Overclock.net forum thread · 1 - 19 of 19 Posts

Registered · 46 Posts · Discussion Starter · #1
Firstly, this is not an ad, but I wrote this as a guide to why one would want to try free firewalls. Some of you come here with no idea of what a "true" firewall is like.... so what's a firewall? I was one of those people once. I was using a cheap wireless Netgear router and was satisfied. Then I began learning about the internet and networks. Then I heard about firewall appliances and distros like pfSense, Sophos, Untangle etc. and was amazed at the possibilities but was so daunted by the basics that I didn't know where to begin. But once you grasp the basic concepts of firewall rules, port forwarding, DNS, web filtering/IPS, etc., you will enjoy learning more about what firewall suites have to offer over home routers.
So, why should you get rid of your cheap router and go with a custom firewall software "build"? So you can have enterprise-level security for FREE, be protected from almost all threats, and have so much more control over your network.

Part 1: the basics simplified.
Your home router for the most part only protects your home network from intruders on the internet using a very, very basic approach. Your router has a simple "dumb" firewall that blocks incoming attacks, as long as they do not originate from within your network. A lot of users have routers that will automatically open up ports, which will allow attacks to happen if, for example, you had a trojan on your PC, using a feature on most routers called UPnP (Universal Plug and Play). That is only the tip of the iceberg. Most made-in-China home routers have many security vulnerabilities due to lack of firmware updates and poor support. Many may even have backdoors allowing a hacker to access them.

Another aspect that you may not be aware of is outbound protection. Assuming Windows' built-in firewall is protecting you, it may not be that big of a concern, but a huge advantage of a custom firewall, also referred to as a "next-generation firewall" (NGFW) or a "UTM (unified threat management) firewall", is the possibility to have control of every application that connects to the internet at the firewall level. This is referred to as application filtering, and uses something called deep packet inspection to block harmful apps and malware from being downloaded BEFORE they reach your PC. Pretty awesome, huh!?

Another feature that is amazing to have, and is the heart and soul of every professional enterprise-grade firewall, is called an Intrusion Prevention System. Simply, it is software within the firewall that monitors your network for attacks, looking for suspicious traffic and network activity by utilizing signatures or rulesets. The IPS can detect hackers scanning your firewall for open ports and ban them. It can prevent denial of service attacks, where an attacker "floods" your network with useless data in an attempt to crash your PC or laptop, etc.

So do you want to know how to get into the basics and build or install your own firewall? Maybe this could be a tutorial.....
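As an added example (not part of the original post, and not code from any of the firewalls it names) of the kind of threshold rule the IPS paragraph above describes: a small Python detector that replays constructed flow records and flags a port scan (one source touching many distinct destination ports in a short window) and a flood (many connection attempts at one destination within a second). The traffic, addresses, thresholds and window sizes are all made up for the example; a real IPS such as Snort or Suricata does the same job with signature rules and a packet decoder rather than Python dataclasses.

```python
"""Threshold-style scan and flood detection over constructed flow records.

Added example, not the post's code: it approximates the 'track by_src /
by_dst, count N within T seconds' style of rule an IPS uses to spot port
scans and floods. Sample traffic is constructed, not captured.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of the sample
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample traffic (RFC 5737 documentation addresses, no real hosts).
SAMPLE_FLOWS = (
    # Scanner: one source walking ports 1..20 on a single host over 2 seconds.
    [Flow(0.1 * i, "203.0.113.7", "192.0.2.10", i, "tcp") for i in range(1, 21)]
    # Normal client: a handful of web and DNS connections spread over time.
    + [Flow(t, "192.0.2.50", "192.0.2.10", p, "tcp")
       for t, p in ((0.5, 80), (1.5, 443), (3.0, 443), (12.0, 80), (14.0, 53))]
    # SYN flood: 200 connection attempts to port 80 inside 0.8 seconds.
    + [Flow(5.0 + 0.004 * i, "198.51.100.9", "192.0.2.10", 80, "tcp")
       for i in range(200)]
)


def _suppressed(last_alert, key, now, window):
    """True if an alert for `key` already fired within the last `window` seconds."""
    return key in last_alert and now - last_alert[key] <= window


def detect_port_scans(flows, window=10.0, threshold=15):
    """Alert when one source touches >= `threshold` distinct destination ports
    within `window` seconds. Returns [(src, ts, distinct_port_count)], at most
    one alert per source per window so a long scan does not spam the log."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    last_alert = {}
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        q = recent[f.src]
        q.append((f.ts, f.dport))
        while q and f.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and not _suppressed(last_alert, f.src, f.ts, window):
            last_alert[f.src] = f.ts
            alerts.append((f.src, f.ts, distinct))
    return alerts


def detect_floods(flows, window=1.0, threshold=100):
    """Alert when a destination receives >= `threshold` new flows within
    `window` seconds, regardless of source. Returns [(dst, ts, count)]."""
    recent = defaultdict(deque)   # dst -> deque of timestamps inside the window
    last_alert = {}
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        q = recent[f.dst]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and not _suppressed(last_alert, f.dst, f.ts, window):
            last_alert[f.dst] = f.ts
            alerts.append((f.dst, f.ts, len(q)))
    return alerts


if __name__ == "__main__":
    for src, ts, n in detect_port_scans(SAMPLE_FLOWS):
        print(f"[scan]  t={ts:6.3f}s  {src} probed {n} distinct ports")
    for dst, ts, n in detect_floods(SAMPLE_FLOWS):
        print(f"[flood] t={ts:6.3f}s  {dst} received {n} flows in 1 s")
```

Run against the constructed traffic, the scanner trips the port-scan rule the moment it reaches its 15th distinct port and the flood trips the per-destination rule at the 100th connection attempt, while the normal client never alerts. The one-alert-per-window suppression is the part people forget: without it a 65535-port sweep produces tens of thousands of identical alerts.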
 

Registered · 116 Posts
I'm debating taking my Z690 Extreme and my 12900K and making that my router, just wondering if mixing RAM to reach 64GB would be an issue?
That would be ridiculously overkill and a waste of your money and hardware.
If you don't want a virtual router, you can install pfSense on a range of cheap and readily available hardware devices. Google is your friend.
 

Registered · 46 Posts · Discussion Starter · #5 (Edited)
That would be ridiculously overkill and a waste of your money and hardware.
If you don't want a virtual router, you can install pfSense on a range of cheap and readily available hardware devices. Google is your friend.
He could run multiple KVMs at once, including multiple IPSes like Snort and Suricata, a Squid proxy and Pi-hole, on top of a Linux distribution, inside of a RAM disk, inside VMware, running on Windows 11 inside ESXi inside Proxmox on a Mac Pro. It would be a nightmare to configure a monstrosity like this. Funny thing is that this is actually probably doable.
 

Banned · 5,237 Posts
That would be ridiculously overkill and a waste of your money and hardware.
If you don't want a virtual router, you can install pfSense on a range of cheap and readily available hardware devices. Google is your friend.
Money has already been spent, trying to resell it and I'd be lucky to get half back. I'd rather go overkill.
 

Premium Member · 6,922 Posts
Money has already been spent, trying to resell it and I'd be lucky to get half back. I'd rather go overkill.
In that case, do it. I ran a 7600K as the CPU for my pfSense and then OPNsense router for a couple of years and it was great. I loved that the router could handle far more throughput than I needed (40Gb LAN and 2.5Gb WAN) and more packets per second than any consumer or enterprise router ever could at the time. It was nice having a router that could do all sorts of great security features without slowing down, and having the router not bog me down in gaming sessions when others were web browsing and streaming.

I always wanted to run Untangle with it, as it has the most polish of the Linux distro firewalls I have seen, and I loved that it had Bitdefender AV built into the firewall with SSL virus scanning capabilities. Such a great feature set. Only problem is the cost was just too high with it. I had more devices on my network than "Home Basic" allowed and there is no way I am paying $150 a year for a firewall subscription for home use.

Earlier this year I moved on though, after running pfSense/OPNsense for the past 5 years without issue. I went with a full Ubiquiti stack, which did cost more money. But I was getting security cameras and wanted a video doorbell and all that, and Ubiquiti offered a very nice integration of all that while also not having my video go to Amazon or Google servers, keeping it all myself on premises with no monthly subscription costs. I do like the end result, it works very well. Ubiquiti offers me all the same features as pfSense did with a bunch of plugins, but in a much more integrated and easier to use manner.
 

Banned · 5,237 Posts
In that case, do it. I ran a 7600K as the CPU for my pfSense and then OPNsense router for a couple of years and it was great. [...]
I got the Extreme in for an RMA atm so we'll see how that goes, otherwise I have a brand new Z690 Apex and 16GB of crappy Lancer RAM and a 3080 Ti that will be hard to sell without taking a major loss on it all.
I either want to get rid of the excess stuff or at least do something with it.
 

Registered · 46 Posts · Discussion Starter · #9 (Edited)
3080 Ti used = $800
Z690 Apex used = $800

You are looking at about $1,500 on eBay for those two.

In contrast, even a refurbished $150 HP ProDesk or Lenovo ThinkCentre with an i5 CPU and a $25 Intel NIC card will be more than adequate.

I'm using something like these, which are upgradeable with any dual LAN card you choose. Then you can install OPNsense, pfSense, Untangle, etc.
Or there are fanless firewall devices to choose from for under $300.
 

Banned · 5,237 Posts
3080 Ti used = $800
Z690 Apex used = $800

You are looking at about $1,500 on eBay for those two.
lol @ $800. I was offering less than $400 at one point; unless I can prove it's not one of the bad boards I'll be lucky to get $300 for it. As for the 3080 Ti, I'd rather not lose half on it without ever using it, so I'd rather put it to use.

Thanks for the suggestions, but I have spare hardware that blows that stuff away, so why would I even consider any of that? I didn't ask about what else I could use; I have no interest in buying cheap crap instead.
 

Registered · 559 Posts
I'm debating taking my Z690 Extreme and my 12900k and making that my router, just wondering if mixing ram to reach 64gb would be an issue?
Nothing wrong with using overpowered hardware if you have it. If I had something like this laying around, I'd totally route it using a hypervisor like ESXi or Proxmox and then use the rest of the system resources for something like AdGuard/Pi-hole, Windows/Linux VMs via VFIO pass-through for any GPUs laying around, and passing drives to a NAS, which I personally need to get with the times on, as I mostly rely on a cold storage server and whatever drives I have in my workstation. I have been kicking around the idea of a 12100 for something like this with those powerful P-cores for beyond 10Gbit routing. Hypervisors were a bit funky last I researched when it comes to E-cores, so I would disable those.

Or there are fanless firewall devices to choose from for under $300.
I went with one of these 10nm Celeron N5105 6x 2.5Gbit Intel i225-V B3 stepping NIC AliExpress units a few months ago.

Bought it barebones for $220 but added in 32GB of RAM. I have been testing for the last couple of months and helping to work out some issues with Proxmox. I got OPNsense running on it along with a couple of Linux VMs, an OpenSpeedTest server, TrueNAS for a small storage share which has been great for hosting my toolbox for troubleshooting other machines, and soon to deploy a recursive DNS/Pi-hole.

It has been great so far except for guests crashing on Proxmox, but that seems to be figured out just by using a different kernel. This thing sips power at less than 7W at idle; I just need to add some higher capacity storage into it since I am using just 2x 256GB with the SATA and the NVMe, which takes 1x 3.0 lane. Will soon move it into my production environment. There are some Ryzen 5600U/5800U units popping up out there with 2.5Gbit i225/i226 NICs which are not fanless but are more impressive than these N5105/N6005 units. ServeTheHome just reviewed one of these a couple days ago.
 

Registered · 46 Posts · Discussion Starter · #12
Thanks for the suggestions, but I have spare hardware that blows that stuff away, so why would I even consider any of that? I didn't ask about what else I could use; I have no interest in buying cheap crap instead.
Maybe because most of us aren't insane enough to waste a 3080 Ti on a pfSense firewall. At least use the 12900K and not the GPU. Put the GPU in a spare PC and use it for upscaling movies or something useful.
 

Banned · 5,237 Posts
Maybe because most of us aren't insane enough to waste a 3080 Ti on a pfSense firewall. At least use the 12900K and not the GPU. Put the GPU in a spare PC and use it for upscaling movies or something useful.
Yeah I know the 3080 Ti is beyond stupid, still gotta do something with it. My 3090 KPE is going in my Plex server. I've lost any desire to have a gaming PC so I might end up sticking it in a family member's PC, would be good to play Candy Crush on lol

I still have a Z390 Dark and a 9900K I need to put to use as well, not to mention old server hardware that I'll likely make into a NAS or something.
 

Registered · 116 Posts
Yeah I know the 3080 Ti is beyond stupid, still gotta do something with it. My 3090 KPE is going in my Plex server. I've lost any desire to have a gaming PC so I might end up sticking it in a family member's PC, would be good to play Candy Crush on lol

I still have a Z390 Dark and a 9900K I need to put to use as well, not to mention old server hardware that I'll likely make into a NAS or something.
why not donate it to charity? Sounds like you have too much money
 

Premium Member · 6,922 Posts
My 3090 KPE is going in my Plex server.
Be aware Nvidia GPUs limit you to 2 transcoding streams maximum no matter what consumer card you have. A 3090 will be the same performance as a 1080 for Plex use because of this limit Nvidia has. They only allow more than 2 streams with a Quadro series workstation card. You are far better off for Plex using the 12900K iGPU, as it will support 12+ streams just fine. This is not a Plex-specific limit, it is a driver limit Nvidia imposes so that anyone wanting to do more than just game live streaming must spend the extra money on a workstation card.

Sorry to derail to a Plex topic a bit too much here when this is a firewall thread for setting up a Linux firewall, but just wanted to get that information out there.
 

Registered · 46 Posts · Discussion Starter · #17 (Edited)
Yeah I know the 3080 Ti is beyond stupid, still gotta do something with it. My 3090 KPE is going in my Plex server. I've lost any desire to have a gaming PC so I might end up sticking it in a family member's PC, would be good to play Candy Crush on lol

I still have a Z390 Dark and a 9900K I need to put to use as well, not to mention old server hardware that I'll likely make into a NAS or something.
Good idea. The 3080 Ti is still an amazing GPU; you wouldn't want to see it go to waste in a system that will not even benefit from it. Not to mention, having that pfSense PC on all the time with that hardware will consume a large amount of power even at idle. The base power consumption of the 12900K is 125 watts compared to 65 watts with the "crappy hardware" that uses the older (but pretty much guaranteed compatible) i5 CPUs I mentioned.

But the problem is even bigger than that. Even with that crazy fast 12900K, a single-threaded program like Snort will not allow the CPU to "ramp up" much past its SpeedStep frequency, which is why it's often disabled in firewalls, which will again use a hell of a lot more power. I know, it's backwards, but that's how it is.
In fact, some firewalls have trouble with UEFI BIOS and HDMI graphics, which is also why VGA is still used along with the older motherboards that support legacy BIOS mode.
 

Banned · 5,237 Posts
Be aware Nvidia GPUs limit you to 2 transcoding streams maximum no matter what consumer card you have. [...]
It's up to 3 now, but you can patch that limit out.

Good idea. The 3080 Ti is still an amazing GPU; you wouldn't want to see it go to waste in a system that will not even benefit from it. [...]
Yeah I'm aware I'd be wasting 90% of it. That part I'm fine with. Anyways I'm just spitballing ideas atm, as I'm sick of the hassle of selling stuff, so I'm going to put them to use. All I need in my house is a Media Server, Router and 1 PC for the family, I'm done with going all out for gaming that I never do so I don't need anything myself.

So all the hardware I had for gaming will be repurposed.
https://pcpartpicker.com/product/qrhFf7/intel-core-i3-12100-33-ghz-quad-core-processor-bx8071512100
 

Registered · 46 Posts · Discussion Starter · #19 (Edited)
A lot of users choose pfSense or OPNsense because it's open source, but the firewall I currently use is Sophos UTM, which is not open source but is free, and most all of the configuration is user-friendly by comparison and done through the GUI web interface. Here are some screenshots as an example of what it does...

The first image is the Dashboard, which has an overview of all the features that are available on the left-hand side.

One of the highlights is the antivirus system that blocks threats while they are being downloaded... here I tried to download the "EICAR test virus" and it was blocked by Avira.

The intrusion protection system prevents anything from port scans to floods or DDoS attacks, for any type of server or program... here you can see all that it can do...

Application control can allow or block many thousands of different applications. Here is the "flow monitor", which tells you what applications are currently accessing the internet. You can shape or throttle internet traffic by application in addition to QoS.

So that's just part of it, in case you need an idea of what these "Layer 7" firewalls can do. They are capable of filtering traffic all the way down to the application level. That is why they are referred to as Layer 7 firewalls or NGFW, next-gen firewalls. I have no experience with others, but supposedly Untangle is able to do similar but costs money for the full package.
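To make the "Layer 7" application-control idea in the post above concrete (and the outbound application filtering described in the first post), here is an added example that is not code from the post, from Sophos UTM or from any other product named in the thread: a Python function that pulls the server name (SNI) out of a TLS ClientHello, the field most NGFWs use to classify HTTPS traffic without decrypting it, and applies a block/allow policy to it. The ClientHello builder, the policy list and the domain names are all constructed for the example. The caveat a practitioner should keep in mind is the last branch: a client can simply omit SNI (or hide it with Encrypted Client Hello), so the filter fails closed whenever it cannot find a name.

```python
"""SNI-based application filtering on a TLS ClientHello.

Added example, not the post's or Sophos UTM's code. It shows the minimum an
NGFW needs to make a per-application decision on HTTPS without decrypting it:
parse the ClientHello far enough to read the server_name extension, then match
it against a policy. Policy and hostnames below are constructed.
"""

# Constructed policy: evaluated top-down, first matching domain suffix wins.
POLICY = [
    ("block", "torrent.example"),
    ("block", "ads.example"),
    ("allow", "example.com"),
]
DEFAULT_ACTION = "allow"   # host not covered by any rule
NO_SNI_ACTION = "block"    # fail closed: no name means no classification


def _u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None if the
    bytes are not a ClientHello or carry no SNI. Slicing never raises, and the
    except clause catches indexing past truncated input, so hostile or cut-off
    data yields None instead of an exception."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        hs = data[5:5 + _u16(data, 3)]
        if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 34                                       # version(2) + random(32)
        pos += 1 + body[pos]                           # session_id
        pos += 2 + _u16(body, pos)                     # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        end = pos + 2 + _u16(body, pos)                # end of extensions block
        pos += 2
        while pos + 4 <= end:                          # walk the extensions
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                             # 0 = server_name
                continue
            lpos = 2                                   # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype, nlen = edata[lpos], _u16(edata, lpos + 1)
                if ntype == 0:                         # 0 = host_name
                    return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        return None
    except (IndexError, UnicodeDecodeError):
        return None


def build_client_hello(server_name=None) -> bytes:
    """Build a minimal ClientHello record as constructed test input. Real
    clients send many more extensions; only the SNI matters here."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name    # host_name entry
        lst = len(entry).to_bytes(2, "big") + entry              # server_name_list
        exts = b"\x00\x00" + len(lst).to_bytes(2, "big") + lst   # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32        # version + fixed 'random'
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite (0x1301)
            + b"\x01\x00"                      # compression: null only
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def _matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def decide(client_hello: bytes):
    """Return (action, host) for one ClientHello. Case and a trailing dot are
    normalised so 'Tracker.TORRENT.example.' cannot slip past a suffix rule."""
    sni = extract_sni(client_hello)
    if sni is None:
        return NO_SNI_ACTION, None
    host = sni.lower().rstrip(".")
    for action, suffix in POLICY:
        if _matches(host, suffix):
            return action, host
    return DEFAULT_ACTION, host


if __name__ == "__main__":
    for name in ("www.example.com", "Tracker.TORRENT.example.", "cdn.other.test", None):
        print(name, "->", decide(build_client_hello(name)))
```

The suffix match is deliberately anchored on a dot boundary, so a rule for `ads.example` does not also catch `notads.example`, and the parser is bounds-safe by construction rather than by trusting the length fields in the packet. What this cannot do is see through a connection that sends no server name at all, which is exactly why the no-SNI case defaults to block rather than allow.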