Home Network Firewall Options
-
@Jason Eth0 has been LAN on my SonicWALL and Sophos SG 210. I thought that was weird but I just got used to it, so I mirrored the config on the ERX. I understand that there must have been a configuration issue but wasn't sure what it would have been. The WAN port was on DHCP, the LAN was set with a DHCP server on it for connected clients but I couldn't get out. I swapped them and ran the wizard and it worked.
-
@wrx7m said:
@Jason Eth0 has been LAN on my SonicWALL and Sophos SG 210. I thought that was weird but I just got used to it, so I mirrored the config on the ERX. I understand that there must have been a configuration issue but wasn't sure what it would have been. The WAN port was on DHCP, the LAN was set with a DHCP server on it for connected clients but I couldn't get out. I swapped them and ran the wizard and it worked.
Willing to bet you had the WAN port also on the switch0.
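The failure mode described above, shown as EdgeOS (Vyatta-style) configuration. This is an added example, not configuration from this thread or from Ubiquiti: the first fragment has the DHCP-client WAN port also listed as a switch0 member, the second keeps eth0 out of the switch and points the firewall and NAT at it explicitly. Interface names, the 192.168.1.0/24 subnet and the rule numbers are assumptions for illustration.

```text
/* BROKEN: eth0 is the DHCP WAN client AND a switch0 member, so the WAN and
   LAN ports no longer form a routed boundary and clients cannot get out. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
    switch switch0 {
        address 192.168.1.1/24
        description LAN
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
        }
    }
}

/* FIXED: eth0 is WAN only; switch0 carries eth1..eth4 and the LAN subnet.
   WAN_IN/WAN_LOCAL and the masquerade rule name eth0 explicitly, so nothing
   depends on which physical port happens to be "first". */
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    switch switch0 {
        address 192.168.1.1/24
        description LAN
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
            }
        }
    }
    nat {
        rule 5010 {
            outbound-interface eth0
            type masquerade
        }
    }
}
```

A quick check from configure mode is `show interfaces switch switch0 switch-port`: the interface carrying the WAN address must not appear in that list. Keeping the WAN port out of the switch is also what makes the WAN_IN/WAN_LOCAL rulesets meaningful, since they are applied per interface.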
-
@JaredBusch That would do it.
-
@wrx7m said:
@JaredBusch That would do it.
If you had an ERL, that would not have been possible. In fact, the original wizards for the ERL all had people put the WAN on eth1 because you had to plug in to eth0 with a fixed IP to get into the ERL in the first place.
-
@JaredBusch So I wasn't that far off when I was setting up the WAN on eth1.
-
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
It's VyOS, which took over from Vyatta when that went away. We've been using some form of that for over a decade now. It's been consistently awesome.
-
@Jason said:
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
Ah, EdgeOS is nothing special. Ubiquiti didn't do much work to it (because it didn't need much). VyOS/Vyatta is where all the magic came from. Brocade tried killing the Vyatta community edition though. So everything now is a fork from before Brocade bought them.
The beauty of open source, it's amazing how often companies try to kill off proprietary software in the real world. Open source projects protect the end users should someone out there actually find the software to be useful. VyOS has taken on a much bigger life than Vyatta ever had.
-
@scottalanmiller said:
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
It's VyOS, which took over from Vyatta when that went away. We've been using some form of that for over a decade now. It's been consistently awesome.
It is NOT VyOS. It is Vyatta. I know we have had this conversation before. I wish you would keep your facts straight.
References: http://vyos.net/wiki/EdgeOS & http://community.ubnt.com/t5/EdgeMAX/edgemax-vyatta/m-p/391382#M4533
-
@JaredBusch said:
@scottalanmiller said:
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
It's VyOS, which took over from Vyatta when that went away. We've been using some form of that for over a decade now. It's been consistently awesome.
It is NOT VyOS. It is Vyatta. I know we have had this conversation before. I wish you would keep your facts straight.
References: http://vyos.net/wiki/EdgeOS & http://community.ubnt.com/t5/EdgeMAX/edgemax-vyatta/m-p/391382#M4533
I have no memory of having discussed this.
It's a competing fork to VyOS? That seems odd. Why maintain two competing forks?
-
@scottalanmiller said:
@JaredBusch said:
@scottalanmiller said:
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
It's VyOS, which took over from Vyatta when that went away. We've been using some form of that for over a decade now. It's been consistently awesome.
It is NOT VyOS. It is Vyatta. I know we have had this conversation before. I wish you would keep your facts straight.
References: http://vyos.net/wiki/EdgeOS & http://community.ubnt.com/t5/EdgeMAX/edgemax-vyatta/m-p/391382#M4533
I have no memory of having discussed this.
It's a competing fork to VyOS? That seems odd. Why maintain two competing forks?
http://mangolassi.it/topic/1714/tonight-s-project-ubiquiti-router-for-home/15
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
@scottalanmiller said:
@wirestyle22 said:
I'm really impressed at EdgeOS. I can't talk its praises enough. For $60 I can't see anything else comparing.
It's VyOS, which took over from Vyatta when that went away. We've been using some form of that for over a decade now. It's been consistently awesome.
It is NOT VyOS. It is Vyatta. I know we have had this conversation before. I wish you would keep your facts straight.
References: http://vyos.net/wiki/EdgeOS & http://community.ubnt.com/t5/EdgeMAX/edgemax-vyatta/m-p/391382#M4533
I have no memory of having discussed this.
It's a competing fork to VyOS? That seems odd. Why maintain two competing forks?
http://mangolassi.it/topic/1714/tonight-s-project-ubiquiti-router-for-home/15
Okay, I did not respond to that and it was not directed at me; while I try to read things, I might easily have missed that.
-
@scottalanmiller said:
@NETS said:
So without a UTM device how are you monitoring the network and locking down the traffic?
- What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
- With a UTM, how are you doing it?
I look at UTMs as a single device that can easily secure and monitor a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.
If you use an Edge router how are you adding back in the other security features that a UTM or next-gen firewall offers?
-
@NETS said:
@scottalanmiller said:
@NETS said:
So without a UTM device how are you monitoring the network and locking down the traffic?
- What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
- With a UTM, how are you doing it?
I look at UTMs as a single device that can easily secure and monitor a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.
If you use an Edge router how are you adding back in the other security features that a UTM or next-gen firewall offers?
Take Cover!
-
@wrx7m said:
@NETS said:
@scottalanmiller said:
@NETS said:
So without a UTM device how are you monitoring the network and locking down the traffic?
- What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
- With a UTM, how are you doing it?
I look at UTMs as a single device that can easily secure and monitor a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.
If you use an Edge router how are you adding back in the other security features that a UTM or next-gen firewall offers?
Take Cover!
I fully expect it. Possibly even looking forward to the rousing discussion that takes place because of it.
-
@NETS The summary of past discussions:
UTM is a waste of money
Use separate boxes for specific uses - Firewall, proxy
Use endpoint protections for AV
Don't log/block websites/categories unless it is to prevent malware (even then, use a service like OpenDNS)
I don't necessarily endorse all comments.
Edit: I almost forgot. The performance is almost always better when you separate the roles.
-
@wrx7m said:
@NETS The summary of past discussions:
UTM is a waste of money
Use separate boxes for specific uses - Firewall, proxy
Use endpoint protections for AV
Don't log/block websites/categories unless it is to prevent malware (even then, use a service like OpenDNS)
I don't necessarily endorse all comments.
A good "do it all in one box" solution saves an imperial buttload of time though, good grief.
+1 to Fortigate; you may be expensive but you work darn well for us.
-
@MattSpeller I do like my Sophos too. Although, I am starting to see the benefit to having fewer things running on the same box. Troubleshooting might actually be easier. "Is it a proxy issue or firewall rule? Could be either."
-
@wrx7m said:
@MattSpeller I do like my Sophos too. Although, I am starting to see the benefit to having fewer things running on the same box. Troubleshooting might actually be easier. "Is it a proxy issue or firewall rule? Could be either."
Just remember that sometimes the grass isn't really greener haha. I would love to do all these boxes myself and learn a bunch of new junk but that'd be a huge chunk of time I don't have.
-
@NETS the point is not to always separate or always to use an all-in-one. The point of every IT solution should be to find the correct solution to the problem.
Very rarely is a UTM actually ever required when you break all the pieces down and look at what they do and what the business needs.
I have never needed a full UTM at a single client.
The good place to find the need is in libraries and education. They have laws or ordinances mandating things and vendors have provided solid solutions for them.
-
Are you guys using actual server hardware to make the devices to fill those roles?