gadgethome, posted August 15, 2019:

Hi,

Just wanted to know what, if any, people are using as a firewall. I was going to go with pfsense but cannot get unraid to work with the additional intel dual nic I installed. Are there any firewalls that will work with just one nic card or do you need a minimum of 2?

Thanks

ashman70, posted August 15, 2019:

If you are talking about software firewalls, you will need a minimum of two nics, one for the internet and one for your local network. You could use one network card and an integrated network card if there is one built into the motherboard. Personally I prefer hardware based firewalls. I use the Ubiquiti EdgeRouter X and I love it.

blaine07, posted August 15, 2019:

Entirely separate appliance running pfsense here. Firewall too important to risk being mucked up with a bunch of other stuff.

1812, posted August 15, 2019:

Have run pfsense a bunch, also opnsense for a bit. I've been on Sophos UTM 9 for about 6 months or so and really like it. Going to set up failover on a small fanless pc in a month or two that will take over automatically if the virtualized firewall goes down.

PanteraGSTK, posted August 15, 2019:

6 minutes ago, 1812 said:
> Have run pfsense a bunch, also opnsense for a bit. I've been on Sophos UTM 9 for about 6 months or so and really like it. Going to set up failover on a small fanless pc in a month or two that will take over automatically if the virtualized firewall goes down.

Same here. Been using Sophos UTM for about 5 years or so. Fantastic product and pretty amazing what you get for the free license. It does have a learning curve though. I've had it running on an i3 with 8 GB of RAM and it hardly uses any resources with my config. I also run a pi-hole alongside it and the combo is fantastic.

Abzstrak, posted August 16, 2019:

I use pfsense, I see it as a core networking device, so I would never virtualize it.

1812, posted August 16, 2019:

21 minutes ago, Abzstrak said:
> I use pfsense, I see it as a core networking device, so I would never virtualize it.

I used to think that way, until I didn't.

gadgethome (author), posted August 16, 2019:

Thanks everyone for their input. I've worked for a large company and they had everything on VM. Separate one for AD, voice, email, firewall etc.

JonathanM, posted August 16, 2019:

37 minutes ago, 1812 said:
> I used to think that way, until I didn't.

Yes, but I will always keep a hardware pfsense box ready to spin up when it's needed. It's so easy to back up and restore, and my server has so much more horsepower it seemed like a waste to keep the hardware pfsense spun up all the time. Virtualized pfsense for the win.

langelus, posted August 16, 2019:

Running two unraid servers with pfsense in HA, one with an Intel Dual NIC passthrough and one with bridged interfaces (will change to Intel NIC soon, it's in the mail) and it works great.

1812, posted August 16, 2019:

1 minute ago, jonathanm said:
> Yes, but I will always keep a hardware pfsense box ready to spin up when it's needed. It's so easy to back up and restore, and my server has so much more horsepower it seemed like a waste to keep the hardware pfsense spun up all the time. Virtualized pfsense for the win.

Exactly. I have a main server and a backup server, each running a firewall vm. Easy to change over if the main goes down. I had issues getting Sophos auto-failover working when I messed with it a few months ago but hopefully I'll get it set up soon and have automatic backup going, whether that way or in tandem with a mini pc.

gadgethome (author), posted August 16, 2019:

I've added a dual intel nic to unraid so I can play about with a pfsense VM. I've split the iommu group using vfio-pci.ids=8086:105e but when I start up the VM I'm getting this error:

    internal error: qemu unexpectedly closed the monitor: 2019-08-16T17:30:46.702102Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

Any suggestions as to what I am doing wrong?

Thanks

langelus, posted August 16, 2019:

1 hour ago, gadgethome said:
> I've added a dual intel nic to unraid so I can play about with a pfsense VM. I've split the iommu group using vfio-pci.ids=8086:105e but when I start up the VM I'm getting this error:
>
>     internal error: qemu unexpectedly closed the monitor: 2019-08-16T17:30:46.702102Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted
>
> Any suggestions as to what I am doing wrong?
>
> Thanks

Is it perhaps an HP server? In that case use the HP patched bzimage.

gadgethome (author), posted August 16, 2019:

48 minutes ago, langelus said:
> Is it perhaps an HP server? In that case use the HP patched bzimage.

Thanks. Yes it is an HP Z600. I replaced the bzimage with the 6.7.2 one. Rebooted and still getting this error:

    Execution error
    internal error: qemu unexpectedly closed the monitor: 2019-08-16T19:29:11.942433Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

langelus, posted August 16, 2019:

5 minutes ago, gadgethome said:
> Thanks. Yes it is an HP Z600. I replaced the bzimage with the 6.7.2 one. Rebooted and still getting this error:
>
>     Execution error
>     internal error: qemu unexpectedly closed the monitor: 2019-08-16T19:29:11.942433Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

I might be wrong but I thought that 6.7.0 was the latest patched version?

gadgethome (author), posted August 16, 2019:

github shows 6.7.2 is available

https://github.com/AnnabellaRenee87/Unraid-HP-Proliant-Edition/tree/master/bzimage releases/Stable

gadgethome (author), posted August 16, 2019:

I added this to the config file and then it worked fine

    append vfio_iommu_type1.allow_unsafe_interrupts=1 initrd=/bzroot

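Added example, not part of any post in this thread: `vfio_iommu_type1.allow_unsafe_interrupts=1` lets VFIO assign a device on a platform without interrupt remapping, which is the check behind the "Operation not permitted" error above, so it is worth recording which hosts run with it and what shares the NIC's IOMMU group. The script reads both from sysfs; the function names and the optional sysfs-root argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): inventory a VFIO passthrough host.
# Each function takes an optional sysfs root so it can run on a copy of /sys.

# Print "enabled" when VFIO may assign devices without interrupt remapping,
# either through the live module parameter or the boot command line.
unsafe_irq_state() {
  _sys="${1:-/sys}"
  _cmd="${2:-$(cat /proc/cmdline 2>/dev/null || true)}"
  _p="$_sys/module/vfio_iommu_type1/parameters/allow_unsafe_interrupts"
  _state=disabled
  if [ -r "$_p" ] && grep -qx Y "$_p"; then _state=enabled; fi
  for _w in $_cmd; do
    case "$_w" in
      vfio_iommu_type1.allow_unsafe_interrupts=[1yY]) _state=enabled ;;
    esac
  done
  echo "$_state"
}

# Print the IOMMU group number of a PCI address such as 0000:03:00.0.
iommu_group_of() {
  _sys="${2:-/sys}"
  for _d in "$_sys"/kernel/iommu_groups/*/devices/"$1"; do
    [ -e "$_d" ] || continue
    _g="${_d%/devices/*}"
    echo "${_g##*/}"
  done
}

# List every device in a group; the group is the unit of isolation VFIO uses.
iommu_group_members() {
  ls "${2:-/sys}/kernel/iommu_groups/$1/devices" 2>/dev/null | sort
}

# Report for one device: group, co-members, and the unsafe-interrupt setting.
audit_passthrough() {
  _dev="$1"; _root="${2:-/sys}"
  _grp="$(iommu_group_of "$_dev" "$_root")"
  [ -n "$_grp" ] || { echo "$_dev: no IOMMU group found"; return 1; }
  echo "device $_dev is in IOMMU group $_grp with:"
  iommu_group_members "$_grp" "$_root" | sed 's/^/  /'
  echo "allow_unsafe_interrupts: $(unsafe_irq_state "$_root" "${3:-}")"
}

# Usage: sh audit.sh 0000:03:00.0   (address taken from the error in the thread)
if [ "$#" -ge 1 ]; then audit_passthrough "$@"; fi
```
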
1812, posted August 16, 2019:

1 hour ago, gadgethome said:
> I added this to the config file and then it worked fine
>
>     append vfio_iommu_type1.allow_unsafe_interrupts=1 initrd=/bzroot

There are more HP tips/tricks in my sig.

ken-ji, posted August 19, 2019:

Running a Mikrotik hEX Router

https://mikrotik.com/product/RB750Gr3

It's quite a bit of a learning curve for people coming from "point-n-click routers" but should be fairly straightforward for most technical users.

What I really like about it is the QoS (quite a challenge) capability, and the support for VPN options (though still missing OpenVPN in UDP mode).

There are some rough spots still, like the built in DNS server only supporting A/AAAA records (but has regex matching).

It also has builtin AP management (these need to be Mikrotik AP though) so new APs just need to be plugged in to the network and told to look for the head unit.

The main feature I've loved about it until my ISP started placing users on CGNAT is how easy it is to create a site-to-site VPN between routers, just plug in the public IP on both ends and you are done.

Kevek79, posted August 19, 2019:

I am running a Unifi USG for the last couple of months and still happy with my decision yet. The controller runs as a docker container on my main unraid box.

Vetteman, posted Friday at 02:47 PM:

I installed DD-WRT onto a Netgear home router that is no longer supported with Netgear's upgrades.