gadgethome

What are people using for a firewall

20 posts in this topic

Hi, just wanted to know what, if any, people are using as a firewall.

I was going to go with pfsense but cannot get unraid to work with the additional Intel dual NIC I installed.

Are there any firewalls that will work with just one NIC card, or do you need a minimum of 2?

Thanks


If you are talking about software firewalls, you will need a minimum of two NICs: one for the internet and one for your local network. You could use one network card plus an integrated network card if there is one built into the motherboard.

Personally I prefer hardware-based firewalls. I use the Ubiquiti EdgeRouter X and I love it.


Entirely separate appliance running pfsense here. Firewall too important to risk being mucked up with a bunch of other stuff.

Sent from my SM-G975U using Tapatalk


Have run pfsense a bunch, also opnsense for a bit.

I've been on Sophos UTM 9 for about 6 months or so and really like it. Going to set up failover on a small fanless PC in a month or two that will take over automatically if the virtualized firewall goes down.

6 minutes ago, 1812 said:

Have run pfsense a bunch, also opnsense for a bit.

I've been on Sophos UTM 9 for about 6 months or so and really like it. Going to set up failover on a small fanless PC in a month or two that will take over automatically if the virtualized firewall goes down.

Same here. Been using Sophos UTM for about 5 years or so. Fantastic product and pretty amazing what you get for the free license.

It does have a learning curve though. I've had it running on an i3 with 8GB of RAM and it hardly uses any resources with my config. I also run a Pi-hole alongside it and the combo is fantastic.


I use pfsense, I see it as a core networking device, so I would never virtualize it.

21 minutes ago, Abzstrak said:

I use pfsense, I see it as a core networking device, so I would never virtualize it.

I used to think that way, until I didn't.


Thanks, everyone, for your input.

I've worked for a large company and they had everything on VMs: a separate one for AD, voice, email, firewall, etc.

37 minutes ago, 1812 said:

I used to think that way, until I didn't.

Yes, but I will always keep a hardware pfsense box ready to spin up when it's needed. It's so easy to back up and restore, and my server has so much more horsepower it seemed like a waste to keep the hardware pfsense spun up all the time.

Virtualized pfsense for the win.


Running two unraid servers with pfsense in HA, one with an Intel dual NIC passthrough and one with bridged interfaces (will change to an Intel NIC soon, it's in the mail), and it works great.

1 minute ago, jonathanm said:

Yes, but I will always keep a hardware pfsense box ready to spin up when it's needed. It's so easy to back up and restore, and my server has so much more horsepower it seemed like a waste to keep the hardware pfsense spun up all the time.

Virtualized pfsense for the win.

Exactly. I have a main server and a backup server, each running a firewall VM. Easy to change over if the main goes down. I had issues getting Sophos auto-failover working when I messed with it a few months ago, but hopefully I'll get it set up soon and have automatic backup going, whether that way or in tandem with a mini PC.


I've added a dual Intel NIC to unraid so I can play about with a pfsense VM. I've split the IOMMU group using vfio-pci.ids=8086:105e

but when I start up the VM I'm getting this error:

internal error: qemu unexpectedly closed the monitor: 2019-08-16T17:30:46.702102Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

Any suggestions as to what I am doing wrong? Thanks

1 hour ago, gadgethome said:

I've added a dual Intel NIC to unraid so I can play about with a pfsense VM. I've split the IOMMU group using vfio-pci.ids=8086:105e

but when I start up the VM I'm getting this error:

internal error: qemu unexpectedly closed the monitor: 2019-08-16T17:30:46.702102Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

Any suggestions as to what I am doing wrong? Thanks

Is it perhaps an HP server? In that case use the HP patched bzimage.

48 minutes ago, langelus said:

Is it perhaps an HP server? In that case use the HP patched bzimage.

Thanks. Yes, it is an HP Z600.

I replaced the bzimage with the 6.7.2 one. Rebooted and still getting this error:

Execution error

internal error: qemu unexpectedly closed the monitor: 2019-08-16T19:29:11.942433Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

5 minutes ago, gadgethome said:

Thanks. Yes, it is an HP Z600.

I replaced the bzimage with the 6.7.2 one. Rebooted and still getting this error:

Execution error

internal error: qemu unexpectedly closed the monitor: 2019-08-16T19:29:11.942433Z qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio 0000:03:00.0: failed to setup container for group 14: failed to set iommu for container: Operation not permitted

I might be wrong, but I thought that 6.7.0 was the latest patched version?


I added this to the config file and then it worked fine:

append vfio_iommu_type1.allow_unsafe_interrupts=1 initrd=/bzroot

1 hour ago, gadgethome said:

I added this to the config file and then it worked fine:

append vfio_iommu_type1.allow_unsafe_interrupts=1 initrd=/bzroot

There are more HP tips/tricks in my sig.

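An added check for the passthrough problem above; this is example code written for this page, not something posted in the thread or shipped by Unraid, pfsense or QEMU. The "failed to set iommu for container: Operation not permitted" error is the EPERM that vfio_iommu_type1 returns when it attaches a group and the kernel's IOMMU does not report interrupt remapping support, unless allow_unsafe_interrupts is set. The script below lists the IOMMU groups and reads the Intel VT-d extended capability register (ECAP) from sysfs, so you can see whether the hardware advertises interrupt remapping at all before deciding to accept the weaker isolation that the module option buys. The optional sysfs-root argument (default /sys) is an assumption added so the functions can be exercised against a constructed directory tree; the ECAP check covers Intel IOMMUs only.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unraid/pfsense/QEMU.
# Reads the IOMMU group layout and the Intel VT-d ECAP register from sysfs.
# The optional root argument (default /sys) is an assumption added so the
# functions can be run against a constructed directory tree.

# Print one line per IOMMU group with the PCI devices it contains.
# Every device in a group has to be handed to the same VM together, which
# is why the OP had to split the group for the dual-port NIC first.
iommu_groups() {
    root="${1:-/sys}"
    for g in "$root"/kernel/iommu_groups/*/; do
        [ -d "$g" ] || continue
        gid=$(basename "$g")
        devs=""
        for d in "$g"devices/*; do
            [ -e "$d" ] || continue
            devs="$devs $(basename "$d")"
        done
        printf 'group %s:%s\n' "$gid" "$devs"
    done
}

# Return 0 when every Intel IOMMU unit advertises interrupt remapping
# (ECAP bit 3, "IR" in the VT-d specification), 1 when any unit lacks it
# or when no Intel IOMMU unit is found under the given root.
ir_supported() {
    root="${1:-/sys}"
    found=0
    for f in "$root"/class/iommu/*/intel-iommu/ecap; do
        [ -r "$f" ] || continue
        found=1
        ecap=$(cat "$f")
        ecap="${ecap#0x}"                      # sysfs prints bare hex
        [ $(( 0x$ecap >> 3 & 1 )) -eq 1 ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Human-readable summary: group layout plus the interrupt-remapping verdict.
iommu_report() {
    root="${1:-/sys}"
    iommu_groups "$root"
    if ir_supported "$root"; then
        echo "interrupt remapping: advertised by the IOMMU hardware"
        echo "  if attach still fails with EPERM, the kernel may have IR disabled"
        echo "  (intremap=off, or a firmware table problem); check dmesg for 'IRQ remapping'"
    else
        echo "interrupt remapping: NOT advertised (or no Intel IOMMU found)"
        echo "  without IR the guest owning the device is not isolated from host"
        echo "  interrupt vectors; allow_unsafe_interrupts=1 accepts that exposure,"
        echo "  so keep the guest trusted and prefer a dedicated box if you can"
    fi
}

# Run the report when invoked as: sh iommu_check.sh --run [sysfs-root]
case "${1:-}" in
    --run) iommu_report "${2:-/sys}" ;;
esac
```

Run it on the hypervisor as `sh iommu_check.sh --run` before touching the append line: if `ir_supported` already passes, the EPERM has a different cause and the unsafe-interrupts option is not the fix you want.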

Running a Mikrotik hEX Router https://mikrotik.com/product/RB750Gr3

It's quite a bit of a learning curve for people coming from "point-n-click routers", but should be fairly straightforward for most technical users.

What I really like about it is the QoS (quite a challenge) capability, and the support for VPN options (though still missing OpenVPN in UDP mode).

There are some rough spots still, like the built-in DNS server only supporting A/AAAA records (but it has regex matching).

It also has built-in AP management (these need to be Mikrotik APs though), so new APs just need to be plugged into the network and told to look for the head unit.

The main feature I've loved about it, until my ISP started placing users on CGNAT, is how easy it is to create a site-to-site VPN between routers: just plug in the public IP on both ends and you are done.


I have been running a Unifi USG for the last couple of months and I'm still happy with my decision so far.

The controller runs as a docker container on my main unraid box.
