Question Router/Firewall + POE WiFi Access Points?


Mr Bob

Golden Member
Sep 6, 2004
1,757
12
81
I'm currently updating a fairly complex / device-rich network at our house. When we moved into a new house, I had to quickly deploy 4 Google WiFi points just to set up an inexpensive network with WiFi and full coverage. The new setup will be mostly hard wired, with POE runs to 2-3 areas for WiFi coverage.

Hard wired to the modem is just below gigabit speeds via the ISP, so I'd like to keep the wired network as close to that as possible.

So now I need a router / firewall / gateway, as well as 2 or 3 POE WiFi access points to provide coverage, and, with only 1 device running, to be able to pass that gigabit speed through to the router.

I've looked around; it seems like Cisco has a few cloud solutions, and Zyxel listed a handful of routers, but they weren't true gigabit when the firewall was enabled. Kind of pointless to lose that much bandwidth...

Any suggestions? The more management options/information, the better... Ideally, I'd like to keep it under $1k.
 

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
So I ordered a UniFi Dream Machine Pro to go along with 3 POE WiFi APs and 1 POE Outdoor WiFi AP. Hope this doesn't turn out to be super cheap / low grade hardware... Seems like there's even an option to power cycle the modem when it detects loss of connection. I totally could see that being used.
I think you'll be pretty happy with the performance. I haven't seen any Ubiquiti stuff personally, but I've read so many people's setups and satisfaction with the overall performance that I think you'll be really satisfied. And I'm very interested in hearing what you think of it and any oddities.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
Go to eBay, look for a used Sophos SG135 or 200 series or higher. Grab the free Sophos XG Home edition. It will provide every feature the paid-for version offers except Sandstorm. It is also limited to 50 concurrent devices. Install the free version onto the Sophos device and away you go. I grabbed SG230s for ~$170 a couple months ago. You could put them into HA for double the price.

Ubiquiti makes nice switches\WAPs. But I'm not impressed with their edge devices.

Edit: Oops, didn't see you already ordered.
 

Mr Bob

Golden Member
Sep 6, 2004
1,757
12
81
This system has to be the best piece of technology I've ever owned or configured. So many small business type features.

Assuming the hardware holds up, I'm able to cover a 3500sqft home with 2 APs instead of the 4 Google WiFi devices we had previously.

Every click on the internet just moves instantly, no matter where you're at.

 

Mir96TA

Golden Member
Oct 21, 2002
1,949
37
91
As a full UniFi ecosystem user, I would say their F.W. is from yesteryear, and limited in IDS/IPS. pfSense is days better; you can run it off a dedicated computer (laptop or low energy computer) or VMware.
I do like UniFi DPI and the ecosystem, but the world has moved to SSL and DNS over HTTPS. Their ecosystem of dashboard, traffic info, user info, hardware info etc. is a nice glass gadget to look at.
It is time to look at an L7 F.W., i.e. a Palo Alto P220 maybe. Not sure about the cost.
With DPI on I can easily hit 1 GigE wire speed.
 

Attachments: Topology.JPG, OverView.JPG, DPi.JPG, Dshboad.JPG

Mir96TA

Golden Member
Oct 21, 2002
1,949
37
91
As of right now UniFi switches are L2 switches, not a big deal for a SOHO setup.
In a bigger network, there would be a lot of over-utilization of the router interface (router-on-a-stick concept).
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
world has move to SSL, and DNS over https.

I believe Unifi will improve its firmware over time.

Chrome and Firefox already support DNS over HTTPS. You just have to enable them.

Windows 10 will integrate DNS over HTTPS too in the future.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
O sorry it is
How about this beast.
Well, no home user needs that kind of beast, which weighs 41 lb and uses avg. 270 watts. The UDM-Pro maxes out at 33 W.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
pfSense or Sophos Home provide NGFW capabilities that can run on minimal bare metal. I run XG Home v18 on a pair of Sophos SG 230s I got off eBay for a combined ~350 bucks. That is my gripe with Unifi edge devices. The world has moved on to TLS, including the scammers. In a cruel twist, TLS, which was to make us more secure, actually made us less so, as a lot of our legacy firewalls lacked the capability or performance to play man in the middle for TLS connections. Thus allowing the scammers a way around some of the most vital parts of a defense.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
It truly amazes me how far the 'home' network has come. If you're talking Palo Alto gear, you're definitely up there with enterprise costs (and performance/features). Too rich for my blood, lol.

A lot of this technology has finally filtered down to the home user space. It is great for people who are willing to invest time to learn it as these technologies will provide a level of safety unseen in the home space before.
 

Mir96TA

Golden Member
Oct 21, 2002
1,949
37
91
pfSense or Sophos Home provide NGFW capabilities that can run on minimal bare metal. I run XG Home v18 on a pair of Sophos SG 230s I got off eBay for a combined ~350 bucks. That is my gripe with Unifi edge devices. The world has moved on to TLS, including the scammers. In a cruel twist, TLS, which was to make us more secure, actually made us less so, as a lot of our legacy firewalls lacked the capability or performance to play man in the middle for TLS connections. Thus allowing the scammers a way around some of the most vital parts of a defense.
Because it would require SSL session inspection, meaning the F.W. needs good beefy hardware & software for SSL sessions. That means devices need a certificate or some sort of trusted certificate pinning system. IT PC-support admins can't even handle that, let alone the average home office user.
It is best not to go there.
 

Mr Bob

Golden Member
Sep 6, 2004
1,757
12
81
I'm just not sure, in a home type of environment with a basic modem, how anything above an old WRT54G wouldn't provide the necessary firewall protection. Nothing would handle a home connection against a DDoS attack, so that's not the level of concern I have nor something I would try to prevent... not going to run the CPU power to stop that.

Can anyone explain why I would NOT be protected without this high level firewall? Seems like if you're not opening up your network so much to the outside, it's pretty tough to take advantage.

I have to account for things like the fact there's an internet cord outside the house, connected to a camera 20 ft from the ground. So I have to protect against things like that so people can't plug in directly and access my network (yay for VLANs). I just don't see why, if I ran Ubiquiti, I would need to run the advanced firewall features.

I haven't had time to play around with that yet, cords are still running through the floor of the house.

Apparently one of the Google WiFi points was left powered on while my new network was being created. This was causing the UDM Pro to throw "Rogue Access Point Detected" errors, all enabled by DEFAULT. That's some good out of the box protection.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
I'm just not sure, in a home type of environment with a basic modem, how anything above an old WRT54G wouldn't provide the necessary firewall protection. Nothing would handle a home connection against a DDoS attack, so that's not the level of concern I have nor something I would try to prevent... not going to run the CPU power to stop that.

Can anyone explain why I would NOT be protected without this high level firewall? Seems like if you're not opening up your network so much to the outside, it's pretty tough to take advantage.

I have to account for things like the fact there's an internet cord outside the house, connected to a camera 20 ft from the ground. So I have to protect against things like that so people can't plug in directly and access my network (yay for VLANs). I just don't see why, if I ran Ubiquiti, I would need to run the advanced firewall features.

I haven't had time to play around with that yet, cords are still running through the floor of the house.

Apparently one of the Google WiFi points was left powered on while my new network was being created. This was causing the UDM Pro to throw "Rogue Access Point Detected" errors, all enabled by DEFAULT. That's some good out of the box protection.

People believe firewalls are there to protect them from traffic coming inbound (internet). Truth is, it is there to stop traffic leaving your network. NAT will stop anything originating from the outside to an inside address. But they actually will need a firewall to stop endpoints from dialing home to a botnet, or going to a website that is known for malware, or to stop malware\virus in its tracks when the endpoint requests the payload. Further advanced features delve into IPS\IDS\ATP, application layer filtering, web filtering (URL) and HTTPS decryption. Ubiquiti can do many of the previous features. But my complaint is, if they are going to offer enterprise-like features, they need to offer HTTPS decrypt. Without HTTPS decrypt capability, web filtering takes a hit and sets them back about a decade compared to the competition. Many malware sites are now encrypting their traffic. Without HTTPS decrypt, the malware will come through because the firewall can't inspect the traffic due to it being encrypted.

And yes, it does take setting up with the firewall's certificate installed on the endpoint. But this can also be accomplished with an agent install that hooks into the firewall à la Zscaler. An agent would make certificate install seamless.
 

Mir96TA

Golden Member
Oct 21, 2002
1,949
37
91
People believe firewalls are there to protect them from traffic coming inbound (internet).
That is what a F.W. does. It's called security policy. I mean it cannot stop traffic that is trying to enter. However, it will get dropped or permitted depending on the security policy at the outside interface.
Truth is, it is there to stop traffic leaving your network.
Again, security policy can do that.
NAT will stop anything originating from the outside to an inside address.
NAT is basically an address forwarding table. Nothing more than that.
Yes, if the NAT table does not have an entry (dynamic) for return traffic, it may get forwarded by the NAT static table or get dropped.
But they actually will need a firewall to stop endpoints from dialing home to a botnet, or going to a website that is known for malware, or to stop malware\virus in its tracks when the endpoint requests the payload. Further advanced features delve into IPS\IDS\ATP, application layer filtering, web filtering (URL) and HTTPS decryption. Ubiquiti can do many of the previous features. But my complaint is, if they are going to offer enterprise-like features.
IPS/IDS and other threat prevention can inspect data at the network level.
L7 is for controlling access beyond port and IP.

And yes, it does take setting up with the firewall's certificate installed on the endpoint. But this can also be accomplished with an agent install that hooks into the firewall à la Zscaler. An agent would make certificate install seamless.
If they are using certificate pinning on an MS OS system, all F.W.s need a Root CA, and sign off a subordinate certificate from the local CA authority. No distribution is required.
If it is a SOHO (AKA no CA) setup, install manually.
However, SSL inspection requires a lot of processing power on the F.W.; picking the right size of F.W. is key for success.
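To make concrete the point the last two posts make (NAT is only a forwarding table that admits return traffic matching a dynamic entry, while only an egress policy stops an inside host from calling out), here is an added Python sketch of a stateful gateway. It is an illustration written for this page, not Ubiquiti, pfSense or Sophos code; the addresses, block lists and method names are constructed, and the domain match uses the plaintext TLS SNI as a simplification of what the thread calls web filtering.

```python
from dataclasses import dataclass, field

# Constructed policy data for the example (not from any vendor product).
# 203.0.113.45 is a TEST-NET-3 address standing in for a known botnet C2.
BLOCKED_DESTINATIONS = {"203.0.113.45"}
BLOCKED_DOMAINS = {"malware.example"}  # matched on the TLS SNI name, no decrypt needed

@dataclass
class Gateway:
    """Stateful NAT plus an egress policy, as the two posts above describe them."""
    public_ip: str
    next_port: int = 40000
    # Dynamic NAT table: public_port -> (inside_ip, inside_port, dst_ip, dst_port)
    nat_table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, sni=None):
        """Inside -> outside: egress policy first; only an allowed flow gets a NAT entry."""
        if dst_ip in BLOCKED_DESTINATIONS or (sni and sni in BLOCKED_DOMAINS):
            return "DROP: egress policy"
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return f"FORWARD as {self.public_ip}:{pub_port}"

    def inbound(self, src_ip, src_port, dst_port):
        """Outside -> inside: NAT is only a forwarding table, so a packet is
        translated when it matches a dynamic entry and dropped otherwise."""
        entry = self.nat_table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return f"FORWARD to {entry[0]}:{entry[1]}"
        return "DROP: no NAT entry"

def demo():
    """Run the scenarios from the thread and return the verdicts."""
    gw = Gateway(public_ip="198.51.100.7")  # constructed public address
    return {
        # a laptop browsing an ordinary site: allowed, creates state
        "web_out": gw.outbound("192.168.1.20", 51000, "93.184.216.34", 443, sni="example.com"),
        "web_reply": gw.inbound("93.184.216.34", 443, 40000),
        # an unsolicited probe from the internet: no NAT entry, dropped
        "probe_in": gw.inbound("203.0.113.9", 4444, 40001),
        # a compromised camera dialing home: NAT alone would translate it,
        # only the egress policy stops it
        "c2_out": gw.outbound("192.168.50.5", 33000, "203.0.113.45", 443),
        # a TLS flow to a blocked domain, identified by SNI
        "malsite_out": gw.outbound("192.168.1.20", 51001, "198.51.100.99", 443, sni="malware.example"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```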
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Thanks folks.. sounds like I might have a website or two to whitelist if I turn a few things on.

I used the ad-blocking/malicious-DNS blocker Pi-hole a few months ago and finally gave up.

It blocked so many websites that my local grocery store's ads couldn't be viewed. I had to debug the DNS log to find out what was blocked.

Now I use the Chrome extension Ghostery instead.
 