I am wondering what hardware I could use to make a physical firewall. Actually, I only have my Livebox, which is not really used because all services except the NAT are on a NethServer VM.
The first idea could be to find an old PC, of course, but I still have many, many servers/laptops in my room, and I was looking to either virtualize it (but I am not sure it is really secure) or buy a pfSense/NethServer-compatible mini PC.
In the end I would like to know what hardware I could buy; if you have some clues with some links to evaluate the cost, I would be pleased.
I have had one of these for more than 2 years with NethServer on it, and it works well. No fan, 4 gigabit ports, bought with 2 GB and lately upgraded to 8 GB. The CPU obviously is not a monster, but for my use (NS 7.9 + Nextcloud + Zabbix + Pi-hole and sometimes ntopng or a proxy) it is more than enough, and it's low power.
I'd really suggest one of those APU boards; the quad core was so popular they got a new batch of 500 pieces at the end of November, all sold out within one week! The next batch is coming at the beginning of January.
Those are the ones with Quad Core, 4 GB RAM and 4 NICs.
The ones with 3 NICs are available, about 10€ cheaper.
These are good for up to about a 400 MBit/s Internet connection.
I have one of these boxes at the hotel client.
They have 4 simultaneous OpenVPN and 2 IPsec VPNs always open…
If they're difficult to get in France, I can send you a box; after all, they're in Switzerland.
Yes, it’s a little more powerful than the Celeron (j1900).
The APU is used for pfSense and OPNsense.
As a matter of fact, Deciso, the maker of the OPNsense distro, actually sells the APU board for both distros:
These are both the APU, but I think the hardware is quite a bit older. I have one of these at the hotel I mentioned, more than enough power. But it's APU1 or APU2, AFAIK.
Cool thing as a dev: you can use the optional ports OPT1 and OPT2 to play around, e.g. with Captive Portal on OPNsense / pfSense, compared with what NethServer has. NethServer can run on these too; you just need to use serial as output, not VGA or any monitor…
Also, you can boot from SD or SSD; this can be switched in the BIOS, and even USB boot is possible.
I'd suggest using the 120 GB mSSD; it's faster than a fast SD card, and runs much cooler too!
These boxes are VERY reliable, not even a power supply died on me in the last 4-5 years using them.
All drivers are automatically recognized by OPNsense / pfSense…
The card has these specs:
Compex WLE200NX 802.11a/b/g/n miniPCI express wireless card (for apu)
The other cards have no drivers for FreeBSD; neither OPNsense nor pfSense will recognize them.
A "real" AP is always better and more powerful, but in the beginning I needed Internet at home (in Germany), and I only had a wireless hotspot without LAN, so I used the shown construction of OPNsense with OPNsense as AP client… It was also a "test" to see how usable a wireless setup like that could be. Usable, but there are better solutions. Aerial, cables and WLAN adapter cost all in all about 20€ more.
A separate firewall has sooo many advantages, for networkers like me or devs like you.
If, during a session, your NethServer doesn’t quite work as expected, you still have full Internet to research the problem and find a solution.
The only change you could make on a client PC or server which "would" affect a hardware firewall is an IP conflict, and only if you allocate the same IP to another box. But NO other change, for example on your NethServer, would cause an Internet disruption.
But I also need stronger WiFi at home; my WiFi AP (Netgear) is now a few years old, and my Apple AirPort Extreme is also a few years old now… Both work, but the coverage could be better.
I'm using the OPNsense WiFi as Internet backup / failover. My neighbor also has Internet, but if my cable modem fries, I can use his Internet via Wi-Fi… (We have a deal: I fix his IT…)
My two cents
Andy
PS: I can provide you with a "standard" config (à la Andy) to start with OPNsense.
VPN with IPsec and OpenVPN are halfway preconfigured and only need adaptation to your actual IPs and networks.
pfSense is not open source; the Git repo is NOT compilable!
I also have this in mind to get a dual WAN; for now, with the fiber, it is more reliable than with the copper. In France the ISPs' subcontractors are paid per intervention, no matter the time they spend, so it is so easy to unplug a working connection to fix the non-working one… For two years with the fiber, no more trouble; it is so much fun.
Maybe I would go for an LTE backup, but it is some euros more each month… maybe I should go knock on my neighbour's door.
A deal with your neighbor is often to mutual benefit!
I have here at home a 600 MBit/s cable connection and an LTE backup (Huawei mobile hotspot with LAN and WiFi), but sometimes I take that box along; then my neighbor's Internet is my "WAN failover".
How fast is your fiber?
In Switzerland, in quite a few cities, you can get a 10000 GBit/S connection with the same upload speed as download, for about 100€ per month! But not yet where I live!
Also, I'd need a 10 GbE switch and router to benefit from that speed!