Hi All,
I have been using ClearOS on an old PC for many years to manage my
internal network. I have my broadband router on its own subnet on one
NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/malware protection etc. etc.
I am getting FTTP installed next week so thought I would take the
opportunity to re-look at the network setup whilst I am at it. My version
of ClearOS requires a full rebuild to upgrade anyway so thought I would
look at what the best is these days.
After a bit of Googling, pfSense seems to be the most popular but was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install so maybe these days the routers are good enough and should scrap
the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/physical separation (maybe a security expert might say this makes no real difference?).
Also, any suggestions on good newsgroups I should post to instead who
focus on these sorts of things?
leen...@yahoo.co.uk <leenowell@yahoo.co.uk> wrote:
> Also, any suggestions on good newsgroups I should post to instead who
> focus on these sorts of things?
uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a crosspost...
On 26/09/2021 11:51, Theo wrote:
> leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
>> After a bit of Googling, pfSense seems to be the most popular but was
>> wondering if anyone here had any views on pfSense vs ClearOS or indeed any
>> alternative suggestions?
> uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a crosspost...
pfSense is OK. I've been using it for many years. If you have a PC with
a dual NIC you can test it in a Virtual Machine.
People say OpenWRT is good. I would try it, but I have a working pfSense
set up and it is too much effort to change. i.e. pfSense doesn't annoy
me enough for the effort of a change.
Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks which seems more secure to me than a pure software firewall if I went down the router space. ClearOS also gives a lot better logging/metrics than my routers - unsure what OpenWRT provides.
My house is all wired with cat6 so either have the end devices connected
via Ethernet or via a series of other wifi routers dotted around the house
to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?
leen...@yahoo.co.uk <leen...@yahoo.co.uk> wrote:
> Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks which seems more secure to me than a pure software firewall if I went down the router space. ClearOS also gives a lot better logging/metrics than my routers - unsure what OpenWRT provides.

I'm not sure what you mean about a 'pure software firewall'. The PC with
two NICs is using software to route from one NIC to the other. It doesn't have a hardware firewall.
A typical wifi router has a single NIC but its five ports (4xLAN, 1xWAN)
are all connected to a VLAN-enabled switch. The OS sets up the VLAN tags on the ports to be, for example, 1-4=VLAN #1, 5=VLAN #2, and designates VLAN#1 as LAN and VLAN#2 as WAN.
Then it sees a packet coming in on VLAN#2 and decides whether or not to route it to VLAN#1. Depending on the SoC there may be a bit of NAT acceleration in there, but it's mostly all software, just like the dual-NIC case.
As far as the OS is concerned it has two network ports, which are enforced by the VLAN tagging in the switch (ie hardware). An attacker coming in on VLAN#2 can't forge the VLAN tag to make their traffic look like it came from VLAN#1, because the tags are all internal and not sent over the wire.
So unless the OS sets up the VLANs in a broken way (in which case it wouldn't work) it's effectively two NICs.
With a replacement router OS you can control the port<->VLAN mappings, so you can decide to have 5 different isolated networks if you want. To do
that on a PC would require a 5 port NIC or an external VLAN tagged switch.
OpenWRT has some packages for logging etc. They aren't installed by default (due to having to fit on routers with small amounts of flash) - I haven't tried them.
> My house is all wired with cat6 so either have the end devices connected via Ethernet or via a series of other wifi routers dotted around the house to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?

It could be worth a go. I have an HH5a as the main router, and a Ubiquiti AP for wifi, both flashed with OpenWRT. Both have a port configured to export VLAN-tagged traffic (ie not strip the VLAN tags inside the switch), and I have multiple wifi networks configured, one for each VLAN. That means I
have an 'IoT junk never going near the internet' wifi network which routes back to the firewall config on the main OpenWRT router. It's a bit more fiddly setting this up than if it was integrated into the main router, but then I can place the AP in a better location.
Theo
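As an added illustration of what Theo describes above (the port-to-VLAN mapping done in the router's switch, a trunk port that keeps its VLAN tags towards the AP, and an IoT wifi network that can never reach the internet), here is what the relevant OpenWRT UCI stanzas look like. This is example configuration written for this page, not Theo's own config or anything from the OpenWRT project. It assumes an OpenWRT 21.02-style DSA target with ports named lan1..lan4 and wan, VLAN 1 for the trusted LAN and VLAN 30 for IoT, and lan4 as the trunk to the AP; on older swconfig targets the same mapping is expressed with `config switch_vlan` sections instead of `bridge-vlan`.

```uci
# /etc/config/network on the main router (excerpt). Example for this page,
# not the configuration from the thread. Port names lan1..lan4/wan and the
# VLAN IDs 1 and 30 are assumptions; substitute your own.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# VLAN 1 = trusted LAN, untagged on every LAN port. '*' marks the PVID,
# i.e. the VLAN that untagged frames arriving on that port are put into.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

# VLAN 30 = IoT, carried tagged only on lan4, the trunk to the wifi AP.
# The switch does not strip the tag on this port, so the AP can map the
# frame to the right SSID.
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

# The WAN port is its own interface and deliberately NOT a bridge member,
# so a tagged frame arriving from the ISP side has no internal VLAN to land in.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# /etc/config/firewall on the main router (excerpt).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

# IoT zone: nothing is forwarded out of it. There is no 'forwarding'
# section with src 'iot', so iot -> wan and iot -> lan hit this REJECT.
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

# Trusted LAN may initiate connections to IoT devices; replies come back
# via connection tracking, but IoT cannot initiate towards the LAN.
config forwarding
        option src 'lan'
        option dest 'iot'

# IoT devices still need the router itself for DHCP and DNS, so open only those.
config rule
        option name 'Allow-IoT-DNS'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DHCP'
        option src 'iot'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

# /etc/config/wireless on the AP (excerpt): one SSID per VLAN. The AP's own
# /etc/config/network must define 'iot' as a proto 'none' interface on the
# 802.1Q sub-device of its uplink (eth0.30 is an assumed name).
config wifi-iface 'iot_wifi'
        option device 'radio0'
        option mode 'ap'
        option ssid 'home-iot'
        option network 'iot'
        option encryption 'psk2'
        option key 'change-me'
        option isolate '1'
```

After `uci commit` and `/etc/init.d/network restart`, `bridge vlan show` (from the ip-bridge package) lists which VLANs each port carries and whether they are tagged, which is the quickest way to confirm that the wan port is in none of them and that only lan4 carries VLAN 30 tagged. The isolation rests on two things the config cannot enforce on its own: the ISP-facing router must really be plugged into the wan port, and the trunk port lan4 must be somewhere an untrusted device cannot be plugged in, since anything on that port may send frames tagged with any VLAN the port carries.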