Home Firewall: pfSense On Untangle Hardware? (u150)

PinkFloydEffect

Regular Contributor
I really want to run pfSense at home, to create a subnet as I share a WiFi network with another family. The current system requirements are a 600MHz processor with 512MB of RAM. I have some firewall choices I got from work, I just started studying for my CCNA so bear with me if I am not making sense on your level yet. We upgraded our firewall a few times over the years at work, especially when we started using two different WAN connections. We have a D-LINK DFL-260E, a NETGEAR FV336G and a UNTANGLE u150 all of which are no longer being used. Now we just run pfSense on a little standalone 1U HP server with 4 NICs. Not sure why we did not load it onto the Untangle?


The DFL-260E only has a 266MHz processor (Intel xScale IXP425), some appear to have come with a 532MHz Intel xScale IXP435 but that is barely going to cut it. The FV336G only has a 300MHz processor and 64MB of DRAM so that will not run pfSense either. However the u150 has a dual-core processor with 4GB of RAM and a 7200rpm HDD so that should be capable of running pfSense. I know you can buy a mini-PC with multiple NICs to run pfSense but this u150 has high quality NICs. I may even be able to upgrade the HDD to a SSD, I can run pfSense on Untangle hardware...right?


D-LINK DFL-260E
http://www.dlinkworks.com/DFL-260E.asp

Port Speed: 7x Switched Ports @ Gigabit
PoE: ?
Firewall Throughput: 150Mbps
VPN Throughput: 45Mbps
IPS Throughput: 60Mbps
CPU: Intel xScale IXP425 @ 266MHz*
CPU: Intel xScale IXP435 @ 532MHz*
Memory: Unknown

-

NETGEAR FVS336G
https://www.netgear.com/business/products/security/FVS336G.aspx

Port Speed: 6x Switched Ports @ Gigabit
PoE: ?
Firewall Throughput: 350Mbps (LAN-to-WAN)
VPN Throughput: 78Mbps (3DES) – 14Mbps (SSL)
IPS Throughput: ?
CPU: Unknown @ 300MHz
Memory: 16MB Flash / 64MB DRAM

-

UNTANGLE u150
https://untangle-firewall.it/wp-content/uploads/2018/02/Untangle-Datasheet-Jan-2018.pdf

Port Speed: 6x Switched Ports @ Gigabit
PoE: ?
Firewall Throughput: 1Gbps
VPN Throughput: ?
IPS Throughput: ?
CPU: Pentium Dual Core @ ?
Memory: 1TB @ 7200rpm / 4GB RAM
USB 3.0: 2x


The u150 seems like the winner, much faster throughput! Thoughts? Would be nice if the firewall supported PoE too...possibly the Untangle?
 
ODROID H2 x86 board with VYOS or OPENWRT will run much faster, 1.5G both ways. Can use Ubuntu Server 18.04 LTS as a DIY router if you enjoy minor coding. Also smoother with less incomplete downloads. Never bring old defective equipment home from work!
 
I am not a fan of coding at all to be honest. This may be old equipment, but it's not defective lol, it just did not meet our goals anymore. Figured it was a home solution without spending money, I really do not need 1.5G anyway seeing how my home connection is only 300Mbps duplex.

Do you really not recommend using the Untangle? It's really just me on my network, maybe a CCTV camera, my phone on an AP, and I would like to set up a VPN because I am always accessing my home PC from work using RealVNC. So the demand on the firewall will be very low, I figured the Untangle was actually overkill to be honest.
 
It will probably run pfSense, if you have the box at home you can always try and see if it fits your needs ;)

On the other hand, if you are just looking for a firewall for your home, why not use it with Untangle? It is not that expensive for home use.

Sent from my SM-G955F using Tapatalk
 
Have you ever run OpenWrt, Untangle, pfSense, Sophos, OPNsense, etc. firewalls?
Could you share some own experience with this "less incomplete downloads" thing?
Thank you!

ODROID H2 with Realtek NICs... really?
 
The Untangle u150 should run your pfSense fine. Not sure how fast it can run VPNs though, if you're looking for that. I run Untangle at home. Why not use the u150 to run Untangle? The home version is $50 a year but you can also run the free version if you want.
 
I did not want to pay the $50, this is a novelty to me right now. I was not aware there was a free version but I will have to look into what limitations it has.

Does anyone know if I can run two routers on a Frontier ONT? I want to leave the existing ISP router in place and also run my own in front of this firewall, creating two completely isolated networks.
 
You can always run the two routers on one internet connection. You will have a 'double NAT' situation.
The second router is placed in the network of the first router, so it is not a completely independent network.

If your provider has given you more than one public IP, I think it is possible to put them in parallel and create two completely independent networks (place a small switch between the ONT and the routers). However, I never tried or researched this theory.

Sent from my SM-G955F using Tapatalk
 
Sounds like I am pretty screwed on this idea, the whole point of adding a router is so that I do not tamper with the landlord's connection. So putting their router behind mine is just another point of failure, and I will never hear the end of that if it happens. I am just going to have to get my own connection.
 
I have not figured out what all this means for limitations in running a VPN behind my landlord's router/firewall yet, but I can still create a subnet for myself. I am unable to get the ISP to drop another connection or ONT to this address, so I am still trying to work with what I have.

Things are looking promising so far for running pfSense on Untangle hardware, I opened up the enclosure and chipped away the adhesive on the hard drive connections. It's running a 500GB WD5003ABYX that I replaced with a 120GB Kingston A400 SSD using a 2.5" surface mount drive caddy. I tried upgrading the RAM to 8GB but the BIOS would not post so I put the OEM 4GB back in. The BIOS is very interesting with all sorts of settings I have never seen before on a consumer grade main board.

I was concerned about the excessive noise level of the cooling fans, they are small and run at a very high RPM which is not ideal for in-home use so I thought I was going to have to install a vent on the top of the case with a large diameter low RPM fan. I assume small diameter fans at a higher RPM are more reliable for enterprise environments? However thanks to the extensive BIOS settings I was able to change all the fans from a manual max RPM setting to an automatic thermally controlled setting, which has reduced the noise by probably 90% which is great! I will have to see how loud it gets under a resource load though...my guess is that the manual fan settings are more reliable for enterprise environments because it bypasses the thermal sensor(s) which is just another potential point of failure.

The PSU must be of high quality because it's not redundant, and firewalls are the only thing between a WAN and LAN which could be a weak link in the chain. I know you can implement a transfer switch but that does not cover a PSU failure, which must be why the industry is migrating to small blade servers for pfSense that have redundant PSUs which is what my company has done.

I do see a secondary SATA connection on the main board and the BIOS settings do have a RAID configuration option so this board probably has a RAID controller. In that case I may be able to install a secondary redundant SSD, or maybe even use the secondary SATA connection for a NAS if pfSense is capable. However this SSD model is likely nowhere near as reliable as the HDD I removed so the SSD RAID is much more desirable than a NAS.
I was easily able to boot the pfSense installer from a USB flash drive, but did not have time to proceed with the installation before leaving the office. Looks promising though so I will let you all know how it goes this week!
 
I have not figured out what all this means for limitations in running a VPN behind my landlord's router/firewall yet, but I can still create a subnet for myself. I am unable to get the ISP to drop another connection or ONT to this address, so I am still trying to work with what I have.
You should have no problem with outbound VPN, but you will have challenges with trying to do an inbound VPN (for remote access) behind a double NAT. Also to note, VPN performance won't be the greatest since the CPU in here is unlikely to support AES-NI. Depending on your needs...it may not really matter until pfSense goes back to making AES-NI a requirement again...if they get around to that again.

I was concerned about the excessive noise level of the cooling fans, they are small and run at a very high RPM which is not ideal for in-home use so I thought I was going to have to install a vent on the top of the case with a large diameter low RPM fan. I assume small diameter fans at a higher RPM are more reliable for enterprise environments? However thanks to the extensive BIOS settings I was able to change all the fans from a manual max RPM setting to an automatic thermally controlled setting, which has reduced the noise by probably 90% which is great! I will have to see how loud it gets under a resource load though...my guess is that the manual fan settings are more reliable for enterprise environments because it bypasses the thermal sensor(s) which is just another potential point of failure.
Enterprises rarely care about noise, these belong in a data center. Also note...small fans due to small chassis. In an Enterprise, these would be in a rack with other systems directly above or below it. They must be front/back breathers due to rack requirements. It is the trade-off of being in a 1U enclosure.

The PSU must be of high quality because it's not redundant, and firewalls are the only thing between a WAN and LAN which could be a weak link in the chain. I know you can implement a transfer switch but that does not cover a PSU failure, which must be why the industry is migrating to small blade servers for pfSense that have redundant PSUs which is what my company has done.
You either go with a small box with single PSU and accept the failure scenario, get a dual PSU box, or run two boxes in HA. All about the price point and the risks you are willing to accept. We have a mixture of both in our Enterprise. For the more critical stuff, we have dual PSU boxes running in HA. For the standard Enterprise stuff, single PSU boxes in HA. And for lab environments, single PSU box. If a lab goes down for a few hours, it is annoying, but not a huge financial impact. If your ERP system goes down for a few hours...the majority of the company shuts down...therefore spending an extra $100K on equipment is pocket change in the bigger picture.
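
The reply above leaves open whether the u150's CPU has AES-NI. The following is an added example, not part of any post in this thread: a shell check that reads the CPU feature list from a pfSense/FreeBSD boot log (`/var/run/dmesg.boot`) or a Linux `/proc/cpuinfo`. The function names and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# cpu_has_aesni [FILE]: exit 0 if an x86 CPU feature list names AES-NI,
# exit 1 otherwise. Reads stdin when no FILE is given.
cpu_has_aesni() {
    awk '
        # FreeBSD/pfSense boot log: Features2=0x...<SSE3,...,AESNI,...>
        /Features2=/ {
            s = $0; sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, feat, ",")
            for (i = 1; i <= n; i++) if (feat[i] == "AESNI") found = 1
        }
        # Linux cpuinfo: match the exact word "aes", so "vaes" alone does not count
        /^flags[ \t]*:/ {
            for (i = 1; i <= NF; i++) if ($i == "aes") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# aesni_status FILE: print present, absent, or unknown (file not readable).
aesni_status() {
    if [ ! -r "$1" ]; then echo unknown
    elif cpu_has_aesni "$1"; then echo present
    else echo absent
    fi
}

# Constructed boot-log excerpts (not taken from a real u150).
sample_with_aesni() {
    cat <<'EOF'
CPU: Example x86 CPU (constructed sample)
  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE>
EOF
}
sample_without_aesni() {
    cat <<'EOF'
CPU: Example x86 CPU (constructed sample)
  Features2=0x4d9ae3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE>
EOF
}

# On a live box, report from whichever source exists.
for f in /var/run/dmesg.boot /proc/cpuinfo; do
    if [ -r "$f" ]; then echo "$f: AES-NI $(aesni_status "$f")"; break; fi
done
```

Running it from a shell on the installed system answers the question before any VPN tuning; an `absent` result means AES is done in software and VPN throughput will be bounded by the CPU.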
 
Untangle is going to be a better firewall than pfsense. If you are studying for your CCNA then you will be better off running a Cisco router on the edge and running Untangle in transparent bridge mode behind the router. Untangle can be installed 2 ways one being in transparent bridge mode and the other as router mode.

Running pfsense is not going to prepare you for CCNA testing. You need to be running Cisco IOS devices. The most affordable will be the devices close to end life.
 
Thank you for your responses. I am not using this to study for my CCNA though I just want to make that clear. I will build a lab specific to that as the need arises. This is just free hardware to use at home as a "better than nothing" solution.

I guess given the circumstances this will end up being used just to create a subdomain, and function as a switch if I can VLAN a few ports together. I do not have much of a need to run a VPN out of my home...the only thing I do remotely is access my workstation with RealVNC.

This is what the RAID settings look like in the BIOS for the u150. I must have missed the RAID option in the pfSense setup because the BIOS does not provide many options for configuring a RAID.
 
