Upgrade to Wifi6?

OK, then you're limited to your WAN port, which these days is either 1 Gbps or 2.5 Gbps

Good enough for most users. What's the point of this conversation? How to spend maximum amount of money on hardware?

300/300 Mbps internet connection

If you don't need a fast internal wireless network, you are good with what you already have. If you want to upgrade to Wi-Fi 6, better spend some money on SMB equipment instead of another set of home routers used as APs. There are options available at prices similar to home routers.
 
OK, then you're limited to your WAN port, which these days is either 1 Gbps or 2.5 Gbps unless you're investing in something more than a home router.

So, you see how if you follow the path from Client to WAN you have several roadblocks to getting your true potential speed.
What if you have 4 clients at 1Gbps each?
 
If you don't need a fast internal wireless network, you are good with what you already have. If you want to upgrade to Wi-Fi 6, better spend some money on SMB equipment instead of another set of home routers used as APs. There are options available at prices similar to home routers.
I have 1 Gbps wired connectivity through the home, except for the barn, which is sufficient right now. My QNAP NAS is also only 1 Gbps capable. This should be enough for now.
Yes, I heard about Ubiquiti UniFi.
 
I have 1 Gbps wired connectivity through the home, except for the barn, which is sufficient right now.

Save your money and make a budget for something better, when you need it.
 
I have a Cisco PIX-506 lying around, but it's very old.
If you know how to configure the Cisco PIX then a Cisco Firepower 1010 using ASA code would be close to the same. I am thinking around 2 gigs of throughput. I have seen the price around $500 plus a license for around $100. I have been considering one, well, two, as I need a new setup for my daughter's new house this summer.

I am just waiting on Cisco and their RV340 router replacement. I hate to let people down and change to a Cisco device that only me and a handful of people can configure on this site.
 
Cisco PIX then a Cisco Firepower 1010 using ASA code would be close to the same. I am thinking around 2 gigs of throughput. I have seen the price around $500 plus a license for around $100.
Why?

Unless you're running a ton of rules it's overkill. All you need is iptables on a Linux box to get wire-speed connectivity. If you put too many rules on the system it takes longer to process and slows things down. A PC has more HP than a PIX.
 
Why?

Unless you're running a ton of rules it's overkill. All you need is iptables on a Linux box to get wire-speed connectivity. If you put too many rules on the system it takes longer to process and slows things down. A PC has more HP than a PIX.
I don't think so. I think it is a very secure option for a firewall. This is enterprise level not consumer level so it is very granular being enterprise level. It will not be easy to setup as you start with inbound and outbound traffic blocked.

You will also need to jump through all the Cisco licensing hoops to make it work.

PS
Just to be fair the Cisco Firepower 1010 is the smallest one Cisco makes so it does have its limit. The bigger ones are pretty expensive.
 
It will not be easy to setup as you start with inbound and outbound traffic blocked.
I have iptables set up in default block as well. It's not that difficult.

I've played with tons of FWs, Cisco / Juniper mostly, from small-site FWs to core FWs for nationwide networks.
 
I have iptables set up in default block as well. It's not that difficult.

I've played with tons of FWs, Cisco / Juniper mostly, from small-site FWs to core FWs for nationwide networks.
Sounds like you are well versed and can configure a Cisco Firepower 1010 firewall. I am sure there are other people here as well. The problem is the average user here will not be able to make it work. Surely Cisco knows this and replaces the Cisco RV340 router.
 
The problem is the average user here will not be able to make it work.
Then why bring it up in the first place?

If you can take an RPi for $50, or whatever they cost, throw iptables onto it and get the same result w/o dealing with the licensing BS w/ Cisco or the price... it doesn't make sense.

However a power user / prosumer not interested in the Asus Fanboy experience might come across this thread and find something useful through a google search.

Taking a Cisco FW config and being able to chop it down into this is impossible.
Code:
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*mangle
:PREROUTING ACCEPT [41:49134]
:INPUT ACCEPT [39:49020]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [21:1544]
:POSTROUTING ACCEPT [22:1474]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*security
:INPUT ACCEPT [24:32068]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [20:1360]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*raw
:PREROUTING ACCEPT [41:49134]
:OUTPUT ACCEPT [21:1544]
:FORWARD - [0:0]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 23 20:51:32 2022

Even the PEBKAC user can figure this out with very little explanation, and get the full protection offered by a $500 FW that can't (shouldn't) be used as a router. This iptables configuration is quite basic and probably more secure than your initial lockdown configuration on a PIX. I've been running this for years now and have had no issues or anything triggering a raised eyebrow for traffic that shouldn't be there.
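Editor's note, added example (not the poster's code): the ruleset above is default-deny on all three built-in chains, but the PERMIT-FWD chain accepts NEW connections from any interface, not only br0. Whether anything arriving on the uplink ever reaches that rule depends on the MASQUERADE NAT and on what the provider or VPN peer routes toward you, so a practitioner would rather pin the rule to the LAN interface and check the dump mechanically instead of by eye. The Python below does that: it parses the posted filter table (embedded as a constructed sample), confirms the DROP policies, counts how many rules a packet hits before the RELATED,ESTABLISHED fast path (the rule-count-versus-speed point raised earlier in the thread), flags FORWARD-path rules that accept NEW without an -i match, and emits a hardened copy. The set of trusted interfaces is an assumption the caller supplies; br0 is taken from the post's own -i br0 rules.

```python
"""Audit an iptables-save dump for a default-deny home router.

Added example, not code from the post. Parses the filter table, checks the
built-in policies, measures rules before the conntrack fast path, and flags
FORWARD-path rules that accept NEW connections without an ingress-interface
match. Never runs iptables itself; feed it `iptables-save -t filter` output.
"""
import shlex

# Constructed sample: the *filter table exactly as posted, nat table omitted.
POSTED_FILTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
"""


def parse(dump):
    """Return {table: {chain: {"policy": str, "rules": [token lists]}}}.
    A policy of '-' marks a user-defined chain, as in iptables-save output."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split()
            tables[table][name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            toks = shlex.split(line)
            tables[table].setdefault(toks[1], {"policy": "-", "rules": []})
            tables[table][toks[1]]["rules"].append(toks[2:])
    return tables


def opt(toks, flag):
    """Value following `flag` in a rule's tokens, or None if absent."""
    for i, tok in enumerate(toks[:-1]):
        if tok == flag:
            return toks[i + 1]
    return None


def walk(chains, name, seen=None):
    """Yield (chain, rule) for every rule reachable from `name`, descending
    into user-defined chains on -j, in evaluation order. Each chain is
    visited once, which is enough for a linear audit like this one."""
    seen = set() if seen is None else seen
    if name in seen or name not in chains:
        return
    seen.add(name)
    for rule in chains[name]["rules"]:
        yield name, rule
        target = opt(rule, "-j")
        if target in chains and chains[target]["policy"] == "-":
            yield from walk(chains, target, seen)


def policies(tables):
    """Default policy of the three built-in filter chains."""
    return {c: tables["filter"][c]["policy"] for c in ("INPUT", "FORWARD", "OUTPUT")}


def rules_before_fastpath(tables, root):
    """How many rules a packet traverses from `root` before the first
    ACCEPT of RELATED,ESTABLISHED traffic; None if there is no such rule."""
    for n, (_, rule) in enumerate(walk(tables["filter"], root)):
        states = set((opt(rule, "--ctstate") or "").split(","))
        if opt(rule, "-j") == "ACCEPT" and {"RELATED", "ESTABLISHED"} <= states:
            return n
    return None


def find_open_forwards(tables, trusted_ifaces):
    """FORWARD-path rules that ACCEPT NEW connections whose -i match is not
    one of the trusted (LAN-side) interfaces. trusted_ifaces is an assumption
    supplied by the caller."""
    findings = []
    for chain, rule in walk(tables["filter"], "FORWARD"):
        states = (opt(rule, "--ctstate") or "").split(",")
        if opt(rule, "-j") == "ACCEPT" and "NEW" in states \
                and opt(rule, "-i") not in trusted_ifaces:
            findings.append(f"{chain}: {' '.join(rule)}")
    return findings


def harden(dump, trusted_iface):
    """Copy of the dump with every FORWARD-path NEW-accept that lacks an -i
    match pinned to trusted_iface. INPUT/OUTPUT paths are left untouched
    (-i is meaningless in OUTPUT), as are rules that already name an interface."""
    chains = parse(dump)["filter"]
    fwd_chains = {"FORWARD"} | {chain for chain, _ in walk(chains, "FORWARD")}
    out = []
    for line in dump.splitlines():
        if line.startswith("-A "):
            toks = shlex.split(line)
            states = (opt(toks, "--ctstate") or "").split(",")
            if toks[1] in fwd_chains and opt(toks, "-j") == "ACCEPT" \
                    and "NEW" in states and opt(toks, "-i") is None:
                line = f"-A {toks[1]} -i {trusted_iface} " + " ".join(toks[2:])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    t = parse(POSTED_FILTER)
    print("policies:", policies(t))
    print("rules before fast path (FORWARD):", rules_before_fastpath(t, "FORWARD"))
    print("open forwards:", find_open_forwards(t, {"br0"}))
    print(harden(POSTED_FILTER, "br0"))
```

Run it as-is to see the one finding on the posted table, or pipe the real `iptables-save -t filter` output into `parse()`. The hardened copy only changes the flagged PERMIT-FWD line; the RELATED,ESTABLISHED rule stays first, so return traffic for connections the LAN opened still takes the fast path.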
 
I guess you know the Cisco PIX firewall has been gone for many years, I am guessing like 10 years ago, enough to where you should not be referencing a PIX except in past tense.

There are many currently active Cisco Firepower firewalls out there. It is widely used nowadays. More at the business level. Businesses do not use iptables in straight Linux as much as Cisco Firepower firewalls in this country. This is for thread reference.
 
PIX, ASA, FP, whatever you want to call them, it's the same HW with a different name.

I know an enterprise deployment isn't going to use iptables, but a home user doesn't have a six-figure budget to be dealing with the blue boxes.

The first rule of most things is KISS, and if you don't follow it then you're exposed and stuff doesn't work. The more you complicate the deployment, the easier it is to miss a hole that lets data out or in from where it's supposed to be contained. Segregation / isolation of data into compartments is the goal when trying to prevent leaks.

It is, however, able to be scaled with iptables w/o being vendor specific if you use switches for the port density and high-capacity cards on a server chassis. Big tech doesn't use common equipment from Cisco / Juniper / etc. to achieve the bandwidth they need to supply access to billions of people. Sure, there's some of it scattered through the network for specific purposes, but in more of a DC environment, to keep things moving, it's easier to roll out a cluster of hypervisors and contain all of this inside the cluster.

Once you get into the edge you might see more commercially dependent devices that carry service contracts for quick replacement when they fail. Smaller sites will see more of the "cheaper" devices in use. In a smaller multi-site deployment with 100's of locations you'll more commonly see routers being deployed w/ small FWs or a built-in module being used.

It all comes down to how agile the company needs to be to achieve their goals.
 
Isn't it nice Cisco has dropped the price of the Cisco Firepower 1010 down to where it is the same price range as high-end consumer routers?
It is a firewall not a router but it has to be more secure than any consumer router.
 
Isn't it nice Cisco has dropped the price of the Cisco Firepower 1010 to where it is the same price range as high-end consumer routers?
No, because it's a dumb idea for consumers to put such a device into their network. It's more of a cash grab than a value add. There's no need for it at all! Some idiot in marketing thought of a way to sell something that feeds into people's fears of network security.
 
I am happy with it. I think smaller businesses can now start with Cisco and then grow into larger Cisco products. I think the higher prices were keeping smaller businesses out of the Cisco world.

I would have used it at my daughter's work now at this price.
 
SMBs get a solution from their provider if they even think beyond a simple ISP connection. SMBs don't have the margins to deal with a robust solution being produced with the gear you're talking about. I've seen a lot of different things in the field when it comes to dealing with SMBs, ranging from using their phone hotspot to run their network needs to piecing together consumer gear in an attempt to keep money in their pocket. Even on a recent TV show there was an SMB using a dial-up terminal for CC processing and a mechanical / analog register due to the tablet POS system costing $1500.

Keeping things geared towards your audience makes a difference.
 
If you know how to configure the Cisco PIX then a Cisco Firepower 1010 using ASA code would be close to the same. I am thinking around 2 gigs of throughput. I have seen the price around $500 plus a license for around $100. I have been considering one, well, two, as I need a new setup for my daughter's new house this summer.

I am just waiting on Cisco and their RV340 router replacement. I hate to let people down and change to a Cisco device that only me and a handful of people can configure on this site.
Yes, I can configure Cisco PIX, but this is yesterday compared to Palo Alto Networks.
 
I purchased an RT-AX86U from Best Buy for a good deal (around $125 before tax) and put it in place of my main AP, an R7000.
The speeds now are around 10% faster, but the range is not as good as the R7000's. The speeds in most of the house are faster compared to the R7000, except for one place in the basement, where the R7000 was giving approximately 120/90 and I now get 140/50. I did enable OFDMA+MIMO and set 160 MHz channels. All devices are working fine so far.
RAX200 is on order and should arrive soon. We'll see how it performs. Also ordered EAX80 just to test, from Amazon.
 
