Upgrading Home Network - Need Advice

Derek1320 · Jan 31, 2021

ToolAA said:
My SG-3100 came in Yesterday. I've been banging my head against the wall trying to configure ports 1 & 2 to be part of a Link Aggregated Port to connect to the switch. I finally seem to have figured it out but it's been 4-5 hrs of resetting the 3100 to default settings because I kept getting locked out of the LAN. However during the process I've come to really like the flexibility of pfsense. I see a lot of finely tuned customization opportunities and OpenVPN remote access.

Nice! I finally bit the bullet and ordered an SG-2100. It came last week and it's just been sitting on my kitchen table. Just need to find the time to "break" my network so I can improve it. Out of curiosity, how did you approach initial config? The way Netgate recommends? Connect WAN interface to ONT/Modem then connect to a LAN port via Ethernet to a mgmt computer?

dealsearch said:
I'd recommend to look into Eero. managed from a smart phone and is pretty good for me after I increased my plan with FIOS to 1gb/s

I ran an Eero setup for years until we moved and I had wired ethernet drops run for access points. It's a nice plug and play set up and surprisingly fast. Control isn't super granular though (by design I'm sure), you can't shut off SSID broadcasting, and I did have issues maintaining a connection when roaming between APs. I gave the Eero to my parents and they love it though. It massively improved their pathetic WiFi situation. I would recommend it to anyone who just wants plug and play.

ToolAA · Jan 31, 2021

Derek1320 said:
Nice! I finally bit the bullet and ordered an SG-2100. It came last week and it's just been sitting on my kitchen table. Just need to find the time to "break" my network so I can improve it. Out of curiosity, how did you approach initial config? The way Netgate recommends? Connect WAN interface to ONT/Modem then connect to a LAN port via Ethernet to a mgmt computer?

If your network is fairly simple then that approach works just fine. You release the IP on your current router, then plug in the new one. The default network will be 192.168.1.0/24. If all of your current connected devices are getting DHCP on the same network ID then once you boot up the new router, wired devices will pickup their new IP assignments just like they were connected to the previous router. Then using a wired connection, log into the WebGUI 192.168.1.1 and tweak your setup.

However in my own use case, my home network was already set at 192.168.0.0/24. Also I'm running my wired network through a POE Managed switch and my WiFi access points are wired into the switch. So the faster path for me was to just connect my laptop to the Netgate by it self without connecting the netgate to the Verizon Fios WAN. I changed all of the settings that I could, including setting the LAN network address as 192.168.0.1.24, then created the Firewall rules that I wanted from my existing router and lastly setup the static IP addresses of the devices which already have Static IP's on my current network.

Once that was done I pulled out the old router, set the new router. Released the FIOS IP and then powered up the netgate. For the most part everything connected. I actually just did this step this morning at 6am before anyone else in the house work up. It gave me a little time to migrate the PiHole and other security settings I wanted in place before they started to use it.

The most seriously time consuming issue for me was that I wanted to use two of the Cat5 ports in a LAGG configuration to connect to my POE Switch. It turns out that in pfSense you cannot actually just do this with a click of a switch. You need to delete the assigned LAN interface (which totally blocks your ability to use the WebGUI from the cat5 lan port), then reconfigure the interface as LAGG and establish a new LAN network using the LAGG Ports. While I can understand that this approach provides the maximum customization for enterprise users, it was extremely cumbersome for me. I tried multiple approaches to access the WebGUI from the WAN or OPT1 ports but failed for hours. Eventually I just reconnected the 3100 to the existing router and routed through the existing router to the 3100 and program it from the WAN port. In order to connect, I had to disable all firewall rules for a little while but eventually I got connected.

Now I'm working on setting up SNORT to identify intrusion traffic and laslty I've got to create a vlan for my wireless IOT crap.

I can see that the Netgate devices are a pretty good hardware/software setup.

Derek1320 · Feb 1, 2021

Thanks for the details! My setup is similar to yours, with a managed switched feeding access points/ethernet drops etc. So I think I'll take your approach, do as much configuration as possible and then swap my existing router out.

Then, VLAN segregation, snort, etc. Nice move on the link aggregation, I never even thought of that for a home setup but the redundancy definitely adds peace of mind. I'll keep my eyes open for more updates!

ToolAA · Feb 2, 2021

Now that I'm knee deep into the swap and somewhat familiar with PFSense I've got some more questions for the brain trust. I was examining the firewall logs and I'm shocked to see how many attempts there are to access my home network. I did a trace route on some of the IP addresses and they are mostly coming from Russia and eastern European countries like Moldavia, Ukraine, Albania, Croatia, just to name a few that I checked. However there are a bunch from the USA too. What are all of these pings? Are they just looking for open ports on peoples networks?

Also I have one very unusual pattern. It seems like I have one IPv6 address that is hitting my firewall continually like 5-10 times per Minute, ALL DAY LONG. My old router didn't create logs like this. Is this activity normal?

So now that I'm seeing all of this firewall activity, I'm looking to install some sort of Intrusion Detection System software and this leads me to more questions.

1) Is there a big difference between Snort, Suricata or pFBlockerNG? It seems like I can any of these directly onto the Netgate SG-3100.
2) Does anyone have a recommendation for one over the other.
3) Does it make sense to install the IDS on the Router or should I just put that system on the Synology NAS. It seems like running on the router directly is the best option from what I'm reading because you will really capture all traffic from the LAN to the WAN.

Thanks again for any helpful info you guys provide. It's much appreciated.

traveller · Feb 2, 2021

Yes, that's normal.

Alan3413 · Feb 2, 2021

ToolAA said:
Now that I'm knee deep into the swap and somewhat familiar with PFSense I've got some more questions for the brain trust. I was examining the firewall logs and I'm shocked to see how many attempts there are to access my home network. I did a trace route on some of the IP addresses and they are mostly coming from Russia and eastern European countries like Moldavia, Ukraine, Albania, Croatia, just to name a few that I checked. However there are a bunch from the USA too. What are all of these pings? Are they just looking for open ports on peoples networks?

Also I have one very unusual pattern. It seems like I have one IPv6 address that is hitting my firewall continually like 5-10 times per Minute, ALL DAY LONG. My old router didn't create logs like this. Is this activity normal?

So now that I'm seeing all of this firewall activity, I'm looking to install some sort of Intrusion Detection System software and this leads me to more questions.

1) Is there a big difference between Snort, Suricata or pFBlockerNG? It seems like I can any of these directly onto the Netgate SG-3100.
2) Does anyone have a recommendation for one over the other.
3) Does it make sense to install the IDS on the Router or should I just put that system on the Synology NAS. It seems like running on the router directly is the best option from what I'm reading because you will really capture all traffic from the LAN to the WAN.

Thanks again for any helpful info you guys provide. It's much appreciated.

5353 looks like Bonjour. It's either someone's misconfigured device on an external IP, or someone hoping to find an unsecured device. Either way, it's blocked so it's fine.

Occam · Feb 3, 2021

ToolAA said:
Is this activity normal?

Yeah, normal! My business runs a very busy 128 hard IP addresses exposed to the outside world. The amount of toxic crap that comes knocking on all 128 of those doors is stupefying.

I like snort just fine on pfsense - just works, and so widely used you can find answers online for pretty much any conceivable question.

Deep Thought · Feb 3, 2021

Looks like the ipv6 entry is on your lan interface. Probably a device on your local network generating that. No reason to panic. You could add a rule to drop that traffic without logging.. track down the offending device...or do nothing.

geda · Feb 3, 2021

1. pFBlockerNG can be useful sometimes, but it can also cause strange issues. It is useful when you have exposed ports to keep the bots out. Moving ssh for example to some random high number port will kill 99% of the random connection attempts, adding pfblocker will get it down to 99.7%.

2. Snort vs Suricata, is like ford vs chevy, they both do the same thing. Snort has been around much much longer and it is the only one I have experience with. Snort3 is the new hotness, you should check it out if you want to tinker.

3. I always run my IDS on a separate box from my router. If you have a managed switch you can run the wan link through port based vlan then have a span port for the IDS, this is what I do. If you want to run snort as an IPS you will have to put it inline with the wan link or on the router.

ToolAA · Feb 3, 2021

Deep Thought said:
Looks like the ipv6 entry is on your lan interface. Probably a device on your local network generating that. No reason to panic. You could add a rule to drop that traffic without logging.. track down the offending device...or do nothing.

I was going to ask who you can tell but I see in the photo it says LAN vs Wan. Strange that one of my own devices is pinging IPv6. I don’t even have that feature turned on in PFSense.

When I was younger and seemed to have more time the Anal Retentive Toolaa would have probably put considerable effort into finding the offending device. I think I’m going with the IGNORE option.

Derek1320 · Feb 8, 2021

Deep Thought said:
Looks like the ipv6 entry is on your lan interface. Probably a device on your local network generating that. No reason to panic. You could add a rule to drop that traffic without logging.. track down the offending device...or do nothing.

Yup, this is a multicast DNS IPv6 address being targeted so something on the network that runs a dual stack is looking to resolve an address. Mobile phone maybe, though I'd think it would be getting an IPv4 address if its on your WiFi.

EDIT: I just checked my own pfSense logs and I've got something on my network hitting the mDNS block on my firewall too.

ToolAA · Feb 9, 2021

Derek1320 said:
Yup, this is a multicast DNS IPv6 address being targeted so something on the network that runs a dual stack is looking to resolve an address. Mobile phone maybe, though I'd think it would be getting an IPv4 address if its on your WiFi.

EDIT: I just checked my own pfSense logs and I've got something on my network hitting the mDNS block on my firewall too.

I finally found out what my device was. I have a Logitec Harmony Remote and that thing is pinging IPv6 30-40 times a minute. There no way to turn it off. By they way they are great remote controls.

Deep Thought · Feb 9, 2021

ToolAA said:
I finally found out what my device was. I have a Logitec Harmony Remote and that thing is pinging IPv6 30-40 times a minute. There no way to turn it off. By they way they are great remote controls.

Sheesh.. How's the battery life?

ToolAA · Feb 9, 2021

Deep Thought said:
Sheesh.. How's the battery life?

The handheld remotes last a long time between charges and it has a built in caddy. The HUB that is connected to the WiFi network is plugged in and thats where the IpV6 traffic is coming from.

ToolAA · Feb 21, 2021

New question regarding Battery Backup/UPS power supply. Old UPS was almost 20yrs old and it was time to replace.

I picked up a new/open box APC BX1500M from Amazon for $129. I’ve got it connected and it looks like my entire network suite of hardware is only drawing 41 watts. That’s the Netgate 3100, Netgear 24 port POE+ Switch, 3 POE access points, Synology NAS, Wink Hub, a windows NUC, and Verizon Fios Router. Looks like with everything running I’ll be able to stay online for 160 minutes.

My question is how do you actually use the UPS to send out a signal to shut down the network Devices. I’ve got the UPS connected to the NUC running the APCUPSD service. The router sees the service, but I cannot figure out how to get the Synology NAS to recognize the UPS, unless I plug it directly into the NAS, but when I do that, the router doesn’t see the UPS.

Occam · Feb 21, 2021

ToolAA said:
I cannot figure out how to get the Synology NAS to recognize the UPS, unless I plug it directly into the NAS, but when I do that, the router doesn’t see the UPS.

In one of my configurations, the Synology NAS gets the hard wired connection so I know absolutely that it understands it needs to do a clean shut down and preserve the integrity of its file system. All my other network devices? Meh - they really shouldn't care about a hard power yank/restore. Takes them a moment to come to their senses, but they aren't usually fragile when it comes to power interruption. The UPS still keeps them save from spikes and other hardware damaging power oddities.

Now, out at my datacenter, I've got much busier routing/firewall gear with spinning disks and lots of stuff in RAM/cache. Whole different situation.

ToolAA · Feb 21, 2021

Occam said:
Now, out at my datacenter, I've got much busier routing/firewall gear with spinning disks and lots of stuff in RAM/cache. Whole different situation.

Sign me up for the next Datacenter tour.

Especially if your wife dresses like the 1968 version Agent 99.

Occam · Feb 23, 2021

ToolAA said:
Sign me up for the next Datacenter tour.

I would take you out there in a second! It's quite an experience, if you've never been into one of those huge facilities. Alas, the current COVID posture means absolutely zero non-critical visits for guests. Soon, perhaps! It's an eye-opening experience, driving through that part of Loudon county, which is wall-to-wall enormous datacenters. Then when you set foot in one and realize you're looking at acres of racked up computing and storage hardware in every one of those buildings, all of those internet cat videos start to really gain some perspective. Seriously, when the time is right, I'll happily host a small (1 to maybe 5) group visit. There's lunch and beer available nearby!

Especially if your wife dresses like the 1968 version Agent 99.

I will speak to her about this. She's more of a CZ girl these days, while I always saw 99 with a revolver.

ToolAA · Oct 9, 2021

It’s been a while since posting here. My personal Netgate setup has been chugging along just fine without any unusual problems. I’ve gone in and tweaked a few firewall settings from time to time and I still need to setup proton VPN on the router and partition off things like streaming devices but that will eventually get done.

Today’s post is to offer some alternative to the PFsense devices. My close friend just moved and was asking for some home network device advice. After some discussion he really was not that interested in spending a lot of time to dive into the minutiae of setting up a PFSense box. He wanted something fast, easy to setup and somewhat professionally expandable. I recommend he get the Uniquiti Dream Machine pro https://store.ui.com/collections/unifi-network-unifi-os-consoles/products/udm-pro along with a few of their AP-Pro’s and a POE switch.

Last night I helped him get things setup. We got 2 of the AP’a hardwired along with the whole network setup in about 90min. I’ve got to hand it to the Ubiquity team, they really did create a very simple looking and easy to use interface with a pretty decent set of customization possible. We had multiple Wifi networks and VLAN’s ready in just a few minutes.

If you want to setup a series of security cameras the DMPro has the ability to add a hard drive directly to the device and has built in monitoring capabilities too.

It is not as customizable as my Netgate for sure, but for 95% of home users it’s more powerful and not really more expensive than some of those fancy gaming routers.

AntiGun · Oct 9, 2021

Your link is 404.

Upgrading Home Network - Need Advice

The #1 community for Gun Owners of the Northeast

Member Benefits:

Active Member

Ultimate Member

Active Member

Ultimate Member

The one with two L

Ultimate Member

Not Even ONE Indictment

Active Member

Active Member

Ultimate Member

Active Member

Ultimate Member

Active Member

Ultimate Member

Ultimate Member

Not Even ONE Indictment

Ultimate Member

Not Even ONE Indictment

Ultimate Member

.

Users who are viewing this thread

Log in

Forum statistics