Looking to build new network, please give your input!
Delaminator
- New Member
- Posts: 14
- Joined: Thu Dec 13, 2007 7:40 am
So I'm tired of this BEFSR41. It crashes every other day. It's not secure. It's outdated. I could go on! I don't want to go back to using my 2.2GHz AMD as a pFsense firewall/router, cause that sucked up power!
I'm looking at getting a new router. I had the DGL-4100, before my housemate's cat peed on it, but that was before I started playing around with servers. So I'm thinking of buying the DGL-4100 again. I know the DGL-4100 has a firewall built in, but is it secure enough to have a NAS behind it, 'or' should I also invest in a hardware solution firewall to put behind the DGL-4100? Can the DGL-4100 assign additional subnets for a NAS and AutoCAD PC?
If not, I'm looking at the NETGEAR-FVS318 firewall behind the DGL-4100 for creating a second subnet to keep the 2TB NAS, and AutoCAD PC from touching the net, but will need to allow the AutoCAD PC a secure, encrypted path to my work PC. Is this possible? Is this overkill? Will the DGL-4100 be enough on its own? Is the NETGEAR-FVS318 enough and the DGL-4100 overkill? Please help me on this subject! If you need me to answer more question on the setup, please feel free to ask!
Does the DGL-4100 need to have VPN to allow the other subnet[NETGEAR-FVS318] to tunnel out?
The DGL-4100 and NETGEAR-FVS318 will cost me $185 total!
As of right now, the DGL-4100 is a far cheaper solution than building a 1.6GHz Dual Core, 1GB memory, Dual NIC, MiniITX router that will have pFsense run on it. Which is what I desire, but the cost is what holds me back.
Thanks for reading,
Delaminator
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
I'm not a fan of double NAT'ing routers...and putting that Netgear behind the DLink..that's really all you're doing. Unless there are PCs which are threats behind the DLink, but in front of the Netgear....having your graphics workstations behind the Netgear.....all you're doing is slowing things down for it on the 'net. Esp with that model Netgear. That doesn't really add much more protection than the DLink.
What features are you looking for on a firewall? Because with home grade, and a large portion of SOHO/SMB grade routers...protection wise they're all the same...NAT is NAT. The next step is to look into a UTM appliance...Unified Threat Management. They add features like content filtering, anti spyware, and anti virus scanning as traffic passes through them, as an additional layer of protection for PCs on the network. Products like Astaro HGW or Untangle are two products which are free to home users...you install them on your own hardware much like you did with PFSense. (I run Astaro at home on a small Atom box). Store bought models, like Netgear's UTM10...you'll see UTM appliances starting at around 400 bucks. Yeah they're not cheap.
Tell me more about your home network and why you want to chop it up, what else is there that you want to hide your graphics workstation from?
MORNING WOOD Lumber Company
Guinness for Strength!!!
Delaminator
- New Member
- Posts: 14
- Joined: Thu Dec 13, 2007 7:40 am
That's pretty much the direction I'm heading. What advice could you give me?
YeOldeStonecat wrote: I'm not a fan of double NAT'ing routers...and putting that Netgear behind the DLink..that's really all you're doing.
Ok!
YeOldeStonecat wrote: Unless there are PCs which are threats behind the DLink, but in front of the Netgear....
Yea, this is part of the issue.
I have two house mates with PCs I can not administer and they're always having some type of machine issue associated with malware, spyware and so on, even though I've tried to educate them. At times during the evening through early morning the LAN is bogged down by torrenting, which was killed with the pFsense box, but since the pFsense box was a power drain I reinstalled the BEFSR and the torrenting started again. My housemates don't play games at all, but do watch lots of movies and listen to music. Even if all three of us did play online games at the same time, it wouldn't kill the 28Mb Comcast connection of the WAN. However, the LAN slows way down when the other users are home. Or it gets its random, day or night, router crashes. Only when their PCs are off, cause they are not home, does the LAN not slow down with the BEFSR. I liked how pFsense could assign bandwidth to internal IPs. This let my housemates torrent at a crawl, but stream without an issue, and the LAN was not bogged down at all!
YeOldeStonecat wrote: having your graphics workstations behind the Netgear.....all you're doing is slowing things down for it on the 'net. Esp with that model Netgear. That doesn't really add much more protection than the DLink.
Ok, I'm following...
YeOldeStonecat wrote: Because with home grade, and a large portion of SOHO/SMB grade routers...protection wise they're all the same...NAT is NAT. The next step is to look into a UTM appliance...Unified Threat Management. They add features like content filtering, anti spyware, and anti virus scanning as traffic passes through them, as an additional layer of protection for PCs on the network. Products like Astaro HGW or Untangle are two products which are free to home users...you install them on your own hardware much like you did with PFSense. (I run Astaro at home on a small Atom box). Store bought models, like Netgear's UTM10...you'll see UTM appliances starting at around 400 bucks. Yeah they're not cheap.
So, really it would just be cheaper to buy the DGL-4100 so I could shape the traffic on the torrenting and create firewall rules for the NAS and local IPs, while putting together the parts for a 150W to 250W pFsense Box with VPN? Since it seems as if it is going to cost more to get a VPN router/firewall and UTM appliance over building a pFsense-VPN-Box! And, I believe you can install Untangle on pFsense?
YeOldeStonecat wrote: Tell me more about your home network and why you want to chop it up, what else is there that you want to hide your graphics workstation from?
YeOldeStonecat wrote: What features are you looking for on a firewall?
About $200 worth!
QOS, SPI, Bandwidth shaping, traffic shaping, VPN for encrypted file transfers with my work's VPN, which has its own administrator. I've tried to talk to the admin at work about this, but it seems like he does not want to waste his time talking to me about it.
How to explain the setup?
I don't want any local computers, including Xbox360, connecting to the AutoCAD system, but the AutoCAD PC must have a VPN to transfer files between work. This is the only route in which my work lets work related files come to, or leave the office computers. If you don't have a VPN at home, the business will not let you work on contract designs at home. Their policy: All files to and from work must be registered with the administrator for some kind of oversight. I could lose my job just by sticking a USB chip or unregistered hardware in the workstation at work!
2nd, I don't want three of the local IPs connecting to the NAS, only my internal IP will connect to the NAS. The NAS will have deny inbound from WAN & 'specified internal IPs' filters applied. The LAN of the NAS will be allowed egress through the LAN to my PC, but egress filters will be applied to deny the NAS outbound connections to the WAN and other internal IPs.
3rd, the 360 will get an IP in the local subnet and be port-forwarded. I would like to be able to create a filter that only allows specified forwarded ports to connect; all other inbound and egress ports to the 360 not specified will be denied by rule.
I 'could' do all of the above with a pFsense Box, as long as I bought a VPN card for the build. I did not get VPN for the pFsense Box as I did not have a reason to at the time of the build.
Thanks for your help, it's appreciated!
Delaminator-
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
You've been spoiled by PFSense....it's a great distro, I've frequently run it at home, and rocks for QoS...I've never found anything as good.
Untangle is its own distro, it won't install on PFSense, it would replace it. It's a pretty good UTM distro, however designed for businesses, if you have gamers at home, XBox, etc..you may have to wrestle with bypass rules to get online games working well. If you have roomies that get frequently hit by malware, you might want to look into a UTM distro like Untangle or Astaro HGW..both free for home users. However, you build your own box to run them on, and they're a little pickier about the hardware quality you use...they're especially demanding to use good NICs...Intel.
For separating your network....keeping "them" from seeing "yours"...I prefer to do that at the switch level, specifically port based VLANs. This keeps the network simple (1x router).
An off the shelf product that would be a decent choice for you...powerful processor, somewhat decent QoS, and it will combine a managed switch built into it that supports port based VLANs...the Linksys/Cisco RV082. Built in 8 port switch. They also have a 4 port version, RV042, and a 16 port version..RV016. But I'm figuring 8 ports will work for you.
http://www.cisco.com/en/US/products/ps9926/
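The policy Delaminator laid out (NAS reachable only from his PC and never talking out, AutoCAD PC unreachable locally with a VPN path to work, Xbox limited to named forwarded ports) combined with YeOldeStonecat's point about separating hosts at the switch level, written as a pf ruleset in the FreeBSD pf dialect pfSense ran at the time. This is an added example, not the thread's or pfSense's own config; interface names, VLAN ids, addresses, the work VPN gateway and the Xbox/VPN port numbers are all assumptions. Hosts that must not see each other are put on separate VLANs because traffic between two hosts in the same subnet never crosses the firewall and so cannot be filtered by it.

```pf
# Added example, not pfSense-generated config. All names and addresses are assumed.
ext_if  = "em0"          # WAN (Comcast)
lan_if  = "em1"          # untagged LAN: housemates' PCs and the Xbox 360
mine_if = "em1_vlan10"   # VLAN 10: my PC
nas_if  = "em1_vlan20"   # VLAN 20: the NAS
cad_if  = "em1_vlan30"   # VLAN 30: the AutoCAD PC

lan_net  = "192.168.1.0/24"
my_pc    = "192.168.10.10"
nas      = "192.168.20.10"
autocad  = "192.168.30.10"
xbox     = "192.168.1.40"
work_vpn = "203.0.113.5"      # placeholder for the employer's VPN gateway

# Private ranges: used to say "Internet only, no other local network"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Ports forwarded to the Xbox (assumed values; check the console's docs)
xbox_tcp = "{ 3074 }"
xbox_udp = "{ 88, 3074 }"

set skip on lo0
scrub in all

# Outbound NAT for everything except the NAS, which must never reach the WAN
nat on $ext_if from { $lan_net, $my_pc, $autocad } to any -> ($ext_if)

# Only the listed ports are redirected to the Xbox; nothing else is exposed
rdr on $ext_if proto tcp from any to ($ext_if) port $xbox_tcp -> $xbox
rdr on $ext_if proto udp from any to ($ext_if) port $xbox_udp -> $xbox

# Default deny on every interface, logged so drops can be reviewed
block log all

# Forwarded and router-originated traffic may leave once it passed an "in" rule
pass out all keep state

# WAN: only the redirected Xbox ports may be opened from outside
pass in on $ext_if proto tcp from any to $xbox port $xbox_tcp keep state
pass in on $ext_if proto udp from any to $xbox port $xbox_udp keep state

# Untagged LAN: housemates and Xbox reach the Internet only, never the VLANs
pass in on $lan_if from $lan_net to ! <rfc1918> keep state

# My PC: Internet plus the NAS; it is the only host allowed to reach the NAS
pass in on $mine_if from $my_pc to ! <rfc1918> keep state
pass in on $mine_if from $my_pc to $nas keep state

# NAS: replies to my PC ride on the state above; it initiates nothing itself
block in quick log on $nas_if from $nas to any

# AutoCAD PC: unreachable from every local host (its VLAN has no "pass in"
# from anywhere else); outbound only to the work VPN gateway, assumed IPsec
# (IKE on UDP 500, NAT-T on UDP 4500, ESP)
pass in on $cad_if proto udp from $autocad to $work_vpn port { 500, 4500 } keep state
pass in on $cad_if proto esp from $autocad to $work_vpn keep state
```

DHCP and DNS from each VLAN to the router itself are not shown; pfSense adds those rules on its own when the services are enabled. Load with `pfctl -nf` first to syntax-check before activating.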
Delaminator
- New Member
- Posts: 14
- Joined: Thu Dec 13, 2007 7:40 am
The RV082, a little over what I want to spend, but it's perfect for what I need it for. I may just have to put a little more together. If I don't go that way, I did DL Astaro last night. If it comes to it, I may just use that, though I'll have to take on the learning curve to get the games to work right, which is the only thing that throws me off from UTM distro's!
As for the router build. I have x2 Intel PCI Pro100s, old, but they still get updates and work at 100 Full duplex and my house is laced with Cat5. The only board not in use that can work well with pFsense is an AMD CPU, VIA-NB ATX using 1GB SuperTalent DDR400 and a 2.2GHz, 939 Winchester, 6GB Transcend Flash or 20GB Maxtor(blah). The power draw is around 230W with the CPU downclocked to 1.5GHz. For the small network it would control, that's just too much of a monthly power drain!
I'm a bit interested in the MiniITX computers. The Jetway J7F4K1G5S-LF Via C7 has dual LAN, but reading the specs on the J7F4K1G5S-LF, it uses a Realtek 8110SC for the primary LAN controller. The 8110SC has a watchdog-timer (not really too sure what it is, but I know pFsense errors with it) which does not work well with pFsense. Interestingly enough, reading about the VT6103L LAN controller, it does not have a watchdog-timer? So why would they have one controller with and one without?
I can't find any Intel Mini-ITX Dual LAN's and I don't really want to go with a MB that I'll have to buy a CPU for. Unless I can get an 'Intel Celeron E3300 Wolfdale 2.5GHz' on the cheap and downclock it! I wouldn't want to get another PSU for the build, so I'd have to go with a converter. Are those safe to use for such a project?
Delaminator-
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Delaminator wrote:
I'm a bit interested in the MiniITX computers. The Jetway J7F4K1G5S-LF Via C7 has dual LAN, but reading the specs on the J7F4K1G5S-LF, it uses a Realtek 8110SC for the primary LAN controller.
I can't find any Intel Mini-ITX Dual LAN's and I don't really want to go with a MB that I'll have to buy a CPU for. Unless I can get an 'Intel Celeron E3300 Wolfdale 2.5GHz' on the cheap and downclock it! I wouldn't want to get another PSU for the build, so I'd have to go with a converter. Are those safe to use for such a project?
Delaminator-
A little over a month ago I built a mini-ITX system that fit in a front I/O port 1U rack mount chassis, for home. Copied and pasted from a prior thread...
"I have the SuperMicro in my shopping cart from NewEgg.
I decided to change the motherboard to the front panel model...
http://www.newegg.com/Product/Product.a ... 6811152107
I got the Atom D510 mobo combo with the remote management IPMI 2.0 option and dual Intel gigabit LANs
http://www.newegg.com/Product/Product.a ... 6813182238
And a Seagate Pipeline drive...a "green" hard drive designed for ultra low power consumption, quietness, and low heat output.
http://www.newegg.com/Product/Product.a ... 6822148556
Total is 359.97"
What's unusual about the particular SuperMicro chassis that I got was it's a front I/O model, which I like...good for putting in a cabinet with switches since most switches have their ports in the front.
Just a note...Realtek NICs...they're more software driven (hence their nickname...realsuck), you'll want to shy away from those if you want heavy traffic through your router...and QoS isn't as effective with them.
I had lots of memory kicking around so I didn't have to spend on that...I know getting the smaller laptop memory will push that over 400 bucks..so even more above your budget.
You can shop around ebay, some online stores sell pre-built SuperMicro kits for a decent price, just be careful...some have the similar SuperMicro motherboards but with Realtek NICs...there are subtle differences...some with Realteks, some with just 1 Intel NIC...some models with dual Intel NICs..and the model I got also has a remote management card on it. You can get a similar SuperMicro dual Intel motherboard without the remote management card on it for about 60 bucks less. Which may bring the price down to a palatable level for you.
I installed Untangle on it and it ran great. Currently have Astaro HGW running on it very nicely too. Pretty soon will probably get back to PFSense on it.
Delaminator
- New Member
- Posts: 14
- Joined: Thu Dec 13, 2007 7:40 am
WOW... 1.66GHz Atom with DDR2 SODIMM, Dual LAN and HDD, roughly $20:drool:
I have this small aluminum Red Cross medical container that the MBD-X7SPE-HF-O and ST3160310CS will fit into nicely and I can easily make an I/O shield for it with attached 7v, 60mm intake and exhaust fans. I have a $72 credit with newegg, so I could use that with this purchase. My father has a dead Laptop at his house that uses DDR2667, it's a 2x1GB matching kit of Kingston value RAM. More money saved and I know he won't care, he already gave me its hard drive (dead now).
Thanks for the info, you've helped me a great deal!
When building this router, should I stress test the system & memory to see if it errors, as I did with my AMD system? Mem86 and/or P95?
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
It's up to you if you want to stress test it. I've never stress tested hardware I use for a build, the OS install and first several days of running show me how well it's built and how compatible the parts are for the OS.
This link here is the same motherboard, but without the remote management module..
http://www.newegg.com/Product/Product.a ... -_-Product
Note the model number is almost the same, just without the "F"
Here they are side by side...
http://www.newegg.com/Product/ProductLi ... PE&x=0&y=0
OK only 30 bucks less...I thought the price diff was greater. But still...if it helps a budget, and you don't care about remote management into the hardware.
And note the hard drive again, it's designed for being used in small chassis for continuous use..such as home media centers, DVRs, so it's low power consumption, low heat output, and extra quiet.
SuperMicro's support is pretty decent too...I had a question and issue with the small power supply fan in the chassis I got, sent an e-mail, had a reply back by end of day, and a couple of back 'n forths with the guy.