UDMpro or pfsense

What would be the pros and cons of either the Dream Machine Pro, or a PC or Raspberry Pi with pfSense (or a VM in Proxmox)?

Basically I have a Google Wifi mesh system now, but it’s limited in what I can do in my network. I am looking at getting a UDM Pro or setting up pfSense. I have installed pfSense in Proxmox just to check it out; it’s not in use. I never really had the time to set up anything much more.

Also, if you have suggestions other than that for a router/firewall setup it would be appreciated. I don’t have a lot of needs as far as a router/gateway is concerned; I just want to be able to set up a TLD for internal things, and I don’t like opening or having open ports. Also to play around with virtual networks too.

pfSense can’t run on a Raspberry Pi from what I know. You can make a router out of it, but it’s a bit silly, unless you have a CM4 with 2 Ethernet ports (or more) or you are going to use it as either a wireless AP or get internet through a WWAN.

Assuming you don’t really care that much about your connection to the outside world, then you probably don’t need anything more than a WRT. The reason why I prefer having at least FOSS hardware, preferably something based on OpenBSD, but if that’s not available, a light version of Linux that receives security updates, is that most ISP and consumer all-in-one routers that you buy from the store are easy targets for hackers. So if you can’t remove the ISP router (or use it in bridge mode), using a firewall in between the ISP router and your internal network will prevent the damage from spreading to your internal network. Currently there doesn’t appear to have been any ransomware attacks that involve getting into vulnerable routers, but it’s just a matter of time.

In your case, if pfSense hardware is not an option, the next best thing is to use a single-board computer like the Raspberry Pi, or preferably something with 2 Ethernet ports, like a NanoPi R4S, and use that as a firewall. If you get a managed switch, you should be able to do some cool stuff with it. But note that I have never used a NanoPi or RPi with a managed switch, so I’m not entirely sure if their Ethernet ports support VLANs.

But again, if you don’t care much about that stuff, all you need is either a pf or iptables firewall between your internal network and your very vulnerable device that connects you to the outside world and that should be good enough.

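An added example (not any poster’s configuration) of the “pf firewall between the ISP router and the internal network” described in the post above, in OpenBSD pf.conf syntax; pfSense’s FreeBSD pf uses a different NAT syntax. The interface names eth0/eth1 and the 192.168.10.0/24 range are assumptions.

```pf
# Added example: OpenBSD-style pf.conf for a 2-port board sitting between the
# ISP/consumer router and the internal LAN. Interface names and the LAN range
# are assumptions; adjust them to your hardware.
ext_if  = "eth0"              # toward the ISP / consumer router
int_if  = "eth1"              # toward the managed switch / internal LAN
lan_net = "192.168.10.0/24"   # constructed internal range

set skip on lo
set block-policy drop         # drop silently instead of answering the WAN side

# Sanitise packets and hide the LAN behind the firewall's WAN-side address
match in all scrub (no-df random-id)
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; log whatever the WAN side tries to send in
block all
block in log on $ext_if

# The firewall itself may reach out (updates, upstream DNS)
pass out on $ext_if inet

# LAN clients out to the world; the firewall's own services are listed explicitly
pass in on $int_if inet from $lan_net to ! $int_if

# Services the firewall offers to the LAN: DHCP, DNS (or forward DNS to a Pi-hole), SSH
pass in on $int_if inet proto udp from any port bootpc to any port bootps
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port domain
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port ssh

# Deliberately no "pass in on $ext_if": nothing inbound reaches the LAN,
# which matches the "no open ports" requirement in the original question
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see what the WAN side is being denied.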

We have a Protectli FW4B running Coreboot and OPNsense and it works really well with our 400 Mb connection, even running multiple VPNs, etc. You can also get them with pfSense; they support both. The management interface is really simple to use and makes backing up/restoring configurations really easy. They also make 2- and 6-port models.

If you have an RPi that you’re looking to use, it would make an excellent Pi-hole server to help block adware, malware, tracking, and other shenanigans. You can also use it for your local DHCP/DNS; it’s very easy to configure as well as back up/restore. A 2GB RPi 4B is plenty capable, or even a 1GB if you have an older one (or when the re-released ones become available). I think even a 3B is plenty, but we don’t have one so I can’t say for absolute sure.


Thanks guys.

I figured out pfSense can’t run on a Pi after I posted. I just set up Pi-hole on one of my Pis; that’s what got me started down this rabbit hole. I watched Tom Lawrence’s videos on pfSense and have a better understanding of it. VPNs I don’t really need; I don’t go anywhere. I just want to tinker around in my internal network and not have anything exposed. Like I said, I don’t open ports to the inside of the LAN. The Google Wifi works fine, just limited in anything. I can’t disable the DHCP server in it, so I didn’t want to use DHCP on the Pi-hole. I can’t set up a TLD either.

I’ve never used the UDM Pro, so I can’t really speak about that on the level that Tom can. From what I understand, pfSense has more features. Someone can correct me if I’m wrong on that, though. At the time I made the decision to go with pfSense, I thought about using all Ubiquiti to keep everything the same, but ended up deciding that pfSense was a better fit due to having all the features I needed. Take this opinion with a grain of salt though; a lot could have changed since I last looked at the UDM Pro.

On my end though, I did run Pi-hole at one point in time along with pfSense. IIRC, I had the DNS resolver in pfSense set to use Pi-hole as the external DNS server. Then I had Pi-hole be the one to resolve external name lookups. They worked well together. Later on, I migrated Pi-hole to be a VM in Proxmox. That made it easier to snapshot in case I wanted to restore.


Thanks Jay.
I’ve been watching Tom’s vids on the UDM and others. Just wasn’t sure if there is much difference using one over the other. Extra features are good, but also a lot more involved. I like the Ubiquiti stuff; it just seems more like what my OCD will allow :wink: . It went in stock last night, so that is what I got, along with a PoE switch. Now let’s hope I don’t mess everything up and expose myself to the whole world… :flushed:

Ubiquiti firewalls are good for basic home usage. I’m using an older USG‑PRO‑4, and it fits my needs. You can do all the basic firewall/gateway stuff, like port forwarding, DHCP, VLANs, etc.

Some of its limitations are with VPN connections, since it’s not using OpenVPN or WireGuard for remote access, but uses the older L2TP or PPTP protocols (OpenVPN is available for site-to-site VPN though). Also, features like ad blocking etc. have to be implemented by other means.

But I like having a single Unifi’ed interface for my network configuration.