The Homelab Show: Episode 3 Firewalls & Switches

Captions
Let me turn my phone off before it makes noise. All right, that's done, and we are live. Welcome to The Homelab Show, episode three: firewalls and switches. This is Tom Lawrence and Jay LaCroix. We are progressing right along here. We wanted these kind of foundational ones to be the first episodes, and as this show evolves and we listen to all the feedback we get from you, one of the things that we will be doing in the future, for those wondering, is diving deep into individual topics, like an individual self-hosted project or an individual firewall or use cases. But for the first shows and episodes, while we're getting our bearings on how we want to take this and what directions we're going to go, we're doing these overview ones just to give some people a foundation. Also, the podcast may, by the time you're listening to this, be live with the other episodes. They're being uploaded as of today, March 24th, so if you're watching this live right now they're not available, but in a few hours they should be able to be consumed wherever you consume podcasts from, and you'll find everything at thehomelab.show. We do have an official site for all this, so you'll be able to find it, and we're ripping the video out of this and putting it over there. The YouTube channel will remain; we're still going to keep doing them live here, but you will also be able to just get this as a podcast in the future. So if you can't participate live, or you're listening to this and not participating live, this is our plan: to make it easily and more available for everyone, and easier on ourselves too. We're keeping it simple. Yeah, yeah. When you look at the website, you'll probably find there's not much there. That's kind of the plan; we don't really plan to keep much there other than the podcast. That's kind of the goal right now, to make it easy for you to consume, easy to get the data. But we won't dwell too much on that; you can go ahead and check out thehomelab.show to see all that.
Let's dive into today's topic, and it's talking about firewalls and switches, because, well, you've got to connect all that stuff in your home lab, and there's got to be a way to connect it; you have to connect A to B. And man, this is a hotly debated topic for sure, but at least I'll mention, because I don't want to get too off topic on the physical wiring part of it, I did a recent video on building your own home lab rack. I will leave that link in the show notes so you can easily find it on my Lawrence Systems channel, but I did a video talking about the components and the patch cables and stuff like that. I will agree those are greatly important, but I think those are harder to really discuss in depth on a podcast because there's such a physical aspect, and aesthetics are what people will start really focusing on in that particular topic, going "I like the thinner patch cables," "I don't like modular," or "I do like modular patch panels." Personally, I prefer modular; fight me in the comments. But that topic, you know, I do address some of that and what cables you should use, and maybe if there's enough interest we will address that, because I mean there are different things like DAC or fiber. And I will get one thing out of the way; this comes up every time people start a home lab: "Hey, I'm building a new house and I want to have a home lab in it. Should I run fiber all over my house?" And 99% of the time I'm going to answer no. Let's get that part out of the way. Just run the latest cable; as of today that's going to be Cat 6, and if you can spend a little more you want to get Cat 6a, because Cat 6a will do 10 gig over greater distances than Cat 6. Go there. So there's our whole rant on some of the topics related to the physical layer in terms of the cabling, but now let's get to the real topic. Let's start with the switch, because the firewall is going to be a fun topic at the end, where I know the comments will go crazy, because there are deeper opinions probably on firewalls than there are on switches.

The common home lab switches, though: I'm going to start with UniFi. I think UniFi makes one of the easiest platforms to learn how VLANs work, and then there's going to be someone commenting, "It doesn't teach you how VLANs work," because they make it so easy that you don't really learn the Cisco way of learning VLANs and how trunking works, because it's a little pull-down in the web UI and it's not all command-line driven for setting it up. But that's actually, in my opinion, if you can get a VLAN working and you can get some of this stuff functional quicker, it's up to you then if you're like, "Cool, I see how it works; now how do I add another component to this?" Because the way VLANs work is a standard, so if you get it working on UniFi, I think it builds up a little of that confidence to be able to do it elsewhere. But for some people UniFi is perfectly fine like that; they're not going to dive deep into the networking. What do you think, Jay? You like UniFi, right?

I do, I love it. And you know, it's kind of interesting for me, because the reason why I went to UniFi is not just because you kind of turned me onto it, but in my home where I was living at the time, I literally bought every single router at the local store, Micro Center, and they all failed me. And obviously there wasn't anything wrong with the routers; they're okay. It's just that the house was a really hard thing to get things through the walls, and I even bought a $400 router, took that one back, and I bought, I think it was $99 I paid for a UniFi access point, and it won. It got the signal everywhere, all over the house, not a single blank spot anywhere, and then from there I UniFi'd all the things. But before that I was doing everything manually with, you know, Debian and iptables and all that, so I lived the do-it-yourself life for a long time, and then I got to a point: okay, I know that stuff fairly well; it's time to make it easy on myself and go with UniFi. And I like UniFi quite a bit. I just installed the doorbell like two days ago, so just to give you an idea, they definitely make a lot of different cool products, you know, outside of just their core thing of switches.

Now, you mentioned routing, but I don't want to conflate this. The routing, I'm not a big fan of the UniFi routers, and we'll get to that when we talk about the firewalls; we'll talk more about that later. For a lot of routing, me and Jay both use pfSense, but before you call us fanboys of only pfSense, we will mention OPNsense and a couple other ones later. But in terms of switching, if you need to get your switches set up, you need to get things going pretty fast, pretty easy. Granted, yes, it does have a controller system that you have to load, so there's a software control plane that allows you to manage many UniFi devices. Now there's a turn-off some people have with UniFi: if you're someone building your home lab and you only have one switch, running a separate piece of software to manage one switch seems silly, and you're kind of right, but I don't know too many home labbers that are really into it that didn't buy seven more switches within the first year. It always starts with a single switch, and one of the cool things that UniFi has is those mini switches, those little, I think they're like 30-something, 39 dollars for the tiny ones, the little four-, five-port ones that also support some of the VLANs. So there are some ways you can slowly expand in there. They have 10 gig models, and when you tie them all together, having everything in one control plane starts to make sense.

Now, a few other models that I'll mention that are going to be pretty popular: MikroTik. MikroTik probably has the best bang for the buck when you want to go 10 gig. I've reviewed the little MikroTik four-port, technically five-port: four 10 gig ports and one RJ45 one gig port. And with that little switch by MikroTik, there's nobody in the price range of $130 that offers a four 10 gig port switch right now that I'm aware of, on March 24th of 2021. Right, the folks at Serve The Home... someone said it's actually $29 for the USW Flex Mini switch, so yeah, UniFi. I mean, that's a one gig switch; I actually have one, I was using one as a port tap for a while for doing some testing with Security Onion. I don't know any $29 switch that you could use as a port tap as easily as you could a UniFi one; it's like you could just do it in a little drop-down and away you go. But back over to MikroTik. So MikroTik's an interesting company. There are a lot of people that have, it's a love-hate relationship they seem to have with it, going they have a higher level of complexity when it comes to learning it, but that complexity, once you get through it... And I always hear people, I don't know if this is them just throwing shade at them, but they just refer to it as "Latvian logic," because of where they're from, for the unusual ways that they implement some of the things. Among the unusualness you find in, like, a MikroTik 10 gig switch is Wi-Fi settings, and it doesn't have Wi-Fi, because MikroTik has a very extensive, not great, UI and all the features are there even if they don't physically exist. They have the same software, and all this, so that when they create a series of switches they all have the same software on them; whether or not the features are there doesn't really matter, you still have all those options, which creates kind of like that analysis paralysis. People look at it and go, "Which menu option do I choose again?" And I don't know if, have you looked at the MikroTik switches, Jay?

No, but I was actually thinking about buying one based on your recommendation, because I want to actually go back to 10 gig. I was using 10 gig for a while; long story made short, I switched away from it, and I miss it now, so I kind of want that back. And then I was in a chat room and someone said, "Hey, Tom mentioned that this is a really inexpensive 10 gig switch." I'm like, okay, sold, I'll go buy one. So I will have an opinion on it, but unfortunately as of today I have yet to check out that unit or anything made by MikroTik.

Yeah, the MikroTik stuff is interesting, because one of the other options, you have a lot of models, you have to look this up ahead of time with some of the MikroTik models, but they support SwOS. They have their MikroTik OS, their RouterOS (it's not actually called MikroTik OS; RouterOS), and then they have SwOS. SwOS is basically a lesser version of the same software; it runs on the same switch, you don't have to reflash it, it's like a mode you can put it in essentially, and it does reboot into that mode. Now the cool thing about that is it makes it a lot easier to use, because instead of having all that functionality it narrows the scope down to switch functions, so you can set up your VLANs, you can set up some of the more basic things. Now a lot of the MikroTiks actually support routing within their switches; I don't believe that's available if you use SwOS. You want to use RouterOS if you want all the advanced extra routing functions, but for a lot of people they're going, "Nope, I just kind of need some 10G hooked up and I might need a couple VLANs split off," and that's where they're stopping, which is fine. And MikroTik also does allow some command-line configuration. I talk about them from the home lab perspective, because home lab frequently means starting out without the budget to buy Cisco or some of those, and hands down MikroTik really hits that price point that is just killer. They have some switches that are in their own price categories, and we can really describe them. Now, one downside: if you buy three MikroTik switches, that does mean you have to configure three of them. This is where, back to what we mentioned, UniFi having a single control plane can be really easy; I define a VLAN, and it automatically is defined in the other ones. Now granted, there are ways to do this on all the other major switch manufacturers, but MikroTik, like I said, it's a little strange, and I already see comments in the live stream where people say yes, it's a very complex UI; that's definitely for sure.

Now a couple other ones worth mentioning are going to be like the Edge devices. Now this is made by Ubiquiti; it's a different line of their switches, the Edge ones. The Edge ones are actually pretty nice too. I don't have any issue with the Edge switches, other than they have a configuration that's probably more traditional looking. I've done a couple videos, like how to do VLANs in them; it's not like the UniFi, and this is where people get confused, thinking the Edge line will tie in with the UniFi platform and be easy to use. Nope, they just have their own kind of web UI for setting up switches and things like that. But they're actually usually at the same price point as the UniFi ones, so if you're choosing between the two of them, you kind of go, well, I may as well get the one that works with this larger control platform that's really easy to use. So there's nothing wrong with those. And the last part I'll touch on with switches is there are a ton of great deals you can get on used equipment that's been pulled from data centers that's 10 gig or faster, from a lot of different companies. I actually would say check out Serve The Home, especially because they write up and have done some videos on older model switches, talking about what deals there are. I think some of them are made by companies like Brocade; I mean, these are some that were extremely expensive in their heyday and are much more affordable now, and you can build something out there. The downside, and be prepared, is those devices are going to end up having an even steeper learning curve, especially Cisco. If you're not familiar at all with Cisco IOS, it's going to be difficult for you. If you're a Cisco veteran, then no problem, just go for it; then you're going to be in familiar territory, and buying a used Cisco becomes pretty easy. Check licensing and make sure that you have all the features and nothing's going to not work if you get Cisco. I see people mentioning a few other brands, other corporate brands. There are a lot of corporate brands, you know, Juniper being among them. You can always find those; they're not something you're going to buy brand new for the home lab, though, I'm going to throw that out there. I don't think there are any home labs running out and buying Juniper switches.

Yeah, I haven't heard of any on my end, so yeah.

Yeah, the only Cisco switches that might be in the home lab category is they make a couple new small business switches I reviewed on my channel, and there are a couple of them. They're their small business line, but they're Cisco. They nerf out some of the features, so they're Cisco but not the same Cisco; Cisco hardware, but Cisco without some of the other features. And I don't think they're a bad choice, and I did that review on them, but one of the things I highlighted was, like, when you wanted to do the switch stacking, which is a feature, even though there's another person on YouTube that may have claimed it was really easy and they automatically switch stack, they don't; there are a lot more steps involved as opposed to something like when you're doing UniFi, where it's easy to do that. That's one of the reasons for UniFi's popularity, really: the fact that they have built a really easy to use platform. That's been kind of UniFi's ethos and goals; they want to really put this in the hands of a lot of people, make it easy, and they certainly did. We actually use a lot of UniFi commercially and don't have any problem with it; it's proven to be a really solid product. But it comes down to where your goals are in your home lab. If your home lab says, "I'm building a home lab because I plan to be a Cisco engineer," then throw out everything I talked about for the last 20 minutes and go buy a Cisco. [Laughter]

What you use at work will probably impact a lot of people that are starting, and you know, if you are working in IT, maybe more on the entry-level side of IT, it doesn't hurt to let your senior-level administrators know that your intent is to learn and build a home lab, and if they are going to recycle some equipment, they might just throw some switches your way if they're going to throw something out, or maybe an older server. You might get lucky. I used to, every now and then, get some hand-me-down equipment when I was first starting, and that's really awesome when that happens. And if you are wanting to work your way up in your current company, then it might just make sense to learn what your company uses, because that would, you know, make it easier for you to learn.

Yeah, and that's one of the best things about a home lab: you could take it down anytime you want, and the worst thing you're going to do is make your kids angry, or your other family members or whoever you live with, when, you know, the internet stops working. But you don't have a whole company coming at you with pitchforks when you take something down, so you have full rein to just, you know, every minute is a maintenance window, basically. So yeah, a lot of flexibility there.

So yeah, and I will give a quick shout-out to Jeff Aquino; he threw a donation in here, so we'll give a shout-out to people who throw money at us for this project, and it says it's his birthday, so happy birthday, Jeff. So eight plus equals one, yep. Yeah, yep.

The Ciscos I mentioned I reviewed are the Cisco 1000s, and someone commented as well, and you're right, the UI is less than wonderful. So when Cisco does take the time to put a UI on a switch, yeah, just learn the command line, because the Cisco UI is, well, not good, not wonderful.

I will mention a couple runners-up, though. I've tested some of the Aruba equipment as well, and that's another one. Aruba makes a few switches now that seem to be part of their new platform that do have cloud enablement but also have local management as well, and those are another one that aren't a bad choice. Their UI is not bad; they pack a lot of features in them. And the nice thing is, there's really not much to it, because things like VLANs are a standard. So you can have, and this is actually how a lot of people build their lab, and it's a great learning experience, because each company does it differently: if you want to learn VLANs, have four different switches and figure out how to get a VLAN to traverse four different switches. It's a great learning experience, or a very aggravating experience; that depends on where your perspective is. But I actually encourage that. I think I've done a couple videos even talking about, like, this is how you do it here, this is how you do it here. This is what makes a VLAN explainer video so hard to do, because you kind of have to explain it with whatever switch you're using, and then you're like, well, it's implemented differently in this switch. I'm like, yes, there's a standard for how the packets are framed and how things traverse, so two switches of different brands have no problem talking VLAN to each other, but the implementation of how the interface achieves that is going to be different on each switch.

Yeah, I wanted to also address a few comments that came in as well, just to make sure, because there are some really good ones, and a lot of them have to do with VLANs. One comment regarding switches is, "Why are VLANs necessary in my home lab?" And the answer is VLANs are not necessary by default; they're not a requirement. You can totally be fine without ever implementing that, and I waited multiple years before I did. But the reason why you might want to do that depends on what you have. Now if you have four computers, you know, maybe two servers, two desktops in your entire network, and you put each one in their own VLAN, that's not really going to get you much benefit, because I mean, you have four devices, right? So why it's necessary really depends on what you have and what you want to accomplish. Now it was also brought up, IoT; now that's a really good reason for VLANs, because you don't need VLANs for IoT, it's just a good idea, because you're separating the IoT devices and you can choose which networks they're able to communicate with by, you know, implementing firewall rules. And I'll give you an example: on my VLAN for IoT, I don't let any of those devices talk to anything in my network, anything else, with a few exceptions. I have Home Assistant, which is popular software for home automation; I'm not going to talk too much about Home Assistant today, but I do want Home Assistant, which is also on that IoT VLAN, to talk to my desktop, because I want to access Home Assistant, but I don't want all my smart plugs talking to everything else. But I do want to talk to Home Assistant, which is my bridge, kind of, into that network. That makes sense. And then my television, a smart TV; there's no way to disable the ads, and it drives me nuts. So what do you do? Well, I just basically set a firewall rule, you know, because that's on the IoT network as well, that that TV isn't even allowed to talk to the internet at all. It just can't escape the network here, but I do want it to talk to Home Assistant, so through Home Assistant I can, you know, power on the TV or automate that; I still want to do that, but I don't want it to talk to the outside world. And one more example is my son has a gaming PC that runs Windows, no judgment. Now he hasn't yet, which is surprising, run into a virus or malware at all, but I kind of figured if one day he does, I have a YouTube channel, I have all these important files and things; I don't want the malware on my kid's network to talk to my business stuff, so I segregate that with a VLAN so they can't talk to my devices. So why you want to enable a VLAN really comes down to what you want to accomplish, what devices you have, what's important to you, and then you design your VLANs around what's important to you.

The other big advantage for VLANs is as you spider out your network and it gets bigger. You know, even our office isn't that big; our office is only about 2,000 square feet, but we have a data pipeline going from the back of the office to the front of the office. We have a lot of connectivity at the very back, where our servers are, and we have a lot of connectivity at the front, where we work on customer equipment and things like that. We could run individual runs all the way back and have a non-separated network, but by trunking everything, putting it all into one trunk that comes down the hallway and brings it up front, we're able to create a series of separate networks. As a matter of fact, because of the way we have things segregated at our office, with several networks for different testing at different times, VLANs make it really easy: just go take a switch port and say, make this switch port this particular network right now. I even have a lot of advanced things set up, because, and we'll get to the topic I see people already starting to comment on about virtual firewalls, especially when I create virtual firewalls, we have a series of VLANs that are only for some of my lab stuff, so I can create virtual firewalls and virtual systems and then put them all on a separate VLAN, but then physically bring them out into the real world to plug in devices. And VLANing just makes that really easy to do, especially with the virtualization stacks: just tie it all to a specific VLAN, and then you just make those ports, you bring them and trunk them down to only be that particular VLAN. So it becomes kind of an easy way to manage all of that. But we should probably start moving over to firewalls now.

And I will mention, no, we didn't talk much about wireless; we'll probably do a separate video on that. We could probably just talk about wireless on its own, because there's a lot to it, because I want to dive deep into the wireless topic; there's a lot there. So we just wanted to talk about switches and firewalls, and trust me, we don't have any shortage of topics; we know that's one that we want to dive into. But firewalls: we're going to start with what me and Jay use, but don't take this... I don't know where, there are a lot of people that think that I'm only recommending people use this. I just happen to use a lot of pfSense, so I do a lot of videos on pfSense. pfSense is hugely popular in the commercial market, has been for a long time, and yes, save your keyboard typing, we're aware of all the problems in 2.5.0; I did a video about that topic. So we're completely aware that there are some bugs, and they are working towards the release candidate on there. But pfSense has been a popular project; it's forked from m0n0wall. It now comes in two flavors, which of course adds to a little bit of the confusion. They have pfSense Plus, which is the one that comes with the Netgate hardware, that at some point in the roadmap they do plan to sell as an upgrade, where it's based on the open source tools but has a little bit of proprietaryness added in. It's still an open source project at the back end, but you would be right to say the final product is not open source. This is not uncommon for a lot of things, where they bake in a couple special things. But they still have pfSense CE 2.5 right now, and Community Edition is still open source, and the code's posted on GitHub, despite what people keep commenting on YouTube telling me it's not; you can go see that they've kept that part open source. Now whether or not that means, speculatively, that they will kill it off, I will let the commenters argue that out, but for now, as of today, it's a live project. So if you want to think something's happening later, feel free to speculate; I don't need to do that.

But pfSense, one of the things that's made it popular is the fact that it's extremely flexible. They really baked in a massive amount of functionality inside of a firewall, so you have a FreeRADIUS server, you have a captive portal system for those of you that want to have a specific network and authenticate people with a captive portal. It breaks out a lot of really advanced rules; some of those rules are even able to stack rules together. There are a lot of unusual use-case situations we've come into where pfSense was kind of like the easy way to solve it, and one of them is the way you can take one rule and create a tag that gets added on a packet stream to then go filter out differently again later, to apply it to a different rule if that tag exists. You can also even filter the rules based on what operating system it detects in the stream that was used. I mean, you can go kind of crazy with it, which is what's made it such a popular product: sure, routing packets is easy, but when you want to route packets and apply a lot of functionality to them, that's where the firewall complexities come in, and pfSense has always done that. But not going to have a problem... well, what's your thoughts on pfSense? You've been running it for quite some time, right?

Yeah, I want to say four years, maybe five. You know, you mentioned pfSense quite a few times, and then at Penguicon I did this panel about it; I think that's when I decided to use it, and that was around the time I was using Debian basically as my firewall, and I was manually using iptables for everything, which, there's nothing wrong with that; I felt like it was a valuable learning experience. But pfSense, I have to say, fits perfectly, and I think people could accuse me of being a pfSense fanboy, but the reality is it's really hard to tell the difference between someone who is a fanboy versus someone who just found something that works super well for their use case and they're naturally going to speak highly about it. So for me personally, pfSense is great. I mean, I can drop access to an entire VLAN on a schedule or something like that, like my kids go to bed at a certain time, cut their network.

Yeah, you don't have to worry about hearing Netflix until two in the morning.

So you get all this control, and you can basically be as creative with your firewall rules as you are creative. And there are all kinds of things that I did. I have a separate network for VMs, IoT, kids, like I mentioned, my devices network for, you know, computers and phones, for example. I think I have like eight different VLANs in there, because I just went crazy with it, and I love the fact that you could just say all of these devices can't access anything except this one, this one can access something, and this one can access something. You know, I gave the example of my television, my smart TV; I could basically disrupt its ability to download ads from its server, which all the ad rules I've added didn't really help, I swear. You know, cutting its access to the WAN, that seemed to stop it from being able to download ads, and since I have all this control, I just really love it; it just works well.

Yeah, and one of the really popular plugins, of course; pfSense can't be mentioned almost without its most popular plugin, pfBlocker, to give you a lot of the DNS sinkholing and things like that, which is kind of a way to run it, and you can even use some of the similar feeds as a Pi-hole. Pi-hole is a different project, but in the same concept of what they do. pfBlocker will allow a lot of extra DNS stuff, and I've chatted with the developer; actually, me and him were chatting last Friday night. If you can, go support that developer, BBcan, the developer of that. Awesome. He's got a Patreon page, but definitely a great project, and the fact that it can pull in some of the Pi-hole feeds makes it a really popular option. Now I will mention pfSense you can run on hardware or virtual, so you can just download and run it on whatever hardware you want; you can buy an appliance from Netgate, or you can run this virtually. It does support XCP-ng, Proxmox, and Hyper-V for those of you that like that, oh, and VMware of course; I mean, that almost goes without saying. You can build HA systems with it as well, whether it be hardware HA or virtualized HA. I've talked to people who've built multiple systems for running it virtually but then also have it set up in an HA; they have an entire system, and that can be done. I've broken down how to do a lot of things in there.

Now let's talk about another firewall, OPNsense. People think I don't like it; I usually just say I don't have a use case for that. So what happened is there was a disagreement between developers, so fork it, because that's the open source way: we don't like something, but we think we can deploy it better, so a group of people will get together and fork a project. OPNsense decided to go with HardenedBSD, and they forked the project. I don't remember exactly, but it's been a few years. If you like OPNsense, use OPNsense. OPNsense is, from everyone who has told me (I don't run this, so I'm not speaking directly from it), OPNsense does have a good user base; it's got a popular forum; it seems to work perfectly fine. The only thing I've noticed from a business use case: one, we rarely have ever seen anyone running it in businesses. I'm not saying no one does, just, are you running into it? We run into pfSense all the time when we take over clients; we've taken over clients, you know, from an MSP standpoint, like as a managed service provider, we take over from another IT company, we find pfSense all the time, and we see pfSense used in corporate, but OPNsense I have not run into one in the wild yet. But like I said, it's not me at all saying it's not used that way; I'm just saying from my experience. But OPNsense is, my understanding, quite reliable. It does have a lot of the same features; they have a lot more plugins. I don't know specifically; I don't have like a side-by-side comparison, but they have a listing on their website for that. I have no problems if people want to use it. People think because I don't do videos on it I must hate a product; no, I just haven't taken the time to familiarize myself with that particular product. It does have, and someone mentioned earlier that because of some of the problems that apparently are with the code that Netgate sponsored for WireGuard, Netgate has since removed WireGuard from the pfSense project for now, but OPNsense does have WireGuard already in it, and has for a little while. But they don't have a kernel implementation; they have a user-space implementation written in Go, and because of the way context switching and some of the details behind that work, your Go implementation is not going to be as fast as a kernel implementation. But yes, it is absolutely something that is there; it exists, so you can do most of the same functionality; it seems to be there. The only other thing I noticed is they seem to update more frequently, and for me, from a business standpoint, the newest bells and whistles aren't always what I'm looking for. We're looking for a stable, slower update cycle, so we don't have to run out and update hundreds of firewalls that we manage, because we're responsible for updating these. So, cool that there's a new update every two weeks if you're excited about new updates; not everybody is, because we're more excited about stability. And so far, and yes, I know pfSense 2.5 has bugs in it, and I did a video about some of the current issues with it, but yeah, overall the migration path has been relatively slow, but that's okay, because it works. So I have no problems with, you know, a little bit slower update path.

I think I feel the same way; that's why I
don't use open sense because i'm a little biased towards updates frequently when it's a linux system because for a linux channel that's great new version of gnome let's go over it let's go over the new kde plasma desktop because these updates keep coming so i'll download them as they come in but since i have a linux channel i don't cover pfsense because it's outside the scope of my channel so in that case i don't want the updates frequently because that's a distraction from my channel since i'm not going to cover any of those updates that's the only reason why i don't use opensense and haven't checked it out also because the process of converting from psense to open sense is not a straightforward thing you can't just upload a config file well you kind of can but it's not supported it may not work it may blow up in your face but you could try it probably won't work correctly there are ways to convert a pfsense config file to open sense but i didn't i just don't have time to go through all that and i know that they're without getting into it there's some drama there has been drama that led to the split with open sense actually being created and you know some interesting points are brought up there but for me personally it's what i implemented you know quite a long time ago it's outside the scope of my channel and so if it has fewer updates then it's less of a distraction for me um because i have the new shiny syndrome oh look update um yeah content over to that so because it doesn't update i could be focused more on what i want to do it's outside the scope of my channel but i could totally understand if you're a business you don't want to update you know that frequently because it's really hard for some companies to get a maintenance window and think about that for a moment maybe at your company it's not i've had people comment well that's easy i just do it in the middle of the night well maybe it's easy for you and your business but some businesses are have a hard 
time with that, so they would probably be more inclined to use OPNsense in that regard. So I think it kind of depends on, do you prefer the new shiny or do you want something that's stable, kind of stays out of your way, and that might determine what you go with right now.

The other thing too is, you build so much complexity into a firewall, it becomes a little bit harder, like Jay said, to switch between different firewalls. We, a lot of times, and where my videos come from is the fact that we're working with these different firewalls; that's why I'm able to do the videos on them, so I can talk a lot about the features, but I'm working with some clients that use this firewall, some clients that use that firewall.

Another popular one that I bring up a lot is going to be Untangle. Now, Untangle is open source with upsells; that's the way I would describe it. So it is an open source project, but it certainly has upsells to it, and included in those upsells is, it has WireGuard. But I, and I wish they didn't do this, so don't blame me, I don't work there, they decided that an upsell to you the consumer is going to be WireGuard. So you can get the firewall for free, but certain features like some of their web filtering features and threat protection features are upsells, and those make sense because those require feeds from threat intelligence feeds to be constantly updated; you have to maintain that list. But they also decided when they added WireGuard, they made an announcement and then they also simultaneously announced it's also only available with our home user versions or, they call it, NG Firewall Complete versions. So the way Untangle works is you can get a license for the upsold features and you can work it perfectly fine, and one of the things I like about them as a company is it does continue routing packets if a license expires; so the license is for the upsold features. Now, like threat protection, as I said, it requires a feed, so people who want a web filtering system and all the extra protection that may come with that, and you want all those websites to constantly be indexed, that's a paid item on a subscription. They're reasonably priced; they actually have some special home user pricing because they realize a lot of people want to start using it in a home lab, and it's like $150 a year. So it's not free, but it's a pretty good price for all the features you get with the home lab version, or the thing is called Home Pro. Now, I said home lab, I think they call it the Home Pro version. So it's not bad, and for some people that go, you know what, I want a really simple firewall that can do things like filter and tell me a report of where did my kids go online, or create some rules to keep them off sites you don't want them on, or block a certain site, they have a lot of those features and they did a nice job of building them into the Untangle firewall, but you don't get it for free. That's the one side about it, and it's one of the more common questions people ask, like, hey, can you also do filtering in pfSense? I'm like, it's just not as easy, it's a lot more steps, it's not one click. There's all kinds of more in-depth ways to set up things like Squid proxy and stuff like that in pfSense; it's all very turnkey and smoothly integrated in Untangle. So it comes back down to your home lab goals: do you want to dive deep into setting up Squid and loading everything, or would you like an auto installer where you click a button and block a website on a certain computer and just create a policy around it? That's where Untangle I think really kind of excels, for that ease of use. That ease of use, though, does cost a few dollars. I have a lot of people that have put this in, even we've done a lot of businesses with it that want all the advanced filtering and all the advanced options that come with it and they buy the business version of it, but then the ones we've talked to, it's a lot of home users that just like, you know, it just works, it's just simple. I want to play with Kubernetes, I want to play with all this, I don't really want to spend time filtering what my kids are doing; I just want to check a box and say block certain sites that they don't want their kids on, done, just check a box, move on. We blocked the casino, we blocked the gambling websites with a couple check boxes and moved on. So, hey, for people looking for that simplicity.

Another big thing that Untangle does I think is rather clever: PIA, internet privacy VPNs, and PIA is a pretty popular one. There's a few others, I can't remember, I just remember PIA being among them. They built it into Untangle so you can put your username and your password for your PIA account in Untangle and then say route this box to go out PIA. And it's no secret why you get a privacy VPN; they call them privacy VPNs because we care about privacy a little. It's almost always because I need to torrent something, I'm just going to say it, man, I need to torrent something, or you're trying to get around a region lock to watch some type of content. People go, I need to pretend I'm in Europe right now, or I need to pretend I'm in the United States, and this is what those VPNs become very popular for, and Untangle allows, through a tagging system where you just put in user and password, to be able to quickly redirect. I have a joke, kind of, it's not really a joke video, but it's kind of, to show you how easy it is, I did a video on how to set up Untangle with PIA in five minutes and I think the video is three minutes, because you just drop in your username and password, you tag it, and by the way it has some predefined rules. Among those predefined rules I believe are, would you like to detect torrent traffic and redirect torrent traffic on your network over PIA? Well, yes, I would like to do that. That's a nod to them knowing why people use it. So it's definitely a nice setup. I would say it's, if you have those
use cases, if you want things to be turnkey, they give you less of the things to tinker with. It is Linux underneath, so it is running on, like I said, it's got an open source base with some of their stuff baked into it. It does have a decent UI. Now if you go into it from the business standpoint, it's got a dashboard where you can have a bunch of them deployed and manage them from like a central control panel. They class up to all the business features, they get that; that's why they offer their lab version, so to speak, their home lab pro versions or home user pro versions. But I think it's a pretty nice firewall overall. And once again, like I mentioned, Untangle can be run inside of a virtual system, a virtual stack. OPNsense too, if I didn't mention that: OPNsense can be run inside a virtualization system as well. So either one of those are pretty good.

Have you used Untangle at all, Jay? I have not. Yeah, I have no knowledge about that at all, but I know basically everything you just mentioned now, so there's that. Yeah, so it's definitely one of the popular firewalls out there.

And now I've seen in the comments, VyOS. VyOS is pretty cool. It's a command-line-only firewall, and someone will point out there's someone writing some type of web interface to go on top of it. I looked at that briefly; I have not loaded it. The web interface looks pretty basic and incomplete, like I don't think it covers all the advanced features. Maybe I'm wrong, I just looked at it, I did not actually try to install it. VyOS is actually a really neat project, and if you're going to work in a data center you'll find VyOS in data centers. VyOS is a commercial firewall; I'm unclear, someone said they charge a subscription fee now, but only if you want the latest version of it. But VyOS is a pretty neat firewall system, downside being that it's command line only. It has a much steeper learning curve, but as someone pointed out even earlier, once you start learning the VyOS command line, if that's the skill set you want to enhance, you can get really good, because, well, what do you think about Ansible, Jay, and being able to script everything because it's from the command line? And I love Ansible, yeah, and these are the fun things. Well, someone said VyOS is a router first, firewall second. Yes, that's another way to look at it: it's a router with zones. There's a lot of, yes, it's a firewall, but yes, it's a router, yes, it's used commercially, there's a lot of complexities, it has a massive amount of features. But one of the things about them is that learning curve. But the learning curve of command line also, command line offers you advantages, like me and Jay said, with things like Ansible, where if you're running a data center and I have to make a change and I have some type of automation tool that can send scripts out to my firewalls and be able to change them, VyOS is ready for that because it's already command line driven.

And someone asked about the EdgeRouters. And the EdgeRouters, yes, somewhere back in the day, I believe it's before VyOS, I can't remember the name of the software before then; the EdgeRouters by Ubiquiti are a variation off of VyOS, they have some of that baked in. I don't know where or how different their code is now from the VyOS code, but yes it is also similar, and EdgeOS is also Vyatta, that's what it was called. So Vyatta was the base; Vyatta got forked into VyOS and EdgeRouters. So I don't know how changed the code is, but it is a certain divergence we have seen on there. No problem if you want to play with it, but it's one of those, it's going to take some time and a learning curve to dive into and start understanding. So those are, it's another option.

And all these so far that we mentioned run on x86, so, well, Edge doesn't, Edge is its own product, but pfSense does, Untangle and OPNsense, sorry, drew a blank there, they all run on standard x86 hardware. And someone asked about what's a good way to buy some of the hardware for that, really, because it'll run on most anything. And someone asked about Protectli boxes. I don't know if you've seen these; Protectli is the US name, I believe, and someone may call me out on this, that Protectli imports them, but they also go by the name Qotom. We've got some of both here laying around the office that we've been playing with. They seem to work perfectly fine. They're usually a solid metal piece, passively cooled devices, they have like four Intel network ports on them, they make a pretty decent firewall. I don't really have any problem with them, so to speak. We've deployed them out in the field; they work pretty good.

That might be what I'm running, actually. I forgot the name of it, but I have a metal box that is a Core i7. It's not like the newest Core i7 generation, but it basically fits that description, and that's what I run pfSense on. Again, I forgot the name of the manufacturer; I bought it off of, I think it was Amazon. You got it off Amazon? It was probably a Protectli. I think it is, and I'll tell you this: before this I had all kinds of problems, even with Zoom calls it would max out the CPU of my previous device. I have never seen the CPU on this device get above two percent running pfSense, because I think an i7 is just overkill for a firewall, but that's fine, I like overkill. I'm not going to max it out anytime soon, so it works very, very well for me.

Yeah, and one thing about firewalls, and this is a really fuzzy issue, is people always ask how fast they are. For basic routing, an i5 even, or even something slower, even a couple generations ago i5, you can get one gig routing. But where things start to break down is, you're usually testing with something, when you're doing a speed test on a router, people will use, and I've done this myself, you're creating single streams with, what's that speed test tool I
use all the time that's on the tip of my tongue? Speed test? No, not that speed test, like the one you can run internally. Right, iperf. iperf. I kept on saying iptables because I've seen it in the comments, but no, iperf. When you use iperf, if you're doing a single stream when you want to measure firewall speed, the single streams are pretty much always going to go fast. It's your IMIX traffic, as they refer to it, your IMIX traffic is where you're going to have more problems. So IMIX means lots of mixed traffic, and there's a tool called TRex by Cisco that you can set up to create the artificial traffic so you can actually start testing it. But once again, it's only when you start doing things like Suricata and Snort which will start pushing the CPU, because when you want to do something that's looking deeper at the packets, that's when you actually will hit CPU. So if you're running something like Suricata and you run not a single stream of data where it goes, hey look, some streams are going from here to there (I love how many comments there are on iperf right now because of the delay; there's a whole row of them in the comments here), but when you're running a single stream like iperf it's not going to tax it as much. But when you have 50 devices going to many different websites and pulling many different small packets from all over the place to use different services online, someone streaming YouTube, someone's streaming Spotify, and this is a whole lot of back and forth, all the different things you're using, now there's thousands of streams that it has to look into. That loads up the CPU, and it doesn't become as much a speed issue, it becomes a how fast can we inspect these packets and pass them along back to their destinations. So it becomes a little bit more challenging for how much routing you can do, and it's also why a speed test, even from something like DSLReports, may report really fast, but you may notice higher CPU usage and slowdowns later, because, well, you've not gone to a few devices downloading a file, you've gone to 50, 100, 1,000 devices just using a lot of network traffic and having to keep track of all the states that are available for that. So it's not as easy. Even on Netgate, they started posting their two different numbers for how their VPN speed works, because if you have VPNs you go, all right, well, how fast is the VPN? While running iperf we get this speed; running IMIX traffic using the TRex tool we get this speed. So it really comes down to how many streams are in there and things like that. So you get it, it's not as easy, it's not as cookie cutter, it's not like measuring a hard drive speed or a wire speed for two points, going how much data can I get from point A to point B. Well, what happens when there's a thousand different people that want to get a thousand different pieces of dissimilar data from point A to point B, and what happens with the packet processing that you put in between? Also, how many rules did you load in Suricata? All of them? Now you have a bigger rule set, because let me parse this against a larger rule set rather than a narrow rule set. So there's a lot of factors that go into that answer. It's why when people ask, I'm like, I have to go into like a five-minute explainer. And overload your CPU, yep.

Someone pointed out, and I believe they're still doing this, I don't know on every model, but I know some of the Protectli use coreboot as well, so if you're into using a better boot system, that is something that's a feature of some of the Protectli boxes.

Now, last but not least, we started out mentioning UniFi making good switches, but I'm not gonna give that same answer for their firewalls. I feel as though those firewalls are better than something you can buy as a consumer, you know, go to Walmart and buy some consumer device. Do I think their firewalls are better than that? Yes. The USG line, which is actually a little bit older, USG Pro, or the UniFi Dream Machine and UniFi Dream Machine Pro, which are Ubiquiti devices. I like the concept that you get a single pane of glass: I can create my VLAN, I have the VLAN in my switches, my access point and my firewall all through one web interface. Except they keep falling flat with the way they implement things. I know there's an upcoming beta, as someone will point out, for things like assigning multiple IPs to WAN. This is a weird shortcoming to me that has been in the requests for years; like, when they released the UniFi USG series it didn't have the ability to assign multiple IPs to WAN, and there's always someone that will point out, oh, you just have to go and edit the JSON file and change configs and command line this. But the problem is when you do that: one, it doesn't always survive updates; two, it doesn't always make the web interface work properly, so changes you make in a web interface may overwrite those changes, or in some cases we've seen it sends the USG into a boot loop because it doesn't know how to address the changes you made to the system. So it can be a challenge getting things set up on them. UniFi is also notably lacking in good VPN support, and a lot of advanced functions just kind of keep falling flat with a lot of the UniFi Dream Machine devices when it comes to advanced routing. For basic routing I think it works, but the moment you start talking about any of those advanced rules that Jay and I mentioned earlier with the other devices like pfSense or OPNsense or Untangle, that all just starts kind of falling flat. And the statistics, that's another thing people ask, like, it gives me deep packet inspection statistics. Go spend some time over in Ubiquiti's Reddit forum or their forum and you'll find out how vague their numbers are. They give you usage numbers like, hey, this person used this much media data for streaming media. Okay, over what time frame? Well, we don't want to tell you that, we don't want to break down actual actionable information, we're just
going to give you these cool charts that draw and make pictures on the screen but don't give you actionable intelligence. Yeah, they'll shame you in the interface every now and then: you go in the interface and you click on a section, you are not able to access this because you should have this device, depending on which one it is, that you're missing. And pfSense just integrates very well with it, in my opinion, so I've never looked outside of that. But whenever I looked at these UniFi routers, I'm like, yeah, it'd be nice if they had this feature and that feature; they don't, for some reason. I don't understand why it's taking so long; it just seems to be like a weak area in their product line.

I mean, writing firewalls is really challenging; it is not for the faint of heart. And also, by the way, this is by no means an exhaustive list, because there's so many options out there when it comes to firewalls. There's a lot of other side projects, OpenWrt and everything related to that. I have not touched that project in a long time, but yeah, it's out there, it's a popular project. I haven't used it, so I can't really speak as an expert on it, because it's been, I mean, I played with it forever ago on my Linksys WRT54G. When were those relevant, how many years ago? That's the last time I've used the project, so I'm so far removed from it, but I'm aware that there's still activity on those projects.

What are some of the other ones that we use? To put some closure on the Ubiquiti stuff, though: I don't know if Ubiquiti is going to get better at theirs. I always have hope, because someone was even asking me and tagging me on Twitter today about another update on the Dream Machine, hey, does it address all the issues? I don't know. I have a Dream Machine here so I can plug it in and load an update and be disappointed again; that's kind of my joke of why it's in the rack. We don't actually have it turned on at any given time, but when I know there's a new version and people want to say, does it still suck? I load it, turn it on, and I'm going, yes. I'll do a video to let you know they updated to a new version; they solved these problems but not any real issues, or they made buttons that nobody asked for, or they've split things into two different menus for reasons that I can't define. That sucks one percent less in this update. Yeah, it sucks one percent less. So, yeah, it's like, ah, I want them to do better. It's not that I'm hating on the company, because I do want them to do better. They are absolutely aware; between me and other people who produce videos on their product, we talk about their shortcomings. There are feature requests that are long standing in their forums under their feature request headings; they just seem to ignore the fact over five or six years that, yeah, they just don't want to listen to people on it. I don't know why, and there was all the speculation when they had hired some more developers that they would change it. They hired people who were specifically talented at firewall development from other projects in the open source community, and everyone's like, oh, this is awesome, they hired so-and-so, and I don't know what that person is doing, because we haven't seen a massive amount of innovation. Granted, there's at least some, because the USG line is not the same hardware at all, or even really the same operating system base, as the UniFi Dream Machine line, so maybe that person had a hand in that. But why did you guys keep the shortcomings? And those shortcomings such as not being able to do multiple WAN IPs and a lot of routing features not being there, or why is OpenVPN, I mean OpenVPN is kind of an industry standard for any of these other firewalls we mentioned, but OpenVPN is just missing, and WireGuard, I don't even think that's on their roadmap anytime soon. Someone's going to point out there's a way to hack it in there; I'm aware, but once again I don't think it's on... If you want UniFi for their interface, then while you're going around their interface to get something done you suddenly broke it, at that point, right? Like, the whole point is, for a lot of people, to have an easy to use interface that abstracts the underpinnings, but then to be required to get into the plumbing kind of defeats one of the purposes that some people use that for. Yeah, and also it could just be the case, I don't know if this is true, that their developers are just spread too thin. That's very common, especially with things like this, that there's just not enough manpower to make some of this stuff happen. Sometimes it's as simple as that, or maybe they're okay with the audience that they have with the Wi-Fi equipment; maybe that's their bread and butter. I'm just assuming that's the case, I don't know if it's true. It could be that there's just so much more money in the other things and that's where their focus is; it could be as simple as that too. But it's really hard to say.

You know, a little back-end perspective I have on them would be the fact that I don't know anyone directly there other than when they used to send us stuff, and I say used to because, best I can tell, they're not sending us anything anymore because I did some scathing reviews of their product, and they did hear me when I email them now asking questions. But the general consensus I seem to have is they just kind of get different directions sometimes from leadership inside there; that's the best guess. Like, they're working on this, and now they're working on that, now they're going in this direction. Their UniFi switching and access points, we've deployed thousands of and we manage those at scale. I think they make a solid product for its use case. They're not as advanced as you'll get with some of the other higher-end companies like Cisco; you can't say they're a one-to-one match with Cisco. But do I need any of those extra features that
Cisco offers? If the answer is no, then cool, I can go do this deployment. And we've got deployments with some of their equipment that are like 300 access points and as many switches as needed to run all those, and I've done some reviews; we've been deploying them at scale, and because they don't need features that aren't supported in UniFi, they work. So always think about what's your use case: do you need those extra features? But the routing equipment, I don't really deploy that for any businesses. It's really, yeah, not as great.

So, hopefully... someone said multiple IPs came in with 1.9 two weeks ago, so I guess I'll have to look at that to see it, but I don't know if that's a beta version or not. I know the beta versions had it, but I don't know if the release versions have it on the UniFi. Maybe now it sucks five percent less. Yeah, because multiple WAN IP, cool, where's OpenVPN and some of the other features that people look for in a firewall? Because OpenVPN integration, whether using OPNsense, pfSense or Untangle, has been solid. Matter of fact, there's a lot of flexibility in user management and everything with all those, especially for business use cases or when you have a lot of people that want to log in remotely; those all have a lot of advanced features around that. Or the aforementioned selective routing when you use a privacy VPN, where you go, I want to send certain things, whether you're getting around a region lock or torrenting your favorite distribution; those privacy VPN functions are null, because there's all command line and a lot of hacking going on to try to get them to work in UniFi. If UniFi wanted to help the home user market that is interested in those things, you'd think they'd take the time to develop them. But, yeah, so that's kind of, I don't think that's their interest level. They just kind of fall short on that.

I will give a shout, I have not used it, TNSR is another project from the folks over at Netgate. TNSR, just if you're not familiar with what it is, it's vector packet routing. It's designed for even higher scale, fast routing. I'm not an expert at it; they have their own write-ups and white papers so you can kind of learn a little bit more about what vector packet routing is. Where it becomes like a use case is running it in cloud services like Azure and AWS, when you go, I need not gigabit speed, not 10 gigabit speed, but even more than that type of speed. This is supposed to be designed to solve some scalability problems for people that are running things at a very high enterprise level, especially, you know, routing stuff in the data center. Not an expert at it, I haven't used it. They do have some free editions so you can try; I don't know all the details of it, but I know I've seen they announced that, so they do have some free editions essentially, so you can go out and try TNSR. I think they want to call it "tensor"; I'm bad with pronouncing things. It's TNSR on their website. Yep.

Any closing comments? Yeah, I think we covered the major firewalls, at least the ones that we have some knowledge of. I think those are the things that I was thinking we should say. I think we covered a lot of options; I mean, again, there's quite a few things out there to consider, even things that we didn't mention, but there's just not enough time to check everything out that exists out there, as much as we would love to do that. But I think that covers that, in my opinion. Yeah.

So if you have questions, comments, leave them below. We do check the comments on these. For those of you watching the live stream, this is posted as a video; for those who listen to the podcast, hey, awesome, welcome, and check us out at thehomelab.show. This is Tom Lawrence with Lawrence Systems and Jay LaCroix with Learn Linux TV, and thanks for listening, folks. Take care.
Info
Channel: Lawrence Systems
Views: 21,310
Keywords: lawrencesystems
Id: qD22dcnkigg
Length: 61min 12sec (3672 seconds)
Published: Wed Mar 24 2021