
Stand alone Firewall for FTTP


www.GymRats.uk

May 31, 2022, 11:18:38 AM
Slightly different one today.

Zen finally managed to persuade OpenReach that our property WAS served
by FTTP even though their system said no. (something to do with the
property having 3 different address keys - most likely from days long
gone when it had 3 water bills etc)

After one absolutely cretinous "engineer" (I reluctantly call him an
engineer due to his complete incompetence and lack of any ounce of a
clue about how to run the simplest cabling route in the history of
installs, nor how to use any of the simple hand tools he's been gifted...)

Sorry, back on track... Right, we finally have Zen 300/50 up and running
but my older Draytek 2920 has a Max. firewall throughput of "150Mbps"
although even removing QoS, and deactivating DoS etc it still struggles
to get more than 100Mbps down.
That in itself isn't a problem as it was the 50Mbps upstream I was
desperate for which it manages just fine but I had a thought today, what
if there was a stand alone firewall option with a MUCH higher that could
go between the router WAN port and the ONT which would mean I could
potentially switch off all router firewalling filters, rules etc giving
it a bit more headroom and perhaps potentially closer to 200Mbps.

I have a shelf full of redundant Draytek routers and am reluctant to add
another to the pile if there was an economical option to bypass its
firewall bottleneck.

Thoughts and suggestions appreciated.
Cheers - Pete

Theo

May 31, 2022, 12:00:16 PM
www.GymRats.uk <0845.86...@gymratz.gym.equipment> wrote:
> Sorry, back on track... Right, we finally have Zen 300/50 up and running
> but my older Draytek 2920 has a Max. firewall throughput of "150Mbps"
> although even removing QoS, and deactivating DoS etc it still struggles
> to get more than 100Mbps down.

That'll likely be a CPU problem. Not much you can do to improve performance
at that end. Some of them have hardware acceleration for networking, but
many don't (or no drivers, especially on replacement OS installs)

> That in itself isn't a problem as it was the 50Mbps upstream I was
> desperate for which it manages just fine but I had a thought today, what
> if there was a stand alone firewall option with a MUCH higher that could
> go between the router WAN port and the ONT which would mean I could
> potentially switch off all router firewalling filters, rules etc giving
> it a bit more headroom and perhaps potentially closer to 200Mbps.

Depends how much you want to set up, but anything with a decent amount of
compute: small Intel box (eg search TinyMiniMicro - like a NUC but cheaper),
Chinese small Celeron box, Raspberry Pi 4, etc. Preferably one with two
network interfaces. Perhaps you have something like this lying around?

If you want to go commercial, Ubiquiti have things like the EdgeRouter,
Mikrotik have similar small boxes, etc. Possibly an older one can be picked
up used for cheap.

> I have a shelf full of redundant Draytek routers and am reluctant to add
> another to the pile if there was an economical option to bypass its
> firewall bottleneck.

Unless you already have suitable hardware, you're going to be investing in a
second one anyway. It would seem more awkward to have separate firewall +
router boxes where you could have combined box, unless you have particular
needs. Although there is something to be said for having a wired
firewall/router and then a separate wireless access point (located
wherever's best for wifi signal).

I assume your redundant Drayteks are going to be worse/older than your
current one, so no help from your pile.

Theo

Angus Robertson - Magenta Systems Ltd

May 31, 2022, 12:09:12 PM
> I have a shelf full of redundant Draytek routers and am reluctant
> to add another to the pile if there was an economical option to
> bypass its firewall bottleneck.

My Draytek is now on the spares shelf, I replaced it with a Netgate pfSense+
appliance, range of sizes with varying numbers of ports and speeds, from about
£150 plus VAT:

https://www.netgate.com/pfsense-plus-software/how-to-buy#appliances

https://shop.amicatech.co.uk/product-category/pfsense/pfsense-systems/

The pfSense software they run is Linux open source, and can be run on any Linux
box or virtual machine, it also runs on a VM in my hosted rack. But buying it
on a Netgate appliance means it runs out of the box with automatic updating and
support. There are lots of extras packages you can add.

Angus



Tweed

May 31, 2022, 12:52:48 PM
Just remember the extra running costs of this additional firewall box. At
30p/unit a device takes 2.6 times its power rating in pounds per year if
left on 24/7. So a 10W device costs around £26/year to run.

Andy Burns

May 31, 2022, 2:57:59 PM
Angus Robertson wrote:

> The pfSense software they run is Linux

Ahem! FreeBSD


Mark Carver

Jun 1, 2022, 3:01:47 AM
On 31/05/2022 17:52, Tweed wrote:
>
> Just remember the extra running costs of this additional firewall box. At
> 30p/unit a device takes 2.6 times its power rating in pounds per year if
> left on 24/7. So a 10W device costs around £26/year to run.
>
It will heat up the room ever so slightly, so it's not a totally wasted
cost !

www.GymRats.uk

Jun 1, 2022, 6:24:19 AM
On 31/05/2022 17:08, Angus Robertson - Magenta Systems Ltd wrote:
>> I have a shelf full of redundant Draytek routers and am reluctant
>> to add another to the pile if there was an economical option to
>> bypass its firewall bottleneck.
>
> My Draytek is now on the spares shelf, I replaced it with a Netgate pfSense+
> appliance, range of sizes with varying numbers of ports and speeds, from about
> £150 plus VAT:

Having just spent the morning digging around products, prices etc, given
that our home area is on the verge of the local fibre co. "Truesped"
becoming activated and no doubt Openreach rapidly on their way to
replace copper from FTTC to full fibre, it appears possibly the most
logical option would be to relocate my more capable Draytek 2926 from
home and replace with a 2927. Not the biggest performance improvement
for home but clearing the path for the incoming network upgrades and
allowing the shop to max. out the 330Mbps.

Might be able to get a few quid back for the outgoing shop router.

Seems like a stand-alone firewall isn't going to improve things much
without spending similar or more than the cost of a new 2927 and would
involve a whole heap of time trying to get inter-site VPN and other
stuff working, whereas I believe I should be able to dump the heavily
configured settings from the 2926 into a 2927 for a plug&go straight swap.

Thanks for your input though.

Cheers - Pete


www.GymRats.uk

Jun 1, 2022, 6:25:02 AM
On 31/05/2022 17:00, Theo wrote:

> That'll likely be a CPU problem. Not much you can do to improve performance
> at that end. Some of them have hardware acceleration for networking, but
> many don't (or no drivers, especially on replacement OS installs)

The Draytek 2926 I have at home has hardware acceleration and lots of
other firewall features that are heavily used for blocking server
attacks, e.g. blocking countries and hundreds of host subnets etc.
The work router is several models behind so it's missing much of the
good stuff.

<snip>
>
> Depends how much you want to set up, but anything with a decent amount of
> compute: small Intel box (eg search TinyMiniMicro - like a NUC but cheaper),
> Chinese small Celeron box, Raspberry Pi 4, etc. Preferably one with two
> network interfaces. Perhaps you have something like this lying around?

I.T. equipment, like my vehicles I keep using for as long as they remain
operational whereupon they retire to the graveyard shelf so nothing of
any use I'm afraid.


> If you want to go commercial, Ubiquiti have things like the EdgeRouter,
> Mikrotik have similar small boxes, etc. Possibly an older one can be picked
> up used for cheap.

Just saw a Ubiquiti USG on ebay but the first vid. showed with "threat
management" off it was doing over 900Mbps but with it switched on it
dropped down to not much over 100Mbps

> Unless you already have suitable hardware, you're going to be investing in a
> second one anyway. It would seem more awkward to have separate firewall +
> router boxes where you could have combined box, unless you have particular
> needs. Although there is something to be said for having a wired
> firewall/router and then a separate wireless access point (located
> wherever's best for wifi signal).
>
> I assume your redundant Drayteks are going to be worse/older than your
> current one, so no help from your pile.

If I remember, I upgraded the home one when for some reason it locked up
and couldn't be reset; what it replaced went to "the shelf". Then
perhaps 12 months later the shop one locked up and couldn't be reset so
out of desperation I plugged the retired home one in, did the factory
reset (RST), configuration etc and it came back to life, so everything
else is significantly older/lower spec. or dead (at time of retirement).

I might have to just run with lower security and no QoS which was
essential on ADSL2+ for VoIP but not so critical now.

Greatly appreciate your input and advice as always.

www.GymRats.uk

Jun 1, 2022, 6:25:38 AM
That takes me back to the early early days when I blagged a redundant
desktop from a random stranger on a usenet group and added an extra NIC
card to run FreeSCO router on a floppy.
Worked perfectly and I even attempted to go more technical by trying to
do the same with OpenBSD but gave up as I wanted to add VoIP and the
Draytek 2600V had 2 POTS ports for 2 "lines" plus so much more in a
fraction of the space and energy use, so the big box solution was abandoned.

Still have 2 x Draytek 2600V routers and every redundant model since on
the I.T. Graveyard shelf. 2 of everything because I duplicate systems at
home and shop.

Mark Carver

Jun 1, 2022, 7:14:21 AM
On 31/05/2022 16:18, www.GymRats.uk wrote:
> After one absolutely cretinous "engineer" (I reluctantly call him an
> engineer due to his complete incompetence and lack of any ounce of a
> clue about how to run the simplest cabling route in the history of
> installs, nor how to use any of the simple hand tools he's been gifted...)
>
Was he vanilla Openreach, or a contractor from <shudder> Quinn or Kelly?

Brian Gregory

Jun 3, 2022, 11:50:28 AM
On 31/05/2022 17:08, Angus Robertson - Magenta Systems Ltd wrote:
>> I have a shelf full of redundant Draytek routers and am reluctant
>> to add another to the pile if there was an economical option to
>> bypass its firewall bottleneck.
>
> My Draytek is now on the spares shelf, I replaced it with a Netgate pfSense+
> appliance, range of sizes with varying numbers of ports and speeds, from about
> £150 plus VAT:
>
> https://www.netgate.com/pfsense-plus-software/how-to-buy#appliances
>
> https://shop.amicatech.co.uk/product-category/pfsense/pfsense-systems/
>
> The pfSense software they run is Linux open source, and can be run on any Linux
> box or virtual machine, it also runs on a VM in my hosted rack. But buying it
> on a Netgate appliance means it runs out of the box with automatic updating and
> support. There are lots of extras packages you can add.

pfSense is based on FreeBSD, not Linux.

--
Brian Gregory (in England).

Brian Gregory

Jun 3, 2022, 11:53:20 AM
On 31/05/2022 16:18, www.GymRats.uk wrote:
You're unlikely to achieve much by trying to separate the firewall.

I'd go for a new, more powerful router.

Brian Gregory

Jun 3, 2022, 11:55:28 AM
On 03/06/2022 16:53, Brian Gregory wrote:
> You're unlikely to achieve much by trying to separate the firewall.
>
> I'd go for a new, more powerful router.
>

Come to think of it, using the old router as just a wifi access point is
a possibility, and could work well.

Bob Eager

Jun 3, 2022, 4:40:14 PM
On Fri, 03 Jun 2022 16:50:26 +0100, Brian Gregory wrote:

> pfSense is based on FreeBSD, not Linux.

Indeed. My firewall is a standalone HP microserver running off a read
only USB stick. I happen to use ipfw as it was nearer to what I was used
to (the previous firewall was based on OS/2).