Home Firewall/Router

Started by Mark, January 20, 2014, 10:14:09 AM

Billy Welsh

Quote from: Jeff Zylstra on January 21, 2014, 09:44:56 AM
You're most welcome.  What you're considering is what I ended up doing.  I use a Buffalo WAP along with an old Sonicwall TZ 170 from my office.  I know SW is not your favorite, but it does what I need it to do, is stable, and has enough bandwidth.  The flexibility and stability of a commercial firewall along with the new, stronger wireless is a good combination.   You might want to check out Craigslist or EBay for a used commercial firewall, then add a WAP to it.  Just make sure that updated firmware is available, or it can run WRT or Tomato or something like that.

Hmmm...good food for thought.  I've been through a Cisco and a TP-Link at home (thanks to Han's Woot.com), and both wound up in about the same place - at about a year the issues begin.  Mostly just freezing - DSL modem is synched, no errors on any connected device, and no internet.  Actually have to go upstairs and power cycle the router - won't even come up in a browser even though all the pretty blinking lights give the impression that all is well.  And you can just imagine how it frustrates my lovely non-techie wife, who just wants it working whenever she needs it, period.

We've been using Buffalo NAS units here for some time with no issues, as well as a Cisco WAP.  So maybe my next adventure will be a Buffalo router, or an old retired SonicWall from here with a Buffalo WAP.

For home use, are you concerned at all that the SonicWall isn't being updated for new threats?  Or is the standard SonicWall port control, packet sniffing, etc. enough at home as long as you are running a good anti-virus program?  When we start getting into the details of the actual threats, I am in over my head.
Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

Even with outdated intrusion protection and other countermeasures, I think that the SonicWall's protection is still stronger than what you would get with a residential unit.  I'd be interested in hearing everyone else's take on that, however.  Plus, you get things like VPN support and other things that you wouldn't on a residential unit.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Really all you *need* at home is all your ports blocked and NAT but any additional features are good.

As far as outdated protection, older things are still out there on the net so I say nothing wrong with that.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Realizing you pros are not familiar with my actual router, do you think I could take a retired SonicWall home to do all the heavy lifting, and change the wireless router settings so that it is just operating as a WAP?

I know that might not solve my problems but it seems worth a try in my mind.
Billy Welsh
Director of Accounting
LCMC Health

Mark

Yes, you most definitely could.  To do this, disable DHCP on your wireless router and plug one of the computer ports (NOT THE WAN) into one of the network ports on the SonicWall and you're golden.

I have everyone who gets U-Verse do this.  It also avoids having to reconfigure wireless devices for a new router.  I've had nothing but trouble with the U-Verse WiFi!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security
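The step Mark gives above, disabling DHCP on the wireless router before its LAN port goes onto the SonicWall, is the one people forget, and two DHCP servers on one segment fail in a confusing way: whichever server answers first wins, so some clients quietly end up on the old router's subnet. The script below is an added example, not code from this thread or from SonicWall: it parses DHCPOFFER packets and reports every Server Identifier (option 54) other than the firewall's. The packets, addresses and subnets are constructed for the demo; a real audit would feed it offers captured with a sniffer, which the example does not do.

```python
"""Audit DHCPOFFERs seen on a LAN and flag any DHCP server other than the
firewall, e.g. a Wi-Fi router demoted to a WAP with its DHCP still on.
Sample packets are constructed inline (addresses are assumptions), so the
script runs offline; a real audit would feed it captured offers."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                            # DHCP magic cookie
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")    # fixed 236-byte BOOTP header
OFFER = 2                                              # option 53 message type

def _ip(text):
    return ipaddress.IPv4Address(text).packed

def build_offer(xid, yiaddr, server_id, router, dns, lease=86400):
    """Constructed DHCPOFFER (BOOTP reply + options); demo input, not a capture."""
    header = BOOTP.pack(2, 1, 6, 0, xid, 0, 0, b"\0" * 4, _ip(yiaddr), _ip(server_id),
                        b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, OFFER])
            + bytes([54, 4]) + _ip(server_id)            # Server Identifier
            + bytes([3, 4]) + _ip(router)                # Router
            + bytes([6, 4]) + _ip(dns)                   # DNS server
            + bytes([51, 4]) + struct.pack("!I", lease)  # lease time
            + bytes([255]))                              # end
    return header + MAGIC + opts

def parse_dhcp(packet):
    """Return the fields an audit cares about; reject malformed packets."""
    if len(packet) < BOOTP.size + 4 or packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields = BOOTP.unpack_from(packet)
    opts, i = {}, BOOTP.size + 4
    while i < len(packet):
        tag = packet[i]
        if tag == 0:                                     # pad
            i += 1
            continue
        if tag == 255:                                   # end
            break
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated DHCP option")
        n = packet[i + 1]
        opts[tag] = packet[i + 2:i + 2 + n]
        i += 2 + n

    def addr(tag):
        return str(ipaddress.IPv4Address(opts[tag][:4])) if tag in opts else None

    return {"xid": fields[4], "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "type": opts.get(53, b"\0")[0], "server": addr(54), "router": addr(3),
            "dns": addr(6), "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None}

def audit_offers(packets, expected_server):
    """Group offers by Server Identifier (option 54). Any server other than the
    expected one is a rogue; returns (sorted rogue IPs, offers by server)."""
    by_server = {}
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["type"] != OFFER or info["server"] is None:
            continue
        by_server.setdefault(info["server"], []).append(info)
    return sorted(s for s in by_server if s != expected_server), by_server

# Constructed sample: two offers from the firewall (192.168.1.1) and one from a
# WAP that still runs DHCP and hands out its old 192.168.0.0/24 addressing.
SAMPLE_OFFERS = [
    build_offer(0x1001, "192.168.1.50", "192.168.1.1", "192.168.1.1", "192.168.1.1"),
    build_offer(0x1001, "192.168.0.100", "192.168.0.1", "192.168.0.1", "192.168.0.1"),
    build_offer(0x1002, "192.168.1.51", "192.168.1.1", "192.168.1.1", "192.168.1.1"),
]

if __name__ == "__main__":
    rogues, seen = audit_offers(SAMPLE_OFFERS, "192.168.1.1")
    for server, offers in seen.items():
        print(server, "offered", [o["yiaddr"] for o in offers], "router", offers[0]["router"])
    print("rogue DHCP servers:", rogues or "none")
```

The report keys on option 54 rather than on the packet's source address because a rogue behind a relay or a misconfigured bridge can still answer with its own identifier; a second subnet in the router/DNS options, as in the sample, is the giveaway that a WAP's DHCP was left on.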

Jeff Zylstra

Quote from: Billy Welsh on January 21, 2014, 02:00:55 PM
Realizing you pros are not familiar with my actual router, do you think I could take a retired SonicWall home to do all the heavy lifting, and change the wireless router settings so that it is just operating as a WAP?

I know that might not solve my problems but it seems worth a try in my mind.

Having done exactly this.  I would say YES!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

I vote for PFsense - build your own firewall. Grab an ALiX board and away you go.

http://www.pcengines.ch/alix.htm

Or - if you want a bit more of a UTM and either have the hardware or are willing to spend a bit:

http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
Sysadmin - Parallel42

Billy Welsh

Quote from: Mark on January 21, 2014, 02:03:54 PM
Yes, you most definitely could.  To do this, disable DHCP on your wireless router and plug one of the computer ports (NOT THE WAN) into one of the network ports on the SonicWall and you're golden.

I have everyone who gets U-Verse do this.  It also avoids having to reconfigure wireless devices for a new router.  I've had nothing but trouble with the U-Verse WiFi!

You actual pros are so much better than Google!  Yes, the Oracle will reveal the answers, in time, usually more than I care to spare - patience has never been my strong suit  :P

So I managed to impress myself by actually getting this done with an old SonicWall, and it has made a BIG improvement.  So I guess you really do get what you pay for - the sub-$100 routers do not seem to have the beef necessary to handle moderate traffic.

The only problem now is the SonicWall is limited to 10 "nodes."  I never thought to check this, as this puppy served one of our branch offices quite well, so I assumed it could easily handle my modest homestead.  But once I saw the message that the number of allowed nodes had been maxed, I started to realize that hitting 10 in this day & age is pretty darn easy to do.

I have another SW I can try with unlimited nodes, but it has not cooperated so far.  So I am trying to figure out whether to have one more go at it, or if there is a way to get the current unit to play nice.

Does anyone know how SonicWall defines a "node?"  If that is just a limit on my DHCP scope that I can get around with fixed IP's, I'll gladly do that as opposed to continuing to fight with the 2nd unit.
Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

I'm guessing that the "nodes" are any kind of connection (computers, phones, other wifi, etc.) so trying to "fool it" with a static IP address won't get you anywhere.  I would try the other SW with unlimited nodes if you need more connections since you probably can't upgrade that unit by purchasing an unlimited node license.  The license on my SW at home expired 4-5 years ago, but it had unlimited nodes, so I am all set.  I don't think it's worth ever buying a limited node device from SonicWall since the price difference isn't that great, and I've heard that limited nodes are a pain with SW as it may not always release licenses after a "node" disconnects (or you think it has disconnected).
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Billy Welsh

I've actually got 2 older units, both 10-node, one of which is upgradeable.  But when I glanced at the prices the other day to increase the node count, I could get a really nice brand new firewall for what that would cost.

It is looking like the kids sports activities could get rained out this weekend, so I may have time to take one more run at the 3rd SW.
Billy Welsh
Director of Accounting
LCMC Health

Billy Welsh

I finally smartened up and snagged a used SonicWall TZ190 on ebay for ~$30 including shipping.  I know not all of you real techs are fond of them, but it is the only "real" router I am familiar with so I knew I could get it to work without too much headache  :) .  So for that trifling sum I have a nice working firewall with unlimited nodes.

Only it doesn't work, at least not 100%.  The DNS addresses are not making it through from the PPPoE login on the new unit - they were on the old unit.  I entered them manually, but I don't like that solution.  If those change, it will be at the worst possible time - when the wife is trying to do something and I am not at home!

I have done some initial Googling, but no joy as of yet.  But you guys are all better than Googling anyway!  Thoughts?
Billy Welsh
Director of Accounting
LCMC Health

Mark

Set a manual DNS that doesn't change: Google (8.8.8.8), OpenDNS (no account necessary), or the old trusty 4.2.2.2 - though I recently read that we're not really supposed to use that one.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

All right, my info is going to be really sketchy at best, but diving into this at 11:00pm after picking up the dog from the vet for surgery and hearing from the wife and teenage son about it "not working" several times are hardly ideal conditions!

In going to the log of my SonicWall last night, I saw something I had never seen before - "PPP ECHO" entries.  Whenever I see something new I get concerned.  Can any of you shed light on what these are with this very limited info?  EDIT:  The SonicWall is connected to a DSL modem.

The background if you want it:

Wi-Fi appeared to go kaput, even though all the pretty lights were on (green) and blinking.  Restarts of the WAP did not resolve.  None of the wireless devices were successfully connecting to the WAP.  The WAP is actually a router that I set up to just be a WAP, as it did not handle the full volume of traffic very well when used as a router.

So, next I went to the SonicWall, which I restarted for the heck of it - it seemed to be working correctly before the restart though I did not check - was hoping in vain to get lucky.  After the restart I was able to log in to the SonicWall from a wired connection - again all appeared normal as far as the SonicWall.  But the only IP lease was for the station I logged in with - the other wired PC did not appear (it was saying cable unplugged, which was not the case).  This makes me suspect the SonicWall - this is the unit I got off ebay that Dell tells me was RMA'd for being defective.

I will dig deeper into connectivity/router issues this weekend.
Billy Welsh
Director of Accounting
LCMC Health
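Two things in the posts above are PPP control traffic on the DSL link. The resolver addresses that the PPPoE login should hand over (Billy's DNS problem, which Mark answers with manual resolvers) travel as IPCP options 129 and 131 (RFC 1877), proposed by the peer in a Configure-Nak and confirmed in its Configure-Ack; a peer that Configure-Rejects those options never supplies DNS at all, which is one way a link comes up with an address but no resolvers. "PPP ECHO" entries most likely refer to the LCP Echo-Request/Echo-Reply keepalives of RFC 1661 (codes 9 and 10), which a PPP stack sends to decide whether the far end is still there. The decoder below is an added example, not code from this thread or from SonicWall, and it does not claim to be what the poster's unit logged; the frames, addresses and magic numbers are constructed, and the max_missed threshold is an assumption since each PPP implementation picks its own.

```python
"""Decode the two PPP control protocols behind the symptoms in this thread:
IPCP, where the PPPoE peer hands out DNS resolvers (RFC 1332 / RFC 1877), and
LCP Echo-Request/Echo-Reply keepalives (RFC 1661, codes 9 and 10).  All frames
below are constructed sample data, not captures from anyone's DSL link;
addresses and magic numbers are assumptions."""
import ipaddress
import struct

LCP, IPCP = 0xC021, 0x8021                      # PPP protocol numbers
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
ECHO_REQ, ECHO_REP = 9, 10
IPCP_ADDR, IPCP_DNS1, IPCP_DNS2 = 3, 129, 131   # IP-Address, Primary DNS, Secondary DNS
HDR = struct.Struct("!HBBH")                    # protocol, code, identifier, length

def ip(text):
    return ipaddress.IPv4Address(text).packed

def build(protocol, code, ident, payload):
    """Constructed PPP control frame: protocol field + code/id/length header + data."""
    return HDR.pack(protocol, code, ident, 4 + len(payload)) + payload

def options(pairs):
    """Encode (type, value) pairs as IPCP configuration options (type, length, data)."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in pairs)

def parse(frame):
    """Decode one frame; reject truncated or self-inconsistent lengths."""
    if len(frame) < HDR.size:
        raise ValueError("short PPP frame")
    protocol, code, ident, length = HDR.unpack_from(frame)
    if length < 4 or 2 + length > len(frame):
        raise ValueError("bad PPP length field")
    data = frame[HDR.size:2 + length]
    out = {"protocol": protocol, "code": code, "id": ident}
    if protocol == LCP and code in (ECHO_REQ, ECHO_REP):
        if len(data) < 4:
            raise ValueError("LCP echo without magic number")
        out["magic"] = struct.unpack_from("!I", data)[0]
    elif protocol == IPCP and code in (CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ):
        opts, i = {}, 0
        while i < len(data):
            if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
                raise ValueError("bad IPCP option")
            t, n = data[i], data[i + 1]
            opts[t] = data[i + 2:i + n]
            i += n
        out["options"] = opts
    return out

def negotiated_dns(exchange):
    """exchange: list of (direction, frame), direction "out" (we sent) or "in".
    The peer's Configure-Nak proposes resolver addresses and its Configure-Ack
    of our re-request confirms them.  A Configure-Reject of options 129/131
    means the peer will never supply DNS and the firewall needs manual resolvers."""
    result = {"primary": None, "secondary": None, "rejected": False}
    for direction, frame in exchange:
        f = parse(frame)
        if direction != "in" or f["protocol"] != IPCP or "options" not in f:
            continue
        for key, t in (("primary", IPCP_DNS1), ("secondary", IPCP_DNS2)):
            raw = f["options"].get(t)
            if raw is None or len(raw) != 4:
                continue
            if f["code"] == CONF_REJ:
                result["rejected"] = True
            elif f["code"] in (CONF_NAK, CONF_ACK):
                addr = str(ipaddress.IPv4Address(raw))
                if addr != "0.0.0.0":
                    result[key] = addr
    return result

def echo_health(exchange, max_missed=3):
    """Match our LCP Echo-Requests to the peer's Echo-Replies by identifier.
    Returns (unanswered, link_dead); max_missed is an assumed threshold."""
    pending, worst = set(), 0
    for direction, frame in exchange:
        f = parse(frame)
        if f["protocol"] != LCP:
            continue
        if direction == "out" and f["code"] == ECHO_REQ:
            pending.add(f["id"])
            worst = max(worst, len(pending))
        elif direction == "in" and f["code"] == ECHO_REP:
            pending.discard(f["id"])
    return len(pending), worst >= max_missed

OUR_MAGIC, PEER_MAGIC = 0x1A2B3C4D, 0x99887766   # assumed magic numbers
ZERO = ip("0.0.0.0")
ASK = options([(IPCP_ADDR, ZERO), (IPCP_DNS1, ZERO), (IPCP_DNS2, ZERO)])
REAL = [(IPCP_ADDR, ip("203.0.113.17")), (IPCP_DNS1, ip("198.51.100.1")), (IPCP_DNS2, ip("198.51.100.2"))]

# Constructed: a peer that supplies DNS, answers one keepalive and then goes quiet.
DNS_OK = [
    ("out", build(IPCP, CONF_REQ, 1, ASK)),
    ("in", build(IPCP, CONF_NAK, 1, options(REAL))),
    ("out", build(IPCP, CONF_REQ, 2, options(REAL))),
    ("in", build(IPCP, CONF_ACK, 2, options(REAL))),
    ("out", build(LCP, ECHO_REQ, 7, struct.pack("!I", OUR_MAGIC))),
    ("in", build(LCP, ECHO_REP, 7, struct.pack("!I", PEER_MAGIC))),
    ("out", build(LCP, ECHO_REQ, 8, struct.pack("!I", OUR_MAGIC))),
    ("out", build(LCP, ECHO_REQ, 9, struct.pack("!I", OUR_MAGIC))),
]
# Constructed: a peer that rejects the DNS options; the link gets an address only.
DNS_REJECTED = [
    ("out", build(IPCP, CONF_REQ, 1, ASK)),
    ("in", build(IPCP, CONF_REJ, 1, options([(IPCP_DNS1, ZERO), (IPCP_DNS2, ZERO)]))),
    ("out", build(IPCP, CONF_REQ, 2, options([(IPCP_ADDR, ZERO)]))),
    ("in", build(IPCP, CONF_NAK, 2, options([(IPCP_ADDR, ip("203.0.113.17"))]))),
    ("out", build(IPCP, CONF_REQ, 3, options([(IPCP_ADDR, ip("203.0.113.17"))]))),
    ("in", build(IPCP, CONF_ACK, 3, options([(IPCP_ADDR, ip("203.0.113.17"))]))),
]

if __name__ == "__main__":
    print(negotiated_dns(DNS_OK), echo_health(DNS_OK))
    print(negotiated_dns(DNS_REJECTED))
```

Frames are tagged with a direction because LCP identifiers are only unique per sender: without it, the peer's own Echo-Requests would be mistaken for replies to ours. In the second sample the address negotiation succeeds while DNS is never supplied, which is the situation a static resolver entry on the firewall papers over.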

Jeff Zylstra

Try rebooting the computer in question, running IPCONFIG /ALL from there, and then trying to PING the router to see if there is any connectivity.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Billy Welsh

I HATE it when I have a Homer Simpson moment!  DOH!!!

Given the past history, I assumed it was just the same thing or a related issue happening again.  It was not until a couple of unsuccessful hours into it, which of course was during Sunday's playoff games, that I noticed the 5-port D-Link switch was passing NO traffic.

I assume it's given up the ghost - have not plugged it back in yet.  Took it off the network, moving those connections to the suspect SonicWall which thankfully had enough ports.  At that point - touchdown!

The SonicWall did go into Safe Mode about 15 minutes afterwards, requiring a 2nd reboot.  It had been chugging along fine for several weeks before this.  And it has stayed up since then.
Billy Welsh
Director of Accounting
LCMC Health