Greetings and first question!

Hello Everyone, I hope you are having a Good whatevertimeoftheday !

I went through a few of the other topics before signing up and asking questions, and the quality of questions and responses was fantastic!

With such an opening, I hope that my absolutely basic and somewhat long question would generate some responses and nudge me to make better decisions.

The fact is, I want to upgrade my home networking system and I have done my research, but what I lack is feedback on what I want to do.

My question therefore is to please review the plan and recommend if anything better can be done.

Existing setup -
ISP’s line goes to WAN of TPLink Archer A9 ac1900 which gives wireless access to all devices (personal and office laptops, Desktop, wireless cameras, smartwatch, smartphones, printer, FireTV, Echo and a raspberry-pi based home NAS). There is a TPlink AC1200 that sometimes runs in bridge mode to extend same network to another floor. I also need to plan for scalability.

Terrible practice, I know !

Planned setup -
I intend to use one of the mini-router PCs with multiple NICs (example from Aliexpress) and install IPFire. I should even be able to re-use the old ac1900 as a wireless access point. That AC1200 can be used to expand same or another network wirelessly if needed. I also understand that I should get an L3 switch for future expansion. Also, my ISP connection is 300 mbps.

Then with firewalls I would implement rulesets like -

  • All Personal laptops and desktops get static IP from the Router (Mac-binding)
  • All Work computers can only talk to internet, but not any other device (DMZ)
  • All mobiles can talk to internet, but also to a select few IoT devices (such as printer)
  • [ and more ]

The Must Haves :

  • logging
  • DNS-over-TLS support (or local implementation of DNSMASQ)
  • port-forwarding
  • openvpn
  • DDoS protection
  • IPS
  • Support CIFS (not a deal breaker)

I use openSUSE quite extensively, so documentation hunting or CLI doesn’t scare me. :sunglasses:
But keeping the internet off for more than a day on a weekend does. :fearful:

Questions -
Do you have any feedback on the plan ?
Do you have any recommendation for a better piece of equipment than this router-pc?
Do you have any recommendation for an L3 switch that's suitable for home (something like 8-12 port)?

I have one of the older versions of the device from AliExpress. Since you mentioned IPS and DDoS: depending on how many rules you have and your traffic load, it can consume a fair amount of CPU and RAM resources. Out of curiosity, what kind of DDoS are you looking for? I don’t think there is any sort of efficient existing DDoS solution in IPFire, since I focus on this area quite extensively. Of course, I am still a new IPFire user, so I might be missing something.

Hi, I could be wrong, but as far as I know DMZ is intended to offer its services to the Internet and not as a guest network where nobody can exchange data with each other.
I would see if such a guest network (Internet only) cannot be realised on one of the AC points with its own VLAN, otherwise, the firewall rules are your friend :smiley:

As for the hardware, why do you not use the original?

Only an example; the prices are not that far apart from yours,
and here you know what board (mainboard) is used.

Lost that account, it was on a disposable email, so no way to retrieve. So I had to create another account to be able to post and ask questions.

Many thanks for your attention.

@mumpitz The work (enterprise) laptops do not need to talk to each other or anything else, apart from the internet. This is a three person household, all working in different areas. As you can see, I am the IT person!
The devices under “Guest” network, also do not need to talk to each other. So I might just dump all of them as one vlan and call it a day.

Eventually, I have moved away from the mini-router PC. Here are the parts I am using. Majority of them are from old builds.

i5 7600
2x8 G DDR4 2400 (can do 4 x 8G too)
Gigabyte GA-H270M-D3H Micro ATX LGA1151
128G NAND M.2 2280 SSD
intel i350T4v2 (quad NIC, PCIE)
TPLink EAP620HD (WAP)
TP Link SG2210P Switch

@vincentmli, I am not really sure what I want in terms of DDoS protection! This is a home network with no “services” running, so it's something interesting to fiddle with.

I am attaching a not-too-great network diagram of what I have been thinking so far -

Edited to add: This is now marked as SPAM, and I have no idea why!

This was an automatic flag as the question was originally asked by one user at an IP Address and then answered by another user at the same IP Address.

I have removed the Spam Flag from the post.

2 Likes

Thank you, that was prompt :slight_smile: