You NEED a firewall

  • Published 10 Sep 2024

Comments • 46

  • @beauremus
    @beauremus 1 year ago +2

    Awesome! I can't wait for more 🎉

  • @TheStevenWhiting
    @TheStevenWhiting 1 year ago +5

    Been in IT for years but still so much I don't know as I don't tinker enough. Being a gamer I've got stuck on that more so good to see this series.

    • @Jims-Garage
      @Jims-Garage 1 year ago +2

      I was in the same boat, hopefully you'll be able to follow these videos and learn new areas. Do reach out if you're stuck.

  • @recyclawps
    @recyclawps 1 year ago +5

    I'm enjoying the series. I've been thinking of migrating all my services off of truenas scale into something like this and this has been a big help in pushing me in that direction. Thank you.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      That's great to hear, thanks. I often find myself in that position, sometimes you just need a helping hand (or a push!) Ha.

  • @mikep5149
    @mikep5149 1 year ago +4

    Interesting series so far. Thanks.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks, Mike. I appreciate the feedback.

  • @Dreamwoodinternational
    @Dreamwoodinternational 11 months ago +1

    I have used ESET on 3 PCs for a number of years to do basically what I see as the main options on the Sophos config page (Computer protection, Internet protection, Network protection, Security tools).
    A Mikrotik router does the Firewall duties.
    However ESET also extends into my Outlook email accounts for SPAM and Malware detection.
    I'm wondering if you rely on Sophos in your virtualised Firewall(s) to also filter/protect all your family email traffic.
    If so, I can drop my ESET subscription - another argument for a Server based network 😃
    Many thanks for your excellent material and great delivery style - so easy on the ear.

    • @Jims-Garage
      @Jims-Garage 11 months ago +1

      Thanks! No, I don't use it for any email filtering but you can configure it to work with your own email servers (which I don't use). I'll have to look into it further to see if it's something I can leverage.

    • @Dreamwoodinternational
      @Dreamwoodinternational 11 months ago +1

      @Jims-Garage I expect to stay with the email server of my ISP rather than self-host - but I guess it could be an option with the help of a suitable video. Next I'll have to run my own NameServers LOL

  • @JoerBrando
    @JoerBrando 4 months ago +1

    Just found this channel and I love that you're dabbling with exactly the same equipment and software that I've been planning on looking deeper into. Quick question, which software are you using to make your network diagram?

    • @Jims-Garage
      @Jims-Garage 4 months ago

      I suspect it was draw.io (that video was a little while ago)

  • @Dreamwoodinternational
    @Dreamwoodinternational 1 year ago +1

    Appreciate your clear explanations of so many concepts.
    My Mikrotik RB4011 has nice Firewall functions, but I'm looking forward to picking up more info from this series.
    Currently have Pi-Hole (recursive) and ADS B (aircraft tracking) running on separate Pi's, but I'm thinking of rolling those functions into the Proxmox world.
    Then I could deploy the Pi's with monitors around the house to display weather station data etc.
    Maybe keep a Pi as the redundant DNS server.
    Enjoyed your network diagram - I did mine using Mindjet MindManager (a mind mapping prog.) - makes it easy to see VLANs off the Mikrotik CRS328 switch ports.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks, I've recommended some mikrotik gear in my recent video.
      Having the Pis on proxmox is really useful. Let me know how you get on.

    • @Dreamwoodinternational
      @Dreamwoodinternational 1 year ago +1

      @Jims-Garage The first challenge is funding a server 😄

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @Dreamwoodinternational Check my latest video, cheaper than you might think. Happy to help out if needed.

    • @Dreamwoodinternational
      @Dreamwoodinternational 1 year ago +1

      Thank you for all your quick and helpful responses.
      I added some more thoughts and questions on your 'Recommended hardware' video - hope they make sense.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @Dreamwoodinternational thanks, I'll take a look

  • @jobapp7782
    @jobapp7782 10 months ago +1

    @jims-garage
    Great channel. Maybe it would be possible to create a video on how to connect the unifi firewall with wazuh (siem) as additional protection, as well as how to configure the firewall for the server with unifi.

    • @Jims-Garage
      @Jims-Garage 10 months ago

      Thanks for the suggestion, I was going to do a video on Wazuh but Chuck beat me to it ha (I've been using it for a while now). I will likely do it in the future.

  • @carlosgarcia1165
    @carlosgarcia1165 7 months ago +1

    Jim, it's so interesting you suggested an i350, and that is the one I am using. You know what? I am using the four ports in a single LAGG in pfSense and in those ports I have VLANs for everything in my network, INCLUDING the WAN!!! Actually, the WAN is connected to a different switch, to a port with the same VLAN as the one I have designed for the WAN in pfSense. You don't need two NICs for a firewall if you use an L2 switch. My switch and the i350 have a much better throughput than the other choice of NIC in my pfSense.

    • @Jims-Garage
      @Jims-Garage 7 months ago

      Nice, that's a cool setup.

  • @JasonEala
    @JasonEala 9 months ago +1

    WOW this really helped me! I'd love to see more of your videos!!!

    • @Jims-Garage
      @Jims-Garage 9 months ago

      Glad it helped!

  • @Ret_af_vet_2019
    @Ret_af_vet_2019 5 months ago +1

    Hello again Jim, thanks for the awesome content. I backed up in the series to this point... as you suggested. I really like the extra protection that a Sophos home version would provide... but I'm entrenched in my current Ubiquiti ERX and UniFi switches already, having just set up my VLANs etc. to my liking... global firewall rules in place... no open ports yet. Can I skip the Sophos portion of this series and revisit later? I have just two Docker containers running now on top of Ubuntu Server, Portainer and Home Assistant. Seems like so much to learn and configure!!?? I'm a beginner obviously, want to make sure there isn't a gotcha moment in the next few steps in the journey. I would have to purchase the dual NICs for my two intended Proxmox nodes, currently blank... (My starter setup is on an Intel Atom PC, which I will migrate over once the two used PCs I found online are prepped... Dell and Lenovo towers, both i7-6700, 32GB RAM). Thanks so much for your work and previous reply to another question. Southern California Air Force veteran, retired.

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      You don't need Sophos, any firewall is fine for the series (I also cover OPNsense). I do use UniFi access points and switches and show some of my configs. Keep on trucking and if you're stuck hop on Discord.

  • @nicoscherer9427
    @nicoscherer9427 7 months ago

    Hi Jim,
    wonderful series of videos here! Thank you so much.
    In a different video you said that you are behind a CGNAT ISP (which is my situation too, actually): is this fact left aside to reduce complexity from 16:50 min onwards?
    I was assuming I would have to rent a VPS server to make services available to my friends - say I don't have them in my headscale/tailscale network.
    I would gladly see you explain this point to a total beginner like myself. :-)
    Best regards!

  • @user-dy8uk1ot8h
    @user-dy8uk1ot8h 1 year ago +2

    What's your take on Firewalla? I've been deciding between pfSense and Firewalla and I am leaning more towards Firewalla, as just using pfSense would be too much of an undertaking and unfortunately I don't have that much time to spend on it right now.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      I'm not overly familiar with them, but I think you need to take a forward-looking stance and make a decision. From everything I've read and seen they look like a solid option in a small form factor, with low power draw. However, it is a physical box with no upgradability, so there are limits to what it will do.
      If you're wanting something you just plug in and it works it's probably a good starting option. Equally you might want to consider the unifi gateways. However, the DIY approach might be the cheapest and best, depending on what you have lying around, and how much time you want to devote...

  • @JUGZJUNIOR
    @JUGZJUNIOR 1 year ago +1

    Hi Jim,
    Could you explain how you have dmz services on VLAN 5 separated from VLAN 4?
    Do you have them running on a separate Docker VM/LXC or are you using a specific Docker network?
    Really enjoying your videos

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Check out macvlans for Docker. They essentially make a container look like a physical machine, i.e. it has its own MAC address and IP that you can put on a VLAN.
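
As an added illustration of the macvlan approach in the reply above (this is not Jim's configuration or anything from the video), here is a Docker Compose file that places one container directly on a DMZ VLAN with its own MAC and IP. Assumed values: host NIC eth0, VLAN tag 5, subnet 192.168.5.0/24, gateway 192.168.5.1 (the firewall), container address 192.168.5.50.

```yaml
# Added example, not from the original page. All addresses and interface
# names are assumptions; adjust them to your own VLAN plan.
services:
  dmz-web:
    image: nginx:alpine
    networks:
      dmz:
        ipv4_address: 192.168.5.50   # fixed IP so firewall rules can target this host
    # No "ports:" mapping is needed: the container is reachable on its VLAN
    # address directly, and the firewall on 192.168.5.1 decides who may reach it.

networks:
  dmz:
    driver: macvlan
    driver_opts:
      # "eth0.5" names an 802.1Q sub-interface of eth0 for VLAN 5; Docker creates
      # it automatically when the parent name contains a dot.
      parent: eth0.5
    ipam:
      config:
        - subnet: 192.168.5.0/24
          gateway: 192.168.5.1
          # Hand Docker only a slice of the subnet so it cannot collide with
          # addresses your DHCP server leases on the same VLAN.
          ip_range: 192.168.5.48/28
```

One caveat to plan for: the Docker host itself cannot reach macvlan containers through the parent interface, so manage the container from another VLAN host or through the firewall rather than from the Proxmox/Docker host directly.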

  • @yairabc1
    @yairabc1 1 year ago +1

    Hey Jim, first, thanks for this important and interesting video!
    Second, I was wondering how you manage to make the IoT VLAN and the Home Assistant (homelab) VLAN talk to each other. I have an Omada controller in my homelab, and when I tried to define rules I got into some trouble, because on one hand I want my HA to be able to talk to, let's say, my Nuki, but I don't want my Nuki to be able to talk to my homelab. Thanks!

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks! You should be able to achieve this with simple firewall rules. Put both devices on separate VLANs and then just create rules for the traffic you want; anything else should be dropped by default deny. You'll likely want to set static IPs for devices and then you can create granular rules at the IP level (i.e., the device).
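
To make the one-way rule in the reply above concrete, here is an added nftables ruleset (not Jim's or the commenter's config, and not specific to Omada) that lets Home Assistant open connections to a smart lock on the IoT VLAN while the lock cannot open anything toward the homelab. Assumed names and addresses: homelab VLAN interface vlan10 (192.168.10.0/24) with HA at 192.168.10.5, IoT VLAN interface vlan20 (192.168.20.0/24) with the lock at 192.168.20.7, and TCP port 443 standing in for whatever port the device's API really uses.

```nft
# Added example, not from the original page. Interface names, addresses and
# the port are assumptions; the structure is what matters.
table inet filter {
    chain forward {
        # Default deny for anything routed between VLANs.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the homelab side opened return via conntrack.
        # Without this line the allow rule below lets the request out but the
        # lock's answer would be dropped, which is the usual "one-way rule"
        # pitfall.
        ct state established,related accept
        ct state invalid drop

        # HA -> lock: new connections only, one source, one destination, one port.
        iifname "vlan10" oifname "vlan20" ip saddr 192.168.10.5 ip daddr 192.168.20.7 tcp dport 443 ct state new accept

        # IoT -> homelab: already covered by the drop policy; an explicit rule
        # with log and counter makes attempts visible for monitoring.
        iifname "vlan20" oifname "vlan10" log prefix "iot-to-homelab drop: " counter drop
    }
}
```

Static IPs (or DHCP reservations) for both devices are what make the saddr/daddr match reliable; if the lock's address changes, the allow rule silently stops matching and HA loses access rather than the rule opening up.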

  • @snowpoked
    @snowpoked 1 year ago +1

    I'm considering purchasing an Intel i350-T4 to upgrade the Proxmox rig. Would you recommend getting a 4-port NIC to best follow the videos going forward?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      For your Proxmox server a quad port is going to be very useful, it will give greater throughput and segmentation. It's especially useful if you're going to virtualise the firewall (as I suspect you are).
      Do check out the Mellanox ConnectX-3. They have single and dual port; if you're stateside they are super cheap and will give you 10x throughput per port... The obvious downside would be the need to buy a switch that supports 10Gb SFP+.
      Probably best to go quad port, and upgrade if needed (that's what I did).

    • @snowpoked
      @snowpoked 1 year ago +1

      @Jims-Garage Thank you. I found an i350-T4 for about 90 USD. I do have an EX2300-C that I've not configured yet. However, I would need to purchase a set of SFPs if I'd go that route.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @snowpoked that feels like a fair price.

    • @snowpoked
      @snowpoked 1 year ago +1

      @Jims-Garage I can get the Mellanox ConnectX-3 for about the same price as the Intel i350-T4. Would that be sufficient for a decent setup going forward if I manage to get the Juniper EX2300-C up and running? It has 12 x 1GbE and 2 SFP+ 10Gb uplinks.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @snowpoked if you're virtualising you have the flexibility of being able to just change to 10Gb with the click of a button in Proxmox, so again it might be worth being comfortable with 1Gb first.
      With 10Gb you will basically need to have a 1Gb RJ45 for the WAN port (internet from the router/modem), and then use 10Gb for your LAN into the switch. I'm discussing this a bit more in my latest video (hope to have it out later tonight).

  • @Popcorncandy09
    @Popcorncandy09 10 months ago +1

    Can you do more videos about how to configure Sophos XG instead of just building it and leaving it there?

    • @Jims-Garage
      @Jims-Garage 10 months ago

      Sure, I can do that.

    • @Popcorncandy09
      @Popcorncandy09 10 months ago +1

      @Jims-Garage awesome! I'm looking at implementing Sophos XG as well but unsure of the best way to make it secure

    • @Jims-Garage
      @Jims-Garage 10 months ago

      @Popcorncandy09 it's default deny, so secure by default. I assume you're wanting to port forward and VLAN though?

    • @Popcorncandy09
      @Popcorncandy09 10 months ago

      Yes, correct. I also self-host business websites and have data I want to ensure stays secure @Jims-Garage