What we want in a Prosumer Network Device

Ubiquiti has become extremely popular over the past few years with IT professionals and regular consumers wanting to upgrade from poorly maintained and poorly secured home network routers. The massive benefit of the Ubiquiti (UniFi specifically) line-up is that it provides the following features:

- All-in-one wireless LAN management
- IDS/IPS
- VPN support
- Multiple VLANs
- Multiple internet interfaces
- Polished UI (mostly)

The problem with having all of these professional-grade features in a consumer device is that, while they are a reasonable step up from consumer gear, they fall short of true professional-grade devices: as soon as you want advanced functionality, you are severely limited. Before people say "it's prosumer, not consumer", I totally understand! The problem is that Ubiquiti's EdgeMax line doesn't really provide the same functionality (especially around WLAN management and UI).

Some of the larger pain points that make me wish I had an alternative are:

- Only 4 WLANs available per WLAN Group.
- First-class support for OpenVPN is not great. You can't use certificates.
- Internet failover is supported, but largely requires manual configuration.
- The USG-3 doesn't have enough memory to run a larger (non-default) IDS ruleset. At the time I originally drafted this, the Sunburst malware had just been disclosed and was not covered in the IDS malware updates. When I try to (manually) add a new and larger ruleset, the device runs out of memory.

So what I want in a prosumer networking device is as follows:

- A minimum of 8GB of memory.
- First-class support for failover (without having to hand-edit files).
- A fully featured IDS/IPS (something similar to Snort).
- Full VPN support. I realise there are 1000 options in OpenVPN, but if you could upload a configuration file and not have to manage one by hand, that would be amazing!
To be honest, there is a reasonable gap here between professional-level gear and what Ubiquiti offers. pfSense is a great option if you're not running a wireless network. I do hope that the new UXG-PRO can help fill some of the gaps (although the specs leave me concerned); for now, we struggle on hand-editing config.gateway.json and hoping we didn't make a mistake.

The future

So what's the future? At this stage there is still a large untapped market for running eBPF on home networks. eBPF only requires a recent Linux kernel and runs exceptionally efficiently, which makes it perfect for small NUC-like devices. I can definitely see a company using eBPF to create a prosumer network software platform based on a NUC similar to https://protectli.com/product-comparison/. What I would love to see would be something like this:

- eBPF (XDP) based firewall
- eBPF (XDP) based DPI using open-source rules
- pi-hole software included
- Self-service VPN (that supports manually configured OpenVPN and WireGuard)
- A certificate authority
- WLAN controller

The future is for the taking!
I've been wanting to put this article together for some time: a complete guide to implementing iptables on a Linux server.

Firstly, my assumptions:

- You have a reasonable grasp of Linux and iptables.
- You want to use iptables to secure a Linux server.

The Basics

By default, iptables has three chains in the filter table:

- INPUT
- OUTPUT
- FORWARD

In this case, we're going to focus on the INPUT chain (incoming to the firewall, i.e. packets destined for the local server itself).

Implementation Automation

I implement these rules using the puppet-iptables module. The module is regularly updated and has a very large feature set.

References:
https://gist.github.com/jirutka/3742890
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
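The INPUT-chain policy the section describes, written out as an added example in plain iptables commands so the order and the intent of each rule are visible. This is not code from the original article, nor from the puppet-iptables module the author uses to apply the rules. The SSH port (22), the management network 203.0.113.0/24 (an RFC 5737 documentation range) and the public services on 80/443 are assumptions made for the example; the rule ideas (default deny, drop INVALID and non-SYN "new" TCP, drop NULL/XMAS flag combinations, rate-limited ICMP, a recent-module brake on SSH, log-then-drop) are the kind of rules collected in the two references above.

```sh
#!/bin/sh
# Added example (not from the original article): a default-deny INPUT-chain
# rule set for a single Linux server, expressed as raw iptables commands rather
# than the puppet-iptables resources the article uses.
# Assumptions (not from the article): SSH on port 22, a management network of
# 203.0.113.0/24 (RFC 5737 documentation range) and public HTTP/HTTPS.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the rule set, one iptables argument list per line, in the order it
# must be applied. Lines starting with # are comments and are skipped.
input_rules() {
    cat <<EOF
# Start from a clean INPUT chain; the DROP policy is set last (see below).
-F INPUT
# Loopback must be allowed or local services (resolvers, databases) break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related ICMP errors.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Connection-tracking garbage and "new" TCP packets that are not SYN
# (common scanner and spoofing noise).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Malformed flag combinations used by NULL and XMAS scans.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Stay pingable, but rate-limit echo requests.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# SSH only from the management network, with a per-source brute-force brake:
# the 5th new connection from one address within 60 seconds is dropped.
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# Public services.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited, so an attacker cannot fill the disk) and drop the rest.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix iptables-input-drop: --log-level 4
-A INPUT -j DROP
# Default-deny policy last, so a failure earlier in the run does not lock
# you out of a half-configured box. FORWARD is closed because this is a
# host firewall, not a router.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Number of -A INPUT rules in the set; handy for a sanity check against
# "iptables -S INPUT | grep -c '^-A'" after applying.
input_rule_count() {
    input_rules | grep -c '^-A INPUT'
}

# Feed every non-comment line to the given binary. Passing "echo iptables"
# prints the commands instead of running them, which is the dry run to review
# before applying as root.
apply_input_rules() {
    bin="${1:-iptables}"
    input_rules | grep -v '^#' | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $bin and $rule is intended
        $bin $rule
    done
}

# Usage:  sh input-firewall.sh           (dry run: print the commands)
#         sudo sh input-firewall.sh --apply
case "${1:-}" in
    --apply) apply_input_rules iptables ;;
    "")      apply_input_rules "echo iptables" ;;
esac
```

Run it without arguments first and read the printed commands; only then apply it, ideally from a console session rather than over SSH, and persist the result with iptables-save once you have confirmed you can still log in. Note that this covers IPv4 only: ip6tables keeps a separate rule set, and a server with a public IPv6 address is wide open until it gets the equivalent policy.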