Sign in Subscribe
4 min read system design

The Gateway sub-system

The gateway / firewall / router sub-system is a critical element of a complete home technology system. Athenars selects pfSense as our choice.
The Gateway sub-system

Athenars gateway sub-system

We have decided to utilise pfSense in the Athenars technology stack. The gateway / firewall / router sub-system is a critical piece of a holistic home technology system so this was a really important decision. For abbreviations sake in this article, we'll refer to this sub-system as our edge sub-system. To better understand how our decision fits into our overall design, please see our other posts on our system requirements and considered sub-systems.

This will not be a blow-by-blow, feature comparison. We will however walk through and explain our reasoning for choosing pfSense over the other options. A lot of this won't be surprising when considering our system requirements provided in the previous posts. Importantly, we developed our requirements and needs first, then sat back, thought and considered the options.

The options

Here are the main options that were considered.

  • pfSense
  • OPNsense
  • Microtik RouterOS
  • Unifi
  • Sophos Firewall Home Edition
  • Untangle / Arista NG Firewall Complete

Main feature requirements

We have specific wants and needs for this sub-system. In the end, our decision to use pfSense was fairly easy once we laid things out. The main features we wanted in our edge sub-system are as follows:

  • we would prefer to use open source software.
  • we would prefer a mature platform.
  • we would like to be able to handle (preferably Lets Encrypt) certificates.
  • we would prefer to be able to use wireguard as our VPN of choice and have it on our edge sub-system.
  • we would prefer to have a proxy on the edge.
  • we want it VLAN capable (most or all modern gatways etc are VLAN capable, but we need to mention it explicitly regardless).
  • we would prefer to have ad-blocking in our edge sub-system.
  • we want to be able to have IDS/IPS in our edge sub-system.
  • we would prefer if it was extensible where we can add functionality.
  • the edge sub-system should be DNS capable (a simple functionality, but still we should include it).
  • we want to be able to access the data that is available to an edge sub-system.
  • we want to be able to get the data out of our edge sub-system for longer term storage and analysis.
  • there should be no major concern around the long term development of the chosen platform.
  • we would prefer to be able to enrich our network data with geospatial data from IP data.
  • the chosen features like IDS/IPS, proxies, ad-blocking etc should all be known projects, not obsure, proprietary or otherwise unclear.
  • not essential, but nice to have, the platform should be able to be virtualised for added redundancy (the Athenars system will not include physically redundent edge hardware).

What isn't considered critical in the Athenars system are more enterprise features like multi-site management. While redundancy in many parts of the Athenars system has been considered, we don't consider WAN failover as critical even though pfSense does have that option. This is one area where we drew the line between redunancy and added complexity and cost. Much of our system functionality is from data held on our own site, so this mitigates the need to access the web and having WAN failover to a degree. The main residual concern is if we are away from our home location and want to be able to remote in via wireguard VPN when our WAN is down for some reason.

The best fit for our wants and needs

For our requirements, by far, the most suitable platform is pfSense. It basically ticks all the boxes.

None of the other options are bad. They all have their strengths. Some might be particularly more attractive if you wanted to manage multiple sites. Some might be more attractive if you wanted to prioritise pure ease of use. Depending on your use cases and requirements, some of the other options may be best. But for the Athenars needs, pfSense is our clear choice.

If you'd like to see a somewhat detailed feature-by-feature break-down of a range of options, you could have a look at a video from Tom at Lawrence Systems in the following video.

🙋‍♂️
For clarity's sake, Tom is a long-term user and recommender of pfSense. Additionally, I've personally been using pfSense in my own home network for some years, so I too may be bias and my use of pfSense may have shaped what features I see as important for being in an edge sub-system. Regardless, pfSense is a great choice to meet the desired needs for the Athenars sub-system.

We think the above listed features are a great and natural fit for an edge sub-system. Also, having all of the listed features in the edge sub-system means we don't need to deploy them in our hyper-converged cluster.

Packages

Some of the great packages we enjoy using in pfSense include:

  • acme
  • arpwatch
  • haproxy
  • nmap
  • ntopng
  • pfblockerng
  • suracata
  • telegraf
  • wireguard

There are many other packages of course, and this is one of the main reasons we are comfortable including pfSense as our edge sub-system of choice in the Athenars stack.

pfSense is our edge sub-system of choice.

We also like that there is a company behind pfSense (Netgate) and that it is possible to support ongoing development by purchasing their hardware that comes with pfSense pre-installed. This isn't always a positive or appealing or desired, however for edge devices this is appealing. However one can still install pfSense on whatever hardware we want. So that freedom is nice, and important.

Conclusion

That concludes our logic and reasoning for selecting pfSense as the gateway / firewall / router / edge sub-system for Athenars. It is a mature, actively developed, capable and extensible platform with hardware freedom.

Published by:

Adam Dean

You might also like...

May
03

The hyper-converged cluster sub-system

6 min read
Apr
23

The Athenars sub-systems

9 min read
Apr
23

Defining the requirements of the Athenars system

3 min read