Custom built PC vs Netgate SG-3100

Joined
Jul 9, 2016
Messages
1,068 (0.38/day)
System Name Main System
Processor i9-10940x
Motherboard MSI X299 Xpower Gaming AC
Cooling Noctua NH-D15S + Second Fan
Memory G.Skill 64GB @3200MHz XMP
Video Card(s) ASUS Strix RTX 3090 24GB
Storage 2TB Samsung 970 EVO Plus; 2TB Corsair Force MP600; 2TB Samsung PM981a
Display(s) Dell U4320Q; LG 43MU79-B
Case Corsair A540
Audio Device(s) Creative Lab SoundBlaster ZX-R
Power Supply EVGA G2 1300
Mouse Logitech MK550
Keyboard Corsair K95 Platinum XT Brown Switches
Software Windows 10 Pro
Benchmark Scores Cinebench R20 - 6910; FireStrike Ultra - 13241; TimeSpy Extreme - 10067; Port Royal - 13855
I am looking at either building a simple PC using spare parts or buying the Netgate SG-3100. This is for a home office, and we are getting lots of DDoS attacks, and I am concerned about whether my current router, a NETGEAR 4-Stream WiFi 6 Router (RAX15), can handle it well.

Custom PC parts, and I believe should be adequate -
Intel i7-3700S or 3770t, both can handle AES-NI
ASUS Rampage IV Gene Gen3 M-ATX
16GB DDR3
250GB SSD

Here is where I don't know how to start -
1. Do I need to buy an Intel NIC? I read and found Intel i350-T4 to be compatible. So do I plug in from the Comcast modem (WAN) to any one of the ports?
2. Do I connect one of the ports to my local LAN switch?
3. I need WiFi, so do I connect another port to my WiFi Router LAN port?
4. What is the correct way of doing this - should I enable DHCP and DNS from this machine and disable DHCP/DNS of my current Router, or should I continue to use DHCP/DNS of my current Router?

My concern is I have never used pfSense before, and I wonder how easy it is to install (via a bootable USB drive, I believe?) and configure, vs using the SG-3100 that has all the settings preset? And how long does it take to set up a very tight configuration? Any "preset" configuration that I can download?

Thanks in advance for any help or pointers.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
I personally find the pfSense UI horrendous and go with OPNsense.

These specs are massively overkill. I used a Shuttle DS81 with an i3, 8GB of RAM and a 30GB SSD.

Ran Suricata without issues.

Edit: just an addition, though. If you are getting DDoS'd you should be contacting your ISP. If this is a simple bandwidth attack, getting a better home firewall, while fun, won't help you, as the connection is still saturated.

For residential connections this is always an issue that must be taken upstream.
 
Joined
Jul 9, 2016
Messages
1,068 (0.38/day)
I actually read and thought about OPNsense. I know it is a fork of pfSense, but I don't know enough about which is better or easier to use. I run my business and my networking expertise is above mid-level, so I can configure pretty much everything as long as it doesn't get into too advanced topics.

As for the PC, I have lots of spare parts so that is not an issue at all. I feel the SG-3100 or others like it seem a bit overpriced, although the low power and portability seem to be good. Does the SG-3100 come pre-configured?

My ISP is Comcast and they have promised me that they will do NOTHING to help, unless I upgrade to a business account, which we probably might do in the near future.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
A lot of questions can't be answered and a lot of problems can't be solved with what you are trying to do.

No way to get around the actual problem. A bandwidth-driven DDoS will not be solved with a firewall, period.

You then need to get into the world of add-on wifi, since you will be running a firewall/routing appliance that by its very nature does not have built in wifi. So you are then converting either an existing wifi router to AP mode (if it supports it) or purchasing a separate one.

As for which is more usable, idk, that's totally subjective. You can find the option(s) you want "eventually"; what you want to look at is to taste, though.

I'm not sure what you mean by "pre-configured", but you are not talking about some Walmart Linksys, if that's what you mean.

These are routing OSs that are used in production environments. Either at home, or at scale. They have setup wizards, but if you are not strong in networking expect to be asked things you might not understand.

Consumer equipment really dumbs down firewalls; both pfSense and OPNsense made it a bit easier on the eyes than, say, Untangle or Sophos. But it's going to be a far cry from pretty buttons.

You're going to be dealing with systems like Snort or Suricata if you want actual DDoS mitigation. These are IDS/IPS systems and require attention; they are not set and forget.


I am not saying you shouldn't, and I'm not saying you don't have the skills. I am saying that given what was said in this thread thus far you should re-evaluate your expectations and what you are willing to put in to make this work.

That said, however, if Comcast is unwilling to help you if you are getting blasted, then this is not a cure. If you have 500/500 internet and someone is saturating your link with 500mb/s of traffic, then a firewall does nothing for you. The link is already saturated.
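
The distinction drawn in the post above, between a saturated link and traffic a firewall can still act on, as an added example that is not part of the original thread and not pfSense or OPNsense code. It compares two WAN counter snapshots against the link capacity; the `Snapshot` fields, the thresholds and the sample counter values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COUNTER_WRAP = 2**64        # assumption: 64-bit interface counters
SATURATION_RATIO = 0.90     # assumption: >= 90% of line rate counts as saturated
SMALL_PACKET_BYTES = 128    # assumption: mean size below this suggests a packet flood
HIGH_PPS = 50_000           # assumption: tune to what the firewall hardware sustains

@dataclass
class Snapshot:
    t: float        # sample time in seconds
    in_bytes: int   # cumulative inbound bytes on the WAN interface
    in_pkts: int    # cumulative inbound packets
    in_drops: int   # cumulative inbound drops reported by the interface

def delta(new, old, wrap=COUNTER_WRAP):
    """Counter difference that stays correct when the counter wraps."""
    return (new - old) % wrap

def assess(prev, cur, link_mbps):
    secs = cur.t - prev.t
    if secs <= 0:
        raise ValueError("snapshots must be in time order")
    nbytes = delta(cur.in_bytes, prev.in_bytes)
    pkts = delta(cur.in_pkts, prev.in_pkts)
    drops = delta(cur.in_drops, prev.in_drops)
    mbps = nbytes * 8 / secs / 1e6
    pps = pkts / secs
    mean_size = nbytes / pkts if pkts else 0.0
    if mbps / link_mbps >= SATURATION_RATIO:
        verdict = "link-saturated"   # filtering here is too late: take it upstream
    elif pps >= HIGH_PPS and mean_size < SMALL_PACKET_BYTES:
        verdict = "packet-flood"     # link has headroom: firewall/IPS rules matter
    elif drops:
        verdict = "local-drops"      # the box itself is dropping: check NIC and CPU
    else:
        verdict = "normal"
    return {"mbps": round(mbps, 1), "pps": round(pps),
            "mean_size": round(mean_size), "verdict": verdict}

# Constructed samples, 10 seconds apart, for a 500 Mb/s downstream link.
BASE = Snapshot(0.0, 1_000_000_000, 2_000_000, 0)
VOLUMETRIC = Snapshot(10.0, 1_600_000_000, 2_450_000, 0)   # 480 Mb/s inbound
SMALL_PKTS = Snapshot(10.0, 1_064_000_000, 2_800_000, 0)   # 80k pps, 80-byte mean

if __name__ == "__main__":
    for name, snap in (("volumetric", VOLUMETRIC), ("small-packets", SMALL_PKTS)):
        print(name, assess(BASE, snap, link_mbps=500))
```
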
 
Joined
Jul 9, 2016
Messages
1,068 (0.38/day)
So far the DDoS attacks are minimal. They come and go and my bandwidth has not been affected.

By "pre-configured" I mean certain important security settings are preset/default so that I would not overlook them, and the default settings are "hardened" to begin with. I am a software developer and I started on the Unix OS. I have set up our VPC on AWS by myself and I have written many C and Bash shell scripts, so I am fine with configuring things. However, given how complex network security can get, I want to make sure I don't miss things or leave holes in the "new" router firewall because right now, I am quite confident nothing illegitimate has gone past our current router firewall. If it is a wizard that is fine, but executing scripts is also fine with me. Does that make sense?

I am not sure what you mean by "willing to put in to make this work." Does it take weeks to configure OPNsense or pfSense?

So does the Intel quad NIC I have listed work? What do you use? I am leaning toward building my machine and giving it a try.

I read up on Comcast help with Business Accounts getting DDoS and they are also not helping people. Hopefully it won't happen to us.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
It’s going to be vanilla as far as security features. There is no blanket fix, so while there are more to choose from, there are no more enabled by default than any other router.

As for the NICs, I’m not sure; they don’t even need to be Intel, and support and bugs will come and go with the OS upgrades.

If you already have the parts, both are free; I’d just try it. You can even spin up a VM and see what you think.
 