To pfSense or not to pfSense - what makes sense?

pfSense sounds like a decent firewall but… you have to run it in a VM! So separate resources, from a separate source, to address the complete lack of a firewall from QNAP themselves. That is why I suggested Synology over QNAP. But I believe the OP bought a QNAP if I read his replies right. If money were NO issue, I’d give my existing QNAP TS-251 away and buy the Synology 918+ and load it with 4x 6TB WD Reds.

Then perhaps one must bite the bullet and setup a proper appliance.

It is possible to dedicate two adapters (one for inbound RJ-45 to the pfSense VM and one for the outbound RJ-45 to the LAN). In this configuration, the VM affords additional security because it’s in a completely different environment and address space than the host and LAN itself. It behaves just as if it were an external appliance on the LAN.


If it is of any difference, I own a Synology DS1815+ (owned and sold a DS1813+ first).
I now also own a TVS-1282-i7-32GB.
My firewall is pfSense.

The right equipment for the right job.
Either have extra resources somewhere to dedicate or acquire what is needed.

@ChuckPa wow - is this for your business? …without getting into any flame war - what’s your general opinion of Synology v QNAP based on your experience with these 2 devices from a UI and functionality/usability point of view?

@ChuckPa - off topic - I have a TS-453Bmini and pretty sure I cannot run the firewall you are mentioning (my NAS is only for home entertainment). Do you know if there is an idiots guide to VPNing into my NAS so I can see it as a drive remotely when I am working away from home? …or is this a dumb move without a firewall like yours?

You need an appliance like mine, hardware or software, to create the capability (service) on the NAS side of your home.

I have the predecessor to this model. Mine was discontinued in favor of the new packaging. :smiley:

Depending on your VPN needs, you might be able to use the

https://www.netgate.com/solutions/pfsense/sg-1000.html

Looks good. Does it sit between your NAS and the router or between your router and the world?

My ISP utilizes PPPoE authentication and packetization.

Therefore, I’ve functionally removed the router from their modem/router.

My configuration:

  1. ISP modem/router in RFC 1483 transparent bridge mode.
  2. Port 1 of the modem (it has no IP anymore, so it isn’t a router) to the pfSense input (WAN) side.
  3. pfSense signs into my ISP, using PPPoE, just as their equipment would.
  4. The output (LAN) feeds my entire LAN directly by plugging into the switch.

See the flow this way…

ISP Modem -> pfSense (router/firewall) -> Switch (LAN) -> Equipment.

I now have full control of the firewall, firmware updates, and everything else.

@JCHH

I moved us here, out of the OP’s thread. I should know better, haha.

Here’s what I see when downloading in traffic monitor.

I get full stats and totals, more info than I could need.
I also have extremely fine-grained control over any aspect of any device on my LAN or anything external.

I do all this personally. At some point, I will connect for work. The environment on this ISP is hostile. I’m not going to sit here with this much data and info without having control over it.

IMHO, a NAS is a storage device. Counting on it to be secure is putting the eggs in the wrong basket. If someone gets on your LAN, screw any sense of a firewall… you have bigger problems to solve… like getting your identity and financials back.

That’s why my “front door” is bolted down. No packets get in unless:

a) They are an expected reply to a previous outbound request from my LAN
b) They are on port(s) I have designated for specific applications and services to use
c) They are used in conjunction with particular services I am running in the firewall/router itself.

At different times of the year, I get 5,000 hits a day against my firewall from blind scanners.
Because it doesn’t reply, they don’t stop and focus on me. I see the scan, and I see its action “DROP”. Proof it ignored the packet.

That’s why I did this. My career was in secure environments. This is all second nature to me and part of how the world is now.

My steady 25 Mbps download, the ACK packets, and a shot of WiFi traffic.
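A toy model of the three inbound rules listed above, added here as an illustration (not pfSense code and not ChuckPa’s configuration; every address, port and service name is constructed, and NAT is left out to keep the model small):

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not from the thread.
FW_WAN_IP = "203.0.113.10"
SERVICE_PORTS = {32400: "plex"}      # (b) ports designated for specific services
FW_LOCAL_PORTS = {1194: "openvpn"}   # (c) services running on the firewall itself


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN/firewall
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Default-DROP inbound filter modelling rules (a), (b) and (c)."""
    def __init__(self):
        self.state = set()   # (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.log = []        # one line per inbound packet, like a firewall log

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            # (a) outbound traffic creates state so its reply is recognised
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "PASS"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            verdict = "PASS reply-to-outbound"
        elif p.dport in SERVICE_PORTS:
            verdict = f"PASS designated:{SERVICE_PORTS[p.dport]}"
        elif p.dst == FW_WAN_IP and p.dport in FW_LOCAL_PORTS:
            verdict = f"PASS firewall-service:{FW_LOCAL_PORTS[p.dport]}"
        else:
            verdict = "DROP"   # silently discarded: nothing for a scanner to see
        self.log.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto} {verdict}")
        return verdict


def run_demo() -> list:
    fw = StatefulFilter()
    fw.handle(Packet("out", "192.168.1.20", 51000, "198.51.100.5", 443))
    fw.handle(Packet("in", "198.51.100.5", 443, "192.168.1.20", 51000))    # (a)
    fw.handle(Packet("in", "198.51.100.9", 40001, "192.168.1.30", 32400))  # (b)
    fw.handle(Packet("in", "198.51.100.9", 40002, FW_WAN_IP, 1194, "udp")) # (c)
    fw.handle(Packet("in", "198.51.100.77", 60000, "192.168.1.20", 22))    # blind scan
    return fw.log
```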

This is really interesting, I am computer savvy and can write some code, but am a mechanical engineer so my knowledge is limited. I like the look of the SG1000 :smile:

You need to size the pfSense appliance with your needs. How much bandwidth is your ISP providing you?

18Mbps up and ~70Mbps down.

I will be getting 150/15 in January. Having the SG-2220 is the right size for me. The SG-1000 would not be able to handle the increased load, nor would it handle the VPN I will also be running in it.

If you are budget constrained and do not need to future proof, the SG-1000 is a good appliance to go with.

I agree with Achilles on this.

It’s a good appliance either way. You just need to review its performance limits and see how that fits into your future plans

Maybe this is more helpful.

I am downloading some files from my google drive (full 25 Mbps limit)

This is the loading on the SG-2220 (which has an AES-NI 64-bit CPU).


My usage is private and ad hoc. A little bit friends using Plex and a little bit me wanting to attach my NAS as a drive when I am away from home (that’s best over VPN, right?).

J.

I agree with what others have said here. Get an appliance if you can.

I personally have been running 2 pfSense VMs with CARP for many years. I have 1Gbps symmetric WAN, with a 10Gbps LAN backbone network. All data on the hosts runs on a single 10 gig NIC per host. pfSense is utilizing VLANs for the different networks. I can successfully push about 4-6Gbps through the firewall. You would need some beefy hosts to accomplish that, but it can be done.

If you really know what you are doing you can most certainly run pfSense as VMs. The hardware route is definitely much easier and may save you some sleepless nights :wink:

There is ONE step in setting these up which will save your hair! :slight_smile:

Set it up offline, external to your actual network (use an old dumb switch not plugged into anything).

This way, it’s easy to replicate the existing ISP configuration then “Drop in place” when all ready.
You’ll already know you can talk to it from the LAN and you’ve copied the ISP info in. All you need is to put the ISP equipment in Transparent Bridging mode presuming you don’t need it for cable / voip.

If you do, that’s covered too :slight_smile:

Thanks for that tip! :smile: