I have limited network knowledge, and am at the moment running a TP-Link AX1500 router with a NETGEAR JGS516PE switch for a very small business (some computers, server, NAS, VPN, camera and VoIP).
The VPN is from the TP-Link config.
As I'm getting more concerned about cyber security, I’m considering buying a Netgate 4200 to replace the TP-Link (which works fine but … ).
I would also need a wireless AP, as I would remove the TP-Link.
Any suggestions or comments?
All help is much appreciated and Happy New Year!!!
I sell tons of 4200s for this application all the time. We do Netgate > UniFi Switch > UniFi APs. You could also put your old TP-Link router in AP mode like someone else said. Even though it is a small business, use best practice and segregate VoIP, Camera/Security, and the regular network with VLANs.
If your server is Windows and you use Active Directory, you can install the NPS role to use RADIUS authentication for OpenVPN on the pfSense appliance, as well as on your wireless network. Pair this with Duo MFA and you have a pretty secure ecosystem.
For the network, I will set up 4 VLANs: management network: only for management purposes; server network: only for server/NAS/camera server internal; internal network: only for employees; guest network: only for guests.
I think you can set up an internal firewall between the server and the mainline. It's for server security. If you don’t have enough budget, you can take a look at Wazuh (open source SIEM).
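
The four-VLAN split suggested above only helps if the inter-VLAN firewall rules enforce it. The following is an added example, not part of the thread and not pfSense's own code: it models per-interface, first-match rules with an implicit default block (the way pfSense evaluates them) and audits a rule set against flows that must never pass. The subnets, rule set and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing plan for the four VLANs named in the thread.
# Subnets are assumptions made for this example.
VLANS = {name: ipaddress.ip_network(net) for name, net in {
    "management": "10.0.10.0/24", "server": "10.0.20.0/24",
    "internal": "10.0.30.0/24", "guest": "10.0.40.0/24"}.items()}
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per ingress VLAN: (action, destination, port); port None means any port.
# Destination is a VLAN name, "private" (all RFC 1918 space) or "any".
RULES = {
    "management": [("pass", "any", None)],
    "server":     [("block", "private", None), ("pass", "any", 443)],
    "internal":   [("pass", "server", 445), ("pass", "server", 443),
                   ("block", "private", None), ("pass", "any", None)],
    "guest":      [("block", "private", None), ("pass", "any", None)],
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def dst_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "private":
        return any(addr in net for net in PRIVATE)
    return addr in VLANS[spec]

def decide(src_ip, dst_ip, port):
    """First matching rule on the source VLAN wins; no match means block."""
    for action, spec, rule_port in RULES.get(zone_of(src_ip), []):
        if dst_matches(spec, dst_ip) and rule_port in (None, port):
            return action
    return "block"

def audit():
    """Return the flows that break the segmentation goals (empty = good)."""
    must_block = [
        ("10.0.40.25", "10.0.10.1", 443),   # guest -> management
        ("10.0.40.25", "10.0.20.5", 445),   # guest -> server/NAS
        ("10.0.30.14", "10.0.10.1", 22),    # employee -> management
        ("10.0.20.5", "10.0.30.14", 3389),  # server -> employee PC
    ]
    return [flow for flow in must_block if decide(*flow) != "block"]

if __name__ == "__main__":
    print(audit() or "segmentation goals hold")
```

Reordering a rule list (for example, moving a broad `pass` above the `block` to private space) makes `audit()` return the flows that have become reachable.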