Mac mini File/VPN/Firewall Server

palebluedot

macrumors 6502a
Original poster
Jun 29, 2008
715
77
I have a 2012 Mini I want to turn into a home server. I have it set up right now to just host some externals to my family through file sharing. I'd like to get a firewall, VPN, and more sophisticated file sharing set up (specifically auto mount of shared drives or alternatively something like Seafile).

In any event, does anyone here have any experience with a firewall or VPN server on the Mac mini? Can I set up a pfSense firewall in macOS and, if so, can it sniff all my traffic if it is behind my Time Capsule router?

Any help/thoughts are appreciated!
 

reukiodo

macrumors regular
Nov 22, 2013
242
99
Earth
I would recommend NetBSD or a Linux over macOS as a firewall. Though your model runs the current macOS, it does not bode well for future support.
 

sevoneone

macrumors 6502
May 16, 2010
451
314
> I would recommend NetBSD or a Linux over macOS as a firewall. Though your model runs the current macOS, it does not bode well for future support.
Sadly, I have to concur. Unless you are willing to run Sierra (10.12), newer versions of macOS have eliminated the built-in VPN functionality and removed easy access to essential File Sharing settings like ACLs and permissions inheritance. You can install 3rd party options for VPN, and you can still manage ACLs from the command line, but then you've already lost the "Mac-ness" and Apple continues to strip out features completely or the GUI for them anyway. Might as well grab a copy of Ubuntu or NetBSD and go from there...

My suggestion would be to max out the RAM and the internal storage on the Mini. If it is not a Server model, you can get the cable to add a second SATA drive: https://eshop.macsales.com/item/OWC/DIYIMM11D2/
I'd run a free hypervisor like UnRAID, QEMU/KVM or even MS Hyper-V or ESXi and make it really easy to spin up virtual appliances/servers as needed.
 

palebluedot

macrumors 6502a
Original poster
Jun 29, 2008
715
77
Thanks all
> Sadly, I have to concur. Unless you are willing to run Sierra (10.12), newer versions of macOS have eliminated the built-in VPN functionality and removed easy access to essential File Sharing settings like ACLs and permissions inheritance. You can install 3rd party options for VPN, and you can still manage ACLs from the command line, but then you've already lost the "Mac-ness" and Apple continues to strip out features completely or the GUI for them anyway. Might as well grab a copy of Ubuntu or NetBSD and go from there...
>
> My suggestion would be to max out the RAM and the internal storage on the Mini. If it is not a Server model, you can get the cable to add a second SATA drive: https://eshop.macsales.com/item/OWC/DIYIMM11D2/
> I'd run a free hypervisor like UnRAID, QEMU/KVM or even MS Hyper-V or ESXi and make it really easy to spin up virtual appliances/servers as needed.
Thanks all for the replies/advice! My only issue is I am running iMazing on the server to back up my family's iOS devices, so for now at least macOS is a necessity. I suppose I could run VMware ESXi and run macOS as one of the instances just for that. Or perhaps Docker to run *nix for things like Seafile and firewall?

I guess my real (ignorant) question is: can a Mac mini act as a network firewall with only one NIC? My understanding is a pfSense box would have to sit in between a router and a modem?
 

reukiodo

macrumors regular
Nov 22, 2013
242
99
Earth
Ideally (best practice) you would separate the two networks physically, but it can technically work on one physical interface with multiple IP networks, or multiple VLANs.
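As an added illustration of the one-NIC, multiple-VLAN layout described above (this is example code written for this thread, not anything posted by reukiodo or shipped by pfSense): a Linux box whose single NIC is a trunk port, with the modem side on one VLAN and the home LAN on another, and an nftables ruleset that only forwards LAN to WAN. The interface name (eth0), VLAN IDs (10 and 20) and addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a single-NIC "router on a stick" on a
# Linux box. Assumptions (constructed for illustration): the physical NIC is
# eth0, the switch delivers the modem/ISP side tagged as VLAN 10 and the home
# LAN as VLAN 20, and the LAN is 192.168.20.0/24 with the router at .1.
NIC="eth0"
WAN_VID=10
LAN_VID=20
LAN_ADDR="192.168.20.1/24"

# Emit the interface setup instead of running it, so the plan can be reviewed
# (or tested) without root, a trunk port or a real switch. The WAN VLAN is
# assumed to get its address from the ISP by DHCP; that client is not shown.
vlan_commands() {
  cat <<EOF
ip link add link $NIC name $NIC.$WAN_VID type vlan id $WAN_VID
ip link add link $NIC name $NIC.$LAN_VID type vlan id $LAN_VID
ip addr add $LAN_ADDR dev $NIC.$LAN_VID
ip link set $NIC.$WAN_VID up
ip link set $NIC.$LAN_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# nftables ruleset for the box: forwarding is default-drop and only LAN -> WAN
# (plus replies to established flows) is allowed; the router itself accepts
# SSH and ping from the LAN VLAN only, and DHCP replies on the WAN VLAN; LAN
# traffic is NATed when it leaves on the WAN VLAN.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname "$NIC.$LAN_VID" tcp dport 22 accept
    iifname "$NIC.$LAN_VID" icmp type echo-request accept
    iifname "$NIC.$WAN_VID" udp dport 68 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$NIC.$LAN_VID" oifname "$NIC.$WAN_VID" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$NIC.$WAN_VID" masquerade
  }
}
EOF
}

# Usage: sh router-on-a-stick.sh            (print the plan for review)
#        sudo sh router-on-a-stick.sh apply (create the VLANs, load the rules)
if [ "${1:-}" = "apply" ]; then
  vlan_commands | sh -e
  nft_ruleset | nft -f -
else
  vlan_commands
  nft_ruleset
fi
```

The caveat that makes the "best practice" remark matter: with one NIC, the WAN/LAN separation exists only as 802.1Q tags, so it is exactly as strong as the switch's port configuration. If the trunk port is ever left accepting untagged frames, or the modem ends up on the same VLAN as the LAN, the firewall is bypassed without any change on the router itself. Two physical interfaces remove that dependency.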
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
980
261
on the land line mr. smith.
What about a third party firewall, or a FW front end?

Murus looks interesting. Could try the free lite version first to test.

Seems easiest to invest in a decent router for both FW and VPN...protect the entire network at the perimeter. Could still lock down the server with the included FW.
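The "lock down the server with the included FW" idea, as an added example (written for this thread, not code from hobowankenobi, Murus or Apple): the firewall that ships with macOS is pf, and Murus is a front end for it, so a host ruleset can also be written by hand. This one only lets the home LAN reach the file-sharing ports on the Mini and drops everything else inbound. The LAN range (192.168.1.0/24) and the service list (SSH, SMB, AFP, Bonjour) are constructed assumptions; the com.apple anchor lines are the ones from the stock /etc/pf.conf and are kept so system features keep working.

```shell
#!/bin/sh
# Added example, not from the thread: a host ruleset for the macOS pf firewall
# that lets a Mini act as a file server for the home LAN and nothing else.
# Assumptions, constructed for illustration: the LAN is 192.168.1.0/24 and the
# services wanted are SSH (22), SMB (445), AFP (548) and Bonjour/mDNS (5353).
pf_rules() {
  cat <<'EOF'
# Apple's own anchors from the stock /etc/pf.conf; pfctl -f replaces the whole
# main ruleset, so they must be repeated here or system features lose them.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

lan = "192.168.1.0/24"

set skip on lo0
# Default deny inbound. Everything the Mini initiates is allowed out, and the
# replies come back through the state table rather than through open ports.
block in all
pass out all keep state
# Only the LAN may reach the file-sharing ports, discover the server over
# Bonjour, or ping it. Nothing from the WAN side is passed at all.
pass in proto tcp from $lan to any port { 22, 445, 548 } keep state
pass in proto udp from $lan to any port 5353
pass in inet proto icmp from $lan to any icmp-type echoreq
EOF
}

# Parse the ruleset without loading it (pfctl -n), then enable pf and load it
# (pfctl -e -f). Both steps need root and pfctl, which exists on macOS/BSD
# only; elsewhere the ruleset is just written out for review.
pf_apply() {
  tmp=$(mktemp) || return 1
  pf_rules > "$tmp"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -n -f "$tmp" && pfctl -e -f "$tmp"
  else
    echo "pfctl not found; ruleset written to $tmp for review" >&2
  fi
}
```

The check worth keeping in any version of this: run `pfctl -n -f` first, because a ruleset that fails to parse leaves the previous rules (or no rules) in place, which is easy to miss on a headless server.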
 

palebluedot

macrumors 6502a
Original poster
Jun 29, 2008
715
77
> Ideally (best practice) you would separate the two networks physically, but it can technically work on one physical interface with multiple IP networks, or multiple VLANs.
Is there a package or guide you recommend I read to learn about this further?
 

MrRabuf

macrumors regular
Jan 2, 2019
105
104
> Can I set up a pfSense firewall in macOS
pfSense is its own operating system (based on FreeBSD) and not really something you run "in" MacOS. While there might be some way of getting it to work on your Mac, you're getting into more complicated setups especially considering it only has a single NIC. I recommend you do it the right way and use dedicated hardware with at least 2 physical network interfaces. I've used pfSense at home for the past 3 years and really like it but I highly recommend keeping your router/firewall and home server as 2 separate devices. You don't want something as simple as a MacOS update/reboot/etc on your server to take down your entire home network. You can then easily configure VPN in pfSense.

I also don't recommend setting up your own firewall from scratch unless you've done it before and have a bunch of networking experience. It's easy to screw it up. Stick with off the shelf routers/firewalls or established routing software like pfSense, DD-WRT, OpenWRT, etc.

> My understanding is a pfSense box would have to sit in between a router and a modem?
You usually use a pfSense box as both your router and firewall. You don't need an additional router. My network is Modem -> pfSense box -> dumb switch -> all my wired devices. Note that my pfSense box is wired only. I use an old router, running OpenWRT in bridged mode, as my wireless access point.

My pfSense box serves as my router, firewall, DHCP server, DNS server, VPN server, and ad blocker. All other server-related duties are done on a separate Linux box.
 

sevoneone

macrumors 6502
May 16, 2010
451
314
Some people love Ubiquiti, others don't, but the EdgeRouter X makes for one very capable gateway/firewall for about $50: https://www.ui.com/edgemax/edgerouter-x/ It is SMB/enterprise rated gear so it can handle everything you're looking for. The web GUI has really come along, CLI access is there for advanced setup and learning, and there is a strong user community around the EdgeMax gear.

I would honestly do that and keep the Mac mini for the file/media server needs.
 

hobowankenobi

macrumors 6502a
Aug 27, 2015
980
261
on the land line mr. smith.
> Some people love Ubiquiti, others don't, but the EdgeRouter X makes for one very capable gateway/firewall for about $50: https://www.ui.com/edgemax/edgerouter-x/ It is SMB/enterprise rated gear so it can handle everything you're looking for. The web GUI has really come along, CLI access is there for advanced setup and learning, and there is a strong user community around the EdgeMax gear.
>
> I would honestly do that and keep the Mac mini for the file/media server needs.
Exactly what I have too.
 

palebluedot

macrumors 6502a
Original poster
Jun 29, 2008
715
77
Thank you all for the expertise. I was interested in tinkering but it sounds like a Raspberry Pi may be better for that and I should just get an EdgeRouter or something.

@MrRabuf, out of curiosity what hardware are you using to run your pfSense box and router?

One final question for everyone... any thoughts on an "endpoint monitoring" solution that can be run off a server, e.g. something like Carbon Black but for a home server and home endpoints without all the cloud junk?
 

MrRabuf

macrumors regular
Jan 2, 2019
105
104
> out of curiosity what hardware are you using to run your pfSense box and router?
I went the extreme overkill route and built a mini-ITX system based on this Supermicro motherboard and this wall-mounted case. Again, it's much more power than I need and I don't really have a way to justify it. You can definitely get away with cheaper setups. I suggest checking out pfSense's website/forums/etc. if you're looking for suggestions for what hardware to use. Unlike things like DD-WRT/OpenWRT/etc., you typically can't run pfSense on an off-the-shelf router and thus need something a little beefier and closer to a PC.