Building a home firewall - guide

OVERKILL

Given some of the subject matter I've covered in recent weeks regarding the state/quality/security of most consumer network gear, I thought it prudent to put together a short guide with screenshots on how you can leverage old hardware or something cheap from eBay/Kijiji/Craigslist to provide more robust perimeter protection without having to become a networking expert. The main prerequisite is simply something with two (or more) network interfaces, so if you have an old computer that you can add another network card to, that's pretty much all it is going to require.

The most popular firewall distribution has to be pfSense, which is based on FreeBSD. There's a fork of this product called OPNsense, which I've also used and which is very similar in terms of installation and operation. If you'd like a guide on that product as well, let me know. Given some of the interaction between the pfSense and OPNsense camps, some of which was quite unprofessional, I personally lean toward supporting the OPNsense group.

This guide is based on execution of the installation on a Hyper-V virtual host for the sake of being able to easily grab screenshots. Installation on physical hardware is effectively identical for the sake of this thread.

Step 1 (pfSense):
Download the installation media from https://www.pfsense.org/download/
You will want to select AMD_64 as the architecture and whether you want the ISO (CD/DVD) or the Memstick installer will depend on whether the hardware you are installing it on, and the computer you are downloading the image on, have an optical drive and you have blank optical media handy:
Screen Shot 2024-03-16 at 12.54.12 PM.jpg

If you select the Memstick installer, you then have to select the console type. Choose VGA console:
Screen Shot 2024-03-16 at 12.55.36 PM.jpg

In either instance, the file you download will be a gzip-compressed (.gz) file, so you need an archiver like 7-Zip to extract it. You get this from 7-zip.org.
Once you have 7-Zip installed, right-click the gz file, choose 7-Zip and then "Extract Here":
pfsense01.jpg

Step 2 (pfSense):
Once the image is extracted, if you downloaded the ISO, right-click it and choose "burn disc image" (PC):
pfsense02.jpg


Or "Burn to Disc..." (Mac):
Screen Shot 2024-03-16 at 1.06.44 PM.jpg


If you downloaded the Memstick installer, go grab Balena Etcher from balenaEtcher - Flash OS images to SD cards & USB drives:
Then launch that, click "Flash from file":
Screen Shot 2024-03-16 at 1.02.49 PM.jpg

Select your .img file that you extracted, insert your USB memory stick, click "Select target" and choose that memory stick, then click "Flash!" and it will create the stick for you.

Step 3 (pfSense):
Depending on the hardware you are installing it on, you will need to figure out what the key sequence is to be able to boot from something other than the hard drive. On some computers, that's F12, others it's F11, others still it can be F8, F9 or F10. On an HP system, if you hold down the ESC key during POST, you'll get a menu that will allow you to select "Boot menu" and then you can select the bootable device you created (CD/DVD or Memstick).

Step 4 (pfSense):
The image should boot, you'll get a screen with a brief countdown, just wait it out. You'll then be greeted by the pfSense installer and an agreement you need to accept to proceed:
pfsense03.jpg


Step 5 (pfSense):
Choose "Install":
pfsense04.jpg


Step 6 (pfSense):
If you are using a system with less than 8GB of RAM, select Auto (UFS) on the partitioning screen:
pfsense05.jpg

Step 7 (pfSense):
Choose "Entire Disk":
pfsense06.jpg
 
Step 8 (pfSense):
Choose "GPT GUID Partition Table" unless the computer you are installing it on is extremely old, in which case, choose MBR.

Step 9 (pfSense):
Select your drive on the next screen:
pfsense07.jpg


Step 10 (pfSense):
On the screen that comes up, click "Commit":
pfsense08.jpg


Step 11 (pfSense):
On the next screen, click "Reboot":
pfsense09.jpg


Step 12 (pfSense):
Remove your installation media and allow the system to boot into the initial system setup screen, where you are asked if you want to set up VLANs. For your average home user, and particularly if you have no idea what a VLAN is, choose "no".

Step 13 (pfSense):
The next step is to detect your interfaces. Make sure nothing is connected to either interface. The first interface it wants to find is WAN (internet), so connect your ISP-provided modem, then type "a" for auto detect:
pfsense10.jpg


Step 14 (pfSense):
Do the same for your LAN network.

Step 15 (pfSense):
From a computer connected to the LAN side, navigate to 192.168.1.1 and log in with admin/pfsense:
pfsense11.jpg


Step 16 (pfSense):
"Next" your way through the initial configuration Wizard. I recommend when you get to Step 5, configure LAN, that you change the subnet to something other than the default, such as 10.10.10.1 for the LAN IP address (leave the subnet size at /24):
pfsense12.jpg


Step 17 (pfSense):
Change the admin password to something complex and arrive at the summary screen:
pfsense13.jpg


That's it! You've performed the initial configuration and are using the pfSense firewall. From here, you can explore the system, make additional customizations, install additional software to inspect traffic, like ntopng:
pfSense — ntopng 6.1 documentation
 
Part 2:
Argued by some to be a bit simpler, there is also IPFire, which was a fork of the now abandoned IPCop project. If you are more comfortable with a Linux-based firewall than a BSD one, then Part 2 is for you!

Step 1 (IPFire):
Obtain the installation media from the website: www.ipfire.org - IPFire 2.29 - Core Update 184
Choose x86_64 and the same as with pfSense, either the ISO image or the Flash image depending on whether you are going to use a CD/DVD or USB for the installation:
Screen Shot 2024-03-16 at 2.40.17 PM.jpg


Follow the pfSense instructions through to Step 3.

Step 2 (IPFire):
Select your language from the first screen:
IPFire02.jpg


Step 3 (IPFire):
Choose "Start Installation".

Step 4 (IPFire):
Use the tab key to select and accept the license agreement.

Step 5 (IPFire):
Choose "Delete all data":
IPFire03.jpg


Step 6 (IPFire):
Choose "ext4 Filesystem":
IPFire04.jpg


The system installs.

Step 7 (IPFire):
Remove the installation media and click "Reboot":
IPFire05.jpg


The system reboots and you are presented with the keyboard language screen; in most cases you will be choosing "us" here.

Step 8 (IPFire):
Choose your time zone

Step 9 (IPFire):
Name your firewall (default is ipfire). Name your domain (localdomain is default).

Step 10 (IPFire):
Create your root password:
IPFire06.jpg


Step 11 (IPFire):
Create your admin (webUI) password:
IPFire07.jpg


Step 12 (IPFire):
You are presented with three areas of customization:
- Network configuration type. The default (Green + Red) should be the most appropriate for most people's configuration (LAN/WAN)
- Drivers and card assignments
- Address settings
IPFire08.jpg


Step 13 (IPFire):
Under Drivers and card assignments, select the network card for your green interface, and your red interface:
IPFire09.jpg


Step 14 (IPFire):
Under "Address Settings":

Step 15 (IPFire):
Under Green, adjust your LAN subnet if desired; I'm using 10.10.10.0/24 for the sake of this exercise, which means a LAN IP address of 10.10.10.1 and a mask of 255.255.255.0:
IPFire10.jpg
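Both the pfSense wizard (Step 16 above) and the IPFire Green settings ask for the same handful of values once you pick a subnet like 10.10.10.0/24. The script below is an added example, not code from the original post or from either project: it derives the netmask, the firewall's LAN address, a static range and a DHCP pool from the CIDR, and checks that the subnet does not overlap whatever the ISP modem or an upstream router is already using (the usual reason to move off 192.168.1.0/24). The upstream subnets passed to `overlaps()` are constructed sample values.

```python
# Added example, not part of the original post or of pfSense/IPFire.
# Given the LAN subnet chosen in the wizard (e.g. 10.10.10.0/24), derive the
# values the setup screens ask for, carve out a DHCP pool, and check the
# subnet does not collide with anything already in use upstream.
import ipaddress


def lan_plan(cidr, dhcp_pool_size=100):
    """Return the addressing values for a LAN subnet given in CIDR form."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.is_private:
        raise ValueError(f"{net} is not a private range; use 10/8, 172.16/12 or 192.168/16")
    hosts = list(net.hosts())            # usable addresses (network and broadcast excluded)
    if len(hosts) < dhcp_pool_size + 2:
        raise ValueError(f"{net} has only {len(hosts)} usable addresses")
    gateway = hosts[0]                   # the firewall's own LAN address, e.g. 10.10.10.1
    pool = hosts[-dhcp_pool_size:]       # DHCP leases come from the top of the range
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),     # 255.255.255.0 for a /24
        "gateway": str(gateway),
        "static_first": str(hosts[1]),   # room for printers, NAS etc. with fixed addresses
        "static_last": str(hosts[-dhcp_pool_size - 1]),
        "dhcp_start": str(pool[0]),
        "dhcp_end": str(pool[-1]),
    }


def overlaps(cidr, upstream_cidrs):
    """Return the upstream subnets that overlap the proposed LAN subnet.

    A modem or ISP router sitting on 192.168.1.0/24 is the usual reason to
    pick something other than the pfSense default for the LAN side.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return [c for c in upstream_cidrs
            if net.overlaps(ipaddress.ip_network(c, strict=False))]


if __name__ == "__main__":
    plan = lan_plan("10.10.10.0/24")
    for key, value in plan.items():
        print(f"{key:>13}: {value}")
    # constructed example of what a modem might already use on its own LAN side
    upstream = ["192.168.1.0/24", "192.168.100.0/24"]
    print("default 192.168.1.0/24 conflicts with:", overlaps("192.168.1.0/24", upstream))
    print("10.10.10.0/24 conflicts with:", overlaps("10.10.10.0/24", upstream))
```

The DHCP pool is taken from the top of the range so that the low addresses stay free for devices you want to pin with static leases; adjust `dhcp_pool_size` to taste when you reach the DHCP server screen.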
 
Step 16 (IPFire):
Under Red, select your WAN configuration type. Default is static, which most people will NOT be. If you use a DSL connection (also some fibre connections) that require PPPoE, select that, otherwise, typically DHCP is the correct option:
IPFire11.jpg


Step 17 (IPFire):
After selecting "Done" on the Address settings page, you are presented with the option to enable and configure your DHCP server:
IPFire12.jpg


At this point, setup is complete and the system will reboot. You can then point a browser to the LAN address you assigned for further configuration, port 444. So, for the system I just configured, https://10.10.10.1:444 is the address:
IPFire13.jpg


I recommend going to the firewall tab and setting up IPS (Intrusion Prevention System) using one of the provider lists. You can read up on each of them and determine which one best suits your network and system profile. Snort community rules are probably a good starting point:
IPFire14.jpg
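The IPS adds signature matching on top of the packet filter, but even before any rule set is loaded the filter itself is already dropping unsolicited WAN-side traffic and logging it. The script below is an added example, not code from the original post or from the IPFire project: it parses kernel log lines in the iptables LOG format (the style IPFire writes to /var/log/messages), counts what was dropped on the red interface by protocol and port, and lists anything from the WAN that was aimed at the firewall's own admin ports. The sample lines are constructed, and the "DROP_INPUT" prefix, the interface name red0 and the admin port set are assumptions about the local configuration.

```python
# Added example, not from the original post or the IPFire project. It parses
# kernel log lines in the iptables LOG format and summarises what the packet
# filter dropped on the WAN ("red") side. SAMPLE_LOG is constructed; the
# "DROP_INPUT" prefix and the interface name red0 are assumptions.
import re
from collections import Counter

WAN_IF = "red0"
ADMIN_PORTS = {22, 444}                   # SSH and the web UI on port 444, as in the guide
KV = re.compile(r"(\w+)=(\S*)")           # KEY=VALUE tokens; bare flags like DF/SYN are skipped
PREFIX = re.compile(r"kernel: (?P<prefix>\S+) IN=")

# constructed log excerpt using RFC 5737 documentation addresses
SAMPLE_LOG = [
    "Mar 17 08:25:19 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 SYN URGP=0",
    "Mar 17 08:25:21 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=43212 DPT=23 WINDOW=1024 SYN URGP=0",
    "Mar 17 08:26:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.99 DST=198.51.100.7 LEN=60 TTL=48 ID=7 DF PROTO=TCP SPT=51000 DPT=444 WINDOW=64240 SYN URGP=0",
    "Mar 17 08:26:40 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=436 TTL=55 ID=0 DF PROTO=UDP SPT=5060 DPT=5060",
    "Mar 17 08:27:05 ipfire kernel: DROP_INPUT IN=green0 OUT= SRC=10.10.10.20 DST=10.10.10.1 LEN=40 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 SYN URGP=0",
    "Mar 17 08:27:30 ipfire sshd[812]: Accepted publickey for root from 10.10.10.20 port 50122",
]


def parse_line(line):
    """Split one iptables-style log line into a dict; None for unrelated lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(KV.findall(line[m.end("prefix"):]))
    fields["prefix"] = m.group("prefix")
    return fields


def wan_drops_by_port(lines, wan_if=WAN_IF):
    """Count dropped WAN-side packets by (protocol, destination port)."""
    counts = Counter()
    for fields in map(parse_line, lines):
        if (fields and fields["prefix"].startswith("DROP")
                and fields.get("IN") == wan_if and fields.get("DPT")):
            counts[(fields["PROTO"], int(fields["DPT"]))] += 1
    return counts


def admin_port_probes(lines, wan_if=WAN_IF):
    """WAN-side packets aimed at the firewall's own admin ports, dropped or not."""
    hits = []
    for fields in map(parse_line, lines):
        if (fields and fields.get("IN") == wan_if and fields.get("DPT")
                and int(fields["DPT"]) in ADMIN_PORTS):
            hits.append((fields["SRC"], int(fields["DPT"]), fields["prefix"]))
    return hits


if __name__ == "__main__":
    print("dropped on", WAN_IF, "by protocol/port:")
    for (proto, port), n in wan_drops_by_port(SAMPLE_LOG).most_common():
        print(f"  {proto:<4} {port:>5}  {n}")
    print("admin-port probes from the WAN (src, port, verdict):")
    for hit in admin_port_probes(SAMPLE_LOG):
        print("  ", hit)
```

Feed it the real file with `wan_drops_by_port(open("/var/log/messages"))` on the firewall itself. A non-DROP verdict showing up in `admin_port_probes()` is the thing to act on: it means the web UI or SSH is reachable from the internet, which the default Green/Red policy should never allow.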


Under System -> Hardware vulnerabilities, you can also see if your hardware has any unmitigated CVEs:
IPFire15.jpg
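That page is a rendering of what the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, one file per issue with a one-line status. The script below is an added example, not code from the original post or the IPFire project: it reads those files when present (falling back to a constructed snapshot otherwise), sorts each entry into mitigated, vulnerable, not affected or unknown, and separately flags entries whose mitigation still leaves SMT exposed, which is easy to miss when only the headline says "Mitigation". The status strings in SAMPLE are constructed in the kernel's own wording.

```python
# Added example, not from the original post or the IPFire project. IPFire's
# "Hardware vulnerabilities" page shows what the kernel reports under
# /sys/devices/system/cpu/vulnerabilities; this reads the same files and
# sorts them by status. SAMPLE is a constructed snapshot.
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# constructed snapshot, in the kernel's own wording, for an unpatched older CPU
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "srbds": "Not affected",
    "retbleed": "Vulnerable",
    "gather_data_sampling": "Unknown: Dependent on hypervisor status",
}


def classify(status):
    """Map one sysfs status line to a coarse bucket."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "unknown"          # e.g. "Unknown: Dependent on hypervisor status"


def report(entries):
    """Group vulnerability names by bucket, names sorted within each bucket."""
    out = {"vulnerable": [], "mitigated": [], "not_affected": [], "unknown": []}
    for name, status in sorted(entries.items()):
        out[classify(status)].append(name)
    return out


def smt_caveats(entries):
    """Entries whose status admits SMT is still exposed, even if marked mitigated."""
    return sorted(name for name, status in entries.items() if "SMT vulnerable" in status)


def read_sysfs(path=VULN_DIR):
    """Read the live kernel view; empty dict when the directory is absent."""
    entries = {}
    if not os.path.isdir(path):
        return entries
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as f:
            entries[name] = f.read()
    return entries


if __name__ == "__main__":
    entries = read_sysfs() or SAMPLE
    for bucket, names in report(entries).items():
        print(f"{bucket:>13}: {', '.join(names) or '-'}")
    print("  SMT caveats:", ", ".join(smt_caveats(entries)) or "-")
```

Entries in the vulnerable bucket usually mean missing microcode (a BIOS update) rather than a missing kernel patch; the SMT caveats are the ones where disabling hyper-threading in the BIOS is the only full fix, which on a firewall box with spare CPU headroom is an easy trade.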
 
Nice guide @OVERKILL. Well done.

What's the lowest wattage device you've run it on with success? I have done no research on it, nor have I ever run it... but it'd be cool on a lower power Atom or something that took hardly any juice but still could support something like symmetrical gigabit throughput.

Then again if one had a PowerEdge or some other Hyper-V, ESXi, Proxmox host running, you could VLAN/Virtual NIC/physical NIC it off and probably notice no nominal power usage increase. Then again the worrywart in me would still rest easier knowing it would be fully gapped on a separate box.

Have been running EdgeRouter X's for almost a decade but there will come a time and point where they (A) will be fully EOL and (B) not able to support upcoming ISP carrier speeds... Spectrum just announced DOCSIS 4.0 with a high split. I will be going with one of these when needed.
 
I'm using a Unifi UDM SE at the present time, so I don't have the time to benchmark one of these but I wouldn't expect the requirements to be too lofty. @terry274 has that Sophos XG 105 that uses an Atom chip and it's running OPNsense, so maybe he can give us his throughput data to see what it's pushing? That might help.
 
I ran opnsense for about a year and frankly it was not for me. The combination of me not being all that knowledgeable, not needing most of its capabilities, and some weirdness with the software led me to switch to a much simpler TPL Omada 605 wired router.

Occasionally software updates caused it to stop working. One of the plugins for ad-blocking would prevent checking for updates. And the worst was how some settings changes would seem to be ignored without a complete reboot of the system.

I'm sure both opnsense and pfsense are great solutions for those who are fluent in such things and need the capabilities they possess. But for those of us with modest requirements and knowledge, it's possibly too much.
 
Excellent! Thanks for taking the time to compile and publish!

I spent weeks watching the female Brit's YouTube videos to get mine up and running! After that, I spent more weeks reading the pfSense manual to tweak the system.

My 10 year old i3-3120M is loafing along at 2% CPU usage and 7% of 8GB of memory and using 1GB of the 51GB hard drive. The store bought units are using fanless Celeron processors. Not much computing power needed thanks to Unix.
 
I am connected to United Communications fiber. I pay for 500Mbps.

Screenshot_20240317_082519.jpg


If you give me directions on further testing I will try to get more information.
I have noticed while changing the configuration on the Sophos it is slower to apply a change than the Dell Optiplex 790 small form factor I was using. The Dell is an i5 with 4GB of ram.
With normal web browsing I can tell no difference between the two.
 
If you are paying for 500/500, that seems to be just fine :)
 
For you, I'd recommend the new Unifi Cloud Gateway, if you didn't feel like giving IPFire a spin:
Compact UniFi Cloud Gateways - Ubiquiti
 
What does it do?

Fire wall to me is the 2 layers of 1/2" drywall between the garage and attached house.
Protects your network from WAN-side vulnerabilities, which are becoming a growing concern with consumer-grade network gear as the lists of CVE's grows and bad actors, particularly in China, work to infiltrate devices and use them as proxies and gain access to information.
 
So the Chinese get into your wifi?
 
Effectively, yes, that's the risk. They can then use your network device as a bot, making it part of a botnet, which can be used to attack other networks, or they can use it as a proxy to route traffic through so that it appears to be coming from your network. If you haven't read the "Camaro Dragon" thread also in this section, take a look at it, it explains a recent occurrence of this with TP-Link branded home devices.
 
Huh. Way over my head on how that's all done.

I barely figured out the wifi!
 