I am going to intentionally exclude Unifi and Mikrotik along with the vendors like Cisco, Juniper, Aruba etc from this discussion as I don’t think they are relevant (especially since you can’t run them on your hardware).
- OPNsense: Considered the superior alternative to pfSense. Great firewall, routing capabilities, IDS and certificate authority, advanced features, can be a DNS server etc. Best option all around for x86, but BSD based - take note of available drivers. Don’t even think about running random WiFi antennas unless you confirm good support for them (use a distinct WAP).
- OpenWRT: built for consumer router + switch + WAP boxes on embedded hardware. Great OS and uses very little resources with many features, but doesn’t compete in features with OPNsense if you have x86.
- VyOS: Debian based router + firewall. Linux makes it easier for people to pick up the CLI but I’ve heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Edit: I made a mistake - LTS versions also have their source available for free, you’d just need to compile it with the instructions on their website. Seems to be stable.
- Debian + FRRouting + nftables + heavy SELinux for the paranoid/analogous alternatives on OpenBSD (the latter is considered more secure but YMMV, configuration plays a big part here).
- Freemium: Sophos free version for home use.
Which one of these do you run, and why? What have been your issues with one or the other, and what have you settled on? Any niche customisations that you might have made? I’m very interested to know!
Cheers
Edit: it would seem that OPNsense is a big winner in this space for stability. OpenWRT comes next because of its very light nature and ability to run on consumer routers.
Been running virtualised OPNsense on Proxmox for a while and it’s really awesome. Haven’t had any major issues.
iptables on Debian because I like my life to be boring and unchanging.
I don’t know you, but I love you, complete random stranger. Thanks for the laugh 😂
Does VyOS count?
Is that your firewall? I admit it’s a great idea but do you use something else for routing?
Yep. Firewall, routing, dhcp, dns, everything you’d expect from a gateway device. Plain Debian (or really any distro) can do it all. With a 1gbps bi-directional connection fully saturated it will run at about 10% cpu on my very crappy low power Celeron CPU.
Plus, there’s no web UI full of janky and insecure CGI scripts to exploit, and software updates are forever (well, until x64 is deprecated, so basically forever).
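The plain-Debian gateway described above (firewall, routing, NAT, with DHCP and DNS served to the LAN) can be expressed as a single stateful nftables ruleset. This is an added example, not the commenter’s own configuration or anything from the linked write-up; the interface names wan0 and lan0, the 192.168.10.0/24 LAN prefix, and the choice to expose DNS, DHCP and SSH only on the LAN side are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal stateful home-gateway ruleset for nftables.
# Assumptions: wan0 faces the ISP, lan0 faces the home network,
# and the LAN uses 192.168.10.0/24. Adjust before loading.

flush ruleset

define WAN     = "wan0"
define LAN     = "lan0"
define LAN_NET = 192.168.10.0/24

table inet gateway {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # services the gateway itself offers, reachable from the LAN only
        iifname $LAN udp dport { 53, 67 } accept   # DNS and DHCP
        iifname $LAN tcp dport { 53, 22 } accept   # DNS over TCP and SSH

        # anything else arriving from the WAN is dropped by the chain policy
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate connections towards the internet;
        # inbound connections from the WAN never match and are dropped
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # source NAT for everything leaving towards the ISP
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and enable `net.ipv4.ip_forward=1` via sysctl; on Debian the `nftables` service reloads that file at boot. The forward chain is the part that does the real filtering work: because its policy is drop and only LAN-originated or already-established flows are accepted, the masquerade rule exists purely for address translation rather than as the thing that keeps unsolicited inbound traffic out.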
You have really piqued my interest. I have always thought about running my DIY Router + Firewall + switch but had never really spoken to anyone who had done it before (guides on the internet notwithstanding).
However, if I do something like this, it will likely be on OpenBSD. Now, I haven’t delved deep enough into the BSDs to know if it’s better than Debian since all distributions can be made as secure as we want. However, OpenBSD just has a better image in my mind in terms of security and some of their choices in the OS are to my liking.
This was my setup from about four years ago. Other than moving suricata elsewhere, it’s largely the same. Worth a shot if it’s something you’re into!
https://nbailey.ca/post/linux-firewall-ids/
OpenBSD is also great, I’m just more familiar with the Linux tools. All the required tools are in the base image, and they have a great official guide:
Thank you for documenting the process, was a very interesting read.
Indeed, they have great documentation on this. Fantastic to have an official guide on something I’d like to do!
OpenWRT, because it has a nice interface, runs on half a toaster, and I’ve yet to find something that I need it to do that it couldn’t do but OPNsense could.
I did try pfSense many years back and it just seemed overly complicated and generally flaky. I had trouble setting it up as a tinc VPN client despite that being a trivial task in OpenWRT, so I switched back.
I’ve run OPNsense for quite a few years now, haven’t really had any issues with it.
I’d like to try OpenWRT and move to a nice low power router, but figuring out what hardware is supported is hard, as just “it runs openwrt” isn’t good enough when hardware acceleration often doesn’t work and stuff like that. Overall just too confusing for me to bother with finding hardware that will handle at least 3 Gbps throughput.
VyOS looks interesting but CLI only sounds super rough, I don’t really understand how I would do stuff like see DNS blocklist stats and easily whitelist by clicking on a blocked host, or add a static IP by clicking on the MAC address and that sort of thing.
Honestly you can go buy some random device and it will probably be supported. For instance I bought a Linksys router from Walmart and it runs OpenWRT fine.
Finding throughput data is difficult though, basically anything will support like 500Mbps, but hitting 1-2Gbps consistently with internet downloads or transfers crossing VLANs seems a lot tougher.
What kind of extensive network setups are you running at home? I just have a few WiFi routers with OpenWRT and one server / NAS. (Which also does DNS ad-blocking.)
Most home setups will likely work fine with just one firewall, but I am planning for 2 at the very least for my network. Also, sometimes it might be better to run a separate router in a VM and have a distinct network behind it if you want to segment said network more thoroughly/want to emulate an enterprise environment etc. I personally see good use for running 2 or more routers (software/hardware) in a lab, but YMMV
Thanks. I was going a bit more for the “what do you need that for” aspect. Emulating an enterprise environment sounds more like tinkering or learning? I mean I get network segmenting if you want to separate for example a home office from the entertainment devices in the living room from the cheap unpatched IoT devices… And also have a separate network to experiment in the basement lab… Doing firewalling to keep the TV from transmitting behaviour tracking data to the manufacturer… Stop the kids from accessing the network share… Or you have several servers running at home with lots of containers…
But are those hypothetical use-cases? Or what do people actually use the 2 consecutive firewalls and different network segments for?
I mean I live in a country where electricity isn’t that cheap. I run one server 24/7 and that has to do everything. And since it’s just one machine I can set up a network bridge and a separate internal network for docker there. Most of the networking isn’t overly complicated and contained within that machine. But my OpenWRT also does additional wifi for the guests and a third network for experimentation.
I get doing it as a hobby. I was just wondering if there are 12 laptops at home, VLANs through the house and 3 servers with lots of storage and webservices and that’s what the OPNsense is for, or if it’s more “because I can”.
Thanks for explaining your rationale for the question. I’m in the US and whilst power isn’t the least expensive in the world, it’s not as bad, as say, Germany.
If you look at my history, in my previous post I was talking about hosting AD. Alongside that, I will also be hosting (sometime in the near future) an IOT controller, messaging, many IOT devices etc. Instead of just creating VLANs (which is certainly a valid approach), I’d like to create a separate network (and bind the VMs behind the router to only be able to pass traffic through that router with ACLs and defining it as the gateway).
I do not have a massive consumer base at home (the nod towards “12 laptops, bunch of PCs and a home datacenter” isn’t really for me), but I will have a lot of service VMs, containers etc. Some of them, I’d like for them to stay contained and not have to write additional firewall rules/ACLs on my main router - I can write those in the config of the secondary router and have a clean separation between a testing network (which is the purpose for the secondary router as a VM, for me) and my actual gateway.
Now, in terms of hardware, I’d like to run 2 different firewalls too. Partly because I’m paranoid about Intel ME - the plan was to run an OpenWRT router which would be connected to the internet, with a second router on x86 (which is why I made this post and was looking forward to this discussion) behind it, whilst intentionally double-NATting myself. I will also be setting up ACLs on the OpenWRT router/firewall to attempt to prevent Intel ME from ever accessing the internet - I believe that even if ME can utilise the same MAC of the NIC to send packets, it cannot use the same IP address. I’m also in the phase of researching other parameters on which I can filter out such traffic and only allow traffic from my trusted node (i.e. router/firewall OS) to access the internet. This argument probably won’t hold up very well against real-world scenarios and I might face hitches along the way, but I want to try it.
Also, I’ll feel safer experimenting on my “main” firewall/router (the x86 box - like I mentioned to another commenter, I might run a DIY OpenBSD router on it) if I have a firewall/NAT setup in front of it to take care of my network.
Thanks for the question, and I’m sure my words don’t make much sense (technically speaking), but this is simply what I cobbled together thinking about what I can realistically do.
Ah. Thanks for explaining :-)
Yeah, the …keeping the mess somewhere else and not doing it on the important firewall… makes sense.
I also like to keep it clean so everything is a bit more modular and better to maintain. (I made the mistake of introducing circular dependencies and overly complicated setups often enough.)
I think the double-NAT is a bad idea. Such things just cause pain and break in unexpected ways. I’d rather focus on getting the firewall right. And the NAT doesn’t add anything here. A firewall is the correct tool to filter packets between two network segments. A NAT is a crude thing that happens to drop incoming connections from the other side. But you could as well instruct your firewall to drop those packets. It’d be the same result just without the added pain.
And I have some IoT devices as well. Half of them use Zigbee, the other half is connected to my main wifi, I never got around to separating them. But they’re all running open source software and talking to my Home Assistant via MQTT or ESPHome. (I don’t own any smart dishwashers or coffee machines.)
I don’t have too much info on Intel ME. I suppose it doesn’t do stupid things, or someone would have found out already. And it’s really difficult to protect from. Especially in a setup that isn’t completely locked down. I hope they someday learn and replace that with an open solution.
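The point made above, that a stateful firewall between two segments gives the same protection double NAT would without the breakage, and the earlier plan of keeping a lab network behind a secondary router separate from the main one, can both be shown in one nftables ruleset for that inner router. This is an added example, not either commenter’s configuration; the interface names (uplink0, main0, lab0), the prefixes 192.168.20.0/24 and 192.168.30.0/24, and the assumption that the front router already performs the NAT towards the ISP and holds static routes for the two inner prefixes are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: inner router that separates a "main" and a "lab" segment with
# a stateful firewall only. There is deliberately no nat table here: the front
# router already translates to the ISP address, so this box only routes and filters.
# Assumptions: uplink0 connects to the front router, main0 is the trusted home
# segment (192.168.20.0/24), lab0 is the experimentation segment (192.168.30.0/24).

flush ruleset

define UPLINK   = "uplink0"
define MAIN     = "main0"
define LAB      = "lab0"
define MAIN_NET = 192.168.20.0/24
define LAB_NET  = 192.168.30.0/24

table inet inner {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # DNS and DHCP for both inner segments
        iifname $MAIN udp dport { 53, 67 } accept
        iifname $LAB  udp dport { 53, 67 } accept

        # management of this router only from the trusted segment
        iifname $MAIN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to connections that were allowed below come back here
        ct state established,related accept
        ct state invalid drop

        # main may reach both the lab and the internet
        iifname $MAIN ip saddr $MAIN_NET oifname $LAB    accept
        iifname $MAIN ip saddr $MAIN_NET oifname $UPLINK accept

        # lab may reach the internet but never initiates towards main;
        # count and log the attempts so lab misbehaviour is visible
        iifname $LAB ip saddr $LAB_NET oifname $UPLINK accept
        iifname $LAB oifname $MAIN counter log prefix "lab->main drop: " drop

        # anything arriving from the front router that is not a reply to an
        # inner-originated flow is dropped by the chain policy
    }
}
```

This is the "firewall instead of a second NAT" approach in practice: the front router needs a static route for 192.168.20.0/24 and 192.168.30.0/24 via the inner router’s uplink0 address, and with that in place hosts on both segments are reachable by address from the front router (no port forwarding through a second layer), while the forward chain still guarantees that the lab cannot open connections into the main segment and that nothing from upstream reaches either segment unsolicited. `nft list chain inet inner forward` shows the counter on the lab-to-main drop rule, which is a quick way to check whether something in the lab is probing the home network.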
You’re right, I should have thought a bit more before I answered. Thinking about it, double NAT doesn’t achieve anything. With that said, the main way in which this is a problem is if one were to forward ports, in which case they’d need to forward ports from both firewalls.
Yes, I will be dealing with firewalls on both appliances.
I too will be investing more into Zigbee in the future, but having a central controller with MQTT can help. I haven’t decided if I want to go completely without WiFi. There are certainly security considerations to going to Zigbee. Like you, I do not plan to utilise many proprietary IoT solutions and buy into the massive appliances being controlled with outdated software. I’ll stick to dumb appliances as much as I can.
I don’t think it’s particularly malicious either, but the problem I have is that it is essentially at ring 0. As such, my OS can’t do anything about it, which means I’m going to have to find alternatives to deal with it. I would have loved to have every device have a FOSS bootloader but I suppose that’s a long way away.
Thanks for your comment.
Zigbee
Sure. I think Zigbee/Matter are proprietary standards. And you don’t have too much control over how it is implemented in the individual devices and any possible security vulnerabilities. It is a separate network though and easy to use. I bought a small Gateway to connect it to Home Assistant after the USB stick I was initially using showed some compatibility issues.
What I really like are those cheap Chinese devices that have ESP8266 or ESP32 microcontrollers in them. I can flash Tasmota or ESPHome on them, take control and have them run free software. No manufacturer’s cloud needed and updates indefinitely.
Yeah, and we recently talked about smart/dumb appliances. In this household there are lots of older appliances anyway. And we moved a few years ago so they’re just old enough that none of them have wifi. I think that has changed since. Nowadays it’s not an extra 150€ for wifi anymore, but part of most appliances. And you get an app along with your new dishwasher by default. I like “smart” with lighting. And having the washing machine turn on 2h before I get home is a huge convenience. Apart from that, I’d like the heating unit to be smart, but it isn’t. I think we could save some energy if the gas heating stopped after everyone left. There is no steady weekly schedule I could program into the central unit, so it’s just some radiators I can turn down. Apart from that, I don’t think I have a good use-case for a smart dishwasher, fridge or a bugging device that can play music.
[Intel ME] it is essentially at ring 0
I don’t like it either. It’s just a very stupid design choice to have some uncontrollable extra chips run god knows what with highest privileges. And in the past people already discovered several security vulnerabilities. And there is no alternative to it. I think AMD does the same. And coreboot is a bit niche. I’d have to put quite some effort in and make some trade-offs. And it doesn’t have to be this way. I don’t think the embedded controller firmware is a super valuable trade-secret anyways. They probably keep it a secret and locked down for shady reasons or because they don’t want people to see the amount of vulnerabilities in it. I don’t think it would do Intel or AMD any harm to just open up that part of the system.
I don’t think Zigbee is proprietary, but I might have missed something. Like you, I also really like the ESP controllers that I can get and run my own code/mature projects on them (this is for both Zigbee and WiFi versions)
If you can replace your thermostat, that would make your heating reasonably smart. With that said, I’m now used to manually turning it down when I leave.
I’m on pfSense+, but I’ll be switching to OPNsense eventually.
No one can beat the portability and flexibility of OpenWRT.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| AP | WiFi Access Point |
| DNS | Domain Name Service/System |
| HA | Home Assistant automation software ~ High Availability |
| IP | Internet Protocol |
| IoT | Internet of Things for device controllers |
| LTS | Long Term Support software version |
| MQTT | Message Queue Telemetry Transport point-to-point networking |
| NAS | Network-Attached Storage |
| NAT | Network Address Translation |
| Unifi | Ubiquiti WiFi hardware brand |
| Zigbee | Wireless mesh network for low-power devices |
11 acronyms in this thread; the most compressed thread commented on today has 29 acronyms.
[Thread #514 for this sub, first seen 14th Feb 2024, 22:35]
OPNsense all the way. I run it in a VM. I ran pfSense for years then finally went through the pain of migrating. It was worth it for the UI improvements alone. pfSense also corrupted itself twice in about 4-5 years of running it, requiring restores from VM snapshots. OPNsense has been rock solid but it’s only been 2 years since I migrated.
I have used OpenWRT but only for a WiFi AP, not as a real router. I’ve since moved to a Unifi AP which works fine, but I won’t buy their stuff again for other reasons.
VyOS: Debian based router + firewall. Linux makes it easier for people to pick up the CLI but I’ve heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Seems to be just as stable. My mistake, FOSS version is not LTS but a rolling release and needs to be compiled.
Very misleading statement. Both rolling and LTS are FOSS, they just do not provide LTS binaries for free. Want LTS? Build it yourself; all tools and guides (a bit outdated) are out there. It will take 30 minutes of your time to set up.
My apologies, I didn’t realise the LTS version’s source was free. I’ll edit the post, thanks for pointing it out. Could you tell me more about your VyOS setup?
Sorry, what do you want to know? It’s just a Linux-based router pretending to be a Juniper FW. NAT/IPv6/PPPoE/VRFs are working as expected.
Is it your main firewall?
Do you do in-place upgrades, and do you have HA for your firewall?
No HA. Classic HA is evil; a shared control plane is a good way to lose both FWs. Need redundancy? Use 2 independent FWs + routing protocols. Losing session states during fail-over is not a big problem these days. I did in-place upgrades, but I’m running LTS and have not yet done any major version upgrades. So far no problems.
I tried OPNsense/pfSense, VyOS (the rolling one, stable is paid only), and a couple of commercial options. Surprisingly not a single free/FOSS option can do IPv6 properly (I was looking specifically for prefix delegation for downstream routers). Cashed out for a single RouterOS CHR license and never bothered since.
But otherwise I tend to like VyOS. The rolling releases as the only free option make it somewhat questionable for something more serious though.
Stable is not “pay only”. Just build it yourself, all tools are available. It will take 30 minutes of your time if you have a docker environment ready.
Oh, that’s actually a fair point! You’re correct.
DHCPv6-PD is still effectively broken, though.
Has anyone tried running these on a raspberry pi? What’s the verdict?
AFAIK options 2 and 4 only. I can’t trust a USB to Ethernet adapter for stability either.