
DIY Firewall

Posted on Sun 26 May 2019 in Computer & Electronics

I don't need a new firewall – the capabilities of my Fritzbox router are totally adequate for my needs. But lack of necessity has never stopped me from starting a project! So today, we are going to build our own firewall.

And that doesn't take much:

  1. A lean OS whose name ends in an "X"
  2. A small, low power-consumption computer that runs under that OS
  3. At least two ethernet ports
  4. A little patience for configuration

Give me an OS...

My first, obvious, thought was using Debian LINUX which is my go-to OS for pretty much everything. But while searching the web for DIY firewall information, I ran into pfSense and OPNsense. Both of them are based on FreeBSD – customized for firewall applications. That sparked my curiosity!

I had always wanted to play with BSD at some point, and the prospect of getting a web-based GUI for firewall administration sounded really good to me. I ended up choosing OPNsense – because it's open source and also because pfSense has recently started to require certain hardware features that I don't need for personal use (AES-NI). During my search, I quickly stumbled upon the remains of a flame war against OPNsense that was apparently launched by some pfSense fanboys, which I found rather unprofessional and off-putting.

... and a machine

When setting up DIY appliances, the obvious choice, nowadays, is a Raspberry Pi. But I considered that suboptimal, because most versions of the Pi lack gigabit LAN and I would also need to get a case and use an SD card for storage. Not ideal.

Don't get me wrong: I love the Pi and use it a lot, but rather when its advantages really matter: When I need to go really small or GPIO is required. But why use a Pi if all I really want is a low-power PC in a box?

Next, I went to eBay, Alibaba etc. to find suitable hardware. There are many great offerings with plenty of ethernet ports, metal cases (some even for 19" racks) etc. But they cost somewhere from 300 to 1200€ depending on specs. That is too much for a little hobby project. And for that money I can simply buy a small commercial firewall from Zyxel or others.

In the end, I found the perfect solution for my needs: A thin client! Those boxes are fairly small, draw little power, come with various connectors and feature a nice case. And they are very non-exotic systems: standard PC hardware with a standard BIOS etc. So installation should be a piece of cake.

After some shopping around I settled upon an HP t610-plus. Mine came with this configuration:

  • CPU: AMD T56N 1.65GHz 64bit, dual-core
  • 4GB RAM
  • 16GB flash drive
  • 1x DisplayPort
  • 2x DVI-I
  • 2x USB 3.0
  • 4x USB 2.0
  • 2x RS232
  • 1x parallel port
  • 1x gigabit-Ethernet (Broadcom)
  • 2x PS2 (keyboard, mouse)
  • 1x PCI-Express slot
  • Windows Embedded Standard 7

Nice box with more than enough oomph for a small firewall. But quoting Dave Jones: "Don't turn it on – take it apart!"

And that's what we'll do now! The case is easy to open w/o tools and this is what's inside:

Originally, it was fitted with a PCI graphics card – we don't need that so it had to go to free the PCI slot. There's plenty to see on the mainboard:

  • 2 SATA connectors, one of them holding a 16GB flash drive
  • A Mini-PCI Slot – e.g. for a WIFI card
  • An ATA connector
  • On the back there are two slots for DDR3-SODIMMs.

I like that! The little box has everything we can dream of for a little tinkering.

SSD Upgrade

16GB flash is not a whole lot, but should be sufficient for a small LINUX installation. But the OPNsense page recommends a little more for best results:

  • 1.5 GHz multi core cpu
  • 4 GB RAM
  • 120 GB SSD

CPU and RAM are fine, so I just got a 120GB SSD for close to no money. It fits well but I had no way of securely fastening it. I found all kinds of suggestions ranging from nylon thread over zip-ties to strips of cardboard or metal. The one I liked most was a 3D printed jig. But that had overhangs requiring support structures and I disliked that aspect. So I did what every self-respecting tinkerer would do: design my own:

Now we have a snug fit:

Better networking!

In a pinch you could run a firewall on just one network port, but that's less than ideal. You really want at least two ports: One facing the dangerous, dark and mean internet and a second one for your safe and cosy local network. Even better to have more than that, so you can configure separate networks for different security levels (think guest LAN, IoT VLAN, etc.).

The t610-plus has a PCIe slot, so it's easy enough to add a proper network card. I found a nice 4-port card on eBay (Intel PRO/1000VT PCIe quad port Gigabit Ethernet adapter) giving me a total of 5 ethernet ports: 1x WAN and 4x LAN. Excellent! And this is what it looks like:

The installation went smoothly and now the thin client already looks pretty crowded inside:

If you happen to have a machine w/o the PCIe slot you are not entirely out of luck. You could use a USB3 network adapter. Some devices have the slot but lack space or a suitable cut-out in the case – e.g. the t610 (w/o "plus"). In that case you need to get creative to try and fit a PCI card.

But now let's put the whole thing back together and have a look at our newborn firewall:

Looking around

Before installing the OPNsense firewall OS and software, I was dying to explore the thing a little more. So I installed Debian and took a tour of the system. Let's examine the CPU a little:

> lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                2
On-line CPU(s) list:   0,1
Thread(s) per core:    1
Core(s) per socket:    2
Socket(s):             1
NUMA node(s):          1
Vendor ID:             AuthenticAMD
CPU family:            20
Model:                 2
Model name:            AMD G-T56N Processor
Stepping:              0
CPU MHz:               825.000
CPU max MHz:           1650.0000
CPU min MHz:           825.0000
BogoMIPS:              3293.25
Virtualization:        AMD-V
L1d cache:             32K
L1i cache:             32K
L2 cache:              512K
NUMA node0 CPU(s):     0,1
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
                       cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx 
                       mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good 
                       nopl nonstop_tsc extd_apicid aperfmperf pni monitor ssse3 
                       cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm 
                       sse4a misalignsse 3dnowprefetch ibs skinit wdt hw_pstate 
                       vmmcall arat npt lbrv svm_lock nrip_save pausefilter

As advertised: a 1.65GHz dual-core CPU. That's plenty of power for our needs. AES-NI support would have been nice (the flags list above contains no aes entry), but for home use that's not important. According to the OPNsense documentation, our configuration should be good enough even for small to midsize businesses.

Next, let's see what we find on the PCI bus:

> lspci
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 14h Processor Root Complex
00:01.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Wrestler [Radeon HD 6320]
00:01.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Wrestler HDMI Audio
00:04.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 14h Processor Root Port
00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 SATA Controller [IDE mode] (rev 40)
00:12.0 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.2 USB controller: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD/ATI] SBx00 SMBus Controller (rev 42)
00:14.2 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] SBx00 Azalia (Intel HDA) (rev 40)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD/ATI] SB7x0/SB8x0/SB9x0 LPC host controller (rev 40)
00:14.4 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] SBx00 PCI to PCI Bridge (rev 40)
00:15.0 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] SB700/SB800/SB900 PCI to PCI bridge (PCIE port 0)
00:15.2 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] SB900 PCI to PCI bridge (PCIE port 2)
00:15.3 PCI bridge: Advanced Micro Devices, Inc. [AMD/ATI] SB900 PCI to PCI bridge (PCIE port 3)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 0 (rev 43)
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 6
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 5
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 12h/14h Processor Function 7
01:00.0 PCI bridge: Integrated Device Technology, Inc. [IDT] PES12N3A PCI Express Switch (rev 0e)
02:02.0 PCI bridge: Integrated Device Technology, Inc. [IDT] PES12N3A PCI Express Switch (rev 0e)
02:04.0 PCI bridge: Integrated Device Technology, Inc. [IDT] PES12N3A PCI Express Switch (rev 0e)
03:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
03:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
04:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
04:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
07:00.0 Ethernet controller: Broadcom Limited NetLink BCM57781 Gigabit Ethernet PCIe (rev 10)
08:00.0 USB controller: Texas Instruments TUSB73x0 SuperSpeed USB 3.0 xHCI Host Controller (rev 02)

As expected, there are 5 gigabit network controllers – one built-in (Broadcom) and 4 on the card we installed (Intel). There's USB 2 and USB 3, as well as SATA, VGA and an audio device. The latter is not exactly useful for a firewall, but these thin clients make great media centers, too!

Speeeeeed

I was curious how fast the CPU really is. PassMark comes up with a score of 793, which is quite decent for a small box like this.

I also ran the Sysbench CPU benchmark:

> sysbench --test=cpu  run
sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 10000

Test execution summary:
    total time:                          57.5743s
    total number of events:              10000
    total time taken by event execution: 57.5703
    per-request statistics:
         min:                                  5.74ms
         avg:                                  5.76ms
         max:                                  8.69ms
         approx.  95 percentile:               5.76ms

Threads fairness:
    events (avg/stddev):           10000.0000/0.00
    execution time (avg/stddev):   57.5703/0.00

And the memory test:

>  sysbench --test=memory  run
sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 1

Doing memory operations speed test
Memory block size: 1K

Memory transfer size: 102400M

Memory operations type: write
Memory scope type: global
Threads started!
Done.

Operations performed: 104857600 (1015721.70 ops/sec)

102400.00 MB transferred (991.92 MB/sec)


Test execution summary:
    total time:                          103.2346s
    total number of events:              104857600
    total time taken by event execution: 84.2791
    per-request statistics:
         min:                                  0.00ms
         avg:                                  0.00ms
         max:                                  0.25ms
         approx.  95 percentile:               0.00ms

Threads fairness:
    events (avg/stddev):           104857600.0000/0.00
    execution time (avg/stddev):   84.2791/0.00

Certainly not as fast as current hardware but totally adequate for what we have in mind.

OPNsense

Finally, I got an OPNsense image and put it on a usb stick:

sudo dd if=OPNsense-19.1.4-OpenSSL-vga-amd64.img of=/dev/sdc bs=4k
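A pre-flight check for that dd step, added here as an example and not part of the original post: before the image is written, make sure the target really is a removable device, is not mounted, and is large enough to hold the image. It assumes the Linux sysfs layout (/sys/block/<dev>/removable and /sys/block/<dev>/size, the latter counted in 512-byte sectors) and /proc/mounts; both paths can be overridden so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the target
# block device before an image is written to it with dd.
# Assumes Linux sysfs (/sys/block/<dev>/removable, /sys/block/<dev>/size in
# 512-byte sectors) and /proc/mounts; both locations are parameters so the
# function can be run against a constructed directory tree.

# check_target DEV IMAGE [SYSFS_BLOCK] [MOUNTS]
#   DEV is the bare device name (sdc, not /dev/sdc).
#   Returns 0 if DEV looks like a safe target, 1-4 for the failed check.
check_target() {
    dev=$1
    image=$2
    sysfs=${3:-/sys/block}
    mounts=${4:-/proc/mounts}

    # 1. the device must exist at all
    [ -d "$sysfs/$dev" ] || { echo "no such block device: $dev" >&2; return 1; }

    # 2. refuse fixed disks, so the internal SSD can never be the target
    [ "$(cat "$sysfs/$dev/removable")" = "1" ] || { echo "$dev is not removable" >&2; return 2; }

    # 3. refuse a device that has any partition mounted (sdc1 or nvme0n1p1 style)
    if grep -Eq "^/dev/${dev}(p?[0-9]+)? " "$mounts"; then
        echo "$dev has a mounted partition" >&2; return 3
    fi

    # 4. the image must fit on the device
    sectors=$(cat "$sysfs/$dev/size")
    img_bytes=$(( $(wc -c < "$image") ))
    [ "$img_bytes" -le $((sectors * 512)) ] || { echo "image does not fit on $dev" >&2; return 4; }
    return 0
}

# Typical use, guarding the dd command shown above:
# check_target sdc OPNsense-19.1.4-OpenSSL-vga-amd64.img &&
#     sudo dd if=OPNsense-19.1.4-OpenSSL-vga-amd64.img of=/dev/sdc bs=4k
```

Verifying the downloaded image against the checksum the project publishes alongside it is a separate step that this check does not cover.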

Plug it in, power on, change boot order in BIOS and we are booting into the OPNsense installer. The base installation was no more difficult than your average LINUX installation – disappointingly easy. ;-)

The actual configuration is carried out via the OPNsense web interface. I may write a separate post on this, later.

Expense

So did I save money compared to the ready-made firewall hardware? Definitely! The entire thing cost less than 100€:

  • 46,00€ HP t610-plus ThinClient (used)
  • 23,45€ Intenso SSD, 120GB
  • 28,40€ Intel PRO/1000VT quad port PCIe Gigabit Ethernet Adapter

Total: 97,85€. Not bad.

For home use, I could have kept the 16GB flash drive that was already there and skimped on the network adapter by getting one with only one or two ports which can be found for 10 or 18€, respectively.

I was curious to find out what the specs of an up-to-date Fritzbox router would be, in comparison. Their current top-of-the-line model (7590) has these specs:

  • AnyWAN GRX550 dual core CPU with 1GHz
  • 2x USB 3.0
  • 512MB RAM
  • 512MB Flash
  • 4x GBit LAN
  • 1x Gbit WAN
  • WLAN
  • DECT
  • Analog phone ports (Fon)
  • ISDN
  • VDSL

So this Fritzbox has comparatively little RAM, flash or CPU power, but comes with plenty of specialized hardware for telephone and DSL. In a professional environment, you would, most likely, use a separate DSL modem and phone system.

But as mentioned in the beginning, this little build was not out of necessity but for the fun of it. So I'll keep the Fritzbox but use it as a glorified DSL-modem and phone system, while the OPNsense box will serve as my new firewall, DHCP server etc.

Credits

I am certainly not the first person to do this. Search the web for "pfsense thinclient", "OPNsense thinclient" etc. and you'll find plenty of blog posts and videos of people doing the same before me. One site I really want to point out is the excellent page Repurposing ThinClients by David Parkinson. It's a treasure trove for thin client enthusiasts.