I started searching for an edge device solution for my home I could put on x86 hardware after my Linksys E2000 started giving me problems. Initially, I was going with pfSense and set a machine up for that purpose but I came upon 7 32bit Dell Optiplex GX620 machine so I looked for a suitable solution. I wanted to make one of these an edge device. After all, they have more horsepower than any consumer based MIPS or ARM Router / Firewalls. After some searching, testing, more searching and testing, my solution is IPFire. IPFire, in short, could be considered the Linux version of the FreeBSD based pfSense. An Open Source firewall based on Linux that is easy to use, high performant and extensible which makes it usable to a large audience.
The documentation on this project needs some help, it took me some trial and error along with muddling my way through areas I didn’t fully understand to get it set up exactly as I want. Also note, immediately before starting this IPFire project, I set up a pfSense box so my expectations were now set. This is not a comparison to pfSense; that is another project of which is in progress.
This will hopefully help bridge some of the knowledge gaps you may have should you decide to try IPFire and an example of what works for me.
To begin the process, I downloaded the IPfire from here:
Should you be viewing this at a much later date, as in after a new version release click here and select Download from the menu.
I chose the flash image, I could have used the ISO, if I would have removed the drive and written the image directly to that drive. I think I may end up using this method for a future project. More on that later.
To match my hardware situation, I downloaded the 32 bit version of the Flash Image
Once downloaded I verified the image checksum
Which gave me the output
Next I extracted the archive.
tar -xf ipfire-2.21.2gb-ext4.i586-full-core126.img.xz
In order to write the image to the flash drive, I had to check to see what drive I used the dd command as I would have done with pfSense. The instructions for installation where a little light and perhaps I need to help out with it.
In order to flash it to the drive, I first checked to ensure that I wrote it to the correct drive, I plugged in the drive and ran in terminal.
In the last few lines, I was able to identify the drive.
Once extracted, I installed it, using
sudo dd if=ipfire-2.21.2gb-ext4.i586-full-core126.img of=/dev/sdd bs=16k
In only a few moments, the drive was ready for me to begin the installation.
Using 32bit Dell Optiplex GX620, I added an additional Ethernet Card. All I had on hand was a 100 Mbps device. The built in Ethernet Interface is a 1 Gbps so I decided to make that my internal side and the 100 Mbps NIC the external facing side as my max speed is around 60 Mbps.
My modem did make it known that it was not connected to a Gigabit device but until my speeds increase beyond 100 Mbps, I have no intention on changing it out.
The other work this computer needed was a new clock battery a CR2032 lithium button cell. I learned that the Dell Optiplex GX620 will not even boot with a dead clock battery
I had to make a few changes in the BIOS. One is to boot on AC restore so that should I lose power, it would boot as soon as power is restored.
The installation is fairly straight forward, so long as you have a basic understanding of what you want from your Local Area Network. Once your hardware is set, basically any computer with two NICs. The installation can commence.
Just a note, there is a mixture of camera photos of actual installation and VM installation. I should probably invest in a capture card at some point.
The first step is to install the Firewall Solution. You start with your language selection than to start installation.
You have one option on each of the next two screens, to agree to the license agreement and to delete all the data. Pictured below is the “VBOX” hard disk but I had a similar situation with the actual hardware.
In this process, you really only have one decision to make, to choose your file system. I chose ext4, because I know it is well tested and since it was first on the list, I wanted to start there.
After the system is installed you need to reboot to begin the configuration process.
This is a very minimal Linux distribution… is it s a distribution? I don’t know if you call it that but it is a desktop-less interface so there is not much to install.
After the installation you have to complete the basic configuration. What took me a bit to understand was some of the IPFire-isms. For my two NIC setup, there is the Red and Green networks. More on that in a bit.
To start off, set your keyboard and Timezone.
Then your machine Hostname and Domain name.
You will have to set your root and admin passwords. From my experience in using it, the root user is for anything you do in the terminal and the admin is for the web interface. I am not able to ssh using the admin, nor am I able to log into the web interface with root.
The Network configuration menu portion of the install was a bit confusing for me at first. Here is where you must understand what the Red and Green networks do. If I had more than 2 NICs I would have played with the other settings.
The next section is the Drivers and card assignments. It is here that you will decide what NIC is Green and Red.
First I set the Green Network hardware. In my case, I wanted to use the Gigabit NIC on my internal network with my slower 100 Megabit NIC facing the modem to the Internet. This card is not going to be my bottle neck, my provider is still the bottle neck.
The Address settings will define the properties of your NICs.
I started with the Green interface, my internal network. I set the IP address and Network mask here.
The final bit to the Address settings is the Red interface, facing the Internet. My provider requires I set up my device to receive a DHCP address.
The last step is the DNS and Gateway settings. The only setting I filled in was the Primary DNS. Which, to my understanding, needs to be set for local hostname resolution. My primary DNS server is also the address of the IPFire device.
The last step is to Configure the DHCP server. In my case, I set the DHCP range from 192.168.10.100 to 192.168.10.200. My domain name, which was given earlier, was set already filled in.
That is it. Once rebooted, I could now further refine the configuration through the web interface.
First Run and Testing
The Web interface is quite straight forward. It will take some time of clicking around to become acquainted with all the options and once you think you have figured it out, you will find that you forgot where you just found the options you wanted. Not due to any lack of organization but rather due to the great number of options.
There are many, many, many features to highlight with IPFire. I will just show the bits that I find interesting. Even though I have 17 devices connected in my network with quite a few intrusion detection rules. The 16 year old 32 bit CPU doesn’t seem to be under any kind of stress.
It is also worth noting that
Local Name Resolution
My most important feature of a Firewall, Router, etc system is that I have local name resolution. I spend a lot of time in the terminal and I also use Secure Shell for file transferring so it is important that I can address my computers by hostname and not have to figure out what the IP address is. Here is how you do it.
Under DHCP Configuration, ensure that the Primary DNS is set to the the the IPFire device… which is also your DHCP Server as well. It must also be noted that it did take a little while for IPFire to build the IP Tables for me to address the computers by hostname.
DHCP Forwarding from the Access Point
I had no intention of discarding the Linksys E2000 that had been faithfully running my home network. I have chosen to keep it on the wireless as an Access Point.
This was done by setting the Access Point IP, Netmask and the DCHP Type is DHCP Forwarder to the address of the IPFire machine.
That was literally all I had to do and my network was functioning the same as before but more efficiently. Interestingly, if I plug into the AP Ethernet Ports, it acts as a switch or wired access point. Very handy.
Intrusion Detection System
The features that I wasn’t looking for that made me pretty excited was this system of rules you can activate to harden your firewall.
For more inormation about it, you can navigate here and read away.
There are some options as to which rule sets you choose. You can go with community rules or registered rules. I chose the EmergingThreats.net Community Rules. I don’t know yet if they are working as expected but I’m sure I’ll find out soon enough.
Though I don’t have any performance issues with this aged 32 bit hardware, my only issue is the age of the SATA drive sitting in its bowels. It has passed the SMART test but I want to replace it with an SSD before it fails. It will also be interesting to see if I can properly backup all my settings and restore the configurations to the new drive when I make the upgrade.
For now, I am satisfied with my network as it is but I am also considering getting another NIC upon which to put all of my IoT devices. I generally distrust IoT and segregation is good for these useful yet potentially troublesome machines.
Looking back, I started to have problems with my Linksys E2000 in early fall of 2018. I wasn’t sure of the trigger but the router eventually required an intervention shortly before Thanksgiving. Things seemed fine for a while until I added my Kitchen Command Center in December. I would periodically have buffering and network slow downs. I was especially noticeable when I had guests. Running CAT5 to several machines did help somewhat but it pretty obvious the router was operating at levels slightly beyond it’s capability. The router’s average load was high, and that poor little device was doing just a bit too much. Firewall, router, DHCP Server, DNS Server and wireless access point was just a bit too much for that MIPS16 powered device. I didn’t eliminate this router, I reduced its responsibilities to just being an Access Point and now my home network functions fantastically well.
This was a very satisfying project worth every penny I spent on it… which was about 1 gallon of diesel to pick up the hardware. I am not a network guy but I can muddle my way through. If I have made any obviously egregious errors, feel free to let me know by commenting or sending me an email so that I can learn a little and not steer anyone else wrong.