[Semibug] DIY Hardware firewall on OpenBSD

Mike Wayne semibug15 at wayne47.com
Tue Feb 20 10:51:37 EST 2018

On Sun, Feb 18, 2018 at 08:22:13PM -0500, Mark Moellering wrote:
> If I were to build a basic firewall for a small network, to sit between the
> network and the ISP's router, any suggestions on hardware?  My plan was to
> use pf on OpenBSD

If you are willing to expend the effort, it's REALLY hard to beat the 
Ubiquiti EdgeMax EdgeRouter Lite. ~$100 gets a quiet, power efficient,
small box that will do everything you need including OpenVPN, IPSEC, 
OSPF, BGP (not full routes), Firewalling, NAT. I have a bunch deployed,
including two at home (I'm shuffling networks). 

pfSense is more GUI friendly. I'll admit that I'm a command line
guy but pfSense has won me over. It's more limited in routing but
much more convenient for firewalling.  I picked up a used WatchGuard
box (~$100) off eBay and converted it to pfSense.

I run all of these at the same time at home:

          cable     +-----ER-Lite----FreeBSD box w/ ipfw-----net 1
Net ----- router ---|
                    +-----ER-Lite----pfSense box-------------net 2

net 1 has been running for over 20 years, starting with only the
FreeBSD box and all sorts of routers in front of it. Despite having
had it for all this time, I would NOT redeploy a FreeBSD box to do
this today. I run a bunch of VPNs on the ER-Lite boxes, both OpenVPN
and IPSEC. Even with mss clamping IPSEC is annoying enough that I'm
flipping everything back to OpenVPN.

I'm REALLY happy with the net 2 setup. The ER-Lite does all the VPN
work as well as some high-level firewalling (e.g. block Asia). The
pfSense box does all the local firewalling (e.g. this block of
addresses has no Internet access), using colored comments to describe
what the various sections are used for. It delivers a NATted net
just for WiFi and serves as my local ntp and dhcp server (everything
runs dhcp, most stuff gets an IP address assigned via MAC address).

It seems overly complicated but I have found that decoupling
the Internet, including VPN, from local firewalling is a
net win. I'm now deploying a bunch of IoT stuff and it's nice
to already have the infrastructure in place to be able to
block the dirt-cheap Chinese boxes from talking to the Internet
in any way.

Note that I'm doing things like using VPN and NAT to route real IP
addresses, using NAT and VPN to route traffic for two SIP servers
in different locations, running my own mail servers on real IP
addresses over VPN and shoving most http traffic from my house through
an off-site proxy server. 

Over the years, I have had multiple Internet connections into my
house and used an ER-Lite to do load sharing as well as fail-over,
both of which "just worked".

If you want more info, talk to me tonight.
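As an added illustration (not part of Mike's post or of his actual configs), here is what the "local firewalling" tier he describes looks like in OpenBSD pf.conf syntax, since pf on OpenBSD is what the original question asked about: a default-deny ruleset with one section per purpose, a table holding the block of addresses that gets no Internet access (the IoT boxes), and a NATted WiFi net that cannot reach the wired LAN. Interface names (em0/em1/em2), address ranges and the table contents are assumptions chosen for the example.

```pf
# Added example: OpenBSD pf.conf sketch of the "local firewall" tier.
# Interface names, address ranges and table contents are assumptions.
ext_if   = "em0"                 # uplink toward the upstream router (ER-Lite in the post)
lan_if   = "em1"                 # trusted wired LAN, routed (not NATted)
wifi_if  = "em2"                 # WiFi net, NATted out the uplink
lan_net  = "192.168.10.0/24"
wifi_net = "10.10.0.0/24"

# Block of LAN addresses that must never reach the Internet (the IoT boxes).
# Keep them at fixed addresses with MAC-keyed static leases in dhcpd.conf so
# the table stays accurate. Note: pf only sees traffic these hosts send
# *through* the firewall; same-segment LAN<->IoT traffic never crosses it.
table <iot> persist { 192.168.10.200/29 }

set skip on lo
set block-policy drop

# --- Normalization and NAT
match in all scrub (no-df random-id)
match out on $ext_if from $wifi_net to any nat-to ($ext_if)

# --- Default deny, logged, so every section below is auditable
block log all
antispoof quick for { $lan_if $wifi_if }

# --- IoT section: DHCP to get an address, NTP/DNS to the firewall itself,
#     and nothing else, Internet included.
pass in quick on $lan_if inet proto udp from port bootpc to port bootps
pass in quick on $lan_if proto udp from <iot> to ($lan_if) port { ntp domain }
pass in quick on $lan_if proto tcp from <iot> to ($lan_if) port domain
block log quick on $lan_if from <iot> to any

# --- LAN section: trusted hosts may go anywhere
pass in on $lan_if from $lan_net to any

# --- WiFi section: Internet only, no path into the wired LAN
block in log quick on $wifi_if from $wifi_net to $lan_net
pass in on $wifi_if from $wifi_net to any

# --- Egress: stateful replies for everything passed in above
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -t iot -T show` to confirm the table holds the addresses you expect; the fixed MAC-to-address mappings the post relies on go in dhcpd.conf `host` stanzas with `hardware ethernet` and `fixed-address`, so a device that changes address would also have to defeat the lease assignment to escape the table.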
