There are a variety of successful open-source firewalls, like pfSense software, OPNSense, IPFire, etc. They are quite stable firewall solutions and have a handful of features, commercial-grade performance, timely updates, and great community support.
It is achievable to build the best next-generation firewall (NGFW) for home use combining an open-source firewall, a fanless mini PC, and a packet inspection module.
In this tutorial, we'll describe how to create a next-generation firewall (NGFW) to protect a home network with a few hundred dollars.
What are the System Requirements for Installing the Next-Generation Firewall?
Thanks to the open-source community that it provides very effective security solutions against cyber threats free of charge. Therefore, a cost-effective next-generation firewall solution that requires only a small hardware purchase can be deployed.
The beauty of cooking your own firewall is that you are not limited to some specific black box that you cannot touch, configure, modify or upgrade easily. You're not doomed to buying new hardware whenever your business gets a few more employees or you upgrade your Internet from 50 Mbps to 100 Mbps.
You can install the whole software virtually to any x86 based PC, mini-PC, or even to any virtualization platform on which a standard FreeBSD/Linux Operating system can natively run on, like KVM, VirtualBox, VMware, Proxmox, etc.
Next-generation firewalls for home use can be installed onto retired PCs, workstations, or servers. The only thing that needs to be kept in mind is that at least 8 GB of memory is required to be able to generate faster reports.
If you want really small hardware which is really silent and has the look and feel of a commercial UTM device, you can try Qotom fan-less mini PCs. You can purchase one from their Amazon Store or from Alibaba. Some models even come pre-installed with pfSense/OPNSense. They even have i7 CPU models which have 8 Gig memory pre-installed. We have one in our office (Figure 1) running the latest version of OPNSense and the latest Zenarmor Packet Engine.
Figure 1. Qotom fan-less mini PC running the latest version of OPNSense and latest Zenarmor Packet Engine
To protect the home networks from cyber attacks and provide the kids a safe web surfing by installing a next-generation firewall the following system requirements must be met.
1. Open-source firewall software
One of the following operating systems that have firewall and router capabilities may be used for the next-generation firewall in a home. However, we strongly recommend installing OPNsense which has a robust and powerful next-generation firewall software plugin known as Zenarmor (Sensei). Zenarmor supports all platforms listed below, but it has been especially known as one of the best OPNsense plugins and has been thoroughly tested by the OPNsense community in a variety of circ*mstances since 2017.
OPNsense (OPNsense 23.x - 24.x)
pfSense Software (pfSense® CE software 2.5.x - 2.6.x)
FreeBSD®
Ubuntu Linux
CentOS Linux
Debian Linux
AlmaLinux
2. Next-generation firewall software module
Although open-source firewalls are all great software and they are great alternatives to commercial firewall counterparts, they lack the following features which are essential for Next-Generation Firewalls Category:
Application Control
Web 2.0 Controls
TLS Inspection (Port-agnostic)
Extensive Reporting
Active Directory Integration
Fortunately, an add-on software package developed by Sunny Valley Cybersecurity Inc. is available for these open-source firewalls complementing the missing functionality. Zenarmor Free Edition is made available at no cost to OPNsense users, while the Premium Subscription, which offers more advanced features is available for purchase through the Zenconsole Cloud Management Portal.
The technology behind Zenarmor is a very powerful packet analysis engine that can also provide protection against encrypted cyber-attacks that are gaining momentum. Zenarmor technology enables cyber security tools with utmost visibility, packet classification, and fine-grained policy enforcement for any type of traffic. More packet intelligence means better decision-making. Better decision-making means better success rates in detecting & preventing cyber-attacks. Zenarmor provides rich packet intelligence so that the industry can enjoy great cyber security tools.
Some of the key features that are made available to the open-source firewalls include:
Application Visibility & Control
Drill-down Network Visibility
User based filtering & reports
Web Security & Cloud App Controls
Encrypted Attacks Protection
You may find more information about how Zenarmor works on official documentation.
The Zenarmor plugin is available as an installer file and it can be installed easily by downloading and running the installer script. You may find more information about the installation of this next-generation firewall software package on different FreeBSD-based or Linux platforms mentioned above on the official Zenarmor documentation site.
When the Zenarmor is installed on the OPNsense firewall, the add-on module integrates its web management software into the existing firewall Web UI, so both Zenarmor and OPNsense firewall can be managed from a single web interface.
Managing and configuring the Zenarmor software may also be accomplished using the Zenarmor centralized cloud management portal freely all over the world. If you prefer using other open-source firewalls rather than the OPNSense, you must use this management portal which has a very intuitive interface to configure the Zenarmor as a next-generation home firewall.
3. RAM
At least 2 GB of memory is required for Zenarmor. The installer will not proceed if the total RAM is less than 2 GB. Also, it is recommended to run Zenarmor with 4 GB memory for an improved experience. Beware that since the analytics module depends on Elasticsearch to process large amounts of data, the amount of system memory available is extremely crucial for the overall performance of Zenarmor.
4. CPU
At least a dual-core (preferable 4 core if you host a database on the firewall) CPU system is recommended. A single-core CPU score is more important than having a large number of CPU cores; for this reason, a Quad Core i7 PC system is more likely to outperform a 12-core Intel Xeon server system.
5. Disc Properties
To store large data sets, Zenarmor employs MongoDB or Elasticsearch, or SQLite as its backend. To calculate the required total disc size in your environment, you should allow at least 5 MB of disk space per hour of throughput in megabits per second.
If you're running a 100 Mbps link (about 100 users) which is quite active during the daytime and idle the rest of the day, you can calculate the space needed as follows:
5 MB x 12 hours x 100 Mbps = 6 GB per day.
6 GB x 7 days a week = 42 GB per week.
42 x 4 weeks a month = 164 GB per month.
The following are the recommended minimum hardware requirements to install a next-generation firewall for home use based on the number of devices and the amount of sustained bandwidth.
| Active Devices | Maximum WAN Bandwidth | Minimum Memory | Minimum CPU |
|---|---|---|---|
| 0 - 25 | 200 Mbps | 4 GB | A Dual-Core CPU (x86_64 compatible, single core PassMark score of 200) Note: Deciso A10s and AMD G-SERIES SOC GX Series, Protectli/Qotom Celeron J Series are compatible |
| 25-100 | 500 Mbps 10 Kpps | 4 GB | Intel Dual-Core i3 2.0 GHz (2 Cores, 4 Threads) or equivalent |
| 100-250 | 1 Gbps 20 Kpps | 8 GB | Intel Dual-Core i5 2.2 GHz (2 Cores, 4 Threads) or equivalent |
| 250-1000 | 1-2 Gbps 40 Kpps | 16 GB | Intel Dual-Core i5 3.20 GHz (2 Cores, 4 Threads) or equivalent |
| 1000-2000 | 1-2 Gbps | 32 GB | Intel Quad-Core i7 3.40 GHz (4 Cores, 8 Threads) or equivalent |
| 2000+ | 1-2 Gbps | 64GB | Intel Quad-Core i7 3.40 GHz (4 Cores, 8 Threads) or equivalent |
Table 1. Minimum hardware requirements for next-generation home firewall
You may find more information about the hardware requirements of the next-generation firewall on official documentation of Zenarmor.
Which Firewall Is Better?
There are numerous open-source firewalls available that can be used on a home or a small business network without any hesitation. Open-source operating systems like Linux, FreeBSD, and OpenBSD include a wide range of networking and security features. As a consequence, they are natural platforms for the development of security products, and the vast majority of commercial firewalls are built on one of them.
The main benefits of open source firewalls are as follows:
Consistency: Proprietary code relies on a single author or company to keep it up to date, patched, and functional. Because active open source communities constantly update open source code, it outlives its original authors. Peer review and open standards guarantee that open source code is thoroughly and frequently tested.
Flexibility: Because of its emphasis on modification, open-source code can be used to address problems specific to your company or community. You are not required to use the code in any particular way.
Lower cost: Because open source licensing provides code for free, the only thing you pay for when using an open-source firewall is support, security hardening, and assistance with interoperability management.
No vendor reliance: You can take your open source code with you wherever you go and use it whenever you want.
Open collaboration: Because open source communities are active and helpful, you can find help, resources, and perspectives that go beyond a single interest group or company.
Review: Developers actively check and improve on open source code because the source code is freely available and the open-source community is very active. Consider it living code as opposed to closed code that stagnates.
Transparency: Rather than relying on vendor promises, you can check and track changes in open source code yourself.
There is no doubt that an open-source firewall can safeguard one of your most valuable assets and provide a safe web surfing experience for your lovely kids at your home.
If you have never used an open source firewall before, you should choose some of the available options and give them a try by installing them. You will undoubtedly find the best open source firewall solution for your needs.
Which Firewall Should Be Downloaded?
There are numerous open-source firewall software options available, depending on your level of expertise, the size of the network to be protected, ease of use, and even whether the firewall has a graphical interface.
The following open-source firewalls may be installed as a next-generation firewall at home. All of these firewalls are simple to download and install on any hardware, virtual platform, or cloud. Furthermore, if you like their functions or support and do not want to build your own device, many sell them with pre-configured appliances. But in this article, we will focus on the OPNsense which has a next-generation firewall plugin called os-sensei (Zenarmor).
OPNsense (OPNsense 23.x - 24.x)
pfSense Software (pfSense®software CE 2.5.x - 2.6.x)
FreeBSD (FreeBSD 11,12,13)
Ubuntu Linux (Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS)
CentOS Linux (Centos 7, 8)
Debian Linux (Debian 10)
AlmaLinux (AlmaLinux 1)
How to Download OPNSense?
You may download the OPNsense installation file from the official OPNsense download page. You may select system architecture according to your system's CPU architecture, and also specify image type and mirror location as well.
Figure 1. Downloading OPNsense DVD ISO file
Depending on your hardware and use case different installation files are provided to download and install OPNsense:
dvd: ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.
vga: USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.
serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.
nano: a preinstalled serial image for USB sticks, SD or CF cards as MBR boot. These images are 3G in size and automatically adapt to the installed media size after first boot.
Sample file listing
OPNsense-21.7.1-OpenSSL-cdrom-amd64.iso.bz2
OPNsense-21.7.1-OpenSSL-nano-amd64.img.bz2
OPNsense-21.7.1-OpenSSL-serial-amd64.img.bz2
OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2
The easiest method of OPNsense installation is using the USB-memstick installer. If your target platform has a serial interface choose the serial image to download. If not, select vga for the image type. Choose any mirror for your liking.
How to Install OPNSense?
You may follow the instructions given below to install the OPNsense.
1. Writing OPNsense image to Installation Media
You may write the image to a USB flash drive (>= 1GB), either with dd under FreeBSD or under Windows with physdiskwrite (or Rufus).
Before writing an (iso) image you need to unpack it first (use bunzip2)
Writing OPNsense image on Windows
physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].[img|iso].img
A simple alternative for writing images under windows is Rufus a tool to create bootable USB sticks with a nice GUI.
Writing OPNsense image on Linux
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16k
Where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) (ignore the warning about trailing garbage, it's because of the digital signature)
Writing OPNsense image on Mac OS X
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rdiskX bs=64k
Where r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage, it's because of the digital signature)
Writing OPNsense image on FreeBSD
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/daX bs=16k
Where X = the device number of your USB flash drive (check dmesg)
Writing OPNsense image on OpenBSD
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rsd6c bs=16k
The device must be the ENTIRE device (in Windows/DOS language: the C partition), and a raw I/O device (the r in front of the device sd6), not a block mode device.
2. Installing OPNsense from USB to Target Device
After configuring your system to boot from a USB device, place the USB stick into the one of USB slots and boot your system. The default behavior is to start the Live environment. Therefore, to start the installation login with user installer and password opnsense.
info
Default OPNsense Installation Username: installer
Default OPNsense Password: opnsense
3. Configure console
The default configuration should be fine for most occasions. You may continue with default settings.
4. Select task
Select the Quick/Easy Install option. It should be fine for most occasions. For installations on embedded systems or systems with minimal disk space you may choose Custom Installation and do not create a swap slice. You may continue with default settings.
5. Are you SURE?
When proceeding OPNsense will be installed on the first hard disk in the system.
6. Reboot
The system is now installed and needs to be rebooted to continue with the configuration.
WARNING
You will lose all files on the installation disk. If another disk is to be used then choose a Custom installation instead of the Quick/Easy Install.
You may also learn how to install OPNsense on Proxmox Virtual Environment by reading the OPNsense Installation Tutorial written by Zenarmor Team. Since OPNsense installation on different platforms have almost the same procedures, this article may be helpful for USB installation also
What should be done after the Installation is Completed?
After installing the OPNsense the following initial configuration steps should be completed.
Network device assignments
IP address settings
Updating OPNsense Firewall
Accessing the OPNsense GUI
Initial configuration of OPNsense Firewall
You may find more information about the initial configuration steps on OPNsense Installation Tutorial written by Zenarmor.
The most important section of the building next-generation firewall at home is installing the Zenarmor which enables OPNsense nodes to inspect the network traffic. Zenarmor is one of the best OPNsense plugins because it adds next-generation firewall features to the OPNsense firewall, such as Application Control, Content Filtering, and All-ports TLS Inspection.
Installing Zenarmor
Zenarmor installation process is quite straightforward and easy. You may install Zenarmor via OPNsense web UI. Basically, you don't have to use ssh to connect and install Zenarmor on OPNsense.
If you prefer to use one of the other open-source firewalls mentioned above rather than OPNsense, you may learn how to install Zenarmor on official documentation. It can also be installed easily by running only one command on CLI.
You can install with the following instructions:
Go to your OPNsense web UI and log in to it as a root user. And after that, you can follow this path. On the left pane of the page, you can click System > Firmware > Plugins.
After the opening of the Plugins page, you can view the installed and not installed plugins. You can search with Ctrl + F key combination with the
os-sunnyvalleykeyword then press the enter button to find out the Zenarmor plugin components.
Figure 2. Installing
os-sunnyvalleyon OPNsense firewallAfter that you should click the plus + button next to the
os-sunnyvalley-Sunny Valley Networks vendor repository-, then you will redirect to the Update menu tab.After the installation, you can see the
os-sunnyvalleyplugin as installed in the Plugin menu bar. If you cannot see the Zenarmor plugin, please refresh your web UI with the F5 button.Figure 3. Verifying
os-sunnyvalleyplugin as installation on OPNsenseYou also should install
os-sensei- Next generation firewall extensions for OPNsense-. You can find out with the Ctrl + F button combination, and you can click the plus + button to install it.Figure 4. Installing
os-senseiplugin on OPNsenseAfter installing Zenarmor, you should see the Zenarmor menu in the left sidebar of the OPNsense web interface. If you couldn't see the Zenarmor menu you may refresh the web UI with the F5 button to verify the installation.
Figure 5. Verifying Zenarmor menu on OPNsense Web UI
After verifying the installation, You will need to complete the Initial Configuration Wizard for Zenarmor to be fully operational. For more information about the initial configuration of Zenarmor on OPNsense, please refer to the official documentation.
Although the preferred method of Zenarmor installation is the web interface (see instructions here), you can also install the plugin using the command line interface via SSH or direct system access. For more information, please refer to Installing Zenarmor on OPNsense via Command Line.
Why Zenarmor Prefers OPNsense?
Zenarmor uses a FreeBSD subsystem called netmap to access raw Ethernet frames. Netmap is a DPDK-like kernel interface that Zenarmor employs to connect your Ethernet Adapter to the Linux/BSD Networking Stack. This enables Zenarmor to inspect packets and take action before they arrive at their destinations.
Netmap offers highly fast and efficient packet I/O in kernel, userspace, and virtual machine platforms. It can handle tens of millions of packets per second, outperforming 10G and 40G ports even with small frames.
Netmap is compatible with FreeBSD, Linux, and some versions of Windows. For FreeBSD and Linux, it is implemented as a single kernel module.
Netmap is already included and enabled by default in recent FreeBSD (>= 10.x), OPNsense(r) and pfSense®software software releases. However, if you want to run Zenarmor in Routed Mode (L3 Mode, Reporting and Blocking available) on supported Linux Distributions (Ubuntu 18.04 LTS & 20.04 LTS, Centos 7, & 8, Debian 10 and AlmaLinux 1) you must install Netmap by yourself. It may be difficult to install netmap on Linux operating systems. If you need information about how to install netmap kernel modules on Linux(Ubuntu 20.04), Netmap Installation in Linux article written by Zenarmor Team may be helpful.
To use all of the Zenarmor's filtering features, you must have the netmap framework installed on your system. Zenarmor Team recommends running your next generation firewall on a FreeBSD-based system because netmap is natively supported by FreeBSD-based systems such as OPNsense and pfSense®software and runs without any unexpected countermeasures on these systems. If you prefer to use a Linux-based firewall such as Ubuntu or Centos, make sure to install netmap kernel modules and be aware that netmap incompatibility issues may arise.
Murat Balaban, founder and CEO of Zenarmor, explains why they suggest the OPNsense firewall:
"The reason we're going to market with OPNsense is that it already offers most of the features available in the top commercial firewalls. Based on a security-centric BSD distribution, HardenedBSD, they have a security-first mindset. The product is very flexible, extendable, and contrary to the general belief about open source products, proves to be very reliable and stable. Trying to build a complete firewall product would be a total waste of resources for us. So instead of creating a full-fledged firewall product, we chose to integrate our technology into one of the top open source network security platforms in the world."
What are the Features that Distinguish OPNSense from Other Security Systems?
OPNsense is an open source firewall distribution based on FreeBSD. OPNsense which is a fork of Pfsense was released in 2015. There are also DHCP servers, DNS servers, VPNs, and other services available in addition to the Firewall. Any person who has little experience in IT may use the OPNsense firewall with Zenarmor plugin, which provides application control and web filtering features, to protect their home networks from cyberattacks easily. It can be installed on both a physical and virtual server.
You will receive the following OPNsense advantages by installing the OPNsense firewall to protect your home network.
OPNsense has a myriad of benefits over competitors, including forward caching proxy, traffic shaping, intrusion detection, and a simple OpenVPN client setup.
Because of the emphasis on security in OPNsense, unique features such as the ability to use LibreSSL instead of OpenSSL (selectable in the GUI) and a custom version based on HardenedBSD are available.
OPNsense's dependable update mechanism allows it to deliver critical security updates on time.
OPNsense has an extensive list of plugins, which is beneficial for multiple users who use different applications.
OPNsense has a friendly and helpful community. One appealing aspect of the OPNSense community is that it has produced a large number of community plugins in a relatively short period of time. OPNsense has more than 70 different community-contributed plugins at the time of writing.
It has intuitive and simple to use without assistance Web UI, particularly for those who are just learning how to use a firewall. Another user-friendly feature of OPNsense is that it provides a search bar to find a menu element that you don't know where it is. It is obvious that OPNSense shines in terms of user interface and usability.
What is the Next-Generation Firewall?
A next-generation firewall(NGFW) is a network security solution with capabilities that go beyond those of a traditional, stateful firewall. A traditional firewall typically allows stateful inspection of incoming and outgoing network packets. It permits or denies network traffic based on source/destination IP, port, and protocol. Also, it filters traffic according to predefined policy rules and provides a virtual private network.
On the other hand, a next-generation firewall includes features such as deep packet inspection, application control, web content filtering, intrusion prevention and cloud-delivered threat intelligence. So, NGFWs may prevent the latest cyber threats such as application layer/L7 attacks and malware.
Next-generation firewalls (NGFWs) have a high level of control and visibility over the applications that they can identify through analysis and signature matching. They may use whitelists or a signature-based intrusion prevention system to differentiate between safe and malicious applications, which are recognized using SSL decryption. NGFWs also have a path for receiving future updates, unlike many traditional firewalls.
A powerful next-generation firewall has the following capabilities listed below:
It provides a fast cyber threat detection capability. It may define attacks in seconds and detect data breaches within minutes.
It should have a variety of deployment options as well as flexible management. It should be deployed on cloud or on-premise, on virtual environments, or on bare metal. It should also allow a wide range of throughput speeds.
It should provide comprehensive network visibility by reporting active applications and websites, where and when a threat originated, threat activity across users, devices, and networks.
A powerful next-generation firewall should also have advanced detection capabilities to identify advanced malware quickly.
It should prevent cyber threats before they get inside, be equipped with the most recent intelligence to stop new threats, have web filtering capabilities to enforce policies on hundreds of millions of URLs.
