Introduction
Here I summarise the installation of a dedicated home firewall with 'NGFW' (Next-Generation Firewall) features and analytics, built from a combination of OPNsense, CrowdSec and Zenarmor.
History
From 2005 onwards I started using mini-PCs as network appliances, running Mikrotik's RouterOS installed onto PC Engines WRAP boards supplied by Yawarra Tiny Computers. You can read about them here: https://blog.naturalnetworks.net/2005/08/pc-engines-wrap.html.
Back then these mini-PCs consumed around 8 to 10 watts including a wireless adapter. They weren't exactly powerful, but they handled the bandwidth I was dealing with at the time (<100 Mbit/s) without issue and didn't need CPU cooling. These days a modest mini-PC consuming the same power is 10x more powerful in every regard.
Earlier I had used Sophos XG running on an Intel 5th-generation i5 NUC to gain experience with it. It ran well until the NUC died - so I managed to find a replacement NUC board that ran okay too, until it also died, oddly after the same period of time. It has been a year or so and I miss the added visibility and protection it provided - so it is time to set up a replacement.
Topology
- Draytek Vigor 167 VDSL2 configured as a bridge.
- Mikrotik RB4011 configured as a firewall router.
- Rest of the wired network connectivity provided by a Mikrotik CSS326 switch.
Hardware
Hypervisor (Proxmox)
- 4 vCPUs (1 socket, 4 cores, x86-64-v2-AES)
- 10GiB memory
- 3 Network Devices (Virtio, mapped to the three Proxmox bridges)
- 32GB Disk
echo "powersave" | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
@reboot echo "powersave" | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor >/dev/null 2>&1
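The two lines above write the governor but give no way to confirm it stuck on every core after a reboot. The script below is an added example, not part of the original post: check_governor lists the governor of each core and returns non-zero if any core is not on 'powersave' (or has no cpufreq directory at all), and set_governor re-applies it only where it differs, which is the same write the tee one-liner performs. SYSFS_ROOT is an assumed variable so the check can be pointed at a constructed directory tree; on the host leave it at its default.

```shell
#!/bin/sh
# Added example (not from the original post): verify and, if needed, re-apply
# the "powersave" cpufreq governor on every core of the Proxmox host.
# SYSFS_ROOT is an assumption that lets the functions run against a test tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/devices/system/cpu}"

# Print "cpuN=<governor>" per core. Return 1 if any core is not on the wanted
# governor, has no readable scaling_governor, or if no cores were found.
check_governor() {
    want="${1:-powersave}"
    rc=0
    found=0
    # cpu[0-9]* matches cpu0..cpuN but not the cpufreq/cpuidle directories.
    for d in "$SYSFS_ROOT"/cpu[0-9]*; do
        [ -d "$d" ] || continue
        found=1
        f="$d/cpufreq/scaling_governor"
        if [ ! -r "$f" ]; then
            echo "$(basename "$d")=missing"
            rc=1
            continue
        fi
        g=$(cat "$f")
        echo "$(basename "$d")=$g"
        [ "$g" = "$want" ] || rc=1
    done
    [ "$found" -eq 1 ] || rc=1
    return $rc
}

# Write the governor only to cores that are not already on it.
set_governor() {
    want="${1:-powersave}"
    for f in "$SYSFS_ROOT"/cpu[0-9]*/cpufreq/scaling_governor; do
        [ -w "$f" ] || continue
        [ "$(cat "$f")" = "$want" ] || echo "$want" > "$f"
    done
}
```

On the host, run check_governor as root after the cron job has fired; a non-zero exit with one core reported as performance or schedutil means the @reboot entry ran before that core's cpufreq directory appeared, and set_governor corrects it.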
wget https://raw.githubusercontent.com/Meliox/PVE-mods/main/pve-mod-gui-sensors.sh
bash pve-mod-gui-sensors.sh install
OPNsense Installation
Transparent Firewall (Bridge)
General
- Set up configuration backups - 3 revisions
- Configure DNS - I use a Pi-hole running as a container on the NAS
- Update to the latest firmware version
- Logging - set up remote logging to the NAS
- Enable RAM drives for /var and /tmp - use 10% of memory each.
NetFlow/Insight
- Add the WAN and LAN interfaces as NetFlow listening interfaces.
- Set the WAN interface as the... WAN interface
- Tick the 'Capture Local' box to begin to inform the local Insights
Zenarmor
CrowdSec
- Firehol cybercrime tracker list
- Firehol greensnow.co list
- Free proxies list
Intrusion Detection
QEMU Plugin
- Install the QEMU Guest Agent plugin and set the 'virtio_console_load' tunable to 'yes'
- In Proxmox, enable the QEMU Guest Agent within the OPNsense VM's options and reboot
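Pulling together the VM specification listed under Hypervisor (Proxmox) and the guest-agent step just above, here is an added example script (not from the original post) that composes the qm commands for that VM on the Proxmox host: 1 socket x 4 cores of x86-64-v2-AES, 10 GiB of memory, three virtio NICs each mapped to a bridge, a 32 GB disk, and the agent enabled in the VM's options. The VMID 100, the bridge names vmbr0/vmbr1/vmbr2, the local-lvm disk storage and the installer ISO path are assumptions; adjust them for your host. With DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): build the qm commands for the
# OPNsense VM described on this page and for enabling the QEMU guest agent.
# Assumed values: VMID 100, bridges vmbr0 vmbr1 vmbr2 (WAN, LAN, third bridge),
# disk storage local-lvm, and a placeholder installer ISO path.
VMID="${VMID:-100}"
VMNAME="${VMNAME:-opnsense}"
BRIDGES="${BRIDGES:-vmbr0 vmbr1 vmbr2}"
DISK_STORE="${DISK_STORE:-local-lvm}"
ISO="${ISO:-local:iso/OPNSENSE_INSTALLER_PLACEHOLDER.iso}"   # placeholder
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 on the host to actually run the commands

# One --net<N> option per bridge, virtio NICs in bridge order (net0 = first).
net_opts() {
    i=0
    for b in $BRIDGES; do
        printf ' --net%d virtio,bridge=%s' "$i" "$b"
        i=$((i + 1))
    done
}

# The create command: 4 vCPUs (1 socket, 4 cores), 10 GiB = 10240 MiB memory,
# 32 GB scsi0 disk on DISK_STORE, installer ISO attached as the CD-ROM.
create_cmd() {
    printf 'qm create %s --name %s --ostype other --sockets 1 --cores 4 --cpu x86-64-v2-AES --memory 10240 --scsihw virtio-scsi-pci --scsi0 %s:32%s --cdrom %s --onboot 1\n' \
        "$VMID" "$VMNAME" "$DISK_STORE" "$(net_opts)" "$ISO"
}

# Same effect as ticking the QEMU Guest Agent option in the VM's Options tab;
# the guest still needs the os-qemu-guest-agent plugin and a reboot.
agent_cmd() {
    printf 'qm set %s --agent enabled=1\n' "$VMID"
}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$1"
    else
        sh -c "$1"
    fi
}

main() {
    run "$(create_cmd)"
    run "$(agent_cmd)"
}

main
```

Run it once with the default DRY_RUN=1 to review the two commands, then with DRY_RUN=0 as root on the host; the guest-side plugin install and tunable from the QEMU Plugin section still have to be done inside OPNsense before the agent reports into Proxmox.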