Comparison of Firewalls for Home

I’m curious about firewalls. I have a Protectli FW4B along with a backup edge router ER-X and decided to do some testing. There are a handful of different ideas I wanted to explore.

The first had to do with the value of next-generation firewall capabilities like threat protection. Practically, it doesn’t matter that much for me since it’s just my wife and me, but I was curious whether it would be valuable to deploy for my mom and how difficult those capabilities would be to make useful.

I’m also interested in separating my crappy Internet of Things devices from various no-name manufacturers onto their own network for privacy and security reasons. I already have some of the network hardware, but I need a router that supports VLANs (they all do) and mDNS repeater software so devices on my secure LAN (like my HomePod and my phone) can find them.

I currently have 100 Mb symmetrical service at home. Due to the nature of my work, I’m often uploading large files to and from our corporate Artifactory. Because I often saturate the network connection, I need to use something like fq_codel to help keep my video and audio conference quality high even while moving large files around.

I also wanted to choose a system that could potentially scale to gigabit fiber. We are working on a project at work that might make it a lot more valuable for me to have that kind of connection when remote. That said, it’s not even clear my work VPN concentrator can handle that throughput.

Finally, I use CenturyLink, which does not have native dual-stack IPv6. I’m curious about using 6RD to enable that, but all my experiments with pfSense ended badly (very degraded download performance). Not sure if that’s a me thing or a them thing 😊.

Here’s the big table of all these capabilities:

| Firewall   | fq_codel | 6rd | Easy Threat Intelligence        | mDNS repeater | Base OS        |
|------------|----------|-----|---------------------------------|---------------|----------------|
| pfSense    | yes      | yes | no                              | yes           | FreeBSD        |
| OPNSense   | yes      | yes | sort of (Sensei subscription)   | yes           | HardenedBSD    |
| Untangle   | yes      | no  | yes                             | no            | Linux (Debian) |
| IPFire     | yes      | no  | no                              | yes           | Linux          |
| Sophos UTM | yes      | no  | yes                             | no            | Linux          |
| Sophos XG  | no       | yes | yes                             | no            | Linux          |
| VyOS       | yes      | yes | no                              | yes           | Linux (Debian) |

BSD vs Linux

I have an underpowered device for gigabit on BSD. The Protectli FW4B has a Celeron J3160 processor. While this does have AES-NI, it doesn’t support PCI passthrough when running under virtualization. I learned very quickly that pfSense running under virtualization on it couldn’t sustain 100 Mb/s uploads.

Due to limitations in the architecture of BSD, PPPoE is single threaded (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203856). This limits the maximum upload and download speeds to the speed of a single core. A low-powered Celeron or ARM core will not do gigabit.

While there are some techniques you can apply, such as deferring interrupt handling to other threads, those also cause extra work and don’t always help as much as you want. This author has a great write-up of both the performance analysis and the tuning you can do to improve BSD-based routers: https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/. I was hoping the new SG-2100 might be an option, but it also doesn’t have enough single-core performance, as it has the same processor as the SG-3100 with more RAM (https://www.reddit.com/r/PFSENSE/comments/7g8n5a/gigabit_pppoe_on_sg3100/).

This matters to me because I do a lot of uploading of large single files with a single connection over PPPoE.

The Linux-based routers do not have this problem. They introduce multithreading at a lower layer, so all cores can participate in PPPoE handling. It’s still possible to saturate the system: if it takes almost 2 cores just to deal with PPPoE, that might not leave a lot of headroom depending on what else you are running.

That leaves me with the choice of either upgrading my hardware to something based on the i3-6100U or better (single-thread CPU Mark of 1361 vs 624 for the Celeron I have) or using Linux if I want to route gigabit. The i3 also has the benefit of supporting PCI passthrough, though that’s less valuable because of the PPPoE single-core restriction (perf on i3: https://forum.netgate.com/topic/138926/realtek-nic-pppoe-gig-cpu-usage-seems-odd).

Support for Internet of Crap (Things) VLAN

I’m slowly adopting more and more cheap Internet devices for controlling things around my house. Some of them I write the software for myself, others are provided by the vendor and probably have both security and privacy issues associated with them. Instead of identifying the devices one by one and putting firewall rules on them, I am going to create a separate wireless network for all of them and lock it down.

The crux is that once you’ve locked them down on their own network, your primary network with your iPhone can’t talk to them unless you use an mDNS (aka Bonjour) repeater between the networks. There is a free one, Avahi, which can be used standalone or bundled with the router.

Untangle and the Sophos products do not support this in their offering. You’ll be stuck setting one up manually either on the firewall itself (gulp) or on a separate device.

This can also be done on a Raspberry Pi on Ethernet: http://chrisreinking.com/need-bonjour-across-vlans-set-up-an-avahi-gateway/

Miscellaneous comments

Untangle

By far the easiest setup and the best dashboards out of the box. There is a free version, a $50 annual subscription, and a $150 annual subscription. The free version does simple routing. Configuring fq_codel was dead simple. To do IPsec VPN you need the $50 subscription; WireGuard is $150. OpenVPN is free, but I worry about performance.

If they supported mDNS repeating I would be using this.

pfSense/OPNsense

These tools let you do anything and have a tremendous amount of third-party packages available for them. Configuring them is a pain (especially tools like fq_codel) as all that flexibility comes at a cost. They are also the most popular solutions out there in terms of finding free support and reference documentation.

But using them is a challenge in my use case. Due to the performance issues around PPPoE and my cheap hardware, I don’t have a cheap, clean upgrade path if I increase my network connection speed.

IPFire

IPFire makes efficient use of the underlying hardware. Its initial setup is pretty awkward, as it forces you through a text-only, keyboard-only mode for the basic configuration before allowing you to use a web browser. Certain changes aren’t available in the web UI (e.g. going from 2 to 3 networks) and force you to drop into the command line and rerun the text-only tool. Graphing is not live.

The primary author has some very strong opinions about what capabilities should and should not be in a firewall. His arguments are well reasoned and forced me to reevaluate some of my preconceived notions (e.g. using a VPN vs. an HTTP proxy). But at the same time his viewpoint hasn’t been adopted by the community at large. That makes implementing privacy-enhancing controls at the network level more difficult (for example, most commercial proxy providers don’t target privacy enhancement). See this discussion for more details: https://community.ipfire.org/t/protect-users-who-get-spammy-phishing-links-in-emails/4111/8

Sophos

I’m just going to clump UTM and XG together. UTM is their older product, which they are sunsetting; it supports fq_codel but NOT 6rd. XG is the newer product line, which does not support fq_codel but does support 6rd. I love the fact that they offer both of these free for home users. UTM only supports 50 devices, and it wasn’t clear to me that it has a bypass mode like Untangle does.

I really tried to make XG work for me as that’s their investment area (https://ideas.sophos.com/forums/17359-sg-utm/suggestions/7131408-allow-more-ip-s-on-home-free-utm) but no fq_codel was a deal breaker in the end.

Conclusion

I’m giving IPFire a shot. I plan on reusing Blue (Wireless) as my IoT network. The default configuration has it separated with its own DHCP server, so it’s 90% of the way there for my needs.

But I’m not thrilled with any of my choices. I like to tinker. Untangle and IPFire are not great for tinkering but work well on my hardware. Sophos XG is difficult and allows tinkering, but has no fq_codel (though if I upgrade to gigabit it could be a contender). Ideally I would have a pfSense that worked well on my hardware. The VyOS command line would make me cranky.

Hmm. I wonder if Untangle in Proxmox would work well enough that I could run a separate VM for Avahi…

IPFire and Centurylink Fiber

I recently switched from pfSense to https://www.ipfire.org and got to learn the hoops needed for PPPoE over a vlan like Centurylink needs.

In IPFire this is considered a VDSL connection and isn’t available during the guided setup. But overall it’s a pretty easy process. You’ll need your PPPoE username and password from CenturyLink to get started.

During initial setup select the Dialup option (even though you are on Fiber 🙂 ).

PPP Dialup sets things up mostly right

Go ahead with the rest of the setup, you’ll finish up later.

After restarting and logging into the device via your browser, go to System->Dialup.

Then switch the type to VDSL and fill out as follows:

That’s it. Go back to the main page System->Home and you’ll see the connection there (if not, wait a few seconds and refresh the page).

Kindle Oasis holder for Levo Book Holder

I have an older Levo Book holder. If you enjoy reading books and value your neck, I highly recommend this product. I get no kickbacks from the company for this, just a very satisfied customer (https://levostore.com/collections/levo-for-books/products/levo-book-holder-floor-stand).

I have an older holder and can no longer purchase parts for it. Therefore I went ahead and designed a holder for my Kindle Oasis so that it doesn’t keep falling on the floor and getting damaged.

Medication Alarm

I take medications. I’m also very sensitive to medications, so I take them in liquid form so I can get the dosing dialed in just right. But I have a dilemma. They all look very similar, several of them even begin with the same letter, but I take them at different times of day. After a recent incident where I accidentally took the wrong one in the evening, and took five times my normal dose, I decided to build this contraption to help remind me if I try to take out the wrong one at the wrong time of day.

Hardware:

  • DoIT ESP32 board
  • A handful of lever arm switches
  • Custom 3d printed shell
  • A far too loud beeper
  • I2C RTC Chip in case Wifi goes down

The device works by connecting to my local Wi-Fi to grab the current time. I then hardcoded what times the various medications are allowed to be out of their slots. If I pull out a medication at the wrong time, an alarm goes off.

Running HAM Radio cables

I’ve been struggling with running my radio cables through the wall. For many years I drilled some holes in the frame that held our cat door, but as you can see below, we stopped using the cat door. With the recent bout of horrible wildfire smoke here in Seattle I was forced to remove the cat door and hole up inside and was unable to use my radio. That prompted me to finally get up the courage to drill a hole in the wall of my house.

I used some electrical conduit, a demarcation box off eBay, plenty of caulk, and a 3D printed adapter for the inside of the wall to make this all work. One thing I didn’t figure out beforehand was the minimum bend radius of some of my cabling, which made things a little awkward. Thankfully I had some cabling that worked with a 1 inch minimum bend radius, but that wasn’t the cable I was planning on using.

Configure IC-7300 with HRD and SDRuno as a panadapter

I have an MFJ-1788 Mag Loop antenna. I can tune it very easily by using my RSPdx to view the waveform. In the picture attached you’ll notice that the antenna is tuned a little bit high for my current frequency. This makes it super easy to tune without worrying about having to put signal out on the antenna. But I kept having a problem where I was neglecting to change the frequency in SDRuno to match the one on my radio, and then inadvertently tuned the antenna to the wrong frequency. Attempting to transmit into that did not make my radio happy.

Therefore I wanted SDRuno to follow my IC-7300 but not the other way around as I like the freedom to poke around in the band in SDRuno without changing the radio. This guide walks through how you would set up everything with Ham Radio Deluxe and some other tools. Honestly, this is partially my own documentation so I don’t forget this in the future as it was hard-won knowledge.

There are a lot of little knobs to turn.

  • You use HRD as the primary connection to the IC-7300.
  • Create a virtual serial connection between two serial ports.
  • Then enable a 3rd Party Serial Port in HRD. That exposes a ‘Kenwood’ serial port that does simple frequency rig control. Connect that to one end of the virtual ports.
  • Configure OmniRig to connect to the other end of the virtual serial port.
  • Configure SDRuno to use OmniRig with a Virtual Receiver.
  • Attach that Virtual Receiver to OmniRig.
Block Diagram of how everything fits together. Pick your own COM port numbers.

Create a virtual serial connection between two serial ports

This is the menu item in HRD to enable the serial port.
Match this with one end of the virtual serial port cable.
Match OmniRig with the other.

If you mess this up and only have Stop bits == 1, SDRuno will miss the occasional frequency change.

A quick callout on the picture above, as there is a lot going on.
1) You bring up RX Settings by clicking on SETT.
2) You need to scroll the tabs to get to ORIG (short for OmniRig)
3) After you configure the ORIG panel and close it click on RSYN1 as that assigns OmniRig to this VRX.

SETT. to bring this up and confirm OmniRig is working right.

Ta da!

Black and Decker Portable AC

I recently picked up a Black and Decker Portable AC https://www.amazon.com/Black-Decker-Portable-Conditioner-Display/dp/B01DLPUWG2 and wanted to port over a Blynk project I had created. I couldn’t find anything online about what the infrared protocol is for the remote. So here you go:

Protocol  : TCL112AC
Code      : 0x23CB26010024030D00000000C009 (112 Bits)
Mesg Desc.: Power: On, Mode: 3 (Cool), Temp: 18C, Fan: 0 (Auto), Econo: Off, Health: Off, Light: On, Turbo: Off, Swing(H): Off, Swing(V): Off
uint16_t rawData[227] = {3134, 1586,  496, 1174,  504, 1166,  502, 334,  494, 366,  474, 362,  476, 1166,  502, 332,  496, 340,  498, 1170,  498, 1172,  496, 366,  474, 1194,  474, 336,  502, 358,  470, 1174,  506, 1164,  504, 332,  496, 1174,  494, 1176,  504, 358,  472, 336,  502, 1166,  502, 334,  494, 340,  500, 1168,  500, 336,  504, 358,  472, 336,  502, 358,  470, 364,  476, 332,  496, 364,  474, 360,  468, 366,  472, 362,  478, 358,  472, 334,  504, 356,  472, 362,  476, 358,  470, 364,  474, 360,  470, 1172,  496, 366,  474, 334,  494, 1174,  504, 330,  498, 336,  502, 1166,  502, 1168,  500, 334,  496, 340,  498, 362,  476, 332,  498, 336,  502, 332,  496, 1172,  496, 338,  502, 1168,  500, 1170,  498, 336,  504, 358,  470, 364,  474, 360,  470, 364,  474, 362,  468, 340,  498, 360,  468, 366,  472, 362,  476, 332,  496, 364,  476, 332,  496, 366,  476, 332,  496, 338,  500, 360,  468, 366,  472, 336,  504, 356,  472, 364,  476, 358,  470, 364,  476, 358,  470, 364,  474, 360,  468, 366,  474, 360,  468, 340,  500, 362,  468, 366,  472, 362,  476, 358,  470, 364,  474, 332,  498, 364,  476, 332,  496, 366,  474, 360,  468, 366,  472, 362,  476, 330,  498, 1198,  472, 1172,  496, 1174,  496, 338,  500, 362,  478, 1164,  504, 330,  498, 364,  476, 360,  468, 366,  474};  // TCL112AC
uint8_t state[14] = {0x23, 0xCB, 0x26, 0x01, 0x00, 0x24, 0x03, 0x0D, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x09};

Protocol  : TCL112AC
Code      : 0x23CB26010020030D00000000C106 (112 Bits)
Mesg Desc.: Power: Off, Mode: 3 (Cool), Temp: 18C, Fan: 0 (Auto), Econo: Off, Health: Off, Light: On, Turbo: Off, Swing(H): Off, Swing(V): Off
uint16_t rawData[227] = {3138, 1582,  502, 1170,  498, 1170,  498, 364,  476, 360,  468, 366,  472, 1196,  472, 364,  476, 360,  468, 1200,  478, 1166,  502, 332,  496, 1200,  468, 368,  472, 362,  476, 1192,  476, 1166,  502, 362,  478, 1192,  476, 1168,  500, 362,  478, 356,  472, 1196,  472, 364,  474, 360,  468, 1200,  478, 330,  498, 364,  476, 360,  468, 364,  474, 360,  468, 366,  472, 362,  476, 358,  470, 364,  474, 360,  468, 364,  474, 360,  468, 366,  472, 362,  476, 358,  470, 364,  474, 360,  468, 364,  474, 360,  468, 366,  472, 1194,  474, 362,  476, 358,  470, 1198,  470, 1174,  504, 358,  470, 364,  474, 360,  468, 366,  474, 362,  478, 358,  470, 1196,  472, 366,  474, 1194,  474, 1170,  498, 364,  476, 360,  468, 366,  474, 360,  468, 368,  472, 362,  476, 358,  470, 366,  474, 362,  466, 366,  474, 362,  468, 366,  472, 362,  476, 360,  470, 364,  474, 360,  468, 366,  474, 362,  478, 356,  472, 364,  476, 358,  470, 366,  474, 362,  478, 356,  472, 366,  474, 358,  470, 364,  474, 360,  468, 366,  472, 362,  478, 356,  472, 362,  476, 358,  470, 364,  474, 360,  468, 366,  474, 1196,  474, 336,  504, 358,  472, 364,  474, 360,  468, 366,  472, 1194,  474, 1170,  498, 364,  476, 1194,  474, 1170,  498, 362,  476, 360,  470, 366,  474, 362,  476, 358,  472};  // TCL112AC
uint8_t state[14] = {0x23, 0xCB, 0x26, 0x01, 0x00, 0x20, 0x03, 0x0D, 0x00, 0x00, 0x00, 0x00, 0xC1, 0x06};
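As an added example (not part of the original post), this C program decodes the power-on capture above into its 14 state bytes and checks them against the values the post reports. The timing thresholds are assumptions read off the capture, and the checksum rule (last byte equals the 8-bit sum of the first 13) is an observation that holds for both captures on this page, not a documented part of the protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Power-on capture copied from the post above: 227 mark/space durations in microseconds. */
static const uint16_t kRawOn[227] = {
    3134, 1586, 496, 1174, 504, 1166, 502, 334, 494, 366, 474, 362, 476, 1166, 502, 332, 496, 340, 498, 1170, 498, 1172, 496, 366,
    474, 1194, 474, 336, 502, 358, 470, 1174, 506, 1164, 504, 332, 496, 1174, 494, 1176, 504, 358, 472, 336, 502, 1166, 502, 334,
    494, 340, 500, 1168, 500, 336, 504, 358, 472, 336, 502, 358, 470, 364, 476, 332, 496, 364, 474, 360, 468, 366, 472, 362,
    478, 358, 472, 334, 504, 356, 472, 362, 476, 358, 470, 364, 474, 360, 470, 1172, 496, 366, 474, 334, 494, 1174, 504, 330,
    498, 336, 502, 1166, 502, 1168, 500, 334, 496, 340, 498, 362, 476, 332, 498, 336, 502, 332, 496, 1172, 496, 338, 502, 1168,
    500, 1170, 498, 336, 504, 358, 470, 364, 474, 360, 470, 364, 474, 362, 468, 340, 498, 360, 468, 366, 472, 362, 476, 332,
    496, 364, 476, 332, 496, 366, 476, 332, 496, 338, 500, 360, 468, 366, 472, 336, 504, 356, 472, 364, 476, 358, 470, 364,
    476, 358, 470, 364, 474, 360, 468, 366, 474, 360, 468, 340, 500, 362, 468, 366, 472, 362, 476, 358, 470, 364, 474, 332,
    498, 364, 476, 332, 496, 366, 474, 360, 468, 366, 472, 362, 476, 330, 498, 1198, 472, 1172, 496, 1174, 496, 338, 500, 362,
    478, 1164, 504, 330, 498, 364, 476, 360, 468, 366, 474
};
/* The 14 state bytes the post reports for the power-on and power-off captures. */
static const uint8_t kStateOn[14]  = {0x23, 0xCB, 0x26, 0x01, 0x00, 0x24, 0x03, 0x0D, 0, 0, 0, 0, 0xC0, 0x09};
static const uint8_t kStateOff[14] = {0x23, 0xCB, 0x26, 0x01, 0x00, 0x20, 0x03, 0x0D, 0, 0, 0, 0, 0xC1, 0x06};

/* Timing thresholds are assumptions read off the capture: header ~3100/1600 us, every bit
   starts with a ~500 us mark, a '1' is followed by a ~1170 us space and a '0' by ~350 us. */
#define HDR_MARK_MIN  2800
#define HDR_SPACE_MIN 1400
#define BIT_MARK_MIN   350
#define BIT_MARK_MAX   650
#define ONE_SPACE_MIN  750
#define TCL112_BITS    112

/* Decode one raw frame into 14 bytes, least-significant bit of each byte first.
   Returns 14 on success, 0 on a framing error (short frame, bad header or bad bit mark). */
int tcl112_decode(const uint16_t *raw, size_t n, uint8_t out[14]) {
    if (n < 2 + 2 * TCL112_BITS || raw[0] < HDR_MARK_MIN || raw[1] < HDR_SPACE_MIN) return 0;
    memset(out, 0, 14);
    for (int bit = 0; bit < TCL112_BITS; bit++) {
        uint16_t mark = raw[2 + 2 * bit], space = raw[3 + 2 * bit];
        if (mark < BIT_MARK_MIN || mark > BIT_MARK_MAX) return 0;
        if (space >= ONE_SPACE_MIN) out[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
    return 14;
}

/* Both captures on the page satisfy: last byte == low 8 bits of the sum of the first 13 bytes.
   Treating that as the frame checksum lets a receiver drop corrupted or truncated frames. */
int tcl112_checksum_ok(const uint8_t state[14]) {
    unsigned sum = 0;
    for (int i = 0; i < 13; i++) sum += state[i];
    return (sum & 0xFF) == state[13];
}

/* The only bit that differs between the on and off captures is bit 2 of byte 5 (0x24 vs 0x20). */
int tcl112_power(const uint8_t state[14]) { return (state[5] & 0x04) != 0; }

int main(void) {
    uint8_t out[14];
    if (tcl112_decode(kRawOn, 227, out) != 14 || !tcl112_checksum_ok(out)) { puts("bad frame"); return 1; }
    for (int i = 0; i < 14; i++) printf("%02X", out[i]);
    printf("  power=%d  matches post: %s\n", tcl112_power(out), memcmp(out, kStateOn, 14) == 0 ? "yes" : "no");
    return 0;
}
```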