Dedicated appliances for router and firewall

I recently put together two mini-ITX systems and am going to redo my network to replace my router/firewall with a dedicated edge/router and a dedicated firewall/NGFW. For the edge/router I'm putting FreeBSD base, and for the firewall I was thinking of using OPNsense, but I'm on the fence about just installing FreeBSD as well and utilizing PF for firewalling and adding some extras to do the UTM functions.
My question is, for my edge/router set up with FreeBSD, what is the minimum setup needed to do the job? What are the firewall capabilities that need to be on this edge/router?

My setup will look like the following:
edge/router (FreeBSD) >>> Firewall (OPNsense OR FreeBSD) >>> (tl-sg2218) managed switch with vlan (wax214 AP hooked in ) >>> internal devices.
 
Why split these? A single FreeBSD machine could easily do both.
Because I'm bored with life and like to make things difficult. No really, because I want to practice a Defense in Depth posture: having two layers of firewalls (edge router + firewall appliance) helps to mitigate risks and provides redundancy in case one firewall is compromised or fails. I also understand it adds complexity.

The edge router can handle basic routing and filtering tasks, while the internal firewall appliance can focus on more detailed inspection and security policy enforcement. I want one machine to be just a beefy router and the other to be the advanced firewall. I built it with some additional storage and memory to retain information locally on the appliance to do some UTM functionality.

And I want to make a box that is used completely as an NGFW, as a routed firewall. It's a bit of overkill, but I figured it's probably the best way to learn, because I believe most small business to corporate networks are set up in this fashion, where they have their edge and then their internal firewalls.

I thought about using the BSD Router Project for my edge/router but figured my home network is of no use for that type, since it's catered to small ISPs with its BGP routing protocols and such. Also, I will be building out my own company network in a few months, so I wanted to get the experience this way as well.

But just out of curiosity how would you do it on one machine? Would you separate them in different Jails?
 
But just out of curiosity how would you do it on one machine?
Similar to how I have my own home router set up. Routing doesn't require a lot of CPU power; I used to have an Intel Atom firewalling and routing for my 600Mbit cable connection and gigabit home network. It barely registered CPU load even when I had several streams going and Steam downloads at max speed. My home network is split up into several VLANs: one for servers (my homelab), one for 'normal' usage (gaming desktops, TV, streaming clients, phones, etc.), and a VLAN specifically for Wi-Fi guest access. Because everything is routed through my firewall, I can put rules there to limit access between those VLANs. The guest Wi-Fi, for example, can only access the internet; it does not have access to anything else on my network. This firewall/router host also takes care of DHCP and DNS (linked, so dynamic addresses are registered in DNS) for my home network.

Would you separate them in different Jails?
I wouldn't do the routing and firewalling in a jail, but you could run a (reverse) proxy in a jail, for example. I have HAProxy running on the host, but you could run this in a jail if you wanted to. With HAProxy I can have multiple different "websites" running on one external IP address and have it proxy the request to different server backends based on the HTTP Host headers.

The homelab mainly consists of a bunch of VMs running on an old dual Xeon. I have VMs for Zabbix, Puppet, Jenkins, gitlab-runners and a few other things I like to play around with.
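As an added illustration of the single-box layout this reply describes (one FreeBSD host routing between VLANs, with the guest VLAN allowed out to the internet only, and DHCP/DNS served from the router itself), here is a minimal pf.conf written for this thread; it is not the poster's own ruleset. The interface names (igb0 as uplink, igb1.N as the VLAN interfaces on the trunk to the switch) and the 10.0.x.0/24 prefixes are assumptions.

```pf
# Added example, not a ruleset from the thread. Interface names and
# prefixes are assumptions for illustration.
ext_if     = "igb0"        # uplink to the cable modem
vlan_srv   = "igb1.10"     # homelab servers
vlan_lan   = "igb1.20"     # desktops, TV, phones
vlan_guest = "igb1.30"     # guest Wi-Fi
guest_net  = "10.0.30.0/24"
rfc1918    = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
set block-policy drop
scrub in all fragment reassemble

# Hide every internal prefix behind the uplink address
nat on $ext_if inet from $rfc1918 to any -> ($ext_if)

# Default deny in both directions; log what gets dropped
block log all

# Uplink hygiene: nothing arriving from the internet may claim a private source
block in quick on $ext_if from $rfc1918 to any
antispoof quick for { $vlan_srv $vlan_lan $vlan_guest }

# Guest VLAN: DHCP and DNS from this host, then the internet and nothing else.
# The quick passes must precede the quick blocks, because the router's own
# guest-side address is both RFC 1918 and 'self'.
pass in quick on $vlan_guest inet proto udp from any port 68 to any port 67
pass in quick on $vlan_guest inet proto { tcp udp } from $guest_net to self port 53
block in quick on $vlan_guest from $guest_net to self
block in quick on $vlan_guest from $guest_net to $rfc1918
pass in on $vlan_guest from $guest_net to any

# Server and normal VLANs: internet, each other, and this host's DHCP/DNS
pass in on { $vlan_srv $vlan_lan } all

# Forwarded and locally generated traffic may leave; state carries replies back
pass out all
```

The VLAN interfaces come from rc.conf (`vlans_igb1="10 20 30"` creates igb1.10, igb1.20 and igb1.30) together with `gateway_enable="YES"` for forwarding. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the guest isolation by trying to reach a server-VLAN address from a guest client: the attempt should show up as a logged drop on pflog0.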
 
Nice, very good info, thank you. In my scenario where I want to split up the edge router >> going to the internal firewall, what kind of basic firewall rules would you place on the edge FreeBSD router/firewall?

From the edge router/firewall I would have a prefix size of /30 to have a one-to-one connection to my internal firewall appliance, and probably spoof the MAC address for good measure.

Would you place the DHCP and DNS configs on the edge still, OR on that internal FW? I'm guessing the internal routed FW. The managed switch I will be connected to can handle all the VLAN routing, but I will still be able to place the rules for communication between them on the FW, I presume.

I am kinda following this set up
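For the two-box layout asked about above (edge router, /30 transit link, internal firewall behind it), here is an added pf.conf for the edge router only; it is not from the thread or from either poster. The edge does coarse uplink filtering and a single NAT, and leaves all inter-VLAN policy to the internal firewall. The interface names, the 10.255.0.0/30 transit prefix and the 10.0.0.0/16 inside aggregate are assumptions.

```pf
# Added example (not the thread's configuration): /etc/pf.conf for the edge
# router only. Interface names, the transit /30 and the inside prefix are
# assumptions.
ext_if   = "igb0"             # ISP uplink
tran_if  = "igb1"             # /30 transit link to the internal firewall
tran_net = "10.255.0.0/30"    # edge is .1, internal firewall is .2
fw_addr  = "10.255.0.2"
inside   = "10.0.0.0/16"      # everything the internal firewall routes for
# 100.64.0.0/10 is deliberately left out in case the ISP hands out CGNAT addresses
martians = "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
              172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }"

set skip on lo0
set block-policy drop
set loginterface $ext_if
scrub in all fragment reassemble

# NAT once, here; the internal firewall only routes (no double NAT)
nat on $ext_if inet from { $tran_net, $inside } to any -> ($ext_if)

# Default deny, logged
block log all

# Uplink hygiene: drop martian sources and anything spoofing an inside address
block in quick on $ext_if from $martians to any
antispoof quick for { $ext_if $tran_if }

# The edge itself accepts only SSH from inside; everything else addressed
# to it is dropped before the forwarding rule below can match
pass in quick on $tran_if inet proto tcp from $inside to self port 22
block in quick on $tran_if from any to self

# Forwarding: only the internal firewall and the prefixes behind it may
# source traffic on the transit link
pass in on $tran_if from { $fw_addr, $inside } to any

# Everything the edge forwards or originates may leave; state handles replies
pass out all
```

The edge needs a return route for the inside prefix via the internal firewall, set in rc.conf with `static_routes="inside"` and `route_inside="-net 10.0.0.0/16 10.255.0.2"`, plus `gateway_enable="YES"`. With this split, DHCP and DNS belong on the internal firewall (or further inside), because the edge never sees the client VLANs directly; the only things it should answer to are SSH from inside and ICMP errors that pf ties to existing states.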