Securing Your Home Fences

by Andrea Covello
time to read: 30 minutes

You don’t have to be an ICT security professional these days to know that the Internet access device in your home does not have the best security reputation. Just search for home router vulnerabilities in your favorite search engine and you’ll discover plenty of information:

The list goes on, and I don’t see things getting better in the future. Your Internet provider (cable, xDSL, EDGE/3G/LTE) wants to deliver network access plus extras (WLAN, IP voice) in one small device, which is more often than not free, at a competitive price to as many customers as possible. Now think about the small box you have at home: do you think there is room for security? I mean real security. Make an educated guess. If you care about your digital property at home, you should start securing your fences right behind the router your provider gives you. Setting up an open-source firewall on an old PC would do the trick, but most of us have to install it in the living room near the TV, or in rooms where we cannot afford a big and noisy device. And don’t forget the power consumption.

Dedicated Home Firewall Project

Let’s start a small project: building our own firewall appliance. To make it work, our security design has to fulfil the following requirements:

It’s just like the Internet provider’s device, with one difference: it will cost a bit more. Security always takes something from our budget, but for this project we’ll set a limit of 200 $/CHF.

Let’s implement the following simple network design:

A fully functional home network for $200 or 200 CHF

I’ve found a custom-made appliance that fulfils all requirements, made by a nice small Swiss company called PC Engines. They have several models that fit a number of use cases; for this firewall project we’ll take the so-called APU. The APU board is the size of a small box of chocolates and fits almost everywhere. Here are the technical specs:

More detailed documentation is available here

Those specs are rather impressive. The same hardware could serve a number of other interesting projects such as home automation, an NMS or network analysis. This time we’ll build a firewall with all the features our home security needs, and it could just as well secure a small to medium business. Here are the needed components:

4GB RAM Appliance

Component      Reference                                         CHF      USD
Board          PCEngines apu1d4                                  150.00   150.00
Storage        PCEngines msata16d SSD Module                      20.00    20.00
Power supply   PCEngines ac12veur2 AC adapter with euro plug       5.00     5.00
Enclosure      PCEngines case1d2bluu Enclosure 3 LAN USB blue     10.00    10.00
Total                                                            185.00   185.00

Optional parts

Component         Reference                                      CHF      USD
Null Modem Cable  PCEngines db9cab1 Null Modem Cable               2.00     2.00

Alternative 2GB RAM Appliance

Component      Reference                                         CHF      USD
Board          PCEngines apu1d System Board                      125.00   127.00

The appliance is like a normal x86-64 PC without a video card, so you can install various operating systems on it (Linux, FreeBSD, OpenBSD), but the console output has to be redirected to the serial port.

Firewall Software

I recommend a FreeBSD-based open-source firewall distribution called OPNsense. Feel free to find out more about the distribution’s features and architecture on their website. Here are my personal views on why OPNsense is the way to go:

Prepare the Appliance

Once we have the hardware, we need to assemble it. I highly recommend following the guides on PC Engines’ website.

Board mounted on case

For the setup process we need the following:

Prepare The Installation Media

The following steps were done on Linux. Feel free to use your preferred environment:

wget http://sourceforge.net/projects/opnsense/files/15.1.7/OPNsense-15.1.7-serial-amd64.img.bz2
wget http://sourceforge.net/projects/opnsense/files/15.1.7/OPNsense-15.1.7-checksums-amd64.sha256


root@blacknovo:~/Downloads# cat OPNsense-15.1.7-checksums-amd64.sha256
SHA256 (OPNsense-15.1.7-cdrom-amd64.iso.bz2) = e46bb9acd010977d24d862bbe0a85ebfbdcc42dd633851056ad52402bec4b119
SHA256 (OPNsense-15.1.7-serial-amd64.img.bz2) = 869e985fc21d083e2530a81e96eb274caf753b4b9db33d04bda86d4e427a240a
SHA256 (OPNsense-15.1.7-vga-amd64.img.bz2) = b9c71b431cf2ffa399da6a7b11f50d971f7c1747512e794bb7e930dde6d5daeb

root@blacknovo:~/Downloads# sha256sum OPNsense-15.1.7-serial-amd64.img.bz2
869e985fc21d083e2530a81e96eb274caf753b4b9db33d04bda86d4e427a240a  OPNsense-15.1.7-serial-amd64.img.bz2
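Comparing two 64-character hashes by eye is easy to get wrong. The following helper is an added example of mine, not code from the original article or from the OPNsense project: it reads the BSD-style checksum file shown above, picks the line for the image file you downloaded and compares it with a locally computed SHA-256. The file names in the comment are the ones from this article; the exit codes are my own convention.

```shell
#!/bin/sh
# Added example (not from the original article): check a downloaded image
# against the BSD-style checksum list OPNsense publishes next to it. Lines in
# that list look like
#   SHA256 (OPNsense-15.1.7-serial-amd64.img.bz2) = 869e98...
# Usage:  verify_image <image file> <checksum file>
# Return: 0 = digest matches, 1 = digest differs, 2 = file not listed.

sha256_of() {
    # GNU coreutils on Linux; fall back to perl's shasum (macOS, BSD ports)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Fields of a checksum line: SHA256  (name)  =  digest
    # Take the digest for exactly this file name and ignore the other entries.
    expected=$(awk -v key="($name)" '$1 == "SHA256" && $2 == key { print $4 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$name" "$expected" "$actual" >&2
    return 1
}

# Run it from the download directory exactly as the article's files are named:
#   verify_image OPNsense-15.1.7-serial-amd64.img.bz2 OPNsense-15.1.7-checksums-amd64.sha256
```

Keep in mind what this check proves: a checksum file fetched over plain HTTP from the same host as the image only catches a corrupted or truncated download. It does not protect against a tampered mirror, because whoever replaces the image can replace the checksum file too. Where the project publishes a signature for the checksums, verify that signature as well before writing the image to the stick.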

Unpack the image, then plug in the USB stick and read the kernel log (dmesg) to find its device name; here it is /dev/sdb. Check this name carefully: dd writes to whatever device you give it, and the wrong disk is gone.

root@blacknovo:~/Downloads# bunzip2 OPNsense-15.1.7-serial-amd64.img.bz2
...
[1777015.998438] sd 6:0:0:0: [sdb] 1984000 512-byte logical blocks: (1.01 GB/968 MiB)
[1777016.007803]  sdb: sdb1
[1777016.425180] FAT-fs (sdb1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[1777016.429920] FAT-fs (sdb1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
...

The partition table before writing (fdisk -l /dev/sdb) still shows the stick’s original FAT32 layout:

Disk /dev/sdb: 1015 MB, 1015808000 bytes
255 heads, 63 sectors/track, 123 cylinders, total 1984000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           2     1983999      991999    b  W95 FAT32

Write the raw image to the whole device, not to a partition; the block size only affects speed:

root@blacknovo:~/Downloads#  dd if=./OPNsense-15.1.7-serial-amd64.img of=/dev/sdb bs=16K
39069+0 records in
39069+0 records out
640106496 bytes (640 MB) copied, 86.1828 s, 7.4 MB/s

Reading the partition table again shows the FreeBSD slice from the image, so the stick is ready:

Disk /dev/sdb: 1015 MB, 1015808000 bytes
255 heads, 63 sectors/track, 123 cylinders, total 1984000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x90909090

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb4   *           0       49999       25000   a5  FreeBSD


Configure The Terminal Console Environment

For the terminal console you need a PC or laptop with a serial port or a USB-to-serial adapter. Use your preferred terminal program and set it to 115200,8,N,1: 115200 baud, 8 data bits, no parity, 1 stop bit. I use minicom in a privileged Linux terminal session (it needs access to the serial device). Here are the configuration steps:

   +-----------------+---------[Comm Parameters]----------+----------------+
    | A -    Serial De|                                    |                |
    | B - Lockfile Loc|     Current: 115200 8N1            |                |
    | C -   Callin Pro| Speed            Parity      Data  |                |
    | D -  Callout Pro| A: <next>        L: None     S: 5  |                |
    | E -    Bps/Par/B| B: <prev>        M: Even     T: 6  |                |
    | F - Hardware Flo| C:   9600        N: Odd      U: 7  |                |
    | G - Software Flo| D:  38400        O: Mark     V: 8  |                |
    |                 | E: 115200        P: Space          |                |
    |    Change which |                                    |                |
    +-----------------| Stopbits                           |----------------+
            | Screen a| W: 1             Q: 8-N-1          |
            | Save set| X: 2             R: 7-E-1          |
            | Save set|                                    |
            | Exit    |                                    |
            | Exit fro| Choice, or <Enter> to exit?        |
            +---------+------------------------------------+

After choosing the speed and 8N1, the serial port settings should look like this:

    +-----------------------------------------------------------------------+
    | A -    Serial Device      : /dev/ttyUSB0                              |
    | B - Lockfile Location     : /var/lock                                 |
    | C -   Callin Program      :                                           |
    | D -  Callout Program      :                                           |
    | E -    Bps/Par/Bits       : 115200 8N1                                |
    | F - Hardware Flow Control : Yes                                       |
    | G - Software Flow Control : No                                        |
    |                                                                       |
    |    Change which setting?                                              |
    +-----------------------------------------------------------------------+


On the bottom line of the terminal window you should see this status line:

[CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.6.1  | VT102 |      Offline ]

Install OPNsense

Now power-on the APU board using this procedure:

You should see the BIOS POST messages on your terminal console:

PC Engines APU BIOS build date: Apr  5 2014
Reading data from file [bootorder]
SeaBIOS (version ?-20140405_120742-frink)
SeaBIOS (version ?-20140405_120742-frink)
Found coreboot cbmem console @ df150400
Found mainboard PC Engines APU
Relocating init from 0x000e8e71 to 0xdf1065e0 (size 39259)
Found CBFS header at 0xfffffb90
found file "bootorder" in cbmem
CPU Mhz=1001
Found 27 PCI devices (max PCI bus is 05)
Copying PIR from 0xdf160400 to 0x000f27a0
Copying MPTABLE from 0xdf161400/df161410 to 0x000f25b0 with length 1ec
Copying ACPI RSDP from 0xdf162400 to 0x000f2590
Copying SMBIOS entry point from 0xdf16d800 to 0x000f2570
Using pmtimer, ioport 0x808
Scan for VGA option rom
EHCI init on dev 00:12.2 (regs=0xf7f08420)
Found 1 lpt ports
Found 2 serial ports
AHCI controller at 11.0, iobase f7f08000, irq 11
EHCI init on dev 00:13.2 (regs=0xf7f08520)
EHCI init on dev 00:16.2 (regs=0xf7f08620)
Searching bootorder for: /pci@i0cf8/*@11/drive@0/disk@0
AHCI/0: registering: "AHCI/0: SATA SSD ATA-10 Hard-Disk (15272 MiBytes)"
Searching bootorder for: /rom@img/setup
Searching bootorder for: /rom@img/memtest
OHCI init on dev 00:12.0 (regs=0xf7f04000)
OHCI init on dev 00:13.0 (regs=0xf7f05000)
OHCI init on dev 00:14.5 (regs=0xf7f06000)
OHCI init on dev 00:16.0 (regs=0xf7f07000)
Searching bootorder for: /pci@i0cf8/usb@16,2/storage@1/*@0/*@0,0
Searching bootorder for: /pci@i0cf8/usb@16,2/usb-*@1
USB MSC vendor='Multiple' product='Card  Reader' rev='1.00' type=0 removable=1
USB MSC blksize=512 sectors=1984000
All threads complete.
Scan for option roms
Running option rom at c000:0003

iPXE (http://ipxe.org) 00:00.0 C000 PCI2.10 PnP PMMpmm call arg1=1
pmm call arg1=0
+DF0E94B0pmm call arg1=1
pmm call arg1=0
+DF0494B0 C000

Searching bootorder for: /rom@genroms/pxeboot.rom

Build date: Apr  5 2014
System memory size: 4592 MB

Press F12 for boot menu.

The FreeBSD loader from the USB stick comes up next; press Enter to boot multi-user:

  ______               ____   _____ _____
 |  ____|             |  _ \ / ____|  __ \
 | |___ _ __ ___  ___ | |_) | (___ | |  | |
 |  ___| '__/ _ \/ _ \|  _ < \___ \| |  | |
 | |   | | |  __/  __/| |_) |____) | |__| |
 | |   | | |    |    ||     |      |      |
 |_|   |_|  \___|\___||____/|_____/|_____/    ```                        `
                                             s` `.....---.......--.```   -/
 +------------Welcome to FreeBSD-----------+ +o   .--`         /y:`      +.
 |                                         |  yo`:.            :o      `+-
 |  1. Boot Multi User [Enter]             |   y/               -/`   -o/
 |  2. Boot [S]ingle User                  |  .-                  ::/sy+:.
 |  3. [Esc]ape to loader prompt           |  /                     `--  /
 |  4. Reboot                              | `:                          :`
 |                                         | `:                          :`
 |  Options:                               |  /                          /
 |  5. [K]ernel: kernel (1 of 2)           |  .-                        -.
 |  6. Configure Boot [O]ptions...         |   --                      -.
 |                                         |    `:`                  `:`
 |                                         |      .--             `--.
 |                                         |         .---.....----.
 +-----------------------------------------+


/boot/kernel/kernel text=0x11ae738 data=0x6d65b0+0x215440 syms=[0x8+0x1720b0+0x
Booting...
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2014 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.1-RELEASE-p6 #0 5aa5ada(master): Thu Feb 26 16:26:03 CET 2015
    root@sensey64:/usr/obj/usr/src/sys/SMP amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
....

The kernel boots and the installer starts; accept the console settings:

Waiting for backend...


                   =========== Configure Console ===========
                   |                                       |
                   | Your selected environment uses the    |
                   | following console settings, shown in  |
                   | parentheses. Select any that you wish |
                   | to change.                            |
                   |                                       |
                   | < Accept these Settings >             |
                   | < Change Video Font (default) >       |
                   | < Change Screenmap (default) >        |
                   | < Change Keymap (default) >           |
                   =========================================

Choose Quick/Easy Install and confirm: it erases the first disk, which here is the mSATA module:

                       < Quick/Easy Install >


                  ============== Are you SURE? ==============
                  |                                         |
                  | Easy Install will automatically install |
                  | without asking any questions.           |
                  |                                         |
                  | WARNING: This will erase all contents   |
                  | in your first hard disk! This action is |
                  | irreversible. Do you really want to     |
                  | continue?                               |
                  |                                         |
                  | If you wish to have more control on     |
                  | your setup, choose Custom Installation  |
                  | from the Main Menu.                     |
                  |                                         |
                  |           < OK >  < Cancel >            |
                  ===========================================

When the installer finishes, remove the USB stick (the dialog still talks about a CD) and reboot:

                   ================= Reboot ================
                   |                                       |
                   | This machine is about to be shut down.|
                   | After the machine has reached its     |
                   | shutdown state, you may remove the CD |
                   | from the CD-ROM drive tray and press  |
                   | Enter to reboot from the HDD.         |
                   |                                       |
                   | < Reboot >  < Return to Select Task > |
                   =========================================


After the reboot is complete, open a web browser and
enter https://192.168.1.1 (or the LAN IP Address) in the
location bar.

You might need to acknowledge the HTTPS certificate if
your browser reports it as untrusted. This is normal
as a self-signed certificate is used by default.

*DEFAULT Username*: root
*DEFAULT Password*: opnsense

Rebooting in 5 seconds. CTRL-C to abort.

The appliance now boots from the SSD. The image carries no interface assignment for this board, so the assignment dialog runs first:

F1  FreeBSD

F6 PXE
Boot:  F1

...
...
...

Loading configuration...done.

Default interfaces not found -- Running interface assignment option.

Valid interfaces are:

re0    00:0d:b9:37:12:bc   (up) RealTek 8168/8111 B/C/CP/D/D/F/G PCIe Gigabit Ethernet
re1    00:0d:b9:37:12:bd   (up) RealTek 8168/8111 B/C/CP/D/D/F/G PCIe Gigabit Ethernet
re2    00:0d:b9:37:12:be   (up) RealTek 8168/8111 B/C/CP/D/D/F/G PCIe Gigabit Ethernet

Do you want to set up VLANs first?

If you are not going to use VLANs, or only for optional interfaces, you should
say no here and use the webConfigurator to configure VLANs later, if required.

Do you want to set up VLANs now [y|n]?


If you do not know the names of your interfaces, you may choose to use
auto-detection. In that case, disconnect all interfaces now before
hitting 'a' to initiate auto detection.

Enter the WAN interface name or @a@ for auto-detection: re2


Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished): re0


Enter the Optional 1 interface name or 'a' for auto-detection
(or nothing if finished): re1


Enter the Optional 2 interface name or 'a' for auto-detection
(or nothing if finished):

The interfaces will be assigned as follows:

WAN  -> re2
LAN  -> re0
OPT1 -> re1


Do you want to proceed [y|n]? y

Writing configuration...done.
Updating configuration...done.
Cleaning backup cache...done.
Setting up extended sysctls...done.
Setting timezone...done.
Configuring loopback interface...done.
Starting syslog...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting DNS forwarder...done.
Starting NTP time client...done.
Starting DHCP service...done.
Starting DHCPv6 service...done.
Configuring firewall......done.
Generating RRD graphs...done.
Starting syslog...done.
Starting CRON... done.

*** Welcome to OPNsense 15.1.7-78bdb9aef (amd64) on OPNsense ***

 WAN (re2)       -> v4/DHCP4: 192.168.169.155/24
 LAN (re0)       -> v4: 192.168.1.1/24
 OPT1 (re1)      ->

FreeBSD/amd64 (OPNsense.localdomain) (ttyu0)

login:


login: root
Password:
FreeBSD 10.1-RELEASE-p6 (SMP) #0 5aa5ada(master): Thu Feb 26 16:26:03 CET 2015

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
 0) Logout                             7) Ping host
 1) Assign Interfaces                  8) Shell
 2) Set interface(s) IP address        9) pfTop
 3) Reset the root password           10) Filter Logs
 4) Reset to factory defaults         11) Restart web interface
 5) Reboot system                     12) Upgrade from console
 6) Halt system                       13) Restore a configuration

Enter an option:

Choose option 2 (Set interface(s) IP address) to give OPT1 its address:

Available interfaces:

1 - WAN (re2 - dhcp, dhcp6)
2 - LAN (re0 - static)
3 - OPT1 (re1 - static)

Enter the number of the interface you wish to configure:


Enter the new OPT1 IPv4 address.  Press <ENTER> for none:
> 192.168.168.254

Subnet masks are entered as bit counts (as in CIDR notation) in OPNsense.
e.g. 255.255.255.0 = 24
     255.255.0.0   = 16
     255.0.0.0     = 8

Enter the new OPT1 IPv4 subnet bit count (1 to 31):
> 24

For a WAN, enter the new OPT1 IPv4 upstream gateway address.
For a LAN, press <ENTER> for none:
>

Enter the new OPT1 IPv6 address.  Press <ENTER> for none:
>

Do you want to enable the DHCP server on OPT1? (y/n) n

Do you want to revert to HTTP as the webConfigurator protocol? (y/n) n

Please wait while the changes are saved to OPT1...
 Reloading filter...
 DHCPD...

The IPv4 OPT1 address has been set to 192.168.168.254/24

Press <ENTER> to continue.

Reboot the appliance


OPNsense will reboot.
This may take a minute, depending on your hardware.

Do you want to proceed [y|n]? y

OPNsense is rebooting now.

*** FINAL System shutdown message from root@OPNsense.localdomain ***

System going down IMMEDIATELY

We’re finally done with the APU appliance installation.

Accessing The WebAdmin GUI

Wait for the appliance to be up again and access the Webadmin GUI on https://192.168.1.1

Enter the default credentials (root / opnsense, as printed at the end of the installation) to get into the admin console.

Out of the box the appliance hands out DHCP leases on LAN, answers DNS requests and allows all outgoing traffic from LAN to WAN on every IP protocol; nothing is allowed in from WAN. At first login you are presented with the OPNsense Setup Wizard. Just go ahead and follow it…

In our design the WAN port sits behind the provider’s router on a private network (it received 192.168.169.155/24 via DHCP above), so we have to uncheck Block RFC1918 Private Networks on the wizard’s WAN page; otherwise communication with our Internet router/modem and the WLAN AP is blocked. Leave that option checked if the appliance ever gets a public address on WAN directly, because then no legitimate traffic should arrive from private ranges.

Guess what? Change the password!

Reload the configuration so that it becomes active:

You may need to refresh your browser or log in again. Note the nice and clean look of the dashboard:

The dashboard is fully customizable with several widgets that show aspects of the firewall appliance. Just click on add widget and select the information you want to see at a glance: interface statistics, latest logs, disk status, service status and more.

I’m not going to explain how to configure all the various OPNsense features as this is very intuitive and well documented on the project’s wiki. There are very powerful features equal to enterprise class firewalls such as cluster support (CARP), complete DNS server (DNS Resolver), full IPv6 support (DHCPv6 Server/RA), Captive Portal (similar to the WLAN portal you see in hotels and public access spots), Load Balancer, VPN Server and more. Showing all configurations would require a dedicated article and is out of scope here.

Basic Firewall Appliance Configuration

To finish the project let’s do the minimum configuration needed for our design: Internet access for the home network (LAN) and for the WLAN access point network (OPT1). We need the following:

  1. Select Firewall, click on NAT and select the Outbound tab
  2. Ensure that Automatic outbound NAT rule generation is selected (of course you can also write the rules yourself)
  3. Now click on Rules and select the LAN tab
  4. The defaults here are already fine for our basic configuration (feel free to change them at your pleasure)
  5. Let’s configure the OPT1 interface by clicking on the OPT1 tab
  6. Click the + button to add the rule that gives the WLAN network its access (and remember: by default everything is denied, so no rule = no access)
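To make the intent of those six GUI steps concrete, here is what they amount to written as a pf ruleset. This is an added illustration of mine, not part of the original article and not the ruleset OPNsense generates (the generated one is much longer and differs in form); interface names and networks are the ones assigned earlier in this article. One assumption beyond the article is marked in the block: the WLAN network on OPT1 is treated as a guest network that may reach the Internet but not the wired LAN.

```pf
# Added illustration in pf syntax, not the configuration OPNsense loads.
# Interfaces and networks as assigned in the article's console dialogs.
wan      = "re2"
lan      = "re0"
opt1     = "re1"
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.168.0/24"

set skip on lo0
scrub in all

# Steps 1-2: outbound NAT for both inner networks onto the (DHCP) WAN address,
# which is what "Automatic outbound NAT rule generation" creates for you.
nat on $wan from { $lan_net, $opt1_net } to any -> ($wan)

# Default deny, logged. No rule = no access.
block log all

# Drop packets that claim an inner-network source on the wrong interface.
antispoof quick for { $lan, $opt1 }

# Everything leaving the box is filtered on the way in; this also lets the
# firewall itself reach out (DNS forwarder, NTP, firmware updates).
pass out all keep state

# Steps 3-4: the default LAN rule, "LAN net to any".
pass in on $lan from $lan_net to any keep state
# DHCP clients on LAN have no address yet, so they are not in $lan_net.
pass in quick on $lan inet proto udp from any port 68 to any port 67 keep state

# Steps 5-6: OPT1 (WLAN). Assumption not stated in the article: WLAN clients
# get Internet access but cannot reach the wired LAN. Delete the block line
# if your WLAN clients are supposed to see LAN hosts.
block in quick on $opt1 from $opt1_net to $lan_net
pass in on $opt1 from $opt1_net to any keep state
```

On the appliance you can compare this with what OPNsense actually loaded: open a shell from the console menu (option 8) and run pfctl -sr for the filter rules, pfctl -sn for the NAT rules and pfctl -ss for the current state table. If a WLAN client can still reach a LAN host after step 6, the block rule is either missing or ordered after the pass rule.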

Check For Updates and Upgrade

Finally, before the appliance goes into production, check it for available updates: select System, then Firmware.

Select upgrade and you’ll see the progress window:

Reboot (if needed) and you’ll be all set.

Final Thoughts

This configuration is of course basic and you’ll need to finalize your firewall policy, but the appliance can be configured to fit your needs. You can set up Dynamic DNS and use it for remote access over IPsec or OpenVPN, or add a WLAN card to one of the two mPCIe slots.

In case you play on a game console, leave it attached to the provider’s router network: double NAT is no fun when you play with your friends over the net. Believe me, you’d regret it otherwise.

Should you be concerned about your game data, think again: all that data is already in the cloud (Microsoft, Sony, Nintendo and others), and we’d better not start that discussion here. Games are fun; either take what you get or don’t, it’s that simple.

OPNsense is a fairly new project and will mature further over the next months, so some minor issues may still need fixing. Still, I see no risk in day-to-day usage: the underlying base is solid and goes back 12 years to m0n0wall.

Now, take it from here and make it better!

About the Author

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.
