Guide to Turn a Project TinyMiniMicro Node into a pfSense Firewall

RTM

Sure you can do this, but honestly I think it is a bad idea.

Here are some reasons:
  1. On some switches it is difficult or impossible to prevent access to the management interface from the physical port you use as WAN
  2. Switches often leak information about the IP of the management interface and the version of software on it via protocols like LLDP
  3. Boxes like this that support stuff like Intel AMT or AMD DASH on the NIC: software like that is known to have had vulnerabilities in the past; do you really want this on the WAN interface (even if only via a VLAN)?
Other reasons (a little more subjective):
  1. Switches are for the most part not security devices; using firewalls to separate zones is a good way to achieve better security
  2. There are plenty of machines that have more than one NIC; surely those would be better options
Of course there are plenty of caveats to the above. For one, using an enterprise switch (that may well be designed to be used like this) rather than a cheap TP-Link (the first reason I mentioned) should limit the risk. Likewise, if you do some hardening you can mitigate much of the risk (an example with Mikrotik equipment is that they enable what they call L2 telnet and winbox on all interfaces (AFAIK); by disabling this the risk should be effectively mitigated).
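As an added example (not from the thread or from any poster), here is what the Mikrotik hardening mentioned above looks like in RouterOS: the shipped state, where MAC-telnet/MAC-winbox and neighbor discovery are allowed on every port, beside a configuration that confines them to trusted LAN ports. The `bridge` interface as the LAN, the 192.168.88.0/24 management subnet and RouterOS 6.41+ command syntax are assumptions.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.41+ syntax,
# a bridge named "bridge" holding the trusted LAN ports, and a
# management subnet of 192.168.88.0/24 (all assumptions).

# --- Shipped (weak) state on a blank configuration ---
# /tool mac-server set allowed-interface-list=all
# /tool mac-server mac-winbox set allowed-interface-list=all
# /ip neighbor discovery-settings set discover-interface-list=all
# i.e. layer-2 management and MNDP/CDP/LLDP advertisements are
# reachable on every port, including the one facing the WAN.

# --- Hardened state ---
# 1. An interface list that contains only trusted (LAN) ports.
/interface list add name=LAN comment="trusted ports only"
/interface list member add list=LAN interface=bridge

# 2. Limit layer-2 management (MAC-telnet, MAC-winbox, MAC-ping)
#    to the LAN list so the WAN-facing port cannot reach it.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

# 3. Stop neighbor-discovery advertisements (MNDP, CDP, LLDP) that
#    leak the management IP and software version toward the WAN port.
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. Disable unneeded IP services and bind the rest to the LAN subnet.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Check that nothing is left on "all":
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
```

The same check from the pfSense side is simply whether the switch's management IP and LLDP neighbor entries are still visible on the WAN VLAN after the change.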

TXAG26

Great article. As an add-on or Part 2, additional discussion about TinyMiniMicro PCs that support 2 or more NICs would be very helpful!