Guide to Turn a Project TinyMiniMicro Node into a pfSense Firewall


RTM

Well-Known Member
Jan 26, 2014
Sure you can do this, but honestly I think it is a bad idea.

Here are some reasons:
  1. Some switches are difficult/impossible to prevent access to the management interface, from the physical port you use as WAN
  2. Switches often leak information about the IP of the management interface, the version of software on it, via protocols like LLDP
  3. Boxes like this that support stuff like Intel AMT or AMD DASH on the NIC, software like that is known to have had vulnerabilities in the past, do you really want this on the WAN interface? (even if only via a VLAN)
Other reasons (a little more subjective):
  1. Switches are for the most part not security devices, using firewalls to separate zones is a good way to achieve better security
  2. There are plenty of machines that have more than one NIC, surely those would be better options
Of course there are plenty of caveats to the above, for one using an enterprise switch (that may well be designed to be used like this) over a cheap TP-link (the first reason I mentioned) should limit the risk. Likewise if you do some hardening, you can mitigate much of the risk (an example with Mikrotik equipment, is they enable what they call L2 telnet and winbox on all interfaces (AFAIK), by disabling this the risk should be effectively mitigated).
 

TXAG26

Active Member
Aug 2, 2016
Great article. As an add-on or Part 2, additional discussion about TinyMiniMicro PCs that support 2 or more NICs would be very helpful!
 

Parallax

Active Member
Nov 8, 2020
Nice box, but the choice of Realtek LAN ports is a shame. I'm not an Intel zealot, but I ended up having to replace an i5-8250 box with a Lenovo Tiny running Intel NICs because of very hard to diagnose I/O wait and nmap problems on the two Realtek NICs.
 

maes

Active Member
Nov 11, 2018
For those units that have a configurable rear IO option that can fit a DE-9 or VGA connector (I have a Dell 5050 micro), I stumbled on a 2230-size M.2 gigabit network card that uses an Intel i210-AT and works pretty damn well as a replacement for the wifi card.
Commell M2-210 M.2(NGFF) Gigabit Ethernet Card

With a bit of 3D printing to make a compatible retainer bracket, it's an effective way to get a 2nd LAN port that's not Realtek based.
 

kapone

Well-Known Member
May 23, 2015
RTM said:
> Sure you can do this, but honestly I think it is a bad idea.
>
> Here are some reasons:
>   1. Some switches are difficult/impossible to prevent access to the management interface, from the physical port you use as WAN
>   2. Switches often leak information about the IP of the management interface, the version of software on it, via protocols like LLDP
>   3. Boxes like this that support stuff like Intel AMT or AMD DASH on the NIC, software like that is known to have had vulnerabilities in the past, do you really want this on the WAN interface? (even if only via a VLAN)
> Other reasons (a little more subjective):
>   1. Switches are for the most part not security devices, using firewalls to separate zones is a good way to achieve better security
>   2. There are plenty of machines that have more than one NIC, surely those would be better options
> Of course there are plenty of caveats to the above, for one using an enterprise switch (that may well be designed to be used like this) over a cheap TP-link (the first reason I mentioned) should limit the risk. Likewise if you do some hardening, you can mitigate much of the risk (an example with Mikrotik equipment, is they enable what they call L2 telnet and winbox on all interfaces (AFAIK), by disabling this the risk should be effectively mitigated).
While you're not entirely wrong, the approach laid out here is not exotic or esoteric at all. It's been in use in production for many many organizations forever. It's called Router-On-A-Stick. (I use the same exact approach for my home and business)

Most, if not all, of your concerns boil down to configuring things right, this little box (or any other box) notwithstanding. And there's the rub. Router on a stick is easy in concept, principle and implementation (hell, I've posted here many many times on how to do it with Brocade switches); the complexity comes after, for the hardening and security.

I applaud the author for a very easy to understand article, for the masses. I'd welcome a follow-on article that actually talks about what to do "the morning after" :)
 

RTM

Well-Known Member
Jan 26, 2014
kapone said:
> While you're not entirely wrong, the approach laid out here is not exotic or esoteric at all. It's been in use in production for many many organizations forever. It's called Router-On-A-Stick. (I use the same exact approach for my home and business)
>
> Most, if not all, of your concerns boil down to configuring things right, this little box (or any other box) notwithstanding. And there's the rub. Router on a stick is easy in concept, principle and implementation (hell, I've posted here many many times on how to do it with Brocade switches); the complexity comes after, for the hardening and security.
>
> I applaud the author for a very easy to understand article, for the masses. I'd welcome a follow-on article that actually talks about what to do "the morning after" :)
You are entitled to your own opinion, and I know that this is something that is sometimes done in enterprise environments.

That said I think you are glossing over one of the points, that I was trying to make: not all hardware is suitable.

There is a fairly large difference between a Brocade (enterprise grade) switch and a cheap switch where you cannot even limit access to the switch's management interface from the WAN port (I have a TP-link that is like this). While both might be capable of working in this type of configuration, it does not mean that they are equally suitable.

In my opinion the same holds true for the platform you use for the router, mostly in the form of the network interface used (I would not want to use the same interface that holds AMT/DASH management).
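The hardening RTM describes for Mikrotik gear in both of his posts (restricting the layer-2 telnet/WinBox servers and the neighbor-discovery leak so the switch's management plane is not reachable from the port carrying WAN), written out as an added RouterOS example that is not from any poster here. It assumes RouterOS v6.41 or later (interface lists), a bridge named bridge1 carrying the LAN VLANs, and 192.168.88.0/24 as the management subnet; adjust those to your own setup.

```routeros
# Added example, not any poster's configuration. Assumed names: bridge1 is the
# trusted LAN bridge, 192.168.88.0/24 is the management subnet.

# 1. Define which interfaces are allowed to reach the switch's own services.
#    Everything not in this list (including the port carrying WAN) is excluded.
/interface list add name=LAN comment="interfaces allowed to reach management"
/interface list member add list=LAN interface=bridge1

# 2. RTM's reason 1: the layer-2 MAC-telnet and MAC-WinBox servers default to
#    "all" interfaces, so they answer on the WAN-facing port too. Limit them.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# 3. RTM's reason 2: MNDP/CDP/LLDP announcements carry the management IP and
#    software version. Only discover (and announce) on the LAN list.
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. Disable plaintext/unneeded IP services and pin the rest to the LAN subnet
#    so a mis-tagged frame from the WAN side still cannot log in.
/ip service disable telnet,ftp,www,api
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 5. Check what is still exposed before relying on the change.
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
/ip service print
```

After applying, confirm from a host on the WAN-side port that WinBox's neighbor list no longer shows the switch and that the management IP does not answer; that is the test RTM's point is really about.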