IPFire or ? in 2024


Napalm

New Member
Sep 8, 2021
24
1
3
I'm new to the roll-your-own-router game, and I'm coming from a Ubiquiti EdgeRouter device. I have a symmetric 1 Gb connection and might later move to 2 Gb. The price is surprisingly cheap, $85 per month.

Anyway, I've got a NAS server box and I like to tinker, so this is the next project. I plan on getting either a Topton or similar box from AliExpress with an N100, 8 GB RAM, and 128 GB M.2, with the 4 i226-V NICs. Or I get an iKOOLCORE R2 device. But the Topton is cheaper.

And I've read a number of things about various router OSes, but a lot of the bits I read are from pre-2020. And while I know pfSense is the automatic knee-jerk answer, I was wondering if I'd be better off elsewhere. Also, I hear terrible things about pfSense support.

I'm curious if there is new, better info out there. A lot of reads point to IPFire working very well, and others point to OPNsense, but I think I want a Linux-distro-based router OS. Besides, everything else I run is Linux-based.
 

Tech Junky

Active Member
Oct 26, 2023
348
119
43
I run Ubuntu and for the FW just use iptables. Just Google "homebrew router Linux" and you'll get a walkthrough.
 

Stephan

Well-Known Member
Apr 21, 2017
929
706
93
Germany
85 for 1/1, Switzerland?

Doing the same but on Arch. Highly custom and full customizability with iptables and ebtables (old school), like NAT'ing outgoing port 25 SMTP via an external IP in a datacenter so mail delivery is working nicely.

I suspect he wants a GUI solution though. For 1 Gbit/s a Skylake-class CPU is necessary. N100 should be enough. Question is, what should the firewall do except NAT and except not allow mostly anything. Feature-set determines solution. Another question, what should the learning curve be. Just GUI click click done or learn something about security and networking?

There is also OpenWrt for x86. Could be enough. Usually very stable. Just make sure to qualify the cheap China hardware, i.e., torture tests on CPU and RAM for a couple of days to see if it is truly stable. Get a second power supply because those go first, and try to activate a hardware-assisted watchdog that resets the box should it hang.
 

louie1961

Active Member
May 15, 2023
163
62
28
I have a version of the Topton device you describe, but it was branded "Hunsn"; I bought it on Amazon. It's the N100 chip, 4 Ethernet ports. I am running pfSense Plus. I pay the $120/year for TAC Lite support and so far the support has been great. I originally paid for the support/license on a J4125 box, and when I decided to move to an N100 box, they cheerfully helped me move the license.

In my home lab I run 3 Proxmox nodes, 12 Docker images, 4 NAS devices (2 virtualized), etc. All of which is to say I have fully embraced Linux; I am not afraid of more complicated projects, or the command line. I couldn't imagine rolling my own firewall software. pfSense has been great.

I have it configured to do dual WAN, with routing rules so some of my VLANs go out one WAN port, and one special VLAN goes out the other WAN port. I also have WAN failover configured. On the back side, I have a link aggregation (LACP) set up between the N100 box and my managed switch. So all four of the N100 ports are used. I use the firewall rules (obviously), I use the DNS resolver function for internal DNS resolution for fully qualified domain names in my lab, I have a Tailscale interface running, I use pfBlockerNG instead of Pi-hole, and I am starting to play with Snort and Suricata. In my experience, pfSense has been great. Yes, it is not Linux. But it is pretty darn good in its own right.
 

rtech

Active Member
Jun 2, 2021
299
106
43
I use IPFire.
A couple of points about it:
- Rock stable in my use case.
- IPv4 only; IPv6 has been in development for something like 10 years, so do not expect it any time soon.
- Do you need VPN? It supports OpenVPN & IPsec only.
- I do not use its GUI, so I can't tell you more about that.
The above posters suggest a general-purpose distro and iptables, which is fine, but compared to that IPFire is a very stripped-down distro, which means less attack surface.

In terms of networking, Linux is faster than BSD, so you will have an easier time achieving your 1G throughput, so for your use case I would definitely go with some Linux-based distro.
 

Napalm

New Member
Sep 8, 2021
24
1
3
Oh right, fair. So, my goals that I know of. Again, I'm new to this, replacing a Ubiquiti EdgeRouter.

VPN: I'd like to run something, and I hear a lot about WireGuard. I have a server/stream/download machine running TrueNAS SCALE that supports my Jellyfin habit and will eventually become my music repository too.

While I have symmetric 1 Gb today, I would like to do some security like packet inspection and intrusion detection/prevention.

I'd also like to run something like Pi-hole on it.
 

Tech Junky

Active Member
Oct 26, 2023
348
119
43
packet inspects and intrusion detection/prevention.
If you only allow originated traffic to come back in, it's useless. ntopng, though, will provide stats for free if you want to look at flows or gather metrics.

So, the best option is probably Nord for covering the whole network and auto connecting upon boot. Works on Linux but not sure about BSD.
 

rtech

Active Member
Jun 2, 2021
299
106
43
@Tech Junky
Won't allowing only originated traffic interfere with certain types of traffic like P2P or hosting services?

I use a VPN server installed on one of the VMs I have. Having the VPN on the firewall is not strictly necessary.
IPFire does have IDS/IPS: Suricata.
IPFire can use QEMU to run VMs, so if you want to run any VPN on your firewall you can just run it in a VM.
 

Tech Junky

Active Member
Oct 26, 2023
348
119
43
@rtech

Well, if you put the "router" at the ISP connection, that's where the FW rules exist. If you don't allow originated traffic to exit the network, then you have no internet. Then if you don't allow it into the FW, you have the same result.

VPNs are a different subject that simply obfuscates the traffic from others being able to see it and know what's being moved outside of your network. If you're using a paid VPN, it's basically a proxy to hide your identity and not much more. If you're doing site-to-site, then it's cloaking the traffic inside of the tunnel.

VM-based options still need internet access unless you're doing lab work and setting them up for S-2-S between them.

Code:
# iptables-restore format. All three filter chains default to DROP and hand
# each packet to a per-direction PERMIT-* chain; anything that falls off the
# end of a PERMIT-* chain returns and hits the DROP policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
# Routed traffic: replies to tracked flows first, then any new connection
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
# Traffic to the box itself: only loopback, the LAN bridge, or replies
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Traffic from the box itself: loopback, LAN bridge, replies, new outbound
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for everything leaving via the VPN tunnel or the cellular uplink
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT
If you KISS, then it's easy to manage. If you want metrics, then add more "log" commands to get those stats without affecting the traffic. The more rules you have, the more impact on speed due to the excessive processing needed. Also, rules are processed from the top down. If there's a match at the top, the packet moves on or is dropped, so put your LAN stuff on top, i.e. lo/br0. I've been running things this way for years and have tried all of the other junk posted online. There are just as many recommendations as there are people with opinions though... everyone has at least one.

I used to put explicit drop statements at the end of each section, but I still get the packet counts in the summary view as noted.
[attached screenshot: iptables summary view with per-chain packet counts]

So, even with originated traffic it's still picking up stuff that doesn't match the rules and dropping it. So, there's probably some dumb device randomly waking up and bursting some traffic and getting dropped. Mind you, the uptime right now is less than 24 hours since I rebooted to apply some GPU updates, but it's quite effective in blocking bad packets efficiently.
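To make the "only originated traffic comes back in" behaviour of the posted ruleset concrete, here is an added example (written for this edit, not the poster's own tooling) that models the ruleset as a tiny stateful evaluator: a conntrack table, the INPUT/FORWARD/OUTPUT dispatch, and the accept conditions of each PERMIT-* chain. It also shows the one place an interface restriction changes the verdict: as posted, PERMIT-FWD accepts NEW regardless of ingress interface, so keeping unsolicited connections off the LAN relies on NAT and private addressing rather than on the filter; a variant that only accepts NEW entering on br0 drops that case. The interface names br0/wwan0 come from the posted rules; the IP addresses and the four sample packets are constructed, and source NAT is not modelled (addresses are shown as conntrack sees them on the LAN side).

```python
"""Stateful default-deny policy simulator (added example, not the poster's code).

Models the posted iptables ruleset: filter chains default DROP,
RELATED,ESTABLISHED accepted everywhere, NEW accepted in FORWARD and OUTPUT,
INPUT only from lo/br0 or for replies. Interface names br0 (LAN bridge) and
wwan0 (uplink) are taken from the posted rules; everything else is assumed.
"""
from dataclasses import dataclass

LAN_IFACES = {"lo", "br0"}


@dataclass(frozen=True)
class Packet:
    in_if: str    # ingress interface, "" when generated by the firewall itself
    out_if: str   # egress interface, "" when delivered to the firewall itself
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Minimal stand-in for the kernel connection table (no timeouts)."""

    def __init__(self):
        self.table = set()

    def state(self, pkt):
        # A packet matching a tracked flow in either direction is ESTABLISHED.
        if pkt.flow() in self.table or pkt.reverse_flow() in self.table:
            return "ESTABLISHED"
        return "NEW"

    def commit(self, pkt):
        # Only accepted packets create conntrack entries.
        self.table.add(pkt.flow())


def classify(pkt):
    """Which filter chain a packet traverses (DNAT is not modelled)."""
    if pkt.in_if == "":
        return "OUTPUT"
    if pkt.out_if == "":
        return "INPUT"
    return "FORWARD"


def posted_policy(chain, pkt, state):
    """Verdict of the PERMIT-* chains exactly as posted."""
    if chain == "INPUT":
        return pkt.in_if in LAN_IFACES or state == "ESTABLISHED"
    if chain == "OUTPUT":
        return pkt.out_if in LAN_IFACES or state in ("ESTABLISHED", "NEW")
    return True  # FORWARD accepts RELATED,ESTABLISHED and NEW alike


def tightened_policy(chain, pkt, state):
    """Same ruleset, but FORWARD only accepts NEW flows that entered on br0."""
    if chain == "FORWARD" and state == "NEW":
        return pkt.in_if == "br0"
    return posted_policy(chain, pkt, state)


def run(policy, packets):
    """Evaluate packets in order; returns (chain, ctstate, verdict) per packet."""
    ct = Conntrack()
    verdicts = []
    for pkt in packets:
        chain = classify(pkt)
        st = ct.state(pkt)
        accepted = policy(chain, pkt, st)
        if accepted:
            ct.commit(pkt)
        verdicts.append((chain, st, "ACCEPT" if accepted else "DROP"))
    return verdicts


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Packet("br0", "wwan0", "192.168.1.10", "203.0.113.5", "tcp", 51000, 443),   # LAN host opens HTTPS
    Packet("wwan0", "br0", "203.0.113.5", "192.168.1.10", "tcp", 443, 51000),   # server reply
    Packet("wwan0", "", "198.51.100.7", "192.0.2.1", "tcp", 40000, 22),         # unsolicited SSH to the box
    Packet("wwan0", "br0", "198.51.100.7", "192.168.1.10", "tcp", 40001, 445),  # unsolicited SMB to a LAN host
]

if __name__ == "__main__":
    for name, policy in (("posted", posted_policy), ("tightened", tightened_policy)):
        print(name)
        for pkt, (chain, st, verdict) in zip(SAMPLE, run(policy, SAMPLE)):
            print(f"  {pkt.in_if or '-':6} -> {pkt.out_if or '-':6} {chain:8} {st:12} {verdict}")
```

The third packet is dropped by both variants: it is NEW and arrives on wwan0, so nothing in PERMIT-IN matches and the INPUT policy applies. The fourth differs: the posted PERMIT-FWD accepts any NEW flow, so a routed peer that can reach 192.168.1.0/24 (a VPN side, for instance) is only stopped by whatever sits in front of the firewall; adding `-i br0` to the NEW rule makes the filter itself enforce the "originated from inside" intent.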
 

Napalm

New Member
Sep 8, 2021
24
1
3
85 for 1/1, Switzerland?
No, it's $60 for 1/1 and $85 for 2/2, or it might be 2/1 now that I think about it. I'm in Mississippi using C Spire; I've had fibre to the house for over 7 years now. They also offer an 8 Gb package but it's too spendy for me, and also crazy overkill for what I do. I think it's pretty reasonable. I have no real need for the 2 Gb setup unless I up my seedbox significantly.
 

Napalm

New Member
Sep 8, 2021
24
1
3
Also, as of right now I'm leaning towards either IPFire or OpenWrt, keeping an open mind to moving to pfSense or OPNsense if I don't like what I start with.
 

Napalm

New Member
Sep 8, 2021
24
1
3
OpenWrt is out, I think. So back to IPFire, OPNsense, or pfSense. Again, for the most part I see nothing wrong with OPNsense or pfSense, but I was hoping for a Linux-based solution.

VyOS seems overly difficult and not meant for me, or rather not meant for a non enterprise admin or such.
 

Napalm

New Member
Sep 8, 2021
24
1
3
I thought it was. Nothing wrong with the FreeBSD setup, but I wonder just how long it will continue to update or maintain performance.