
How to Build Your Own Next-Generation Firewall (NGFW) at Home?

There are several mature open-source firewalls, such as pfSense software, OPNsense and IPFire. They are stable, offer a rich feature set and commercial-grade performance, receive timely updates, and have strong community support.

You may find more information about open-source firewalls in the Best Open-Source Firewall article written by Sunny Valley Networks.

You can build a capable next-generation firewall (NGFW) for home use by combining an open-source firewall, a fanless mini PC, and a packet inspection module.

In this tutorial, we describe how to build a next-generation firewall (NGFW) that protects a home network for a few hundred dollars.

What are the System Requirements for Installing the Next-Generation Firewall?

Thanks to the open-source community, very effective security solutions against cyber threats are available free of charge. A cost-effective next-generation firewall therefore requires only a small hardware purchase.

The beauty of building your own firewall is that you are not limited to a black box that you cannot inspect, configure, modify or upgrade easily. You are not forced to buy new hardware whenever your business gains a few more employees or you upgrade your Internet connection from 50 Mbps to 100 Mbps.

You can install the software on virtually any x86-based PC or mini PC, or on any virtualization platform on which a standard FreeBSD or Linux operating system runs natively, such as KVM, VirtualBox, VMware or Proxmox.

Next-generation firewalls for home use can be installed on retired PCs, workstations, or servers. The one thing to keep in mind is that reporting is memory-hungry: 8 GB of RAM or more is recommended if you want reports to be generated quickly (the hard minimum for the packet engine itself is lower; see the RAM section below).

If you want really small, silent hardware with the look and feel of a commercial UTM appliance, you can try Qotom fanless mini PCs. You can purchase one from their Amazon store or from Alibaba. Some models even come pre-installed with pfSense/OPNsense, and there are i7 CPU models with 8 GB of memory pre-installed. We have one in our office (Figure 1) running the latest version of OPNsense and the latest Sunny Valley Networks Packet Engine.


Figure 1. Qotom fan-less mini PC running the latest version of OPNSense and latest Sunny Valley Networks Packet Engine

To protect a home network from cyber attacks and give children a safe web browsing experience, a next-generation firewall needs the following components and system resources.

1. Open-source firewall software

One of the following operating systems, all of which have firewall and router capabilities, may be used as the base for a next-generation firewall at home. We strongly recommend OPNsense, which has a robust and powerful next-generation firewall plugin known as Sensei (ZENARMOR). Sensei (ZENARMOR) supports all of the platforms listed below, but it is best known as one of the top OPNsense plugins and has been thoroughly tested by the OPNsense community in a wide variety of environments since 2017.

  • OPNsense (OPNsense 19.x - 21.x)
  • pfSense Software (pfSense® software 2.5.x)
  • FreeBSD®
  • Ubuntu Linux
  • CentOS Linux
  • Debian Linux
  • AlmaLinux

2. Next-generation firewall software module

Although open-source firewalls are great software and strong alternatives to their commercial counterparts, they lack the following features that define the next-generation firewall category:

  • Application Control
  • Web 2.0 Controls
  • TLS Inspection (Port-agnostic)
  • Extensive Reporting
  • Active Directory Integration

Fortunately, an add-on software package developed by Sunny Valley Networks is available for these open-source firewalls and supplies the missing functionality. Sensei (ZENARMOR) Free Edition is available at no cost to OPNsense users, while the Premium Subscription, which offers more advanced features, can be purchased through the Sunny Valley Networks Cloud Management Portal.

The technology behind Sensei (ZENARMOR) is a powerful packet analysis engine that can also protect against attacks carried inside encrypted traffic, which are increasingly common. It gives security tools full visibility, packet classification, and fine-grained policy enforcement for any type of traffic. More packet intelligence means better decisions, and better decisions mean higher success rates in detecting and preventing cyber attacks.

Some of the key features that are made available to the open-source firewalls include:

  • Application Visibility & Control
  • Drill-down Network Visibility
  • User based filtering & reports
  • Web Security & Cloud App Controls
  • Encrypted Attacks Protection

You may find more information about how Sensei (ZENARMOR) works on official documentation.

The Sensei (ZENARMOR) plugin is available as an installer file and it can be installed easily by downloading and running the installer script. You may find more information about the installation of this next-generation firewall software package on different FreeBSD-based or Linux platforms mentioned above on the official Sensei (ZENARMOR) documentation site.

When the Sensei (ZENARMOR) is installed on the OPNsense firewall, the add-on module integrates its web management software into the existing firewall Web UI, so both Sensei (ZENARMOR) and OPNsense firewall can be managed from a single web interface.

Sensei (ZENARMOR) can also be managed and configured through the Sunny Valley Networks centralized cloud management portal, which is available free of charge. If you use one of the other supported open-source firewalls rather than OPNsense, you must use this portal, which has an intuitive interface, to configure Sensei (ZENARMOR) as a next-generation home firewall.

3. RAM

At least 2 GB of memory is required for Sensei (ZENARMOR); the installer will not proceed if total RAM is less than 2 GB. 4 GB is recommended for a better experience. Be aware that the analytics module relies on Elasticsearch to process large amounts of data, so the amount of system memory available is crucial for the overall performance of Sensei (ZENARMOR).

4. CPU

At least a dual-core CPU is recommended (preferably 4 cores if the reporting database also runs on the firewall). Single-core performance matters more than a large number of cores; for this reason a quad-core i7 desktop is likely to outperform a 12-core Intel Xeon server for this workload.

5. Disk

Sensei (ZENARMOR) stores its large reporting data sets in MongoDB, Elasticsearch, or SQLite as its backend. To estimate the total disk space needed in your environment, allow at least 5 MB of disk space per hour of activity for every 1 Mbps of throughput.

If you are running a 100 Mbps link (roughly 100 users) that is busy for about 12 hours a day and idle the rest of the time, the space needed is:

5 MB x 12 hours x 100 Mbps = 6 GB per day.

6 GB x 7 days a week = 42 GB per week.

42 GB x 4 weeks a month = 168 GB per month.

The following are the recommended minimum hardware requirements to install a next-generation firewall for home use based on the number of devices and the amount of sustained bandwidth.

Active Devices | Maximum WAN Bandwidth | Minimum Memory | Minimum CPU
0 - 25         | 200 Mbps              | 4 GB           | Dual-core x86_64 CPU with a single-core PassMark (https://www.cpubenchmark.net/) score of 200. Note: Deciso A10s, AMD G-Series SOC GX series and Protectli/Qotom Celeron J series are compatible
25 - 100       | 500 Mbps, 10 Kpps     | 4 GB           | Intel dual-core i3 2.0 GHz (2 cores, 4 threads) or equivalent
100 - 250      | 1 Gbps, 20 Kpps       | 8 GB           | Intel dual-core i5 2.2 GHz (2 cores, 4 threads) or equivalent
250 - 1000     | 1-2 Gbps, 40 Kpps     | 16 GB          | Intel dual-core i5 3.2 GHz (2 cores, 4 threads) or equivalent
1000 - 2000    | 1-2 Gbps              | 32 GB          | Intel quad-core i7 3.4 GHz (4 cores, 8 threads) or equivalent
2000+          | 1-2 Gbps              | 64 GB          | Intel quad-core i7 3.4 GHz (4 cores, 8 threads) or equivalent

Table 1. Minimum hardware requirements for next-generation home firewall

You may find more information about the hardware requirements of the next-generation firewall on official documentation of Sensei (ZENARMOR).

Which Firewall Is Better?

There are numerous open-source firewalls that can be used on a home or small business network without hesitation. Open-source operating systems such as Linux, FreeBSD, and OpenBSD include a wide range of networking and security features. As a result, they are natural platforms for building security products, and the vast majority of commercial firewalls are built on one of them.

The main benefits of open source firewalls are as follows:

  • Consistency: Proprietary code relies on a single author or company to keep it up to date, patched, and functional. Because active open-source communities continually update open-source code, it outlives its original authors. Peer review and open standards help ensure that open-source code is thoroughly and frequently tested.
  • Flexibility: Because of its emphasis on modification, open-source code can be used to address problems specific to your company or community. You are not required to use the code in any particular way.
  • Lower cost: Because open-source licensing provides the code for free, the only things you pay for with an open-source firewall are support, security hardening, and help with interoperability.
  • No vendor reliance: You can take your open source code with you wherever you go and use it whenever you want.
  • Open collaboration: Because open source communities are active and helpful, you can find help, resources, and perspectives that go beyond a single interest group or company.
  • Review: Because the source is freely available and the community is active, developers continually check and improve open-source code. Think of it as living code, as opposed to closed code that can stagnate.
  • Transparency: Rather than relying on vendor promises, you can check and track changes in open source code yourself.

There is no doubt that an open-source firewall can safeguard one of your most valuable assets and provide a safe web browsing experience for your kids at home.

If you have never used an open-source firewall before, pick some of the available options and try them by installing them. You will undoubtedly find the open-source firewall that fits your needs. You may find more information about open-source firewalls that can be used on your home network in the Best Open-source Firewalls article written by Sunny Valley Networks.

Which Firewall Should Be Downloaded?

There are numerous open-source firewall software options available, depending on your level of expertise, the size of the network to be protected, ease of use, and even whether the firewall has a graphical interface.

The following open-source firewalls may be installed as a next-generation firewall at home. All of them are simple to download and install on any hardware, virtual platform, or cloud. If you like their features or support and do not want to build your own device, many vendors also sell them as pre-configured appliances. In this article, we focus on OPNsense, which has a next-generation firewall plugin called Sensei (ZENARMOR).

  • OPNsense (OPNsense 19.x - 21.x)
  • pfSense Software (pfSense®software 2.5.x)
  • FreeBSD (FreeBSD 11,12,13)
  • Ubuntu Linux (Ubuntu 18.04 LTS, 20.04 LTS)
  • CentOS Linux (Centos 7, 8)
  • Debian Linux (Debian 10)
  • AlmaLinux (AlmaLinux 1)

How to Download OPNsense?

You may download the OPNsense installation file from the official OPNsense download page. Select the system architecture matching your CPU, the image type, and a mirror location.


Figure 1. Downloading OPNsense DVD ISO file

Depending on your hardware and use case different installation files are provided to download and install OPNsense:

  • dvd: ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.

  • vga: USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.

  • serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.

  • nano: a preinstalled serial image for USB sticks, SD or CF cards with MBR boot. These images are 3 GB in size and automatically adapt to the installed media size after the first boot.

Sample file listing

  • OPNsense-21.7.1-OpenSSL-cdrom-amd64.iso.bz2
  • OPNsense-21.7.1-OpenSSL-nano-amd64.img.bz2
  • OPNsense-21.7.1-OpenSSL-serial-amd64.img.bz2
  • OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2

The easiest way to install OPNsense is the USB memstick installer. If your target platform has a serial interface, download the serial image; otherwise select the vga image type. Choose whichever mirror you like.

How to Install OPNsense?

You may follow the instructions given below to install the OPNsense.

1. Writing the OPNsense image to installation media

You may write the image to a USB flash drive (at least 1 GB) with dd under FreeBSD, Linux or macOS, or under Windows with physdiskwrite (or Rufus).

All downloaded images (img and iso alike) are bzip2-compressed; unpack them first with bunzip2 before writing.

Writing OPNsense image on Windows

physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].[img|iso]

A simple alternative for writing images under Windows is Rufus, a tool that creates bootable USB sticks with a convenient GUI.

Writing OPNsense image on Linux

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16k

Where X = the device name of your USB flash drive (check with lsblk, or with dmesg right after plugging it in); make sure none of its partitions are mounted, and run sync before removing the stick. Ignore bunzip2's warning about trailing garbage; it is caused by the appended digital signature.

Writing OPNsense image on Mac OS X

sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rdiskX bs=64k

Where r = raw device and X = the disk number of your USB flash drive (check with diskutil list; unmount it first with diskutil unmountDisk /dev/diskX). Ignore bunzip2's warning about trailing garbage; it is caused by the appended digital signature.

Writing OPNsense image on FreeBSD

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/daX bs=16k

Where X = the device number of your USB flash drive (check dmesg)

Writing OPNsense image on OpenBSD

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rsdXc bs=16k

Where X = the number of your USB flash drive (check dmesg). The target must be the ENTIRE device (the c partition, which on OpenBSD covers the whole disk) and a raw I/O device (the r in front of sdX), not the block-mode device.
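The dd and physdiskwrite commands above write whatever file you downloaded, so an image that was corrupted in transit or swapped on a mirror goes straight onto the stick. The following script is an added example written for this article, not OPNsense's own tooling: it verifies the compressed download against a published SHA-256 checksum file before writing, refuses partition nodes such as /dev/sdb1 or /dev/disk2s1, and streams the bzip2 image onto the device without a separate bunzip2 step while tolerating bytes after the compressed stream (the "trailing garbage" the notes above refer to). It assumes the checksum file uses either the BSD form "SHA256 (file) = hash" or the GNU form "hash  file", that you run it as root against the whole, unmounted device, and that device names follow the patterns used on this page (sdX, diskX/rdiskX, daX, rsdXc); that pattern does not stop you from naming your system disk, so check the name twice. make_fixture() builds a constructed sample (a fake image, its checksum file, a tampered copy, and a plain file standing in for the USB stick) so the functions can be tried offline.

```python
"""Verify an OPNsense image download against its published SHA-256 checksum and write
it to a USB device. Added example, not OPNsense's own tooling (assumptions in the lead-in)."""
import bz2
import hashlib
import os
import re
import sys
import tempfile
_BSD = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hash>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hash>[0-9a-fA-F]{64}) [ *](?P<name>\S+)$")
# Whole-device names only: sdX (Linux), diskN/rdiskN (macOS), daN (FreeBSD), rsdNc (OpenBSD).
_WHOLE_DEVICE = re.compile(r"(r?sd[a-z]+|r?disk\d+|da\d+|r?sd\d+c)")


def expected_sha256(checksum_file: str, image_name: str):
    """Published digest for image_name from the checksum file, or None if it is not listed."""
    with open(checksum_file, encoding="utf-8") as fh:
        for line in fh:
            m = _BSD.match(line.strip()) or _GNU.match(line.strip())
            if m and os.path.basename(m.group("name")) == image_name:
                return m.group("hash").lower()
    return None


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Digest a large file without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_bz2: str, checksum_file: str) -> bool:
    """True only if the compressed download matches its published checksum."""
    expected = expected_sha256(checksum_file, os.path.basename(image_bz2))
    return expected is not None and sha256_of(image_bz2) == expected


def looks_like_whole_device(dev: str) -> bool:
    """Reject partition nodes (sdb1, disk2s1, da0p1): the image carries its own partition table."""
    return _WHOLE_DEVICE.fullmatch(os.path.basename(dev)) is not None


def write_image(image_bz2: str, device: str, chunk: int = 1 << 20) -> int:
    """Decompress the .bz2 on the fly straight onto the device; returns bytes written."""
    dec = bz2.BZ2Decompressor()
    written = 0
    with open(image_bz2, "rb") as src, open(device, "wb") as dst:
        while not dec.eof:
            block = src.read(chunk)
            if not block:
                raise ValueError("truncated bzip2 stream")
            data = dec.decompress(block)
            dst.write(data)
            written += len(data)
        # Bytes after the bzip2 stream (an appended signature) land in dec.unused_data and are skipped.
        dst.flush()
        os.fsync(dst.fileno())  # make sure the data is on the stick before it is unplugged
    return written


def make_fixture() -> dict:
    """Constructed sample input (not a real release) so the functions can be tried offline."""
    d = tempfile.mkdtemp(prefix="opnsense-demo-")
    payload = bytes(range(256)) * 4096                          # 1 MiB fake disk image
    good = os.path.join(d, "OPNsense-sample-vga-amd64.img.bz2")
    bad = os.path.join(d, "OPNsense-sample-tampered-amd64.img.bz2")
    compressed = bz2.compress(payload)
    with open(good, "wb") as fh:
        fh.write(compressed + b"TRAILING-SIGNATURE-BYTES")      # mimics an appended signature
    with open(bad, "wb") as fh:
        fh.write(compressed[:-1] + bytes([compressed[-1] ^ 0xFF]))  # one byte corrupted
    sums = os.path.join(d, "OPNsense-sample-checksums-amd64.sha256")
    digest = sha256_of(good)
    with open(sums, "w", encoding="utf-8") as fh:                # BSD-style checksum file
        fh.write(f"SHA256 ({os.path.basename(good)}) = {digest}\n")
        fh.write(f"SHA256 ({os.path.basename(bad)}) = {digest}\n")  # published hash of the genuine file
    target = os.path.join(d, "fake-usb-device.img")             # plain file standing in for /dev/sdX
    return {"image": good, "tampered": bad, "sums": sums, "target": target, "payload": payload}


def main(argv) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} IMAGE.bz2 CHECKSUM_FILE DEVICE", file=sys.stderr)
        return 2
    image, sums, device = argv[1:]
    if not verify_image(image, sums):
        print("checksum mismatch or image not listed; refusing to write", file=sys.stderr)
        return 1
    if not looks_like_whole_device(device):
        print(f"{device} does not look like a whole device; refusing to write", file=sys.stderr)
        return 1
    print(f"verified {os.path.basename(image)}; wrote {write_image(image, device)} bytes to {device}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root, for example python3 write_opnsense.py OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2 CHECKSUM_FILE /dev/sdX, where CHECKSUM_FILE is the checksum list downloaded from the same mirror directory as the image (its exact name is not given on this page). A checksum only proves the file matches what the mirror published; where the project also publishes a signature for the release, verify that as well.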

2. Installing OPNsense from USB to the target device

After configuring your system to boot from USB, insert the USB stick into one of the USB ports and boot. The default behavior is to start the live environment; to start the installer, log in with user installer and password opnsense.

Info
  • Default OPNsense installer username: installer
  • Default OPNsense installer password: opnsense

3. Configure console

The default configuration should be fine for most occasions. You may continue with default settings.

4. Select task

Select the Quick/Easy Install option; it is fine for most cases. For installations on embedded systems or systems with minimal disk space, you may choose Custom Installation and skip creating a swap slice. Otherwise continue with the default settings.

5. Are you SURE?

When you proceed, OPNsense is installed on the first hard disk in the system.

6. Reboot

The system is now installed and needs to be rebooted to continue with the configuration.

WARNING

You will lose all files on the installation disk. If another disk is to be used, choose a Custom installation instead of Quick/Easy Install.

You may also learn how to install OPNsense on Proxmox Virtual Environment by reading the OPNsense Installation Tutorial written by Sunny Valley Networks. Since the OPNsense installation procedure is almost the same on every platform, that article is helpful for USB installations as well.

What should be done after the Installation is Completed?

After installing OPNsense, complete the following initial configuration steps.

  1. Network device assignments
  2. IP address settings
  3. Updating OPNsense Firewall
  4. Accessing the OPNsense GUI
  5. Initial configuration of OPNsense Firewall

You may find more information about the initial configuration steps on OPNsense Installation Tutorial written by Sunny Valley Networks.

The most important part of building a next-generation firewall at home is installing Sensei (ZENARMOR), which enables OPNsense to inspect network traffic. Sensei (ZENARMOR) is one of the best OPNsense plugins because it adds next-generation firewall features to OPNsense, such as application control, content filtering, and all-ports TLS inspection.

Installing Sensei (ZENARMOR)

The Sensei (ZENARMOR) installation process is straightforward: you can install it from the OPNsense web UI, so there is no need to connect over SSH.

If you prefer one of the other open-source firewalls mentioned above, the official documentation explains how to install Sensei (ZENARMOR) there; it takes a single command on the CLI.

You can install with the following instructions:

  1. Log in to the OPNsense web UI as root. In the left pane, click System > Firmware > Plugins.
  2. The Plugins page lists installed and available plugins. Use Ctrl + F to search for os-sunnyvalley and press Enter to find the Sensei (ZENARMOR) plugin components.


Figure 2. Installing os-sunnyvalley on OPNsense firewall

  3. Click the + button next to os-sunnyvalley (the Sunny Valley Networks vendor repository); you will be redirected to the Update tab.
  4. After installation, os-sunnyvalley appears as installed on the Plugins page. If you cannot see it, refresh the web UI with F5.

Figure 3. Verifying that the os-sunnyvalley plugin is installed on OPNsense

  5. Next, install os-sensei (Next generation firewall extensions for OPNsense). Find it with Ctrl + F and click the + button to install it.

Figure 4. Installing the os-sensei plugin on OPNsense

  6. After installing Sensei (ZENARMOR), a Sensei (ZENARMOR) menu appears in the left sidebar of the OPNsense web interface. If you cannot see it, refresh the web UI with F5 to verify the installation.


Figure 5. Verifying Sensei (ZENARMOR) menu on OPNsense Web UI

  7. After verifying the installation, complete the Initial Configuration Wizard so that Sensei (ZENARMOR) is fully operational. For more information about the initial configuration of Sensei (ZENARMOR) on OPNsense, refer to the official documentation.

Although the preferred way to install Sensei (ZENARMOR) is the web interface (see the instructions above), you can also install the plugin from the command line over SSH or on the console. For details, refer to Installing Sensei (ZENARMOR) on OPNsense via Command Line.

Why Does Sunny Valley Prefer OPNsense?

Sensei (ZENARMOR) uses a FreeBSD subsystem called netmap to access raw Ethernet frames. Netmap is a DPDK-like kernel interface that lets Sensei (ZENARMOR) sit between the Ethernet adapter and the FreeBSD/Linux network stack, so it can inspect frames and act on them before they reach the stack or their destination.

Netmap offers very fast and efficient packet I/O for kernel and user-space applications and in virtual machines. It can handle tens of millions of packets per second, enough to saturate 10G and even 40G ports with minimum-size frames.

Netmap is compatible with FreeBSD, Linux, and some versions of Windows. For FreeBSD and Linux, it is implemented as a single kernel module.

Netmap is already included and enabled by default in recent FreeBSD (10.x and later), OPNsense and pfSense software releases. However, if you want to run Sensei (ZENARMOR) in Routed Mode (L3 mode, with reporting and blocking available) on the supported Linux distributions (Ubuntu 18.04 LTS and 20.04 LTS, CentOS 7 and 8, Debian 10 and AlmaLinux 1), you must install netmap yourself. Installing netmap on Linux can be difficult; the Netmap Installation on Linux article written by Sunny Valley Networks, which covers Ubuntu 20.04, may be helpful.

To use all of Sensei (ZENARMOR)'s filtering features, the netmap framework must be present on your system. Sunny Valley Networks recommends running your next-generation firewall on a FreeBSD-based system, because netmap is natively supported by FreeBSD-based systems such as OPNsense and pfSense software and works there without surprises. If you prefer a Linux-based firewall such as Ubuntu or CentOS, make sure to install the netmap kernel modules and be aware that netmap compatibility issues may arise.
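To make the packet-engine description concrete, here is an added example written for this article (not Sensei/Zenarmor code) of the kind of decision such an engine makes on each raw Ethernet frame netmap hands it: walk the Ethernet, IPv4 and TCP headers, recognize a TLS ClientHello by its record and handshake headers rather than by the destination port (the "port-agnostic TLS inspection" listed earlier), pull the Server Name Indication out of it, and match it against a policy. The frame is constructed in the block by build_client_hello_frame(), the BLOCKED_DOMAINS policy is made up, and IP/TCP checksums are left at zero because the parser never validates them. A real engine would additionally reassemble TCP segments, handle IPv6 and VLAN tags, and track flows so that the verdict on the ClientHello is applied to the rest of the connection.

```python
"""Port-agnostic TLS ClientHello / SNI detection on raw Ethernet frames.
Added example, not Sensei (ZENARMOR) code; the frame and the policy are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TLS_HANDSHAKE = 0x16          # TLS record content type
TLS_CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000      # SNI extension type
BLOCKED_DOMAINS = {"ads.example", "tracker.example"}  # constructed policy, not a real list


def parse_tcp_payload(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP; return (src_port, dst_port, payload) or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    return src_port, dst_port, tcp[data_off:]


def is_client_hello(payload: bytes) -> bool:
    """A handshake record whose first message is a ClientHello, whatever the port."""
    return len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[5] == TLS_CLIENT_HELLO


def extract_sni(payload: bytes):
    """Return the SNI host name from a ClientHello, or None if absent or malformed."""
    if not is_client_hello(payload):
        return None
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    hs = payload[5:5 + rec_len]                      # handshake: type(1) length(3) body
    hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # client_version + random
    try:
        pos += 1 + hello[pos]                                        # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]           # cipher_suites
        pos += 1 + hello[pos]                                        # compression_methods
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]      # extensions block
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            ext, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type == EXT_SERVER_NAME and len(ext) >= 5 and ext[2] == 0:  # name_type host_name
                name_len = struct.unpack_from("!H", ext, 3)[0]
                return ext[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                  # truncated or malformed hello
    return None


def verdict(frame: bytes) -> dict:
    """Per-frame decision: identify TLS by content, not by port, then apply the policy."""
    parsed = parse_tcp_payload(frame)
    if parsed is None:
        return {"client_hello": False, "sni": None, "dst_port": None, "action": "pass"}
    _, dst_port, payload = parsed
    sni = extract_sni(payload)
    host = (sni or "").lower()
    blocked = any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
    return {"client_hello": is_client_hello(payload), "sni": sni, "dst_port": dst_port,
            "action": "block" if blocked else "pass"}


def build_client_hello_frame(hostname: str, dst_port: int) -> bytes:
    """Constructed input: a minimal Ethernet/IPv4/TCP frame carrying a ClientHello with SNI
    (checksums are left zero; the parser above never validates them)."""
    name = hostname.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session_id
             + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([TLS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    record = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip
```

The point of the example is the order of checks: the destination port (8443 in the constructed frame) is never consulted to decide whether the payload is TLS, so a ClientHello to a blocked host is caught on any port, and a malformed or truncated hello yields None rather than an exception that would stall the engine.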

Murat Balaban, founder and CEO of Sunny Valley Networks, explains why they recommend the OPNsense firewall:

"The reason we're going to market with OPNsense is that it already offers most of the features available in the top commercial firewalls. Based on a security-centric BSD distribution, HardenedBSD, they have a security-first mindset. The product is very flexible, extendable, and contrary to the general belief about open source products, proves to be very reliable and stable. Trying to build a complete firewall product would be a total waste of resources for us. So instead of creating a full-fledged firewall product, we chose to integrate our technology into one of the top open source network security platforms in the world."

What are the Features that Distinguish OPNsense from Other Security Systems?

OPNsense is an open-source firewall distribution based on FreeBSD. It is a fork of pfSense and was first released in 2015. Besides the firewall, it provides DHCP and DNS servers, VPNs, and other services. Even someone with little IT experience can use the OPNsense firewall with the Sensei (ZENARMOR) plugin, which provides application control and web filtering, to protect a home network from cyber attacks. It can be installed on a physical or a virtual server.

By installing OPNsense to protect your home network, you gain the following advantages.

  • OPNsense has many features that set it apart from competitors, including a forward caching proxy, traffic shaping, intrusion detection, and a simple OpenVPN client setup.
  • Because of OPNsense's emphasis on security, it offers features such as the option to use LibreSSL instead of OpenSSL (selectable in the GUI) and a custom build based on HardenedBSD.
  • OPNsense's dependable update mechanism allows it to deliver critical security updates on time.
  • OPNsense has an extensive list of plugins, which is beneficial for multiple users who use different applications.
  • OPNsense has a friendly and helpful community. One appealing aspect of the OPNsense community is that it has produced a large number of community plugins in a relatively short time; OPNsense has more than 70 community-contributed plugins at the time of writing.
  • Its web UI is intuitive and simple enough to use without assistance, particularly for those just learning how to use a firewall. Another user-friendly feature is the search bar that finds a menu item when you don't know where it lives. OPNsense clearly shines in user interface and usability.

You may find more information about the features of OPNsense on Best Open-source Firewalls article written by Sunny Valley Networks.

What is the Next-Generation Firewall?

A next-generation firewall (NGFW) is a network security solution with capabilities beyond those of a traditional stateful firewall. A traditional firewall performs stateful inspection of incoming and outgoing packets and permits or denies traffic based on source/destination IP address, port, and protocol. It filters traffic according to predefined policy rules and usually also provides VPN connectivity.

A next-generation firewall adds features such as deep packet inspection, application control, web content filtering, intrusion prevention, and cloud-delivered threat intelligence. NGFWs can therefore block newer threats such as application-layer (L7) attacks and malware.

NGFWs have a high level of control and visibility over the applications they identify through traffic analysis and signature matching. They may use allowlists or a signature-based intrusion prevention system to distinguish safe from malicious applications, and with SSL/TLS decryption they can apply the same identification to encrypted sessions. NGFWs also have a path for receiving future updates, unlike many traditional firewalls.

A powerful next-generation firewall has the following capabilities listed below:

  • It provides fast threat detection: it identifies attacks in seconds and detects data breaches within minutes.
  • It offers a variety of deployment options and flexible management: it can be deployed in the cloud or on premises, on virtual machines or on bare metal, and it supports a wide range of throughput.
  • It should provide comprehensive network visibility by reporting active applications and websites, where and when a threat originated, threat activity across users, devices, and networks.
  • A powerful next-generation firewall should also have advanced detection capabilities to identify advanced malware quickly.
  • It prevents threats before they get inside, is equipped with the most recent threat intelligence to stop new threats, and has web filtering to enforce policies on hundreds of millions of URLs.