Combining an open source firewall, a fan-less mini PC and a packet inspection module, you can build your own Next Generation Firewall at home. In this blog post, we’ll show you how to build yours for a few hundred dollars.
You are probably already using one of the well-known open source firewalls like pfSense, OPNsense or IPFire. You love them as we do. They are very successful firewall projects: plenty of features, quite stable, commercial-grade performance, timely updates and great community support.
In this blog post, we’re going to show you how to turn these great firewalls into their Next Generation counterparts.
What are the ingredients?
- An open source firewall software. E.g. OPNSense, pfSense, IPFire etc.
- A hardware / VM platform
- A software module to provide the next generation firewall features
Which Open Source Firewall?
pfSense, OPNsense, Endian, IPFire etc. They are all great. But we will go with OPNsense, because for the time being the next generation add-on software by Sunny Valley Networks is available only for OPNsense.
Which Platform to install?
The beauty of building your own firewall is that you are not limited to a specific black box which you cannot touch, configure, modify or upgrade easily. You’re not doomed to buying new hardware whenever your business gets a few more employees or you upgrade your Internet link from 50 Mbps to 100 Mbps.
You can install the whole software on virtually any x86 based PC or mini-PC, or on any virtualization platform on which a standard FreeBSD/Linux operating system can run natively, like KVM, VirtualBox, VMware, Proxmox etc.
You can install it onto one of your retired PCs, workstations or servers. The only thing you need to keep in mind is that you’ll need at least 8 GB of memory to be able to generate reports quickly.
If you want really small hardware which is really silent and has the look and feel of a commercial UTM device, you can try Qotom fan-less mini PCs. You can purchase one from their Amazon Store or from Alibaba. Some models even come pre-installed with pfSense/OPNsense. They even have i7 CPU models with 8 GB of memory pre-installed. We have one in our office (picture above) running the latest version of OPNsense and the latest Sunny Valley Networks Packet Engine.
Next Generation Add-On Module
Now that we have the base firewall software and the platform to install it on, what’s next?
Although open source firewalls are all great software and great alternatives to their commercial counterparts, they lack several features which are essential for the Next Generation Firewall category:
- Application Control
- Web 2.0 Controls
- TLS Inspection (Port-agnostic)
- Extensive Reporting
- Active Directory Integration
Good news: Sunny Valley Networks provides an add-on software package for these open source firewalls that supplies the missing functionality. The add-on package is available as an installer file, so you just download and run the installer script (explained in detail later in this blog post). After the installation, the add-on module integrates its web management software into the existing firewall Web UI, so you can manage the whole software from a single web interface.
The not-so-good news is that this module is currently only available for OPNsense. But hey! OPNsense is already great software, so you can give it a try.
In this blog post, we’re going to show how you can install the Sensei Next Generation Firewall plugin on OPNsense. First of all you have to install OPNsense and have enough system resources for Sensei’s next generation DPI.
If you have not installed OPNsense yet, please follow this link to install OPNsense: https://sunnyvalley.io/how-to-setup-opnsense/
If you already have an OPNsense system installed, you need to check your system resources to make sure they are sufficient to install Sensei.
To ensure your hardware is sufficient to work with Sensei, please check CPU, RAM, disk space and bandwidth as follows:
CPU & RAM
Because the analytics module relies on Elasticsearch for its big data processing, the amount of memory available in the system is crucial for the performance of the whole product.
At least a dual-core CPU (i5 or equivalent) with 4 GB RAM, or preferably a modern quad-core CPU (i7 or equivalent) with 8 GB RAM, is advisable.
Recommended minimum hardware requirements for Sensei based on the number of users and the bandwidth:
| Number of Users | WAN Bandwidth | Recommended Minimum Memory | Recommended Minimum CPU Configuration |
| --- | --- | --- | --- |
| 0-25 | 20 Mbps | 8 GB | Intel Dual-Core i3 2.0 GHz (4 threads) or equivalent |
| | | 8 GB | Intel Dual-Core i5 2.0 GHz (4 threads) or equivalent |
| | | 16 GB | Intel Dual-Core i5 2.20 GHz (4 threads) or equivalent |
| | | 32 GB | Intel Dual-Core i7 2.0 GHz (4 threads) or equivalent |
| | | 64 GB | Intel Dual-Core i7 3.4 GHz (8 threads) or equivalent |
Sensei uses the Elasticsearch engine as its backend to process the big data. Please spare at least 5 MB of disk space per hour per megabit/second of throughput.
If you’re running a 100 Mbps link (about 100 users) which is quite active during the daytime and idle for the rest of the day, you can calculate the space needed as follows:
5 MB x 12 hours x 100 Mbps = 6 GB per day.
6 GB x 7 days a week = 42 GB per week.
42 x 4 weeks a month = 164 GB per month.
As of 0.7.0 (changelog), Sensei retires report data to open up space for newly arriving data. After the configured timespan, existing report data is automatically purged to make room for fresh data.
Sensei requires at least 4 GB of memory. The installer will not continue if you have less than 4 GB of RAM.
A roadmap feature, cloud reporting, will enable you to install Sensei on devices which have a limited amount of memory. E.g. you’ll be able to install Sensei on a Raspberry Pi.
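The disk sizing rule and the 4 GB memory floor from the paragraphs above, as an added worked example (this is not code from the post or from Sunny Valley Networks). It encodes only the rule stated on the page (5 MB per hour per Mbit/s) and reproduces the post’s own 6 GB/day and 42 GB/week figures; it also goes one step further and answers the question the purge feature raises, namely how many days of reports a given disk can hold before the configured retention must kick in. The 1000 MB per GB convention follows the post’s own arithmetic (6000 MB written as 6 GB), and the 20 % free-space reserve is an assumption of this example, not a figure from the page. Note that 42 GB × 4 weeks evaluates to 168 GB.

```python
"""Capacity-planning helper for the Sensei / Elasticsearch report store.

Added example, not the project's own tooling. Only the 5 MB-per-hour-per-Mbps
rule and the 4 GB RAM minimum come from the post; everything else is assumed.
"""

MB_PER_HOUR_PER_MBPS = 5      # rule of thumb stated in the post
MIN_RAM_GB = 4                # installer refuses to continue below this
MB_PER_GB = 1000              # matches the post's arithmetic (6000 MB -> 6 GB)


def daily_report_mb(link_mbps: float, active_hours: float) -> float:
    """Report data written per day on a link busy for `active_hours` a day."""
    return MB_PER_HOUR_PER_MBPS * active_hours * link_mbps


def report_disk_gb(link_mbps: float, active_hours: float, retention_days: int) -> float:
    """Disk needed to keep `retention_days` of reports before they are purged."""
    return daily_report_mb(link_mbps, active_hours) * retention_days / MB_PER_GB


def max_retention_days(free_disk_gb: float, link_mbps: float, active_hours: float,
                       reserve_fraction: float = 0.2) -> int:
    """Longest retention window (whole days) that fits on `free_disk_gb`,
    keeping `reserve_fraction` of it free. The reserve is an assumed safety
    margin for the OS, logs and Elasticsearch overhead, not a figure from the post."""
    per_day_mb = daily_report_mb(link_mbps, active_hours)
    if per_day_mb <= 0:
        raise ValueError("link_mbps and active_hours must be positive")
    usable_mb = free_disk_gb * (1 - reserve_fraction) * MB_PER_GB
    return int(usable_mb // per_day_mb)


def meets_minimum_ram(ram_gb: float) -> bool:
    """The installer's hard floor: below 4 GB it will not proceed."""
    return ram_gb >= MIN_RAM_GB


def sizing_summary(link_mbps: float, active_hours: float, free_disk_gb: float,
                   ram_gb: float, retention_days: int) -> dict:
    """One place to see whether a box can hold the retention window you want."""
    needed_gb = report_disk_gb(link_mbps, active_hours, retention_days)
    return {
        "ram_ok": meets_minimum_ram(ram_gb),
        "needed_gb": needed_gb,
        "disk_ok": needed_gb <= free_disk_gb,
        "max_retention_days": max_retention_days(free_disk_gb, link_mbps, active_hours),
    }


if __name__ == "__main__":
    # Constructed input: the post's own scenario, a 100 Mbps link busy 12 h/day,
    # on a box with 120 GB free for reports and 8 GB of RAM, wanting 28 days.
    print(sizing_summary(link_mbps=100, active_hours=12, free_disk_gb=120,
                         ram_gb=8, retention_days=28))
```

Run it as a script to see the summary for the post’s example; with 120 GB free the 28-day window does not fit, and `max_retention_days` tells you the 16-day window that does, which is the value to feed into Sensei’s retention setting rather than guessing.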
2. Installing OPNSense
Need help installing OPNSense?
Do you want to install it in a virtual machine? Read this blog post for instructions on how to do it: Install OPNsense virtualbox.
Or, if you want to install it on a PC / mini PC, read on: Installing OPNsense firewall to a fanless mini pc
3. Installing Sunny Valley Networks Packet Engine
This process is quite straightforward and easy. You don’t have to use SSH to connect and install Sensei; you can install Sensei via the OPNsense web UI.
Follow these instructions:
1. Go to your OPNsense web UI and log in as the root user. Then, on the left pane of the page, click System > Firmware > Plugins.
2. On the Plugins page you can view the installed and not-installed plugins. Search with the Ctrl + F key combination for the “os-sunnyvalley” keyword, then press Enter to find the Sensei plugin components.
3. Click the plus (+) button; you will be redirected to the Update menu tab.
4. After the installation you can see the Sensei plugin in the Plugin menu bar. If you cannot see Sensei plugin, please refresh your web UI with
5. You should also install “os-sensei”. You can find it with the Ctrl + F key combination, then click the plus (+) button to install it.
6. If you cannot see the Sensei menu, refresh the web UI with the F5 key to verify the installation.
7. After verifying the installation, follow this simple step to finish the Sensei install.
When you click the Dashboard sub-menu under the Sensei menu, you will be presented with the “Welcome Page” of Sensei. This is the last step of the installation. Read the “END USER LICENSE AGREEMENT FOR SUBSCRIPTION SOFTWARE”, then accept it by clicking the “I agree, let’s get going” button at the end of the agreement to finish the install.
8. After acceptance you will see a summary assessment of your computer’s system resources. If you see a “low-end hardware” warning, don’t worry about it as long as your system resources are above the minimum system requirements. Then click the “Install Database & Proceed” button.
9. After the database installation, click the “Next” button in the popup. Then select “Routed Mode” as the “Deployment Mode”, because the other options are experimental. Then double-click the LAN interface under “Available Interfaces”; it moves from “Available Interfaces” to the “Protected Interfaces” side. Then click the “Next” button at the bottom right of the web UI.
10. You can select and deselect cloud servers on this page. After the selection, click the “Next” button. You can also enter a local domain name to exclude its queries.
11. You can specify the TCP Service Password. This password protects command-line (CLI) access to the packet engine, so it is advisable to change it. After that you’ll be asked how you’d like to receive updates to the software. Change these settings to your liking and you’re done.
12. You have some options for “Updates and Support” and Health Check. You can enable automatic updates for the plugin and its database, and enable or disable automatic generation of support data. You can also control the “Health Check” and “Enable engine heartbeat monitoring” features. Then click the “Next” button.
13. On the next page, select your deployment size in terms of users. After the selection, click the “Next” button. At the end of the installation you may enter your email to stay up to date. Then click the “Finish” button to finish the installation. Depending on the speed of your computer and your Internet connection, it might take 2-4 minutes to complete the whole installation.
You can start enjoying your new Next Generation Firewall.
We’ll have more blog posts on the advanced features of the add-on software.