Zen Firewall Guide
When setting up networks, you want the most simple and secure configuration possible. This guide will provide principles for such a common reference network scenario.
The target audience for this guide is for those who are new to networking, and want to setup or understand network security. Having a moderate understanding of networking will be helpful but not required.
Our base reference network is a simple Firewall + WiFi setup:
A Firewall connected to the internet via the ISP router (ISP Dev) in bridge/passthrough mode
WiFi AP connected to the internet via Firewall
Wired Devices connect to Firewall via an Ethernet switch (not shown)
Wired and WiFi devices are isolated from each other
WiFi devices are isolated too
The diagram for the reference net:
+----------+ +----------+ +---------+
| internet | <-> (ISP Dev) <=> | Firewall | <=> | WiFi AP |
+----------+ +----------+ +---------+
^^ ^
|| |
vv v
+---------------+ +--------------+
| Wired Devices | | WiFi Devices |
+---------------+ +--------------+
Note
Many other possible network configurations exist, but this is the simplest seen in the typical SOHO. Use this reference network as a starting point before venturing off to other configurations.
Basic Terminology:
FOSS: Free open source software
Firmware: Firewall or WiFi software that is loaded onto a firewall appliance
AP: Access Point for WiFi
FQDN: Fully Qualified Domain Name: Ex: www.google.com
IP or IP number: An internet IPv4 number. Ex: 1.1.1.8
DNS: Domain Name Service translates FQDN to IP numbers
DHCP: Dynamic Host Configuration Protocol assigns IP addresses to devices
NTP: Network Time Protocol: Time service used to synchronize computer clocks
ISP: Internet Service Provider (e.g., Spectrum, Google Fiber, Comcast, etc.)
Firewall: The main firewall of the reference network. If lowercase, we mean firewalls in general.
Hardware and Software
Firewall and AP Hardware must meet your overall network speed requirements. Make sure you check raw speed capacity before you buy.
Software is also equally important. We generally recommend FOSS software for all appliances. This typically means you have to either buy the appliance with FOSS software (rare) or you have to flash your appliances (common). This is the way.
Software
The software you run on your Firewall is a critical component. Don’t settle for consumer-grade software/firmware that comes with many commercial appliances, that are often poorly written and have insecure default settings.
Firewalls: Always use FOSS grade firewall software at minimum. Don’t use consumer-grade firewalls unless you know what you are doing. Good choices are:
opnSense: https://opnsense.org/
pfSense: https://pfsense.org
ipFire: https://ipfire.org
These choices will provide nearly every service you need to run a home or SOHO network. Services include:
DHCP
DNS
NTP
VPN
WiFi AP: When possible, use an open-source grade WiFi AP software. Avoid consumer-grade AP that have their own in-house firmware, that are often buggy, outdated, and have incredibly poor default security. Good choices are:
FreshTomato: https://freshtomato.org
OpenWrt: https://openwrt.org
AsusWrt-Merlin: https://www.asuswrt-merlin.net
Hardware:
Firewall Hardware:
We chose to speak about firewall firmware first to enhance our hardware discussion now. The hardware supports the firmware and vice-versa.
Buy your own firewall appliance hardware online. Don’t trust consumer-grade commercial firewall appliances. These usually are under-powered, have inferior software, and are not secure by default. Amazon has good firewalls starting at $225 (circa 2024). If you need help selecting, please ask an expert or email us. Make sure you buy hardware that supports your choice of FOSS firewall software (see above). Some devices come pre-loaded with FOSS firmware. Go to Amazon and search for “opnsense firewall” for example.
Make sure you purchase an appliance that:
supports your firmware
has at least 4GB of memory and 32GB storage
has at least 4 gigabit capable Ethernet ports
if possible, is pre-installed with your firmware choice
WiFi AP. These are available pre-installed with OpenWrt on Amazon for under $75. This is a good secure option. Good choices include:
Devices that support OpenWrt:
GL.iNet GL-MT3000
GL.iNet GL-MT6000
Netgear R7800
Devices that support FreshTomato:
NETGEAR Nighthawk R7000
ASUS RT-AC1900P
Devices that support AsusWRT-Merlin:
ASUS RT-AX3000 V2
Networking
Always configure your ISP router in passthrough (AKA bridge) mode.
In this mode, the ISP router is transparent and allows your Firewall to handle all the security.
This gives you full control and transparency.
ISP routers are notoriously ill-secured and opaque.
You may have to ask your ISP to configure their router in passthrough/bridge mode.
Don’t use your ISP router WiFi.
Instead buy your own WIFI AP and connect it to your Firewall (see above).
ISP WiFi routers are notoriously insecure and ISPs often monitor their ISP devices, so your privacy is kaput.
Your WiFi AP should be as dumb as possible, ensuring services are passed to your Firewall where you have good control and visibility.
Network Policy refers to policy YOU set in the appliance software. These are the rules of network access.
General Policy
Appliances that are not required to communicate to the internet should not have a gateway setting. This will prevent them from leaking private information. Devices that should not have a gateway include:
Printers
Scanners
File Servers
IoT (Internet of Things) devices like your TV, refrigerator, toaster, etc…
Firewall Policy
Firewalls should operate from the Least Privilege principle.
Never allow traffic out of your LAN that should be handled locally, i.e.: DNS, DHCP, NTP, etc…
Use aliases as much as possible to reduce the number of rules. An alias allows you to associate a name with multiple computers, networks, or ports. This allows you condense your firewall rules down to a small few. Complexity leads to mistakes which lead to broken security.
WiFi AP Policy
All WiFi devices should be run in AP (dumb) mode. Such WiFi devices should only provide wireless authentication for your SSID (the WiFi name). In particular, a dumb AP should provide:
WiFi Authentication: Checks username and password for the AP
No DNS
No DHCP
No Time service
No VPN
No internal AP firewall
No other services whatsoever!
All those services should be provided by your main Firewall.
WiFi devices should not talk to one another, to prevent spread of viruses or other malware infection. This is called “AP Isolation”.
What is Next!
In the interest of simplicity and clarity, we did not discuss any advanced topics that are important to modern networks. We deliberately exclude all discussion about:
Advanced Firewall Topics
Public vs Private networks
Network Address Translation
Firewall Rule Construction
Virtual Private Networks (VPNs)
VPN in General
Wireguard
Domain Name Service (DNS)
DNS in General
DNS over TLS (DoT)
Advanced Networking
Demilitarized Zone (DMZ) Networks
Network Bridge
VLAN: Virtual Local Area Networks
DHCP
DHCP General Setup
DHCP: Static Maps
IPv6 networks
Firewall redundancy and failover
Logging and Monitoring
Contact Us
You can contact us at https://fortuitous.com/about/