Zen Firewall Guide

When setting up networks, you want the simplest and most secure configuration possible. This guide will provide principles for a common reference network scenario.

The target audience for this guide is people who are new to networking and want to set up or understand network security. A moderate understanding of networking is helpful but not required.

Our reference network is a simple Firewall + WiFi setup:

  1. A Firewall connected to the internet via the ISP router (ISP Dev) in bridge/passthrough mode

  2. WiFi AP connected to the internet via Firewall

  3. Wired Devices connect to Firewall via an Ethernet switch (not shown)

  4. Wired and WiFi devices are isolated from each other

  5. WiFi devices are isolated from each other as well (AP isolation, see WiFi AP Policy below)

The reference network diagram:

+----------+                   +----------+        +---------+
| internet | <-> (ISP Dev) <=> | Firewall |   <=>  | WiFi AP |
+----------+                   +----------+        +---------+
                                    ^^                  ^
                                    ||                  |
                                    vv                  v
                             +---------------+   +--------------+
                             | Wired Devices |   | WiFi Devices |
                             +---------------+   +--------------+

Note

Many other possible network configurations exist, but this is the simplest seen in the typical SOHO. Use this reference network as a starting point before venturing off to other configurations.

Basic Terminology:

  • FOSS: Free and open-source software

  • Firmware: The operating software loaded onto an appliance (the Firewall or the WiFi AP)

  • AP: Access Point for WiFi

  • FQDN: Fully Qualified Domain Name: Ex: www.google.com

  • IP or IP address: An IPv4 address. Ex: 1.1.1.8

  • DNS: Domain Name System, translates FQDNs to IP addresses

  • DHCP: Dynamic Host Configuration Protocol assigns IP addresses to devices

  • NTP: Network Time Protocol: Time service used to synchronize computer clocks

  • ISP: Internet Service Provider (e.g., Spectrum, Google Fiber, Comcast, etc.)

  • Firewall: The main firewall of the reference network. If lowercase, we mean firewalls in general.

Hardware and Software

Firewall and AP hardware must meet your overall network speed requirements. Check the raw throughput before you buy, and keep in mind that a firewall's real throughput with rules, logging and VPN enabled is lower than the speed printed on its Ethernet ports.

Software choice is critically important. We generally recommend FOSS software for all appliances. This typically means you either buy the appliance with FOSS software pre-installed (rare) or flash it yourself (common). This is the way.

Software

The software you run on your Firewall is a critical component. Don’t settle for the consumer-grade software/firmware that ships with many commercial appliances; it is often poorly written and has insecure default settings.

  • Firewalls: Always use FOSS firewall software. Don’t use consumer-grade firewalls unless you know what you are doing. Good choices are:

    These choices will provide nearly every service you need to run a home or SOHO network. Services include:

    • DHCP

    • DNS

    • NTP

    • VPN

  • WiFi AP: When possible, use open-source AP firmware. Avoid consumer-grade APs running the vendor’s in-house firmware, which is often buggy, outdated, and shipped with very poor default security. Good choices are:

Hardware:

  • Firewall Hardware:

    We discussed firmware before hardware on purpose: the hardware you buy must support the firmware you intend to run, so settle on the firmware first.

    Buy your own firewall appliance hardware online. Don’t trust consumer-grade commercial firewall appliances: they are usually under-powered, run inferior software, and are not secure by default. Amazon has good firewalls starting at $225 (circa 2024). If you need help selecting, please ask an expert or email us. Make sure you buy hardware that supports your choice of FOSS firewall software (see above). Some devices come pre-loaded with FOSS firmware; for example, search Amazon for “opnsense firewall”.

    Make sure you purchase an appliance that:

    • Supports your firmware

    • Has at least 4GB of memory and 32GB storage

    • Has at least 4 gigabit capable Ethernet ports

    • If possible, is pre-installed with your firmware choice

  • WiFi AP: APs with OpenWrt pre-installed are available on Amazon for under $75 and are a good, secure option. Good choices include:

    • Devices that support OpenWrt:

      • GL.iNet GL-MT3000

      • GL.iNet GL-MT6000

      • Netgear R7800

    • Devices that support FreshTomato:

      • NETGEAR Nighthawk R7000

      • ASUS RT-AC1900P

    • Devices that support AsusWRT-Merlin:

      • ASUS RT-AX3000 V2

Networking

  • Always configure your ISP router in passthrough (AKA bridge) mode.

    • In this mode, the ISP router is transparent and allows your Firewall to handle all the security.

    • This gives you full control and transparency.

    • ISP routers are notoriously ill-secured and opaque.

    • You may have to ask your ISP to configure their router in passthrough/bridge mode.

  • Don’t use your ISP router WiFi.

    • Instead buy your own WIFI AP and connect it to your Firewall (see above).

    • ISP WiFi routers are notoriously insecure, and ISPs often keep remote management access to the devices they supply, so your privacy is kaput.

    • Your WiFi AP should be as dumb as possible, ensuring services are passed to your Firewall where you have good control and visibility.

  • Network Policy refers to policy YOU set in the appliance software. These are the rules of network access.

General Policy

  • Appliances that are not required to communicate with the internet should not have a gateway setting. This prevents them from leaking private information. Note that a missing gateway is a convenience, not a security boundary: anyone (or any malware) with access to the device can add one, so back it up with a Firewall rule that blocks those hosts from reaching the internet. Devices that should not have a gateway include:

    • Printers

    • Scanners

    • TVs

    • Thermostats

    • Smart cameras, baby monitors

    • File Servers

    • IoT (Internet of Things) devices: refrigerators, toasters, smart bulbs, etc…

Firewall Policy

  • Firewalls should be configured according to the Least Privilege Principle.

  • Never allow traffic out of your LAN for services the Firewall already provides locally (DNS, DHCP, NTP, etc.). Block LAN clients from reaching outside DNS and NTP servers so that devices with hard-coded resolvers or time servers cannot bypass yours.

  • Use aliases as much as possible to reduce the number of rules. An alias associates a name with multiple computers, networks, or ports, which lets you condense your firewall rules down to a minimum. Complexity leads to mistakes, and mistakes lead to broken security.
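To make the General Policy and Firewall Policy above concrete, here is an added example (not code from the original guide, and not an OPNsense or pfSense export) that models an alias-based, first-match rule set for the reference network and checks it against constructed sample traffic. The subnets, host addresses, alias names and rules are assumptions chosen to fit the reference network; adapt them to your own addressing.

```python
"""Check the reference network's Firewall policy against sample traffic.

Added example, not part of the original guide. It models the first-match,
alias-based rule evaluation of OPNsense/pfSense-style firewalls; the alias
names, subnets, hosts and rules are assumptions chosen for the reference
network (wired LAN, isolated WiFi, a Firewall that serves DNS and NTP).
"""
from ipaddress import ip_address, ip_network

# Host/network aliases: one name stands for many addresses (assumed values).
NETS = {
    "LAN_NET": [ip_network("192.168.10.0/24")],
    "WIFI_NET": [ip_network("192.168.20.0/24")],
    "FIREWALL": [ip_network("192.168.10.1/32"), ip_network("192.168.20.1/32")],
    # Printer and file server: devices the General Policy keeps off the internet.
    "NO_INTERNET": [ip_network("192.168.10.50/32"), ip_network("192.168.10.60/32")],
    "RFC1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "ANY": [ip_network("0.0.0.0/0")],
}
# Port aliases; None means any port.
PORTS = {
    "LOCAL_SERVICES": {53, 123},  # DNS and NTP: answered by the Firewall only
    "WEB": {80, 443},
    "ANY": None,
}

# Rules are evaluated top to bottom and the first match wins, as with
# OPNsense/pfSense "quick" rules. Anything unmatched is blocked (default deny).
# (interface, action, source alias, destination alias, destination port alias)
RULES = [
    ("LAN", "pass", "LAN_NET", "FIREWALL", "LOCAL_SERVICES"),
    ("LAN", "block", "LAN_NET", "ANY", "LOCAL_SERVICES"),  # no DNS/NTP leaking out
    ("LAN", "block", "NO_INTERNET", "ANY", "ANY"),  # enforce "no gateway" at the Firewall
    ("LAN", "block", "LAN_NET", "WIFI_NET", "ANY"),  # wired and WiFi stay isolated
    ("LAN", "pass", "LAN_NET", "ANY", "ANY"),
    ("WIFI", "pass", "WIFI_NET", "FIREWALL", "LOCAL_SERVICES"),
    ("WIFI", "block", "WIFI_NET", "RFC1918", "ANY"),  # WiFi reaches nothing private
    ("WIFI", "pass", "WIFI_NET", "ANY", "WEB"),
]


def in_alias(addr, alias):
    return any(addr in net for net in NETS[alias])


def port_in_alias(port, alias):
    allowed = PORTS[alias]
    return allowed is None or port in allowed


def evaluate(iface, src, dst, dport):
    """Return (action, rule index) for a packet; the index is None for the default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for i, (rule_iface, action, s, d, p) in enumerate(RULES):
        if (rule_iface == iface and in_alias(src, s) and in_alias(dst, d)
                and port_in_alias(dport, p)):
            return action, i
    return "block", None


def expanded_rule_count():
    """How many rules the same policy needs without aliases (one net x net x port each)."""
    return sum(len(NETS[s]) * len(NETS[d]) * (len(PORTS[p]) if PORTS[p] else 1)
               for _, _, s, d, p in RULES)


# Constructed sample traffic: (interface, source, destination, destination port).
SAMPLE_TRAFFIC = [
    ("LAN", "192.168.10.23", "192.168.10.1", 53),     # laptop asks the Firewall for DNS
    ("LAN", "192.168.10.23", "8.8.8.8", 53),          # laptop tries an outside resolver
    ("LAN", "192.168.10.50", "93.184.216.34", 443),   # printer phoning home
    ("LAN", "192.168.10.23", "192.168.20.15", 445),   # wired host poking a WiFi client
    ("WIFI", "192.168.20.15", "192.168.20.1", 123),   # phone syncs time from the Firewall
    ("WIFI", "192.168.20.15", "192.168.10.60", 445),  # phone reaching the file server
    ("WIFI", "192.168.20.15", "93.184.216.34", 443),  # phone browsing the web
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        action, idx = evaluate(*pkt)
        where = "default deny" if idx is None else f"rule {idx + 1}"
        print(f"{pkt[0]:4} {pkt[1]:>14} -> {pkt[2]:>14}:{pkt[3]:<4} {action:5} ({where})")
    print(f"{len(RULES)} alias rules stand in for {expanded_rule_count()} literal rules")
```

Two design points carry over to a real firewall. First, order matters: the pass rule for DNS and NTP to the Firewall sits above the block rule for DNS and NTP to anywhere, so local resolution keeps working while hard-coded outside resolvers are cut off. Second, traffic between two hosts on the same switch never reaches the Firewall, so the NO_INTERNET rule cannot stop a printer talking to a laptop next to it; it only stops the printer from leaving the LAN, which is the point of that policy.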

WiFi AP Policy

  • All WiFi APs should run in dumb AP mode: the AP only provides wireless authentication for your SSID (the WiFi name) and hands everything else to the Firewall. In particular, a dumb AP should have:

    • WiFi authentication: checks the WPA2/WPA3 passphrase (or, with WPA-Enterprise, the username and password) for the SSID

    • No DNS

    • No DHCP

    • No Time service

    • No VPN

    • No internal AP firewall

    • No other services whatsoever!

    All those services should be provided by your main Firewall.

  • WiFi clients should not be able to talk to each other, which limits the spread of malware from one infected device to the next. This is called “AP Isolation” (or client isolation). It only covers clients of that one AP; keeping WiFi clients away from wired devices is the Firewall’s job.
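The dumb-AP policy above is easy to state and easy to drift away from after a firmware update or a quick tweak. The following added example (not code from the original guide, and not part of the OpenWrt project) audits the text that OpenWrt's `uci export` prints and flags each service a dumb AP should not run: a DNS server, a DHCP server on the LAN, an SSID with open or weak encryption, or an SSID without client isolation. The configuration dump is constructed for the example and assumes OpenWrt's standard option names; disabling the AP's own firewall and NTP services is done through init scripts rather than UCI options, so that part of the policy is outside this check.

```python
"""Audit an OpenWrt access point's UCI configuration for the dumb-AP policy.

Added example, not part of the original guide or of the OpenWrt project. It
reads the text that `uci export` prints and flags each service a dumb AP
should not run. The configuration below is constructed for the example.
"""
import re

SAMPLE_UCI = """\
package dhcp

config dnsmasq
    option domainneeded '1'
    option port '0'

config dhcp 'lan'
    option interface 'lan'
    option ignore '1'

package wireless

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'home'
    option encryption 'sae-mixed'
    option key 'correct horse battery staple'
    option isolate '1'

config wifi-iface 'guest_radio0'
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'guest'
    option encryption 'none'
"""

# WPA2/WPA3 modes accepted by OpenWrt's wireless config; anything else is flagged.
STRONG_ENCRYPTION = {"psk2", "sae", "sae-mixed", "wpa2", "wpa3", "wpa3-mixed"}


def parse_uci(text):
    """Parse `uci export` output into a list of {package, type, name, options} dicts."""
    sections, package, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("package "):
            package = line.split(None, 1)[1]
        elif line.startswith("config "):
            parts = line.split()
            current = {"package": package, "type": parts[1],
                       "name": parts[2].strip("'") if len(parts) > 2 else "",
                       "options": {}}
            sections.append(current)
        elif line.startswith("option ") and current is not None:
            m = re.match(r"option\s+(\S+)\s+'(.*)'$", line)
            if m:
                current["options"][m.group(1)] = m.group(2)
    return sections


def audit(sections):
    """Return (section name, problem) pairs; an empty list means the AP is dumb."""
    findings = []
    for s in sections:
        o, pkg, typ = s["options"], s["package"], s["type"]
        if pkg == "dhcp" and typ == "dnsmasq" and o.get("port") != "0":
            findings.append((s["name"] or "dnsmasq", "DNS server enabled; set option port '0'"))
        if pkg == "dhcp" and typ == "dhcp" and o.get("interface") == "lan" and o.get("ignore") != "1":
            findings.append((s["name"], "DHCP served on lan; set option ignore '1'"))
        if pkg == "wireless" and typ == "wifi-iface" and o.get("mode") == "ap":
            if o.get("isolate") != "1":
                findings.append((s["name"], "client isolation off; set option isolate '1'"))
            enc = o.get("encryption", "none").split("+")[0]
            if enc not in STRONG_ENCRYPTION:
                findings.append((s["name"], f"open or weak encryption '{enc}'; use psk2 or sae"))
    return findings


if __name__ == "__main__":
    problems = audit(parse_uci(SAMPLE_UCI))
    for name, problem in problems:
        print(f"{name}: {problem}")
    print("dumb AP" if not problems else f"{len(problems)} problem(s) found")
```

On a real AP, pipe `uci export dhcp wireless` into `parse_uci` instead of the constructed sample. In the sample, the home SSID passes and the guest SSID is flagged twice: it is open and it lacks client isolation, which is exactly the kind of second SSID that quietly undoes the policy.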

What is Next!

In the interest of simplicity and clarity, we did not discuss any advanced topics that are important to modern networks. We deliberately exclude all discussion about:

  • Advanced Firewall Topics

    • Flashing Firmware

    • Public vs Private networks

    • Network Address Translation

    • Firewall Rule Construction

  • Virtual Private Networks (VPNs)

    • VPN in General

    • Wireguard

  • Domain Name Service (DNS)

    • DNS in General

    • DNS over TLS (DoT)

  • Advanced Networking

    • Demilitarized Zone (DMZ) Networks

    • Network Bridge

    • VLAN: Virtual Local Area Networks

  • DHCP

    • DHCP General Setup

    • DHCP: Static Maps

  • IPv6 networks

  • Firewall redundancy and failover

  • Logging and Monitoring

Contact Us

You can contact us at https://fortuitous.com/about/