Finally installed my own Firewall
from pimpampoom@lemmy.zip to selfhosted@lemmy.world on 31 Jan 10:59
https://lemmy.zip/post/58142963

Finally ditched my ISP’s router and installed my own opnsense firewall with my own Access Point. I have crowdsec running on opnsense to block attacks + adguard to block ads and malicious domains. My network is segmented between my homelab that is exposed and my AP.

It finally feels quite safe in my network 😅

#selfhosted

Shabby4582@lemmy.world on 31 Jan 11:47

Looks like one of the qotom/topton boxes you can find on aliexpress.

Can also pick them up with preinstalled *sense from Protectli (which I did, and regretted nothing; totally great experience).

pimpampoom@lemmy.zip on 31 Jan 11:55

Indeed, it’s a Topton mini PC/firewall. It costs 300€ on AliExpress :) I removed pfSense and installed opnsense

nullroot@lemmy.world on 31 Jan 16:38

Is that a pretty standard price for a standalone firewall?

pimpampoom@lemmy.zip on 31 Jan 16:44

It’s the most cost effective I found that had a decent CPU and multiple Ethernet ports. I was not able to find a local alternative in the same form factor

nullroot@lemmy.world on 31 Jan 16:58

Good to know. Thank you 🙏

snekerpimp@lemmy.world on 31 Jan 11:46

That looks exactly like the box I grabbed. Are you running your opnsense on the bare metal, or are you virtualizing it? My only regret for mine was not picking up more RAM.

pimpampoom@lemmy.zip on 31 Jan 11:54

I’m running on bare metal. I have a physical homelab behind it. Can’t you add RAM?

snekerpimp@lemmy.world on 31 Jan 12:00

I could, if it wasn’t so damn expensive for 32 GB

comrade_twisty@feddit.org on 31 Jan 12:20

In some places you can still get 32 GB DDR4 for a kidney if you’re lucky.

irmadlad@lemmy.world on 31 Jan 13:41

I’ve had pretty good fortune with www.memorystock.com

snekerpimp@lemmy.world on 31 Jan 16:10

I will give them a look

kalpol@lemmy.ca on 31 Jan 14:04

I can’t imagine why you need 32 GB for opnsense. I can run it on a single core and 1 GB, unless I literally want every DNS blacklist loaded, in which case 4 GB

snekerpimp@lemmy.world on 31 Jan 16:09

I’m running a Proxmox instance on mine, with opnsense in a VM and Plex, Jellyfin, Pi-hole and my Omada controller in LXC. 16 GB is just enough for everything, but I like to future-proof and buffer things, so it makes me a bit nervous utilizing 12 of that 16 GB and only leaving 4 GB for Proxmox.

whimsy@lemmy.zip on 31 Jan 12:40

Networking isn’t my strong suit, so this might be a stupid question. But what exactly is a hardware firewall? Is it the same thing as my Internet facing router blocking incoming packets which haven’t been requested from “inside the home” network?

irmadlad@lemmy.world on 31 Jan 13:35

A hardware firewall generally indicates a standalone appliance that is dedicated to being a firewall. Not to be confused with a software firewall as you would see with UFW, or Windows Defender. Modern routers do possess some of the same tenets of a hardware firewall, but a dedicated hardware firewall usually gives a broader range of defenses such as IDS/IPS, filtering, etc.

I have a dedicated hardware firewall in the form of pfSense. The ‘black box’ in OP’s picture is the hardware firewall.

irmadlad@lemmy.world on 31 Jan 13:50

OP, you may want to look into ntopng. I think opnsense has an ntopng plugin. I find it very useful for traffic analysis.

pimpampoom@lemmy.zip on 31 Jan 13:57

Will have a look, thanks!

peskypry@lemmy.ml on 31 Jan 16:25

Good for you. I use OpenWrt on a decent router, yet it’s so flexible. I can create multiple VLANs with different firewall rules, multiple APs, ad and IP blocking, etc.

Honestly I can’t imagine going back to a shitty ISP router ever.

Buffy@libretechni.ca on 31 Jan 18:14

Even the wrong non-ISP routers are ridiculous compared to OpenWrt-capable ones. You’re telling me I’m paying a huge premium to get a cutting-edge Nighthawk, and then they shove a subscription service in my face to use any of these features? Let alone the security implications of having all your traffic routed through proprietary software. No thank you.

SnotFlickerman@lemmy.blahaj.zone on 31 Jan 20:12

I don’t think we are the target audience for those, though, as weird as that sounds. More likely intended to be sold to less tech savvy people who are willing to pay for the convenience of some company handling their security.

orbitz@lemmy.ca on 01 Feb 02:46

I always get my ISP routers as pass-through so the network is controlled by my entry. I have never bothered doing much with it but it’s nice to have the option.

I used to use DD-WRT firmware for years but eventually my hardware could never keep up with my net speeds and manufacturer firmware was faster. Trying an Omada network now, seems alright, but haven’t added their Wi-Fi.

Decronym@lemmy.decronym.xyz on 31 Jan 16:30

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

  • AP: WiFi Access Point
  • DNS: Domain Name Service/System
  • IP: Internet Protocol
  • IoT: Internet of Things for device controllers

4 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #47 for this comm, first seen 31st Jan 2026, 16:30]

OhVenus_Baby@lemmy.ml on 01 Feb 06:08

Doing the lords work! 🫶

Cyber@feddit.uk on 31 Jan 16:34

Nice.

Running different SSIDs too?

I put all my IoT stuff on a dedicated 2.4-only network, VLAN’d it to the (pfSense) firewall, which allows the VLAN trunk to be split into separate logical NICs that I apply different policies to, like no access to the internet, etc.
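
A way to sanity-check the ordering of rules like the ones Cyber describes (added example, not code from the thread, pfSense or OPNsense): a toy stateful packet filter with first-match semantics, which is what pfSense and OPNsense rules use by default (the "quick" flag), run over a few sample flows. The VLAN names, addresses, ports and rule labels are assumptions made up for the example.

```python
"""Added example, not pfSense/OPNsense code: a toy stateful, first-match ("quick")
packet filter that models an IoT-VLAN policy so rule order can be checked against
sample flows. Interface names, addresses and labels are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    iface: str    # interface the first packet arrives on: "lan", "iot" or "wan"
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str               # interface the rule is attached to
    proto: str = "any"
    src: str = "any"         # CIDR or "any"
    dst: str = "any"         # CIDR, "any", "rfc1918" (all private space) or "self" (firewall's own addresses)
    dport: Optional[int] = None
    label: str = ""

    def matches(self, flow: Flow, self_addrs) -> bool:
        if self.iface != flow.iface or self.proto not in ("any", flow.proto):
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        if self.src != "any" and src not in ipaddress.ip_network(self.src):
            return False
        if self.dst == "rfc1918":
            return any(dst in net for net in RFC1918)
        if self.dst == "self":
            return dst in self_addrs
        return self.dst == "any" or dst in ipaddress.ip_network(self.dst)


class StatefulFirewall:
    """Rules are evaluated top-down and the first match wins; a passed flow creates a
    state entry, so its reply direction is admitted without needing a rule of its own."""

    def __init__(self, rules, self_addrs):
        self.rules = rules
        self.self_addrs = {ipaddress.ip_address(a) for a in self_addrs}
        self.states = set()

    def filter(self, flow: Flow) -> str:
        key = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
        reply_of = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        if reply_of in self.states:
            return "pass:state"
        for rule in self.rules:
            if rule.matches(flow, self.self_addrs):
                if rule.action == "pass":
                    self.states.add(key)
                return f"{rule.action}:{rule.label}"
        return "block:default"   # implicit default deny, as on pfSense/OPNsense


SELF_ADDRS = ["192.168.1.1", "192.168.20.1"]   # firewall's LAN and IoT-VLAN addresses (hypothetical)

# Correct order: the private-space block sits above the broad internet pass.
SEGMENTED_RULES = [
    Rule("pass", "iot", "udp", "192.168.20.0/24", "self", 53, "iot dns to firewall"),
    Rule("pass", "iot", "udp", "192.168.20.0/24", "self", 123, "iot ntp to firewall"),
    Rule("block", "iot", src="192.168.20.0/24", dst="rfc1918", label="iot -> private blocked"),
    Rule("pass", "iot", src="192.168.20.0/24", dst="any", label="iot -> internet"),
    Rule("pass", "lan", src="192.168.1.0/24", dst="any", label="lan -> any"),
]
# Same rules with the internet pass moved above the block: first match now lets IoT reach the LAN.
MISORDERED_RULES = [SEGMENTED_RULES[3]] + [r for r in SEGMENTED_RULES if r is not SEGMENTED_RULES[3]]
# The "no access to the internet" variant: drop the pass, default deny does the rest.
NO_INTERNET_RULES = [r for r in SEGMENTED_RULES if r.label != "iot -> internet"]

# Constructed sample flows (hypothetical addresses).
LAN_TO_IOT = Flow("lan", "tcp", "192.168.1.10", 51000, "192.168.20.50", 8123)
IOT_REPLY = Flow("iot", "tcp", "192.168.20.50", 8123, "192.168.1.10", 51000)
IOT_TO_LAN_SMB = Flow("iot", "tcp", "192.168.20.50", 40000, "192.168.1.10", 445)
IOT_DNS = Flow("iot", "udp", "192.168.20.50", 40001, "192.168.20.1", 53)
IOT_TO_INTERNET = Flow("iot", "tcp", "192.168.20.50", 40002, "203.0.113.5", 443)


def run(rules):
    """Push the sample flows through a fresh firewall and report the verdict for each."""
    fw = StatefulFirewall(rules, SELF_ADDRS)
    return {
        "lan->iot": fw.filter(LAN_TO_IOT),
        "iot reply": fw.filter(IOT_REPLY),
        "iot->lan smb": fw.filter(IOT_TO_LAN_SMB),
        "iot dns": fw.filter(IOT_DNS),
        "iot->internet": fw.filter(IOT_TO_INTERNET),
    }


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED_RULES), ("misordered", MISORDERED_RULES),
                        ("no internet", NO_INTERNET_RULES)):
        print(name, run(rules))
```

Comparing the three policies shows the two things worth checking on a real box: with the private-space block above the internet pass, IoT gets DNS/NTP to the firewall and the internet but nothing on the LAN, while LAN-initiated flows to IoT still get their replies back through state; move the broad pass above the block and IoT reaches SMB on the LAN. The no-internet variant needs no extra block rule, since the implicit default deny covers it; an explicit block rule is still useful if you want the drops logged.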

pimpampoom@lemmy.zip on 31 Jan 16:48

At the moment I only have one WiFi instance, not planning to separate yet but it could be a future upgrade since I have a few IoT devices.

possiblylinux127@lemmy.zip on 31 Jan 17:09

Why crowdsec?

pimpampoom@lemmy.zip on 31 Jan 20:36

Personal preference, it’s what I’ve been using since I started my homelab and I think it works well enough.

possiblylinux127@lemmy.zip on 31 Jan 22:51

Are you exposing things to the internet?

pimpampoom@lemmy.zip on 01 Feb 07:19

Yes

irmadlad@lemmy.world on 31 Jan 17:26

> I have crowdsec running on opnsense to block attacks

Crowdsec is a pretty good package. It does blocking, but is geared more to being an IDS. Opnsense supports Suricata, which is a more aggressive and all-encompassing IDS/IPS. I don’t think opnsense supports its cousin Snort.

pimpampoom@lemmy.zip on 31 Jan 20:37

I considered Suricata but for now I think crowdsec works well enough; I’ll see later if I think Suricata could be more useful

irmadlad@lemmy.world on 31 Jan 21:40

Cool, cool. I was just throwing it out there if you hadn’t considered it. It’s quite a powerful package.

umbrella@lemmy.ml on 31 Jan 18:04

I recommend getting a fan blowing on that box. These get really hot at the slightest hint of some load.

utjebe@reddthat.com on 31 Jan 19:04

I bought a Topton router with an Intel N150. I was and still am disappointed with how much it heats up. Even at idle it’s not really comfortable to touch it.

irmadlad@lemmy.world on 31 Jan 20:14

A muffin fan with 4 standoffs would do the trick. Must be this particular model that gets hot.

umbrella@lemmy.ml on 31 Jan 20:28

Check thermal paste and get a fan attached to it. Computer 120 mm fans fit just right.

utjebe@reddthat.com on 31 Jan 20:52

I don’t think thermal paste is the problem here; the whole box is god damn hot, so it conducts heat well. At the wall it measures 14-15 W consumption; got it there from the 20-22 W it was at on defaults. Given that the N150 is 6 W TDP, the whole system just runs hot.

A fan would help, but I wanted fanless for a reason.

umbrella@lemmy.ml on 31 Jan 22:03

It’s good to check because some of them come with bad paste and/or contact between the sink and CPU. It could simply be soaking.

In any case you can also remove the front and back pieces of the case for slightly better temperatures without adding a fan or messing with thermal paste.

Zedd_Prophecy@lemmy.world on 31 Jan 23:52

The really shitty thermal paste - pack some Arctic Silver onto that bad boy and, if you can, increase the heat sink size or type. I don’t know what kind of room you have to work with.

umbrella@lemmy.ml on 31 Jan 23:55

The chassis itself is the heatsink

desentizised@lemmy.zip on 01 Feb 04:23

TDP is a very misunderstood concept these days, because it used to be a hard upper limit but now it’s god knows what. The spec sheet is calling it “Processor Base Power”. What might that be, you ask? Well, of course it is

> The time-averaged power dissipation that the processor is validated to not exceed during manufacturing while executing an Intel-specified high complexity workload at Base Frequency and at the junction temperature as specified in the Datasheet for the SKU segment and configuration.

In other words, it’s just marketing mumbo jumbo. According to other users the N150 can draw as much as 20, even up to 35 watts. The fact that the heat is radiating well through your case sounds like a positive if anything. This is x86 we’re talking about. The added complexity of that architecture over ARM comes at a price.

irmadlad@lemmy.world on 31 Jan 19:05

It wouldn’t be a bad idea. Right at this moment my temps are as such:

  • dev.cpu.0.temperature: 103 °F
  • dev.cpu.1.temperature: 103 °F
  • dev.cpu.2.temperature: 105 °F
  • dev.cpu.3.temperature: 109 °F
  • hw.acpi.thermal.tz0.temperature: 81 °F

IIRC, the case temp is like 194 freedom units. I’ve never really seen it get much higher than it is now.

SpookyBogMonster@lemmy.ml on 02 Feb 13:17

> these get really hot at the slightest hint of some load

Me too /j

umbrella@lemmy.ml on 02 Feb 15:46

sounds like you need a fan blowing on dat box

sj_zero@lotide.fbxl.net on 03 Feb 17:21

That’s why my firewall is a fanless sign PC. It never really heats up, and I don’t need to worry about the unreliability added by fans.

v321@lemmy.ml on 31 Jan 18:51

What do you think of Keenetic? Security-wise, do you trust it?

pimpampoom@lemmy.zip on 31 Jan 20:38

I just got it; it’s only being used as an access point, so I can’t really say much about all their features.

v321@lemmy.ml on 31 Jan 20:49

The reason I ask is that Keenetic has substantial ties with Russia. And there is a big chance the firmware development is still done in Russia.

bytepursuits@programming.dev on 31 Jan 23:13

Share some pictures and stats if you could. Do you see many probes?

pimpampoom@lemmy.zip on 01 Feb 07:26

You want pictures and stats of what?

Mist101@lemmy.world on 01 Feb 19:52

Cats, if you have them, dogs if not.