  • Hannah Lee

Setup a Home WiFi SPI Firewall With IPFire on Raspberry Pi 3 (Using Native Interfaces Only!)

This tutorial shows you how to turn your Raspberry Pi into an IPFire hardware firewall for WiFi connections. This DIY will:

This is the topology we are aiming to achieve today:

In this topology, you can set up all of your wireless devices behind the firewall, separated from the rest of your home network. This doesn't prevent you from connecting your wireless devices directly to your wireless router as normal, but it gives you the option to put the insecure wireless devices (**cough cough** **IoT** **smart TV** **security cameras** **anything without antivirus**) behind an SPI firewall with an intrusion prevention system (IPS). I won't actually be getting into the IPS configuration in this tutorial; that's a whole can of worms for another day.

IPFire does a thorough job of separation, so you may just want to put your entire home network behind this firewall. This could also be a good option, but if you have any ethernet-connected devices, you will need to acquire an additional ethernet interface. These can be purchased fairly inexpensively, but you need to make sure that the interface you purchase is compatible with IPFire. Check the compatibility list here. If you have more than one ethernet-connected device, you will also need to obtain a switch.

With an additional ethernet interface, you can obtain these topologies:

Today, I'm not going to make you buy anything extra. I'll do a tutorial for the addition of the GREEN network in the future. You will probably be able to figure it out yourself at the end of this tutorial, but, because we're only working with the native Raspberry Pi interfaces here, we're going to be doing a little bit of NIC musical chairs that is unnecessary if you have an extra interface.


PREREQUISITES:


Hardware:

- Raspberry Pi 3 Model B ($35-$50)

The Raspberry Pi 2 Model B and 3 Model B+ are also compatible, but the 4 Model B is not. If you want to try this on another single-board computer (SBC), check compatibility first. However, this tutorial is specific to the Raspberry Pi 3 Model B.

- 16 GB micro SD card (~$10)

- Ethernet Cable (you probably have one at home for $0)

To connect your Raspberry Pi to your router.


Peripheral Equipment:

- Monitor

- Keyboard

- HDMI Cable

- 2.5 amp Micro USB Power Supply

- Computer

To image the SD card and login to web GUI. It is assumed in this tutorial that this computer is connected to your home router and that your router permits clients to communicate with each other.


NOTE: IF AT ANY POINT IN THIS TUTORIAL IPFIRE ISN'T BEHAVING AS IT SHOULD, REBOOT. EVEN IF I DON'T TELL YOU TO. THIS FIXES 99% OF THE PROBLEMS.


Step 1: Download and Install Image


a. Go to https://www.ipfire.org/download/ and download the Flash image torrent under "arm":


b. Use the torrent software of your choice to download the image.


c. Use the Raspberry Pi Imager to load the image onto your SD card:

When selecting the Operating System, scroll down to "Use custom" and select your IPFire image.


d. With your SD card still inserted, navigate to the SD card filesystem and edit "uEnv.txt":

TIP: If you are on Windows and you are getting a formatting error, DO NOT REFORMAT. Go to the Task Manager and restart the File Explorer service, then try again.

Find this:

SERIAL-CONSOLE=ON

Change to OFF:

SERIAL-CONSOLE=OFF

e. Eject your SD card and insert it into your Pi. Plug in the peripherals (power, monitor, keyboard), connect your Pi to your router with your ethernet cable, and power on.



Step 2: Setup IPFire


a. Once booted, a setup menu will appear. Choose your keyboard layout, time zone, hostname, domain name, root password, and admin password.


b. Select Network configuration type >> GREEN + RED


c. Select Drivers and card assignments.

Set RED to sdio: brcmfmac

Set GREEN to usb: Microchip Technology, Inc


d. Configure the interfaces:

GREEN:

- Choose an IP address for the green interface. This IP should be on your router's subnet; for example, if your router is 192.168.0.1 you could choose 192.168.0.254. If you choose an IP that is not on your router's subnet (e.g. 192.168.1.2), then you will not be able to access the web GUI from your computer.

- Leave the subnet as "255.255.255.0".


RED:

- Select DHCP.

- Choose a DHCP Hostname.

- Leave "Force DHCP MTU" blank.

- IP Address will also be left blank, since it will be assigned by DHCP.

- Select OK


Select Done


e. Configure the gateway:

Enter your router's IP address for the "Default gateway":

e.g. 192.168.0.1


Select OK to get back to the Network Configuration menu.

On the Network Configuration Menu, select Done.


f. Configure DHCP.

- Enable DHCP.

- Choose a start address.

- Choose your ending address.


g. Select Done to finish setup. These settings can be changed later with the command "setup" from the command line, or from the web GUI.



Step 3: Forward GREEN Traffic to RED


By default, IPFire only lets you log in to the web GUI from the GREEN interface (i.e. behind the firewall, on an ethernet connection). To access the web GUI from the RED interface (i.e. in front of the firewall), you will need to forward GREEN traffic on port 444 (the web GUI port) to RED in the firewall rules. Because we will not have a GREEN interface at the end of this tutorial, this is not optional.


a. In a browser on your computer, navigate to port 444 on your GREEN interface's IP to access the web GUI:

(Go back to step 2.d if you forgot what you set it to!)

e.g. 192.168.0.254:444

Login with your admin username and password.


b. At the navigation menu, go to Firewall >> Firewall Rules.


c. Click New Rule and add the following:


d. Apply Changes:

Now your web GUI traffic is forwarded to your RED interface. We will now go back into the CLI and adjust the settings to enable internet connectivity and WiFi on your firewall.



Step 4: Update Interface Configurations


a. Back on your Raspberry Pi, login as root in the terminal and run the following command:

setup

b. Select Network configuration >> Network configuration type >> GREEN + RED + BLUE

- You will get a warning stating "Not enough netcards for your choice".

- Select OK.


c. Select Drivers and card assignments:

- You will get a status of which NICs are assigned to which interface.

- Select OK.


d. Remove the NICs currently assigned to both the GREEN and RED interfaces.

(with the target interface highlighted, navigate to "Remove" with the arrow keys and press enter)


e. Set the interfaces as follows:

RED: "usb: Microchip Technology, Inc"

BLUE: "sdio: brcmfmac"

GREEN: "unset"


- Select Done.


f. At the "Network configuration menu", select Address settings >> BLUE

- Pick an IP address. This will be the gateway address of your wireless network. It should be on a separate subnet from your other networks, for example 10.1.0.1.

- Leave Network mask as 255.255.255.0.

- Select OK.


g. Exit the menu:

- At Address settings, select Done.

- Network configuration menu, select Done.

- You'll get an error stating "No GREEN interface assigned". Select Ignore.

- Once it is done applying your configuration changes, select Quit and reboot your device.
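Steps 2.d, 2.f and 4.f each hinge on an addressing choice that IPFire's setup menu will accept but that silently breaks things (a GREEN address off the router's subnet, a BLUE subnet that overlaps the home LAN, a DHCP range that swallows the gateway). The following is an added sanity check, not part of the tutorial or of IPFire; the addresses are constructed to match the examples above and should be replaced with your own.

```python
import ipaddress

# Constructed example values mirroring the tutorial; adjust to your own network.
ROUTER_IP = "192.168.0.1"                 # home router, default gateway for RED
ROUTER_MASK = "255.255.255.0"
GREEN_IP = "192.168.0.254"                # Step 2.d: must sit on the router's subnet
BLUE_IP = "10.1.0.1"                      # Step 4.f: must NOT overlap the router's subnet
BLUE_MASK = "255.255.255.0"
BLUE_DHCP = ("10.1.0.100", "10.1.0.200")  # Step 6.d: lease range for WiFi clients


def check_plan(router_ip, router_mask, green_ip, blue_ip, blue_mask, dhcp_range):
    """Return a list of problems with the addressing plan (empty list means OK)."""
    problems = []
    home = ipaddress.ip_interface(f"{router_ip}/{router_mask}").network
    blue = ipaddress.ip_interface(f"{blue_ip}/{blue_mask}").network

    # GREEN is reached from a PC on the router's LAN, so it must be on that LAN.
    if ipaddress.ip_address(green_ip) not in home:
        problems.append(f"GREEN {green_ip} is not inside {home}; web GUI unreachable")
    if green_ip == router_ip:
        problems.append("GREEN address collides with the router")

    # BLUE is a routed network behind the firewall; it must not overlap the home LAN,
    # otherwise the firewall cannot tell which side a packet belongs to.
    if blue.overlaps(home):
        problems.append(f"BLUE {blue} overlaps the home network {home}")
    if ipaddress.ip_address(blue_ip) in (blue.network_address, blue.broadcast_address):
        problems.append("BLUE gateway cannot be the network or broadcast address")

    # DHCP leases must be host addresses on BLUE and must not hand out the gateway.
    start, end = (ipaddress.ip_address(a) for a in dhcp_range)
    if start > end:
        problems.append("DHCP start address is after the end address")
    if start not in blue or end not in blue:
        problems.append(f"DHCP range {dhcp_range} is not inside {blue}")
    elif start <= ipaddress.ip_address(blue_ip) <= end:
        problems.append("DHCP range includes the BLUE gateway address")
    return problems


if __name__ == "__main__":
    issues = check_plan(ROUTER_IP, ROUTER_MASK, GREEN_IP, BLUE_IP, BLUE_MASK, BLUE_DHCP)
    print("\n".join(issues) if issues else "addressing plan looks consistent")
```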



Step 5: Update System and Install hostapd


a. Login to root and check internet connectivity:

ping google.com

If this doesn't work, run "setup" again and ensure your gateway is set to your router.


b. Check which IP was assigned to your RED interface:

ip a

Find the IP next to interface "red0"


c. Back on your browser, navigate to your RED interface's IP on port 444:

e.g. 192.168.0.138:444


d. In the navigation menu, go to IPFire >> Pakfire.


e. Once you're on the "Pakfire Configuration" page, click the tiny update button to the right of the "System Status" section:

Give your system a little while to update. During the update, you might get an "Internal Server Error" or "Forbidden" screen. That's ok, just refresh the page. It's still actively working on updating in the background.


f. Once the update is complete, reboot your device.

(You can do this in the web GUI under System >> Shutdown >> Reboot, or at the CLI.)


g. Once booted, navigate back to Pakfire and find "hostapd" under "Available Addons" and click the little "+" to install:

On the next page, click the green arrow to proceed.



Step 6: Configure Wireless Network


a. At the navigation menu, navigate to IPFire >> WLanAP

At the "Access Point Configuration" page, you will be asked to select your wireless LAN interface. There will only be one, so confirm it is your "blue0" interface and click Select Interface.


b. Configure your wireless network settings to your liking. Head over to IPFire's wireless configuration page for more details.

- The following settings are for the Raspberry Pi 3 Model B:

- Encryption: WPA3 may result in an "incorrect password" error. If this is the case,

Here is an example:

Click Save when finished.


Once your settings have been saved, you will see your Access Point status turn to "RUNNING". This access point is now broadcasting. But wait! Before you can connect to the WiFi, you'll need to enable your BLUE interface's DHCP server.


c. At the navigation menu, go to Network >> DHCP Server.


d. Check the "Enabled" box, enter your start address and end address, and click Save:


e. Connect a device to the WiFi.

Buuuuut wait, there's more! At this point, you should be successfully connected, but without internet. Remember, this is a firewall! Upon the first connection of a device, you have to manually approve the connection.


f. At the navigation menu, go to Firewall >> Blue Access.


g. Find your device under "Current DHCP leases on BLUE" and click the blue pencil/plus sign next to it:

You will now see your device added to the "Devices on BLUE" section and you are finally connected to the internet through your firewall!



Step 7: Harden Your Network!


This is where I'm going to leave you today. Ok, so I lied a little before: you may have to go buy a WiFi repeater to extend the range of your firewall to all of your IoT devices. Once you have connected all of your IoT devices to this firewall, your home network is just a little more secure. Now, if anyone hacks your IoT device, they have to get through your firewall to get to the rest of your network!

There are many other things you can do with IPFire to ensure nobody makes it past your firewall. Beyond SPI, these default configurations alone don't do much more than a normal router can do for you. I highly recommend you start at IPFire's IPS page. I'll follow up with more tips and tutorials to harden your home network security with IPFire, but there's plenty of good info on IPFire's wiki until then!