Hello, and welcome.

In the last couple firewall articles I went through and explained the differences in some popular distributions.  Ultimately, I stuck with pfSense for quite a long time, and it has come a long ways since I did my original review having made many things easier in both interface and installation.

Recently, I bought into the idea of getting an account from an “anonymous”/no-log VPN service to help maintain a little extra “anonymity” on the internet.  As always, pfSense is amazing in that it was one of the firewalls specifically listed from my provider with steps on how to support it.

It does make for a bit of a complicated setup, wanting all my default internet traffic to route through the VPN but still allow my DMZ ports to forward through to my web/mail servers and make it back out the standard WAN interface.  Surprisingly, pfSense handles this with ease, but I was running into an issue that when I was maxing my internet connection the OpenVPN client would reset and internet would briefly drop and re-establish.

This was an annoyance, so I decided to go on the search for another firewall distribution (I like to change things up anyway).  As a side note, I’ve recently established an interest in the Single Board Computer market (such as the Raspberry Pi, Pandaboard, ODROID, NanoPC-T1 etc.)  As such, while I was searching around for new firewalls to try I also came across some “DIY”-style firewall appliances (largely thanks to dd-wrt’s x86 wiki, unfortunately I never did try their firmware).  Instead of using an old computer, you can buy a little SBC with a case and voila: instant router-sized firewall (assuming you can find a firewall distro that supports the architecture.)

The two biggest players it seems (or at least the ones I see mentioned most) are PC-Engines and Soekris Engineering.  While both had great devices, I really wanted at least 3 ethernet ports, and at least one gigabit, for total (with PSU/Case) to be less than $200.  I finally figured out that PC-Engines just this year released the APU series line which is actually x86 based, so most firewalls (in theory) should work, and has 3 gigabit ports.  Total for all parts (with free shipping) was $197 for the APU1C4.  There is no CD-ROM, but the device boots from SD and USB so we’ll try those.

Armed with my new little appliance and case, and some spare time, I embarked on trying to figure out a firewall that would allow me to run a DMZ with an OpenVPN client running that didn’t reset on an APU1C4 device.  One thing to note about the APU1 is that the DB9 serial port (which is it’s only console) is a MALE DB9 port, and both of my USB to Serial adapters also had male drops.  It doesn’t make a ton of sense to me to put a Male port on the device.  Therefore, I’m using an old rackmount server that has built-in Serial and a Ethernet->Serial adapter to manage the device.  If you plan to buy one, get a Female/Female adapter or a USB converter that has a female end (USB to Null Modem Adapter) to make this much easier.

Next page, we’ll have a quick summary of all the firewalls I tried to get running on the APU board and my various results.

Endian Community – A firewall I’ve used (and reviewed) before, it’s a great system for new users with a spare PC on hand.  I used Unetbootin to create a bootable USB drive.  Unfortunately, it doesn’t support serial out by default, and so after doing research and finding this thread (including fixing the initrd image), and setting all the bootloaders on the SD card to append “serial=/dev/ttyS0,115200”, I finally got it up and running and was able to run the installer.  However, on reboot, the kernel would not boot.  Just ended in boot loop.  So, this one failed on the APU1.C4.

Alpine Linux – An *extremely* small linux distribution.  While this does have a web interface, you have to install it, and all the modules you might want, and then manually configure everything.  I did have to follow their wiki to get serial working, and it did boot.  Ultimately though, I decided this required way too much work and effort configuring every rule via the Awall interface (which was not much easier than just writing iptables rules yourself, though it is flexible, which I guess is the point.)   However, had the same issue other firewalls had:  With the VPN client active and acting as a Default Gateway, the DMZ ports failed to forward properly.  I’m not sure how pfSense manages to do this, it must use bsd’s form of “custom tables” for routing by default.

m0n0wall – The inspiration for pfSense.  Also, like pfSense, provides a SD/CF card image that can be written directly to an SD card to boot.  In fact, this was the only firewall I tried that required zero manual input from serial once flashed to work.  It was pre-configured to detect the first interface and make it the LAN and setup default IP and DHCP server so clients could connect.  This was the easiest firewall on this list to get running on the APU.  However, OpenVPN support was lackluster (read: non-existent).  Bummer.

Zeroshell – This one also provides a flashable SD img file instead of an ISO.  It also worked and booted fine.  However, it was a pain trying to get the OpenVPN working right.  For one thing, it defaults to using TAP interfaces, not TUN, and there were a lot of advanced configuration options I had to add into the LAN-2-LAN options page to get my tunnel established.  Once there, I had the same problem as all the other linux-based firewalls:  Default Gateway really means Default, and I was unable to let my DMZ send return traffic out the WAN when requests came in for my site.

IPCop – Definitely one of the more well-known firewall distributions, and is the gold standard for “easy plug-n-play” firewall on a regular old x86 PC.  For the APU however, I had a number of issues.  Couldn’t get the ISO to boot from USB properly, and they don’t have an SD image, so I ended up following several tutorials on figuring out how to boot IPCop over PXE with serial.  Like here and here.  This ultimately installed.  However, still couldn’t get OpenVPN client setup working properly here either.

Smootwall Express – Couldn’t get this to boot correctly.  I hesitate though to say it won’t work, because I didn’t spend near as much time working on it as I did IPCop and Endian.  By the time I tried this firewall I was getting discouraged/annoyed at how much tinkering was needed just to get a simple installer to run over serial.

pfSense – Proving still to be the firewall to rule them all.  pfSense provides a flashable SD/CF image, but it will still go through standard pfSense setup on boot so you will need access to a serial port.  It does support serial out by default, (at 9600 baud rate though, while the APU defaults to 112400 or 115200, so you’ll need to run your minicom or terminal emulator at 9600 and deal with garbage while the APU bootloader goes until it boots from SD.)  You will need to follow these steps to get it to properly boot the first time. OpenVPN client works out of the box, enabling “Manual NAT” in the interface allows me to only allow the LAN through the VPN and the DMZ through both VPN and WAN, and VPN is the default for all outgoing traffic.  Port forwarding still works.  It all really just works.  For now, I just have to put up with the VPN resets until I can find a way to try a newer OpenVPN binary (maybe direct from FreeBSD) or figure out some other reason why this keeps happening.  However, after the latest flash, it seems to have gotten better. Note: pfSense operates on 115200 now, and the manual steps aren’t required to boot with the latest image. pfSense just works on an APU1C4. I resolved the VPN dropouts by using TCP instead of UDP.

So, there we have it.  I’ve tested 7 firewall distributions in the last 4-5 days in my spare time.  3 had flashable SD images that worked with little to no hassle (m0n0wall, Zeroshell, pfSense), 2 that I could not get to work at all (Smoothwall, Endian), and IPCop that worked but only after a *lot* of headache to get it installed which is sort of against it’s whole “easy” mantra that really sets IPCop apart from the competition. Then there is Alpine, which is to SOHO servers what Gentoo is to Linux.

One method of installation I did *not* do that is recommended by many places, is to run the regular CD installers on another computer and install it to the SD card, then take the SD card and put it into the APU.  I may try that with Smoothwall and Endian again to see if that works, but after I’ve had a break for a while.

Stay Secure.