Complete Guide to Setting Up a Raspberry Pi as a Firewall: How to Configure IPFire on Your LAN


April 8, 2024


In an increasingly connected world, safeguarding your home/small office network from external threats is paramount. One effective solution is to deploy a firewall, a barrier that monitors and controls incoming and outgoing network traffic based on predetermined security rules. With the ubiquity of Raspberry Pi and the robustness of IPFire, a Linux-based firewall distribution, creating a small yet powerful home firewall has become more accessible than ever.

This guide walks you through the process of setting up a Raspberry Pi as a firewall using the IPFire distribution. Whether you're looking to protect your personal devices, secure IoT gadgets, or simply enhance your network's defense, this project offers a cost-effective and customizable solution.


IPFire


IPFire is an open-source Linux distribution designed to provide a robust firewall solution for small to medium-sized networks. It offers a wide range of features including firewall, VPN, proxy, Intrusion Detection System (IDS), Quality of Service (QoS), and more. IPFire is known for its security-focused design and regular updates to address emerging threats.

Here are some key features of IPFire:

Firewall: IPFire includes a powerful firewall that allows you to define rules to control incoming and outgoing traffic based on various criteria such as source/destination IP address, port, protocol, and interface.

Virtual Private Network (VPN): IPFire supports VPN connections, allowing you to securely connect remote devices or offices to your network. It supports various VPN protocols including OpenVPN and IPsec.

Proxy Server: IPFire includes a proxy server that can cache web content, filter content based on URL or content type, and provide additional security by inspecting and filtering web traffic.

Intrusion Detection System (IDS): IPFire includes an IDS called Snort, which monitors network traffic for suspicious activity and alerts you to potential security threats.

Quality of Service (QoS): IPFire allows you to prioritize network traffic to ensure that critical applications or services receive adequate bandwidth and performance.

Updates and Security: IPFire receives regular updates to address security vulnerabilities and includes features like packet filtering, Stateful Packet Inspection (SPI), and network address translation (NAT) to enhance network security.

Installation

1. Download IPFire: Download the ARM image suitable for Raspberry Pi: https://downloads.ipfire.org/releases/ipfire-2.x/2.29-core183/ipfire-2.29-core183-aarch64.img.xz

2. Prepare the MicroSD card: Use software like Raspberry Pi Imager to flash the IPFire image onto the MicroSD card.


3. Configure IPFire: Connect the Raspberry Pi to your network router using the Ethernet cable and power on the Raspberry Pi.

4. Initial Setup: Once booted, the Raspberry Pi will start the IPFire setup process. Follow the on-screen instructions to configure IPFire. Set passwords, network configuration, and other preferences.


Configuration


When installing IPFire on a Raspberry Pi, the network setup is similar to other platforms but may have some specific considerations due to the Raspberry Pi's hardware and network interfaces. Here's a guide to the standard IPFire installation network setup on a Raspberry Pi:


1. Green Network (LAN):

This network segment represents your trusted internal network where your local devices reside.

Connect the Raspberry Pi's Ethernet port (eth0) to your local network switch or router using an Ethernet cable.

During the IPFire installation process, assign the Ethernet interface (eth0) to the Green network segment.

Configure the Green network with an appropriate IP address range (e.g., 192.168.x.x or 10.x.x.x) and subnet mask that matches your existing LAN setup.


You can also configure the Green network to provide DHCP services to your local devices if desired.

2. Red Network (WAN - Internet):

This network segment represents the untrusted external network that connects to the internet.

Connect the Raspberry Pi's USB Ethernet (eth1) to your internet modem or router using another Ethernet cable.

During the IPFire installation process, assign the Ethernet interface (eth1) to the Red network segment.

By default, IPFire will attempt to obtain an IP address for the Red network interface dynamically via DHCP from your ISP. If you have a static IP address from your ISP, you can configure it during the installation process.


3. Optional Networks (Blue, Orange, etc.):

If you have additional network segments (e.g., guest network, IoT network), you can configure them as optional networks during the IPFire installation process.

Connect additional Ethernet adapters (if available) to the Raspberry Pi's USB ports and assign them to the desired network segments (e.g., Blue, Orange) during installation.
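A common pitfall with the zone layout above is that Red, plugged into an existing router, receives an address from the same subnet you planned for Green. The following sanity check of a zone address plan is an added example, not part of IPFire or of the original guide; the function name `check_plan` and every address in it are assumptions constructed for illustration.

```python
import ipaddress

def check_plan(green_if, red_if, dhcp_start=None, dhcp_end=None, extra_zones=None):
    """Return a list of problems in a zone address plan (empty list means OK).

    green_if / red_if: interface addresses in CIDR form, e.g. "192.168.10.1/24".
    extra_zones: optional dict such as {"blue": "192.168.20.1/24"}.
    """
    zones = {"green": ipaddress.ip_interface(green_if),
             "red": ipaddress.ip_interface(red_if)}
    for name, addr in (extra_zones or {}).items():
        zones[name] = ipaddress.ip_interface(addr)
    problems = []

    # Internal zones should sit in private, non-Internet-routable space.
    for name, iface in zones.items():
        if name != "red" and not iface.network.is_private:
            problems.append(f"{name}: {iface.network} is not private address space")

    # Zones must not overlap, otherwise the firewall cannot route between them.
    names = sorted(zones)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if zones[a].network.overlaps(zones[b].network):
                problems.append(f"{a}/{b}: {zones[a].network} overlaps {zones[b].network}")

    # The Green DHCP pool must be usable host addresses and skip the firewall itself.
    if dhcp_start and dhcp_end:
        green = zones["green"]
        net = green.network
        start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
        if start > end:
            problems.append("dhcp: start address is after end address")
        for label, ip in (("start", start), ("end", end)):
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"dhcp: {label} {ip} is not a usable host in {net}")
        if start <= green.ip <= end:
            problems.append(f"dhcp: pool contains the firewall's own address {green.ip}")
    return problems

if __name__ == "__main__":
    # Constructed sample: Red leased 192.168.1.50 from an upstream router,
    # while Green was also planned as 192.168.1.0/24.
    for line in check_plan("192.168.1.1/24", "192.168.1.50/24",
                           "192.168.1.1", "192.168.1.50"):
        print("PROBLEM:", line)
```

If the check reports an overlap, move Green to a different private subnet before running the installer rather than changing the upstream router.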

The last thing to configure is the DHCP (Dynamic Host Configuration Protocol) Server for the Green Interface.


DHCP can be configured with the setup program only during installation. However, you can change all of these settings after installation in IPFire's Web UI, which opens when you enter https://ipfire.localdomain:444, https://ipfire:444 or https://192.168.1.1:444 in a browser.


You will be prompted to log in to the IPFire web interface. Use the credentials you set up during the initial configuration.

Configuring Services:

Once logged in, navigate to the "Services" tab in the web interface. Here you'll find various services that you can configure according to your needs.

DHCP Server:
Under the "Services" tab, click on "DHCP Server" to configure DHCP settings.

You can set up the DHCP server to automatically assign IP addresses to devices on your network.


Configure the DHCP lease range, DNS settings, and other options as needed.

Firewall:
Navigate to the "Firewall" tab to configure firewall rules.


You can create rules to allow or block traffic based on various criteria such as source/destination IP addresses, ports, and protocols.

Configure port forwarding, NAT rules, and other firewall settings as required.

Proxy Server:


If you want to use the proxy server feature of IPFire, navigate to the "Proxy" tab. Configure proxy settings such as cache size, access control lists, and logging options. You can also enable content filtering and set up URL filtering rules.

VPN (Virtual Private Network):
IPFire supports various VPN protocols including OpenVPN and IPsec. Navigate to the "VPN" tab to configure VPN settings. You can set up VPN clients and servers, configure VPN tunnels, and manage certificates and keys.


After configuring the desired services, make sure to save your changes and apply them. Some changes may require a restart of specific services or the entire system.

Monitor and Troubleshoot:
After configuring services, monitor their performance and troubleshoot any issues that may arise.


IPFire provides logs and monitoring tools to help you keep track of network activity and service status.
