Network upgrade KingNovyPC Firewall Micro Appliance
Last year I expanded my network with, among other things, a Proxmox server on which various services are (or are supposed to be) also reachable from the Internet. So it was time to do more about security.
Introduction
As already described, I converted an Asrock Deskmini H470 into a Proxmox server that runs my Nextcloud, among other things. Proxmox has its own firewall that can be used to restrict access to the host or to an individual VM or LXC. For an LXC, for example, you can specify that HTTP(S) access may only come from the local network; the same applies to SSH access.
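As an added illustration (not the author's own configuration), this is what such a per-container rule set looks like in a Proxmox guest firewall file, /etc/pve/firewall/<VMID>.fw. The VMID and the LAN prefix 192.168.178.0/24 are assumed placeholders; the commented-out rules show the weak variant that accepts from anywhere, the active rules restrict HTTP(S) and SSH to the local network.

```ini
# /etc/pve/firewall/<VMID>.fw  -- per-VM/LXC rule file (VMID is a placeholder)
# Assumed LAN prefix: 192.168.178.0/24 (constructed example value)

[OPTIONS]
# Turn the firewall on for this guest and drop everything not explicitly allowed.
enable: 1
policy_in: DROP
policy_out: ACCEPT
# Log dropped inbound packets so probes from the Internet show up in the log.
log_level_in: info

[RULES]
# Weak variant (left commented out): services reachable from any source,
# including the Internet.
# IN ACCEPT -p tcp -dport 80,443 -log nolog
# IN ACCEPT -p tcp -dport 22 -log nolog

# Hardened variant: HTTP(S) and SSH only from the local network.
IN ACCEPT -source 192.168.178.0/24 -p tcp -dport 80,443 -log nolog
IN ACCEPT -source 192.168.178.0/24 -p tcp -dport 22 -log nolog
```

The guest rules only take effect if the firewall is also enabled at datacenter level (the `[OPTIONS]` section of /etc/pve/firewall/cluster.fw) and the Firewall option is set on the guest's network device (`firewall=1` on `net0`). `pve-firewall compile` shows the resulting rule set and `pve-firewall status` confirms that it is active; dropped packets then appear in the guest's firewall log in the Proxmox GUI.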
Nevertheless, you still need to think about securing your own network as a whole. That involves separating different areas, e.g. the LAN from the WLAN, and placing the servers/services that you expose to the Internet in a separate network of their own.
And that’s where the idea of setting up a firewall with OPNSense came up.
The Hardware
There are now various manufacturers of such micro PCs, the best known of which is probably Protectli. Protectli is quite expensive, but there is a large selection of such firewall PCs on Amazon. What they all have in common is that they are mostly equipped with a low-power Pentium CPU. In addition, almost all of them have 4 or more network ports, which recently have mostly been 2.5 GBit ports.
The version I chose has 6 × 2.5 GBit network ports and is fanless, with an Intel N5105. Such a device without RAM or SSD costs around €250; if four network ports are enough for you, it is under €200.
The mini PC can be fitted with two sticks of DDR4 RAM and either an NVMe or a SATA SSD.
Requirements and operation
OPNSense is quite frugal in operation: OPNSense specifies 4 GB RAM and a 40 GB SSD as sufficient hardware. So if you go for 8 GB here and equip the mini PC with a 256 GB SSD, you should be on the safe side.
However, I equipped my firewall with 32 GB RAM and a 500 GB SSD, and I decided to virtualize the firewall with Proxmox so that I can use the device for other services and applications as well.
Incidentally, the hardware is quite economical: even with 4 devices connected, average consumption is around 10 W, so the KingNovy PC is perfectly suitable for continuous use as a router and firewall.
Exposed Host
There are some tips on the net on how to operate a Fritzbox more or less as a modem only, but two attempts at this failed for me. I would also have had problems with WLAN and, above all, telephony.
I therefore left my Fritzbox for WLAN and VoIP as it was and placed the OPNSense firewall logically behind it. All I had to do was define the firewall as the exposed host in the Fritzbox. This means that all incoming traffic from the Internet is forwarded to the firewall, which then decides what to let through. This gave me the opportunity to configure OPNSense at my leisure.
I will report on the next steps in Part 2.
There’s a part 2?
Part http://tuxo.li/1g9 and part 3 http://tuxo.li/1g9