For the past few months, I’ve been working continuously on our home firewall. I was pretty happy with the pfSense firewall back when we had a 70 Mbps Comcast cable modem, but I was somewhat concerned about the trust I was putting into all the “Internet of Things” type devices we have installed in our house. The AT&T 600+ Mbps fiber connection came with its own Wi-Fi/router, and you are required to use it as your LAN router. It terminates the fiber link, and it’s also the gateway (if you buy them) to their voice over IP services. As a weird legacy note, it also has a coax cable port on the back, and supports MoCA (IP over 50 ohm coax cable). The only other products I’ve seen that support MoCA are TiVos.
The AT&T gateway presented a few problems. First, I didn’t want to rely on their gateway as our sole defense against the Internet. It’s under the company’s control, which means it can be remotely controlled. I learned from the gateway’s web GUI and logs that AT&T only supports IPv4 on their fiber network. The gateway runs tunrd IPv6-over-IPv4 tunnel software to let the LAN connect to IPv6. This wouldn’t be a problem if they’d let me have a larger network than that single /64 subnet. The menus show that the gateway does allocate a larger /60 range (16 subnets) and uses the first one on the LAN, but they provide no way for me to make use of any of the other 15 subnet ranges, so that is a dead end.
At first, I tried to survive on a single LAN and make my pfSense firewall support bridging mode, but after a few days I gave up and switched to a Linux firewall running Shorewall (and Shorewall6), because I knew that would work. I was able to keep the single IPv4 /24 and single IPv6 /64 ranges for everything. The bridging mode in Shorewall works great, and let me keep devices that are human operated (tablets, phones, laptops) in one more-trusted security zone, while leaving everything else in the house (thermostat, TiVo, etc.) in a less-trusted zone. That way I could allow everybody out to the Internet, but keep a tighter rein on the “Internet of Things” devices in the house by not letting them connect to the trusted-zone devices.
The first problem appeared when I set up BitTorrent to work on my Mac. I set up a port forward rule on the gateway to point a high port at my host. It worked great for my IPv4 address, but the gateway had no way to open up the IPv6 port, and kept refusing all incoming connections to that port on my IPv6 address. I decided that the bridging mode was too complex, that I wanted multiple subnets, and that the AT&T IPv6 firewall was a purposely broken feature. I already knew AT&T customer support would take forever and probably just end up being frustrating, so I didn’t even bother. I concluded that a single bridged LAN wasn’t going to cut it with my lab. I wanted my firewall to route, and I wanted it to handle IPv6 properly.
I worked around the IPv6 issue quickly by turning off IPv6 on the AT&T gateway LAN, and running my own firewall with its own free 6-over-4 tunnel to Hurricane Electric. They allocated me a /48 range (64k subnets), which is way more than I need, but awesome. Switching the IPv4 connection from the gateway to my firewall to a routed mode was straightforward. Shorewall lets me set up a range of IP addresses to use on the red net for outbound NAT’d internal traffic. It also lets me set up static NAT IP addresses to provide services, like my BitTorrent server.
I did try connecting the firewall to an Internet VPN service, and routing all our IPv4 traffic over the VPN. It works, but even on a 600+ Mbps fiber link, VPNs slow everything down, add high latency, and break HD video streaming. It wasn’t going to work to route everything through the tunnel, so I turned it back off.
I’m forwarding all Shorewall logs to an instance of Splunk Light, where I can view reports on which protocols the untrusted LAN devices are using, where they are connecting to, etc. As I’ve learned what’s normal, like the TiVo updating its program guide, I’ve added rules to allow that traffic without logging, so all that gets logged now is the unusual traffic. If anybody were ever to take over control of one of our Internet of Things devices, I’d learn about it quickly.
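As an added example (not code from the post), here is a small Python parser over constructed Shorewall log lines that builds the same per-device protocol/destination summary described above and flags any flow outside a known-normal baseline. The zone names iot/trust, the bridge interface names and the addresses are assumptions; the post does not give them.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog/netfilter form Shorewall emits, with its
# "Shorewall:<chain>:<disposition>:" prefix. Zone names "iot" and "trust" are
# assumptions (the post does not name its zones); addresses are documentation ranges.
SAMPLE_LOGS = """\
Jun 12 10:14:22 fw kernel: Shorewall:iot-net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.2.50 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Jun 12 10:14:25 fw kernel: Shorewall:iot-net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.2.50 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443
Jun 12 10:15:01 fw kernel: Shorewall:iot-net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.2.51 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=123
Jun 12 10:16:40 fw kernel: Shorewall:iot-trust:REJECT:IN=br0 OUT=br1 SRC=192.168.2.50 DST=192.168.1.20 PROTO=TCP SPT=51300 DPT=22
Jun 12 10:17:03 fw kernel: Shorewall:iot-net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.2.50 DST=198.51.100.200 PROTO=TCP SPT=51400 DPT=25
Jun 12 10:17:09 fw kernel: Shorewall:iot-net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.2.51 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):.*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Flows already understood to be normal (the post's example: the TiVo fetching its
# programme guide). Constructed baseline; keyed (src, dst, proto, dport-or-None).
KNOWN_NORMAL = {
    ("192.168.2.50", "203.0.113.10", "TCP", "443"),
    ("192.168.2.51", "198.51.100.7", "UDP", "123"),
}

def parse_line(line):
    """Return the fields of one Shorewall log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count (src, chain, disposition, dst, proto, dport) tuples: the per-device
    'which protocols, to where' report the post builds in Splunk."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[(rec["src"], rec["chain"], rec["disp"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return counts

def unusual_flows(log_text, baseline=KNOWN_NORMAL):
    """Flows absent from the baseline: blocked attempts at the trusted zone or
    outbound traffic to new destinations or ports, the events worth an alert."""
    seen = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["src"], rec["dst"], rec["proto"], rec["dpt"])
        if key not in baseline:
            seen.setdefault(key, rec["disp"])  # keep first disposition seen per flow
    return sorted(seen.items(), key=lambda kv: [str(f) for f in kv[0]])
```

Lines with no destination port (ICMP) still parse, with dport None, so they are compared against the baseline rather than silently dropped.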
I did wonder about the performance of the firewall, particularly because the fanless server it’s running on is not particularly fast. But fast.com and speedtest.net rates on my Mac are the same with or without the firewall, so I’m satisfied it’s fast enough. I should bring my laptop downstairs, plug it in, and see if I can drive the firewall up to the fiber network’s 600 Mbps peak with a gigabit Ethernet connection instead of Wi-Fi.