Home Lab Guides: Proxmox 6 — IPFire Firewall

Elijah Liedtke
4 min read · Jan 10, 2021

https://www.commander1024.de/wordpress/wp-content/uploads/2009/10/ipfire01.png

This guide will take you through the process of installing IPFire, updating routing for devices, and creating a few rules to secure access. IPFire is a free, open-source firewall and Intrusion Detection/Prevention System that can help prevent Denial-of-Service (DoS) attacks and help protect against attacks from external networks.

This guide was designed for IPFire v2.25.

Home Lab Guides: Proxmox 6

Part 1: Basic Setup and Installation
Part 2: PCI(e) Passthrough with NVIDIA
Part 3: IPFire Firewall
Part 4: Pi-hole
Part 5: Network and System Monitoring with Grafana, InfluxDB and Telegraf
Part 6: Automation with Ansible

Table of Contents

1.0 Preparation
1.1 Prepare the ISO
1.2 Create a VM
1.2.1 General
1.2.2 OS
1.2.3 System
1.2.4 Hard Disk
1.2.5 CPU
1.2.6 Memory
1.2.7 Network
1.3 Add second NIC
2.0 IPFire
2.1 Install IPFire
2.2 Configure IPFire
2.2.1 Network configuration menu
2.2.2 DHCP server configuration
2.3 Access WebUI
2.4 Update protected machines
3.0 References
4.0 Author's Notes

1.0 Preparation

If you don’t know how to create a new virtual machine, check out Part 1, section 4.2 Create a Virtual Machine, of the Home Lab Guide series.

Minimum Requirements

  • Processor: x86_64 CPU with 1 GHz or better or a supported ARM SBC
  • Memory: 1GB or greater
  • Storage: at least 4GB of hard disk storage
  • Network: at least two Ethernet network adapters

1.1 Prepare the ISO

  1. Go to https://www.ipfire.org/download to get the latest ISO from the official source.
  2. Upload the ISO to your Proxmox ISO storage.

1.2 Create a VM

If not mentioned, leave the defaults.

1.2.1 General

  1. Select Advanced to display advanced options.
  2. Select Start at boot.
  3. Set Start/Shutdown order to 1 so the firewall is the first system started after the host system boots.

1.2.2 OS

  1. Select your ISO.
  2. Set Guest OS Type to Other.

1.2.3 System

Leave the defaults.

1.2.4 Hard Disk

  1. Set Disk Size to 8GB. IPFire suggests 4GB minimum if you’re limited on space.
  2. Select SSD emulation if your storage disk is an SSD drive.

1.2.5 CPU

Leave the defaults.

1.2.6 Memory

  1. Set Memory to 1024. IPFire suggests 1GB minimum.

1.2.7 Network

  1. Change Model to VirtIO (paravirtualized).
  2. Click Next, then Finish to complete the VM setup.

1.3 Add second NIC

  1. Select your IPFire VM in the left column to open the VM config page.
  2. Select Hardware in the VM config page.
  3. Click Add and choose Network Device.
  4. Change Model to VirtIO (paravirtualized).
  5. Click Add to install the NIC.

2.0 IPFire

Note: Press TAB to switch between elements.

2.1 Install IPFire

  1. Start the VM and open a Console window.
  2. Press Enter to start the OS installation.
  3. Choose your preferred language.
  4. Press Enter to start the installation process.
  5. Press Right Arrow, then Spacebar to select ‘I accept this license’.
  6. Press Right Arrow then Enter to continue to the next step.
  7. Press Enter to ‘Delete all data’ on the VM drive.
  8. Press Enter to choose the ext4 Filesystem and install IPFire.
  9. Press Enter to Reboot.

2.2 Configure IPFire

  1. Choose your keyboard type.
  2. Choose your timezone.
  3. Enter your machine’s hostname or leave the default.
  4. Enter your machine’s domain name or leave the default.
  5. Create your root user’s password. Note: nothing will show up when you start typing. Keep Calm and Type On.
  6. Create your IPFire WebUI admin password.

2.2.1 Network configuration menu

The Green network is the local network for all devices that will use the IPFire firewall. The Red network is the external/public network.

2.2.1a Drivers and card assignments

Note: For this guide, it doesn’t matter which NIC you choose.

  1. Set the Green interface.
  2. Set the Red interface.

2.2.1b Address settings

If your network is similar to mine, your host machine is directly connected to an ISP-provided router that also provides DHCP. If you still have the default settings, your local IP address range is likely 192.168.0.0/24.

Green
192.168.50.1 # This can be whatever you want, but stick to a Class C address
255.255.255.0
Red
192.168.0.2
255.255.255.0
# This is the address recognized by the ISP router for internet connections
# This will likely cause issues if you don't reserve the address
# You can also define the DHCP range and set Red to outside the range

2.2.1c Gateway settings

If you have default ISP router settings, your default gateway should be 192.168.0.1.

  1. Set default gateway to your ISP router IP.
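
An added example (not part of the original guide): a Python check of the Green/Red/gateway plan from sections 2.2.1b and 2.2.1c before you type it into the setup menu. The function name `check_plan` and the ISP DHCP pool in the sample call are assumptions; substitute your router's actual range.

```python
import ipaddress

def check_plan(green_if, red_if, gateway, isp_dhcp_pool=None, clients=()):
    """Return a list of problems in an IPFire Green/Red addressing plan.

    green_if / red_if: 'address/netmask' as entered in the setup menu.
    isp_dhcp_pool: optional (first, last) addresses handed out by the ISP router.
    clients: static addresses planned for VMs on the Green network.
    """
    problems = []
    green = ipaddress.ip_interface(green_if)
    red = ipaddress.ip_interface(red_if)
    gw = ipaddress.ip_address(gateway)

    if not green.network.is_private:
        problems.append(f"Green {green.network} is not a private range")
    # Overlapping subnets leave IPFire unable to tell which side a host is on.
    if green.network.overlaps(red.network):
        problems.append(f"Green {green.network} overlaps Red {red.network}")
    if gw not in red.network:
        problems.append(f"gateway {gw} is not on Red {red.network}")
    if gw == red.ip:
        problems.append("Red address equals the default gateway")
    # A Red address inside the router's DHCP pool can be leased to another device.
    if isp_dhcp_pool:
        first, last = (ipaddress.ip_address(a) for a in isp_dhcp_pool)
        if first <= red.ip <= last:
            problems.append(f"Red {red.ip} is inside the ISP DHCP pool")
    for c in clients:
        host = ipaddress.ip_address(c)
        reserved = (green.network.network_address, green.network.broadcast_address)
        if host not in green.network:
            problems.append(f"client {host} is not on Green {green.network}")
        elif host == green.ip:
            problems.append(f"client {host} conflicts with the IPFire Green address")
        elif host in reserved:
            problems.append(f"client {host} is a network/broadcast address")
    return problems

# Values from this guide.
GREEN = "192.168.50.1/255.255.255.0"
RED = "192.168.0.2/255.255.255.0"
GATEWAY = "192.168.0.1"

if __name__ == "__main__":
    # Assumed ISP pool (constructed sample): the router leases .2 through .254.
    for p in check_plan(GREEN, RED, GATEWAY,
                        isp_dhcp_pool=("192.168.0.2", "192.168.0.254"),
                        clients=["192.168.50.2"]):
        print("WARNING:", p)
```

An empty list means the plan is consistent; with the assumed pool above, the script flags the Red address as needing a reservation, which is the issue the comments in 2.2.1b describe.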

2.2.2 DHCP Server Configuration

Don’t enable the DHCP server unless you want DHCP assignments for devices on the Green network.

2.3 Access WebUI

The WebUI can ONLY be accessed from within the Green network, so you’ll need a VM with a desktop environment, a browser, and a NIC on the Green network.

  1. Browse to the IPFire Green address, https://192.168.50.1:444, to access the WebUI.

2.4 Update protected machines

The following is only necessary if you don’t have DHCP enabled.

  1. Log in to any VM you want to protect with IPFire.
  2. Set the IP address to one in the Green network 192.168.50.0/24, e.g. 192.168.50.2.
  3. Set the default gateway to the IPFire Green IP, 192.168.50.1.

Your VMs should now be protected behind a secure firewall. Congratulations and take a break!

3.0 References

wiki.ipfire.org — Hardware; 10–01–2021; https://wiki.ipfire.org/hardware

ipfire01.png; 10–01–2021; https://www.commander1024.de/wordpress/wp-content/uploads/2009/10/ipfire01.png

4.0 Author’s Notes

  • Thanks for reading this article! If you have any questions, suggestions or comments, feel free to leave a comment.
  • If you want to be able to access VMs behind the firewall, you’ll need to add rules that allow connections from your Red network to the Green network, plus routes. If your ISP router can handle it, add routes to the Green network via the IPFire VM’s Red interface IP; otherwise you’ll need to add the routes manually on each device.
