A Conundrum
At home, I came across a bit of an issue. As I was adding more things to my network, my consumer-grade WiFi router (a TP-Link Archer AX3000) ran out of ethernet ports. Truly a first-world problem for the budding technologist. I needed to expand my home networking capabilities but didn't want a stopgap solution with a small switch. I decided that I needed to get something a bit more permanent.
Too Good to be True?
I was browsing the HomeLabSales subreddit when I found someone selling a Fortigate 140D-POE for cheap, around $60. This firewall has most of the standard NGFW features along with plenty of connectivity (24x standard gigabit ethernet ports, plus 16x POE gigabit ethernet ports). Thinking this was a great deal for a firewall and switch of this size, I bought it with almost no hesitation.
Upon launching the management console, I found that it was running an outdated version of FortiOS, which left me concerned that I would be connecting a potentially vulnerable device to the internet. It was then that I quickly learned that Fortinet has a policy of not providing support to people who've bought their devices from non-authorized vendors. Without going through dubious, questionably legal channels to get an OS upgrade, all I had was a device I was afraid to connect to any internet connection.
Then I got a genius idea: Why don't I put a real firewall in front of the Fortigate and use the Fortigate as a switch? That way, I could have a firewall that stays updated on my schedule and has better functionality, and the Fortigate would never face the internet directly (its outdated firmware still means its management interface should stay reachable only from the trusted LAN). That is when I started digging into how to make this happen. However, all of the commercial options get very pricey, very fast. A quick Google search informed me that the currently supported successor to my Fortigate (the 140E) would cost me somewhere in the neighborhood of $3000.
Tumbling Down the Rabbit Hole
I started to learn about open source firewall options, such as pfSense and OPNsense, which eventually led me to where I am today. Premade hardware exists for this, such as this NiuGuy 4 Port Firewall Micro Appliance (Intel Pentium N3540 4-core, 4GB RAM, 32GB mSATA SSD) on Amazon, which is $269.00 at the time of writing. Honestly, for a somewhat "out-of-the-box" solution, this one didn't seem all too bad. For a firewall, the specs would be sufficient to route traffic as needed, but something just seemed "wrong" about the idea to me. Why would I spend this much money on an appliance that's doing a relatively simple task?
I had also learned that many people were virtualizing their firewalls. Quite a few were running a hypervisor like VMware or Proxmox and then running OPNsense as a virtual machine on top of it. With that setup, I could allocate exactly the resources the firewall needs and use the rest for other home lab activities. I realized that I had found my project: I would build a Proxmox server with an OPNsense virtual machine and route all of my network traffic through it.
Formulating a Plan
There were a few basic requirements that I had set out for myself, guided by some of the recommendations from others for this kind of project.
- Network Interface Card (NIC): I wanted a network card with at least four gigabit ethernet ports, but would have settled for two. Two ports only allow a WAN-in, LAN-out setup, while four would give me the flexibility to add features such as a failover connection. Intel-based cards came with the most glowing recommendations, as the open-source drivers for them work particularly well with both OPNsense and Proxmox.
- Price: Since I could find a pre-made appliance that would meet my minimum goals for the price of $269.00, I wanted to keep my overall costs below this. I might have been willing to go a little over budget since I was building a server that could theoretically do more, but I didn't want to go too far overboard.
- Computing power: Since I would be virtualizing servers on this machine, it needed enough power to scale out past the firewall that I originally planned. It didn't need to do anything spectacular, but if I could run a couple of extra things on it I could feel like I was getting my money's worth.
- Power consumption: Since this is an appliance that would run 24x7, I wanted a machine that would consume as little power as possible. However, the energy usage at my home isn't too terrible, the device will have its own dedicated space (so the heat output isn't a problem), and our electricity is pretty cheap. Overall, this goal had the lowest priority for me.
For the hardware, I found the best option would be to repurpose an older machine. Firewalls themselves don't need much power, but if I wanted to virtualize anything more, I would need something more powerful than an Intel Atom chip. eBay has become my best friend when searching for older machines, and it did not fail me this time either.
Retail Therapy
On eBay, I found an HP ProDesk 600 G1 SFF (Small Form Factor) equipped with an Intel Core i7-4770 processor, 24GB RAM, and no storage for $100.00 with a $32.95 shipping cost (totaling $132.95). The original listing price was $140.00, though I like to watch for items with the "Accepts Offers" option. I've consistently been able to haggle around 20%-30% off the asking price. It's common to get these workstations without storage since enterprise and government users retain or destroy storage drives for data security. Since I got this machine for a great price, I figured the cost savings would be enough to cover getting storage.
The network card was next on my list. I found that HP makes a card meant for their ProLiant servers that works perfectly fine anywhere else. The HP NC364T PCIe Gigabit Ethernet Adapter was another eBay find, with a $25.00 ending price (including free shipping). This card provides four gigabit ethernet ports on an Intel chipset (the 82571EB, handled by the same well-supported Intel drivers in both Proxmox and OPNsense). For the price, I really couldn't ask for much more. This card also comes with a low profile bracket, which is needed to fit in the small form factor case.
The last thing missing from my new server was storage. This HP ProDesk has no M.2 slots, so I'm locked into using a SATA drive. The option to use a PCIe to M.2 adapter is out there, but I've often found these adapters unreliable. Jumping onto some price-watch websites, I found a Crucial MX500 1TB SATA SSD on sale for $89.99. At this time of writing, prices are commonly trending around $100.00 per terabyte of budget SSD storage, so this ended up being a great deal for something you typically don't want to buy used. For a firewall, this much storage is overkill. However, with virtualization now in the mix, that much space is precisely what I needed to get a decent rig started.
| Qty | Item | Price |
|---|---|---|
| 1 | HP ProDesk 600 G1 SFF | $132.95 |
| 1 | HP NC364T PCIe Gigabit Ethernet Adapter | $25.00 |
| 1 | Crucial MX500 1TB SATA SSD | $89.99 |
| | Total | $247.94 |
This hardware was able to meet all of my goals: it was adequately powerful, had four gigabit ethernet ports (actually five; the onboard interface was Intel-based as well), had enough storage to run a few virtual machines, and cost less than the pre-made appliance I had found on Amazon.
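To make the Proxmox-plus-OPNsense layout described above concrete, here is one way the host side could map the NC364T's four ports and the onboard port to bridges. This is an added illustration, not configuration from the original post: the interface names (enp1s0f0 through enp1s0f3 for the NC364T, eno1 for the onboard port) and the 192.168.1.0/24 addressing are assumptions; check the real names on your host with `ip -br link` before copying anything.

```text
# /etc/network/interfaces on the Proxmox host (added example; names/addresses are assumptions)

auto lo
iface lo inet loopback

# Four ports of the HP NC364T. Left unaddressed; they only feed bridges.
iface enp1s0f0 inet manual
iface enp1s0f1 inet manual
iface enp1s0f2 inet manual
iface enp1s0f3 inet manual

# Onboard Intel port, kept as a dedicated out-of-band management port.
iface eno1 inet manual

# WAN bridge: the ISP link goes straight through to the OPNsense VM (its vtnet0).
# Deliberately has NO host address: the hypervisor must never be reachable from the WAN side.
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0f0
    bridge-stp off
    bridge-fd 0

# LAN bridge: OPNsense's LAN side (vtnet1) out to the Fortigate, which now acts as a plain switch.
# The Proxmox web UI / SSH live here, behind the firewall, with OPNsense as the gateway.
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge-ports enp1s0f1
    bridge-stp off
    bridge-fd 0

# Spare ports on their own bridges: a second ISP link for failover, or an isolated lab/IoT segment.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp1s0f2
    bridge-stp off
    bridge-fd 0

auto vmbr3
iface vmbr3 inet manual
    bridge-ports enp1s0f3
    bridge-stp off
    bridge-fd 0

# Management-only bridge on the onboard port, for console access if the firewall VM is down.
auto vmbr99
iface vmbr99 inet static
    address 10.99.0.2/24
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
```

The point worth checking before going live is the `vmbr0` stanza: it is `inet manual` with no address, so the only thing answering on the ISP side is the OPNsense VM. If the Proxmox host's own address ended up on the WAN bridge, its web UI and SSH would be exposed to the internet regardless of how tight the firewall rules were. The OPNsense VM then gets one virtio NIC on `vmbr0` (WAN) and one on `vmbr1` (LAN), with the Fortigate's uplink cabled to the NC364T port behind `vmbr1`.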
For Your Consideration: An Alternative
My top pick for alternative hardware for this project would be something similar to the Dell Wyse 5070 Extended. It's a unique option that would work well as a firewall. It's a thin-client PC running on an Intel Pentium Silver J5005, a 10 W processor that packs a lot of punch for its size and power consumption. The computer has a Radeon graphics card pre-installed, which is what requires the extended chassis and PCIe slot; you'll be repurposing that PCIe slot for your NIC. They can be found used on eBay for around $200 or so. Bear in mind that since it's designed for use as a thin client and not a "normal" PC, you'll probably have to mess around with the BIOS a bit to make it play nicely with your firewall software.