Today's threat landscape is drastically different, and automated tools have made it so that our home networks can no longer hide behind the myth of security through obscurity. With bots and scanners constantly probing our networks, running a firewall that's more advanced than your ISP router's is almost an essential component of modern living.
And there are so many options if you look, from running a custom firewall with OPNsense to prosumer and enterprise firewalls, all of which are easily obtainable and fairly approachable to learn. One of the better-known options for custom firewalls is IPFire. It's a dedicated firewall based on Linux, hardened and optimized for the specific task of securing your network, and it's both fast to set up and fast to use.
What is IPFire exactly?
Custom router firmware didn't disappear, it just got better
When you want to build your own router, you've got many options these days, from firmware that replaces the manufacturer's firmware to complete operating systems that you install like any other OS. We've extensively covered plenty of different firewall software packages over the years, but only touched upon IPFire, and that's a shame. It's widely used, has advanced features that you'd typically need to configure from scratch elsewhere, and is easy to manage from the web-based GUI.
IPFire consists of:
- Firewall
- Quality of Service
- Intrusion Prevention System (IPS), thanks to Snort
- Stateful packet inspection (SPI)
- Web proxy
- IPsec or OpenVPN support
- Internal DNS proxy with DNSSEC, caching and DNS-over-TLS
- Extensibility through add-ons
As it's got Linux at its core, IPFire can run on a wide variety of hardware, from traditional PCs to virtual machines and embedded devices. How you want to run it is your choice, and it also depends on the needs of your network. Everyone's setup is slightly different, and it's great that there are choices for how you install and run your firewall, because ultimately you want a sustainable way to manage it over the long term.
It's built for speed
The throughput and monitoring speeds of IPFire depend on the hardware it's installed on, with powerful multicore CPUs with high clock speeds easily outperforming embedded SBCs and other low-power hardware. It also depends on your network's speed: 1GbE connections are probably fine on slower hardware, while 2.5GbE or higher will significantly benefit from CPU speeds of 1.5GHz or more.
Setting up IPFire is a breeze
And adding new features is just as fast
Getting IPFire up and running is a short process. The installer selects the drive in your host machine, installs the necessary files, then gets you to set up the network interfaces. This is slightly different from other firewalls due to the naming convention IPFire uses, but it's not hard to figure out and only takes a minute to set up the WAN, LAN, and wireless network (if being used).
Losing access to the GREEN network is easy, and IPFire doesn't have any default lock-out rules like OPNsense.
IPFire has one quirk during the setup stages that guides every decision. It's how the firewall handles zones, with Green, Blue, Orange, and Red. These are as follows:
| Zone | Role | Description |
|---|---|---|
| RED | WAN | The external network |
| GREEN | LAN | Local network |
| ORANGE | DMZ | An unprotected network accessible from the internet |
| BLUE | WLAN | Separate network for wireless clients |
Blue can be assigned to a NIC or port with an access point attached to it, or to a supported Wi-Fi card. Orange puts the devices on that NIC outside the firewall, which is handy for some older game consoles but should be used as a last resort. Green and Red are the two zones that most users will concentrate on, and that's how I set up my installation.
You need to assign a NIC to each color before proceeding, and then you can set up network addresses for each color. If you have IPsec, OpenVPN, or WireGuard VPNs set up, those will show up on the main dashboard as individual network interfaces, and any devices connected will be in a section below that. It's pretty standard fare, to be honest, but the speed and responsiveness of the dashboard makes IPFire a joy to use.
One neat feature is the hardware vulnerability page, which shows any issues like Meltdown & Spectre, and whether your CPU is affected, vulnerable, or if the problems have been mitigated with firmware or other fixes. I wish more devices showed this, so you have full visibility into issues affecting security without having to dive into research mode.
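The hardware vulnerability page described above reports per-issue states (not affected, mitigated, vulnerable). As an added example that is not IPFire's own code, the script below classifies the same kind of status text from the Linux kernel's sysfs interface (`/sys/devices/system/cpu/vulnerabilities`, present on kernels 4.15 and later); that IPFire's page reads this exact interface is an assumption, and the sample tree it builds is constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example: summarise Linux CPU vulnerability status per issue.
# Assumes the kernel sysfs interface /sys/devices/system/cpu/vulnerabilities;
# whether IPFire's hardware vulnerability page uses it is an assumption.

# classify STATUS -> not-affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # e.g. "Unknown: ..." under a hypervisor
    esac
}

# report DIR: one tab-separated line per entry: name, class, raw kernel text
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify "$status")" "$status"
    done
}

# count_class DIR CLASS: number of entries in the given class
count_class() {
    report "$1" | awk -F'\t' -v c="$2" '$2 == c { n++ } END { print n+0 }'
}

# Constructed sample tree (not from a real machine) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'       > "$d/meltdown"
    printf 'Vulnerable\n'            > "$d/spectre_v2"
    printf 'Not affected\n'          > "$d/itlb_multihit"
    printf 'Mitigation: Microcode\n' > "$d/mds"
    echo "$d"
}

# Run with --sample to use the constructed tree, otherwise read the live sysfs.
if [ "${1:-}" = "--sample" ]; then
    report "$(make_sample)"
else
    report "$@"
fi
```

Running it without arguments on a Linux host prints the live status; any entry classified as `vulnerable` is one the firewall host still needs a microcode or kernel fix for.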
It's full of monitoring and other neat tools
The status pages show metrics on system usage, memory, running services and their status, metrics on any hard drives installed, pages and pages of network statistics, and a ton of other things that you'd normally have to spend time installing monitoring and graphing packages to get. I love this, as setting up monitoring and dashboards is not my favorite task, so having everything immediately available is awesome.
Then there's deep network customization: zones, VLANs, DNS, the web proxy (which can filter URLs by category), and update acceleration, which caches software updates so your clients download them at full speed. There's a Captive Portal that new users on the network are sent to before they can use the rest of the network, and deep DNS configuration, including forwarding, internal hostnames, static routes, and more.
IPFire is another alternative if you want to make your own router
The speed and responsiveness of IPFire are winners, and the depth of options that are immediately accessible makes this one of the best firewalls I've used so far. It gets bonus points for having a full-featured DNS solution for caching, resolving, and blocking, so you don't have to add Unbound, Pi-hole, or any other packages to become more secure. It only takes a few clicks to get Snort running as IDS/IPS, and you can also set up geoblocks. This is all before you even touch the Pakfire package manager, which has the usual suspects for networking packages you might want, and a bunch of things you might not have thought of.
