Why IPFire?
The honest answer: because it boots on hardware where pfSense and OPNsense refuse to. IPFire is Linux-based, so it picks up cheap Realtek NICs that FreeBSD-based firewalls choke on, and it idles at around 200-300MB RAM instead of the 1.5-2GB that OPNsense wants. The trade-off is a smaller feature set and a web UI that looks like it was last redesigned during the Obama administration. But the core firewall features work fine.
What you actually get:
- Color-coded zones (RED=WAN, GREEN=LAN, BLUE=WiFi, ORANGE=DMZ)
- Suricata-based intrusion prevention system
- Web proxy with URL filtering
- VPN support (IPsec, OpenVPN)
- Runs on hardware from 2010 without complaining
Hardware Requirements
Minimum (and I mean it actually runs at these specs, unlike OPNsense's "minimum" that's really a floor for misery):
- 1 GHz processor — even old Atoms work
- 1 GB RAM (2GB if you want Suricata running)
- 4 GB storage — an old SSD or even a compact flash card
- At least 2 network interfaces
Thin clients, old desktops, embedded boards with dual NICs: anything 64-bit x86 from roughly the last 15 years will probably work. Current IPFire releases ship 64-bit images only, so the very oldest 32-bit-only Atoms are out. The Linux kernel underneath has vastly better hardware support than FreeBSD, which matters a lot when you're scrounging parts.
Installation
Grab the ISO from ipfire.org, check its SHA-256 against the checksum published alongside the download before you trust it, and write it to a USB stick with Rufus or dd.
- Boot from USB
- Select language and keyboard
- Accept license
- Choose installation destination
- Select filesystem (ext4 is fine)
- Wait for installation
- Setup wizard runs automatically
Network Configuration
The installer walks you through assigning physical NICs to zones. This is where IPFire's color system starts:
- RED - WAN interface (faces the internet)
- GREEN - LAN interface (your trusted machines)
- BLUE - Optional, meant for wireless or semi-trusted devices
- ORANGE - Optional, DMZ for anything you expose to the internet
You need at least RED and GREEN. If you only have two NICs, that's all you'll get, and honestly it's enough for most setups.
Web Interface
Connect to the GREEN interface and open https://YOUR_IP:444 in a browser.
Yes, port 444, not 443. One of many small IPFire quirks you just learn to live with.
Log in as admin with the web-interface password you set during setup (root is the console and SSH account, not the web UI login). And brace yourself: the web UI feels like it's from 2008. It works, everything is functional, but the layout and design are ancient. If you've used OPNsense or even pfSense's interface, this will feel like stepping back a decade. I got used to it after a week, but it's the single biggest cosmetic complaint I have with IPFire.
The Zone System
This is the one thing IPFire genuinely does well. Traffic from a less-trusted zone into a more-trusted one is blocked by default; only the trusted side gets to initiate connections. My IoT stuff sits on BLUE and cannot talk to GREEN where my real computers are. No writing iptables rules by hand, no pfctl syntax, just color-to-color policies. It's simple, maybe overly simple for complex setups, but for a home network it's exactly enough.
Default traffic flows:
- GREEN to RED: Allowed (LAN reaches internet)
- RED to GREEN: Blocked (internet can't reach LAN)
- GREEN to ORANGE: Allowed (LAN can reach DMZ services)
- ORANGE to GREEN: Blocked (compromised DMZ host can't pivot to LAN)
If you need BLUE to reach a specific service on GREEN, you add an explicit rule. Otherwise, it's blocked. That's the whole model.
Firewall Rules
Firewall → Firewall Rules in the web UI.
Each rule has four pieces:
- Source (zone, subnet, or specific IP)
- Destination (zone, subnet, or specific IP)
- Protocol and port
- Action (ACCEPT, DROP, or REJECT)
Port Forwarding
Port forwarding is just a firewall rule with NAT switched on: Firewall → Firewall Rules, create a new rule, enable the NAT option and choose destination NAT (port forwarding). There is no separate port-forwarding page.
Standard DNAT setup for exposing internal services:
- Source: RED (or, better, only the external addresses that actually need to get in)
- External port: e.g., 443
- Destination: internal IP and port, ideally a host on ORANGE rather than GREEN
The rule opens that one port through the RED block for the target host, so a forward into GREEN parks an internet-exposed service next to your trusted machines. That is exactly what ORANGE exists for.
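An offline check for the zone model, the four rule fields and the port-forward caveat above, as an added example (not code from IPFire or from this post). It models each rule with the four fields the Firewall Rules page exposes plus an optional dnat target, and flags every ACCEPT rule that opens a path from a less-trusted zone into a more-trusted one: whole-zone allows and forwards that land on GREEN are rated high, single-host exceptions are listed for review. The zone subnets, field names and sample rules are constructed for the example; substitute your own.

```python
"""Lint a set of IPFire-style zone rules offline (added example, not IPFire code).

Each rule carries the four fields the Firewall Rules page exposes (source,
destination, protocol/port, action) plus an optional 'dnat' target for port
forwards. Field names, zone subnets and sample rules are constructed for this
example; the trust ordering is the zone model described in the text.
"""
import ipaddress

# Zone trust order: a flow from a higher number to a lower one is the default
# (GREEN -> RED, GREEN -> ORANGE); the reverse direction needs an explicit rule.
TRUST = {"RED": 0, "ORANGE": 1, "BLUE": 2, "GREEN": 3}

# Constructed zone subnets (assumption for this example; use your own).
ZONE_NETS = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),
    "BLUE": ipaddress.ip_network("192.168.2.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.3.0/24"),
}


def zone_of(target):
    """Map a zone name, subnet or single host to its zone.

    Anything outside the internal zones is treated as RED (the internet)."""
    if target in TRUST:
        return target
    net = ipaddress.ip_network(target, strict=False)
    for zone, zone_net in ZONE_NETS.items():
        if net.subnet_of(zone_net):
            return zone
    return "RED"


def is_whole_zone(target):
    """True for a zone name or a full zone subnet, False for a narrower target."""
    if target in TRUST:
        return True
    return ipaddress.ip_network(target, strict=False) in ZONE_NETS.values()


def audit_rules(rules):
    """Return (severity, rule_index, message) for every ACCEPT rule that opens a
    path from a less-trusted zone into a more-trusted one."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "ACCEPT":
            continue  # DROP/REJECT never widen the policy
        src_zone = zone_of(rule["source"])
        target = rule.get("dnat") or rule["destination"]  # DNAT: judge the real target
        dst_zone = zone_of(target)
        if TRUST[src_zone] >= TRUST[dst_zone]:
            continue  # toward a less-trusted zone: the default, nothing to review
        if rule.get("dnat") and dst_zone == "GREEN":
            findings.append(("high", i, f"port forward {rule['port']} -> {target} lands on GREEN; host the service on ORANGE instead"))
        elif is_whole_zone(target) or rule["port"] == "any":
            findings.append(("high", i, f"{src_zone}->{dst_zone} allow is not pinned to one host and port"))
        else:
            findings.append(("info", i, f"{src_zone}->{dst_zone} exception: {target} {rule['port']}"))
    return findings


# Constructed sample ruleset for the demo.
SAMPLE_RULES = [
    {"source": "GREEN", "destination": "RED", "port": "any", "action": "ACCEPT"},
    # IoT hub on BLUE may reach one GREEN host on one port: a sane exception
    {"source": "BLUE", "destination": "192.168.1.10", "port": "tcp/8123", "action": "ACCEPT"},
    # whole-zone allow from BLUE into GREEN defeats the point of having BLUE
    {"source": "BLUE", "destination": "GREEN", "port": "any", "action": "ACCEPT"},
    # two port forwards from RED: one into GREEN (bad), one into ORANGE (expected)
    {"source": "RED", "destination": "RED", "port": "tcp/443", "action": "ACCEPT", "dnat": "192.168.1.20"},
    {"source": "RED", "destination": "RED", "port": "tcp/443", "action": "ACCEPT", "dnat": "192.168.3.20"},
    {"source": "ORANGE", "destination": "GREEN", "port": "any", "action": "DROP"},
]

if __name__ == "__main__":
    for severity, idx, msg in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {idx}: {msg}")
```

Run it against a transcription of your own rule list before and after you add an exception; anything rated high is a rule you should be able to justify out loud.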
Intrusion Prevention System
Suricata ships as part of the core system, no Pakfire add-on required, and it's the main reason I'd pick IPFire over just sticking a Linux box with iptables in front of my network.
Services → Intrusion Prevention System
- Enable on the RED interface
- Pick a rule provider; the free Emerging Threats Open ruleset works fine to start
- Set rules to auto-update daily
One thing nobody tells you: the Emerging Threats ruleset flags completely normal traffic as suspicious. DNS-over-HTTPS, Spotify streams, Discord connections — all of these trigger "ET POLICY" alerts. I spent my first evening convinced something on my network was compromised. It wasn't. Suricata just generates a wall of noise until you go through and disable the overly broad policy rules. Budget an evening for tuning, or your logs will be unreadable within a day.
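The tuning pass described above, as an added example (not code from IPFire, Suricata or this post): rank the signatures in Suricata's eve.json alert log by hit count and distinct source hosts, pull out the ET POLICY entries that fire repeatedly, and emit the matching threshold.config suppress lines for reference. On IPFire the actual change is made by unticking those rules in the IPS page; the suppress syntax is just the generic Suricata form. The log lines are constructed, and the signature IDs and names are made up for the example.

```python
"""Triage Suricata eve.json alerts to find noisy policy signatures.

Added example, not part of IPFire or Suricata. The log lines below are
constructed; signature IDs and names are made up for the example.
"""
import json
from collections import Counter, defaultdict

SAMPLE_EVE = """\
{"timestamp":"2024-03-01T20:01:02.000000+0000","event_type":"alert","src_ip":"192.168.2.14","dest_ip":"203.0.113.9","alert":{"signature_id":9000001,"signature":"ET POLICY DNS over HTTPS lookup (constructed)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-01T20:01:03.000000+0000","event_type":"flow","src_ip":"192.168.2.14","dest_ip":"203.0.113.9"}
{"timestamp":"2024-03-01T20:01:05.000000+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.9","alert":{"signature_id":9000001,"signature":"ET POLICY DNS over HTTPS lookup (constructed)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-01T20:02:10.000000+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.44","alert":{"signature_id":9000002,"signature":"ET POLICY Music streaming client (constructed)","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2024-03-01T20:02:11.000000+0000","event_type":"alert","src_ip":"192.168.2.14","dest_ip":"203.0.113.9","alert":{"signature_id":9000001,"signature":"ET POLICY DNS over HTTPS lookup (constructed)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-01T20:03:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.3.20","alert":{"signature_id":9000003,"signature":"ET WEB_SERVER Path traversal attempt (constructed)","category":"Web Application Attack","severity":1}}
this line is not JSON and must be skipped, as a rotated or truncated log can contain one
"""


def parse_alerts(text):
    """Yield alert events from eve.json text, skipping other event types and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def rank_signatures(text):
    """Return [(sid, signature, hits, distinct_sources)] sorted by hits, descending."""
    hits = Counter()
    names = {}
    sources = defaultdict(set)
    for event in parse_alerts(text):
        sid = event["alert"]["signature_id"]
        hits[sid] += 1
        names[sid] = event["alert"]["signature"]
        sources[sid].add(event["src_ip"])
    return [(sid, names[sid], n, len(sources[sid])) for sid, n in hits.most_common()]


def policy_noise(ranked, min_hits=2):
    """SIDs worth disabling: ET POLICY signatures that fire at least min_hits times.

    Anything outside the ET POLICY family (e.g. a severity-1 web attack) is left alone."""
    return [sid for sid, name, n, _ in ranked if name.startswith("ET POLICY") and n >= min_hits]


def suppress_lines(sids):
    """Generic Suricata threshold.config syntax for the chosen SIDs (reference only)."""
    return [f"suppress gen_id 1, sig_id {sid}" for sid in sids]


if __name__ == "__main__":
    ranked = rank_signatures(SAMPLE_EVE)
    for sid, name, n, srcs in ranked:
        print(f"{n:4d} hits from {srcs} host(s)  sid={sid}  {name}")
    for line in suppress_lines(policy_noise(ranked)):
        print(line)
```

Feed it the real eve.json from the box (it lives under Suricata's log directory) after a day of traffic; the signatures at the top of the list that hit from most of your GREEN hosts are almost always policy rules, while a single-source severity-1 alert is the one you actually read.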
Web Proxy
IPFire has a built-in Squid-based web proxy. I don't use it — Pi-hole handles my DNS filtering — but it's there if you want it.
Network → Web Proxy
- Enable the proxy
- Transparent mode forces all plain HTTP through it without client config (HTTPS is not intercepted transparently)
- The built-in URL filter lets you block by category
Mostly useful for parental controls or restricting devices that ignore DNS-level blocking. HTTPS interception requires deploying a CA cert to every client, which is more hassle than it's worth in most home setups.
VPN Access
IPFire ships with OpenVPN and IPsec. No WireGuard out of the box — you can install it through Pakfire, but it's not a first-class citizen the way it is on OPNsense.
Services → OpenVPN
- Generate a CA and server certificate
- Create per-client certificates
- Download the .ovpn client config file
The OpenVPN setup works fine. It's just OpenVPN, which means the usual overhead and slower speeds compared to WireGuard. For remote access to a home network it's perfectly adequate.
Updates via Pakfire
IPFire → Pakfire in the web UI.
Pakfire handles both core system updates and add-on packages. The add-on selection is small compared to OPNsense's plugin system — maybe 50-60 packages versus hundreds. But the essentials are there: Suricata, OpenVPN, tor, ntopng, a few others.
Core updates come out regularly and the project has a decent security track record. Apply them promptly: the firewall is the one box that sees every packet and sits directly on the internet, so a known hole in it is a hole in everything behind it.
Backup
System → Backup.
This dumps all your settings, firewall rules, and certificates into a single downloadable archive. Do this before every core update. I keep copies on my NAS; if the ancient SSD in my thin client dies, I can reinstall and restore in about 20 minutes. Note that the archive contains the VPN CA and private keys along with the rest of the configuration, so treat it as a credential: keep it on an access-controlled share or encrypt it at rest, not on an open folder anyone on the LAN can browse.
🖥️ The hardware I run this on
HP t620 thin client. Bought it on eBay for $25. It came with an AMD GX-415GA (quad-core, 1.5GHz), 2GB of RAM, and a 16GB M.2 SSD. I added a dual-port Realtek RTL8111 NIC via the single PCIe slot — one of those $12 cards from Amazon that OPNsense won't even detect because FreeBSD's Realtek drivers are perpetually half-broken.
IPFire was the only firewall OS that detected both NICs on first boot without any driver fiddling. I tried OPNsense first — it saw the onboard NIC but not the add-in card. Tried pfSense, same problem. IPFire's Linux kernel picked up both interfaces immediately. That's the entire reason I'm running it. Total hardware cost was about $40 including the NIC, and it routes my 500Mbps connection without breaking a sweat. Suricata uses most of the 2GB RAM, but it holds together.
Use IPFire when:
- You have low-spec x86 hardware (1-2GB RAM, old Atoms, thin clients) and need a real firewall with IDS
- Your NICs are Realtek or other cheap chipsets that FreeBSD-based firewalls won't recognize
Don't use IPFire when:
- You have 4GB+ RAM and decent hardware — just use OPNsense, it's better in every way that matters
- You need WireGuard as a first-class feature, not a Pakfire afterthought
- You want a modern web interface — IPFire's UI is genuinely painful to use daily
- You need advanced traffic shaping, many VLANs (IPFire can put each zone on an 802.1Q tag, but you are still limited to the four zones), or complex routing; IPFire's feature set is thin here
Yeah, the "don't" list is longer. That's the honest picture. IPFire fills a gap. It's not the best firewall for most people. But for low-spec hardware with real IDS needs, nothing else runs this lean. I've had mine running since early 2024 on that $25 HP thin client. Rebooted once for a core update. I forget it exists most days, which is the only compliment that matters for a firewall.