I’d recommend OPNsense over Pfsense. The owners of Pfsense (Netgate) do not seem to understand the open source process at all, to put it lightly.
I don't recommend pfSense for a lot of reasons, namely the most recent drama with the WireGuard dev and community backlash, as well as their shady history trying to fuck over OPNsense (and losing in court over it!). They are also incredibly slow to update their community editions and don't offer as much functionality as competitors.
I'm a huge fan of OPNsense which is a fork of pfSense that has more frequent updates, additional functionalities (has had WireGuard support for a long time now) and in general treats their community with a whole lot more respect. Although I don't use it, I know OPNsense has a feature similar to the pfBlockerNG addon.
A small cheap x86 business mini / ultra mini box (dell/lenovo/HP). Any 6th+ gen intel CPU, 4gb ram and whatever disk space will be fine for your needs. Stick an intel dual NIC card in it.
Install OPNsense: https://opnsense.org/ and away you go. OPNsense will give you the power of a huge enterprise-level router/switch for basically little cost besides some cheap hardware and some time.
The ADSL modem is another story, you might be stuck with that depending on your ISP.
edit: /r/opnsense
For young ones, I try to do education-focused OSes.
https://wiki.sugarlabs.org/go/Sugar_on_a_Stick
Steam is standalone. The only options are family library sharing and disabling the thousands of adult/hentai games they are flooded with.
Anything beyond that I deal with at the router/IPS with proxy filtering(https://opnsense.org/). As far as youtube/instagram/etc, that's a pedo rabbit hole. Best you can do there is pay attention to questionable stuff, because child grooming is apparently fine, but being conservative gets you banned.
It's hard to steal something that is BSD licensed.
They are freely giving credit on their website as well: https://opnsense.org/about/legal-notices/
(Note, I am a pfSense user currently but this drama is the root cause of me switching to an Ubiquiti solution for my next firewall/router purchase in January.)
This was some time ago, but pfSense had a history of being dicks to an alternative called OPNsense. So to note, some folks over at /r/homelab would recommend OPNsense over pfSense instead.
Answering my own question....
Once I realised I should be searching for HardenedBSD rather than FreeBSD, I found the answer immediately:
OPNSense 19.1 is based on HardenedBSD 11.2
I personally run OPNsense over pfsense because Netgate (the company behind pfsense) are tools. My preconceived notions were further reinforced by the issues from the dev they sponsored to integrate wireguard into the freebsd kernel earlier this year.
They're moving away from HardenedBSD and moving to FreeBSD 13 with the January 2022 release. But other than that I agree.
https://forum.opnsense.org/index.php?topic=22761.0 https://opnsense.org/about/road-map/
I think it was less the community users for pfSense, and more actual Netgate employees that were spurring most of the drama. More info can be found on the opnsense website, including links to the mandate from the World Intellectual Property Organization, and the archive.org version of opnsense.com that netgate was squatting on (and more).
At home I use a DrayTek Vigor130 and, behind it, an APU ALIX board running OPNsense, which does the PPPoE and thus provides the Internet connection.
But it's absolutely not for beginners with little knowledge...
I'm surprised by this statement:
> The newest offspring, OPNsense (https://opnsense.org), aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can.
Is that just him being nice to the newest entrant in the fray? I would have expected him to recommend PFSense if anything. Given the reputation of the project and such.
Also worth noting that Netgate have a history of hostile and unprofessional behaviour, leading to Opnsense taking legal action against them for libel/trademark abuse and winning https://opnsense.org/opnsense-com/
I run NSD as the authoritative server and Unbound as a caching local resolver at the colo/physical host, but you can also do the same at home.
Unbound https://www.unbound.net/index.html can directly query the root DNS servers and supports DNSSEC. It is the default resolver for https://opnsense.org/ but you can of course install it anywhere on your network, or on the workstation.
>Under the open source router firmware section, PFSense (A closed sourced firmware that is advertised as open source) is listed, but OPNSense an open-source fork is not.
pfSense is open source but I'm open for evidence to prove otherwise. In fact, OPNsense developers, together with people like you, have been trying hard to prove pfSense project is closed source. You're welcome to prove me wrong. Start by explaining how OPNsense exists.
>I personally think it should be on there, especially because Netgate has been getting more and more cancerous about how they deal with their community and other developers who want to view and make changes to the "open source" code.
I'm not sure how someone saying that can accuse others of being "cancerous". I'm not kidding about OPNsense calling pfSense project not open source: https://opnsense.org/opnsense-beyond-the-fork/
e: you're not doing OPNsense a favor with this kind of "approach".
Well, the real question is:
Other options than pfSense ( http://vyos.net/wiki/Main_Page, https://opnsense.org, vanilla FreeBSD router? )
Wow that is a lot of unmaintained packages. Seriously no one to port Tinc to 2.3? Looks like the commercial investment has starved resources from the open source development.
Feels like Bareos/Bacula all over again.
Time to switch to OPNSense then.
You are right on with your AP selection. I use one myself and have deployed them in a number of SMB environments.
For a router, I prefer a DIY OPNsense build. I suspect I'm not alone, considering this is /r/homelab. What are your requirements / wish list?
https://opnsense.org/users/get-started/
Basically just make a USB installer with Rufus (or a similar program) and install OPNsense to an SSD/HDD. There is likely a drive in them already. There should be VGA+USB ports on the Sophos appliance, just hook up a keyboard and monitor to it.
FYI while OPNsense is better than pfSense, they are fairly similar and some guides for pf will work for OPN.
e.g. this looks to be good for either at a glance: https://docs.netgate.com/reference/create-flash-media.html
This is something I have also looked at, but for different reasons. It seems this is planned for the next release (21.7):
IPv6 prefix DHCP lease registration in Unbound/Dnsmasq
Go to Supermicro.com, search for Atom. Find a model that seems fairly recent. Once you find a fully built model that has 4 or more Ethernet ports, Atom processor, 1U form factor, contact your reseller (CDW or any other) and see if they can get it for you, along with RAM and an SSD.
If by "Linux" he meant a good open source firewall, check out OPNsense, https://opnsense.org/ . Easy to install and administer. Some improvements beyond pfSense. Excellent documentation.
You could also go to OPNsense.org and buy firewall hardware (just as you can with pfSense and its web site).
Good luck - one thing I am not sure about is if pfSense HA supports DHCP for the WAN. You might need a static IP from your ISP. You might want to ask that over at /r/pfsense before trying to make it work.
Also, there is OPNSense, a fork of pfSense which is really mature. If pfSense is locking up (it shouldn't) you might want to look into replacing it with OPNSense.
>It's hard to steal something that is BSD licensed.
>They are freely giving credit on their website as well: https://opnsense.org/about/legal-notices/
"giving credit" is not the same as respecting copyrights. OPNsense has been stripping out almost all pfSense copyrights from the code, uploading it as their own. Example: https://pbs.twimg.com/media/CVCceq2VAAAHZ4T.png:large
>One question - if OPN is behind the opnsense.com "parody" site, then why is it registered through a U.S. registrar and the name behind it is associated with pfSense/Netgate?
I didn't say that. However OPNsense conveniently includes pfSense in the title, to portray the whole project badly. Just as they attempt to portray WIPO as an actual court.
We need a new firewall for a small enterprise that is capable of handling up to 10 users simultaneously. We received an offer for a "Black Dwarf G2 UTM" by Securepoint, who call themselves "market leader in the German area". It costs about 850 Euros with a software licence valid for three years.
However, I would prefer to purchase a used server and set up a solution using IPFire or OPNsense. Used DL380 G6 servers are available for 250 Euros.
I have had very positive experiences with IPFire, as their UI is very usable. Furthermore, the Black Dwarf's additional features such as deep packet inspection, TLS man-in-the-middling and the malware filters are not going to be used. IPFire also provides the Squid proxy.
So does anybody have experience with using an open source solution for a small business? Thanks for your answers!
Agree that a lot of the functionality is not yet implemented in GUI on their controller yet, but they do have an updated roadmap for that: http://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Feature-Roadmap/m-p/1547101#U1547101
Of course, you could still implement every feature available to any of the EdgeRouters via CLI.
As far as having a cohesive (or, well, unified) ecosystem to manage all aspects of one's network from one place, UniFi really does a good job.
I was disappointed with pfsense the last time I used it (2yrs ago) - the interface is clunky and tedious. If you really want to go that route though, I'd recommend OPNsense. Originally a fork of pfsense//monowall, it's now almost indescribably different in both form and function. Definitely worth checking out.
EDIT: I decided to check out pfsense again since it's been so long since I looked at it. I'd say my major complaint of the past is gone since they rewrote the WebGUI. It's looking pretty slick now!
Just my 2 cents!
ahem > m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense (https://opnsense.org), aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can.
http://m0n0.ch/wall/end_announcement.php > For a more feature-rich alternative that is still based on FreeBSD and has the same roots, both pfSense and OPNsense (which is a fork of the former) are excellent choices.
http://m0n0.ch/wall/freeze_announcement.php
The OPNsense project hosts the old, archived m0n0wall pages so of course the whois data will show them as the owner of the domain.
Well there's this website they put up.
And that doesn't get into the Wireguard controversy last year.
You need to contact OPNsense, see here: https://opnsense.org/support-overview/professional-services/
Imo, If you're planning on selling the software/hardware to customers, it might make sense to stick with their hardware since it'll be validated, and will come with support.
What version of OPNsense are you running? There was a bug that could set up the secondary DHCP server wrong prior to 21.7.4.
With bad config on the secondary, you'd see problems like this for only interfaces affected by the bug. Details are at the links below.
If you're running a separate firewall, you ought to just run a computer with 2 NICs with OPNsense.
With that computer you can run Omada SDN and pick up some EAP wireless access points and switches.
Now you got 1 server running everything in your home network!
u/justanotherreddituse hmmmmm I went here and got confused.. :( https://opnsense.org/download/
So is this only for servers?
I do not have a home server but I do run a VirtualBox Windows PC. On it I have the VPN automatically load and I use newsgroups mostly. Occasionally I use private torrents, and a lot less frequently I use websites and public torrents. I do not download very much typically (less than 20 GB a week), but when I do download (on a project), I use it a lot (100s of GB). So on average I would say I download maybe 150 GB a month.
My best guess is in July I downloaded 1.5 TB but in August I think total I downloaded was 100 GB.
So knowing that would you suggest I go through all of this or simply
Perhaps learn about open source software and take a look at the installation guide and then explain how this equates to "building a firewall".
Come on, I'm waiting for you to prove otherwise...
Downloading software and making configuration changes isn't building a firewall. It's configuring a pre built firewall.
You then say I'm out of my depth? LoL
If you’re looking for cheap and full functionality, check out OPNSense (https://opnsense.org/). It is a free open-source software gateway/router that can be run on a variety of hardware (I actually run it virtualized in a proxmox vm). The integration offers presence detection: https://www.home-assistant.io/integrations/opnsense/
I would recommend OPNsense as a more stable organization with new-user-friendly devs that don't act juvenile. Also there is the recent question of open source pfSense CE versus the closed source pfSense Plus, and whether Netgate will let pfSense CE wither on the vine and die within a year or two.
Netgate / pfSense acts in bad faith
Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
I didn’t realize opnsense was a legit subreddit. Last I heard someone from pfsense was still squatting on it similar to the crap around the opnsense(dot)com domain.
Both https://opnsense.org/about/features/ and https://www.netgate.com/solutions/pfsense-plus/features.html have a captive portal feature. Unless you have a lot of access points to maintain, the community version should be good.
Not sure if Protectli is a rebranded Qotom or not. They are very similar but the case is a little different and, as you stated, I found the Qotom to offer more bang for the buck in CPU power and number of NICs.
OPNsense doesn’t release significant revisions weekly, they may do monthly minor updates and have a 6 month major revision roadmap. The major revision roadmap is closer to what pfSense would like to do going forward instead of the way too long 2-3 years between 2.4 and 2.5. Netgate has stated they plan to do 3 releases per year for pfSense+.
This is true, and the original developer of m0n0wall (the original software before forks that became OPNsense/pfSense) Manuel Kasper recommends OPNsense. Spicy sauce: https://opnsense.org/m0n0wall/
Between the childish devs, the AES-NI debacle, the faulting hardware appliances (not really their fault, more so Intel I think), and the recent rushed/botched WireGuard implementation that made it into a PRODUCTION release with no peer review; not sure why it would be chosen. I guess people not in the know of these things, or because it has more recognition than some other firewalls.
In addition don't forget their childish developers (https://opnsense.org/opnsense-com/) and their very recent disaster of trying to implement kernel-mode wireguard to FreeBSD/pfSense. Too many sources on that to quote just one.
>Multiple (2 to 3) APs.
>
>Rock solid reliability and performance.
>
>A decent UX, from initial configuration to an easy to use and understand UI, to manual (not automatic) firmware updates.
I would not go with Unifi products after the hacks happened recently. I heard good things about the Omada system for APs.
>Integrated Wireguard or OpenVPN server at the gateway.
For firewall/router, check out OPNsense and if you are CLI person, check out VyOS. However, OPNsense offers more firewalling features than VyOS. VyOS is a router with firewall capabilities. If you are familiar with Ubiquiti Edge routers, it is similar, but without UI.
OPNsense has wireguard-go and OpenVPN. From what I heard/read, the kernel WireGuard might be implemented on the next release of OPNsense. VyOS supports both.
>A robust firewall that doesn't require me to be a command line guru to set up.
It is OPNsense then.
ntopng is the tool I use. My router (OPNsense) can run it on the router, but there's no reason you couldn't run it on another computer with a port mirror or dual NICs.
This requires all traffic to go over a single Ethernet cable though (since you essentially snoop the traffic on that cable and analyze it), so you'd need a separate router and AP.
If you have a nice managed switch you could set up a port mirror, which mirrors traffic from the router to the data collector, or you could set up the monitoring device inline (with two Ethernet adapters bridged), or a Raspberry Pi with an additional USB3 NIC, or you could keep your existing router as an AP and add a router for routing only that also does traffic analysis.
I was planning on buying some netgate hardware to upgrade my system. But I’m not giving cash to an organisation that tears people down like this.
How can your software director be such a childish bully in this email stream, and yet you’re happy to share this blog post where he doubles down on his nonsense?
The OPNsense domain fiasco should have put us all off, but I had hoped it wasn't part of a wider culture. If anyone has learnt to be 'less trusting' it's your users.
Respect to Jason Donenfeld, I’d have reacted to this slander with much less composure than he has!
They're the new traffic graphs introduced in 21.1.2. From the release notes:
https://opnsense.org/opnsense-21-1-2-released/
o system: replace traffic graphs in widget using chart.js
Get a proper encrypted VPN for example wireguard in which you tunnel whatever remote session you wish (remote desktop, vnc, ssh etc).
The protip is to do the encryption not in the box itself (that got the GPU etc) but in the network like a dedicated vpn box or such.
https://opnsense.org/ can be handy for such task.
Another more expensive setup is to use a KVM over IP which you protect with a properly encrypted VPN (such as WireGuard). This way you are not dependent on what OS or software is being run in your box with that GPU, since the KVM over IP will hook directly onto the video output and forward keyboard and mouse to the remote client.
Are you allowing incoming connections to this server from the WAN? If you want to SSH to it from work, then setup a rule just to permit SSH from your work IP address or cellular data CIDR that matches your phone if you tether. If you don't already have a robust firewall solution, OPNsense would be a great fit if you have a spare PC lying around.
I'm using both the CoolPad and the MiFi 8000 via USB tethering with OpnSense running on commodity hardware.
I did try USB with my ASUS AC-68U running Fresh Tomato, but had issues. It should work fine with pfSense too.
You can install pfSense for free, you only need some PC with multiple Ethernet ports. Also there is OPNsense now, which is a fork of pfSense, and may be better at some points: https://opnsense.org/
Edit: Also LTE may be a different beast to tackle, depending on the hardware, or may require double NATing.
Any reason you don’t want to use OPNSense? It is a fork of pfSense so it would be very familiar to someone that uses pfSense.
I just moved from pfSense so I could have WireGuard on my routers.
Tiny DNS, it has a domain blacklist that will block lookups for them, but won't filter routing like a firewall would.
But if you want something with a stateful firewall check out OPNsense. I have both running on my network and they work pretty well together.
I know this is probably not what you're going to end up using, but the more information you're armed with the better, so here it goes: take a look at OPNsense Firewall. It's an open source HardenedBSD firewall OS. You can install it on just about anything and even virtualize it. I'm running mine on an older business-class desktop with a 4-core i5 and 16GB RAM that I bought for about 100 bucks, with a $100 PCIe 4-port gigabit card added in. All of my Ubiquiti equipment runs downstream from that box and I have the controller running on a dedicated server in Docker. I love Ubiquiti's stuff and it makes up the majority of my network, but I wanted something more feature-rich and customizable for my edge device. It also worked out to be a lot cheaper, which made my wife much happier. As everyone has already said before me, if you do want to stick with Ubiquiti across the board, the UDM or UDM Pro will get you where you want to be.
OPNsense or pfSense. I prefer OPNsense because of pfSense's history of being a-holes ( https://opnsense.org/opnsense-com/ ) and because I find their interface much easier to use.
https://opnsense.org/opnsense-20-7/
Known issues and limitations:
o i386 architecture builds are no longer available
Not sure about self compiling, but pretty sure installing an older version and trying to update will fail, as the kernel and other components are updated during that process.
The best setup, if you can arrange it, is to put the modem into 'bridge' mode so it gives you a dumb connection, and put a capable firewall/router behind it to protect your network. Something like OPNsense or OpenWRT are good choices because they are open source and frequently updated, unlike a lot of OEM gear.
If you cannot put your modem into bridge mode (and some are like that) then you can make your router the DMZ host and turn off all firewall rules on the modem for it. You will still be in control of all the traffic in and out of your network; it may just be slowed down fractionally by the modem.
Feel free to ask more information on /r/HomeNetworking
Yes, it would be.
As for something to buy, the Teltonika units are good, they use open source for their OS, receive regular updates etc. But for real peace of mind you'd want a small form factor PC and use something like OPNSense.
If you want to self-host something you'll need to use the IP of your hosting system at some point :)
this item out of the picture, and if you're then just looking for a firewall you can either use:
- bare iptables/nftables rules. You'll need to use a list of subnets that are owned by your country's providers and allow only them, to mimic what you had on Cloudflare.
- some interface to iptables/nftables like ufw or firewalld. The approach would be the same.
- or a dedicated appliance-like firewall such as OPNsense, which would maybe ease some of your work.
Personally I would go with the OPNsense option, as you can host it in front of your other systems, allowing your systems to only be reached through the firewall.
To avoid reinventing everything, I would try to leverage what you might already be able to use from your server provider, like security groups or network zones, and work with that.
Note: additional small components to secure your system are at the heart of the security of any network, so it might not feel like much but it's a very good approach nevertheless.
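The "allow only your country's provider subnets, drop everything else" approach from the comment above, as an added example that is not part of the original thread and not OPNsense or nftables project code. It collapses a prefix list, answers "is this source allowed?" offline, and renders a default-drop nftables ruleset from it. The prefixes are constructed documentation ranges; a real list would come from your RIR's delegation data or a GeoIP export, which you are assumed to maintain yourself. The optional SSH exception for a single admin CIDR is my addition, mirroring the "only allow SSH from your work IP" advice elsewhere on this page.

```python
"""Build a country-style source allowlist and render it as an nftables ruleset.

Added example, not from the original thread. SAMPLE_ALLOWLIST is constructed
from RFC 5737 / RFC 3849 documentation ranges; replace it with the prefixes
your country's providers actually announce (assumption: you maintain that list).
"""
import ipaddress
from typing import Iterable, List, Optional, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: pretend these are "our country's" prefixes.
SAMPLE_ALLOWLIST = [
    "192.0.2.0/24",     # TEST-NET-1
    "198.51.100.0/24",  # TEST-NET-2
    "2001:db8::/32",    # IPv6 documentation range
]


def parse_prefixes(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings and collapse overlapping or adjacent prefixes.

    Collapsing keeps the nftables set small and avoids duplicate-element errors
    when the upstream list contains both a /25 and its neighbour.
    """
    v4, v6 = [], []
    for c in cidrs:
        net = ipaddress.ip_network(c.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(addr: str, prefixes: Sequence[Net]) -> bool:
    """True if addr lies inside any allowlisted prefix (same address family)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == p.version and ip in p for p in prefixes)


def render_nft_ruleset(prefixes: Sequence[Net],
                       ports: Sequence[int] = (80, 443),
                       ssh_admin: Optional[str] = None) -> str:
    """Emit an nftables ruleset: input chain with policy drop, established/related
    accepted, loopback accepted, and the service ports accepted only from the
    allowlisted prefixes. ssh_admin is an optional single CIDR allowed to port 22.

    Interval sets are only emitted for families that actually have prefixes,
    because an empty `elements = { }` is a syntax error for nft.
    """
    v4 = [str(p) for p in prefixes if p.version == 4]
    v6 = [str(p) for p in prefixes if p.version == 6]
    port_list = ", ".join(str(p) for p in ports)

    lines = ["table inet filter {"]
    if v4:
        lines.append("  set allow_v4 { type ipv4_addr; flags interval; elements = { %s } }"
                     % ", ".join(v4))
    if v6:
        lines.append("  set allow_v6 { type ipv6_addr; flags interval; elements = { %s } }"
                     % ", ".join(v6))
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    iif lo accept",
    ]
    if v4:
        lines.append("    ip saddr @allow_v4 tcp dport { %s } accept" % port_list)
    if v6:
        lines.append("    ip6 saddr @allow_v6 tcp dport { %s } accept" % port_list)
    if ssh_admin:
        fam = "ip6" if ipaddress.ip_network(ssh_admin, strict=False).version == 6 else "ip"
        lines.append("    %s saddr %s tcp dport 22 accept" % (fam, ssh_admin))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allow = parse_prefixes(SAMPLE_ALLOWLIST)
    for probe in ("192.0.2.10", "203.0.113.5", "2001:db8::1"):
        print(probe, "allowed" if is_allowed(probe, allow) else "dropped")
    print(render_nft_ruleset(allow, ssh_admin="203.0.113.7/32"))
```

Write the output to a file and load it with `nft -f`; check it first with `nft -c -f` so a malformed list does not leave the host with no ruleset. Everything not matched by the allowlist (including ICMP and the IPv6 neighbour discovery the host may need) falls under `policy drop`, so add explicit accepts for whatever else the box must receive before deploying.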
OpenWRT and OpenBSD (tutorial) as router OS alternatives.
I don’t recommend pfSense for this sub because it’s proprietary, however OPNSense is open-source and similar to an out-of-the-box solution like pfSense and OpenWRT.
On Tutanota while it does what it says, it’s still kind of buggy and missing a lot of features normal email providers have. It mostly works for simple personal email, but for people who deal with a large amount of emails (especially organizations) I’d recommend against it.
Can you flash it to use DDWRT or OpenWRT, whatever folks use these days? I picked up one of these for around fifty bucks 3 or 4 years ago, it's pretty good value and quite versatile: https://www.ui.com/edgemax/edgerouter-x/
Or find an old junk PC, add second network card and try OPNsense: https://opnsense.org/
Ah! Didn’t know you were doing an Opnsense install, or, installing on a thumb drive until now. The zero in 19.07 made my brain fixate on Ubuntu. 😄
How big is the target drive? If you insist on using a USB target, maybe try the custom installation instead, and, prevent the creation of any Swap. This won’t help if the target drive is just plainly running out of storage space during the install.
Step-3, line item 2 suggests the Custom installation for embedded systems, and, low storage devices. https://opnsense.org/users/get-started/
Seconded. It's the best solution in terms of...
It fits your requirements and it's free. What's not to love?
[1] IIRC, x64 arch and AES-NI are requirements going forward
I am thinking you have to pass through the second NIC to the pfSense VM.
So,
shut down the VM,
edit the VM,
scroll to the NIC section,
select the green plus on the right to add a second NIC,
Network Bridge: [ select second NIC ]
Select Update at the bottom
Start PF VM.
Then follow those PF install steps.
PS: I like PF. Have you tried https://opnsense.org/ ?
This should cover it all: https://opnsense.org/opnsense-com/
Even though it's from the side of the OPNSense guys, it's not biased at all. Netgate pulled some really neckbeardy shady shit.
Basically, pfSense forked m0n0wall, which was built upon FreeBSD. All open source tools. However, when OPNsense forked pfSense, pfSense went off the rails and started a smear campaign.
Netgate is also actively developing "pay-only" features that really should be in what is now dubbed the "community" version, but have shown no interest in doing so.
I wouldn't get one because pfsense isn't truly open source. They keep the build tools etc secret. Check out https://opnsense.org/
They forked it just for that. I've talked to one of the netgate guys and he was a real prick.
Would I run pfSense? Sure. I would prefer OPNsense, but I'm pretty happy with the Vyatta forks VyOS and Ubiquiti's fork of it on their devices, EdgeOS, mostly because of hardware offload.
Check out VyOS if you get a chance. Has all the big boy tools in it. Not perfect (I found some IPv6 bug) but super fast.
Then get one that can do 80Gbps?
https://www.ui.com/edgemax/edgerouter-infinity/
Or get some x86 box with 10G interfaces and run opnsense on it?
The point of using dedicated interfaces for each VRF is to have better segmentation.
No matter if you use the inline method or the "on a stick" method, you can still have certain traffic leak between your VRFs if, for whatever reason, you have traffic that you don't want to traverse the firewall.
A rather neat solution for self-hosting is to use a multi-function gateway device. I use OPNsense; it's surpassed pfSense now for me. There is a great guide to setting up your own CA with your own chain of trust on their wiki: https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
*OPNsense & Linux
pfSense has rubbed me the wrong way ever since I learned this:
> In November 2017 an arbitration panel of the World Intellectual Property Organization found that Netgate, the originator of pfSense, had used the domain opnsense.com in bad faith to discredit OPNsense, and ordered Netgate to transfer the domain to Deciso.
They're very similar, opnsense is a fork of pfsense, but opnsense has been gaining more traction and adding more features over time. There is a TON of drama surrounding the 'owner' of pfsense, he has routinely attempted to derail threads asking about opnsense. And then there was this whole fiasco at the hands of pfsense.
https://opnsense.org/opnsense-com/
I prefer to not support a raging childish asshole, so it's OPNsense for me.
I was thinking https://opnsense.org/ for security and, if I upgrade to a business line, I can bundle in static IPs for an additional monthly fee. I was thinking VLANs. I didn't delve too far into this aspect yet.
Not sure if FAUXAPI in its current form made it into this product yet, but https://opnsense.org/ seems to be what a lot of people from the pfSense community migrated to. There is a REST API, and some other documentation that might be helpful. Out of time this morning or I'd look up the answer, sorry.
Best of luck!
I just run a self-built machine: Supermicro board, Intel Xeon CPU, 16GB RAM, a couple of SSDs and 4x HDDs. The router is all done on the server in KVM using OPNsense; it's great because it receives regular updates and it's open source.
The problem is the wireless auth. Normally you'd put the proxy behind the router and connect a switch to the proxy, but you can't here. You essentially have two NATing devices. So you would have to put the proxy on the edge, configured as a firewall as well, then the router with wifi auth, then the clients.
You could configure the router as a wireless AP bridge to auth/radius on the proxy, but that will take some extra effort.
You need two ethernet cards on the proxy. One inbound, and one outbound. The software I would use for this is opnsense.
https://opnsense.org/about/about-opnsense/
That will keep it clean to maintain and is easier to set up. I haven't done a squid proxy since 95, so I'm sure I've missed some recent advancements in the topology. But the premise is basically the same. Once it's set up properly, you will be stunned at how fast it is. At least I was way back when.
One caveat is that it will not hold encrypted streams. Netflix and all the other weirdness is not bufferable as far as I know. Although I have not kept up with it, so anything's possible.
You didn't read what I wrote. Don't install a Linux. Install an OPNsense firewall, which is a complete VM and is based on BSD. But it's super easy to use and operate, bulletproof for these kinds of usage: https://opnsense.org/
OPNsense went through something similar recently with pfSense:
pfSense was doing an anonymous parody site of OPNSense. OPNSense filed a case with WIPO and won:
I'm running OPNsense and I've found it to be very stable and reliable.
I am not running it on dedicated hardware. I'm running it in a VM on an old Core2Duo laptop under VMware. I used Netgear GS108T switches to create separate VLANs for internal and external traffic, and the OPNsense VM has vNICs on each VLAN and handles NATing between the two. I've got a couple of 1:1 NAT entries, as well as port re-maps going on, and a third VLAN for my solar system to keep its untrusted traffic off my home network.
Overkill? I was actually going to reply with "the Firebox may be under-powered for your situation." When upgraded, it should be able to push enough traffic to satisfy you across two interfaces, but no more. The first four interfaces on the fireboxes are rock solid, the next four require some configuration changes for them to be stable. Also be aware that pfSense releases 2.2 and newer require additional tinkering to run stable while 2.1.x runs great OOTB. Also, if you're considering pfSense (not on the firebox - the nano distribution of pfSense is currently much easier to get running on the firebox), give OPNsense a look too.
I've heard good things about the Edge Router, although I haven't used one myself. They do have firewall features and the OS is based on Vyatta, another distro worth looking at.
It's awesome. Gets updated usually once or twice a week and from what I've seen on their forums and twitter, the devs are super responsive. And I think in the next week or so, they're gonna be updating the graphs with a hella sweet new graphing library: https://opnsense.org/system-health-whats-next/
While you're browsing around, you might also look at OPNsense, which was forked from pfSense. I've heard some good things about it and am looking to implement it on a site for ~80 daily users in the next couple months.