When we started Firewalla, we had a long debate: "should we save money and build a minimal platform?" or "should we build something that's fun and educational?" We picked the latter. We are hackers and makers. We want to build something that we would like to use ourselves, and we really want our kids, and maybe even adults, to learn networking and security.
A Firewalla box is a full Linux server!
- It runs Ubuntu
- With all development tools installed, including editors like vim
- You can run python, node.js, and even compile right on the box
- To reset the system, you just need to flash an SD card.
- To Flash Red, Blue, or Blue Plus, see this guide.
- To flash Firewalla Gold series, see this guide.
- To flash Purple series boxes, see this guide.
- Of course, the code on Firewalla is Open Source
If you are an advanced user, here are some cool/fun things you can do on Firewalla. These include quicker ways to enhance your Firewalla to be even more powerful and flexible.
1. SSH
Secure Shell (SSH) is a secure way to log into Firewalla and see how things work inside. Yes, everything is accessible; we don't hide anything.
How to access Firewalla using SSH?
Let's ssh into the box:
2. Use Linux Apps like tcpdump
Get deep insights into what is going on with your network using the many tools provided with the Linux distro Firewalla is built on. This can be used for advanced debugging of rules and other features.
Rule Debugging and using tcpdump
3. Install Linux Apps
Once you have logged in to the Firewalla box, you can install various apps/tools and explore, like the following examples.
Tshark
Tshark is the text version of Wireshark. It's a packet sniffer that allows you to look at network packets.
After install, if the system asks you any questions, just press enter:
Now you're ready to look at all the packets in live traffic. It is a great way to learn the basics about TCP/IP. The Firewalla platform already has the code in the background to move packets, so you just need to run tshark to peek at what's going on in your network. Please be prepared to hit control-c. Otherwise, your screen will be flooded.
Pi-Hole
We designed Firewalla to play well with other systems. Pi-Hole is one of the best open-source ad-blockers. It is fairly easy to install it directly on Firewalla Blue and have it integrated with the rest of Firewalla.
Tutorial: Running Pi-Hole on Firewalla Blue in 5 mins
Samba File Sharing
Don't forget you've got a USB port on Firewalla. Plug a USB flash disk in, install Samba, and now you have a shared drive running on Firewalla! Contributed by a couple of our users, here is how to mount Samba / USB Drive on a Red:
Other Linux Apps
Firewalla runs Ubuntu Server, and it includes Python/node/C compilers. You can easily pull any package you need, and write programs to run on it. If any of the fun things blow up, just use flash to reset.
4. Docker Containers
The Firewalla Gold platform is fully integrated with Docker containers. Here is an example in which we installed the "homebridge" container right on the Gold.
See this article for a quick tutorial on Firewalla Gold + Docker
5. Networking Enhanced (Firewalla Gold)
When you use the Firewalla Gold as your main router, you can write simple scripts that significantly enhance your network experience in ways specific to your part of the world.
Disconnect and reconnect PPPoE on a schedule
"On my (a firewalla user) German router (AVM Fritzbox) I can configure a custom time (e.g. in the night 2-3 am) for this reconnect (the router simply reconnects the PPPoE connection)."
3 4 * * * root killall -HUP pppd
This may also work if the above does not:
30 5 * * * sudo systemctl restart firerouter_pppd@pppoe0
Note that cron edits made directly with cron commands may not persist after Firewalla updates and some reboots. To make cron edits that persist, see Customized Cron jobs.
Rate Limit Upload on WAN
The example below rate-limits upload (egress) traffic on the WAN interface, eth0 here, to 43 Mbit/s:
tc qdisc add dev eth0 root tbf rate 43mbit burst 1540 latency 1000ms
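The tc line above applies as written, but tc-tbf(8) also says the bucket size ("burst") must hold at least rate/HZ bytes, otherwise more tokens arrive per timer tick than fit in the bucket and the shaper never reaches the configured rate. The following script is an added example, not part of the Firewalla article: it parses a tc rate string, computes that minimum burst for an assumed kernel HZ (1000 is assumed here; it is the kernel's CONFIG_HZ), warns when the requested burst is below it, and prints the replace, verify and undo commands. The interface eth0 and the 43mbit rate are the article's own values; with HZ=1000 the article's 1540-byte burst is below the tc-tbf(8) guideline of 5375 bytes.

```python
"""Size a tc tbf shaper before applying it (added example, not from the
Firewalla article).  tc-tbf(8): the bucket ("burst") must hold at least
rate/HZ bytes, otherwise the configured rate is never reached.  HZ is
assumed to be 1000 (the kernel's CONFIG_HZ); dev and rate below are the
article's values."""
import sys

# tc's *bit units use SI prefixes: 43mbit == 43_000_000 bit/s
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000}


def parse_rate(text):
    """'43mbit' -> 43000000 (bits per second)."""
    text = text.strip().lower()
    for unit in sorted(UNITS, key=len, reverse=True):   # try 4-letter units before 'bit'
        if text.endswith(unit):
            return int(float(text[: -len(unit)]) * UNITS[unit])
    raise ValueError(f"unsupported rate unit in {text!r}")


def min_burst(rate_bits, hz=1000):
    """Smallest bucket (bytes) that refills fast enough: ceil(rate_bytes / HZ)."""
    rate_bytes = rate_bits // 8
    return -(-rate_bytes // hz)


def tbf_plan(dev, rate, burst, latency="1000ms", hz=1000):
    """Return (warning, commands); warning is None when burst is large enough.

    'replace' is used instead of 'add' so re-running the plan does not fail
    with 'RTNETLINK answers: File exists' once a root qdisc is already set."""
    need = min_burst(parse_rate(rate), hz)
    warning = None
    if burst < need:
        warning = (f"burst {burst} B < rate/HZ = {need} B at HZ={hz}; "
                   f"tbf will not reach {rate}")
    commands = [
        f"tc qdisc replace dev {dev} root tbf rate {rate} burst {burst} latency {latency}",
        # verify: the output should list 'qdisc tbf' with a growing 'Sent' counter
        f"tc -s qdisc show dev {dev}",
    ]
    return warning, commands


def remove_command(dev):
    """Drop the root qdisc, returning the interface to the default (unshaped)."""
    return f"tc qdisc del dev {dev} root"


if __name__ == "__main__":
    dev, rate, burst = "eth0", "43mbit", 1540       # the article's example values
    warning, commands = tbf_plan(dev, rate, burst)
    if warning:
        print("warning:", warning, file=sys.stderr)
    print("\n".join(commands))
    print("# to undo:", remove_command(dev))
```

The printed commands need root (sudo) on the box; `tc -s qdisc show dev eth0` is the check that the qdisc is in place, and `tc qdisc del dev eth0 root` removes it again if the limit misbehaves.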
Happy tinkering with Firewalla!
Comments
13 comments
I’m not a Samba fan and why install something new when the functionality already exists.
SSHFS (SSH Filesystem) is a filesystem client based on FUSE for mounting remote directories over an SSH connection. SSHFS is using the SFTP protocol, which is a subsystem of SSH and it is enabled by default on most SSH servers.
When compared to other network file system protocols such as NFS and Samba the advantage of SSHFS is that it does not require any additional configuration on the server side. To use SSHFS you only need SSH access to the remote server - which we already have.
Because SSHFS uses SFTP, all transmitted data between the server and the client is encrypted and decrypted. This results in slightly degraded performance compared to NFS, and higher CPU usage on the client and server.
Is there a way to do a bulk rule upload via the Firewalla cmdline? Defining multiple rules in the UI is a bit tedious.
I HIGHLY recommend installing Portainer to your Docker stack.
It makes management of all your containers incredibly simple. I followed this guide:
https://homenetworkguy.com/how-to/install-pihole-on-raspberry-pi-with-docker-and-portainer/
More info on Portainer in Guide: How to install Pi-Hole on Gold (beta). Seek the 2nd page of comments for my Q&A and findings, HERE:
https://help.firewalla.com/hc/en-us/articles/360051625034-Guide-How-to-install-Pi-Hole-on-Gold-Beta-?page=2#comments
Quick question, I installed tshark (had to update some libraries to get it installed) and it worked. I then rebooted the Firewalla Gold through the iOS app, it was no longer installed after rebooting.
Why would that be?
Install it in a docker container and make the container persistent. However, things like tshark that need direct network access have to be reinstalled at boot.
You’re installing in a tmpfs / overlay fs which get wiped out on boot.
Did you read these?
https://help.firewalla.com/hc/en-us/community/posts/360051304473-settings-not-sicking
https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting-
I have a monitor linked up to my Firewalla Gold. I can install tshark from the console, but I'd like to find a command (like the "top" command) but for packet sniffing, e.g. show packets on my network now and have that as a real-time feed. Is this possible?
Sure!
All depends what you want to see. Also, what’s your skill level in Linux scripting?
So I guess the first question is what do you want to display on your screen?
Thanks Chris. I've got some experience with shell scripts. Ultimately I'd be looking for a command to display my network's packets, with the URL and port number if possible. This output would be shown on a screen, refreshing itself like a basic "top" command so it can be left to run, and be read via the monitor. I wouldn't want any files to be created on the router.
Is this possible?
Other than for a fun display, trying to figure out the usability of this. But heck, I often do things because they just look cool.
Here is a starting point for you @Alec.
You could also get fancy with something like this.
sudo tshark -i any -l -q -P -Y '!(ip.addr == 127.0.0.1)' -T fields \
  -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -e http.request.uri \
| awk -F'\t' '{
    # colour non-LAN addresses red and their ports blue; adjust the 192.168.1. prefix to your LAN
    src_color=""; dst_color=""; src_port_color=""; dst_port_color="";
    if (!match($1, /^192\.168\.1\./)) { src_color="\033[1;31m"; src_port_color="\033[1;34m" }
    if (!match($3, /^192\.168\.1\./)) { dst_color="\033[1;31m"; dst_port_color="\033[1;34m" }
    printf "%s%-15s\033[0m%s:%-5s\033[0m %*s-> %s%-15s\033[0m%s:%-5s\033[0m %-30s %s\n", \
      src_color, $1, src_port_color, $2, 30-length($1)-length($2)-1, "", \
      dst_color, $3, dst_port_color, $4, $5, $6
  }'
Which produces something like this.
I have a few bugs in my command, but you can figure the fix out :-)
This command gets rid of duplicates when they come sequentially (no color).
sudo rm -f /tmp/wireshark_*; sudo tshark -i any -l -q -P \
  -Y '!(ip.addr == 127.0.0.1) and !(ip.addr == 192.168.1.1)' -T fields \
  -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -e http.request.full_uri \
| awk -F'\t' 'BEGIN {prev=""} {
    # print a line only when it differs from the previous one
    current=sprintf("%-14s %-14s %-14s %-14s %-30s %s", $1, $2, $3, $4, $5, $6);
    if (current != prev) {print current; prev = current}
  }'
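The pipelines above print one line per packet; the tshark section of the article and Alec's request for a top-like view both want a running summary instead. The script below is an added example, not Chris's code and not Firewalla's: it reads tshark's tab-separated `-T fields` output from stdin (the field list in the docstring is assumed, with frame.len added for byte counts), aggregates per conversation, and redraws a table every 50 packets without writing anything to disk. The LAN prefix 192.168.1.0/24 is taken from the awk filter above and is an assumption; SAMPLE is constructed input so the script can be run offline.

```python
"""tshark_top.py: top-style summary of tshark '-T fields' output.

Added example, not from the Firewalla article or its comments.  Feed it
live from tshark (assumed field list; -l flushes after every packet so the
table updates in real time and nothing is written to disk):

  sudo tshark -i any -l -Y '!(ip.addr == 127.0.0.1)' -T fields \\
      -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \\
      -e http.host -e http.request.full_uri -e frame.len | python3 tshark_top.py

Run with no piped stdin to see the built-in constructed SAMPLE instead.
"""
import ipaddress
import sys

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption; set to your LAN
FIELDS = ("src", "sport", "dst", "dport", "host", "uri", "length")
REFRESH = 50                                    # redraw every N packets

# Constructed sample of tshark output (tab separated, one packet per line):
# an HTTP request/response, a DNS exchange with empty tcp.* fields, and a
# packet from outside the LAN.
SAMPLE = (
    "192.168.1.20\t51234\t93.184.216.34\t80\texample.com\thttp://example.com/\t74\n"
    "93.184.216.34\t80\t192.168.1.20\t51234\t\t\t1514\n"
    "192.168.1.20\t51234\t93.184.216.34\t80\t\t\t66\n"
    "192.168.1.20\t\t192.168.1.1\t\t\t\t85\n"
    "192.168.1.1\t\t192.168.1.20\t\t\t\t131\n"
    "10.0.0.5\t\t192.168.1.20\t\t\t\t98\n"
)


def parse_line(line):
    """Split one tshark line on tabs.  Splitting on whitespace instead would
    collapse the empty tcp.srcport of a UDP packet and shift ip.dst into the
    source-port column, which is the usual awk '$2' mistake."""
    parts = line.rstrip("\n").split("\t")
    parts += [""] * (len(FIELDS) - len(parts))          # pad short lines
    return dict(zip(FIELDS, parts))


def is_local(addr):
    """True when addr is an IP address inside LAN; False for empty/non-IP."""
    try:
        return ipaddress.ip_address(addr) in LAN
    except ValueError:
        return False


def add_packet(stats, line):
    """Accumulate one packet into stats keyed by (src, dst, dport)."""
    rec = parse_line(line)
    if not rec["src"] or not rec["dst"]:
        return                                           # ARP and other non-IP frames
    key = (rec["src"], rec["dst"], rec["dport"])
    entry = stats.setdefault(key, {"packets": 0, "bytes": 0, "hosts": set()})
    entry["packets"] += 1
    entry["bytes"] += int(rec["length"] or 0)
    if rec["host"]:
        entry["hosts"].add(rec["host"])


def summarise(lines):
    """Build the stats dict from an iterable of tshark lines."""
    stats = {}
    for line in lines:
        add_packet(stats, line)
    return stats


def top(stats, limit=10):
    """Rows sorted by bytes: (src, dst, dport, packets, bytes, scope, hosts)."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    rows = []
    for (src, dst, dport), e in ranked[:limit]:
        scope = "LAN" if is_local(src) and is_local(dst) else "WAN"
        rows.append((src, dst, dport or "-", e["packets"], e["bytes"],
                     scope, ",".join(sorted(e["hosts"]))))
    return rows


def render(stats):
    """Clear the terminal and print the table, top-style."""
    print("\033[2J\033[H", end="")
    print(f"{'SOURCE':<15} {'DESTINATION':<15} {'DPORT':>5} {'PKTS':>6} {'BYTES':>9} SCOPE HOST")
    for src, dst, dport, pkts, nbytes, scope, hosts in top(stats):
        print(f"{src:<15} {dst:<15} {dport:>5} {pkts:>6} {nbytes:>9} {scope:<5} {hosts}")


def main():
    stats = {}
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines(True)
    for n, line in enumerate(source, 1):
        add_packet(stats, line)
        if n % REFRESH == 0:
            render(stats)
    render(stats)                                        # final table at end of input


if __name__ == "__main__":
    main()
```

Because the table is kept in memory and redrawn in place, nothing touches the SD card; stop it with Ctrl-C like the tshark command itself. Note also the display filter in the docstring: in Wireshark syntax `ip.addr != 127.0.0.1` matches any packet where at least one address differs, so it excludes almost nothing; `!(ip.addr == 127.0.0.1)` is the form that actually drops loopback traffic.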
Thanks Chris, I look forward to trying these. I've had power cuts lately which has meant I've lost tshark, as I understand that the install demonstrated in this article is not persistent. How can I ensure that tshark is persistent regardless of whether the router reboots?
We have a script called
in
In the file are the tools we always want available.
that has whatever we want reinstalled / reconfigured whenever the Firewalla box is restarted.
If I understand what you want to do this should be able to do it.