My first day experience on IPFire at home

Because I have some strange hardware, I cannot get pfSense/OPNsense to work on my device, and I just don’t want to use OpenWRT for the moment.

So I installed IPFire, and I think it is not for normal home users at all; it is a “professional” firewall.

I have to say, the install process is quite easy (but in fact, the OPNsense setup process is also painless).

However, the first problem I faced is DNSSEC. Unfortunately, all my domestic DNS resolvers do not support DNSSEC, and what’s more, I have to use the ISP-provided DNS for most of my browsing or the experience is f**ked (talking about whether I can visit a website in seconds or never).

Other DNS providers in my country do not have DNSSEC. If I use 1.1.1.1 or something else that does DNSSEC, it will be like I write letters and then fly to Mars and then go back to Earth and then put them in my local mailbox near my house.

Luckily, I found that I can change the unbound configuration to bypass it. Or I have to set up a DNS server locally and skip using IPFire DNS.

Secondly, UPnP. I do understand it is stupid to allow any device to open a hole in the firewall, but I must say, for most home users, it is a risk we are willing to take.

I very often play games with my friend, which usually use UPnP to allow my friend to connect to my PC. Then I should put my PC or my game server (NAS) into another firewall group, while they are the devices I should protect the most.

I am also a game developer, and I do know UDP hole punching exists, but it is not as easy as UPnP and requires a public server to work, and sometimes TCP for gaming exists.

Is maintaining miniupnpd very hard or time-consuming? I can see there are some multimedia addons available, like ffmpeg and libvorbis. Looks sus to me.

At least I can compile the package and install it myself if I really want to have it.

Third, for installing packages, due to some unspeakable reasons, I cannot access pakfire.ipfire.org directly, which means I have to use a proxy, and I cannot find an easy way to do it.

I am not here to start a war, but I have to state my point: no one should take away people’s knives just because someone thinks knives are dangerous.

IPFire is free software and the procedure to package an addon is simple enough if you are a developer. Why don’t you contribute this package to the addon list, if it is important to you? I don’t know if you researched it, but I assume you are not aware that IPFire has a very small team of developers. They have to follow their priorities, which include keeping IPFire a secure firewall that has to be maintained while all the elements of its infrastructure are constantly moving. The team is so small that they are struggling to finish IPFire version 3, which includes really important things, such as IPv6, or an arbitrarily big multizone setting.

Here the procedure to use a mirror is clearly described and quite easy to implement.

IPFire is a Linux distribution; you have enough rope to hang yourself as much as you like. If you also want the convenience of a soap bar, a chair and a hook with the description of how to make the entire procedure work as expected in the wiki, we go back to the above point: lack of resources and priorities.

If you need an alternative to IPFire that is also a firewall/router Linux-based distribution that will likely recognize your hardware, you also have the option of VyOS.

  1. I do know that there is a small team maintaining IPFire. Also, I can submit a version of miniupnpd that the IPFire team just removed. I just highly doubt that keeping miniupnp on the package list will require that much work.

Are you saying that everyone needs IPv6 or arbitrarily big multizone right now, including myself, who only has around 20 devices and no IPv6 access at my house?
The team can decide what they want to do first, but am I not allowed to say what I want?

  2. No, a mirror is not an option. I still have to use a proxy to access any of the mirrors as well.

  3. I am against the idea of making something versatile while making decisions for the end users. Also, I can say that if you make something but no one understands how to use it, then who is going to use it? You don’t need help; other people do.

I am sharing my experience for the people who might want to use IPFire. I respect the effort of the IPFire team, but the lack of wiki and resources (such as a good webUI design) and some of the decisions made by the team did make my experience not very good. Again, I am assuming IPFire is also for HOME users.

As for whether I would recommend IPFire at home, I will say no. Simply put, the software itself is fine, but just hard to use.

Hello @nideii - Welcome to the IPFire Community!

I remember a few discussions about this in the Community. I seem to remember there being a way around it. Hopefully someone else can chime in.

I found this in the Wiki:

at:
https://wiki.ipfire.org/configuration/network/dnsforward

I don’t know if it will help or not.

EDIT: This may be for a local DNS only…


There are a few other discussions about it in the Community. It may help others understand why it was dropped.

https://community.ipfire.org/search?q=upnp%20order%3Alatest


It is probably because DNS is not working correctly.

If you want to go forward we’ll need to fix DNS/DNSSEC issues first.
