
How To Build an Affordable, Layer 7 Home Firewall in About an Hour

  • Writer: Dennis Hackney
  • Aug 7, 2023
  • 9 min read

Updated: May 10

Adding a second network adapter to a Lenovo Tiny PC to build a Sophos at-home firewall with L7, anti-malware, and intrusion prevention capabilities


Lenovo device connected to cables, Sophos Firewall Home Edition text with vibrant building graphic, and house with shield icon, emphasizing security.

In my article, WIFI Best Practices, 4 Uninvited Guests, and 9 Ways to Evict, I instructed my readers not to rely on their ISP’s firewalls or use cheap, untrusted networking devices on their home networks. Now it's time that I step up and provide you with instructions for a low-cost solution to build and install a better, whole-home firewall product. This article combines the Sophos free-for-home use firewall software with a Lenovo M73 Tiny desktop and a PCIE-mini gigabit ethernet adapter to make a whole-home layer seven firewall appliance. You’ll need basic computer repair skills, around $130 US, and less than 2 hours of your time to do this yourself.


Why You Should Want a Layer 7 Firewall

Generally speaking, there are two types of firewalls: layer 3 (L3) and layer 7 (L7). L3 refers to the Network layer in the Open Systems Interconnection (OSI) model, while L7 refers to the Application layer. I developed this graphic to help my visual learners.


Diagram of OSI model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical. Color-coded from green to orange.

Notice how L7 includes the entire OSI stack. You can think of the difference between L3 and L7 as blocking what is being routed to a computer over the network media versus blocking what is occurring at the application on the host, such as threatening web traffic, emails, and file transfers. In addition to being an “L7” firewall, the Sophos Firewall Home Edition also provides the following.

  1. Malware protection, Sophos or Avira

  2. Rule and user-based traffic shaping and bandwidth maximization and network profiling

  3. Intrusion prevention against SYN/TCP, UDP, Ping, and IP flood attacks

  4. Web security, including user activities and behavioral or statistical analysis-based

  5. Application security, web browser, client-server, peer-to-peer, and Network Protocol

  6. Wireless access point firewall (with a wireless interface)

  7. Email security with SMTP quarantine, RBL address listing, and encryption

  8. Web server security, including Exchange, Lync (Teams), RD Web, and legacy Remote Desktop Services

  9. Administrative and management, including VPN, role-based groups and users, offsite backup and recovery, cloud-based Sophos support, and firewall certificate management

When it comes to affordable, full-featured firewall technologies from a trusted source, no other on the market compares to the Sophos Home Firewall!
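
To make the L3 versus L7 distinction above concrete, here is an added Python example (not from the original article or from Sophos) that runs a header-only filter and an application-aware filter over constructed packets. The policy, host names, and addresses are assumptions for illustration.

```python
import socket
import struct

# Constructed policy for the demo; hosts and addresses are illustrative only.
L3_ALLOWED_PORTS = {80, 443}
L7_BLOCKED_HOSTS = {"malware.example"}

def build_packet(src, dst, dport, payload, sport=40000):
    """Build a minimal IPv4 + TCP packet (checksums left at zero) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse_headers(pkt):
    """Return (protocol, destination port, TCP payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    proto = pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:  # not TCP, or truncated TCP header
        return proto, None, b""
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    data_offset = (pkt[ihl + 12] >> 4) * 4
    return proto, dport, pkt[ihl + data_offset:]

def http_host(payload):
    """Extract the Host header from a cleartext HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None                        # not an HTTP request line
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]  # drop any :port
    return None

def l3_verdict(pkt):
    """Header-only filter: decides on protocol and port, never reads the payload."""
    proto, dport, _ = parse_headers(pkt)
    return "allow" if proto == 6 and dport in L3_ALLOWED_PORTS else "block"

def l7_verdict(pkt):
    """Application-aware filter: header checks first, then inspects the request."""
    if l3_verdict(pkt) == "block":
        return "block"
    _, _, payload = parse_headers(pkt)
    host = http_host(payload)
    # Payloads that are not cleartext HTTP (e.g. TLS) yield no host here; a real
    # L7 firewall needs stream reassembly and TLS inspection to see inside them.
    return "block" if host in L7_BLOCKED_HOSTS else "allow"

# Constructed sample traffic: same server and port, different requested site.
NEWS = build_packet("192.168.1.10", "203.0.113.5", 80,
                    b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n")
BAD = build_packet("192.168.1.10", "203.0.113.5", 80,
                   b"GET /payload.bin HTTP/1.1\r\nHost: malware.example\r\n\r\n")
TELNET = build_packet("192.168.1.10", "203.0.113.5", 23, b"")

if __name__ == "__main__":
    for name, pkt in (("news", NEWS), ("bad", BAD), ("telnet", TELNET)):
        print(f"{name:7} L3={l3_verdict(pkt):5} L7={l7_verdict(pkt)}")
```

The two web requests are identical to the header-only filter because they share an address and port; only the application-aware filter can tell them apart.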


Software and Hardware Requirements

Sophos Firewall Home Edition


Sophos is a top-tier cybersecurity company known industry-wide for its excellent security hardware and software. This company has done everyone a solid by allowing us to download a fully functional layer seven firewall operating system for free. Hardware is not included, of course.

This is an excellent value, especially considering that a Sophos XGS Series firewall costs over $500 with similar capabilities.

The hardware specifications for this build are as follows.


Intel Compatible Computer with Dual NIC

  • Quad-Core

  • 6GB of RAM

  • 120 GB of Disk

  • Minimum of two (2) NICs for LAN and WAN, which must not be Intel i210/i225 series NICs

  • BIOS set to Legacy BIOS (CSM)

Anything over four cores and 6GB of RAM will not be used. For more information, visit the Sophos Community home firewall page.


Go here to get your copy of the Sophos Firewall Home Edition.


Lenovo ThinkCentre Tiny


Lenovo has a strategic alliance with IBM to sell end-to-end computer hardware for home and business use. These companies build and support best-in-breed, affordable personal computers and servers. Choose the Lenovo M73 Tiny for home use to offset the cost, to take advantage of the compatible form factor, and for its easy accessibility. This is a more trusted option than buying a no-name, cheap firewall appliance. Also, having the Sophos software as the operating system and utilizing the hardwired Ethernet connections provides enough peace of mind to mitigate espionage risks at the component level.

A black Lenovo device with an antenna, resting on a dark surface. The Lenovo logo is embossed on the top. Text on side reads "MT-M..."

This is the model information.

  • Lenovo ThinkCentre M73 Tiny Desktop PC

  • Intel Core I5-4570T 2.9GHz up to 3.6GHz

  • 8GB RAM

  • 240GB SSD

  • WIFI (PCIE Mini – onboard adapter)

  • BT 4.0

  • USB 3.0

  • VGA

  • DP port

  • W10P64

A model with wireless capabilities is imperative for this build because it ensures you have a functioning Mini PCIE port; without one, you will not be able to add the second network card.


As of the writing of this article, the legacy Lenovo ThinkCentre M73 Tiny could be purchased on common marketplaces for less than 100 US dollars.


Mini PCIE Gigabit Ethernet RJ45 Adapter


It was a little tricky finding a suitable Ethernet adapter to fit in the M73 Tiny due to the compact packaging of the components within the case. Fortunately, there was a Realtek-based chip for $20 US total. After considerable testing, the Realtek chip demonstrated adequate throughput with a perfect fit!

Two electronic circuit boards connected by a flat cable on a dark surface. The boards are green with visible chips and metal components.

Here are the specifications for the Realtek adapter.

  • Speed 1Gbps

  • Chipset RTL811F

  • External Port 1x RJ-45 Ethernet

  • Host interface Mini PCI-E

  • OS Support Windows 7, 8, 10, 11, Linux, DOS, and Mac

This adapter can be found on common online auction vendor sites. As with the Lenovo PC, the Sophos OS provides the drivers. This adds to the peace of mind over prepackaged, cheap firewalls developed 100% by untrusted vendors.


Please do your due diligence when purchasing hardware and make the best selection.


After all the purchases, this firewall can be built for less than USD 130; that’s a $370 savings under a comparable Sophos appliance!


Building the Box


Let’s get to it, shall we? This section will quickly describe removing the PCIE wireless adapter and installing the new ethernet port to an M73 tiny.

Tools Needed

  • #2 Phillips headed screwdriver

  • 10mm wrench

  • Small flat-headed screwdriver or small plastic pry tool

Disassembling and Removing the WIFI adapter


Remove the wireless antenna by unscrewing it by hand.

Hand attaching a black antenna with a gold connector to a device. The setting is indoors, and the background is dark and textured.

Remove the case screw in the rear center of the case with a Phillips head screwdriver.

Hand using a screwdriver on a black Lenovo device, placed on a dark surface. Text on device reads "Lenovo" and model number details.

Slide the top cover on the case forward by hand.

A hand slides open a Lenovo device cover, revealing internal circuitry and components. The setting is dimly lit with a focus on hardware details.

You should see this. If you do not see this, you have a different computer and must figure the rest out independently.

Open computer case showing a mounted hard drive, cooling fan, and circuit board with visible wires and labels on a dark surface.

Remove the first (1 of 2) Phillips screw from the hard drive bracket nearest the cables.

A screwdriver tightens a screw inside a computer. Visible are cables, circuit board, and a silver SSD with barcodes and labels.

Remove the second (2 of 2) Phillips-headed screw nearest the front of the computer.

A screwdriver tightens a screw on a hard drive inside a computer. Labels with serial numbers and icons are visible on the drive.

Slide the HD away from the side of the case and towards the processor, lift it, and carefully hang it over the side.

Close-up of a computer motherboard with visible green circuitry, labels, and wired components. A small Intel chip is central.

Remove the first (1 of 2) WIFI antenna cable, as shown in the following image, by pulling it straight off the WIFI adapter board.

A hand inserts a component onto a green motherboard with visible circuits and labels. Text on components includes "Intel" and "00232478012C".

Remove the second (2 of 2) WIFI antenna cable as shown by pulling, like the first.

A hand connects a cable to a circuit board inside a computer with visible QR code and various components. The setting is well-lit.

Remove the brass antenna bulkhead connector from the back of the computer case with a 10mm wrench.

A hand holds a small hex nut near a gold connector on a computer's circuit board. The background is a textured black surface.

You can now pop the PCIE WIFI adapter away from the motherboard by pressing a small flat-headed screwdriver or plastic pry tool against the plastic standoff in the corner of the WIFI board. It should lift right out, as shown below.

A hand installs a wireless card into a green circuit board inside a computer. Various components and cables are visible, with text on the card.

These are all the components from the WIFI adapter.

Computer components on a dark surface, including a network card, antenna, and cables. Visible barcode and texts on labels.

Remove the extra VGA blanking plate with your flathead screwdriver, as shown in the following image.

A screwdriver is inserted into a computer's black rear panel. Visible are USB, VGA ports, and circuit board. Background is dark and reflective.

It should pry right out with a little twist.

Hand holds a metal piece with a cross shape near a computer's open side panel on a dark surface. Colored wires and ports are visible.

Installing the Realtek RJ45 Ethernet Adapter


Unpackage the RJ45 adapter.

A green circuit board connected to a metal port via a white ribbon cable on a dark surface. Components have visible text and details.

Gently bend and break off the board extension at the perforations. This install does not need the extra mounting holes.

A hand holds a green circuit board with a disconnected connector on a dark surface. A ribbon cable is visible. Text shows a red symbol.

Install the Ethernet adapter in the PCIE port on the motherboard by slipping it in the slot and pressing it down on the plastic standoff.

Close-up of a computer motherboard with various components. Visible green circuit board, black and red connectors, and a flat ribbon cable.

Locate the RJ45 connector in the computer's back panel where the VGA blanking plate was located.

Close-up of a computer motherboard with visible green circuit board, silver fan, and ribbon cables. Text labels are partially visible.

Secure the RJ45 port to the backplane using the Phillips screwdriver with two screws.

Close-up of a computer's back panel showing various ports including Ethernet, VGA, and USB, on a black surface.

Reinstall the HD mounting plate, carefully ensuring not to kink or pinch the ribbon cable for the ethernet adapter.

Open computer case with visible components: hard drive, cooling fan labeled "AVC." Wires and circuit board visible. Dark background.

Reinstall the top cover of your new firewall hardware.

Black Lenovo laptop with two blue cables connected on a dark surface. Subtle lighting highlights the texture and Lenovo logo.

Enabling the New Ethernet Adapter


I start this section by noting...

...Lenovo probably does not support this modification.

...I don't know if Lenovo would have an issue with this modification on legacy hardware.

...If you are concerned, DO NOT DO THIS AND STOP HERE.

...This section requires what I can best describe as basic command-line skills; the steps are simple, but they are text only.

...Proceed at your own risk.


The problem: Lenovo does not support non-Lenovo hardware. You will see this error stating that an unauthorized network card is plugged in.

Blue BIOS screen displays "American Megatrends" logo, details about Intel Core i5-4570T CPU, errors about invalid machine type, network card.

Have no fear; there is a super easy fix. This section walks through creating a bootable USB drive using Rufus 4.1 portable (no install) and the Lenovo BIOS utility tools.


Download Rufus from here https://rufus.ie/en/.


From the Lenovo support site (http://support.lenovo.com), search for the applicable system BIOS Package for the system, and download the USB Drive/DOS flash program (.zip file).

BIOS update download page showing "fhjt87usa.zip," 4.64 MB, with OS compatibility and a "Download" button. Dated 04 Jan 2022.

Be sure to unzip this file in a location with easy access.

File directory listing showing names, modification dates, types, and sizes. Includes applications, batch files, text documents, and a CAP file.

Insert your formatted or formattable USB drive, run the Rufus tool, and choose the Boot selection: “FreeDOS.”

Rufus software window showing drive properties, format options, and status. Device set to FreeDOS, Quick format checked, and Ready status.

Click start and continue through the warning.

Rufus warning dialog: "All data on device 'FreeDOS (D:) [8 GB]' will be destroyed." Options: OK or Cancel. Yellow warning symbol displayed.

Rufus will show “READY” when completed.

Rufus 3.4 window showing drive properties and format options for FreeDOS on an 8GB drive. "Ready" status highlighted in green.

Open your FreeDOS drive and your unzipped Lenovo BIOS tools side by side, and copy everything to the FreeDOS root folder except for the “AUTOEXEC.BAT.” You don’t need it. In the images below, files were copied from the window on the right to the left.

Two open Windows File Explorer windows showing contents of FreeDOS (D:) and Lenovo-Tools folders, displaying various executable and text files.

Ensure that the Lenovo M73 tiny is entirely powered off.


Insert the USB drive in the left front USB port.


Power on the system and repeatedly press F12 until the boot menu pops up.


Make sure the device with the flash program is selected as a boot device.


Boot into the USB drive.


Note: If you do not see your USB drive in the options, boot into the BIOS, check your UEFI boot support settings, and match your drive type.


Once you are booted into the drive, use the commands below to flash the machine type and model, serial number, or system brand ID in BIOS:

  • Flash machine type and model: amidedos.exe /sp "INVALID"

  • Flash the serial number: amidedos.exe /ss "INVALID"

  • Flash the system brand ID: amidedos.exe /sv "INVALID"

After the update is complete, reboot the system and check your information in the BIOS.

Computer BIOS setup screen with system info, including machine type, BIOS revision, and Ethernet MAC address. Menu options at the bottom.

Believe it or not, the RJ45 adapter should now work! If you still have the Windows operating system installed, you can run some tests as shown below.


Here’s an image showing both adapters installed.

Network Connections window showing three adapters: Intel (unplugged), Npcap Loopback Adapter (disabled), and Realtek (enabled).

Here’s a speed test on the built-in Intel adapter.

Internet speed test results: 551 Mbps download, 73.9 Mbps upload, 10 ms latency, server Dallas. "TEST AGAIN" button visible.

And here’s a speed test on the Realtek adapter on the same cable.

Internet speed test results showing 598.8 Mbps download, 81.0 Mbps upload. Fast connection noted. Options: "Learn More" and "Test Again".

The hardware is now ready to support the Sophos Home Firewall operating system.


Downloading and Installing the Firewall Operating System


Before installing Sophos, you must complete a form and enter a valid email address. It is essential to use a valid address because this is where you will receive your home use serial number.


Go to https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-home-edition/software and enter your first name, last name, and email address. Remember, this is for home use only.

Sophos Firewall Home Edition webpage with sign-up form on the right. Blue background with bullet points detailing features like antivirus and security.

Submit the form and get your download.

Blue screen with text thanking for choosing Sophos Firewall Home Edition. Includes next steps, download button, and version info.

Insert a USB drive you don’t mind formatting and relaunch Rufus.

Rufus 3.4 interface for creating a bootable USB. Options for device, partition, format, and status are visible. "READY" in status bar.

Select your USB drive for the “Device” and select the Sophos firewall file that you downloaded for the “Boot selection.” Leave the “Target System” set to “BIOS or UEFI,” leave the rest at defaults, and click “START.”

Drive Properties window showing a USB device, boot selection file, and partition scheme as MBR. Options for advanced settings and BIOS target.

A popup window will appear for ISOHybrid options. Select “Write in DD Image Mode” and click “OK.”

Dialog box with "ISOHybrid image detected" message, offering options to write in ISO or DD Image mode. "Write in DD Image mode" is selected.

You're ready to go once the Rufus screen displays “READY”!


Ensure that the Lenovo M73 tiny is entirely powered off.


Insert the USB drive in the left front USB port.


Power on the system and repeatedly press F12 until the boot menu pops up.


Make sure the device with the flash program is selected as a boot device.

Blue startup device menu screen listing boot options: SATA, USB Key, Network. Instructions to navigate using arrow keys at bottom.

Boot into the USB drive.


Sophos will completely overwrite all data on the hard drive, starting with a format. Ensure you have your data backed up or are OK with the formatting before you continue.

Computer screen showing Sophos firmware installer. Text details version 19.5.1.278 and disk info. Prompt asks to confirm data wipe.

You’ll get an exciting and familiar digital tune once the installation is complete, and you can press “y” to reboot.

Computer screen displaying a firmware installation progress; text shows partitions being formatted and prompts to press 'y' to reboot.

You now have the firewall installed and may continue with the setup after rebooting; thoroughly read and decide if you accept the license terms.

Computer screen displaying Sophos End User Terms of Use. Text explains definitions and conditions. Options to Accept or Decline are visible.

To log in for the first time, use the password “admin.”

A computer monitor displays a boot screen with text detailing system checks and specifications, including RAM and disk size.

With both network connections plugged in, look up the address for the LAN port by selecting Network Configuration from the menu.

Computer screen displaying Sophos firmware menu with options like Device Activation and Network Configuration in white text on a black background.

The default setting might look like this.

Monitor displaying network settings and firmware details for Sophos SF01V. Text shows interface, zone name, IP address, and prompts to continue.

Follow the prompts and make your selections. You do not have to make any changes now; you should be able to navigate to the static IP address from another computer on the same network.


Browse to the IP address of your Sophos firewall by typing the following in your web browser.


https://<LAN IP address of Sophos Firewall>:4444

You are now ready to set up your Sophos home firewall!


Next Steps and References for Setting up Your New Firewall

If you’ve made it this far, you might wonder why I’m not including instructions on the setup. It comes down to this:

  1. I selected this product for this article because it is built on the Sophos XG Firewall appliance and is fully supported by a trusted vendor.

  2. Sophos provides excellent online support manuals like the one below.

    1. Start here: Sophos Home Firewall – 19.5

  3. As you might expect, an installation wizard makes getting it running easy.

Follow these three final tips for a successful configuration.

  1. Set your firewall up as a router. Do not bridge the adapters and do not use passthrough mode; use router mode. Even though Sophos provides passthrough mode, it does not work correctly for the home use firewall. This is documented in forums and will cause you heartache if you have to figure it out on your own.

  2. Look for the Sophos license key in your email and have it on hand before you start the setup wizard.

  3. Ensure your new firewall has an active Internet connection before starting the setup wizard for best results. This will allow you to register your device and update to the latest firmware before operationalizing it for your home!

That’s it! You now have a working Sophos layer 7 firewall on your home network! Now get to work setting up your malware detection and intrusion protection to continue defending your networks!

 
 
 
