Using a Lenovo tiny PC by adding another network adapter to build a Sophos at-home firewall with L7, anti-malware, and intrusion prevention capabilities
In my article, WIFI Best Practices, 4 Uninvited Guests, and 9 Ways to Evict, I instructed my readers not to rely on their ISP’s firewalls or use cheap, untrusted networking devices on their home networks. Now it's time that I step up and provide you with instructions for a low-cost solution to build and install a better, whole-home firewall product. This article combines the Sophos free-for-home use firewall software with a Lenovo M73 Tiny desktop and a PCIE-mini gigabit ethernet adapter to make a whole-home layer seven firewall appliance. You’ll need basic computer repair skills, around $130 US, and less than 2 hours of your time to do this yourself.
Why You Should Want a Layer 7 Firewall
Generally speaking, there are two types of firewalls: layer 3 (L3) and layer 7 (L7). L3 refers to the Network layer in the Open Systems Interconnection (OSI) model, while L7 refers to the Application layer. I developed this graphic to help my visual learners.
Notice how L7 includes the entire OSI stack. You can think about the differences in L3 and L7 as being able to block what's being routed to a computer over media versus blocking what’s occurring at the application, at the host, like threatening web traffic, emails, and file transfers. In addition to just being an “L7” firewall, the Sophos Firewall Home Edition also provides the following.
Malware protection, Sophos or Avira
Rule and user-based traffic shaping and bandwidth maximization and network profiling
Intrusion prevention against SYN/TCP, UDP, Ping, and IP flood attacks
Web security, including user activities and behavioral or statistical analysis-based
Application security, web browser, client-server, peer-to-peer, and Network Protocol
Wireless access point firewall (with a wireless interface)
Email security with smtp quarantine, RBL address listing, and encryption
Web server security, including Exchange, Lync (Teams), RD Web, and legacy Remote Desktop Services
Administrative and management, including VPN, role-based groups and users, offsite backup and recovery, cloud-based Sophos support, and firewall certificate management
Regarding affordable feature-full firewall technologies from a trusted source, no other on the market compares to the Sophos Home Firewall!
Software and Hardware Requirements
Sophos Firewall Home Edition
Sophos is a top-tier cybersecurity company known industry-wide for its excellent security hardware and software. This company has done everyone a solid by allowing us to download a fully-function layer seven firewall operating system for free. Hardware is not included, of course.
This is an excellent value, especially considering that a Sophos XGS Series firewall costs over $500 with similar capabilities.
The hardware specifications for this build are as follows.
Intel Compatible Computer with Dual NIC
Quad-Core
6GB of Ram
120 GB of Disk
Minimum of two (2) NICs for LAN & WAN and not intel i210 /i225 series NICs
Bios Set to Legacy bios (CSM)
Anything over four cores and 6GB of RAM will not be used. For more information, visit the Sophos Community home firewall page.
Go here to get your copy of the Sophos Firewall Home Edition.
Lenovo ThinkCentre Tiny
Lenovo has a strategic alliance with IBM to sell end-to-end computer hardware for home and business use. These companies build and support best-in-breed, affordable personal computers and servers. Choose the Lenovo M73 tiny for home use to offset the cost, utilize the compatible form factor, and because of easy accessibility. This is a more trusted option than buying a no-name, cheap firewall appliance. Also, having the Sophos software as the operating system and utilizing the hardwired ethernet connections provides enough peace of mind to mitigate espionage risks at the component level.
This is the model information.
Lenovo ThinkCentre M73 Tiny Desktop PC
Intel Core I5-4570T 2.9GHz up to 3.6GHz
8GB RAM
240GB SSD
WIFI (PCIE Mini – onboard adapter)
BT 4.0
USB 3.0
VGA
DP port
W10P64
Wireless capabilities on the M73 Tiny are imperative to this build to ensure you have a functioning mini–PCIE port, or you will not be able to add the second network card.
As of the writing of this article, the legacy Lenovo ThinkCentre M73 Tiny could be purchased on common marketplaces for less than 100 US dollars.
Mini PCIE Gigabit Ethernet RJ45 Adapter
It was a little tricky finding just the suitable ethernet adapter to fit in the M73 tiny due to the compact packaging of the components within the case. Fortunately, there was a Realtek-based chip for $20 US total. After considerable testing, the Realtek chip demonstrated adequate throughput with a perfect fit!
Here are the specifications for the Realtek adapter.
Speed 1Gbps
Chipset RTL811F
External Port 1x RJ-45 Ethernet
Host interface Mini PCI-E
OS Support Windows 7, 8, 10, 11, Linux, DOS, and Mac
This adapter can be found on common online auction vendor sites. As with the Lenovo PC, the Sophos OS provides the drivers. This adds to the peace of mind over prepackaged, cheap firewalls developed 100% by untrusted vendors.
Please do your due diligence when purchasing hardware and make the best selection.
After all the purchases, this firewall can be built for less than USD 130; that’s a $370 savings under a comparable Sophos appliance!
Building the Box
Let’s get to it, shall we? This section will quickly describe removing the PCIE wireless adapter and installing the new ethernet port to an M73 tiny.
Tools Needed
#2 Phillips headed screwdriver
10mm wrench
Small flat-headed screwdriver or small plastic pry tool
Disassembling and Removing the WIFI adapter
Remove the wireless antenna by unscrewing it by hand.
Remove the case screw with a Phillips head screwdriver in the rear center of the case
Slide the top cover on the case forward by hand.
You should see this. If you do not see this, you have a different computer and must figure the rest out independently.
Remove the first (1 of 2) Phillips screw from the hard drive bracket nearest the cables.
Remove the second (2 of 2) Phillips-headed screw nearest the front of the computer.
Slide the HD away from the side of the case and towards the processor, lift it, and carefully hang it over the side.
Remove the first (1 of 2) WIFI antenna cable, as shown in the following image, by pulling it straight off the WIFI adapter board.
Remove the second (2 of 2) WIFI antenna cable as shown by pulling, like the first.
Remove the brass antenna bulkhead connector from the back of the computer case with a 10mm wrench.
You can now pop the PCIE WIFI adapter away from the motherboard by pressing a small flat-headed screwdriver or plastic pry tool against the plastic standoff in the corner of the WIFI board. It should lift right out, as shown below.
These are all the components from the WIFI adapter.
Remove the extra VGA blanking plate with your flathead screwdriver, as shown in the following image.
It should pry right out with a little twist.
Installing the Realtek RJ45 Ethernet Adapter
Unpackage the RJ45 adapter.
Gently bend and break off the board extension at the perforations. This install does not need the extra mounting holes.
Install the Ethernet adapter in the PCIE port on the motherboard by slipping it in the slot and pressing it down on the plastic standoff.
Locate the RJ45 connector in the computer's back panel where the VGA blanking plate was located.
Secure the RJ45 port to the backplane using the Phillips screwdriver with two screws.
Reinstall the HD mounting plate, carefully ensuring not to kink or pinch the ribbon cable for the ethernet adapter.
Reinstall the top cover of your new firewall hardware.
Enabling the New Ethernet Adapter
I start this section by noting...
...Lenovo probably does not support this modification.
...I don't know if Lenovo would have an issue with this modification on legacy hardware.
...If you are concerned, DO NOT DO THIS AND STOP HERE.
....This section requires the closest thing I can relate to some command-line skills; even though they are basic, they are text only.
...Proceed at your own risk.
The problem, Lenovo does not support non-Lenovo hardware. You will see this error that an unauthorized network card is plugged in.
Have no fear; there is a super easy fix. This section includes a bootable USB drive using Rufus 4.1 portable (no install) and the Lenovo BIOS utility tools.
Download Rufus from here https://rufus.ie/en/.
From the Lenovo support site (http://support.lenovo.com), search for the applicable system BIOS Package for the system, and download the USB Drive/DOS flash program (.zip file).
Be sure to unzip this file in a location with easy access.
Insert your formatted or formattable USB drive, run the Rufus tool, and choose the Boot selection: “FreeDOS.”
Click start and continue through the warning.
Rufus will show “READY” when completed.
Open your FreeDOS drive and your unzipped Lenovo BIOS tools side by side, and copy everything to the FreeDOS root folder except for the “AUTOEXEC.BAT.” You don’t need it. In the images below, files were copied from the window on the right to the left.
Ensure that the Lenovo M73 tiny is entirely powered off.
Insert the USB drive in the left front USB port.
Power on the system and repeatedly press F12 until the boot menu pops up.
Make sure the device with the flash program is selected as a boot device.
Boot into the USB drive.
Note: If you do not see your USB drive in the options, boot into the BIOS, check your UEFI boot support settings, and match your drive type.
Once you are booted into the drive, use the below commands to flash the machine type and model, serial number, or system brand ID in BIOS:
Flash machine type and model: amidedos.exe /sp “INVALID”
Flash the serial number: amidedos.exe /ss “INVALID”
Flash the system brand ID: amidedos.exe /sv “INVALID"
After the update is complete, reboot the system and check your information in the BIOS.
Believe it or not, the RJ45 adapter should now work! If you still have the Window operating system installed, you can run some tests as shown below.
Here’s an image showing both adapters installed.
Here’s a speed test on an Intel built-on adapter.
… here’s a speed test on a Realtek adapter on the same cable.
The hardware is now ready to support the Sophos Home Firewall operating system.
Downloading and Installing the Firewall Operating System
Before installing Sophos, you must complete a form and enter a valid email address. It is essential to use a valid address because this is where you will receive your home use serial number.
Go to https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-home-edition/software and enter your first name, last name, and email address. Remember, this is for home use only.
Submit the form and get your download.
Insert a USB drive you don’t mind formatting and relaunching, Rufus.
Select your USB drive for the “Device” and select the Sophos firewall file that you downloaded for the “Boot selection,” leave it set to “BIOS of UEFI” for the “Target System,” leave the rest at defaults and click “START.”
A popup window will appear for ISOHybrid options. Select “Write in DD Image Mode” and click “OK.”
You're ready to go once the Rufus screen displays “READY”!
Ensure that the Lenovo M73 tiny is entirely powered off.
Insert the USB drive in the left front USB port.
Power on the system and repeatedly press F12 until the boot menu pops up.
Make sure the device with the flash program is selected as a boot device.
Boot into the USB drive.
Sophos will completely overwrite all data on the hard drive starting with a format. Ensure you have your data backed up or are ok with the formatting before you continue.
You’ll get an exciting and familiar digital tune once the installation is complete, and you can press “y” to reboot.
You now have the firewall installed and may continue with the setup after rebooting; thoroughly read and decide if you accept the license terms.
To log in for the first time, use the password “admin.”
With both network connections plugged in, look up the address for the LAN port by selecting Network Configuration from the menu.
The default setting might look like this.
Follow the prompts and make your selections. You do not have to make any changes now; you should be able to navigate to the static IP address from another computer on the same network.
Browse to the IP address of your Sophos firewall by typing the following in your web browser.
https://<LAN IP address of Sophos Firewall>:4444You are now ready to set up your Sophos home firewall!
Next Steps and References for Setting up Your New Firewall
If you’ve made it this far, you might wonder why I’m not including instructions on the setup. It comes down to this:
I selected this product for this article because it is built on the Sophos XG Firewall appliance and is fully supported by a trusted vendor.
Sophos provides excellent online support manuals like the one below.
Start here: Sophos Home Firewall – 19.5
As you might expect, an installation wizard makes getting it running easy.
Follow these three final tips for a successful configuration.
Set your firewall up as a router and do not bridge the adapters, do not use passthrough mode. Use router mode. Even though Sophos provides passthrough mode, it does not work correctly for the home use firewall. This is documented in forums and will cause you heartache if you figure it out on your own.
Look for the Sophos license key in your email and have it on hand before you start the setup wizard.
Ensure your new firewall has an active Internet connection before the setup wizard for best results. This will allow you to register your device and update the latest firmware before operationalizing it for your home!
That’s it! You now have a working Sophos layer 7 firewall on your home network! Now get to work setting up your malware detection and intrusion protection to continue defending your networks!