Context
I am recording my configuration procedures so that I can automate as much of them as possible. This is roughly the configuration I run on a standalone OPNsense gateway. A design with a separate gateway, DMZ and internal router is preferable, but I wanted to start with something simpler.
So far, this configures OPNsense as a Gateway, connected to one switch.
Questions and feedback are welcome.
Schema Outline
Infrastructure
Formula
- Site Number = X = 0–255 = 256 Sites
- Primary VLANs = P = Y – (Y+9) = 10 Primaries per zone
- Subnets = 10.X.P.0/24 = one /24 subnet per Primary
- Isolated PVLANs = 1000 + P = 1 Isolated per Primary
- Community PVLANs = (2000 + (P × 10)) – ((2000 + (P × 10)) + 9) = 10 Community per Primary (each zone of 10 Primaries therefore spans 100 Community IDs, as in the ranges below)
DMZ (VLANs 0 and 1 unused)
- Primary = 2–9
- Isolated = 1002–1009
- Community = 2020–2099
NET
- Primary = 10–19
- Isolated = 1010–1019
- Community = 2100–2199
ADMIN
- Primary = 20–29
- Isolated = 1020–1029
- Community = 2200–2299
SRV
- Primary = 30–39
- Isolated = 1030–1039
- Community = 2300–2399
OOBM
- Primary = 40–49
- Isolated = 1040–1049
- Community = 2400–2499
SAN
- Primary = 50–59
- Isolated = 1050–1059
- Community = 2500–2599
IAAS
- Primary = 60–69
- Isolated = 1060–1069
- Community = 2600–2699
DOM
- Primary = 70–79
- Isolated = 1070–1079
- Community = 2700–2799
RESERVED
- Primary = 80–89
- Isolated = 1080–1089
- Community = 2800–2899
RESERVED
- Primary = 90–99
- Isolated = 1090–1099
- Community = 2900–2999
End User
Formula
- Variations on the infrastructure formula
CLIENTS / DEPARTMENTS
- Primary = 100–209
- Isolated = 1100–1209
- Community = 3000–4094
GUESTS
- Primary = 210–255
- Isolated = 310–355
- Community = 410–455, 510–555, 610–655, 710–755, 810–855, 910–955 = 6 Community per Primary
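The schema above is a set of formulas, so it is worth encoding once and checking. The following is an added example, not part of the original notes: it turns a site number and primary VLAN into the subnet, isolated PVLAN and community PVLAN IDs the rest of this guide types into OPNsense and the switch, and it checks the whole plan for a site for duplicate VLAN IDs. The zone start numbers are taken from the outline; the CLIENTS / DEPARTMENTS range is not modelled because the outline gives only its bounds, not a per-primary formula.

```python
"""Worked example of the VLAN/subnet numbering schema (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Zone name -> first primary VLAN of the zone, from the schema outline.
INFRA_ZONES = {
    "DMZ": 2,          # covers 2-9; VLANs 0 and 1 are unused
    "NET": 10, "ADMIN": 20, "SRV": 30, "OOBM": 40,
    "SAN": 50, "IAAS": 60, "DOM": 70,
    "RESERVED1": 80, "RESERVED2": 90,
}
GUEST_PRIMARIES = range(210, 256)   # Primary = 210-255


@dataclass(frozen=True)
class VlanPlan:
    primary: int
    subnet: ipaddress.IPv4Network
    isolated: int
    community: range        # community PVLAN IDs for this primary


def infra_plan(site: int, primary: int) -> VlanPlan:
    """Infrastructure formula: 10.X.P.0/24, isolated 1000+P, community 2000+10P .. 2000+10P+9."""
    if not 0 <= site <= 255:
        raise ValueError("site number X must be 0-255")
    if not 2 <= primary <= 99:
        raise ValueError("infrastructure primaries are VLANs 2-99")
    base = 2000 + primary * 10
    return VlanPlan(
        primary=primary,
        subnet=ipaddress.IPv4Network(f"10.{site}.{primary}.0/24"),
        isolated=1000 + primary,
        community=range(base, base + 10),
    )


def guest_plan(site: int, primary: int) -> VlanPlan:
    """Guest variation: isolated = P+100, community = P+200, P+300, ..., P+700 (6 per primary)."""
    if primary not in GUEST_PRIMARIES:
        raise ValueError("guest primaries are VLANs 210-255")
    return VlanPlan(
        primary=primary,
        subnet=ipaddress.IPv4Network(f"10.{site}.{primary}.0/24"),
        isolated=primary + 100,
        community=range(primary + 200, primary + 800, 100),
    )


def all_vlan_ids(site: int) -> dict[int, str]:
    """Every VLAN ID the schema assigns for one site, mapped to its role.

    Raises if two roles claim the same ID: that would be a planning error
    that a trunk port would happily carry without complaint.
    """
    used: dict[int, str] = {}

    def claim(vid: int, role: str) -> None:
        if vid in used:
            raise ValueError(f"VLAN {vid} assigned to both {used[vid]} and {role}")
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} ({role}) is outside the 802.1Q range")
        used[vid] = role

    for zone, first in INFRA_ZONES.items():
        zone_end = (first // 10) * 10 + 10          # each zone ends at the next multiple of 10
        for p in range(first, zone_end):
            plan = infra_plan(site, p)
            claim(plan.primary, f"{zone} primary")
            claim(plan.isolated, f"{zone} isolated")
            for c in plan.community:
                claim(c, f"{zone} community")
    for p in GUEST_PRIMARIES:
        plan = guest_plan(site, p)
        claim(plan.primary, "GUEST primary")
        claim(plan.isolated, "GUEST isolated")
        for c in plan.community:
            claim(c, "GUEST community")
    return used


if __name__ == "__main__":
    for zone, first in INFRA_ZONES.items():
        p = infra_plan(0, first)
        print(f"{zone:9s} P={p.primary:<3d} {p.subnet}  isolated={p.isolated}  "
              f"community={p.community.start}-{p.community[-1]}")
    print(f"{len(all_vlan_ids(0))} VLAN IDs assigned for site 0, no overlaps")
```

Running the script for site 0 prints one line per zone and confirms that the infrastructure and guest ranges never collide; the same functions can feed whatever automation eventually creates the VLANs on the switch and in OPNsense.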
Initial Configuration
Prerequisites
Public IP and DNS
- ISP IP address, subnet and gateway (unless provided via DHCP)
- Preferably a public FQDN is already configured
Installation Media
- OPNsense VGA image block-copied to a USB drive, or OPNsense ISO image copied to the `_iso` directory on an Iodd virtual disk drive
Gateway
- Processor: amd64 with AES-NI
- 2+ network ports
Managed Switch
- Mainly just needs VLAN support for this
Admin Workstation
- Whatever you prefer
Preparation
Physical Prep
- Plug the install media into the gateway
- Plug the WAN uplink into port 2 on the gateway
- Plug all other gateway ports into the LAN switch
- Plug the admin computer into the LAN switch
Admin Workstation Prep
- On the admin workstation, add a virtual interface tagged with VLAN 20 on the physical interface plugged into the switch
LAN Switch Prep
- Turn on the switch
- Onboard the switch (use VLAN 10 for management)
- Configure all ports connected to the gateway as VLAN trunks
Install OPNsense on the Gateway
- Turn on the gateway
- Configure the BIOS to boot from the installation media
- Click through the default OPNsense installation (select `MBR` when prompted)
- When the system reboots, ensure the BIOS is configured to boot from the local media where OPNsense was installed
Configure Secure Defaults
Configure Admin User
- On the admin computer, navigate to `https://192.168.1.1`
- Log in as `root` with the password set during installation
- Navigate to `System > Access > Users`
- Click `+ Add`
- Enter randomly generated strings for the `Username` and `Password` fields
- Set `Login shell` to `/bin/sh`
- Move the `admins` group to `Member Of`
- Click `Save and go back`
- Navigate to `Lobby > Logout`
- Log in as the new admin user
Disable root
- Navigate to `System > Access > Users`
- Click the edit icon to the right of the user `root`
- Check `Disabled`
- Check `Generate a scrambled password to prevent local database logins for this user.`
- Click `Save`
Configure WAN Interface
- Navigate to `Interfaces > [WAN]`
- Check `General configuration: Lock`
- Check `General configuration: Block private networks`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv6 Configuration Type` to `None`
- If the WAN address is not provided via DHCP, set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Click `Save`
- If the WAN address is not provided via DHCP, set `Static IPv4 configuration: IPv4 address` according to the address and subnet provided by the ISP, and add the ISP's gateway as the upstream gateway
- Click `Save`
- Click `Apply changes`
Configure Firmware and Update
- Navigate to `System > Firmware > Settings`
- Set `Firmware Flavour` to `LibreSSL` (note: the LibreSSL flavour was discontinued in OPNsense 22.7; on current releases only OpenSSL is offered and this step is skipped)
- Click `Save`
Remove Automatically Installed Plugins
- Navigate to `System > Firmware > Plugins`
- Click the trash icon to the right of `os-dyndns`
- Repeat for any other plugins labelled `(installed)` that you do not need
Initial Update
- Click `Check for updates`
- Wait until `Update now` appears and click on it
- Repeat until all updates are installed
- If the gateway does not reboot automatically, navigate to `Power > Reboot`
- Wait for the gateway to reboot
- Navigate to `https://192.168.1.1`
- Log in as the admin user
Schedule Automatic Updates and Reboot
- Navigate to `System > Settings > Cron`
- Click `+`
- Set `Command` to `Automatic firmware update`
- Set `Description` to `Automatic Updates Daily at Midnight`
- Click `Save`
- Click `+`
- Set `Hours` to `4`
- Set `Day of the month` to `1-7`
- Set `Days of the week` to `6`
- Set `Command` to `Issue a reboot`
- Set `Description` to `Reboot Every First Saturday at 4`
- Click `Save`
- Click `Apply`

Caveat: cron treats a restricted day-of-month and a restricted day-of-week as alternatives, not as a conjunction. The entry above therefore reboots at 04:00 on every Saturday and on the 1st to 7th of every month, not only on the first Saturday. If a monthly reboot is what you want, schedule it on a fixed day of the month and leave `Days of the week` unrestricted.
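To see concretely what the `1-7` / `6` combination does, here is an added example (not part of the original notes) that implements the standard Vixie/FreeBSD cron rule for the two day fields and lists the days on which the reboot entry would actually fire in a given month, next to the first Saturday the description intends. The cron field syntax supported is the subset OPNsense's form produces (`*`, numbers, `a-b` ranges and comma lists).

```python
"""Why the 'first Saturday' cron entry fires more often than its description says (added example)."""
from __future__ import annotations

import calendar
import datetime as dt


def _field_matches(spec: str, value: int) -> bool:
    """Match one cron field: '*', a number, 'a-b' ranges and comma-separated lists."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_day_matches(dom: str, dow: str, day: dt.date) -> bool:
    """Day-field semantics of cron (crontab(5)): if either day field is '*', both
    must match; if BOTH are restricted, the job runs when EITHER matches."""
    cron_dow = (day.weekday() + 1) % 7      # Python: Mon=0..Sun=6; cron: Sun=0..Sat=6
    dom_ok = _field_matches(dom, day.day)
    dow_ok = _field_matches(dow, cron_dow)
    if dom == "*" or dow == "*":
        return dom_ok and dow_ok
    return dom_ok or dow_ok


def reboot_days(year: int, month: int, dom: str = "1-7", dow: str = "6") -> list[int]:
    """Days of the month on which the 'Reboot Every First Saturday at 4' entry fires."""
    ndays = calendar.monthrange(year, month)[1]
    return [d for d in range(1, ndays + 1)
            if cron_day_matches(dom, dow, dt.date(year, month, d))]


def first_saturday(year: int, month: int) -> int:
    """The single day the description actually intends."""
    for d in range(1, 8):
        if dt.date(year, month, d).weekday() == 5:     # Saturday
            return d
    raise AssertionError("unreachable: any seven consecutive days contain a Saturday")


if __name__ == "__main__":
    for year, month in ((2020, 2), (2020, 3)):
        print(f"{year}-{month:02d}: cron fires on {reboot_days(year, month)}, "
              f"first Saturday is the {first_saturday(year, month)}")
```

For March 2020 the entry fires on ten days (the 1st to the 7th plus every Saturday) where the description promises one, which is exactly the kind of silent extra downtime a reboot job should not cause.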
Configure Gateway Administration
- Navigate to `System > Settings > Administration`
- Check `Web GUI: HTTP Strict Transport Security`
- Check `Secure Shell: Secure Shell Server`
- Check `Secure Shell: Authentication Method`
- Set `Authentication: Sudo` to `Ask password`
- Click `Save`
- Navigate to `System > Settings > General`
- Set `System: Hostname`, `System: Domain` and `System: Time zone` if they are incorrect
- Check `Networking: Prefer IPv4 over IPv6`
- Add `9.9.9.9` to the `Networking: DNS Servers: DNS Server` field and set `Use gateway` to `... - wan - ...`
- Add `149.112.112.112` to the `Networking: DNS Servers: DNS Server` field and set `Use gateway` to `... - wan - ...`
- Uncheck `DNS server options: Allow DNS server list to be overridden by DHCP/PPP on WAN`
- Click `Save`
Configure Hardware and Memory Optimizations
- Navigate to `System > Settings > Miscellaneous`
- Set `Thermal Sensors: Hardware` according to the make of your processor
- Check `Disk / Memory Settings: Swap file`
- Check `Disk / Memory Settings: /tmp RAM disk`
- Click `Save`
- Navigate to `Interfaces > Settings`
- Uncheck `Hardware CRC`
- Uncheck `Hardware TSO`
- Uncheck `Hardware LRO`
- Set `VLAN Hardware Filtering` to `Enable VLAN Hardware Filtering`
- Click `Save`

Caveat: the three checkboxes are worded as "Disable hardware ... offload", so unchecking them turns the offloads on. That is fine for a plain router, but if you later run Suricata in IPS mode, OPNsense's documentation requires the offloads to stay disabled.
Reboot
- Navigate to `Power > Reboot`
- Wait for the gateway to reboot
- Navigate to `https://192.168.1.1`
- Log in as the admin user
Configure General Firewall Settings
- Navigate to `Firewall > Settings > Advanced`
- Uncheck `IPv6 Options: Allow IPv6`
- Set `Bogon Networks: Update Frequency` to `Daily`
- Check `Miscellaneous: Bind states to interface`
- Check `Miscellaneous: Check certificate of aliases URLs`
- Click `Save`
Allow External Ping
- Navigate to `Firewall > Rules > WAN`
- Click `+ Add`
- Set `Edit Firewall Rule: Protocol` to `ICMP`
- Set `Edit Firewall Rule: ICMP type` to `Echo Request`
- Set `Edit Firewall Rule: Description` to `Pass Ingress Echo Request (Ping)`
- Click `Save`
- Click `Apply changes`
Configure Physical LAN Interfaces
Configure LAN Interface
- Navigate to `Interfaces > [LAN]`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `TRUNK1`
- Click `Save`
- Click `Apply changes`
Configure Additional Interfaces
- Navigate to `Interfaces > Assignments`
- For each additional interface connected to the LAN switch, set `New interface:` accordingly and click `+`
- Click `Save`
- For each new interface, navigate to `Interfaces > OPT#`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `TRUNK(#+1)`
- Click `Save`
- Click `Apply changes`
Essential Infrastructure
Configure Network Management VLAN
Create the NET VLAN
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK1]`
- Set `VLAN tag` to `10`
- Set `VLAN priority` to `Network Control (7, highest)`
- Set `Description` to `NET`
- Click `Save`
Configure the NET Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(NET)` and click `+`
- Click `Save`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `NET`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `Static IPv4 configuration` to `10.#.10.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `local`
- Set `Description` to `LAN Interfaces`
- Set `Members` to `NET`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > local`
- Click `+ Add`
- Set `Edit Firewall Rule: Protocol` to `ICMP`
- Set `Edit Firewall Rule: ICMP type` to `Echo Request`
- Set `Edit Firewall Rule: Destination` to `This Firewall`
- Set `Edit Firewall Rule: Description` to `Pass Echo Requests (Ping) to this Gateway`
- Click `Save`
- Click `Apply changes`
Configure the Gateway as Time Server (NTP)
- Navigate to `Services > Network Time > General`
- Add `NET` to `Interface(s)`
- Click `Save`
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `ntp_clients`
- Set `Description` to `Interfaces with Access to the Local NTP Server(s)`
- Set `Members` to `NET`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > ntp_clients`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `UDP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `NTP`
- Set `Edit Firewall rule: Description` to `Pass NTP to this Gateway`
- Click `Save`
- Click `Apply changes`
Configure the Gateway as a DHCP and Name Server (Unbound)
Configure Unbound
- Navigate to `Services > Unbound DNS > General`
- Set `Network Interfaces` to `NET`
- Check `DNSSEC`
- Check `DHCP Static Mappings`
- Uncheck `IPv6 Link-local`
- Check `TXT Comment Support`
- Check `DNS Query Forwarding`
- Click `Show Advanced Options`
- Set `Outgoing Network Interfaces` to `WAN`
- Click `Save`
- Click `Apply changes`
- Navigate to `Services > Unbound DNS > Advanced`
- Check `Hide Identity`
- Check `Hide Version`
- Check `Prefetch Support`
- Check `Prefetch DNS Key Support`
- Check `Harden DNSSEC data`
- Set `Message Cache Size` to `50 MB`
- Set `Unwanted Reply Threshold` to `10 million`
- Click `Save`
- Click `Apply changes`
Configure DNS Client Firewall Group
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `dns_clients`
- Set `Description` to `Interfaces with Access to the Local Name Server(s)`
- Set `Members` to `NET`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > dns_clients`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `UDP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `DNS`
- Set `Edit Firewall rule: Description` to `Pass DNS to this Gateway`
- Click `Save`
- Click `Apply changes`
Configure DHCP for NET
- Navigate to `Services > DHCPv4 > [NET]`
- Check `Enable`
- Set `Range` to `10.#.10.246` and `10.#.10.254`
- Set `Domain name` to `net.?.?`
- Check `Time format change`
- Click `NTP servers: Advanced`
- Set `NTP servers` to `10.#.10.1`
- Click `Save`
Configure Administration VLAN
Create the ADMIN VLAN
- Add VLAN 20 to the LAN switch
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK1]`
- Set `VLAN tag` to `20`
- Set `VLAN priority` to `Network Control (7, highest)`
- Set `Description` to `ADMIN`
- Click `Save`
Configure the ADMIN Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(ADMIN)` and click `+`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `ADMIN`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `Static IPv4 configuration` to `10.#.20.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `local`
- Add `ADMIN` to `Members`
- Click `Save`
Configure NTP for ADMIN
- Navigate to `Services > Network Time > General`
- Add `ADMIN` to `Interface(s)`
- Click `Save`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `ntp_clients`
- Add `ADMIN` to `Members`
- Click `Save`
Configure DNS for ADMIN
- Navigate to `Services > Unbound DNS > General`
- Add `ADMIN` to `Network Interfaces`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `dns_clients`
- Add `ADMIN` to `Members`
- Click `Save`
Configure DHCP for ADMIN
- Navigate to `Services > DHCPv4 > [ADMIN]`
- Check `Enable`
- Set `Range` to `10.#.20.10` and `10.#.20.245`
- Set `Domain name` to `admin.?.?`
- Check `Time format change`
- Click `NTP servers: Advanced`
- Set `NTP servers` to `10.#.20.1`
- Click `Save`
Configure Administrative Access
Allow Admins to Access the Gateway
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `gw_admins`
- Set `Description` to `Interfaces with Administrative Access to this Gateway`
- Set `Members` to `ADMIN`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > gw_admins`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `TCP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `HTTP`
- Set `Edit Firewall rule: Description` to `Pass HTTP to this Gateway`
- Click `Save`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `TCP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `HTTPS`
- Set `Edit Firewall rule: Description` to `Pass HTTPS to this Gateway`
- Click `Save`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `TCP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `SSH`
- Set `Edit Firewall rule: Description` to `Pass SSH to this Gateway`
- Click `Save`
- Click `Apply changes`
Configure Administrative Access to Local Networks
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `local_admins`
- Set `Description` to `Interfaces with Administrative Access to Local Networks`
- Set `Members` to `ADMIN`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > local_admins`
- Click `+ Add`
- Set `Edit Firewall rule: Direction` to `in`
- Set `Edit Firewall rule: Destination` to `local net`
- Set `Edit Firewall rule: Description` to `Pass All to Local Networks`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > local`
- Click `+ Add`
- Set `Edit Firewall rule: Direction` to `out`
- Set `Edit Firewall rule: Source` to `ADMIN net`
- Set `Edit Firewall rule: Description` to `Pass All from Admins`
- Click `Save`
- Click `Apply changes`
Configure Internet Access for ADMIN
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `wan_clients`
- Set `Description` to `Interfaces with Internet Access`
- Set `Members` to `ADMIN`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > wan_clients`
- Click `+ Add`
- Uncheck `Edit Firewall rule: Quick`
- Set `Edit Firewall rule: Description` to `Pass All Ingress Traffic to WAN`
- Set `Advanced features: Gateway` to `WAN...`
- Click `Save`
- Click `Apply changes`
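The `Quick` checkbox and the rule order matter here, because the `wan_clients` rule matches everything and forces the WAN gateway. The following is an added example, not part of the original notes: a small model of how pf (and therefore OPNsense) picks the winning rule. A matching rule with `quick` ends evaluation immediately; otherwise the last matching rule wins, and nothing matching means the implicit default block. The two pass rules are the ones from the sections above; the ordering, the site number and the extra block rule are constructed for the demonstration.

```python
"""Model of pf rule evaluation: quick vs last-match-wins (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

SITE = 0    # X in 10.X.P.0/24; assumption for this demo
LOCAL_NETS = [ipaddress.IPv4Network(f"10.{SITE}.{p}.0/24") for p in (10, 20, 30, 40, 50, 60)]


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    quick: bool
    src: list[ipaddress.IPv4Network]        # empty list = any
    dst: list[ipaddress.IPv4Network]        # empty list = any
    description: str
    gateway: Optional[str] = None           # policy-routing gateway, if set


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: str
    gateway: Optional[str] = None


def _within(addr: ipaddress.IPv4Address, nets: list[ipaddress.IPv4Network]) -> bool:
    return not nets or any(addr in n for n in nets)


def evaluate(rules: list[Rule], src: str, dst: str) -> Verdict:
    """Evaluate the rules seen by one packet on one interface/direction, pf style."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    last: Optional[Rule] = None
    for r in rules:
        if _within(s, r.src) and _within(d, r.dst):
            if r.quick:                         # quick: first match is final
                return Verdict(r.action, r.description, r.gateway)
            last = r                            # otherwise remember, keep going
    if last is None:
        return Verdict("block", "default deny")  # pf's implicit default on OPNsense
    return Verdict(last.action, last.description, last.gateway)


# Rules from the guide as seen by traffic entering the ADMIN interface.
LOCAL_ADMINS_PASS = Rule("pass", True, [], LOCAL_NETS, "Pass All to Local Networks")
WAN_CLIENTS_PASS = Rule("pass", False, [], [], "Pass All Ingress Traffic to WAN", gateway="WAN")
# Constructed for the demo: a later, non-quick block rule for one destination.
LATER_BLOCK = Rule("block", False, [], [ipaddress.IPv4Network("203.0.113.0/24")],
                   "Block TEST-NET-3 (constructed)")

ADMIN_IN = [LOCAL_ADMINS_PASS, WAN_CLIENTS_PASS, LATER_BLOCK]
# Same, but with the WAN pass rule left quick (the default): the later block never gets a say.
ADMIN_IN_QUICK = [LOCAL_ADMINS_PASS,
                  Rule("pass", True, [], [], "Pass All (quick)", gateway="WAN"), LATER_BLOCK]
# Same, but with the local-networks pass rule NOT quick: the WAN rule wins for local traffic too.
ADMIN_IN_NONQUICK_LOCAL = [Rule("pass", False, [], LOCAL_NETS, "Pass All to Local Networks"),
                           WAN_CLIENTS_PASS]


if __name__ == "__main__":
    for dst in ("10.0.30.1", "198.51.100.7", "203.0.113.9"):
        print(dst, evaluate(ADMIN_IN, "10.0.20.15", dst))
    print("quick WAN rule  ", evaluate(ADMIN_IN_QUICK, "10.0.20.15", "203.0.113.9"))
    print("non-quick local ", evaluate(ADMIN_IN_NONQUICK_LOCAL, "10.0.20.15", "10.0.30.1"))
```

Two things fall out of the model. With `Quick` unchecked on the catch-all WAN rule, a more specific rule placed after it can still override it, which is the reason for unchecking it. Conversely, the `local_admins` rule must stay quick (or come later): if it were not, the catch-all rule would be the last match for local destinations as well and intra-site traffic would be policy-routed to the WAN gateway.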
Use ADMIN VLAN
- Set `10.#.20.1` as the default gateway on the admin workstation
- Navigate to `https://gw1.net.?.?/`
- Log in as the admin user
Remove Unnecessary Access to the Gateway
Disable DHCP on Default LAN Interface
- Navigate to `Services > DHCPv4 > [TRUNK1]`
- Uncheck `Enable`
- Click `Save`
Remove Address on Default LAN Interface
- Navigate to `Interfaces > TRUNK1`
- Set `General configuration: IPv4 Configuration Type` to `None`
- Set `General configuration: IPv6 Configuration Type` to `None`
- Click `Save`
- Click `Apply changes`
Remove Default Firewall Rules from the LAN Interface
- Navigate to `Firewall > Rules > TRUNK1`
- Click the trash icon to the right of `Default allow LAN to any rule`
- Click the trash icon to the right of `Default allow LAN IPv6 to any rule`
- Click `Apply changes`
Isolate Administration Services to Network Management VLAN
- Navigate to `System > Settings > Administration`
- Set `Web GUI > Listen Interfaces` to `NET`
- Click `I know what I am doing`
- Set `Secure Shell > Listen Interfaces` to `NET`
- Click `Save`
- Navigate to `Firewall > Settings > Advanced`
- Check `Miscellaneous: Disable anti-lockout`
- Click `Save`

Only disable anti-lockout once you are logged in from the ADMIN VLAN and the `gw_admins` rules are in place; after this step those rules are the only thing granting access to the GUI and SSH.
Configure Basic Service VLAN and Infrastructure
Create the SRV VLAN
- Add VLAN 30 to the LAN switch
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK#]`
- Set `VLAN tag` to `30`
- Set `VLAN priority` to `Critical Applications (3)`
- Set `Description` to `SRV`
- Click `Save`
Configure the SRV Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(SRV)` and click `+`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `SRV`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `Static IPv4 configuration` to `10.#.30.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `local`
- Add `SRV` to `Members`
- Click `Save`
Configure NTP for SRV
- Navigate to `Services > Network Time > General`
- Add `SRV` to `Interface(s)`
- Click `Save`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `ntp_clients`
- Add `SRV` to `Members`
- Click `Save`
Configure DNS for SRV
- Navigate to `Services > Unbound DNS > General`
- Add `SRV` to `Network Interfaces`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `dns_clients`
- Add `SRV` to `Members`
- Click `Save`
Configure Internet Access for SRV
- Click the edit icon to the right of `wan_clients`
- Add `SRV` to `Members`
- Click `Save`
Configure DHCP for SRV
- Navigate to `Services > DHCPv4 > [SRV]`
- Check `Enable`
- Set `Range` to `10.#.30.246` and `10.#.30.254`
- Set `Domain name` to `srv.?.?`
- Check `Time format change`
- Click `NTP servers: Advanced`
- Set `NTP servers` to `10.#.30.1`
- Click `Save`
Register NTP Service
- Navigate to `Services > Unbound DNS > Overrides`
- Click `+` under `Host Overrides`
- Set `Host` to `time1`
- Set `Domain` to `srv.?.?`
- Set `IP` to `10.#.30.1`
- Set `Description` to `Local Time Server (NTP)`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Aliases`
- Click `+`
- Set `Name` to `srv_time`
- Set `Content` to `time1.srv.?.?`
- Set `Description` to `Local Time Servers (NTP)`
- Click `Save`
- Click `Apply`
- Navigate to `Firewall > Rules > ntp_clients`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `UDP`
- Set `Edit Firewall rule: Destination` to `srv_time`
- Set `Edit Firewall rule: Destination port range` to `NTP`
- Set `Edit Firewall rule: Description` to `Allow Ingress NTP to Time Servers`
- Click `Save`
- Click `Apply changes`
Register DNS Service
- Navigate to `Services > Unbound DNS > Overrides`
- Click `+` under `Host Overrides`
- Set `Host` to `ns1`
- Set `Domain` to `srv.?.?`
- Set `IP` to `10.#.30.1`
- Set `Description` to `Local Name Server (DNS)`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Aliases`
- Click `+`
- Set `Name` to `srv_ns`
- Set `Content` to `ns1.srv.?.?`
- Set `Description` to `Local Name Servers (DNS)`
- Click `Save`
- Click `Apply`
- Navigate to `Firewall > Rules > dns_clients`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `UDP`
- Set `Edit Firewall rule: Destination` to `srv_ns`
- Set `Edit Firewall rule: Destination port range` to `DNS`
- Set `Edit Firewall rule: Description` to `Allow Ingress DNS to Name Servers`
- Click `Save`
- Click `Apply changes`
Common Infrastructure
Configure OOBM Quarantine VLAN
Create the OOBM VLAN
- Add VLAN 40 to the LAN switch
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK#]`
- Set `VLAN tag` to `40`
- Set `VLAN priority` to `Internetwork Control (6)`
- Set `Description` to `OOBM`
- Click `Save`
Configure the OOBM Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(OOBM)` and click `+`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `OOBM`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `Static IPv4 configuration` to `10.#.40.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `local`
- Add `OOBM` to `Members`
- Click `Save`
Configure NTP for OOBM
- Navigate to `Services > Network Time > General`
- Add `OOBM` to `Interface(s)`
- Click `Save`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `ntp_clients`
- Add `OOBM` to `Members`
- Click `Save`
Configure DNS for OOBM
- Navigate to `Services > Unbound DNS > General`
- Add `OOBM` to `Network Interfaces`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `dns_clients`
- Add `OOBM` to `Members`
- Click `Save`
Configure DHCP
- Navigate to `Services > DHCPv4 > [OOBM]`
- Check `Enable`
- Set `Range` to `10.#.40.246` and `10.#.40.254`
- Set `DNS servers` to `10.#.30.1`
- Set `Domain name` to `oobm.?.?`
- Check `Time format change`
- Click `NTP servers: Advanced`
- Set `NTP servers` to `10.#.30.1`
- Click `Save`
Configure SAN VLAN (Jumbo Frames)
Create the SAN VLAN
- Add VLAN 50 to the LAN switch
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK#]`
- Set `VLAN tag` to `50`
- Set `VLAN priority` to `Background (1, lowest)`
- Set `Description` to `SAN`
- Click `Save`
Configure the SAN Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(SAN)` and click `+`
- Navigate to `Interfaces > [TRUNK#]`
- Set `General configuration: MTU` to `9000`
- Click `Save`
- Click `Apply changes`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `SAN`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `General configuration: MTU` to `9000`
- Set `Static IPv4 configuration` to `10.#.50.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `local`
- Add `SAN` to `Members`
- Click `Save`
Configure DHCP
- Navigate to `Services > DHCPv4 > [SAN]`
- Check `Enable`
- Set `Range` to `10.#.50.246` and `10.#.50.254`
- Set `Domain name` to `san.?.?`
- Set `Interface MTU` to `9000`
- Check `Time format change`
- Click `Save`
Configure IaaS Management VLAN
Create the IAAS VLAN
- Add VLAN 60 to the LAN switch
- Navigate to `Interfaces > Other Types > VLAN`
- Click `+ Add`
- Set `Parent interface` to `...[TRUNK1]`
- Set `VLAN tag` to `60`
- Set `VLAN priority` to `Internetwork Control (6)`
- Set `Description` to `IAAS`
- Click `Save`
Configure the IAAS Interface
- Navigate to `Interfaces > Assignments`
- Set `New interface:` to `...(IAAS)` and click `+`
- Navigate to `Interfaces > [OPT#]`
- Check `General configuration: Enable`
- Check `General configuration: Lock`
- Set `General configuration: Description` to `IAAS`
- Check `General configuration: Block bogon networks`
- Set `General configuration: IPv4 Configuration Type` to `Static IPv4`
- Set `Static IPv4 configuration` to `10.#.60.1` and select `24`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `local`
- Add `IAAS` to `Members`
- Click `Save`
Configure NTP for IAAS
- Navigate to `Services > Network Time > General`
- Add `IAAS` to `Interface(s)`
- Click `Save`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `ntp_clients`
- Add `IAAS` to `Members`
- Click `Save`
Configure DNS for IAAS
- Navigate to `Services > Unbound DNS > General`
- Add `IAAS` to `Network Interfaces`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Groups`
- Click the edit icon to the right of `dns_clients`
- Add `IAAS` to `Members`
- Click `Save`
Configure Internet Access for IAAS
- Click the edit icon to the right of `wan_clients`
- Add `IAAS` to `Members`
- Click `Save`
Configure DHCP
- Navigate to `Services > DHCPv4 > [IAAS]`
- Check `Enable`
- Set `Range` to `10.#.60.246` and `10.#.60.254`
- Set `DNS servers` to `10.#.30.1`
- Set `Domain name` to `iaas.?.?`
- Check `Time format change`
- Click `NTP servers: Advanced`
- Set `NTP servers` to `10.#.30.1`
- Click `Save`
Additional Security Measures
Configure Drop List
Configure Spamhaus (E)DROP Firewall Aliases
- Navigate to `Firewall > Aliases`
- Click `+`
- Set `Name` to `spamhaus_drop`
- Set `Type` to `URL Table (IPs)`
- Set `Days` to `1`
- Set `Content` to `https://www.spamhaus.org/drop/drop.txt`
- Set `Description` to `Spamhaus Drop List`
- Click `Save`
- Click `+`
- Set `Name` to `spamhaus_edrop`
- Set `Type` to `URL Table (IPs)`
- Set `Days` to `1`
- Set `Content` to `https://www.spamhaus.org/drop/edrop.txt`
- Set `Description` to `Spamhaus Extended Drop List`
- Click `Save`

Note: Spamhaus has since merged EDROP into DROP (April 2024), so on a current system the `spamhaus_drop` alias alone covers both lists and the EDROP alias can be omitted.
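A `URL Table (IPs)` alias downloads a text file and loads every network in it into a pf table. The following is an added example, not part of the original notes, that parses the Spamhaus DROP text format the way the alias needs it (one CIDR per line, `;` introducing a comment or the SBL reference), collapses adjacent prefixes as pf does, and checks an address against the result. The list content is constructed from documentation prefixes for the demo; it contains no real DROP entries.

```python
"""Parsing a Spamhaus DROP-style list as a URL Table alias would (added example)."""
from __future__ import annotations

import ipaddress
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the DROP file format (documentation prefixes, not real entries).
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000003

not-an-address ; SBL000004
"""


def parse_drop(text: str) -> tuple[list[IPNetwork], list[tuple[int, str]]]:
    """Return (networks, rejected_lines).

    Blank lines and ';' comments are skipped. Lines that are not a valid IPv4
    or IPv6 network are reported with their line number rather than silently
    dropped: a blocklist that quietly loses entries is a failure you want to see.
    """
    nets: list[IPNetwork] = []
    bad: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return nets, bad


def collapse(nets: Iterable[IPNetwork]) -> list[IPNetwork]:
    """Merge adjacent and overlapping prefixes per address family, as a pf table does."""
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_listed(addr: str, nets: Iterable[IPNetwork]) -> bool:
    """True if addr falls inside any listed network of the same address family."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets if n.version == a.version)


if __name__ == "__main__":
    nets, bad = parse_drop(SAMPLE_DROP_TXT)
    print(f"{len(nets)} networks loaded, {len(bad)} rejected lines: {bad}")
    for probe in ("203.0.113.45", "198.51.100.200", "8.8.8.8"):
        print(probe, "listed" if is_listed(probe, nets) else "not listed")
```

The rejected-line report is the part worth keeping when this grows into automation: if a list format changes, the alias shrinks, and a shrinking blocklist should raise an alert rather than pass unnoticed.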
Configure GeoIP Drop Firewall Aliases
- Click `+`
- Set `Name` to `geoip_drop` and select `IPv4`
- Set `Type` to `GeoIP`
- Set `Content` to the countries you want to block
- Set `Description` to `GeoIP Drop List`
- Click `Save`
Drop List
- Click `+`
- Set `Name` to `drop_list`
- Set `Content` to `spamhaus_drop`, `spamhaus_edrop` and `geoip_drop`
- Set `Description` to `Aggregate Drop List`
- Click `Save`
- Click `Apply`
Schedule Alias Updates
- Navigate to `System > Settings > Cron`
- Click `+`
- Set `Command` to `Update and reload firewall aliases`
- Set `Description` to `Refresh Firewall Aliases Daily at Midnight`
- Click `Save`
- Click `Apply`
Enforce the Drop List
- Navigate to `Firewall > Groups`
- Click `+ Add`
- Set `Name` to `drop_list`
- Set `Description` to `Interfaces that Enforce the Drop List`
- Set `Members` to `WAN`
- Click `Save`
- Click `Apply changes`
- Navigate to `Firewall > Rules > drop_list`
- Click `+ Add`
- Set `Edit Firewall rule: Action` to `Block`
- Set `Edit Firewall rule: Source` to `drop_list`
- Set `Edit Firewall rule: Description` to `Block Ingress from Drop List`
- Click `Save`
- Click `+ Add`
- Set `Edit Firewall rule: Action` to `Block`
- Set `Edit Firewall rule: Direction` to `Out`
- Set `Edit Firewall rule: Destination` to `drop_list`
- Set `Edit Firewall rule: Description` to `Block Egress to Drop List`
- Click `Save`
- Click `Apply changes`
Configure Antivirus
NOTE: ClamAV currently fails to run. It starts but fails after a few minutes without leaving any reason in the logs. My advice is to configure it as below, and then disable it. Try it again after an update to see if they fix it.
Install ClamAV
- Navigate to `System > Firmware > Plugins`
- Click `+` to the right of `os-clamav`
- Wait for ClamAV to install
- Refresh the browser window
Configure ClamAV
- Navigate to `Services > ClamAV > Configuration`
- Click `Download signatures`
- Wait for the signatures to download
- Check `Enable clamd service`
- Check `Enable freshclam service`
- Check `Add Malware Expert Signatures`
- Check `Add BLURL Signatures`
- Check `Add JURLBLA Signatures`
- Check `Add BOFHLand Signatures`
- Click `Save`
Configure IDS
- Navigate to `Services > Intrusion Detection > Administration`
- Check `Enabled`
- Check `Enable syslog alerts`
- Click `advanced mode`
- Set `Home networks` to `10.#.0.0/16`
- Click `Apply`
- Navigate to the `Download` tab
- Click `Download & Update Rules`
- Wait for the download to finish
- Check the box to the left of `Description` to select all rulesets
- Click `Enable selected`
- Navigate to the `Schedule` tab
- Check `enabled`
- Set `Description` to `Update IDS Rules Daily at Midnight`
- Click `Save`
Basic Monitoring and Alerts
Hardware
Install Plugins
- Navigate to `System > Firmware > Plugins`
- Click `+` to the right of `os-dmidecode`
- Wait for dmidecode to install
- Navigate to `System > Firmware > Plugins`
- Click `+` to the right of `os-smart`
- Wait for smart to install
Packet Inspection
Configure Netflow for Reporting Insights
- Navigate to `Reporting > NetFlow`
- Set `Listening interfaces` to `ADMIN`, `IAAS`, `SRV` and `WAN` (or whatever you would like)
- Check `Capture local`
- Click `Apply`
- Navigate to `Reporting > Insight`
- Check `Reverse lookup`
Email Alerts
Configure E-mail Alerts via Monit
- Navigate to `Services > Monit > Settings`
- Check `Enable monit`
- Set `Mail Server`, `Mail Server Port`, `Username` and `Password` according to your e-mail provider's specifications
- Check `Secure Connection`
- Click `Save`
- Click `Apply changes` (repeat until it goes away)
- Click the `Alert Settings` tab
- Click the edit icon to the right of `[email protected]`
- Check `Enable alert`
- Set `Recipient` to your email address
- Set `Events` to `Checksum failed`, `Connection failed`, `Content failed`, `Data access error`, `Execution failed`, `Filesystem flags failed`, `GID failed`, `Ping failed`, `Monit instance changed`, `Invalid type`, `Does not exist`, `Permission failed`, `PID failed`, `PPID failed`, `Resource limit matched`, `Size failed`, `Status failed`, `Timeout`, `Timestamp failed`, `UID failed` and `Uptime failed`
- Set `Description` to `General Alerts`
- Click `Apply changes`
Netdata
Configure Netdata
- Navigate to `System > Firmware > Plugins`
- Click `+` to the right of `os-netdata`
- Wait for netdata to install
- Refresh the browser
- Navigate to `Services > Netdata > General`
- Check `Enable`
- Set `Listen Address` to `10.#.10.1`
- Click `Save`
- Navigate to `Firewall > Rules > gw_admins`
- Click `+ Add`
- Set `Edit Firewall rule: Protocol` to `TCP`
- Set `Edit Firewall rule: Destination` to `This Firewall`
- Set `Edit Firewall rule: Destination port range` to `(other)`
- Set `Edit Firewall rule: Destination port range: from:` to `19999`
- Set `Edit Firewall rule: Description` to `Pass Netdata to this Gateway`
- Click `Save`
- Click `Apply changes`
January 2020 Update
GeoIP now requires a MaxMind account. Follow this procedure when using GeoIP (quoted from a page cached 2020/01/10):
MaxMind GeoIP's Setup
With the changes MaxMind have implemented, it is now a requirement that anyone using their lists must have an account and, by having that account, will have accepted their data protection requirements. It's fairly simple to set up, so let's get started.
Create An Account
Go to https://www.maxmind.com/en/geolite2/signup and create your account. Note that the email address you provide will be used to send you the link you will need to enter in OPNsense, so make sure it's a real account.
Generate License Key
Once you have created an account you'll need to create a license key. Click on the "My License Key" link and generate a key. Save the key ID somewhere safe!!!
You do not need to download the config at this point.
Create Link
Now we need to create the link we'll need in OPNsense; all you need to do now is to replace the 'My License key' part of the link below with your license key.
You can check that you have done it correctly by just pasting the link into a browser; it should download the zip file.
OPNsense
In OPNsense, go to Firewall:Aliases and select the GeoIP settings tab. Enter the URL you have created into the URL box and click Apply, and that's it.