oO.o's OPNsense Gateway Config

Context

I’m going through the process of recording my configuration processes so that I can automate as much of them as possible. This is roughly the config I run on a standalone OPNsense gateway. A configuration with a Gateway, DMZ and internal router is preferable, but I wanted to start with something simpler.

So far, this configures OPNsense as a Gateway, connected to one switch.

Questions and feedback are welcome.

Schema Outline

Infrastructure

Formula

Site Number = X = 0–255 = 256 Sites

Primary VLANs = P = Y – (Y+9) = 10 Primaries

Subnets = 10 . X . P . 0 /24 = 1 /24 Subnet per Primary

Isolated PVLANs = (1000+P) = 1 Isolated per Primary

Community PVLANs = (2000 + (P * 10)) – ((2000 + (P * 10)) + 99) = 10 Community per Primary

DMZ

(VLANs 0,1 unused)

Primary = 2–9

Isolated = 1002–1009

Community = 2020–2099

NET

Primary = 10–19

Isolated = 1010–1019

Community = 2100–2199

ADMIN

Primary = 20–29

Isolated = 1020–1029

Community = 2200–2299

SRV

Primary = 30–39

Isolated = 1030–1039

Community = 2300–2399

OOBM

Primary = 40–49

Isolated = 1040–1049

Community = 2400–2499

SAN

Primary = 50–59

Isolated = 1050–1059

Community = 2500–2599

IAAS

Primary = 60–69

Isolated = 1060–1069

Community = 2600–2699

DOM

Primary = 70–79

Isolated = 1070–1079

Community = 2700–2799

RESERVED

Primary = 80–89

Isolated = 1080–1089

Community = 2800–2899

RESERVED

Primary = 90–99

Isolated = 1090–1099

Community = 2900–2999


End User

Formula

Variations on infrastructure

CLIENTS / DEPARTMENTS

Primary = 100–209

Isolated = 1100–1209

Community = 3000–4094

GUESTS

Primary = 210–255

Isolated = 310–355

Community = 410–455, 510–555, 610–655, 710–755, 810–855, 910–955 = 6 Community per Primary


Initial Configuration

Prerequisites

Public IP and DNS

  • ISP IP address, subnet and gateway (unless provided via DHCP)

  • Preferably public FQDN is already configured

Installation Media

Gateway

  • Processor: amd64, AES-NI

  • 2+ Network Ports

Managed Switch

  • Mainly just need VLAN support for this

Admin Workstation

  • Whatever you prefer

Preparation

Physical Prep

  1. Plug install media into gateway

  2. Plug WAN uplink into port 2 on the gateway

  3. Plug all other gateway ports into LAN switch

  4. Plug admin computer into LAN switch

Admin Workstation Prep

  1. On admin workstation, add a virtual interface with VLAN 20 to the physical interface plugged into the switch

LAN Switch Prep

  1. Turn on the switch

  2. Onboard switch (use VLAN10 for management)

  3. Configure all ports connected to the gateway as VLAN trunks

Install OPNsense on the Gateway

  1. Turn on the gateway

  2. Configure BIOS to boot from installation media

  3. Click through default OPNsense installation (select MBR when prompted)

  4. When the system reboots, ensure BIOS is configured to boot into local media where OPNsense was installed


Configure Secure Defaults

Configure Admin User

  1. On admin computer, navigate to https://192.168.1.1

  2. Log in as root with password set during installation

  3. Navigate to System > Access > Users

  4. Click + Add

  5. Enter randomly generated strings for Username and Password fields

  6. Set Login shell to /sbin/sh

  7. Move admins group to Member Of

  8. Click Save and go back

  9. Navigate to Lobby > Logout

  10. Login as new admin user

Disable root

  1. Navigate to System > Access > Users

  2. Click on the edit icon to the right of the user root

  3. Check Disabled

  4. Check Generate a scrambled password to prevent local database logins for this user.

  5. Click Save

Configure WAN Interface

  1. Navigate to Interfaces > [WAN]

  2. Check General configuration: Lock

  3. Check General configuration: Block private networks

  4. Check General configuration: Block bogon networks

  5. Set General configuration: IPv6 Configuration Type to None

  6. If WAN address is not provided via DHCP, set General configuration: IPv4 Configuration Type to Static IPv4

  7. Click Save

  8. If WAN address is not provided via DHCP, set Static IPv4 configuration: IPv4 address according to address provided by ISP

  9. Click Save

  10. Click Apply changes

Configure Firmware and Update

  1. Navigate to System > Firmware > Settings

  2. Set Firmware Flavour to LibreSSL

  3. Click Save

Remove Automatically Installed Plugins

  1. Navigate to System > Firmware > Plugins

  2. Click the trash icon to the right of os-dyndns

  3. Repeat for any other plugins labelled (installed)

Initial Update

  1. Click Check for updates

  2. Wait until the Update now appears and click on it

  3. Repeat until all updates are installed

  4. If the gateway doesn’t reboot automatically, navigate to Power > Reboot

  5. Wait for the gateway to reboot

  6. Navigate to https://192.168.1.1

  7. Login as the admin user

Schedule Automatic Updates and Reboot

  1. Navigate to System > Settings > Cron

  2. Click +

  3. Set Command to Automatic firmware update

  4. Set Description to Automatic Updates Daily at Midnight

  5. Click Save

  6. Click +

  7. Set Hours to 4

  8. Set Day of the month to 1-7

  9. Set Days of the week to 6

  10. Set Command to Issue a reboot

  11. Set Description to Reboot Every First Saturday at 4

  12. Click Save

  13. Click Apply
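An added note and example, not from the original post, on the reboot schedule just above. In crontab(5) (Vixie cron, which is what FreeBSD and therefore OPNsense ship; that OPNsense's cron editor maps its Day of the month and Days of the week fields straight onto the system crontab is my assumption) a job whose day-of-month and day-of-week fields are both restricted fires when either one matches. The evaluator below shows which days a `1-7` / `6` schedule fires on in a given month under that rule, next to the AND reading one might expect, and the single day "first Saturday" actually denotes.

```python
import calendar
from datetime import date


def parse_field(field: str, lo: int, hi: int) -> set:
    """Expand one crontab field ('*', '6', '1-7', '1,15', '*/2', '1-7/2') into the
    set of integer values it matches, validated against the field's legal range."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"crontab field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def cron_days(dom: str, dow: str, year: int, month: int, vixie: bool = True) -> list:
    """Days of (year, month) on which a job with these day-of-month and day-of-week
    fields fires. With vixie=True the crontab(5) rule applies: when BOTH fields are
    restricted (neither is '*'), the job runs when EITHER field matches. vixie=False
    evaluates the intuitive AND reading for comparison."""
    doms = parse_field(dom, 1, 31)
    # cron numbers days Sunday=0 .. Saturday=6, with 7 accepted as Sunday too
    dows = {0 if d == 7 else d for d in parse_field(dow, 0, 7)}
    both_restricted = dom != "*" and dow != "*"
    fired = []
    for day in range(1, calendar.monthrange(year, month)[1] + 1):
        dom_ok = day in doms
        # Python's weekday() is Monday=0; shift so Sunday=0 like cron
        dow_ok = (date(year, month, day).weekday() + 1) % 7 in dows
        if both_restricted and vixie:
            hit = dom_ok or dow_ok
        else:
            hit = dom_ok and dow_ok  # a '*' field matches every day, so AND is exact here
        if hit:
            fired.append(day)
    return fired


def first_weekday(year: int, month: int, cron_dow: int) -> int:
    """The single day that 'first <weekday> of the month' actually denotes."""
    return next(d for d in range(1, 8)
                if (date(year, month, d).weekday() + 1) % 7 == cron_dow)


if __name__ == "__main__":
    print("Vixie OR rule, Jan 2020:", cron_days("1-7", "6", 2020, 1))
    print("AND reading, Jan 2020:  ", cron_days("1-7", "6", 2020, 1, vixie=False))
    print("first Saturday Jan 2020:", first_weekday(2020, 1, 6))
```

The classic workaround in plain cron is to restrict only one of the two fields and test the other inside the command; whatever schedule you settle on, confirm it the same way, by evaluating the fields as cron will read them rather than as the description reads.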

Configure Gateway Administration

  1. Navigate to System > Settings > Administration

  2. Check Web GUI: HTTP Strict Transport Security

  3. Check Secure Shell: Secure Shell Server

  4. Check Secure Shell: Authentication Method

  5. Set Authentication: Sudo to Ask password

  6. Click Save

  7. Navigate to System > Settings > General

  8. Set System: Hostname, System: Domain and System: Time zone if they are incorrect

  9. Check Networking: Prefer IPv4 over IPv6

  10. Add 9.9.9.9 to Networking: DNS Servers: DNS Server field and set Use gateway to ... - wan - ...

  11. Add 149.112.112.112 to Networking: DNS Servers: DNS Server field and set Use gateway to ... - wan - ...

  12. Uncheck DNS server options: Allow DNS server list to be overridden by DHCP/PPP on WAN

  13. Click Save

Configure Hardware and Memory Optimizations

  1. Navigate to System > Settings > Miscellaneous

  2. Set Thermal Sensors: Hardware according to the make of your processor

  3. Check Disk / Memory Settings: Swap file

  4. Check Disk / Memory Settings: /tmp RAM disk

  5. Click Save

  6. Navigate to Interfaces > Settings

  7. Uncheck Hardware CRC

  8. Uncheck Hardware TSO

  9. Uncheck Hardware LRO

  10. Set VLAN Hardware Filtering to Enable VLAN Hardware Filtering

  11. Click Save

Reboot

  1. Navigate to Power > Reboot

  2. Wait for the gateway to reboot

  3. Navigate to https://192.168.1.1

  4. Login as the admin user

Configure General Firewall Settings

  1. Navigate to Firewall > Settings > Advanced

  2. Uncheck IPv6 Options: Allow IPv6

  3. Set Bogon Networks: Update Frequency to Daily

  4. Check Miscellaneous: Bind states to interface

  5. Check Miscellaneous: Check certificate of aliases URLs

  6. Click Save

Allow External Ping

  1. Navigate to Firewall > Rules > WAN

  2. Click + Add

  3. Set Edit Firewall Rule: Protocol to ICMP

  4. Set Edit Firewall Rule: ICMP type to Echo Request

  5. Set Edit Firewall Rule: Description to Pass Ingress Echo Request (Ping)

  6. Click Save

  7. Click Apply changes


Configure Physical LAN Interfaces

Configure LAN Interface

  1. Navigate to Interfaces > [LAN]

  2. Check General configuration: Lock

  3. Set General configuration: Description to TRUNK1

  4. Click Save

  5. Click Apply changes

Configure Additional Interfaces

  1. Navigate to Interfaces > Assignments

  2. For each additional interface connected to the LAN switch, set New interface: accordingly and click +

  3. Click Save

  4. For each new interface, navigate to Interfaces > OPT#

  5. Check General configuration: Enable

  6. Check General configuration: Lock

  7. Set General configuration: Description to TRUNK(#+1)

  8. Click Save

  9. Click Apply changes


Essential Infrastructure

Configure Network Management VLAN

Create the NET VLAN

  1. Navigate to Interfaces > Other Types > VLAN

  2. Click + Add

  3. Set Parent interface to ...[TRUNK1]

  4. Set VLAN tag to 10

  5. Set VLAN priority to Network Control (7, highest)

  6. Set Description to NET

  7. Click Save

Configure the NET Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(NET) and click +

  3. Click Save

  4. Navigate to Interfaces > [OPT#]

  5. Check General configuration: Enable

  6. Check General configuration: Lock

  7. Set General configuration: Description to NET

  8. Check General configuration: Block bogon networks

  9. Set General configuration: IPv4 Configuration Type to Static IPv4

  10. Set Static IPv4 configuration to 10.#.10.1 and select 24

  11. Click Save

  12. Click Apply changes

  13. Navigate to Firewall > Groups

  14. Click + Add

  15. Set Name to local

  16. Set Description to LAN Interfaces

  17. Set Members to NET

  18. Click Save

  19. Click Apply changes

  20. Navigate to Firewall > Rules > local

  21. Click + Add

  22. Set Edit Firewall Rule: Protocol to ICMP

  23. Set Edit Firewall Rule: ICMP type to Echo Request

  24. Set Edit Firewall Rule: Destination to This Firewall

  25. Set Edit Firewall Rule: Description to Pass Echo Requests (Ping) to this Gateway

  26. Click Save

  27. Click Apply changes

Configure the Gateway as Time Server (NTP)

  1. Navigate to Services > Network Time > General

  2. Add NET to Interface(s)

  3. Click Save

  4. Navigate to Firewall > Groups

  5. Click + Add

  6. Set Name to ntp_clients

  7. Set Description to Interfaces with Access to the Local NTP Server(s)

  8. Set Members to NET

  9. Click Save

  10. Click Apply changes

  11. Navigate to Firewall > Rules > ntp_clients

  12. Click + Add

  13. Set Edit Firewall rule: Protocol to UDP

  14. Set Edit Firewall rule: Destination to This Firewall

  15. Set Edit Firewall rule: Destination port range to NTP

  16. Set Edit Firewall rule: Description to Pass NTP to this Gateway

  17. Click Save

  18. Click Apply changes

Configure the Gateway as a DHCP and Name Server (Unbound)

Configure Unbound

  1. Navigate to Services > Unbound DNS > General

  2. Uncheck Network Interfaces to NET

  3. Check DNSSEC

  4. Check DHCP Static Mappings

  5. Uncheck IPv6 Link-local

  6. Check TXT Comment Support

  7. Check DNS Query Forwarding

  8. Click Show Advanced Options

  9. Set Outgoing Network Interfaces to WAN

  10. Click Save

  11. Click Apply changes

  12. Navigate to Services > Unbound DNS > Advanced

  13. Check Hide Identity

  14. Check Hide Version

  15. Check Prefetch Support

  16. Check Prefetch DNS Key Support

  17. Check Harden DNSSEC data

  18. Set Message Cache Size to 50 MB

  19. Set Unwanted Reply Threshold to 10 million

  20. Click Save

  21. Click Apply changes

Configure DNS Client Firewall Group

  1. Navigate to Firewall > Groups

  2. Click + Add

  3. Set Name to dns_clients

  4. Set Description to Interfaces with Access to the Local Name Server(s)

  5. Set Members to NET

  6. Click Save

  7. Click Apply changes

  8. Navigate to Firewall > Rules > dns_clients

  9. Click + Add

  10. Set Edit Firewall rule: Protocol to UDP

  11. Set Edit Firewall rule: Destination to This Firewall

  12. Set Edit Firewall rule: Destination port range to DNS

  13. Set Edit Firewall rule: Description to Pass DNS to this Gateway

  14. Click Save

  15. Click Apply changes

Configure DHCP for NET

  1. Navigate to Services > DHCPv4 > [NET]

  2. Check Enable

  3. Set Range to 10.#.10.246 and 10.#.10.254

  4. Set Domain name to net.?.?

  5. Check Time format change

  6. Click NTP servers: Advanced

  7. Set NTP servers to 10.#.10.1

  8. Click Save


Configure Administration VLAN

Create the ADMIN VLAN

  1. Add VLAN 20 to LAN switch

  2. Navigate to Interfaces > Other Types > VLAN

  3. Click + Add

  4. Set Parent interface to ...[TRUNK1]

  5. Set VLAN tag to 20

  6. Set VLAN priority to Network Control (7, highest)

  7. Set Description to ADMIN

  8. Click Save

Configure the ADMIN Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(ADMIN) and click +

  3. Navigate to Interfaces > [OPT#]

  4. Check General configuration: Enable

  5. Check General configuration: Lock

  6. Set General configuration: Description to ADMIN

  7. Check General configuration: Block bogon networks

  8. Set General configuration: IPv4 Configuration Type to Static IPv4

  9. Set Static IPv4 configuration to 10.#.20.1 and select 24

  10. Click Save

  11. Click Apply changes

  12. Navigate to Firewall > Groups

  13. Click the edit icon to the right of local

  14. Add ADMIN to Members

  15. Click Save

Configure NTP for ADMIN

  1. Navigate to Services > Network Time > General

  2. Add ADMIN to Interface(s)

  3. Click Save

  4. Navigate to Firewall > Groups

  5. Click the edit icon to the right of ntp_clients

  6. Add ADMIN to Members

  7. Click Save

Configure DNS for ADMIN

  1. Navigate to Services > Unbound DNS > General

  2. Add ADMIN to Network Interfaces

  3. Click Save

  4. Click Apply changes

  5. Navigate to Firewall > Groups

  6. Click the edit icon to the right of dns_clients

  7. Add ADMIN to Members

  8. Click Save

Configure DHCP for ADMIN

  1. Navigate to Services > DHCPv4 > [ADMIN]

  2. Check Enable

  3. Set Range to 10.#.20.10 and 10.#.20.245

  4. Set Domain name to admin.?.?

  5. Check Time format change

  6. Click NTP servers: Advanced

  7. Set NTP servers to 10.#.20.1

  8. Click Save

Configure Administrative Access

Allow Admins to Access the Gateway

  1. Navigate to Firewall > Groups

  2. Click + Add

  3. Set Name to gw_admins

  4. Set Description to Interfaces with Administrative Access to this Gateway

  5. Set Members to ADMIN

  6. Click Save

  7. Click Apply changes

  8. Navigate to Firewall > Rules > gw_admins

  9. Click + Add

  10. Set Edit Firewall rule: Protocol to TCP

  11. Set Edit Firewall rule: Destination to This Firewall

  12. Set Edit Firewall rule: Destination port range to HTTP

  13. Set Edit Firewall rule: Description to Pass HTTP to this Gateway

  14. Click Save

  15. Click + Add

  16. Set Edit Firewall rule: Protocol to TCP

  17. Set Edit Firewall rule: Destination to This Firewall

  18. Set Edit Firewall rule: Destination port range to HTTPS

  19. Set Edit Firewall rule: Description to Pass HTTPS to this Gateway

  20. Click Save

  21. Click + Add

  22. Set Edit Firewall rule: Protocol to TCP

  23. Set Edit Firewall rule: Destination to This Firewall

  24. Set Edit Firewall rule: Destination port range to SSH

  25. Set Edit Firewall rule: Description to Pass SSH to this Gateway

  26. Click Save

  27. Click Apply changes

Configure Administrative Access to Local Networks

  1. Navigate to Firewall > Groups

  2. Click + Add

  3. Set Name to local_admins

  4. Set Description to Interfaces with Administrative Access to Local Networks

  5. Set Members to ADMIN

  6. Click Save

  7. Click Apply changes

  8. Navigate to Firewall > Rules > local_admins

  9. Click + Add

  10. Set Edit Firewall rule: Direction to in

  11. Set Edit Firewall rule: Destination to local net

  12. Set Edit Firewall rule: Description to Pass All to Local Networks

  13. Click Save

  14. Click Apply changes

  15. Navigate to Firewall > Rules > local

  16. Click + Add

  17. Set Edit Firewall rule: Direction to out

  18. Set Edit Firewall rule: Source to ADMIN net

  19. Set Edit Firewall rule: Description to Pass All from Admins

  20. Click Save

  21. Click Apply changes

Configure Internet Access for ADMIN

  1. Navigate to Firewall > Groups

  2. Click + Add

  3. Set Name to wan_clients

  4. Set Description to Interfaces with Internet Access

  5. Set Members to ADMIN

  6. Click Save

  7. Click Apply changes

  8. Navigate to Firewall > Rules > wan_clients

  9. Click + Add

  10. Uncheck Edit Firewall rule: Quick

  11. Set Edit Firewall rule: Description to Pass All Ingress Traffic to WAN

  12. Set Advanced features: Gateway to WAN...

  13. Click Save

  14. Click Apply changes

Use ADMIN VLAN

  1. Set 10.x.20.1 as the default gateway on the admin workstation

  2. Navigate to https://gw1.net.?.?/

  3. Log in as the admin user

Remove Unnecessary Access to the Gateway

Disable DHCP on Default LAN Interface

  1. Navigate to Services > DHCPv4 > [TRUNK1]

  2. Uncheck Enable

  3. Click Save

Remove Address on Default LAN Interface

  1. Navigate to Interfaces > TRUNK1

  2. Set General configuration: IPv4 Configuration Type to None

  3. Set General configuration: IPv6 Configuration Type to None

  4. Click Save

  5. Click Apply changes

Remove Default Firewall Rules from the LAN Interface

  1. Navigate to Firewall > Rules > TRUNK1

  2. Click the trash icon to the right of Default allow LAN to any rule

  3. Click the trash icon to the right of Default allow LAN IPv6 to any rule

  4. Click Apply changes

Isolate Administration Services to Network Management VLAN

  1. Navigate to System > Settings > Administration

  2. Set Web GUI > Listen Interfaces to NET

  3. Click I know what I am doing

  4. Set Secure Shell > Listen Interfaces to NET

  5. Click Save

  6. Navigate to Firewall > Settings > Advanced

  7. Check Miscellaneous: Disable anti-lockout

  8. Click Save


Configure Basic Service VLAN and Infrastructure

Create the SRV VLAN

  1. Add VLAN 30 to LAN switch

  2. Navigate to Interfaces > Other Types > VLAN

  3. Click + Add

  4. Set Parent interface to ...[TRUNK#]

  5. Set VLAN tag to 30

  6. Set VLAN priority to Critical Applications (3)

  7. Set Description to SRV

  8. Click Save

Configure the SRV Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(SRV) and click +

  3. Navigate to Interfaces > [OPT#]

  4. Check General configuration: Enable

  5. Check General configuration: Lock

  6. Set General configuration: Description to SRV

  7. Check General configuration: Block bogon networks

  8. Set General configuration: IPv4 Configuration Type to Static IPv4

  9. Set Static IPv4 configuration to 10.#.30.1 and select 24

  10. Click Save

  11. Click Apply changes

  12. Navigate to Firewall > Groups

  13. Click the edit icon to the right of local

  14. Add SRV to Members

  15. Click Save

Configure NTP for SRV

  1. Navigate to Services > Network Time > General

  2. Add SRV to Interface(s)

  3. Click Save

  4. Navigate to Firewall > Groups

  5. Click the edit icon to the right of ntp_clients

  6. Add SRV to Members

  7. Click Save

Configure DNS for SRV

  1. Navigate to Services > Unbound DNS > General

  2. Add SRV to Network Interfaces

  3. Click Save

  4. Click Apply changes

  5. Navigate to Firewall > Groups

  6. Click the edit icon to the right of dns_clients

  7. Add SRV to Members

  8. Click Save

Configure Internet Access for SRV

  1. Click the edit icon to the right of wan_clients

  2. Add SRV to Members

  3. Click Save

Configure DHCP for SRV

  1. Navigate to Services > DHCPv4 > [SRV]

  2. Check Enable

  3. Set Range to 10.#.30.246 and 10.#.30.254

  4. Set Domain name to srv.?.?

  5. Check Time format change

  6. Click NTP servers: Advanced

  7. Set NTP servers to 10.#.30.1

  8. Click Save

Register NTP Service

  1. Navigate to Services > Unbound DNS > Overrides

  2. Click + under Host Overrides

  3. Set Host to time1

  4. Set Domain to srv.?.?

  5. Set IP to 10.x.30.1

  6. Set Description to Local Time Server (NTP)

  7. Click Save

  8. Click Apply changes

  9. Navigate to Firewall > Aliases

  10. Click +

  11. Set Name to srv_time

  12. Set Content to time1.srv.?.?

  13. Set Description to Local Time Servers (NTP)

  14. Click Save

  15. Click Apply

  16. Navigate to Firewall > Rules > ntp_clients

  17. Click + Add

  18. Set Edit Firewall rule: Protocol to UDP

  19. Set Edit Firewall rule: Destination to srv_time

  20. Set Edit Firewall rule: Destination port range to NTP

  21. Set Edit Firewall rule: Description to Allow Ingress NTP to Time Servers

  22. Click Save

  23. Click Apply changes

Register DNS Service

  1. Navigate to Services > Unbound DNS > Overrides

  2. Click + under Host Overrides

  3. Set Host to ns1

  4. Set Domain to srv.?.?

  5. Set IP to 10.x.30.1

  6. Set Description to Local Name Server (DNS)

  7. Click Save

  8. Click Apply changes

  9. Navigate to Firewall > Aliases

  10. Click +

  11. Set Name to srv_ns

  12. Set Content to ns1.srv.?.?

  13. Set Description to Local Name Servers (DNS)

  14. Click Save

  15. Click Apply

  16. Navigate to Firewall > Rules > dns_clients

  17. Click + Add

  18. Set Edit Firewall rule: Protocol to UDP

  19. Set Edit Firewall rule: Destination to srv_ns

  20. Set Edit Firewall rule: Destination port range to DNS

  21. Set Edit Firewall rule: Description to Allow Ingress DNS to Name Servers

  22. Click Save

  23. Click Apply changes


Common Infrastructure

Configure OOBM Quarantine VLAN

Create the OOBM VLAN

  1. Add VLAN 40 to LAN switch

  2. Navigate to Interfaces > Other Types > VLAN

  3. Click + Add

  4. Set Parent interface to ...[TRUNK#]

  5. Set VLAN tag to 40

  6. Set VLAN priority to Internetwork Control (6)

  7. Set Description to OOBM

  8. Click Save

Configure the OOBM Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(OOBM) and click +

  3. Navigate to Interfaces > [OPT#]

  4. Check General configuration: Enable

  5. Check General configuration: Lock

  6. Set General configuration: Description to OOBM

  7. Check General configuration: Block bogon networks

  8. Set General configuration: IPv4 Configuration Type to Static IPv4

  9. Set Static IPv4 configuration to 10.#.40.1 and select 24

  10. Click Save

  11. Click Apply changes

  12. Navigate to Firewall > Groups

  13. Click the edit icon to the right of local

  14. Add OOBM to Members

  15. Click Save

Configure NTP for OOBM

  1. Navigate to Services > Network Time > General

  2. Add OOBM to Interface(s)

  3. Click Save

  4. Navigate to Firewall > Groups

  5. Click the edit icon to the right of ntp_clients

  6. Add OOBM to Members

  7. Click Save

Configure DNS for OOBM

  1. Navigate to Services > Unbound DNS > General

  2. Add OOBM to Network Interfaces

  3. Click Save

  4. Click Apply changes

  5. Navigate to Firewall > Groups

  6. Click the edit icon to the right of dns_clients

  7. Add OOBM to Members

  8. Click Save

Configure DHCP

  1. Navigate to Services > DHCPv4 > [OOBM]

  2. Check Enable

  3. Set Range to 10.#.40.246 and 10.#.40.254

  4. Set DNS servers to 10.64.30.1

  5. Set Domain name to oobm.?.?

  6. Check Time format change

  7. Click NTP servers: Advanced

  8. Set NTP servers to 10.#.30.1

  9. Click Save


Configure SAN VLAN (Jumbo Frames)

Create the SAN VLAN

  1. Add VLAN 50 to LAN switch

  2. Navigate to Interfaces > Other Types > VLAN

  3. Click + Add

  4. Set Parent interface to ...[TRUNK#]

  5. Set VLAN tag to 50

  6. Set VLAN priority to Background (1, lowest)

  7. Set Description to SAN

  8. Click Save

Configure the SAN Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(SAN) and click +

  3. Navigate to Interfaces > [TRUNK#]

  4. Set General configuration: MTU to 9000

  5. Click Save

  6. Click Apply changes

  7. Navigate to Interfaces > [OPT#]

  8. Check General configuration: Enable

  9. Check General configuration: Lock

  10. Set General configuration: Description to SAN

  11. Check General configuration: Block bogon networks

  12. Set General configuration: IPv4 Configuration Type to Static IPv4

  13. Set General configuration: MTU to 9000

  14. Set Static IPv4 configuration to 10.#.50.1 and select 24

  15. Click Save

  16. Click Apply changes

  17. Navigate to Firewall > Groups

  18. Click the edit icon to the right of local

  19. Add SAN to Members

  20. Click Save

Configure DHCP

  1. Navigate to Services > DHCPv4 > [SAN]

  2. Check Enable

  3. Set Range to 10.#.50.246 and 10.#.50.254

  4. Set Domain name to san.?.?

  5. Set Interface MTU to 9000

  6. Check Time format change

  7. Click Save


Configure IaaS Management VLAN

Create the IAAS VLAN

  1. Add VLAN 60 to LAN switch

  2. Navigate to Interfaces > Other Types > VLAN

  3. Click + Add

  4. Set Parent interface to ...[TRUNK1]

  5. Set VLAN tag to 60

  6. Set VLAN priority to Internetwork Control (6)

  7. Set Description to IAAS

  8. Click Save

Configure the IAAS Interface

  1. Navigate to Interfaces > Assignments

  2. Set New interface: to ...(IAAS) and click +

  3. Navigate to Interfaces > [OPT#]

  4. Check General configuration: Enable

  5. Check General configuration: Lock

  6. Set General configuration: Description to IAAS

  7. Check General configuration: Block bogon networks

  8. Set General configuration: IPv4 Configuration Type to Static IPv4

  9. Set Static IPv4 configuration to 10.#.60.1 and select 24

  10. Click Save

  11. Click Apply changes

  12. Navigate to Firewall > Groups

  13. Click the edit icon to the right of local

  14. Add IAAS to Members

  15. Click Save

Configure NTP for IAAS

  1. Navigate to Services > Network Time > General

  2. Add IAAS to Interface(s)

  3. Click Save

  4. Navigate to Firewall > Groups

  5. Click the edit icon to the right of ntp_clients

  6. Add OOBM to Members

  7. Click Save

Configure DNS for IAAS

  1. Navigate to Services > Unbound DNS > General

  2. Add IAAS to Network Interfaces

  3. Click Save

  4. Click Apply changes

  5. Navigate to Firewall > Groups

  6. Click the edit icon to the right of dns_clients

  7. Add IAAS to Members

  8. Click Save

Configure Internet Access for IAAS

  1. Click the edit icon to the right of wan_clients

  2. Add IAAS to Members

  3. Click Save

Configure DHCP

  1. Navigate to Services > DHCPv4 > [IAAS]

  2. Check Enable

  3. Set Range to 10.#.60.246 and 10.#.60.254

  4. Set DNS servers to 10.#.30.1

  5. Set Domain name to iaas.?.?

  6. Check Time format change

  7. Click NTP servers: Advanced

  8. Set NTP servers to 10.#.30.1

  9. Click Save


Additional Security Measures

Configure Drop List

Configure Spamhaus (E)Drop Firewall Aliases

  1. Navigate to Firewall > Aliases

  2. Click +

  3. Set Name to spamhaus_drop

  4. Set Type to URL Table (IPs)

  5. Set Days to 1

  6. Set Content to https://www.spamhaus.org/drop/drop.txt

  7. Set Description to Spamhaus Drop List

  8. Click Save

  9. Click +

  10. Set Name to spamhaus_edrop

  11. Set Type to URL Table (IPs)

  12. Set Days to 1

  13. Set Content to https://www.spamhaus.org/drop/edrop.txt

  14. Set Description to Spamhaus Extended Drop List

  15. Click Save

Configure GeoIP Drop Firewall Aliases

  1. Click +

  2. Set Name to geoip_drop and IPv4

  3. Set Type to GeoIP

  4. Set Content to unregulated, third world countries; failed states; enemies of democracy; etc. of your choosing

  5. Set Description to GeoIP Drop List

  6. Click Save

Drop List

  1. Click +

  2. Set Name to drop_list

  3. Set Content to spamhaus_drop, spamhaus_edrop and geoip_drop

  4. Set Description to Aggregate Drop List

  5. Click Save

  6. Click Apply

Schedule Alias Updates

  1. Navigate to System > Settings > Cron

  2. Click +

  3. Set Command to Update and reload firewall aliases

  4. Set Description to Refresh Firewall Aliases Daily at Midnight

  5. Click Save

  6. Click Apply

Enforce the Drop List

  1. Navigate to Firewall > Groups

  2. Click + Add

  3. Set Name to drop_list

  4. Set Description to Interfaces that Enforce the Drop List

  5. Set Members to WAN

  6. Click Save

  7. Click Apply changes

  8. Navigate to Firewall > Rules > drop_list

  9. Click + Add

  10. Set Edit Firewall rule: Action to Block

  11. Set Edit Firewall rule: Source to drop_list

  12. Set Edit Firewall rule: Description to Block Ingress from Drop List

  13. Click Save

  14. Click + Add

  15. Set Edit Firewall rule: Action to Block

  16. Set Edit Firewall rule: Direction to Out

  17. Set Edit Firewall rule: Destination to drop_list

  18. Set Edit Firewall rule: Description to Block Egress to Drop List

  19. Click Save

  20. Click Apply changes
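An added example, not from the original post, of what the drop_list alias and its two rules do with the URL Table feeds above: it parses text in the Spamhaus DROP layout (`;` comment lines, `CIDR ; SBL-reference` entries), aggregates two lists the way the nested drop_list alias does, and applies the result to constructed connection events using the same ingress-by-source / egress-by-destination logic as the two block rules. The feed contents, SBL references and events are constructed from RFC 5737 documentation ranges, not real data; the GeoIP member of the alias is left out because it is not a parsable text feed.

```python
from ipaddress import collapse_addresses, ip_address, ip_network

# Constructed samples in the Spamhaus DROP text layout. Prefixes are RFC 5737
# documentation ranges and the SBL ids are placeholders; nothing here is real data.
DROP_SAMPLE = """\
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Fri, 10 Jan 2020 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""
EDROP_SAMPLE = """\
; Spamhaus EDROP List (constructed sample, not real data)
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text: str) -> dict:
    """Return {network: sbl_reference}. Comments and blank lines are skipped; a
    malformed entry raises rather than being silently imported into a block rule."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ip_network(cidr.strip(), strict=True)  # host bits must be zero
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {line!r}: {exc}") from exc
        entries[net] = ref.strip() or None
    return entries


def aggregate(*parsed_lists) -> list:
    """Union of several parsed feeds, collapsed like the nested drop_list alias."""
    nets = [net for lst in parsed_lists for net in lst]
    return list(collapse_addresses(nets))


def lookup(nets, addr: str):
    """The listed network containing addr, or None."""
    ip = ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


# Constructed connection events as the WAN rules would see them: direction 'in'
# is matched on the source (Block Ingress from Drop List), direction 'out' on the
# destination (Block Egress to Drop List). 10.5.x.x follows the site schema.
SAMPLE_EVENTS = [
    {"dir": "in",  "src": "192.0.2.77",   "dst": "10.5.30.1"},
    {"dir": "out", "src": "10.5.20.15",   "dst": "203.0.113.9"},
    {"dir": "in",  "src": "198.51.100.5", "dst": "10.5.30.1"},  # /25 starts at .128
    {"dir": "out", "src": "10.5.20.15",   "dst": "9.9.9.9"},
]


def evaluate(events, nets) -> list:
    """(event, matched_network) for every event the two block rules would drop."""
    hits = []
    for ev in events:
        key = "src" if ev["dir"] == "in" else "dst"
        net = lookup(nets, ev[key])
        if net is not None:
            hits.append((ev, net))
    return hits


if __name__ == "__main__":
    nets = aggregate(parse_drop(DROP_SAMPLE), parse_drop(EDROP_SAMPLE))
    print("aggregate drop_list:", [str(n) for n in nets])
    for ev, net in evaluate(SAMPLE_EVENTS, nets):
        print(f"block {ev['dir']:3} {ev['src']} -> {ev['dst']} (matched {net})")
```

The strict parse is the part worth keeping: a feed line with host bits set or stray text would otherwise either be dropped or widen the block unexpectedly, and with a daily cron refresh you want a bad fetch to fail loudly rather than replace the alias with garbage.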


Configure Antivirus

NOTE: ClamAV currently fails to run. It starts but fails after a few minutes without leaving any reason in the logs. My advice is to configure it as below, and then disable it. Try it again after an update to see if they fix it.

Install ClamAV

  1. Navigate to System > Firmware > Plugins

  2. Click + to the right of os-clamav

  3. Wait for ClamAV to install

  4. Refresh the browser window

Configure ClamAV

  1. Navigate to Services > ClamAV > Configuration

  2. Click Download signatures

  3. Wait for signatures to download

  4. Check Enable clamd service

  5. Check Enable freshclam service

  6. Check Add Malware Expert Signatures

  7. Check Add BLURL Signatures

  8. Check Add JURLBLA Signatures

  9. Check Add BOFHLand Signatures

  10. Click Save


Configure IDS

  1. Navigate to Services > Intrusion Detection > Administration

  2. Check Enabled

  3. Check Enable syslog alerts

  4. Click advanced mode

  5. Set Home networks to 10.x.0.0/16

  6. Click Apply

  7. Navigate to the Download tab

  8. Click Download & Update Rules

  9. Wait for download to finish

  10. Check the box to the left of Description to select all rulesets

  11. Click Enable selected

  12. Navigate to the Schedule tab

  13. Check enabled

  14. Set Description to Update IDS Rules Daily at Midnight

  15. Click Save


Basic Monitoring and Alerts

Hardware

Install Plugins

  1. Navigate to System > Firmware > Plugins

  2. Click + to the right of os-dmidecode

  3. Wait for dmidecode to install

  4. Navigate to System > Firmware > Plugins

  5. Click + to the right of os-smart

  6. Wait for smart to install


Packet Inspection

Configure Netflow for Reporting Insights

  1. Navigate to Reporting > NetFlow

  2. Set Listening interfaces to ADMIN, IAAS, SRV and WAN (or whatever you’d like)

  3. Check Capture local

  4. Click Apply

  5. Navigate to Reporting > Insight

  6. Check Reverse lookup


Email Alerts

Configure E-mail Alerts via Monit

  1. Navigate to Services > Monit > Settings

  2. Check Enable monit

  3. Set Mail Server, Mail Server Port, Username and Password according to your e-mail provider’s specifications

  4. Check Secure Connection

  5. Click Save

  6. Click Apply changes (repeat until it goes away)

  7. Click the Alert Settings tab

  8. Click the edit icon to the right of [email protected]

  9. Click Enable alert

  10. Set Recipient to your email address

  11. Set Events to Checksum failed, Connection failed, Content failed, Data access error, Execution failed, Filesystem flags failed, GID failed, Ping failed, Monit instance changed, Invalid type, Does not exist, Permission failed, PID failed, PPID failed, Resource limit matched, Size failed, Status failed, Timeout, Timestamp failed, UID failed and Uptime failed

  12. Set Description to General Alerts

  13. Click Apply changes


Netdata

Configure Netdata

  1. Navigate to System > Firmware > Plugins

  2. Click + to the right of os-netdata

  3. Wait for netdata to

  4. Refresh the browser

  5. Navigate to Services > Netdata > General

  6. Check Enable

  7. Set Listen Address to 10.x.10.1

  8. Click Save

  9. Navigate to Firewall > Rules > gw_admins

  10. Click + Add

  11. Set Edit Firewall rule: Protocol to TCP

  12. Set Edit Firewall rule: Destination to This Firewall

  13. Set Edit Firewall rule: Destination port range to (other)

  14. Set Edit Firewall rule: Destination port range: from: to 19999

  15. Set Edit Firewall rule: Description to Pass Netdata to this Gateway

  16. Click Save

  17. Click Apply changes
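Netdata's dashboard has no login of its own, so the only things standing between it and every host on the network are the listen address set above and this single pass rule on gw_admins. As an added example (not from the original post and not part of OPNsense), the script below parses an OPNsense config.xml backup (System > Configuration > Backups), lists every enabled pass rule that reaches tcp/19999, and flags any rule whose destination is not This Firewall or which sits on an interface other than gw_admins. The tag layout it reads (interface keys such as wan/opt1, `<protocol>`, `<destination><network>(self)</network>` for "This Firewall") is my reading of how OPNsense stores rules, not something the post states; the config excerpt is constructed, with opt1 standing in for gw_admins and a deliberately bad second rule for the audit to catch.

```python
"""Audit an OPNsense config.xml backup for how Netdata (tcp/19999) is exposed.

Added example, not part of the original post or of OPNsense itself. It assumes
the <filter><rule> layout OPNsense writes (interface keys such as wan/opt1,
<protocol>, <destination><network>(self)</network><port>), which is how the
GUI's "This Firewall" destination is stored.
"""
import xml.etree.ElementTree as ET

NETDATA_PORT = "19999"

# Constructed config excerpt (not a real backup). 'opt1' stands in for the
# gw_admins interface from the post; the second rule is the mistake we want
# the audit to catch.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <opt1><if>igb1_vlan20</if><descr>gw_admins</descr></opt1>
    <opt2><if>igb1_vlan100</if><descr>gw_clients</descr></opt2>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>(self)</network><port>19999</port></destination>
      <descr>Pass Netdata to this Gateway</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><any>1</any><port>19999</port></destination>
      <descr>Netdata reachable from anywhere</descr>
    </rule>
  </filter>
</opnsense>
"""


def interface_labels(root):
    """Map OPNsense interface keys (wan, lan, optN) to the labels shown in the GUI."""
    labels = {}
    interfaces = root.find("interfaces")
    if interfaces is not None:
        for node in interfaces:
            labels[node.tag] = node.findtext("descr") or node.tag.upper()
    return labels


def port_matches(port_field, port):
    """True if a rule's <port> (single value or 'from-to' range) covers `port`."""
    if not port_field:
        return False
    lo, _, hi = port_field.partition("-")
    try:
        return int(lo) <= int(port) <= int(hi or lo)
    except ValueError:
        return port_field == port  # port alias: only a literal match is knowable


def audit_netdata_exposure(xml_text, admin_ifaces=("gw_admins",), port=NETDATA_PORT):
    """Return one finding per enabled pass rule that opens `port`.

    A rule is clean only if its destination is This Firewall ("(self)") and it
    sits on an interface in `admin_ifaces`; anything else is listed as a problem.
    """
    root = ET.fromstring(xml_text)
    labels = interface_labels(root)
    findings = []
    for rule in root.iterfind("./filter/rule"):
        dest = rule.find("destination")
        if dest is None or not port_matches(dest.findtext("port"), port):
            continue
        if (rule.findtext("type") or "pass") != "pass" or rule.find("disabled") is not None:
            continue  # block/reject rules and disabled rules do not expose anything
        # OPNsense stores multi-interface rules as a comma-separated list.
        for key in (rule.findtext("interface") or "").split(","):
            label = labels.get(key, key)
            problems = []
            if dest.findtext("network") != "(self)":
                problems.append("destination is not This Firewall")
            if label not in admin_ifaces:
                problems.append(f"rule is on {label}, not an admin interface")
            findings.append({"interface": label, "descr": rule.findtext("descr") or "",
                             "problems": problems})
    if not findings:
        findings.append({"interface": None, "descr": "",
                         "problems": [f"no enabled pass rule for tcp/{port} found"]})
    return findings


if __name__ == "__main__":
    for f in audit_netdata_exposure(SAMPLE_CONFIG):
        status = "OK " if not f["problems"] else "BAD"
        print(f"{status} {f['interface']}: {f['descr']}  {'; '.join(f['problems'])}")
```

Run it against a downloaded backup with `audit_netdata_exposure(open("config.xml").read())`; if your admin interface carries a different label, pass it in `admin_ifaces`. A finding with an empty problems list is the rule this procedure creates; anything else means Netdata is reachable from somewhere it should not be.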



January 2020 Update

GeoIP now requires a MaxMind account. Follow this procedure when using GeoIP:

Cached 2020/01/10

MaxMind GeoIP’s Setup

With the changes MaxMind have implemented, it is now a requirement that anyone using their lists must have an account, and by having that account they will have accepted MaxMind's data protection requirements. It’s fairly simple to set up, so let’s get started.

Create An Account

Go to https://www.maxmind.com/en/geolite2/signup and create your account. Note that the email address you provide will be used to send you the link you will need to enter in OPNsense, so make sure it’s a real account.

Generate License Key

Once you have created an account you’ll need to create a license key. Click the “My License Key” link and generate a key. Save the key ID somewhere safe!!!

You do not need to download the config at this point.

Create Link

Now we need to create the link we’ll use in OPNsense. All you need to do is replace the ‘My_License_key’ part of the link below with your license key.

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip

You can check that you have done it correctly by pasting the link into a browser; it should download the zip file.

OPNsense

In OPNsense, go to Firewall: Aliases and select the GeoIP settings tab. Enter the URL you have created into the URL box and click Apply, and that’s it.


10 Likes

Dude, this is way too organized for a forum post. … You make us others look bad.
Stop that! :smiley:

That OPNsense web-UI looks nice, I have to say.
I had PFSense for a while, these days I am running IPFire on my dinky little Ryzen 3 1200. Do you have experience with one or even both of those and could you give a short comparison? Why choose one over the other?

2 Likes

This post is what initially turned me onto OPNsense. It goes into a lot of details.

I’ve never used IPFire, but I do use Ubiquiti EdgeMax routers which are also Debian-based. My ideal config is an OPNsense gateway in front of an Edgerouter. The topology looks like this, but split between them with a DMZ in the middle.

Coming from CCNA world, configuring the Edgerouter is a little more familiar to me. It feels like a router where *sense feels like a firewall. Additionally, Edgerouters do not have speculative execution vulnerabilities, so it is nice to have them somewhere between important stuff and the outside world. That said, the gateway capabilities are not as robust as either *senses.

4 Likes

Hi! Sorry for necroposting. Just making sure this is still relatively up to date? I just started to poke on OPNsense for my homelab (not an IT person, just an enthusiast) and I am wondering if this is still up to date/best practice.

Thanks!

2 Likes

@PhaseLockedLoop are you using OPNsense? I know a couple people here are but I don’t remember who.

I switched to vanilla OpenBSD for my gateway/routing.

4 Likes

I seem to recall PLL using it. I just switched from pfSense with no particular reason (it was working ok). So I gather some of this guide is no longer up to date?

1 Like

I would be surprised if all of it is up to date but also surprised if most of it isn’t still applicable.

2 Likes

I do use opnsense

It’s since debased to FreeBSD and there is no longer a LibreSSL variant. Which makes it very close to pfSense. I still like OPNsense but now my motivation to stick to it is lower as a result. What’s needed? What’s up?

1 Like

Oh wow, that was kind of the whole point

2 Likes

Wait, I can still switch to LibreSSL and stuff seems to be working

Can confirm it is FreeBSD

> https://pkg.opnsense.org/FreeBSD:13:amd64/22.1

Hmm wondering if I should try VyOS

2 Likes

VyOS is my favorite routing platform, but lacks some of the power of pf for firewall. There was a time when I was running a Ubiquiti router (which runs a downstream derivative of VyOS) while using OPNsense as a transparent filtering bridge to get best of both worlds.

I ultimately abandoned OPNsense and PFsense because they can only be configured manually with the GUI.

3 Likes

I find GUI to be acceptable, surprisingly more on the pfsense side. Looks like I’ll just go back to pfSense for now because mostly I’ve already set a lot of things there to my preference and refiguring out things on OPNsense seems to be wasting time.

Thank you for the heads up.

2 Likes

I gave up on pfsense/opnsense, mostly because of all the hand-holding that they are doing. If I want to break my firewall rules and lock myself out of it, let me do it.

3 Likes

At some point, I’ll post an OpenBSD gateway guide and you all will wonder why you ever tolerated logging into a web GUI to configure anything.

1 Like

I don’t really work in tech so I need all the hand-holdy things pf- and OPNsense provide. I have my own family now so I don’t have the time to fully explore computer and infotech things that interest me. These days I’m in the “it works good enough for me” camp.


@oO.o Do it!

I only have a small appliance box so it’s going to have to be in the form of serial console for me. While CLI is cooler and has a hackery kind of sex appeal (whatever that means), I tend to explore and understand more on the GUI side. I’ve come to appreciate the inline help that OPNsense provides.

2 Likes

I was mostly jk. My main issue with *sense is that it just doesn’t scale. At some point, as Wendell has pointed out many times, you need to think of your equipment as cattle instead of pets. *sense can only ever be a pet. You cannot mass-deploy/configure/maintain it. To do pretty much anything, a skilled human being needs to log into it and leverage some high level big brain decision making. At scale, that is monumentally expensive and unacceptable.

2 Likes

Right holy crap that’s something I’ve noticed. I wish they would fix this :confused:

1 Like

Ehh not fully. Opnsense also streamlined their code base. They just cleaned and hardened freebsd. The base allows great software support

1 Like

I guess I should be thankful I am not a computer janitor of sorts :sweat_smile:.

Thank you for the valuable insights.

2 Likes