OPNsense

Open Source FreeBSD based Firewall

Setup & Installation


Hardware Requirements

At the minimum, your host machine for OPNsense should have the following:

Additionally, your host machine needs at least 2 RJ45 ports, 1 for your WAN connection and 1 for your LAN connection. My OptiPlex only had 1 RJ45 port, so I purchased an Intel I350-T4 NIC and installed it onto the motherboard, which gave me 4 RJ45 gigabit ports. More information about that can be found here.


Installation

Installing OPNsense onto hardware is quite easy and straightforward. Download the ISO from the official website, opnsense.org, and create a bootable drive. You can use Rufus, balenaEtcher, or any other software to burn the ISO onto the drive. I used Ventoy, as it allows you to store several ISOs on a single drive, which is much easier than repeating that process for every operating system.

Connect your modem to an RJ45 port of the host machine, and then connect either your router or laptop to another RJ45 port of the machine. A couple things to make sure you do...

With everything set up, boot your machine and select the boot drive which has your OPNsense ISO on it.

OPNsense will run through its initial configuration. To install the operating system, log in with the following credentials:

Username: installer

Password: opnsense

If installed correctly, the Web GUI should be available at the IP address shown in the terminal console. For my machine, the Web GUI is available at 192.168.1.1.

Check out the "Configurations" Chapter to view the dashboard and available configurations!



Initial Configurations


Web GUI

After installation, a message will appear stating the Web GUI is available at XXXX.XXXX.XXXX.XXXX

My Web GUI is at 192.168.1.1.

Login Page


Log in as root, with the password you set during installation. Once you go through the initial setup wizard, your dashboard will show up. You can configure widgets on your dashboard however you'd like to view your most important network statistics!

I currently have OPNsense's IDS/IPS running alongside ZenArmor's NGFW, which shows me using 72% of my 8 GB of RAM. Without those 2 services, RAM usage on an 8 GB machine should be less than 30%.



Interfaces

OPNsense allows you to set up interfaces, which can be used to create separate networks. I set up 2 interfaces so that my homelab operates on one and all other devices (including my roommates') operate on the other. The interface assignments are as follows:


Here, you can see the devices (ports) and the interfaces you've assigned. 

You can reassign these ports in the Interfaces --> Assignments tab, should you happen to change anything in the future. 

Interface Configurations

After making the physical connections and assigning an interface to each port, you'll have to enable the interface. Navigate in the sidebar to Interfaces --> OPT1. Enable the interface and give it a name in the description field.


Next, assign your interface a static IPv4 address, and select "24" as the prefix length so the interface owns the full range of associated addresses. I've given my homeLAB interface a static IP of 192.168.2.1/24.


After saving, you'll need to first apply the changes and then adjust your DHCP server range. To do this, navigate to Services --> ISC DHCPv4 --> homeLAB (or whatever you named your new LAN). Enable the DHCP server on the interface, and then designate a range of addresses within the available range.


Save your changes and apply them if needed. To confirm you've configured everything properly, navigate to Services --> ISC DHCPv4 --> Leases and filter for your interface (homeLAB, in my case). Here, you'll find the active devices on your interface. In my case, my homeLAB interface goes through a NETGEAR switch which is connected to my Dell PowerEdge server:


To further test it, I'll check if I can access my switch's Web GUI:

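The DHCP range step above is where a typo quietly breaks a new interface: a pool that spills outside the subnet, or that includes the gateway address, either fails to save or hands out addresses that never route. The following is an added example (not part of the original page or of OPNsense) that performs the checks a practitioner would want before saving the ISC DHCPv4 settings; the interface address 192.168.2.1/24 is the author's, and the pool 192.168.2.100 to 192.168.2.200 is a constructed value.

```python
import ipaddress

# Constructed values mirroring the page: the homeLAB interface at
# 192.168.2.1/24 and a DHCP pool chosen inside that subnet.
HOMELAB_INTERFACE = "192.168.2.1/24"
HOMELAB_POOL = ("192.168.2.100", "192.168.2.200")


def check_dhcp_range(interface_cidr, pool_from, pool_to):
    """Validate a DHCP pool against its interface address.

    Returns (ok, problems, usable_leases). The pool must lie inside the
    interface subnet, must not hand out the network, broadcast or the
    interface's own (gateway) address, and must run low to high.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_from)
    end = ipaddress.ip_address(pool_to)
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
    if not problems:
        if start <= iface.ip <= end:
            problems.append(f"pool includes the interface address {iface.ip}")
        if start == net.network_address:
            problems.append(f"pool starts at the network address {start}")
        if end == net.broadcast_address:
            problems.append(f"pool ends at the broadcast address {end}")
    usable = 0 if problems else int(end) - int(start) + 1
    return not problems, problems, usable


if __name__ == "__main__":
    ok, problems, usable = check_dhcp_range(HOMELAB_INTERFACE, *HOMELAB_POOL)
    print("valid" if ok else "invalid", usable, "leases", problems)
```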


You can view all interface information in the Overview tab of the Interfaces section. With everything configured, it should look similar to what's below:


(Screenshot: Interfaces overview)


Firewall Configurations


Firewall Rules

Rules can be configured for each interface by navigating to Firewall --> Rules --> (selected interface) in your GUI. By default, OPNsense generates a set of rules for each of your interfaces. You can clone, edit, delete, and rearrange the order of rules as desired. Here's an example of what my WAN rules look like:


These are just a couple of the 24 rules that were generated. As of now, the only rules I've configured are for my LAN and homeLAB. I plan to host my NAS service with TrueNAS and am waiting on some SSDs to come in. Once I get it up and running, I'll update this page with rules accordingly.
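Rearranging rules is not cosmetic: OPNsense evaluates an interface's rules top to bottom, and with the default "quick" setting the first match decides. The following is an added example (not part of the original page or of OPNsense) with a constructed rule set for the homeLAB interface; it shows that moving a catch-all pass rule above a block rule changes the verdict for the same packet, which is the kind of regression to watch for after reordering.

```python
import ipaddress

# Constructed rule set for the homeLAB interface, not exported from the
# author's firewall. Rules are assumed to be "quick" (the OPNsense default),
# so the first matching rule on the interface decides and anything that
# matches no rule hits the implicit default deny.
HOMELAB_RULES = [
    {"action": "pass", "proto": "any", "src": "192.168.2.0/24",
     "dst": "192.168.2.1/32", "dport": None, "descr": "homeLAB to firewall"},
    {"action": "block", "proto": "any", "src": "192.168.2.0/24",
     "dst": "192.168.1.0/24", "dport": None, "descr": "homeLAB to LAN"},
    {"action": "pass", "proto": "any", "src": "192.168.2.0/24",
     "dst": "0.0.0.0/0", "dport": None, "descr": "homeLAB to any"},
]


def rule_matches(rule, proto, src, dst, dport):
    """True when a packet's protocol, addresses and port fit the rule."""
    if rule["proto"] not in ("any", proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    return rule["dport"] in (None, dport)


def evaluate(rules, proto, src, dst, dport=None):
    """Walk the interface's rules top to bottom; the first match wins.

    Returns (action, rule_index, description); index None means no rule
    matched and the implicit default deny applied.
    """
    for index, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, dport):
            return rule["action"], index, rule["descr"]
    return "block", None, "implicit default deny"


if __name__ == "__main__":
    # Same packet, two orderings: moving the catch-all pass above the block
    # rule silently opens homeLAB to the LAN.
    print(evaluate(HOMELAB_RULES, "tcp", "192.168.2.50", "192.168.1.20", 445))
    reordered = [HOMELAB_RULES[2], HOMELAB_RULES[1], HOMELAB_RULES[0]]
    print(evaluate(reordered, "tcp", "192.168.2.50", "192.168.1.20", 445))
```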


Network Address Translation (NAT)

Another tab within the Firewall section is NAT, which allows you to configure and set up port forwarding. I'll most likely be using this more when I set up my NAS later this week. 

In addition to port forwarding, you can configure One-to-One NAT, Outbound NAT, and NPTv6 rules:

One-to-One


Outbound


NPTv6


Current Results


Dashboards & Reporting


ACME Certificate for Web GUI


Install

To set up a certificate with ACME, there are several steps involved. First, you'll need to install the ACME client plug-in (System --> Firmware --> Plug-ins).