Messages

16

Troubleshooting / Re: [OPNsense] Need help reaching my DMZ servers from the internet (DynDNS domain)

« on: September 28, 2021, 09:45:18 AM »

The main difference between associated an unassociated rules is when you make changes to the NAT port forward rule, it will be reflected in the associated rule. The unassociated rules won't get updated. You have to delete them to recreate them. I don't think there is a bug with how that works since it was intentionally designed that way for different purposes. I'm not quite sure when you would want an unassociated rule unless maybe you are worried someone will change the NAT port forward rule. However, if you did make changes and didn't realize you had an unassociated rule, it might make troubleshooting the rules more difficult.

Are your 2 private networks connected to the same OPNsense box or is one network on the ISP router and the other is on the OPNsense router? If they are on 2 separate routers, you should be able to create NAT port forward rules similar to if the WAN was connected directly to the Internet. This of course requires you uncheck blocking of private networks/bogons on the WAN interface (although I'm not sure if unchecking bogons is critical unless you are planning to use those specially reserved IP address ranges in your internal networks).

17

Troubleshooting / Re: Purpose of VLANs in OPNSense

« on: September 10, 2021, 09:17:15 AM »

VLANs are a way to logically divide up your network into separate smaller networks. It is useful when you want to put restrictions between devices on both networks. So you can keep your employees or guests in your house on a separate network so they can't access more critical parts of the network. VLANs can be used to improve security but by itself, it doesn't improve security. You have to have the proper firewall rules in place. VLANs + firewall rules provides you with improved security.

VLANs are not required to use but are commonly used because it saves money (it saves physical rack space, hardware costs, electricity, etc). You can accomplish the same thing without VLANs but you would need to have a separate network switch for each separate network. That is how they could separate networks before VLAN technology existed. They would use separate routers/switches to create physically separate networks.

VLANs allow you to be more efficient with your hardware. You only need 1 switch (but you can have more if you need more ports or if you want some PoE ports you can save money and buy a switch with fewer ports). You can create several networks using one router and one network switch. It will appear as though they are separate physical networks but they in fact are not on physically separate hardware. Another benefit of VLANs is you don't have to physically have every device that's on the same network plugged into the same switch. This can cause problems if you have switches in different locations in your office or home since you have to make sure the device is plugged into the proper switch. If you want to switch networks, you have to physically move the Ethernet cable. With VLANs, you can simply change which network a device belongs to by changing it on the switch itself without needing to move any cables. So you can reconfigure your network very easily with VLANs since there in increased flexibility.

If you have multiple interfaces, you could plug a small unmanaged switch (which is cheaper) in each port and have separate networks without VLANs or you could use 1 (or more) interfaces with 1 bigger network switch (depending on how many devices you want to connect) that supports VLANs and you can create 1 or more VLANs to start separating your traffic. VLANs add a little more configuration in OPNsense but it's not a lot different than setting up the physical interfaces. You just have an extra step of creating your VLAN tag(s) and then you assign the VLANs to a physical LAN interface. You will have extra configuration for your network switch. You create the same VLANs in your network switch (making sure that the port that connects to the router from your switch is set to TRUNK or allows all VLAN tags to pass through -- different switches have slightly different terminology but the concept is the same).

It sounds like your firewall is allowing all connections for all of your interfaces. If you want your traffic to be isolated, you will need to add rules to block traffic between the interfaces while still allowing traffic to the Internet (unless you want an offline network which is handy for security cameras for instance if you worry about being exposed to the Internet).

18

Tech Discussions / Re: Firewall rules - OPNsense Firewall Rule "Cheat Sheet"

« on: September 07, 2021, 09:56:02 AM »

The problem is that the "WAN net" alias does not mean "allow access to the Internet". The Internet essentially consists of all non-private IP addresses (except for a few other specially reserved IP ranges). Your external WAN address is only on 1 network out of billions/trillions on the Internet. That's why when you create rules you essentially need a "allow all" rule near the bottom of your rules which basically is like "allow all other" as in allow all other traffic out to the Internet (and other internal networks if you do not have any blocks in place).

So on the NA interface, you could have something like:

Block NA net to NB net
Allow NA net to any HTTP/HTTPS

19

Troubleshooting / Re: Opnsense content filtering

« on: September 07, 2021, 09:47:17 AM »

Thanks for reporting back! I haven't tried to mess with web proxies especially since it seems like it works best for unencrypted traffic which isn't helpful most of the time since most everything is encrypted. I use Sensei also and it works well especially after they fixed a lot of the netmap issues that caused problems early on (at least with my hardware). I like being able to look at my traffic aggregated and broken down as well as block certain traffic.

20

Proposed Network Designs / Re: Learning Networking by Mucking at Home

« on: September 03, 2021, 10:19:21 PM »

Thanks for providing your proposed network diagram. That helps me visualize what you are trying to do.

I notice that for each “segment” (network) you are creating, you are placing a router in front of it. While that can work to provide each network some access to the other networks where you are plugged into, you don’t have to use that approach. It complicates the access between the different networks. It may even require static routes on your routers so traffic can be routed properly between all the networks if you wish to access other devices.

A simpler approach would be to put your ISP modem/router into bridge mode, run a router such as OPNsense (which in write about often) and then create all your networks using your OPNsense router. Since everything is connected to one router, you can manage all the access/firewall rules from a single router (instead of having 3-4 routers). For wireless, you could connect one of your existing routers and put it in AP mode so you can only use its wireless functionality (or your could buy dedicated wireless access points which gives you more freedom where to place it).

If you want to try to make your network function with the hardware you have, you may end up having to use separate routers with separate networks since you don’t have equipment to utilize VLANs or a single router like OPNsense. It may require setting up static routes, and I don’t know if your routers provide many settings for establishing firewall rules to keep your networks separated and protected while also allowing specific access to various services you have hosted on your network.

21

Other Random Things / Re: Newbie Q -How to use OPNs to find IP address of divices

« on: September 03, 2021, 09:59:54 PM »

You’re welcome. I had mine turned off for a while so it doesn’t spam the firewall logs. I have it on now and where possible, I tried to update many of my rules to use IPv4+IPv6 so the rule will apply to both protocols because I want essentially the same firewall restrictions for both protocols. It doesn’t always work out perfectly because some of my aliases refer to IPv4 only networks or IP addresses so it wouldn’t apply to IPv6. However the broader rules which use the predefined network interface addresses should work for both protocols since OPNsense knows both addresses on the interface/network.

22

Proposed Network Designs / Re: Half done - half hoped for - running into issues

« on: September 03, 2021, 09:55:26 PM »

I wrote about firewall aliases so when you want to dive deeper, you could check it out.

As for testing if you can connect to your other devices to ensure everything is blocked, you could trying pinging them from the console/command prompt. Type:

ping 192.168.1.50

Using the IP addresses of your machines (or hostnames). If they are on the same network or your firewall rules aren’t blocking the device, you’ll get a response back. So if you know the device is on the same network, getting a response is ok. If it’s not on the same network, you shouldn’t get one back.

If you have any services running on your systems like a web server, you could try accessing those as well to see if you can get a connection. It depends on what you have running on your network. If you can’t access something that’s on another network (like a printer, file sharing/sync server, Apple TV, Roku, Xbox, PlayStation, etc.), then your rules are blocking properly.

You can also check the live firewall logs to see if your rules are blocking any network traffic. That might be the easiest way but you have to be a little familiar and comfortable with the live firewall log. You can filter the log to just the one network or device you are trying to access so you don’t get flooded with as many log entries. It’s hard to see what’s going on if you have a lot of network activity and you don’t filter it.

23

How-to Discussions / Re: Configure intrusion detection in OPNsense article

« on: August 31, 2021, 09:39:16 PM »

It's ok if you want intrusion detection on the LAN instead of the WAN but you have to make sure you don't select the VLANs instead of the physical LAN interface(s) since it will mess up your VLANs. But if you want to put it on the WAN and use Sensei on the LAN, that will work too. I like the graphs and charts and other information that Sensei provides. It does things that intrusion detection doesn't do, but I think they can complement each other. I don't have a guide on how to set up Sensei since the documentation on Sensei's website is pretty straightforward but I did do a comparison between the home and free versions.

That "Administration Rules" page lists all of the rules you have downloaded. Those are not the rules which have been triggered on your network. It shows the default action of allow, block, or disabled. You have to go to the "Administration Alerts" page to see what has been blocked on your network. You also need to make sure you have "IPS Mode" checked on the "Administration Settings" page.

24

Other Random Things / Re: Newbie Q -How to use OPNs to find IP address of divices

« on: August 31, 2021, 05:27:43 PM »

You can disable IPv6 entirely by going to the "Firewall > Settings > Advanced" page. It's the first option.

Devices/software will only prefer IPv6 if it's enabled on your network since it cannot communicate via IPv6 if it's disabled.

25

Proposed Network Designs / Re: Half done - half hoped for - running into issues

« on: August 31, 2021, 05:24:47 PM »

An Ethernet drop is just what they call running an Ethernet cable down through walls (the cable is "dropped" down the wall).

If you don't feel comfortable with creating aliases, you could create 2 block rules for the em2 interface to block access to the em1 and em3 interfaces and put them before the allow all rule. So the rules for em2 could be:

(replace em1, em2, em3 with the names you use in OPNsense for those interfaces)

Interface: em2
Action: Block
Source: em2 net
Destination: em1 net

Interface: em2
Action: Block
Source: em2 net
Destination: em3 net

Interface: em2
Action: Allow
Source: em2 net
Destination: any

Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

26

Other Random Things / Re: Newbie Q -How to use OPNs to find IP address of divices

« on: August 30, 2021, 02:16:02 PM »

Sure!

IP addresses are assigned to every device on the network including routers and network switches.

A subnet is a network which has one more devices. The modern notation used for IPv4 networks is called CIDR (instead of using Class A, B, or C networks). For home networks it is common to use the 192.168.x.x addresses so a subnet could be defined as 192.168.0.0/24 or 192.168.1.0/24, etc. The /24 indicates that the last digit can be used for device addresses so for 192.168.0.0/24, you can have devices assigned to 192.168.0.1-192.168.0.254 (.0 and .255 are reserved for special use such as network broadcasts).

In OPNsense, you will see 2 gateways by default if IPv6 is enabled. One gateway on the WAN is used for IPv4 and the other is IPv6. IPv6 is the new protocol for IP addresses that allows for a much greater amount of IP addresses than IPv4. It is ok to have both enabled. Sometimes devices/software will prefer to use the newer IPv6 protocol if it's enabled. You have to keep that in mind when creating firewall rules. If you want to restrict the traffic for both IPv4 and IPv6 network traffic, you need to apply the rules to both protocols.

If you wish to see the names of the devices, you need to set the option to "register DHCP leases" and "register DHCP static mappings" on the "Services > Unbound DNS > General" page. This doesn't always guarantee you will see the hostname. I've had some devices not show up but most do. If you really want everything named better, you could create a static DHCP mapping for a device (once you have identified it) and you can set an IP address (outside of your DHCP IP address range you have set for the network) and a hostname. Sometimes the manufacturer will show up below the MAC address which could possibly help identify devices. Most devices provide a way for you to view the IP address (and sometimes the MAC address). That will help you find out which device has which IP address.

Please let me know if this info helps and if you have more questions!

27

How-to Discussions / Re: Configure intrusion detection in OPNsense article

« on: August 30, 2021, 12:02:32 PM »

Yes, this is a subjective topic. However, what I have done to keep things simple is just select the rulesets that I wish to use and put them all in one policy. Since I am just setting all the rules which are enabled to "block", I do not really see a need to group them in separate policies since I don't make use of a lot of the filters. If I had more time, I could start to filter on the rules I'm most interested in using within each ruleset using the filters in the policy, but it's easier to just blanket it all in one policy for a home network. It doesn't seem to impact my network performance (especially since I'm just using it on the WAN, and I have less than 1 Gbit downstream). In the past before the policies were a feature, I manually searched for hardware/software products I didn't have on my network and disabled those rules to minimize the amount of rules that are active for performance, but I haven't noticed any issues just leaving them all enabled for the rulesets I have selected. I don't have every ruleset selected but I have a lot of them selected. I don't run it on extremely fast hardware, but it works very well especially considering I'm also running Sensei on my LAN interfaces.

If guessing makes you nervous, you could just try it out and then disable it if it is causing issues. In my experience, you may encounter more issues running it on the LAN rather than the WAN because it could end up blocking services you are trying to use (which isn't malware). You also have to make sure you turn on Promiscuous Mode and only select the physical LAN interface(s) if you plan to use it on the LAN because you will end up blocking access to all of your VLANs. That is the biggest issue you have to worry about (as far as I know). I've seen intrusion detection described as a "not fire and forget" solution because it requires monitoring and tweaking in order for it to be of the most benefit. I don't monitor mine as well as I should. Since I also have Sensei running, I have other protections in place (along with firewall rules, etc).

28

Proposed Network Designs / Re: Half done - half hoped for - running into issues

« on: August 30, 2021, 11:52:40 AM »

Glad you found my site useful and a safe place for newbies!

Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

Using a separate interface on the OPNsense box for each switch (like you are doing) is a better approach than chaining a bunch of switches. Chaining a bunch of switches introduces extra points of failure (if one switch dies) and could negatively affect performance. For a home network, if you have to chain a few switches in a few locations where it may be hard to run extra Ethernet drops, performance likely won't be terrible unless you are doing lots of high bandwidth file transfers at the same time, for example. I know some people may get upset if you chain switches, but sometimes it's just more convenient in a small home network (if it is found later that performance is an issue, then perhaps it would be worth the effort to run some extra Ethernet drops).

You mentioned wanting to use VLANs for improved security. If each of your rooms needs to be in a separate network, you don't necessarily need to use VLANs. Since they are on separate physical interfaces, you can simply keep the network traffic separated via appropriate firewall rules. If you want some devices in each room to be on the same network as devices in another room, then you could make use of VLANs to create a virtual network so the devices appear to be on the same network even though they may not be physically connected to the same switch.

With that said, for the em2 interface you mentioned there are no firewall rules on that interface. By default, any new interfaces (including VLANs) have no firewall rules. When there are no firewall rules, it means all traffic will be blocked. You need to add rules to allow network traffic. You will notice that the LAN has a default "allow all" rule which allows access to all networks and the Internet. If you want to isolate different networks, you need to modify the rules to allow access to the Internet but not other networks (unless you want them to have access to a local server, etc).

For testing purposes, you could mimic that allow all rule in your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be more simple but if you plan to setup VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

29

Success Stories / Re: Thanks for the ToDo'S

« on: August 30, 2021, 11:22:54 AM »

I'm glad you found my site useful in helping you set up OPNsense for a small business! Also thanks for the tips for people using that particular hardware.

30

Tech Discussions / Re: Opnsense + sensei vs untangle

« on: August 30, 2021, 11:17:31 AM »

I replied to this same question in the Disqus comments for Sensei, but for reference for others browsing the forum, here is what I wrote:

I’ve seen mentions of Untangle in some firewall discussions and also heard about it some on a Podcast. I’m not familiar with it in detail but it seems similar in features.

As for the differences, it may be a matter of preference. Untangle seems to be even more GUI focused/driven that OPNsense if that is something you prefer. OPNsense let’s you tweak things outside of the GUI (not sure to what extent you can do that with Untangle). OPNsense is open source which can be beneficial. I’m not sure if it’s easier to find online help with OPNsense vs Untangle and how each community compares. The OPNsense community seems to be very friendly and helpful.