

Messages - Home Network Guy

16
You’re welcome. I had mine turned off for a while so it doesn’t spam the firewall logs. I have it on now and, where possible, I tried to update many of my rules to use IPv4+IPv6 so the rule will apply to both protocols, because I want essentially the same firewall restrictions for both protocols. It doesn’t always work out perfectly because some of my aliases refer to IPv4-only networks or IP addresses, so it wouldn’t apply to IPv6. However, the broader rules which use the predefined network interface addresses should work for both protocols since OPNsense knows both addresses on the interface/network.

17
I wrote about firewall aliases so when you want to dive deeper, you could check it out.

As for testing if you can connect to your other devices to ensure everything is blocked, you could try pinging them from the console/command prompt. Type:

ping 192.168.1.50

using the IP addresses of your machines (or hostnames). If they are on the same network or your firewall rules aren’t blocking the device, you’ll get a response back. So if you know the device is on the same network, getting a response is ok. If it’s not on the same network, you shouldn’t get one back.

If you have any services running on your systems like a web server, you could try accessing those as well to see if you can get a connection. It depends on what you have running on your network. If you can’t access something that’s on another network (like a printer, file sharing/sync server, Apple TV, Roku, Xbox, PlayStation, etc.), then your rules are blocking properly.

You can also check the live firewall logs to see if your rules are blocking any network traffic. That might be the easiest way but you have to be a little familiar and comfortable with the live firewall log. You can filter the log to just the one network or device you are trying to access so you don’t get flooded with as many log entries. It’s hard to see what’s going on if you have a lot of network activity and you don’t filter it.
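The ping test described in this post can be scripted so the whole "expected reachable / expected blocked" list is checked in one pass. The script below is an added example and is not from the forum or from OPNsense; the target addresses and the expectations attached to them are constructed placeholders, and the `ping` command-line flags are the ones used by the stock Linux, macOS and Windows ping utilities.

```python
"""Added example: run the per-device ping check from the post as a list of
expectations and report any host whose result does not match.

Nothing here talks to OPNsense; it only sends ICMP echo requests from the
machine it runs on, exactly like typing `ping 192.168.1.50` by hand.
"""
import platform
import subprocess
from dataclasses import dataclass


@dataclass
class Target:
    host: str                # IP address or hostname to ping
    expect_reachable: bool   # True when a reply is expected (same network, or allowed by a rule)
    note: str = ""           # free-form reminder of why this expectation holds


def run_ping(host: str, timeout_s: int = 2) -> bool:
    """Send one echo request and return True if a reply arrived.

    The stock ping utilities differ in their flags, so the command is built per OS:
    Linux   : -c 1 -W <seconds>
    macOS   : -c 1 -t <seconds>   (-W on macOS is in milliseconds, -t is the exit timeout)
    Windows : -n 1 -w <milliseconds>
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-t", str(timeout_s), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    # Every ping implementation above exits 0 only when a reply was received.
    return proc.returncode == 0


def check_isolation(targets, ping=run_ping):
    """Ping every target and return (host, expected, actual) for each mismatch.

    An empty list means the rules behave as you expect: hosts that should answer
    did, and hosts on networks that should be blocked stayed silent. `ping` is
    injectable so the logic can be exercised without sending real packets.
    """
    mismatches = []
    for t in targets:
        actual = ping(t.host)
        if actual != t.expect_reachable:
            mismatches.append((t.host, t.expect_reachable, actual))
    return mismatches


if __name__ == "__main__":
    # Constructed sample list: adjust hosts and expectations to your own network.
    sample = [
        Target("192.168.1.50", True, "same network as this machine"),
        Target("192.168.2.10", False, "IoT network, should be blocked by the firewall"),
        Target("192.168.3.20", False, "guest network, should be blocked by the firewall"),
    ]
    for host, expected, actual in check_isolation(sample):
        state = "reachable" if actual else "unreachable"
        print(f"MISMATCH {host}: expected reachable={expected}, but it was {state}")
```

A host that is expected to be blocked but answers is the interesting result: it usually means the block rule is missing, sits below the allow-all rule, or applies to the wrong interface.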

18
It's ok if you want intrusion detection on the LAN instead of the WAN but you have to make sure you don't select the VLANs instead of the physical LAN interface(s) since it will mess up your VLANs. But if you want to put it on the WAN and use Sensei on the LAN, that will work too. I like the graphs and charts and other information that Sensei provides. It does things that intrusion detection doesn't do, but I think they can complement each other. I don't have a guide on how to set up Sensei since the documentation on Sensei's website is pretty straightforward but I did do a comparison between the home and free versions.

That "Administration Rules" page lists all of the rules you have downloaded. Those are not the rules which have been triggered on your network. It shows the default action of allow, block, or disabled. You have to go to the "Administration Alerts" page to see what has been blocked on your network. You also need to make sure you have "IPS Mode" checked on the "Administration Settings" page.

19
You can disable IPv6 entirely by going to the "Firewall > Settings > Advanced" page. It's the first option.

Devices/software will only prefer IPv6 if it's enabled on your network since it cannot communicate via IPv6 if it's disabled.

20
An Ethernet drop is just what they call running an Ethernet cable down through walls (the cable is "dropped" down the wall).

If you don't feel comfortable with creating aliases, you could create 2 block rules for the em2 interface to block access to the em1 and em3 interfaces and put them before the allow all rule. So the rules for em2 could be:

(replace em1, em2, em3 with the names you use in OPNsense for those interfaces)

Interface: em2
Action: Block
Source: em2 net
Destination: em1 net

Interface: em2
Action: Block
Source: em2 net
Destination: em3 net

Interface: em2
Action: Allow
Source: em2 net
Destination: any

Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

21
Sure!

IP addresses are assigned to every device on the network including routers and network switches.

A subnet is a network which has one or more devices. The modern notation used for IPv4 networks is called CIDR (instead of using Class A, B, or C networks). For home networks it is common to use the 192.168.x.x addresses, so a subnet could be defined as 192.168.0.0/24 or 192.168.1.0/24, etc. The /24 indicates that the last digit can be used for device addresses, so for 192.168.0.0/24, you can have devices assigned to 192.168.0.1-192.168.0.254 (.0 and .255 are reserved for special use such as network broadcasts).

In OPNsense, you will see 2 gateways by default if IPv6 is enabled. One gateway on the WAN is used for IPv4 and the other is IPv6. IPv6 is the new protocol for IP addresses that allows for a much greater amount of IP addresses than IPv4. It is ok to have both enabled. Sometimes devices/software will prefer to use the newer IPv6 protocol if it's enabled. You have to keep that in mind when creating firewall rules. If you want to restrict the traffic for both IPv4 and IPv6 network traffic, you need to apply the rules to both protocols.

If you wish to see the names of the devices, you need to set the option to "register DHCP leases" and "register DHCP static mappings" on the "Services > Unbound DNS > General" page. This doesn't always guarantee you will see the hostname. I've had some devices not show up but most do. If you really want everything named better, you could create a static DHCP mapping for a device (once you have identified it) and you can set an IP address (outside of your DHCP IP address range you have set for the network) and a hostname. Sometimes the manufacturer will show up below the MAC address which could possibly help identify devices. Most devices provide a way for you to view the IP address (and sometimes the MAC address). That will help you find out which device has which IP address.

Please let me know if this info helps and if you have more questions!
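The em2 rule set from the earlier post (two block rules placed before the allow-all rule) and the CIDR explanation above can be checked together with a small first-match evaluator. This is an added example, not code from the forum or from OPNsense: the interface names, the three 192.168.x.0/24 networks assigned to them, and the `Rule`, `evaluate` and `usable_hosts` names are all constructed assumptions. OPNsense itself resolves "em1 net" to the subnet configured on that interface; here that mapping is a hard-coded table.

```python
"""Added example: evaluate the em2 block/block/allow rule set in order, using the
ipaddress module for the CIDR notation, to show why the block rules must sit
above the allow-all rule.
"""
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the subnet each interface carries, i.e. what
# "em1 net", "em2 net" and "em3 net" resolve to.
INTERFACE_NETS = {
    "em1": ipaddress.ip_network("192.168.1.0/24"),
    "em2": ipaddress.ip_network("192.168.2.0/24"),
    "em3": ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    interface: str     # interface the rule is attached to (traffic arriving on it)
    action: str        # "block" or "allow"
    source: str        # "<if> net", "any", or a single address
    destination: str   # "<if> net", "any", or a single address


# The three em2 rules from the post, in the order they appear in the rule list.
EM2_RULES = [
    Rule("em2", "block", "em2 net", "em1 net"),
    Rule("em2", "block", "em2 net", "em3 net"),
    Rule("em2", "allow", "em2 net", "any"),
]


def _matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """Does an address fall inside a rule's source/destination selector?"""
    if selector == "any":
        return True
    if selector.endswith(" net"):
        return addr in INTERFACE_NETS[selector[:-4]]
    return addr == ipaddress.ip_address(selector)


def evaluate(rules, interface: str, src: str, dst: str) -> str:
    """Return the action of the first rule that matches a packet arriving on
    `interface` from `src` to `dst`. No matching rule means the traffic is
    blocked, mirroring an interface that has no rules at all."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.interface == interface
                and _matches(r.source, src_a)
                and _matches(r.destination, dst_a)):
            return r.action
    return "block"


def usable_hosts(cidr: str):
    """First usable address, last usable address and host count for a CIDR
    block; for 192.168.0.0/24 that is .1 through .254, i.e. 254 hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for "the Internet".
    for dst in ("192.168.1.50", "192.168.3.7", "203.0.113.5"):
        print("em2 -> " + dst + ":", evaluate(EM2_RULES, "em2", "192.168.2.10", dst))
    print("with allow-all first:",
          evaluate(list(reversed(EM2_RULES)), "em2", "192.168.2.10", "192.168.1.50"))
    print("192.168.0.0/24 usable hosts:", usable_hosts("192.168.0.0/24"))
```

Reversing the list so the allow-all rule comes first makes every packet match it before the block rules are reached, which is exactly the ordering mistake the post warns against.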

22
Yes, this is a subjective topic. However, what I have done to keep things simple is just select the rulesets that I wish to use and put them all in one policy. Since I am just setting all the rules which are enabled to "block", I do not really see a need to group them in separate policies since I don't make use of a lot of the filters. If I had more time, I could start to filter on the rules I'm most interested in using within each ruleset using the filters in the policy, but it's easier to just blanket it all in one policy for a home network. It doesn't seem to impact my network performance (especially since I'm just using it on the WAN, and I have less than 1 Gbit downstream). In the past before the policies were a feature, I manually searched for hardware/software products I didn't have on my network and disabled those rules to minimize the amount of rules that are active for performance, but I haven't noticed any issues just leaving them all enabled for the rulesets I have selected. I don't have every ruleset selected but I have a lot of them selected. I don't run it on extremely fast hardware, but it works very well especially considering I'm also running Sensei on my LAN interfaces.

If guessing makes you nervous, you could just try it out and then disable it if it is causing issues. In my experience, you may encounter more issues running it on the LAN rather than the WAN because it could end up blocking services you are trying to use (which isn't malware). You also have to make sure you turn on Promiscuous Mode and only select the physical LAN interface(s) if you plan to use it on the LAN because you will end up blocking access to all of your VLANs. That is the biggest issue you have to worry about (as far as I know). I've seen intrusion detection described as a "not fire and forget" solution because it requires monitoring and tweaking in order for it to be of the most benefit. I don't monitor mine as well as I should. Since I also have Sensei running, I have other protections in place (along with firewall rules, etc).

23
Glad you found my site useful and a safe place for newbies!

Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

Using a separate interface on the OPNsense box for each switch (like you are doing) is a better approach than chaining a bunch of switches. Chaining a bunch of switches introduces extra points of failure (if one switch dies) and could negatively affect performance. For a home network, if you have to chain a few switches in a few locations where it may be hard to run extra Ethernet drops, performance likely won't be terrible unless you are doing lots of high bandwidth file transfers at the same time, for example. I know some people may get upset if you chain switches, but sometimes it's just more convenient in a small home network (if it is found later that performance is an issue, then perhaps it would be worth the effort to run some extra Ethernet drops).

You mentioned wanting to use VLANs for improved security. If each of your rooms needs to be in a separate network, you don't necessarily need to use VLANs. Since they are on separate physical interfaces, you can simply keep the network traffic separated via appropriate firewall rules. If you want some devices in each room to be on the same network as devices in another room, then you could make use of VLANs to create a virtual network so the devices appear to be on the same network even though they may not be physically connected to the same switch.

With that said, for the em2 interface you mentioned there are no firewall rules on that interface. By default, any new interfaces (including VLANs) have no firewall rules. When there are no firewall rules, it means all traffic will be blocked. You need to add rules to allow network traffic. You will notice that the LAN has a default "allow all" rule which allows access to all networks and the Internet. If you want to isolate different networks, you need to modify the rules to allow access to the Internet but not other networks (unless you want them to have access to a local server, etc).

For testing purposes, you could mimic that allow all rule on your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be simpler, but if you plan to set up VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

24
Success Stories / Re: Thanks for the ToDo'S
« on: August 30, 2021, 11:22:54 AM »
I'm glad you found my site useful in helping you set up OPNsense for a small business! Also thanks for the tips for people using that particular hardware.

25
Tech Discussions / Re: Opnsense + sensei vs untangle
« on: August 30, 2021, 11:17:31 AM »
I replied to this same question in the Disqus comments for Sensei, but for reference for others browsing the forum, here is what I wrote:

Quote
I’ve seen mentions of Untangle in some firewall discussions and also heard about it some on a Podcast. I’m not familiar with it in detail but it seems similar in features.

As for the differences, it may be a matter of preference. Untangle seems to be even more GUI focused/driven than OPNsense, if that is something you prefer. OPNsense lets you tweak things outside of the GUI (not sure to what extent you can do that with Untangle). OPNsense is open source, which can be beneficial. I’m not sure if it’s easier to find online help with OPNsense vs Untangle and how each community compares. The OPNsense community seems to be very friendly and helpful.

26
Troubleshooting / Re: Selective Routing to External OpenVPN Provider
« on: August 23, 2021, 10:02:18 AM »
Quote
I got my selective routing working now with the help of this guide here:

https://community.spiceworks.com/how_to/177167-policy-based-routing-via-vpn

best regards

Thanks for providing a link to help resolve the issue especially since I don't have a lot of experience with this yet, but I do want to experiment with connecting to external VPNs to help others get their VPN set up even if I do not plan to use a VPN for my own network.

27
Troubleshooting / Re: Selective Routing to External OpenVPN Provider
« on: August 05, 2021, 10:58:51 PM »
I personally haven’t set up my OPNsense as a client to an external VPN service such as PIA, but it is certainly on my todo list to write about. There is enough interest in the topic, and I would want to see what I could learn along the way that I could share with others.

That said, I think that you may need to do that 3rd step in the pfSense documentation to add the outbound NAT rule. That is similar to how you need the outbound rule for running your own OpenVPN server so communication can occur between your network and your clients.

You will have to set your interfaces to use the VPN as the gateway so you can have some networks on the VPN and some that are not if you so desire.

I haven’t gone through the entire process yet, but I think that may be the general idea. I hope to dig into it more when I get some time to work on it.

Thanks for posting this on the forum! I am hoping others with more knowledge in areas I haven’t explored deeply will chime in with more information. It is why I established a forum rather than just rely on page comments (since it’s harder to work through issues).

If the amount of feedback continues to grow in the future, it could get to the point where it will be too time consuming to respond to every single question. I get questions via email, Disqus comments, and the occasional forum post.

28
Proposed Network Designs / Re: Just starting out
« on: July 19, 2021, 09:28:29 PM »
Thanks for sharing your proposed design! Once you can post a diagram that will be helpful in visualizing how the network is laid out.

It sounds like you are planning to connect 3 different switches — one to each port of your modem/router. How are you planning to do that? You mentioned you have cables run, so are you running 3 different cables to 3 different locations with a switch at each location?

While that will work, alternatively you could buy one larger switch (16 or 24 port), connect one cable to the switch from the modem/router and then connect all your devices to that large switch. Of course that requires you to have more cables run to the location of your switch. If you only have a couple of Ethernet drops run and it’s too hard to run more, putting a switch at each location is not necessarily a bad idea for a small, basic home network. Keep in mind that you will be sharing bandwidth if you put a switch at each location and have multiple devices transmitting/receiving a lot of data.

If you want to separate your IoT or guest devices, you may want to get managed switches. It adds more complexity, but it’s nice to have for improved security. However, you would need a router that supports VLANs. The Internet Service Provider’s modem/router is not likely to support that type of more advanced functionality. It depends on how deep you want to jump in when creating your home network.

30
Topic Suggestions / Re: OpnSense Howto Updates?
« on: June 11, 2021, 04:23:01 PM »
Thanks for the suggestion! The default direction is "in" for firewall rules and is what most users will want to use, because it processes more efficiently and is likely easier to reason about when writing the rules. When I specify settings for the rules, I usually leave out the values that should be left at the default (so I don't have to list 50 data elements and their values). However, I could mention that you should usually leave that at the default.

I have been slowly working through my old guides and updating them. I've updated the following guides in the last few months: firewall rule cheat sheet, the Sensei Free vs. Home Edition comparison, how to configure WireGuard, and redirecting local DNS requests. Next on my list to update is the intrusion detection how-to since I know it's out of date. I'm trying to mix in new content in between updating the old content.
