News: Welcome to the Home Network Guy forum!

Recent posts

#81
How-to Discussions / Re: Configure intrusion detect...
Last post by Home Network Guy - August 30, 2021, 12:02:32 PM
Yes, this is a subjective topic. However, what I have done to keep things simple is just select the rulesets that I wish to use and put them all in one policy. Since I am just setting all the rules which are enabled to "block", I do not really see a need to group them in separate policies since I don't make use of a lot of the filters. If I had more time, I could start to filter on the rules I'm most interested in using within each ruleset using the filters in the policy, but it's easier to just blanket it all in one policy for a home network. It doesn't seem to impact my network performance (especially since I'm just using it on the WAN, and I have less than 1 Gbit downstream). In the past, before the policies were a feature, I manually searched for hardware/software products I didn't have on my network and disabled those rules to minimize the number of rules that are active for performance, but I haven't noticed any issues just leaving them all enabled for the rulesets I have selected. I don't have every ruleset selected, but I have a lot of them selected. I don't run it on extremely fast hardware, but it works very well, especially considering I'm also running Sensei on my LAN interfaces.

If guessing makes you nervous, you could just try it out and then disable it if it is causing issues. In my experience, you may encounter more issues running it on the LAN rather than the WAN because it could end up blocking services you are trying to use (which isn't malware). You also have to make sure you turn on Promiscuous Mode and only select the physical LAN interface(s) if you plan to use it on the LAN because you will end up blocking access to all of your VLANs. That is the biggest issue you have to worry about (as far as I know). I've seen intrusion detection described as a "not fire and forget" solution because it requires monitoring and tweaking in order for it to be of the most benefit. I don't monitor mine as well as I should. Since I also have Sensei running, I have other protections in place (along with firewall rules, etc).
#82
Proposed Network Designs / Re: Half done - half hoped for...
Last post by Home Network Guy - August 30, 2021, 11:52:40 AM
Glad you found my site useful and a safe place for newbies!

Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage one centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

Using a separate interface on the OPNsense box for each switch (like you are doing) is a better approach than chaining a bunch of switches. Chaining a bunch of switches introduces extra points of failure (if one switch dies) and could negatively affect performance. For a home network, if you have to chain a few switches in a few locations where it may be hard to run extra Ethernet drops, performance likely won't be terrible unless you are doing lots of high bandwidth file transfers at the same time, for example. I know some people may get upset if you chain switches, but sometimes it's just more convenient in a small home network (if it is found later that performance is an issue, then perhaps it would be worth the effort to run some extra Ethernet drops).

You mentioned wanting to use VLANs for improved security. If each of your rooms needs to be in a separate network, you don't necessarily need to use VLANs. Since they are on separate physical interfaces, you can simply keep the network traffic separated via appropriate firewall rules. If you want some devices in each room to be on the same network as devices in another room, then you could make use of VLANs to create a virtual network so the devices appear to be on the same network even though they may not be physically connected to the same switch.

With that said, for the em2 interface you mentioned there are no firewall rules on that interface. By default, any new interfaces (including VLANs) have no firewall rules. When there are no firewall rules, it means all traffic will be blocked. You need to add rules to allow network traffic. You will notice that the LAN has a default "allow all" rule which allows access to all networks and the Internet. If you want to isolate different networks, you need to modify the rules to allow access to the Internet but not other networks (unless you want them to have access to a local server, etc).

For testing purposes, you could mimic that allow all rule on your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be simpler, but if you plan to set up VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).
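To make the rule ordering in that reply concrete, here is an added illustration in the pf syntax that OPNsense (FreeBSD-based) compiles its GUI rules into; it is hand-written for this thread, not the poster's configuration or OPNsense's generated rules. Interface names em0/em1/em2 come from the thread; the subnets and the table name are assumed placeholders, since the thread elides the real prefixes.

```pf
# Added illustration only: OPNsense builds its pf ruleset from the GUI, so this
# is to show ordering, not a file to paste onto the box.
# em0 = WAN, em1 = LAN, em2 = living-room network, as in the thread.
lan_net = "10.0.10.0/24"   # assumed placeholder for the ".10.1/24" LAN on em1
em2_net = "10.0.20.0/24"   # assumed placeholder for the ".20.1/24" network on em2

# All RFC 1918 space: the local networks em2 hosts should NOT reach.
table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. em2 hosts must still reach the firewall itself for DHCP and DNS, otherwise
#    they never get an address or resolve names (the firewall's own address is
#    inside <private_nets>, so these must come before the block rule).
pass in quick on em2 inet proto udp from any port 68 to any port 67 keep state
pass in quick on em2 inet proto { tcp, udp } from $em2_net to (em2) port 53 keep state

# 2. Block em2 -> any other local network. "quick" ends evaluation at the first
#    match, so this line has to sit ABOVE the allow-all below.
block in quick on em2 inet from $em2_net to <private_nets>

# 3. Everything else from em2 (the Internet) is allowed. This line on its own is
#    the LAN-style "allow all" the reply suggests using for the first test.
pass in quick on em2 inet from $em2_net to any keep state

# em1 keeps the default allow-all; stateful replies return automatically.
pass in quick on em1 inet from $lan_net to any keep state
```

In the OPNsense GUI the same three steps are the interface's rule list read top to bottom: a pass rule to "This Firewall" for DNS/DHCP, a block rule whose destination is a private-networks alias, then the pass-to-any rule.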
#83
Success Stories / Re: Thanks for the ToDo'S
Last post by Home Network Guy - August 30, 2021, 11:22:54 AM
I'm glad you found my site useful in helping you set up OPNsense for a small business! Also thanks for the tips for people using that particular hardware.
#84
Tech Discussions / Re: Opnsense + sensei vs untan...
Last post by Home Network Guy - August 30, 2021, 11:17:31 AM
I replied to this same question in the Disqus comments for Sensei, but for reference for others browsing the forum, here is what I wrote:

Quote
I've seen mentions of Untangle in some firewall discussions and also heard about it some on a Podcast. I'm not familiar with it in detail but it seems similar in features.

As for the differences, it may be a matter of preference. Untangle seems to be even more GUI focused/driven than OPNsense, if that is something you prefer. OPNsense lets you tweak things outside of the GUI (not sure to what extent you can do that with Untangle). OPNsense is open source, which can be beneficial. I'm not sure if it's easier to find online help with OPNsense vs Untangle and how each community compares. The OPNsense community seems to be very friendly and helpful.
#85
Other Random Things / Newbie Q -How to use OPNs to f...
Last post by JiveTalking - August 29, 2021, 02:57:50 PM
Hello -

Can you talk a bit (maybe even an article) about IP addresses, subnets, why I see two WAN coming from my ISP, beginner stuff like that? I see many devices attached, but cannot figure out who is who. I could with my off-the-shelf router before because the hardware names were listed along with the MAC address - in OPNs it's just IPs...

Thank you ~
#86
How-to Discussions / Configure intrusion detection ...
Last post by JiveTalking - August 28, 2021, 06:47:10 PM
Hello, first of all, great article!

So I followed your steps - and so far so good, however I was very uncertain about the section for setting up Policies.

So I nervously set my 1st policy to cover the Abuse.ch rulesets I had selected, with no filters, because they are over my head. Maybe an article part 2 for digging deeper into this stuff would be so helpful.

My 2nd policy I set for all the Emerging Threats (ET), with no filters for the same reason.

And my 3rd policy I set for the last group of my rules, same as the others.

I really hate guessing, it makes me very nervous - I have three policies, but I don't know why, or if they are any good, or where to go from here....

I know this is all very subjective for each person's Internet use, but are there any articles which give more guidance on policies you'd recommend, and some use examples? I'd imagine there are many threats out there that the majority of people would want to guard against, so something that shoots down the middle as far as policy specifics?

I do a lot of email, ftp, browser searches and logins, some web email, banking, shopping and VOIP - no social media, no IoT, if this helps.

Thanks for the enlightenment,
#87
Proposed Network Designs / Half done - half hoped for - r...
Last post by JiveTalking - August 28, 2021, 05:06:26 PM
Hello all,

So happy to have found a safe place for a newbie such as myself....

My network plan imagined by me (before I heard of VLANs) is simple I thought, best laid plans and all that.

The Layout & History:
My office and living room have a broom closet between their facing walls - so I put a 6-port Vault running OPNsense in the closet, had my ISP run their fiber modem into the closet, and drilled holes in the left and right walls of the closet, into each of the rooms mentioned. I connected cat6 from my PC to the LAN port on my Vault, and of course the modem to the WAN port.

All was well - I had internet access in my office. That was too easy, I was very happy, for a bit.

I then attached a new TPLink 8-port Gbit Smart Switch in between my Office PC and the Vault router LAN port - all was still well, and I then cat6'd my Linux PC & laptop also - all 3 devices still good, but I was about to learn of the special settings for LAN ports on routers.

I then ran cat6 through the other wall hole (living room) to a TPLink 5-port Gbit Easy Smart Switch, and you guessed it, nothing plugged into that found the internet... all is not well :/ and I didn't know why.... I did a ton of research but other people's network layouts were too complicated for my understanding and needs.

My goal was higher level access for my Office/LAN/Devices computing needs (1 - 4 devices) - and restricted access for the 2 switches installed via cat6 in other rooms. #1 = Living room next to Office through closet, and #2 = upstairs above the Office/closet. These switches would be for media TV and simple laptop Net searches, and email.

I have since heard of VLANS, which I still don't fully understand - I will dig into learning of these after I get some additional security understanding set up in my OPNsense (the entire point of this adventure in the first place is much better security).
- Many thanks Network Guy for your informative articles ♥ which have really helped, and scared me.

I felt that the trouble might be in my interfaces - so I set one up for em2 (em0 is WAN, em1 is LAN) the same as the one for my LAN except I gave it ........20.1/24 where the LAN is ........10.1/24 - Still no access for em2.  Why that IP - I have no idea I just guessed.

I have poked around, lost internet access - oops, got it back again (no idea how I lost it, or got it back, yikes!)

But I have seen that there are no Firewall rules for my em2 living room, which could be an issue, I say. But I read that OPNs mostly comes set up like an off-the-shelf router - security sucks = all access, maybe this just means for the LAN port - so sad. FW scares me, I almost didn't make it through setting up the Intrusion Prevention System - Thanks again Network Guy! Not sure I have that done right, but nothing broke so I call it a win!

So - best network layout practices for setting up 2 limited port/switches - mostly for Internet browsing and media?  While... not killing my LAN :) this is my current quest.

I read where you say this type of wired/switches sucks bandwidth, or better, competes for bandwidth - I want a 99% wired home network, I was hoping not to daisy chain the whole thing, so I can deal with rooms/hardware independently - it's how I think.  Something that looks like an octopus, router being the central hub/brain banished to the broom closet.

If and when I do add low range wifi I would like it to be turn-off-able <-- my technical term. I do not have any IoT to deal with - yea! I do hope to add things as I learn and go - Pi-hole, physical redundancy for my LAN, backup power source, maybe my own email server, maybe a NAS server for home media (a girl can dream).

Q2: any good beginners' practical How-To books? So far there seems to be a huge vacuum in this "for personal use, home networking" space. So glad to find Network Guy is addressing this :D

I've attached my network layout/map - all rooms are only 4-12' apart.
#88
Success Stories / Thanks for the ToDo'S
Last post by sushifish - August 26, 2021, 05:24:40 AM
First of all, many thanks for providing such detailed How-To's, especially for OPNsense.
With your posts I was able to set up OPNsense for a small business (around 10 users).
I replaced the default router with a small appliance (around 600 USD invest), switched the WLAN to a dedicated AP (business Netgear model), separated Internal and Guests in VLANs and also put the VoIP phones and Server into a separate one.
It took me 2 evenings to set up most of the stuff. I sweated, prayed and nearly used the hammer which I found in the server room. I managed several times to log myself out of OPNsense or the Aruba switch once turning the VLANs "hot". After reading most of your guides and repeating step-by-step I finally managed. First to set up the internal network structure, and later replacing also the old router which still took care of dialing in (I also needed a VLAN on the WAN interface for the successful dial-in).
Maybe some learnings for others:
Get all logins from existing servers and change them to DHCP.
Before starting, make sure you have access to the console on the appliance and switches (you might need special cables to do so - the Aruba switch provides a micro-USB which you can connect to a laptop and access a console via a COMx interface; the OPNsense appliance finally got the VGA output working - the serial port was the wrong "sex" for my cable :( - this is why I recommend trying the console on all switches and the appliances before starting).
And I (still) have 2 machines where I cannot access the management interfaces and they seem to have fixed IPs. So I had to change my Internal Network set-up to match the old IP layout. Of course I discovered that the NAS is using the "wrong" fixed IP only when colleagues urgently needed access to it - so changing the INT interface to the other IP space as a solution was quite urgent and I was really happy this solution came to my mind...
Setting up OPNsense only worked "out of the box" once I used the provided interface detection in the set-up routine on the shell. Even if I assigned the ports manually the right way, something seemed to be missing - I think something in the routing or automatic firewall rules. This was one of the sources for log-outs and not working WAN connections, I think (maybe on the 5th trial I did something different, but I cannot tell now what it was - so I think it was the use of the set-up in the shell).
Still some work in tuning the FW rules (it's quite open at the moment, but I cannot allow myself to disrupt the colleagues all the time ;D)
But overall performance is now better (OK, it gets reduced a bit with using Sensei), we can use port forwarding to the VoIP appliance now (this one needs so many open ports that I could not open these on the small router from the provider) and hopefully a VPN in future (the WireGuard set-up did not really work - OpenVPN looks better at first glance, final test from home this evening). All together I'm happy with the decision for OPNsense and had a lot of fun and learning (I'm not an IT professional) in setting this up!
#89
Troubleshooting / Re: Selective Routing to Exter...
Last post by Home Network Guy - August 23, 2021, 10:02:18 AM
Quote from: Criss on August 19, 2021, 10:51:54 AM
I got my selective routing working now with the help of this guide here

https://community.spiceworks.com/how_to/177167-policy-based-routing-via-vpn

best regards

Thanks for providing a link to help resolve the issue, especially since I don't have a lot of experience with this yet, but I do want to experiment with connecting to external VPNs to help others get their VPN set up even if I do not plan to use a VPN for my own network.
#90
Troubleshooting / Re: Selective Routing to Exter...
Last post by BondiBlueBalls - August 19, 2021, 03:55:17 PM
@criss, when you got to the DNS Config section, did you follow the tutorial as written? Were you already using Unbound, or another solution? I've disabled Unbound due to using Pi-hole. It seems like I should just follow as written since it wants us to set the Outgoing Network Interfaces to the VPN interface. Does that mean Unbound will only be used for the VPN interface?

Thoughts? Thanks!