OPNsense Forum

English Forums => General Discussion => Topic started by: andrewoliv on May 31, 2022, 10:27:30 am

Title: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on May 31, 2022, 10:27:30 am
I welcome any comment/constructive criticism/advice/correction below.

I love OpnSense

30 years sales experience in high tech, now retired. I am a privacy advocate and home networking is a hobby. My grandfather had his tractor he was always tinkering with, I am always tinkering with my home network.

OpnSense has become a very valuable tool for my home network.  I have sold most of these capabilities to the US Government at some point and now I have these capabilities at home via OpnSense!

I use the following as a guideline to protect my privacy. I'm not going to reveal what I use, but I encourage you, when selecting a tech for each of the areas below, to beware: lots of vendors say they are private while in the background they are still collecting private info. (OpnSense and Sensei are wonderful tools to identify this)

Secure Browser (Brave is a joke!)
VPN (European provider, US VPN providers aren’t protecting you)
Ad Blocker (OpnSense platform)
Password manager
Secure and encrypted messaging (Be very careful here)
Private Search Engine (What a mess)
Private email
Secure OS (Very hard to find and use)
Secure DNS (Need a static IP and your own DNS to be truly secure here)
Anti virus (shocking how much these vendors like to chat with your computer)

I struggled in the beginning in the following areas and struggled finding documentation. Most of the documentation I found assumed a certain level of understanding I did not possess, so I would have more questions than I started with.

Understanding IN/OUT (Not as easy as it sounds)
    Source IP to Dest IP based on origination of connection
Which Interface to apply firewall rules
    Inbound Interface
How to check FW rules
    INSPECT button on rules page
How to use Alias
    OpnSense documentation good place to start
How to use Floating Rules
    had to find an example on a blog

As a home user what was I going to use OpnSense for?

I have 5 subnets:

Lab
IOT
Guest
Server
Open (No rules)

I want to isolate each subnet so I built rules for that.
I want to block access from certain countries (GeoIP Alias with floating rule)
I want to block IP’s with bad reputations (Block list Alias with Floating rule)
I want to block malware (ClamAV)
I want to block Ads (I use Unbound DNS and Sensei)

I have tinkered with Suricata and CrowdSec. I use CrowdSec to protect the GUI. Got rid of Suricata. I think it's overkill for my home network. If CrowdSec ever releases a block list I will build an alias and floating rule for that as well.

It has taken me almost 2 years to set this up. I am sharing this here in this forum because a guide for beginners/home users is needed. (I have thought of writing one myself but I am not qualified to)

Enterprises will use the Cisco, Palo Alto, Fortinet, etc. firewalls for their needs. OpnSense is great for a home user, especially parents. However, the learning curve is too steep.

I read this forum and get bits and pieces. Another suggestion is a Home User category here on this forum.

Please suggest, comment and criticize at will!

Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: yourfriendarmando on June 02, 2022, 08:58:12 am
Nice, can you sell these things? I'll set them up haha

I have found most of the simplicity comes from sticking with IN, into the destination IP(s)/Port(s). I have not yet used concepts like local tags for other rule designs. My next venture will be turning on the proxy, and enabling side features like antivirus and additional URL blocking. I also just use Block or Allow. I think reject causes a resource penalty or something.

In Aliases:
- Between using Host and Network types, I mostly use Network, because in Network, you can use w.x.y.z/32 to specify a single host.
- Create a network alias for all RFC 1918 local networks like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and any IPv6 prefix allocations assigned to you
  This is useful for a block rule to prevent locked down networks from accessing your important stuff
- Create a host alias for local hosts 127.0.0.1 and ::1
  This is useful for a port forward to force all port 53 DNS and 123 Time traffic to the firewall instead of the internet https://forum.opnsense.org/index.php?topic=9245.0
- Create a port alias for dangerous ports that should never be accessible on the internet like 25, 53, 69, 123, 135, 137:139, 161:162, 445, 514
  Make a block rule on each interface that blocks these ports before any allow rules to the internet, but after local rules.
- Create a port alias for management services on your firewall 22, 80, 443
  Make a block rule for networks you don't want to be able to configure the firewall

I found an interesting use case for the floating rules:

1) Allow outgoing traffic to an alias of network blocks that work like exceptions to the list below
2) Block outgoing traffic to "bad" countries of IPs


If you have NAT port forwarding, allow from any source, but in the WAN or Wan group of rules, lock down access to that service.

In the WAN or a WAN group of rules:
I think the default still remains to block all unless opened
Allow access to your port forwarded services to only an alias of networks, like a block of IPs used by your hotspot, friends, family, clients.
If you are traveling, you can allow access to listed countries. Add a schedule and allow it to expire after a certain time like a travel plan. For your local services, add a daily schedule so they're only available during awake hours.

In locked down networks like Lab and IoT, add a block all rule. Watch all your mystery boxes struggle to dial out to their cloud services. The best I could think of is only allow the ports and block of IPs they need. Sometimes vendors disclose a list of rule exceptions to add to a firewall. I had a ball watching my doorbell cam try to reach odd cloud servers in China, as well as my garage door opener.

By default every interface you create enables routing to it. First thing would be to prevent that network's access to local networks, except where it is allowed.

In Unbound DNS, use the block lists to shut down a bunch of Ads, tracking etc.

There is other nitty gritty stuff, like Firewall Optimization to conservative, and bumping up the states if you have a ton of RAM and CPU.

For every block rule, I generally enable logging. It is amazing to see your devices try accessing all over the place. For the default state protection rule, it is amazing what is out there trying to knock on services all day long.

My thoughts
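To make the ordering advice in this post concrete (the RFC 1918 block and the dangerous-port block sit before the general allow-to-internet rule, but after local exceptions), here is an added example in Python. It is not part of this thread or of OPNsense: it models network and port aliases and first-match evaluation on one interface, so the effect of putting the allow rule in the wrong place is visible. The alias names, addresses and sample connections are constructed.

```python
"""First-match evaluation of interface rules built from aliases.

Added example, not OPNsense code: it models the advice above with a tiny
evaluator so the effect of rule ORDER is visible. Alias names, addresses
and the sample connections are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Network aliases: RFC 1918 ranges, and a /32 to name a single host.
NETWORK_ALIASES = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "firewall_self": ["192.168.10.1/32"],   # IoT interface address (constructed)
    "any": ["0.0.0.0/0"],
}

# Port aliases, using the a:b range syntax OPNsense accepts in aliases.
PORT_ALIASES = {
    "dns_ntp": ["53", "123"],
    "dangerous_ports": ["25", "53", "69", "123", "135", "137:139", "161:162", "445", "514"],
    "mgmt_ports": ["22", "80", "443"],
    "any": ["1:65535"],
}


def expand_ports(entries):
    """'53' -> {53}; '137:139' -> {137, 138, 139}."""
    ports = set()
    for entry in entries:
        lo, _, hi = entry.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


PORTS = {name: expand_ports(v) for name, v in PORT_ALIASES.items()}
NETS = {name: [ipaddress.ip_network(n) for n in v] for name, v in NETWORK_ALIASES.items()}


@dataclass
class Rule:
    action: str      # "pass" or "block"
    dst_alias: str   # destination network alias
    port_alias: str  # destination port alias
    desc: str


def evaluate(rules, dst_ip, dst_port):
    """Return (action, description) of the first matching rule.

    OPNsense interface rules are 'quick' by default, so the first match wins;
    with no match the implicit default deny applies.
    """
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if any(addr in net for net in NETS[rule.dst_alias]) and dst_port in PORTS[rule.port_alias]:
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Rules on the IoT interface, direction IN, in the order the post suggests:
# local exception first, then isolation, then the "never to the internet"
# port block, and only then the general allow to the internet.
IOT_RULES = [
    Rule("pass", "firewall_self", "dns_ntp", "DNS/NTP to the firewall itself"),
    Rule("block", "rfc1918", "any", "isolate IoT from all other local networks"),
    Rule("block", "any", "dangerous_ports", "never let these ports out to the internet"),
    Rule("pass", "any", "any", "everything else to the internet"),
]

# Same rules with the general allow moved to the top: a common beginner mistake.
MISORDERED_RULES = [IOT_RULES[3]] + IOT_RULES[:3]

# Constructed sample connections from an IoT device.
SAMPLES = [
    ("192.168.10.1", 53),    # the firewall's own resolver
    ("192.168.20.5", 445),   # SMB on the Server subnet
    ("8.8.8.8", 53),         # plain DNS to an external resolver
    ("93.184.216.34", 443),  # ordinary HTTPS to the internet
]

if __name__ == "__main__":
    for ip, port in SAMPLES:
        good = evaluate(IOT_RULES, ip, port)
        bad = evaluate(MISORDERED_RULES, ip, port)
        print(f"{ip}:{port:<5} ordered -> {good[0]:5} ({good[1]}); allow-first -> {bad[0]}")
```

With the ordered list the SMB attempt and the external DNS lookup are blocked and only the firewall's resolver and ordinary HTTPS pass; with the allow rule first, everything passes and the block rules never fire, which is exactly why the post says to place them "before any allow rules to the internet, but after local rules".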
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 02, 2022, 10:51:37 am
Very good suggestions that should be in a guide!

An outline would look something like this.

1. Where to install OpnSense appliance? Replace primary router, in front of primary router or behind primary router?

2. How to keep the bad guys out
    a. Build an alias using a block list and GeoIP (some of your examples would go here)
    b. How to create a floating rule using an alias
    c. How to install CrowdSec

3. How to turn on Clamav to detect and block malware at the network level

4. How to turn on Unbound
    a. Configure Unbound with DNSSEC and TLS
    b. Enable Unbound blocklists (Blocking ads)
    c. create a rule that forces DNS requests to Unbound (you gave some examples)

5. Creating subnets why you would want to (Prevent lateral movement of malware)
    a. Kids network
         i. Create a schedule that would block Internet access after a certain time
         ii. Block access to Porn and other unsuitable sites for Kids
    b. IoT
    c. Guests

6. How to use logs and the inspect button to check rules

All I can think of for now.  Remember this is for a home user so the guide should be as simple as possible. I don't believe the average person without an IT background would attempt to implement OpnSense in their home.

However, a person who knows what a firewall is and understands the capability a firewall offers over a standard WiFi Router would have an interest in OpnSense. Having the necessary skill set to actually configure OpnSense is another matter.

The purpose of this guide is to assist those individuals who have an understanding of a firewall but not the skill set to configure a firewall. This guide should allow them to overcome that challenge and enable them to provide another layer of security for their home.

Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: EdwinKM on June 06, 2022, 12:19:54 pm
It is difficult to make a good starting guide. The "n00bs" will just use the ISP hardware. The advanced users do not need a comprehensive guide but just usually some steps.

People need basic network knowledge to configure this stuff. Usually they have wishes which are not (easily) doable. Like expecting virus scanning in a HTTPS (encrypted) world. Or blocking children from accessing some pages. Also sometimes difficult because of DoH or DoT.

Some hobbyists use stuff like Ubiquiti which hides lots of stuff from the end user. Some people want to configure each VLAN (in the right order) themselves. They need to first use the DHCP of the switch. Connect. Configure the device which will drop your connection.

But I can see the potential of a first-steps guide. Especially about double NATting. Or warn about ISPs which are using a VLAN for the internet connection.
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 06, 2022, 01:01:10 pm
Good points.

I believe there is a large group of people (addressable market) who understand the value of a "Network Appliance" like OpnSense (since OpnSense is more than a firewall). Yet lack the technical ability to configure one.

All consumers want is fast, easy and cheap. Yet the industry can only deliver two of those things: if it's easy and fast it ain't cheap, if it's fast and cheap it ain't easy, etc. etc.

Thus the need for a guide. OpnSense is fast and cheap but it ain't easy. A guide that explains the steps and the "why" is necessary.

I started to write one based on my own experience, however, I don't believe I have the expertise to do so. I will most likely continue that endeavor and have it edited by one of my old engineers.
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: EdwinKM on June 06, 2022, 02:48:26 pm
I really do not want to discourage you to write documentation. I wrote my own notes while creating my setup. Mainly containing the network layout and VLAN planning.

There are some guides for the basic setup. I think even for OpnSense. Meaning a normal DHCP WAN ISP, a 2-interface router and a basic switch at the second port.

Lots of people afterwards will just google/youtube (and use pfsense tutorials) to accomplish tasks. (vlan, dns redirection, blocklists, dhcp reservation, etc.).

People really need to have some basic knowledge to succeed at those quests. You get really basic questions like: "I use a switch but I do not see the traffic between two systems" (on the same network). They do not understand network masks.
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: klausagnoletti on June 06, 2022, 02:52:46 pm
If CrowdSec ever releases a block list I will build an alias and floating rule for that as well

Could you please elaborate what you mean? We (I am head of community at CrowdSec) just released a bouncer that acts as a simple webserver that exposes the blocklists in a format that any firewall that supports external blocklists could use (at least in theory). You can read about how to use it here: https://blog.vacum.se/updated-blocklist-export-for-crowdsec/

Is that what you're missing?

/klaus
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 06, 2022, 04:17:22 pm
Klaus thank you for reaching out.

I think so.......I wrote that before..........

I installed the unofficial CrowdSec plugin for OpnSense. That installed:

A CrowdSec agent that protects the OpnSense WebGUI

An LAPI that I have no idea what that does

and a Firewall bouncer that will deny an external attack from a bad IP attacking the WebGUI.

here is what is explained:

"Out of the box, by enabling them in the "Settings" tab, they can protect the OPNsense server by receiving thousands of IP addresses of active attackers, which are immediately banned at the firewall level. In addition, the logs of the ssh service and OPNsense administration interface are analyzed for possible brute-force attacks; any such scenario triggers a ban and is reported to the CrowdSec Central API (meaning timestamp, scenario, attacking IP).

Other attack behaviors can be recognized on the OPNsense server and its plugins, or any other agent connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts)."

My understanding from reading the above is that I have all I need from CrowdSec. At the firewall level bad IPs will be blocked regardless of whether they are attacking the WebGUI or not. Is this correct? Or is there more I need to do?
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 06, 2022, 04:29:15 pm
Edwin

Yes, there are some guides and tutorials all over the internet. Some are really good, most are really bad. Also, there is not one central source, so I had to do extensive research to figure out what I was trying to do. In the beginning the "approach" is so important. I was using Sensei and Suricata and I didn't need them. In the end I figured out most of what I was trying to do in Sensei and Suricata was easier to accomplish in the firewall. I just had to learn how, which was yet another challenge.

I may go back to Sensei at some point but not until I have maximized what I can get from OpnSense. You brought up a good point about end-to-end encryption and in most cases the FW may not help. So features like Unbound ad blocking and blocking apps in Sensei may be the next step.

I see you seem to have a focus on VLANs. Why? My HW has a WAN port and a LAN port, OPT1 and OPT2, so I had enough ports for subnets for a home network. All my HW ports are being used so if I need more subnets I will have to start using VLANs. But is there another advantage I am missing?

Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: EdwinKM on June 06, 2022, 05:31:32 pm
I see you seem to have a focus on VLANs. Why? My HW has a WAN port and a LAN port, OPT1 and OPT2, so I had enough ports for subnets for a home network. All my HW ports are being used so if I need more subnets I will have to start using VLANs. But is there another advantage I am missing?

Sure, if you have enough interfaces AND wires in your house you do not have to use VLANs to segment devices. In most cases people only have 1 cable to (for example) the second floor. If you want to separate wired devices you can use VLANs to accomplish this.

Most devices however are wireless. You can use VLANs with different SSIDs for all networks (guest, IoT, WLAN, media). But you need a professional WiFi AP (or flash your router with something like OpenWrt).

I have a router with 8 interfaces and I use only 2 (WAN and 1 to the switch).
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: klausagnoletti on June 06, 2022, 05:37:09 pm
My understanding from reading the above is that I have all I need from CrowdSec. At the firewall level bad IPs will be blocked regardless of whether they are attacking the WebGUI or not. Is this correct? Or is there more I need to do?

No problem! Thanks for installing CrowdSec and for joining the community.

You have what you need just by installing the OPNsense package - assuming that you just want to protect your OPNsense firewall. If you want to do more, that's another story and we can talk about that later :-)

To try and answer some of your comments: In this case the LAPI is part of the agent. It is possible to run it separately if you have a large infrastructure but by default they're the same. The agent does the log parsing and detection of attacks and orchestrates bouncer(s). By default there's only one; the one that you installed on OPNsense.

I hope my replies have made you understand the CrowdSec stack better. If not, please join our Discord at https://discord.gg/crowdsec and sign up for the beginner workshops we do about every other week (we do it this week, I just created a poll for people to vote on when it suits them best). That will give you a better understanding of the stack and the possibilities. Obviously protecting OPNsense is just one of many - some that are way more advanced and cool.
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 06, 2022, 07:00:49 pm
OK

So you're suggesting I need to create an alias and a floating rule like I have for other IP blocklists, based on the link mentioned in this blog:

https://blog.vacum.se/updated-blocklist-export-for-crowdsec/

Then my FW will block incoming requests from the IP addresses on the CrowdSec IP blacklist. Just like my firewall blocks the IPs from the CIArmy blocklist.
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: andrewoliv on June 06, 2022, 09:34:16 pm
Klaus

I am looking for a URL that defines the CrowdSec block list as a text file.

Something like this:

http://cinsscore.com/list/ci-badguys.txt

I can build an alias with a URL like that. I can't seem to find it in the CrowdSec blog article you sent.

I find this:

http://cslist.domain.tld/list.txt

Not sure what "domain.tld" means here (I understand the terms domain and top level domain but not sure how to apply them to this URL). Is "list.txt" a real file or just an example?
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: spyware-avoidance on June 06, 2022, 11:48:29 pm
...
I started to write one based on my own experience, however, I dont believe I have the expertise to do so...

I have been doing enterprise IT for over 20 years and I have been teaching for a couple of years now, and I always feel like I lack the expertise to write something. I know networking really well (I teach the stuff), but I'm struggling to get started with OPNsense because this is just one system out of (literally) hundreds of systems I use. I am expert in 100 things, but right now I'm a noob when it comes to OPNsense. You probably know way more than me about OPNsense right now.

Just write something, and if it is wrong, or incomplete allow others to chip in and add and fix stuff (something like a public Wiki). Eventually it will be something with content. 
Title: Re: Challenges of a Beginner/Hobbyist/Home User
Post by: spyware-avoidance on June 06, 2022, 11:55:51 pm

http://cinsscore.com/list/ci-badguys.txt
http://cslist.domain.tld/list.txt

Not sure what "domain.tld" means here (I understand the terms domain and top level domain but not sure how to apply them to this URL). Is "list.txt" a real file or just an example?

Hello. The "domain.tld" simply means to supply your own URL to an HTTP server (as you already know, tld = top level domain = .com, .ca, .tv, .net, etc.). It looks like you have to supply your own text file from an HTTP server. This is just an example of what you need to implement yourself.
Where is this document you are looking at? If it is available publicly I can read it and give you a more specific answer.
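The two posts above are about the shape of the file an alias fetches: a plain text list with one IP address or CIDR block per line, which is what a URL Table (IPs) alias in OPNsense consumes. The Python below is an added example, not part of this thread and not OPNsense or CrowdSec code. It parses a list in that format (comments and blank lines tolerated), drops malformed lines, collapses overlapping entries, and answers "is this source address on the list?", which is the same question the firewall answers once the alias is in a floating block rule. The sample list content is constructed.

```python
"""Parse and query a plain-text IP blocklist of the kind an OPNsense
URL Table (IPs) alias fetches: one IPv4/IPv6 address or CIDR per line,
'#' comments and blank lines ignored.

Added example, not OPNsense or CrowdSec code; the list content is constructed.
"""
import ipaddress

# Constructed sample with the same shape as a ci-badguys.txt style list,
# including two malformed lines and one overlapping entry.
SAMPLE_LIST = """\
# constructed sample blocklist
203.0.113.0/24
203.0.113.7          # already covered by the /24 above
198.51.100.23
2001:db8:bad::/48
not-an-address
192.168.1.5/24       # host bits set; normalized to 192.168.1.0/24
300.1.1.1
"""


def parse_blocklist(text):
    """Return (networks, skipped).

    networks: collapsed list of ip_network objects (v4 then v6).
    skipped:  (line number, entry) for lines that are not an address or CIDR.
    """
    v4, v6, skipped = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # "a.b.c.d" -> /32
        except ValueError:
            skipped.append((lineno, entry))
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges overlaps and removes duplicates per family
    networks = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return networks, skipped


def is_blocked(networks, ip):
    """True if ip falls inside any network on the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def summarize(text):
    """Counts a practitioner would log after each refresh of the list."""
    networks, skipped = parse_blocklist(text)
    return {
        "entries": len(networks),
        "ipv4": sum(1 for n in networks if n.version == 4),
        "ipv6": sum(1 for n in networks if n.version == 6),
        "skipped": len(skipped),
    }


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_LIST)
    print("parsed:", [str(n) for n in nets])
    print("skipped:", bad)
    for probe in ("203.0.113.200", "198.51.100.24", "2001:db8:bad::1"):
        print(probe, "blocked" if is_blocked(nets, probe) else "not listed")
```

Feeding a list through a parser like this before pointing an alias at it catches the two things that silently break URL table aliases: lines that are not addresses at all, and a server that serves an HTML page instead of the text file. For the CrowdSec export discussed above, the URL to use is whatever hostname the blocklist bouncer is published under, in place of the `cslist.domain.tld` placeholder.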