Messages - z0rk

#46
Quote from: qinohe on September 25, 2018, 07:52:03 PM
Btw. @z0rk, maybe revise your idea about SSH a little?

Greetings, mark

Thanks for your feedback and help, Mark. Cheers
#47
Quote from: franco on September 25, 2018, 07:31:41 AM
As for contingency... if you now have access to the root menu either through console or SSH and TOTP doesn't work just choose option "3" from the menu to reset the root password. It'll ask you:

>>> Do you want to set it back to Local Database? [y/N]:

To which you input "y" and afterwards change the root password, but it can be the same password as before.


Cheers,
Franco

That's the ticket. It really addresses all of my previous concerns. Got TOTP enabled now. Thanks Cheers
#48
I think stripping out the TOTP settings from the config.xml may be the way to go. Thanks Mark
#49
Hey Mark... I am familiar with public key authentication and have it in place on other systems. SSH access is disabled by default on OPNsense and I don't see a particular reason why I would want to enable it at this time, if I have access at the console. Keep the attack surface small, right?
I did follow the steps for the setup for TOTP (thanks for the catch ::)) and did the test as suggested under step 5, so it appears to be working. My concern is to have an action plan in place that I can test out in advance in case there are issues with TOTP itself. Since I've never used TOTP as a primary authentication mechanism for a homespun system, I have no experience with it and therefore feel wary about what to do in case something goes wrong with the account as described below. Hope this makes sense. Maybe this is not an easy thing to do, or one needs advanced skills at the CLI for such a plan, so I don't know; that's why I am asking. And maybe the message here is that there is no easy way, so better not to enable TOTP?
Cheers
#50
I've SSH access disabled and I allow Web GUI access only on LAN. I am not concerned about physical access, so I could disable 'Password protect the console menu' under System: Settings: Administration. Thanks for this suggestion!

If I understand your other feedback correctly, I should then select 'TOTP Server' under System: Settings: Administration: Server and not enable 'Disable integrated authentication'.

Ok, so now with these settings in place, I can reset to defaults or restore settings from backup at the console without having to worry about TOTP. What I am still struggling with though is, let's say I have TOTP enabled and over time make other configuration changes to the system; if then for whatever reason my TOTP-enabled admin account gets hosed or the TOTP service is unavailable, how do I go back to a system that has all of my current system configuration settings in place (as of latest backup), but won't require the TOTP service at the GUI? Would I have to disable TOTP at the console and create a new administrator account to get back into the GUI?

Sorry, this may sound like I am getting lost in the weeds, but I am new to this level of router / firewall security and to OPNsense in particular. Basically I want to have an action plan in place in case something goes awry with TOTP / my admin account, so my family won't burn me at the stake should they lose internet access. :P

#51
Ok, thanks Franco, I will test it out. I do have a follow-up question though about best practice in case of TOTP scenarios, i.e. what's the best way to implement a failsafe in case TOTP is unavailable or there is human error. How do I ensure I don't lock myself out of the system?
i.e. once I select 'Disable integrated authentication', then how do I log in with another admin account at the console to fix things? Or is the only recourse to do a reinstall and restore configurations from backup? That seems laborious. I am not sure if I am expressing myself clearly. Do you have any thoughts / recommendations?

Thx
#52
I want to enable 2FA for authentication when logging into the admin GUI. I've followed all steps here:
https://wiki.opnsense.org/manual/how-tos/two_factor.html
I succeeded for steps 1 - 5. But when trying to log into the admin GUI with token + password, authentication fails. Using the plain password works. What am I missing?

Thanks
#53
I am considering enabling two-factor authentication for my primary admin account. As a failsafe I considered disabling the default 'root' admin account in the hope of being able to enable it at the console CLI, if needed. Is that possible?

EDIT:
As a related question, I believe that the Local Database should be disabled if 2FA is enabled; how do you prevent locking yourself out if the TOTP server is unavailable?
#54
Well, that totally makes sense; but then I fail to see how I can configure OPNsense from the GUI. I am at a loss here.

In my test setup I have port 1 connected to my 172.16.1.x network (considered WAN for this test setup). Port 1 is untagged for Vlan10 (WAN) on the switch. On port 2 OPNsense is connected. Port 2 is tagged for Vlan10 on the switch.

Instead I've also tried to keep all ports on the switch untagged for Vlan 1 which is the default / native and management Vlan; and none of the ports tagged. Plain vanilla just as the switch came out of the box.

At the OPNsense CLI I assign interface em0 (my only Ethernet port) to WAN with DHCP enabled. It grabs an address and I can access the GUI from the 172.16.1.x network. I don't have LAN configured or any VLANs at this point.

Can you help me with how to logically approach the setup steps from here on so I can configure and enable my VLAN interfaces, etc. without losing access to the GUI? Is there anything else I need to configure at the CLI?

Or maybe there's a how-to for this type of setup that you could point me to?

Thanks Bart!
#55
WAN interface em0: 172.16.1.10
WAN gateway: 172.16.1.1

Sorry, I think I am missing something here. Part of it might be because I've never set up a firewall with a single interface on a managed switch before.
Once I set up my VLAN, assign an interface to the VLAN, enable the interface and save it, I lose access to the GUI. At the OPNsense console I can ping any device on the 172.16.1.x network, including the laptop that I use to access the GUI at 172.16.1.10. But at the laptop I can't ping 172.16.1.10. What am I missing here?
#56
Quote from: bartjsmit on February 09, 2018, 08:38:58 AM
Interfaces, other types, VLAN to define your VLAN. Then go to Interfaces, Assignments, New interface to create a firewall interface to set your rules on.
Bart...

Ok,... silly questions. After I created my VLANs and created a new interface per VLAN, how do I assign DHCP zones to each VLAN, i.e. I want each VLAN to be on a separate subnet of 192.168.1.x/27. I don't see where to turn on the DHCP server and get this all set up. I guess static DHCP addresses are supported as well? Maybe I am just blind. :-[
#57
Quote from: bartjsmit on February 09, 2018, 08:38:58 AM
You'll have no problem and you won't have to resort to the command line.


Awesome... I will check it out!
#58
I am a hobbyist interested in improving the network security of my SOHO network. I am familiar with basic networking terminology / principles and I've deployed open source devices like LEDE and Tomato before. Small potatoes.
I have an x86 64-bit desktop with one Ethernet port on the board and a 2-port NIC. The NIC supports link aggregation to provide redundancy. The core of my topology would be like this:

Internet > Managed Switch (VLANS: WAN, Trusted, Untrusted, DMZ) > OPNsense (VLANS: WAN, Trusted, Untrusted, DMZ).

All other Managed Switches, WiFi / Wired Bridges, etc. would be connected to the 1st Managed Switch.

Network access and security for all network nodes would be managed through VLANs. OPNsense would function as a Router / Firewall and provide DHCP, DNS, DDNS services; and possibly IDS, Web Proxy, Content Filter, Virus Scanner and VPN access; but that's optional.

I believe this can be accomplished with OPNsense, but I would like to get a sense of whether all of this can be set up and managed through the GUI.

I am usually comfortable with facing a learning curve challenge if the GUI is intuitive and logically organized; and I wouldn't shy away if CLI intervention is required for more complex configurations, but I would prefer not having to deal with it for the initial setup.

Is this a reasonable expectation? :P

Thanks