Any easy basic opnsense fw setup guides?
(Every guide I have seen so far includes stuff I don't have, don't need, don't use, don't want to get, don't understand).
1 ISP Modem <> 1 FW <> 1 Router <> 1 Switch/AP <> 1 LAN <> Devices. Simple as that.
[no vlans, no vpn's, no dmz, no dsl, no ipv6, no ldap, no radius, etc..]
I have a couple of recent books, I have read the docs, both have loads of extra confs I don't intend on using, and since it uses that in all examples, it's pretty much useless..
What is the router supposed to do in that scenario?
Simplest OPNsense setup is:
ISP Modem - OPNsense (both FW and router) - Switch/AP - Clients
What part of the documentation is unclear about how to go about that?
* install
* connect switch to LAN interface
* connect PC to switch
* IP address assignment is automatic
* login to web UI
* configure WAN according to provider data
* done
https://docs.opnsense.org/setup.html
I have decided to keep the router for routing, and use OPNsense exclusively as firewall. In an earlier post I implied using OPNsense both for routing and fw, but that will not be the case. Some argued against it: https://forum.opnsense.org/index.php?topic=29199.0
The basic setup is done, have OPNsense running on a temporary IP on a Supermicro Superserver and will move it between LAN and WAN in a few days. (I have all my network equipment in a dedicated rack). Got all the NICs I could ever need for channelling the network through the fw.
What is the correct configuration for that once I do it? ISP is DHCP. DNS is Quad9.
You need to set up static routes for your internal networks if you want to connect an additional router. And you are aware that the firewall will still technically be routing, right? ;)
Can you draw a plan of the networks you are planning to connect? I mean - that router must have multiple interfaces and multiple internal networks (at least 2), to route anything ...
Something like this I pushed together in 5 minutes in draw.io
(https://i.imgur.com/2tmpWur.png)
In my opinion it is a simple basic lan.
Not sure about that thing about adding a 2nd router, I guess if OPNSense is the 1st router then my EdgeMax is the second.
So what is the second router supposed to do? I see only one connection coming from OPNsense and one going into the switch. An additional internal router only makes sense if it connects more separate networks/switches.
OPNsense is like every firewall a router at first. Why do you think you need it there.
Quote from: pmhausen on August 24, 2022, 07:22:31 PM
So what is the second router supposed to do? I see only one connection coming from OPNsense and one going into the switch. An additional internal router only makes sense if it connects more separate networks/switches.
I am placing the FW between my Router and my ISP. Is that not how it is supposed to work? Filtering the internet traffic...logging, stats, probably DNS.
I know I can use OPNSense as Router as well, but I am not doing that now. My EdgeMAX Router handles DHCP, Static addressing and PoE, if needed, something that can not be done on the OPNSense machine. (In fact, my AP is PoE but currently connected to the Switch, I should connect it to the Router and bridge it, later.)
Quote from: SecCon on August 25, 2022, 08:04:31 AM
I am placing the FW between my Router and my ISP. Is that not how it is supposed to work?
Not in reality, your other router has a firewall too.
Yes it does, which is only rudimentary and will be disabled if not needed. Maybe keep a rule about local admin logon to the EdgeMAX but hardly anything else.
Does your other router currently drive your Internet uplink? How is the connection established? Does your ISP use DHCP, PPPoE, fixed addresses or something entirely different? Do you have fixed IP addresses or does it change regularly? IPv4 only or IPv4 and IPv6?
Regularly consumers and small businesses use one device to do routing, NAT and firewall. For a simple setup you replace an EdgeMax thingy with an OPNsense thingy.
If you want to use both in line, then OPNsense still needs to establish the connection to your ISP and you have essentially two routers in a row. There is no way to have the OPNsense "just do firewall". The packets need to pass through the device. So it needs to route. You cannot split router and firewall function in common consumer scenarios.
In enterprise environments things like transparent bridging firewalls etc. are used. But not that common, either.
Also OPNsense of course offers DHCP, DNS, SLAAC and a plethora of other services. The only thing it cannot do (at least not on any hardware I am aware of) is provide PoE. But if your switch can do that I'd recommend getting rid of the unnecessary additional router.
HTH,
Patrick
@pmhausen
As I stated above my ISP is DHCP. My EdgeMAX Router handles that, but it will of course have to be handled by OPNSense once connected. No fixed IP. IPv4 only that I am aware of, they probably have support for IPv6, I just don't use it.
The connection to ISP is currently done via a Bridge to Gateway, from my current OPNSense to my Router. [System: Gateways: Single] pointing to 192.168.1.1. That will obviously have to be revised.
So I guess I will be implementing what you call a transparent bridge then?
As for what consumers do, I don't have any stats, and I don't care. To me it is rather simple: Can I add security to my SOHO? How would I do that? The inbuilt FW in the Ubiquiti EdgeMAX is probably usable for most, but implementing IDS and Firewall on a Router, if even possible, comes with a performance hit on CPU and RAM. That is why I put OPNSense on a SuperServer instead, to handle that (8 Atom cores, 32GB DDR3 RAM, quad GbE LAN ports).
I do not understand why this scenario seems so unusual...
If you did transparent bridging the ISP IP address and DHCP would still be on the EdgeMax. As soon as the OPNsense acquires the IP address from your ISP it's a router and the additional internal router does not serve any useful function. I cannot advise you how to set up a configuration I decidedly advise against.
Nothing about what you are trying is simple. There is no valid reason to do it. Yes, more or less nobody else does it that way. You seem to be confused about what routers and firewalls do.
But you do you, I guess.
The concept of a firewall put "in front" of a router is valid for corporate networks where you have multiple external IPs and in the intranet, you need additional routing for segmentation of broadcast domains. That type of firewall is a kind of perimeter defense that mostly regulates incoming traffic to some exposed IPs.
In a small business / private networking context, you mostly have just one external IP, such that you need NAT anyway such that everything on your intranet hides behind that one IP. Thus, the rules on the firewall before a NATing router apply to just connections between this IP and the internet - you cannot discriminate between different clients on your intranet apart from the port. In this scenario, the firewall could not really do very much useful.
The alternative would be to let the firewall do NAT (and firewalling), but in that case: what does the router then do anyway? Separating into different VLANs is possible in Opnsense as well.
So, I can see no real purpose for the additional router, because Opnsense can handle everything.
There are people who vote for the opposite: Placing a router before Opnsense. That CAN become necessary if your ISP has a locked-down router and does not give you the means to build up the connection yourself and you don't trust the ISP so that you have an additional firewall to protect your intranet. If at all possible, I avoid that because of additional complexity (and power draw).
I will need PoE. Which is on the Router. So I am keeping the Router. I also have a network inventory via Ubiquiti UNMS that I use on the Router, with the Switch, not sure that can be done in OPNSense.
If you're determined to keep the "other router", it looks like you don't need OPN. As others have said, in your case of not being a large enterprise with loads of public IPs, ports, protocols to protect, there is no purpose a second would realistically have. Each will only get in the other's way and overcomplicate your setup, which by the way, since it sounds like you may not be clear what routers and firewalls do and how, I imagine there will be loads of follow up questions and "it's not working" sort of scenarios.
Quote from: SecCon on August 25, 2022, 01:09:45 PM
I will need PoE. Which is on the Router. So I am keeping the Router. I also have a network inventory via Ubiquiti UNMS that I use on the Router, with the Switch, not sure that can be done in OPNSense.
Just so that everyone here understands, Aircube from Ui comes with a Power Supply. And even if it's placed on a location where a plug is unavailable, you clearly stated your switch is a Layer3 which does routing anyway.
As Patrick has stated, what's the purpose of the router in the middle?
The only thing I would use the EdgeMax for is an OSPF/BGP combo for various routing scenarios with Edgeswitch, but then again the EdgeMax would sit on the side and a trunk between OPNsense and Edgeswitch would be established. Even still, you can install FRR on the OPNsense to do the same unless you are into MPLS/ISP class stuff that OPNsense is having some issues with...
Also, there is a Unifi Controller plugin for OPNsense in the community repository.
Of course you can keep the EdgeMax for UNMS and PoE but then just
- connect OPNsense directly to switch
- connect one port of the router to switch
- configure router to "switch mode" - my EdgeRouter X can do that, yours too, probably
- run DHCP server on OPNsense or router as you see fit
- consider that DHCP and DNS are integrated on OPNsense so you might want to run either both on the router or both on the firewall
But please forget this "firewall in front of router" nonsense. Which it is.
I'm a newbie with OPNsense and I don't have enough experience with networking. This is what I've got working:
- the ISP provides a WAN UTP cable into the apartment, i.e. no DSL modem or other device
- DEC750:
  - the default WAN interface assigned to the default port 2, gets IP from the ISP DHCP. The WAN UTP cable goes into port 2
  - the default LAN interface assigned to the default port 1, leases IPs through DHCP
- D-LINK DGS-1100-08V2 switch:
  - factory defaults, only set to get dynamic from DHCP
  - UTP connected to DEC750 port 1, gets IP from LAN
- Asus RT-AC87U Router:
  - set to Access Point mode
  - set to get dynamic from DHCP
  - UTP connected to the D-LINK switch, gets IP from LAN
- Wireless devices connect to the Asus RT-AC87U AP and get IPs from LAN
- Wired devices connect to the D-LINK switch and get IPs from LAN
@pmhausen Please, let me know if the above setup is wrong, why and how to set it up right. Thank you!
Quote
But please forget this "firewall in front of router" nonsense. Which it is.
@DragD please start a new thread. This one is kind of burned ... anyone starting to read from the top will probably not even make it to your post.
Turned out to be more tricky than I thought.
As in the previously posted image, of course, but when you are actually holding the cables and trying to figure out what goes where it is a bit of a challenge for me as a newbie when it comes to actual network configuration with firewall.
The ISP WAN cable goes into igb0 on the OPNSense machine. Then after that I have at least two options. Either I connect the LAN igb1 to the Router's WAN port, or, as Herr Pmhausen might suggest, I connect it to the switch port 1. Or even to the Router's eth1 port. Since the Router has PoE ports and I need those, I am, for the n'th time, keeping it.
What happens when reconfiguring the OPNSense interfaces is that I am questioned about LAGG ( https://docs.opnsense.org/manual/other-interfaces.html?highlight=lagg#lagg ) and that is a very good question. I have no clue. I manage to give the OPNSense WAN an external IP, but after that it seems I am not able to connect it to the LAN.
There must be a default order to do this. And a default working configuration. I refuse to believe no one has done it.
As it is now I just feel I need to talk this through with someone since posting here with people that are not solution-oriented answering, is not very constructive.
Quote from: SecCon on September 25, 2022, 10:17:27 AM
The ISP WAN cable goes into igb0 on the OPNSense machine. Then after that I have at least two options. Either I connect the LAN igb1 to the Router's WAN port, or, as Herr Pmhausen might suggest, I connect it to the switch port 1.
Not quite.
igb0 is LAN and goes into your router or your switch. igb1 is WAN and goes into your ISP connection. At least that's the factory configuration of a freshly installed OPNsense firewall.
HTH,
Patrick
You are right. I forgot about that. I think I changed that in the firewall, since it's a running configuration I also tried a few things on. Maybe I just have to do a reset to get that right.
Yeah, interface igb0 is on LAN.
Come to think of it, I could demote the Router, removing DHCP from it and use it only as a switch, leaving the routing and DHCP to OPNSense.
That would be going a bit off my original plan, but would allow me to keep the PoE and have the EdgeMax6P as a backup router should the OPNSense machine fail somehow.
If you leave NAT enabled on the ISP router, you will have to have a different subnet between the ISP and OPNsense, then more or less port forward through both routers (referred to as double NATing).
ISP ROUTER | OPNsense | NETWORK
WAN -> |NAT| LAN -> WAN -> |NAT| LAN -> SWITCH -> COMPUTERS
75.32.53.67 |NAT| 192.168.0.1 | 192.168.0.2 |NAT| 192.168.1.1 -> DHCP
https://helpdeskgeek.com/networking/what-is-double-nat-and-how-to-fix-it-on-a-network/
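Two points in this thread lend themselves to a small simulation: the earlier argument that a firewall on the WAN side of a NATing router only ever sees the router's single public address (so it cannot write per-client rules), and the double-NAT diagram above, where an inbound port forward has to be configured on both routers before it reaches a host on the inner LAN. The following Python is an added example written for this page, not code from the OPNsense project or from any poster. It models a NAT router as a masquerade table plus a port-forward map; the 192.168.0.x and 192.168.1.x addresses are the ones used in the diagram above, while 203.0.113.10 (the "public" IP), 198.51.100.5 (the remote host) and the client addresses are constructed values from the documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; enough to follow address translation across hops."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Source NAT (masquerade) for outbound flows, port forwards for inbound.

    This is a teaching model, not OPNsense's pf configuration: one inside
    network, one outside address, no timeouts, ports handed out sequentially.
    """

    def __init__(self, inside_net, outside_ip, port_forwards=None):
        self.inside_net = ip_network(inside_net)
        self.outside_ip = outside_ip
        # outside_port -> (inside_ip, inside_port): static inbound mappings
        self.port_forwards = port_forwards or {}
        # outside_port -> (inside_ip, inside_port, proto): dynamic state
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet to our public IP."""
        if ip_address(pkt.src_ip) not in self.inside_net:
            raise ValueError(f"{pkt.src_ip} is not behind this router")
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        for port, orig in self.table.items():   # reuse an existing mapping
            if orig == key:
                mapped = port
                break
        else:                                   # otherwise allocate a new one
            mapped = self.next_port
            self.next_port += 1
            self.table[mapped] = key
        return Packet(self.outside_ip, mapped, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate an outside->inside packet, or return None if it is dropped."""
        if pkt.dst_ip != self.outside_ip:
            return None
        if pkt.dst_port in self.table:          # reply to a flow we opened
            ip, port, _ = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        if pkt.dst_port in self.port_forwards:  # explicitly published service
            ip, port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        return None                             # no state, no forward: dropped


def upstream_view(client_ips):
    """Source addresses a WAN-side firewall sees for traffic from these clients."""
    edge = NatRouter("192.168.1.0/24", "203.0.113.10")  # constructed public IP
    seen = set()
    for ip in client_ips:
        seen.add(edge.outbound(Packet(ip, 51000, "198.51.100.5", 443)).src_ip)
    return seen  # every client collapses to the router's one public address


def double_nat_roundtrip():
    """Outbound flow through two NAT hops and the reply finding its way back."""
    isp = NatRouter("192.168.0.0/24", "203.0.113.10")
    opn = NatRouter("192.168.1.0/24", "192.168.0.2")
    client = Packet("192.168.1.50", 51000, "198.51.100.5", 443)
    hop1 = opn.outbound(client)   # now 192.168.0.2:40000
    hop2 = isp.outbound(hop1)     # now 203.0.113.10:40000
    reply = Packet("198.51.100.5", 443, hop2.src_ip, hop2.src_port)
    back = opn.inbound(isp.inbound(reply))
    return hop2.src_ip, back.dst_ip, back.dst_port


def double_nat_inbound(forward_on_isp, forward_on_opnsense):
    """Inside host reached by an unsolicited inbound connection, or None."""
    isp = NatRouter("192.168.0.0/24", "203.0.113.10",
                    {22: ("192.168.0.2", 22)} if forward_on_isp else {})
    opn = NatRouter("192.168.1.0/24", "192.168.0.2",
                    {22: ("192.168.1.50", 22)} if forward_on_opnsense else {})
    pkt = Packet("198.51.100.5", 40123, "203.0.113.10", 22)
    hop1 = isp.inbound(pkt)
    if hop1 is None:
        return None
    hop2 = opn.inbound(hop1)
    return None if hop2 is None else hop2.dst_ip


if __name__ == "__main__":
    print(upstream_view(["192.168.1.20", "192.168.1.21", "192.168.1.22"]))
    print(double_nat_roundtrip())
    print(double_nat_inbound(True, True), double_nat_inbound(True, False))
```

`upstream_view` returns a single address no matter how many clients are behind the router, which is the reason a firewall "in front" of a NATing router can only match on destination and port. `double_nat_inbound` only reaches the inner host when both routers carry the forward; leaving either one out drops the packet, which is the extra configuration (and the extra place for a mistake) that the double-NAT layout costs you.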
Not sure what you are saying here because I can't access the configuration of the ISP box. It's handled by the ISP company only. If by that you are referring to the Router that is currently connected to the ISP box, well that's a different thing.