Hi guys, newbie here. Pardon me if this was answered before, but the books I've read so far mention the necessity of using either VirtualBox or VMware when installing OPNsense. Is it possible to install OPNsense on Windows without involving VirtualBox or VMware, utilising only a USB stick or similar?
Thanks in advance,
OPNsense is an appliance OS. If you install it on your Windows machine, you will replace Windows with OPNsense. Unless you use some sort of virtualisation as you already found out.
OPNsense is not an add on to Windows but an OS for a dedicated "hardware firewall".
Let me know if I understood you correctly:
- Installing it on Windows will make Windows unusable,
- If I use virtualisation, I will have to start it from whatever virtualisation software I am using after Windows has booted up. That also means quite a bit of extra load on CPU and RAM. Correct?
Both correct, not only will Windows be unusable, Windows will be gone from your disk/SSD if you install OPNsense over it.
What are you intending to do with OPNsense? Again: it is an OS for a dedicated firewall machine that you place between your network and the Internet. Not something you install as a "security product" on your existing desktop OS.
You need a dedicated computer for OPNsense and that replaces your ISP router in most cases.
Running OPNsense in a VM like this is OK for testing, trying and learning.
But if you want to use it as your FW/Router or whatever, you need a dedicated machine as mentioned by Patrick. Because you are new to this I advise getting a device and doing a bare-metal setup (no hypervisor): get a small machine and install OPNsense on it.
Regards,
S.
If you use Windows 10 or 11, using Hyper-V to get used to OPNsense is a good choice.
Also on Windows 11 I did some performance testing just recently.
I've gotten 9.45Gbit/s routing performance through the OPNsense between two Debian VMs (machine had 12 Core Ryzen 9 CPU, 10G Vswitches). That's pretty good for a Hypervisor running an OPNsense.
Quote from: Patrick M. Hausen on September 02, 2024, 11:02:12 AM
Both correct, not only will Windows be unusable, Windows will be gone from your disk/SSD if you install OPNsense over it.
What are you intending to do with OPNsense? Again: it is an OS for a dedicated firewall machine that you place between your network and the Internet. Not something you install as a "security product" on your existing desktop OS.
You need a dedicated computer for OPNsense and that replaces your ISP router in most cases.
I simply want to secure my home network, and in this sense both OPNsense and pfSense seemed to be much better options than their consumer grade counterparts targeted at home users. If this is the wrong way to accomplish this, what would be your advice?
Buy a dedicated device, install OPNsense, come back with any questions you might have.
A consumer grade router is a dedicated device in your network, right? So is OPNsense. Main difference: you only have to buy some matching hardware, the software is free and better.
Patrick M. Hausen, Seimus and Monviech,
Thank you all for the hand. Appreciated.
Quote from: Patrick M. Hausen on September 02, 2024, 11:02:12 AM
not only will Windows be unusable, Windows will be gone from your disk/SSD if you install OPNsense over it.
But that sounds like a nice improvement... 8) :P
Quote from: doktornotor on September 02, 2024, 10:47:55 PM
Quote from: Patrick M. Hausen on September 02, 2024, 11:02:12 AM
not only will Windows be unusable, Windows will be gone from your disk/SSD if you install OPNsense over it.
But that sounds like a nice improvement... 8) :P
I agree, I did such an improvement last year on all of my laptops and PCs (as well as my gaming rig) and I could not be happier.
Regards,
S.
Quote from: Monviech on September 02, 2024, 11:25:11 AM
If you use Windows 10 or 11, using Hyper-V to get used to the OPNsense is a good choice.
Also on Windows 11 I did some performance testing just recently.
I've gotten 9.45Gbit/s routing performance through the OPNsense between two Debian VMs (machine had 12 Core Ryzen 9 CPU, 10G Vswitches). That's pretty good for a Hypervisor running an OPNsense.
Monviech, this may sound a dumb question but if I install OPNsense on one of these virtualization tools, would it protect the VMs only or the host (Windows) as well?
It would not protect anything. OPNsense goes on a dedicated device in your network. It replaces your ISP router.
It depends on the config.
If you do a Passthrough for the WAN (virtual switch external mode), and put the host itself into the same other vswitch as the VMs (virtual switch internal with host sharing enabled), then yes.
So at least two network ports for the host (or VLAN tagging with one port, but I wouldn't advise that for beginners).
In most other cases, no.
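The Hyper-V layout described in the reply above (WAN passed through on an external switch the host does not share, host and VMs together on an internal switch behind OPNsense), written out in PowerShell as an added example. This is not code from the thread or from the OPNsense project; the NIC name "Ethernet 2", the VM name "OPNsense" and the 192.168.10.0/24 LAN range are assumptions for illustration, and the OPNsense VM itself is assumed to already exist.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a Windows
# host with the Hyper-V role installed. All names below are placeholders.
$WanNic = "Ethernet 2"   # physical NIC that goes to the ISP device (assumed name)
$VmName = "OPNsense"     # existing OPNsense VM (assumed name)
$LanNet = "192.168.10"   # LAN range; OPNsense LAN interface will be .1 (assumed)

# 1. WAN: external switch bound to the physical NIC, with the management OS NOT
#    sharing it. The host loses its own use of this NIC on purpose: only the
#    OPNsense VM gets to see the ISP side of the network.
New-VMSwitch -Name "WAN" -NetAdapterName $WanNic -AllowManagementOS $false

# 2. LAN: internal switch. Hyper-V creates a host-side adapter "vEthernet (LAN)"
#    on it, so the host sits on the same segment as the other VMs, behind OPNsense.
New-VMSwitch -Name "LAN" -SwitchType Internal

# 3. Give the VM one adapter per switch (drop any adapter it was created with so
#    the order inside the VM is predictable; assign WAN/LAN in the OPNsense
#    installer to match).
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -Name "WAN" -SwitchName "WAN"
Add-VMNetworkAdapter -VMName $VmName -Name "LAN" -SwitchName "LAN"

# 4. Host side: static address on the internal switch, with OPNsense as the only
#    default gateway and DNS server. From here on the host's Internet access
#    exists only through the firewall VM.
$HostIf = "vEthernet (LAN)"
New-NetIPAddress -InterfaceAlias $HostIf -IPAddress "$LanNet.2" -PrefixLength 24 -DefaultGateway "$LanNet.1"
Set-DnsClientServerAddress -InterfaceAlias $HostIf -ServerAddresses "$LanNet.1"

# 5. Check: the host must have exactly one IPv4 default route and it must point at
#    OPNsense. A second default route (e.g. a leftover Wi-Fi adapter) would be a
#    path around the firewall.
function Test-BehindOPNsense {
    param([string]$Gateway = "$LanNet.1")
    $routes = @(Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 -ErrorAction SilentlyContinue)
    return ($routes.Count -eq 1 -and $routes[0].NextHop -eq $Gateway)
}
Test-BehindOPNsense   # expected True once OPNsense is up with LAN on 192.168.10.1
```

Two things worth knowing before trying this: because the external switch was created with `-AllowManagementOS $false`, the host has no Internet at all while the OPNsense VM is stopped (that is the trade-off for being protected by it), and the host's own Windows firewall still applies on top. The second physical port mentioned in the reply is only needed if other physical devices should also join that LAN; the internal switch alone covers the host and the VMs.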
Quote from: Patrick M. Hausen on September 06, 2024, 05:21:38 PM
It would not protect anything. OPNsense goes on a dedicated device in your network. It replaces your ISP router.
Some time ago, there was a book I read, called "ETHICAL HACKING A Hands-on Introduction to Breaking In", and pfsense was one of the lab VMs to be set up that the writer said "pfSense Virtual Machine An open source router/firewall to protect the vulnerable virtual machines from outside hackers." Considering the fact that both are very similar, the same can be achieved with OPNsense as well, I guess.
Am I missing something?
Quote from: Monviech on September 06, 2024, 05:24:20 PM
It depends on the config.
If you do a Passthrough for the WAN (virtual switch external mode), and put the host itself into the same other vswitch as the VMs (virtual switch internal with host sharing enabled), then yes.
So at least two network ports for the host. (or vlan tagging with one port, but I wouldnt advice that for beginners)
In most other cases, no.
Thank you Monviech, I'll give it a shot.
I think you're missing a bit of the basic zero-to-hero info here and I'd be happy to help explain.
OPNsense works as something called a gateway router/firewall, in a category of technology called 'network appliances.' In executive summary, it is a gateway--like the gateway through your otherwise impassable garden fence--that facilitates your internal network (LAN - local area network - the house and land) from the greater internet, or WAN (wide area network, but colloquially, to remember the difference, you can think of it as the world area network).
Your ISP router does this and most routers have a decent enough, rudimentary, firewall. Without a firewall, it's simply the gateway. Like your garden fence, it lets anyone who tries through, in either direction. The reason most people want to replace their ISP router is either because it's slow or performs badly, doesn't facilitate something they want to do, or, commonly, because the manufacturer fails to keep it updated and secured against recent threats, leaving it slightly less secure than something maintained reliably. You can find tons of Asus, TP-Link, D-Link and more brands with known (and often unfixable) router vulnerabilities in even extremely expensive hardware.
A classic firewall is, in essence, an "allowed/blocked" list that lets things that should talk (your devices) get to the internet, and responses from those things to come back, while blocking random unrequested stuff from WAN. (Look into this more yourself, but there are actually many 'gateways' called ports through which things actually talk on the internet, and the firewall maintains a closed or open state for them. Your network router is the network gateway, ports are ports, but it's helpful to think of them as open/closed doors while learning their function.)
In corporate, you'll see a lot of Next-Gen Firewall appliances - next-gen typically adds smarts, like online lists that constantly update the firewall with threat locations to block, malware sites to check for the reputation of files and programs, and breakdowns of what's accessing what, where - letting you, e.g., block porn, gambling, and violence from your network via a simple click rather than going off and building your own manual blocklist, or getting alerts when IP addresses and websites from America are resolved, etc. etc.
Your firewall needs to be above your network to protect it. You can firewall a single device, but only that device will be protected. Now, granted, there are ways to redirect your LAN traffic to a firewall elsewhere in the network, but it's not optimal for a lot of reasons, and some devices may simply not work this way or will bypass it. (A good resource here is the setup for a Pi-hole. Similar methodology/functionality and setup.)
So knowing this, you now know that your firewall needs to sit between your LAN and WAN to be able to filter the traffic to protect your LAN. You can virtualise it on a host like Proxmox or Windows and VirtualBox, but as you know, it's far from optimal. Your best bet is to find a fairly cheap piece of hardware that has or supports two RJ45 (aka Ethernet) ports to make it simple for you to plug your WAN device (be that a router, modem, FTD, NTD or similar) in one port and your LAN out the other. You can get devices that have up to 8 ports to act as a switch right on the device, or you can get a small mini PC/NUC box with two ports, and go out to a dumb (or smart!) switch from there. Note that if your internet router terminates ADSL or VDSL, Coaxial or something else, you'll need to keep that in order to get Ethernet out of it for your firewall appliance.
You'll also want to find a solution for WiFi if you're replacing your router. OPNsense supports it, but it's self-confessed rudimentary as it's not a key focus for a firewall OS.
My suggestion here is to use a cheap box like an MSI NUC, Qotom or XGODY or Beelink Mini PC as a firewall gateway, then have it go into your current router to act as a switch and WiFi box. You can always upgrade down the line with other hardware, like a Ubiquiti AP or perhaps an OpenWRT multibox. Word to the wise - aim for Intel NICs, not Realtek, though Realtek does work quite well in many cases.
As a P.S. - you can also use a firewall for specific security! A lot of malware researchers and red/blue/purple teams will run a firewall VM or specific device protecting just one LAN or VLAN, or even just one PC, on which they do their analysis. Online personalities like Kitboga and Leo at TPCSC almost certainly do this, and it allows them to have deep reporting and carefully constructed filtering to allow their research to work while seeing everything their target does.
If I got anything wrong I'm more than happy to be corrected/learn myself of course, I'm far from the smartest or most experienced person in this thread, but just wanted to help out and cover the basics. If not you, it might help other browsers-by!
Quote from: Sam of Ham on September 07, 2024, 11:21:02 AM
I think you're missing a bit of the basic zero-to-hero info here and I'd be happy to help explain.
OPNsense works as something called a gateway router/firewall, in a category of technology called 'network appliances.' In executive summary, it is a gateway--like the gateway through your otherwise impassable garden fence--that facilitates your internal network (LAN - local area network - the house and land) from the greater internet, or WAN (wide area network, but colloquially, to remember the difference, you can think of it as the world area network).
Your ISP router does this and most routers have a decent enough, rudimentary, firewall. Without a firewall, it's simply the gateway. Like your garden fence, it lets anyone who tries through, in either direction. The reason most people want to replace their ISP router is either because it's slow or performs badly, doesn't facilitate something they want to do, or, commonly, because the manufacturer fails to keep it updated and secured against recent threats, leaving it slightly less secure than something maintained reliably. You can find tons of Asus, TP-Link, D-Link and more brands with known (and often unfixable) router vulnerabilities in even extremely expensive hardware.
A classic firewall is, in essence, an "allowed/blocked" list that lets things that should talk (your devices) get to the internet, and responses from those things to come back, while blocking random unrequested stuff from WAN. (Look into this more yourself, but there are actually many 'gateways' called ports through which things actually talk on the internet, and the firewall maintains a closed or open state for them. Your network router is the network gateway, ports are ports, but it's helpful to think of them as open/closed doors while learning their function.)
In corporate, you'll see a lot of Next-Gen Firewall appliances - next-gen typically adds smarts, like online lists that constantly update the firewall with threat locations to block, malware sites to check for the reputation of files and programs, and breakdowns of what's accessing what, where - letting you, e.g., block porn, gambling, and violence from your network via a simple click rather than going off and building your own manual blocklist, or getting alerts when IP addresses and websites from America are resolved, etc. etc.
Your firewall needs to be above your network to protect it. You can firewall a single device, but only that device will be protected. Now, granted, there are ways to redirect your LAN traffic to a firewall elsewhere in the network, but it's not optimal for a lot of reasons, and some devices may simply not work this way or will bypass it. (A good resource here is the setup for a Pi-hole. Similar methodology/functionality and setup.)
So knowing this, you now know that your firewall needs to sit between your LAN and WAN to be able to filter the traffic to protect your LAN. You can virtualise it on a host like Proxmox or Windows and VirtualBox, but as you know, it's far from optimal. Your best bet is to find a fairly cheap piece of hardware that has or supports two RJ45 (aka Ethernet) ports to make it simple for you to plug your WAN device (be that a router, modem, FTD, NTD or similar) in one port and your LAN out the other. You can get devices that have up to 8 ports to act as a switch right on the device, or you can get a small mini PC/NUC box with two ports, and go out to a dumb (or smart!) switch from there. Note that if your internet router terminates ADSL or VDSL, Coaxial or something else, you'll need to keep that in order to get Ethernet out of it for your firewall appliance.
You'll also want to find a solution for WiFi if you're replacing your router. OPNsense supports it, but it's self-confessed rudimentary as it's not a key focus for a firewall OS.
My suggestion here is to use a cheap box like an MSI NUC, Qotom or XGODY or Beelink Mini PC as a firewall gateway, then have it go into your current router to act as a switch and WiFi box. You can always upgrade down the line with other hardware, like a Ubiquiti AP or perhaps an OpenWRT multibox. Word to the wise - aim for Intel NICs, not Realtek, though Realtek does work quite well in many cases.
As a P.S. - you can also use a firewall for specific security! A lot of malware researchers and red/blue/purple teams will run a firewall VM or specific device protecting just one LAN or VLAN, or even just one PC, on which they do their analysis. Online personalities like Kitboga and Leo at TPCSC almost certainly do this, and it allows them to have deep reporting and carefully constructed filtering to allow their research to work while seeing everything their target does.
If I got anything wrong I'm more than happy to be corrected/learn myself of course, I'm far from the smartest or most experienced person in this thread, but just wanted to help out and cover the basics. If not you, it might help other browsers-by!
That was a very comprehensive explanation and clears lots of things for me. Thank you for your time and effort.
Quote: That was a very comprehensive explanation and clears lots of things for me. Thank you for your time and effort.
You're super-duper welcome! I know I've certainly had my fair share of help on here so the least I can do is give back when/where I can and know how. I'm always happy to!
Good luck and safe travels on your exploration into networking... It may make you go bald early, but having it locked down is like finding a new mode of transport, it's never not useful!