Hi,
I would like to try OPNsense on hcloud for test purposes.
Starting from a FreeBSD instance, I am installing OPNsense via the script (https://raw.githubusercontent.com/opnsense/update/master/src/bootstrap/opnsense-bootstrap.sh.in):
sh ./opnsense-bootstrap.sh.in -r 24.7 -y
and copying the following file to /conf/config.xml:
<?xml version="1.0"?>
<opnsense>
  <trigger_initial_wizard/>
  <theme>opnsense</theme>
  <system>
    <optimization>normal</optimization>
    <hostname>OPNsense</hostname>
    <domain>localdomain</domain>
    <dnsallowoverride>1</dnsallowoverride>
    <group>
      <name>admins</name>
      <description><![CDATA[System Administrators]]></description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr><![CDATA[System Administrator]]></descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>$6$DEHx8zOr5VVhjFwz$pS/NcRnn03fpFxbR2xP0gkfUSdSDA0FZxRF3zCn09qTFF604k800paZCNnxrMwElH8gAsPK8GDHBFgOX32YI2/</password>
      <uid>0</uid>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <webgui>
      <protocol>https</protocol>
      <nohttpreferercheck>1</nohttpreferercheck>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu/>
    <disablevlanhwfilter>1</disablevlanhwfilter>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <pf_share_forward>1</pf_share_forward>
    <lb_use_sticky>1</lb_use_sticky>
    <ssh>
      <group>admins</group>
      <enabled>enabled</enabled>
    </ssh>
  </system>
  <interfaces>
    <wan>
      <enable>1</enable>
      <if>vtnet0</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <enable>1</enable>
      <if>vtnet1</if>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <media/>
      <mediaopt/>
    </lan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
    </lan>
  </dhcpd>
  <unbound>
    <enable>1</enable>
  </unbound>
  <nat>
    <outbound>
      <mode>automatic</mode>
    </outbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from LAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[Allow public ICMP ping to this firewall from WAN]]></descr>
      <protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via SSH]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>22</port>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTP]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>80</port>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet4</ipprotocol>
      <statetype>keep state</statetype>
      <descr><![CDATA[CAUTION: Allow public remote access to this firewall via HTTPS]]></descr>
      <protocol>tcp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>443</port>
      </destination>
    </rule>
  </filter>
</opnsense>
It seems that the config file is read, as I am able to log in via the serial console with root and the password above.
From the serial console I can see that:
* LAN (vtnet1) gets an ip via dhcp
* WAN (vtnet0) gets an ip via dhcp (the public one)
But I am not able to ping/ssh/access the web ui.
Am I missing something?
Thanks
The WAN is in a private network?
If that's the case, you might want to remove these 2 lines (or change them to 0).
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
If not, you might want to keep your password info less public.
You've enabled SSH, but not allowed root login or password logins...
You want a static IP on LAN.
It's otherwise sparser than mine (as an appliance) but these stuck out.
Thanks for your reply.
The WAN is correctly assigned the public IP of the instance.
Apart from the root/password login, I am not even able to ping or connect via SSH.
I do not really care about password/security at this stage (I just want to make it run).
Anyway the instance has a firewall rule that allows traffic in only via my public IP.
After setting:
<blockpriv>0</blockpriv>
<blockbogons>0</blockbogons>
Still no ssh:
$ ssh -v root@<public_ip>
OpenSSH_9.7p1, OpenSSL 3.3.2 3 Sep 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Connecting to <public_ip> [<public_ip>] port 22.
With a public IP, you can revert the changes on bogons and private networks.
Can you ping from OPN? Option 7 at the console.
You don't seem to have a loopback interface:
<lo0>
  <internal_dynamic>1</internal_dynamic>
  <descr>Loopback</descr>
  <enable>1</enable>
  <if>lo0</if>
  <ipaddr>127.0.0.1</ipaddr>
  <ipaddrv6>::1</ipaddrv6>
  <subnet>8</subnet>
  <subnetv6>128</subnetv6>
  <type>none</type>
  <virtual>1</virtual>
</lo0>
In my case, all rules have IDs, for example:
<rule uuid="dd5c6d7d-9578-43f3-b528-7ddf44361b0a">
Generate a GUID per rule. I don't know if that's an issue though.
Once you solve your IP connectivity issues, you'll want these in the ssh section:
<passwordauth>1</passwordauth>
<permitrootlogin>1</permitrootlogin>
BTW, DHCPD is not enabled on LAN.
You can't access the FW rules via APIs. But you can monitor the FW live view using console option 10.
Option 9 shows connections.
Thanks for your reply.
In the end the problem was this: even though the serial console was showing the public IP with DHCP, switching to static made it work:
<interfaces>
  <wan>
    <enable>1</enable>
    <if>vtnet0</if>
    <ipaddr>IP_PUBLIC</ipaddr>
    <subnet>32</subnet>
    <gateway>WAN_GW</gateway>
    <blockpriv>1</blockpriv>
    <blockbogons>1</blockbogons>
  </wan>
...
<OPNsense>
  <Gateways version="1.0.0">
    <gateway_item uuid="179b59be-87d3-4f2a-b866-2664c7f31577">
      <disabled>0</disabled>
      <name>WAN_GW</name>
      <descr>HCloud default gateway</descr>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <gateway>172.31.1.1</gateway>
      <defaultgw>1</defaultgw>
      <fargw>1</fargw>
      <monitor_disable>1</monitor_disable>
      <monitor_noroute/>
      <monitor/>
      <force_down/>
      <priority>255</priority>
      <weight>1</weight>
      <latencylow/>
      <latencyhigh/>
      <losslow/>
      <losshigh/>
      <interval/>
      <time_period/>
      <loss_interval/>
      <data_length/>
    </gateway_item>
  </Gateways>
</OPNsense>
32 is probably not the correct prefix length for an Ethernet type interface.
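As an added example that is not part of this thread or of OPNsense's own tooling: a small stdlib-only Python script that checks a config.xml for the points raised in the two replies above (blockpriv set while the WAN sits on an RFC 1918 address, SSH enabled without permitrootlogin/passwordauth, no lo0 interface, an empty dhcpd enable, LAN as a DHCP client while serving DHCP, rules without a uuid) and for the far-gateway layout of the final post (a /32 WAN whose gateway lies outside the subnet needs fargw). The embedded sample config is constructed for the example, with TEST-NET-3 standing in for the instance's public IP; the element names are those used in the configs posted above, and the assumption that an explicit `<enable>1</enable>` is what dhcpd expects is mine, not something the thread confirms.

```python
"""Lint an OPNsense config.xml for the pitfalls raised in this thread.

Added example, not OPNsense's own tooling. Standard library only, so it runs on
the FreeBSD host before the file is copied to /conf/config.xml:
    python3 check_config.py /path/to/config.xml [address-the-WAN-actually-got]
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# What "Block private networks" on WAN drops, at minimum (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the shape of the first config in the thread combined with
# the static WAN and far gateway of the final post. 203.0.113.10 (TEST-NET-3)
# stands in for the instance's public IP; this is not a real deployment.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system><ssh><group>admins</group><enabled>enabled</enabled></ssh></system>
  <interfaces>
    <wan><enable>1</enable><if>vtnet0</if><ipaddr>203.0.113.10</ipaddr><subnet>32</subnet>
      <gateway>WAN_GW</gateway><blockpriv>1</blockpriv><blockbogons>1</blockbogons></wan>
    <lan><enable>1</enable><if>vtnet1</if><ipaddr>dhcp</ipaddr></lan>
  </interfaces>
  <dhcpd><lan><enable/><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan></dhcpd>
  <filter><rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>(self)</network><port>22</port></destination></rule></filter>
  <OPNsense><Gateways version="1.0.0"><gateway_item>
    <name>WAN_GW</name><interface>wan</interface><gateway>172.31.1.1</gateway>
    <defaultgw>1</defaultgw><fargw>1</fargw></gateway_item></Gateways></OPNsense>
</opnsense>
"""


def _text(node, path):
    """Stripped text of the first element at `path` under `node`, or None if absent."""
    el = node.find(path)
    if el is None:
        return None
    return (el.text or "").strip()


def check_config(xml_text, wan_address=None):
    """Return finding strings prefixed 'error: ', 'warn: ' or 'info: '.

    `wan_address` is the address the WAN actually received (as seen on the
    console); it drives the blockpriv check when the config just says dhcp.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. SSH: <enabled> alone does not let root in with a password (second reply).
    if _text(root, "system/ssh/enabled") == "enabled":
        if _text(root, "system/ssh/permitrootlogin") != "1":
            findings.append("warn: ssh is enabled but <permitrootlogin>1</permitrootlogin> is missing")
        if _text(root, "system/ssh/passwordauth") != "1":
            findings.append("warn: ssh is enabled but <passwordauth>1</passwordauth> is missing")

    # 2. A WAN on an RFC 1918 address with blockpriv set drops the traffic you want.
    wan_ip = _text(root, "interfaces/wan/ipaddr")
    live = wan_address or (wan_ip if wan_ip != "dhcp" else None)
    if live and _text(root, "interfaces/wan/blockpriv") == "1":
        ip = ipaddress.ip_address(live)
        if any(ip in n for n in RFC1918):
            findings.append(f"error: WAN address {ip} is private but <blockpriv>1</blockpriv> is set")

    # 3. A static WAN whose gateway is outside the WAN subnet needs <fargw>1</fargw>
    #    (the layout of the final post: /32 address, gateway 172.31.1.1).
    if wan_ip and wan_ip != "dhcp":
        prefix = _text(root, "interfaces/wan/subnet") or "32"
        net = ipaddress.ip_network(f"{wan_ip}/{prefix}", strict=False)
        gw_name = _text(root, "interfaces/wan/gateway")
        for item in root.findall("OPNsense/Gateways/gateway_item"):
            if _text(item, "name") != gw_name:
                continue
            gw = ipaddress.ip_address(_text(item, "gateway"))
            if gw not in net and _text(item, "fargw") != "1":
                findings.append(f"error: gateway {gw} is outside {net} but <fargw>1</fargw> is not set")

    # 4. The remaining items the second reply pointed out.
    if root.find("interfaces/lo0") is None:
        findings.append("info: no <lo0> loopback interface defined")
    if _text(root, "dhcpd/lan/enable") == "":  # assumption: an explicit 1 is expected
        findings.append("info: dhcpd on lan has an empty <enable/> rather than <enable>1</enable>")
    if _text(root, "interfaces/lan/ipaddr") == "dhcp" and root.find("dhcpd/lan") is not None:
        findings.append("warn: lan is a DHCP client while serving DHCP; give lan a static address")
    missing_uuid = sum(1 for r in root.findall("filter/rule") if "uuid" not in r.attrib)
    if missing_uuid:
        findings.append(f"info: {missing_uuid} filter rule(s) have no uuid attribute")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in check_config(text, wan_address=sys.argv[2] if len(sys.argv) > 2 else None):
        print(line)
```

Run against the sample it reports the two SSH warnings, the missing lo0, the empty dhcpd enable, the LAN-as-DHCP-client warning and the rule without a uuid, but no error: the /32 WAN with a gateway outside the subnet passes because fargw is set. Pass the address the console shows as the second argument when the WAN is on DHCP; an RFC 1918 address there together with blockpriv=1 is reported as an error, which is the situation the first reply asked about.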