Hi all.
I have used IPCop for a while, then moved to IPFire when IPCop closed down.
I very much enjoy the simplicity of it for a home lab environment.
But I always needed more interfaces than the 4 zones offered by IPFire. And that option is likely only to be introduced in 3.x, which might take years to be released.
So I am looking at OPNsense.
My question at this point:
Is there a recommended tutorial to set up an IPFire-like network? I know the "zones" term is not really industry standard, but it's just practical.
Any resource you can recommend to an OPNsense beginner to get an IPFire-like setup configured and running?
Thank you very much
best regards
me
Have you looked at the OPNsense Documentation (https://docs.opnsense.org/)? Specifically Security Zones (https://docs.opnsense.org/manual/how-tos/security-zones.html). I don't recall specifics from IPFire, so the concepts may not be precisely comparable. Also, Tutorials and FAQs (https://forum.opnsense.org/index.php?board=24.0) here.
Ohh, that's good input.
Thank you very much.
Going to dig myself into those :)
I looked closely at IPFire when first developing my understanding of firewalls and routing, loading both it and OPNsense and donating to both (hoping for IPFire v3) while I examined them. I found IPFire presented concepts cleanly in its otherwise dated interface and its user-driven documentation, but ultimately went for the greater capability and flexibility of OPNsense. IPFire can be nigh-dictatorial in its model. You can do "everything and more" in OPNsense, and its documentation, though in a different style, gives you both setups and detail. As ever, the user forum is a vital component of the information and Q&A system, so questions about any translation of concepts or implementation will be answered here.
I never had IPFire in production so cannot comment directly on working up that transition. While I keep an eye on IPFire by continuing to accept their e-mail announcements (curiosity), for my own circumstances there is no question that my choice was sound.
I think pf is a thing of beauty because as a home networking newcomer (speaking of myself only) I could grasp its fundamental mechanics from a simple, well written manual (https://www.openbsd.org/faq/pf/).
I feel that OPNsense presents pf in a very beautiful way and with a nice set of RFC-compliant defaults. It abstracts very little, but it also doesn't need to.
The fun thing about that flexibility, coupled with the fact that OPNsense doesn't force a particular design pattern, is that I find myself constantly experimenting as I come across different concepts from others. I started with separate sets of rules on each interface, but there was duplication. Then I started grouping rules. Then I came across different schools of thought on how to group rules, such as the OPNsense Zones document linked above and also this one (https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/).
After studying and comparing the two grouping methodologies, I think I finally boiled the differences down to this:
- The OPNsense Zones method is really grounded in a traditional enterprise perimeter security model with zones of "trust" and untrust. It uses Floating rules for inter-zone policy.
- Schnerring's method is grounded in a more zero-trust ideology except it doesn't start strict. It gives all local interfaces an initial baseline set of intranet access that can be further expanded (or restricted) as needed with interface-level overrides. It heavily leverages the pf quick/non-quick mechanism and doesn't use Floating rules.
This is honestly one of the more fun and interesting aspects of learning OPNsense for me :) Hope you have a similar experience, and it will be interesting to see how you decide to translate your IPFire experience to pf/OPN.
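To make the quick/non-quick mechanism mentioned above concrete, here is a small constructed pf.conf (added as an illustration, not taken from the thread, the linked guide, or an OPNsense-generated ruleset) in the OpenBSD pf syntax the post links to. Interface names, subnets and the "guest must not reach LAN" policy are assumptions; in OPNsense the same distinction is the rule's Quick checkbox.

```pf
# Constructed example: a baseline that gives every local interface intranet
# access, with a per-interface override. Assumed names and addresses.
wan      = "em0"
lan      = "em1"
guest    = "em2"
lan_net  = "10.0.1.0/24"
intranet = "{ 10.0.1.0/24, 10.0.2.0/24 }"

set skip on lo0

# Default deny. Logged so a blocked flow shows up in pflog for troubleshooting.
block log all

# Baseline, deliberately WITHOUT "quick": in pf the LAST matching rule wins,
# so any more specific rule placed later in the file can still override it.
pass in on { $lan $guest } inet from $intranet to $intranet
pass out on $wan inet from $intranet to any

# Non-quick override: later rule, more specific, wins by last-match.
# Guest devices get the baseline, minus the LAN subnet.
block in log on $guest inet from any to $lan_net

# Quick override: evaluation stops at the first "quick" rule that matches, so
# this decision is final no matter what broad "pass" rules are added below it.
# Useful when you want a restriction that cannot be accidentally reopened.
block in quick log on $guest inet proto tcp from any to $lan_net port 22

# Guest Internet access, still non-quick: DNS and web only.
pass in on $guest inet proto { tcp udp } from any to ! $intranet port { 53 80 443 }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` then prints the rules in the order pf evaluates them, which is the order that matters for the two override styles above.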