OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: Sapiens on May 29, 2021, 10:27:01 am

Title: CONFIGURE HARDWARE TO INSTALL OPNsense
Post by: Sapiens on May 29, 2021, 10:27:01 am
Hi,
I do not know if this is the right forum...
I am trying to improve my LAN and to separate LAN from WAN to install OPNsense. Right now I have this configuration. Now I have everything coming from WAN going through a router (ER-6P) >> switch (USW-16-POE) >> all devices in LAN (PC, NAS, cameras, etc.) in the same IP range 192.168.1.0/24. This is working fine.

However, I was hit recently by ransomware. After looking at the possible solutions to improve my network I have considered installing OPNsense on a mini PC. My understanding is that I need to separate the WAN from the LAN and send all the traffic from the ER-6P to OPNsense first and then back to the switch to be distributed, filtered, to the LAN. Therefore all traffic from the router should go to OPNsense, and for this it looks like I need a second dedicated network card to send the filtered traffic back to the switch, and the switch will serve all traffic to the LAN once it has been filtered by OPNsense.

However, I have 3 ETH unused ports in my router. I would like to ask if I could use an empty port to do the same. If this is the case I would appreciate a link on how to configure this. I have attached an image of my actual network.
Thanks
Title: Re: CONFIGURE HARDWARE TO INSTALL OPNsense
Post by: Antaris on May 30, 2021, 01:10:26 pm
That way you will make double NAT... There is an option to use OPNsense with Sensei as a transparent L2 filter, but you will need at least 3 ports, and 2 of the NICs must be bridge devices having the same kernel device (e.g. all em, igb etc.) and the same number of RX/TX queues. Why not just consider replacing the ER-6P with OPNsense?
Title: Re: CONFIGURE HARDWARE TO INSTALL OPNsense
Post by: errored out on August 10, 2021, 08:19:22 am
Agree. For the configuration you described, it does not make sense to have 2 firewalls. If anything, it adds a lot of complexity for something that should be very simple. Is there a specific reason to use opnsense over your edgerouter? If you're not going to use the IPS / proxy, etc. that opnsense has and edgerouter doesn't provide (I'm guessing) then there is not a reason to remove your ER.

If you want to remove your equipment and put opnsense, that's fine. I'm trying to explain your easiest option.
Title: Re: CONFIGURE HARDWARE TO INSTALL OPNsense
Post by: Vilhonator on August 10, 2021, 04:10:50 pm
It is just best to buy opnsense from https://shop.opnsense.com/ (trust me, building your own firewall won't really save you much money since firewalls require VERY specific hardware to work properly, especially open-source firewalls. For example, you can't install opnsense on some of the HP ProLiant microservers).

The only protection you might have against ransomware with opnsense is to have IPS enabled and to use the maltrail plugin with its automated alias, adding that alias to firewall block rules.

Other than that, getting a "better" firewall etc. won't help you, since firewalls don't by themselves have anything to detect malware and all they do is either block, reject or allow connections based on firewall rules.
Title: Re: CONFIGURE HARDWARE TO INSTALL OPNsense
Post by: errored out on August 10, 2021, 11:28:50 pm
I agree with most of what Vilhonator says. You don't need to purchase the firewall from opnsense. It may be the ideal method for you; however, many users here install as a VM, or on built machines. I've run on different hardware for pf and opn senses.

The one thing that sticks out is making sure you have the right hardware, which usually breaks down to Intel processors (AMD is fine, just had a few oddities with them for unusual configurations) and Intel NICs (I have used Broadcom and don't remember any problems with them). Just avoid Realtek NICs.