OPNsense Forum

English Forums => General Discussion => Topic started by: Redfish on July 05, 2017, 02:27:47 pm

Title: Making the switch
Post by: Redfish on July 05, 2017, 02:27:47 pm
Hello all,

I’m fairly new to the whole firewall appliance idea.  Granted networking isn’t anything new to myself (the very basics anyways), played around and successfully implemented a Cisco (isdn) router years ago.  Just like a lot of home users, I’ve used dd-wrt and tomato without problems (nothing crazy configured).  As the years passed, I began to feel that those options just weren’t enough especially with the Snowden revelations and all that has come afterwards.  So began my quest to find something better, just by sheer luck, I stumbled across pfsense and opnsense.  Why I chose pfsense to begin with, well I’m at a loss.  I purchased a dell desktop that would become my firewall, added an additional nic and off I went.  In the beginning, I kept everything simple; no Ips/Ids, no vlans, just barebones.  As I began to learn, services were added, such as: openvpn client (don’t like the idea of my isp tracking my online presence), snort (well because I thought it was cool, using suricata now), pfblocker/dnsbl (no ads), and finally a single vlan (for gaming consoles and IoT).  Anyways, getting to the point, began to notice a not so friendly community (especially on reddit).  Lots of negativity flowing there towards those who question pfsense decisions and directions.  For that matter, you don’t dare criticize the software or the lack of lending a helping hand when those new need assistance (lots of posts go without help on the official forums too).  Now I understand those offering help are doing so by their own accord and I definitely appreciate that.  Just plain tired of a select few netgate employees berating those opinions that differ.  So begins my search for a new and helpful community (I’m fairly confident setting up pfsense and what’s needed on my side). Yesterday afternoon, I finally made the decision the time had come to move over to something better.
Downloaded and installed opnsense, unfortunately it wasn’t long before I felt overwhelmed, namely because of the GUI layout differences.  Struggled to make much progress, got the vpn up but wasn’t able to push anything out the interface (firewall rule in place directing all lan traffic that way).  Fiddled around for an hour or so without making any progress and time was of the essence.  Jumped back to pfsense and threw on my backup configuration only to be greeted by a non responsive box.  Finally managed to get things squared away, had to restore one thing at a time.  So here I am, asking if anyone would mind pointing me in the right direction to making the switch to opnsense permanent.  If needed I can provide any pertinent information pertaining to my current pfsense setup.  I know everyone is busy and the last thing you need is someone looking for you to hold their hand (hopefully that’s not the case for me).

Thanks in advance, I greatly look forward to making this happen.

Title: Re: Making the switch
Post by: bartjsmit on July 05, 2017, 06:44:38 pm
Hi Rob,

Instead of transplanting an organically grown system in one go, why don't you build a second firewall on OPNsense and set up a test schedule where you implement a new feature on OPNsense, switch to test and switch back again for continued normal use?

There are various posts and how-to's in this forum and the docs https://docs.opnsense.org/index.html to help you.

Title: Re: Making the switch
Post by: Redfish on July 05, 2017, 07:36:23 pm
Hello Bart,

Appreciate the response and suggestion.  I’ll have to admit, yesterday’s fiasco was unplanned and poorly implemented (last minute rush on my part-currently have family visiting so no internet = no good).  Unfortunately, I failed to familiarize myself with the opnsense interface before tackling the task at hand.  Like I mentioned before, grew tired of the negativity and allowed my emotions to direct instead of taking the logical approach.  Over the next several days I plan to study the provided documentation and scour the forums for guidance.  Once I have a better understanding and the allotted time, I plan to give this another go (have a laptop that I may use to better familiarize myself with the GUI and will give me the opportunity to go exploring).  Quite excited to dive in and learn (enjoyed learning and exploring what pfsense had to offer, over the course of time I managed to accumulate enough to provide basic assistance to some others as well).  Again I appreciate your response and suggestions (which I will definitely follow), in the meantime if you or anyone else has any tips please don’t hesitate to post (all information is welcome).

Thanks for your time and consideration,

Title: Re: Making the switch
Post by: Redfish on July 05, 2017, 10:15:42 pm
Just have to say, after spending a short time perusing the forums, I sense a much friendlier and polite community.  This is a welcomed surprise and I hope eventually I’ll also be able to contribute in my ever so small way.  FYI...fired up the laptop to explore opnsense and have begun to understand where I went wrong in yesterday’s endeavor.

Title: Re: Making the switch
Post by: Redfish on July 07, 2017, 08:37:10 pm
Just a quick update, had some downtime today and decided to give it another go.  Thankfully I took the time to familiarize myself with the GUI this time, everything went without a hitch.  Just need to tune suricata, figure out how to block ads across the network (lan and vlan) and finally set up UPS monitoring.  Definitely well on my way now.

Title: Re: Making the switch
Post by: fabian on July 07, 2017, 09:08:09 pm
Ads can be blocked via
+ Firewall (block IPs of the ad servers)
+ DNS (block ad server domains)
+ IPS (would not recommend doing that)
+ (transparent) Proxy (via URL or host list in the proxy or an external ICAP server (if more powerful filtering is required)).

Title: Re: Making the switch
Post by: Redfish on July 07, 2017, 10:11:54 pm
Hello Fabian,

Thanks for responding.  I’m currently researching a few ideas, came across this https://devinstechblog.com/block-ads-with-dns-in-opnsense/ Haven’t had the chance to give it a go but in general sounds very similar to what I used on pfsense (dnsbl).  Also have a Raspberry Pi 3 that I used for ad blocking prior to pfsense, so that’s an option I’m also considering.  I appreciate your suggestions and will look into all that you provided.  Once I become more familiar and confident using opnsense I’m considering creating a few basic guides that include graphics (would this be something that would help the community?).  I hope this suggestion hasn’t stepped on anyone’s toes, just looking for a way to repay the community. 

Thanks again,