OPNsense Forum

English Forums => General Discussion => Topic started by: FrenchFries on August 16, 2017, 11:25:00 am

Title: Using two OPNsense appliances: filtering, services
Post by: FrenchFries on August 16, 2017, 11:25:00 am
In the background, I am trying to implement the French ANSSI recommendations:
Recommandations et méthodologie pour le nettoyage d'une politique de filtrage réseau d'un pare-feu ("Recommendations and methodology for cleaning up a firewall's network filtering policy") (https://www.ssi.gouv.fr/administration/guide/recommandations-et-methodologie-pour-le-nettoyage-dune-politique-de-filtrage-reseau-dun-pare-feu/)
In short, a firewall should be minimal, logging each important rule and cleaning the log to avoid mass-logging.
Minimal means that there should be no vital service running on the firewall, only a filtering router.
Hardened kernel... This is OPNsense.

So I am willing to use two OPNsense appliances:

The question is about the secondary appliance:
I am currently using FreeBSD on embedded devices for this purpose, but there is no hardened BSD.

Can OPNsense be configured without WAN as a normal computer, with only filtering rules and no routing, only a gateway pointing at the firewall? I think it could work ...

All your comments are welcome.
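As an added example (not from this thread or the OPNsense project), here is a small Python audit of a pf ruleset as printed by `pfctl -sr`, checking the two points from the ANSSI guide quoted above: every pass rule should log, and a catch-all block rule that logs is a candidate for mass logging. The rule lines are constructed for a single-interface appliance like the one discussed here.

```python
"""Audit a pf ruleset dump (``pfctl -sr`` output) for unlogged pass rules
and logged catch-all block rules.  Added example, not OPNsense code."""
import re

# Constructed sample of ``pfctl -sr`` output: one interface (vr1), GUI and
# SSH allowed in from a management network, everything else dropped.
SAMPLE_RULES = """\
block drop in log all
block drop in on vr1 all
pass in quick on vr1 proto tcp from 192.0.2.0/24 to (vr1) port = 443 flags S/SA keep state
pass in log quick on vr1 proto tcp from 192.0.2.0/24 to (vr1) port = 22 flags S/SA keep state
pass out log on vr1 all flags S/SA keep state
""".splitlines()

# pfctl prints the action, then the direction; "log" (if any) follows the direction.
RULE_RE = re.compile(r"^(?P<action>pass|block(?: drop| return)?)\s+(?P<dir>in|out)(?P<rest>.*)$")


def parse_rule(line):
    """Return a dict for a pass/block rule, or None for anything else
    (scrub, nat, anchor lines, blank lines)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "action": m.group("action").split()[0],      # "pass" or "block"
        "dir": m.group("dir"),
        "log": re.match(r"\s+log\b", rest) is not None,
        "catch_all": rest.rstrip().endswith(" all"),  # no proto/port/address match
        "text": line.strip(),
    }


def audit(lines):
    """Return (line_number, finding) pairs for rules that violate the policy."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse_rule(line)
        if r is None:
            continue
        if r["action"] == "pass" and not r["log"]:
            findings.append((n, "pass rule without log: its use cannot be reconstructed"))
        if r["action"] == "block" and r["log"] and r["catch_all"]:
            findings.append((n, "logged catch-all block: review for log flooding"))
    return findings


if __name__ == "__main__":
    for n, msg in audit(SAMPLE_RULES):
        print(f"line {n}: {msg}: {SAMPLE_RULES[n - 1]}")
```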
Title: Re: Using two OPNsense appliances: filtering, services
Post by: FrenchFries on August 16, 2017, 01:06:06 pm
Could you please move this post to "General discussion".

So I did the following: I used an old appliance to test an installation with one network card.
During installation on the serial console, I pressed 1) to assign interfaces.

Quote
Enter the WAN interface name or 'a' for auto-detection: vr1

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished):

The interfaces will be assigned as follows:

WAN  -> vr1

Do you want to proceed? [y/N]: y

Writing configuration...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring WAN interface...done.
Generating RRD graphs...done.

*** OPNsense.localdomain: OPNsense 17.7 (i386/OpenSSL) ***

 WAN (vr1)       ->

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Upgrade from console
  6) Reboot system                      13) Restore a backup
Title: Re: Using two OPNsense appliances: filtering, services
Post by: FrenchFries on August 16, 2017, 01:13:12 pm
Works great!

The only hint: during installation, choose one network card and assign it to WAN.
Title: Re: Using two OPNsense appliances: filtering, services
Post by: franco on August 16, 2017, 01:32:47 pm
Yes, this is what I usually do. The "WAN" is configured via DHCP and the GUI can be reached, as can SSH if enabled. Everything else is locked, but this way you can allow access through the firewall per service. It's great for a server-type setup, coupled with GUI-featured plugins or core services.

It also works with other software built manually from the ports tree; only then you need to configure these services as you would on a normal FreeBSD/HardenedBSD, through the rc system and manual configuration files.


Cheers,
Franco