OPNsense Forum
English Forums => General Discussion => Topic started by: ezra55 on December 24, 2017, 04:03:29 pm
-
He guys,
Been working on this setup for quite a while now. I'd like some pointers and expert views on how I've setup the system. I cannot test it yet since I'm away from home for a few more weeks. I'd like to have it ready for when I return home. I have an OPNsense box with:
- Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)
- 4 GB RAM DDR3
- 16 GB SSD
- 2GB SWAP, VAR and TMP in RAM
- 4x Port - Interfaces: ESXi, LAN, LAN2 (unused for now), WIFI, WAN
- OPNsense 17.7.5-amd64
- FreeBSD 11.0-RELEASE-p12
- OpenSSL 1.0.2l 25 May 2017
- 1x Wifi Onboard (Used as guest network/IOT devices with no access to other NIC's only HTTP/HTTPS/DNS)
- 1x Wireless AP (2.4 and 5 ghz) attached to Interface LAN
- DHCP server enabled on: ESXi, LAN, WIFI
- Static DHCP entries created with MAC addresses for all existing devices
- Aliases for all existing devices and networks
- WAN address is for now local to have some internet connection, this will change once I install the router in my network for real
My goals are the following:
- Setup 4x OpenVPN client (done)
- Setup 1x OpenVPN server (done)
- Setup a FailoverVPN gateway group for all of the 4 VPN clients (done)
- Block all access to google's DNS (done)
- Route Netflix IP's over default ISP DHCP WAN (done)
- Route OPNsense traffic over the FailoverVPN
- Route All traffic over the FailoverVPN traffic https://forum.opnsense.org/index.php?topic=4979.0 (https://forum.opnsense.org/index.php?topic=4979.0) See screen (done)
- Block All traffic to my default ISP DHCP gateway See screen(done)
- Use 2x DNS server for the entire network/system (VPN company provided DNS servers: 209.222.18.218 & 209.222.18.222)(done)
- Block all DNS requests to only use unbound DNS which in turn uses the servers mentioned above (done)
- Block traffic from WIFI to all interfaces, only allow internet access and OPNsense as DNS
- For now allow ESXi, LAN to access all interfaces. Later I will tighten these to only allow certain ports in and out on ESXi to LAN with aliases
- Block all Plex metrics traffic with alias metrics.plex.tv, floating rule?
Port forwards:
https://imgur.com/zStbMCR (https://imgur.com/zStbMCR)
Rules:
Floating
https://imgur.com/P0gGbkJ (https://imgur.com/P0gGbkJ)
ESXi
https://imgur.com/qz9W80U (https://imgur.com/qz9W80U)
LAN
https://imgur.com/UCeeTdV (https://imgur.com/UCeeTdV)
LAN2
https://imgur.com/5yQlyCc (https://imgur.com/5yQlyCc)
OPENVPN (server)
https://imgur.com/VUGazFX (https://imgur.com/VUGazFX)
PIA
https://imgur.com/XtkCUSa (https://imgur.com/XtkCUSa)
PIA2
https://imgur.com/iEVnFfx (https://imgur.com/iEVnFfx)
PIA3
https://imgur.com/7FhKVu0 (https://imgur.com/7FhKVu0)
PIA4
https://imgur.com/O5rtTdR (https://imgur.com/O5rtTdR)
WAN
https://imgur.com/IsLO9Kt (https://imgur.com/IsLO9Kt)
WIFI
https://imgur.com/UjpZsvc (https://imgur.com/UjpZsvc)
Outbound NAT:
https://imgur.com/HLwHexX (https://imgur.com/HLwHexX)
https://imgur.com/Y3jRUbi (https://imgur.com/Y3jRUbi)
https://imgur.com/fgOMWwY (https://imgur.com/fgOMWwY)
Gateways:
https://imgur.com/3dfOYes (https://imgur.com/3dfOYes)
groups:
https://imgur.com/a/AilFa (https://imgur.com/a/AilFa)
Interfaces:
https://imgur.com/r9WwokQ (https://imgur.com/r9WwokQ)
General settings (DNS):
https://imgur.com/RdKVSKv (https://imgur.com/RdKVSKv)
Unbound DNS:
https://imgur.com/m2DMyAK (https://imgur.com/m2DMyAK)
DNS redirect rules:
To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.
Before adding this rule, ensure the DNS Forwarder or DNS Resovler is configured to bind and answer queries on Localhost, or All interfaces.
In the following example, the LAN interface is used, but it could be used for any local interface. Change the Interface and Destination as needed.
Navigate to Firewall > NAT, Port Forward tab
Click fa-level-up Add to create a new rule
Fill in the following fields on the port forward rule:
Interface: LAN
Protocol: TCP/UDP
Destination: Invert Match checked, LAN Address
Destination Port Range: 53 (DNS)
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53 (DNS)
Description: Redirect DNS
NAT Reflection: Disable
This procedure will allow the firewall to block DNS requests to servers that are off this network. This can force DNS requests from local clients to use the DNS Forwarder or Resolver on OPNSense for resolution. When combined with OpenDNS, this allows DNS-based content filtering to be enforced on the local network.
Setup OpenDNS servers (or whatever DNS servers are preferred) in System > General.
Add a firewall rule on Firewall > Rules, LAN tab permitting TCP/UDP source:any to the firewalls LAN IP Address, port 53 (destination IP and port)
Move this newly created rule from step #2 to the very top of the LAN rules
Add a new rule blocking protocol TCP/UDP source:any destination:any.
Move the rule created in step #4 to the second position behind the permit rule that was moved in step #3.
That’s it. Enjoy the fact that the hosts behind OPNSense can only talk to the built in DNS resolver running on LAN which uses your DNS.
Hope you guys can help me out to achieve some of my goals!
Thanks and merry Christmas!!
-
Anyone?
-
For your own experience it would be better to try it out yourself and only ask if you have a specific problem. From what I read most things should easily bei done. I havent check all the screenshots since time is limited
-
Yes, thanks...
Anyone else?