Messages - CommonSense

#1
Thanks for the tips,
I did some thinking on how the system works and wanted to confirm whether the flow of data is like so:

1. Client Browser or Any app running on PC that needs internet access
2. Proxy with Caching and Filtering
3. Firewall
4. VPN
5. Internet

Is the flow of data in OPNsense from 1 to 5, and then back from 5 to 1?

#2
Quote from: bartjsmit on August 24, 2020, 03:55:15 PM
The OPNsense box needs interfaces to all the segments of your network. You can do this in several ways:

- Have separate NICs connect to separate switches (expensive)
- Use VLAN separation on the managed switch(es) and possibly OPNsense
- Virtualise the firewall and present different virtual switch interfaces

It is up to you which services you want to run on the firewall. You will need other devices if you want to self host. Raspberry Pi servers are fine for small networks. Your servers are best protected in their own segment, but you could have them on the LAN as well if you trust your LAN-based clients.

Do not run anything on port 80 if you can help it, other than to redirect clients to 443. There's a whole raft of HTTP exploits that are fixed by HTTPS. Let's Encrypt reduced the certificate cost to just effort.

The default port for VPN depends on the choice of software. OpenVPN is a good compromise between available documentation and client OS support. It can also share a port with an HTTPS connection to overcome restrictive client-side firewalls.

A very long time ago I wrote a script that emails you when there are OPNsense updates but it is much more fun to follow this forum ;-) The OPNsense twitter feed also notifies of patches.

Bart...

Thanks for the info, some profound points in there that would need some thinking and understanding since I'm just a noob in this domain.
I've yet to understand certain concepts pertaining to software firewalls and the other components they bring in, like proxy, VPN etc.
Although I do understand the terms, I can't currently visualize the flow of data, for instance between firewall, proxy and VPN.
I guess it's time for some homework!
Thanks again.
#3
Quote from: bartjsmit on August 24, 2020, 12:05:48 PM
Stick to general principles:

- do not host services on your firewall. DNS, DHCP, Proxy, etc. can all run on external servers
Would this mean that I would need 2 boxes, one running OPNsense and the other running all the other services like DHCP, proxy, antivirus etc.?
How would the 2 boxes be wired up then? Will the internet cable be connected directly to the firewall box, and then the LAN cable of the firewall box be connected to the other server where the services are running?


- minimise the number of inbound firewall rules. Use a VPN for external access where possible
For this, do you mean that I should only keep port 80 open and block other ports? Is OPNsense configured like so by default? VPN is one of the features that can be enabled in OPNsense, so I guess you are saying that I could enable and use that on the same box as the firewall.

- split your network into segments that don't interact outside the firewall. E.g. clients, IoT, guests, servers and management
OK, got it.

- patch all network clients and servers with security updates. Try them on test servers for important services
Would I need to manually check for security updates, or does OPNsense do that periodically?

OPNsense already has a hardened base OS, so you have a head start.
Good to know that.

Bart...
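The inbound-rule principles quoted in the two replies above (few inbound rules, external access over the VPN, nothing on port 80 except a redirect to 443) can be turned into a small audit. This is an added example, not code from the forum thread or from OPNsense: the `Rule` record is a constructed, simplified model of an inbound rule, not OPNsense's own rule store, and `VPN_PORTS` is an assumption (OpenVPN's default 1194/udp plus the 443/tcp port-share the reply mentions).

```python
from dataclasses import dataclass

# Inbound (WAN-side) ports accepted under "use a VPN for external access".
# 1194/udp is OpenVPN's default; 443/tcp is the HTTPS port OpenVPN can share.
# Both are assumptions for this constructed model, not read from a real config.
VPN_PORTS = {("udp", 1194), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    """A simplified inbound rule (constructed; the real OPNsense store is richer)."""
    action: str   # "pass" or "block"
    proto: str    # "tcp" or "udp"
    port: int
    service: str  # free-text label such as "openvpn", "http-redirect", "smb"


def audit_inbound(rules):
    """Return a list of finding strings. An empty list means the rule set
    follows the quoted principles: only VPN ports are passed inbound and
    port 80 carries nothing but a redirect to 443."""
    findings = []
    for r in rules:
        if r.action != "pass":
            continue  # block rules reduce exposure; only passes are checked
        if r.port == 80 and r.proto == "tcp":
            if r.service != "http-redirect":
                findings.append(
                    f"tcp/80 serves '{r.service}': only a redirect to 443 "
                    "should listen on port 80")
            continue
        if (r.proto, r.port) not in VPN_PORTS:
            findings.append(
                f"inbound pass on {r.proto}/{r.port} ('{r.service}') bypasses "
                "the VPN; reach this service over the VPN instead")
    return findings


def weak_ruleset():
    """Constructed rule set that violates the principles."""
    return [
        Rule("pass", "udp", 1194, "openvpn"),
        Rule("pass", "tcp", 80, "web-app"),   # plain-HTTP application exposed
        Rule("pass", "tcp", 445, "smb"),      # file sharing exposed to the WAN
        Rule("block", "tcp", 22, "ssh"),      # blocked, so not a finding
    ]


def hardened_ruleset():
    """Constructed rule set that follows the principles."""
    return [
        Rule("pass", "udp", 1194, "openvpn"),
        Rule("pass", "tcp", 443, "openvpn-port-share"),
        Rule("pass", "tcp", 80, "http-redirect"),
        Rule("block", "tcp", 445, "smb"),
    ]


if __name__ == "__main__":
    for name, rules in (("weak", weak_ruleset()), ("hardened", hardened_ruleset())):
        print(f"{name}: {audit_inbound(rules) or ['no findings']}")
```

Running the script reports two findings for the weak set (the HTTP application on 80 and SMB on 445) and none for the hardened set; the blocked rules are ignored because they only reduce exposure.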
#4
How do I configure OPNsense to make it very difficult to hack? (By hack I mean the hacker should not get access to the LAN.)

Would 2 OPNsense boxes help in this case? That would be 2 layers of firewall.

Is there any hardware device I can place after/before the OPNsense server that would further harden the setup?
#5
General Discussion / Re: USB 4G Dongle
August 23, 2020, 11:31:50 PM
I just installed OPNSense and it works as expected.
4G dongle for internet and 1 network interface for LAN.
#6
General Discussion / Re: USB 4G Dongle
August 23, 2020, 10:49:54 PM
When I insert the dongle in a Windows 7 PC it appears as a "Remote NDIS based Internet Sharing Device".
#7
General Discussion / [Solved] USB 4G Dongle
August 23, 2020, 05:38:37 PM
OPNSense noob here.
I hear that OPNsense needs 2 NICs for its operation.

My setup is a:
USB 4G dongle - this will be my primary and only connection to the internet; it will be connected to the computer with OPNsense installed by a USB cable.
1 NIC on motherboard - this will be connected to the LAN switch.

Will this setup be OK for OPNsense to function? Can it configure the USB 4G dongle for internet and use only 1 NIC for LAN?

I intend to use OPNSense as a web proxy (caching) and firewall.