Messages - Mario_Rossi

#1
26.1, 26.4 Series / Re: Suricata - Divert (IPS)
April 18, 2026, 08:25:09 PM
I did some research and testing on my installation.
I posted the results in this thread on my forum: https://hwtweakers.net/forum/viewtopic.php?t=48471
I know, it's in Italian, but I know that with Google Translate, it shouldn't be a problem anymore.

If it could be useful to the community, you could copy/translate/paste and integrate the official guides.
It's not exactly a super detailed guide from scratch, and I've overlooked several steps, but it should still be helpful.
#2
26.1, 26.4 Series / Re: Suricata - Divert (IPS)
April 14, 2026, 07:34:09 PM
In my opinion, two much-appreciated improvements would be to write an in-depth guide for each individual field in this window.
[attachment: screenshot not viewable]

Another thing I didn't find was a list of what each individual ruleset does. The name isn't self-explanatory, clicking Edit doesn't provide any useful information, and I couldn't find a comprehensive description on the rule writer's website.
[attachment: screenshot not viewable]
#3
26.1, 26.4 Series / Re: Suricata - Divert (IPS)
April 12, 2026, 05:52:36 PM
I've been using OPNsense for several years and had IPS mode enabled for a long time.
With the update to version 26, I started migrating to the new options.
To avoid potential problems, I reset Suricata and started over with Divert mode.
Honestly, I'm quite confused; I'm struggling to find a thorough guide that explains, even for beginners, how to properly tune Rules and Policies.
#4
Okay, but here we're still talking about DNS filters on more or less standard ports.
Everything that's encrypted DNS and on non-standard ports can't be stopped with these lists on unbound or various DNS servers.
We need a layer 7, possibly without HTTPS inspection, but one that can at least understand from the patterns what's in the packet and can at least read the SNI field.
#5
I think I've achieved a good level of DNS management.

These are my NAT rules:
[attachment: NAT rules screenshot not viewable]
I take everything not destined for AGH on port 53 and 853 and forward it to AGH.
I take everything not arriving from AGH to Unbound and forward it to AGH (so only AGH can query Unbound).
I take everything not arriving from Unbound/OPNsense to DNSCrypt and forward it to AGH (so only Unbound/OPNsense can query DNSCrypt).


While these are my firewall rules:
[attachment: firewall rules screenshot not viewable]
All local networks can reach AGH on ports 53/443/853 UDP/TCP.
The smart TV on the Guest VLAN can only access the Internet through ports 80 and 443 UDP/TCP; everything else is blocked.
Other objects on the Guest VLAN can only access the Internet.

This is the AGH encryption configuration
[attachment: AGH encryption settings screenshot not viewable]

In the AGH logs, I see that it handles:
Type: A, Simple DNS
Type: AAAA, Simple DNS
Type: A, DNS over TLS
Type: HTTPS, Simple DNS

All DNS traffic (and variants) passing through standard ports should be handled.
Now everything else is missing, and for that I can't find anything better than a Layer-7 filter.
Without paying for external software like Zenarmor, the only valid alternative at home is Suricata.
#6
Thanks for the advice.
I was looking for RFC1918 and couldn't find it, then I realized I had to create an alias with
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Then I deleted the two rules from the tutorial and created just one with source VLAN5 and destination !RFC 1918.
Now I'm testing it and it seems to work... AGH responds because there's an upstream rule that allows all VLANs to communicate with the AGH CT, but everything in the internal VLANs isn't reachable because there's no rule that allows it.
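As an added illustration (not the poster's configuration or any OPNsense code), the following Python model plays through the three NAT redirects and the firewall rules from post #5 together with the single "source VLAN5, destination !RFC1918" rule from post #6, in pf's order: rdr first, then the filter on the translated destination. All addresses are constructed placeholders; the guest VLAN is the only VLAN modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed lab addresses; the poster's real IPs and interfaces are not on the page.
AGH = "192.168.1.10"        # AdGuard Home container on the LAN
OPNSENSE = "192.168.1.1"    # LAN gateway: Unbound on 35353, DNSCrypt-Proxy on 45353
UNBOUND_PORT, DNSCRYPT_PORT = 35353, 45353
SMART_TV = "192.168.5.20"   # the guest-VLAN smart TV (constructed address)
GUEST_VLAN = ip_network("192.168.5.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside the RFC1918 alias."""
    return any(ip_address(addr) in net for net in RFC1918)


def nat_redirect(src: str, dst: str, dport: int) -> tuple:
    """The three port-forward rules, first match wins; returns translated (dst, dport)."""
    if dport in (53, 853) and dst != AGH:                  # DNS/DoT to anything but AGH -> AGH
        return AGH, dport
    if dst == OPNSENSE and dport == UNBOUND_PORT and src != AGH:      # only AGH may query Unbound
        return AGH, 53
    if dst == OPNSENSE and dport == DNSCRYPT_PORT and src != OPNSENSE:  # only Unbound/OPNsense may query DNSCrypt
        return AGH, 53
    return dst, dport


def firewall_pass(src: str, dst: str, dport: int) -> bool:
    """Filter rules evaluated on the post-NAT destination; unmatched flows hit the default deny."""
    if is_private(src) and dst == AGH and dport in (53, 443, 853):   # all local nets -> AGH
        return True
    if ip_address(src) in GUEST_VLAN:
        if is_private(dst):          # the single "source VLAN5, destination !RFC1918" rule
            return False
        if src == SMART_TV:          # TV: Internet on 80/443 only
            return dport in (80, 443)
        return True                  # other guest devices: Internet only, any port
    return False


def decide(src: str, dst: str, dport: int) -> tuple:
    """One flow end to end: NAT rewrite, then filter verdict, plus where it was sent."""
    ndst, nport = nat_redirect(src, dst, dport)
    return firewall_pass(src, ndst, nport), ndst, nport


if __name__ == "__main__":
    print(decide("192.168.5.30", "8.8.8.8", 53))          # pinned to AGH and allowed
    print(decide("192.168.5.30", "192.168.1.50", 445))    # guest -> LAN host blocked
```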
#7
Um, okay, I'll think about it... it seemed more intuitive to make a "pass to WAN" rule, but what you're saying makes sense.

P.S. I switched from the old rule system to the new one, so I find myself having to fix several things that used to work and now don't.
#8
Hi, I'm struggling with the VLAN for the guest WiFi. I've read the official guide https://docs.opnsense.org/manual/how-tos/guestnet.html, but I have a question.
Basically, a firewall blocks everything that isn't explicitly allowed.
If I understand correctly, the tutorial says to create a rule to block access to the VLANs we don't want guests to access, and then create an "any-any" rule. This configuration doesn't seem like best practice; I would expect one or a series of rules to allow only what's needed.

I should point out that by following the guide, devices connecting to the guest WiFi access the internet correctly and don't see objects on the LAN. However, I tried to configure it to only allow what's needed, but I couldn't.

I'll add some details about my network topology (very common) that might help understand what actually needs to be done to achieve this goal:

FTTH - ONT - OPNsense WAN - OPNsense - OPNsense LAN (multi-VLAN) - managed L3 switch - client + managed access point with VLAN support.
Default VLAN 1 (LAN): 192.168.1.0/24
VLAN2 (Wireguard LAN): 192.168.2.0/24
VLAN3 (Video Surveillance): 192.168.3.0/24
VLAN4 (IoT): 192.168.4.0/24
VLAN5 (Guest): 192.168.5.0/24
VLAN6 (Untrusted/Unfiltered Devices): 192.168.6.0/24
VLAN7 (Management): 192.168.7.0/24

Adguard Home is on my LAN. I have a firewall rule that allows all VLANs to reach the AGH CT on ports 53/443/853.
If I wanted VLAN5 to only reach AGH and the Internet, excluding everything else, how would I write the rule?
With the initial pass rule 53/443/853 to 192.168.1.x (AGH), I see traffic passing through VLAN5 and reaching the DNS server correctly. With other pass rules to the WAN, the most I can get is a Default deny/state violation rule.

I'm probably stuck on something I'm missing.
#9
Okay, my intent wasn't to bring up kids and the like.
And the fact that you mention 802.1x reminds me of another thing to implement/test: NAC functionality.
#10
Quote from: meyergru on April 06, 2026, 07:45:11 PM
Quote from: Mario_Rossi on April 06, 2026, 05:59:55 PM
The next step is to understand how to do and implement https inspection.

Easy: You don't. See this, point 12.

"You can't" is relative; point 12 itself states that it's difficult (not impossible) and requires resources that can only be justified within a corporate context.

At work, we have Palo Alto and perform https inspection, with, of course, bypass rules that we often add.
It's definitely a very different context; we have AD and distribute certificates via policies, as well as a ton of integrations between Palo Alto and the Microsoft world (Entra).

A home lab should be a place where you can experiment and gain experience without worrying about shutting down the entire company.
#11
Quote from: cookiemonster on April 04, 2026, 09:02:06 PM
You can, if you wanted, run AdGuardHome on your OPNsense. Simply add the os-adguardhome-maxit plugin.

I don't like messing around with unofficial plugins or those that require "trickling."
I tried that plugin a while ago, but it took up hardware resources and required ssh activity for firewall adjustments I didn't like.
I installed AGH on a Proxmox LXC. One day, with more time, I think I'll move it to the Docker VM.

Meanwhile, I've managed to get everything working in the following chain:
  • AGH on the external container responds on ports 53/443/853 and forwards to Unbound on 35353
  • Unbound listens on 35353 and forwards to DNSCrypt-Proxy on 127.0.0.1:45353
  • DNSCrypt-Proxy listens on 45353 and forwards to a DNSCrypt/DoH/DNSSEC/NoLog/NoFilter/Ephemeral Keys/TLS Disable Session Tickets server
AGH filters (no cache), Unbound caches and resolves internal addresses, and DNSCrypt-Proxy (no cache) makes the external requests.

The firewall passes all requests on 53/853 from the various VLANs to the AGH IP only and drops them from other IPs.
With a NAT rule, I intercept all requests made to the various IPs on ports 53/853 and forward them to AGH.

Meanwhile, I also managed to create a wildcard certificate for my lab using the acme plugin (I have a domain/site on OVH) and I'm gradually adding the certificates to the various services. For now, I've automated copying the certificates to the AGH CT.

The next step is to understand how to do and implement https inspection.
#12
We've already done the simple things... now let's move on to the complex ones XD

Jokes aside, I agree with what you write.
Anyway, sometimes it's nice to experiment.
At work, we use a Palo Alto firewall; the approach is fundamentally different, but not any simpler... quite the opposite.

Updating OPNsense made my unbound and firewall rules a bit tangled up, so I ran into some serious problems.
I quickly dug up the AdGuard Home CT, which I stored in Proxmox, reset unbound, and redid the basic firewall and DHCP rules.

I've been wanting to experiment with certificates, proxies, and IPs for a while.

I read a lot of requests about DNS management, but they're always very limited to specific cases. I wanted to create a broader discussion so that users looking for information can find a starting point.

Your point remains very valid. I went from a non-smart TV to a 2025 Samsung, and boy, are they full of junk.
I basically reject everything, but if you want to use some things, you have to accept them. I was thinking about switching to a Tegra, but it's always the same old story, the same if I decided to use a mini PC... besides the fact that they're still expensive devices, consume a lot of power, and need maintenance.
Being able to leverage OPNsense and everything else around it to improve the situation wouldn't be bad.


P.S. I use Firefox as my primary browser and Vivaldi as my secondary one.
I'm a Microsoft system administrator, so I can't migrate to Linux :-P
#13
OK, that's a start.

I would therefore divide the issue into two parts:
  • Filter requests from clients within the network
    • Smart TVs
    • Android devices
    • various "smart" systems
    • Clients (win/linux/ios/etc)
  • Improve privacy.

I know that smart TVs and Android systems with GAPPS are the most complex to filter.
Their manufacturers have vested interests and make a lot of money profiling users, so they do everything they can to obtain as much data as possible.
For other "smart" devices, it's necessary to analyze them on a case-by-case basis.
Clients are potentially the simplest to manage, although much also depends on the individual applications, which could bypass the system DNS and use other ones.

According to my information, the situation is as follows:
  • Classic DNS on port 53: easy to intercept and filter
  • DoH TCP/443: requires MITM to be analyzed
  • DoT TCP/853: requires MITM to be analyzed
  • DoQ TCP/853: requires MITM to be analyzed

  • Android (with GApps): DoT TCP/853
  • Apple: DoT TCP/853 + DoH TCP/443
  • Browser: (Chrome Secure DNS/Firefox TRR): DoH TCP/443 but filterable with an extension like AdGuard

DoH and DoQ are easily blocked if they use port 853; block that with the firewall and the systems must use something else.

There's little you can do about DoH; either you start doing MITM or it passes.
And this could be a separate section.

For firewall exit, I see the following applicable strategies:
  • Full recursive (DNSSEC + QNAME minimization)
  • Encrypted forwarder (DoT/DoH/DoQ)
  • ODoH / Anonymized DNSCrypt
As you rightly said, it's more of a matter of choosing the lesser of two evils.
#14
Hi, I'm looking for information, but the topic is very complex and fragmented. I'm not sure if this is the right section; if so, I apologize.

The question is simple to say, but far from done.
On the one hand, I'd like my firewall to monitor all DNS queries to filter out ads and other malicious/unwanted content. On the other, I'd like all outgoing queries from my firewall to be secure and anonymized (as much as possible).

I've found several discussions online, but they're starting to get old, so they don't match the latest versions of OPNsense and the various plugins/services, or things have simply changed.

I'd like to start a discussion, perhaps to be updated over time based on the evolution of OPNsense and the world out there. Possibly divided into sections for those who use third-party plugins like PiHole/ADGuard integrated into the OPNsense installation or on other VMs/CTs/devices within their network, those who only use unbound/firewall rules, and those who want to use a combination of these tools. As you can imagine, it's all incredibly complex and has a lot of variables.
#15
Sorry for my ignorance, I read the link and I see they are up to version 2.
How do I update the plugin on my OPNsense installation?