Messages - andrewoliv

#1
I do not think OPNsense has this capability. However, I have discovered Vilfo recently. I was going to set up OPNsense as a VPN router but instead I installed Vilfo. Vilfo is a full-featured VPN router. WWW.Vilfo.com

There is a Firefox extension that works in conjunction with your Vilfo appliance (I installed it on a Protectli appliance). This extension allows you to choose by URL what goes through a VPN and what does not.

It was the main reason I moved away from OpnSense for this effort.
I still have an OpnSense firewall.
#2
Got this book from Apple iBooks about a week ago. It's an amazing resource and has become my go-to source for anything OPNsense related.

Highly suggest it.

Author:
Julio Cesar Bueno de Camargo

#3
Klaus

I am looking for a url that defines the Crowdsec block list as a text file.

Something like this:

http://cinsscore.com/list/ci-badguys.txt

I can build an alias with a URL like that. I can't seem to find it on the CrowdSec blog article you sent.

I find this:

http://cslist.domain.tld/list.txt

Not sure what "domain.tld" means here (I understand the terms domain and top-level domain but am not sure how to apply them to this URL). Is "list.txt" a real file or just an example?
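Whatever the feed's hostname turns out to be, a URL-table alias only reads one address or CIDR per line, with `#` comments, so a list is worth sanity-checking before pointing the firewall at it. The script below is an added example, not part of this post or of CrowdSec's tooling: it parses a constructed sample in that layout, rejects malformed lines and anything overlapping RFC 1918/loopback space (a stray private range in a block alias would cut off your own LAN), and collapses duplicate or nested entries.

```python
import ipaddress

# Constructed sample in the one-entry-per-line layout that URL-table aliases
# read: an IPv4/IPv6 address or CIDR per line, '#' starts a comment.
SAMPLE_LIST = """\
# constructed sample, not a real feed
203.0.113.5
198.51.100.0/24
  198.51.100.7   # already covered by the /24 above
not-an-address
203.0.113.5
10.0.0.0/8
2001:db8::/32
"""

# Ranges a home firewall should never import into a block alias.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def touches_local(net) -> bool:
    """True if the network overlaps any range in NEVER_BLOCK."""
    return any(r.version == net.version and net.overlaps(r) for r in NEVER_BLOCK)


def build_alias_entries(text: str) -> tuple[list[str], list[str]]:
    """Parse a blocklist body into (accepted, rejected).

    accepted: unique, collapsed networks in canonical 'addr/prefix' form
    rejected: lines that were not valid networks or that hit NEVER_BLOCK
    """
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if touches_local(net):
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).add(net)
    # Merge duplicates and nested entries (a /32 inside a /24 disappears).
    accepted = [str(n) for n in ipaddress.collapse_addresses(sorted(v4))]
    accepted += [str(n) for n in ipaddress.collapse_addresses(sorted(v6))]
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = build_alias_entries(SAMPLE_LIST)
    print("alias entries:", ok)
    print("rejected:", bad)
```

Run it against a downloaded list (read the file into `build_alias_entries`) and only load the feed once the rejected list contains nothing surprising.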
#4
OK,

so you're suggesting I need to create an alias and a floating rule, like I have for other IP blocklists, based on the link mentioned in this blog:

https://blog.vacum.se/updated-blocklist-export-for-crowdsec/

Then my FW will block incoming requests from the IP addresses on the CrowdSec IP blacklist, just like my firewall blocks the IPs from the CIArmy blocklist.
#5
Edwin

Yes, there are some guides and tutorials all over the internet. Some are really good, most are really bad. Also, there is not one central source, so I had to do extensive research to figure out what I was trying to do. In the beginning the "approach" is so important. I was using Sensei and Suricata and I didn't need them. In the end I figured out most of what I was trying to do in Sensei and Suricata was easier to accomplish in the firewall. I just had to learn how, which was yet another challenge.

I may go back to Sensei at some point but not until I have maximized what I can get from OPNsense. You brought up a good point about end-to-end encryption and in most cases the FW may not help. So features like Unbound ad blocking and blocking apps in Sensei may be the next step.

I see you seem to have a focus on VLANs. Why? My HW has a WAN port and a LAN port, OPT1 and OPT2, so I had enough ports for subnets for a home network. All my HW ports are being used, so if I need more subnets I will have to start using VLANs. But is there another advantage I am missing?

#6
Klaus thank you for reaching out.

I think so... I wrote that before...

I installed the unofficial CrowdSec plug-in for OpnSense. That installed:

A CrowdSec agent that protects the OpnSense WebGUI

A LAPI that I have no idea what that does

and a firewall bouncer that will deny an external attack from a bad IP attacking the WebGUI.

Here is what is explained:

"Out of the box, by enabling them in the "Settings" tab, they can protect the OPNsense server by receiving thousands of IP addresses of active attackers, which are immediately banned at the firewall level. In addition, the logs of the ssh service and OPNsense administration interface are analyzed for possible brute-force attacks; any such scenario triggers a ban and is reported to the CrowdSec Central API (meaning timestamp, scenario, attacking IP).

Other attack behaviors can be recognized on the OPNsense server and its plugins, or any other agent connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts)."

My understanding from reading the above is that I have all I need from CrowdSec. At the firewall level bad IPs will be blocked regardless of whether they are attacking the WebGUI or not. Is this correct, or is there more I need to do?
#7
Good points.

I believe there is a large group of people (addressable market) who understand the value of a "network appliance" like OpnSense (since OpnSense is more than a firewall), yet lack the technical ability to configure one.

All consumers want is fast, easy and cheap. Yet the industry can only deliver two of those things: if it's easy and fast it ain't cheap, if it's fast and cheap it ain't easy, etc. etc.

Thus the need for a guide. OpnSense is fast and cheap but it ain't easy. A guide that explains the steps and the "why" is necessary.

I started to write one based on my own experience; however, I don't believe I have the expertise to do so. I will most likely continue that endeavor and have it edited by one of my old engineers.
#8
Very good suggestions that should be in a guide!

An outline would look something like this.

1. Where to install the OpnSense appliance? Replace the primary router, in front of the primary router, or behind the primary router?

2. How to keep the bad guys out
    a. Build an alias using a block list and GeoIP (some of your examples would go here)
    b. How to create a floating rule using an alias
    c. How to install CrowdSec

3. How to turn on Clamav to detect and block malware at the network level

4. How to turn on Unbound
    a. Configure Unbound with DNSSEC and TLS
    b. Enable Unbound blocklists (Blocking ads)
    c. Create a rule that forces DNS requests to Unbound (you gave some examples)

5. Creating subnets and why you would want to (prevent lateral movement of malware)
    a. Kids network
         i. Create a schedule that would block Internet access after a certain time
         ii. Block access to Porn and other unsuitable sites for Kids
    b. IoT
    c. Guests

6. How to use logs and the inspect button to check rules

All I can think of for now. Remember this is for a home user, so the guide should be as simple as possible. I don't believe the average person without an IT background would attempt to implement OpnSense in their home.

However, a person who knows what a firewall is and understands the capability a firewall offers over a standard WiFi Router would have an interest in OpnSense. Having the necessary skill set to actually configure OpnSense is another matter.

The purpose of this guide is to assist those individuals who have an understanding of a firewall but not the skill set to configure a firewall. This guide should allow them to overcome that challenge and enable them to provide another layer of security for their home.
#9
General Discussion / Re: CrowdSec IP Blocklist
June 01, 2022, 05:55:46 PM
Totally wrong about this; it appears the CrowdSec plug-in I installed also blocks at the FW level.
#10
General Discussion / CrowdSec IP Blocklist
June 01, 2022, 04:15:03 PM
I have CrowdSec up and running on my OpnSense instance. My understanding is that CrowdSec is protecting my WebGUI service from brute-force attacks.

I had heard CrowdSec was going to release an IP blocklist of their own that OpnSense users could build an alias for (i.e. like Spamhaus). Ran into this on the CrowdSec website:

sudo apt install crowdsec-blocklist-mirror

Was wondering if I could somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.
#11
Zenarmor (Sensei) / Re: 22.1.8 MongoDB problem
May 31, 2022, 06:46:42 PM
Just checked and MongoDB still isn't running. Is this correct? No fix yet? Want to make sure I haven't missed something.
#12
Does your NAS have a firewall?

Do you have the firewall on your NAS enabled with port 8080 allowed?
#13
I welcome any comment/constructive criticism/advice/correction below.

I love OpnSense.

30 years sales experience in high tech, now retired. I am a privacy advocate and home networking is a hobby. My grandfather had his tractor he was always tinkering with, I am always tinkering with my home network.

OpnSense has become a very valuable tool for my home network. I have sold most of these capabilities to the US Government at some point and now I have these capabilities at home via OpnSense!

I use the following as a guideline to protect my privacy. I'm not going to reveal what I use, but I encourage you, when selecting a tech for each of the areas below, to beware: lots of vendors say they are private while in the background they are still collecting private info. (OpnSense and Sensei are wonderful tools to identify this.)

Secure Browser (Brave is a joke!)
VPN (European provider, US VPN providers aren't protecting you)
Ad Blocker (OpnSense platform)
Password manager
Secure and encrypted messaging (Be very careful here)
Private Search Engine (What a mess)
Private email
Secure OS (Very hard to find and use)
Secure DNS (Need a static IP and your own DNS to be truly secure here)
Anti virus (shocking how much these vendors like to chat with your computer)

I struggled in the beginning in the following areas and struggled finding documentation. Most of the documentation I found assumed a certain level of understanding I did not possess, so I would have more questions than I started with.

Understanding IN/OUT (not as easy as it sounds)
    Source IP to dest IP based on origination of connection
Which interface to apply firewall rules to
    Inbound interface
How to check FW rules
    INSPECT button on rules page
How to use aliases
    OpnSense documentation is a good place to start
How to use floating rules
    Had to find an example on a blog

As a home user what was I going to use OpnSense for?

I have 5 subnets:

Lab
IOT
Guest
Server
Open (No rules)

I want to isolate each subnet, so I built rules for that.
I want to block access from certain countries (GeoIP alias with floating rule).
I want to block IPs with bad reputations (blocklist alias with floating rule).
I want to block malware (ClamAV).
I want to block ads (I use Unbound DNS and Sensei).

I have tinkered with Suricata and CrowdSec. I use CrowdSec to protect the GUI. Got rid of Suricata; I think it's overkill for my home network. If CrowdSec ever releases a blocklist I will build an alias and floating rule for that as well.

It has taken me almost 2 years to set this up. I am sharing this here in this forum because a guide for beginners/home users is needed. (I have thought of writing one myself but I am not qualified to.)

Enterprises will use the Cisco, Palo Alto, Fortinet, etc. firewalls for their needs. OpnSense is great for a home user, especially parents. However, the learning curve is too steep.

I read this forum and get bits and pieces. Another suggestion is a Home User category here on this forum.

Please suggest, comment and criticize at will!

#14
Zenarmor (Sensei) / Re: Sensei PlugIns Disappear?
May 31, 2022, 09:23:44 AM
Go to Firmware, Status, then choose Check Updates and it will resolve that issue. But yes, I had the same when I installed Sensei today: it reported all my current plugins were orphaned; rechecking for updates resolved the problem.
#15
Thank you very much! That worked.