
Messages - Freebee5687

#1
@meyergru I scanned my pfSense box via the network vulnerability scanner (light) and it says my host is down (which would seem to agree with the ShieldsUp! Stealth assessment).  It decidedly is not. Will need to find a time to cut the OPNsense box in when the wife isn't surfing the web. :-)

I do not have anything like Crowdsec on my pfSense box.
#2
I can certainly try this. My fundamental question / concern is ... with pfSense all ports report Stealth and OPNsense reports them all open. Both boxes running. Test pfSense .. Stealth .. move cables ... all ports open ... move cables back ... Stealth.

Was obviously afraid to hang a firewall that was reporting open on the web for too long.

I honestly don't know if I am behind CG-NAT.

Maybe I need to wipe it, connect, check the status and then start building it back up piece by piece. :-)

Scott
#3
"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

The way I read it, green / stealth means the firewall never responds (blocked based on what I understand). Blue means it responds that it's closed (reject?) and red means it responds as open (pass).

My interpretation may be all wrong of course.

Appreciate the insight!
#4
My pfSense box reports all ports as stealth (did not provide a response) with the same test. I was expecting the same behavior from this box. It's at least enough of a warning to give me pause.

It is "open" red, "closed" blue and "stealth" no response in green
#5
General Discussion / OPNSense WAN Shows All Ports Open
November 02, 2023, 07:36:50 PM
Hi again!

Working on moving my backup pfSense x86 box to OPNSense. 

I worked on configuring the OPNSense box; WAN is on igc0 and my three internal VLANs are attached to igc1.

I configured my NAT Port Forwards to match my current pfSense Port Forwards and configured my rules to be the same as my pfSense box.

I even added an extra BLOCK ALL INBOUND rule at the end to be safe.

I toggled Reflection for port forwards to be checked as it was required on the pfSense box when I set it up 4 years ago.

Power it up next to my pfSense box and then moved the network connections to OPNsense and tested it.

The WAN was properly registered with my external IP and I had internet access from my LAN VLAN.

Tested via Steve Gibson's ShieldsUp! site (https://www.grc.com/shieldsup). All 1024 Service ports were listed as open. Needless to say the box was removed from the network.

I can confirm DISABLE FIREWALL is unchecked. :-)

I thought I understood this ... :-(

What did I miss / do wrong?

Appreciate the help!

Scott

Can provide screenshots of the Interfaces or Firewall Advance Settings pages if necessary separately

#6
Thanks! I moved the InternalNetworkConnection to .198 and can access it fine at .198. I moved LAN (opt1) to .1.

Cannot access gui at .1 but I can at .198. Although that's probably because I am hard wired from a laptop at .199 without VLAN tags ...

Once I get my rules for my LAN / IOT and GUEST interfaces copied over I will move it to the main firewall position and confirm I can access it at .1.

Thanks for the reply!

UPDATE: added VLAN tag 4091 to the laptop NIC, connected to .1 and deleted the internal connection.  All good. Thanks again!

#7
General Discussion / Interfaces - pfSense vs OPNsense
October 30, 2023, 05:58:56 PM
Hi! 

With the news of Netgate's removal of the pfSense+ Home/Lab license I decided to take this opportunity to try OPNsense on my backup firewall.

Everything is going OK but there is a difference between the two that confuses me.

I had this working on my x86 PC with 2x NICs, but what is showing is the SG-1100 configuration.

I had 3x VLANs hanging off of that internal NIC (LAN side) .... 4091 (internal LAN) with interface ip at 172.16.17.1, 4092 (guest) with interface IP 172.16.19.1 and 1618 (IOT) with interface ip at 172.16.18.1.

Each VLAN / Interface has its own DHCP server running for those networks throughout the house.

I am struggling with the opnsense InternalNetworkConnection interface.  Can I disable it at this point?

I want the opnsense box to be accessible within the internal LAN network at 172.16.17.1. I restrict access to the GUI on IOT and GUEST via rules.

Can I just delete the InternalNetworkConnection interface and set LAN (opt1) to 172.16.17.1 ?

Thanks in advance!