Messages - Fibea

#1
General Discussion / Cloudflare show Real IP
June 20, 2024, 07:52:11 PM
Hello community,

is there a way to retrieve the "real" IP address from the HTTP request headers when using Cloudflare?

The OPNsense live log only shows the known Cloudflare addresses, but not the real visitor IP.

I want to use the CrowdSec plugin to block malicious IPs, but obviously this won't work if they are obfuscated with Cloudflare.
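The situation described in this post, as an added example that is not from the thread or from the OPNsense/CrowdSec projects: a small Python check that only honours CF-Connecting-IP (or X-Forwarded-For) when the connecting peer really is a Cloudflare address, so that a spoofed header cannot plant an arbitrary IP in the logs a blocker reads from. The proxy prefixes and sample requests are constructed placeholders, not real Cloudflare ranges.

```python
"""Added example (not from the forum thread): recover the visitor IP behind Cloudflare.
The CF-Connecting-IP / X-Forwarded-For headers are only trustworthy when the TCP peer
really is Cloudflare; otherwise any client can set them and put a spoofed address into
the logs that CrowdSec bans from. Prefixes below are constructed placeholders; load the
published lists (https://www.cloudflare.com/ips-v4, /ips-v6) in real use."""
import ipaddress

# Constructed placeholder prefixes standing in for Cloudflare's published egress ranges.
TRUSTED_PROXY_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the connecting address belongs to a known proxy prefix."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_PREFIXES)

def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address that should be logged (and handed to CrowdSec).

    - Direct connections (not via Cloudflare): the peer IP is the client.
    - Via Cloudflare: prefer CF-Connecting-IP, fall back to the first
      X-Forwarded-For entry, and validate it as an IP literal.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip  # header may be client-controlled; ignore it
    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = lowered.get("cf-connecting-ip")
    if not candidate:
        xff = lowered.get("x-forwarded-for", "")
        candidate = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed header: fall back to the proxy address

# Constructed sample requests as the reverse proxy would see them.
SAMPLE_REQUESTS = [
    ("203.0.113.7", {"CF-Connecting-IP": "198.51.100.23"}),             # via proxy
    ("192.0.2.9", {"CF-Connecting-IP": "198.51.100.23"}),               # header not trusted
    ("203.0.113.8", {"X-Forwarded-For": "198.51.100.42, 203.0.113.8"}),  # XFF fallback
    ("203.0.113.9", {"CF-Connecting-IP": "not-an-ip"}),                 # malformed header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(f"peer={peer:14} -> client={real_client_ip(peer, hdrs)}")
```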
#2
Quote from: FLguy on June 18, 2024, 06:39:08 AM
[...] With that aside, this issue you are raising is for sure something you will have to deal with moving forward with your diagram.  No big deal, add a rule to the WAN interface allowing HTTPS to "this firewall".  You will then use the WAN IP to manage the firewall from your PC or any system on the WAN side will be able to manage opnsense firewall. 

By default, the LAN is set to 192.168.1.1, but you have to be on the LAN side of the firewall to set the initial configuration.  My suggestion is to connect a laptop or temporarily your PC to the LAN side of the firewall to set the initial configuration.  One of those items will be the rule mentioned above.  ;)  Once the firewall is configured, cable it up to your diagram.

If you want both your NAS and Homeserver in the same subnet and connect them to different ports on the opnsense firewall, you will have to go with a bridge configuration.  I sent a link for this already.  Here is a video, https://youtu.be/q1Rv4gB8fkI?si=VgPnQgBHdGYG0q_Z&t=160, the guy is a bit chatty. 

Before setting up the end-state bridge, I would either configure the WAN rule above, allowing you to manage opnsense from the WAN, or use two different ports than ETH1.  So Eth0 (WAN), Eth1 (LAN), and Eth2 and 3 could be the new bridge.  So if the bridge doesn't work after the initial configuration, you don't lose admin access to opnsense.

Hi FLguy, thank you again for this explanation! I'm hoping to gain more experience by trying out new things, and help from the community to get on the right track helps a lot!

As seen in the previous replies, this might not be the best "professional" solution, but it suits my needs. My question to you would be, if you were the architect of my network, how would you implement the firewall (without VLANs as for now, since I do not have VLAN-ready-devices)?
#3
Quote from: FLguy on June 17, 2024, 07:31:29 AM
Suppose you don't mind your home server and NAS being on different IP networks. In that case, there isn't anything extraordinary here other than installing the Firewall and connecting your home server and NAS to the firewall.  You must create three networks, including the existing IP (opnsense WAN) that's live off FRITZ!Box router, one for your home server, and one for your NAS.

If you want your home server and NAS to be in the same network but connected to different interfaces on opnsense then you may want to look at configuring a bridge.  In this case, it is just two networks, the existing network and the new network behind opnsense for the home server/NAS.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

How would I go about initially setting it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port so my PC cannot reach its web interface.
#4
Quote from: meyergru on June 17, 2024, 09:59:27 AM
Quote from: FLguy on June 17, 2024, 07:31:29 AM
You might consider setting up a transparent firewall with opnsense. This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall.

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

There could be one LAN which has all the trustworthy devices (e.g. PC and Homeserver/NAS) and another IoT LAN for devices which you cannot control, but must have cloud access. If these also need access to the NAS or Homeserver, you can create rules.


My homeserver is partially accessible from the Internet. Together with the OPNsense and CrowdSec, I want to monitor and analyze who and what tries to access my services.

Someday I'll reorganize my whole LAN to include VLANs and a DMZ. But for now, this setup suits all my needs and works just as designed.

#5
Thank you for your answer. This is exactly what I wanted to achieve! Will take a look into this.
#6
Hello all. I want to integrate a 4 port hardware firewall with OPNsense in my current network. I don't want to directly install it behind my FRITZ!Box router, because I only want some devices' traffic to run through it.

Here is a simplified network graph:


As you can see, I would like to use the firewall as a switch for my Homeserver and NAS. Only the traffic of those two should run through the firewall, not, for example, the Apple TV or Philips Hue Bridge.
All the devices you see are in the range of 192.168.0.x/24 (except the "Multiple IOT devices").

Is there a way to realize this, or do I need some minor changes first?

Kind regards!