General Discussion / Re: Installation on windows
« on: September 15, 2024, 06:31:20 pm »
I think you're missing a bit of the basic zero-to-hero info here and I'd be happy to help explain.
OPNsense works as something called a gateway router/firewall, in a category of technology called 'network appliances.' In executive summary, it is a gateway--like the gateway through your otherwise impassable garden fence--that facilitates your internal network (LAN - local area network - the house and land) from the greater internet, or WAN (wide area network, but colloquially, to remember the difference, you can think of it as the world area network).
Your ISP router does this and most routers have a decent enough, rudimentary, firewall. Without a firewall, it's simply the gateway. Like your garden fence, it lets anyone who tries through, in either direction. The reason most people want to replace their ISP router is either because it's slow or performs badly, doesn't facilitate something they want to do, or, commonly, because the manufacturer fails to keep it updated and secured against recent threats, leaving it slightly less secure than something maintained reliably. You can find tons of Asus, TP-Link, D-Link and more brands with known (and often unfixable) router vulnerabilities in even extremely expensive hardware.
A classic firewall is, in essence, an "allowed/blocked" list that lets things that should talk (your devices) get to the internet, and responses from those things to come back, while blocking random unrequested stuff from WAN. (Look into this more yourself, but there are actually many 'gateways' called ports through which things actually talk on the internet, and the firewall maintains a closed or open state for them. Your network router is the network gateway, ports are ports, but it's helpful to think of them as open/closed doors while learning their function.)
In corporate environments, you'll see a lot of Next-Gen Firewall appliances - next-gen typically adds smarts, like online lists that constantly update the firewall with threat locations to block, malware sites to check for the reputation of files and programs, and breakdowns of what's accessing what, where - letting you, e.g., block porn, gambling, and violence from your network via a simple click rather than going off and building your own manual blocklist, or getting alerts when IP addresses and websites from America are resolved, etc. etc.
Your firewall needs to be above your network to protect it. You can firewall a single device, but only that device will be protected. Now, granted, there are ways to redirect your LAN traffic to a firewall elsewhere in the network, but it's not optimal for a lot of reasons, and some devices may simply not work this way or will bypass it. (A good resource here is the setup for a Pi-hole. Similar methodology/functionality and setup.)
So knowing this, you now know that your firewall needs to sit between your LAN and WAN to be able to filter the traffic to protect your LAN. You can virtualise it on a host like Proxmox or Windows and VirtualBox, but as you know, it's far from optimal. Your best bet is to find a fairly cheap piece of hardware that has or supports two RJ45 (aka Ethernet) ports to make it simple for you to plug your WAN device (be that a router, modem, FTD, NTD or similar) into one port and your LAN out the other. You can get devices that have up to 8 ports to act as a switch right on the device, or you can get a small mini PC/NUC box with two ports, and go out to a dumb (or smart!) switch from there. Note that if your internet router terminates ADSL or VDSL, coaxial or something else, you'll need to keep that in order to get Ethernet out of it for your firewall appliance.
You'll also want to find a solution for WiFi if you're replacing your router. OPNsense supports it, but it is, by its own admission, rudimentary, as it's not a key focus for a firewall OS.
My suggestion here is to use a cheap box like an MSI NUC, Qotom or XGODY or Beelink Mini PC as a firewall gateway, then have it go into your current router to act as a switch and WiFi box. You can always upgrade down the line with other hardware, like a Ubiquiti AP or perhaps an OpenWRT multibox. Word to the wise - aim for Intel NICs, not Realtek, though Realtek does work quite well in many cases.
As a P.S. - you can also use a firewall for specific security! A lot of malware researchers and red/blue/purple teams will run a firewall VM or specific device protecting just one LAN or VLAN, or even just one PC, on which they do their analysis. Online personalities like Kitboga and Leo at TPCSC almost certainly do this, and it allows them to have deep reporting and carefully constructed filtering to allow their research to work while seeing everything their target does.
If I got anything wrong I'm more than happy to be corrected / learn myself, of course. I'm far from the smartest or most experienced person in this thread, but I just wanted to help out and cover the basics. If not you, it might help other browsers-by!
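The "allowed/blocked list" behaviour the post above describes (new connections from LAN are allowed out, their replies are let back in because the firewall remembers the connection, anything unrequested from WAN is dropped, and a port forward is an explicitly opened door) can be made concrete with a small stateful packet filter. This is an added Python example, not code from the original post and not OPNsense or pf code. The LAN range, WAN address, egress port list, port forward and the packet stream are all constructed for the demo, and outbound source NAT is not modelled, so replies from the internet are shown already addressed to the LAN host.

```python
"""Toy stateful packet filter illustrating gateway firewall basics.

Constructed example: addresses, rules and traffic are made up for the demo.
Not OPNsense/pf code. Outbound source NAT is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on: "lan" or "wan"
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP connection attempt (SYN); ignored for udp


# Flow key in the direction the connection was opened.
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, lan_net: str, wan_ip: str,
                 allowed_egress_ports: Set[int],
                 port_forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_ip = wan_ip
        self.allowed_egress_ports = allowed_egress_ports
        # (proto, wan_port) -> (lan_host, lan_port): the "opened doors"
        self.port_forwards = port_forwards
        self.state: Set[FlowKey] = set()  # connections seen and allowed

    def _in_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan_net

    def filter(self, pkt: Packet) -> str:
        """Return "pass:<reason>" or "block:<reason>" for one packet."""
        # 1. Anti-spoofing: a LAN source address never belongs on the WAN side.
        if pkt.iface == "wan" and self._in_lan(pkt.src_ip):
            return "block:spoofed-lan-source-on-wan"

        # 2. Destination NAT: an inbound packet to a forwarded WAN port is
        #    rewritten to the internal host before the rules are evaluated.
        dst_ip, dst_port = pkt.dst_ip, pkt.dst_port
        forwarded = False
        if pkt.iface == "wan" and pkt.dst_ip == self.wan_ip:
            target = self.port_forwards.get((pkt.proto, pkt.dst_port))
            if target is not None:
                dst_ip, dst_port = target
                forwarded = True

        fwd: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, dst_ip, dst_port)
        rev: FlowKey = (pkt.proto, dst_ip, dst_port, pkt.src_ip, pkt.src_port)

        # 3. Established traffic: either direction of a remembered flow passes.
        if fwd in self.state or rev in self.state:
            return "pass:established"

        new_conn = pkt.proto == "udp" or pkt.syn

        # 4. New flow from LAN: allowed only to ports on the egress list.
        if pkt.iface == "lan" and self._in_lan(pkt.src_ip):
            if new_conn and dst_port in self.allowed_egress_ports:
                self.state.add(fwd)
                return "pass:new-outbound"
            return "block:lan-policy"

        # 5. New flow from WAN: only through an explicitly opened door.
        if pkt.iface == "wan" and forwarded and new_conn:
            self.state.add(fwd)
            return f"pass:port-forward->{dst_ip}:{dst_port}"

        # 6. Everything unrequested from WAN is dropped.
        return "block:default-deny"


def run_demo() -> List[str]:
    """Run a constructed packet stream through the filter; returns decisions."""
    fw = StatefulFirewall(
        lan_net="192.168.1.0/24", wan_ip="198.51.100.10",
        allowed_egress_ports={53, 80, 443},
        port_forwards={("udp", 51820): ("192.168.1.20", 51820)},
    )
    traffic = [
        Packet("lan", "tcp", "192.168.1.10", 51000, "93.184.216.34", 443, syn=True),  # LAN PC opens HTTPS
        Packet("wan", "tcp", "93.184.216.34", 443, "192.168.1.10", 51000),           # server replies
        Packet("lan", "tcp", "192.168.1.10", 51000, "93.184.216.34", 443),           # more of same flow
        Packet("wan", "tcp", "203.0.113.7", 4444, "192.168.1.10", 3389, syn=True),   # unsolicited RDP probe
        Packet("lan", "tcp", "192.168.1.10", 51001, "203.0.113.25", 25, syn=True),   # SMTP out, not on list
        Packet("wan", "udp", "203.0.113.7", 40000, "198.51.100.10", 51820),          # hits forwarded VPN port
        Packet("lan", "udp", "192.168.1.20", 51820, "203.0.113.7", 40000),           # VPN host replies
        Packet("wan", "tcp", "192.168.1.50", 1234, "198.51.100.10", 443, syn=True),  # spoofed LAN source
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The ordering matters: the anti-spoof check comes before anything else, the state lookup comes before the rule list so a remembered connection is not re-evaluated on every packet, and the last line is a default deny, which is what makes the WAN side "closed" unless a rule says otherwise.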
That was a very comprehensive explanation and clears lots of things for me. Thank you for your time and effort.