Topics

1

General Discussion / Question on Firewall Rules

« on: August 10, 2018, 07:30:42 pm »

Hello,

I am trying to setup my security cameras (only one is connected to the network while I figure this out) with 3 goals:

• The individual camera can email me if there is an alert (I have a separate email that is used only for this purpose)
• The individual camera cannot be reached by the internet (all remote viewing will be done through OpenVPN)
• The individual camera cannot reach the internet (so that they cannot be used as part of a botnet in the case that they ever become infected)

First, I created an alias for my security cameras and added the static IP I had setup for the camera (so I can just add IPs here as I add more cameras to the network).

I setup 3 rules in OPNsense

• Rule 1 - Action - Block, Interface - WAN, Protocol - any, Destination - security_cameras, destination port range - any (goal is to keep anything from the internet from reaching the camera)
• Rule 2 - Action - Pass, Interface - LAN, Protocol - TCP, Source - security_cameras, Destination - any, Destination Port Range - from 587 to 587 (port needed for smtp.gmail.com with TLS on camera), (goal is to allow the cameras to contact the smtp server)
• Rule 3 - Action - Block, Interface - LAN, Protocol - any, Source - security_cameras, Destination - any, Destination Port Range - any (goal is to block the cameras from reaching the internet)

Rule 1 is on the WAN rules page and Rules 2 and 3 are on the on LAN rules page.  Rule 2 is higher on the list than Rule 3, so I thought that should take precedence.

If I have all 3 rules enabled, using the cameras test email setting, the email fails to send. 
If I have Rule 1 and Rule 2 enabled, and Rule 3 enabled, the camera test email will send.

I plan on using the same types of rules to block other items from the internet as much as possible as I add them back to the network, so if I could just get the basics down using this one example, I think I can move forward from there.  I was able to use aliases and WAN rules to get my Xbox ONE from a strict NAT to a moderate NAT using one of the threads on this forum.  With a little bit more research, I was able to get that NAT from moderate to open.

I'm hoping someone with more networking experience can help me out with this and help guide me on this.

Thank you.

2

18.1 Legacy Series / [SOLVED] PPPoE with VLAN Tagging

« on: August 03, 2018, 11:25:48 pm »

Hello everyone.  It's been a while since I have posted, but I have learned a lot from many people here.

I have a qotom q355-g4 running opnsense 18.1.13 (waiting a little bit to upgrade to 18.7) sitting on my desk and I hope to be able to plug it back in as my main router.  The WAN is currently set as dhcp.

I upgraded to CenturyLink gigabit fiber service and had issues trying to connect the OPNsense box and resorted to using the isp's gateway, so I pulled the OPNsense box to when I had more time to figure this out.

Thanks to the help of many here and some other tutorials I found online, I was able to setup and successfully connect to 2 different OpenVPN Servers through OPNsense and I was also able to SSH and install the Ubiquity Unifi controller on the qotom box.

Now I need to setup the VLAN -tagged PPPoE interface to connect to Centurylink's service.  The VLAN tag is 201.   I have my PPPoE username and password (encrypted and non-encrypted).  I looked to see if there is a guide for noobs, but I am kind of at a loss.

The qotom has for nics (igb0 - WAN, igb1 - LAN, igb2 - OPT1, igb3 - OPT2).  I plan on using OPT1 later on as a LTE failover for certain IP addresses, but that is a future item.

I have setup a VLAN in Interfaces --> Other Types --> VLAN and made the following selections:

• Parent Interface - igb0 - wan
• VLAN tag - 201
• VLAN Priority - Best Effort (0, default)

I'm not sure where to go from here.  I know I will need to go to Interfaces --> WAN and select PPPoE from the IPv4 Configuration Type and then enter my username, password, enable Dial-On-Demand, and enter 0 Idle timeout. 

What would I do after this point?

I appreciate any help on this.  Thanks in advance. 

3

General Discussion / New User - Hopefully Easy Question

« on: March 13, 2018, 07:35:15 pm »

Hello.

I had hoped to have a better first post to the forum, but I keep coming to a dead-end to such a simple question.

This is my first time using OPNSense.  I had played around with another product in a virtual machine prior to ordering a Qotom q355-g4, but once I had the actual hardware, I decided to try OPNSense (for some reason,I had issues trying to load it into a VM, so abandoned that endeavor until I had dedicated hardware).

I had the issue trying to do a bare metal clean install of 18.1 directly, so I installed 17.5 and then eventually upgraded to 18.1.4 through the GUI.

As I am still setting this up, I only have 1 computer in use behind it through wired LAN (double NAT behind OPNsense box and ISP gateway (will bridge ISP gateway to PPPoE once OPNSense setup is complete and tested)).  Already have a Ubiquiti AC-Pro running for WIFI. OPNSense box is still connected to a KB and monitor in case I need to make changes on the console.

I am still learning a lot about networking and reading different forum posts and logs, but I have a really simple question.

Where can I find the command line to run scripts?  I looked through out the GUI, used the search function (GUI, Wiki, forums), Google, etc. but I am unable to find where to actually open the CLI to be able to run scripts.

Thanks in advance.