Messages

Does this mean that it is not currently possible to configure OPNsense for EAP-TLS (802.1x certificate based authentication)?

I'd like to try to move from pfSense to OPNsense but lack of device certificate based 802.1x EAP-TLS authentication is a show stopper for us...  :-\

We have been running a pfSense based network for several years, but have started considering to switch over to OPNsense. I have been reading and searching the forum, but I'm still unsure if our configuration can be achieved using OPNsense.

Our current network configuration is as follows:

- pfSense edge router:
   - WAN + LAN1 physical network interfaces
   - Certificate manager to create and manage the PKI for device certificates
   - Freeradius server configured to use EAP-TLS with 802.1X device certificates on wired and wireless LAN1
- Managed switches (ZyXEL GS1900 series)
   - Authentication method: Radius; 802.1X enabled
   - Individual switch port assignments to either LAN1 or VLAN 20 / 30 / 110 / 120 / 130
   - Global Guest VLAN 30 for fallback to devices trying to connect to LAN1 ports without a proper device certificate
- WLAN APs (Ubiquiti UniFi UAC series)
   - Separate wireless networks for LAN1, VLAN 20 / 30 / 110 / 120 / 130
   - Radius profile for wireless LAN1
   - WPA-Enterprise enabled for wireless LAN1 connections to authenticate via device certificates
   - WPA-Personal and individual VLAN enabled for all other wireless networks[/li][/list]

If a workstation is trying to connect to LAN1 either wireless or wired but without device certificate, it will automatically fall back to Guest VLAN 30. Wired connection to all VLANs is possible from dedicated switch ports without authentication. Wireless connection to all VLANs is possible with standard WPA-Personal password.

I wonder if this setup is possible with the current OPNsense release.

I'm specifically concerned about how to configure Freeradius to use 802.1X and device certificates, since I cannot seem to find the user interface to configure it. On pfSense this configuration was quite straightforward, and I was also able to find examples in the user forums on how to do it.

All guidance and advice is greatly appreciated!

I'm seriously considering to switch over to OPNsense if I can do it with low or moderate effort. On the other hand, I do not currently have resources to start making very large-scale experiments if this something that has not been done with OPNsense before.

Thank you for your reply again, Bart!

I should have realized that I was missing the route definitions in OPNsense, but unfortunately there seems to remain some other (also likely obvious) impediment that still prevents my network traffic...

I decided to forget my VLANs for now and first get the physical LAN to work. The physical LAN network behind my ASUS is 10.1.2.0/24, the ASUS itself being 10.1.2.1. So I created a new Single Gateway "LAN2_GW" in OPNsense as 10.1.1.2 and configured a route to network 10.1.2.0/24 via "LAN2_GW".

Now I can ping both WAN and LAN interfaces of my ASUS from OPNsense and vise versa, but I can neither ping 8.8.8.8 from ASUS nor any PC in my LAN2 network from OPNsense.  :-\

I think it must be something very simple and obvious that I'm still missing...

(BTW how does one do packet tracing in OPNsense?)

No, but now I have read it. Thank you for your suggestion!

Well, at first glance it would seem to me that that would make my OPNsense a transparent bridge, but that's not what I want (I guess...).

I want the OPNsense to do NAT between my LAN and the internet, and I'd rather like my ASUS router to be kind of "transparent" - in the sense that I would be able to control the network traffic individually for my PCs and other HW behind the ASUS router.

So, I would like to be able to create separate firewall rules in OPNsense for e.g. to my home PC and to my WiFi capable alarm clock that are both behind the ASUS router.

And the ASUS router must operate in the router mode (i.e. not as an access point) since that's the only way to keep the VLANs in ASUS working.

I tried switching off NAT in my ASUS, but then I was not able to reach internet from my LAN.

I have an ASUS BRT-AC828 as my home router, and I and have segmented my LAN to a few VLANs (e.g. IOT devices / Guests / Home network).

I'm currently trying to add an OPNsense firewall between my ASUS router and the internet, and I'd like to get visibility to my LAN nodes from the OPNsense. For example, I have an alarm clock that has WiFi capability, but I'd like to allow only NTP protocol for that device to pass to internet and block everything else.

It seems to me that I'm lacking some basic knowledge on how to configure the OPNsense correctly. Obviously I will want to disable NAT in my ASUS router, but what are the correct steps to configure OPNsense so that I can reach the internet from behind the ASUS router?

The network configuration is as follows:

Internet <--> OPNSense <---> ASUS BRT-AC828 <--> VLAN1: 10.11.1.1 <--> PC 10.11.1.2
                             10.1.1.1     10.1.1.2                        VLAN2: 10.12.1.1 <--> alarm clock 10.12.1.2

Any help would be greatly appreciated!

I have been using Sophos UTM in my home network for a few years but decided to give OPNSense a try.

So, I downloaded the 18.7 VGA AMD64 image file and burned it into a USB3 stick with Rufus. Booting from the USB stick started normally (at least to my eyes), but it hang almost immediately.

All I got into the console screen was:

=============================================

>> FreeBSD EFI boot block
Loader path: /boot/loader.efi

Initializing modules: ZFS UFS
Probing 14 block devices........*........ done
  ZFS found no pools
  UFS found 1 partition
Consoles: EFI console
_

=============================================

Then, after a few minutes a reboot occurs, with exactly the same results, and again and again...

I was not able to find a solution neither in the wiki nor by searching the forum. My apologies if I'm missing something obvious here.

The HW is a Dell Optiplex 7010 SFF with one 160GB HDD.