Messages - phoenix

436
General Discussion / Re: Run OPNsense virtualized and handle all traffic for the host and it's VMs?
« on: March 08, 2016, 03:51:58 pm »
You're welcome. :)

If you don't have much experience with ESXi then I'd suggest you be prepared to make mistakes, it is straightforward but it's still a pain when things don't work out as you expected. If you're using the free (or even a paid-for) version then you might find this little tool a boon for managing your ESXi host from a browser: https://labs.vmware.com/flings/esxi-embedded-host-client

What that fling does is install a web browser on the host and all the management functions are written in HTML and you don't even need a Windows machine to run the VMware client.

437
General Discussion / Re: Run OPNsense virtualized and handle all traffic for the host and it's VMs?
« on: March 08, 2016, 12:56:20 pm »
Assuming you don't have an Enterprise Plus licence then you're left with using the standard vSwitch. Create two of those and attach your NICs to them - if this is a home LAN then one NIC on each of the switches should do. Create the OPNsense VM with two NICs, connect one of those NICs to the 'WAN' vSwitch and the other to the 'LAN' vSwitch. Install OPNsense and configure it to your requirements, when it's up and running you should have a working firewall and LAN connection.

Nothing in my environment is directly connected to the internet (except the ESXi NICs) and everything (including the ESXi host) is routed through OPNsense. Create any required VMs with single NICs (you don't really need more) and connect them to the LAN vSwitch and that should give you a quick and simple set-up, the beauty is you can rearrange things later should you desire to do so.

438
General Discussion / Re: Run OPNsense virtualized and handle all traffic for the host and it's VMs?
« on: March 08, 2016, 11:57:01 am »
Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

IMO, there's no such thing as "not as secure as" - that means not secure to me. Security is a multi-layered approach and relying on a firewall or one single point of protection is self-defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN.

439
General Discussion / Re: Run OPNsense virtualized and handle all traffic for the host and it's VMs?
« on: March 08, 2016, 11:34:40 am »
I don't have any problem running OPNsense in a VM on my ESXi server, why do you think a virtualized firewall is not secure?

440
General Discussion / Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
« on: March 07, 2016, 12:11:20 pm »
Quote from: franco on March 07, 2016, 07:21:44 am
Don't forget to take a look at the new docs, they are already quite comprehensive and are being further extended for 16.7:

https://docs.opnsense.org/
Oops, sorry about that, I thought I'd included a link for the docs. :( I must say the documentation is moving along quite well and is extremely easy to read and understand. :) Now if only I could sort out my VLAN problem but that's for another thread.

441
General Discussion / Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
« on: March 06, 2016, 06:13:00 pm »
As I mentioned earlier, if you have no need of ports being open or anything being forwarded to the LAN then the initial configuration will allow you to surf the internet and stop anything nasty getting in - that is the default configuration. You'll see what the default rules are when you look at the NAT pages in the UI.

OPNsense is still a relatively new project although it is a fork of pfSense so if you're in need of more comprehensive documentation you should take a look at the pfSense pages and you'll get the idea of what's possible. The documentation for OPNsense is available via the main page but it's still a work in progress. You can also take a look at some of these sites: http://preview.tinyurl.com/OPNsense - they'll give you an idea about configuring OPNsense through the web UI. Don't forget to take a backup of your configuration before you make changes to the firewall.

442
General Discussion / Re: Newb Assistance - Please Recommend an Initial Firewall Rule Set & HowTo
« on: March 06, 2016, 08:17:44 am »
The simple answer is there is no "one size fits all" solution for a firewall and it requires you to do some research about what a firewall is and what you can do with it, this is a complex subject with a steep learning curve (if you're new to firewalls).

If you've successfully installed OPNsense then you should have a firewall that will allow you to surf the internet and not have anything nasty making connections to any machines on your LAN. I assume you do have internet access at the moment? Other than that you'll have to give some information about what you're trying to do, what machines on your LAN do you need to expose to the internet etc., etc.

As for your comment about there not being any "pass rules for the WAN", the feature you're looking for (in any firewall) is NAT - Network Address Translation. You'll find a page in the Web UI for that under Firewall/NAT or just enter 'nat' in the search box in the top-right corner of the UI.

443
Hardware and Performance / Re: Some suggestions for my new OPNSense (on ESXi host)
« on: March 04, 2016, 10:54:55 am »
What you haven't mentioned is the load you will have on this firewall, is this replacing another firewall or what? Is this in a business environment or a home LAN, how many users and what sort of traffic? I'd also suggest you are likely to be allocating too many vCPUs to the firewall and I'd guess you may need more disk space if you have many users and/or growing log file requirements.

444
16.1 Legacy Series / Re: RRD tool discontinued... But what else?
« on: March 04, 2016, 10:33:45 am »
The RRD graphs were removed a while ago and replaced with the "health" display. My recommendation would be to use monitoring software on another server on your LAN, you can take a look at something like LibreNMS or the Open Monitoring Distribution from here: http://omdistro.org/ It really depends on your needs and requirements but I use both of those monitoring solutions and they work well. You'll also find further details in the forums on the reasons that the RRD graphs were removed and in addition, the data is still available.

445
16.1 Legacy Series / Re: questions about opnsense
« on: February 22, 2016, 07:23:08 pm »
Squid is available and you can add Access Control Lists to it and update them via cron.

446
16.1 Legacy Series / Re: Download speed on Xen max 3Mbit on a 150Mbit connection
« on: February 21, 2016, 06:02:18 pm »
Why have you started a new (duplicate) thread when you already have your question in the other thread? I'm sure that someone will answer when they have the time and to echo the reply of weust in that other thread, I don't have any problem with speed running OPNsense in a VM on ESXi.

447
General Discussion / Re: [SOLVED] Plex Port Forward
« on: February 09, 2016, 08:51:16 pm »
Quote from: mutosan on February 09, 2016, 08:46:35 pm
and you should learn to read first. I didn't write fuck you phoenix, right. More is not to say here, and please go back to school.
Did I actually accuse you of calling me names? No I didn't, I actually called you a foul mouthed lout - your language is unacceptable when people are trying to help you. In my earlier post I also asked you to provide further information about your problem and your aims and the best you can do is to tell me to "learn to read first". I read your post and understood it perfectly well, I think maybe your reading skills are a little on the rusty side. ;)

I'm done with this thread.

448
General Discussion / Re: [SOLVED] Plex Port Forward
« on: February 09, 2016, 08:44:55 pm »
Quote from: mutosan on February 09, 2016, 08:40:20 pm
you know what phoenix. Fuck you is an insult. But what I wrote is far away from insulting and I came here not for advice I came here for help. Which is also another thing. Maybe my question in English was phrased wrong, still you should help first and not lecture/advice ppl from beginning.

I never said or wrote it has to be on LAN, just that I changed it. But again you all don't help you LECTURE ppl and that is very poor. As written before, I have my solution and will never come back here.
I think you need to calm down or keep taking the tablets. I've asked you to explain what it is you're trying to achieve and the best you can manage is to be a foul mouthed lout. If that's your attitude you won't be getting very far on any forum. I have not lectured you nor insulted you so the best advice I can give is provide some information with which we can help you or go away and solve the problem yourself.

449
General Discussion / Re: [SOLVED] Plex Port Forward
« on: February 09, 2016, 08:29:41 pm »
Quote from: mutosan on February 09, 2016, 08:23:20 pm
so instead of helping you just lecture me.

aka my things are NOT searchable by shodan.io. But anyway, I got a solution which fits me and no need of port forwarding or VPN. VPN slows down everything and why the heck should I use VPN with Plex. I don't have to hide my movies and music. I was talking about the rest which is on one of the NAS I have.

But thanks for nothing you are very unhelpful.
Your comments are not correct, you came here for advice and you've been given good advice. It really isn't much use insulting people when they're trying to help.

If you have private data on a machine behind your firewall you really should consider using a VPN to get to it. If you want this Plex server to be visible on the internet you can use port forwarding to that server. It's not clear from your original post what your exact problem is nor what you are trying to achieve. Perhaps you could give a more descriptive and clear explanation of what you're trying to do.

450
General Discussion / Re: How to install ports?
« on: February 09, 2016, 01:39:41 pm »
Did you disable all the offload settings in your other thread? What NICs are installed on your host machine?

I don't know what the view of the OPNsense developers (nor anyone else) is on this subject but I'd guess you might be asking for trouble by enabling a non-standard repository within OPNsense.
