home network with two opnsense firewalls, and split- DNS

[rickeyw]

Hello Everyone!

I am doing a small home project with a second LAN protected by a second, internal firewall (# 2).
The DMZ will be used for a "honey- pot/net".
There will be also "Management VLAN" working within the networks, and having no Internet.
The DNS resolution indeed is done by couple caching DNSes installed as bind into a cloud provider. All the local resolvers will forward the DNS- requests to the cloud ones. There are ACLs applied there so only designated IP- addresses are allowed to query. This part already is finished, and works fine with the vpn, proxy, tor, pihole, etc.

1. The major question is how to configure the interfaces, and network between the two firewalls?
I red part of the book about OPNsense, and the author was using for the labs the 192.0.2.0/24 (reserved for documentation). Most similar configurations, I have seen up to now indeed are using DMZ- ports, and public IP- addresses between the firewalls.
I am not really sure that I need to use the above range, and how to configure interface "e2" on "opnsense1" - as "second wan", or "second lan" ? Same applies for "GigabitEthernet0\0" on "opnsense2"?
How to configures the Rules, Routing, and NAT afterwards on both firewalls so the "internal" firewall to have the Internet "passed thru", and basically just that... (some DNS too) ?
For inter- subnet communication that cannot be avoided I will use vpn.

2. Overall I am also not really sure how the concept of "second LAN" is working on OPNsense so to act like the "initially installed LAN" into it - Do I create it, and then just copy the same pre- installed rules as into the original one ? If there is a "shortcut"- way to do it ?

3. If so, and if I go a little bit further, how to configure additional "management network" that supposed to be "blind" to Internet, and "works" with all crucial devices on all networks (it will be the only interface to access the web- interfaces of the firewalls too) - My guess is just to create "additional LAN" interfaces on the firewalls, and remove all rules but the anti-lookout one ?
The rest is easy - just create the same vlan on all switches, connect all needed devices thru their designated "management ports" and it is done.

Please, tell me what do you think from overall perspective, and how to resolve the particular questions if you think the "general plan" is basically ok

The Schema is attached.

Thank you very much for your kind help!

Best Regards,

Rick

[hbc]

.oO(Small home project with this company like network schema?)

[petrus]

Hi,

my home network looks even more complicated, and your questions seem to be like someones who is not completely familiar with private ranges... (no harm meant, but I think, it still looks like a hobbyists exercise)

https://en.wikipedia.org/wiki/Private_network
don't use 192.0.x.x, just 192.168.x.x or see the link for 10.x.x.x etc.
 
So you could just have one interface configured as LAN with 10.1.1.1/24 and one as WAN initially.
Then after you can access the GUI over the LAN Interface, you add new interfaces Like MGT with 10.1.2.1/24, and so on.
Then you make sure to configure rules so that a PC behind MGT can reach the Opnsense GUI and if verified, you just change your ruleset so that LAN can't access the GUI any more.

You set up NAT rules to get into the internet.

I don't know why do you want to use VPN to communicate between your local subnets, but do yourself a favor, don't do it...

Try to read the Opnsense docs and https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/
 
I don't have the time to go into more detail, but I hope I could help a bit.

Petrus

[chemlud]

Hi,

my home network looks even more complicated, and your questions seem to be like someones who is not completely familiar with private ranges... (no harm meant, but I think, it still looks like a hobbyists exercise)

https://en.wikipedia.org/wiki/Private_network
don't use 192.0.x.x, just 192.168.x.x or see the link for 10.x.x.x etc.
 
So you could just have one interface configured as LAN with 10.1.1.1/24 and one as WAN initially.
Then after you can access the GUI over the LAN Interface, you add new interfaces Like MGT with 10.1.2.1/24, and so on.
Then you make sure to configure rules so that a PC behind MGT can reach the Opnsense GUI and if verified, you just change your ruleset so that LAN can't access the GUI any more.

You set up NAT rules to get into the internet.

I don't know why do you want to use VPN to communicate between your local subnets, but do yourself a favor, don't do it...

Try to read the Opnsense docs and https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/
 
I don't have the time to go into more detail, but I hope I could help a bit.

Petrus

eeehhhhh.... https://en.wikipedia.org/wiki/Reserved_IP_addresses ***cough***

[chemlud]

2. Overall I am also not really sure how the concept of "second LAN" is working on OPNsense so to act like the "initially installed LAN" into it - Do I create it, and then just copy the same pre- installed rules as into the original one ? If there is a "shortcut"- way to do it ?

No short cut, but I would not use the default "allow any any" rule(s) as given on default LAN interface, neither for LAN, nor for LAN2 or whatever you are going to call it. Establish rules with higher granularity that allow anything you need, but not more. either on the level of each individual host or for the complete LAN net...

3. If so, and if I go a little bit further, how to configure additional "management network" that supposed to be "blind" to Internet, and "works" with all crucial devices on all networks (it will be the only interface to access the web- interfaces of the firewalls too) - My guess is just to create "additional LAN" interfaces on the firewalls, and remove all rules but the anti-lookout one ?

Depends. I would in general block all traffic from LAN to LAN2 and vice versa. Allow only if needed (specific hosts, specific ports). For your management network block anything but the specific hosts on other LAN interfaces you want to reach. Good luck!

[rickeyw]

.oO(Small home project with this company like network schema?)

GNS3 is very versatile nowadays, and easy to use   

[chemlud]

.oO(Small home project with this company like network schema?)

GNS3 is very versatile nowadays, and easy to use   

Is there a browser plugin or alike? Would be nice for the forum...

[petrus]

eeehhhhh.... https://en.wikipedia.org/wiki/Reserved_IP_addresses ***cough***

Hi,

well not that this will matter much for any home network, but, no 192.0.0.0/24 is not meant to be used for private networks.

rfc6890:

 Address Block        | 192.0.0.0/24 [2]       
[...]
[2] Not usable unless by virtue of a more specific
                  reservation.
         |
2.1.  Assignment of an IPv4 Address Block to IANA

   Table 7 of this document records the assignment of an IPv4 address
   block (192.0.0.0/24) to IANA for IETF protocol assignments.  This
   address allocation to IANA is intended to support IETF protocol
   assignments.

Petrus

[chemlud]

...but we are talking about

...192.0.2.0/24 (reserved for documentation)....

See my link above. Sure not for home use, but in theory...

[rickeyw]

.oO(Small home project with this company like network schema?)

GNS3 is very versatile nowadays, and easy to use   

Is there a browser plugin or alike? Would be nice for the forum...

It is coming with a web- interface too, which is still in dev.
See the attached.
Best,

[rickeyw]

.oO(Small home project with this company like network schema?)

GNS3 is very versatile nowadays, and easy to use   

Is there a browser plugin or alike? Would be nice for the forum...

It is coming with a web- interface too, which is still in dev.
See the attached.
Best,

P.S.

Here's two more finished one "in action",

Best,

[rickeyw]

the other one...