Planning for a migration to OPNsense (appliance)

[Koloa]

Good time of day all,

I recently took the plunge into OPNsense in a large way - bought one of the Deciso appliances which is en route to me now. 

I don't have a background in pfSense or m0n0wall, but, have worked with networks, firewalls, routing and the Internet for multiple decades (yeah, greybeard here).

As I'm sure most of you do, I like to plan out network changes as carefully as I can, and whilst I spent several days becoming familiar with OPNsense, plugins, configuration, this forum, and so on (software testing was via Parallels on my Mac), I realise that ACTUAL migration to the OPNsense appliance will come with a few more challenges.

The initial network that I'm testing this on is just going to be my home (rather I suffer than an employer suffer).  As I was documenting the various changes and tweaks I know I'll need to make, it occurred to me that since the Deciso appliance is headless, setting it up and configuring it may or may not be straightforward.

As I understand it, the default configuration will be that interface 0 (as labelled on the front panel of the DEC800 series) will be the WAN port, and interface 1 will be LAN.  Also, from what I gather, interface 1 will be 192.168.1.1/24.

I will need to make changes to the network addresses and mask to fit in with my home setup, but, I don't want to put the appliance "in line" to my gigabit WAN Internet service until I've got at least the basics set up right.

I'd appreciate any input from users of the Deciso appliances in particular about how they recommend initial setup.  I am sure I can dig up a USB C -> USB A -> USB Mini B -> Console port cable if needed, but, it was my understanding that whilst this would be useful for booting information, without explicitly enabling the serial console in OPNsense, I may not be able to use this for initial configuration.

No doubt I'm making some false assumptions, and there may even be documentation that will come with the unit when it arrives next week that makes this all much more obvious, but, I still like to plan through these things as much as possible in advance.

So if anyone has any advice on those very first initial steps with a headless appliance like the DEC850/DEC840, I'd really appreciate them!

My priority is simply getting the device to be accessible on my LAN so that I can configure it for the right number plan for existing devices.

My second priority is making sure that LAN to WAN connectivity works.  I've read through many posts on the forum and have conflicting views as to how automatic or manual this will be.  Since this is a residential ISP, and I have a static /56 for IPv6 and /32 for IPv4, my intention was actually to hope that the DHCP (and DHCPv6) on WAN would obtain the right details from my provider (as currently happens with my ASUS home router).  From there, I'm less clear.

Will I have to manually enable any sort of NAT from LAN to WAN?  Any firewall rules?

Essentially, I want to OPNsense to act like a home router whilst I become more familiar with it in situ, rather than a "lab" on virtual machines.

In my experiments on virtual machines, I did an excellent job of fubaring up the configuration (due to the vagaries of virtual machine "host only/shared/interface bound" interface configs) that more than once I blew away the VM and started over.  Trying to avoid that with the appliance!

Realise these sorts of newbie questions are often annoying to experts, but, if there is any input people could provide, I'd be grateful.  I've spent way too much time going down YouTube video rabbit holes on this topic as well, but still am not clear on whether or not I'll have to muck about with NAT and/or Firewall rules to Get Going.  Just want to have a sense of what I need to read or learn about to make my Deciso appliance act like a very simple home router as quickly as possible. 

Thank you!

[cookiemonster]

Welcome to the forum.
Will you connecting to your ISP with a modem in front of the OPN appliance when setup permanently?, and could you leave an hour window of downtime to set OPN up?
I ask because in my case, everytime I just put in the OPN device (not a deciso appliance but ones I install OPN on) on by plugging the WAN cable, and one on the LAN to a switch, or even just the WAN one, it sets everything up right in regards to identifying the WAN and setting the firewall rules that are sensible defaults to it. That includes blocking in by default but enabling dhcp, network, access from LAN, etc. Leaves you in a good place to start to follow the docs to setup the rest and only if needed. Pretty much plug and play.
What I have also seen is that when setting up as an additional device to an existing network, this guessing is impeded, and the user is required to set it up pretty much from scratch. A different proposition entirely for someone new to firewalls. All possible but many defaults will need to be done manually, like defining the wan interface, setting up the rules, etc.
I don't use IPV6, so I can't comment on that. Good luck.

[Koloa]

Thanks very much for the reply!

No modem will be involved in my setup; the fibre terminates into a cat-6 RH45, which is where I'll be plugging the OPNsense WAN connection.

The current ASUS is a WiFi router; the WAN port going to my fibre termination device directly.  I'll be converting the ASUS into an Access Point device only.  I already moved DHCP off of it some time ago (being done on a Pi-Hole at the moment), so that part should be fairly painless.

I'm willing to knock out my home Internet for an hour or so if the setup is as easy as you suggest -- I have a laptop that I can plug directly into the Deciso appliance, and set to something like 192.168.1.2/24 and plug the appliance directly into the proper Internet.

It just wasn't clear to me if the automatic detection/setup on initial boot would be clever enough for that.   But it sounds like it does make educated guesses and having the actual network connected is likely to give the best results.  I'll give that a shot.

Thanks!

[lilsense]

I do have a DEC850 and process is quite simple, just plug and play and follow the directions.

for console, I use https://www.get-console.com/shop/en/25-airconsole-mini-20
which gives you ability to console with SSH.

The NAT is on by default and most configuration is pretty straight forward. Since OPNsense is on FreeBSD its ability to do things is enormous specially on DEC850. One thing I recommend is to offload all the log files to a remote server to increase the life span of the SSD.

Here's a link for additional documentation: https://forum.opnsense.org/index.php?topic=29171.0

[Koloa]

Outstanding lilsense, thanks very much.  I just wasn't sure if the "directions" would be visible, being headless and all.

I really like that AirConsole Mini, never seen that.  Looking into ordering now.

I tried to find that book, but, frustratingly, it doesn't seem available in the Australian Apple Books store, no matches to the title, or author (nothing for OPNsense at all).  I'll keep hunting!

[Sar6e]

I too wanted to be able to drop in the OPNSense gateway as a working replacement rather than a work in progress, so I understand where you are coming from. 

My solution was to configure offline.  It did mean I missed the benefits cookiemonster highlights with the auto sensing of inputs if booted up when plugged in.  I just manually assigned my interfaces in the console screen.

After that, I connected a device (in may case a raspberry pi) over ethernet to the gateway to create a stand alone network of 2 devices (gateway and pi) and used the browser to complete the config over a few days to point where no one else in the household would notice anything when it was switched in to replace the router.  I much preferred that to feeling time pressured because the internet was down and word with friend was unavailable!   

[Koloa]

Yeah, I've spent a few weeks now wrapping my head around the process, creating VM after VM, trying to make sure I've got a good strategy -- and I think I'm nearly there with comfort.  I still have a Plan B in mind (going back to the way it was), at least!

I will try to update this thread when I get the device (next week) and add in any extra comments/gotchas for future readers.