OPNSense setup in rented apartment

Started by Maginos, August 16, 2022, 08:58:21 AM

Hi guys,

As the title suggests, I live in a house with 60 flats and I would like to run an OPNSense instance in my flat. I get a private IP from my landlord; until now I have had an Edgerouter X running in bridge mode.
What would be the best setup for the Sense?

Here's what I would like to achieve:

- I would like to have WAN Interface on port 0 and the LAN interface on port 1-3.

- The DHCP Server should be active on all LAN Ports.

For the start, this would be enough.

Under Interfaces --> WAN I unchecked "Block private networks" and "Block bogon networks".
What else do you recommend?

The main problem right now is that DNS doesn't work as expected. If I do a ping on the Sense (for LAN and WAN interface), everything works fine; if I do the ping on my MacBook (connected via Ethernet to the LAN), it says "ping: cannot resolve google.com: Unknown host".
The IP address of the DNS Server seems correct.

Besides the changes of the private and bogon networks, I did not change anything compared to the default settings.

Thank you for your help!

Maginos

First of all,
1. are you connecting opnsense to edgerouter or directly?
2. have you tried using the same mac address on the opnsense from edgerouter? (useful if landlord gives ip with dhcp)
3. for the "Block private networks" and "Block bogon networks" part, you need to treat it the same as if you had an ISP providing you internet through DHCP within a subnet with other probably compromised hosts; you usually disable these two options if you have internal OPNsenses routing between your subnets

Since all the tenants in your building are on the same subnet, your situation is like logging into a hotel WiFi where all of your traffic is visible to anyone else staying in the hotel. No need to panic, but just be more vigilant when you see anything odd in the logs or IDS services.

At the very least, disable OPNSense GUI from WAN, disable root login into OPNSense and disable HTTP redirect for GUI (under System ==> Settings).

As for the problem you posted, did you create any firewall rules for LAN? The default is "block all" and that is what seems to be happening in your case.

Quote from: KILLERMANTV on August 16, 2022, 08:15:58 PM
First of all,
1. are you connecting opnsense to edgerouter or directly?
2. have you tried using the same mac address on the opnsense from edgerouter? (useful if landlord gives ip with dhcp)
3. for the "Block private networks" and "Block bogon networks" part, you need to treat it the same as if you had an ISP providing you internet through DHCP within a subnet with other probably compromised hosts; you usually disable these two options if you have internal OPNsenses routing between your subnets

1. Right now I have the Sense connected to the Edgerouter, but in the future, the Sense should replace the Edgerouter.

2. The IP I get from my landlord is static, so it's always the same. I didn't try with the same mac address.

3. Since I have the Sense behind my Edgerouter, I think I need these two options, if I understand it correctly.

Quote from: pankaj on August 17, 2022, 06:53:59 AM
Since all the tenants in your building are on the same subnet, your situation is like logging into a hotel WiFi where all of your traffic is visible to anyone else staying in the hotel. No need to panic, but just be more vigilant when you see anything odd in the logs or IDS services.

At the very least, disable OPNSense GUI from WAN, disable root login into OPNSense and disable HTTP redirect for GUI (under System ==> Settings).

As for the problem you posted, did you create any firewall rules for LAN? The default is "block all" and that is what seems to be happening in your case.

The IP I get from my landlord is 10.46.number_of_my_flat.129. I hope that every flat has its own subnet and there's no routing between the subnets.

If I am able to get the sense working, I will disable OPNSense GUI from WAN, the root login and the HTTP redirect for the GUI. Thanks for the tips.

Please find my firewall rules in the picture. Looks fine to me.

First try just one simple rule (i.e. allow all) like the screenshot below. If it works, then you can start adding more complex rules to make it robust and more secure.

My two cents.

I think, I already have such a rule, as you can see from the picture of my last post. Unfortunately, the "Default allow LAN to any" rule doesn't seem to be the problem.

Enable logging for the default "allow all" rule and see the firewall logs in real time as you ping from a client machine on LAN.

I will check when I'm back from work.

Quote from: pankaj on August 17, 2022, 08:22:19 AM
Enable logging for the default "allow all" rule and see the firewall logs in real time as you ping from a client machine on LAN.

There were no entries where traffic was blocked.

I kind of solved it. If I disable unbound dns and switch to DNSmasq DNS, DNS works as expected and I can browse the web regularly. If I switch then back to unbound, DNS no longer works.
Seems to be a problem for the experts. :D
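As an added illustration of the log check suggested above (this script is not from the thread, from OPNsense, or from any of the posters), the snippet below parses pf filterlog records and separates "DNS is being blocked by a LAN rule" from "DNS passes the firewall, so the resolver itself is the problem", which is the conclusion the thread reaches. Everything in it is constructed: the field layout is assumed to be the FreeBSD filterlog CSV format that OPNsense writes, and the interface names igb0/igb1, rule numbers and addresses are invented sample data.

```shell
#!/bin/sh
# Added example (not from the thread): summarise DNS traffic seen in the pf
# firewall log on a given interface, to tell "firewall blocks DNS" apart from
# "firewall passes DNS, look at the resolver".
#
# Assumed record layout (FreeBSD filterlog CSV as written by OPNsense):
#   rule,sub,anchor,label,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
#   flags,protoid,proto,length,src,dst,sport,dport,datalen
# Interface names (igb0 = WAN, igb1 = LAN), rule numbers and addresses are
# made up for this example.

# Write a constructed sample log to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
67,,,0,igb1,match,pass,in,4,0x0,,64,12345,0,DF,17,udp,61,192.168.1.102,192.168.1.1,52331,53,41
67,,,0,igb1,match,pass,in,4,0x0,,64,12346,0,DF,1,icmp,84,192.168.1.102,142.250.74.78,,,
5,,,0,igb0,match,block,in,4,0x0,,64,4021,0,none,6,tcp,60,10.46.7.200,10.46.7.129,44123,443,0
12,,,0,igb1,match,block,in,4,0x0,,64,12347,0,DF,17,udp,61,192.168.1.102,8.8.8.8,40112,53,41
67,,,0,igb1,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.1.102,192.168.1.1,50211,53,0
EOF
}

# dns_summary LOGFILE IFACE -> "pass=N block=M" counting TCP/UDP records with
# port 53 on either side that pf logged on IFACE (IPv4 only in this sample).
dns_summary() {
    awk -F',' -v iface="$2" '
        $5 == iface && $9 == "4" && ($17 == "udp" || $17 == "tcp") &&
        ($21 == "53" || $22 == "53") {
            if ($7 == "pass") p++
            else if ($7 == "block") b++
        }
        END { printf "pass=%d block=%d\n", p + 0, b + 0 }
    ' "$1"
}

# dns_verdict LOGFILE IFACE -> one-line interpretation of the summary.
dns_verdict() {
    summary=$(dns_summary "$1" "$2")
    passed=${summary#pass=}; passed=${passed%% *}
    blocked=${summary##*block=}
    if [ "$blocked" -gt 0 ]; then
        echo "firewall: $blocked DNS packet(s) blocked on $2, check the LAN rules"
    elif [ "$passed" -gt 0 ]; then
        echo "firewall: DNS passes on $2, look at the resolver (Unbound forwarding)"
    else
        echo "no DNS traffic logged on $2, enable logging on the LAN allow rule first"
    fi
}

# Stand-alone demonstration on the constructed sample.
log=$(mktemp)
make_sample_log "$log"
dns_summary "$log" igb1
dns_verdict "$log" igb1
rm -f "$log"
```

On a real box the input would be the filterlog export rather than the constructed file; in the thread's situation the summary comes back with block=0 and a non-zero pass count, which is exactly the "look at the resolver" branch that led to the Unbound forwarding fix.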

Got it.
Enable "Services --> Unbound DNS --> Query Forwarding --> Use System Nameservers"

Quote from: Maginos on August 17, 2022, 07:37:22 AM
Quote from: KILLERMANTV on August 16, 2022, 08:15:58 PM
First of all,
1. are you connecting opnsense to edgerouter or directly?
2. have you tried using the same mac address on the opnsense from edgerouter? (useful if landlord gives ip with dhcp)
3. for the "Block private networks" and "Block bogon networks" part, you need to treat it the same as if you had an ISP providing you internet through DHCP within a subnet with other probably compromised hosts; you usually disable these two options if you have internal OPNsenses routing between your subnets

1. Right now I have the Sense connected to the Edgerouter, but in the future, the Sense should replace the Edgerouter.

2. The IP I get from my landlord is static, so it's always the same. I didn't try with the same mac address.

3. Since I have the Sense behind my Edgerouter, I think I need these two options, if I understand it correctly.

3. If you have your Edgerouter in bridge mode (no firewall), you effectively have a beefy switch: all the hosts on the next network can access your subnet. Both my ISPs gave me their devices in bridge mode, and I regularly see nmap and other tools trying to scan my network from the ISP's subnet. Those options you turned off block anything trying to enter your subnet except established connections.

Thank you for the tip, I have enabled the two options.

Adding the rule and plugging in the laptop directly gave it the inet address 192.168.1.102, at least from what I could tell from ifconfig.
And I can't ping the Edgerouter from my laptop on a LAN or WiFi connection, but I can ping it from the OPNsense install. Still can't seem to update the packages, though.

Digging through the settings under Services -> [WAN] -> Available range, I'm seeing an error message:

No available address range for configured interface subnet size

Searching it online, I only found the message declaration: https://github.com/opnsense/lang/blob/master/pt_PT.po#L10310