New setup, need expert eyes and suggestions

Started by ezra55, December 24, 2017, 04:03:29 PM

December 24, 2017, 04:03:29 PM Last Edit: December 26, 2017, 05:59:20 PM by ezra55
Hey guys,

Been working on this setup for quite a while now. I'd like some pointers and expert views on how I've set up the system. I cannot test it yet since I'm away from home for a few more weeks. I'd like to have it ready for when I return home. I have an OPNsense box with:

  • Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (4 cores)
  • 4 GB RAM DDR3
  • 16 GB SSD
  • 2GB SWAP, VAR and TMP in RAM
  • 4x Port - Interfaces: ESXi, LAN, LAN2 (unused for now), WIFI, WAN
  • OPNsense 17.7.5-amd64
  • FreeBSD 11.0-RELEASE-p12
  • OpenSSL 1.0.2l 25 May 2017
  • 1x WiFi onboard (used as guest network/IoT devices with no access to other NICs, only HTTP/HTTPS/DNS)
  • 1x Wireless AP (2.4 and 5 GHz) attached to interface LAN
  • DHCP server enabled on: ESXi, LAN, WIFI
  • Static DHCP entries created with MAC addresses for all existing devices
  • Aliases for all existing devices and networks
  • WAN address is for now local to have some internet connection, this will change once I install the router in my network for real
My goals are the following:

  • Set up 4x OpenVPN clients (done)
  • Set up 1x OpenVPN server (done)
  • Set up a FailoverVPN gateway group for all of the 4 VPN clients (done)
  • Block all access to Google's DNS (done)
  • Route Netflix IPs over default ISP DHCP WAN (done)
  • Route OPNsense traffic over the FailoverVPN
  • Route all traffic over the FailoverVPN https://forum.opnsense.org/index.php?topic=4979.0 See screen (done)
  • Block all traffic to my default ISP DHCP gateway See screen (done)
  • Use 2x DNS servers for the entire network/system (VPN company provided DNS servers: 209.222.18.218 & 209.222.18.222) (done)
  • Block all DNS requests to only use Unbound DNS, which in turn uses the servers mentioned above (done)
  • Block traffic from WIFI to all interfaces, only allow internet access and OPNsense as DNS
  • For now allow ESXi, LAN to access all interfaces. Later I will tighten these to only allow certain ports in and out on ESXi to LAN with aliases
  • Block all Plex metrics traffic with alias metrics.plex.tv, floating rule?

Port forwards:
https://imgur.com/zStbMCR

Rules:
Floating
https://imgur.com/P0gGbkJ

ESXi
https://imgur.com/qz9W80U

LAN
https://imgur.com/UCeeTdV

LAN2
https://imgur.com/5yQlyCc

OPENVPN (server)
https://imgur.com/VUGazFX

PIA
https://imgur.com/XtkCUSa

PIA2
https://imgur.com/iEVnFfx

PIA3
https://imgur.com/7FhKVu0

PIA4
https://imgur.com/O5rtTdR

WAN
https://imgur.com/IsLO9Kt

WIFI
https://imgur.com/UjpZsvc

Outbound NAT:
https://imgur.com/HLwHexX
https://imgur.com/Y3jRUbi
https://imgur.com/fgOMWwY

Gateways:
https://imgur.com/3dfOYes
Groups:
https://imgur.com/a/AilFa

Interfaces:
https://imgur.com/r9WwokQ

General settings (DNS):
https://imgur.com/RdKVSKv

Unbound DNS:
https://imgur.com/m2DMyAK

DNS redirect rules:
To restrict client DNS to only the specific servers configured on a firewall, a port forward may be used to capture all DNS requests sent to other servers.

Before adding this rule, ensure the DNS Forwarder or DNS Resolver is configured to bind and answer queries on Localhost, or All interfaces.

In the following example, the LAN interface is used, but it could be used for any local interface. Change the Interface and Destination as needed.

Navigate to Firewall > NAT, Port Forward tab
Click Add to create a new rule
Fill in the following fields on the port forward rule:
Interface: LAN
Protocol: TCP/UDP
Destination: Invert Match checked, LAN Address
Destination Port Range: 53 (DNS)
Redirect Target IP: 127.0.0.1
Redirect Target Port: 53 (DNS)
Description: Redirect DNS
NAT Reflection: Disable

Quote: This procedure will allow the firewall to block DNS requests to servers that are off this network. This can force DNS requests from local clients to use the DNS Forwarder or Resolver on OPNsense for resolution. When combined with OpenDNS, this allows DNS-based content filtering to be enforced on the local network.

1. Set up OpenDNS servers (or whatever DNS servers are preferred) in System > General.
2. Add a firewall rule on Firewall > Rules, LAN tab permitting TCP/UDP source:any to the firewall's LAN IP address, port 53 (destination IP and port).
3. Move this newly created rule from step #2 to the very top of the LAN rules.
4. Add a new rule blocking protocol TCP/UDP source:any destination:any.
5. Move the rule created in step #4 to the second position behind the permit rule that was moved in step #3.
6. That's it. Enjoy the fact that the hosts behind OPNsense can only talk to the built-in DNS resolver running on LAN, which uses your DNS.

Hope you guys can help me out to achieve some of my goals!
Thanks and merry Christmas!!
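The DNS redirect procedure quoted above, modelled as an added example (this is not code from the thread or from OPNsense): a small first-match rule evaluator that applies the "Redirect DNS" port forward before the LAN rules, as pf does, and shows why step 3 puts the permit rule above the block rule. The addresses, the client, and the associated filter rule that the port forward creates are assumptions.

```python
from ipaddress import ip_address

# Constructed sample topology (not taken from the thread): firewall LAN address,
# Unbound listening on localhost, and one LAN client.
LAN_ADDR = ip_address("192.168.1.1")
LOOPBACK = ip_address("127.0.0.1")
CLIENT = ip_address("192.168.1.50")
DNS = 53

def packet(dst, dport, proto="udp", src=CLIENT):
    """Build a minimal packet description for the evaluator."""
    return {"src": src, "dst": ip_address(dst), "dport": dport, "proto": proto}

def port_forward(pkt):
    """The 'Redirect DNS' port forward: TCP/UDP, destination 'Invert Match' LAN
    address, port 53 -> 127.0.0.1:53. pf applies rdr before the filter rules,
    so the rules below see the translated destination."""
    if pkt["proto"] in ("tcp", "udp") and pkt["dport"] == DNS and pkt["dst"] != LAN_ADDR:
        return {**pkt, "dst": LOOPBACK}
    return pkt

# Filter rules: (action, destination or None for any, port or None for any).
PERMIT_TO_FIREWALL = ("pass", LAN_ADDR, DNS)  # step 2: LAN -> firewall LAN IP, port 53
ASSOCIATED = ("pass", LOOPBACK, DNS)          # filter rule the port forward creates (assumed)
BLOCK_ALL = ("block", None, None)             # step 4 as quoted: TCP/UDP any -> any

PROCEDURE_ORDER = [PERMIT_TO_FIREWALL, ASSOCIATED, BLOCK_ALL]  # after steps 3 and 5
WRONG_ORDER = [BLOCK_ALL, PERMIT_TO_FIREWALL, ASSOCIATED]      # block rule left on top

def evaluate(pkt, rules):
    """First-match ('quick') evaluation after translation. Returns (action, final dst)."""
    pkt = port_forward(pkt)
    for action, dst, port in rules:
        if (dst is None or dst == pkt["dst"]) and (port is None or port == pkt["dport"]):
            return action, str(pkt["dst"])
    return "block", str(pkt["dst"])  # implicit default deny when nothing matches

if __name__ == "__main__":
    samples = [("client -> 8.8.8.8:53 (Google DNS)", packet("8.8.8.8", DNS)),
               ("client -> firewall:53", packet("192.168.1.1", DNS)),
               ("client -> 1.1.1.1:443 (HTTPS)", packet("1.1.1.1", 443))]
    for label, pkt in samples:
        print(f"{label}: {evaluate(pkt, PROCEDURE_ORDER)}")
    print("firewall:53 with block on top:", evaluate(packet("192.168.1.1", DNS), WRONG_ORDER))
```

Note that the step 4 block rule as quoted carries no port, so any LAN traffic not passed by a rule above it (the HTTPS sample here) is dropped too; existing allow rules have to sit above it.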


For your own experience it would be better to try it out yourself and only ask if you have a specific problem. From what I read most things should easily be done. I haven't checked all the screenshots since time is limited.

December 26, 2017, 02:47:12 PM #3 Last Edit: December 26, 2017, 03:31:08 PM by ezra55
Yes, thanks...

Anyone else?