OPNsense Alternatives for DMZ

Started by amd.64, December 08, 2024, 12:17:34 AM

I am looking for suggestions.

I currently use OPNsense for my router / firewall. I am also building a DMZ, so I am looking to add a second firewall, preferably something other than OPNsense.

I want something like OPNsense, i.e. something I can install on a computer or server and that is open source. I would also prefer something that has a web interface.


  • I tried IPFire but do not like it.
  • I considered pfSense, but it is based on FreeBSD just like OPNsense.
  • ClearOS apparently has gone away, i.e. their website can't be found.
  • Endian Firewall will not load on the hardware I have.
  • m0n0wall: although they have a download page, there is no link to actually download it.


Systems like Untangle have a subscription.

Anyone have good suggestions?

Why not configure a DMZ interface on your current OPNsense firewall?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I found several other options out there, mainly small or older and less well supported. You could try VyOS to keep yourself occupied for a while.

If you want an internal firewall for your trusted devices in case the OPNsense is somehow compromised then my practical suggestion is that you review your criteria, either repeating with OPNsense, learning to love IPFire, or buy a Mikrotik or some such.
Deciso DEC697
+crowdsec +wireguard

Quote from: passeri on December 08, 2024, 12:42:06 AM
I found several other options out there, mainly small or older and less well supported. You could try VyOS to keep yourself occupied for a while.

Yes, that is the problem I ran into; most of the ones I found are no longer supported. The website for ClearOS isn't even active any more. I have seen VyOS in CompTIA labs, but did not do much with it in those labs. However, it does look like they have no web interface. I wouldn't mind using it, web interface or not, if their commands are similar to the Cisco CLI, which would help me prepare for the CCNA whenever I get a chance to take it.

Quote from: passeri on December 08, 2024, 12:42:06 AM
If you want an internal firewall for your trusted devices in case the OPNsense is somehow compromised then my practical suggestion is that you review your criteria, either repeating with OPNsense, learning to love IPFire, or buy a Mikrotik or some such.


Yes, whatever I use will be for the internal firewall in the event OPNsense or one of the systems in the DMZ is compromised. I do have a TP-Link SOHO router I have thought about using for the internal FW, which is a last resort. I would like something with more features, however.

Quote from: Patrick M. Hausen on December 08, 2024, 12:30:59 AM
Why not configure a DMZ interface on your current OPNsense firewall?

I may be wrong, but my opinion is having two firewalls would provide more security than a single FW and a DMZ.

Yes, the dual or staged firewall strategy is a traditional design to secure user assets from internal areas of higher risk, diagrammed in textbooks and on Wikipedia. As a matter of fact I use it myself, although my view is that even before that step the users (us) are the main vulnerability.

Usually when people mention two routers there are mutterings about double-NAT but the second firewall's purpose is to block the outside completely; no NAT or other external hole on the second firewall at all, or it loses the point.

Conversely I have another internal firewall which blocks an internal device from contacting anything at all, local or anywhere else. It receives local replies to its NTP requests, and responds if contacted on a single port which I can access in my network (including VPN). I take no risks with others seeing through my cameras or otherwise compromising the Linux-based NVR. I can see that the NVR tries constantly to contact a variety of sites. Maybe it just likes to check for software updates once a minute. More likely it is trying to contact the manufacturer's management portal on the assumption you are using it.

It just depends on what you think is a relevant threat, or personal desire for assurance, or whether you get kicks configuring routers :o .
Deciso DEC697
+crowdsec +wireguard
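The staged design described in the post above (an outer firewall that exposes a DMZ host, an inner firewall with no NAT and no inbound hole at all, and a third filter that lets the NVR reach only a local NTP server while being reachable on a single port) can be checked as a policy before it is typed into any firewall. The following is an added example, not code from the post or from OPNsense or any other project: it models each firewall as a default-deny stateful packet filter, places the three in series, and runs constructed sample flows through them. All addresses (RFC 5737 documentation ranges), port numbers, the 8080 NVR port and the simplified "reply matches an open flow" state tracking are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing; none of these are real hosts.
INTERNET = ip_network("198.51.100.0/24")   # "outside" clients
DMZ = ip_network("192.0.2.0/24")           # hosts exposed through the outer firewall
LAN = ip_network("10.0.0.0/24")            # trusted user network behind the inner firewall
NVR_IP, NTP_IP = "10.0.0.50", "10.0.0.1"   # camera recorder and the local NTP server it may use
NVR = ip_network(f"{NVR_IP}/32")
NTP_SERVER = ip_network(f"{NTP_IP}/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    new: bool = True   # True = first packet of a flow; False = reply / established traffic


@dataclass(frozen=True)
class Rule:
    src: object        # ip_network
    dst: object        # ip_network
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (self.dport is None or p.dport == self.dport)
                and (self.proto is None or p.proto == self.proto))


class StatefulFilter:
    """Default-deny filter with a flow table: only an explicit pass rule opens a
    flow, and a reply passes only if it answers a flow this filter opened."""

    def __init__(self, name: str, rules: list[Rule]):
        self.name, self.rules, self.flows = name, rules, set()

    def allow(self, p: Packet) -> bool:
        if not p.new:
            # Reply packets are keyed on the flow they answer: (client, server, server port).
            return (p.dst, p.src, p.sport, p.proto) in self.flows
        for r in self.rules:
            if r.matches(p):
                self.flows.add((p.src, p.dst, p.dport, p.proto))
                return True
        return False


def zone(addr: str) -> int:
    """Zones are ordered from outside (0) to most protected (3)."""
    a = ip_address(addr)
    return 3 if a in NVR else 2 if a in LAN else 1 if a in DMZ else 0


def build_topology() -> list[StatefulFilter]:
    outer = StatefulFilter("outer (internet <-> DMZ)", [
        Rule(INTERNET, ip_network("192.0.2.10/32"), 443, "tcp"),  # port forward to the DMZ web server
        Rule(DMZ, ANY),   # DMZ hosts may go out
        Rule(LAN, ANY),   # LAN traffic the inner firewall already passed may go out
    ])
    inner = StatefulFilter("inner (DMZ <-> LAN)", [
        Rule(LAN, ANY),   # outbound only: deliberately no inbound rule and no NAT
    ])
    nvr_fw = StatefulFilter("nvr (LAN <-> NVR segment)", [
        Rule(NVR, NTP_SERVER, 123, "udp"),   # NVR may only ask the local NTP server for time
        Rule(LAN, NVR, 8080, "tcp"),         # the single port reachable from the LAN (and VPN users on it)
    ])
    return [outer, inner, nvr_fw]   # filters[i] sits between zone i and zone i+1


def permitted(filters: list[StatefulFilter], p: Packet) -> bool:
    """A packet passes only if every filter on its path passes it, evaluated in traversal order."""
    s, d = zone(p.src), zone(p.dst)
    crossed = filters[min(s, d):max(s, d)]
    if s > d:
        crossed = crossed[::-1]
    return all(f.allow(p) for f in crossed)


def run_scenarios() -> dict[str, bool]:
    fw = build_topology()
    web, client, pc = "192.0.2.10", "198.51.100.7", "10.0.0.5"
    return {
        "internet->dmz web 443":    permitted(fw, Packet(client, web, 51000, 443)),
        "dmz web reply->internet":  permitted(fw, Packet(web, client, 443, 51000, new=False)),
        "dmz host->lan smb 445":    permitted(fw, Packet(web, pc, 40000, 445)),
        "internet->lan ssh 22":     permitted(fw, Packet(client, pc, 40001, 22)),
        "lan pc->internet 443":     permitted(fw, Packet(pc, client, 52000, 443)),
        "internet reply->lan pc":   permitted(fw, Packet(client, pc, 443, 52000, new=False)),
        "nvr->local ntp 123":       permitted(fw, Packet(NVR_IP, NTP_IP, 123, 123, "udp")),
        "ntp reply->nvr":           permitted(fw, Packet(NTP_IP, NVR_IP, 123, 123, "udp", new=False)),
        "nvr->vendor portal 443":   permitted(fw, Packet(NVR_IP, client, 53000, 443)),
        "lan admin->nvr 8080":      permitted(fw, Packet(pc, NVR_IP, 53001, 8080)),
        "internet->nvr 8080":       permitted(fw, Packet(client, NVR_IP, 53002, 8080)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'PASS ' if ok else 'BLOCK'} {name}")
```

The scenarios make the post's point concrete: the DMZ web server is reachable from outside and can answer, but a compromised DMZ host gets nowhere on the LAN because the inner filter has no inbound rule to match; LAN clients still reach the internet because their replies match state on both filters; and the NVR gets exactly its NTP exchange plus one LAN-facing port, with its constant attempts to reach outside dropped at the first filter it meets.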

December 09, 2024, 09:32:33 AM #6 Last Edit: December 09, 2024, 09:36:05 AM by meyergru
One should take a second to think for oneself before going down that route...

That (theoretical) textbook design was conceived long ago and it was mainly meant for high-value targets, like banks. Been there - done that, but 25 years ago.

The idea basically was that if a specific vulnerability was to be found in one product, it might be absent in the other, such that by employing two different firewall types (preferably on different OSes), you would have to break both to get at the (unprotected) target.

However, if you do that in a home or even normal business setup, it is quite overkill. In business setups, there are often automations in place to create the same rule for both firewalls at once - in a home setup, you will most likely have to set up everything twice. The probability of this going wrong mostly outweighs the gained security, let alone other problems like a potential lack of separated management interfaces - mind you: both firewalls cannot be on the same management network, because that would give a backdoor from one firewall to the other...

Also, the types of real-world threats have changed since the olden days (tm) to inside-out threats via tunneling and all sorts of application vulnerabilities that do not even need breaking the firewall(s) any more at all.

And finally: Are your assets a high-value target?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+