Opnsense Requirement in my private network

Started by Ashwini, March 27, 2018, 06:31:21 AM

Hardware 1 - OPNsense host
Hardware 2 - Server
Hardware 3 - Client

HW 1, 2 and 3 are in the same network.
Internet access is given only to HW2 (server).

HW3 (client) can access HW2 (server).

HW1 (OPNsense) will act as a firewall/router between HW2 and HW3.

My question is how to protect HW3 (client) in case of an external attack on HW2 (server), using the security features of HW1 (OPNsense).

March 27, 2018, 07:25:30 AM #1 Last Edit: March 27, 2018, 08:06:43 AM by elektroinside
With carefully crafted firewall rules.
You will delete the default allow-any-to-any rule on the LAN, create one to allow *any* access for hw2, another one to allow access from hw1 only to hw2 (so only on the LAN side), and finally bring up the local firewall of each OS, adding exceptions for whatever is needed. You will also have to assign static DHCP leases for each hw on the LAN, as manually configuring IP addresses on the LAN clients is not recommended in locked-down environments. You should also consider static ARP entries (read about it before enabling this, otherwise you may get locked out). You should also use limited local users (without admin privileges) on the hw on the LAN.

Without any other exceptions (rules), access to hw2 from the internet is not allowed. This is what almost all firewalls do by default: allow all outgoing, block all incoming.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member
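The rule set the reply describes, written out as pf rules (the packet filter underneath OPNsense) as an added example; it is not from the thread or the OPNsense project. It assumes hw2 and hw3 hang off two different OPNsense interfaces, since traffic between two hosts on the same segment never crosses the firewall; interface names and addresses are constructed placeholders.

```pf
# Assumed layout (constructed): hw2 on igb1, hw3 on igb2, WAN on igb0.
srv_if     = "igb1"           # segment holding hw2 (server)
cli_if     = "igb2"           # segment holding hw3 (client)
hw2_server = "192.168.10.20"
hw3_client = "192.168.20.30"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# The stock "LAN to any" rule the reply says to delete looks like this; with
# it in place a compromised hw2 could open connections to hw3 at will:
#   pass in on $srv_if from $srv_if:network to any keep state

# Default deny on both internal interfaces. Logging the drops means a
# compromised server probing the client segment shows up in the firewall log.
block in log on { $srv_if, $cli_if }

# DHCP for the static leases the reply recommends (OPNsense adds such hidden
# rules itself; shown here so the rule set stands alone).
pass in quick on { $srv_if, $cli_if } proto udp from any port 68 to any port 67 keep state

# hw2 may reach the internet only: nothing in private space, so no path from a
# compromised server back into the client segment.
pass in quick on $srv_if proto { tcp, udp, icmp } from $hw2_server to ! <private> keep state

# hw3 may initiate connections to hw2 and nowhere else. Replies return through
# the state entry, so no rule ever lets hw2 initiate towards hw3.
pass in quick on $cli_if proto { tcp, udp, icmp } from $hw3_client to $hw2_server keep state

# No other pass rule on $cli_if: hw3 gets no internet, as the question requires.
```

If hw1 also serves DNS for hw2, add a pass from $hw2_server to the firewall's own igb1 address on port 53, since the `! <private>` rule deliberately excludes it.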