home network with two opnsense firewalls, and split-DNS

Started by rickeyw, February 04, 2020, 08:56:08 PM

Hello Everyone!

I am doing a small home project with a second LAN protected by a second, internal firewall (# 2).
The DMZ will be used for a "honeypot/net".
There will also be a "Management VLAN" working within the networks, and having no Internet.
The DNS resolution indeed is done by a couple of caching DNSes installed as BIND at a cloud provider. All the local resolvers will forward the DNS requests to the cloud ones. There are ACLs applied there so only designated IP addresses are allowed to query. This part is already finished, and works fine with the vpn, proxy, tor, pihole, etc.

1. The major question is how to configure the interfaces, and the network between the two firewalls?
I read part of the book about OPNsense, and the author was using 192.0.2.0/24 (reserved for documentation) for the labs. Most similar configurations I have seen up to now are indeed using DMZ ports, and public IP addresses between the firewalls.
I am not really sure that I need to use the above range, and how to configure interface "e2" on "opnsense1" - as "second wan", or "second lan"? Same applies for "GigabitEthernet0\0" on "opnsense2"?
How to configure the rules, routing, and NAT afterwards on both firewalls so that the "internal" firewall has the Internet "passed thru", and basically just that... (some DNS too)?
For inter-subnet communication that cannot be avoided I will use vpn.

2. Overall I am also not really sure how the concept of "second LAN" works on OPNsense so that it acts like the "initially installed LAN" - Do I create it, and then just copy the same pre-installed rules as in the original one? Is there a "shortcut" way to do it?

3. If so, and if I go a little bit further, how to configure an additional "management network" that is supposed to be "blind" to the Internet, and "works" with all crucial devices on all networks (it will be the only interface to access the web interfaces of the firewalls too) - My guess is just to create "additional LAN" interfaces on the firewalls, and remove all rules but the anti-lockout one?
The rest is easy - just create the same vlan on all switches, connect all needed devices thru their designated "management ports" and it is done.

Please, tell me what do you think from overall perspective, and how to resolve the particular questions if you think the "general plan" is basically ok :)

The Schema is attached.

Thank you very much for your kind help!

Best Regards,

Rick

.oO(Small home project with this company like network schema?)
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Hi,

my home network looks even more complicated, and your questions seem to be like someone's who is not completely familiar with private ranges... (no harm meant, but I think it still looks like a hobbyist's exercise)

https://en.wikipedia.org/wiki/Private_network
don't use 192.0.x.x, just 192.168.x.x or see the link for 10.x.x.x etc.

So you could just have one interface configured as LAN with 10.1.1.1/24 and one as WAN initially.
Then, after you can access the GUI over the LAN interface, you add new interfaces like MGT with 10.1.2.1/24, and so on.
Then you make sure to configure rules so that a PC behind MGT can reach the Opnsense GUI and if verified, you just change your ruleset so that LAN can't access the GUI any more.

You set up NAT rules to get into the internet.

I don't know why you want to use VPN to communicate between your local subnets, but do yourself a favor, don't do it...

Try to read the Opnsense docs and https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/

I don't have the time to go into more detail, but I hope I could help a bit.

Petrus

Quote from: petrus on February 06, 2020, 05:02:50 PM
Hi,

my home network looks even more complicated, and your questions seem to be like someone's who is not completely familiar with private ranges... (no harm meant, but I think it still looks like a hobbyist's exercise)

https://en.wikipedia.org/wiki/Private_network
don't use 192.0.x.x, just 192.168.x.x or see the link for 10.x.x.x etc.

So you could just have one interface configured as LAN with 10.1.1.1/24 and one as WAN initially.
Then, after you can access the GUI over the LAN interface, you add new interfaces like MGT with 10.1.2.1/24, and so on.
Then you make sure to configure rules so that a PC behind MGT can reach the Opnsense GUI and if verified, you just change your ruleset so that LAN can't access the GUI any more.

You set up NAT rules to get into the internet.

I don't know why you want to use VPN to communicate between your local subnets, but do yourself a favor, don't do it...

Try to read the Opnsense docs and https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/

I don't have the time to go into more detail, but I hope I could help a bit.

Petrus

eeehhhhh.... https://en.wikipedia.org/wiki/Reserved_IP_addresses ***cough***
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote: 2. Overall I am also not really sure how the concept of "second LAN" works on OPNsense so that it acts like the "initially installed LAN" - Do I create it, and then just copy the same pre-installed rules as in the original one? Is there a "shortcut" way to do it?

No shortcut, but I would not use the default "allow any any" rule(s) as given on the default LAN interface, neither for LAN, nor for LAN2 or whatever you are going to call it. Establish rules with higher granularity that allow anything you need, but not more, either on the level of each individual host or for the complete LAN net...

Quote: 3. If so, and if I go a little bit further, how to configure an additional "management network" that is supposed to be "blind" to the Internet, and "works" with all crucial devices on all networks (it will be the only interface to access the web interfaces of the firewalls too) - My guess is just to create "additional LAN" interfaces on the firewalls, and remove all rules but the anti-lockout one?

Depends. I would in general block all traffic from LAN to LAN2 and vice versa. Allow only if needed (specific hosts, specific ports). For your management network block anything but the specific hosts on other LAN interfaces you want to reach. Good luck!
kind regards
chemlud
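To make the rule advice from petrus (MGT reaches the GUI, LAN does not) and chemlud (block LAN<->LAN2, allow only specific hosts and ports) concrete, here is an added example, not from the thread and not OPNsense's own code, that models per-interface rules the way OPNsense evaluates them: on the inbound interface, top-down, first match wins, default deny. The interfaces, addresses and the host 10.1.1.10 are constructed assumptions; on a real box the automatic anti-lockout rule on LAN, which sits above the user rules, has to be disabled first or the LAN block below never matches.

```python
from ipaddress import ip_address, ip_network

# Constructed plan (assumption, not the thread's attached schema): one OPNsense box with
# LAN 10.1.1.0/24, MGT 10.1.2.0/24 and LAN2 10.1.3.0/24; the firewall holds .1 on each.
FW_SELF = {ip_address(a) for a in ("10.1.1.1", "10.1.2.1", "10.1.3.1")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUI_PORTS = {443, 22}  # web GUI and SSH of the firewall

def rule(action, dst="any", dports=None, proto="tcp", src="any"):
    return {"action": action, "dst": dst, "dports": dports, "proto": proto, "src": src}

# Rules per interface apply to traffic *entering* it, top-down, first match wins
# (OPNsense rules are "quick" by default); an implicit default deny closes each list.
RULES = {
    "MGT": [
        rule("pass", dst="self", dports=GUI_PORTS),        # only MGT reaches the GUI/SSH
        rule("pass", dst="10.1.1.10/32", dports={22}),     # plus one named host on LAN
    ],                                                     # no Internet rule: MGT stays "blind"
    "LAN": [
        rule("pass", dst="self", dports={53}, proto="udp"),  # DNS to the firewall itself
        rule("block", dst="self", dports=GUI_PORTS),       # GUI blocked on *every* FW address
        rule("block", dst="rfc1918"),                      # no LAN -> MGT / LAN2 at all
        rule("pass"),                                      # Internet only
    ],
    "LAN2": [rule("block", dst="rfc1918"), rule("pass")],
}

def _dst_match(spec, dst):
    if spec == "any":
        return True
    if spec == "self":
        return dst in FW_SELF
    if spec == "rfc1918":
        return any(dst in n for n in RFC1918)
    return dst in ip_network(spec)

def evaluate(iface, src, dst, dport, proto="tcp"):
    """Return 'pass' or 'block' for a packet arriving on iface."""
    src, dst = ip_address(src), ip_address(dst)
    for r in RULES.get(iface, []):
        if r["proto"] != proto:
            continue
        if r["src"] != "any" and src not in ip_network(r["src"]):
            continue
        if r["dports"] is not None and dport not in r["dports"]:
            continue
        if _dst_match(r["dst"], dst):
            return r["action"]
    return "block"  # default deny
```

The second LAN rule is the detail that bites: the GUI listens on every firewall address, so blocking only 10.1.1.1 would still leave 10.1.2.1:443 reachable from LAN.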

Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use ;)

Quote from: rickeyw on February 07, 2020, 11:28:54 AM
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use ;)

Is there a browser plugin or alike? Would be nice for the forum...
kind regards
chemlud

Quote from: chemlud on February 06, 2020, 06:59:46 PM
eeehhhhh.... https://en.wikipedia.org/wiki/Reserved_IP_addresses ***cough***

Hi,

well, not that this will matter much for any home network, but no, 192.0.0.0/24 is not meant to be used for private networks.

rfc6890:

Address Block        | 192.0.0.0/24 [2]
[...]
[2] Not usable unless by virtue of a more specific reservation.

2.1.  Assignment of an IPv4 Address Block to IANA

   Table 7 of this document records the assignment of an IPv4 address
   block (192.0.0.0/24) to IANA for IETF protocol assignments.  This
   address allocation to IANA is intended to support IETF protocol
   assignments.

Petrus

...but we are talking about

Quote: ...192.0.2.0/24 (reserved for documentation)....

See my link above. Sure not for home use, but in theory...
kind regards
chemlud
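The exchange above (petrus on 192.0.0.0/24, chemlud on 192.0.2.0/24) shows how easily a "192.0.x.x" block is mistaken for a private range, so here is an added example, not from the thread, that checks an addressing plan against the RFC 6890 special-purpose registry and flags overlapping subnets. The registry rows come from RFC 6890 / RFC 1918 / RFC 5737 / RFC 6598; the plan values in the test are constructed.

```python
import ipaddress

# Special-purpose IPv4 blocks (RFC 6890 registry; RFC 1918, RFC 5737, RFC 6598 entries).
# The flag says whether the block may be used for private addressing.
SPECIAL_BLOCKS = [
    ("10.0.0.0/8",      "Private-Use (RFC 1918)",                True),
    ("172.16.0.0/12",   "Private-Use (RFC 1918)",                True),
    ("192.168.0.0/16",  "Private-Use (RFC 1918)",                True),
    ("100.64.0.0/10",   "Shared Address Space / CGN (RFC 6598)", False),
    ("192.0.0.0/24",    "IETF Protocol Assignments (RFC 6890)",  False),
    ("192.0.2.0/24",    "Documentation TEST-NET-1 (RFC 5737)",   False),
    ("198.51.100.0/24", "Documentation TEST-NET-2 (RFC 5737)",   False),
    ("203.0.113.0/24",  "Documentation TEST-NET-3 (RFC 5737)",   False),
    ("127.0.0.0/8",     "Loopback",                              False),
    ("169.254.0.0/16",  "Link-Local (RFC 3927)",                 False),
    ("224.0.0.0/4",     "Multicast",                             False),
    ("240.0.0.0/4",     "Reserved",                              False),
]
BLOCKS = [(ipaddress.ip_network(b), name, ok) for b, name, ok in SPECIAL_BLOCKS]

def classify(subnet):
    """Return (registry name, usable_for_private_network) for an IPv4 subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    best = None
    for block, name, ok in BLOCKS:
        # Longest-prefix match, so a /30 carved out of 192.0.0.0/24 is still caught.
        if net.subnet_of(block) and (best is None or block.prefixlen > best[0].prefixlen):
            best = (block, name, ok)
    if best is None:
        return ("Public / globally routable", False)
    return (best[1], best[2])

def check_plan(plan):
    """plan: {interface name: subnet}. Returns a list of findings (empty = clean)."""
    findings, nets = [], {}
    for iface, subnet in plan.items():
        name, ok = classify(subnet)
        if not ok:
            findings.append(f"{iface} {subnet}: {name}, not for private use")
        nets[iface] = ipaddress.ip_network(subnet, strict=False)
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {plan[a]} overlaps {b} {plan[b]}")
    return findings
```

The explicit table is deliberate: CPython's `ipaddress.ip_address("192.0.2.1").is_private` answers True, because "private" there means "not globally reachable", which is exactly the confusion in the thread.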

Quote from: chemlud on February 07, 2020, 12:30:34 PM
Quote from: rickeyw on February 07, 2020, 11:28:54 AM
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use ;)

Is there a browser plugin or alike? Would be nice for the forum...

It is coming with a web interface too, which is still in dev.
See the attached.
Best,

Quote from: rickeyw on February 10, 2020, 12:22:35 AM
Quote from: chemlud on February 07, 2020, 12:30:34 PM
Quote from: rickeyw on February 07, 2020, 11:28:54 AM
Quote from: hbc on February 06, 2020, 01:55:50 PM
.oO(Small home project with this company like network schema?)
GNS3 is very versatile nowadays, and easy to use ;)

Is there a browser plugin or alike? Would be nice for the forum...

It is coming with a web interface too, which is still in dev.
See the attached.
Best,

P.S.

Here are two more finished ones "in action", :)

Best,