Looking for recommended Configuration.

[rubantin]

I am somewhat a newb to firewall software.

I want to be able to remote in. Not sure how to set that up with OPNsense.

Also, I am setting this up for a dentist office that has a local server. The main software runs local on the server. The office only uses the internet for surfing, backup and updates.

What is the recommended configuration for OPNsense?

What things should I be careful not to screw up configuration wise?

[franco]

You will have to do some reading on IPsec and VPN. There was a (technical) discussion about the pros and cons of these technologies, maybe it can help you to start looking for answers:

http://lists.nycbug.org/pipermail/talk/2015-April/016141.html

TL;DR: Pick IPsec or VPN, span a network between routers/firewalls/gateways of your two sites.

[rubantin]

I only have one server and have put the appliance between the modem and server... I am able to access the internet so I think I have all the basics (default) right...

[franco]

Yes, although you need to double check if your Device/Router can be reached from the outside. Some ISPs do NAT so you are locked out of establishing connections to your router, if you want it to be the server.

If you use a router/modem in front of OPNsense, you'll need the router to do port forwarding so you can be reached as well.

If all else fails, you may be looking at a cloud server with a VPN embedded. You can e.g. install OPNsense iso on https://www.vultr.com/ and add your VPN server there, simply connecting your local OPNsense as a client.

[rubantin]

I would like to try a port forward.. However, the config of the NAT forwarding is a little more than I am used to....

I know the wan IP (27.134.6.91) and the IP of the computer I am wanting to remote to (192.168.3.101).. I also know that I want to forward port 3389... but where to put all the numbers i dunno...

[franco]

Okay, so we are talking about a simple RDP port forwarding.

Again, if the modem is a router you'll have to add a port forward from there 3389 to OPNSENSEBOXIP:3389.

On the OPNsense box, you go to Firewall: Nat: Port Forwarding, add a new rule. Interface: WAN, Protocol: TCP, Destination: Single Host, probably 192.168.3.101. Destination port: 3389. That should be it.

Challenge is to verify it's working, or more to the point of knowing which device doesn't forward correctly because it isn't set up accordingly.

[Joe]

I think it should be possible to use ssh's -L and/or -R options to forward ports 80/443 somehow.

Something like:

  ssh -N -L 8080:pfsense.do.main:80 -L 8443:pfsense.do.main:443

or something. Then, you'd use something like http://localhost.localdomain:8080 or https://localhost.localdomain:8443

I tried that, but I then got this error message:

Code: [Select]

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.


[franco]

Rebind attack protection can be turned off under System: Settings: Admin Access.

[Joe]

Thanks for the hint, franco!

Before getting rid of the seat belts, I'd like to understand why this warning is given. Maybe there's another possibility to get rid of this warning without turning it off completely?

[franco]

The idea is to detect and prevent "rebinding" in order to protect the client from running the risk of snooped/forwarded connections. For the GUI it looks the same as the attack... https://en.wikipedia.org/wiki/DNS_rebinding

I used port forwarding (even locally on the same IP/Interface) and I think this works without removing the protection.

[Kongootto72]

The idea is to detect and prevent "rebinding" in order to protect the client from running the risk of snooped/forwarded connections. For the GUI it looks the same as the attack... https://en.wikipedia.org/wiki/DNS_rebinding

I used port forwarding (even locally on the same IP/Interface) and I think this works without removing the protection.

Hi franco, i deactivated DNS Rebind protection but dns rebind error still appears. can u explain the port forwading solution please  ? 

TIA