OPNSENSE Firewall Basics

Started by DrJon, May 14, 2020, 01:08:06 PM

May 14, 2020, 01:08:06 PM Last Edit: May 14, 2020, 01:10:42 PM by DrJon
Hi, I have installed OPNsense last night for the first time. I have so far just taken a look around and not set anything up yet. I have a few questions and apologise for any that seem stupid.
1. When first set up after initial installation what firewall protection does the system offer. Is it safe to go live?
2. I have a DM200 modem I plan to use for my Internet connection. It uses PPPoE and I have the settings from BT. Will this work OK or is there a better device?
3. I have currently got the default IP address range set up 192.168.x.x. I am wanting to change this as I want to be able to remotely connect to my server away from home. What address range is best to use? I was considering 172.16.x.x/24 or 10.1.x.x/24.
4. I would like to connect my cyberghost vpn and use one of the spare interfaces as the output port for the connection ie: VPN connects via wan but distributes connection via opt1? Is this possible?

I'm sure I have more questions, but for now I think that's a good start.

My setup is as follows:
DM200 modem
Watchguard xtm5 series (OPNsense 20.1.6)
HTPC
Windows server 2019
24port managed switch
8 workstations (laptop and desktop)
Multiple smart home devices, Alexa, IP cameras, Hive, Hue etc. etc.

Many thanks all!


  • 1. Yes, all WAN ports are firewalled by default.
  • 2. DM200 should be fine in bridge mode. You'll of course need to enter the PPPoE details in OPNsense.
  • 3. You can still connect to your server from home, no matter what the LAN IP range is set to. It's the WAN address you target, using port forwarding or preferably VPN.
  • 4. You can do that with NordVPN; whether OpenVPN works with CyberGhost I wouldn't know.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Great, thanks. CyberGhost works with OpenVPN. Are there instructions for NordVPN? I assume that is what you use?

NordVPN has instructions on their site for setting up with OPNsense, so check that site out. I use ExpressVPN, and I know that also works, and the setup's the same, near as dammit.

Great, thank you very much.

So I have set up NordVPN after failing to get anywhere with CyberGhost, and all works well!
I followed their guide and after some minor adjustments everything seems to work.

I have now discovered a new problem. How do I bypass the VPN for certain devices? Can I do this by device IP address or MAC address?

Quote from: marjohn56 on May 14, 2020, 04:32:21 PM
You can still connect to your server from home, no matter what the LAN IP range is set to.

Not quite; if you're on a remote network, say 192.168.1.0/24 from Starbucks WiFi (remember them? other burnt coffee peddlers are available) and your home LAN is also on 192.168.1.0/24, then your laptop will not route traffic through the VPN since it is directly attached to a 192.168.1.0 network already.

Safest choices are class C subnets in the middle of the 10 range, e.g. 10.37.98.0/24

Bart...

Good point, forgot that. ;)


That's the reason I used my birthday in the 10.x.x.0 range

Quote from: bartjsmit on May 16, 2020, 12:40:46 PM
Safest choices are class C subnets in the middle of the 10 range, e.g. 10.37.98.0/24
Thanks, that's what I thought. So for example I could set the LAN IP to 10.50.50.1/24 and the DHCP range to 10.50.50.10/24-10.50.50.245/24??


Yes, that's fine... Still looking at routing an individual IP through the VPN. Should be possible, I've just never done individual.
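The route-shadowing point Bart makes (a remote Wi-Fi on the same subnet as home beats the VPN route) and the LAN/DHCP plan DrJon proposes can both be checked mechanically. The following is an added example, not code from the thread or from OPNsense; it models route selection as longest-prefix match with the directly connected route winning a tie (which is how the post describes the laptop behaving), and the list of "common" remote subnets is a constructed sample, not a survey.

```python
"""Added example (not from the forum thread or OPNsense).

- chosen_route(): which route a roaming laptop uses for a home address when
  the coffee-shop Wi-Fi subnet and the home LAN overlap.
- overlaps_common(): does a proposed home LAN collide with subnets that
  hotspots and consumer routers commonly hand out (constructed sample).
- check_dhcp_plan(): sanity-check a gateway/DHCP pool plan such as
  10.50.50.1/24 with a pool of 10.50.50.10-10.50.50.245.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of subnets frequently seen on remote networks.
COMMON_REMOTE_SUBNETS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
]


def chosen_route(remote_lan: str, home_lan: str, target: str) -> str:
    """Longest-prefix match between the connected remote subnet and the home
    subnet reachable through the VPN tunnel.

    Returns 'local' (packet stays on the remote Wi-Fi), 'vpn' (goes through
    the tunnel) or 'default'. Assumption: on an equal prefix length the
    directly connected route wins, as described in the thread.
    """
    remote = ipaddress.ip_network(remote_lan, strict=False)
    home = ipaddress.ip_network(home_lan, strict=False)
    dst = ipaddress.ip_address(target)
    candidates: List[Tuple[int, int, str]] = []
    if dst in home:
        candidates.append((home.prefixlen, 0, "vpn"))
    if dst in remote:
        candidates.append((remote.prefixlen, 1, "local"))  # tie-break favours connected
    if not candidates:
        return "default"
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


def overlaps_common(home_lan: str) -> List[str]:
    """Subnets from the constructed sample that overlap the proposed home LAN."""
    home = ipaddress.ip_network(home_lan, strict=False)
    return [s for s in COMMON_REMOTE_SUBNETS if home.overlaps(ipaddress.ip_network(s))]


def check_dhcp_plan(gateway_cidr: str, pool_start: str, pool_end: str) -> List[str]:
    """Return a list of problems with a LAN gateway + DHCP pool plan (empty == OK).

    Pool bounds may be given with or without a /prefix, as in the thread.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    start = ipaddress.ip_interface(pool_start).ip
    end = ipaddress.ip_interface(pool_end).ip
    problems = []
    if start not in net or end not in net:
        problems.append("pool is not inside the LAN subnet")
    if start > end:
        problems.append("pool start is after pool end")
    if start <= iface.ip <= end:
        problems.append("pool includes the gateway address")
    if net.network_address in (start, end) or net.broadcast_address in (start, end):
        problems.append("pool touches the network or broadcast address")
    return problems


if __name__ == "__main__":
    print(chosen_route("192.168.1.0/24", "192.168.1.0/24", "192.168.1.50"))  # local
    print(chosen_route("192.168.1.0/24", "10.37.98.0/24", "10.37.98.50"))    # vpn
    print(overlaps_common("10.50.50.0/24"))                                   # []
    print(check_dhcp_plan("10.50.50.1/24", "10.50.50.10/24", "10.50.50.245/24"))  # []
```

The first call reproduces the Starbucks case: both routes are /24, so the connected one wins and the home server is unreachable through the tunnel. A /24 carved from the middle of 10.0.0.0/8 returns no overlaps with the sample list, and the proposed pool sits inside the subnet without swallowing the gateway or the broadcast address.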

May 16, 2020, 03:53:33 PM #10 Last Edit: May 16, 2020, 04:04:05 PM by marjohn56
Quote from: DrJon on May 16, 2020, 09:49:01 AM

I have now discovered a new problem. How do I bypass the VPN for certain devices? Can I do this by device IP address or MAC address?


OK, had a little time to look at this, and yes it can be done quite easily. So your VPN is set up and works, so we'll skip that bit.


If you haven't already done so, go to the Interfaces -> Assignments menu. There should be your WAN and LAN; New Interface should show the ovpnc1 interface, click + to assign it. Now click on the name that's been assigned to it, OPTx. Enable it and change the description to whatever you want to call it, in my case I'll call it ExpressVPN Interface, check the enable box and save and apply.


Now go to Firewall -> Aliases and click + to add a new alias. Enter a name, in my case I'll call it ExpressVPN Hosts, select Host(s) as the type, and in the box below enter the IP addresses of the LAN clients you want routed through the VPN. Make sure Enabled is ticked, give a description and click save.
Now go to Firewall -> NAT -> Outbound. Change the mode to Hybrid. Under Manual rules click Add. For interface select the interface you created earlier, in my case ExpressVPN Interface. Set the TCP version to IPv4; set the source address to the ExpressVPN Hosts alias; set the Translation / target to, in my case, 'ExpressVPNInterface Address'; click save & apply.


Finally, we need to create the rules. Under Firewall -> Rules -> LAN, add a new rule. Action is 'Pass', Interface is LAN, Direction is In, TCP is IPv4, Protocol Any. Source is, in my case, ExpressVPNHosts, and the gateway needs to be set to the VPN interface, in my case EXPRESSVPNINTERFACE_VPNV4.


Save and apply.


Now, move the rule you have just created to the top of the list, above the LAN net rule. Save and apply.


Now, I think that should do it, unless I've forgotten something... which is always likely, however mine works.
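The last step in the walkthrough above (moving the new rule above the default "LAN net" pass rule) is the one people most often get wrong, because OPNsense evaluates LAN rules first-match. The following added example, which is not code from the thread or from OPNsense, is a small first-match model of the three objects the post creates: the host alias, the outbound NAT rule on the VPN interface, and the LAN policy-routing rule. The alias name, gateway name, the 10.50.50.0/24 LAN and the tunnel address 10.8.0.5 are assumed for illustration; the "WAN address" entry stands in for the automatic outbound NAT rule that Hybrid mode keeps.

```python
"""Added example (not from the forum thread or OPNsense): first-match
evaluation of LAN rules and outbound NAT, showing why the policy-routing
rule must sit above the default 'LAN net' rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed aliases. 'LAN net' is the built-in network alias; the host
# alias matches the post's 'ExpressVPN Hosts' object.
ALIASES: Dict[str, Set[str]] = {
    "ExpressVPN_Hosts": {"10.50.50.20", "10.50.50.21"},
    "LAN net": {"10.50.50.0/24"},
}
VPN_GATEWAY = "EXPRESSVPNINTERFACE_VPNV4"   # assumed gateway name
VPN_IFACE = "ExpressVPN Interface"          # assumed interface description
VPN_IFACE_ADDR = "10.8.0.5"                 # assumed OpenVPN client address


def alias_contains(alias: str, ip: str) -> bool:
    """Does the alias (hosts or networks) cover this source address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ALIASES[alias])


@dataclass
class LanRule:
    source_alias: str
    gateway: str    # "default" routes via WAN, otherwise a policy gateway


@dataclass
class OutboundNat:
    interface: str
    source_alias: str
    translate_to: str


def select_gateway(rules: List[LanRule], src_ip: str) -> str:
    """First matching pass rule decides the gateway (OPNsense 'quick' semantics).
    No match falls through to the implicit default deny."""
    for rule in rules:
        if alias_contains(rule.source_alias, src_ip):
            return rule.gateway
    return "blocked"


def outbound_source(nat_rules: List[OutboundNat], egress: str, src_ip: str) -> str:
    """First matching outbound NAT rule on the egress interface rewrites the source."""
    for n in nat_rules:
        if n.interface == egress and alias_contains(n.source_alias, src_ip):
            return n.translate_to
    return src_ip   # untranslated: private address would leak out of the tunnel


DEFAULT_LAN_RULE = LanRule("LAN net", "default")
VPN_RULE = LanRule("ExpressVPN_Hosts", VPN_GATEWAY)
RULES_WRONG_ORDER = [DEFAULT_LAN_RULE, VPN_RULE]    # before the 'move to top' step
RULES_RIGHT_ORDER = [VPN_RULE, DEFAULT_LAN_RULE]    # after it
NAT_RULES = [
    OutboundNat(VPN_IFACE, "ExpressVPN_Hosts", VPN_IFACE_ADDR),  # manual rule from the post
    OutboundNat("WAN", "LAN net", "WAN address"),                # automatic rule kept by Hybrid mode
]


def route_packet(rules: List[LanRule], src_ip: str) -> Tuple[str, Optional[str]]:
    """Return (gateway, translated source) for a LAN client's outbound packet."""
    gw = select_gateway(rules, src_ip)
    if gw == "blocked":
        return gw, None
    egress = VPN_IFACE if gw == VPN_GATEWAY else "WAN"
    return gw, outbound_source(NAT_RULES, egress, src_ip)


if __name__ == "__main__":
    for label, rules in (("wrong order", RULES_WRONG_ORDER), ("right order", RULES_RIGHT_ORDER)):
        for host in ("10.50.50.20", "10.50.50.30"):
            print(label, host, route_packet(rules, host))
```

With the VPN rule below the default rule, 10.50.50.20 matches "LAN net" first and leaves via the WAN with the WAN address, i.e. it silently bypasses the tunnel. With the order fixed, the same host is policy-routed to the VPN gateway and the manual outbound NAT rule rewrites it to the tunnel address, while a host outside the alias still takes the normal path.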

Great, thank you for that! Much appreciated.
