[Blog] I migrated the popular "pfSense baseline guide" to OPNsense

Started by schnerring, November 18, 2021, 12:19:57 AM

Over the past few weeks, I created the OPNsense Baseline Guide with Mullvad VPN, Guest, and VLAN Support. It's a beginner-friendly, comprehensive step-by-step guide that replicates the popular pfSense baseline guide setup that many of you might know.

I skip over hardware selection and installation instructions as I was fortunate enough to be able to support Deciso's open-source mission by buying the DEC630 like a year ago. The only thing I regret about the purchase is that I now can't afford the sexier-looking successor model, the DEC690.  ;D

The guide covers the following topics:

  • ISP and WireGuard Mullvad VPN WAN
  • "Clearnet", VPN, and Guest VLAN configuration
  • Simultaneous use of DNS resolver (Unbound) and forwarder (Dnsmasq) to satisfy the requirements of VLANs

I revised this guide many times as I configured and learned about the OPNsense platform. I probably clean installed my appliance more than 20 times. Publishing this guide has been on my agenda for like a year and I'm really happy to share it with you. Any feedback is greatly appreciated and I hope you like it.

The only issue I'm having is that I can't get WireGuard multi-WAN to work. Someone commented that `wireguard-kmod` makes it possible, so I'm gonna give this a try soon.


Well done. Thank you.
4 x Intel(R) Celeron(R) N5105 @ 2.00GHz

Thank you very much for this very detailed beginners guide, it helped me a lot getting things set up. Everything works but the WireGuard interfaces. I even bought a month of Mullvad to be sure that the VPN provider is not the problem but the WireGuard service doesn't want to stay on and the VPN gateways keep showing offline (probably as a cause of that). I did get a handshake in the WireGuard config though so no idea what's the problem.
Maybe the cause is that I shouldn't have upgraded to 22.1 beta but I hope someone can help me getting it solved anyway.

Thanks in advance

edit: I've reverted to 21.7.5 now, the wireguard service is running now but the wan_vpn interfaces are still down

One of the best guides I ever read, and I refer to both the content and the layout, it was a pleasure reading it. (but I already told you on reddit  :D)

Thanks a lot.

Quote from: The_Dave on December 13, 2021, 05:02:32 PM
Thank you very much for this very detailed beginners guide, it helped me a lot getting things set up. Everything works but the WireGuard interfaces. I even bought a month of Mullvad to be sure that the VPN provider is not the problem but the WireGuard service doesn't want to stay on and the VPN gateways keep showing offline (probably as a cause of that). I did get a handshake in the WireGuard config though so no idea what's the problem.
Maybe the cause is that I shouldn't have upgraded to 22.1 beta but I hope someone can help me getting it solved anyway.

Thanks in advance

edit: I've reverted to 21.7.5 now, the wireguard service is running now but the wan_vpn interfaces are still down

Adding this here also for completeness:

Quote from: The_Dave
It turns out the solution to the problem was not to use a server address in form of de4-wg.socks5.mullvad.net as listed on the Mullvad website under servers, but to use a server address like de4-wireguard.mullvad.net.

Fantastic guide, thank you sir for your time, effort and sharing your knowledge.

I'm new to Firewalls and this has helped me tremendously.

Thank you!

Mark

Quote from: The_Dave
It turns out the solution to the problem was not to use a server address in form of de4-wg.socks5.mullvad.net as listed on the Mullvad website under servers, but to use a server address like de4-wireguard.mullvad.net.

Mullvad should really fix this, it's very easy to miss for beginners! Good you figured it out.

And anyway, this guide is amazing work!

Excellent work!

If you are adding more sections then consider adding Monit with a simple "ping" service test to monitor if a host is up or down!


I was using pfsense in the past and was using the popular pfSense baseline guide setup. After some searching I came across https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/ Great howto, thanks schnerring for the great work!

Unfortunately I don't quite understand two items.
One:
In section interface-groups the use of interface groups is explained. I understand the principle. But with version OPNsense 25.1.8_1-amd64 FreeBSD 14.2-RELEASE-p3 OpenSSL 3.0.16 you also have to specify the Sequence of a group. Aka "priority sequence used in sorting the groups".
Can someone tell me what the Sequence of the Interface Groups should be for the interface groups as specified in the howto?
Below the config I have:


Two:
In section NAT the usage of Outbound NAT is explained. I understand the principle, but I can't get my setup to work properly when I set Manual outbound NAT rule generation. I have to set Hybrid outbound NAT rule generation which is not explained as such.
I have the idea that this is not working because it is not configured correctly with the Sequence of the Interface Groups. I believe this is causing the firewall rules to not work as intended.
Can someone confirm my assumption regarding NAT config is correct and help me further to get this resolved?
Below the config I have:


Summary of my two questions:
  • Can someone tell me what the Sequence of the Interface Groups should be for the interface groups as specified in the howto?
  • Can someone confirm my assumption regarding NAT config is correct and help me further to get this resolved?

Any help is appreciated, thanks in advance!

1. The sequence just determines the sorting order in the GUI - the help text for the item says: "priority sequence used in sorting the groups".
2. Your NAT config seems to miss many of the automatic rules that I would deem necessary, like one for the LAN networks.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on June 17, 2025, 11:09:09 PM
1. The sequence just determines the sorting order in the GUI - the help text for the item says: "priority sequence used in sorting the groups".
2. Your NAT config seems to miss many of the automatic rules that I would deem necessary, like one for the LAN networks.

Thanks for the help.

Regarding your response:
1: Thanks for the hint, is there any documentation where I can read this is indeed only a view thing?
2: I will double check https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#interface-groups and compare with my config.

I got it all working after some good debugging sessions. On this page I found the hints I needed.