1 LAN. 1 Router. 1 FW. 1 Switch. 1 AP. Easiest possible setup. Full stop.

Started by SecCon, August 24, 2022, 10:05:40 AM

Any easy basic OPNsense fw setup guides?

(Every guide I have seen so far includes stuff I don't have, don't need, don't use, don't want to get, don't understand).

1 ISP Modem <> 1 FW <> 1 Router <> 1 Switch/AP <> 1 LAN <> Devices. Simple as that.

[no VLANs, no VPNs, no DMZ, no DSL, no IPv6, no LDAP, no RADIUS, etc.]

I have a couple of recent books, I have read the docs, both have loads of extra configs I don't intend on using, and since they use that in all examples, it's pretty much useless.
CLI is the lack of UI!

What is the router supposed to do in that scenario?

Simplest OPNsense setup is:

ISP Modem - OPNsense (both FW and router) - Switch/AP - Clients

What part of the documentation is unclear about how to go about that?

* install
* connect switch to LAN interface
* connect PC to switch
* IP address assignment is automatic
* login to web UI
* configure WAN according to provider data
* done

https://docs.opnsense.org/setup.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have decided to keep the router for routing, and use OPNsense exclusively as firewall.  In an earlier post I implied using OPNsense both for routing and fw, but that will not be the case.  Some argued against it: https://forum.opnsense.org/index.php?topic=29199.0

The basic setup is done, have OPNsense running on a temporary IP on a Supermicro SuperServer and will move it between LAN and WAN in a few days. (I have all my network equipment in a dedicated rack.) Got all the NICs I could ever need for channelling the network through the fw.

What is the correct configuration for that once I do it? ISP is DHCP. DNS is Quad9.
CLI is the lack of UI!

You need to set up static routes for your internal networks if you want to connect an additional router. And you are aware that the firewall will still technically be routing, right?  ;)

Can you draw a plan of the networks you are planning to connect? I mean - that router must have multiple interfaces and multiple internal networks (at least 2) to route anything ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
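The static-route point above, as an added worked example that is not part of the forum thread. It models a longest-prefix-match routing table the way OPNsense's kernel would evaluate it, on a constructed topology (all addresses are assumptions, not from the thread): OPNsense WAN 203.0.113.10/24 with default gateway 203.0.113.1, OPNsense LAN 192.168.1.1/24, an inner router reachable at 192.168.1.2 with its own network 192.168.10.0/24 behind it. It shows what happens to a reply destined for a host behind the inner router when OPNsense does not have a static route for that network (and the inner router is not NATing).

```python
"""Added example (not from the forum thread): why a second router behind
OPNsense needs a static route on OPNsense for the networks it serves.

Topology is constructed for illustration:
  ISP gw 203.0.113.1 <-> OPNsense wan 203.0.113.10/24, lan 192.168.1.1/24
  OPNsense lan <-> inner router 192.168.1.2, which owns 192.168.10.0/24
"""
from ipaddress import ip_address, ip_network


def build_table(routes):
    """routes: iterable of (prefix, next_hop, interface) strings."""
    return [(ip_network(prefix), next_hop, iface) for prefix, next_hop, iface in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


# What OPNsense knows on its own: default route plus its two connected networks.
BASE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),
    ("203.0.113.0/24", "connected", "wan"),
    ("192.168.1.0/24", "connected", "lan"),
]
# The static route an admin must add for the network behind the inner router.
STATIC_ROUTE = ("192.168.10.0/24", "192.168.1.2", "lan")


def reply_path(dst, with_static_route):
    """(next_hop, interface) OPNsense would use for a packet to dst."""
    routes = BASE_ROUTES + ([STATIC_ROUTE] if with_static_route else [])
    return lookup(build_table(routes), dst)


if __name__ == "__main__":
    # Without the static route the reply for a host behind the inner router
    # follows the default route out of the WAN interface instead of to 192.168.1.2.
    print(reply_path("192.168.10.50", with_static_route=False))
    print(reply_path("192.168.10.50", with_static_route=True))
```

Run it and the first line shows the reply leaving via the WAN toward the ISP gateway, the second shows it correctly handed to the inner router on the LAN interface. In the OPNsense GUI the equivalent is a gateway entry for 192.168.1.2 on the LAN interface plus a static route for 192.168.10.0/24 pointing at it; if the inner router instead NATs its clients behind 192.168.1.2, no static route is needed, but then you have double NAT.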

Something like this I pushed together in 5 minutes in draw.io

In my opinion it is a simple basic lan.

Not sure about that thing about adding a 2nd router, I guess if OPNsense is the 1st router then my EdgeMax is the second.

CLI is the lack of UI!

So what is the second router supposed to do? I see only one connection coming from OPNsense and one going into the switch. An additional internal router only makes sense if it connects more separate networks/switches.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OPNsense, like every firewall, is a router first. Why do you think you need it there?

Quote from: pmhausen on August 24, 2022, 07:22:31 PM
So what is the second router supposed to do? I see only one connection coming from OPNsense and one going into the switch. An additional internal router only makes sense if it connects more separate networks/switches.

I am placing the FW between my Router and my ISP. Is that not how it is supposed to work? Filtering the internet traffic... logging, stats, probably DNS.

I know I can use OPNsense as Router as well, but I am not doing that now. My EdgeMAX Router handles DHCP, static addressing and PoE, if needed, something that cannot be done on the OPNsense machine. (In fact, my AP is PoE but currently connected to the Switch, I should connect it to the Router and bridge it, later.)

CLI is the lack of UI!

Quote from: SecCon on August 25, 2022, 08:04:31 AM
I am placing the FW between my Router and my ISP. Is that not how it is supposed to to work?
Not in reality, your other router has a firewall too.

Yes it does, which is only rudimentary and will be disabled if not needed. Maybe keep a rule about local admin logon to the EdgeMAX but hardly anything else.
CLI is the lack of UI!

Does your other router currently drive your Internet uplink? How is the connection established? Does your ISP use DHCP, PPPoE, fixed addresses or something entirely different? Do you have fixed IP addresses or does it change regularly? IPv4 only or IPv4 and IPv6?

Regularly consumers and small businesses use one device to do routing, NAT and firewall. For a simple setup you replace an EdgeMax thingy with an OPNsense thingy.

If you want to use both in line, then OPNsense still needs to establish the connection to your ISP and you have essentially two routers in a row. There is no way to have the OPNsense "just do firewall". The packets need to pass through the device. So it needs to route. You cannot split router and firewall function in common consumer scenarios.

In enterprise environments things like transparent bridging firewalls etc. are used. But not that common, either.

Also OPNsense of course offers DHCP, DNS, SLAAC and a plethora of other services. The only thing it cannot do (at least not on any hardware I am aware of) is provide PoE. But if your switch can do that I'd recommend getting rid of the unnecessary additional router.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@pmhausen

As I stated above my ISP is DHCP. My EdgeMAX Router handles that, but it will of course have to be handled by OPNsense once connected. No fixed IP. IPv4 only that I am aware of, they probably have support for IPv6, I just don't use it.

The connection to the ISP is currently done via a Bridge to Gateway, from my current OPNsense to my Router. [System: Gateways: Single] pointing to 192.168.1.1. That will obviously have to be revised.

So I guess I will be implementing what you call a transparent bridge then?

As for what consumers do, I don't have any stats, and I don't care. To me it is rather simple: Can I add security to my SOHO? How would I do that? The inbuilt FW in the Ubiquiti EdgeMAX is probably usable for most, but implementing IDS and Firewall on a Router, if even possible, comes with a performance hit on CPU and RAM. That is why I put OPNsense on a SuperServer instead, to handle that (8 Atom cores, 32 GB DDR3 RAM, quad GbE LAN ports).

I do not understand why this scenario seems so unusual...
CLI is the lack of UI!

If you did transparent bridging the ISP IP address and DHCP would still be on the EdgeMax. As soon as the OPNsense acquires the IP address from your ISP it's a router and the additional internal router does not serve any useful function. I cannot advise you how to set up a configuration I decidedly advise against.

Nothing about what you are trying is simple. There is no valid reason to do it. Yes, more or less nobody else does it that way. You seem to be confused about what routers and firewalls do.

But you do you, I guess.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The concept of a firewall put "in front" of a router is valid for corporate networks where you have multiple external IPs and in the intranet, you need additional routing for segmentation of broadcast domains. That type of firewall is a kind of perimeter defense that mostly regulates incoming traffic to some exposed IPs.

In a small business / private networking context, you mostly have just one external IP, so you need NAT anyway, such that everything on your intranet hides behind that one IP. Thus, the rules on the firewall before a NATing router apply to just connections between this IP and the internet - you cannot discriminate between different clients on your intranet apart from the port. In this scenario, the firewall could not really do very much useful.

The alternative would be to let the firewall do NAT (and firewalling), but in that case: what does the router then do anyway? Separating into different VLANs is possible in Opnsense as well.

So, I can see no real purpose for the additional router, because Opnsense can handle everything.

There are people who vote for the opposite: Placing a router before OPNsense. That CAN become necessary if your ISP has a locked-down router and does not give you the means to build up the connection yourself and you don't trust the ISP, so that you have an additional firewall to protect your intranet. If at all possible, I avoid that because of additional complexity (and power draw).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
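The NAT argument in the post above, as an added worked example that is not part of the forum thread. It implements a minimal port-overloading source NAT (the kind a consumer router such as the EdgeMax does) and a single per-host firewall rule, then evaluates that rule with the firewall placed either in front of the NAT router (WAN side) or behind it (LAN side). All addresses, ports and the rule itself are constructed for illustration.

```python
"""Added example (not from the forum thread): what a firewall placed in
front of a NATing router can still match on. Addresses are constructed."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # the one ISP-assigned address (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Port-overloading NAT (PAT): every internal host becomes PUBLIC_IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (internal src, sport) -> translated source port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])


def rule_block_host_smtp(pkt, host="192.168.1.50"):
    """Constructed policy: this one host may not talk SMTP (port 25) directly."""
    return pkt.src == host and pkt.dport == 25


def rule_block_all_smtp(pkt):
    """The only form of that policy a pre-NAT firewall can enforce: by port alone."""
    return pkt.dport == 25


# Constructed sample traffic from two internal hosts.
FLOWS = [
    Packet("192.168.1.50", 51000, "198.51.100.5", 25),
    Packet("192.168.1.60", 51001, "198.51.100.5", 25),
    Packet("192.168.1.50", 51002, "198.51.100.9", 443),
]


def as_seen_by_firewall(flows, firewall_in_front):
    """Packets as the firewall sees them: post-NAT if it sits on the WAN side."""
    nat = SourceNat(PUBLIC_IP)
    return [nat.outbound(p) if firewall_in_front else p for p in flows]


def blocked_sources(flows, rule, firewall_in_front):
    """Original internal sources whose packets the rule blocks."""
    seen = as_seen_by_firewall(flows, firewall_in_front)
    return [orig.src for orig, s in zip(flows, seen) if rule(s)]


def visible_sources(flows, firewall_in_front):
    return {p.src for p in as_seen_by_firewall(flows, firewall_in_front)}


if __name__ == "__main__":
    print(visible_sources(FLOWS, firewall_in_front=True))    # only PUBLIC_IP
    print(blocked_sources(FLOWS, rule_block_host_smtp, False))  # ['192.168.1.50']
    print(blocked_sources(FLOWS, rule_block_host_smtp, True))   # []
    print(blocked_sources(FLOWS, rule_block_all_smtp, True))    # both hosts
```

Behind the NAT router the per-host rule works; in front of it every packet carries the same public source address, so the host rule never matches and the only usable discriminator is the destination port, which then applies to every client at once. That is the concrete reason the posters keep saying the box that holds the ISP address (and does NAT) is where the firewall rules belong.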

I will need PoE. Which is on the Router. So I am keeping the Router. I also have a network inventory via Ubiquiti UNMS that I use on the Router, with the Switch, not sure that can be done in OPNsense.

CLI is the lack of UI!