How to setup OPNsense for my needs?

Started by Fibea, June 17, 2024, 06:51:40 AM

Hello all. I want to integrate a 4 port hardware firewall with OPNsense in my current network. I don't want to directly install it behind my FRITZ!Box router, because I only want some devices' traffic to run through it.

Here is a simplified network graph:


As you can see, I would like to use the firewall as a switch for my Homeserver and NAS. Only the traffic of those two should run through the firewall, not, for example, the Apple TV or Philips Hue Bridge.
All the devices you see are in the range of 192.168.0.x/24 (except the "Multiple IOT devices").

Is there a way to realize this, or do I need some minor changes first?

Kind regards!

Suppose you don't mind your home server and NAS being on different IP networks. In that case, there isn't anything extraordinary here other than installing the Firewall and connecting your home server and NAS to the firewall.  You must create three networks, including the existing IP (opnsense WAN) that's live off FRITZ!Box router, one for your home server, and one for your NAS.

If you want your home server and NAS to be in the same network but connected to different interfaces on opnsense then you may want to look at configuring a bridge.  In this case, it is just two networks, the existing network and the new network behind opnsense for the home server/NAS.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

Thank you for your answer. This is exactly what I wanted to achieve! Will take a look into this.

Quote from: FLguy on June 17, 2024, 07:31:29 AM
You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

There could be one LAN which has all the trustworthy devices (e.g. PC and Homeserver/NAS) and another IoT LAN for devices which you cannot control, but must have cloud access. If these also need access to the NAS or Homeserver, you can create rules.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on June 17, 2024, 09:59:27 AM
Quote from: FLguy on June 17, 2024, 07:31:29 AM
You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

There could be one LAN which has all the trustworthy devices (e.g. PC and Homeserver/NAS) and another IoT LAN for devices which you cannot control, but must have cloud access. If these also need access to the NAS or Homeserver, you can create rules.


My homeserver is partially accessible from the Internet. Together with the OPNsense and CrowdSec, I want to monitor and analyze who and what tries to access my services.

Someday I'll reorganize my whole LAN to include VLANs and a DMZ. But for now, this setup suits all my needs and works just as designed.



Quote from: FLguy on June 17, 2024, 07:31:29 AM
Suppose you don't mind your home server and NAS being on different IP networks. In that case, there isn't anything extraordinary here other than installing the Firewall and connecting your home server and NAS to the firewall.  You must create three networks, including the existing IP (opnsense WAN) that's live off FRITZ!Box router, one for your home server, and one for your NAS.

If you want your home server and NAS to be in the same network but connected to different interfaces on opnsense then you may want to look at configuring a bridge.  In this case, it is just two networks, the existing network and the new network behind opnsense for the home server/NAS.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

How would I go about initially setting it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port, so my PC cannot reach its web interface.

June 18, 2024, 12:30:16 AM #6 Last Edit: June 18, 2024, 12:32:20 AM by meyergru
Quote from: Fibea on June 17, 2024, 06:19:18 PM
How would I go about initially setting it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port, so my PC cannot reach its web interface.

Quoting myself from earlier:

Quote from: meyergru on June 17, 2024, 09:59:27 AM
I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

And there you have it: Your (trustworthy) PC is on the wrong side of the setup. It must be trustworthy if you want to configure your firewall from it.

That is what I meant: You are about to design a non-standard setup and now the problems turn up one by one...

Quote from: Fibea on June 17, 2024, 04:16:19 PM
Someday I'll reorganize my whole LAN to include VLANs and a DMZ. But for now, this setup suits all my needs and works just as designed.

...or does it?

Sorry, could not resist.


Quote from: meyergru on June 17, 2024, 09:59:27 AM
Quote from: FLguy on June 17, 2024, 07:31:29 AM
You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

Sorry, meyergru, I disagree with your assertions. I took the original post into consideration when I replied. If there were a comment about "how I should do it better" or "how it should be done", I would completely suggest something similar to what you just mentioned. I would not suggest using VLANs right off the bat. That opens a whole new can of worms to discuss. I took the information, his request, and the diagram and gave the options to look at.

He took the time to make this diagram where the PC is on the WAN side of opnsense. Why would I assume he wants to protect that with opnsense as well? You also stated using VLANs, but he doesn't have a switch that can do VLANs; it's unmanaged.

I gave him three use cases that match very closely what he was requesting in the original post. Putting forward assumptions and assertions is something I don't do, but you are welcome to.

Quote from: meyergru on June 18, 2024, 12:30:16 AM
And there you have it: Your (trustworthy) PC is on the wrong side of the setup. It must be trustworthy if you want to configure your firewall from it.

That is what I meant: You are about to design a non-standard setup and now the problems turn up one by one...

Brother, he's asking questions about initially setting up opnsense, nothing about end-state configuration.


June 18, 2024, 06:39:08 AM #8 Last Edit: June 18, 2024, 06:42:48 AM by FLguy
Quote from: Fibea on June 17, 2024, 06:19:18 PM
How would I go about initially setting it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port, so my PC cannot reach its web interface.

Hi Fibea,

Please ignore my last post, which was directed to meyergru. With that aside, this issue you are raising is for sure something you will have to deal with moving forward with your diagram. No big deal: add a rule to the WAN interface allowing HTTPS to "This Firewall". You will then use the WAN IP to manage the firewall from your PC, and any system on the WAN side will be able to manage the opnsense firewall.

By default, the LAN is set to 192.168.1.1, but you have to be on the LAN side of the firewall to set the initial configuration. My suggestion is to connect a laptop, or temporarily your PC, to the LAN side of the firewall to set the initial configuration. One of those items will be the rule mentioned above. ;) Once the firewall is configured, cable it up to your diagram.

If you want both your NAS and Homeserver in the same subnet and connect them to different ports on the opnsense firewall, you will have to go with a bridge configuration. I sent a link for this already. Here is a video, https://youtu.be/q1Rv4gB8fkI?si=VgPnQgBHdGYG0q_Z&t=160, the guy is a bit chatty.

Before setting up the end-state bridge, I would either configure the WAN rule above, allowing you to manage opnsense from the WAN, or use two ports other than ETH1. So Eth0 (WAN), Eth1 (LAN), and Eth2 and 3 could be the new bridge. That way, if the bridge doesn't work after the initial configuration, you don't lose admin access to opnsense.
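To make the WAN management rule in the post above concrete, here is a small Python model of how OPNsense evaluates interface rules (first match wins, default deny on WAN, default "LAN to any" on LAN). It is an added example, not code from this thread or from the OPNsense project. The interface names, the OPNsense WAN address 192.168.0.2, the PC address 192.168.0.10, the home server address 192.168.1.20 and the IoT address 192.168.0.50 are constructed assumptions. The example goes one step beyond the post by restricting the rule to the PC's source address, the "This Firewall" destination and TCP 443 only, so that other devices on the FRITZ!Box LAN cannot reach the GUI and nothing behind OPNsense becomes reachable as a side effect of the management rule.

```python
"""Toy model of OPNsense interface rule evaluation for the setup in this thread.

Constructed example: addresses, interface names and rules are assumptions,
not the poster's real configuration and not OPNsense's own code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

# Assumed addressing taken from the thread: 192.168.0.0/24 is the FRITZ!Box LAN
# (the OPNsense WAN side), 192.168.1.0/24 is the new LAN behind OPNsense.
WAN_NET = ip_network("192.168.0.0/24")
LAN_NET = ip_network("192.168.1.0/24")
WAN_ADDR = ip_address("192.168.0.2")   # assumed OPNsense WAN address
LAN_ADDR = ip_address("192.168.1.1")   # OPNsense default LAN address
FIREWALL_ADDRS = {WAN_ADDR, LAN_ADDR}  # what the "This Firewall" alias resolves to


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrives on: "wan" or "lan"
    src: IPv4Address
    dst: IPv4Address
    proto: str           # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    iface: str
    action: str                                        # "pass" or "block"
    proto: Optional[str] = None                        # None = any protocol
    src: Optional[IPv4Network] = None                  # None = any source
    dst: Optional[Union[IPv4Network, str]] = None      # network, "this_firewall", or None
    dport: Optional[int] = None                        # None = any port

    def matches(self, pkt: Packet) -> bool:
        """Return True when every specified field of the rule matches the packet."""
        if self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.dst == "this_firewall":
            if pkt.dst not in FIREWALL_ADDRS:
                return False
        elif self.dst is not None and pkt.dst not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# OPNsense ships with a "Default allow LAN to any" rule and nothing on WAN.
DEFAULT_RULES = [Rule(iface="lan", action="pass")]

# The management rule from the post, tightened: only the PC (assumed 192.168.0.10)
# may open TCP 443 to the firewall's own addresses. Nothing else on WAN is opened.
MGMT_RULE = Rule(iface="wan", action="pass", proto="tcp",
                 src=ip_network("192.168.0.10/32"), dst="this_firewall", dport=443)
WITH_MGMT = DEFAULT_RULES + [MGMT_RULE]

# Constructed sample traffic.
PC_TO_GUI = Packet("wan", ip_address("192.168.0.10"), WAN_ADDR, "tcp", 443)
PC_TO_HOMESERVER_SSH = Packet("wan", ip_address("192.168.0.10"), ip_address("192.168.1.20"), "tcp", 22)
IOT_TO_GUI = Packet("wan", ip_address("192.168.0.50"), WAN_ADDR, "tcp", 443)
HOMESERVER_DNS_OUT = Packet("lan", ip_address("192.168.1.20"), ip_address("1.1.1.1"), "udp", 53)


def main() -> None:
    cases = [("PC -> GUI, default rules", DEFAULT_RULES, PC_TO_GUI),
             ("PC -> GUI, with mgmt rule", WITH_MGMT, PC_TO_GUI),
             ("PC -> homeserver SSH, with mgmt rule", WITH_MGMT, PC_TO_HOMESERVER_SSH),
             ("IoT -> GUI, with mgmt rule", WITH_MGMT, IOT_TO_GUI),
             ("homeserver -> DNS out, default rules", DEFAULT_RULES, HOMESERVER_DNS_OUT)]
    for label, rules, pkt in cases:
        print(f"{label:40s} {evaluate(rules, pkt)}")


if __name__ == "__main__":
    main()
```

The model shows why the GUI is unreachable from the PC until the WAN rule exists, and that a rule scoped to "This Firewall" on port 443 does not expose the home server or NAS behind OPNsense. Limiting the source to the PC's address is the extra restriction worth adding in the real rule.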

Quote from: FLguy on June 18, 2024, 06:39:08 AM
[...] With that aside, this issue you are raising is for sure something you will have to deal with moving forward with your diagram. No big deal: add a rule to the WAN interface allowing HTTPS to "This Firewall". You will then use the WAN IP to manage the firewall from your PC, and any system on the WAN side will be able to manage the opnsense firewall.

By default, the LAN is set to 192.168.1.1, but you have to be on the LAN side of the firewall to set the initial configuration. My suggestion is to connect a laptop, or temporarily your PC, to the LAN side of the firewall to set the initial configuration. One of those items will be the rule mentioned above. ;) Once the firewall is configured, cable it up to your diagram.

If you want both your NAS and Homeserver in the same subnet and connect them to different ports on the opnsense firewall, you will have to go with a bridge configuration. I sent a link for this already. Here is a video, https://youtu.be/q1Rv4gB8fkI?si=VgPnQgBHdGYG0q_Z&t=160, the guy is a bit chatty.

Before setting up the end-state bridge, I would either configure the WAN rule above, allowing you to manage opnsense from the WAN, or use two ports other than ETH1. So Eth0 (WAN), Eth1 (LAN), and Eth2 and 3 could be the new bridge. That way, if the bridge doesn't work after the initial configuration, you don't lose admin access to opnsense.

Hi FLguy, thank you again for this explanation! I'm hoping to gain more experience by trying out new things, and help from the community to get on the right track helps a lot!

As seen in the previous replies, this might not be the best "professional" solution, but it suits my needs. My question to you would be, if you were the architect of my network, how would you implement the firewall (without VLANs as for now, since I do not have VLAN-ready-devices)?