Opnsense setup with Zenarmor do I need something for WAN

Started by zzup, July 24, 2024, 05:32:11 AM

So currently my setup is just OPNsense with Zenarmor, UPnP and smart tools. I have a shaper set up for keeping latency down. My connection is a 2.5 gig up and down fiber. I get full speed on my router with no problem. I am wondering if I need to add something like CrowdSec to the WAN side or something else to protect my firewall. I am not new with OPNsense but never really dug into other addons much. What are any suggestions on what I might want to add to secure my system more but would not overly complicate management for me?

Thanks for the help

Quote from: zzup on July 24, 2024, 05:32:11 AM
So currently my setup is just OPNsense with Zenarmor, UPnP and smart tools. I have a shaper set up for keeping latency down. My connection is a 2.5 gig up and down fiber. I get full speed on my router with no problem. I am wondering if I need to add something like CrowdSec to the WAN side or something else to protect my firewall. I am not new with OPNsense but never really dug into other addons much. What are any suggestions on what I might want to add to secure my system more but would not overly complicate management for me?

Thanks for the help
One thing to consider would be to disable UPnP and configure any necessary port openings and port forwardings manually, so you have some visibility into incoming traffic. Then, with external ports open, I'd use CrowdSec and probably GeoIP as well. Some folks also use Suricata on WAN ports, though I don't know enough about it to have an idea of when that makes sense.

Anything else would depend on WHAT ports and services you expose.
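The "visibility into incoming traffic" point above is easiest to act on if you actually look at what the WAN interface is blocking. The following is an added example (not code from this thread, nor from the OPNsense or CrowdSec projects) that summarises blocked inbound WAN hits from pf filterlog lines: top destination ports, top sources, and sources that probed several ports. The log lines are constructed, and the CSV field positions used are the pf filterlog layout as I assume it (rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, IPv4 header fields, protocol number and name, length, source, destination, source port, destination port); check them against your own log before relying on the indices.

```python
"""Summarise blocked inbound WAN traffic from pf filterlog lines.

Added example, not from the forum thread or from OPNsense/CrowdSec.
Field order below is the pf filterlog CSV layout as assumed here; the
sample lines are constructed to match that assumption.
"""
from collections import Counter, defaultdict

# Constructed sample log (IPv4, TCP/UDP). vtnet0 plays the WAN interface,
# vtnet1 a LAN interface. 203.0.113.7 probes four ports; 192.0.2.10 two;
# one UDP game port (3074) is passed by a forward rule for contrast.
SAMPLE_LOG = """\
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51235,23,0,S
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51236,3389,0,S
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51237,445,0,S
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,22222,0,DF,6,tcp,60,192.0.2.10,198.51.100.2,40000,22,0,S
5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,22223,0,DF,17,udp,78,192.0.2.10,198.51.100.2,40001,3478,50
70,,,1000000104,vtnet0,match,pass,in,4,0x0,,64,33333,0,DF,17,udp,100,198.18.0.5,198.51.100.2,5000,3074,72
5,,,1000000103,vtnet1,match,block,in,4,0x0,,64,44444,0,DF,6,tcp,60,10.0.0.9,10.0.0.1,5555,22,0,S
"""

# Assumed column positions in the filterlog CSV (see module docstring).
IFACE, ACTION, DIR, IPVER, PROTO, SRC, DST, SPORT, DPORT = 4, 6, 7, 8, 16, 18, 19, 20, 21


def parse_line(line):
    """Return a dict for an IPv4 TCP/UDP filterlog line, or None if it
    is not one (IPv6, ICMP and malformed lines are skipped here)."""
    f = line.strip().split(",")
    if len(f) <= DPORT or f[IPVER] != "4" or f[PROTO] not in ("tcp", "udp"):
        return None
    try:
        dport = int(f[DPORT])
    except ValueError:
        return None
    return {"iface": f[IFACE], "action": f[ACTION], "dir": f[DIR],
            "proto": f[PROTO], "src": f[SRC], "dst": f[DST], "dport": dport}


def summarise(log_text, wan_iface, scan_threshold=3):
    """Aggregate blocked inbound hits on wan_iface.

    Returns total blocked count, most-hit (proto, port) pairs, most active
    sources, and sources that touched at least scan_threshold distinct ports.
    """
    by_port = Counter()
    by_src = Counter()
    ports_per_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["iface"] != wan_iface or rec["dir"] != "in" or rec["action"] != "block":
            continue
        by_port[(rec["proto"], rec["dport"])] += 1
        by_src[rec["src"]] += 1
        ports_per_src[rec["src"]].add(rec["dport"])
    scanners = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {
        "blocked": sum(by_src.values()),
        "top_ports": by_port.most_common(5),
        "top_sources": by_src.most_common(5),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, "vtnet0")
    print("blocked inbound on WAN:", report["blocked"])
    print("top ports:", report["top_ports"])
    print("top sources:", report["top_sources"])
    print("multi-port probers:", report["scanners"])
```

On a real box you would feed it the filter log instead of SAMPLE_LOG and pass the actual WAN interface name; the multi-port list is the kind of source you would expect CrowdSec's blocklist to already cover, so comparing the two is a quick sanity check that the bouncer is doing its job.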

The problem with not using UPnP is that I have 7 gaming consoles and 6 gaming computers that all use similar ports. The problem with assigning each one static is each game requires its own, so using UPnP helps keep the management down. I know it is not perfect but working with what I got. Do you run CrowdSec on the WAN or LAN interface?

Quote from: zzup on July 24, 2024, 08:43:00 AM
Do you run CrowdSec on the WAN or LAN interface?
CrowdSec is run globally, i.e. floating rules that simply block listed IP addresses.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 24, 2024, 08:53:03 AM
Quote from: zzup on July 24, 2024, 08:43:00 AM
Do you run CrowdSec on the WAN or LAN interface?
CrowdSec is run globally, i.e. floating rules that simply block listed IP addresses.

When it comes to the rules, I see in one guide that the WAN rule should be out and in the other guide it should be in. Do you know which guide is right?

https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-crowdsec-on-opnsense

https://homenetworkguy.com/how-to/install-and-configure-crowdsec-on-opnsense/#create-firewall-rules

But CrowdSec does that for you! If you have the plugin installed, look at the automatically generated rules for any interface. No user-serviceable parts inside ;)

And why would I refer to third party documentation by some "home network guy" whoever that is instead of the vendor's?

https://docs.crowdsec.net/docs/getting_started/install_crowdsec_opnsense/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)