discovering OPNSense

[caplam]

Hello to all,
I am new here.
I'm discovering OPNSense. For now I fired it up in vm to navigate through the different menus and options.
Until now I have mainly unifi gear in my network (udr, switches, ap).
As I'm discovering security subjects I try to modify my network to. something more secure and with dashboards to monitor security and network.

First I'm in the process of segmenting my network which is truly a nightmare. The difficult part being where to put devices and services (most of them offered through docker containers) when a large part of them use multicast (Logitech server, Plex, home assistant,...). If you have advices on it .....

I also installed a security onion vm. But there is no chance to monitor north-south traffic correctly with the udr. So I want to change my firewall/router to be able to monitor that traffic. It will require me to route a fiber to the basement and a new router.

So i plan to use opnsense but don't know how to install it: bare metal or virtualised
There are some devices with a N305 soc which would make a decent platform with Proxmox. I would run opnsense, unifi network controller and monitoring stuff like a Zabbix vm.
I could dedicate 2 interfaces to opnsense vm with sub interfaces for vlans and use 1 or 2 interfaces for Proxmox gui and other vm or lxc.
The main advantage I see is quick restoration in case of misconfiguration and better availability of unifi network controller. The downside is of course more complexity.
My isp provides a public ipv4 through pppoe and ipv6 through dhcpv6 with a /56 prefix delegation (managing ipv6 in unifi is almost impossible). On the wan interface all services (data, tv and phone) are accessible on vlan35.
The line speed is 500/250 Mbps but it will be certainly upgraded to 800/400.
Currently my unifi dashboard lists around 70 devices.
I have several services published for my relatives (Plex, nextcloud, homeassistant, and a few others), a Wireguard server (mainly for remote maintenance when I'm away) and a site2site openvpn (for backing up a small remote Proxmox server)
I will probably enable ids/ips but have no idea of the desirability of zenarmor.
I will also probably use haproxy to replace my existing nginx proxy manager.
The use of opnsense dhcp server and unbound will probably be a huge improvement.
If I would go bare metal I would probably take a less powerful device like a N100.

Would you have advices for me to start the right way my opnsense journey ?

And even if I have not been far with vlans, transitioning from my actual setup to opnsense will be quite time consuming so I'd like to prepare the configuration of opnsense before switching.
Do you have advices for that ?


 

[meyergru]

Put all media devices in an untrusted network. That way, your insecure media players are already on the same network as your media servers. Other than that, there are several multicast/broadcast repeater plugins available to forward such traffic between your subnets, like os-mdns-repeater, os-udpbroadcastrelay and os-igmp-proxy , just to name a few.

Following that pattern, I have multiple docker VM instances running - one for my LAN services and one for services that are accessible from the internet (DMZ). If I had set up Plex as a docker container instead of a VM, I would need a third one for IoT, on which my media devices live.

Setting up Proxmox with OpnSense has some specific pitfalls, which will greatly intensify your learning experience - read this and preferably, also this. From a security perspective, bare metal is to be preferred.

[caplam]

Thank you 
That's instructive.
But still unclear how to manage home assistant as it communicates with almost everything on the network and is publicly accessible.

Are mdns repeater sufficient for laptops and smartphones to communicate with Plex (of course with appropriate firewall rules)?
I have many containers (~70), all on my Unraid server. Docker in Unraid is very easy but when your installation grows up the management is not so convenient except for keeping up persistent data in one place and backing it up. I even have a second Unraid server for backups.

So reading your posts mentioned, I may go with bare metal on a N100 appliance with 16 Gig ram and a ssd with ZFS. Afaik all these appliances are using i226 Nic which is good thing.

And perhaps a second appliance with Proxmox for running unified network controller and monitoring stuff.
I could even imagine a second OPNsense instance as virtual with HA. but that's for later 

I have 2 sfp+ ports available but appliance with sfp+ are not common.
I don't have 2,5gbps ports so I may leverage the 6 interfaces models and assign physical interfaces to vlans instead of sub interfaces. I have a 48 gigabit ports switch lying around.

[meyergru]

But still unclear how to manage home assistant as it communicates with almost everything on the network and is publicly accessible.

With what specifically? The devices Home Assistant has to connect to are all IoT, i.e. per se "untrusted", so it should reside on the IoT network as well - even more so if it can be reached from the internet.

That does not keep you from allowing to access it from your LAN side.

Are mdns repeater sufficient for laptops and smartphones to communicate with Plex (of course with appropriate firewall rules)?

I fail to see why they would need broadcasts or multicasts at all, since those are only used to "find" devices and services. From a laptop, you can always address and use the Plex web interface - provided that you allow LAN->IoT access.

I have 2 sfp+ ports available but appliance with sfp+ are not common.
I don't have 2,5gbps ports so I may leverage the 6 interfaces models and assign physical interfaces to vlans instead of sub interfaces. I have a 48 gigabit ports switch lying around.

I do it the same way. Even when there are OpnSense-capable devices out with SFP+, they draw too much power. By distributung the VLANs over two or more 2.5 GbE ports, you can have full 2.5 Gbps cross-traffic, which will most likely suffice for all your needs.