OPNsense Forum » English Forums » Hardware and Performance » discovering OPNSense
Topic: discovering OPNSense (Read 72 times)
caplam (Newbie, Posts: 1, Karma: 0)
discovering OPNSense « on: Today at 06:05:04 pm »
Hello to all,
I am new here.
I'm discovering OPNsense. For now I fired it up in a VM to navigate through the different menus and options.
Until now I have mainly Unifi gear in my network (UDR, switches, APs).
As I'm discovering security subjects, I'm trying to modify my network into something more secure, with dashboards to monitor security and the network.
First, I'm in the process of segmenting my network, which is truly a nightmare. The difficult part is where to put devices and services (most of them offered through Docker containers) when a large part of them use multicast (Logitech server, Plex, Home Assistant, ...). If you have advice on it...
I also installed a Security Onion VM. But there is no way to monitor north-south traffic correctly with the UDR. So I want to change my firewall/router to be able to monitor that traffic. It will require me to route a fiber to the basement and a new router.
So I plan to use OPNsense but don't know how to install it: bare metal or virtualised.
There are some devices with an N305 SoC which would make a decent platform with Proxmox. I would run OPNsense, the Unifi network controller and monitoring stuff like a Zabbix VM.
I could dedicate 2 interfaces to the OPNsense VM with sub-interfaces for VLANs and use 1 or 2 interfaces for the Proxmox GUI and other VMs or LXCs.
The main advantage I see is quick restoration in case of misconfiguration and better availability of the Unifi network controller. The downside is of course more complexity.
My ISP provides a public IPv4 through PPPoE and IPv6 through DHCPv6 with a /56 prefix delegation (managing IPv6 in Unifi is almost impossible). On the WAN interface all services (data, TV and phone) are accessible on VLAN 35.
The line speed is 500/250 Mbps but it will certainly be upgraded to 800/400.
Currently my Unifi dashboard lists around 70 devices.
I have several services published for my relatives (Plex, Nextcloud, Home Assistant, and a few others), a WireGuard server (mainly for remote maintenance when I'm away) and a site-to-site OpenVPN (for backing up a small remote Proxmox server).
I will probably enable IDS/IPS but have no idea of the desirability of Zenarmor.
I will also probably use HAProxy to replace my existing Nginx Proxy Manager.
The use of the OPNsense DHCP server and Unbound will probably be a huge improvement.
If I went bare metal I would probably take a less powerful device like an N100.
Would you have advice for me to start my OPNsense journey the right way?
And even if I have not gone far with VLANs, transitioning from my current setup to OPNsense will be quite time consuming, so I'd like to prepare the configuration of OPNsense before switching.
Do you have advice for that?
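One way to lay out the Proxmox host networking the original poster sketches (two NICs handed to the OPNsense VM as WAN and LAN trunk, one for the Proxmox GUI and other guests), as an added example that is not from this thread nor from OPNsense or Proxmox documentation. The NIC names, the management address and the guest VLAN IDs are placeholders; only the ISP's VLAN 35 comes from the post.

```text
# /etc/network/interfaces on the Proxmox host (added example, not from the thread).
# Assumed NIC names enp1s0..enp4s0 are placeholders; check yours with `ip link`.

auto lo
iface lo inet loopback

# Physical ports: no addresses on the host itself.
iface enp1s0 inet manual
iface enp2s0 inet manual
iface enp3s0 inet manual
iface enp4s0 inet manual

# vmbr0: Proxmox management (GUI on TCP 8006) plus the "other VM/LXC" traffic.
# This is the only bridge that carries a host IP address.
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24          # constructed management address
    gateway 192.0.2.1              # OPNsense LAN VLAN address once it is live
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

# vmbr1: WAN side, attached to the OPNsense VM only.
# No host address, so the Proxmox GUI is never reachable from the ISP side.
# The ISP's VLAN 35 is tagged inside OPNsense (parent vtnet0, tag 35), so the
# bridge passes the tag through and the host does not terminate that VLAN.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# vmbr2: LAN trunk towards the Unifi switches, attached to the OPNsense VM only.
# OPNsense creates its VLAN sub-interfaces (e.g. vtnet1.10, vtnet1.20) on top
# of this trunk; again no host address here.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# enp4s0 is left spare (second management or uplink port if wanted).
```

In the OPNsense VM's hardware settings, attach net0 to vmbr1 and net1 to vmbr2 and leave the per-NIC "VLAN Tag" field empty, otherwise Proxmox strips the tags before the guest sees the trunk. Keeping the host address only on vmbr0, on a segment you can plug a laptop into directly, is what preserves the "quick restoration" benefit: a broken OPNsense configuration can still be fixed from the Proxmox console, while neither the WAN nor the LAN trunk bridge ever exposes the hypervisor itself.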
meyergru (Hero Member, Posts: 1720, Karma: 169, IT Aficionado)
Re: discovering OPNSense « Reply #1 on: Today at 08:20:56 pm »
Put all media devices in an untrusted network. That way, your insecure media players are already on the same network as your media servers. Other than that, there are several multicast/broadcast repeater plugins available to forward such traffic between your subnets, like os-mdns-repeater, os-udpbroadcastrelay and os-igmp-proxy, just to name a few.
Following that pattern, I have multiple Docker VM instances running - one for my LAN services and one for services that are accessible from the internet (DMZ). If I had set up Plex as a Docker container instead of a VM, I would need a third one for IoT, on which my media devices live.
Setting up Proxmox with OPNsense has some specific pitfalls, which will greatly intensify your learning experience - read this and preferably, also this. From a security perspective, bare metal is to be preferred.
« Last Edit: Today at 08:25:32 pm by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+