Using two OPNsense appliances: filtering, services

Started by FrenchFries, August 16, 2017, 11:25:00 AM

August 16, 2017, 11:25:00 AM Last Edit: August 16, 2017, 11:39:25 AM by FrenchFries
In the background, I am trying to implement the French ANSSI recommendations:
Recommandations et méthodologie pour le nettoyage d'une politique de filtrage réseau d'un pare-feu (Recommendations and methodology for cleaning up a firewall's network filtering policy)

In short, a firewall should be minimal, logging each important rule and cleaning the log to avoid mass-logging.
Minimal means that there should be no vital service running on the firewall, only a filtering router.
Hardened kernel... This is OPNsense.

So I am willing to use two OPNsense appliances:

  • one front firewall for pf filtering, IPv6 tunnels and route processing.
  • a secondary appliance for "services", i.e. DHCP, DHCPv6, bind server, Unbound server.

The question is about the secondary appliance:
I am currently using FreeBSD on embedded devices for this purpose, but there is no hardened BSD.

Can OPNsense be configured without WAN as a normal computer, with only filtering rules and no routing, only a gateway pointing at the firewall? I think it could work ...

All your comments are welcome.
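The two log-related points in the ANSSI summary above (log every important rule, but clean the policy so that no rule floods the log) can be checked mechanically. The script below is an added example written for this thread; it is not code from the post, from ANSSI or from the OPNsense project. It parses a constructed pf ruleset, reports rules that carry no `log` keyword, and then counts entries per rule in constructed pflog lines written in the format `tcpdump -n -e -ttt -r /var/log/pflog` prints (`rule N/0(match): ...`) to find the rule responsible for most of the volume. The 50% noise threshold and the sample addresses are assumptions chosen for the example.

```python
"""Audit a pf ruleset: unlogged rules and rules that dominate the log volume."""
import re
from collections import Counter

# Constructed sample ruleset for a front firewall (not taken from the thread).
# pf numbers filter rules from 0 in file order, which is what pflog reports.
SAMPLE_RULES = """\
block in log all
pass in quick on vr0 proto udp from any to any port 67 keep state
pass in log quick on vr0 proto tcp from 192.168.1.0/24 to 192.168.1.1 port 22 keep state
pass out log on vr1 from 192.168.1.0/24 to any keep state
block in log quick on vr1 proto udp from any to any port 137:139
"""

# Constructed pflog lines in the format `tcpdump -n -e -ttt -r /var/log/pflog` prints:
# twelve NetBIOS drops from rule 4 and one SSH accept from rule 2.
SAMPLE_PFLOG = "\n".join(
    ["rule 4/0(match): block in on vr1: 203.0.113.7.137 > 198.51.100.1.137: UDP, length 50"] * 12
    + ["rule 2/0(match): pass in on vr0: 192.168.1.20.51234 > 192.168.1.1.22: Flags [S], seq 1"]
)

RULE_RE = re.compile(r"^(pass|block)\b(.*)$")
PFLOG_RE = re.compile(r"^rule (\d+)/\d+\(match\):")


def parse_rules(text):
    """Return filter rules in pf order; list index equals the rule number pflog reports."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, macros, tables and options are not filter rules
        tokens = m.group(2).split()
        rules.append({"number": len(rules), "action": m.group(1),
                      "logged": "log" in tokens, "text": line})
    return rules


def unlogged_rules(rules):
    """Numbers of rules that decide traffic silently (no `log` keyword)."""
    return [r["number"] for r in rules if not r["logged"]]


def log_counts(pflog_text):
    """Count pflog entries per matching rule number."""
    counts = Counter()
    for line in pflog_text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def noisy_rules(rules, pflog_text, threshold):
    """Rule numbers whose share of all log entries exceeds `threshold` (0..1)."""
    counts = log_counts(pflog_text)
    total = sum(counts.values()) or 1
    return [n for n, c in counts.items() if c / total > threshold]


def audit(rules_text, pflog_text, threshold=0.5):
    """Return human-readable findings for both checks."""
    rules = parse_rules(rules_text)
    findings = []
    for n in unlogged_rules(rules):
        findings.append(f"rule {n} has no 'log': {rules[n]['text']}")
    for n in noisy_rules(rules, pflog_text, threshold):
        text = rules[n]["text"] if n < len(rules) else "(rule not in parsed ruleset)"
        findings.append(f"rule {n} produces most of the log volume; drop its 'log' "
                        f"or match that noise with an unlogged quick rule: {text}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_PFLOG):
        print(finding)
```

Run against a real policy, feed it the output of `pfctl -sr` and a pflog dump; the first finding points at decisions you cannot reconstruct from the logs afterwards, the second at the rule whose `log` keyword (or whose traffic, via a dedicated unlogged rule) should go so that the remaining entries stay readable.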

Could you please move this post to "General discussion".

So I did the following: I used an old appliance to test the installation with one network card.
Upon installation with the serial console, I pressed 1) to assign interfaces.

Enter the WAN interface name or 'a' for auto-detection: vr1

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished):

The interfaces will be assigned as follows:

WAN  -> vr1

Do you want to proceed? [y/N]: y

Writing configuration...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Configuring WAN interface...done.
Generating RRD graphs...done.

*** OPNsense.localdomain: OPNsense 17.7 (i386/OpenSSL) ***

WAN (vr1)       ->

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Upgrade from console
  6) Reboot system                      13) Restore a backup

Works great!

The only hint: during installation, choose one network card and assign it to WAN.

Yes, this is what I usually do. The "WAN" is configured via DHCP, and the GUI can be reached, as can SSH if enabled. Everything else is locked, but this way you can allow access through the firewall per service. It's great for a server-type setup, coupled with GUI-featured plugins or core services.

It also works with other software built manually from the ports tree; only then you need to configure these services as you would on a normal FreeBSD/HardenedBSD, through the rc system and manual configuration files.


Cheers,
Franco