New User needing some DNS and Web Filtering Help

[tgoodrich]

Hello All,

About 4 months ago I decided it was time for a router based firewall. I had a set of criteria I wanted my firewall to do and the first firewall I came across that seemed to fit my needs was pfSense.

To make a long story short pfSense does have most all the features I need but I found it not very intuitive and as such I had a difficult time setting it up. As you could guess I had to ask several questions in their forum. What I found was that several of the questions I asked went unanswered and when I did get an answer it was usually either condescending or unhelpful, sometimes both.

This led me to look else where for a firewall solution and that is when I found OPNsense. I was delighted to find OPNsense is very similar to pfSense which made the initial setup of OPNsense much smoother. On the plus side I really also like the OPNsense webGUI.

In the past couple of days I have so far got OPNsense installed and running with no issues. At this point I now need to set up my VPN, some port forwards, DNS and web filtering.

I have got my VPN partially setup, I just need to create my VPN gateways and gateway group which shouldn't be a problem for me. I also shouldn't need any help with the port forwards.

What I am getting stuck on is getting the DNS working correctly and trying to figure out the web filtering.

Concerning DNS, how would I setup OPNSense as the main DNS resolver and Google DNS as a secondary? My main objective is to not use my ISP's DNS which is I believe dynamically assigned because I connect using PPPoE.

I will also be setting up OpenVPN from ExpressVPN. Their DNS is also dynamically assigned. I will be using 2 different VPN locations in what I believe is called a fall over config or load balancing in case one goes down. This for the most part shouldn't be a problem for me to set up except for the DNS. I think the DNS will be an issue for me because some of my LAN clients will run through the VPN and some won't. Due to the way the VPN works I also can't manually assign VPN DNS servers as they are unknown and assigned dynamically.

I am also wondering if I can use block list similar to how you would with pfBlockerNG. In pfBlockerNG I can block IP's and URL's using auto updated Block List. I am hoping I can I achieve this same functionality with OPNsense.

So to recap my not so clear questions,

1. Can I use OPNsense like pfBLockerNG by filtering IP's and URL's with block list and have these list auto update?

2. If yes to #1, how do I accomplish?

3. How would I setup OPNSense as the main DNS resolver and Google DNS as a secondary?

4. How can I have some network clients use VPN IP and DNS while others NOT using VPN use ISP IP and DNS as described in question #3?

This is probably alot to ask but hopefully someone here can help.

If it helps to know, I am running the latest OPNsense version on amd64 hardware.

Thanks in advance 

[fabian]

1. Can I use OPNsense like pfBLockerNG by filtering IP's and URL's with block list and have these list auto update?

IPs: You can use an alias for that
URLs: Use the Proxy for it.

2. If yes to #1, how do I accomplish?

Proxy: https://docs.opnsense.org/manual/proxy.html

3. How would I setup OPNSense as the main DNS resolver and Google DNS as a secondary?

You should not. The DNS server for clients can be set via the DHCP server. You may use another DNS server (forwarder mode) on your OPNsense device.

4. How can I have some network clients use VPN IP and DNS while others NOT using VPN use ISP IP and DNS as described in question #3?

If they are in another network you can set a different DNS server via DHCP or if they are in the same network you should be able to configure an override for that client.

[cyberzeus]

To make a long story short pfSense does have most all the features I need but I found it not very intuitive and as such I had a difficult time setting it up. As you could guess I had to ask several questions in their forum. What I found was that several of the questions I asked went unanswered and when I did get an answer it was usually either condescending or unhelpful, sometimes both.

@tgoodrich,

That'a really unfortunate - that has not been my experience over there with the pFsense folks.  Sure, some users here and there can be less than civil but for the most part, I've had really good interactions especially when compared to something like IRC.

In terms of ease of use, things like basic FW functionality are pretty straight-forward and similar on either platform.  On the flip-side, the toughest thing I've encountered thus far was IPS tuning but that is more a function of the IPS, not pfSense or OPNsense.

Also, in terms of the pfBlocker functionality in OPNsense, you're just not gonna find parity here.  As I've posted elsewhere here on these forums, the pfBlocker package is very functional and while some of it is possible with OPNsense, you may be required to use a proxy, the FW rules can become challenging to manage, updates are limited in terms of frequency, etc.  Is it doable?  Sure - to a point - but again, you may need to use the proxy to get there and IMO, that's just shouldn't be necessary...

Don't get me wrong - OPNsense has strong points - much better traffic reporting, overall cleaner interface, much easier installation, code sanity check and rewrite, etc.  And of course, the support - these folks seem really eager to make this thing great and keep it true open-source which for me, is a huge thing...

[tgoodrich]

Thank you both for your kind and helpful responses.

I actually had to reinstall pfsense as I had a config that was working for the most part and things at home have got kinda busy as of late leaving me little time for learning a new firewall.

I actually thought I would be able to get OPNsense up and running fairly easily since it is so similar to pfSense but found a few things I am getting hung up on.

I will say though that I have full intention on using OPNsense in the future. Aside from some of the things I have already mentioned, I feel much better supporting and open source project.

Ultimately I think I will install OPNsense on one of my spare pc's and get to know it better before implementing into my network.

Thanks again!

[NightShade]

If what you are thinking about for filtering URL's is basically to setup an ad blocker there is a post on here about using Unbound DNS to basically do just that.  You can setup a script to automatically poll text documents and then parse them for your system. 

I use the same thing and it has worked fairly well.  If you had specific URL's you wanted to block you could easily add them a list and host it somewhere for the script to parse.

I have been using OPNsense for about a year now and have enjoyed it.  I started setting up and trying pfsense and it just didn't feel like a good fit for me.

[tgoodrich]

If what you are thinking about for filtering URL's is basically to setup an ad blocker there is a post on here about using Unbound DNS to basically do just that.  You can setup a script to automatically poll text documents and then parse them for your system. 

Excellent to know that, thanks for the tip!

Once I get OPNsense reinstalled I will definitely give your tip a go.

PS - Do you happen to remember the title for the post you mentioned?

[mimugmail]

Also, in terms of the pfBlocker functionality in OPNsense, you're just not gonna find parity here.  As I've posted elsewhere here on these forums, the pfBlocker package is very functional and while some of it is possible with OPNsense, you may be required to use a proxy, the FW rules can become challenging to manage, updates are limited in terms of frequency, etc.  Is it doable?  Sure - to a point - but again, you may need to use the proxy to get there and IMO, that's just shouldn't be necessary...

You don't have to uderline pfBlocker in every post. 
There are some different approaches to fit most of it but not centralized via an own plugin since this would double the code and work.

Perhaps we can find a better way when 18.1 is released.

[cyberzeus]

You don't have to uderline pfBlocker in every post.

Wasn't aware there is a style book for OPNsense forums...besides, too much clarity never hurts...

That said, the "better way" is probably a port of the functionality found in pfBlocker...why re-invent when it isn't broken?  Furthermore, the platform is part of the way there anyhow - most of the stuff I see missing is UI\UX...some operational things as well but not seeing how it would be terribly difficult to code given how far the platform is already...

[mimugmail]

To be honest, I never used pfB but what I heard from it manages it's aliases and IPs separate from the system ones which is not the best thing. If I'm wrong and you have a good doc please enlighten me.

[cyberzeus]

Hmmm not quite...the most common use is bulk IP black\whitelisting.  It also has DNSBL and GeoIP blocking.

As I mentioned, OPNsense has some of the core functionality but it's not nearly as easy to use given the UI.  If some key changes were made to the OPNsense UI, I can see close to functional parity.  At present, achieving the same functions is a definite headache in OPNsense...