OPNsense
Author Topic: How to open specific ports?  (Read 41845 times)

elektroinside

Re: How to open specific ports?
« Reply #30 on: January 16, 2018, 09:21:03 pm »
Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and the first step): System: Configuration: Backups
In case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment into a txt file on your test machine and save it
3. Run a few speedtest.net tests to verify performance and throughput before and after these techniques are deployed in your environment
4. Disable the proxy server in OPNsense and configure clients not to use the proxy :) Do this on one machine first, see if it works.

DNS

Some particular public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS blocks no ads but more malware; AdGuard blocks ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this. Create an account on OpenDNS.com and just fill in the form in OPNsense: Services: OpenDNS; the GUI will fill in the DNS servers from step 1 below for you.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard, as it is easy to verify and this one you need to configure manually:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. if you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
SAVE
6. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these:  Enabled,  IPS mode (do not check promiscuous mode)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select 'Hyperscan' as the pattern matcher. You will have to run dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

If absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Don't forget to reconfigure the clients to previous settings, in your case the proxy.

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus, there are more tests there
2. if you choose AdGuard dns servers, most of the ads in websites/ games etc will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have a good protection and speed as well without the proxy. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + blocking adult websites + safe search (Family protection DNS servers).

Since this also relies on DNS, you may want to make sure all DNS queries from the clients go to the ones you configured. If you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-to Amsterdam: http://www.speedtest.net/result/6972207406
-to Romania: http://www.speedtest.net/result/6972210834

That's it :)


« Last Edit: January 16, 2018, 10:53:30 pm by elektroinside »
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Dzioobasek

  • Newbie
  • *
  • Posts: 39
  • Karma: 3
    • View Profile
Re: How to open specific ports?
« Reply #31 on: January 18, 2018, 08:52:09 am »
Man, you're great! Thank you for your time and help. Yesterday I was busy, but in the next few days I'll try to set it up with your guide. Again, big thanks to you!

elektroinside

  • Hero Member
  • *****
  • Posts: 574
  • Karma: 51
    • View Profile
Re: How to open specific ports?
« Reply #32 on: January 18, 2018, 09:31:46 am »
Sure thing, you're welcome!
Nevertheless, you should ask around for a second opinion, someone else who also knows your network requirements (if possible) :)

Dzioobasek

Re: How to open specific ports?
« Reply #33 on: January 19, 2018, 10:29:01 am »
I'm trying this but I have a problem in the IDS/IPS part. If I check IPS, it blocks access to the internet and access to OPNsense.
Also in point 5, 'Select all Home networks', I don't have such an option, only LAN and WAN.

Ciprian

  • Sr. Member
  • ****
  • Posts: 284
  • Karma: 50
    • View Profile
Re: How to open specific ports?
« Reply #34 on: January 19, 2018, 10:39:17 am »
Quote from: Dzioobasek on January 19, 2018, 10:29:01 am
I'm trying this but I have a problem in the IDS/IPS part. If I check IPS, it blocks access to the internet and access to OPNsense.

It shouldn't! Maybe you checked (as in, enabled and set to block) each and every rule in each and every ruleset, without checking what each is doing?!?! :-\

Quote from: Dzioobasek on January 19, 2018, 10:29:01 am
Also in point 5, 'Select all Home networks', I don't have such an option, only LAN and WAN.

Click on "advanced mode" (upper left corner, vis-a-vis "full Help")

Dzioobasek

Re: How to open specific ports?
« Reply #35 on: January 19, 2018, 10:49:55 am »
At the 3rd time it's working; the previous 2 times it blocked everything. At this Home networks I have 3 values: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12. Is that OK? My WAN network is 192.168.1.0, LAN is 192.168.0.0.

Now I can't log in to the Joomla panel. I found the rule which was blocking it and changed it to alert. Now when I switch to the Rules tab, should I check and apply all rules?
« Last Edit: January 19, 2018, 11:06:30 am by Dzioobasek »

elektroinside

Re: How to open specific ports?
« Reply #36 on: January 19, 2018, 11:11:21 am »
It definitely shouldn't. Actually, if you only set the rulesets (so not the rules on a one by one basis, just the rulesets from the 'download' tab), all of them, to drop, you will notice that not all of the rules will actually be set to drop. This is how it should work, don't set to 'drop' anything else (the rules) manually unless you know what you are dropping. Unless something went wrong, it should never isolate you completely.

You will have issues, that's for sure, some stuff will be blocked right after the first deployment, but if you only set the rulesets to drop, you should be able to set the actually dropped packets to 'alert' in the 'Alerts' tab in order to allow it for future use. After you have set a rule to 'alert', hit 'Apply' in the rules tab, otherwise, it won't be applied.



« Last Edit: January 19, 2018, 11:13:01 am by elektroinside »

elektroinside

Re: How to open specific ports?
« Reply #37 on: January 19, 2018, 11:16:11 am »
Quote from: Dzioobasek on January 19, 2018, 10:49:55 am
Now I can't log in to the Joomla panel. I found the rule which was blocking it and changed it to alert. Now when I switch to the Rules tab, should I check and apply all rules?

Just go to the Rules tab, don't select anything, just hit 'Apply'. It should work. Don't worry, there won't be that much stuff blocked. Some things will be, but once you allow them (aka set them to 'alert'), everything will work :)

Dzioobasek

Re: How to open specific ports?
« Reply #38 on: January 19, 2018, 11:28:43 am »
I did everything you wrote and I can't log in to the Joomla admin panel. I can access the site, but after I provide login and password it drops the connection.

elektroinside

Re: How to open specific ports?
« Reply #39 on: January 19, 2018, 12:56:23 pm »
Do you have dropped alerts from that host that you may have missed setting to 'alert', in the 'Alerts' tab? Refresh the 'Alerts' tab, delete 'blocked' from the search, verify the results again... It has to be there..
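Working through the 'blocked' alerts, as described in the first post's troubleshooting section and again in the reply above, gets tedious in the GUI once a few rulesets are set to drop. The script below is an added example for this thread, not OPNsense code and not the poster's. It assumes (the thread never names the file) that Suricata on the firewall writes its alerts as EVE JSON to /var/log/suricata/eve.json, with a drop recorded as alert.action "blocked" and an alert-only hit as "allowed", and lists the SIDs that dropped traffic to or from one host so you know which rules to flip to alert. The sample log lines embedded in it are constructed, with SIDs from the local range and made-up signature names.

```python
"""Triage Suricata drops from the IDS/IPS log on an OPNsense box.

Added example for this forum thread; not code from OPNsense or the poster.
Assumptions not stated in the thread: Suricata writes EVE JSON (one object
per line) to /var/log/suricata/eve.json, a packet dropped in IPS mode is an
"alert" event with alert.action == "blocked", an alert-only rule logs "allowed".
"""
import json
import sys
from collections import defaultdict


def _ev(src, dst, dport, action, sid, sig):
    """Build one constructed EVE alert record for the sample log below."""
    return json.dumps({
        "timestamp": "2018-01-19T11:20:00+0200", "event_type": "alert",
        "src_ip": src, "src_port": 52100, "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": "sample", "severity": 2},
    })


# Constructed sample log. SIDs are in the local range (1000000-1999999) and the
# signature names are made up; nothing here is a real ruleset entry. The last
# line is deliberately truncated, as the tail of a live eve.json often is.
SAMPLE_EVE = "\n".join([
    _ev("192.168.0.20", "203.0.113.10", 80, "blocked", 1000001,
        "SAMPLE POLICY cleartext password in HTTP POST body"),
    _ev("192.168.0.20", "203.0.113.10", 80, "blocked", 1000001,
        "SAMPLE POLICY cleartext password in HTTP POST body"),
    _ev("192.168.0.31", "198.51.100.5", 443, "blocked", 1000002,
        "SAMPLE TROJAN beaconing on TCP/443"),
    _ev("192.168.0.20", "203.0.113.10", 80, "allowed", 1000003,
        "SAMPLE INFO outbound HTTP to a bare IP"),
    json.dumps({"timestamp": "2018-01-19T11:20:03+0200", "event_type": "dns",
                "src_ip": "192.168.0.20", "dest_ip": "192.168.0.1"}),
    '{"timestamp":"2018-01-19T11:20:04+0200","event_type":"alert","src_ip":"192.16',
])


def parse_eve(text):
    """Return the alert events in EVE JSON text. Other event types (dns, flow,
    ...) and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert" and isinstance(ev.get("alert"), dict):
            events.append(ev)
    return events


def blocked_for_host(events, host):
    """Map SID -> {"signature", "count", "peers"} for every rule that dropped
    traffic to or from `host`: the rows to review in the Alerts tab before
    flipping a rule from drop to alert. `peers` is the remote side of each drop."""
    out = {}
    for ev in events:
        alert = ev["alert"]
        if alert.get("action") != "blocked":
            continue
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        if host not in (src, dst):
            continue
        entry = out.setdefault(alert["signature_id"], {
            "signature": alert.get("signature", ""), "count": 0, "peers": set()})
        entry["count"] += 1
        entry["peers"].add(dst if src == host else src)
    return out


def drops_by_rule(events):
    """List (sid, drop_count, signature) for every rule that dropped anything,
    noisiest first, to see what the rulesets block across the whole LAN."""
    counts, names = defaultdict(int), {}
    for ev in events:
        alert = ev["alert"]
        if alert.get("action") == "blocked":
            counts[alert["signature_id"]] += 1
            names[alert["signature_id"]] = alert.get("signature", "")
    return sorted(((sid, n, names[sid]) for sid, n in counts.items()),
                  key=lambda t: (-t[1], t[0]))


def main(argv):
    """Usage: triage.py [eve.json] [host-ip]; without a host, summarise all drops."""
    path = argv[1] if len(argv) > 1 else "/var/log/suricata/eve.json"
    host = argv[2] if len(argv) > 2 else None
    with open(path, encoding="utf-8", errors="replace") as fh:
        events = parse_eve(fh.read())
    if host:
        for sid, info in sorted(blocked_for_host(events, host).items()):
            print(f"sid {sid}: {info['count']} drop(s), {info['signature']!r}, "
                  f"peers {sorted(info['peers'])}")
    else:
        for sid, n, name in drops_by_rule(events):
            print(f"sid {sid}: {n} drop(s), {name!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the firewall with the address of the host that cannot log in (for example `python3 triage.py /var/log/suricata/eve.json 192.168.0.20`), then set each listed SID to alert in the GUI and hit Apply on the Rules tab, as the posts above say. Only "blocked" actions are counted; an "allowed" row, like the one Dzioobasek saw for the Joomla site, means that rule already lets the traffic through and is not the cause.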

Dzioobasek

Re: How to open specific ports?
« Reply #40 on: January 19, 2018, 01:04:10 pm »
The alert for this site appears as `allowed`, but I still can't log in.

In the IPS description there is `Before enabling, please disable all hardware offloading first in advanced network.` I haven't done it; may this be the reason?
« Last Edit: January 19, 2018, 01:40:50 pm by Dzioobasek »

Ciprian

Re: How to open specific ports?
« Reply #41 on: January 19, 2018, 01:51:08 pm »
As far as I remember, Hardware Offloading is, by default, OFF.
Only check!

Dzioobasek

Re: How to open specific ports?
« Reply #42 on: January 19, 2018, 01:52:34 pm »
Nope, I have unchecked those and then everything is blocked.
I'm going home; if you give me any tips I'll try them on Wednesday. Have a nice weekend guys!

PS
This should be the official guide.

hutiucip - it's all checked by default

Ciprian

Re: How to open specific ports?
« Reply #43 on: January 19, 2018, 01:59:11 pm »
Quote from: Dzioobasek on January 19, 2018, 01:52:34 pm
Nope, I have unchecked those and then everything is blocked.
I'm going home; if you give me any tips I'll try them on Wednesday. Have a nice weekend guys!

PS
This should be the official guide.

hutiucip - it's all checked by default

Leave them checked: as they state "Disable hardware 'bla-bla-bla' offload", it means unchecking them enables/activates offloads. Negation of negation = affirmation / non p and non p = non non p = p (if I remember it accurately) :)
« Last Edit: January 19, 2018, 02:00:44 pm by hutiucip »

elektroinside

Re: How to open specific ports?
« Reply #44 on: January 19, 2018, 02:49:38 pm »
Another good point, all offloading must be disabled. They are by default, but who knows :)
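To settle the "who knows" from the firewall shell rather than by reading checkbox labels: the check below is an added example for this thread, not OPNsense code and not the posters'. It parses the options=<...> flag list that FreeBSD's ifconfig prints and reports, per non-loopback interface, which checksum, TSO and LRO offload flags are still enabled, since the IPS warning quoted above says all hardware offloading must be off first. Treating exactly those ifconfig flags as "hardware offloading" is my assumption, and the ifconfig output embedded in it is constructed (the hex option words are not meant to decode to the flag lists).

```python
"""Report hardware offload flags still enabled on FreeBSD/OPNsense interfaces.

Added example for this forum thread; not code from OPNsense or the posters.
Assumption not stated in the thread: the offloads the IPS page wants disabled
are the ones ifconfig shows as the checksum (RXCSUM/TXCSUM and their IPv6
variants), TSO4/TSO6 and LRO option flags.
"""
import re
import subprocess
import sys

OFFLOAD_FLAGS = {"RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6",
                 "TSO4", "TSO6", "LRO"}

# Constructed ifconfig output: igb0 still has offloads on, igb1 is clean, lo0
# is loopback and must be ignored. Option hex words are made up.
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:00:5e:00:53:01
\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=8000a<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
\tether 00:00:5e:00:53:02
\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\toptions=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
\tinet 127.0.0.1 netmask 0xff000000
"""

_IF_HEADER = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
_OPTIONS = re.compile(r"options=[0-9a-fA-F]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "options": set}} from ifconfig output.
    An interface header starts at column 0; its option line is indented."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = _IF_HEADER.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(filter(None, m.group(2).split(","))),
                               "options": set()}
            continue
        m = _OPTIONS.search(line)
        if m and current is not None:
            ifaces[current]["options"] = set(filter(None, m.group(1).split(",")))
    return ifaces


def offloads_enabled(text):
    """Map each non-loopback interface to the sorted offload flags still set on
    it; an empty list means that interface is ready for IPS mode."""
    return {name: sorted(info["options"] & OFFLOAD_FLAGS)
            for name, info in parse_ifconfig(text).items()
            if "LOOPBACK" not in info["flags"]}


def ips_ready(text, interfaces):
    """True only when every named interface exists and has no offload enabled."""
    enabled = offloads_enabled(text)
    return all(name in enabled and not enabled[name] for name in interfaces)


def main(argv):
    """Usage on the firewall: offload_check.py igb0 igb1 (no args = all NICs)."""
    text = subprocess.run(["ifconfig"], capture_output=True, text=True,
                          check=True).stdout
    enabled = offloads_enabled(text)
    wanted = argv[1:] or sorted(enabled)
    for name in wanted:
        flags = enabled.get(name)
        status = "not found" if flags is None else (
            "ok" if not flags else "offloads still on: " + ",".join(flags))
        print(f"{name}: {status}")
    return 0 if ips_ready(text, wanted) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the box for the interfaces you selected under Intrusion Detection; a non-zero exit means at least one of them still shows a checksum, TSO or LRO flag and the corresponding "Disable hardware ... offload" box needs to stay checked (and the interface re-initialised) before IPS mode is enabled.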

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved