Fast and easy way to protect your home and/or small office network with OPNsense

[jenmonk]

Networking

1. Go to System: Settings: Networking
2. Disable all hardware offloading (they are by default, but please verify)

Should be

Networking

1. Go to Interfaces: Settings
2. Disable all hardware offloading (they are by default, but please verify)

[Julien]

on the port forward NAT Firewall,
we cannot create it as it request the redirect IP ( see attached).

my question is for this steps

Code: [Select]

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

[jenmonk]

I know. I gave my LAN IP 192.168.5.1/24

[Julien]

I know. I gave my LAN IP 192.168.5.1/24

is your answer related to my question ?

[jenmonk]

yes, for the redirect IP I gave my LAN IP 192.168.5.1/24

[Ciprian]

or 127.0.0.1 - for cases when you use multiple interfaces with multiple subnets and you create an "interface group" in the firewall, and create a single rule for this group containing all LAN subnets.

[Julien]

or 127.0.0.1 - for cases when you use multiple interfaces with multiple subnets and you create an "interface group" in the firewall, and create a single rule for this group containing all LAN subnets.

if we are using a internal active directory. do we have to add this rule and use the active directory ip 10.10.10.101 ?

the dns is working now or creating this rules would speed up things ?

[Ciprian]

if we are using a internal active directory. do we have to add this rule and use the active directory ip 10.10.10.101 ?

Definitely!
You use the IP of the DNS server you want to use. Pay close attention at the moment when & if you start to use different DNS servers for different VLANs, you would have to break "single floating rule" model, and clone & adapt every rule for every VLAN with each corresponding DNS server on every subnet's/ VLAN's interface.

the dns is working now or creating this rules would speed up things ?

I don't quite get that, what do you mean?
Anyway, related to DNS traffic and speeding things up, it is a "best practice" to place as down as possible rules implying DNS queries: as all FW rules are evaluated from top to bottom, every time a particular traffic session is about to be established it causes first a FW rules evaluation for that session; when anything but pure IP addresses (CIDR) is used in a particular FW rule which is placed on top, you will have generated DNS queries traffic necessary for that particular rule evaluation. Even if the rule doesn't mach the traffic, still, the rule is evaluated, and is evaluated after the DNS FQDN <-> IP record has been obtained from the DNS server. You will get .

Pay close attention to rule order, it's important since OPNsense is NOT your DNS server in your domain. If you google it a bit, you will find the exact recommended order for FW rules based on their type and purpose (general use, no brand addiction).

[mitchadmin]

Hi,

I have followed your guide for basic configuration and found it an excellent point of reference.
Is there possibly a guide for configuration that will allow RDP to run properly through an OPNsense router?

Many thanks

[marjohn56]

You could use a port forward for RDP to a specific machine, however I would only ever use that if the machine on the WAN side is on a static address and you can limit that port forward to that address, otherwise you are exposing the internal machine to the WAN, not a good idea. If you want to use RDP from the WAN, then use a VPN and go into the LAN that way, then connect using RDP to the local address of the machine you want.

[mitchadmin]

I want to RDP from the LAN side of the router out to client servers (which I depend on to do my job).

Currently, I must have IDS/IPS turned off in order to use RDP. And yes, I have looked over and disabled every RDP related rule I can find.

[thewolf56]

3. If you have newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.

Hello @elektroinside

I followed your guide to the end and after downloading the rules (and after changing the ones you pointed out that caused issues with windows update to alert), I was able to get IDS/IPS to run, but only for less than a minute before it would stop itself.  I would watch the cpu graph and memory usage on the dashboard steadily climb and then I would see the cpu graph drop dramatically and watch my memory usage (4 GB RAM) drop from about 52% to 14%.  I would then refresh the dashboard to see that IDS had stopped.

I did some googling and it seems that my issue is that I had set pattern matcher to "Hyperscan"  (it's been staying on ever since I changed it back to default).  My i5 - 5250u has Intel SSE 4.1 and SSE 4.2, which are backwards compatible with SSE 3, so I rechecked your instructions to use dmesg to verify SSE3. I did use dmesg to verify the SSE3 set is there, but the only change I made was switching from hyperscan to default to make it work.  So, I am at a loss on that front.  My WAN is PPPoE, so I made sure that was not included and I double-checked all hardware acceleration was disabled.
 
  I see a small point that a little clarification could help those of us that need to follow this wonderful guide step by step.  The first part of step 3 says (to me) that if I have a newer Intel CPU, then I should have SSE3, but then the last part indicates that no SSE3 is indicative of a newer Intel CPU.  I re-read that part a few times, but was not sure which whether a newer intel CPU should have SSE3 or not.

Thanks again for this great guide and other guidance you have shared.

[mimugmail]

Do you use the URLHaus list? ATM it's too big and unusable.

[thewolf56]

Do you use the URLHaus list? ATM it's too big and unusable.

Thanks mimugmail.  I do have that list enabled at the moment.  Would it be better to disable the URLhaus lst and re-enable hyperscan?  Or leave the rule list enabled with the default pattern matcher?

I tried disabling that list and switched back to hyperscan.  Suricata still stalled out and stopped running with hyperscan enabled.  I have not re-checked my speed on my 1 Gbps up/down since switching to default pattern matcher, but plan to do so once I am back on ethernet instead of wifi, but I imagine it is not going to be a great speed.

[Marcel_75]

@elektroinside: Thank you for this nice guide. Followed it step by step.

Unfortunately, I still can download the Eicar Test Virus from https://www.wicar.org/test-malware.html without any problem.

So my IDS/IPS isn't working as it should, right?

Any idea how to check what's going wrong here?

PS: My client computer has a manual IP and the DNS server is the same as the Gateway. Also your Firewall rule is added to avoid DNS overrides from client side. And all rulesets are activated as recommended, so the download speed is not over 100 MBit now (without Suricata I have nearly 400 MBit normally). It seems to be "on" but I still can download the Eicar Test Virus? Why? That's strange …