Fast and easy way to protect your home and/or small office network with OPNsense

Started by elektroinside, January 16, 2018, 11:09:39 PM

I use these techniques for my home network and many of my clients. IDS/IPS needs occasional maintenance. Combine these with 'Security through obscurity' philosophies and techniques and you should be safe enough. Obviously, nobody but yourself is responsible for your deployment.

INTRO

IDS/IPS will not block viruses like an AV; rather, they are complementary to each other. IDS/IPS scans network traffic (packets) while the AV scans files. Both work with rules/signatures, and both are heavily dependent on them (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult sometimes.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is only as good as your rules. Combine this with a good DNS service and you will get nice, fast security.

Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos (I don't know the exact rule(s) in the ruleset(s), though) can cause issues between internal interfaces, like RDP sessions, Windows Updates, Veeam backup speed/sustainability, etc. The most important thing: those issues weren't listed on the "Alerts" list, neither as blocked nor otherwise. The advice for everyone, especially if on a production/critically available network, would be to check rulesets and rules with a one-by-one activation/deactivation approach, especially if network services are crippled without any apparent reason.

Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and first step): System: Configuration: Backups
In the case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment in a txt file on your test machine and save it
3. Run a few speedtest.net tests to verify performance and throughput before and after these techniques are deployed in your environment

Networking

1. Go to System: Settings: Networking
2. Disable all hardware offloading (they are disabled by default, but please verify)

DNS

Some public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS blocks no ads but more malware; AdGuard blocks ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this, create an account on OpenDNS.com and just fill in the form in OPNsense:Services:OpenDNS, the GUI will fill in the DNS servers from step 1 below for you. Follow/verify the rest of the steps.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard as it is easy to verify, and this one you need to configure manually:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. if you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
6. Uncheck 'Enable DNSSEC Support' (if you use OpenDNS or AdGuard, neither of these supports this feature)
SAVE
7. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these: Enabled, IPS mode (do not check promiscuous mode unless you have multiple interfaces or VLANs)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select 'Hyperscan' as the pattern matcher. You will have to run dmesg in the console to verify. If there is no SSE3 (so not a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

Further debugging

1. Go to Services: Intrusion Detection and disable IPS mode.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2. Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3. Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

4. Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again; it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

If still absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Then stop reading :)

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus, there are more tests there
2. if you choose AdGuard dns servers, most of the ads in websites/ games etc will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have good protection and good speed as well. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + adult websites + safe search (Family protection DNS servers).

Since this also relies on DNS, you may want to make sure all DNS queries from the clients go to the servers you configured, even if the clients override them locally. If you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-with Amsterdam: http://www.speedtest.net/result/6972207406
-with Romania: http://www.speedtest.net/result/6972210834

That's it :)


OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member
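The port-forward rule at the end of the guide only helps if it really catches queries that clients send elsewhere. Below is an added check (example code written for this thread, not part of the original post and not OPNsense code) to run from a LAN client with Python 3: it asks a resolver the client was not supposed to use for a name that only the firewall's Unbound can answer, such as the firewall's own hostname or a host override, and reports whether the firewall's address comes back. A public resolver would answer NXDOMAIN for such a name, so getting the internal address back means the redirect is in effect. FIREWALL_LAN (192.168.1.1), INTERNAL_NAME (opnsense.localdomain) and STRAY_RESOLVER (8.8.8.8) are placeholders, not values from the post.

```python
"""
Check that the DNS port-forward actually catches stray queries.

Added example for this thread; not code from the original post or from
OPNsense. Run it on a LAN client (Python 3). Placeholders, not from the
post: FIREWALL_LAN (the firewall's LAN address), INTERNAL_NAME (a name only
the firewall's Unbound can answer) and STRAY_RESOLVER (a public resolver a
client might have configured locally).
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname as DNS labels: 07 'example' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """Standard query with one question and the RD flag set (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer, RFC 1035 4.1.4
            target = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the name ends after the first pointer
            jumped, offset, hops = True, target, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return txid, rcode and the IN A records from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4                            # qtype + qclass
    records = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            records.append((name, socket.inet_ntoa(rdata)))
    return {"txid": txid, "rcode": flags & 0x000F, "a_records": records}


def resolve(name, server, txid=0x2A2A, timeout=3.0):
    """One UDP query to server:53; raises on timeout or transaction id mismatch."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    reply = parse_response(data)
    if reply["txid"] != txid:
        raise ValueError("transaction id mismatch from %s" % server)
    return reply


def answers_with(reply, ip):
    """True if the reply succeeded (rcode 0) and contains the A record ip."""
    return reply["rcode"] == 0 and any(a == ip for _, a in reply["a_records"])


if __name__ == "__main__":
    FIREWALL_LAN = "192.168.1.1"             # placeholder: your firewall's LAN address
    INTERNAL_NAME = "opnsense.localdomain"   # placeholder: a name only Unbound on the firewall knows
    STRAY_RESOLVER = "8.8.8.8"               # placeholder: any resolver a client might set by hand
    direct = resolve(INTERNAL_NAME, FIREWALL_LAN)
    if not answers_with(direct, FIREWALL_LAN):
        sys.exit("the firewall itself did not answer (rcode %d): fix Unbound/its ACL first" % direct["rcode"])
    stray = resolve(INTERNAL_NAME, STRAY_RESOLVER)
    if answers_with(stray, FIREWALL_LAN):
        print("redirect works: the query sent to %s was answered by the firewall" % STRAY_RESOLVER)
    else:
        print("redirect NOT working: %s answered with rcode %d" % (STRAY_RESOLVER, stray["rcode"]))
```

The script first queries the firewall directly; if that fails (for example rcode 5, REFUSED, when the LAN is missing from the Unbound access list) it stops there instead of blaming the NAT rule. Queries are built and parsed by hand so that the check does not go through the client's own stub resolver, which is exactly the component whose settings the rule is meant to override.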

Feel free to comment, ask questions, tell your success/fail stories...
Criticism is also welcomed :)

Not because you're from Romania (me too :) ), but bravo for your guide, excellent work.

Only one addition (and maybe you can add this to your post?!): Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos (I don't know the exact rule(s) in the ruleset(s), though) caused issues for me between internal interfaces (eg. CorpLan <-> Servers, Core <-> Management traffic), like RDP sessions, Veeam backup speed/sustainability, etc. The most important thing: those issues weren't listed on the "Alerts" list, neither as blocked nor otherwise. This is the reason I didn't identify the exact problematic rules; I didn't have the time and/or patience to verify every rule in every ruleset "ad labam".

I advise everyone, especially if on a production/critically available network, to check rulesets and rules with a one-by-one activation/deactivation approach, especially if network services are crippled without any apparent reason.

Cheers.

Thank you :)

You're perfectly right, take a look at this post: https://forum.opnsense.org/index.php?topic=6840.0

That's why I specified the target audience (home and/or small office), under no circumstances should this guide be deployed in SME or higher, as it is.

Thank you for adding this missing description, I'll include it in the INTRO part, so that people may be aware as to why this is not good for SME as it is and what needs to be tweaked in case of issues.

Update: updated the description of the guide :)

New update: added some more debugging steps.

I'm currently using Unbound DNS but when I check 'DNS Query Forwarding' it stops access to websites.

If you have no DNS servers it doesn't know where to forward to.


Cheers,
Franco

Yes, as Franco said, you have to make sure you have configured DNS servers here (like in the attached snapshot):
System: Settings: General

And if you are on 18.1.r2, you should also apply this patch from the console in order to see all the blocked rules in the GUI (so you can unblock them if needed):
https://github.com/opnsense/core/commit/573612d48


opnsense-patch 573612d48

I have DNS server IP addresses entered in there. I have the IP addresses that OpenDNS suggest.

I'm currently on 17.7.12 should I look at updating?

Quote from: richardmountain on January 25, 2018, 01:03:05 PM
I have DNS server IP addresses entered in there. I have the IP addresses that OpenDNS suggest.

Strange...
You should not enable DNSSEC (no support from AdGuard or OpenDNS) (Services: Unbound DNS: General)
You should verify your access list and make sure all your internal networks are added in the ACL (Services: Unbound DNS: Access Lists)

Maybe a restart of OPNsense helps?

Good shout about DNSSEC, i'd got that enabled.

I've disabled it and it's working.

Great!
Now, you can begin the hunt for rules to disable :)
17.7.x, unfortunately, will not display in the GUI all of the blocked packets (and corresponding rules). You might have issues and you might not realize why (what is being blocked).

I don't think the above-mentioned patch breaks IDS on 17.7.x, you could try it (I hope I'm not wrong):

Run this from the console (from putty):
opnsense-patch 573612d48

If, for some reason, something breaks, run the patch again (it will revert the changes).
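When the GUI does not show what was dropped, as this reply says for 17.7.x, the EVE log Suricata writes on the firewall still records every alert together with its action. The following is an added example (written for this thread, not code from the original post or from OPNsense) that reads those JSON lines, keeps only alerts with action "blocked", groups them by signature ID and lists the flows and interfaces involved, so the SID can then be looked up in the Rules tab and set to 'Alert'. It assumes the log is at /var/log/suricata/eve.json; the lines in SAMPLE_EVE are constructed for the demo, with SIDs in the local-rules range and invented signature names.

```python
"""
Find the Suricata rule that is dropping traffic by reading the EVE log.

Added example for this thread, not code from the original post or from
OPNsense. Assumption (not from the post): the IDS writes EVE JSON to
/var/log/suricata/eve.json on the firewall. SAMPLE_EVE is constructed to
look like Suricata alert records: local-range SIDs, invented signature
names, documentation/private IP addresses.
"""
import json
import sys
from collections import defaultdict

SAMPLE_EVE = """\
{"timestamp":"2018-01-25T12:03:05.120000+0200","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.20","src_port":49822,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"SAMPLE executable download over HTTP","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-01-25T12:03:06.410000+0200","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.20","src_port":49823,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"SAMPLE executable download over HTTP","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-01-25T12:05:41.002000+0200","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.31","src_port":51002,"dest_ip":"203.0.113.22","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"SAMPLE executable download over HTTP","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-01-25T12:07:13.550000+0200","event_type":"alert","in_iface":"igb2","src_ip":"10.0.0.5","src_port":60111,"dest_ip":"10.0.1.8","dest_port":3389,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"SAMPLE RDP burst between internal segments","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2018-01-25T12:07:14.000000+0200","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.20","src_port":49830,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,"signature":"SAMPLE informational HTTP user-agent","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2018-01-25T12:07:20.000000+0200","event_type":"flow","in_iface":"igb1","src_ip":"192.168.1.20","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2018-01-25T12:08:
"""


def parse_eve(text):
    """Return (alert records, number of unparseable lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:                     # truncated line, e.g. rotated mid-write
            skipped += 1
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            records.append(event)
    return records, skipped


def summarize_drops(records):
    """Group alerts with action 'blocked' by rule, most hits first."""
    by_rule = defaultdict(lambda: {"count": 0, "flows": set(), "ifaces": set()})
    for event in records:
        alert = event["alert"]
        if alert.get("action") != "blocked":   # 'allowed' alerts did not break anything
            continue
        entry = by_rule[(alert["signature_id"], alert.get("signature", "?"))]
        entry["count"] += 1
        entry["flows"].add("%s -> %s:%s/%s" % (event["src_ip"], event["dest_ip"],
                                               event.get("dest_port", "-"), event.get("proto", "?")))
        entry["ifaces"].add(event.get("in_iface", "?"))
    rows = [{"sid": sid, "msg": msg, "count": e["count"],
             "flows": sorted(e["flows"]), "ifaces": sorted(e["ifaces"])}
            for (sid, msg), e in by_rule.items()]
    rows.sort(key=lambda r: (-r["count"], r["sid"]))
    return rows


def drops_involving(records, ip):
    """SIDs that blocked traffic to or from one host."""
    return sorted({event["alert"]["signature_id"] for event in records
                   if event["alert"].get("action") == "blocked"
                   and ip in (event["src_ip"], event["dest_ip"])})


def report(text):
    records, skipped = parse_eve(text)
    print("%d alert records, %d unparseable lines" % (len(records), skipped))
    for row in summarize_drops(records):
        print("sid %d  hits %d  %s" % (row["sid"], row["count"], row["msg"]))
        print("    seen on: %s" % ", ".join(row["ifaces"]))
        for flow in row["flows"][:5]:          # a few flows are enough to recognise the service
            print("    %s" % flow)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # on the firewall: python3 triage.py /var/log/suricata/eve.json
        with open(sys.argv[1]) as fh:
            report(fh.read())
    else:                   # no argument: demo on the constructed sample
        report(SAMPLE_EVE)
```

Run it with no argument to see it work on the sample; on the firewall pass the log path. drops_involving() answers the narrower question "why can this one host not connect": it returns only the SIDs that blocked traffic to or from that address. One caveat that matches the earlier reports in this thread: if a ruleset degrades traffic without producing any alert at all, nothing shows up here either, and the one-by-one ruleset toggling remains the way to find it.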


Sure thing, you're welcome.

I've also updated the guide to make users aware of the DNSSEC option.

Thank you.

Great,

Another issue I've got with OpenDNS, which might be related somehow.

It seems to be working to a degree because it's blocking sites that I've blocked, however, it doesn't seem to be logging the sites I've visited or even my requests?