OPNSense Configuration (Part 2 - Deploy-Config)

This is part two of a two-part series. 

As I mentioned in Part One, this configuration is written as two parts for a specific use case. First is a 'base-config' that has all common settings and part two covers settings that would be different between my friend's clients. Between the two parts, you can put together a fully functional OPNSense Layer 7 firewall with ZenArmour for personal or small business use. Just like with Part One, you can adjust as needed such as importing the config.

Base-Config Deployment Process

Put the downloaded Part-One config on a separate FAT32 USB stick as /conf/config.xml for import during install. Do not put on the install media.

Follow Part One to install OPNSense until the Initial Wizard via HTTPS step.

NOTE: During Boot from the install media press any key to run the configuration importer. Alternatively, the config can be imported via the GUI later. By importing the configuration it will install all plugins when you run selection 12 to update to latest which saves some time.

You would simply type the device name and it will import the configuration from part one. In this example, you simply enter 'da0'. Continue the boot and let it autoconfigure the networks. 

NOTE: If not running on Intel emX based NICs (such as igcX) you can modify the config file for interfaces before import as this will save time later. Boot the installer USB and it will state the device NICs.

TIP: search for ‘>em0<’ for example as older vlans could be ‘em0_vlan400’ for so including brackets will exclude the vlans for later replacement.

• em0=LAN
• em1=WAN
• em2=WLAN

From another PC on the LAN goto HTTPS://192.168.1.1, login with root/opnsense

If the config was not imported at install, navigate to System: Configuration: Backups and restore backup.

Restart and then log in again

Navigate to SYSTEM: SETTINGS: GENERAL and set host info

Hostname= Hostname of FW

Domain= Domain of network

        Click Save

Navigate to INTERFACES: WAN

Adjust IPv4 Configuration Type for ISP if not DHCP

If Xfinity modem goto DHCP client configuration

Reject Leases From = 192.168.100.1 (customer-provided modem) 

                        Reject Leases From = 10.0.0.1 (Xfinity provided modem)

Optionally enable IPv6 configuration if ISP supports it and desired

If Xfinity

                        IPv6 Configuration Type=DHCPv6

                        DHCPv6 Client Configuration

                        Prefix delegation size=60

                        Send IPv6 prefix hint = checked

                        Use IPv4 connectivity=checked 

Navigate to INTERFACES: LAN

Adjust Static IPv4 configuration as needed

If IPv6 was enabled on WAN interface and it is desired on LAN

                        set IPv6 Configuration Type = Track Interface

Track IPv6 Interface

IPv6 Interface=WAN

IPv6 Previx ID=0

Click Save

Optionally delete WLAN if not used

Navigate to INTERFACES: ASSIGNMENTS

        Click Delete icon

        Click Save

Navigate to INTERFACES: WLAN

Adjust Static IPv4 configuration as needed 

If IPv6 was enabled on WAN interface and it is desired on WLAN

                        set IPv6 Configuration Type = Track Interface

Track IPv6 Interface

IPv6 Interface=WAN

IPv6 Prefix ID=1

Click Save

Configure DNS as needed

Optionally remove DNS over TLS for Cloudflare

Navigate to SERVICES: UNBOUND DNS: DNS over TLS

Delete the two CloudFlare entries

                Use System Nameservers = checked

                Navigate to SYSTEM: SETTINGS: GENERAL: NETWORKING

        Add DNS servers or enable DNS from DHCP/PPP on WAN

If Windows Domain is present

                Navigate to SERVICES: UNBOUND DNS: OVERRIDES: DOMAIN OVERRIDES

Click Plus icon to create

Domain = Windows AD Domain FQDN

IP address= Windows AD DC server IP Address

Description=Friendly name of AD Domain

Click Save

                Click Plus icon to create

Domain = Windows AD Domain reverse

example=1.168.192.in-addr-arpa

IP address= Windows AD server IP Address

Description=Friendly name of AD Domain

Click Save

Optionally on Windows AD DC Servers change their current upstream to this OPNSense LAN IP

Configure GEOIP Blocking

        Navigate to FIREWALL: ALIASES: GEOPIP SETTINGS

URL= https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip

  More detail located here 

Click Apply

        NAVIGATE to FIREWALL: ALIASES: ALIASES:

Edit GeoIPBlock and adjust countries as needed

If AMD CPU based, change Thermal Sensors

        Navigate to SYSTEM: SETTINGS: MISCELLANEOUS

                Thermal Sensors 

                Hardware = AMD K8,K10 and K11 CPU on-die thermal sensor (amdtemp)

Navigate to SERVICES: VNSTAT: GENERAL

Enable vnStat daemon=checked

Interface=WAN

Click Save

Install and Configure ZenArmor

More details are located here

        Navigate to ZENARMOR: DASHBOARD

Agree to EULA

Click Proceed to start the setup Wizard

Click Next

Choose install 

Click radio button for Install a local Elasticsearch Database

If low spec then Mongodb will be only option

Click Install Database & Proceed

Click Done

Under Deployment mode select radio button for Routed Mode with native netmap driver

If using unusual NICs you may need to choose emulated netmap

Under Interface Selection choose LAN and WLAN if applicable

Click each interface then the >> button

Do not choose any VLAN interfaces, only the physical interface

Click Next

        On Cloud Reputation & Web Categorization tab

Local Domains Names to Exclude From Cloud Queries = Local domain and/or Windows AD Domain if present

        Click Next

        On Updates and Suppot click Next

        On Deployment size correct environment size

Hardware requirements are located here

        Click Next

        Click Finish

Optionally install Zenarmor license

        Navigate to ZENARMOR: DASHBOARD

        Click Upgrade to a Subscription at top

        Choose options

Change Root Password

Navigate to SYSTEM: ACCESS: USERS

Edit Root user and set password.

Click Save

Optionally Add additional users

Click Plus

Configure as required

Click Save

Enable System Notifications via Email

Navigate to  SERVICES: MONIT: SETTINGS

Enable Monit =Checked

Mail Server Address = Mail server IP

Mail Server Port = Mail Server required

Mail Server Username = Mail Server required

Mail Server Password = Mail Server required

Mail Server SSL Connection = Mail Server required

Navigate to Services: Monit: Alert Settings

Click Plus and configure as required

Enabled alert = checked

Recipient= email address for alerts

Not on = checked

Events=Nothing Selected

Mail format = Leave blank

Reminder=Leave blank

Description = Description as needed

                Click Save

Click Apply

Optionally adjust access protocols and ports

    Navigate to SYSTEM: SETTINGS: ADMINISTRATION

Change HTTPS TCP port as required

                Change SSH port as required

Optionally install Postfix to handle all emails for site

        Navigate to SYSTEM: FIRMWARE: PLUGINS

                Install is-postfix

                Navigate to SERVICES: POSTFIX and configure for the Email provider

Optionally install ACME Client for Lets Encrypt Certificate

        Navigate to SYSTEM: FIRMWARE:PLUGINS

                Install os-acme-client

                Navigate to SERVICES: ACME Client and configure Certificates

Optionally install DDNS Client

Navigate to SYSTEM: FIRMWARE:PLUGINS

Instal os-dyndns for legacy (more support but older)

Install os-ddclient for modern

        Navigate to SERVICES: DYNAMIC DNS and configure for DDNS Provider

Optionally configure UPS

Navigate to SERVICES: NUT: CONFIGURATION: GENERAL SETTINGS

Enable Nut= checked

Click Down arrow on UPS type and choose the relevant Type

For most brands use USBHID-Driver

Enable= Check

Navigate to SERVICES: NUT: DIAGNOSTICS and it should show stats from UPS.

Enable ZFS pool trim

        SSH to the OPNSense and at the command prompt type zpool autotrim=on zroot

Enable SMART tests on storage

        Navigate to LOBBY: DASHBOARD

        Under SMART status note the drive(s) with OK under Status

        Examples would be da0, nvme0

        Navigate to SYSTEM: SETTINGS CRON

        Click Plus to create new Cron entry

        Minutes = 5

        Hours = 2

        Day of the month = 2

        Command = Run SMART test (short)

        Parameters = /dev/drivename (/dev/da0 for example)

        Description = drivename Smart Test

        Click Save

        Click Plus and duplicate for remaining drives.

Any Firewall Rule customizations

Navigate to FIREWALL: RULES: INTERFACES

Examples:

            DNS redirection

            Remove/Disable the Floating This firewall Rule if required

WLAN to LAN for printer or Active Directory

-Kevin

OPNSense Configuration (Part 1 - Base-Config)

This is Part 1 of a two-part series.

A good friend of mine supports many small and medium businesses and has started transitioning their firewalls to OPNSense from others such as PFSense, Sophos or ASA as they age out. I offered to design devices and a base config that is easy for him to manage so they are uniform in configuration.  I documented the OPNSense configuration to support this and thought I would share it here.

For the hardware, I obtained a bunch of older 4 and 6 port 1RU commodity firewall devices and upgraded their CPU, memory, and added mirrored SSD storage to handle line speed routing depending on their ISP options. 

To upgrade them I obtained 4C4T CPUs to replace the 1C2T CPUs the devices came with. These were towards the top range of that socket but without a high TDP cost. As I had memory I upgraded them from 2GB to 8GB. I also had several mSATA drives so obtained some SATA to mSATA converters to give mirrored ZFS storage for the firewalls and even color-coded the SATA cables to make replacement identity very easy...All in I have spent around $80 per device with a dozen done so far and I buy more as I come across them.

  

For the OPNSense configuration, it is split into two parts with this being the "base-config", or all settings common to all clients, and a second "post-deploy" with custom settings unique to each client. I will post the second part shortly. This allows the base-config to be easily manipulated and re-creatable for a newer release even though the config file is forward compatible.

This was last updated with 23.1 however many screenshots are still 22.7. Since it is for a specific, albeit wide use case, you will need to make some adjustments such as IP addresses/ranges if you follow this guide. The OPNSense install documentation is fantastic.

Create Base-Config

Download the Latest ISO Installer from OPNSense

• AMD64

• DVD

• Use 7-zip to extract bz to ISO

Create VM in ESXi choosing FreeBSD 13+ 64-Bit

• UEFI

• 2 cores (1x2)

• 4GB memory

• 20GB Storage

• 20GB Storage

• Intel e1000e NIC on LAN VLAN

• Intel e1000e NIC on its own non-routed VLAN

• Intel e1000e NIC on its own non-routed VLAN

• Downloaded ISO

Boot from Media and let it autoconfigure network

Login: installer

Password: opnsense

Choose Select to use default keymap

Choose Install (ZFS)

Choose mirror

Select both 20GB Drives

Select Yes at the configuration

It will install a clone of the live system

Leave Root password as default and Select Complete Install and choose OK

The System will restart and goto landing login

Login: root

Password: opnsense

Choose Option 12 to update to latest build version

Choose Yes to proceed.

Use PgDn to scroll through the release notes and type Q at the : or (END) prompt

It will update to the latest minor dot version and restart

After restart login again as root and run option 12 again as it may have a patch release to apply

STOP If on Part 2 and return to Part 2.

From another PC on the non-routed VLAN goto HTTPS://192.168.1.1 and login and let it start the wizard.

On the initial Wizard screen set the following:

        Override DNS = unchecked

        Enable Resolver = Checked

        Enable DNSSEC Support = Checked

        Harden DNSSEC data = Checked

Choose Next and on the Time Server Wizard set

        Time server hostname = time.cloudflare.com time.facebook.com 0.us.pool.ntp.org 1.us.pool.ntp.org

        Timezone = America/Denver

Choose Next and on the Configure WAN interface wizard choose Next to leave defaults

On the Configure LAN interface wizard choose Next to leave at default

On the Set Root Password wizard choose Next to leave at default

Finally, choose Reload to apply the changes.

Initial Wizard is now complete

Navigate to INTERFACES:LAN

IPV6 Configuration Type = None

Select Save

Navigate to INTERFACES:WAN

IPV6 Configuration Type = None

Select Save

Select Apply changes at top

Navigate to INTERFACES: ASSIGNMENTS

Under new interface verify em2 is listed and enter WLAN for its description.

Click the Plus sign

Select Save

Navigate to INTERFACES: WLAN

Enable=checked

IPv4 Configuration Type = Static IPv4

Static IPv4 configuration

IPV4 address = 192.168.2.1 /24

Click Save

Click Apply Changes at top

Navigate to SYSTEM: FIRMWARE: Plugins and install the following plugins

• os-crowdsecs-dmidecode

• os-dmidecode

• os-hw-probe

• os-iperf

• os-smart

• os-theme-cicada

• os-vnstat

• os-nut

• os-sunnyvalley

• Os-sensei

• WIll install os-sensei-updater

• os-sensei-agent

Navigate to SYSTEM: SETTINGS: General

Change Theme to cicada

Select Save

Navigate to SYSTEM: SETTINGS: ADMINISTRATION

Access Log=checked

Secure Shell Server = checked

Root Login = checked

Inactivity timeout = 20

Click Save

Navigate to SYSTEM: SETTINGS: LOGGING

Preserve Logs(Days) = 90

Select Save

Navigate to SYSTEM: SETTINGS: MISCELLANEOUS

Thermal Sensors 

Hardware = Intel Core CPU on-die thermal sensor (coretemp)

Power Savings

Use PowerD = Checked

On AC Power Mode = Hiadaptive

On Battery Power Mode = Hiadaptive

On Normal Power Mode = Hiadaptive

Disk / Memory Settings (reboot to apply changes)

Swap File = checked

Select Save

Navigate to SERVICES: DHCPv4: LAN

Range = 192.168.1.11 to 192.168.1.245

Click Save

Navigate to SERVICES: DHCPv4: WLAN

Range = 192.168.2.11 to 192.168.2.245

Click Save

Navigate to SERVICES: NETWORK TIME: GENERAL

NTP Graphs - checked

Syslog logging

Enable logging of peer messages = checked

Enable logging of system messages = checked

Click Save

Navigate to SERVICES: CROWDSEC: SETTINGS

Click Apply

Navigate to REPORTING: SETTINGS

Under Unbound DNS reporting

Statistics = checked

Click Save

Navigate to SERVICES: UNBOUND DNS: GENERAL

DHCP Registration = checked

TXT Comment Support = checked

Click Save

Click Apply Changes

Navigate to SERVICES: UNBOUND DNS: ADVANCED

Prefetch Support = checked

Prefetch DNS Key Support = checked

Harden DNSSEC data = checked

Message Cache Size = 10MB

Extended statistics = checked

Number of Hosts to cache = 50000

Click Apply

Navigate to SERVICES: UNBOUND DNS: DNS OVER TLS

Use System Nameservers = unchecked

Click the Plus sign to create a new entry.

Entry One Server IP = 1.1.1.1  Hostname = cloudflare-dns.com

Entry One Server IP = 1.0.0.1  Hostname = cloudflare-dns.com

Click Apply

Navigate to FIREWALL: GROUPS

Click Plus sign to create a group

Name=ALL_INTERNL_NET

Members=LAN, WLAN

Click Save

Click Apply Changes

Navigate to FIREWALL: ALIASES

Click Plus sign to create an Alias

Name=GeoIPBlock

Type=GeoIP

Africa=Sudan

America=Cuba

Asia=China,Iran,Iraq,Korea (North),Myanmar (Burma),Syria

Europe=Lithuania, Russia

Description=Countries Being Blocked

Navigate to FIREWALL: ALIASES: GeoIP settings

URL=Temp maxmind URL

Click Apply

        URL=blank

Click Apply

Navigate to FIREWALL: RULES: ALL_INTRNL_NETS

Click Plus to create a rule

Action = Block

Interface=ALL_INTRNL_NETS

Source= ALL_INTRNL_NETS

Destination=crowdsec_blacklists

Log=checked

Description=Block Outbound to CrowdSec IPv4

Select Save

Clone the above rule and set the following

TCP/IP Version=IPv6

Destination=crowdsec6_blacklists

Description=Block Outbound to CrowdSec IPv6

Select Save

Clone crowdsec IPv4 rule and set the following

Destination=GeoIPBlock

TCP/IP Version=IPv4

Description=Block Outbound to GeoIPBlock IPv4

Select Save

Clone GeoIPBlock IPv4 rule and set the following

TCP/IP Version=IPv6

Description=Block Outbound to GeoIPBlock IPv6

Select Save

Click Plus to create a rule

TCP/IP Version=IPV4+IPv6

Destination This Firewall

Click Save

Navigate to FIREWALL: RULES: WAN

Click Plus to create a rule

Action=Block

TCP/IP Version = IPv4

Source=GeoIPBlock

Log=checked

Description=GeoIP Inbound Block

Click Save

Clone the above GeoIP Rule and set the following

TCP/IP Version=IPV6

Description=GeoIP Inbound Block IPv6

Click Save

Navigate to FIREWALL: RULES: LAN

Clone the Default allow LAN to any rule and change the following

Interface=WLAN

Source=WLAN net

Description=Default allow WLAN to any rule

Click Save

Navigate to FIREWALL: RULES: WLAN

                Clone the Default allow LAN IPv6 to any rule and change the following

Interface=WLAN

Source=WLAN

Description=Default allow WLAN IPv6 to any rule

Click Save