Thursday, May 25, 2023

OPNSense Configuration (Part 2 - Deploy-Config)

This is part two of a two-part series.

As I mentioned in Part One, this configuration is written in two parts for a specific use case. The first is a 'base-config' with all common settings; this second part covers the settings that differ between my friend's clients. Between the two parts you can put together a fully functional OPNSense Layer 7 firewall with ZenArmor for personal or small business use. As with Part One, adjust as needed, such as when importing the config.

Base-Config Deployment Process

Put the downloaded Part One config on a separate FAT32 USB stick as /conf/config.xml so it can be imported during the install. Do not put it on the install media.

Follow Part One to install OPNSense up to the "Initial Wizard via HTTPS" step.

NOTE: While booting from the install media, press any key to run the configuration importer. Alternatively, the config can be imported via the GUI later. Importing the configuration first means that all plugins are installed when you run option 12 to update to the latest release, which saves some time.

You simply type the device name and it will import the configuration from Part One. In this example, enter 'da0'. Continue the boot and let it autoconfigure the networks.

NOTE: If the device does not use Intel emX NICs (for example it has igcX NICs), you can edit the interface names in the config file before import, which saves time later. Boot the installer USB and it will list the device's NICs.

TIP: Search for '>em0<' including the angle brackets, for example, because older VLAN device names such as 'em0_vlan400' also contain 'em0'; the brackets exclude the VLANs, leaving them for later replacement.

  • em0=LAN
  • em1=WAN
  • em2=WLAN
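The rename described in the TIP above, as an added shell example that is not part of the original post. It assumes the new box has igc0/igc1/igc2 in place of em0/em1/em2 and uses a constructed config.xml fragment rather than a real export.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite NIC device names in an
# exported OPNsense config.xml before import. Only the element text '>em0<'
# is matched, so VLAN device names such as 'em0_vlan400' are left untouched
# for later replacement, as the TIP above describes.
# Assumption: the new box has igc0/igc1/igc2 where the export has em0/em1/em2.

# rename_nics SRC DST OLD=NEW [OLD=NEW ...]
# Writes DST from SRC with every '>OLD<' replaced by '>NEW<'.
rename_nics() {
    src="$1"; dst="$2"; shift 2
    script=""
    for pair in "$@"; do
        old="${pair%%=*}"; new="${pair#*=}"
        script="$script -e s/>$old</>$new</g"
    done
    # $script is intentionally unquoted so each -e expression is its own word
    sed $script "$src" > "$dst"
}

# count_exact FILE NAME: number of lines containing the exact text '>NAME<'
count_exact() {
    grep -c ">$2<" "$1" || true
}

# sample_config FILE: constructed fragment in the shape of config.xml
# (not a real export); em0 carries both LAN and a VLAN 400 sub-interface.
sample_config() {
    cat > "$1" <<'EOF'
<opnsense>
  <interfaces>
    <lan><if>em0</if><descr>LAN</descr></lan>
    <wan><if>em1</if><descr>WAN</descr></wan>
    <opt1><if>em2</if><descr>WLAN</descr></opt1>
    <opt2><if>em0_vlan400</if><descr>GUEST</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>400</tag><vlanif>em0_vlan400</vlanif></vlan>
  </vlans>
</opnsense>
EOF
}

# Demo: rename, then show that no '>em0<' remains while the VLAN name does.
work=$(mktemp -d)
sample_config "$work/config.xml"
rename_nics "$work/config.xml" "$work/config.new.xml" em0=igc0 em1=igc1 em2=igc2
echo "remaining '>em0<' lines: $(count_exact "$work/config.new.xml" em0)"
echo "VLAN lines still named em0_vlan400: $(count_exact "$work/config.new.xml" em0_vlan400)"
rm -rf "$work"
```

Run it against the real exported config.xml instead of the sample, then check the VLAN entries by hand, since those are the ones the bracketed search deliberately skips.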

From another PC on the LAN, go to HTTPS://192.168.1.1 and log in with root/opnsense.

If the config was not imported at install, navigate to SYSTEM: CONFIGURATION: BACKUPS and restore the backup.
Restart and then log in again.

Navigate to SYSTEM: SETTINGS: GENERAL and set the host info
        Hostname = hostname of the firewall
        Domain = domain of the network
        Click Save

Navigate to INTERFACES: WAN
        Adjust IPv4 Configuration Type for the ISP if not DHCP
        If Xfinity modem, go to DHCP client configuration
                Reject Leases From = 192.168.100.1 (customer-provided modem)
                Reject Leases From = 10.0.0.1 (Xfinity-provided modem)
        Optionally enable IPv6 configuration if the ISP supports it and it is desired
        If Xfinity
                IPv6 Configuration Type = DHCPv6
                DHCPv6 Client Configuration
                        Prefix delegation size = 60
                        Send IPv6 prefix hint = checked
                        Use IPv4 connectivity = checked

Navigate to INTERFACES: LAN
        Adjust Static IPv4 configuration as needed
        If IPv6 was enabled on the WAN interface and it is desired on LAN
                IPv6 Configuration Type = Track Interface
                Track IPv6 Interface
                        IPv6 Interface = WAN
                        IPv6 Prefix ID = 0
        Click Save

Optionally delete WLAN if not used
        Navigate to INTERFACES: ASSIGNMENTS
        Click the Delete icon
        Click Save

Navigate to INTERFACES: WLAN
        Adjust Static IPv4 configuration as needed
        If IPv6 was enabled on the WAN interface and it is desired on WLAN
                IPv6 Configuration Type = Track Interface
                Track IPv6 Interface
                        IPv6 Interface = WAN
                        IPv6 Prefix ID = 1
        Click Save

Configure DNS as needed
Optionally remove DNS over TLS for Cloudflare
        Navigate to SERVICES: UNBOUND DNS: DNS OVER TLS
        Delete the two Cloudflare entries
        Use System Nameservers = checked
        Navigate to SYSTEM: SETTINGS: GENERAL: NETWORKING
        Add DNS servers or enable DNS from DHCP/PPP on WAN

If a Windows domain is present
        Navigate to SERVICES: UNBOUND DNS: OVERRIDES: DOMAIN OVERRIDES
        Click the Plus icon to create
                Domain = Windows AD domain FQDN
                IP address = Windows AD DC server IP address
                Description = friendly name of the AD domain
        Click Save
        Click the Plus icon to create
                Domain = Windows AD domain reverse zone
                        example: 1.168.192.in-addr.arpa
                IP address = Windows AD server IP address
                Description = friendly name of the AD domain
        Click Save
        Optionally, on the Windows AD DC servers, change their current upstream DNS to this OPNSense LAN IP

Configure GeoIP Blocking
        Navigate to FIREWALL: ALIASES: GEOIP SETTINGS
        URL = https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip
        More detail located here
        Click Apply
        Navigate to FIREWALL: ALIASES: ALIASES
        Edit GeoIPBlock and adjust countries as needed

If AMD CPU based, change Thermal Sensors
        Navigate to SYSTEM: SETTINGS: MISCELLANEOUS
        Thermal Sensors
                Hardware = AMD K8, K10 and K11 CPU on-die thermal sensor (amdtemp)

Navigate to SERVICES: VNSTAT: GENERAL
        Enable vnStat daemon = checked
        Interface = WAN
        Click Save

Install and Configure ZenArmor
More details are located here
        Navigate to ZENARMOR: DASHBOARD
        Agree to the EULA
        Click Proceed to start the setup wizard
        Click Next
        Choose install
                Click the radio button for Install a local Elasticsearch Database
                If low spec, then MongoDB will be the only option
                Click Install Database & Proceed
                Click Done
        Under Deployment mode, select the radio button for Routed Mode with native netmap driver
                If using unusual NICs you may need to choose emulated netmap
        Under Interface Selection choose LAN and WLAN if applicable
                Click each interface then the >> button
                Do not choose any VLAN interfaces, only the physical interface
        Click Next
        On the Cloud Reputation & Web Categorization tab
                Local Domain Names to Exclude From Cloud Queries = local domain and/or Windows AD domain if present
        Click Next
        On Updates and Support, click Next
        On Deployment Size, set the correct environment size
                Hardware requirements are located here
        Click Next
        Click Finish

Optionally install a Zenarmor license
        Navigate to ZENARMOR: DASHBOARD
        Click Upgrade to a Subscription at the top
        Choose options

Change Root Password
        Navigate to SYSTEM: ACCESS: USERS
        Edit the root user and set the password
        Click Save

Optionally add additional users
        Click Plus
        Configure as required
        Click Save

Enable System Notifications via Email
        Navigate to SERVICES: MONIT: SETTINGS
        Enable Monit = checked
        Mail Server Address = mail server IP
        Mail Server Port = as the mail server requires
        Mail Server Username = as the mail server requires
        Mail Server Password = as the mail server requires
        Mail Server SSL Connection = as the mail server requires
        Navigate to SERVICES: MONIT: ALERT SETTINGS
        Click Plus and configure as required
                Enabled alert = checked
                Recipient = email address for alerts
                Not on = checked
                Events = Nothing Selected
                Mail format = leave blank
                Reminder = leave blank
                Description = description as needed
        Click Save
        Click Apply

Optionally adjust access protocols and ports
        Navigate to SYSTEM: SETTINGS: ADMINISTRATION
        Change the HTTPS TCP port as required
        Change the SSH port as required

Optionally install Postfix to handle all emails for the site
        Navigate to SYSTEM: FIRMWARE: PLUGINS
        Install os-postfix
        Navigate to SERVICES: POSTFIX and configure for the email provider

Optionally install the ACME Client for a Let's Encrypt certificate
        Navigate to SYSTEM: FIRMWARE: PLUGINS
        Install os-acme-client
        Navigate to SERVICES: ACME CLIENT and configure certificates

Optionally install a DDNS client
        Navigate to SYSTEM: FIRMWARE: PLUGINS
        Install os-dyndns for legacy (more providers supported, but older)
        Install os-ddclient for modern
        Navigate to SERVICES: DYNAMIC DNS and configure for the DDNS provider

Optionally configure a UPS
        Navigate to SERVICES: NUT: CONFIGURATION: GENERAL SETTINGS
        Enable Nut = checked
        Click the down arrow on UPS type and choose the relevant type
                For most brands use USBHID-Driver
        Enable = checked
        Navigate to SERVICES: NUT: DIAGNOSTICS and it should show stats from the UPS.

Enable ZFS pool trim
        SSH to the OPNSense and at the command prompt type: zpool set autotrim=on zroot

Enable SMART tests on storage
        Navigate to LOBBY: DASHBOARD
        Under SMART status note the drive(s) with OK under Status
        Examples would be da0, nvme0
        Navigate to SYSTEM: SETTINGS: CRON
        Click Plus to create new Cron entry
        Minutes = 5
        Hours = 2
        Day of the month = 2
        Command = Run SMART test (short)
        Parameters = /dev/drivename (/dev/da0 for example)
        Description = drivename Smart Test
        Click Save
        Click Plus and duplicate for remaining drives.

Any Firewall Rule customizations
        Navigate to FIREWALL: RULES: INTERFACES
        Examples:
                DNS redirection
                Remove/disable the floating "This Firewall" rule if required
                WLAN to LAN for printer or Active Directory

Sunday, May 14, 2023

OPNSense Configuration (Part 1 - Base-Config)


This is Part one of a two-part series. Part two is located here.

A good friend of mine supports many small and medium businesses and has started transitioning their firewalls to OPNSense from others such as PFSense, Sophos or ASA as they age out. I offered to design devices and a base config that is easy for him to manage so they are uniform in configuration.  I documented the OPNSense configuration to support this and thought I would share it here.

For the hardware, I obtained a bunch of older 4 and 6 port 1RU commodity firewall devices and upgraded their CPU and memory, and added mirrored SSD storage to handle line-speed routing depending on their ISP options.

To upgrade them I obtained 4C4T CPUs to replace the 1C2T CPUs the devices came with. These were towards the top of that socket's range but without a high TDP cost. As I had memory on hand, I upgraded them from 2GB to 8GB. I also had several mSATA drives, so I obtained some SATA to mSATA converters to give mirrored ZFS storage for the firewalls, and even color-coded the SATA cables to make identifying a drive for replacement very easy. All in, I have spent around $80 per device, with a dozen done so far, and I buy more as I come across them.

For the OPNSense configuration, it is split into two parts with this being the "base-config", or all settings common to all clients, and a second "post-deploy" with custom settings unique to each client. I will post the second part shortly. This allows the base-config to be easily manipulated and re-creatable for a newer release even though the config file is forward compatible.

This was last updated with 23.1; however, many screenshots are still from 22.7. Since it is for a specific, albeit wide, use case, you will need to make some adjustments such as IP addresses/ranges if you follow this guide. The OPNSense install documentation is fantastic.

Create Base-Config

Download the Latest ISO Installer from OPNSense

  • AMD64

  • DVD

  • Use 7-zip to extract bz to ISO

Create VM in ESXi choosing FreeBSD 13+ 64-Bit

  • UEFI

  • 2 cores (1x2)

  • 4GB memory

  • 20GB Storage

  • 20GB Storage

  • Intel e1000e NIC on LAN VLAN

  • Intel e1000e NIC on its own non-routed VLAN

  • Intel e1000e NIC on its own non-routed VLAN

  • Downloaded ISO

Boot from the media and let it autoconfigure the network

Login: installer

Password: opnsense

Choose Select to use the default keymap

Choose Install (ZFS)

Choose mirror

Select both 20GB drives

Select Yes at the configuration screen

It will install a clone of the live system

Leave the root password as default, select Complete Install and choose OK

The system will restart and go to the landing login

Login: root

Password: opnsense

Choose option 12 to update to the latest build version

Choose Yes to proceed.

Use PgDn to scroll through the release notes and type Q at the : or (END) prompt

It will update to the latest minor dot version and restart

After the restart, log in again as root and run option 12 again, as it may have a patch release to apply

STOP here if you are following Part 2, and return to Part 2.

From another PC on the non-routed VLAN, go to HTTPS://192.168.1.1, log in and let it start the wizard.

On the initial Wizard screen set the following:

        Override DNS = unchecked

        Enable Resolver = Checked

        Enable DNSSEC Support = Checked

        Harden DNSSEC data = Checked


Choose Next and on the Time Server Wizard set

        Time server hostname = time.cloudflare.com time.facebook.com 0.us.pool.ntp.org 1.us.pool.ntp.org

        Timezone = America/Denver



Choose Next and on the Configure WAN interface wizard choose Next to leave the defaults

On the Configure LAN interface wizard choose Next to leave the default

On the Set Root Password wizard choose Next to leave the default

Finally, choose Reload to apply the changes.

The Initial Wizard is now complete


Navigate to INTERFACES: LAN

IPv6 Configuration Type = None

Select Save

Navigate to INTERFACES: WAN

IPv6 Configuration Type = None

Select Save

Select Apply changes at top

Navigate to INTERFACES: ASSIGNMENTS

Under new interface verify em2 is listed and enter WLAN for its description.

Click the Plus sign

Select Save


Navigate to INTERFACES: WLAN

Enable=checked

IPv4 Configuration Type = Static IPv4

Static IPv4 configuration

IPv4 address = 192.168.2.1 / 24

Click Save

Click Apply Changes at top

Navigate to SYSTEM: FIRMWARE: PLUGINS and install the following plugins

  • os-crowdsec

  • os-dmidecode

  • os-hw-probe

  • os-iperf

  • os-smart

  • os-theme-cicada

  • os-vnstat

  • os-nut

  • os-sunnyvalley

    • os-sensei

      • Will install os-sensei-updater

    • os-sensei-agent


Navigate to SYSTEM: SETTINGS: General

Change Theme to cicada

Select Save

Navigate to SYSTEM: SETTINGS: ADMINISTRATION

Access Log=checked

Secure Shell Server = checked

Root Login = checked

Inactivity timeout = 20

Click Save

Navigate to SYSTEM: SETTINGS: LOGGING

Preserve Logs(Days) = 90

Select Save

Navigate to SYSTEM: SETTINGS: MISCELLANEOUS

Thermal Sensors 

Hardware = Intel Core CPU on-die thermal sensor (coretemp)

Power Savings

Use PowerD = Checked

On AC Power Mode = Hiadaptive

On Battery Power Mode = Hiadaptive

On Normal Power Mode = Hiadaptive

Disk / Memory Settings (reboot to apply changes)

Swap File = checked

Select Save

Navigate to SERVICES: DHCPv4: LAN

Range = 192.168.1.11 to 192.168.1.245

Click Save

Navigate to SERVICES: DHCPv4: WLAN

Range = 192.168.2.11 to 192.168.2.245

Click Save

Navigate to SERVICES: NETWORK TIME: GENERAL

NTP Graphs = checked

Syslog logging

Enable logging of peer messages = checked

Enable logging of system messages = checked

Click Save

Navigate to SERVICES: CROWDSEC: SETTINGS

Click Apply

Navigate to REPORTING: SETTINGS

Under Unbound DNS reporting

Statistics = checked

Click Save

Navigate to SERVICES: UNBOUND DNS: GENERAL

DHCP Registration = checked

TXT Comment Support = checked

Click Save

Click Apply Changes

Navigate to SERVICES: UNBOUND DNS: ADVANCED

Prefetch Support = checked

Prefetch DNS Key Support = checked

Harden DNSSEC data = checked

Message Cache Size = 10MB

Extended statistics = checked

Number of Hosts to cache = 50000

Click Apply

Navigate to SERVICES: UNBOUND DNS: DNS OVER TLS

Use System Nameservers = unchecked

Click the Plus sign to create a new entry.

Entry One: Server IP = 1.1.1.1  Hostname = cloudflare-dns.com

Entry Two: Server IP = 1.0.0.1  Hostname = cloudflare-dns.com

Click Apply


Navigate to FIREWALL: GROUPS

Click Plus sign to create a group

Name=ALL_INTRNL_NETS

Members=LAN, WLAN

Click Save

Click Apply Changes

Navigate to FIREWALL: ALIASES

Click Plus sign to create an Alias

Name=GeoIPBlock

Type=GeoIP

Africa=Sudan

America=Cuba

Asia=China,Iran,Iraq,Korea (North),Myanmar (Burma),Syria

Europe=Lithuania, Russia

Description=Countries Being Blocked

Navigate to FIREWALL: ALIASES: GeoIP settings

URL = temporary MaxMind URL

Click Apply

URL = blank

Click Apply

Navigate to FIREWALL: RULES: ALL_INTRNL_NETS

Click Plus to create a rule

Action = Block

Interface=ALL_INTRNL_NETS

Source= ALL_INTRNL_NETS

Destination=crowdsec_blacklists

Log=checked

Description=Block Outbound to CrowdSec IPv4

Select Save

Clone the above rule and set the following

TCP/IP Version=IPv6

Destination=crowdsec6_blacklists

Description=Block Outbound to CrowdSec IPv6

Select Save

Clone crowdsec IPv4 rule and set the following

Destination=GeoIPBlock

TCP/IP Version=IPv4

Description=Block Outbound to GeoIPBlock IPv4

Select Save

Clone GeoIPBlock IPv4 rule and set the following

TCP/IP Version=IPv6

Description=Block Outbound to GeoIPBlock IPv6

Select Save

Click Plus to create a rule

TCP/IP Version=IPv4+IPv6

Destination=This Firewall

Click Save


Navigate to FIREWALL: RULES: WAN

Click Plus to create a rule

Action=Block

TCP/IP Version = IPv4

Source=GeoIPBlock

Log=checked

Description=GeoIP Inbound Block

Click Save

Clone the above GeoIP Rule and set the following

TCP/IP Version=IPv6

Description=GeoIP Inbound Block IPv6

Click Save


Navigate to FIREWALL: RULES: LAN

Clone the Default allow LAN to any rule and change the following

Interface=WLAN

Source=WLAN net

Description=Default allow WLAN to any rule

Click Save


Navigate to FIREWALL: RULES: WLAN

Clone the Default allow LAN IPv6 to any rule and change the following

Interface=WLAN

Source=WLAN

Description=Default allow WLAN IPv6 to any rule

Click Save