Sunday, May 14, 2023

OPNSense Configuration (Part 1 - Base-Config)


This is Part one of a two-part series. Part two is located here.

A good friend of mine supports many small and medium businesses and has started transitioning their firewalls to OPNSense from others such as PFSense, Sophos or ASA as they age out. I offered to design devices and a base config that is easy for him to manage so they are uniform in configuration.  I documented the OPNSense configuration to support this and thought I would share it here.

For the hardware, I obtained a bunch of older 4 and 6 port 1RU commodity firewall devices and upgraded their CPU, memory, and added mirrored SSD storage to handle line speed routing depending on their ISP options. 

To upgrade them I obtained 4C4T CPUs to replace the 1C2T CPUs the devices came with. These were towards the top range of that socket but without a high TDP cost. As I had memory I upgraded them from 2GB to 8GB. I also had several mSATA drives so obtained some SATA to mSATA converters to give mirrored ZFS storage for the firewalls and even color-coded the SATA cables to make replacement identity very easy...All in I have spent around $80 per device with a dozen done so far and I buy more as I come across them.

  

For the OPNSense configuration, it is split into two parts with this being the "base-config", or all settings common to all clients, and a second "post-deploy" with custom settings unique to each client. I will post the second part shortly. This allows the base-config to be easily manipulated and re-creatable for a newer release even though the config file is forward compatible.

This was last updated with 23.1 however many screenshots are still 22.7. Since it is for a specific, albeit wide use case, you will need to make some adjustments such as IP addresses/ranges if you follow this guide. The OPNSense install documentation is fantastic.

Create Base-Config

Download the Latest ISO Installer from OPNSense

  • AMD64

  • DVD

  • Use 7-zip to extract bz to ISO

Create VM in ESXi choosing FreeBSD 13+ 64-Bit

  • UEFI

  • 2 cores (1x2)

  • 4GB memory

  • 20GB Storage

  • 20GB Storage

  • Intel e1000e NIC on LAN VLAN

  • Intel e1000e NIC on its own non-routed VLAN

  • Intel e1000e NIC on its own non-routed VLAN

  • Downloaded ISO

Boot from Media and let it autoconfigure network

Login: installer

Password: opnsense


Choose Select to use default keymap



Choose Install (ZFS)




Choose mirror




Select both 20GB Drives




Select Yes at the configuration




It will install a clone of the live system




Leave Root password as default and Select Complete Install and choose OK




The System will restart and goto landing login




Login: root

Password: opnsense


Choose Option 12 to update to latest build version




Choose Yes to proceed.


Use PgDn to scroll through the release notes and type Q at the : or (END) prompt



It will update to the latest minor dot version and restart

After restart login again as root and run option 12 again as it may have a patch release to apply

STOP If on Part 2 and return to Part 2.

From another PC on the non-routed VLAN goto HTTPS://192.168.1.1 and login and let it start the wizard.

On the initial Wizard screen set the following:

        Override DNS = unchecked

        Enable Resolver = Checked

        Enable DNSSEC Support = Checked

        Harden DNSSEC data = Checked


Choose Next and on the Time Server Wizard set

        Time server hostname = time.cloudflare.com time.facebook.com 0.us.pool.ntp.org 1.us.pool.ntp.org

        Timezone = America/Denver



Choose Next and on the Configure WAN interface wizard choose Next to leave defaults



On the Configure LAN interface wizard choose Next to leave at default



On the Set Root Password wizard choose Next to leave at default


Finally, choose Reload to apply the changes.


Initial Wizard is now complete


Navigate to INTERFACES:LAN

IPV6 Configuration Type = None

Select Save

Navigate to INTERFACES:WAN

IPV6 Configuration Type = None

Select Save

Select Apply changes at top

Navigate to INTERFACES: ASSIGNMENTS

Under new interface verify em2 is listed and enter WLAN for its description.

Click the Plus sign

Select Save


Navigate to INTERFACES: WLAN

Enable=checked

IPv4 Configuration Type = Static IPv4

Static IPv4 configuration

IPV4 address = 192.168.2.1 /24

Click Save

Click Apply Changes at top

Navigate to SYSTEM: FIRMWARE: Plugins and install the following plugins

  • os-crowdsecs-dmidecode

  • os-dmidecode

  • os-hw-probe

  • os-iperf

  • os-smart

  • os-theme-cicada

  • os-vnstat

  • os-nut

  • os-sunnyvalley

    • Os-sensei

      • WIll install os-sensei-updater

    • os-sensei-agent


Navigate to SYSTEM: SETTINGS: General

Change Theme to cicada

Select Save

Navigate to SYSTEM: SETTINGS: ADMINISTRATION

Access Log=checked

Secure Shell Server = checked

Root Login = checked

Inactivity timeout = 20

Click Save

Navigate to SYSTEM: SETTINGS: LOGGING

Preserve Logs(Days) = 90

Select Save

Navigate to SYSTEM: SETTINGS: MISCELLANEOUS

Thermal Sensors 

Hardware = Intel Core CPU on-die thermal sensor (coretemp)

Power Savings

Use PowerD = Checked

On AC Power Mode = Hiadaptive

On Battery Power Mode = Hiadaptive

On Normal Power Mode = Hiadaptive

Disk / Memory Settings (reboot to apply changes)

Swap File = checked

Select Save

Navigate to SERVICES: DHCPv4: LAN

Range = 192.168.1.11 to 192.168.1.245

Click Save

Navigate to SERVICES: DHCPv4: WLAN

Range = 192.168.2.11 to 192.168.2.245

Click Save

Navigate to SERVICES: NETWORK TIME: GENERAL

NTP Graphs - checked

Syslog logging

Enable logging of peer messages = checked

Enable logging of system messages = checked

Click Save

Navigate to SERVICES: CROWDSEC: SETTINGS

Click Apply

Navigate to REPORTING: SETTINGS

Under Unbound DNS reporting

Statistics = checked

Click Save

Navigate to SERVICES: UNBOUND DNS: GENERAL

DHCP Registration = checked

TXT Comment Support = checked

Click Save

Click Apply Changes

Navigate to SERVICES: UNBOUND DNS: ADVANCED

Prefetch Support = checked

Prefetch DNS Key Support = checked

Harden DNSSEC data = checked

Message Cache Size = 10MB

Extended statistics = checked

Number of Hosts to cache = 50000

Click Apply

Navigate to SERVICES: UNBOUND DNS: DNS OVER TLS

Use System Nameservers = unchecked

Click the Plus sign to create a new entry.

Entry One Server IP = 1.1.1.1  Hostname = cloudflare-dns.com

Entry One Server IP = 1.0.0.1  Hostname = cloudflare-dns.com

Click Apply


Navigate to FIREWALL: GROUPS

Click Plus sign to create a group

Name=ALL_INTERNL_NET

Members=LAN, WLAN

Click Save

Click Apply Changes

Navigate to FIREWALL: ALIASES

Click Plus sign to create an Alias

Name=GeoIPBlock

Type=GeoIP

Africa=Sudan

America=Cuba

Asia=China,Iran,Iraq,Korea (North),Myanmar (Burma),Syria

Europe=Lithuania, Russia

Description=Countries Being Blocked

Navigate to FIREWALL: ALIASES: GeoIP settings

URL=Temp maxmind URL

Click Apply


        URL=blank

Click Apply

Navigate to FIREWALL: RULES: ALL_INTRNL_NETS

Click Plus to create a rule

Action = Block

Interface=ALL_INTRNL_NETS

Source= ALL_INTRNL_NETS

Destination=crowdsec_blacklists

Log=checked

Description=Block Outbound to CrowdSec IPv4

Select Save

Clone the above rule and set the following

TCP/IP Version=IPv6

Destination=crowdsec6_blacklists

Description=Block Outbound to CrowdSec IPv6

Select Save

Clone crowdsec IPv4 rule and set the following

Destination=GeoIPBlock

TCP/IP Version=IPv4

Description=Block Outbound to GeoIPBlock IPv4

Select Save

Clone GeoIPBlock IPv4 rule and set the following

TCP/IP Version=IPv6

Description=Block Outbound to GeoIPBlock IPv6

Select Save

Click Plus to create a rule

TCP/IP Version=IPV4+IPv6

Destination This Firewall

Click Save


Navigate to FIREWALL: RULES: WAN

Click Plus to create a rule

Action=Block

TCP/IP Version = IPv4

Source=GeoIPBlock

Log=checked

Description=GeoIP Inbound Block

Click Save

Clone the above GeoIP Rule and set the following

TCP/IP Version=IPV6

Description=GeoIP Inbound Block IPv6

Click Save


Navigate to FIREWALL: RULES: LAN

Clone the Default allow LAN to any rule and change the following

Interface=WLAN

Source=WLAN net

Description=Default allow WLAN to any rule

Click Save


Navigate to FIREWALL: RULES: WLAN

                Clone the Default allow LAN IPv6 to any rule and change the following

Interface=WLAN

Source=WLAN

Description=Default allow WLAN IPv6 to any rule

Click Save



Click Apply changes

Navigate to FIREWALL: NAT: PORT FORWARD

Click Plus to create a new Rule

Interface=ALL_INTRNL_NETS

Protocol = UDP

Destination/Invert=Checked

Destination=any

Destination port range = NTP

Redirect target IP- Single host or network

Host=127.0.0.1

Log=Checked

Description=Redirect NTP to OPNSense

NAT Reflection=Disable

Click Save

       Click Duplicate on the Redirect NTP to OPNSense and change the following

Protocol = TCP/UDP
Destination/Invert=Checked
Destination=any
Destination port range = DNS
Description=Redirect DNS to OPNSense
NAT Reflection=Disable
Click Save
Click Apply Changes

Navigate to SYSTEM: SETTINGS: CRON

            Click Plus to create new Crontask
            Minutes = 31
            Hours = 1
            Day of the month = 5
            Command = ZFS pool scrub
            Parameters = zroot      
            Description = Scrub ZFS Pool
            Click Save     


   
        

Navigate to LOBBY: DASHBOARD

Click Plus to add widgets and add these

Smart Status

Interface Statistics

Network Time

Thermal Sensors