If the config was not imported at install, navigate to SYSTEM: CONFIGURATION: BACKUPS and restore the backup
Restart and then log in again
Navigate to SYSTEM: SETTINGS: GENERAL and set host info
Hostname= Hostname of FW
Domain= Domain of network
Click Save
Navigate to INTERFACES: WAN
Adjust IPv4 Configuration Type for ISP if not DHCP
If using an Xfinity modem, go to DHCP client configuration
Reject Leases From = 192.168.100.1 (customer-provided modem)
Reject Leases From = 10.0.0.1 (Xfinity provided modem)
Optionally enable IPv6 configuration if ISP supports it and desired
If Xfinity
IPv6 Configuration Type=DHCPv6
DHCPv6 Client Configuration
Prefix delegation size=60
Send IPv6 prefix hint = checked
Use IPv4 connectivity=checked
Navigate to INTERFACES: LAN
Adjust Static IPv4 configuration as needed
If IPv6 was enabled on WAN interface and it is desired on LAN
set IPv6 Configuration Type = Track Interface
Track IPv6 Interface
IPv6 Interface=WAN
IPv6 Prefix ID=0
Click Save
Optionally delete WLAN if not used
Navigate to INTERFACES: ASSIGNMENTS
Click Delete icon
Click Save
Navigate to INTERFACES: WLAN
Adjust Static IPv4 configuration as needed
If IPv6 was enabled on WAN interface and it is desired on WLAN
set IPv6 Configuration Type = Track Interface
Track IPv6 Interface
IPv6 Interface=WAN
IPv6 Prefix ID=1
Click Save
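The Track Interface settings above (Prefix ID 0 for LAN, Prefix ID 1 for WLAN) pick which /64 each interface gets out of the /60 the ISP delegates. The following is an added example, not part of the original post, that works out the /64 a given Prefix ID selects and rejects IDs that are duplicated or do not fit in the delegation. The delegated prefix 2001:db8:abcd:1230::/60 is a constructed documentation-range value.

```python
"""Which /64 does an OPNsense "Track Interface" Prefix ID select?

Added example for the checklist above. Assumptions (not from the post):
the delegated prefix below is constructed from the 2001:db8::/32
documentation range; LAN uses Prefix ID 0 and WLAN uses Prefix ID 1.
"""
import ipaddress

DELEGATION_SIZE = 60  # "Prefix delegation size" on the WAN DHCPv6 client
DELEGATED_PREFIX = f"2001:db8:abcd:1230::/{DELEGATION_SIZE}"  # constructed

# Prefix IDs from the checklist: LAN = 0, WLAN = 1 (hexadecimal in the GUI)
PREFIX_IDS = {"LAN": 0x0, "WLAN": 0x1}


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a Prefix ID selects from the delegated prefix.

    Track Interface mode carves the delegation into /64s and uses the
    Prefix ID as the index of the /64.  The ID must therefore fit in the
    bits between the delegation size and /64 (a /60 leaves 4 bits, so
    IDs 0x0..0xf), and it must be unique per tracking interface.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    available_bits = 64 - net.prefixlen
    if available_bits < 0:
        raise ValueError(f"{delegated} is smaller than a /64 and cannot be tracked")
    max_id = (1 << available_bits) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"Prefix ID {prefix_id:#x} does not fit in a /{net.prefixlen} "
            f"(valid range 0x0..{max_id:#x})"
        )
    # /64 subnets are multiples of 2**64; shift the ID into that position.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


def plan_tracking(delegated: str, prefix_ids: dict) -> dict:
    """Map each tracking interface to its /64, refusing duplicate IDs.

    Two interfaces with the same Prefix ID would be handed the same /64,
    which is the usual cause of "IPv6 works on LAN but not on WLAN".
    """
    seen = {}
    plan = {}
    for iface, pid in prefix_ids.items():
        if pid in seen:
            raise ValueError(
                f"Prefix ID {pid:#x} is used by both {seen[pid]} and {iface}; "
                "each tracking interface needs its own ID"
            )
        seen[pid] = iface
        plan[iface] = str(subnet_for_prefix_id(delegated, pid))
    return plan


if __name__ == "__main__":
    for iface, subnet in plan_tracking(DELEGATED_PREFIX, PREFIX_IDS).items():
        print(f"{iface:5s} -> {subnet}")
```

With the constructed /60 this yields 2001:db8:abcd:1230::/64 for LAN and 2001:db8:abcd:1231::/64 for WLAN; asking for Prefix ID 0x10 raises, because a /60 only has sixteen /64s to hand out.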
Configure DNS as needed
Optionally remove DNS over TLS for Cloudflare
Navigate to SERVICES: UNBOUND DNS: DNS over TLS
Delete the two Cloudflare entries
Use System Nameservers = checked
Navigate to SYSTEM: SETTINGS: GENERAL: NETWORKING
Add DNS servers or enable DNS from DHCP/PPP on WAN
If Windows Domain is present
Navigate to SERVICES: UNBOUND DNS: OVERRIDES: DOMAIN OVERRIDES
Click Plus icon to create
Domain = Windows AD Domain FQDN
IP address= Windows AD DC server IP Address
Description=Friendly name of AD Domain
Click Save
Click Plus icon to create
Domain = Windows AD Domain reverse
example=1.168.192.in-addr.arpa
IP address= Windows AD server IP Address
Description=Friendly name of AD Domain
Click Save
Optionally, on the Windows AD DC servers, change their current upstream DNS forwarder to this OPNsense LAN IP
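The reverse override needs the in-addr.arpa zone name for the AD subnet, which is easy to get wrong by hand. The following is an added example, not from the original post, that derives the zone name(s) for a network, builds the Domain Override rows (forward plus reverse) in the same field order as the GUI, and checks that the DC's PTR name actually falls under one of those zones. The domain corp.example.com, the DC address 192.168.1.10 and the subnet 192.168.1.0/24 are constructed values.

```python
"""Derive Unbound domain-override rows for a Windows AD domain.

Added example for the checklist above. Assumptions (not from the post):
the AD domain, DC address and subnet below are constructed sample values.
"""
import ipaddress

AD_FQDN = "corp.example.com"      # constructed
DC_IP = "192.168.1.10"            # constructed
AD_SUBNET = "192.168.1.0/24"      # constructed
DESCRIPTION = "Corp AD"           # constructed


def reverse_zones(cidr: str) -> list:
    """Return the in-addr.arpa zone name(s) that cover an IPv4 network.

    Domain overrides work on whole labels, so a prefix that is not
    octet-aligned (/22, /19, ...) needs one override per octet-aligned
    sub-zone: a /24 or /16 gives one zone, a /22 gives four /24 zones.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    aligned = -(-net.prefixlen // 8) * 8     # round up to /8, /16 or /24
    if aligned == 0:
        raise ValueError("a prefix shorter than /8 has no single in-addr.arpa zone")
    if aligned > 24:
        raise ValueError("prefixes longer than /24 are single PTR names, not zones")
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def domain_overrides(ad_fqdn: str, dc_ip: str, cidr: str, description: str) -> list:
    """Build (Domain, IP address, Description) rows for the Domain Overrides page.

    One row forwards the AD domain itself to the DC; one more row per
    reverse zone forwards PTR lookups for the AD subnet to the same DC.
    """
    ipaddress.ip_address(dc_ip)              # raises on a malformed address
    rows = [(ad_fqdn.rstrip(".").lower(), dc_ip, description)]
    for zone in reverse_zones(cidr):
        rows.append((zone, dc_ip, description + " (reverse)"))
    return rows


def covered_by(ip: str, zones: list) -> bool:
    """True if the PTR name of ip lies under one of the given zones.

    This is the check to run before trusting that reverse lookups for the
    DC (and other AD hosts) will be sent to AD rather than upstream.
    """
    ptr = ipaddress.ip_address(ip).reverse_pointer   # e.g. 10.1.168.192.in-addr.arpa
    return any(ptr.endswith("." + zone) for zone in zones)


if __name__ == "__main__":
    for domain, ip, desc in domain_overrides(AD_FQDN, DC_IP, AD_SUBNET, DESCRIPTION):
        print(f"Domain={domain}  IP address={ip}  Description={desc}")
    print("DC PTR covered:", covered_by(DC_IP, reverse_zones(AD_SUBNET)))
```

For the constructed /24 the reverse row comes out as 1.168.192.in-addr.arpa, matching the example in the checklist; a /22 AD subnet would produce four reverse rows, one per /24, and the GUI needs all four.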
Configure GEOIP Blocking
Navigate to FIREWALL: ALIASES: GEOIP SETTINGS
URL= https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip
Click Apply
Navigate to FIREWALL: ALIASES: ALIASES
Edit GeoIPBlock and adjust countries as needed
If AMD CPU based, change Thermal Sensors
Navigate to SYSTEM: SETTINGS: MISCELLANEOUS
Thermal Sensors
Hardware = AMD K8, K10 and K11 CPU on-die thermal sensor (amdtemp)
Navigate to SERVICES: VNSTAT: GENERAL
Enable vnStat daemon=checked
Interface=WAN
Click Save
Install and Configure ZenArmor
More details are located here
Navigate to ZENARMOR: DASHBOARD
Agree to EULA
Click Proceed to start the setup Wizard
Click Next
Choose install
Click radio button for Install a local Elasticsearch Database
If the hardware is low spec, MongoDB will be the only option
Click Install Database & Proceed
Click Done
Under Deployment mode select radio button for Routed Mode with native netmap driver
If using unusual NICs you may need to choose the emulated netmap driver instead
Under Interface Selection choose LAN and WLAN if applicable
Click each interface then the >> button
Do not choose any VLAN interfaces, only the physical interface
Click Next
On Cloud Reputation & Web Categorization tab
Local Domains Names to Exclude From Cloud Queries = Local domain and/or Windows AD Domain if present
Click Next
On Updates and Support click Next
On Deployment size, correct the environment size
Hardware requirements are located here
Click Next
Click Finish
Optionally install Zenarmor license
Navigate to ZENARMOR: DASHBOARD
Click Upgrade to a Subscription at top
Choose options
Change Root Password
Navigate to SYSTEM: ACCESS: USERS
Edit Root user and set password.
Click Save
Optionally Add additional users
Click Plus
Configure as required
Click Save
Enable System Notifications via Email
Navigate to SERVICES: MONIT: SETTINGS
Enable Monit =Checked
Mail Server Address = Mail server IP
Mail Server Port = as required by the mail server
Mail Server Username = as required by the mail server
Mail Server Password = as required by the mail server
Mail Server SSL Connection = as required by the mail server
Navigate to Services: Monit: Alert Settings
Click Plus and configure as required
Enabled alert = checked
Recipient= email address for alerts
Not on = checked
Events=Nothing Selected
Mail format = Leave blank
Reminder=Leave blank
Description = Description as needed
Click Save
Click Apply
Optionally adjust access protocols and ports
Navigate to SYSTEM: SETTINGS: ADMINISTRATION
Change HTTPS TCP port as required
Change SSH port as required
Optionally install Postfix to handle all emails for site
Navigate to SYSTEM: FIRMWARE: PLUGINS
Install os-postfix
Navigate to SERVICES: POSTFIX and configure for the Email provider
Optionally install ACME Client for Lets Encrypt Certificate
Navigate to SYSTEM: FIRMWARE:PLUGINS
Install os-acme-client
Navigate to SERVICES: ACME Client and configure Certificates
Optionally install DDNS Client
Navigate to SYSTEM: FIRMWARE:PLUGINS
Install os-dyndns for the legacy client (more providers supported, but older)
Install os-ddclient for the modern client
Navigate to SERVICES: DYNAMIC DNS and configure for DDNS Provider
Optionally configure UPS
Navigate to SERVICES: NUT: CONFIGURATION: GENERAL SETTINGS
Enable Nut= checked
Click Down arrow on UPS type and choose the relevant Type
For most brands use USBHID-Driver
Enable = checked
Navigate to SERVICES: NUT: DIAGNOSTICS and it should show stats from UPS.
Enable ZFS pool trim
SSH to the OPNsense box and at the command prompt run: zpool set autotrim=on zroot
Enable SMART tests on storage
Navigate to LOBBY: DASHBOARD
Under SMART status note the drive(s) showing OK under Status
Examples would be da0 or nvme0
Navigate to SYSTEM: SETTINGS: CRON
Click Plus to create new Cron entry
Minutes = 5
Hours = 2
Day of the month = 2
Command = Run SMART test (short)
Parameters = /dev/drivename (for example /dev/da0)
Description = drivename Smart Test
Click Save
Click Plus and duplicate for remaining drives.
Any Firewall Rule customizations
Navigate to FIREWALL: RULES: INTERFACES
Examples:
DNS redirection
Remove/Disable the Floating This firewall Rule if required
WLAN to LAN for printer or Active Directory