Hello, The "Block private networks" option is typically enabled on the WAN interface. This prevents traffic from private IP addresses (which should usually be confined to the LAN) from entering the WAN, where it could pose a security risk. Enabling this on the LAN interface would typically not make sense, as it would block traffic within your own private network, where such addresses are commonly used. To prevent unauthorized access to the firewall management within the LAN, you would implement access controls, such as restricting access by IP address, using strong authentication, and firewall rules. Your concern is a valid one, and these measures would be part of a comprehensive security approach.
Hello. Thank you for your video. I'm curious, my friend: at 1:59 into the session you put a check on "block private networks" on the LAN interface. Wouldn't this prevent private IP traffic from traversing the LAN? It says in the helpful description, "When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8) and Carrier-grade NAT addresses (100.64/10). This option should only be set for WAN interfaces that use the public IP address space." I'm a little confused why they would have that there.
It is for security purposes. If you don't block or reject HTTPS, HTTP, SSH and a few other ports from "LAN network" to "LAN address" or "This Firewall", then any computer connected to the LAN network can access the firewall management using a web browser or an SSH connection, etc., which means anyone can access the firewall management as long as they are connected to the right network. When it comes to network security, you have to block networks from hosts that those networks have no business accessing, and make it an effort to bypass everything.
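As an added illustration (not from the video or either commenter), here is how the two points above map onto pf rules, which is what OPNsense generates from its GUI rules: the RFC 1918/loopback/CGNAT block belongs on the WAN interface, while management access on the LAN is limited by a narrow pass for a few admin hosts followed by a block for the rest of the LAN network. The interface names (igb0/igb1), the admin host addresses and the LAN subnet are assumed for the example.

```pf
# Added example (not OPNsense's generated ruleset): pf equivalent of the two
# settings discussed above. Interface names and addresses are assumed.
wan_if = "igb0"
lan_if = "igb1"

# Ranges the "Block private networks" checkbox covers (RFC 1918, loopback, CGNAT)
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                             127.0.0.0/8, 100.64.0.0/10 }

# Hosts allowed to reach the firewall's management services (assumed addresses)
table <mgmt_hosts> { 192.168.1.10, 192.168.1.11 }
mgmt_ports = "{ 22, 80, 443 }"

# 1. WAN only: packets with private source addresses have no business arriving
#    from the Internet. The same rule on the LAN would match every LAN client.
block in quick log on $wan_if inet from <private_nets> to any

# 2. LAN management lockdown. "quick" rules are first-match, so the narrow pass
#    must come before the broad block. "self" is pf's counterpart of the
#    OPNsense "This Firewall" target (every address configured on the box), so
#    the block also covers reaching the GUI/SSH via the WAN or other addresses.
pass in quick on $lan_if inet proto tcp from <mgmt_hosts> to self \
    port $mgmt_ports flags S/SA keep state
block in quick log on $lan_if inet proto tcp from $lan_if:network to self \
    port $mgmt_ports

# 3. Everything else from the LAN (Internet access, other services) stays allowed.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

In the OPNsense GUI the same ordering applies: put the admin-host allow rule above the block rule on the LAN tab, and keep the allow rule's source as narrow as the admin hosts actually in use.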
@Lungho You can also just create another network (if your firewall has extra ports left), and use that to connect to the internet etc., and block HTTP, HTTPS and SSH access from it to the firewall. For best security and simplicity, that's a valid option, but more work since you would have to either connect another computer to the management network, or connect your computer to the management network every time you need to check the firewall.
@Lungho Oh, if you are running OPNsense on a virtual machine, then you can create virtual adapters on the virtual machine host. Also, by booting from the installation media, you can restore backups. You will need at least 2 interfaces though (1 for WAN and 1 for LAN), because unless you have static public IPs which belong to the same network, by connecting your computer to the WAN network OPNsense won't be able to block traffic etc., since your ISP will assign a different IP to the computer which can be in a different network (that could also be the reason why you were locked out of the system).
@Lungho Luckily you can install OPNsense on any computer, so you can buy any server network adapter (for example the Intel I210-T1 isn't that expensive) or any motherboard with 2 ethernet ports. For best compatibility, server grade hardware is recommended, but it depends quite a bit on the motherboard and network adapter side of things. For example, for home use Intel Celeron or Pentium CPUs are powerful enough. Clock speed and CPU features count more than having multiple cores; hyper-threading is something I think OPNsense doesn't utilize at all. My OPNsense box has an AMD GX-210UA SoC (2 cores, 2 threads), an Intel I210-T3 NIC and 4 GB of DDR3 RAM, which works fine for a 600 Mb connection.
Hello, thanks for this detailed video. But I want to know one thing: my firewall is also installed in VirtualBox, and I want all traffic coming to my server to pass through the firewall, so how do I route my inbound and outbound traffic?
why is there no sound ?
Oh, you didn't miss anything. I heard everything, and the stuff he said to do is gonna leave people more confused than when they started.