Thanks for the excellent explanation on how to setup Unbound DNS. Very concise and easy to follow.
Thank you for the kind words, I'm really glad it helped.
Thanks for this informative series mate. Loads of content and very well explained.
Thank you very much for your kind words, I really do appreciate it.
Great tutorial, good content with clear explanations. Thank you.
Thank you for all the kind words and I'm glad you are enjoying the tutorials.
Great video! Followed all the steps. Got it working. I hope you will create a video for OpenDNS.
Thank you, I can look into doing that for you. I have a few planned videos I want to do, but I will definitely add OpenDNS to the "todo" list.
But what can we do if modern browsers resolve using DNS over HTTPS?
Thanks for the video! I found this video extremely useful as a novice to networking/OPNSense. One question, do I need to create any firewall rules to allow DNS to the management address? Or does the NAT rule created for forwarding to the local dns handle that already?
Hi there, yip, you will only need a firewall rule to allow DNS into the Management network.
So you will have a rule that is something like the following:
Protocol = IPv4 (TCP/UDP)
Source = ALL or Management Net
Source Port = ALL
Destination = This Firewall
Destination Port = 53 (DNS)
So this will allow local DNS queries from the Management network into the firewall.
Then for non-local DNS requests:
since the port forwarding is done internally, i.e. forwarded to 127.0.0.1 ("This Firewall"),
no firewall rule is needed for that.
I hope that makes sense.
@jonomoss so in addition to the NAT/forwarding step shown in the video, I also need the firewall rule which you described?
If I have multiple VLANs set up, do I have to set up the port forwarding firewall rules in the same fashion as "Management" but with their specific name? For example, IOT VLAN will use the IOT interface, IOT net, IOT address, etc?
Hi, yes you will have to do it for each VLAN network.
Can you make some beginner friendly best practice guides for ZenArmor? Like what we should initially be blocking besides all the toggle switches and what applications and protocols we should block? How to interpret some of the logs in there so we know what to do with some of that information? It's hard to find something clear and concise like your tutorial for that!
Hi there, sorry, I don't see myself doing a ZenArmor guide any time soon. I tried ZenArmor in the past and was never a fan of it. PS I'm not saying ZenArmor is bad, each to their own, however I personally prefer using the mix of "IPS/IDS (Suricata)", "Unbound Block lists" and custom firewall rules. Doing it this way, in a sense, has "taught" me a lot more and I feel that I have more control over my network. Whereas with ZenArmor, I never felt like I had "control" over my network.
Great video!!
Very nice tutorial, I have a question: at second 352, the menu doesn't have Management, only WAN, LAN and Loopback. Am I doing something wrong or has the menu changed?
Hi there, Thank you so much for your kind words. Nope, you are not doing anything wrong. In the previous video of the series ua-cam.com/video/dCRhCrokeSo/v-deo.html I created a new "management" network. If you don't want / need a "management" network, having just LAN, WAN and Loopback is correct.
@jonomoss I just watched that video and I didn't see any instructions on setting up the "management" network (source). Do you have another video on that? Stuck at 6:18 as I can't select multiple interfaces. Looks like I'm adding an Alias but not sure as to what I'm adding to the alias. Just port 53 on WAN, LAN, Loop & VPNs?
Hi @davemck1936
Sorry, my mistake, I have edited that comment. If you see the video at ua-cam.com/video/dCRhCrokeSo/v-deo.html, I renamed the default LAN network to "Management".
If you are not worried about having a separate "Management" network, you will have a single "LAN" network.
With regards to the "Portforwarding" section you are stuck on, if I understand your question correctly, you will only forward "Local" networks' DNS. So for example, if you have "WAN, LAN, VPN" networks, you will only use the "LAN" interface and the "VPN" interface, that is if you want to also block websites / DNS on the VPN. You don't do it on the WAN.
So you will then create two separate "Portforwarding" rules, one for the "LAN" interface and one for "VPN", using port 53; you don't select multiple interfaces on one rule. I hope this makes sense.
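The two replies above describe the same pair of rules per local interface: a port-forward (NAT) rule that sends any port-53 traffic not aimed at "This Firewall" to Unbound on 127.0.0.1, plus a filter rule letting clients query the firewall directly on port 53, repeated for each VLAN or interface (Management, IOT, VPN) but never on WAN. The following Python model is an added example written for this thread, not OPNsense code or the video author's configuration; the interface names, the documentation-range addresses and the simplified evaluator are assumptions. It shows how the two rule sets combine for a client that hard-codes a public resolver, a client that asks the firewall directly, a VLAN that was forgotten, and a DNS-over-HTTPS flow on port 443 that these rules do not touch (the gap one commenter asks about).

```python
"""Constructed model of the OPNsense DNS-redirect setup discussed in the thread:
one port-forward (NAT) rule per local interface that sends port-53 traffic to
the firewall's own Unbound at 127.0.0.1, plus a filter rule that lets clients
query "This Firewall" on port 53 directly. Interface names, addresses and the
evaluator are illustrative assumptions; this is not OPNsense code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

UNBOUND = ("127.0.0.1", 53)  # Unbound listening on the firewall itself


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass
class Firewall:
    nets: dict                      # iface -> ip_network (constructed addressing)
    self_addrs: frozenset           # the firewall's own addresses ("This Firewall")
    port_forwards: list = field(default_factory=list)
    pass_rules: list = field(default_factory=list)

    def add_dns_port_forward(self, iface):
        """NAT rule: interface <iface>, TCP/UDP, source <iface> net,
        destination NOT This Firewall, port 53 -> 127.0.0.1:53."""
        self.port_forwards.append({"iface": iface, "dport": 53})

    def add_dns_pass_rule(self, iface):
        """Filter rule: TCP/UDP from <iface> net to This Firewall, port 53."""
        self.pass_rules.append({"iface": iface, "dport": 53})

    def _from_local_net(self, pkt):
        net = self.nets.get(pkt.iface, ip_network("0.0.0.0/32"))
        return ip_address(pkt.src) in net

    def evaluate(self, pkt):
        """Return (verdict, effective destination): NAT is applied first,
        then the filter decides, mirroring the order the thread describes."""
        if pkt.proto not in ("tcp", "udp"):
            return ("no-match", (pkt.dst, pkt.dport))
        for pf in self.port_forwards:
            if (pkt.iface == pf["iface"] and pkt.dport == pf["dport"]
                    and pkt.dst not in self.self_addrs and self._from_local_net(pkt)):
                # The filter rule associated with the port forward passes the
                # redirected packet, so no extra firewall rule is needed.
                return ("redirected", UNBOUND)
        for pr in self.pass_rules:
            if (pkt.iface == pr["iface"] and pkt.dport == pr["dport"]
                    and pkt.dst in self.self_addrs and self._from_local_net(pkt)):
                return ("passed", (pkt.dst, pkt.dport))
        return ("no-match", (pkt.dst, pkt.dport))


def build_lab_firewall(local_ifaces):
    """Add the pair of rules for every local interface named (the per-VLAN
    repetition the thread describes). WAN deliberately gets none."""
    nets = {"MANAGEMENT": ip_network("192.0.2.0/24"),   # constructed lab ranges
            "IOT": ip_network("198.51.100.0/24"),
            "VPN": ip_network("203.0.113.0/24")}
    fw = Firewall(nets=nets,
                  self_addrs=frozenset({"192.0.2.1", "198.51.100.1",
                                        "203.0.113.1", "127.0.0.1"}))
    for iface in local_ifaces:
        fw.add_dns_port_forward(iface)
        fw.add_dns_pass_rule(iface)
    return fw


if __name__ == "__main__":
    fw = build_lab_firewall(["MANAGEMENT", "IOT", "VPN"])
    samples = [
        Packet("IOT", "198.51.100.50", "8.8.8.8", "udp", 53),       # hard-coded public DNS
        Packet("MANAGEMENT", "192.0.2.10", "192.0.2.1", "tcp", 53),  # asks the firewall directly
        Packet("IOT", "198.51.100.50", "1.1.1.1", "tcp", 443),      # DNS over HTTPS: untouched
    ]
    for p in samples:
        print(p.iface, p.dst, p.dport, "->", fw.evaluate(p))
```

Running the block prints a verdict per sample: the IOT client's query to 8.8.8.8 ends up at 127.0.0.1:53, the Management client's direct query is passed by the filter rule, and the port-443 flow matches neither rule set, which is why a DoH-enabled browser sidesteps Unbound's blocklists unless it is handled separately. Building the firewall with only ["MANAGEMENT"] shows the other failure mode from the thread: a VLAN without its own pair of rules is simply not redirected.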
If I use a custom link for the blocklist (URLs of Blacklists) instead of the predefined Type of DNSBL, will the cron job you created for the automatic daily download (Update Unbound DNSBLs) also pull the updates from the custom blocklist URLs? Thanks
Hi, yes it should.