Thank you. I wrote Linux kernel firewall config files years ago, a bit rusty. This helped to easily dump my work laptop in its own walled vlan.
Glad it helped! OPNsense uses FreeBSD as the underlying OS which uses pf for the packet engine while Linux uses iptables so there are some differences there with how firewall rules are constructed. The web interface makes it easier to enter the appropriate values for the firewall rules (don’t need to remember the command line syntax).
SOLID video!! Good work!
Thanks! I had it done yesterday and scheduled it for today so I don't release it too soon after uploading it, haha. ;-)
Great video.
I have one issue, might be a firewall rule, but I followed your DMZ guide and I still can’t reach my DMZ network from my LAN, only by WAN. I can’t even ping my DMZ network from LAN so the Split DNS won’t work.
NAT Reflection was working then randomly stopped and I didn’t change any settings to cause it to not work.
Do you have any suggestions?
Thanks! You have to create a rule to allow ICMP if you have one already. Sounds like you just need rules to allow LAN to access DMZ but the rules need to be above any rules that block access to other internal networks. With split DNS and the appropriate firewall rules, you don’t even need NAT reflection enabled at all (I don’t on my network). Unfortunately it can be difficult to pinpoint the exact issue without looking at all your configuration since there could be a couple of things that could cause such issues.
Thank you so much, I sent you a message through your site. @@homenetworkguy
Please make a video on your NTP and DNS redirect config
I’ll jot that down for a future video. Basically boils down to a NAT redirect rule but you can make use of firewall groups to only need to apply the rules once instead of on every interface. Works out nice. Of course for DNS, it only works for unencrypted DNS lookups on your network, unfortunately.
@@homenetworkguy Nice, I always struggle in the Outbound NAT part of this config since I have a secondary box as my DNS (Pi-hole with DoH). Anyway, I will wait for your video. Hope you cover this part too.
Ty
@@homenetworkguy I too am eagerly waiting for a video detailing how to redirect DNS. I have an IoT VLAN and my Google Homes always want to use 8.8.8.8. I would like to block the eights and force all traffic to use my DNS one.one.one.one. Also my kids' school uses their own DNS and I want to do the same thing. This way my Zenarmor will work too.
Thanks
What Linux distro do you use the KDE Plasma with? Can you make a Linux series? haha...thank you.
It’s Kubuntu. I use it as my daily driver instead of Windows. I really like KDE since it’s a good Windows alternative. The desktop environment reminds me a bit of an older version of Windows, but better (more customizable). Plus you don’t have ads and other junk on your start menu. Haha. What would you like to see in a Linux series? It’s a bit out of my niche area but I’m pretty familiar with Linux since I’ve been using it exclusively for many years now.
@@homenetworkguy I agree with you on the slick design of Plasma, and privacy, compared to Windows. I'm new to Linux and have been using Plasma on EndeavourOS for several months now, mainly due to the massive software availability from the AUR. It would be interesting if you could make a Linux series from a network engineer's perspective; topics could be like "mounting network drives on Linux and configuration of shared folders", "Linux firewall configuration". I don't remember if Kubuntu is using GUFW or firewalld...
@@TangDynasty1983 thanks for the ideas! I’ve added it to my list of topics to cover at some point.
4:00 AFAIK this is only really a workaround since by default with the pf firewall, the last matching rule wins, so you would have to structure your ruleset from bottom to top.
Interesting. I think structuring from top down is easier to wrap the mind around (at least for me, but maybe I’m just used to this default behavior, haha).
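As an added illustration (not from the video, a commenter, or OPNsense's generated config), here is a raw pf.conf fragment covering two points from the thread: the DNS/NTP NAT redirect applied once to an interface group rather than per interface, and how `quick` changes pf's default last-match-wins evaluation. The group name "internal", the 192.0.2.x addresses, and the exclusion of the resolver from its own redirect are assumptions for the example.

```pf
# Added example, not OPNsense's own generated ruleset. Assumed values:
# "internal" is a pf interface group holding LAN, DMZ, IoT, etc.;
# 192.0.2.53 is the local resolver (e.g. a Pi-hole), 192.0.2.123 the local NTP server.
int_group  = "internal"
dns_server = "192.0.2.53"
ntp_server = "192.0.2.123"

# --- NAT redirect: one rule for the whole group instead of one per interface ---
# Plaintext DNS (udp/tcp 53) from any internal host is rewritten to the local resolver.
# The resolver itself is excluded so its upstream lookups are not looped back to it.
rdr pass on $int_group proto { tcp, udp } from ! $dns_server to any port 53 -> $dns_server port 53
# Same idea for clients with a hard-coded NTP server.
rdr pass on $int_group proto udp from ! $ntp_server to any port 123 -> $ntp_server port 123
# Encrypted DNS (DoH on 443, DoT on 853) never matches port 53, so it is untouched here.

# --- Filter rules: pf applies rdr first, so filters see the translated destination ---
# Without "quick", pf keeps evaluating and the LAST matching rule wins.
block in log on $int_group all                          # default deny on internal interfaces
pass in quick on $int_group inet proto icmp all          # "quick": first match is final (top-down)
pass in quick on $int_group proto { tcp, udp } to $dns_server port 53
pass in quick on $int_group proto udp to $ntp_server port 123
# Without "quick", these pass rules would still win only because they come after the block;
# the most specific rule has to be placed last, i.e. the ruleset reads bottom-up.
```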