How to Configure OpnSense - vLAN, VPN, Port Forward, Firewall Rules, WireGuard, DHCP... - Part 2

  • Published 8 Jun 2024
  • With OpnSense deployed in part 1, part 2 shows how to configure many essential parts of the firewall including Static IPs, Services, Networks, vLAN, Firewall Rules, DHCP, DDNS, VPN, WireGuard, NordVPN, Traffic Inspect, and Backup & Restore.
    NordVPN Referral (Free Months):
    ref.nordvpn.com/MkwWsHpnBtY
    Unifi Access Point:
    amzn.to/3Rn1PYH
    NordVPN OpnSense Instructions:
    support.nordvpn.com/Connectiv...
    OpnSense WireGuard:
    docs.opnsense.org/manual/how-...
    OpnSense Dynamic DNS:
    docs.opnsense.org/manual/dyna...
    Recommended Hardware: github.com/JamesTurland/JimsG...
    Discord: / discord
    Twitter: / jimsgarage_
    Reddit: / jims-garage
    GitHub: github.com/JamesTurland/JimsG...
    00:00 - Introduction to Topics
    02:00 - Dark Mode!!!
    02:53 - Host & Services
    05:10 - DHCP & Static IP
    07:35 - VLAN
    11:35 - VLAN - Proxmox Configuration
    14:30 - Unifi VLAN Switch Configuration
    17:16 - Testing VLAN DHCP
    17:30 - Inter VLAN Routing - Firewall Rules
    21:12 - Bridge (Wi-Fi)
    22:49 - Port Forwarding
    25:35 - Dynamic DNS (DDNS)
    27:18 - VPN Inbound (WireGuard)
    36:20 - VPN Outbound (NordVPN)
    45:11 - Intrusion Detection & Prevention (IDS IPS)
    49:00 - Backup & Restore
    50:10 - Outro
  • Science & Technology

COMMENTS • 124

  • @naveentechs 5 months ago +8

    Thank you mate, this is by far one of the best content for setting up OPNsense out there

    • @Jims-Garage 5 months ago

      Thanks, I really appreciate the feedback and donation.

  • @adoolaard 22 days ago +1

    So, this past month i’ve been experimenting a lot with OPNsense (even bricked it once). The funny thing is, that i kept getting back to this video. Primarily for the VLAN’s, but also for the outbound VPN.
    This video is truly an all-in-one. Thanks Jim! I wish you all the best!

  • @johnsmith8981 16 days ago +1

    This is hands down the best video covering OPNsense virtualized in Proxmox. I was really struggling to understand the relationship between VLANs on the switch, the hypervisor, and the virtualized router.

    • @Jims-Garage 16 days ago +1

      Thanks, John, appreciate the feedback

  • @olsenlid 6 months ago +6

    50 minutes(!)
    Gonna enjoy this one later tonight. Thanks for all the videos recently :)

    • @Jims-Garage 6 months ago

      Sorry about that. I did put chapters to help out with the bits you care about.

    • @olsenlid 6 months ago +1

      @@Jims-Garage It's a good thing. More thorough :)

  • @LuddyPuppy 5 months ago +2

    This is some GOLDEN content. Can't wait to watch episode 3! I'm digging through your channel more for anything and everything Proxmox related too. Thank you for the content!

    • @Jims-Garage 5 months ago +1

      Welcome aboard! I use Proxmox for the majority of my videos with some specific features like GPU passthrough, SDN, backup server

  • @NaveenKumar-ty7ry 2 months ago +2

    Really a great tutorial for an OPNsense beginner like me. Really enjoyed the crystal clear explanation and practicing the same with my homelab. Thank you so much friend.

    • @Jims-Garage 2 months ago

      Wow, that's extremely generous. Thank you!

  • @MarcMcMillin 6 months ago +6

    Thank you for doing this series. It's very helpful!

  • @gamermerijn 3 months ago +1

    Thanks for the intro to OPNsense Jim, good pace and structure, speeding up at the end helped to keep the attention too 😊 very helpful to get to grips with this product. Good luck

  • @drreality1 6 months ago +4

    Tremendous work mate, I can only imagine what episode 3 will be 😊
    thank you

    • @Jims-Garage 6 months ago +1

      Thanks a ton! As mentioned, high availability!

  • @robertyboberty 6 days ago +1

    Straight over to dark mode. Thank you thank you

  • @georgebobolas6363 6 months ago +3

    Awesome series! Thanks again for all your videos.

  • @Iahmel. 6 months ago +3

    Solid run through as always Jim. Thanks :)

  • @dreamkiss 18 days ago +1

    I am moving away from Watchguard to OPNsense; this video is fab to run through all the basics. Hopefully you will have more videos to watch after this one.

    • @Jims-Garage 18 days ago

      Thanks, I will likely do more OPNSense content in the future as I'm now using it.

  • @wag2639 2 months ago +1

    Thanks! I've been struggling to put this together with Proxmox and Unifi. This was exactly what I needed.

  • @burleystinnett9094 1 month ago +1

    I enjoy your OPNsense content. Very helpful!

  • @fedefede843 6 months ago +2

    Nice! Just in time. Have ordered a Zimaboard. Waiting for it to arrive and have some fun installing OPNsense.

    • @Jims-Garage 6 months ago

      Enjoy! Assume you have a PCIe NIC?

    • @fedefede843 6 months ago

      @@Jims-Garage :/ not yet.
      I just have regular Fresh Tomato router/switch/ap (Asus ac66u) which will be downgraded to switch/ap. It is 1G, so I assumed the Zima will suffice to start learning.
      In the mid (long?) run I will upgrade to 2.5G or maybe 10G and just there will see to upgrade via a PCIe or move to something else.
      Do you reckon it might be short with this current setup?

  • @markandrow4010 6 months ago +1

    Hi James, thank you specially for great, neat and commented repos. 👌

    • @Jims-Garage 6 months ago +1

      You're welcome, and please submit PRs if you see any errors. Thanks

  • @allaboutcomputernetworks 3 months ago +1

    Thank you so much for making this lovely video!!.....👍

  • @tobifuncoding 5 months ago +1

    Thanks Jim, awesome video!!! Well explained. BTW my OPNsense is running in Proxmox with q35 and OVMF. So far no issues with that configuration.

    • @Jims-Garage 5 months ago

      Great to hear! Thanks for confirming

  • @yatokanava 5 months ago +1

    Thank you! I'm learning what OpnSense can do and your video helps a lot!

  • @infyrno 6 months ago +1

    Thank you so much for this video

  • @kiloy1006 6 months ago +1

    Thanks for the vid! I ordered bare metal and an AP (EPA610). I will be trying hard to get out of Deco mesh and control my network!

    • @Jims-Garage 6 months ago

      Awesome, that's great 👍

  • @JasonEala 6 months ago +1

    Brilliant. You earned a sub from this network noob. Wish I did more research with access points. I bought the TP-Link Deco 6E so I could take advantage of 6 GHz for my phone and future devices. Only to get frustrated by not being able to connect it to my bare-metal OPNsense setup. Back to the drawing board. Lots to learn but it's been fun. Thanks for the educational vids.

    • @Jims-Garage 6 months ago

      Thanks, you're welcome. Why can't you connect it to OpnSense?

    • @JasonEala 6 months ago +1

      @@Jims-Garage I was able to figure it out and got it working. It just gets more complicated from here … lol. But fun.

    • @Jims-Garage 6 months ago +1

      @@JasonEala great 👍 if it's easy, you're not trying 😂

  • @primenetwork27 5 months ago

    Nice video, and Merry Christmas. Can you also create an OPNsense WAF (naxsi) one?

  • @ab17182 6 months ago +1

    Nice vid Jim. What would be interesting is if you could take the existing Terraform Providers, convert what you did manually (pressing/toggling buttons and configuring using typed in values), and convert it to follow standard IaC principles. While I do appreciate the amount of content you provided, I sat here reading through what the public Terraform providers for Opnsense provided and honestly, it'd be easier to take the entire manual config, set values in a .tf file, and just apply to an Opnsense deployment within seconds. It'd also be a template all your viewers could use to configure their labs with whatever values they'd like to use.

    • @Jims-Garage 6 months ago +1

      I agree, once you understand it that's the way to go. I wanted to introduce it and hopefully explain what things do though. It's definitely a great idea for a future video.

    • @ab17182 6 months ago +1

      Amen to that! Doing the clicky click-through definitely has its educational value. Looking forward to future vids mate!

  • @variable_0 6 months ago +3

    Flashbang warning at 2:07 🤣

  • @travisaugustine7264 7 days ago

    Do you have a video for outbound VPN on only one specific LAN/VLAN? For example, say I want my trusted network to use my WAN gateway, and my guest network to route out via OpenVPN to Switzerland? I think I followed this enough to understand how to do it myself, but any help you can offer would be appreciated.

  • @michaelhansen4511 6 months ago +1

    Great video Jim. What is the reason for using WireGuard and NordVPN? Wouldn't it be easier to have just one?

    • @Jims-Garage 6 months ago +2

      Thanks. Check the video carefully. WireGuard is for connecting home, NordVPN is for routing entire subnets over a VPN.

  • @Techonsapevole 5 months ago +1

    Impressive tutorial, thanks.
    Is it possible to use a LAN DNS in the WireGuard client? Because it seems to accept only public DNS.

    • @Jims-Garage 5 months ago

      Yes, just make sure you have the right firewall rules. When connected via WireGuard I use my PiHole.

  • @Julian-lv6ph 1 month ago

    I have Adguard Home using port 53. What do I need to do to have them both working?

  • @-rm-rf 6 months ago +1

    Really good one! Almost feel like trying it out.. if only I didn't join the ecosystem ^^

    • @Jims-Garage 6 months ago +1

      You're sucked in now... You belong to Ubiquiti ;)

    • @-rm-rf 6 months ago

      We both know who is to blame for that @@Jims-Garage ....Jeffrey!!!!!!!!

  • @HerbertB 13 days ago +1

    Thanks!

  • @Glatze603 6 months ago +1

    Hi Jim, no IP address in host aliases (field "content")? No hostname in reservations? So you don't have a firewall-defined relation between reserved hosts and aliases. I would recommend it!

    • @Jims-Garage 6 months ago +1

      Thanks for pointing out, that makes sense. Must have missed it when recording!

  • @MarcMcMillin 6 months ago +2

    Would you be able to cover solutions for folks like me that can't bridge their router or put it into modem-only mode? I was going to DMZ from the router to OPNsense or Sophos XG but I'm not sure how safe that is. Thanks!

    • @Jims-Garage 6 months ago +1

      That shouldn't be too big of an issue, you're basically double-NATed. Just put everything behind Sophos or OpnSense and it's effectively the same thing. You'll need to do any port forwarding twice though, on both routers.

  • @rashedobaid 6 months ago +1

    Great tutorial! Please do explain how to access the modem web GUI in bridge mode. Many tutorials I found use PPPoE and I have a DHCP connection. I tried unblocking bogon networks with no luck.

    • @Jims-Garage 6 months ago +1

      Is your OpnSense connected to the ISP in bridge mode? What is the internal IP address of the ISP router (likely on its own subnet)?

    • @rashedobaid 6 months ago

      @@Jims-Garage Yes to bridge mode. ISP is on 192.168.1.1 and Opnsense is on 10.0.1.1

  • @Sejl 1 month ago +1

    Thanks for such a detailed tutorial! I have a noob question. If I set LAN to be 192.168.0.1/16 (so the subnet mask is 255.255.0.0), and I have a WAN IP from my router of 192.168.1.15, will there be some kind of conflict?! If I want to separate my LAN into subnets, should I maybe go to the 10.0.x.x/16 address range to avoid conflict?! Thank you in advance!

    • @Jims-Garage 1 month ago

      Wow, thank you for the generous tip (not sure why your comment was automatically filtered)... Looks like you're double-NATed; are you able to set the ISP router to modem only or use PPPoE? If not, yes, I'd change your subnet to 10.0.0.0/16 to make things simple. You can also use 172 if needed.
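The conflict Jim describes above (a 192.168.0.0/16 LAN swallowing the upstream router's 192.168.1.x network in a double-NAT setup) is easy to check before committing an addressing plan. The following is an added example, not part of the video or of the thread: it uses only Python's standard `ipaddress` module, assumes the upstream router's network is a /24 (the comment gives only the address 192.168.1.15), and the LAN/VLAN networks and candidate blocks are constructed sample values.

```python
import ipaddress

# Added example (not from the video): check a planned LAN/VLAN addressing
# scheme against the WAN-side network before changing OPNsense's interfaces.


def overlapping_with_wan(wan_address, lan_networks):
    """Return the planned networks that overlap the WAN-side network.

    wan_address is the address OPNsense received on WAN with its prefix,
    e.g. "192.168.1.15/24" (the /24 is an assumption; the thread gives only the IP).
    """
    wan_net = ipaddress.ip_interface(wan_address).network
    nets = [ipaddress.ip_network(n, strict=False) for n in lan_networks]
    return [str(n) for n in nets if n.overlaps(wan_net)]


def overlapping_with_each_other(lan_networks):
    """Return pairs of planned networks that overlap one another.

    A /16 LAN plus /24 VLANs carved out of that same /16 is the classic case:
    OPNsense cannot route between them cleanly.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in lan_networks]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def plan_is_clean(wan_address, lan_networks):
    """True when nothing overlaps the WAN side and the planned networks are disjoint."""
    return (not overlapping_with_wan(wan_address, lan_networks)
            and not overlapping_with_each_other(lan_networks))


def first_clean_candidate(wan_address, candidates):
    """Pick the first candidate private block that does not overlap the WAN side."""
    for block in candidates:
        if not overlapping_with_wan(wan_address, [block]):
            return block
    return None


# Constructed sample values based on the exchange above.
WAN = "192.168.1.15/24"
ORIGINAL_PLAN = ["192.168.0.0/16"]
REVISED_PLAN = ["10.0.0.0/24", "10.0.10.0/24", "10.0.20.0/24"]   # LAN + two VLANs
CANDIDATE_BLOCKS = ["192.168.0.0/16", "10.0.0.0/16", "172.16.0.0/16"]

if __name__ == "__main__":
    print("original plan overlaps WAN:", overlapping_with_wan(WAN, ORIGINAL_PLAN))
    print("revised plan clean:", plan_is_clean(WAN, REVISED_PLAN))
    print("first usable block:", first_clean_candidate(WAN, CANDIDATE_BLOCKS))
```

Run it with the WAN address OPNsense actually shows under Interfaces: the first call reproduces the conflict in the question, the second confirms a 10.x plan with distinct /24 VLANs, and the third is the quick way to see which private block is still free behind a given ISP router.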

  • @antoniomax3163 6 months ago +2

    Hey, Jim. Could you tell me? The fact is that there are restrictions on the Tailscale side, I can't download from their website and update the application both on Windows and on other devices. For example, an OpenWrt router.
    But everything works fine on the installed devices. What would you do if you need to put a package on the openwrt router, but according to the instructions from the site it will not work?
    The first option that I think is to give to the vpn router, and thus circumvent the restrictions. The second option, as I think, is to do it via the offline method, download the package and manually install it. Could you tell me more about it and show me? I do not know how to connect a vpn router to openwrt. And how to download the package from the website, copy it to the router and install it through the console?

    • @Jims-Garage 6 months ago

      Sorry, I'm not sure off-hand. I'll need to look into that. OpenWRT is something I want to cover in the future.

  • @erikvandeven100 5 months ago +1

    Great content! However, for some reason my LAN clients don't have internet access anymore when WireGuard is enabled and a peer has the allowed IPs set as 0.0.0.0/0... When allowed IPs contains any other values, there is no issue. Any thoughts? "DNS Probe started" is the error message I get in the Chrome browsers.

    • @cnkosm6536 1 month ago

      Me too. So what should we enter in the Allowed IPs field?

  • @InsaiyanTech 5 months ago +1

    I'm wanting to follow this but I haven't been able to order a wireless AP for Wi-Fi yet; I am going with Unifi though. Holidays made me broke so I just haven't been able to purchase one yet. But any chance you have made a video on how to integrate a Unifi AP with OPNsense to have Wi-Fi? Because I almost did this setup but then I forgot: how would I have Wi-Fi?

    • @Jims-Garage 5 months ago +1

      Hey, simply plugging the AP into the switch is all you need for it to "work". You then control it via the Unifi controller. I'm going to do a video on this later. It just needs to be able to reach it.

  • @hmeland1 3 months ago +1

    Sophos vs OpnSense - which one do you recommend for a home environment?

    • @Jims-Garage 3 months ago

      They're both great, I use Sophos XG

  • @wiesawpeche7273 6 months ago +1

    Thanks for this nice video. It might be helpful to share the Google Backup link to docs opnsense at 49:49. Tested, works! 😉

    • @Jims-Garage 6 months ago

      Thanks, I'll look to add!

  • @RichardFlyr 5 months ago +1

    I liked the video, but I got stuck at 36:11 when I tried to fill out the Android WireGuard client details. Thanks again!

    • @Jims-Garage 5 months ago

      Which bit were you stuck on? I assume which parts go where?

  • @sebasdt2103 6 months ago +1

    So at 35:52 you set the firewall rule to accept ports 0 (any) through 51580. Shouldn't this be 51580-51580?

    • @Jims-Garage 6 months ago +1

      You could do that, and then make sure that the client only uses those ports. However, the source port could be anything (typically).

  • @somesomea7391 4 months ago +2

    Why do you use VLANs if you create a rule to allow the VLANs to speak to each other? Isn't the point of VLANs to separate traffic and improve security? Would subnetting be a better solution?

    • @Jims-Garage 4 months ago +1

      It's more a demonstration of how to create them. You can add whichever rules make sense for your setup.

    • @Crystawth 3 months ago

      Because with routing rules you can limit what that device can or cannot access on a separate network. If they're all on the same network, then that device has access to everything.

  • @alexvachon9990 3 months ago +1

    Can you run an entire subnet through a proxy? To get a static IP?

    • @Jims-Garage 3 months ago +1

      Yes, you should be able to.

    • @alexvachon9990 3 months ago

      @@Jims-Garage thanks, and is it better to run OPNsense on an old PC with a network card installed than to use my ISP router in access point mode plugged into my switch?

  • @themightyapefish 6 days ago +1

    When I try to port forward I have to change the destination to WAN address to get it to work, otherwise the port remains closed for me... Is this right?

    • @Jims-Garage 6 days ago

      Yes, that's correct.

    • @themightyapefish 6 days ago

      @@Jims-Garage Ah alright, I was confused because in the video it was LAN address.
      Thanks, love your content!

  • @raylab77 14 days ago +1

    Is it normal that my upload/download speed drops to almost half when IPS mode is enabled?

    • @Jims-Garage 14 days ago

      Yes, unfortunately. I believe Suricata is single-threaded. The only way to boost it is likely a faster core clock, but it won't work miracles.

    • @raylab77 14 days ago +1

      I changed the pattern matcher to Hyperscan, and that improved my up/down speeds to what it was without IPS enabled! Is there any downside to Hyperscan?

    • @Jims-Garage 14 days ago

      @@raylab77 I'm not familiar with it, I suspect it's either using some hardware acceleration, or it's not doing as thorough a scan.

  • @ravikilnake4100 6 months ago +2

    Hey man, don't leave out IPv6.
    More IPv6 please

    • @Jims-Garage 6 months ago

      You're right, something I want to play with later.

  • @AdrianuX1985 6 months ago +2

    +1

  • @zyghom 6 months ago +1

    Super nice, but setting up the VPN client on OPNsense is kind of... sophisticated. Yes, I know, such a firewall is sophisticated by itself, but still, it could have been a bit easier to get more people on board.
    Btw both are very useful: VPN server on OPNsense and VPN client on OPNsense. Let me try both with WireGuard.
    Btw you picked up the "wrong" port of WireGuard because:
    "It is scheduled to be removed on or after 2023-12-31."

    • @Jims-Garage 6 months ago

      Thanks for sharing. I agree it's quite involved, would be great if there was a NordVPN plugin (perhaps there is somewhere on GitHub) that had a web GUI.

    • @zyghom 6 months ago

      @@Jims-Garage no, NordVPN is only one of many - I think the issue is: configuration in too many places. If all parameters were on one card...? It would be easier. No, NordVPN plugin would make it biased. ;-)

  • @brspstrnk7924 2 months ago

    As you can see, the allowed IPs section is wrong at 31:31 and he corrected it at 31:43. There are so many mistakes in this section, including the way he used the private and public keys. He ultimately got it to work but never bothered to show us the right way to do it or the final configuration for it, which resulted in a huge waste of time for me personally. Do yourself a favor and look for how to set up an inbound WireGuard server on OPNsense somewhere else.

  • @danmoscatt3636 2 months ago +3

    Good video overall but you skipped over some key parts during setup: you assumed knowledge of the WireGuard client AND you didn't show in YOUR Nord setup what values you were inputting. Like you said it was taken from the NORD config, yeah sick but WHAT was taken!! Took me so long to try and figure out what lines I needed to use. Try not to gloss over small stuff, the video is 50 mins long anyway, another 2 mins can't hurt :)

    • @Jims-Garage 2 months ago +1

      Thanks for the tips! I have already covered VPNs extensively in the past and people can find them. Unlike most others my videos are somewhat sequential.

    • @SapperUSMC 1 month ago

      @Jims-Garage valid point, then when you mention the other video, please put a link on screen.
      I appreciate your hard work!

  • @bernzigruber 4 months ago +2

    I appreciate your work, but the WireGuard configuration is unfortunately wrong.
    1) You need to copy the public key of the WireGuard CLIENT (windows, android, etc...) to the public key field of the peer in OPNsense, not the servers (instance).
    2) If you configure a WireGuard interface (which you do not need necessarily), you can spare the outbound nat rule. Firewall rules are sufficient to reach e.g. the internet.
    3) The allowed IPs field at the peer has nothing to do with which IPs the clients can reach. It relates to the client's IP address (which client is allowed to connect).

    • @ghmc 3 months ago

      I have another issue with the WireGuard setup from this walk-through: when I configured it this way up to creating a peer, all outbound traffic from LAN to WAN stopped working. It took me some time to find out why that was happening, and when I deleted the WireGuard setup and WireGuard interface everything worked fine again.

    • @m23605 2 months ago +1

      Yeah this is so frustrating. Copying the instance's public key into the only peer's public key field is just wrong, and someone new to WireGuard is just going to have a miserable time setting things up if they watch this video. There's just so much confusing and wrong information about WireGuard. Why even make a video if you're just going to add to the confusion.
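To make bernzigruber's points 1 and 3 concrete, and to tie them to the symptom erikvandeven100 and ghmc report earlier in the thread (LAN clients lose internet once a peer carries AllowedIPs 0.0.0.0/0), here is an added example that is not from the video, from OPNsense or from any commenter. It models the OPNsense instance and peer settings as wg-quick style INI text and lints a server/client pair for the two mistakes discussed: the instance's own public key pasted into the peer entry (the peer entry must hold the client's key), and a server-side peer whose AllowedIPs is 0.0.0.0/0 (on the server, AllowedIPs is the client's tunnel address, e.g. a /32; 0.0.0.0/0 belongs only on the client side, where it means "send everything through the tunnel"). The keys, tunnel addresses, hostname and port are constructed placeholders, and public keys are passed in rather than derived so the example needs no X25519 library.

```python
import ipaddress
import re

# Added example (not OPNsense's or the video's code): lint a WireGuard
# server/client configuration pair for the mistakes discussed in the thread.


def parse_wg(text):
    """Parse wg-quick style INI into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        section = re.fullmatch(r"\[(Interface|Peer)\]", line)
        if section:
            if section.group(1) == "Peer":
                current = {}
                cfg["Peer"].append(current)
            else:
                current = cfg["Interface"]
            continue
        key, sep, value = line.partition("=")        # first '=' only: keys end in '='
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return cfg


def _networks(field):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in field.split(",") if n.strip()]


def lint_pair(server_cfg, server_pubkey, client_cfg, client_pubkey):
    """Return a list of findings; an empty list means the pair is consistent.

    server_pubkey is what the OPNsense instance page displays; client_pubkey is
    what the phone/laptop WireGuard app displays for its own key.
    """
    findings = []
    server, client = parse_wg(server_cfg), parse_wg(client_cfg)
    client_ip = ipaddress.ip_interface(
        client["Interface"]["Address"].split(",")[0].strip()).ip

    for i, peer in enumerate(server["Peer"]):
        # Mistake 1: the instance's own key pasted into the peer entry.
        if peer.get("PublicKey") == server_pubkey:
            findings.append(f"server peer {i}: PublicKey is the instance's own key; "
                            "it must be the CLIENT's public key")
        elif peer.get("PublicKey") != client_pubkey:
            findings.append(f"server peer {i}: PublicKey does not match the client")
        # Mistake 2: server-side AllowedIPs must be the client's tunnel address.
        for net in _networks(peer.get("AllowedIPs", "")):
            if net.prefixlen == 0:
                findings.append(f"server peer {i}: AllowedIPs {net} routes ALL firewall "
                                "traffic into the tunnel; LAN clients lose internet")
            elif client_ip not in net:
                findings.append(f"server peer {i}: AllowedIPs {net} does not cover "
                                f"the client's tunnel address {client_ip}")

    for i, peer in enumerate(client["Peer"]):
        # The client's peer entry describes the firewall, so it carries its key.
        if peer.get("PublicKey") != server_pubkey:
            findings.append(f"client peer {i}: PublicKey should be the instance's key")
    return findings


def tunnel_mode(client_cfg):
    """'full' if the client routes everything through the tunnel, else 'split'."""
    nets = [n for p in parse_wg(client_cfg)["Peer"]
            for n in _networks(p.get("AllowedIPs", ""))]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


# Constructed placeholders, not real keys; port and hostname are assumptions.
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER="
CLIENT_PUB = "CLIENT_PUBLIC_KEY_PLACEHOLDER="

WRONG_SERVER = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
Address = 10.10.10.1/24
ListenPort = 51820
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
"""
RIGHT_SERVER = WRONG_SERVER.replace(
    "PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=", "PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER="
).replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 10.10.10.2/32")
CLIENT = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.10.10.2/32
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = firewall.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    for finding in lint_pair(WRONG_SERVER, SERVER_PUB, CLIENT, CLIENT_PUB):
        print("WRONG:", finding)
    print("RIGHT:", lint_pair(RIGHT_SERVER, SERVER_PUB, CLIENT, CLIENT_PUB) or "no findings")
    print("client tunnel mode:", tunnel_mode(CLIENT))
```

The asymmetry the linter encodes is the whole point of cnkosm6536's question above: the same field name, AllowedIPs, means "which addresses this peer may use" on the firewall side and "which destinations go through the tunnel" on the client side, so the client may legitimately hold 0.0.0.0/0 while the firewall's peer entry should hold only the client's /32.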

  • @raylab77 22 days ago +1

    Lol. When port forwarding, you said it's dead easy... That's not dead easy in my opinion. My old router was easy, this is hard, but doable. I guess it all depends on what one's skill level is.

    • @Jims-Garage 22 days ago +1

      If you're just starting out I recommend Sophos XG - it's much simpler and most things are done with a wizard.

    • @raylab77 21 days ago

      @@Jims-Garage oh, I hoped this was a plugin.

  • @cyrilpinto418 2 days ago +1

    I thought this was supposed to be a beginner video.

    • @Jims-Garage 1 day ago

      It is, it's the second part. There's a minimum level of knowledge you should have before thinking about running your own firewall.

    • @cyrilpinto418 1 day ago

      @@Jims-Garage I already run a Mikrotik Hex with 4 VLANs; I appreciate your efforts, but couldn't find what I was looking for.