99% percent of the videos out there claim to get you started with OPNsense, but what I saw there was just bullshit about downloading and installing, sometimes then they showed the interface but stop at the relevant parts.... "How to use the firewall". This is where your video is gold because it finally explains useful things!
Thanks for this short but great explanatory video
I forget about your channel. You can go watch someone else with a 5 minute video but you will spend 3 hrs filling the gaps left out. Your video instructions are clear and direct. Thank you.
Hands down the best video concerning opnsense rules if found until now. Thank you very much.
There are so many superficial and useless Opnsense videos out there - this one is not the case!
- thank-you for posting this, and taking the time to explain things properly
I rarely, if ever comment or like a video, but this is one of the best I have seen, and I'm only half way through. Really easy to understand, explained well, and more importantly, shown what the changes do. As others have said, other videos make assumptions on knowledge levels. Great work
This is by far the best working run through on how the interfaces relate to one another and I learnt some great tricks with moving the rules around as well. Great stuff. I was almost there but since you easily explained how the data is matched in a top-down approach, it makes logical sense and I imagine it as if there was water pouring in from the top rule and the different filters filter the data out like different water filters take out the different minerals ... and then you are left with the pure water (DATA) that can freely flow into the system.
This really helped me diagnose and also get both my NORD VPN rules ordered correctly and my Wire guard up and running as well.... Just understanding that the Lan Interface has the highest hierarchy in the system just below the WAN interface.... lets me look at the LAN interface rules first, then replicated them into each Vlan Subnet that I had created for IoS, Guest, MainLan and VPN Test Vlan. I had all of the RFC1918 Blocking sorted, but now have a solid understanding on where it needs to be in the rule list. Thank you so much for taking the time to explain this in an easy to understand and almost working lab style! FANTASTIC JOB!
Simple to understand and straight to the point. Thanks for the video.
I suggest merging the first "allow internet" and the second "block private ranges" rules together for simplicity.
Instead of the two, you can make one "pass" rule where you choose "private ranges" as the destination and then INVERT the match.
This way, the single pass rule allows traffic to all destinations except the private ranges - in other words only the internet.
As a rule of thumb, avoid drop/reject rules when you can simply make stricter pass rules on top of the default "drop everything" rule.
Great job explaining everything, finally a helpful video on firewall rules.
The algorithm has done good work tonight! This is exactly what I was thinking of trying to search. No really, I hadn't even searched for this particular info yet, I'm still messing with unrelated things in OPN like monitoring and geoip, but here this is, right on time. Sometimes the algo scares me, but then things like this happen and I'm glad it works sometimes.
This is brilliant, thank you for this. Best opnsense video I've seen so far on firewall rules.
Great video. Been opnsense user for 5 yrs. But the penny finally dropped on a few of the firewall things after seeing your video. Thanks!
I was going nuts because LAN didn't have access to the Internet no matter what I tried. Had no clue that "pfctl -d" would do much more than just enable remote access to the OPNsense interface.
Thanks a lot!
Saved this beginner hours. Thanks for this simple run-through, just brilliant.
this is the only useful opnsense video i found. you picked exactly the right usecases. thanks a lot!
19:00 I opened a WAN rule to allow remote connection to OPNsense GUI and i did it in the "Firewall: Rules: WAN" and it is working perfect.
Excellent video - very clear demonstration and explanation.
You are a very good teacher, thanks for the upload!!!
Thanks a lot. You explain the rules very easily to me.
Thanks for the video, I had GeoIP blocking going on and also had port forward as well. Still I was seeing some unwanted activity on the machine where I have port forwarded. Then I realized that I need a proper rule sequence.
This is simply awesome. I am just starting my journey with opnSense. Very straight forward and precise explanation. I have a fair bit of experience with Fortigate and Watchguard. This is done differently and it takes a bit to wrap one's head around it. Amazing video. I do have one question. On your wan rules for management you use the default ports 80 and 443. I would prefer mine to be something obscure. Is it just a matter of not using HTTPS as the port and using something like 52365?
why is reject private ranges a default rule on most firewalls? how do you do interVLAN routing then? between servers and users for example?
Very good informative video about opnsense.
Thanks so much for your very well explained tutorial. ❤
Great overview. Thanks for taking the time to create this.
Would blocking Private IPs block my access to OPNsense firewall itself if it is only accessable on my LAN1?
thanks for showing all the actually needed information - really helpful!
Great video, thank you! Regards from Chile.
This tutorial is heaven, thank you for the tutorial.
Sorry guys, which option does the VM use for the network? Internal network?
Help! how do I delete/disable floating rules or default rules?
[edit] manage to remove the floating in config.xml, still no idea how to delete the default rules.
How to limit the auto-generated rules in opnsense, as my firewall generates at least 16 Lan1, Lan2 rules, but as I see you only have 4 auto-generated rules.
Question.... If all my "LAN" interfaces are members of a "Bridge", do I only need these "LAN" Rules applied to the Bridge Interface, not to each LAN Port individually?
how can i add rules to only allow remote desktop (port 3389) from the outside to my lan, but only certain external ips or mac-addresses?
Anyone know how to make a rule for one local device to use a different gateway? (Say you create a VPN gateway, and you want to send one device out through that VPN)
I noticed on the floating rule only TCP traffic for HTTP and HTTPS was chosen. Wouldn't this be TCP/UDP instead of just TCP?
No, because HTTP/HTTPS is TCP only
Thank you!! This is what I was looking for!
Thank you. Yet another very clear explanation of foundational firewall rules. I'm using pfSense. One question I have is are you trying to isolate all the local networks, including LAN2, by blocking RFC_1918 addresses in LAN1 instead of blocking them in IOT and GUEST?
I usually isolate any network, including management, LAN, etc, and then allow access to other networks on "only if necessary" basis :)
@GatewayITTutorials Got it, thanks.
how did you connect both Debian machines with the firewall?
Hi, I'm trying to switch from pfSense to OPNsense, but every time I add a rule on the Firewall the order of the rules changes, everything is out of the order I previously put and recorded, any tips? Thanks
Hey, might be a bug in the version you are running.
Would you mind sharing a short screencap of this issue in our Reddit community? It will be very interesting to look at.
@GatewayITTutorials OK, thanks
Quite good introduction to OPN! Thank you!
Superb video, thanks!
Thanks for the video! Quick question about the "Reject Private Ranges" rule... It's clear that this blocks pinging/access to private IP addresses on OTHER LANs, but it does NOT block pinging/access to another device on the SAME LAN. Is that expected? Thanks!
this is a good question. Seems to me it WILL block traffic on the same lan, if you don't provide a source ip range.
I want to schedule particular web site access, can i do it with OpnSense or please advise if need a different firewall, thanks
Nice guide. Just a tip for being more organized. In rules creation, category is used to give a name for category that is used to add category filter to firewall rules window.
If you don't care about category but still want to log rule entries, then you can just give description and it will be shown on logs etc as description.
If you don't type description, then default description "default allow rule" is used instead.
Category can be left empty because it's just a filter.
Now that I am thinking about it, I may have left an impression that category is imperative to fill in :D
But you are right, it isn't, it's just "a nice to have".
Good afternoon, I'm having trouble redirecting port 80 to 9081. My server is on the internal network at 10.0.0.131:80 and the external port is 9081. I can't get this forwarding to work, could you help me? I changed the default port for console access to port 8086 and it still doesn't accept the rule.
You'll have to repeat that in English my dude, I know a couple of languages, but not that many)
Great Video thank you. You mention always using Floating Rules instead of WAN rules as WAN rules are ignored, but this is not my experience, is this something that has been fixed now?
It might have been, in a recent release. But because I got used to Floating rules, I can't change my ways now)
I have SafeSearch enforced on my network through my router, but it's easily bypassed using Firefox Doh. Can this firewall block users from bypassing router rules using Doh?
There is no point and click solution that will do this for you.
DoH is DNS over HTTPS, so unless you have some serious DPI skills, you won't be able to block it on the protocol level.
On the other hand you could block some of the DOH providers, like:
1.1.1.1, 9.9.9.9 and so on with a firewall rule. Not an elegant solution, but should work in most cases.
Cool Video. Thx for the Tutorial.
Maybe you can provide instructions on how to set up an example network like yours in this video?:)
How did you come up with the IP address for the content? You did not explain How? or Why we need to have those IP addresses in there?
What IP addresses are you concerned about? I tried to make this video as IP-addressless (if it's even a word, lol) as possible.
EDIT:
Wait, do you mean why I added the Alias for private IP ranges? It is to block network access to any internal network you can think of (192.168.0.0/24 is not the only private IP range in the world of IT).
Here is a Wiki page to extend your knowledge on this:
en.wikipedia.org/wiki/Private_network
@GatewayITTutorials Thank you for your reply........... I would not think that 192.168.0.0/24 is the only IP range in the world. What I am trying to get at is this. I am trying to follow your video to set up my OPNsense on the firewall. You are not explaining in detail how you came up with the content IP addresses. It appears that you are looking at some secondary notes and typing them into the content field.
Why do I need an IP address in the content field? How do I, the viewer of your video that has never done this before know what IP address I need to put in? You are not explaining what these sections are.
I am by far not trying to say that I am not grateful for your videos, but looking at this video left me in the dark. I do get the (Name Field, Aliases are named lists of networks, hosts or ports that can be used as one entity by selecting the alias name in the various supported sections of the firewall. These aliases are particularly useful to condense firewall rules and minimize changes).
And also I do get (Types Networks, are Networks are specified in Classless(If that is a word) Inter-Domain Routing format (CIDR). Use the correct CIDR mask for each entry. For instance, a /32 specifies a single IPv4 host, or /128 specifies a single IPv6 host, whereas /24 specifies 255.255.255.0 and /64 specifies a normal IPv6 network. Network type Aliases can contain exclusion hosts or networks. Exclusion addresses starts with “!” sign (eg !192.168.0.0/24) and can be used to exclude hosts or networks from current Alias or Network Group Alias.
Even the Opnsense document website does not touch on the content section (docs.opnsense.org/manual/aliases.html). I was just hoping you would be able to explain that part. It could also be that I am over thinking that part of the instructions of your video. Thanks
You are a bit overthinking :)
As I said in my previous comment, this alias will allow you to block ANY unauthorised access to ANY internal network that may possibly exist (now or in the future).
To allow access to the networks you need access to, add "Pass" rule and specify a network or alias just above "Reject PrivateRanges" rule.
So you could just "blindly" copy the contents of an alias I showed in the video and it will work, I promise)
@GatewayITTutorials Thank you......Just to let you know, I have subscribed when I saw this video. You are the only one with this video explaining how to configure your Opnsense firewall.
Hi, I really recommend a video for DNS ad blocking, pls load up one!
It's up on the schedule, would be either AdGuard Home vs PiHole, or AdGuard home with OPNSense.
Let me know what you think is best :)
@GatewayITTutorials I'd be interested in an OPNsense plugin such as AdGuard. I would love to eliminate my PiHole from my network
hello! congratulations for the video. I would like to know how to generate a proxy and firewall report in Opnsense? Type, Sarg or Lightsquid
"I can't think of any reason you'd need WAN rules" in the case that you're not using opnsense as an edge firewall, but rather as an internal firewall. ;)
How can we enable Postfix? I have checked in plugins, the Postfix plugin is not appearing, what to do?
you want to install Postfix directly on OPNSense?
Thanks for a very useful video!
very well huge help thanks a lot !
Great video
OPNsense vs Pfsense?
OPNSense ;)
@GatewayITTutorials thanks :D
Hi do you have tutorial on how to block facebook app in phone using OPNsense? Thank you
Thank you!
Hey! Thank you for your hard work, friend. Top 3, open source firewalls, minimum 1 gigabit throughput, best configurability with ease of use?
- Also top 3 hardware box which either “flashable” and or dual nic capable low power PC’s? Thank you, kindly. 😊
Top 3 OSS firewalls (as a bundle, order doesn't matter):
- VyOS
- pfSense/OPNSense
- OpenWRT
For the hardware to install them on, have a look at some of the STH videos/posts, like this one:
www.servethehome.com/inexpensive-4x-2-5gbe-fanless-router-firewall-box-review-intel-j4125-i225-pfsense/
Hi how we can block the Mime Types in OPNsense firewall ?
Hey. OPNSense doesn't check the traffic headers by default, it's not what it was designed to do, and to be honest I hate firewall appliances that do that as a default that you can't turn off, it leads to a lot of problems down the road.
But there is a way to enable such functionality on OPNSense through a security package Sensei: it has a free version and a paid version.
Install it, scroll through options, and test it out for yourself. It can block certain mime types, adult websites, malware websites and so on.
Can you also do a tutorial for multi wan load balancing and failover thanks
Thanks for the suggestion. I'll add it to my videos-to-do list :)
@GatewayITTutorials i think the latest ver has some issues with multi wan.
damn this video is gold.
Your first rule (allow internet) is not, what it looks like! Better would be Wan, tcp and http/https only! Your rule allows traffic to the other Lan too. When you create rules, they should be named exactly what they are for.
TCP/HTTP is way too strict for a home setup, but naming it "Allow All" may be a better idea indeed. I was just used to the name WAN on my setups. Thanks for your suggestion.
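The invert-match suggestion earlier in the thread and the point in this exchange that a broad "allow" rule placed above the private-range reject also passes LAN-to-LAN traffic both come down to top-down, first-match evaluation. The following simulator is an added example, not code from the video or the OPNsense project; the alias contents, rule names, subnets and packets are constructed for illustration.

```python
"""Top-down, first-match evaluation of OPNsense-style interface rules.

Added example (not from the video or the OPNsense project): a small
simulator showing why rule order matters and why a single pass rule with
an inverted "PrivateRanges" destination behaves like "reject PrivateRanges"
followed by "pass any". Alias contents, rule names and sample packets are
constructed for illustration, not taken from the video.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed alias contents: RFC 1918 plus two other non-routable ranges.
ALIASES = {
    "PrivateRanges": [
        ip_network("10.0.0.0/8"),
        ip_network("172.16.0.0/12"),
        ip_network("192.168.0.0/16"),
        ip_network("169.254.0.0/16"),  # link-local
        ip_network("100.64.0.0/10"),   # carrier-grade NAT shared space
    ],
}


@dataclass
class Rule:
    name: str
    action: str                # "pass" or "reject"
    src: str = "any"           # alias name, CIDR or "any"
    dst: str = "any"
    invert_dst: bool = False   # the "Invert" checkbox next to Destination


def _matches(spec, addr):
    """True if addr falls inside the alias or CIDR named by spec."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [ip_network(spec)]
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """Return (action, rule name) for the first matching rule.

    Interface rules are "quick" by default: the first match wins, and a
    packet that matches nothing hits the implicit default deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        dst_hit = _matches(rule.dst, d) != rule.invert_dst   # XOR with invert
        if _matches(rule.src, s) and dst_hit:
            return rule.action, rule.name
    return "reject", "default deny"


LAN1 = "192.168.1.0/24"   # constructed subnet for the LAN1 interface

# Four ways to write LAN1's rules; only order and inversion differ.
BROAD_PASS_ON_TOP = [
    Rule("Allow Internet", "pass", src=LAN1),
    Rule("Reject PrivateRanges", "reject", src=LAN1, dst="PrivateRanges"),
]
REJECT_ON_TOP = [
    Rule("Reject PrivateRanges", "reject", src=LAN1, dst="PrivateRanges"),
    Rule("Allow Internet", "pass", src=LAN1),
]
SINGLE_INVERTED_PASS = [
    Rule("Allow Internet only", "pass", src=LAN1, dst="PrivateRanges", invert_dst=True),
]
# A narrower pass rule above the reject opens exactly one internal network.
WITH_EXCEPTION = [Rule("Allow LAN2", "pass", src=LAN1, dst="192.168.2.0/24")] + REJECT_ON_TOP

# Constructed packets: LAN1 host -> internet (TEST-NET-3), -> LAN2, -> another private net.
PACKETS = {
    "to_internet": ("192.168.1.10", "203.0.113.5"),
    "to_lan2": ("192.168.1.10", "192.168.2.20"),
    "to_other_private": ("192.168.1.10", "10.10.0.5"),
}


def outcomes(rules):
    """Map each constructed packet to the action the rule set takes on it."""
    return {label: evaluate(rules, s, d)[0] for label, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for title, rules in (("broad pass on top", BROAD_PASS_ON_TOP),
                         ("reject on top", REJECT_ON_TOP),
                         ("single inverted pass", SINGLE_INVERTED_PASS),
                         ("with LAN2 exception", WITH_EXCEPTION)):
        print(f"{title:22} {outcomes(rules)}")
```

The simulator only models packets that reach the firewall interface; two hosts on the same subnet talk through the switch without touching the router, so no interface rule sees that traffic.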
is possible that on not
great video!!!
My dear friend, I have learned a lot with your videos. Is possible that you make a video to configuring Postfix email Gateway and RSPAMD please into OpnSense?. 1.000 thanks!
That's a very specific usecase, but I'll think about it.
thanks
Please do a video on OPNsense firewalls for example two Xbox one's on the same network playing the same game. I followed Spaceinvader One's pfsense video ( ua-cam.com/video/whGPRC9rQYw/v-deo.html ) but I have OPNsense and still have problems playing the same game on different PCs on the same network, where one will connect and the other gets an error. I believe the error is something to do with port 3074.
It's just the last bit of Spaceinvader One's video where he selects PureNAT and OPNsense either doesn't seem to support it or I can't find it. Please help 🙏
Hey there, this seems like a NAT issue.
Please post it in our subreddit, I'll pick it up from there, because I can't make a video on this due to the fact that I don't own a gaming console.