OPNsense
Revision as of 12:28, 17 March 2021
installation
prerequisite
- serial-cable / female<>female (null-modem)
- https://de.wikipedia.org/wiki/RS-232#Verkabelung_und_Stecker
- RX-TX (Pin2/Pin3) crossed
- GND <> GND
- PuTTY
- speed: 115200 baud
- installer: OPNsense (installed over the serial console)
aim
          Internet                        Internet
             :                               :
     DSL-Provider (2.5 Mbit/s)      LTE-Provider (100 GB/month)
             :                               :
        .---+----.                      .----+-----.
        |fritzBox|     NAT routers      | SpeedBox |
        '---+----'                      '----+-----'
            |                                |
     192.168.178.1/24                 192.168.0.1/24
            |                                |
          DHCP                             DHCP
            |                                |
            |          .----------.          |
            +---WAN----| OPNsense |----LTE---+
                       '----+-----'
                            | LAN
                     192.168.1.1/24
                            | DHCP
                            |
                    ...-----+-----...
                   (Clients / Servers)
- DSL bandwidth is very low (2.5 Mbit/s), so LTE is used as the primary uplink
- LTE data volume is capped (100 GB/month), so DSL serves as the failover path
- Windows updates are cached on the firewall (transparent web proxy) to save bandwidth and download volume
setup
- Version: OPNsense 21.1.1-amd64
- CPU type: AMD GX-412TC SOC (4 cores)
Interfaces: [LAN]
- Device: igb0
- IPv4 Configuration Type: static IPv4
- IPv4 address: 192.168.1.1/24 (see diagram above)
- IPv6 Configuration Type: None
Interfaces: [WIFI]
- Device: ath0_wlan1
Interfaces: [WAN]
- Device: igb1
- IPv4 Configuration Type: DHCP
- IPv6 Configuration Type: None
Interfaces: [LTE]
- Device: igb2
- IPv4 Configuration Type: DHCP
- IPv6 Configuration Type: None
System: Gateways: Single
WAN_GW
- Interface: WAN
- Address Family: IPv4
- IP address: dynamic
- Disable Gateway Monitoring: unchecked
- Monitor IP: 8.8.8.8
LTE_GW
- Interface: LTE
- Address Family: IPv4
- IP address: dynamic
- Disable Gateway Monitoring: unchecked
- Monitor IP: 1.1.1.1
Gateway monitoring pings the monitor address through its own gateway; OPNsense installs a host route for each monitor IP via that gateway, which is why the same two addresses are reused as the per-gateway DNS servers under System: Settings: General. If a provider filters ICMP to these addresses, the gateway is marked down even though it forwards traffic.
System: Gateways: Group
WAN_LTE_GW_GROUP
- Gateway Priority: LTE_GW: Tier1
- Gateway Priority: WAN_GW: Tier2
- Trigger Level: Packet Loss
- Description: failover group
System: Settings: Administration
- (Secure Shell)
System: Settings: General
- DNS servers: 8.8.8.8, use gateway WAN_GW
- DNS servers: 1.1.1.1, use gateway LTE_GW
- Gateway switching: Allow default gateway switching (checked)
Firewall: Aliases
- RFC1918
- Type: Network(s)
- Content: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
- Description: private networks
Firewall: NAT: Port Forward
Anti-Lockout rule: system default
redirect traffic to proxy (makes the transparent web proxy work):
 Interface  Proto  Source    Src Ports  Destination  Dest Ports  NAT IP     NAT Ports
 LAN1       TCP    LAN1 net  *          ! RFC1918    80 (HTTP)   127.0.0.1  3128
Only plain HTTP (TCP 80) from the LAN to a non-private destination is redirected to the local proxy on port 3128. HTTPS (443) and anything addressed inside RFC1918 passes unchanged, so TLS downloads are never seen by the cache.
Firewall: NAT: Outbound
- Mode: Automatic outbound NAT rule generation
Auto created rule for ISAKMP:
 Interface  Source                                        Src Port  Destination  Dest Port  NAT Address  NAT Port  Static Port
 WAN        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            500        WAN          *         YES
 LTE        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            500        LTE          *         YES
Auto created rule:
 Interface  Source                                        Src Port  Destination  Dest Port  NAT Address  NAT Port  Static Port
 WAN        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            *          WAN          *         NO
 LTE        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            *          LTE          *         NO
Firewall: Rules: Floating
17 Automatically generated rules (only the relevant ones are listed; "..." marks the omitted rules)
 IPv6    *  *     *  *  *  *       *  Block all IPv6
 IPv4+6  *  *     *  *  *  *       *  Default deny rule
 ...
 IPv4+6  *  *     *  *  *  *       *  let out anything from firewall host itself
 IPv4+6  *  igb2  *  *  *  LTE_GW  *  let out anything from firewall host itself (force gw)
 IPv4+6  *  igb1  *  *  *  WAN_GW  *  let out anything from firewall host itself (force gw)
Firewall: Rules: LAN
4 Automatically generated rules (the first four rows), followed by the user rules in the order they are evaluated:
 Action               Proto         Source   Port  Destination      Port      Gateway           Sched  Description
 pass/in/firstMatch   IPv4 UDP      *        68    255.255.255.255  67        *                 *      allow access to DHCP server
 pass/in/firstMatch   IPv4+6 UDP    *        68    (self)           67        *                 *      allow access to DHCP server
 pass/out/firstMatch  IPv4+6 UDP    (self)   67    *                68        *                 *      allow access to DHCP server
 pass/in/firstMatch   IPv4+6 TCP    *        *     (self)           80 443    *                 *      anti-lockout rule
 pass/in/firstMatch   IPv4 TCP/UDP  *        *     127.0.0.1        3128      *                 *      allow NAT Proxy
 pass/in/firstMatch   IPv4 TCP/UDP  *        *     192.168.1.1      3128      *                 *      local route PROXY
 pass/in/firstMatch   IPv4 TCP/UDP  *        *     192.168.1.1      53 (DNS)  *                 *      local route DNS
 pass/in/firstMatch   IPv4 any      LAN net  *     *                *         WAN_LTE_GW_GROUP  *      Default allow LAN to any rule
The order matters. The default rule is bound to WAN_LTE_GW_GROUP, and a rule with a gateway policy-routes everything it matches, including packets addressed to the firewall itself. The three rules for 127.0.0.1:3128, 192.168.1.1:3128 and 192.168.1.1:53 therefore carry no gateway and sit above it, so traffic to the local proxy and resolver is delivered locally instead of being pushed out through the LTE/DSL group. "allow NAT Proxy" matches the destination as rewritten by the port forward (127.0.0.1:3128): pf translates before it filters, so the LAN rules see the redirected address, not the original web server.
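The interaction between the port forward under Firewall: NAT: Port Forward and the LAN rule order can be checked with a small first-match model. The Python below is an added example written for this page, not OPNsense or pf code: it transcribes the LAN rules and the single port forward into a simplified evaluator (translation first, then first matching rule wins) and runs constructed sample packets through it, once in the page's order and once with the default rule moved above the two "local route" rules. Assumptions not on the page: 192.168.1.1 and 127.0.0.1 are the only "(self)" addresses, "LAN net" is 192.168.1.0/24 as in the diagram, and 203.0.113.10 stands in for an internet host.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Values transcribed from this page. SELF is an assumption: the two firewall
# addresses the page's rules actually reference.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SELF = {"192.168.1.1", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    protos: frozenset   # {"tcp"}, {"udp"}, {"tcp", "udp"} or {"any"}
    src: str            # "*" or "LAN net"
    sport: str          # "*" or a port
    dst: str            # "*", "(self)" or an address
    dport: str          # "*" or comma-separated ports
    gateway: Optional[str]
    descr: str


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "LAN net":
        return ipaddress.ip_address(ip) in LAN_NET
    if spec == "(self)":
        return ip in SELF
    return ip == spec


def _port_match(spec: str, port: int) -> bool:
    return spec == "*" or port in {int(p) for p in spec.split(",")}


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = "any" in rule.protos or pkt.proto in rule.protos
    return (proto_ok and _addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))


def port_forward(pkt: Packet) -> Packet:
    """The page's one port forward: TCP from LAN net to a non-RFC1918 address on
    port 80 is redirected to 127.0.0.1:3128. pf translates before it filters, so
    the filter rules below see the rewritten destination."""
    dst = ipaddress.ip_address(pkt.dst)
    if (pkt.proto == "tcp" and ipaddress.ip_address(pkt.src) in LAN_NET
            and pkt.dport == 80 and not any(dst in n for n in RFC1918)):
        return replace(pkt, dst="127.0.0.1", dport=3128)
    return pkt


def _r(protos, src, sport, dst, dport, gateway, descr) -> Rule:
    return Rule(frozenset(protos), src, sport, dst, dport, gateway, descr)


# Firewall: Rules: LAN in page order (inbound rules only; the auto "pass out"
# DHCP rule never matches traffic entering on LAN).
LAN_RULES = [
    _r({"udp"}, "*", "68", "255.255.255.255", "67", None, "allow access to DHCP server"),
    _r({"udp"}, "*", "68", "(self)", "67", None, "allow access to DHCP server"),
    _r({"tcp"}, "*", "*", "(self)", "80,443", None, "anti-lockout rule"),
    _r({"tcp", "udp"}, "*", "*", "127.0.0.1", "3128", None, "allow NAT Proxy"),
    _r({"tcp", "udp"}, "*", "*", "192.168.1.1", "3128", None, "local route PROXY"),
    _r({"tcp", "udp"}, "*", "*", "192.168.1.1", "53", None, "local route DNS"),
    _r({"any"}, "LAN net", "*", "*", "*", "WAN_LTE_GW_GROUP", "Default allow LAN to any rule"),
]

# The same rules with the default rule moved above the two "local route" rules:
# the misordering the page's layout avoids.
MISORDERED = LAN_RULES[:4] + [LAN_RULES[6]] + LAN_RULES[4:6]


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation: the first rule whose selectors match decides, and
    its gateway (None = ordinary routing table) is what policy routing uses.
    No match falls through to the floating 'Default deny rule'."""
    seen = port_forward(pkt)
    for rule in rules:
        if rule_matches(rule, seen):
            return rule.descr, rule.gateway
    return "Default deny rule", None


if __name__ == "__main__":
    # Constructed sample traffic from one LAN client.
    samples = [
        Packet("udp", "192.168.1.50", 51000, "192.168.1.1", 53),      # query to the local resolver
        Packet("tcp", "192.168.1.50", 51001, "203.0.113.10", 80),     # plain HTTP to the internet
        Packet("tcp", "192.168.1.50", 51002, "203.0.113.10", 443),    # HTTPS to the internet
        Packet("tcp", "192.168.1.50", 51003, "192.168.178.1", 80),    # the fritzBox behind WAN
    ]
    for label, rules in (("page order", LAN_RULES), ("misordered", MISORDERED)):
        for p in samples:
            print(f"{label:10} {p.proto} {p.dst}:{p.dport} -> {evaluate(rules, p)}")
```

In page order the DNS query lands on "local route DNS" with no gateway, while in the misordered set the same packet hits the default rule and is handed to WAN_LTE_GW_GROUP. The model also shows two consequences of the page's rules worth knowing: HTTPS is never redirected, so it reaches the internet uncached through the gateway group; and a packet for the fritzBox at 192.168.178.1 is not redirected (RFC1918) but does match the default rule, so it is policy-routed to the group rather than out the WAN interface. If that address must stay reachable from the LAN, it needs its own gateway-less pass rule above the default rule, exactly like the two "local route" rules.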