Difference between revisions of "OPNsense"

installation

prerequisite

• serial-cable / female<>female (null-modem)
• https://de.wikipedia.org/wiki/RS-232#Verkabelung_und_Stecker
  • RX-TX (Pin2/Pin3) crossed
  • GND <> GND
• putty
  • speed 115200
  • installer:opnsense

aim

see also: https://forum.opnsense.org/index.php?topic=22108.0

              Internet                 Internet
                 :                         :
     DSL-Provider:(2.5Mbit/s)  LTE-Provider:(100GB/month)
                 :                         :
                 :                         :
             .---+----.               .----+-----.
             |fritzBox|  NAT-Routers  | SpeedBox |
             '---+----'               '----+-----'
                 |                         |
         192.168.178.1/24            192.168.0.1/24
                 |                         |
               DHCP                       DHCP
                 |                         |
                 |      .----------.       |
                 +-WAN--| OPNsense |--LTE--+
                        '----+-----' 
                             |
                            LAN 
                       192.168.1.1/24
                             |
                            DHCP
                             |
                             |
                     ...-----+-----...
                     (Clients/Servers)

• DSL speed is very low, switch to LTE
• LTE data-volume is limited, failover to DSL
• cache windows updates to save bandwidth and download-volume

setup

• Versions: OPNsense 21.1.1-amd64
• CPU type: AMD GX-412TC SOC (4 cores)

Interfaces: [LAN]

• Device: igb0
• IPv4 Configuration Type: static IPv4
• IPv6 Configuration Type: None

Interfaces: [WIFI]

• Device: ath0_wlan1

Interfaces: [WAN]

• Device: igb1
• IPv4 Configuration Type: DHCP
• IPv6 Configuration Type: None

Interfaces: [LTE]

• Device: igb2
• IPv4 Configuration Type: DHCP
• IPv6 Configuration Type: None

System: Gateways: Single

WAN_GW

• Interface: WAN
• Address Family: IPv4
• IP address: dynamic
• Disable Gateway Monitoring: unchecked
• Monitor IP: 8.8.8.8

LTE_GW

• Interface: LTE
• Address Family: IPv4
• IP address: dynamic
• Disable Gateway Monitoring: unchecked
• Monitor IP: 1.1.1.1

System: Gateways: Group

WAN_LTE_GW_GROUP

• Gateway Priority: LTE_GW: Tier1
• Gateway Priority: WAN_GW: Tier2
• Trigger Level: Pcket Loss
• Description: failover group

System: Settings: Administration

• (Secure Shell)

System: Settings: General

• DNS servers: 8.8.8.8 WAN_GW
• DNS servers: 1.1.1.1 LTE_GW
• Gateway switching: Allow default gateway switching

Firewall: Aliases

• RFC1918
• Content: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
• Description: private networks

Firewall: NAT: Port Forward

generated:

no redirect	LAN 	TCP 	*       	* 	LAN address 	80, 443 	*       	* 	Anti-Lockout Rule

man-made (make Web-Proxy transparent):

enabled    	LAN 	TCP 	LAN1 net	* 	! RFC1918 	80 (HTTP) 	127.0.0.1 	3128 	redirect outbound traffic to proxy

Firewall: NAT: Outbound

Mode: Automatic outbound NAT rule generation

enabled	LTE 	LAN1 networks, Loopback networks, 127.0.0.0/8 	* 	* 	500 	LTE 	* 	YES 	Auto created rule for ISAKMP
enabled	LTE 	LAN1 networks, Loopback networks, 127.0.0.0/8 	* 	* 	* 	LTE 	* 	NO 	Auto created rule
enabled	WAN 	LAN1 networks, Loopback networks, 127.0.0.0/8 	* 	* 	500 	WAN 	* 	YES 	Auto created rule for ISAKMP
enabled	WAN 	LAN1 networks, Loopback networks, 127.0.0.0/8 	* 	* 	* 	WAN 	* 	NO 	Auto created rule

Firewall: Rules: Floating

17 automatically generated rules:

block/in/firstMatch	IPv6	* 	* 	* 	* 	* 	* 	* 	Block all IPv6
block/in/lastMatch	IPv4+6	* 	* 	* 	* 	* 	* 	* 	Default deny rule
...
pass/out/lastMatch	IPv4+6	* 	* 	* 	* 	* 	* 	* 	let out anything from firewall host itself
pass/out/lastMatch	IPv4+6	* 	igb2 	* 	* 	* 	LTE_GW 	* 	let out anything from firewall host itself (force gw)
pass/out/lastMatch	IPv4+6	* 	igb1 	* 	* 	* 	WAN_GW 	* 	let out anything from firewall host itself (force gw)

Firewall: Rules: LAN

4 automatically generated rules:

pass/in/firstMatch	IPv4   UDP 	* 	68 	255.255.255.255 	67      	* 	* 	allow access to DHCP server 	
pass/in/firstMatch	IPv4+6 UDP 	* 	68 	(self)          	67      	* 	* 	allow access to DHCP server 	
pass/out/firstMatch	IPv4+6 UDP 	(self) 	67 	*               	68      	* 	* 	allow access to DHCP server 	
pass/in/firstMatch	IPv4+6 TCP 	* 	* 	(self)          	80 443  	* 	* 	anti-lockout rule

man-made rules:

pass/in/firstMatch	IPv4 TCP/UDP	* 	* 	127.0.0.1	3128    	*                * 	allow NAT Proxy 	
pass/in/firstMatch	IPv4 TCP/UDP	* 	* 	192.168.1.1	3128    	*              	 * 	local route PROXY 	
pass/in/firstMatch	IPv4 TCP/UDP	*   	* 	192.168.1.1	53 (DNS)        *                * 	local route DNS 	
pass/in/firstMatch	IPv4 any    	LAN net	*      	*          	*       	WAN_LTE_GW_GROUP * 	Default allow LAN to any rule

Firewall: Rules: LTE

2 automatically generated rules:

pass/in/lastMatch	IPv4+6 UDP 	* 	67 	* 	68 	* 	* 	allow DHCP client on LTE
pass/out/lastMatch	IPv4+6 UDP 	* 	68 	* 	67 	* 	* 	allow DHCP client on LTE

Firewall: Rules: WAN

2 automatically generated rules:

pass/in/lastMatch	IPv4+6 UDP 	* 	67 	* 	68 	* 	* 	allow DHCP client on WAN
pass/out/lastMatch	IPv4+6 UDP 	* 	68 	* 	67 	* 	* 	allow DHCP client on WAN

Services: DHCPv4: [LAN]

• Subnet: 192.168.1.0
• Subnet mask: 255.255.255.0
• Range: from 192.168.1.10 to 192.168.1.245

Services: Web Proxy: Administration

General Proxy Settings

• Enable proxy: yes
• User error pages: Squid

Local Cache Settings

• Memory Cache size in Megabytes: 256
• Enable local cache: yes
• Cache size in Megabytes: 10240
• Enable Linux Package Cache: yes
• Enable Windows Update Cache: yes

Forward Proxy

• Proxy interfaces: LAN
• Proxy port: 3128
• Enable Transparent HTTP proxy: yes
• Allow interface subnets: yes

stuck at boot after update

• connect serial-console
• configure network interface dhclient igb1 (WAN in this case)
• revert last update opnsense-revert opnsense