Difference between revisions of "OPNsense"

From wiki.bastelbude.grade.de

Revision as of 12:47, 17 March 2021

installation

prerequisite

aim

              Internet                 Internet
                 :                         :
     DSL-Provider:(2.5Mbit/s)  LTE-Provider:(100GB/month)
                 :                         :
                 :                         :
             .---+----.               .----+-----.
             |fritzBox|  NAT-Routers  | SpeedBox |
             '---+----'               '----+-----'
                 |                         |
         192.168.178.1/24            192.168.0.1/24
                 |                         |
               DHCP                       DHCP
                 |                         |
                 |      .----------.       |
                 +-WAN--| OPNsense |--LTE--+
                        '----+-----' 
                             |
                            LAN 
                       192.168.1.1/24
                             |
                            DHCP
                             |
                             |
                     ...-----+-----...
                     (Clients/Servers)
  • DSL speed is very low, so switch to LTE
  • LTE data volume is limited, so fail over to DSL
  • cache Windows updates to save bandwidth and download volume

setup

  • Versions: OPNsense 21.1.1-amd64
  • CPU type: AMD GX-412TC SOC (4 cores)

Interfaces: [LAN]

  • Device: igb0
  • IPv4 Configuration Type: static IPv4
  • IPv6 Configuration Type: None

Interfaces: [WIFI]

  • Device: ath0_wlan1

Interfaces: [WAN]

  • Device: igb1
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

Interfaces: [LTE]

  • Device: igb2
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

System: Gateways: Single

WAN_GW

  • Interface: WAN
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 8.8.8.8

LTE_GW

  • Interface: LTE
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 1.1.1.1

System: Gateways: Group

WAN_LTE_GW_GROUP

  • Gateway Priority: LTE_GW: Tier1
  • Gateway Priority: WAN_GW: Tier2
  • Trigger Level: Packet Loss
  • Description: failover group
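Which member of WAN_LTE_GW_GROUP actually carries traffic depends on the Trigger Level as much as on the tiers: with "Packet Loss" only loss above the monitor's threshold (or a Monitor IP that stops answering) demotes LTE_GW, so a slow but loss-free LTE link stays Tier 1. The following Python model is added here and is not part of the wiki page or of OPNsense; it takes the two members and their tiers from the page, models the four trigger levels the gateway group form offers, and uses constructed monitor readings and assumed loss/latency thresholds.

```python
"""Which member of WAN_LTE_GW_GROUP is active, per Trigger Level.

Example added to this page, not OPNsense code. Tiers come from the page;
thresholds and monitor readings are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Gateway Priority from the page: lower tier number = preferred
GROUP = {"LTE_GW": 1, "WAN_GW": 2}

# Assumed "down" thresholds for this example (OPNsense takes these from the
# per-gateway monitoring settings, which the page leaves at their defaults)
LOSS_DOWN_PERCENT = 20.0
LATENCY_DOWN_MS = 500.0


@dataclass(frozen=True)
class Monitor:
    """Reading from the gateway monitor against its Monitor IP."""
    loss_percent: float
    latency_ms: float
    responding: bool = True   # False: no replies at all from the Monitor IP


def is_down(m: Monitor, trigger: str) -> bool:
    """Does the reading mark the gateway as down for this Trigger Level?"""
    if not m.responding:
        return True                      # unreachable is down under every trigger
    if trigger == "Member Down":
        return False                     # only a dead monitor triggers failover
    if trigger == "Packet Loss":
        return m.loss_percent > LOSS_DOWN_PERCENT
    if trigger == "High Latency":
        return m.latency_ms > LATENCY_DOWN_MS
    if trigger == "Packet Loss or High Latency":
        return m.loss_percent > LOSS_DOWN_PERCENT or m.latency_ms > LATENCY_DOWN_MS
    raise ValueError(f"unknown trigger level: {trigger}")


def active_gateways(readings: Dict[str, Monitor],
                    trigger: str = "Packet Loss") -> List[str]:
    """Members of the lowest-numbered tier that still has a usable gateway.

    A lower tier only takes over when every member of the tier above is
    down; several members in one tier would share the load (not used here).
    """
    for tier in sorted(set(GROUP.values())):
        usable = sorted(gw for gw, t in GROUP.items()
                        if t == tier and not is_down(readings[gw], trigger))
        if usable:
            return usable
    return []                            # every member down: group has no route


if __name__ == "__main__":
    healthy = {"LTE_GW": Monitor(0.0, 40.0), "WAN_GW": Monitor(0.0, 25.0)}
    lte_lossy = {"LTE_GW": Monitor(35.0, 60.0), "WAN_GW": Monitor(0.0, 25.0)}
    lte_slow = {"LTE_GW": Monitor(0.0, 900.0), "WAN_GW": Monitor(0.0, 25.0)}
    print(active_gateways(healthy))                                  # ['LTE_GW']
    print(active_gateways(lte_lossy))                                # ['WAN_GW']
    print(active_gateways(lte_slow))                                 # ['LTE_GW']
    print(active_gateways(lte_slow, "Packet Loss or High Latency"))  # ['WAN_GW']
```

The third case is the one to keep in mind with this configuration: a congested LTE link with 900 ms round trips is still the preferred gateway under "Packet Loss", and only the combined trigger level would move traffic to DSL.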

System: Settings: Administration

  • (Secure Shell)

System: Settings: General

  • DNS servers: 8.8.8.8 WAN_GW
  • DNS servers: 1.1.1.1 LTE_GW
  • Gateway switching: Allow default gateway switching

Firewall: Aliases

  • RFC1918
  • Content: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
  • Description: private networks

Firewall: NAT: Port Forward

generated

Status	Interface	Proto	Source Address	Source Ports	Dest Address	Dest Ports	NAT IP	NAT Ports	Description
no redirect	LAN	TCP	*	*	LAN address	80, 443	*	*	Anti-Lockout Rule

man-made (make Web-Proxy transparent)

Status	Interface	Proto	Source Address	Source Ports	Dest Address	Dest Ports	NAT IP	NAT Ports	Description
enabled	LAN	TCP	LAN1 net	*	! RFC1918	80 (HTTP)	127.0.0.1	3128	redirect outbound traffic to proxy

Firewall: NAT: Outbound

  • Mode: Automatic outbound NAT rule generation

Auto created rule for ISAKMP

Interface	Source	Source Port	Destination	Destination Port	NAT Address	NAT Port	Static Port
WAN	LAN networks, Loopback networks, 127.0.0.0/8	*	*	500	WAN	*	YES
LTE	LAN networks, Loopback networks, 127.0.0.0/8	*	*	500	LTE	*	YES

Auto created rule

Interface	Source	Source Port	Destination	Destination Port	NAT Address	NAT Port	Static Port
WAN	LAN networks, Loopback networks, 127.0.0.0/8	*	*	*	WAN	*	NO
LTE	LAN networks, Loopback networks, 127.0.0.0/8	*	*	*	LTE	*	NO

Firewall: Rules: Floating

17 automatically generated rules:

Action/Dir/Match	IP	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
block/in/firstMatch	IPv6	*	*	*	*	*	*	*	Block all IPv6
block/in/lastMatch	IPv4+6	*	*	*	*	*	*	*	Default deny rule
...
pass/out/lastMatch	IPv4+6	*	*	*	*	*	*	*	let out anything from firewall host itself
pass/out/lastMatch	IPv4+6	*	igb2	*	*	*	LTE_GW	*	let out anything from firewall host itself (force gw)
pass/out/lastMatch	IPv4+6	*	igb1	*	*	*	WAN_GW	*	let out anything from firewall host itself (force gw)

Firewall: Rules: LAN

4 automatically generated rules:

Action/Dir/Match	IP	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/firstMatch	IPv4	UDP	*	68	255.255.255.255	67	*	*	allow access to DHCP server
pass/in/firstMatch	IPv4+6	UDP	*	68	(self)	67	*	*	allow access to DHCP server
pass/out/firstMatch	IPv4+6	UDP	(self)	67	*	68	*	*	allow access to DHCP server
pass/in/firstMatch	IPv4+6	TCP	*	*	(self)	80 443	*	*	anti-lockout rule

man-made rules:

Action/Dir/Match	IP	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/firstMatch	IPv4	TCP/UDP	*	*	127.0.0.1	3128	*	*	allow NAT Proxy
pass/in/firstMatch	IPv4	TCP/UDP	*	*	192.168.1.1	3128	*	*	local route PROXY
pass/in/firstMatch	IPv4	TCP/UDP	*	*	192.168.1.1	53 (DNS)	*	*	local route DNS
pass/in/firstMatch	IPv4	any	LAN net	*	*	*	WAN_LTE_GW_GROUP	*	Default allow LAN to any rule
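The man-made LAN rows only make sense together with the transparent-proxy redirect in Firewall: NAT: Port Forward. pf translates the destination before the filter rules run, so an HTTP connection to the Internet reaches the LAN ruleset already rewritten to 127.0.0.1:3128 and needs the "allow NAT Proxy" row; the "local route PROXY" and "local route DNS" rows must sit above the default rule because that rule carries the gateway group and would otherwise policy-route traffic meant for the firewall itself out of the WAN. The Python model below is added here and is not part of the wiki page or of OPNsense; it traces constructed LAN packets through both tables with first-match semantics. Aliases and addresses are the page's; the client address 192.168.1.50 and the Internet address 203.0.113.10 are constructed.

```python
"""Trace a LAN packet through the page's Port Forward and LAN filter tables.

Example added to this page, not OPNsense code. Order follows pf: redirection
(rdr) first, then filtering on the translated destination. Aliases and
addresses are from the page; the sample client and Internet hosts are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple

# Firewall: Aliases, as on the page
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
LAN_NET = ip_network("192.168.1.0/24")     # "LAN net" / "LAN1 net"
LAN_ADDRESS = "192.168.1.1"                # "LAN address" / "(self)"


def in_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Rdr:
    """One Port Forward row; target None models a 'no redirect' rule."""
    desc: str
    match: Callable[[Packet], bool]
    target: Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Rule:
    """One filter row; gateway 'default' means no policy routing."""
    desc: str
    match: Callable[[Packet], bool]
    gateway: str = "default"


def is_web_to_self(p: Packet) -> bool:
    return p.proto == "TCP" and p.dst == LAN_ADDRESS and p.dport in (80, 443)


# Firewall: NAT: Port Forward, in table order (first match wins)
PORT_FORWARD = [
    Rdr("Anti-Lockout Rule", is_web_to_self, None),
    Rdr("redirect outbound traffic to proxy",
        lambda p: p.proto == "TCP" and ip_address(p.src) in LAN_NET
        and not in_rfc1918(p.dst) and p.dport == 80,
        ("127.0.0.1", 3128)),
]

# Firewall: Rules: LAN; the generated anti-lockout row plus the man-made rows
LAN_RULES = [
    Rule("anti-lockout rule", is_web_to_self),
    Rule("allow NAT Proxy", lambda p: p.dst == "127.0.0.1" and p.dport == 3128),
    Rule("local route PROXY", lambda p: p.dst == LAN_ADDRESS and p.dport == 3128),
    Rule("local route DNS", lambda p: p.dst == LAN_ADDRESS and p.dport == 53),
    Rule("Default allow LAN to any rule",
         lambda p: ip_address(p.src) in LAN_NET, gateway="WAN_LTE_GW_GROUP"),
]


def apply_rdr(p: Packet) -> Tuple[Packet, Optional[str]]:
    """Return the (possibly translated) packet and the rdr row that matched."""
    for row in PORT_FORWARD:
        if row.match(p):
            if row.target is None:
                return p, row.desc
            return Packet(p.src, row.target[0], row.target[1], p.proto), row.desc
    return p, None


def filter_lan(p: Packet) -> Tuple[str, Optional[str]]:
    """First matching LAN row and its gateway; else the floating default deny."""
    for rule in LAN_RULES:
        if rule.match(p):
            return rule.desc, rule.gateway
    return "Default deny rule", None


def trace(p: Packet) -> Tuple[str, Optional[str], str, Optional[str]]:
    """(destination seen by the filter, rdr hit, filter hit, gateway)."""
    translated, rdr_hit = apply_rdr(p)
    rule, gateway = filter_lan(translated)
    return f"{translated.dst}:{translated.dport}", rdr_hit, rule, gateway


if __name__ == "__main__":
    client = "192.168.1.50"                                # constructed LAN client
    for pkt in (Packet(client, "203.0.113.10", 80),        # HTTP to the Internet
                Packet(client, "203.0.113.10", 443),       # HTTPS to the Internet
                Packet(client, LAN_ADDRESS, 80),           # web GUI of the firewall
                Packet(client, LAN_ADDRESS, 53, "UDP"),    # DNS on the firewall
                Packet(client, "8.8.8.8", 53, "UDP")):     # DNS to the Internet
        print(f"{pkt.dst}:{pkt.dport}/{pkt.proto} -> {trace(pkt)}")
```

Two things the trace makes visible: only TCP/80 to non-RFC1918 destinations is proxied, so HTTPS and traffic to any private network bypass the cache entirely, and every non-local flow that reaches the default rule, DNS to 8.8.8.8 included, is pinned to WAN_LTE_GW_GROUP rather than to the system routing table.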

Firewall: Rules: LTE

2 automatically generated rules:

Action/Dir/Match	IP	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/lastMatch	IPv4+6	UDP	*	67	*	68	*	*	allow DHCP client on LTE
pass/out/lastMatch	IPv4+6	UDP	*	68	*	67	*	*	allow DHCP client on LTE

Firewall: Rules: WAN

2 automatically generated rules:

Action/Dir/Match	IP	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/lastMatch	IPv4+6	UDP	*	67	*	68	*	*	allow DHCP client on WAN
pass/out/lastMatch	IPv4+6	UDP	*	68	*	67	*	*	allow DHCP client on WAN