Difference between revisions of "OPNsense"

From wiki.bastelbude.grade.de
Latest revision as of 09:56, 6 December 2022

installation

prerequisite

aim

see also: https://forum.opnsense.org/index.php?topic=22108.0

              Internet                 Internet
                 :                         :
     DSL-Provider:(2.5Mbit/s)  LTE-Provider:(100GB/month)
                 :                         :
                 :                         :
             .---+----.               .----+-----.
             |fritzBox|  NAT-Routers  | SpeedBox |
             '---+----'               '----+-----'
                 |                         |
         192.168.178.1/24            192.168.0.1/24
                 |                         |
               DHCP                       DHCP
                 |                         |
                 |      .----------.       |
                 +-WAN--| OPNsense |--LTE--+
                        '----+-----' 
                             |
                            LAN 
                       192.168.1.1/24
                             |
                            DHCP
                             |
                             |
                     ...-----+-----...
                     (Clients/Servers)
  • DSL speed is very low: switch to LTE
  • LTE data volume is limited: fail over to DSL
  • cache Windows updates to save bandwidth and download volume

setup

  • Versions: OPNsense 21.1.1-amd64
  • CPU type: AMD GX-412TC SOC (4 cores)

Interfaces: [LAN]

  • Device: igb0
  • IPv4 Configuration Type: static IPv4
  • IPv6 Configuration Type: None

Interfaces: [WIFI]

  • Device: ath0_wlan1

Interfaces: [WAN]

  • Device: igb1
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

Interfaces: [LTE]

  • Device: igb2
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

System: Gateways: Single

WAN_GW

  • Interface: WAN
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 8.8.8.8

LTE_GW

  • Interface: LTE
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 1.1.1.1

System: Gateways: Group

WAN_LTE_GW_GROUP

  • Gateway Priority: LTE_GW: Tier1
  • Gateway Priority: WAN_GW: Tier2
  • Trigger Level: Packet Loss
  • Description: failover group

System: Settings: Administration

  • (Secure Shell)

System: Settings: General

  • DNS servers: 8.8.8.8 WAN_GW
  • DNS servers: 1.1.1.1 LTE_GW
  • Gateway switching: Allow default gateway switching
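As an added illustration (not OPNsense code), the following Python models how the tiered gateway group above picks its active gateway under a given trigger level. The gateway names and tiers are the page's; the loss/latency thresholds and the monitor samples are assumed values constructed for the example. It goes slightly beyond the page by covering the other trigger levels OPNsense offers (Member Down, High Latency, Packet Loss or High Latency), to show why "Packet Loss" fails over earlier than "Member Down".

```python
from dataclasses import dataclass


@dataclass
class GatewayStatus:
    """One sample from the gateway monitor for a single gateway."""
    name: str
    loss_pct: float     # packet loss towards the monitor IP, in percent
    latency_ms: float   # round-trip time towards the monitor IP, in ms


# Tiers as configured under System: Gateways: Group on this page:
# LTE_GW is preferred (Tier1), WAN_GW is the failover (Tier2).
WAN_LTE_GW_GROUP = {"LTE_GW": 1, "WAN_GW": 2}

# Assumed low/high thresholds (hypothetical values; the real ones are set per
# gateway in its advanced settings). Exceeding a low threshold puts the
# gateway into a warning state, exceeding a high threshold marks it down.
LOSS_LOW_PCT, LOSS_HIGH_PCT = 10.0, 20.0
LATENCY_LOW_MS, LATENCY_HIGH_MS = 200.0, 500.0


def gateway_is_usable(gw: GatewayStatus, trigger: str) -> bool:
    """Apply the group's trigger level to one gateway's monitor sample.
    'Member Down' only demotes a gateway that is past the high thresholds;
    the other trigger levels already demote it in the warning state."""
    if trigger == "Member Down":
        return gw.loss_pct <= LOSS_HIGH_PCT and gw.latency_ms <= LATENCY_HIGH_MS
    if trigger == "Packet Loss":
        return gw.loss_pct <= LOSS_LOW_PCT
    if trigger == "High Latency":
        return gw.latency_ms <= LATENCY_LOW_MS
    if trigger == "Packet Loss or High Latency":
        return gw.loss_pct <= LOSS_LOW_PCT and gw.latency_ms <= LATENCY_LOW_MS
    raise ValueError(f"unknown trigger level: {trigger}")


def select_gateway(group: dict, statuses: list, trigger: str = "Packet Loss"):
    """Return the name of the usable gateway with the lowest tier number, or
    None when every member fails the trigger. Members sharing a tier would be
    load-balanced; this page uses distinct tiers, so one winner is enough."""
    by_name = {s.name: s for s in statuses}
    for name, _tier in sorted(group.items(), key=lambda kv: kv[1]):
        status = by_name.get(name)
        if status is not None and gateway_is_usable(status, trigger):
            return name
    return None


# Constructed monitor samples for the situations the page's aim describes.
ALL_HEALTHY = [GatewayStatus("LTE_GW", 0.0, 45.0), GatewayStatus("WAN_GW", 0.0, 30.0)]
LTE_LOSSY = [GatewayStatus("LTE_GW", 15.0, 45.0), GatewayStatus("WAN_GW", 0.0, 30.0)]
BOTH_DOWN = [GatewayStatus("LTE_GW", 100.0, 0.0), GatewayStatus("WAN_GW", 100.0, 0.0)]

if __name__ == "__main__":
    for label, sample in (("all healthy", ALL_HEALTHY), ("LTE lossy", LTE_LOSSY),
                          ("both down", BOTH_DOWN)):
        print(f"{label:12s} Packet Loss -> {select_gateway(WAN_LTE_GW_GROUP, sample)}"
              f" | Member Down -> {select_gateway(WAN_LTE_GW_GROUP, sample, 'Member Down')}")
```

With 15 % loss on the LTE monitor the "Packet Loss" trigger already moves traffic to WAN_GW, while "Member Down" would keep using LTE_GW until the high threshold is crossed; when both members fail, the group has no usable gateway and the default-gateway switching setting above decides what happens to new connections.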

Firewall: Aliases

  • RFC1918
  • Content: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
  • Description: private networks

Firewall: NAT: Port Forward

generated:

Status	Interface	Proto	Source Address	Source Ports	Dest Address	Dest Ports	NAT IP	NAT Ports	Description
no redirect	LAN	TCP	*	*	LAN address	80, 443	*	*	Anti-Lockout Rule

man-made (make Web-Proxy transparent):

Status	Interface	Proto	Source Address	Source Ports	Dest Address	Dest Ports	NAT IP	NAT Ports	Description
enabled	LAN	TCP	LAN1 net	*	! RFC1918	80 (HTTP)	127.0.0.1	3128	redirect outbound traffic to proxy

Firewall: NAT: Outbound

Mode: Automatic outbound NAT rule generation

Status	Interface	Source	Source Port	Destination	Destination Port	NAT Address	NAT Port	Static Port	Description
enabled	LTE	LAN1 networks, Loopback networks, 127.0.0.0/8	*	*	500	LTE	*	YES	Auto created rule for ISAKMP
enabled	LTE	LAN1 networks, Loopback networks, 127.0.0.0/8	*	*	*	LTE	*	NO	Auto created rule
enabled	WAN	LAN1 networks, Loopback networks, 127.0.0.0/8	*	*	500	WAN	*	YES	Auto created rule for ISAKMP
enabled	WAN	LAN1 networks, Loopback networks, 127.0.0.0/8	*	*	*	WAN	*	NO	Auto created rule

Firewall: Rules: Floating

17 automatically generated rules (excerpt):

Action/Dir/Match	Version	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
block/in/firstMatch	IPv6	*	*	*	*	*	*	*	Block all IPv6
block/in/lastMatch	IPv4+6	*	*	*	*	*	*	*	Default deny rule
...
pass/out/lastMatch	IPv4+6	*	*	*	*	*	*	*	let out anything from firewall host itself
pass/out/lastMatch	IPv4+6	*	igb2	*	*	*	LTE_GW	*	let out anything from firewall host itself (force gw)
pass/out/lastMatch	IPv4+6	*	igb1	*	*	*	WAN_GW	*	let out anything from firewall host itself (force gw)

Firewall: Rules: LAN

4 automatically generated rules:

Action/Dir/Match	Version	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/firstMatch	IPv4	UDP	*	68	255.255.255.255	67	*	*	allow access to DHCP server
pass/in/firstMatch	IPv4+6	UDP	*	68	(self)	67	*	*	allow access to DHCP server
pass/out/firstMatch	IPv4+6	UDP	(self)	67	*	68	*	*	allow access to DHCP server
pass/in/firstMatch	IPv4+6	TCP	*	*	(self)	80 443	*	*	anti-lockout rule

man-made rules:

Action/Dir/Match	Version	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/firstMatch	IPv4	TCP/UDP	*	*	127.0.0.1	3128	*	*	allow NAT Proxy
pass/in/firstMatch	IPv4	TCP/UDP	*	*	192.168.1.1	3128	*	*	local route PROXY
pass/in/firstMatch	IPv4	TCP/UDP	*	*	192.168.1.1	53 (DNS)	*	*	local route DNS
pass/in/firstMatch	IPv4	any	LAN net	*	*	*	WAN_LTE_GW_GROUP	*	Default allow LAN to any rule
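The following Python is an added example (not OPNsense or pf code) that walks a LAN client's packet through the man-made port-forward rule from "Firewall: NAT: Port Forward" and then through the man-made LAN rules above, in first-match order. The alias, addresses, ports and rule descriptions are the page's; the sample packets use constructed addresses. It shows why the "allow NAT Proxy" rule for 127.0.0.1:3128 has to exist, and that only plaintext HTTP (port 80) reaches the transparent proxy while HTTPS and traffic to RFC1918 destinations pass through untouched.

```python
import ipaddress
from dataclasses import dataclass, replace

# Firewall: Aliases -> RFC1918 ("private networks"), as listed on this page
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
# "LAN1 net" / "LAN net": the LAN interface is 192.168.1.1/24 on this page
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # destination port (0 for ICMP)


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def nat_port_forward(pkt: Packet) -> Packet:
    """Firewall: NAT: Port Forward, the man-made rule on this page:
    interface LAN, TCP, source 'LAN1 net', destination '! RFC1918',
    port 80 (HTTP) -> 127.0.0.1:3128. Returns the possibly rewritten packet.
    Only port 80 is listed, so HTTPS (443) never goes through the proxy, and
    the '! RFC1918' negation keeps traffic to the local routers direct."""
    if (pkt.proto == "TCP" and in_any(pkt.src, [LAN_NET])
            and not in_any(pkt.dst, RFC1918) and pkt.dport == 80):
        return replace(pkt, dst="127.0.0.1", dport=3128)
    return pkt


# Firewall: Rules: LAN, man-made rules in the order shown on the page; first
# match wins. Each entry: (protocols or None for any, source network or None,
# destination address or None, destination port or None, description).
LAN_RULES = [
    ({"TCP", "UDP"}, None,    "127.0.0.1",   3128, "allow NAT Proxy"),
    ({"TCP", "UDP"}, None,    "192.168.1.1", 3128, "local route PROXY"),
    ({"TCP", "UDP"}, None,    "192.168.1.1", 53,   "local route DNS"),
    (None,           LAN_NET, None,          None, "Default allow LAN to any rule"),
]


def match_lan_rule(pkt: Packet) -> str:
    """Return the description of the first LAN rule that passes the packet,
    or 'block' when none matches (the floating 'Default deny rule' then applies)."""
    for protos, src_net, dst, dport, desc in LAN_RULES:
        if protos is not None and pkt.proto not in protos:
            continue
        if src_net is not None and not in_any(pkt.src, [src_net]):
            continue
        if dst is not None and pkt.dst != dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return desc
    return "block"


def walk(pkt: Packet) -> tuple:
    """pf applies the redirect before filtering, so the LAN rule set sees the
    rewritten destination; that is why the 'allow NAT Proxy' rule for
    127.0.0.1:3128 must exist. Returns (dst, dport, matching rule)."""
    after_nat = nat_port_forward(pkt)
    return after_nat.dst, after_nat.dport, match_lan_rule(after_nat)


if __name__ == "__main__":
    # Constructed sample packets from a LAN client (203.0.113.10 is a TEST-NET address).
    for p in (Packet("192.168.1.50", "203.0.113.10", "TCP", 80),
              Packet("192.168.1.50", "203.0.113.10", "TCP", 443),
              Packet("192.168.1.50", "192.168.178.1", "TCP", 80),
              Packet("192.168.1.50", "192.168.1.1", "UDP", 53)):
        print(p, "->", walk(p))
```

The fourth LAN rule's gateway (WAN_LTE_GW_GROUP) is not modelled here; everything that rule passes is routed by the gateway group, while the three rules before it deliberately have no gateway so that proxy and DNS traffic stays on the firewall host itself.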

Firewall: Rules: LTE

2 automatically generated rules:

Action/Dir/Match	Version	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/lastMatch	IPv4+6	UDP	*	67	*	68	*	*	allow DHCP client on LTE
pass/out/lastMatch	IPv4+6	UDP	*	68	*	67	*	*	allow DHCP client on LTE

Firewall: Rules: WAN

2 automatically generated rules:

Action/Dir/Match	Version	Proto	Source	Port	Destination	Port	Gateway	Schedule	Description
pass/in/lastMatch	IPv4+6	UDP	*	67	*	68	*	*	allow DHCP client on WAN
pass/out/lastMatch	IPv4+6	UDP	*	68	*	67	*	*	allow DHCP client on WAN

Services: DHCPv4: [LAN]

  • Subnet: 192.168.1.0
  • Subnet mask: 255.255.255.0
  • Range: from 192.168.1.10 to 192.168.1.245

Services: Web Proxy: Administration

General Proxy Settings

  • Enable proxy: yes
  • User error pages: Squid

Local Cache Settings

  • Memory Cache size in Megabytes: 256
  • Enable local cache: yes
  • Cache size in Megabytes: 10240
  • Enable Linux Package Cache: yes
  • Enable Windows Update Cache: yes

Forward Proxy

  • Proxy interfaces: LAN
  • Proxy port: 3128
  • Enable Transparent HTTP proxy: yes
  • Allow interface subnets: yes

stuck at boot after update

  • connect to the serial console
  • configure a network interface with dhclient igb1 (WAN in this case)
  • revert the last update with opnsense-revert opnsense