OPNsense

From wiki.bastelbude.grade.de
Revision as of 12:32, 17 March 2021 by Kannix (talk | contribs) (Firewall: Rules: LAN)

installation

prerequisite

aim

              Internet                 Internet
                 :                         :
     DSL-Provider:(2.5Mbit/s)  LTE-Provider:(100GB/month)
                 :                         :
                 :                         :
             .---+----.               .----+-----.
             |fritzBox|  NAT-Routers  | SpeedBox |
             '---+----'               '----+-----'
                 |                         |
         192.168.178.1/24            192.168.0.1/24
                 |                         |
               DHCP                       DHCP
                 |                         |
                 |      .----------.       |
                 +-WAN--| OPNsense |--LTE--+
                        '----+-----' 
                             |
                            LAN 
                       192.168.1.1/24
                             |
                            DHCP
                             |
                             |
                     ...-----+-----...
                     (Clients/Servers)
  • DSL speed is very low, switch to LTE
  • LTE data-volume is limited, failover to DSL
  • cache Windows updates to save bandwidth and download volume

setup

  • Version: OPNsense 21.1.1-amd64
  • CPU type: AMD GX-412TC SOC (4 cores)

Interfaces: [LAN]

  • Device: igb0
  • IPv4 Configuration Type: static IPv4
  • IPv6 Configuration Type: None

Interfaces: [WIFI]

  • Device: ath0_wlan1

Interfaces: [WAN]

  • Device: igb1
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

Interfaces: [LTE]

  • Device: igb2
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None

System: Gateways: Single

WAN_GW

  • Interface: WAN
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 8.8.8.8

LTE_GW

  • Interface: LTE
  • Address Family: IPv4
  • IP address: dynamic
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 1.1.1.1

System: Gateways: Group

WAN_LTE_GW_GROUP

  • Gateway Priority: LTE_GW: Tier1
  • Gateway Priority: WAN_GW: Tier2
  • Trigger Level: Packet Loss
  • Description: failover group

System: Settings: Administration

  • (Secure Shell)

System: Settings: General

  • DNS servers: 8.8.8.8 WAN_GW
  • DNS servers: 1.1.1.1 LTE_GW
  • Gateway switching: Allow default gateway switching

Firewall: Aliases

  • RFC1918
  • Content: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
  • Description: private networks

Firewall: NAT: Port Forward

Anti-Lockout rule

system default

redirect traffic to proxy

Interface  Proto  Source    Src port  Destination  Dst port   NAT IP     NAT port
LAN1       TCP    LAN1 net  *         ! RFC1918    80 (HTTP)  127.0.0.1  3128

(makes the transparent web proxy work: HTTP from the LAN to non-RFC1918 destinations is redirected to the local proxy on port 3128)

Firewall: NAT: Outbound

  • Mode: Automatic outbound NAT rule generation

Auto created rule for ISAKMP

Interface  Source                                         Src port  Destination  Dst port  NAT address  NAT port  Static port
WAN        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            500       WAN          *         YES
LTE        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            500       LTE          *         YES

Auto created rule

WAN        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            *         WAN          *         NO
LTE        LAN1 networks, Loopback networks, 127.0.0.0/8  *         *            *         LTE          *         NO

Firewall: Rules: Floating

17 Automatically generated rules

Proto     Source  Port  Destination  Port  Gateway  Schedule  Description
IPv6 *    *       *     *            *     *        *         Block all IPv6
IPv4+6 *  *       *     *            *     *        *         Default deny rule
...
IPv4+6 *  *       *     *            *     *        *         let out anything from firewall host itself
IPv4+6 *  igb2    *     *            *     LTE_GW   *         let out anything from firewall host itself (force gw)
IPv4+6 *  igb1    *     *            *     WAN_GW   *         let out anything from firewall host itself (force gw)


Firewall: Rules: LAN

4 Automatically generated rules

Action               Proto           Source   Port  Destination      Port      Gateway           Schedule  Description
pass/in/firstMatch   IPv4   UDP      *        68    255.255.255.255  67        *                 *         allow access to DHCP server
pass/in/firstMatch   IPv4+6 UDP      *        68    (self)           67        *                 *         allow access to DHCP server
pass/out/firstMatch  IPv4+6 UDP      (self)   67    *                68        *                 *         allow access to DHCP server
pass/in/firstMatch   IPv4+6 TCP      *        *     (self)           80 443    *                 *         anti-lockout rule

pass/in/firstMatch   IPv4   TCP/UDP  *        *     127.0.0.1        3128      *                 *         allow NAT Proxy
pass/in/firstMatch   IPv4   TCP/UDP  *        *     192.168.1.1      3128      *                 *         local route PROXY
pass/in/firstMatch   IPv4   TCP/UDP  *        *     192.168.1.1      53 (DNS)  *                 *         local route DNS
pass/in/firstMatch   IPv4   any      LAN net  *     *                *         WAN_LTE_GW_GROUP  *         Default allow LAN to any rule
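An added Python model (written for this page, not OPNsense code) of the port-forward and LAN rules above: it applies the redirect before the LAN filter as pf does, shows that the "! RFC1918" exclusion keeps HTTP to private addresses off the proxy, and shows why the local-route rules must sit before the policy-routed default rule so traffic to the firewall itself is not forced out via the gateway group. The client 192.168.1.50 and destination 93.184.216.34 are constructed test values.

```python
import ipaddress

# Constructed model of the page's rules; not code from OPNsense or the wiki.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")          # "LAN net" on 192.168.1.1/24

def in_rfc1918(ip):
    """True if ip falls inside the RFC1918 alias."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def port_forward(proto, src, dst, dport):
    """Firewall: NAT: Port Forward: TCP, LAN net -> ! RFC1918, port 80 => 127.0.0.1:3128."""
    if proto == "TCP" and ipaddress.ip_address(src) in LAN_NET \
            and not in_rfc1918(dst) and dport == 80:
        return "127.0.0.1", 3128
    return dst, dport                                      # no redirect

# Firewall: Rules: LAN, user rules in order (first match wins):
# (protocols, source, destination, port, gateway, description); None means "*"
LAN_RULES = [
    ({"TCP", "UDP"}, None, "127.0.0.1", 3128, "*", "allow NAT Proxy"),
    ({"TCP", "UDP"}, None, "192.168.1.1", 3128, "*", "local route PROXY"),
    ({"TCP", "UDP"}, None, "192.168.1.1", 53, "*", "local route DNS"),
    # policy-routed: anything matching here is sent to the gateway group
    (None, LAN_NET, None, None, "WAN_LTE_GW_GROUP", "Default allow LAN to any rule"),
]

def lan_filter(proto, src, dst, dport):
    """Return (description, gateway) of the first matching LAN rule, else the floating default deny."""
    for protos, rsrc, rdst, rport, gw, desc in LAN_RULES:
        if protos is not None and proto not in protos:
            continue
        if rsrc is not None and ipaddress.ip_address(src) not in rsrc:
            continue
        if rdst is not None and rdst != dst:
            continue
        if rport is not None and rport != dport:
            continue
        return desc, gw
    return "Default deny rule", None

def evaluate(proto, src, dst, dport):
    """pf applies rdr before the filter, so the LAN rules see the translated destination."""
    ndst, nport = port_forward(proto, src, dst, dport)
    rule, gw = lan_filter(proto, src, ndst, nport)
    return {"dst": ndst, "dport": nport, "rule": rule, "gateway": gw}

if __name__ == "__main__":
    for pkt in (("TCP", "192.168.1.50", "93.184.216.34", 80),   # proxied
                ("TCP", "192.168.1.50", "192.168.178.1", 80),   # private: not proxied
                ("UDP", "192.168.1.50", "192.168.1.1", 53)):    # local DNS, no gateway
        print(pkt, "->", evaluate(*pkt))
```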


Firewall: Rules: LTE

2 Automatically generated rules

Action              Proto       Source  Port  Destination  Port  Gateway  Schedule  Description
pass/in/lastMatch   IPv4+6 UDP  *       67    *            68    *        *         allow DHCP client on LTE
pass/out/lastMatch  IPv4+6 UDP  *       68    *            67    *        *         allow DHCP client on LTE