
OPNsense Firewall & Router


Last updated 9 months ago

Given the increasing threats to data and systems, I've proactively set up and configured a firewall as the initial step in securing my network.

Objectives

  • Configure OPNsense firewall and routing services

  • Access and make changes via the web GUI

  • Enable SSH and Console access

  • Configure a VLAN (untrusted network) for home IoT devices and guests

  • Enable DHCPv4 and create a scope of IP addresses for devices that connect automatically

  • Set Pi-hole as primary DNS server

Install OPNsense on the mini PC

I inserted a bootable USB and started installing OPNsense. I chose to skip configuring LAGGs and VLANs at that point because I planned to do it later through the web GUI.

I set up my first Ethernet port “igc0” as a WAN interface, and I connected the ISP modem to this port.

Then I set up the second port “igc1” as a LAN interface, and this is connected to my managed switch.

My mini PC came with four Ethernet ports in total, so I left the other two ports unassigned for security reasons.

Once I had configured the interfaces, I was taken to the login prompt, where I entered “installer” as the username and “opnsense” as the password to continue the installation.

I continued with the default keymap, selected the ZFS install, and chose stripe (no redundancy).

Note: I prefer ZFS for my file system because ZFS handles power failure much better than UFS. ZFS uses more RAM, but my hardware has 8 GB of RAM, so there will be no trouble using ZFS.

After the reboot, the console showed the WAN and LAN interfaces.

Configure OPNsense via web GUI

  • Web GUI: https://<LAN IP address>/

  • Rename my domain and hostname

    I went to System > Settings > General to set the domain to “myhomenetwork1.com” and the hostname to “EdgeFW”.

  • Set listen interface and enable SSH/console

    Next, I navigated to System > Settings > Administration and set the listening interfaces to “LAN” only. This helps limit access to the web GUI from VLAN clients and VPN clients.

I also enabled Secure Shell and the serial console in case I needed them.

When connecting via the serial console, the baud rate is 115200.

Create VLAN for untrusted network (guest network)

I wanted a VLAN dedicated to all of my IoT devices and guests, so that their traffic is kept separate from my trusted network, which improves both security and manageability. I could achieve the same separation by subnetting with a second switch, but because a VLAN is virtual and can be configured on the existing managed switch and wireless access point, this approach is more cost-effective for me.

In the OPNsense web GUI, I navigated to Interfaces > Other Types > VLAN.

A VLAN is created on top of a physical interface, so I set my LAN interface “igc1” as the parent, gave the VLAN tag 100, kept the VLAN priority at its default, and entered “UNTRUSTED” as the description.

Next, I navigated to Interfaces > Assignments, where I assigned the newly created VLAN to a new interface. Besides LAN and WAN, I now had a third interface, named IoTs.

Then I navigated to Interfaces > GuestNetwork, configured the interface, and set its static IPv4 address to 192.168.2.1/24.

This is enough for now; I will continue documenting the guest network in a separate document.

DHCPv4 and DNS configuration

I enabled a scope of IP addresses for new devices that connect to my network. I kept this scope small, mainly because I want to reserve static IP addresses for my other services.

First, I went to Services > ISC DHCPv4 > LAN and set the range from 192.168.1.100 to 192.168.1.149.

I did the same for the IoTs interface under Services > ISC DHCPv4 > IoTs, with a range from 192.168.2.100 to 192.168.2.149.

I am also running Pi-hole as my DNS server, so I entered its IP address as the DNS server here.
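Before committing an address plan like the one above (LAN and VLAN subnets, small DHCP scopes, Pi-hole as DNS, web GUI listening on LAN only) to the firewall, it is worth checking that the pieces are consistent with each other: the subnets must not overlap, the DHCP pool must lie inside its subnet and must never be able to lease the gateway's or the DNS server's address to a random client, and the management listen interfaces must name real interfaces. The following script is an added example and is not part of this page or of OPNsense; it models the configuration described in the VLAN and DHCPv4 sections with Python's standard ipaddress module. The Pi-hole address 192.168.1.10 is an assumption, since the page does not state it, and the BAD_PLAN counter-example is constructed to show what the checks catch.

```python
"""Sanity-check a segmented home network plan before applying it in OPNsense.

Added example, not OPNsense's own code. The layout mirrors the page: LAN on igc1 at
192.168.1.1/24, VLAN 100 "UNTRUSTED" (interface IoTs) at 192.168.2.1/24, DHCP pools
.100-.149 on both, web GUI listening on LAN only. The Pi-hole address 192.168.1.10
is an assumption; the page does not give it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    name: str                       # OPNsense interface name (LAN, IoTs, ...)
    parent: str                     # physical NIC the segment rides on
    network: IPv4Network            # the segment's subnet
    gateway: IPv4Address            # the firewall's address on this segment
    vlan_tag: Optional[int] = None  # None for the untagged parent itself
    dhcp_pool: Optional[Tuple[IPv4Address, IPv4Address]] = None


PIHOLE_DNS = ip_address("192.168.1.10")  # assumption: Pi-hole's static address
MGMT_LISTEN: Set[str] = {"LAN"}          # System > Settings > Administration

# Constructed plan mirroring the page.
PLAN: List[Segment] = [
    Segment("LAN", "igc1", ip_network("192.168.1.0/24"), ip_address("192.168.1.1"),
            dhcp_pool=(ip_address("192.168.1.100"), ip_address("192.168.1.149"))),
    Segment("IoTs", "igc1", ip_network("192.168.2.0/24"), ip_address("192.168.2.1"),
            vlan_tag=100, dhcp_pool=(ip_address("192.168.2.100"), ip_address("192.168.2.149"))),
]

# Constructed counter-example: IoT subnet overlaps the LAN; LAN pool can lease the
# gateway's and the DNS server's address to any client.
BAD_PLAN: List[Segment] = [
    Segment("LAN", "igc1", ip_network("192.168.1.0/24"), ip_address("192.168.1.1"),
            dhcp_pool=(ip_address("192.168.1.1"), ip_address("192.168.1.254"))),
    Segment("IoTs", "igc1", ip_network("192.168.1.128/25"), ip_address("192.168.1.129"),
            vlan_tag=100),
]


def validate_plan(plan: List[Segment], dns_server: IPv4Address,
                  mgmt_listen: Set[str]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []

    # Segments must not share address space, or routing and firewall rules become ambiguous.
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{a.name}/{b.name}: {a.network} and {b.network} overlap")

    # 802.1Q tags are 1..4094 and must be unique per parent NIC.
    tags_seen: Dict[Tuple[str, int], str] = {}
    for s in plan:
        if s.vlan_tag is None:
            continue
        if not 1 <= s.vlan_tag <= 4094:
            problems.append(f"{s.name}: VLAN tag {s.vlan_tag} outside 1..4094")
        if (s.parent, s.vlan_tag) in tags_seen:
            problems.append(f"{s.name}: tag {s.vlan_tag} already used by {tags_seen[(s.parent, s.vlan_tag)]}")
        tags_seen[(s.parent, s.vlan_tag)] = s.name

    # Gateway and pool must lie in the subnet, and the pool must not be able to
    # lease the gateway's or the DNS server's address to an arbitrary client.
    for s in plan:
        if s.gateway not in s.network:
            problems.append(f"{s.name}: gateway {s.gateway} not in {s.network}")
        if s.dhcp_pool is None:
            continue
        lo, hi = s.dhcp_pool
        if lo > hi or lo not in s.network or hi not in s.network:
            problems.append(f"{s.name}: DHCP range {lo}-{hi} is not a valid range inside {s.network}")
        if lo <= s.gateway <= hi:
            problems.append(f"{s.name}: gateway {s.gateway} sits inside the DHCP pool")
        if lo <= dns_server <= hi:
            problems.append(f"{s.name}: DNS server {dns_server} sits inside the DHCP pool")

    # The DNS server has to live on a segment the firewall actually has.
    if not any(dns_server in s.network for s in plan):
        problems.append(f"DNS server {dns_server} is on no configured segment")

    # Listen interfaces must name real segments, otherwise the GUI binds nowhere.
    for name in sorted(mgmt_listen - {s.name for s in plan}):
        problems.append(f"management listen interface {name!r} does not exist")
    return problems


def mgmt_bound_addresses(plan: List[Segment], mgmt_listen: Set[str]) -> Set[IPv4Address]:
    """Firewall addresses the web GUI and SSH will be bound to."""
    return {s.gateway for s in plan if s.name in mgmt_listen}


def static_space(seg: Segment) -> int:
    """Usable host addresses left for static assignment (pool and gateway excluded)."""
    usable = seg.network.num_addresses - 2  # drop network and broadcast addresses
    pool = 0 if seg.dhcp_pool is None else int(seg.dhcp_pool[1]) - int(seg.dhcp_pool[0]) + 1
    return usable - pool - 1


if __name__ == "__main__":
    for plan in (PLAN, BAD_PLAN):
        print(validate_plan(plan, PIHOLE_DNS, MGMT_LISTEN) or ["plan OK"])
    print("GUI bound on:", sorted(str(a) for a in mgmt_bound_addresses(PLAN, MGMT_LISTEN)))
```

Running it reports the page's plan as consistent, shows that the GUI is bound only on 192.168.1.1, and leaves 203 addresses per /24 for static assignment with a 50-address pool. The counter-example is flagged three times: the overlapping subnets, and the gateway and DNS server both sitting inside the LAN pool. Keeping the DNS server and gateway outside the dynamic range matters because a client that obtained one of those addresses by lease would silently break resolution or routing for the whole segment.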