Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • OPNsense Beginner to Professional
  • Toc
  • feedback
OPNsense Beginner to Professional

OPNsense Beginner to Professional

By : Camargo
4.3 (8)
close
OPNsense Beginner to Professional

OPNsense Beginner to Professional

4.3 (8)
By: Camargo

Overview of this book

OPNsense is one of the most powerful open source firewalls and routing platforms available. With OPNsense, you can now protect networks using features that were only previously available to closed source commercial firewalls. This book is a practical guide to building a comprehensive network defense strategy using OPNsense. You’ll start with the basics, understanding how to install, configure, and protect network resources using native features and additional OPNsense plugins. Next, you’ll explore real-world examples to gain in-depth knowledge of firewalls and network defense. You’ll then focus on boosting your network defense, preventing cyber threats, and improving your knowledge of firewalling using this open source security platform. By the end of this OPNsense book, you’ll be able to install, configure, and manage the OPNsense firewall by making the most of its features.
Table of Contents (25 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: Initial Configuration
Section 1: Initial Configuration
Free Chapter
2
Chapter 1: An OPNsense Overview
chevron up
Chapter 1: An OPNsense Overview
About the OPNsense project
Rock-solid FreeBSD – HardenedBSD
Why OPNsense?
Features and common deployments
Where to get help?
Summary
3
Chapter 2: Installing OPNsense
Chapter 2: Installing OPNsense
Technical requirements
Versions and requirements
Downloading and installing OPNsense
Updating firmware
Installing plugins
Advanced – Accessing the CLI through SSH
FreeBSD packages
Summary
4
Chapter 3: Configuring an OPNsense Network
Chapter 3: Configuring an OPNsense Network
Technical requirements
Hardware considerations
Basic network configuration
Types of interfaces
Exploring virtual IPs
Network diagnostics and troubleshooting
Summary
5
Chapter 4: System Configuration
Chapter 4: System Configuration
Technical requirements
Managing users and groups
External authentication
Certificates – a brief introduction
General settings
Advanced settings
Configuration backup
Summary
6
Section 2: Securing the Network
Section 2: Securing the Network
7
Chapter 5: Firewall
Chapter 5: Firewall
Technical requirements
Understanding firewalling concepts
Firewall aliases
The firewall rules
Firewall settings
Diagnostics and troubleshooting
Summary
8
Chapter 6: Network Address Translation (NAT)
Chapter 6: Network Address Translation (NAT)
Technical requirements
NAT concepts
Port forwarding
Outbound NAT
One-to-one NAT
Summary
9
Chapter 7: Traffic Shaping
Chapter 7: Traffic Shaping
Technical requirements
Introduction to traffic shaping
Possible scenarios
Creating rules
Monitoring
Summary
10
Chapter 8: Virtual Private Networking
Chapter 8: Virtual Private Networking
Technical requirements
OPNsense core VPN types
Site-to-site deployments using IPsec
VPN deployments using OpenVPN
OpenVPN diagnostics
Summary
11
Chapter 9: Multi-WAN – Failover and Load Balancing
Chapter 9: Multi-WAN – Failover and Load Balancing
Technical requirements
Failover and load balancing
Policy-based routing
Troubleshooting
Summary
12
Chapter 10: Reporting
Chapter 10: Reporting
Technical requirements
System health graphs
Understanding Netflow and how to use it
Exploring real-time traffic
Troubleshooting common problems in the network using Netflow and graphs
Summary
13
Section 3: Going beyond the Firewall
Section 3: Going beyond the Firewall
14
Chapter 11: Deploying DHCP in OPNsense
Chapter 11: Deploying DHCP in OPNsense
Technical requirements
DHCP concepts
DHCP server
DHCP relay
Diagnostics
Summary
15
Chapter 12: DNS Services
Chapter 12: DNS Services
Technical requirements
Core DNS services
DNS plugins
DDNS
Troubleshooting
Summary
16
Chapter 13: Web Proxy
Chapter 13: Web Proxy
Technical requirements
Web proxy fundamentals
Basic configuration
Web filtering
Reading logs and troubleshooting
Summary
17
Chapter 14: Captive Portal
Chapter 14: Captive Portal
Technical requirements
Captive Portal concepts
Setting up a guest network
Web proxy integration
Common issues
Summary
18
Chapter 15: Network Intrusion (Detection and Prevention) Systems
Chapter 15: Network Intrusion (Detection and Prevention) Systems
Technical requirements
IDS and IPS definition
Suricata and Netmap
Rulesets
Configuration
SSL fingerprint
Troubleshooting
Summary
19
Chapter 16: Next-Generation Firewall with Zenarmor
Chapter 16: Next-Generation Firewall with Zenarmor
Technical requirements
Layer7 application control with Zenarmor
Choosing a Zenarmor edition
Installing and setting up the Zenarmor plugin
Summary
20
Chapter 17: Firewall High Availability
Chapter 17: Firewall High Availability
Technical requirements
High availability concepts
Configuring high availability
Testing the HA configuration
Summary
21
Chapter 18: Website Protection with OPNsense
Chapter 18: Website Protection with OPNsense
Technical requirements
Publishing websites to the world
About the NGINX plugin
Installing and configuring the NGINX plugin
Adding WAF rules
Troubleshooting
Summary
22
Chapter 19: Command-Line Interface
Chapter 19: Command-Line Interface
Technical requirements
Directory structure
Managing the backend daemons
Useful system commands
Advanced customization
Filtering log files
Summary
23
Chapter 20: API – Application Programming Interface
Chapter 20: API – Application Programming Interface
Technical requirements
Concepts
Setting up API keys
API calls
Summary
Why subscribe?
24
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Features and common deployments

Let's dive into OPNsense's core features and the most common scenarios to deploy it.

Core features

What are the core features? The OPNsense core features all come with the default OPNsense installation, without any additional plugins.

The core features are as follows:

  • 802.1Q virtual LAN (VLAN) support: The IEEE's 802.1Q, also known as Dot1q, is a network standard for supporting VLANs. This allows us to set a lot of different networks, with logical divisions or broadcast domains, using a VLAN-capable network switch. This is very useful when we need to define different networks using a single physical network interface, with which we can separate packets from different networks sources, using VLAN tagging. We will explore this in more detail in Chapter 3, Configuring an OPNsense Network.
  • Stateful inspection firewall: OpenBSD's PF firewall, or just pf, was ported to FreeBSD in version 5.3. This packet filter is very flexible and easy to use. As someone who comes from the Linux world, I must admit it's easier to understand than iptables. The OPNsense webGUI generates the pf rules that are used for packet filtering and Network Address Translation (NATs). If, like me, you're a curious person and have access to a running OPNsense firewall, you can sneak a peak at the /tmp/rules.debug file to see some of the pf rules. But be warned – don't touch anything there yet! In Chapter 5, Firewall, we will dive into the world of firewalls. If you are not running OPNsense yet, don't worry! In the next chapter, we'll install and configure it.
  • Traffic shaper: OPNsense uses another firewall component, ipfw, the native packet filtering for FreeBSD, to classify and prioritize packets for the traffic shaping. With a traffic shaper, you'll be able to limit and reserve bandwidth and prioritize Quality of Service (QoS) traffic.
  • DHCP server and relay: The Dynamic Host Configuration Protocol (DHCP), as the name suggests, is a protocol to lease IP addresses to hosts in a network. OPNsense has both server and relay capabilities; the most common one, the DHCP server, is used to set an address pool configured dynamically to hosts on the network. The second one is used when hosts can't access the DHCP server directly, such as if the DHCP server relies on another network segment.
  • DNS forwarder: The Domain Name System (DNS) is the base of our modern internet; without it, we would need to know every website IP address to access it. The DNS server and forwarder do the job of resolving domains to IP addresses. OPNsense has more than one native service to do this job, Unbound and Dnsmasq; both are resolvers. To enable a DNS server, such as Bind, you will need to install the Bind plugin. We will talk about plugins in the next chapter. The default option in the core OPNsense installation is the Unbound service.
  • Dynamic DNS (DDNS): OPNsense has a dynamic DNS client to update its hostname to an external DNS service. This is often used to access OPNsense externally while using a dynamic IP address; in this way, every time the ISP's IP address changes, the DDNS client will update the hostname in the external DNS service. Otherwise, you will only be able to access OPNsense by externally finding a way to discover which IP address your OPNsense machine is using at the moment.

    Important Note

    Dynamic DNS is a plugin installed by default on OPNsense.

  • Intrusion Prevention System (IPS): Also known as an IDS, an IPS, or an IDPS, this is one of the most significant improvements in OPNsense compared to pfSense. The service used for pfSense is Suricata. Unlike Snort, which was used in the pfSense versions back in 2015 (when OPNsense was forked from it), it runs multithreaded. The OPNsense team implemented support for netmap, a network framework for high-speed packet processing. Moreover, the OPNsense project has Proofpoint support, which allows its users to use a high-quality ruleset. Instead of blocking a source or destination IP after matching a rule (as pfSense's IPS implementation used to work), OPNsense now just blocks the connection that corresponds with a rule, if in IPS mode; otherwise, it is in IDS mode, it will just alert. How does this improve IPS filtering? Suppose that one host in your LAN matches with an IPS rule, and it's a false positive if the system blocks the source IP. The host will stop communicating with the internet, and the user will be calling your boss, complaining about you and the firewall. However, if the IPS blocks the single connection that is matching with a rule, maybe the user will notice that a single application or website has stopped working, which has to be better, right?
  • Forwarding caching proxy: This is also known as a web proxy. This service is native to OPNsense; it can be used to cache websites components like JavaScript, Cascading Style Sheets (CSS), images, fonts, and so on. You can also use it to control access to the internet using authentication, block websites with blocklists, make some basic access control lists, and intercept HTTPS/SSL traffic in transparent mode. In Chapter 13, Web Proxy, we will talk about it in detail and present some alternatives maintained by third-party developers such as CloudFence, such as installing and using those alternative plugins. What really matters is the possibility of doing high-quality web filtering using OPNsense, and it is indeed very much possible because of this open source beauty!
  • Virtual Private Network (VPN): The VPN options available in the OPNsense core are IPSec and OpenVPN. Both can be used as site-to-site and client-to-site (also known as roadwarrior) setups to connect a user securely over the internet.

Captive portal: Talking about guest networks and controlling users to join a network, this also applies to the captive portal in OPNsense. This feature can be used with the web proxy to authorize users to use the internet and has widespread usage in hotels, airports, shopping centers, and so on.

  • Built-in reporting and monitoring tools: These features can help a lot in troubleshooting scenarios. There are real-time and historical graphs, with a friendly user interface, packet capture (also known as tcpdump), and Netflow, and the list is increasing with each new version.

Here are some of the other great OPNsense features:

  • QoS
  • Two-Factor Authentication (2FA)
  • OpenVPN
  • IPSec
  • High availability (CARP)
  • A captive portal
  • Proxy
  • A web filter
  • IDPS
  • Netflow

There are many other features that can be added in OPNsense through plugins, and we will see in detail each core function and some plugins later in this book.

Note

You can obtain a full list of features at https://opnsense.org/about/features//.

Common deployments

OPNsense is very powerful and versatile and can be used in many ways. I'll try to cover the most common deployments, as follows:

  • Network router: We can use OPNsense as a network router. It even has an option to completely turn off packet filtering, which improves the network throughput a lot, becoming just a network router without firewalling and NAT functions. Without additional plugins, the routing capabilities are minimal, straightforward, and serve well in a small network. Using OPNsense as a simple network router is the same as buying a Cirrus aircraft to fly in the same airdrome forever; you know that you can fly for hundreds of miles but prefer to stay just a mile away from the same runway. As a private pilot, I can't think of anything better than this comparison.
  • Firewall with WAN failover: This is one of the most common deployments – OPNsense as a perimeter or an internal firewall. You can even use it as a cloud firewall, combined with some plugins such as the ZeroTier VPN, which we will explore in detail in Chapter 8, Virtual Private Networking. A firewall without additions will cover network Layer 3 and 4 packet filtering, and only that! In this scenario, it will probably be used to block untrusted packets from an external network. It can also be used to port forwarding (NAT and PAT) and block outgoing packets that aren't allowed to leave the LAN. When more than one WAN is available, it is possible to enable failover and outbound load balance to ensure good availability of internet access.
  • I[DP]S: Whether combined or not with the firewall function, OPNsense can be used as a great network IDS or IPS, alerting and blocking (with the IPS turned on) packets from the monitored networks. The Suricata implementation in OPNsense is very well rounded, and with suitable hardware, you can achieve a few gigabits per second of throughput.
  • Guest network wireless gateway (a guest network): With a captive portal enabled, you have a lot of control over a guest network. You can combine a firewall, WAN failover, an IPS, and a web proxy with the captive portal to build a robust solution.
  • VPN server: OPNsense has excellent support for Certificate Authority (CAs) and certificates, users, and group management, locally and externally, and you can, for example, use it as a robust OpenVPN server solution for hundreds and maybe thousands of simultaneous users, using proper hardware. It will cover two-factor authentication and many features that can be enabled to work with a VPN, such as web filtering and DNS filtering.
  • Web proxy and filtering: Using Squid as the web proxy server, OPNsense can act as a powerful web proxy and web filter. As a well-known and ubiquitous web proxy service, Squid allows you to do web proxying in transparent or explicit modes, HTTPS/SSL intercepting, web filtering with an external categories database, and so on.

There are other possible deployments, such as a web application firewall, a next-generation firewall, an advanced network router, a DNS filtering appliance, and Software Defined WAN (SD-WAN). It's not possible to cover all the possibilities in one book, but we will explore the most common ones in the following chapters.

End of Section 5
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete