Kitz ADSL Broadband Information

Author Topic: pfsense or opensense  (Read 5685 times)

burakkucat

Re: pfsense or opensense
« Reply #30 on: December 16, 2022, 04:47:55 PM »

Folks, just a gentle reminder to keep this thread on the topic for which it was created: "pfsense or opensense" (according to the Subject line, above).

Strikes, industrial action, industrial inaction, pay and conditions are all appropriate topics for discussion . . . but in a suitable thread, created in the "Chit Chat" section of this web-site.  :)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


chenks

Re: pfsense or opensense
« Reply #31 on: December 19, 2022, 05:13:41 PM »

Box arrived today.

The PSU supplied, IMO, is a bigclive special and I won't be trusting it unsupervised.
Will need to try and source one from a more reliable source.

Alex Atkin UK

Re: pfsense or opensense
« Reply #32 on: December 19, 2022, 10:59:53 PM »

Did it come with a 3A or 5A?  I was surprised mine came with only a 3A wall wart rather than the typical 5A bricks.

It didn't seem one of the worst, but obviously without seeing the isolation internally it's impossible to know.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

chenks

Re: pfsense or opensense
« Reply #33 on: December 20, 2022, 11:17:31 AM »

Quote from: Alex Atkin UK on December 19, 2022, 10:59:53 PM
Did it come with a 3A or 5A?  I was surprised mine came with only a 3A wall wart rather than the typical 5A bricks.

It didn't seem one of the worst, but obviously without seeing the isolation internally it's impossible to know.

12V 3A "Model 1230".
It's the lightest PSU I've seen so far; no faith in it at all.

Centre pin positive, so it should be easy enough to find a good replacement.

chenks

Re: pfsense or opensense
« Reply #34 on: December 20, 2022, 04:43:32 PM »

Quote from: Chrysalis
Even better :) seen your post when I submitted mine, I am going to add this repo, nice find.

Did you manage to try this and get it working?

Chrysalis

Re: pfsense or opensense
« Reply #35 on: December 20, 2022, 05:54:13 PM »

Not yet, I will try tonight if I remember.

chenks

Re: pfsense or opensense
« Reply #36 on: December 20, 2022, 05:57:00 PM »

Quote from: Chrysalis on December 20, 2022, 05:54:13 PM
Not yet, I will try tonight if I remember.

I've got the plugin installed and configured, but haven't yet enabled it for use at the moment.
I'll want to use it alongside Unbound, so I have set the port for AdGuard to 5353, but haven't yet worked out how to use it alongside Unbound quite yet, so I'm not routing any traffic through AdGuard at the moment.

Edit: got it working from the looks of it. Enabled Unbound, then set query forwarding to the AdGuard IP/port. AdGuard is now showing DNS queries, and blocked queries.
Although this might not be the correct way to do it, as all the queries in AdGuard show as coming from the router, not the individual clients.
« Last Edit: December 20, 2022, 06:11:23 PM by chenks »

chenks

Re: pfsense or opensense
« Reply #37 on: December 20, 2022, 09:04:24 PM »

After an hour or so of play, I have got my OPNsense router up and running. Set up my desired DHCP reservations, and the couple of port-forwarding instances I use.

Is this possible to do with OPNsense?

I've added my NordVPN account to OPNsense as a VPN client (using https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm, although I stopped at the Unbound part), and it's showing as connected (albeit no traffic actually routing through it just now).
I want to route either specific URLs or specific LAN clients through the VPN (i.e. not ALL traffic); I believe this will probably be policy-based routing?

Example:
I want to route all traffic from 192.168.50.10 through the VPN.
I want to route any device accessing www.blah.com through the VPN.

Chrysalis

Re: pfsense or opensense
« Reply #38 on: December 20, 2022, 11:42:18 PM »

Yeah, so if you go to the firewall rules GUI:

You can create a rule under LAN (outbound), and set specific target IPs/ports, and then just above the advanced section at the bottom you should see a Gateway option. You can choose the gateway that the hits on that rule pass through; that's policy-based routing. The policy rule needs to be above the catch-all rule.

This can be made much easier in two ways.

You can (a) make an IP alias so multiple IPs are tied to an alias, then use the alias as the target IP for the rule, or (b) make a hostname list (so for specific services/websites); then the domains will periodically be auto-resolved, and those IPs will be added to the associated rule.

For a hostname list, add an alias, set type to URL (IPs), and in the content box add hostnames such as google.com. I cannot remember if this will auto-catch subdomains also, so test, or play safe and add all the subdomains you need.
You can also use ASNs, so most likely the best way is either ASN or domain names, so e.g. you can use the Steam ASN as a catch-all for all Steam traffic.

I was going to test when I made this post, but I can see you did that side now, so thanks for posting back here on that. :)
« Last Edit: December 20, 2022, 11:45:11 PM by Chrysalis »

chenks

Re: pfsense or opensense
« Reply #39 on: December 21, 2022, 07:50:13 AM »

Quote from: Chrysalis on December 20, 2022, 11:42:18 PM
You can create a rule under LAN (outbound), and set specific target IPs/ports, and then just above the advanced section at the bottom you should see a Gateway option. You can choose the gateway that the hits on that rule pass through; that's policy-based routing. The policy rule needs to be above the catch-all rule.

Hmm, OK.
I think as a starting point I want to add a rule to force all traffic from one particular LAN client through the VPN (the client has a static local IP address).

So in Firewall: Rules: LAN
I create a new rule?
A lot of that I'm not sure what to fill out, but in the gateway section I only see WAN_DHCP, not the VPN.

Chrysalis

Re: pfsense or opensense
« Reply #40 on: December 21, 2022, 08:41:48 AM »

Is the VPN connection up and running? You won't see the gateway if it's down.

I see they have policy-based routing in the guide you linked, although I forgot to mention the outbound NAT part.

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm  steps 11-13.  In this example it's changing your catch-all (default rule).

If you're unsure of how to add LAN rules, you can copy the existing default allow LAN rule, then just edit the gateway on the copy, and add the restrictions, e.g. source IP 192.168.50.10 instead of any.  Afterwards drag it above the rule you copied from.
« Last Edit: December 21, 2022, 08:45:13 AM by Chrysalis »
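As an added illustration of the two points made in the replies above (the policy rule must sit above the catch-all, and the VPN interface needs an outbound NAT rule), here is a small Python audit of an OPNsense config.xml backup. It is my example, not code from OPNsense, NordVPN or anyone in this thread. The element names it reads (gateway_item, filter/rule, gateway, descr, nat/outbound/mode and nat/outbound/rule) follow the layout of an OPNsense backup as I remember it and the sample fragments are constructed, so treat the schema as an assumption and compare it with your own backup; it also assumes rules are "quick" (first match wins), which is the OPNsense default.

```python
"""Audit policy-based-routing rules in an (assumed-layout) OPNsense config.xml.

OPNsense rules are evaluated top-down and, being "quick" by default, the first
match wins.  A rule that sends 192.168.50.10 out through the VPN gateway
therefore has to sit ABOVE the default "allow LAN to any" rule, and the VPN
interface needs an outbound NAT rule when outbound NAT is in hybrid/manual
mode, otherwise packets leave the tunnel with a private source address.
"""
import xml.etree.ElementTree as ET

# CONSTRUCTED fragments.  The element names mirror an OPNsense config.xml
# backup (an assumption; compare with your own backup before relying on it).
GATEWAYS = """
<gateways>
  <gateway_item><interface>wan</interface><name>WAN_DHCP</name></gateway_item>
  <gateway_item><interface>opt1</interface><name>NORDVPN_VPNV4</name></gateway_item>
</gateways>"""

CATCHALL_RULE = """
<rule>
  <type>pass</type><interface>lan</interface>
  <descr>Default allow LAN to any rule</descr>
  <source><network>lan</network></source>
  <destination><any/></destination>
</rule>"""

POLICY_RULE = """
<rule>
  <type>pass</type><interface>lan</interface>
  <descr>Force 192.168.50.10 out via NordVPN</descr>
  <source><address>192.168.50.10</address></source>
  <destination><any/></destination>
  <gateway>NORDVPN_VPNV4</gateway>
</rule>"""

NAT_RULE = """
<rule>
  <interface>opt1</interface>
  <source><network>lan</network></source>
  <destination><any/></destination>
</rule>"""


def build_config(filter_rules, nat_rules, nat_mode="hybrid"):
    """Assemble a minimal config.xml document from the fragments above."""
    return ("<opnsense>" + GATEWAYS
            + "<filter>" + "".join(filter_rules) + "</filter>"
            + "<nat><outbound><mode>" + nat_mode + "</mode>"
            + "".join(nat_rules) + "</outbound></nat></opnsense>")


def _covers_everything(node, iface):
    """True when a <source>/<destination> element matches all traffic on iface."""
    if node is None or node.find("any") is not None:
        return True
    return node.findtext("network") in ("any", iface)


def audit(config_xml):
    """Return a list of human-readable findings (an empty list means nothing flagged)."""
    root = ET.fromstring(config_xml)
    gw_iface = {g.findtext("name"): g.findtext("interface")
                for g in root.iter("gateway_item")}
    nat_mode = root.findtext("./nat/outbound/mode", "automatic")
    nat_ifaces = {r.findtext("interface") for r in root.findall("./nat/outbound/rule")}

    findings = []
    catchall_on = set()  # interfaces on which a catch-all has already matched
    for idx, rule in enumerate(root.findall("./filter/rule")):
        iface = rule.findtext("interface")
        gw = rule.findtext("gateway")
        descr = rule.findtext("descr") or f"rule #{idx}"
        if gw:
            if iface in catchall_on:
                findings.append(f"SHADOWED: '{descr}' (gateway {gw}) sits below "
                                f"a catch-all on {iface}; drag it above that rule")
            out_if = gw_iface.get(gw)
            if out_if is None:
                findings.append(f"UNKNOWN GATEWAY: '{descr}' references {gw}")
            elif nat_mode != "automatic" and out_if not in nat_ifaces:
                findings.append(f"NO OUTBOUND NAT: {gw} leaves via {out_if} but no "
                                f"outbound NAT rule targets that interface")
        elif (rule.findtext("type", "pass") == "pass"
              and _covers_everything(rule.find("source"), iface)
              and _covers_everything(rule.find("destination"), iface)):
            catchall_on.add(iface)
    return findings


if __name__ == "__main__":
    # Wrong order and no NAT rule: both problems are reported.
    for line in audit(build_config([CATCHALL_RULE, POLICY_RULE], [])):
        print(line)
    # Policy rule first, NAT rule present: nothing to report.
    print(audit(build_config([POLICY_RULE, CATCHALL_RULE], [NAT_RULE])))
```

Point `audit()` at the text of a System: Configuration: Backups download; it only reads the rule list and changes nothing. The outbound NAT check is skipped in automatic mode because the auto-generated rules are not stored in the config, so there is nothing to inspect there. It says nothing about DNS: queries that Unbound itself sends out are not LAN traffic and never hit these rules, so they have to be handled separately.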

chenks

Re: pfsense or opensense
« Reply #41 on: December 21, 2022, 09:11:33 AM »

Quote from: Chrysalis on December 21, 2022, 08:41:48 AM
Is the VPN connection up and running? You won't see the gateway if it's down.

I see they have policy-based routing in the guide you linked, although I forgot to mention the outbound NAT part.

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm  steps 11-13.  In this example it's changing your catch-all (default rule).

If you're unsure of how to add LAN rules, you can copy the existing default allow LAN rule, then just edit the gateway on the copy, and add the restrictions, e.g. source IP 192.168.50.10 instead of any.  Afterwards drag it above the rule you copied from.

Yes, the VPN is connected; I can see the VPN WAN IP address in the VPN connection status.
However, I didn't have the interface enabled; I enabled that and it is now listed in the gateway option.

On the NordVPN link, I stopped the config at the point where it wanted to change the Unbound settings, as I didn't want it to apply to the entire network.

meritez

Re: pfsense or opensense
« Reply #42 on: December 21, 2022, 11:15:23 AM »

I've noticed OPNsense are quicker to support new stuff like 25G NICs.

chenks

Re: pfsense or opensense
« Reply #43 on: December 21, 2022, 01:57:07 PM »

I'm doing not too bad getting OPNsense set up considering I've never used it before.

Got the OpenVPN server configured and working (allowing me to VPN into my network from outside).

Haven't gone back to look at AdGuard Home further yet, so I still have that disabled and am just using the built-in Unbound (endpoint Cloudflare) for now.

Also haven't gone further into getting the OpenVPN client working yet for the specific LAN client. Not sure whether to wipe the VPN client completely and start again, or adjust what I'd already set up to get it working; the client is definitely connected, as I can see the WAN IP that the VPN has given.

Chrysalis

Re: pfsense or opensense
« Reply #44 on: December 22, 2022, 03:19:11 AM »

DNS is a special case: I believe the LAN outbound rules will not affect routing for DNS queries originating from the firewall itself; you would have to force Unbound to only use the NordVPN interface.

For that you need to either change the default gateway to NordVPN (which you already said you don't want to do) or set up a static route for the DNS IP(s) to make them use the VPN.  If you make the client devices behind NAT use remote DNS directly, then you could reroute those via a policy.

Looking at the NordVPN guide you linked, I would disable the DHCP registration option to prevent a DNS outage every time a dynamic DHCP lease changes.  The rest looks OK, except the bit you didn't want to do for your entire network, which was to force all outbound DNS queries over the VPN link.  So I'm not sure of the best way you can handle DNS, as you don't want DNS leakage, but you have said you don't want DNS queries going over the VPN for excluded traffic.

Meritez, yep, probably due to them having more frequent updates, as the hardware support will come from the underlying FreeBSD version.  I have been planning to migrate my home setup to OPNsense for a while; I was going to do it when I migrated to FTTP, but might do it sooner.  Although it doesn't have a System Patches package, so I would have to manually maintain my patches.