
OPNsense - Firewall Setup

OPNsense is an open source, FreeBSD-based firewall and routing platform developed by Deciso, a company in the Netherlands that makes hardware for it and sells support packages. It is a fork of pfSense, which in turn was forked from m0n0wall, both also built on FreeBSD. OPNsense was launched in January 2015.

The Web UI and Setup

If you only want this box to provide internet access out from your network, and you run no internal servers or services, installing from the ISO is essentially all you need to do: the default rules allow outbound traffic from the LAN and block unsolicited inbound traffic on the WAN. You can adjust the default dashboard if you like, but otherwise you are set and should have internet access, provided the LAN and WAN interfaces are assigned to the right ports and the WAN port is plugged into your ISP modem.

If you wish to access your internal servers, there is more to do.

System -> Settings -> Administration

Navigate, in the left menu, to System -> Settings -> Administration and change the TCP port from 443 to 440. By default OPNsense serves the web GUI over HTTPS on port 443 on every interface. We want ports 80 and 443 free for our self-hosted sites, so the port forward we create later does not conflict with the GUI listening on 443; we therefore move the GUI to another port, and we’ll use 440 for this purpose. Whatever port you choose, do not add a WAN rule allowing it: the GUI should stay reachable only from the LAN.

Scroll down and find the “Alternate Hostnames” field. Add, separated by spaces, any hostnames you will use to reach this box. OPNsense’s DNS rebinding and HTTP referer checks reject requests to the web GUI whose Host header is neither the firewall’s own hostname nor one listed here, treating them as a possible rebinding attack. Note that these checks only apply to requests that reach the OPNsense GUI itself; traffic port-forwarded to an internal web server never touches the GUI, so listing your site names here is harmless but only strictly needed for names you use to reach the firewall.

Now scroll all the way to the end of the page and click Save. After saving, always check whether an Apply button appears at the top of the page, and click it if it does.

Once you save this page it should redirect you automatically, after about 30 seconds, to the new port 440. If it doesn’t, browse to https://ip.of.your.firewall:440, substituting your firewall’s actual LAN IP for the placeholder.

Check for Updates

Go to System -> Firmware -> Updates, let the system check for updates, then install them. Do this before exposing anything: updates carry security patches as well as bug fixes, and the ISO you installed from may be several releases behind.

(Optional) Change your LAN IP

Next, we’ll go to Interfaces -> LAN (NOTE: this step is optional). If you want to change the subnet for your local network (it defaults to 192.168.1.x), you can do that here. Scroll down to the “IPv4 Address” field, enter the address and prefix length you prefer, then click ‘Save’ at the bottom. Then go to Services -> DHCPv4 and change the DHCP range so that it lies inside the new subnet and does not include the firewall’s own address. Again click ‘Save’, and ‘Apply’ if necessary.

You may need to disconnect and reconnect your client’s network connection to get it to pull an address from the updated range.

Setup Firewall Rules for Access from Outside your Network

First we’ll set up two aliases. An alias lets one firewall rule refer to several ports or hosts, so we need fewer separate rules, and if the web server’s address changes later we only edit the alias.

Go to Firewall -> Aliases and click the “+” to add a new alias. Call it web_server_ports and select the Type “Port(s)”. In the Content field enter 80 and press Tab, and it should turn into a chip; then enter 443 and press Tab again. Give it the description “web server ports” and Save / Apply.

Add another alias, call it ‘web_server_host’, and give it the Type “Host(s)”. In the Content field enter the LAN IP of your web server machine. Finally, give it the description “web server host” and click Save / Apply.

Now navigate to Firewall -> NAT -> Port Forward. Here we want to add a new rule, so click the “+” icon, make sure it’s Enabled, and select “WAN” as the Interface.

Next, we’ll make sure we select the following:

  • TCP/IP Version = IPv4
  • Protocol = TCP
  • Destination = WAN Address (in the video I say WAN Net, but we want WAN Address)
  • Destination Port Range = (choose your alias) web_server_ports
  • Redirect Target IP = web_server_host
  • Redirect Target Port = web_server_ports
  • Feel free to enter a Description like “http(s) port forward”
  • NAT Reflection = Enable
  • Filter rule association = leave at its default (Add associated filter rule), so the matching WAN pass rule for these ports is created along with the forward; without a pass rule the WAN still blocks the traffic

Save this rule, and Apply.

Now we need the final piece for NAT reflection (reaching the forwarded service by its public address from inside the LAN) to work properly. Navigate in the left menu to Firewall -> Settings -> Advanced.

Enable the following by checking their associated checkbox:

  • Reflection for port forwards = checked
  • Reflection for 1:1 = checked
  • Automatic outbound NAT for reflection = checked

Scroll to the bottom, and Save. Apply if necessary.
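Once the alias, port forward and reflection settings above are saved, the useful check is to probe the ports from both sides and map a failure back to the step at fault: the server itself, the port forward and its WAN rule, or reflection. The script below is an added example, not part of the original post or of OPNsense; the web server LAN IP, WAN address and ports are constructed placeholders mirroring the web_server_host and web_server_ports aliases, and you would replace them with your own.

```python
import socket
from typing import Optional

# Constructed values for illustration; replace with your own.
WEB_SERVER_LAN_IP = "192.168.1.10"   # the address in the web_server_host alias
WAN_ADDRESS = "203.0.113.5"          # the firewall's WAN address (documentation range, not real)
WEB_SERVER_PORTS = (80, 443)         # the web_server_ports alias


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False


def local_listener():
    """Open a listening socket on a free loopback port (only used to self-test check_tcp)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def diagnose(direct_ok: Optional[bool], via_wan_ok: bool) -> tuple:
    """Map the probe outcomes onto the configuration step most likely at fault.

    direct_ok is the result of connecting to the web server's LAN address; it is
    None when probing from outside, where the LAN address is not reachable at all.
    Returns (short code, explanation).
    """
    if direct_ok is False:
        return ("server", "the web server does not answer on its LAN address: check the "
                          "service and the IP in the web_server_host alias")
    if via_wan_ok:
        return ("ok", "reachable through the WAN address")
    if direct_ok is True:
        return ("reflection", "works directly but not via the WAN address from the LAN: check "
                              "NAT reflection on the port forward and under Firewall -> "
                              "Settings -> Advanced")
    return ("forward", "not reachable via the WAN address from outside: check the port "
                       "forward, its associated WAN pass rule, and whether your ISP "
                       "blocks the port")


def probe(from_inside: bool, ports=WEB_SERVER_PORTS) -> dict:
    """Probe each forwarded port and return {port: (code, explanation)}."""
    results = {}
    for port in ports:
        direct = check_tcp(WEB_SERVER_LAN_IP, port) if from_inside else None
        via_wan = check_tcp(WAN_ADDRESS, port)
        results[port] = diagnose(direct, via_wan)
    return results


if __name__ == "__main__":
    import sys
    # Run with no arguments from a LAN client; add --outside when running from
    # a host on the internet (for example a phone on mobile data, or a VPS).
    inside = "--outside" not in sys.argv[1:]
    for port, (code, msg) in probe(inside).items():
        print(f"port {port}: {code}: {msg}")
```

Run it once from a LAN client and once from outside your network; a TCP handshake only proves the forward and rules, so if both pass but the site still fails, the problem is in the reverse proxy or the web server’s virtual host configuration rather than in OPNsense.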

You may need to update the host addresses in your reverse proxy manager after changing your DHCP settings. Once your proxy manager is set up (assuming you’re using one), you should be able to reach all of your self-hosted services from inside or outside your network. If NAT reflection gives you trouble, the usual alternative is a host override under Services -> Unbound DNS -> Overrides, so that internal clients resolve your hostnames directly to the web server’s LAN address instead of going out to the WAN address and back.

This post is licensed under CC BY 4.0 by the author.