
Reading sample

Practical OPNsense

Markus Stubbig

Text: Markus Stubbig
Publisher: BookRix GmbH & Co. KG
4th edition 2023
Editing by Kelda Neely
Revision: 1.36
Date: 2023/05/20 16:47:16

Cover, diagrams, and screenshots by author unless otherwise credited.
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the written permission of the publisher except for the use of brief quotations in a book review.

Preface

Even though OPNsense has established itself in the firewall world, the software has not made it into Gartner’s Magic Quadrant. Despite this hitch, OPNsense continues to remain popular in the open source community. Additionally, hardware available in the web store is growing to a respectable portfolio.
Still, how useful is an OPNsense firewall when almost all data traffic is encrypted? Hardly any website works without HTTPS, and the firewall cannot see the content of the communication. OPNsense has a solution to this problem as well, described in Chapter 14. That chapter explains how the firewall terminates the TLS connection, decrypts the traffic, scans the content for viruses and malicious websites, and then re-encrypts it on the way to the recipient. This only works for clients that trust the firewall’s own CA certificate, so that certificate has to be installed on every client. No expensive subscriptions are required, and the feature can even be used on a home network.
For those who like to explore, it is worth taking a look at the ever-growing list of available plug-ins. The list contains all the features that the developers did not include in the standard software, but which are somehow part of the firewall’s workspace: dynamic routing, WireGuard, various proxies, and more than seventy other extensions.
The list of plug-ins also includes duplicate features. Is a DNS service needed? Choose between Unbound and DNSmasq. There are even more choices when it comes to VPN: OpenVPN, IPsec, WireGuard, or perhaps OpenConnect.
As you make your decisions and continue testing, I wish you a lot of fun trying things out and being amazed.

Preface of the third edition

OPNsense is 6 years old and has gradually grown up. There have been no quarrels with the code donor pfSense; instead, OPNsense invests in better security and code quality. Additionally, the web interface has become a linguist and can handle ten languages.
OPNsense’s popularity is growing steadily: respectable computer magazines favorably review the firewall and large IT companies offer services around OPNsense. In Google Trends, OPNsense is getting closer and closer to its predecessor pfSense.
The third edition of the book is dedicated to OPNsense’s success. All chapters are tested with version 21.1. As expected, many restrictions have been dropped because the developers of OPNsense always stay up-to-date and react to security vulnerabilities in the shortest time possible.

Have fun reading and trying things out – and be ready for wonderful surprises.

Preface of the first and second edition

OPNsense started its life as a bitchy little sister of pfSense who wanted to be superior: better code, better security, better licensing, better targets – and even better open source than its siblings!
With these grandstanding words OPNsense separated from pfSense in 2014. The OPNsense developers started with a spring-cleaning of the pfSense source code. They presented the first version of OPNsense at the beginning of 2015: they tidied up all the code and added a modern web GUI without changing the functionality.

After all the effort, did OPNsense actually make the cut and find friends? If so, who are they? As it turns out, well-structured and documented source code, as seen in OPNsense, is a significant attribute for an open-source firewall. Several celebrities from the security world have complimented OPNsense, first and foremost the chief developer of m0n0wall.
Probably every pfSense administrator has taken a brief look at OPNsense and reviewed its differences. The OPNsense web interface uses a responsive design, and the features familiar from pfSense are reached through fold-out menus. This improvement adds to the already positive impression of OPNsense.
This book will show you how to operate OPNsense and the many features which are all possible with this open-source firewall.

Enjoy reading and trying things out – and be ready for wonderful surprises (and even a bit of cursing).

Overview

Part 1, For Beginners, sets up the network environment with physical devices or on a virtual platform. All machines get an operating system and a quick configuration, followed by essential functions, like routing and IPv6.

In part 2, For Intermediates, the firewalls fulfill some pressing tasks, which must be present in every network. As a packet filter and address translator, they will connect and isolate the attached subnets.

Part 3, For Experts, dives into enterprise-grade topics and establishes site-to-site VPN tunnels and firewall clusters for high availability. Good old NetFlow provides an in-depth look at the data flow. And the included proxy server can even look inside TLS connections.

Outside the closed lab environment OPNsense acts in part 4, For Hackers, as DSL router, load-balancer for multiple Internet links and even as Sheriff for data trespassers.

Part 5, For Admins, provides many small hints that make daily work with the firewall more fluent and straightforward. After that, OPNsense uploads its configuration file to the cloud and stores it revision-safe on Dropbox or Google Drive. Finally, let’s check out the programming interface of OPNsense.

Resources

https://opnsense.org
The homepage of OPNsense offers a good start into the topic and links to the official documentation, to the forum, and the download area.

https://github.com/opnsense
The source code is hosted at GitHub, where anybody can review the code and its development process. It also offers the build tools and tutorials on how to compile the code yourself.

https://docs.opnsense.org/
OPNsense for reading: manuals for users and developers, how-to documents with many screenshots, and step-by-step tutorials. Almost as comprehensive as a full book.

https://forum.opnsense.org/
The forum is the first place to find small tutorials, discussions, and support from the community. The language is not limited to English, and many posts are in German.

Legal

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. The author cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Introduction

OPNsense is an open-source network operating system for routers and firewalls. It is based on FreeBSD and bundles applications such as Squid, pf, strongSwan, and OpenVPN behind a consistent web interface. OPNsense runs on physical hardware, as a virtual machine, or in the cloud.
Although it offers a wide range of functions and hits it out of the park on functionality and usability, it has not yet become a well-known brand. OPNsense combines the charm of Unix with the functional range of a professional firewall on a very small budget.

OPNsense is:

Evolving.

And that’s said in a positive light because it means there is room to grow. In addition, the implementation of features is sometimes out of the ordinary: the provider-centric QinQ tagging and VXLAN are included, but IPv6 still needs attention.

Open Source.

The advantage of an open-source solution isn’t always its price. There is no license cost involved, but its use requires time and resources from an IT department to set up; and once it is set up, the software may be poorly documented and come without vendor support.
Thus, the main advantage of open source is the ability to detect unwanted code. At the time of writing, it is rumored that the NSA will force vendors to install backdoors in their security software. For a consumer who installs a closed firewall system, such a backdoor is almost impossible to discover. And it is a big drawback when these firewalls sit in your own network.
Open-source products, by contrast, can be reviewed by security experts, who have a good chance of finding malicious code. Furthermore, it is hard for a vendor to hide a backdoor in source code that everybody can read and analyze. This advantage only pays off when somebody actually reviews the code, and when the binaries you install are built from that code.

Try before Buy.

You can (and should) evaluate OPNsense thoroughly before spending money on infrastructure. Unlike a shareware application with limited functionality or a demo license that expires after 30 days, OPNsense gives you the full feature set from the first day.
In this context, try means evaluating with sample scenarios, and buy stands for deployment in the local environment.

Hardware-independent.

OPNsense is software that requires some sort of hardware or virtual infrastructure. Since there are many options, all of which are acceptable, choosing the right one isn’t easy. In terms of requirements and desired characteristics, for example, which piece of electronics is needed to saturate a 34 Mbps link with a VPN tunnel doing strong encryption? In the past, software-based network solutions could not keep up with the performance of a hardware device. The main reason for this was the poor cooperation between software drivers and underlying hardware. The choice of network adapters, mainboards, CPUs, and memory is virtually unlimited, which makes it impossible for the software to get the maximum performance out of every combination.
Nowadays, regular servers or embedded systems have surprisingly good performance. Even with non-optimized software and small packet sizes, it is possible to break the 100 Mbps bandwidth level.
The Dutch corporation Deciso [1] and its Netboard A10, A20 and DEC product series tackled the question of which hardware component is best for the job. Optimization, adaptation and marketing have led to a respectable firewall appliance.

Unix.

Within OPNsense is a customized FreeBSD. Access to the operating system is possible but protected by a password. Login is permitted from the console menu or by an SSH connection. This flexibility allows you to customize, enhance, or install additional tools. Be careful though: such changes might lead to unstable behavior, they are not part of the configuration backup, and an update may overwrite them.

Best Of.

Although OPNsense doesn’t reinvent the wheel, it does integrate many services from the Unix and Linux domain. The software has attained rock-solid stability after years of development. The web proxy comes from Squid, the SSH server is OpenSSH, and the firewall ruleset is enforced by pf, the packet filtering engine from BSD.
Is the use of OPNsense, an open-source software, theft of intellectual property? Not at all! It simply proves that open source works. When the license terms are met, it is perfectly legal to integrate third-party software. Especially in the security world, it is highly recommended that application developers do not invent yet another crypto algorithm, but rather use stable, free, and well-reviewed libraries.

History

The history of OPNsense is coupled with that of m0n0wall and pfSense. At the beginning of 2003, m0n0wall started as a firewall that used FreeBSD as its operating system. One year later, pfSense forked m0n0wall with the goal of being better. This approach worked well, and by 2006 pfSense had outperformed its predecessor regarding functionality and popularity.
The concept behind pfSense and its development was successful. In the following years, they released one version after the other.
The rivalry apparently ended in January 2014 when m0n0wall published its final stable version. The project announced its end in February 2015 and ceased development of its firewall software.
Later in 2014, the US enterprise Electric Sheep Fencing LLC offered commercial support for pfSense and finally took over the firewall distribution. This acquisition resulted in a license change, which made it difficult for developers to get the source code.
This political change to pfSense and the downfall of m0n0wall were the main reasons that some Dutch and German developers started their own firewall distribution as a fork of pfSense. Their aims were code quality, security, transparency, and tight integration with the community. The name OPNsense is a tribute to and reminder of its pfSense origin.
The first version of OPNsense came out in January 2015 and was pfSense code dressed up in a nice suit. The developers then began significant work below the surface, replacing pfSense code with their own, version after version. In the current 2023 version, the two firewall distributions have few lines of code in common.
OPNsense publishes new releases on a fixed semiannual schedule. This regular interval makes update planning easy, and the community likes this strategy. Security patches are released between the major versions whenever necessary, so there is no need to wait for the next major release to close a vulnerability.

OPNsense and pfSense compete with the same goal in mind: to win the trust of their users. The winner has not been decided: OPNsense with its fresh start and clear goals versus pfSense with its long-time confidence, stability, and reputable name. Recently, Google Trends has revealed the increasing success of OPNsense. It is foreseeable that in the near future both firewall products will be equal in popularity.

Part I

For Beginners

Chapter 1: Quickstart

The first chapter provides a brief introduction to the OPNsense firewall, takes a tour of the web interface, and presents the login, system status, and network adapters.

What is OPNsense?

The OPNsense firewall is a security product to protect networks. It consists of software that runs on computers with x86_64 processors. It is based on the Unix derivative FreeBSD and provides the administrator with security features via a web interface. A command line is also available for initial setup and troubleshooting.

The software is independent of a physical device. This allows the user to run the OPNsense firewall on their own hardware or as a virtual machine.

IP address

A newly installed firewall binds the IPv4 address 192.168.1.1 to the first network adapter by default. This allows a network connection even if no console is available for the initial setup. No default route is set, so the connection must originate from the same IP network.
A client inside the firewall’s IP network can type the IP address into a web browser and reach the login page to complete the initial setup dialog, as shown in Figure 1.1.

Setup

The web interface provides access to the OPNsense firewall. The web service is encrypted by default and can be reached at:
https://192.168.1.1/
The browser will warn about the certificate, because a new installation uses a self-signed certificate. The default login is the user root with the password opnsense. A brand new firewall starts with the setup wizard, which asks for hostname, IP addresses, and a new admin password. These answers then create the configuration. At the end of the Q&A session, OPNsense activates the selected settings and redirects the user to the dashboard as shown in Figure 1.2.

On the command line, the firewall allows a Secure Shell (SSH) login. The credentials are the same as the web interface. SSH access is initially disabled and must be enabled (see Chapter 5).

Overview

The OPNsense firewall web interface welcomes the signed-in administrator with the Dashboard. The Dashboard summarizes the local system: hostname, version, memory usage, and a list of network adapters.
The menu structure is divided into:

  • Reporting. Real-time and historical throughput statistics for the local firewall are located here.

  • System. The administrative settings, such as time zone, SSH access, notification, routing, backup, and update are found in this section.

  • Interfaces. This is where the network adapters receive their IP addresses. This applies to physical adapters as well as network bridges, tunnel adapters, and wireless NICs.

  • Firewall. This section is used to create policies for packet filtering, address translation, traffic shaping, and logging.

  • VPN. The settings for Virtual Private Networks (VPN) are available in this section.

  • Services. Configure network-related services such as DHCP, DNS, NTP, and intrusion detection.

  • Power. Use this section to restart or shut down the system.

The menu contains additional items when plug-ins are installed.

Summary

Although the OPNsense firewall is not easy to explain in five minutes, this chapter offers a short introduction to get a user going. At its core is the FreeBSD operating system, which uses an IP address on the network and provides the administrator with web access. A wizard asks the usual questions for an initial setup and writes the configuration. After a successful login, the web interface displays the system status and hardware utilization.

Chapter 2: Lab Network

An OPNsense firewall would be useless without a surrounding network to protect. In practical terms, it is best to set up a separate lab network. Within this environment, it is safe to experiment with the firewall and its features without affecting any productive services.

All topics within this book have a practical background. Each chapter begins with the basics to establish an understanding or to refresh dusty knowledge. The examples and exercises are meant to be played with and rebuilt.
The chapters are based on the exact same network diagram, which represents a small corporate network with two remote sites and redundant wide area network (WAN) connections. Depending on the complexity of the topic, it might be enough to use only a small part of the lab network.
Some chapters might have a different setup or an additional device. In that case, this will be explained in detail at the beginning of the section.

Resources

Using the exact same setup for the lab network removes the need to modify the infrastructure between chapters, i.e. there is no need to re-cable or modify the virtual environment. This saves time and prevents error. And after a few chapters, the lab network will become more and more familiar, since the names of firewalls, clients, network adapters, and IP addresses remain unchanged. The complete network diagram is printed in Figure 2.1. The following chapters will use only part of this network for demonstration purposes.


There is no need to have physical access to the devices. It is even possible to operate the lab remotely.

The choice for hardware components depends on the expected throughput. More memory, CPU cores, and disk space will lead to a more powerful firewall that can handle higher bandwidth and more user sessions.
The official specifications for memory and disk capacity take into account bandwidth and activated features. The minimal requirements are low enough to run the full lab on a laptop computer or on cheap hardware. For example, an OPNsense firewall requires 2 GB memory and a 4 gigabyte hard disk.

Despite the ability to run a lab on minimal requirements, more CPU cores, memory space, and disk space are always encouraged. Table 2.1 gives the specifications for different configurations. The numbers are based on official documentation [2].


Some chapters use isolated networks, others need Internet access. The path to the Internet is always through the firewall RT-core. The firewall expects Internet access behind its network adapter em0. This is done with a NAT adapter in a virtual environment. In a physical setup, connect the network adapter to the DSL router. Any scenario that leads to the Internet is welcome.

Virtualization

It is possible to fully virtualize all devices used in the lab network. Each firewall becomes a separate virtual machine (VM) with virtual network cables connecting neighboring VMs. The interconnecting networks between the VMs are called VMnetX on VMware and vboxnetX on VirtualBox. A physical network adapter in the host system is only required when mixing the lab with real gear. Table 2.2 lists which interface belongs to which virtual network.


The Management network segment provides access to the firewall’s web interface. The best-suited connection types are bridged and host-only. In bridged mode, the VM is exposed to the surrounding network via the host’s physical network adapter. In host-only mode, the VM is accessible only by the host (and other VMs on the same host).
Though not technically required, the network adapters of the VMs can use a predefined MAC address to help interpret the output. This technique makes it easy to recognize a device when reading a command output or when comparing it with the samples in the book.
All labs are tested and validated with VMware Workstation 17, VMware ESXi 8 and VirtualBox 7.

Hardware

OPNsense performs well on all devices with x86_64-type architecture. The brand of the network adapter is not that important since the lab setup is intended to demonstrate features and not to provide the best possible performance. Check the FreeBSD hardware compatibility list [3] to see compatible gear.

Networks

The network architecture between the firewalls is based on Ethernet. Every subnet is its own broadcast domain. It is therefore important not to mix cables of different segments. Two methods are available to correctly separate the subnets: by switches or by VLANs.

Separate by switches

Each network segment uses a separate network switch or hub. The switches are not interconnected.
A smaller 5-port device is acceptable since the subnets are rather small. Any brand and model should be sufficient for the job.

Separate by VLANs

All cables are connected to a single switch. Cables and switch ports that belong to the same network segment are members in a common virtual LAN (VLAN). For example, all switch ports leading to the WAN-2 core network will be a member of VLAN 6.
The switch device must have enough ports to provide connectivity for all the firewalls. The switch is not required to provide routing between VLANs. A regular VLAN capable layer 2 switch is adequate.

It is even possible to mix both modes. For instance, both WAN segments could connect to one switch and the site subnets could connect to another switch. The requirements correspond to the method Separate by VLANs.

Firewall

The OPNsense firewall uses the current stable version 23.1 as a 64-bit image. If different versions or additional devices are included, then the lab is modified by replacing the device in question.
Each firewall has one additional network adapter for management access. That way, an SSH client will still reach the firewall even if some configuration change has failed and the regular interfaces become inaccessible. If the hardware does not provide an extra interface for device management, it is acceptable to skip this option.

The lab firewalls are serially numbered. The device number is echoed in the IPv4, IPv6, and MAC addresses. This allows easy device identification in a command output listing.
The name of each network adapter is printed next to the device icon. The full IPv4 address is added below. Information about IPv4 subnet and IPv6 prefix is presented at the network line icon.

Addressing

The subnetworks of the imaginary remote sites use private IPv4 addresses and unique local IPv6 addresses. Each site has a client computer, which is used only to validate a feature or generate traffic. The required command set is limited to ping, traceroute, netstat and a web browser. Even the choice of the operating system is irrelevant – the demo lab picks Debian and Windows due to their popularity.
The area between the sites is the core network. Devices in this network use the address ranges 192.0.2.0/24 and 198.51.100.0/24, which are reserved for documentation (RFC 5737).
IPv6 addressing also uses two clearly different prefixes so the two areas are easy to tell apart: the site networks use prefixes from fd00::/16, which lies inside the unique local address range of RFC 4193, and the core network uses 2001:db8::/32, which is reserved for documentation (RFC 3849).

The address ranges are intended exactly for this purpose and do not collide with public prefixes. The addressing is also kept straightforward: all ranges are structured uniformly and use only “regular” netmasks of /24 (IPv4) or prefixes of /64 (IPv6).
Table 2.3 summarizes the IPv4 and IPv6 ranges attached to the VMnet networks. Additional addresses (e.g. for PPPoE, tunnel, CARP) are derived from the same ranges.

Lab Server

The lab server provides infrastructure services. It can run on physical hardware or as a virtual machine. If the OPNsense firewall is evaluated for a client/server protocol, the lab server will be the counterpart. It can accept requests from the firewalls on NTP, DNS, Syslog, FTP/TFTP, NetFlow and HTTP. The deployed lab server runs on Debian 11.

Utilization

Each chapter uses a subset of the full lab network. Fewer devices provide better control, simpler examples, and briefer command output. This limitation leads to a better overview. Feel free to insert additional firewalls to dive deeper into features.

Chapter 3: Platform

The next step is all about setting up the lab components. It begins with the creation or purchase of the equipment, followed by installation and finally networking.
As mentioned in section Virtualization, the lab can run on physical hardware or find its home entirely in a virtual environment. This makes a big difference in the structure, but is irrelevant for the example scenarios in the following chapters.
The installation procedure is the same for all methods: it first begins by creating the virtual networks, which are separated either by a virtual switch or a port group. The next step is to set up the virtual machines (VMs) and finally the new VMs put their network adapters into the local VM networks.
The choice of virtualization software depends on your personal preferences. The following explanations apply to VMware ESXi, Workstation and Player, and VirtualBox.

This chapter is no substitute for a reference manual for VMware or VirtualBox! The installation of the VMs requires basic knowledge of the respective products. The descriptions only cover the installation of the new VM and not why the individual steps are necessary or advantageous.

Preparation

The firewall installation starts with a live image in ISO format. The website of OPNsense [4] always offers the latest release for download. Check the downloaded file against the checksum and signature published alongside it before writing it to a medium; a tampered installation image undermines every security feature configured on top of it.
The lab in this book uses version 23.1 and the ISO image

OPNsense-23.1-OpenSSL-dvd-amd64.iso

First, in a hardware lab, copy the ISO file to a DVD or USB flash drive and start the server or laptop from this medium. Devices with a 32-bit CPU are no longer supported – the latest version for 32-bit devices is 20.1.
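The check is worth scripting, because the order of the two steps matters: the signature over the checksum file has to be valid before the checksum itself means anything. The shell function below is an added example and not code from the book or the OPNsense project. The signature handling (a base64-encoded detached signature over the checksum file, verified with openssl against the release public key) follows the procedure the OPNsense documentation describes; the file names in the comments and usage line are assumptions and must be taken from the mirror listing for the release in use.

```shell
#!/bin/sh
# verify_image IMAGE CHECKSUMS SIGNATURE PUBKEY
#   IMAGE      downloaded image, e.g. OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2 (assumed name)
#   CHECKSUMS  checksum list published with the release (assumed name)
#   SIGNATURE  base64-encoded signature over CHECKSUMS
#   PUBKEY     release public key, e.g. OPNsense-23.1.pub (assumed name)
# Returns 0 only if the signature over the checksum file is valid AND the
# image digest appears in that file on the same line as the image file name.
verify_image() {
    image=$1 sums=$2 sig=$3 pubkey=$4
    rawsig=$(mktemp) || return 1

    # The mirror stores the signature base64-encoded; openssl wants raw bytes.
    if ! openssl base64 -d -in "$sig" -out "$rawsig"; then
        rm -f "$rawsig"
        return 1
    fi
    # Signature first: a checksum file nobody signed proves nothing, since an
    # attacker who can swap the image can also swap an unsigned checksum file.
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$rawsig" "$sums" >/dev/null 2>&1; then
        rm -f "$rawsig"
        echo "signature check FAILED for $sums" >&2
        return 1
    fi
    rm -f "$rawsig"

    # Only then compare the image digest with the signed list. "-r" prints
    # "<hex> *<file>", so the first field is the digest.
    actual=$(openssl dgst -sha256 -r "$image" | awk '{print $1}')
    [ -n "$actual" ] || return 1   # never grep for an empty string
    # The digest must sit on the same line as the image file name; matching
    # the digest alone would accept a list that names the hash for another file.
    if grep -i -F "$actual" "$sums" | grep -q -F "$(basename "$image")"; then
        echo "OK: $image matches the signed checksum" >&2
        return 0
    fi
    echo "checksum MISMATCH for $image" >&2
    return 1
}

# Usage (assumed file names):
# verify_image OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2 \
#     OPNsense-23.1-OpenSSL-checksums-amd64.sha256 \
#     OPNsense-23.1-OpenSSL-checksums-amd64.sha256.sig OPNsense-23.1.pub
```

Decompress the image only after the function returns 0; the published digest covers the file as downloaded, not its unpacked content.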

VMware

VMware has a wide range of products, but the main ones for the lab are ESXi, Player, and Workstation. The lab begins with the setup of the virtual networks.

Workstation Pro

VMware Workstation Pro is a software application for Windows and Linux that supports virtual machines.
The configuration takes place in the Virtual Network Editor. If not already present, create the virtual networks VMnet1 to VMnet7 there. Choose type Host-Only and do not use DHCP. The subnet IP is insignificant since it is not addressed in the lab.
Next, create the virtual machines. The procedure is always the same:

  1. Start VMware Workstation

  2. File → New Virtual Machine…

  3. Type of configuration? Custom (advanced)

  4. Hardware compatibility: pick the latest (e.g. Workstation 17.x)

  5. Installer disk image file (iso): select the ISO file from the previous section Preparation

  6. Virtual machine name: RT-1
    Location: no preference

  7. Number of processors: 1
    Number of cores per processor: 2

  8. Memory for the virtual machine: 2 GB (or more)

  9. Network connection: use host-only networking (the wizard allows only one single network card, the others will follow later)

  10. SCSI Controller: LSI Logic

  11. Virtual disk type: SCSI

  12. Disk: Create a new virtual disk

  13. Maximum disk size (GB): 6
    Store virtual disk as a single file

  14. Disk File: no preference

The newly created machine will need a cleanup: a firewall does not need a floppy drive, sound card, USB controller, and printer. However, it does need more network adapters.
VM → Settings provides an insight into the soul of the virtual machine. That’s the right place to add and delete objects until the settings fit. New network adapters are always of type Custom with an assignment to the corresponding VMnet. The fixed MAC address is hidden behind the Advanced button at Network Adapter.

The version used is VMware Workstation 17.0.0 on Windows.

Workstation Player

The software VMware Workstation Player is a reduced feature version of VMware Workstation Pro. It is free of charge for non-commercial use.
Dialogues and procedures are similar, so the settings in the previous section also apply here.
The properties of the virtual networks cannot be changed, but the default setting is acceptable.
The creation of a VM begins with the button Create a New Virtual Machine. Then some questions will follow concerning the installer image, the name, and location of the VM, and finally, the size of the hard disk.
All other details are adjusted outside the wizard. The same parameters apply as for VMware Workstation.
The Linux version of the VMware Player is not suitable for the demo lab because the dialog window does not show the selection of VMnet networks. All host-only network adapters of the OPNsense firewall are in the same network. Manual adjustments of VMnet networks and manipulation inside the .vmx file of a VM do not yield any improvement.
The best alternative under Linux is VirtualBox.

The version used is VMware Workstation Player 17.0.0 on Windows.

ESXi

VMware ESXi is a Type 1 hypervisor. It does not run as an application on an operating system, but works directly on the physical hardware. A graphical web client creates and manages the virtual networks and machines. Internally, the virtual firewalls communicate with each other via virtual switches, as illustrated in Figure 3.1 [5].


First, create a switch within the ESXi world. This switch later carries the virtual networks with segmentation by VLANs. The principle corresponds to the physical environment from section Hardware in virtual form.

The virtual network environment starts in the navigator of the web client under Networking in the register Virtual switches. If the lab is isolated inside the ESXi, no physical network adapter is required. For everything else, the following configuration requires the unused network card eth1, which is listed as vmnic1 in ESXi.

  • Click on Add standard virtual switch

  • vSwitch Name: vSwitch1
    Uplink 1: vmnic1 (that’s the unused network adapter in the server. Leave the field empty if the lab does not need to communicate with the outside world)

  • Click on Add

After the new switch vSwitch1 is created, it will not yet have any VLANs or ports. In ESXi, a VLAN corresponds to a port group, which is created and assigned on the Port groups tab. Click the button Add port group to set up the first group. The VLAN number matters if the VMs are to communicate with a physical network. VLANs 1401 to 1407 are used for the demo lab.

  • Name: VMnet1

  • VLAN ID: 1401

  • Virtual Switch: vSwitch1

This step is identical for the other networks VMnet2 to VMnet7. The virtual network environment is then complete and should resemble the list in Figure 3.2.

The scenario for creating virtual machines starts in the navigator under Virtual Machines. The button Create / Register VM triggers the wizard. It will ask several questions; answer them as follows.

  1. Select creation type: Create a new virtual machine

  2. Select a name and guest OS:

    • Name: RT-1

    • Compatibility: ESXi 8.0 virtual machine

    • Guest OS family: Other

    • Guest OS version: FreeBSD 13 (64-bit)

  3. Select storage: pick the right datastore

  4. Customize settings:

    • CPU: 1

    • Cores per Socket: 2

    • Memory: 2 GB

    • Hard disk 1: 6 GB

    • SCSI Controller 0: LSI Logic Parallel

    • USB Controller 1: (remove)

    • Network Adapter 1: VM Network

    • CD/DVD Drive 1: Host Device

Since OPNsense is installed four separate times, it is advisable to copy the ISO file to the ESXi datastore and mount it from there. For the virtual machine's CD/DVD drive, select Datastore ISO File, upload the .iso file with the file browser, and then select it for the VM to use. The new VM will then start from this DVD image. The live system boots and must be installed as instructed in Chapter 4.

The newly created VM is still missing some network cards. Use the properties of the VM to add the network adapters and place them in the correct VMnet. Table 2.2 lists which firewall interface belongs to which virtual network.

The version used is VMware ESXi 8.0.0.

VirtualBox

VirtualBox is an application for Windows, Linux, and macOS that creates and hosts virtual machines.
VirtualBox has a clear portfolio of products. It does not offer more than one virtualization application, but it does provide several configuration methods. The Oracle VM VirtualBox Manager is included in the normal installation. It is easy to use but requires an X11 interface under Linux. Alternatively (or in addition), phpVirtualBox supports the setup [6]. It is a web-based manager that provides the look and feel of the Oracle manager inside the browser.
VirtualBox also offers a command line, so that the lab setup can be completely scripted.

vboxnet

The journey begins with the creation of the virtual networks vboxnet1 to vboxnet7.

Oracle VM VirtualBox Manager

With VirtualBox, the configuration of VMs and networks is controlled by the same program.

  1. File → Tools → Network Manager

  2. Click on the Create icon for each Host-only Ethernet adapter

  3. Click on the section DHCP Server to disable the DHCP service for every network adapter

phpVirtualBox

The advantage of phpVirtualBox is that it provides a look and feel identical to the VirtualBox Manager GUI. Therefore, the virtual network setup is the same as the Oracle Manager setup described in the previous section.

CLI

The command line means a lot of typing for a one-time setup. The procedure differs between Linux and Windows:

Linux

  1. Log in to the Linux host system as the vbox user

  2. Create each vboxnet with the command
    VBoxManage hostonlyif create

Windows

  1. Start a command prompt and navigate to the path
    %ProgramFiles%\Oracle\VirtualBox

  2. Create each virtual host-only network with the command:
    vboxmanage.exe hostonlyif create

VirtualBox on Windows assigns the new network adapters a name of “VirtualBox Host-Only Ethernet Adapter”, followed by a number.

The accuracy of the virtual networks’ setup can only be checked later when the network is live and in use.

Virtual machines

The next step is to create the virtual machines. The process is similar for all VMs, so the examples only show the steps from the first device.

Oracle VM VirtualBox Manager

The setup in the management software of VirtualBox is done via a wizard. The following description also applies to phpVirtualBox.

  1. Machine → New…

    • Type is BSD, Version is FreeBSD (64-bit)

    • Base Memory: 2 GB (or more)

    • Processors: 2

    • Hard disk: 6 GB (or more)

  2. After creating the VM, a few adjustments are still needed so that the network adapters end up in the right networks (Figure 3.3).

    • Mount the DVD with the image from section Preparation

    • Network

      • Declare adapter as Host-only Adapter

      • Attach to vboxnetX (Linux) or “VirtualBox Host-Only Ethernet Adapter X” (Windows)

      • Under Advanced change the type to Intel PRO/1000 MT Server. This is one of the most powerful network adapters (see Chapter 20), but the others also work well.

    • Adjust MAC address if desired (not mandatory)

    • Four NICs can be set up via the GUI. Any further NIC (RT-1 is the only VM with a fifth one) must be added via the command line, see section CLI below.

CLI

Each mouse click in the GUI has a corresponding command on the command line.

  1. The journey via the command line path begins with the creation of a virtual machine using the example of RT-1.

    VBoxManage createvm --name "RT-1" --register
    VBoxManage modifyvm RT-1 --memory 2048
    VBoxManage modifyvm RT-1 --ostype "FreeBSD_64"

  2. Attach a DVD drive with inserted DVD image from section Preparation.

    VBoxManage storagectl RT-1 --name "IDE Controller" --add ide
    VBoxManage storageattach RT-1 --medium OPNsense-23.1-OpenSSL-dvd-amd64.iso --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive

  3. Create a new hard disk and connect it.

    VBoxManage storagectl RT-1 --name "SATA Controller" --add sata
    VBoxManage createhd --filename "RT-1/RT-1.vdi" --size 6144 --format VDI --variant Fixed
    VBoxManage storageattach RT-1 --storagectl "SATA Controller" --medium "RT-1/RT-1.vdi" --port 0 --type hdd

  4. Set up and attach network card nic5 in host RT-1. This NIC must be created via the CLI because the GUI is limited to four adapters.

    VBoxManage modifyvm RT-1 --nic5 hostonly
    VBoxManage modifyvm RT-1 --hostonlyadapter5 "vboxnet6"
    VBoxManage modifyvm RT-1 --hostonlyadapter5 "VirtualBox Host-Only Ethernet Adapter #6"
    VBoxManage modifyvm RT-1 --nictype5 82540EM
    VBoxManage modifyvm RT-1 --macaddress5 001516010601

    The second command is for VirtualBox on Linux; the third uses the adapter naming convention on Windows. Only one of the two applies to a given host.

The first virtual firewall is now created and ready for installation. The procedure for the remaining devices is identical, except for the network adapters. To determine if everything is adequately connected, see Chapter 5 when the firewalls are assigned their IP addresses.
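The VirtualBox steps above (host-only networks under CLI, and the RT-1 commands in this section) lend themselves to scripting, since only the adapter assignments differ between the four firewalls. The following script is an added example and is not the book's own code. It assumes VBoxManage is on the PATH; the VM name, network numbers, ISO name and MAC address are the book's RT-1 values, and with DRY_RUN=1 it prints the commands instead of running them so they can be reviewed first. The assumption that the first Windows host-only adapter carries no "#" suffix is this example's own.

```shell
#!/bin/sh
# Added example (not from the book): script the VirtualBox lab setup.
# Assumes VBoxManage is on PATH. With DRY_RUN=1 every command is printed
# instead of executed, so the generated commands can be reviewed first.

# Run a VBoxManage command, or print it when DRY_RUN=1.
vbox() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'VBoxManage'
        for arg in "$@"; do
            case "$arg" in
                *' '*) printf " '%s'" "$arg" ;;   # quote adapter names with spaces
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        VBoxManage "$@"
    fi
}

# Create COUNT host-only networks (vboxnet1.. on Linux, numbered adapters on Windows).
create_hostonly_nets() {
    i=1
    while [ "$i" -le "$1" ]; do
        vbox hostonlyif create
        i=$((i + 1))
    done
}

# Name of host-only network NET on the given platform ("linux" or "windows").
# Assumption of this example: the first Windows adapter has no "#N" suffix;
# confirm the real names with "VBoxManage list hostonlyifs".
hostonly_name() {
    net="$1"; os="$2"
    case "$os" in
        windows)
            if [ "$net" -eq 1 ]; then printf 'VirtualBox Host-Only Ethernet Adapter\n'
            else printf 'VirtualBox Host-Only Ethernet Adapter #%s\n' "$net"; fi ;;
        *)  printf 'vboxnet%s\n' "$net" ;;
    esac
}

# Create the base VM as in the book: 2 GB RAM, FreeBSD 64-bit, IDE controller
# with the OPNsense DVD, SATA controller with a fixed-size 6 GB disk.
create_firewall_vm() {
    vm="$1"; iso="$2"
    vbox createvm --name "$vm" --register
    vbox modifyvm "$vm" --memory 2048
    vbox modifyvm "$vm" --ostype FreeBSD_64
    vbox storagectl "$vm" --name "IDE Controller" --add ide
    vbox storageattach "$vm" --storagectl "IDE Controller" --port 0 --device 1 \
         --type dvddrive --medium "$iso"
    vbox storagectl "$vm" --name "SATA Controller" --add sata
    vbox createhd --filename "$vm/$vm.vdi" --size 6144 --format VDI --variant Fixed
    vbox storageattach "$vm" --storagectl "SATA Controller" --port 0 \
         --type hdd --medium "$vm/$vm.vdi"
}

# Attach host-only network NET as adapter N of VM (NIC type 82540EM as in the
# book), optionally pinning the MAC address so the lab stays reproducible.
attach_hostonly_nic() {
    vm="$1"; n="$2"; net="$3"; os="$4"; mac="${5:-}"
    vbox modifyvm "$vm" "--nic$n" hostonly
    vbox modifyvm "$vm" "--hostonlyadapter$n" "$(hostonly_name "$net" "$os")"
    vbox modifyvm "$vm" "--nictype$n" 82540EM
    if [ -n "$mac" ]; then
        vbox modifyvm "$vm" "--macaddress$n" "$mac"
    fi
}

# Stand-alone dry run: print the commands for RT-1 with its fifth adapter in vboxnet6.
if [ "${DRY_RUN:-0}" = "1" ]; then
    create_hostonly_nets 7
    create_firewall_vm RT-1 OPNsense-23.1-OpenSSL-dvd-amd64.iso
    attach_hostonly_nic RT-1 5 6 linux 001516010601
fi
```

Run it once with DRY_RUN=1 to see the exact command lines, then without to apply them; the remaining firewalls only need further attach_hostonly_nic calls with their own adapter and network numbers from Table 2.2.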

The used version is VirtualBox 7.0.4.

Hardware

The networks between the firewalls need strict separation because many protocols find their own path on their own, and this path runs – especially with IPv6 – through unwanted segments if the network separation is unclean.
In the network diagram, each firewall adapter is visually connected to a horizontal line that represents a network segment. Each segment is its own switch or its own VLAN on a shared switch, as described in section Networks.

For example, the network segment with the IPv4 range 192.0.2.0/24 contains several firewalls and their network adapters:

  • RT-1:em4

  • RT-3:em2

  • RT-core:em2

The adapters are connected to a 5-port switch. The switch has no other connections or uplinks.
When using VLAN tagging, the cables of the firewall devices are connected to a managed switch, for example on the first three switch ports. Listing 3.1 provides the configuration for a Cisco Catalyst switch. The OPNsense firewalls do not notice this VLAN mapping.

vlan 1406
name WAN-2_192.0.2.0
!
interface range GigabitEthernet1/0/1 - 3
switchport mode access
switchport access vlan 1406

       Network separation with switch ports and VLANs (Listing 3.1)

The configuration and setup of the cable can only be validated later when the interfaces of the firewall are equipped with IP addresses as outlined in Chapter 5, i.e. when the ping command can detect errors.

Embedded systems

OPNsense is based on BSD but is only offered for the AMD64 architecture. Images for other platforms, such as ARM or MIPS, are not available.
The boot process on a regular PC or server with a keyboard, screen, and DVD drive is simple: insert DVD and boot. The installation starts in Chapter 4.
The installation becomes more difficult with embedded hardware because the procedure depends on the physical components. Embedded devices are minimalistic and therefore usually have neither a DVD drive nor a display port, and the operating system is stored on a flash medium.

A practical example is the APU 1D4-Board [7] of the Swiss manufacturer PC-Engines. It is equipped with three Gigabit network adapters, SD card, serial console, and two USB slots.
The OPNsense repositories do provide a precompiled flash image, but the recommended installation method is via a USB stick. The APU board boots from this medium and starts the installation of the operating system. The installation image for devices with serial console includes the keyword serial in its file name.

  1. First retrieve the image file from the OPNsense download server.

    wget https://pkg.opnsense.org/releases/23.1/OPNsense-23.1-OpenSSL-serial-amd64.img.bz2

  2. When downloading via the Internet, it is advisable to validate the result. This catches transmission errors and detects intentional manipulation of the file. The repository provides a file signature that can be verified using the onboard tools of a Linux system.

    wget https://pkg.opnsense.org/releases/23.1/OPNsense-23.1.pub
    wget https://pkg.opnsense.org/releases/23.1/OPNsense-23.1-OpenSSL-serial-amd64.img.bz2.sig
    openssl base64 -d -out /tmp/image.sig -in OPNsense-23.1-OpenSSL-serial-amd64.img.bz2.sig
    openssl dgst -sha256 -verify OPNsense-23.1.pub -signature /tmp/image.sig OPNsense-23.1-OpenSSL-serial-amd64.img.bz2

  3. Next unzip the file.

    bunzip2 OPNsense-23.1-OpenSSL-serial-amd64.img.bz2

  4. The image file
    OPNsense-23.1-OpenSSL-serial-amd64.img
    must then be copied to an empty USB stick so that it is bootable. The physdiskwrite [8] tool performs this task on any Windows PC with Administrator privileges.

    physdiskwrite.exe -u -d 1 OPNsense-23.1-OpenSSL-serial-amd64.img

    physdiskwrite writes the image file to the specified drive with the -d option
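The signature check in step 2 is the one place in this procedure where a wrong result should stop everything, so it is worth having it as a function that fails closed rather than as four commands whose exit status is easy to overlook. The script below is an added example, not the book's or the OPNsense project's code. It wraps the book's two openssl commands (base64 decode of the .sig file, then RSA/SHA-256 verification against the .pub key) and adds an offline self-test that signs a constructed stand-in file with a throwaway key, so the logic can be exercised without the download server; the real check uses OPNsense-23.1.pub and the .sig file from the repository instead. Only the openssl command line tool is required.

```shell
#!/bin/sh
# Added example (not from the book): fail-closed image signature verification.
# Requires the openssl command line tool.

# verify_image PUBKEY SIG_B64 IMAGE
# Decodes the base64 .sig file as in the book and verifies the SHA-256 RSA
# signature over IMAGE. Returns 0 only when the signature is valid; any error
# (missing file, undecodable signature, mismatch) returns 1.
verify_image() {
    pub="$1"; sig_b64="$2"; image="$3"
    rawsig="$(mktemp)" || return 1
    if ! openssl base64 -d -in "$sig_b64" -out "$rawsig" 2>/dev/null; then
        rm -f "$rawsig"
        return 1
    fi
    if openssl dgst -sha256 -verify "$pub" -signature "$rawsig" "$image" >/dev/null 2>&1; then
        rm -f "$rawsig"
        return 0
    fi
    rm -f "$rawsig"
    return 1
}

# Offline self-test: sign a constructed file with a throwaway RSA key the way
# a release would be signed (raw signature, then base64 in the .sig file), then
# check that verification accepts the original and rejects a modified copy.
# Prints "ok" and returns 0 on success.
selftest() {
    dir="$(mktemp -d)" || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/test.pub" 2>/dev/null \
        || { rm -rf "$dir"; return 1; }
    # constructed stand-in for the real image file (plain text, not a bz2 archive)
    printf 'constructed stand-in for OPNsense-23.1-OpenSSL-serial-amd64.img.bz2\n' \
        > "$dir/image.bz2"
    openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/image.raw" "$dir/image.bz2" \
        || { rm -rf "$dir"; return 1; }
    openssl base64 -in "$dir/image.raw" -out "$dir/image.bz2.sig" \
        || { rm -rf "$dir"; return 1; }
    # untouched download: must verify
    verify_image "$dir/test.pub" "$dir/image.bz2.sig" "$dir/image.bz2" \
        || { rm -rf "$dir"; return 1; }
    # one appended byte simulates a corrupted or manipulated download: must NOT verify
    printf 'x' >> "$dir/image.bz2"
    if verify_image "$dir/test.pub" "$dir/image.bz2.sig" "$dir/image.bz2"; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    echo ok
}

# Stand-alone run: exercise the check offline.
selftest || echo "self-test failed"
```

For the real download, call verify_image with OPNsense-23.1.pub, the .img.bz2.sig file and the .img.bz2 file, and let the script abort (for example with set -e) before bunzip2 and physdiskwrite run if it returns non-zero; the public key itself should be obtained from a source you already trust, since a key fetched next to the image only proves that both came from the same server.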

Imprint

Publisher: BookRix GmbH & Co. KG

Publication Date: 05-22-2023
ISBN: 978-3-7554-4288-2

All Rights Reserved
