OPNsense Discussions

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532


I know this isn't exactly an OPNsense thread, but apalrd just released a (IMO) very good video detailing the setup process of a new OPNsense box, walking through why you might want to enable or disable some of the more obscure options. He's also a huge proponent of getting more people onboard with IPv6.


It is probably good to start a new thread on OPNsense as it is also very popular.

OPNsense website:
https://opnsense.org/
Get started:
https://opnsense.org/users/get-started/
Documentation:
https://docs.opnsense.org/
Forum:
https://forum.opnsense.org/
Official shop: (nice HW but not cheap)
https://shop.opnsense.com/
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
It is interesting that we have pfSense (https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/) and OpenWRT (https://forums.hardwarezone.com.sg/threads/openwrt-router-firmware.5967482/) threads in this forum, but only one OPNsense thread (and a special case only).
https://forums.hardwarezone.com.sg/...wall-on-old-hardware-with-single-nic.6675808/
The interface of OPNsense seems to be quite different from pfSense. Some people think the OPNsense interface is more modern, but I actually think both are pretty okay.

OPNsense getting started HW choice: a low power Intel x86_64 mini PC with multiple Intel network cards will be a good choice. Now there are low cost options with either four Intel Gigabit NICs or four 2.5Gigabit NICs, especially from Taobao or AliExpress or Amazon.

You can go to the pfSense thread which has good HW recommendation.

An example mini PC for OPNSense (as well as OpenWRT and pfSense)


OPNsense introduction tutorial:
https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/




The guy seems to have quite some nice articles about OPNsense, like the following.
https://homenetworkguy.com/how-to/ways-to-secure-access-to-opnsense-and-your-home-network/
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
I have just switched one of my home networks from OpenWRT Proxmox VM to OPNSense 23.7 series VM (now at 23.7.3).

I have not done much though, just basic Internet. Unbound DNS with DoT is working fine (1.1.1.3 Cloudflare Family DNS).

DNS Blocking lists are also working but I think it is not as good as pfBlockerNG in pfSense.


Adguard Home is another good choice since there is a community plug-in for OPNsense.


Pi-hole is another choice but you need another machine.

I have set up ZeroTier but it does not seem to work (need to check why).
https://docs.opnsense.org/manual/how-tos/zerotier.html

TailScale is not available as a plug-in but it is not so difficult to build from source. It seems to work fine after the installation.
https://tailscale.com/kb/1097/install-opnsense/
I intend to try a few things.
1) DDNS (probably DuckDNS) (Edit: DONE)
2) Wireguard VPN server (Edit: DONE)
3) OpenVPN? (Edit: I am not interested in OpenVPN in reality, so I will not try this).
4) Singtel 6rd IPv6 (Edit: not working).
 

theoryunited

Junior Member
Joined
Mar 21, 2016
Messages
20
Reaction score
14
Some things that may be interesting

  1. A unique plugin in OPNSense. Eg. https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html , there are also probably others but I cannot list them all. But probably pfSense has more of its own unique plugins.
  2. There is the community repo at https://www.routerperformance.net/opnsense-repo/ providing some plugins and packages. This includes tailscale (not a plugin, but is an option if you do not want to build from source) and AdguardHome. (FYI if you use this don't immediately update OPNSense when new updates come because plugins may break)
  3. Seems to be quite common to use something like Pi-Hole / AdguardHome and set the upstream to the Unbound instance, instead of using the blocklists from Unbound. I personally use AdguardHome -> Unbound with DoT -> Quad9 upstream. Not sure if this is also common in pfSense and the other alternatives.
For the things you plan to try

  1. os-ddclient plugin for DDNS
  2. os-wireguard plugin for Wireguard (not sure why plugin instead of built-in)
  3. OpenVPN is built-in
  4. There is support for 6RD (should be similar to pfSense's setup?)
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
I use Pi-hole with Asus and OpenWRT. But I am playing with Adguard Home now for the Asus side. I still prefer the Pi-hole user interface myself.

pfSense has the excellent pfBlockerNg which IMHO is quite a bit better than Pi-hole and Adguard Home.
https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
I was hoping to see something similar to pfBlockerNG, but it seems to me there is nothing similar. Some people recommend using Zenarmor, which seems to have higher hardware requirements.
https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html
https://docs.opnsense.org/vendor/sunnyvalley/zenarmor_hardwarerequirements.html
The simpler alternative is to use Pi-hole, Adguard Home, or just the built-in Unbound block list plus geo-IP list.

For now I will try Adguard Home first -- I will not use the package but rather an LXC container running on the Proxmox VM. I just got it set up (using Adguard Home as the DNS server for OPNsense) and it seems to work fine.
 

TheCoolDude89

Junior Member
Joined
Dec 23, 2020
Messages
87
Reaction score
16
I have also moved to OPNsense from pfSense and I do find the interface more user friendly in my own testing. Zenarmor is a good IPS/IDS and I am still trying to figure out how to have similar pfBlocker functions in OPNsense.
 

theoryunited

Junior Member
Joined
Mar 21, 2016
Messages
20
Reaction score
14

Also from homenetworkguy, comparing differences between OPNsense and pfSense: https://homenetworkguy.com/review/detailed-comparison-between-opnsense-and-pfsense/. Might be useful for those coming from pfSense if you cannot find the things you want.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
OPNsense documentation on IPv6 using 6rd seems pretty basic:
https://docs.opnsense.org/manual/ipv6.html
https://docs.opnsense.org/manual/interfaces.html
Unfortunately it does not work, even though the router gets an IPv6 address and there is a gateway shown (which seems to be wrong).

Code:
root@OPNsense:~ # ping -6 ipv6.google.com
ping: UDP connect: No route to host
root@OPNsense:~ # netstat -nr6 | grep default
root@OPNsense:~ # netstat -nr4 | grep default
default            121.6.69.254       UGS      vtnet0

 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
I am not so sure if @bert64 can help here for IPv6 related issue.

Edit on 2-Sept-2023: this turns out to be a long-standing OPNsense issue.
https://github.com/opnsense/core/issues/3903
Running route add -inet6 default -interface wan_stf in shell fixed the issue for me, at least from the router itself I can get IPv6 working now.

On the LAN side, that is another story. I have never been able to get the LAN side working with Wireless APs with OpenWRT/pfSense and now OPNsense.

Code:
root@OPNsense:~ # ping ipv6.google.com
ping: UDP connect: No route to host
root@OPNsense:~ # route add -inet6 default -interface wan_stf
add net default: gateway wan_stf
root@OPNsense:~ # ping -c 4 ipv6.google.com
PING6(56=40+8+8 bytes) 2400:d803:xxxx:xxxx:: --> 2404:6800:4003:c05::8a
16 bytes from 2404:6800:4003:c05::8a, icmp_seq=0 hlim=57 time=4.362 ms
16 bytes from 2404:6800:4003:c05::8a, icmp_seq=1 hlim=57 time=4.239 ms
16 bytes from 2404:6800:4003:c05::8a, icmp_seq=2 hlim=57 time=4.437 ms
16 bytes from 2404:6800:4003:c05::8a, icmp_seq=3 hlim=57 time=4.620 ms

--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.239/4.415/4.620/0.138 ms
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
Wireguard setup is quite smooth and it works out of the box (using the DDNS domain name).

Documentation:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Speedtest results (wireless connection, Windows 11 laptop)
OPNsense (Proxmox VM, Intel J4105 mini PC) as the Wireguard server
Windows 11 laptop connected to Asus router, using wireless, as the Wireguard client



If you prefer a video guide, you can try watching the following.



For those who come from pfSense, you can use the following guide to see the differences.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
Using built-in Unbound DNS Block List, I can get only 78% for the ads block test. (DoT upstream 1.1.1.3 Cloudflare Family DNS). The CPU usage is also high if I enable most of the block lists.
https://d3ward.github.io/toolz/adblock.html
Using Adguard Home and a few block lists, I can get 87% for the ads block test. (DoH upstream 1.1.1.3 Cloudflare Family DNS)

 

theoryunited

Junior Member
Joined
Mar 21, 2016
Messages
20
Reaction score
14
Actually for the blocklists, Steven Black's List will have overlap with some of the other lists since it also sources them when creating the unified list, eg. AdAway and Dan Pollock. See https://github.com/StevenBlack/hosts
FYI the No Tracking Blocklist is no longer maintained: https://github.com/notracking/hosts-blocklists

I'm actually surprised that Unbound DNSBL causes higher CPU usage. Might try it out and see if it happens on my machine if (very big if) I have time.
 
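As an added example (not from the thread or from any of the lists or projects it names), the script below parses constructed hosts-format lists in the style of the Steven Black, AdAway and Dan Pollock lists and reports how many entries each list contributes that no other enabled list already has, which is what makes an overlapping list redundant:

```python
"""Measure overlap between DNS blocklists in hosts-file format.

The sample lists are constructed for this example; they only imitate
the "0.0.0.0 domain" / "127.0.0.1 domain" format of the real lists.
"""
from __future__ import annotations
import re

# A hosts entry: sink address, then one or more hostnames.
HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+(.+)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

SAMPLE_LISTS = {  # constructed sample data, not real list contents
    "stevenblack": """# unified list (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 adserver.example.com metrics.example.com
0.0.0.0 beacon.example.info
""",
    "adaway": """127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org
127.0.0.1 mobileads.example.net
""",
    "pollock": """127.0.0.1 localhost
127.0.0.1 adserver.example.com  # trailing comment
127.0.0.1 beacon.example.info
127.0.0.1 tracker.example.org
""",
}

def parse_hosts(text: str) -> set[str]:
    """Return the set of blocked hostnames in a hosts-format list."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = HOSTS_LINE.match(line)
        if not m:
            continue                             # blank line or non-entry
        for host in m.group(1).split():          # several hosts may share a line
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES:
                domains.add(host)
    return domains

def overlap_report(lists: dict[str, set[str]]) -> dict:
    """Per list: size and entries found in no other list; plus union size."""
    report = {"union": len(set().union(*lists.values())), "lists": {}}
    for name, doms in lists.items():
        others = set().union(*(d for n, d in lists.items() if n != name))
        report["lists"][name] = {"size": len(doms), "unique": len(doms - others)}
    return report

def redundant_lists(lists: dict[str, set[str]]) -> list[str]:
    """Names of lists whose every entry is already covered elsewhere."""
    rep = overlap_report(lists)
    return sorted(n for n, r in rep["lists"].items() if r["unique"] == 0)
```

Run it against the real lists by replacing SAMPLE_LISTS with the downloaded files; a list that shows up as redundant can be disabled without losing coverage.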

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532

Good point about the block lists.

Here is what I will probably use in the end: only three lists enabled, yet I can get 93% for the Ad Block Test site.
https://d3ward.github.io/toolz/adblock.html
 

theoryunited

Junior Member
Joined
Mar 21, 2016
Messages
20
Reaction score
14
I think generally as long as you can get 80/90%+ (depending on your preference), that is a good start. The issue with tests like these is it depends on too many factors, like browser, extensions used, upstream DNS etc.

I think whichever blocking tool you use, just start with the good well known blocklists like the one xiaofan is using then add / remove lists or individual entries if you find trackers / ads you want to block since it depends on your setup / usage.

Eg. The amount of blocking you use in your tool will probably be different when you use Cloudflare vs Google vs Quad9. Even for Cloudflare when you use 1.1.1.1 vs 1.1.1.2. On that note something useful here: https://techblog.nexxwave.be/public-dns-malware-filters-tested/
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
Indeed the test results will depend on multiple factors. I always disable uBlock Origin browser extension for this test.

BTW, I think by using DNS Blocking Lists alone, you will at most achieve 93% (140/150) as they will not be able to block the "Cosmetic Filter" category and the "Ad Scripts Loading" category. uBlock Origin is able to block them.

So in the end, you will need both the DNS Blocking Lists and ad-block browser extensions like uBlock Origin.

 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
Next step I will learn more about Firewall rules

Firewall related things first.

The long video actually covers Firewall rules as well.


Shorter video clips may be easier to follow.


 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,765
Reaction score
11,532
After that, I may want to try out VLAN. I played a bit with VLAN last time with pfSense using the cheap TP-Link TL-SG108E, but I did not go deep as I did not have a real need at that time. I still do not have a real need as of now. So this will probably just be an experiment.



Using OPNsense + Unifi with VLAN
 