Added to our list of Home Network Security Devices and Appliances is the OPNsense firewall. This is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time.
OPNsense Core Features
- Traffic Shaper
- Two-factor Authentication throughout the system
- Captive portal
- Forward Caching Proxy (transparent) with Blacklist support
- Virtual Private Network (site to site & road warrior, IPsec, OpenVPN & legacy PPTP support)
- High Availability & Hardware Failover ( with configuration synchronization & synchronized state tables)
- Intrusion Detection and Prevention using Suricata
- Antivirus Engine – OPNsense offers the industry standard ICAP to protect http and https connections against ransomware, trojans, viruses and other malware.
- Build-in reporting and monitoring tools including RRD Graphs
- Netflow Exporter
- Network Flow Monitoring
- Support for plugins
- DNS Server & DNS Forwarder
- DHCP Server and Relay
- Dynamic DNS
- Encrypted configuration backup to Google Drive
- Stateful inspection firewall
- Granular control over state table
- 802.1Q VLAN support
- and more.. see features
Miminum and recommended hardware requirements can be found here.
- An old PC or device which will function as your router.
- A minimum of 2 NIC cards in the PC.
- A keyboard and monitor for the initial setup.
- Optional: An off the shelf wireless router capable of installing DDWRT Firmware to provide wireless access point.
Download OPNsense and create a bootable .iso on a CD/DVD, the file is approximately 261MB. You can use free burning software such as the open source InfraRecorder software. We will be assuming you have a CD/DVD-ROM on the PC you will be installing OPNsense on. If not, you can install OPNsense from a USB device. You have to assure your PC is set to boot from USB as its first device (for help getting a bootable USB device setup with OPNsense, see this article or use another program like Roofus or ISO to USB.
Setup & Configuration
Once you log into OPNsense you arrive at the lobby. The Dashboard will give you general information about your firewall and is configurable with different information widgets as seen here.
Using the Wizard to Verify or Change Settings
During the initial installation you saved your initial configuration. It is best to go through the settings Wizard to confirm or change basic settings.
On the left panel, select System, Wizard. Your first screen you can choose your DNS provider. Here we have selected Cloudflare’s DNS 220.127.116.11 & 18.104.22.168 as our provider. You can also check Enable DNSSEC and Harden DNSSEC data when using Cloudflare DNS. Click Next when done.
Setup Your TimeZone
Next in the Wizard is setting the time zone. It is important to get the correct time zone especially if your OPNsense firewall will be your networks NTP provider for your network. This will assure your connected devices always have the correct time.
Next in the Wizard: If your OPNsense firewall will be functioning as a router, providing IP addresses for your network, you will want to make sure DHCP is selected here. You can also check the two boxes below to Block RFC1918 Private Networks and Block Bogon Networks.
Configure LAN Interface
Next in the Wizard: Pick or confirm which IP address you want your OPNsense Firerwall to be. Changing it here will prompt you to login again with the new IP address once the Wizard is completed. Once you have completed the Wizard click Apply.
Changing DHCP Lease Ranges
Not in the Wizard: If you ever want to change the DHCP ranges for your network, this is available in Services, LAN. This area is also where you can assure DHCP is in fact turned On or OFF.
One of the best options to OPNsense is its selection of optional plugins and packages making your OPNsense firewall that much more configurable. To install packages from the left panel go to System, Firmware, Plugins. If your system can handle it, I would suggest you install the Suricata package. You could use Snort instead however if your firewall has a multicore processor, Suricata is better suited to utilize a multicore processor. Either Suricata or Snort will enhance your firewall capabilities with corporate grade Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). More on Snort vs. Suricata. To view a list of plugins available click here. Another plugin worth mentioning is Clam Antivirus.
Setup Suricata – Settings Tab
Now that Suricata is installed you can configure it in the left panel by going to Services, Intrusion Detection, Administration. In the Settings tab you can enable or disable Suricata and enable or disable its Intrusion Prevention capability here. If you enable only Suricata, it will only show you alerts which have been triggered by its intrusion detection rules. If you want to be able to block those possible intrusions and not just be alerted, check IPS mode also as seen in the image below.
Next you need to tell Suricata which networks to monitor and block intrusions from. Here we have selected both WAN and LAN. Note that selecting both will increase overhead CPU and RAM usage. This test system we are using has an Intel I3, 3.30GHz quad core processor with 16GB or RAM (available in our shop). This proved to be adequate to handle both simultaneously with multiple rules setup as you will see.
Setup Suricata – Download Tab
Selecting the Download tab will allow you to select the rulesets you would like Suricata to apply to your intrusion prevention. Note that many of the rule sets probably would not apply to a basic home network and would apply more to webservers and mailservers. It is important to not install more rulesets than you think you need for your particular network. The more applied can significantly degrade speed and usage and cause false positive issues. Here is an example of some selected rule sets which might be more tailored to a small home network below. You can click the image to get a full view of the ones we selected for this review.
To begin selecting rule sets to apply, click the little “pencil” icon to the right of the rule set.
Setup Suricata – Configuring the rule set
After clicking the pencil or edit icon, here you can enable the rule as seen below. You will want to use the drop down to also change all alerts to drop actions unless you only want your firewall to report intrusion incidences instead of blocking them. Click Save changes to apply your settings. Note that all the rules selected have subrules which we will see later.
Setup Suricata – Rules Tab
The Rules tab shows you all of the sub rules from the rule sets you have applied. This shows you weather specific rules are currently set to Alert or Block. You can change each of them here, as seen below.
Setup Suricata – User Defined Tab – Country IP Blocking
The User Defined tab area allows to block entire country IP ranges. For example, here we have blocked China, India, Russia and the Ukraine. To begin adding rules, click the + icon seen below.
Setup Suricata – Country IP Blocking Setup
Clicking the “+” icon above you start configuring the country IP blocking options. Below is the self explanatory settings you can use to block country IP ranges.
In the GeoIP/Dirrection you have the option to block IP’s from the source. This means no connection will be allowed from an IP originating from that specific country to your network. If you select Destination, then this means no connection will be allowed from your network to the specific country. If you select Both, this will block all connections to and from the specific country.
Be sure to check Enabled and then save changes when done. Your User defined tab will become populated like the image above.
Suricata Setup – Alerts Tab
The Alerts tab shows you all of the triggered rules from traffic that has hit your firewall. Since we have both IDS & IPS enabled, we are given alerts and blocked notifications from the WAN and LAN here.
It is the Suricata rules like this that makes an OPNsense firewall superior in many ways to protect your IOT and devices on your network.
Notice under the destinations column below we have removed our specific IP addresses to give you an idea of what you would see. Where you see Your Lan Device IP, a device on our network going out to the WAN has triggered a rule. In this case a SSL certificate for a top level suspicious domain .xyz. This means something on our network has tried to access this domain but has been blocked. It is the Suricata rules like this that makes an OPNsense firewall superior in many ways to protect your IOT and devices on your network.
Where you see Your Firewall IP, traffic has been blocked at the firewall from the WAN. In this case traffic was blocked from the specific countries we added earlier. All that traffic was unsolicited by our network.
*This is also where you can troubleshoot legitimate traffic being blocked and find out which rules you would might want to disable or allow for your specific network setup.
Suricata Setup – Schedule Tab
It is important to setup the update scheduling for your firewall. In the Schedule tab you can begin setting an update schedule for various services (yours may vary based on your network). The basic settings you would need are:
- Update and reload intrusion detection rules – here we have set ours to 23 hours.
- Automatic firmware update – suggested once every few days to once a week.
Setup a Wireless Access Point (optional)
Wireless NIC cards on a OPNsense box have not been very stable when creating a bridged network between the LAN and WLAN and some report limits of poor wifi coverage in 2.4/5Ghz. A Wireless Access Point running the same antennas has much more coverage than the internal cards so we will be using an off the shelf router with DDWRT firmware installed on it for an Access Point.
Check to see if your router is supported by DDWRT here
Once you have DDWRT installed, log into the DDWRT router and begin setting it up as a Wireless Access Point.
Remember on the Basic Setup page of the DDWRT Access Point, to AssignWAN Port to Switch to give you an extra Lan Port
(Not covered in video below).
How to setup a Wireless Access Point on a DDWRT router
If you prefer not to install and use DDWRT you can also buy an inexpensive router which can operate as a wireless access point right out of the box, like the Asus N300. Or a router like a Nighthawk X6 R8000 even has the option to dully function as a wireless AP.
ASUS N300 Wireless Access Point Setup