
Added to our list of Home Network Security Devices and Appliances is the OPNsense firewall. This is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates in small increments to react to newly emerging threats in a timely fashion.
Set Up Your Time Zone
Next in the Wizard is setting the time zone. It is important to get the correct time zone, especially if your OPNsense firewall will be the NTP provider for your network. This will ensure your connected devices always have the correct time.
DHCP Server
Next in the Wizard: If your OPNsense firewall will be functioning as a router, providing IP addresses for your network, you will want to make sure DHCP is selected here. You can also check the two boxes below to Block RFC1918 Private Networks and Block Bogon Networks.
Configure LAN Interface
Next in the Wizard: Pick or confirm which IP address you want your OPNsense firewall to have. Changing it here will prompt you to log in again with the new IP address once the Wizard is completed. Once you have completed the Wizard, click Apply.
Changing DHCP Lease Ranges
Not in the Wizard: If you ever want to change the DHCP ranges for your network, this is available under Services, LAN. This area is also where you can verify that DHCP is in fact turned on or off.
Installing Plugins
One of the best things about OPNsense is its selection of optional plugins and packages, which make your OPNsense firewall that much more configurable. To install packages, go to System, Firmware, Plugins in the left panel. If your system can handle it, I would suggest you install the Suricata package. You could use Snort instead; however, if your firewall has a multicore processor, Suricata is better suited to make use of it. Either Suricata or Snort will enhance your firewall with corporate-grade Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) capabilities. Another plugin worth mentioning is ClamAV (Clam Antivirus).
Setup Suricata – Configuring the rule set
After clicking the pencil (edit) icon, you can enable the rule set as seen below. Use the drop-down to change all alerts to drop actions, unless you only want your firewall to report intrusion incidents instead of blocking them. Click Save changes to apply your settings. Note that all the rule sets selected have sub-rules, which we will see later.
Setup Suricata – Rules Tab
The Rules tab shows you all of the sub-rules from the rule sets you have applied, and whether each specific rule is currently set to Alert or Block. You can change each of them here, as seen below.
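What the rule set and Rules tabs toggle is the action keyword at the front of each Suricata rule line: `alert` only reports (IDS), `drop` blocks (IPS). The following is an added example, not code from this page or from the OPNsense project: a small Python rewriter that parses rule lines, summarizes how many enabled rules alert versus drop, and switches the action for chosen SIDs, leaving disabled (`#`) rules and `pass`/`reject` rules untouched. The rule lines, SIDs and messages are constructed for the example.

```python
import re

# Constructed sample rule set in Suricata rule syntax (not from the OPNsense GUI
# or any real ruleset); the SIDs and messages are made up for this example.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; sid:9100001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE RDP scan (disabled)"; sid:9100002; rev:1;)
drop ip any any -> any any (msg:"EXAMPLE block inbound from RU"; geoip:src,RU; sid:9100003; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE allow outbound https"; sid:9100004; rev:1;)
"""

# One Suricata rule per line: optional leading '#' (disabled rule), the action
# keyword, the rule header, and an option block that must carry a sid.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<body>.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*\))\s*$"
)

def parse_rules(text):
    """Return {sid, action, enabled, body} for every parsable rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"sid": int(m["sid"]), "action": m["action"],
                          "enabled": m["disabled"] is None, "body": m["body"]})
    return rules

def summarize(text):
    """Count enabled rules per action (what the Rules tab shows as Alert vs Block)."""
    counts = {}
    for r in parse_rules(text):
        if r["enabled"]:
            counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts

def set_action(text, sids, new_action):
    """Switch enabled alert/drop rules whose sid is in `sids` to `new_action`.
    Disabled and pass/reject rules are left as-is. Returns (new_text, changed_sids)."""
    if new_action not in ("alert", "drop"):
        raise ValueError("only alert or drop are valid targets here")
    out, changed = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if (m and m["disabled"] is None and m["action"] in ("alert", "drop")
                and int(m["sid"]) in sids and m["action"] != new_action):
            line = f"{new_action} {m['body']}"   # rewrite only the action keyword
            changed.append(int(m["sid"]))
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Running `set_action(SAMPLE_RULES, {9100001}, "drop")` turns the SSH brute-force rule from report-only into a blocking rule while the disabled RDP rule and the outbound `pass` rule keep their original lines.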
Setup Suricata – User Defined Tab – Country IP Blocking
The User Defined tab allows you to block entire country IP ranges. For example, here we have blocked China, India, Russia and Ukraine. To begin adding rules, click the + icon seen below.
Setup Suricata – Country IP Blocking Setup
Clicking the “+” icon above starts the configuration of the country IP blocking options. Below are the self-explanatory settings you can use to block country IP ranges.
In the GeoIP/Direction field you have the option to block IPs by Source. This means no connection will be allowed from an IP originating in that specific country to your network. If you select Destination, no connection will be allowed from your network to the specific country. If you select Both, all connections to and from the specific country are blocked.
Be sure to check Enabled and then save changes when done. Your User defined tab will become populated like the image above.
Setup Suricata – Schedule Tab
It is important to set up update scheduling for your firewall. In the Schedule tab you can set an update schedule for various services (yours may vary based on your network). The basic settings you would need are:
- Update and reload intrusion detection rules – here we have set ours to 23 hours.
- Automatic firmware update – suggested once every few days to once a week.