basically the advanced version of PiHole.

What is important: TWO NETWORK CARDS LAN(intranet) and WAN(internet)

No matter if you install it as Virtual Machine Appliance on your server or on a dedicated router box.

It is meant to sit between your company LAN(intranet) and your internet router(WAN) and can/should be used as DHCP as well, probably replacing a (anyways not properly working?) Windows DHCP or even a DSL Router’s DHCP.

Give users, developers and businesses a friendly, stable and transparent environment. Make OPNsense the most widely used open source security platform. The project’s name is derived from open and sense and stands for: “Open (source) makes sense.”

https://wiki.opnsense.org/intro.html

Features:

  • Intrusion Detection and Inline Prevention
    • Build-in support for Emerging Treats rules
    • Simple setup by use of rule categories
    • Scheduler for period automatic updates
    • The inline IPS system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize cpu utilization. This deep packet inspection system is very powerful and can be used to mitigate security threats at wire speed.
  • Virtual Private Network
    • Site to site
    • Road warrior
    • IPsec
    • OpenVPN
  • Dynamic DNS
  • Stateful inspection firewall
  • Traffic Shaper
  • Captive portal
    • Voucher support
    • Template manager
    • Multi zone support
  • Forward Caching Proxy
    • Transparent mode supported
    • Blacklist support
    • Squida caching web proxy which can be used for web-content control, respectively. These packages rely strongly on CPU load and disk-cache writes.
  • High Availability & Hardware Failover
    • Includes configuration synchronization & synchronized state tables
    • Can be combined with Traffic Shaping
  • Build-in reporting and monitoring tools
    • System Health, the modern take on RRD Graphs
    • Packet Capture
  • Support for plugins
  • DNS Server & DNS Forwarder
  • DHCP Server and Relay
  • Backup & Restore
    • Encrypted cloud backup to Google Drive
    • Configuration history with colored diff support
    • Local drive backup & restore
  • Granular control over state table
  • 802.1Q VLAN support

what i am missing here/would be cool to be included:

  • block DNS request to known malware servers (piHole like) but i guess that is what squid will do?
  • daily scans from outside and inside based on (hopefully up to date) exploit database of the business LAN (while all machines up and people at work) for security holes
  • partner with PEN-testing company for yearly pen tests (basically: try to hack the company with whatever means possible also phishing mails and virus ridden word.doc)

getting started:

  1. download iso: http://mirror.dataroute.de/opnsense/releases/18.1/OPNsense-18.1.6-OpenSSL-dvd-amd64.iso.bz2
    • sha256sum:
    • ee296edf026abd23b01d04c2aee7b9a0578ad4b3aa039e50eb40f720f13eac58
    • OPNsense-18.1.6-OpenSSL-dvd-amd64.iso.bz2
    • unzip: bunzip2 OPNsense-18.1.6-OpenSSL-dvd-amd64.iso.bz2
  2. create a new VirtualBox FreeBSD 64Bit VM and insert the iso
    • it will guide you through a live cd run but not install anything on harddisk

 

https://docs.opnsense.org/manual/install.html

Port Assignments

By default the system will be configured with 2 interfaces LAN & WAN. The first network port found will be configured as LAN and the second will be WAN.

IP ranges & DHCP

The WAN port will have a dhcp client and expects to be assigned an IP adress.
The LAN port will have a dhcp server, a static ip of 192.168.1.1/24 and offers ip adresses in the range of 192.168.1.100-200.

Users & Passwords

Default user: root / password: opnsense

Also good to know

For security reasons ssh is disabled by default and the console access is password protected.

https://wiki.opnsense.org/intro.html

 

install on harddisk:

  1. ssh into the box with ssh installer@192.168.0.XX (your box’s ip shown in console)
  2. it will greet you with this dialog:
  3. and guide you through setup on disk.
  4. first thing you probably want to do is: check for updates
    • select update server: 

news:

admin