How to Install OPNsense firewall

Captions
OPNsense is a popular firewall which is a fork of the more familiar pfSense firewall, and what it intends to do is to be more open source but also offer more frequent updates. So, for example, you'll find that at the time of this recording pfSense is using FreeBSD version 12, whereas OPNsense is using version 13. Now although there's a difference in major versions, there is still a chance that both do have the same vulnerability, in which case I wouldn't really be considering using both of these in a two-tier firewall solution. So OPNsense is more of an alternative to pfSense, if you will. Now aside from the appeal of being open source, one of the actual benefits I would say that OPNsense brings to the table is local support of a plugin known as Zenarmor, formerly known as Sensei, which offers next-generation capabilities. Now you can use it in pfSense, but you would have to manage that through the cloud, and that for me is just a deal breaker. But how do you install OPNsense? Well, if that's something that you're interested in finding out then stick around and watch this video, because that's what we'll be going over.

Before we try installing OPNsense onto a computer, it's best to make sure that that computer is actually compatible. So over here on OPNsense's website it'll give you some of the details about the architectures that are supported, as well as some of the hardware requirements. Key things to point out are that we need an x86-64 CPU, in other words your typical Intel or AMD CPU which is 64-bit. So if you've got, like, a really old computer which is 32-bit then that's not going to work. Similarly, an actual Raspberry Pi, for example, won't work either, because that uses an ARM CPU versus one of these x86-64 versions. Most computers that are out there would easily meet the reasonable requirements here, which is a dual-core CPU, 4 GB of memory and 40 GB of storage space. I mean, they do mention, you know, you could put this onto memory cards as well, but one thing to point out is you don't want to be installing this on a USB flash drive. It just wouldn't be able to tolerate the number of writes required, because a firewall is going to be generating a lot of logs, it's got to store those logs somewhere, and typically they'll actually go wherever the actual operating system is installed. So in most cases you'll probably go with an SSD. It's typically going to have a lot more than 40 GB of storage capacity, so you shouldn't have really any problems trying to meet those requirements. If you are going to be thinking about more features, you're going to have more users on the network, more traffic throughput, then you might want to think about more actual cores, more memory, more storage capacity, as they suggest here, but typically a computer these days would easily handle those requirements.

Now if you don't already have a computer to install OPNsense on, then you might want to consider one of these Protectli boxes. Now you can get them in different sizes, so you can get two-port versions, which is the minimum we're looking for for a firewall, four ports, as well as six ports. And the appeal of having all these extra interfaces is that I'm going to be breaking a network down into little individual network segments for security reasons, and it's better if you can dedicate an entire interface to each individual network segment. That way you get better firewall throughput for all of your computers. Another appeal about these is that they also support AES-NI, which is good for VPN encryption.

Now you can download the installation software directly from OPNsense's website. Now there is a drop-down menu for the architecture type, but because it only supports one CPU type it doesn't give you any other choices really. But it does give you quite a few options when it comes to the image type. Now which one you pick depends on how you're planning to do your installation and what it is you actually want to install onto. So the default setting is VGA, and if you've got a physical computer, for example, and you want to create a bootable USB drive and boot from that, then just leave it on its default settings here. Now on the other hand, if you actually want to create a virtual machine and boot it from an ISO image, or you've got a physical computer that's got a built-in DVD drive and you want to boot from an ISO image, then you change the actual image type to DVD. Now normally with operating systems what I would do is I would just go for the ISO image, but what I found, and what I've seen in the actual forums, is that the imaging software that's used to create bootable USB drives does have a problem with the ISO image. So if you want to create that bootable USB drive you do want to make sure you go for the VGA option there. Other than that, it's a case of picking the closest server to you from the drop-down option here for the mirror location. So I'm just going to pick that, then click on Download, and it starts the actual download process.

Now the file that you've downloaded will be archived, and that's because it's been compressed into a smaller file, and if you've opted for the ISO image in particular you'll need to be able to extract that file from the archive in order to be able to use it. Now your typical Linux distro does actually come supplied with an archive manager, but operating systems like Windows don't, meaning you have to download and install one. So a common one that I use is called 7-Zip. So I've downloaded the executable and installed the software, and now that I've done that, what I can do is right-click on the file here, and then there's an option in the menu for 7-Zip, and then that opens up a bigger menu giving me options. So in this case I just want to extract the ISO image from that actual compressed file, so I'm just going to select Extract here, and then that'll give me the actual ISO image that I can use.

If you're planning to create a bootable USB drive then you're going to need some software that can take the image file you've downloaded and write it to a USB drive. Now your typical Linux distro usually comes supplied with that type of software, but Windows doesn't, in which case we need some additional software. For a Windows computer Rufus is a common option, so if we scroll down to the download section we've got a choice here of an executable and also a portable version. What I've done is to actually just download the executable itself. I've still got an image file here that I've downloaded which is compressed, and I haven't uncompressed it because Rufus can actually handle that. So what I'm going to do is double-click on the executable. I then get a warning message pop up; basically the application needs advanced privileges (User Account Control, for example): it needs to actually format the flash drive, so I've got to give it that permission, so I'll click Yes. It automatically detects my USB drive. Now if you do have multiple drives, do make sure you pick the correct one, because basically it's just going to completely overwrite that drive. Leave the boot selection on the default settings and then click on Select to actually tell it which image to use. Now I've got multiple files to pick from, but I want to make sure I pick the actual image file, so you can see we've got ISO files, but then we've got a .img file; that's the one that I downloaded to create a bootable USB drive. So we'll select that and click on Open. There's nothing else here I particularly want to choose, so I'm just going to click Start. It pops up a warning in my case because I've already got a USB drive that's been used in the past; it's complaining basically that it's got multiple partitions that are all going to be destroyed. I'm going to click OK because I want it to proceed. It then warns me again; it's basically just making sure that you know you are deleting everything, are you absolutely sure? So yeah, that's fine, click on OK, and then off it goes. It's going to delete all the partitions, it's going to completely rewrite this drive, it'll do verification afterwards, and then eventually I'll end up with a bootable USB drive.

Now I'm going to be installing OPNsense as a virtual machine on ESXi because it's going to make the actual recording for this video a lot easier, but the installation process is going to be the same even if you use a physical computer. I just want to point out a particular issue I ran into when trying to install this on ESXi. So we'll create a new virtual machine, click on Next. I'll just give it a name here. For the OS family we'll just pick Other; for the OS version we go for FreeBSD 13, and it's the 64-bit version because that's what OPNsense uses. Click on Next, tell it where to create this virtual machine, click on Next. The key thing I want to point out is this: the SCSI controller. It defaults to VMware Paravirtual, and I've found it actually ran into problems by just going with that specific option. It'll get so far through the installation process and it'll fall over because it can't write to the actual hard drive, so it's better to change that to LSI Logic Parallel. I mean, set all these other settings as you wish, but do make sure you change that SCSI controller setting.

Now whether you install OPNsense onto a virtual machine or a physical computer, the process is going to be the same. So we'll power this on, and then as soon as it gives me the option I'll click on the console window here. I don't really get much time to make any decisions when it comes to the actual boot process, but really it doesn't make any difference. What's going to happen is it's going to boot up from the installation image that I've provided this virtual machine, and then it's going to halt at a login prompt. So once it gets to that stage I'll bring you back.

Well, the computer is now booted up, but we're sitting at a login prompt. In other words, the actual installation process hasn't even started, and the reason for that, if you look at the welcome messages, is because it's booted into live mode. So in other words it's booted up the computer and it's giving us a working firewall, but we actually want to install OPNsense onto our computer, in which case I need to actually start the installation process. So to do that we need to log in as installer. It does mention higher up in a message "no such user installer", but it does exist. So I'll hit Return, then put in the password, which is opnsense, and then that actually starts the install process. It defaults to a US keyboard so I do need to change that, so I'll just use the up and down arrow keys to find my keyboard, then hit Return. I'll hit Return again because I don't want to actually test this keyboard; I know that it works. And then I've got a choice of either UFS or ZFS as the file system to install onto, in which case I'm going to opt for the more modern ZFS, so I'll select that and hit Return. Now if this had been a physical computer and I wanted redundancy, I'd have two drives and I'd opt for a mirror for the boot operating system, because that's usually what you use for an operating system. It's unusual to use any of these other RAID options for actual operating systems, so typically you'd say it would be the mirror. But in the case of a virtual machine, or if you've only got one hard drive anyway, you'd go for this option here, which is stripe, because when it comes to actual virtual machines all of the redundancy takes place either within the hypervisor itself, or you're storing onto shared storage such as a NAS or iSCSI, for example, and that's got redundancy built in. So it would be unusual to want some sort of redundancy for your hard drives in a virtual machine anyway. In any case, once you've made your choice hit Return. Now it then comes up with a list of drives that are available. Now I've only actually got one to choose from, so I'm just going to press the space key here to pick my drive and then I'll hit Return, and then it's warning me that it's going to basically wipe the contents of the disk. So I was just using the left arrow there; I had to change it from No to Yes, and off it goes and starts the process.

Now once that install process is finished it gives us a choice between changing the root password and completing the install. Now you can change the root password now if you like, but later on what we'll be doing is running an installation wizard the first time we log in, and one of the things that's going to ask you to do is to change the root password anyway. So in which case what we're going to do is I'm going to opt for Complete Install, and I'll just use the down arrow key to select that. What I'm going to do first, though, is I want to disconnect the CD drive. I'm just going to scroll down, tell it to disconnect that, disconnect anyway and override the lock, yes I do, come back and pick my virtual machine, hit Return, and then off it goes, starts to reboot.

Well, the computer is now back up and running, and we've got our basic installation of OPNsense onto this computer. You'll see in this console prompt here that there's no mention of it being in live mode; it has actually installed OPNsense onto the computer. And in my case I've got two interfaces: one's the LAN interface, one's the WAN interface. So whereas the WAN interface has obtained an IP address through DHCP, the LAN interface will always have this IP of 192.168.1.1. So for me to actually complete the installation process and then start managing OPNsense, I would need to connect a computer to the actual firewall. So typically you'd plug the firewall into a switch, plug your computer into a switch, the computer will obtain an IP address through DHCP because OPNsense actually runs a DHCP service out of the box, and then what you would do is connect to this IP address of 192.168.1.1 through a web browser.

Now I'm connecting this Windows computer to the same network that the LAN interface of OPNsense is connected to. So if I pull up the actual details for this interface here you can see that it's got an IP address of 192.168.1.100. It obtained this from the DHCP server 192.168.1.1, in other words OPNsense, and it's using it as its default gateway as well as its DNS server. So not surprisingly, when I point my web browser to https://192.168.1.1 I'm getting a connection to OPNsense, but the browser doesn't trust this certificate because it's self-signed, so I need to bypass that. So I need to click on Advanced and then just tell it to proceed basically, so we'll click on that option, and then it asks me to log in. So I'm going to log in as root and the password is opnsense. Yeah, so because we're logging in for the first time it's going to start an actual wizard just to complete that basic install. So we're going to click on Next. So I'm going to change the name if you like, and change the domain name. I mean, I'm going to leave the host name as is, but I'm going to at least change the domain name. I like to use Cloudflare for my DNS servers on the internet, so I'm going to put in the ones that provide some form of malware protection for DNS searches. But because OPNsense is getting an IP address on the WAN interface through DHCP, you can see there's an option here where any DHCP server that's provided over the WAN would override these, so I'm going to deselect that option. And by default it's set up to have its own Unbound DNS server, so we're just going to leave that set as is. I'm also going to enable these options to take advantage of DNSSEC, so there's one to enable the support as well as to harden DNSSEC data. Click on Next. You can change the time server, you can change the actual time zone if you like, so I'm going to make mine a bit more specific, set mine to London, and click Next.

It's then setting up the details for the WAN interface. Now you can set this up with a static IP address, for example, you can set up PPPoE, PPTP and so on. In my case I'm just going to leave this set to DHCP as is, because that's perfectly fine. The only thing I need to do is to disable these features: one is to block RFC 1918 private networks, as well as the bogon networks. That's just because this is actually connecting to another upstream firewall, so it's going to need connectivity to some private IP addressing on my actual network. If this was touching the internet I would have left those on their defaults, though. In any case, however you set the actual WAN interface, click on Next.

The next thing it wants to know is what do you want to use for the IP addressing for the LAN interface. Now in my particular case I don't like using these default IP addresses; it makes it easier for a hacker if somebody were to get onto this network, as that information is the default, and I don't like doing that. It's not really a good security practice to leave things on the default. So what we're actually going to do is we're going to change at least the third octet. In my network I use completely different IP addressing anyway, but for the sake of this demo all we're going to do is just change the third octet. If you want to make the actual network range bigger you can lower the actual subnet mask; if you want to make it smaller you can increase it. /24 is usually the typical for networks anyway. So click on Next, and now it's actually asking do you want to change the root password. So it gave us that option earlier on, but since it was going to ask me in the wizard anyway I thought, well, may as well just leave it until now to change it. So I'm going to put in the password that I want to use, but I would recommend something which is a lot stronger, a lot more complicated than this, and to use a password manager. To me this is the best time to do it, because you can copy and paste in a very long and complex password, whereas if you're on a console session, yeah, you wouldn't really get those options. So now that I've changed that, I mean it just said if you just leave it empty it'll stick to the existing one, but as I said it's better to not use a default password in the first place, so you do want to use something better. Click on Next, and then that's it. All we now need to do is click on Reload for the actual changes to apply. The only thing to bear in mind is I've changed the IP address, so there's a bit more work to get done.

Now because I changed the IP address of OPNsense, my web browser here has just basically timed out. In other words, it's still trying to connect to the old IP address of OPNsense, and it's going to keep trying, but it's just going to sit on this page forever. Another thing to point out is the computer I'm using is also holding on to an old IP address that it got from the DHCP server on OPNsense; in other words, OPNsense didn't force it to release the IP address and ask for a new one. So what I need to do first is to actually go to the actual network card for this computer. The easiest way, I think, to do it is to just disable the interface and re-enable the interface, and then if we have a look at the details of the network card now you'll see how the third octet has actually changed. Now this time around, for whatever reason, it's 192.168.100.10, but it doesn't really matter; it's really up to the DHCP server which IP addresses it hands out. Now I need to point this web browser to the proper IP address, which will be 100.1. Again it's a self-signed certificate that the web browser doesn't trust, so I need to accept that, and we'll now log in as root. I'm logging in with the password that I gave it during the wizard setup, and now we're connected into OPNsense and the basic installation is now complete.

Now this video is only really intended to cover the basic installation of OPNsense, and there are a lot more things that can be done to make this firewall better. But one thing I do need to do is make some alterations to the DNS service, and that's because, for one thing, the actual firewall is listening to DNS requests on the WAN interface by default, but also because of the way it's been set up, particularly in my situation, the DNS service isn't working the way I want it to work and my computers can't get access to the internet as a result. So if I go down to Services, and if I then go down to Unbound DNS and then to General, you can see here by default the network interfaces that it's using are All, which are recommended, but as I say I don't want that; I don't want this listening on an actual WAN interface. So I'm going to select LAN only and then I'm going to click Save, and then I'll click Apply Changes. Another thing that I need to do is go to Query Forwarding, because if I open a tab here, if I type in, say, google.com for instance and hit Return, it just basically times out. It can't actually get a connection to the internet. It's trying to go to that Unbound DNS server; the Unbound DNS server in turn is then trying to get to the root servers, but the way I've got this set up is that I'm restricting access to only the Cloudflare servers. So I need to come back here and I need to override this by selecting this option to use the system nameservers for query forwarding. So the actual DNS server is actually answering internal DNS requests, but it's not coming back with the response for public DNS resolution until I enable this box here. So as you can see, these were the servers I told it to use itself, but now it's actually going to use those for doing DNS forwarding, basically, for the actual computers on the internal network. So I'll click on Apply. If we then go back to my web browser and then click on Refresh, you can see I've now got access to the internet.

So what we've got is just a basic installation of the firewall. It is working, but it does need a lot more work. So for example, firewall rules could certainly do with improving; they're just too open. I do actually have a video that covers how to actually set up basic firewall rules, for instance, but there's a whole host of other things you can do with a firewall like this, including setting up plugins like Zenarmor, for instance, to give you a bit of visibility of your traffic and so on.

Well, thanks for making it to the end of this video. I really do hope you found it useful. If so, then do click the Like button and share it; that'll help get the video to more people who might find it useful as well. If you've got any comments or suggestions, please post those in the comments section below, and if you're new to the channel and you'd like to see more content like this, then yes, do subscribe. Just remember to set the bell icon to actually send you notifications when new content gets released, although I also post to Twitter as well as Facebook. If you'd like to help the channel and support it, you can actually make contributions through PayPal and Buy Me a Coffee. I've also got links to Patreon, and there's also the Join Membership option for YouTube itself. Patreon and YouTube members do have the option to actually benefit from early access as well. But above all, many thanks for watching this video. I'll see you in the next one.
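Editor's added example (not part of the video, and not code from the OPNsense project). The video writes the image with Rufus on Windows and warns you to pick the correct drive. Here is the equivalent on a Linux machine using the tools the video says a typical distro already ships, with the step a practitioner would want in front of it: checking the downloaded image against the checksum file published alongside it before anything is written, so a corrupted or tampered download never becomes your firewall. Assumptions not stated in the video: the download is the bzip2-compressed .img (so it is decompressed on the fly with bzcat, as Rufus does), and the checksum file lists it either BSD style ("SHA256 (file) = hash") or GNU style ("hash  file"); the file names and the /dev/sdX device in the usage lines are placeholders.

```shell
#!/bin/sh
# opnsense-usb.sh: verify an OPNsense installer image against its published
# SHA256, then write it to a removable USB stick on Linux.
# Added example; assumes a bzip2-compressed .img download (not stated in the video).

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_sha256 CHECKSUMFILE IMAGENAME -> the published digest for IMAGENAME.
# Accepts BSD style  "SHA256 (name) = hash"  and GNU style  "hash  name" / "hash *name".
# Both layouts are an assumption about the checksum file; adjust if yours differs.
expected_sha256() {
    checksums="$1"; name="$2"
    awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") { print $NF; exit }   # BSD style
        $2 == n || $2 == ("*" n)            { print $1;  exit }   # GNU style
    ' "$checksums"
}

# verify_image CHECKSUMFILE IMAGEFILE -> returns 0 only when digests match
verify_image() {
    checksums="$1"; image="$2"
    want=$(expected_sha256 "$checksums" "$(basename "$image")")
    [ -n "$want" ] || { echo "no entry for $(basename "$image") in $checksums" >&2; return 1; }
    have=$(sha256_of "$image")
    if [ "$have" = "$want" ]; then
        echo "OK: $image matches published SHA256"
        return 0
    fi
    echo "MISMATCH: $image (expected $want, got $have)" >&2
    return 1
}

# write_image IMAGE DEVICE -> refuses anything that is not a whole, removable block device.
# This is the Linux counterpart of the video's "make sure you pick the correct drive":
# /sys/block/<dev>/removable is 1 for USB sticks and absent for partitions like sda1.
write_image() {
    image="$1"; dev="$2"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    base=$(basename "$dev")
    [ "$(cat /sys/block/"$base"/removable 2>/dev/null)" = "1" ] || {
        echo "$dev is not flagged removable; refusing to overwrite it" >&2; return 1; }
    # stream-decompress straight onto the device, like Rufus does with the .bz2 (needs root)
    bzcat "$image" | dd of="$dev" bs=4M conv=fsync status=progress
    sync
}

# Usage (placeholders):
#   sh opnsense-usb.sh verify OPNsense-checksums-amd64.sha256 OPNsense-vga-amd64.img.bz2
#   sh opnsense-usb.sh write  OPNsense-checksums-amd64.sha256 OPNsense-vga-amd64.img.bz2 /dev/sdX
case "${1:-}" in
    verify) verify_image "$2" "$3" ;;
    write)  verify_image "$2" "$3" && write_image "$3" "$4" ;;
esac
```

The write step never runs unless the digest matches, and it refuses a partition (/dev/sdX1) or an internal disk, which is the failure the video's Rufus warning is guarding against. Compare against the checksum file fetched from the OPNsense mirror, not one that came bundled with the image from somewhere else.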
Info
Channel: Tech Tutorials - David McKone
Views: 14,727
Keywords: opnsense install, opnsense tutorial, opnsense firewall, opnsense install guide, opnsense install on pc, opensense install, how to install opnsense, how to install opnsense on vmware, how to install opensense, opnsense how to install, opensense how to install, install opnsense on vmware, install opnsense vmware, opnsense installation, opnsense, pfsense alternative
Id: -v7MFDpjI9g
Length: 25min 49sec (1549 seconds)
Published: Mon Oct 24 2022