HOW TO SETUP OPNsense: From First Boot to Fully Functional (with IPv6!)

Captions
Hello everyone. Today I'm finally making a video about OPNsense, my absolute favorite firewall/router distribution. I can't really call it a Linux distribution because it's actually based on FreeBSD, but it's an absolutely fantastic firewall/router that's great for small business and home users, and it's extremely powerful in what it can do and how good its web UI is. So today we're going to go through the basics of setting up OPNsense, the stuff that I do when setting up a new network, and we'll talk a little bit about what future videos I have planned for this topic. So come along with me on this adventure.

So what kind of hardware am I using to try OPNsense? Well, if you watched my homelab tour (link up here), I'm using a Protectli FW4B, and that's a relatively older model of their Vault, but it runs OPNsense very, very well and I'm very happy with it. So for this video Protectli was kind enough to send me their FW4C, which is the 2.5 gig version of the Vault that I have. They offer these pre-installed with OPNsense, you can get them that way. So here it is. It looks pretty much identical to the FW4B that I have and have been using for a few years now. It's got a 12 volt DC barrel jack and four RJ45s; this one has four Intel i225-V3 2.5 gigabit NICs, the slightly cheaper FW4B has Intel gigabit NICs. On the other side you've got USB 3, a headphone jack (I don't know why you'd do that on a firewall, but whatever), two HDMI and an RJ45 COM port. This is the Cisco-style terminal port; you can set this up in OPNsense if you want to use a text terminal for monitoring, which is a lot easier if you're in an environment where you don't have a keyboard and mouse handy, that kind of thing. So it comes with the DC supply and a power cord. It's a 40 watt supply, although it probably won't use that much; I'd expect about 16 watts power consumption for the device by itself with no accessories. It comes with a DB9 serial cable if you want to console into it.
I actually have one of these with USB built in that I'm going to use, but whatever you like. A VESA mount if you want to mount it on the back of your monitor; it also has holes to mount it on the wall if you want to mount it on your wall instead, and screws for that.

So why would you need 2.5 gig versus one gig, or even 10 gig or higher, for your firewall? There are really two questions to ask. First is how fast is your internet, and second is how many VLANs do you plan on having and what traffic is going to flow between those VLANs. Now you might not be able to answer both of those questions right away, but hopefully by the end of the video you'll be able to understand what I'm talking about. Essentially all of your traffic going to and from the internet has to pass through this box, so if your internet speed is faster than gigabit then you'll need faster-than-gigabit adapters here, and all of your hardware connected to this will also need to be faster than gigabit if you expect to get faster than gigabit to the internet. The second one is a little bit trickier to answer. If I have two servers that are both connected by 2.5 gigabit to a switch but they're on separate VLANs, they'll only be able to talk to each other as fast as they can go through the firewall. So if I have a single 2.5 gig connection from the firewall to the switch, they can do 2.5 gig half duplex, so one stream in one direction. If I want to have a lot of traffic going between VLANs it could potentially saturate even the 2.5 gig on this, and pretty certainly a one gig on a slower box. So this is where you start talking about things like a 10 gig firewall/router even if you only have 100 megabit internet, and it's because you want to do a heavy amount of VLAN segmentation and a lot of filtering between those, where you need the high-speed hardware for your inter-VLAN traffic to come up to the router and back. As to how much CPU resources you need for your
router, I can't tell you that right now, but I'm planning on doing a video in the future testing ntop and some of the other more intense logging and DPI packages in OPNsense, so stay tuned for that video.

So now that we have hardware and we're ready to set it up, let's plug in our interfaces. If you buy a box pre-configured from Protectli, the WAN port will be WAN and the LAN port will be LAN. If you're doing it on your own, then the first adapter will be LAN and nothing else will be configured. So when you boot this thing up, if it has a PC speaker it'll beep and sing a song; that's how you know it's booted up and ready to go. Then you can plug it into your laptop and it should get an IP address on the 192.168.1 network. So we're going to connect to it in a web browser at 192.168.1.1, that's the default IP address for completely default settings. The username is root and the password is opnsense, no capitalization for either one.

Now it's going to take us to the first-start wizard, and here is where we're going to set up our ISP internet connection, so the wizard will guide us. First up we get to choose a name for our system. You can pick whatever you want, but I like things like firewall or router, whatever that is, so we'll call it firewall. Next up you can pick a domain. Whatever you do, don't pick something ending in .local; .local is reserved for mDNS and you are not using mDNS with this. So you can pick something that's not in use around the world, or you can pick a domain that you own or a subdomain that you own, or like home.lan or whatever you want, so we'll say home.lan. And here it gives us options for DNS as well: we could add a DNS server to forward to, we could allow it to use DNS servers from the WAN interface, or we could choose to be a resolver, and I'll get into more on that in a bit. So we're just going to leave it as the default here. Set our time zone, America/Detroit. So now the most important part of the first-run setup: we need to set up our internet connection to our
ISP, and first we're going to do this for IPv4. So if your ISP hasn't given you any information you're probably going to want to pick DHCP, so IPv4 type DHCP, and you're probably going to want to leave all the rest of this at the default unless you have a good reason not to. If you're using a business connection or something else with static IPs, or if you've bought more than one IP from your ISP, they might give you that information statically, in which case you can set up static instead of DHCP. If your ISP is pretty old school they might also use PPPoE, so they've given you a username and password that you need to connect, not just for a web interface or things like that but to actually connect to the network; then you'll have to use PPPoE and those options here, the PPPoE configuration. In my case, like most ISPs, I'm going to be using DHCP, so it's going to give me an address from the DHCP server of the ISP.

Now there are two check marks on here that are important no matter what ISP you're using or connection type. The second one I'm going to describe first: it's Block bogon networks. So there's no more IPv4 space at all left to assign from IANA, it's all gone, you can't buy it anymore. However there's some space that's reserved by RIRs for IPv6 transition, and so that space hasn't been allocated yet. There are also some allocations that are special, like the documentation prefix (like 203) and the localhost prefix at 127, and those are not routable on the internet. So Block bogon networks will block those specific subnets from coming in on your WAN interface. Usually you want this checked unless you're doing something really special in a home lab. The other one, the first one, Block RFC 1918 networks, this is a bit more special. So if you've done networking for a little while you might be familiar with like 192.168, those sorts of subnets, which are for free use by anyone on private networks. So those networks are 192.168/16,
172.16/12 and 10/8. So if you've seen a network start with 172.16 or 192.168 or 10., it's part of this RFC 1918 reserved private space, and anyone running a private network can use these IPs on their own. So in general your ISP should not be giving you an IP in the RFC 1918 private space. However some ISPs are giving addresses in the 10 space for things like that; in that case you'd have to uncheck this box. OPNsense also lumps the carrier-grade NAT prefix 100.64 into this space even though it's not really RFC 1918, and so if your ISP is using carrier-grade NAT you'll almost always have to deselect this box. So that would allow RFC 1918 addresses in on the WAN. Also if you're home labbing and you're behind another router you'd have to deselect this as well. In my case my test setup is using carrier-grade NAT, so I'm in the 100.64 space, so I have to uncheck the box.

So next up we need to choose a subnet for our LAN interface. Now most people will choose 192.168.1 as their home network and that's a valid choice, but you don't want to be overlapping with other people's subnets, especially if you want to VPN to your friend's house, or if your work or some coffee shop might be using that network, then you can't VPN home. So what I recommend people do is choose one of the three RFC 1918 prefixes, so 10, 172.16 or 192.168, and then randomly generate all of the numbers that they're not using. So if you want a /24, which is standard, you would need to generate the first three octets randomly, so you'd be 10.blank.blank or 172.16.blank or 192.168.blank. So in this case I'm going to use the 10 network and I randomly generated two numbers, 212 and 46.
So 10.212.46, and then the first address will be the router's, that'll be .1, and our subnet mask will be a /24. If you know you need to have more devices on your network you can expand this, but a /24 is usually good for home users. And the last step in the wizard, we need to set a new password. So by default I said the password's opnsense; you're going to want to pick something more secure. What you choose is up to you, but type it in here, and now that it's done we reload to apply changes. So at this point, because I changed the LAN interface to be the random subnet of the 10 network, I'm not able to connect anymore. So now that my new OPNsense router is set up I need to connect to it, so 10.212.46.1; obviously you choose whatever random numbers you used because that's your new subnet.

So before we get back to our setup process, a quick primer on how we get subnets for IPv4 and IPv6. So this is essentially the network we have right now. The ISP comes in and assigns an IP address to our router over DHCP; in this case it assigned 100.69.96.119. So this is our public IP address. It's not really public because it's carrier-grade NAT, but if we weren't behind CGNAT right now, that's what it would be. My laptop has this address, 10.212.46.10, so that's on our private subnet that we defined earlier. So when my laptop wants to send a packet to the internet it'll set the destination and the source, so it says to and from, and so it's like "I would like to send a packet to 1.1.1.1 and I am 10.212.46.10", and that way the other side, when it gets the packet, knows it has to send the packet back to this address. So then at this point we send the packet out to the router. The router says "oh no, this 10 is a private address, we can't have that", so it changes it to be 100.69.96.119, and that is called network address translation. It might also translate the port too, but that's beyond the scope of this. So now it's pretending that it is the one that sent the packet, and it sends it on to the ISP. In this case the 100 is carrier-grade NAT, so
our ISP is going to translate it again into something else, so it says "no no, our real address is 6.42.96.7", and that's the ISP's carrier-grade NAT server, and then it sends it out onto the internet. So when the packet comes back it has to get untranslated back to our router, which has to untranslate it again into 10.212.46.10, and then it can send it out to the destination. So that's how our replies get back, because every node that's doing that has a table of all of the mappings they've used, so when packets come back from the internet they know where to go.

So IPv6 is a little bit different. Instead of asking for a single address from our ISP and hiding all of our nodes behind that one address, we ask for a range. So we could ask, and it might give us something like 2001:db8:69:69, and this would be a /56. So our ISP gives us this whole range and says "this subnet and everything below it is yours". So we then take that, and we say okay, we're going to make one subnet out of that, so we say okay, we're going to use subnet one and turn that from a /56 into a /64.
And then our client says okay, I'm going to take that subnet and give myself an address on that subnet, and the address it gives itself might be something like [inaudible]. So now my client has a full address that's part of... did I do too many? No. So the client has a full 128-bit address that's part of our 64-bit subnet that's part of the 56-bit subnet that our ISP gave us. So we're taking the large prefix from our ISP, we're breaking it down into subnets, and then our clients are assigning themselves their host part, which is the end of the IP, on that subnet. So anyone on the internet can see this long address and it means specifically this computer.

Now I'm sure a lot of you are screaming about privacy right now, and there are two things to consider here. First of all, your IPv4 address wasn't private before. So in the past if you had a public IPv4 address it would be, I don't know, 6.78.9; people could still track that, your router still had that address. The only thing you were anonymizing was which specific computer in your house; those were all anonymized behind your router's address, but your house was not. And secondly, in IPv6 we have essentially that same level of anonymity, because individual hosts choose their suffix and they'll randomly regenerate it roughly every 24 hours. So especially modern iOS, Android, Mac and Windows devices, they're going to regenerate that 64-bit suffix on the end over and over and over, so you can't track the suffix. They'll also generate new suffixes for every network they're on. Linux systems can do this too, but they usually disable it by default so that servers have more stable addresses, and you can also add both a stable address and an unstable privacy address at the same time and use them both for different reasons.

So now when we set up IPv6 in OPNsense, we're expecting to get a prefix from our ISP, from which we are going to delegate a single subnet out of our prefix. So they gave us this range which has two zeros for us to fill in, we filled
in those with 01, we gave that to our LAN. So this is where we have to configure in OPNsense how we get the prefix and how we break up that prefix to our individual networks.

So everything is working for me; let's take a look at some steps you might take to debug if it's not working for you at this point. So the first thing I'm going to do is go to Interfaces > Overview here and look at the WAN interface. So we should be seeing DHCP up, DHCPv6 up; this means we found the ISP's DHCP server when we're connected. So we have a MAC address, that's our router itself; we have an IPv4 address, that's our router itself; and we have an IPv4 gateway, that's our ISP. Next up we have the IPv6 link-local, and this doesn't really mean anything because there's a link-local on every single IPv6 subnet, so the fact that we have one just means IPv6 is enabled. Next up we have an IPv6 address; this is a /128. So your ISP may or may not give you a v6 address over DHCP; they're not required to, but usually they do. In this case it's outside of our normal subnet for our delegation, and that's fine. Then they've delegated us this subnet, so 9900c, a /62; that's what we use to make our subnets. And in this case we auto-detected the gateway and it's an fe80, so the gateway is a link-local address; that's perfectly fine, that's our ISP's gateway. They gave us two DNS servers, one for v4, one for v6. You can query DNS records over v4 or over v6; it doesn't matter what type of query you're doing, all of them can be answered either way, so it's very likely all of your DNS traffic will go over v4 or v6, it doesn't matter. So we have 1000BASE-T, so it's gigabit, that's what I'd expect with this, and we have some packets going, so that's looking good. One more quirk to check is if your subnet mask here in IPv6 is not a /64,
it could be a problem with the prefix delegation. It's sort of a bug in OPNsense, I'm not entirely sure what they're thinking, but basically we have to make sure that the prefix delegation we request from the ISP matches the prefix delegation we actually get. So if we go down here to the WAN interface we'll see what size our delegated prefix was; in this case it's a /62. So then we're going to go to Interfaces > WAN and we're going to ask for a /62. So in most cases you'll start with a /48 and see what you get; the ISP might give you nothing if you ask for too big. You can also check this box that says Send IPv6 prefix hint; that'll tell the ISP what size you'd actually like. Usually you should request a /48, see if that fails, then try a /56, see if that fails, try a /60. If they're giving you less than a /60 they're probably a pretty bad ISP, or they're a mobile ISP; mobile ISPs tend to give out /64s, they might do it a little bit differently. So whatever size you end up getting, come back here to Prefix delegation size and put it in, so it'll ask for the same size as what it's actually getting; that way some of the calculations it does in the tracked interface work correctly.

So if you still don't have connectivity, or if you have static addressing and you're not sure if it's right, maybe the thing you want to look at is either the routing table or the gateways. So if we go to System > Gateways > Single we can see our gateways here. So you're always going to have at least two gateways, one for v4 and one for v6, and if you're using DHCP on the WAN it'll create them for you automatically, so WAN DHCP and WAN DHCP6. If you're using PPPoE they should also be created here automatically. If you're using static addressing the wizard will create them for you the first time, but you'll have to update them here. So in this case this gateway, that's your ISP's default gateway for v4, and then this is the gateway it auto-discovers for v6. It shows them online, but it's not doing monitoring. If we want we can enable gateway monitoring here, so we
just uncheck Disable gateway monitoring; I'll do that for both of these. Now it's basically going to ping the gateway continuously and tell us what the ping time is and if it's up. If you have more than one WAN interface this would be used for your WAN failover. I like to enable it just to keep track of the gateways; I kind of graph this data over time. So we should start seeing data pop up pretty soon here. There we go, 0.2 milliseconds, that's about what we expect for a local connection. In my case I found that the v6 gateway has a much lower ping than the v4 gateway; it's probably just an artifact of how Comcast's network is managed, but that's what I've seen.

Another tool that's really useful for troubleshooting is looking at the routing table. So for that we go to Routes > Status, and it shows you only 10 by default, but I'm going to show all. So the first column is Proto; it's going to be either IPv4 or IPv6, then the destination, and then where the route goes to. There are a number of flags here; if you look up BSD route flags, this is basically the output of the BSD route command. So essentially the way the routing table works is there is a list of all the possible destinations that it knows about. They could be a single address, they could be a subnet, or they could be all, which is default, and the most specific route wins. So if I have a route to 10.212.46.0/24, that entire range would go out on link number one because that's the gateway; however this 10.212.46.1, that's a more specific route, so I would prefer this route in the table over this route. If it doesn't find it in the routing table it goes to default. So there's an election process for default gateways if you have more than one WAN interface; I'm assuming you only have one WAN interface, so you should have a default gateway that should be your ISP's gateway. And finally, OPNsense has a built-in ping and traceroute tool that you can use. You can just go up to the search box and search for ping and click on it, it'll take you there, or
traceroute, or also DNS lookup. So all three of those can be useful to help in debugging when you're trying to get your WAN interface set up.

So one final step in our initial setup before we start hardening is how we want to handle our IPv6 LAN network. So OPNsense defaults to using DHCPv6 on the LAN and I'm not a fan of that, so let's look at how we can configure that. So you come over here to Interfaces > LAN. So by default it has it set for static IPv4 and IPv6 track interface. So static means we have manually defined the address; in this case we set our randomly generated subnet. And track interface means it's going to use a prefix delegation from the ISP; in this case it's using prefix ID 0. Now here it says Allow manual adjustment of DHCPv6 and router advertisements; we're going to check that and save and then apply.

So in IPv6 there are two ways of distributing addresses to clients. One is DHCPv6, which is sort of, for clients, a holdover from IPv4; in general you don't want to be using this for clients. DHCPv6 is really good for prefix delegation to routers, and that's what we're using on the WAN side, but on the LAN side we should be using a technology called SLAAC, or stateless address autoconfiguration. So in IPv4 there were a number of protocols that all did little bits of things and they had to work together to get a cohesive IPv4 network. So we had ARP, which we had to use to discover MAC addresses on the local network; we didn't have any way of detecting if two people had the same IP address, it would just break everything; we used DHCP to statically allocate addresses to clients from the server, so they would request an address from the server and they'd get a single address; we also had ICMP, which we could use mostly for pings, we didn't really do much else with it; and a number of other protocols. In IPv6 all of this is condensed into a single protocol called ICMPv6, and this replaces ARP, it replaces duplicate address detection, which is something we didn't even have before, it
replaces... it can replace DHCPv6 for clients to get an address, with a whole lot more functionality available. Now it can replace sending DNS servers and other options to clients and things like that. So in general, configuring the router advertisements, which is one of the features of ICMPv6, is something we have to do now in OPNsense for IPv6. So to configure them we come in here to Services > Router Advertisements and we click on our interface, which is LAN. So because we said we wanted to configure them manually, they're not configured. So we have a number of options here for how we want to set them. If we look at the help for this, this is essentially setting the M, O and A flags. So if you hear a lot of networking people talk about the M flag, O flag, A flag, those are different bits in the router advertisement that describe what capabilities the router has to the client. So in IPv4 the client would just broadcast to everyone, "hey everyone, I need an address", and the DHCP server would send an address back saying "you can have 10.212.46.69",
and then it would get that one address, that'd be its address. In IPv6 any router can broadcast itself and its prefix, so what its subnet range is, and whether clients are allowed to use that prefix on their own. And a client could connect to more than one router at the same time, talk to all of them, get an address from all of them and then use all of them, and that's a perfectly valid thing in IPv6. So when the router is broadcasting, it's broadcasting itself, whether or not it has internet access, so whether it's a default gateway or not, its prefixes, any additional more-specific routes it would like to push, whether clients are allowed to connect via DHCPv6, which is the stateless or the managed flag M, and whether or not they're allowed to self-assign an address. So usually we would like the A flag, which is SLAAC. If you have some really old clients, think Windows 7, it supports RDNSS... maybe it doesn't. If you have like Windows 10 and newer, and like I don't know, the last five or six years or so, you should be fine to use only SLAAC. So at some point Microsoft added support for RDNSS, which is to send DNS servers over router advertisements, and essentially that made DHCPv6 obsolete for clients. So we're going to use Unmanaged, and router priority can be Normal. If you have more than one router on your network you could set this to low, high or normal; this is how clients elect a default gateway on their own. Like I said, unlike in IPv4, you're allowed to have more than one router in IPv6 and clients use this to elect their own default gateway. Normal is very normal. So your options here: you can check Use DNS from DHCPv6; that's usually a good option. If you have your own DNS server internally you could put that here instead; if I uncheck this you can put your own DNS servers here, and they'll get published over RA, or RDNSS. And you also have the domain search list. So in DHCP it sends out the domain for clients to use, so when they connect and they get a DHCP address they get both a DNS server
and they also get a domain name, and that is used for local discovery, so DNS service discovery and things like that. So in this case it would be sending out home.lan as the DNS search list to clients. So if we just check Use DNS configuration from DHCP it'll do that automatically. So we'll save that, and we'll go to DHCPv6 and make sure our DNS settings look good there too. So in this case we're not going to enable the DHCPv6 server, because modern clients should be using the RAs with RDNSS and they shouldn't need DHCPv6. So in this case the DHCPv6 server is going to default to using our own local DNS server, and that's what we want, that's good. Now one case where you might want to enable DHCPv6 is if you're doing network booting; that's one feature that doesn't come with the RAs. So if you're doing network booting you have to enable DHCPv6, and then you need to use the Assisted flag instead of the Unmanaged flag. So in Assisted mode clients can choose to use either SLAAC or DHCPv6 or both. You could also use the Stateless mode instead, where they use SLAAC to get an address but they're allowed to query DHCP servers for options only, but not for an address.

So now it's time for hardening. In general OPNsense has very good security defaults, so it'll block all traffic, all of it. There are a couple of exceptions by default: if you're using DHCP it'll allow traffic from your ISP's DHCP server, and if you use the wizard it'll allow traffic from your LAN to go anywhere. And so that means we can get out to the internet right now; the internet can't get back in. That's a pretty good default and we're going to stick with that, it's pretty good. So the first hardening step isn't even going to be to touch the firewall; we're going to look at DNS first. So if you've run the wizard you'll be using Unbound for DNS. Your clients will be getting the address of your router as their DNS server over DHCPv4, and RDNSS over v6. So if I ask my laptop what its DNS server is, let's see what we get. So if I dig, it's going
to do a DNS query to google.com. So we got an answer that's an A record, so that's Google's address, but this is the server's address, and in this case this is the IPv6 address of my OPNsense box. So perfect. So we always want to give clients our router as their DNS server; from there we can make security choices for them, assuming we trust our OPNsense router, which you probably do if you're running OPNsense.

So where does OPNsense get its DNS information from? That's the key. So in general the DNS protocol is designed for record authentication but not for transport layer security. So if we query a DNS server and we get a DNS record back, if that domain has enabled DNSSEC we can verify cryptographically that the DNS records we got are correct, so someone hasn't tampered with the records. However anyone on the wire looking at that could have intercepted that traffic and read it. That's not particularly sensitive, it's the DNS name of the site, so it's not the full URL but just the host name, but it's still somewhat sensitive information we don't want to be leaking to everyone. If you're in the US, ISPs have been known to be collecting and selling that information, which is very unfortunate, but it does happen. Another unfortunate thing is that because we're connecting to DNS servers by their IP address, it's very hard to validate them by name. So if we want to connect to Cloudflare, for example, they're well known to be 1.1.1.1, but how do we validate that the results we're getting are actually from the real Cloudflare and not from some server impersonating 1.1.1.1? It's very easy for a router on the wire to modify the packet header to change the source and destination address. So if we send a DNS packet to 1.1.1.1 there's no guarantee that someone on the wire didn't take that packet, answer the query correctly and return it to us as if it was 1.1.1.1. We can verify that they answered correctly, but not that they were actually 1.1.1.1; we can't verify they're actually Cloudflare. So
that's a problem with traditional DNS on port 53. So depending on your security stance we have three options for DNS. Our router is always going to be the caching DNS server for our network, so all of our clients are going to go to our router. Our router can either go upstream to our internet service provider; they will probably have a DNS server that's relatively good, it might not be great but it's probably relatively good, and it's probably going to have a lot of common websites in cache already, so it should be pretty fast. So that's option one. Option two is we could be a recursive resolver. In this case we're going to use the well-known anycast IP addresses of the DNS root servers; we're going to connect to the root servers, ask them where is com, then ask com where is google, then ask google where is google.com, and it's going to go down this chain of DNS records finding the NS records for the servers, resolving them, resolving the addresses, and this is what most ISP DNS servers are going to do on their own. Now both of these options are using traditional DNS, port 53, so your ISP could be snooping our traffic, could be redirecting it to their servers, we don't know. In a lot of places DNS blocking is essentially mandated or commonly done; if you're in an environment where you're very restricted, so especially enterprise and organizational networks, they will often restrict that you must use their DNS servers, for blocking reasons or whatever, and in that case you'll have to use the upstream from the LAN provider. Now the third option is to trust an external resolver and connect to it over DNS over TLS or DNS over HTTPS. Unbound supports DNS over TLS, so I'm going to show you how to connect to Quad9, a very popular non-profit resolver, over DNS over TLS. So here's Quad9's website, quad9.net; then I clicked on more options, so it's going to show me the TLS names. So one advantage of DNS over TLS is we're connecting to it by IP address, but we're verifying the connection by
hostname. So in this case we're using dns.quad9.net, and it's going to use a TLS certificate like a website would to verify that we're actually connecting to that resolver, not just anyone. So we're going to go here to Services > Unbound DNS > DNS over TLS. So let's add the Quad9 server; so over here their addresses are 2620:fe::fe and 2620:fe::9. So we put the IP here, and we need the CN, so this is the name on the certificate, and that is going to be dns.quad9.net. So let's save that, and let's also add the other one, 2620:fe::9, and that again is going to have the same dns.quad9.net. So let's save those and apply. So one other thing we have to change here is in System > Settings > General: we uncheck Allow DNS servers to be overridden by DHCP on WAN. We'll save that. So we go to on.quad9.net and it says yes, we are using Quad9. So we're set up.

So one last security feature you're probably used to is opening ports for things like games or your peer-to-peer applications, essentially port forwarding, and the IPv6 equivalent. So let's see how we set that up in OPNsense. So if you have a specific application like a game, it's probably going to tell you what TCP and UDP port numbers you need, but you can also go here to Wikipedia's list of TCP and UDP port numbers and you'll find essentially everything important. So in my case I would like to open a port for Doom, which is on port 666, great number. So next up I need to find my IP address. So in this case I know my interface is en14, so on macOS they'd say ifconfig en14; on Linux you'd say ip a, and on Windows you'd say ipconfig /all or something like that. So my IPv4 address is 10.212.46.10 and my v6 address is this long thing here. Note how it says "secured"; every operating system has a bit of a different syntax for that. On macOS, "secured" means it's the permanent address; "temporary" would mean it's the privacy address. Windows will say things like that too, I don't remember what the exact wording is, but in this case I need the secured address because that's the
one that's not changing for privacy reasons. So now we go back here and we go to Firewall > Rules > WAN. So I'm going to create a rule on the WAN interface because I want to allow connections in to my network from the WAN, from the outside. So we're going to add a rule; it's going to Pass, it's coming from the WAN and the direction is In. In this case the protocol is going to be IPv6 and we're going to use TCP. So Source could be any, so it could be from anywhere on the internet, and the Destination is going to be Single host or Network; then I'm going to take my long v6 address here and paste it in there, /128. Destination port range: you could have a well-known port, I'm going to say other, I'm going to use 666, that way I can play Doom. If you want to log packets you can do that too, and you can add a description or a category; these aren't really used by the system, they're just for your own benefit. So this would be gaming, and description, we could say what we're doing: to my laptop. So let's save that. When we're done we have to click Apply. Oops, supposed to be a /128.
so that's how easy it is to let someone on the land side connect to our computer over IPv6 it's a little bit more complicated for ipv4 because you have to deal with port forwarding so let's do with port forwarding now so in this case we've got a firewall Nat because we hate Nat port forward we're going to add a rule here for that so again interface is going to be Wan we're an ipv4 this time and then protocol is TCP the destination is in this case is going to be this firewall so that means that the person on the outside has requested our public IP address and the port range they requested is going to be again other that's the port of Doom and then redirect Target IP that's the IP address within our private Network so I'm going to go back over here copy my own address paste in there it's a single Hoster Network that address and the same port again I can give it a category you can say gaming so we have two options at the bottom that are very useful the second one filter rule Association add Associated filter rule that will automatically that will automatically create a rule in the firewall to allow this traffic Nat is not a firewall it's just a method of translating ports so by adding a Nat rule here we're allowing the port 666 traffic to be translated to our internal destination IP however the firewall still has to allow that traffic so with this ad Associated filter rule does is it automatically creates a firewall rule that's matched up with this net rule to allow the traffic through because we've created an App rule so presumably we also want to allow it through the firewall net reflection is another tricky one so essentially what net reflection does is when a client on the local system tries to connect out to our own public IP should it allow that traffic to reflect back to the internal IP you might hear it called a hairpin Nat usually I like to enable this however if you use IPv6 you won't have this hairpin problem it'll just everything will disconnect to each 
other correctly by its Global IP but if you're using Legacy V4 you might have to enable a hairpin routing here so we'll save that and again we'll apply the change so now I can let people connect to my Doom server on my laptop on Port 666 on both V4 and V6 so we're 37 minutes into this video now and I've run out of time to cover any more topics in open sense this is such an incredible piece of software that it's just not possible to cover it all in one video so I'm going to start a series and I'm looking for your input for future topics in the series I already asked my friends on Discord and they told me they wanted let's see basics of multiple subnets and vlans and routing and filtering between them so that's coming up they also said analytics and traffic monitoring so that's coming up too also on the to-do list VPN server and VPN client possibly two videos possibly one they're kind of related and uh yeah so those are the things on my ideas list for opensense if you've got anything else you want to see let me know in the comments below as always feel free to jump into my Discord server link down below for that I have a Blog too you're welcome to follow or subscribe or whatever you want to do um if you like to make any tips I have a Kofi account it's not monthly or anything like patreon but feel free to support me there if you're interested and as always I'll see you on the next adventure
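As an added example (not code from the video or from OPNsense/Unbound), here is a small Python client that does what the Unbound DNS over TLS page above is configured to do: it connects to Quad9 by IP address on port 853 and verifies the TLS certificate against the CN dns.quad9.net rather than the IP. The Quad9 addresses and hostname are the ones shown in the video; the query name quad9.net and the transaction id 0x1234 are arbitrary choices for the demo.

```python
import socket, ssl, struct

# Quad9 endpoints as entered in the Unbound DoT page: connect by IP, verify the cert by CN.
QUAD9 = [("9.9.9.9", "dns.quad9.net"), ("2620:fe::fe", "dns.quad9.net")]

def build_query(name, qtype=28, txid=0x1234):
    """RFC 1035 wire-format query; qtype 28 = AAAA, 1 = A; RD bit set."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):
    """Advance past a domain name, plain labels or a 0xC0 compression pointer."""
    while data[off] != 0 and data[off] < 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] >= 0xC0 else 1)

def parse_addresses(resp, txid=0x1234):
    """Return A/AAAA strings from a response; reject a wrong ID or an error rcode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0xF:
        raise ValueError("bad response: id %#x rcode %d" % (rid, flags & 0xF))
    off = 12
    for _ in range(qd):                          # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28):
            addrs.append(socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata))
    return addrs

def dot_query(ip, cn, name, qtype=28):
    """TLS to ip:853 (RFC 7858); the certificate is checked against cn, not the IP."""
    ctx = ssl.create_default_context()           # chain and hostname verification on by default
    query = build_query(name, qtype)
    with socket.create_connection((ip, 853), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=cn) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)       # DoT frames each message with a 2-byte length
        reader = tls.makefile("rb")                               # buffered reader: read(n) blocks for n bytes
        resp = reader.read(struct.unpack("!H", reader.read(2))[0])
    return parse_addresses(resp)

if __name__ == "__main__":
    for ip, cn in QUAD9:
        print(ip, "->", dot_query(ip, cn, "quad9.net"))
```

If the CN does not match the certificate the resolver presents, `wrap_socket` raises an `ssl.SSLCertVerificationError` before any query is sent, which is the same failure mode Unbound's verification gives you when the CN field on the DoT page is wrong.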
Info
Channel: apalrd's adventures
Views: 30,166
Id: Yb7JdIFriKI
Length: 38min 15sec (2295 seconds)
Published: Mon Aug 28 2023