OPNSense: Protect Your Home LAN With a Transparent Filtering Bridge with Step by Step Instructions

Captions
Today I'm going to show you why the home router you're currently using sucks, and then we'll look at how to make your network effectively bulletproof against most every type of cyber attack. Because here's what we're going to do today: we're going to use OPNsense to build a cheap two-port transparent filtering bridge that you put in line with your existing cable, DSL or fiber modem. Packets come in, they get inspected, filtered, and then passed on to your network when it's safe to do so. And best of all, it requires zero changes to the rest of your network config, which has no idea that it's even there keeping you safe. Let's get to it.

Hey, I'm Dave, welcome to my shop. I'm making this video by popular demand after my most recent episode, which was dedicated to making the best of a bad situation: how to fortify your existing home router as best as possible. And this is true whether you have cable, DSL, fiber or even satellite. You should definitely watch that episode too, but you can watch it afterwards, as the order in which you do things doesn't really matter. Now, near the end of that episode I made reference to two popular security packages, pfSense and OPNsense. Now, you might already have the general idea that some people build little boxes like Pi-holes that they attach to their network to do things like ad blocking and DNS, but we're going to go many steps beyond that by including features such as IDS, or intrusion detection systems, and IPS, or intrusion protection systems. We'll also install antivirus directly on the router to catch threats before they even get close to your PC's own defenses.

Now there's just one arbitrary choice that we have to make, and that's to choose between pfSense and OPNsense, which are very similar. That's made both easier and more difficult by the fact that OPNsense is a fork, or a derivative, of pfSense, so they're actually related. People have done entire episodes on which one to pick, but let me fast forward past all that and just select OPNsense as our choice for today, mostly because I prefer the UI and the configuration system. So OPNsense it is. Now, if you did want a video on pfSense instead, I'd like to point you to one by NetworkChuck, and I'll put a link in the video description. Now, I don't know Chuck, but if I were to describe him I'd say he's like the jolly younger cousin of a long gray-bearded network administrator. His beard isn't gray just yet, but it'll get there one day, all the faster for the fact that he's clearly hepped up on some serious coffee, because nobody is that friendly and ebullient all the time. He makes some great content though, and even has CCNA classes, so if you ever wanted to be a Critical Care Nursing Assistant or whatever that is, he's your man. Link in the video description.

There are in fact quite a few videos on YouTube about OPNsense, but the thesis of most of them is that same "your home router sucks, replace it with this", and heck, I'll probably steal that well-worn idea for my own thumbnail, so I'll confess here. But it's still kind of bogus, because that little home router that you got from the cable company does more than one job. First of all, it's a physical bridge from, like, coax to Ethernet, because if you have cable, that coax cable coming into your house is useless to you without this box. In other words, you can't just throw it away; you need it, or at least some of it. Second, it routes packets between the internet side and your home LAN. It uses NAT, or network address translation, to allow many devices in your home to all share your single public IP address seamlessly, and it presents a firewall that blocks incoming connection attempts that are not previously authorized. And third, if it has more than one port, as most such routers do today, then it's also a switch. So when they say "throw it away", which part? And how do you throw away just that part and keep the others? And that's the rub: you usually can't.

Now, the closest that you'll get is to place your ISP router, or whichever router you've purchased to work with your ISP, into bridge mode. This means it turns off its DHCP, its NAT and all the other router-style features and just dutifully shovels packets to and from the internet without a care in the world as to what's in them. You then need something behind that box to do all of the security, gateway and router related functionality that your ISP's modem had been doing all along. "Who are you?" "I'm fine, thanks. Who are you?" Rest assured that OPNsense can do all that and much more, but at minimum that means you've got a new router to learn, a firewall to set up, rules to configure, ports to forward and all that. And in fact, when we set it up, that is the default: if you don't go out of your way to do it differently, OPNsense will serve as a security layer, router, NAT, DHCP, all behind your existing one on the ISP modem. It would still work great except for reverse port forwarding, and maybe you want to go that way. But I wanted a simpler solution, because sometimes you don't want to add more headaches to your life; you just want the security part. And that's why I'm going to show you the easy solution that those fat cats on YouTube don't want you to know about: the transparent filtering bridge.

It sounds scary, but it's actually super simple. Well, as the name implies, it's transparent to the network. You have one port on a box labeled IN and one port labeled OUT, and you connect your cable modem or your DSL modem or whatever your ISP supplies, or you bought, into the IN port, and the rest of your network goes into the OUT port. From there on, OPNsense will do nothing more than inspect and mitigate attacks by filtering traffic as it comes right out of the modem. Now, to do that we have to install OPNsense and then configure it as a transparent filtering bridge, which is a few extra steps. If you don't want a transparent bridge, you just stop at the end of the default installation and then set up whatever rules you want.

To get started you'll need your hardware and software in hand. If building a router has always sounded a bit like wizardry, it's likely just because you weren't aware that all you need to make a router is two network ports and some kind of decent processor. So what has at least two ports and a good CPU? Well, sadly not the Raspberry Pi. A standard Pi only has one network jack, and it doesn't really have the CPU horsepower to run live IPS and IDS on any kind of bandwidth. Thus we need at least a mini PC, like an Intel mini PC. For basic gigabit internet with security filtering I recommend something a bit more powerful than an Intel Atom at this point, like an i3 or an i5. For my 5 gigabit service I'm running a 10-core i5 from Protectli, known as The Vault, but it really depends on the amount of traffic that you need to process; a gigabit is a lot less than 10 gigabits. The Vault matches its powerful CPU with six network ports, two of which are 10 GB SFP+, so it's perfect for my scenario. But for just experimenting and tinkering around it can be something as simple as an old Dell Dimension that you fire a second network card into. It doesn't need to be fancy; you can grab a two-port mini PC as low as $65, and I'll put a few links in the video description.

Now, one nice thing about the process that I'm going to go through in a bit here, which is to set up the transparent filtering bridge, is that once you plug the router in there are no changes to the rest of your network. You're not monkeying with your DHCP, with your gateway, with your VPN, nothing; everything stays the same. And that way you don't have to undo it if it doesn't work. All you have to do is unplug the cable and plug it back into where it used to go, and you can reverse this whole process and throw the router away, or more likely fix it and figure out what you did wrong in the configuration to make it fail. So basically what I'm saying is it's pretty safe to monkey with if you're doing the transparent bridge approach, because nothing else changes.

Once you've got a piece of hardware to dedicate to the task, we need software, and in this case it's free. OPNsense is actually a custom version of Linux, meaning you install it as you would any other operating system, as opposed to, say, an application that you install on top of an existing system. You can use Rufus on the PC or balenaEtcher on a Mac to create the USB stick, and I'll assume that you can get that far, that you've got the USB stick in hand.

OK, to get rolling we'll boot off the USB installation stick. We'll let it run and do its thing up until it gets to about the login prompt, and when it does, we'll enter installer as the username and opnsense, with no capital letters, which is the default password. Once we get into the GUI portion of the installer, we can accept the default keymap and then select the UFS file system. We select our SSD, confirm that we want a swap size of just 8 GB, because we're just taking the default here, and we'll make sure that we want to format the drive. I will say yes and it will proceed with the format. It will then copy over all the files required for the installation. Now, in real time this takes a few minutes, but it's not an unduly long process. As soon as it's done, we have the option of setting the root password for the system, so let's do that now. I'll pick OK and I'll enter in my password, which I'll be asked to repeat for confirmation, which I will then do. Then, when that's done, we're given the option of rebooting the system, so we'll pick that from the menu: complete install, exit and reboot. With that, OPNsense is now installed, and as soon as the system reboots it will come back up, predictably, as OPNsense.

When the system does come back up we can leave it to simply autoboot. We'll let it toil on through its boot process here, which is rather verbose, being Linux, and of course when it gets to the final login prompt we'll now want to log in as root with the new password that we just specified in the installation program, which hopefully you remembered or wrote down. From there we can see the DHCP IP address that we got, and that'll be the address that we can now use in the web UI to do everything further that we need to do. Assuming the port configuration wizard during the installer properly set up your network ports, and it always has for me so far, then your new router should be available in the browser at the IP address shown in the console a moment ago. Now, this is if you've got the LAN port plugged into your LAN, of course; you need to have that much set up for this point. You could also do it as a second or as an optional management interface, which is how I do it if you have three or more ports, but with a two-port case just make sure you're talking to the LAN address. Now, if you're having a really good day and mDNS is working for you, you can just type opnsense into your address bar and that should resolve automatically.

Once you log in you'll find the OPNsense dashboard. On the left is the navigation bar for moving around the UI; in the middle is the current system status. Here we can see I'm running a 12th gen i5 and that there are 32 GB of RAM and about half a terabyte of storage, plenty for a router. And now we can follow one of two different approaches: we can leave the router as it is and start adding whatever firewall rules and security packages we want, or we can configure this new router as a transparent bridge so that it can sit silently behind our cable, DSL or fiber router, just filtering traffic. And that's the approach that I've opted to use, so let me take you through those steps now. Along the way you'll get to see quite a bit of the configuration UI and get kind of a handle on how this thing is laid out. I'll also put a recipe including these instructions in the video description, which you might actually find easier to follow if you're doing it step by step. Either way, it's easier to see it in advance first, so let's get on to the config, as there are quite a few steps that I'm going to rip through to make this work.

The first thing we need to do is to disable the outbound NAT rule generation. That's on the Firewall > NAT > Outbound menu, and we want to select the "disable outbound NAT rule generation" radio button. In step two we need to set a couple of values in the system tunables table; this is like win.ini from the 1990s. Let's go to System > Settings > Tunables, and we need to create two entries here: one for pfil_bridge set to 1 and one for pfil_member set to 0. Next we need to create a bridge from our input port to our output port. To do so we navigate to Interfaces > Other Types > Bridge and we click the plus button to create a new bridge. For both interfaces we pick both the WAN and the LAN, give it a name, and just accept the defaults for the rest. For step four we navigate to Interfaces > Assignments and we click on the plus button to create a new interface assignment. We give our bridge a descriptive name and we make sure that Enable is turned on. For the IPv4 config we select DHCP, and for IPv6 I leave that disabled. After we click Save here you might also want to click Apply Changes in the top right, which can take some time.

Now, in step five, on the WAN interface we must deactivate the blocking of private and bogon networks. We navigate to Interfaces > WAN and we make sure that both of those checkboxes are turned off. In step six we turn off the DHCP server. To do so we navigate through Services > DHCPv4 > LAN and we uncheck the Enable box here. Now, in step seven we create some pass-all rules. Basically, we're going to add a firewall rule to each interface for now that says just pass all traffic, to make sure that everything works, and then you can fine-tune the rules to your liking later if you need to. For each firewall rule we'll give it a descriptive name like "pass all", set the action to Pass, and leave the rest of the rule as defaults. We need to create one for the WAN, the LAN and for the bridge, and then you should be set. In step eight, under Firewall > Settings > Advanced, we need to disable the anti-lockout rule; just make sure the Disabled checkbox is set here and you're done. And finally, we need to remove the IP addresses from our LAN and WAN interfaces, since they will be part of the bridge. To do so we go to Interfaces > LAN and then Interfaces > WAN, and in each case we set the IP type to None if it's not already.

At this point you should be able to restart the box, and if you've followed the steps correctly you should now have a transparent filtering bridge. The WAN port connects directly to your modem box and the LAN port connects the rest of your LAN to the bridge. No changes are needed at either end and it should all just work. Unfortunately, it doesn't do a lot yet. Now, you could configure firewall rules to block certain traffic or connections from various countries that you don't want to accept, and so on, but beyond that it just sits there shuttling traffic back and forth. We want it to be proactive, checking traffic for us to make sure it's safe. To get that functionality we have to turn on IDS and IPS, so let's do that now. And by the way, this is a process you'll want to follow even if you're not using the transparent filtering bridge, because these services are not enabled by default. So browse down into Services > Intrusion Detection > Administration and then turn on the Enabled checkbox for the intrusion detection system, which is actually a piece of software known as Suricata, but it's now built into OPNsense. If you have a reasonable amount of CPU power, or not too much traffic, you should also enable IPS mode as well, which will turn on the intrusion prevention system. Once you've done so you should be able to return to the lobby, and within a minute or so you should see the Suricata service actively running, which indicates that your protections are in place.

Now there's at least one more thing I recommend you do with your setup, and that is to install the ClamAV service. To do so we have to install a plugin. We go down to System > Firmware > Plugins tab, and after it's had some time to download and populate the list you should see a veritable cornucopia of plugins that you can install and play with. Use the search box for "clam" and you will find the ClamAV service, where you can click the plus box to install it. Once that's complete we need to turn it on and then update the signatures. To do that, browse to Services > ClamAV > Configuration and turn on the Enable checkbox. I also suggest you turn on the freshclam service. Now, on the Signatures page, the first time you hit here you will see a button to download signatures, and that took me a solid 20 minutes, so don't be surprised when you find that that first signature update is pretty lengthy.

Now, if you've made it this far, congratulations. There are a lot more things you can do with OPNsense, and if there's enough response from the audience in the form of new subs and likes I'll even look at diving deeper into it. For now, if you did find any of today's episode to be interesting or entertaining, remember that I'm mostly in this for the subs and likes, so please be sure to leave me one of each before you go today. And if you're already a subscriber, thank you; please do consider turning on all notifications for the channel so you don't miss an episode. If once a week turns out to be too often, you can always turn it back off. If you or somebody you know may be on the autism spectrum, check out the free sample of my book on Amazon; it's everything I know about living your best life on the spectrum. Thanks for joining me out here in the shop today. In the meantime and in between time, I hope to see you next time, right here in Dave's Garage.
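As an added check (not from the video or from the OPNsense project), the POSIX shell script below verifies the transparent-bridge steps from the OPNsense console: the two tunables from step two (their full sysctl names are net.link.bridge.pfil_bridge and net.link.bridge.pfil_member), the bridge membership from step three, the removal of IPv4 addresses from the members in step nine, and the absence of outbound NAT rules from step one. It assumes the bridge is bridge0 and uses igb0/igb1 as placeholder WAN/LAN names; every check reads one command's output on stdin, so it can also be exercised offline against captured text.

```shell
#!/bin/sh
# Added example: verify transparent filtering bridge settings on OPNsense.
# Each check_* function reads the output of one FreeBSD command on stdin
# and returns 0 (ok) or 1 (misconfigured), so the same checks can be run
# against live output on the box or against captured text elsewhere.

# Step two: both tunables must be present with the expected values.
# Input: output of `sysctl net.link.bridge` ("name: value" per line).
check_tunables() {
    awk -F': *' '
        $1 == "net.link.bridge.pfil_bridge" { bridge = $2 }
        $1 == "net.link.bridge.pfil_member" { member = $2 }
        END { exit !(bridge == 1 && member == 0) }'
}

# Step three: the bridge must carry both the WAN and the LAN interface.
# Input: output of `ifconfig bridge0`; $1 and $2 are the member names.
check_members() {
    awk -v wan="$1" -v lan="$2" '
        $1 == "member:" && $2 == wan { have_wan = 1 }
        $1 == "member:" && $2 == lan { have_lan = 1 }
        END { exit !(have_wan && have_lan) }'
}

# Step nine: a member interface must not have an IPv4 address left on it
# (only the bridge interface should). Input: output of `ifconfig <if>`.
# The trailing space keeps "inet6" lines from matching.
check_no_inet() {
    ! grep -q '^[[:space:]]*inet '
}

# Step one: no outbound NAT rules should be loaded into pf.
# Input: output of `pfctl -sn` (NAT rules start with "nat ").
check_no_nat() {
    ! grep -q '^nat '
}

# Live run: only meaningful on the OPNsense (FreeBSD) box itself.
# WAN_IF/LAN_IF are assumed placeholder names; override for your hardware.
if [ "$(uname -s)" = "FreeBSD" ]; then
    WAN_IF=${WAN_IF:-igb0}
    LAN_IF=${LAN_IF:-igb1}
    sysctl net.link.bridge | check_tunables && echo "tunables: ok" || echo "tunables: WRONG"
    ifconfig bridge0 | check_members "$WAN_IF" "$LAN_IF" && echo "members: ok" || echo "members: WRONG"
    ifconfig "$WAN_IF" | check_no_inet && echo "$WAN_IF: no IPv4, ok" || echo "$WAN_IF: still has IPv4"
    ifconfig "$LAN_IF" | check_no_inet && echo "$LAN_IF: no IPv4, ok" || echo "$LAN_IF: still has IPv4"
    pfctl -sn | check_no_nat && echo "outbound NAT: none, ok" || echo "outbound NAT: rules present"
fi
```

Run it as root on the box after the final reboot; any "WRONG" or "still has IPv4" line points at the step to revisit in the web UI.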
Info
Channel: Dave's Garage
Views: 540,401
Keywords: pfsense setup, pfsense router, opnsense guide, opnsense web interface, opnsense firewall configuration step by step, how to, home server, pfsense firewall, opnsense firewall, pfsense setup and initial configuration, pfsense setup home network, opnsense, installing opnsense, opnsense configuration, bridge, transparent bridge, transparent router, transparent gateway, transparent firewall, firewall, pi-hole
Id: dTUvlFfThPw
Length: 15min 13sec (913 seconds)
Published: Mon Apr 01 2024