Ultimate Beginner's Guide to OpnSense - Installation - Part 1

Captions
Hey everybody, and welcome to Jim's Garage. Today is the first in what's probably going to be three videos focusing on OPNsense. I'm going to start off with the beginner steps of installation and hardware; we're then going to move on to some initial configuration, so we'll cover all the basics, things like subnets, VLANs, VPNs, all that good stuff, before moving on to more advanced configurations such as high availability. Yeah, that's right, running two in a failover mode. But before we do that, let's set the scene.

If you're watching this video, the entry level one, you might be thinking, "Hm, I've heard about firewalls. What are they and why might I want one?" Well, because you've heard of OPNsense, you've probably done a bit of research. Now OPNsense is an open-source, FreeBSD based firewall that is next generation because it has a host of advanced features and a number of plugins that you can go to to further enhance the initial default configuration. So the reason you might want a firewall, or the reason I advocate you do get a firewall, is because you want to protect your network. Now as you're doing home labbing you're probably going to want to be externalizing services, or at least playing with advanced features. Now anything you're externalizing is going to be attacked, that's just a fact, but I don't want to cause undue concern: 99% of the time, probably higher than that, it's just going to be automated bots that are trying to access your service, and any up-to-date firewall should be able to deal with that without issue. However, in the odd case that it doesn't manage to do that, a firewall brings with it numerous benefits such as micro segmentation, segmenting your network so that if an attack is successful hopefully that attack cannot propagate through your network. There's also a whole host of other things like intrusion detection systems, intrusion prevention systems, SSL scanning, all of that kind of stuff that we'll come on to later in the videos.

Now there are a number of firewalls out there and OPNsense is probably the most popular within the home labbing community. If you've watched any of my videos you'll know that I use Sophos XG, but after this series (I've already done the prep for this) I'm seriously considering jumping over to OPNsense. That should hopefully become evident as we get into the video series, because it's super capable and it's a really attractive, easy to use GUI.

So to build a firewall you've basically got two options: you can either do what's called bare metal, so that's just like building a dedicated computer as a firewall, that's great; or you can do a virtual machine approach. That's what I'll be covering in this video through the demonstration, but the setup and the process will be exactly the same for a physical setup. Now for hardware I'll cover both physical and virtual, albeit for virtual you've probably got the hardware. For a physical setup you don't need anything fancy; for a minimum setup I recommend at least two cores and 4 GB of RAM, although the official documentation says you can get away with less. Obviously if you want more of the features enabled, so things like IDS and IPS, and maybe if you have, say, gigabit internet, you probably want to be more at the four cores and 8 gigs of RAM end, but your mileage may vary. In terms of hardware I recommend getting yourself some Intel NICs, those network interface cards, specifically things like the i210 or the i350s. I'll link those in the description below and I'll also put a reference on my GitHub for all the hardware recommendations. And I also recommend, if you want to take this a step further, to have a look at some 10 gig networking options. Things like the Mellanox ConnectX series can be picked up for relatively cheap on eBay, but do bear in mind that you'll need to have something like a 10 Gb enabled switch to take full advantage of that. For a virtualized setup you've probably already got a system that's capable, and following the same recommendations for the physical machine you'll be in a good position.

So let's get straight into the deployment process for OPNsense. As I mentioned, I'm going to be deploying this in a virtual setup, but the process for the installation is pretty much identical. We're going to download an ISO first. For a virtual machine we'll be uploading this to our hypervisor, in this case Proxmox, but if you're going to do this on a physical machine you'll want to burn that ISO to a USB stick like you would do for pretty much any operating system. Now you might be thinking, why would I want to do this with a virtual setup? Well, the reason for that, in my opinion, is portability. That's one of the key advantages of virtualization: it means that I can seamlessly back up my entire firewall, which comes with all of its configuration, and ultimately restore it, even to a new machine if I want to change my host. It also opens up the ability for failover: if you've, say, got a Proxmox cluster with similar hardware, those VMs can fail over, so giving you high availability. And also it enables you to make changes on the fly, so adding new hardware, tweaking existing setups, etc. It's also probably a better use of existing hardware that typically won't be fully utilized. Some people do raise concerns around security, and probably the true purist would state that you should have a firewall on bare metal and that's all it should be doing. From probably an academic standpoint that's correct, but pretty much everything these days is in the cloud and virtualized, and as long as you take sensible precautions there shouldn't really be any additional risk that's introduced through virtualization. So with that said, and to just re-establish the fact that the process for this video will be exactly the same, let's head into the deployment and get this thing set up.

So the first thing we need to do is head over to the OPNsense website and start the download process for the image. Feel free to have a look around and review all of the features; there's some really cool documentation on there that will give you a feel of what this will be able to do. So head over to the download section and we're going to download the DVD ISO image. Do bear in mind that there are separate images that you can install, so you could have it run on a stick for example, but as you can see here we want the DVD ISO image. So from here select DVD, choose a mirror that makes sense to where you're based, and then just hit the download button. Once that's downloaded we'll move on to the next stage.

So now that that's completed, you can see here that I've got a bz2 file. Now luckily 7-Zip can open that, so whichever unpacker you're using, open it and extract the ISO file, which you'll find here. This is the ISO file that you can then burn to a USB stick if you're doing a physical install; I recommend something like Rufus, I'll link that in the description below. But now that we've got the ISO, as you can see in the background, we're going to upload this to Proxmox so that we can create a virtual machine and specify this image. So heading over to Proxmox, you need to go into one of your nodes, so I'm going to open up this, I'm going to head down to my local storage and I'm going to select ISO Images. So now to get this ISO onto the machine we just hit Upload and then we select the file, so in this case it was in my downloads, and then I click this, click Open, and then I can hit Upload and it will start to upload the file. Now typically you can use Download from URL instead of this method, but because it's that bz2 compressed file Proxmox doesn't understand what to do with it, so we need to unpack it and use the ISO method that we're doing here. So hit Upload, and when that's done it should show in the background like this one here. Great, if it shows there you're ready to move on to the next step.

So what we're going to do is now set up a virtual machine that'll eventually look something like this. So to do that we're going to create a virtual machine, choose the node that you want it to be on if you have more than one. I'm going to call this one "opnsense test". I'm going to start it at boot; you don't have to do that, that's optional, it does what it says on the tin. And that's all we need to change for this part, I'm going to hit Next. Now I'm going to choose the image that we just uploaded. So as you can see I've actually got my NAS mounted to my Proxmox because I use that as a storage backup and for larger, just more general storage; if you don't know how to go and do that you can check out my video where I specify how to do that. I'm going to change this from TrueNAS to local, remember that's where we put the ISO, and now hopefully all of those ISOs are available to select, and here you can see the OPNsense DVD. So we're going to click that, then we're going to hit Next. The System tab is fine as it is and you can click Next. Now there is a move towards everything being Q35 and using the OVMF BIOS, and OPNsense does officially support that, however there is a note on their site that says this is quite new and it isn't fully tested, so I'm going to keep it simple and use the default, and hopefully we can migrate this at a later time when we're comfortable. Moving on to the disks: this is what it says, this is where it's going to install the data for OPNsense. So for my setup I have four NVMe drives in a RAID 10, and we'll come on to that in a minute when we go through the installation process as to what those different versions are; basically it gives me half the storage but it gives me redundancy, so if a drive fails I'm in a good spot. To select that I need to hit the storage and I'm going to choose nvme, so that's my quad NVMe card. I want to do SSD emulation and I want to enable discard, because that enables some of the more advanced features of SSDs and it enables Proxmox to reclaim some of the unused or deleted space. So we're going to click Next, then we come on to the core count. Now this will be dependent on your hardware, and as I said I recommend you use four cores, so because mine's a multi-socket system I'm going to use two sockets, two cores, which gives me four. I'm going to change the type to be host so that it gets all the features of the host CPU; because it's spread across two sockets I'm going to enable NUMA, but if you've just got the one socket just give it four cores, select host, and you don't need to do anything else. So let's click Next and then it's going to ask for memory. Now I'm going to untick the ballooning device because that won't work if you're using hardware passthrough, and also I like to pin my RAM so that I don't get into unexpected scenarios where there might be too many requests for RAM and then VMs start failing. So I'm going to change this to 4 gigabytes and then hit Next. You can obviously increase both the CPU and the memory later on if, say for example, you have more users on your system, or maybe you upgrade your internet and you find that the old one is struggling; that's more difficult if you've got a physical machine, but it should still be possible. Next we come on to the network. Now I'm just going to skip this for now and click Next, because we'll go into the network section in a moment, because I'm going to assume that you've got multiple NICs and you want to select the right one for the WAN and the LAN. You're going to need a minimum of two to make this work, but I'm going to set up three because in later videos we're going to set up high availability and I want to set that on its own dedicated interface. You don't have to, but that's the way I'm going to do it. Now that we come to the confirmation screen, just double check that everything you've set is right and what you expect, and when you're ready hit Finish. That's going to go away now and create that new virtual machine, and as you can see it's over here, "opnsense test", and that's created, and from the go that looks right: four CPUs, four gigs of RAM and that default 32 gigs of space. That's more than enough for this setup and you can always increase it if you need to.

So remember I've said you need a minimum of two NICs, and if we go to the Hardware tab you can see we've only got one, so we need to sort that out. And also this is using the virtual bridge zero, which is actually the NIC that my Proxmox host itself uses, and good practice dictates that you don't want to share that interface. So I'm going to head over now to Proxmox Dell, so my actual machine, and then I'm going to hit the Network tab. This lists all of the NICs that are on my Proxmox box. Now there's probably more here than you have on yours if you're just starting out, and let me explain what this is. So these four here, the enps, so that is a quad port 1 Gbit NIC, so each port is 1 Gbit and it's RJ45, so your standard ethernet connection. eno1 to 4 are SFP+ 10 Gbit, so I've got four 10 gig ports on this machine and four 1 gig ports on this machine. Now it doesn't really matter too much about the speed, you can always upgrade that in the future, and the beauty of virtualization means that you can actually just swap out the network cards and assign the same vmbr to it, and you don't have to worry about it breaking or any driver issues within the virtual machine, because we're going to set it up to be, by default, paravirtualized; it doesn't see what it is under the hood. So what you need to do now is to go to Create and then you want to create a Linux Bridge. Now give this a name, it's going to populate this by default, and you want to set which bridge port it's set to. Now you'll want to do one vmbr to one bridge port, so what you'll end up with is something like this: you can see that vmbr0 is on eno1, vmbr1 is on eno2 and so forth; I've got a one-to-one relationship with those. Now for the firewall I recommend that your WAN is obviously unique and it can't be used by anything else, and I recommend the same for your LAN. So you'll see on the right hand side here I put some comments in so I know which is which, and because it's often quite difficult to know physically (the ports aren't always in a logical order), on the right hand side I've labeled where they are on the card, because the order isn't logical and it can be jumbled up, so port one doesn't necessarily become F1, you get the idea. So there is a handy tool called ethtool, Ethernet tool, which you can actually run some commands with and it will blink the LEDs for these specific network interface cards, so you'll be able to easily identify which one you're plugging into. So now if I zoom out so you can see the right hand side (sorry it's a bit small), you can see here that for the one I currently have set up over here, OPNsense, I've assigned vmbr6 to F2 and vmbr7 to F3, and I've also labeled that this one's going to be the WAN and this one's going to be the LAN. So as I said before, I'm going to use three network interface cards on my OPNsense because in later videos we're going to do high availability and I want that as a dedicated NIC. Now you don't actually have to do that physically within Proxmox; that's because, whilst you do need two physical, one for the WAN and one for the LAN, actually that high availability link could just be another instance of the LAN card, because we can use a VLAN to separate the traffic. So with those two set up, this is the bare minimum configuration; feel free to go and set up a HA if you need to.

We can head over into OPNsense now and we can click on Hardware and then we can click Add, and in Add we want to add a network device. Now if you remember, we can set up vmbr6 for the WAN, and we can click Add, and then we can click the other one, which was vmbr7 for the LAN, so here I drop down and I get the LAN and then I can click Add. Now the default we probably don't want to have, so I'm going to remove that one, and we've now got the two, we've got the LAN and the WAN. And as I said before, if we want to add another one we can go to Network Device, and then as I said I can put the HA onto the LAN, so I can click that one again and then just click Add, and so now I've got another interface albeit it's assigned to the same physical port. So we're going to need some VLANs in future videos, but let's not complicate this one anymore. So now when I boot this up for the first time it's going to see three network interface cards, and as you can see here they've all got separate MAC addresses. Great.

So I'm going to shut down the one I've already got running as my test, because it's going to be using the same network cards, and I'm going to spin up the new one and guide us through the whole setup stage. So I'm going to shut this one down and then I'm going to start the deployment. So now we're ready to click on our virtual machine and we're ready to go to the console, and we can hit Start. Now the first time you hit Start on OPNsense it's going to install, or it's going to run in what's called live mode, so don't think that that's installed; it's just running in memory. What we actually need to do is to force it to install; I'll show you how to do that once this is booted up. One thing that's handy is you can see at the bottom "press any key to start the configuration importer" from an existing config, so do note that that's a really useful feature: if for whatever reason your firewall breaks, you'll then be able to recover, hopefully, your config and import it into a new machine so you don't have to start from scratch. Now it might be timing out during this process because at the moment I don't have anything plugged into my WAN or LAN interfaces. If it does look like it's hanging, just give it time, this will pass, but if you're already confident and you know which ones your LAN and WAN port are going to be, you could just plug this into your ISP router or modem and it should pick that up and continue much quicker. So now we've come to the end of the installation, or at least the startup; as I mentioned it isn't actually installed yet, it's running in memory, and if you read the welcome message on the screen in front of you, you can see that we need to log in as the user "installer" to start this installation process.

So let's log in as the installer, "installer", and the password quite handily is "opnsense". So I'm going to type that password in and get onto the next step. So hitting return we should now go into the GUI. So I'm going to continue with the default keymap for my keyboard, that's fine, and then we get on to the technical configuration for installation. Now the only two real options you need to worry about on this screen are Install UFS and ZFS. Now because my machine is already using a RAID drive which is actually ZFS, I'm just going to do the UFS method; now that's probably what you're used to if ever you've installed, say, bare metal before, you're just going to install it onto a drive. If however you want some redundancy in your firewall setup, either physically or virtually, perhaps you want to pass through two drives, and what you can do in that sense is set up a mirror so that you have two copies of your data on two separate hard drives, SSDs, whatever they might be. I'm going to show you how to do this with UFS because my underlying hardware, as I said, is already RAID. So I'm going to hit return on UFS and then I need to select the drive that I passed through. Now we know it's not 1 gig, that's the actual ISO we've mounted, so it must be the one below which is 32 gig, and if you remember, going back to where we created the virtual machine, it was 32 gigs. So I'm going to select down and hit OK. It's going to ask if we want to continue with a default swap size of 8 gig, that's fine, I'm going to hit OK. And "are you sure, you're going to lose all of your data at this point", so yes, in my instance we know it's a clean drive, and then it's going to go away, wipe those and then do the installation, which is actually going to copy from the live installation onto this disk we've just partitioned. So I'm going to cut the video here and join you on the other side once this is completed.

So now that's completed, we're asked if we want to change the root password. Obviously I recommend you change that from "opnsense", but for this video I'm going to ignore it; I'm going to exit and reboot. Now that this is rebooting, you should be in a position, if you haven't already, to plug your machine, i.e. the one that you're probably on right now, into the LAN port on the OPNsense router. So now you can see that this is booting up for the first time and it's reading it from the hard drive instead of the DVD ISO, and once this is completed it should be able to pick up an IP address. You'll be able to plug your current machine into the LAN port, or into the switch that's then plugged into the LAN port, and we should be able to then access the web GUI. So here you can see that I've got the LAN which is the 1.1, so when I plug my machine into the LAN port the GUI for OPNsense should be accessible on that IP address. Now I haven't actually connected my WAN port yet, so it's not picking up an IP address for the internet; we'll solve that in a minute. So I'm going to now plug into the LAN port from this machine into the new OPNsense virtual machine, and fingers crossed we should be able to access the OPNsense GUI. So now in my browser if I head to 192.168.1.1 I should reach the GUI. Now this is a good sign, albeit we do get a warning; that's because it's using a self-signed certificate, but we can ignore that. So let's proceed and voilà, we've now reached the GUI for OPNsense and we can begin the initial configuration wizard.

So we're going to log in with root, and the password will be whatever you specified at the end of the wizard; in my case I left it as "opnsense", so I'm going to hit Log in. So, starting the initial configuration, I'm going to click Next. Now you're going to want to set up a few things on this page. Firstly you want to set the DNS servers. Now if you're using something local like a Pi-hole or an AdGuard you want to specify those values here; however, if you don't have those set up yet, I recommend you use something like Cloudflare, so 1.1.1.1, and Quad9, the clue's in the title. Those will typically be better than your ISP provided DNS resolvers. You possibly want to put on DNSSEC for security on DNS, and then hit Next. Next it's going to ask what time servers you want to use, because obviously with anything with a firewall, making sure that the timestamps are aligned is critical. So choose your time zone and then hit Next. Next it's going to ask you to configure the WAN port. Now the WAN port is your internet port, and typically you're going to be given a DHCP lease, so it should automatically pick up your IP address; however, different modes are supported, so static if you've got a static IP address, PPPoE, PPTP, etc., and you'll need login credentials, certainly for PPPoE. I'm just going to leave it as DHCP because mine's designed to pick it up automatically from the ISP, and I don't want to go down this route too much, but I'm currently behind my Sophos XG, so this is going to pick up an internal IP address on my WAN port; don't worry about that. The MAC address you can set here to spoof things; we can change all of this later, I'm just going to keep this simple to get you up and running. There shouldn't be anything else we need to configure in this, but if you did need to configure it, here you can put in your static IP address details, etc., upstream gateway and all of those things; I'm going to assume you know what those are if you've chosen to go down a static IP route anyway. So scrolling down to the bottom I'm going to hit Next. Next we do exactly the same as we did for the WAN but on the LAN, and this is going to be the IP address for OPNsense. So I'm going to leave this as 1.1 and I'm going to leave the subnet mask of 24; that gives us 254 usable IP addresses within this address range. You can obviously change this to whatever you want, but if you change it and don't have DHCP enabled you might temporarily lock yourself out. So hit Next, then you can keep the current password or change it; I'm going to keep it as is for this demonstration, and fingers crossed we hit Reload. It's probably going to knock you off the GUI, but when it reboots you should be back now on the dashboard, so I'll let this do its thing and I'll see you on the other side.

That was actually much quicker than I thought. So I recommend the first thing you do is check for updates; it's going to go away, pull down those updates, and you should then be up and running on the latest version. So once you've had a read through here, if you're that way inclined, scroll all the way to the bottom and just click the Update button. OK, this is the bit where it's probably going to throw you out; the firewall is going to restart, but there are messages on screen to tell you exactly what it's doing. So now that install is coming to an end and it's likely going to have to reboot some of those components and refresh the web UI. So now it said that the upgrade is finished and the device is being rebooted, so let's stay patient and wait for it to come back online. So now that's completed and I've been taken back to the login page, so let's log back in and then hopefully we go straight to the dashboard. And so if you followed those steps closely, fingers crossed you're in this position now: we have OPNsense up and running, and as you can see there's CPU usage, there's traffic flowing through the network, everything looks fine. So let's validate that we've got some connectivity. You can do that by just opening up any web browser, running a ping, whatever it may be, and so if we go to the best website in the world you can see here that I now have internet access and all of this traffic is being routed through OPNsense. And we can validate that by going to some of the system logs and checking the traffic, so if I now go over to Reporting and click Traffic you'll see that there's traffic coming in and out of the network. And so for example if I run something like a speed test we'll be able to see this get maxed out, so if I head to fast.com, run that, you'll see here instantly I'm getting a spike. So everything is up and running and working, and even things like DNS resolution is taking place because it could resolve fast.com. Brilliant.

So now you have OPNsense up and running, and that's going to conclude this video. As I said, I'm going to be going into the next step where we're actually going to configure this and make use of it, so in the next video we're going to be looking at things like subnets, VLANs, VPNs, etc., and I'll show you how to configure all of those. So, a quick wardrobe change later, but I hope you found that video both interesting and accessible. Now I know my setup is slightly complicated due to the use of multiple NICs and an existing setup, but really all you need is two NICs that are dedicated to OPNsense, and the high availability option is optional. So hopefully you'll join me on the next video where we're going to begin to configure OPNsense and touch on all of the things that have probably attracted you to OPNsense in the first place, so things like VLANs (yes, you're going to need a VLAN capable switch to do that), things like VPNs, network segmentation and subnets, and eventually we're going to move on to high availability so we can replicate this setup across physical nodes to give us redundancy, failover, and something that is really useful: the ability to reboot your servers without knocking out the internet for yourself and, more critically, the rest of the family. Anyway, take care guys, please give this a like and a subscribe if you found this useful, and I'll see you on the next one. Take care, everybody.
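The download step in the video unpacks the bz2 file with 7-Zip and moves straight on; the one check a practitioner would want first is that the compressed download matches the hash the mirror publishes beside it, so that a corrupted or tampered image never reaches the USB stick or the hypervisor. The script below is an added example (not from the video or the OPNsense project): it verifies the bz2 file against a checksum file and only then unpacks it to the .iso, streaming so the image never has to fit in RAM. The file names, the two checksum line formats handled and the sample payload are assumptions constructed for the demo.

```python
import bz2
import hashlib
import os
import re
import tempfile

CHUNK = 1024 * 1024

# Checksum line styles a mirror might publish. Assumption: the real file is
# BSD style ("SHA256 (name) = hash"); GNU style ("hash  name") is also handled.
BSD_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hash>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hash>[0-9a-fA-F]{64}) [ *](?P<name>\S+)$")


def sha256_of_file(path):
    """Hash the file in chunks so a multi-GB image does not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def published_sha256(checksum_path, filename):
    """Return the hash listed for `filename` in the checksum file, or raise."""
    with open(checksum_path, "r", encoding="utf-8") as f:
        for raw in f:
            line = raw.strip()
            m = BSD_LINE.match(line) or GNU_LINE.match(line)
            if m and os.path.basename(m.group("name")) == filename:
                return m.group("hash").lower()
    raise ValueError(f"no SHA256 entry for {filename} in {checksum_path}")


def verify_and_extract(bz2_path, checksum_path):
    """Check the compressed download against the published hash, then unpack it
    to the .iso next to it. Refuses to write an ISO when the hash differs."""
    filename = os.path.basename(bz2_path)
    want = published_sha256(checksum_path, filename)
    got = sha256_of_file(bz2_path)
    if got != want:
        raise ValueError(f"SHA256 mismatch for {filename}: got {got}, expected {want}")
    iso_path = bz2_path[:-4] if bz2_path.endswith(".bz2") else bz2_path + ".iso"
    with bz2.open(bz2_path, "rb") as src, open(iso_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return iso_path


def make_constructed_sample(directory, tamper=False):
    """Constructed stand-in for the real download (not a real OPNsense image):
    a small payload compressed with bzip2 plus a BSD-style checksum line.
    With tamper=True the published hash is altered to simulate a bad download."""
    payload = b"CONSTRUCTED OPNSENSE-LIKE IMAGE PAYLOAD\n" * 64
    bz2_path = os.path.join(directory, "OPNsense-example-dvd-amd64.iso.bz2")
    with open(bz2_path, "wb") as f:
        f.write(bz2.compress(payload))
    digest = sha256_of_file(bz2_path)
    if tamper:
        digest = ("1" if digest[0] == "0" else "0") + digest[1:]
    checksum_path = os.path.join(directory, "OPNsense-example-checksums-amd64.sha256")
    with open(checksum_path, "w", encoding="utf-8") as f:
        f.write(f"SHA256 ({os.path.basename(bz2_path)}) = {digest}\n")
    return bz2_path, checksum_path, payload


def run_demo(tamper=False):
    """Build the constructed sample in a temp dir and run the check on it.
    Returns ("ok", True) when the ISO was produced and matches the payload,
    ("mismatch", False) when the published hash did not match."""
    with tempfile.TemporaryDirectory() as d:
        bz2_path, checksum_path, payload = make_constructed_sample(d, tamper)
        try:
            iso_path = verify_and_extract(bz2_path, checksum_path)
        except ValueError:
            return ("mismatch", False)
        with open(iso_path, "rb") as f:
            return ("ok", f.read() == payload)


if __name__ == "__main__":
    print("good download:", run_demo())
    print("tampered hash:", run_demo(tamper=True))
```

For a real download, call `verify_and_extract` with the bz2 file and the checksum file from the same mirror page, and only upload or burn the .iso it returns.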
Info
Channel: Jim's Garage
Views: 27,957
Keywords: proxmox, linux, hackers, hacking, protect, tech, technology, homelab, security, internet security, how to stop hackers, opnsense, opnsense install guide, opnsense setup, opnsense vs pfsense, opnsense install, opnsense proxmox
Id: vJBoCgptF-0
Length: 30min 5sec (1805 seconds)
Published: Sun Nov 26 2023