using opensense as firewall


Upload: manaf-hasibuan

Post on 06-Mar-2016


Page 1: Using Opensense as Firewall

7/21/2019 Using Opensense as Firewall

http://slidepdf.com/reader/full/using-opensense-as-firewall 1/24

USING OPENSENSE AS FIREWALL

Hardware setup

Supported hardware architectures

At the moment, OPNsense® 15.1.x is available for the x86-32 (i386) and x86-64 (amd64) microprocessor architectures. Full installs on SD memory cards, solid-state disks (SSD) or hard disk drives (HDD) are intended for OPNsense.

While the range of supported devices runs from embedded systems to rack-mounted servers, we recommend using the 64-bit version of OPNsense if the hardware is capable of running 64-bit operating systems. It is possible to install and run 32-bit (x86-32, i386) versions of OPNsense® on 64-bit (x86-64, amd64) PC hardware, but we do not recommend it, especially not for new deployments.

Hardware requirements

For substantially narrowed OPNsense® functionality there is the basic specification. For full functionality there are minimum, reasonable and recommended specifications.

Minimum

The minimum specification runs all OPNsense standard features that do not need disk writes: you can run all standard features except for the ones that require disk writes, e.g. a caching proxy like Squid.

Minimum hardware requirements

Processor 500MHz single core cpu

RAM 512 MB

Install method Serial console or video (vga)

Install target SD or CF card with a minimum of 4GB, use nano images for installation.

Reasonable

The reasonable specification runs all OPNsense standard features: every feature is functional, but perhaps not with a lot of users or high loads.

Reasonable hardware requirements

Processor 1 GHz dual core cpu


RAM 1 GB

Install method Serial console or video (vga)

Install target 40 GB SSD, a minimum of 1GB memory is needed for the installer to run.

Recommended

The recommended specification runs all OPNsense standard features: every feature is functional and it fits most use cases.

Recommended hardware requirements

Processor 1.5 GHz multi core cpu

RAM 4 GB

Install method Serial console or video (vga)

Install target 120 GB SSD

Hardware guide

The hardware required for your local OPNsense is determined by the intended minimum throughput and the feature set.

Feature set

While most features do not affect hardware dimensioning, a few features have a massive impact on it. The candidates are:

Squid

a caching web proxy, which can also be used for web-content control. It relies heavily on CPU and on disk-cache writes.

Captive portal

setups with hundreds of simultaneously served captive portal users will require more CPU power than the hardware specifications displayed below.

State transition tables

it is a known fact that each state table entry requires about 1 KB (kilobyte) of RAM. An average state table filled with 1000 entries will therefore occupy about 1 MB (megabyte) of RAM. OPNsense setups with hundreds of thousands of connections will require memory accordingly.


Throughput

The main hardware factors of an OPNsense setup are CPU, RAM, mass storage (disk) and the number and quality of network interfaces.

Throughput (Mbps)   Hardware requirements   OPNsense feature set   Users / Networks
1-10                Basic spec.             narrowed               few (1-10)
11-150              Minimum spec.           reduced                adjusted (10-30)
151-350             Reasonable spec.        all                    substantial (30-50)
350-750+            Recommended spec.       all                    substantial+ (50-150+)

Mbps (Mbit/s or Mb/s) - Megabit per second - 1,000,000 bits per second

Network interface cards

As always, and as the FreeBSD hardware lists and recommendations say, Intel® network interface cards (NICs) for LAN connections are reliable, fast and not error-prone. Intel chipset NICs deliver higher throughput at a reduced CPU load.

Supported hardware

FreeBSD 10.1-RELEASE is the base of OPNsense. All FreeBSD drivers are included in the OPNsense kernel, and the hardware compatibility is the same.

Features

OPNsense provides the features available in expensive commercial firewalls, and in many cases goes beyond them. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system.

Install & firmware update

Live CD, USB installers available
Easy upgrade by web-based click-to-upgrade
Command-line interface opnsense-update tool (since 15.1.6.1)
Console, web-based modern Bootstrap based GUI, SSH and serial console management
RRD graphs reporting
Traffic shaping and filtering
Real-time information using Ajax

Functionality and connectivity

Virtual Private Networks using IPsec, L2TP, OpenVPN, or PPTP
PPPoE server
High availability clustering; redundancy and failover including CARP and pfsync
Outbound and inbound load balancing
Quality of Service (QoS)


Dynamic DNS
Captive portal
uPnP
Multi-WAN
VLAN (802.1q)
DHCP server and relay
IPv6 support
Multiple public IP addresses/multi-NAT
RADIUS/LDAP
Multiple resolvers (DNS forwarder, Unbound)
Aliases supported for rules, IP addresses, ports, computers, and other entities

Firewall and routing

Stateful firewall
Network Address Translation
Filtering by source/destination IP address, protocol, OS/network fingerprinting
Layer 7 protocol inspection or Deep Packet Inspection
Flexible routing
Per-rule configurable logging and per-rule limiters (IP addresses, connections, states, new connections, state types), policy filtering (or packet marking), TCP flag state filtering, scheduling, gateway
Packet scrubbing
Layer 2/bridging capable
State table "up to several hundred thousand" states (1 KB RAM per state approx)
State table algorithms customizable including low latency and low-dropout

Source: Jos Schellevis, en.wikipedia.org.

History

The OPNsense project is a January 2nd, 2015 software development split off of pfSense®, which in itself is a 2004 fork from Manuel Kasper's famous m0n0wall.

OPNsense got a recommendation by Manuel Kasper , the founder of m0n0wall in February 2015!

Fork

So why did we fork? The three main reasons are:

Technical: focus on a clean codebase that can be used by developers and is maintainable.
Community: build a thriving community that gives and shares.
License: a simple 2-clause BSD license for the sources and the tools to build it.

For starters, we have technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.

Much work has already been done to lay a basis for this:

The build-tools have been completely rewritten from the ground up with clear and easy to read build scripts that are portable and small,

OPNsense is now a package that can be installed on top of our custom FreeBSD build (you can literally do pkg remove opnsense and are left with an almost standard FreeBSD base system),

The firmware upgrade process is now (almost completely) done with pkg,

Captive portal has been rewritten and does not make use of the kernel patches anymore,

New features (captive portal) have been implemented with a clear structure,


The check_reload_status functionality, effectively the backend daemon starting and stopping components, has been fully rewritten in Python,

Fully reworked the GUI to a modern Bootstrap based one that is also easier to customize if you want to.

Moving forward the focus will not so much be on more features (although some will be added), but we will focus on quality and security.

On the security part the main issue is that we need to separate logic. The GUI should not perform tasks that require root access.

As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we chose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.

There is much more to say about this and how the final model will look like, but more on that will be available later when closing in on 15.7. (If you follow github and our wiki closely, you will notice that this work is moving at a very rapid pace).

A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since last year they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.

Transparency

A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license has changed for no apparent reason…

With OPNsense we want to restore a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.

That being said it is important to know that Deciso has been a long time sponsor of pfSense and we have invested a lot of time and money into it. We helped to make it a success in Europe. Until Netgate bought the company there was room for many others like us, but that has changed unfortunately.

We like pfSense and hope both projects can be successful and learn from each other.

Final conclusion

At the end it all boils down to the direction we will go both technical as well as community involvement and transparency.

You are invited! Try OPNsense, be part of the community and help the project move forward.

Source: Jos Schellevis, opnsense.org.

Name

The name "OPNsense" bears resemblance to the suffix of its progenitor's name pfSense®. OPNsense stands for "Open (source) makes sense", and is intended to represent the core philosophy of the OPNsense project. It indeed aims to keep its source base open and free to developers, entrepreneurs and non-technical users as well; see "Why Open Source Makes Sense" by Linus Torvalds and David Diamond (2001).


Installation and Initial Configuration

Install method

The easiest method of installation is the USB memstick installer. If your target platform has a serial interface, choose the "serial" image. 64-bit and 32-bit install images are provided. The following examples apply to both.

Write the image to a USB flash drive (>= 1GB) or an IDE hard disk, either with dd under FreeBSD or under Windows with physdiskwrite:

Using FreeBSD:

dd if=OPNsense-XXX-amd64.img of=/dev/daX bs=16k

where X = the da device number of your USB flash drive (check dmesg)

Linux:

dd if=OPNsense-XXX-amd64.img of=/dev/sdX bs=16k

where sdX = the device name of your USB flash drive (check dmesg, or hdparm -i /dev/sdX)

(ignore the warning about trailing garbage - it's because of the digital signature)

OpenBSD:

dd if=OPNsense-XXX-amd64.img of=/dev/rsd6c bs=16k

The device must be the ENTIRE device (in Windows/DOS language: the 'C' partition), and a raw I/Odevice (the 'r' in front of the device "sd6"), not a block mode device.

Mac OS X:

sudo dd if=OPNsense-XXX-amd64.img of=/dev/rdiskX bs=64k

where r = raw device, and X = the disk device number of your USB flash drive (check Disk Utility) (ignore the warning about trailing garbage - it's because of the digital signature)

Windows:

physdiskwrite -u OPNsense-XXX-amd64.img

(you must use v0.3 or later!)

Create a bootable USB flash drive with the downloaded and unpacked img file. Configure your system to boot from USB.
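As an added example (not part of this page or of the OPNsense project), the write that the dd commands above perform, done in Python with the checks dd does not make: the target must be a whole disk, nothing on it may be mounted, and the written bytes are read back and compared with the image. The device-name patterns (Linux /dev/sdX, FreeBSD /dev/daX, macOS /dev/rdiskX), the mount-table format and the placeholder image and device paths in the __main__ section are assumptions of this example.

```python
# Added example, not part of the OPNsense documentation or project: the same raw
# image write the dd commands above perform, plus the checks dd silently skips
# (whole-disk target, nothing mounted on it, read-back verification).
# The device-name patterns (Linux /dev/sdX, FreeBSD /dev/daX, macOS /dev/rdiskX)
# and the mount-table format are this example's own assumptions.
import hashlib
import os
import re

# Whole-disk names only; a trailing partition or slice number is refused.
WHOLE_DISK = re.compile(r"^/dev/(sd[a-z]+|da\d+|rdisk\d+)$")
BLOCK_SIZE = 1 << 20  # 1 MiB per read/write, the role of dd's bs=


def is_whole_disk(path):
    """True for /dev/sdb, /dev/da0, /dev/rdisk2; False for /dev/sdb1, /dev/da0s1, /dev/da0p2."""
    return WHOLE_DISK.match(path) is not None


def is_mounted(path, mounts_text):
    """True if the disk or any partition on it appears in the mount table.

    mounts_text is /proc/mounts (Linux) or the output of mount(8); on macOS the
    table lists /dev/diskN while we write /dev/rdiskN, so the prefix is mapped."""
    disk = path.replace("/dev/rdisk", "/dev/disk")
    partition = re.compile(re.escape(disk) + r"(s\d+|p\d+|\d+)?$")
    return any(partition.match(line.split()[0])
               for line in mounts_text.splitlines() if line.split())


def _digest(fileobj, nbytes):
    """SHA-256 of the next nbytes of an open file, read in BLOCK_SIZE chunks."""
    h = hashlib.sha256()
    while nbytes > 0:
        chunk = fileobj.read(min(BLOCK_SIZE, nbytes))
        if not chunk:
            break
        h.update(chunk)
        nbytes -= len(chunk)
    return h.hexdigest()


def write_image(image_path, target_path):
    """Copy the image onto the target from offset 0 and fsync before returning,
    so the verification reads the medium, not the page cache. Returns bytes written."""
    written = 0
    with open(image_path, "rb") as src, open(target_path, "r+b") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            dst.write(chunk)
            written += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return written


def verify_image(image_path, target_path):
    """Compare the image with the first len(image) bytes read back from the target.
    Only the image length is compared because the device is normally larger."""
    size = os.path.getsize(image_path)
    with open(image_path, "rb") as src, open(target_path, "rb") as dst:
        return _digest(src, size) == _digest(dst, size)


def flash(image_path, target_path, mounts_text):
    """Whole procedure: refuse partitions and mounted disks, write, then verify."""
    if not is_whole_disk(target_path):
        raise ValueError("%s is a partition or an unknown device; use the whole disk" % target_path)
    if is_mounted(target_path, mounts_text):
        raise ValueError("%s or a partition on it is mounted; unmount it first" % target_path)
    write_image(image_path, target_path)
    if not verify_image(image_path, target_path):
        raise IOError("read-back of %s does not match %s" % (target_path, image_path))
    return True


if __name__ == "__main__":
    # Placeholder paths; on Linux the mount table comes from /proc/mounts.
    with open("/proc/mounts") as f:
        flash("OPNsense-XXX-amd64.img", "/dev/sdX", f.read())
```

Run it as root with the unpacked image and the whole-disk device. A read-back mismatch means the medium or the write is bad; do not boot from that stick.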

Default behavior is to start the installation (I). If you want to start it as a Live CD, choose (C).

Install to system

The installation process involves a few simple steps.

1. Configure console - The default configuration should be fine for most occasions.

2. Select task - The Quick/Easy Install option should be fine for most occasions. For a minimum install choose Custom Installation and do not create a swap slice, but other than that you can


follow default settings. The minimum specification means you can run all OPNsense standard features, except for the ones that require disk writes, e.g. a caching proxy like Squid.

3. Are you SURE? - When proceeding, OPNsense will be installed on the first hard disk in the system. You **will** lose all files on that disk. If another disk is to be used, choose a Custom installation instead of the Quick/Easy Install.

4. Reboot - The system is now installed and needs to be rebooted to continue with configuration.

Initial configuration

With a (VGA) monitor attached and network cards that use the Intel em(4) driver, the default configuration is used and installation ends with the login prompt. By default you have to log in to enter the console.

Notice the login prompt. A user can log in with the credentials "root" and password to reach the console menu. The default credentials after a fresh install are "root" and password "opnsense". Change this password before the firewall is exposed to any network; console option 3) Reset the root password does it.

VLANs and assigning interfaces

If your system's network cards do not use the em driver, or no configuration file can be found, you are asked to assign interfaces and VLANs. VLANs are optional; if you do not need VLANs, choose no.

LAN, WAN and optional interfaces

The first interface is the LAN interface. Type the appropriate interface name, for example "re0". The second interface is the WAN interface. Type the appropriate interface name, e.g. "re1". Possible additional interfaces can be assigned as OPT interfaces. Once you have assigned all your interfaces you can press [ENTER] and confirm the settings. OPNsense will configure your system and present the login prompt when finished.

Minimum installation actions

In case of a minimum install setup (i.e. on CF cards), OPNsense can be run with all standard features, except for the ones that require disk writes, e.g. a caching proxy like Squid. Do not create a swap slice, but a RAM disk instead. In the GUI enable System -> Settings -> Miscellaneous -> RAM Disk Settings and set the size to 100-128 MB or more, depending on your available RAM; afterwards reboot.


System -> Settings -> Miscellaneous -> RAM Disk Settings

Then, via the console, check your /etc/fstab and make sure your primary partition has rw,noatime instead of just rw.
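The fstab check above as a small script, added here as an example and not taken from the OPNsense documentation: it reads an fstab, adds noatime to the root filesystem's mount options if it is missing, leaves every other line untouched and is safe to run twice. The ada0 device name in the docstring is illustrative.

```python
# Added example, not from the OPNsense documentation: make sure the root
# filesystem in an fstab carries noatime (the rw,noatime check above), without
# touching comments, blank lines or other mount points. Idempotent.

def root_options(fstab_text, mountpoint="/"):
    """Return the mount options of the given mount point as a list, or None if
    it has no entry. Example entry: '/dev/ada0s1a\t/\tufs\trw\t1\t1'."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[1] == mountpoint:
            return fields[3].split(",")
    return None


def ensure_noatime(fstab_text, mountpoint="/"):
    """Return (new_fstab_text, changed). Only the line for mountpoint is rewritten,
    and only if noatime is not already among its options."""
    out = []
    changed = False
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[1] != mountpoint:
            out.append(line)
            continue
        opts = fields[3].split(",")
        if "noatime" not in opts:
            opts.append("noatime")
            fields[3] = ",".join(opts)
            changed = True
        out.append("\t".join(fields))
    text = "\n".join(out)
    if fstab_text.endswith("\n"):
        text += "\n"
    return text, changed


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/fstab"
    with open(path) as f:
        new_text, changed = ensure_noatime(f.read())
    if changed:
        with open(path, "w") as f:
            f.write(new_text)
    opts = root_options(new_text)
    print("root options now:", ",".join(opts) if opts else "no root entry found")
```

Run it as root; it rewrites the file only when something actually changed, so a second run is a no-op.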

Update

Further information: OPNsense Forum

Since the OPNsense project is relatively new and its developers are working at full speed to transition the legacy code base to the new structured design, aiming at sustainable project quality and product security, the project has focused on new comprehensive and reliable update functionalities:

Console

After starting or rebooting the OPNsense appliance, the console (via VGA or an SSH terminal session) shows a welcome message and the initial network details.

Welcome message

*** Welcome to OPNsense [version] (platform) on OPNsense ***

 WAN (re0)   ->
 LAN (bge0)  -> v4: 192.168.1.1/24

FreeBSD/[platform] (OPNsense.localdomain) (ttyv0)

login:

Notice the login prompt. A user can login with the credentials, "root" and password to the consolemenu. The default credentials after a fresh install are "root" and password "opnsense".

The console menu shows 14 options, numbered 0 to 13.


The console menu

0) Logout 7) Ping host

1) Assign interfaces 8) Shell

2) Set interface(s) IP address 9) pfTop

3) Reset the root password 10) Filter logs

4) Reset to factory defaults 11) Restart web interface

5) Reboot system 12) Upgrade from console

6) Halt system 13) Restore a configuration

opnsense-update

OPNsense features a new command line interface (CLI) tool, opnsense-update. Via menu option 8) Shell the user can get to the shell and use opnsense-update. For help type opnsense-update -help and [Enter].

Upgrade from console

The other method to upgrade the system is the root console option "12) Upgrade from console".

GUI

An update can be done through the GUI via System -> Firmware.


Howto transparent firewall bridge

Transparent Firewall / Filtering Bridge

Abstract

A transparent firewall can be used to filter traffic without creating different subnets. This application is called a filtering bridge as it acts as a bridge connecting two interfaces and applies filtering rules on top of this.

Requirements

For this howto we need a basic installation of OPNsense with factory defaults as a starting point.

And an appliance with 2 physical interfaces.

Considerations

To create this howto, OPNsense version 15.7.11 has been used. If you use a different version some options can be different.

Configuration in 10 easy steps

Please note: during the configuration you will be asked to "Apply" your changes several times; however, this may affect the current connection. So don't apply anything until completely finished! You do need to Save your changes for each step.

Step 1 - Disable Outbound NAT rule generation

To disable outbound NAT, go to Firewall -> NAT -> Outbound: Disable Outbound NAT rule generation.

Step 2 - Change system tunables to enable a filtering bridge

Enable the filtering bridge by changing net.link.bridge.pfil_bridge from its default to 1 in System -> Settings -> System Tunables.


Step 3 - Create the bridge

Create a bridge of LAN and WAN: go to Interfaces -> Assign -> Bridges: Add, and select LAN and WAN.

Step 4 - Assign a management IP/Interface to the bridge

To be able to configure and manage the filtering bridge (OPNsense) afterwards, we need to assign a new interface to the bridge and set up an IP address.

Go to Interfaces ->Assign ->Available network ports , select the bridge from the list and hit +.

Now add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces -> OPT1, enable the interface and fill in the IP/netmask.

Step 5 - Disable Block private networks and Block bogon networks for WAN

Go to Interfaces -> WAN and unselect Block private networks and Block bogon networks. On a bridge these two rules would otherwise drop the private-address traffic you want to pass between the two segments.


Step 6 - Disable the DHCP server on LAN

To disable the DHCP server on LAN go to Services -> DHCP Server -> LAN and unselect enable.

Step 7 - Add Allow rules for all traffic on each of the three interfaces (WAN/LAN/OPT1)

This step is to ensure we have a fully transparent bridge without any filtering taking place. You can set up the correct rules once you have confirmed that the bridge works properly.

Go to Firewall -> Rules and add a rule per interface to allow all traffic of any type.

Step 8 - Disable Default Anti Lockout Rule on LAN

As we have now set up allow rules for each interface we can safely remove the Anti-Lockout rule on LAN.

Go to System -> Settings -> Admin Access: Anti-lockout and select this option to disable it.

Step 9 - Set LAN and WAN interface type to 'none'.

Now remove the IP subnets in use for LAN and WAN by changing the interface type to none. Go to Interfaces -> LAN / Interfaces -> WAN to do so.

Step 10 - Now apply the changes.

If you followed each step, you can now apply the changes. The firewall is now converted to a filtering bridge.

Done.. ready to set your own filtering rules

Now you can create the correct firewall/filter rules and apply them. Until you do, the allow-all rules from step 7 pass everything in both directions. To access the firewall you need to use the IP address you configured for the OPT1 interface.

TIP: Don't forget to make sure your PC/laptop is configured with an IP address that falls within the IP range of the OPT1 subnet!


Setup freeradius accounting test

Goal of this tutorial

This tutorial can be used to test your captive portal setup with RADIUS accounting; it is not intended for production setups (because we only use simple flat files for everything). We used Ubuntu Linux for this setup; a different operating system might result in some paths being different.

User limits on the OPNsense firewall are set right after login: the RADIUS server tells the firewall how much of its allowance is left for the user that logged in successfully. A normal login sequence looks like this:

[login] -> [send accounting start] -> [send interim updates while connected] -> [on logout, send accounting stop]

Setup

To setup freeradius in ubuntu, execute the following command:

apt-get install freeradius

Arrange client access

Edit the file /etc/freeradius/clients.conf and append a block for your network; as a sample we will use 10.211.55.0/24.

client 10.211.55.0/24 {
        secret = testing123
        shortname = test-network
}

Enable daily session limits

Enable daily session limits, which need accounting to record each client's use.

In /etc/freeradius/sites-available/default uncomment daily in the authorize and accounting sections.

In /etc/freeradius/radiusd.conf uncomment daily in the instantiate section.

Append to /etc/freeradius/dictionary:

ATTRIBUTE Daily-Session-Time 3000 integer
ATTRIBUTE Max-Daily-Session 3001 integer

Uncomment sradutmp in the accounting section to be able to use the radwho command.

Add test users

You can add your test users to /etc/freeradius/users, they should look like this:

"test" Cleartext-Password := "test", Max-Daily-Session := 1800
	Framed-IP-Address = 10.211.55.100,
	Reply-Message = "Hello, %{User-Name}"

Make sure the second and third lines are indented by a single tab character.

This should result in a user with a maximum use per day of 1800 seconds.
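The following is an added example, not code from the OPNsense project or from FreeRADIUS. It models both the login/accounting sequence described at the start of this tutorial and the daily limit set with Max-Daily-Session above: it builds the Accounting-Request packets (RFC 2866) a firewall sends for Start, Interim-Update and Stop, shows the server-side check of the Request Authenticator against the shared secret, and charges only verified Stop records against the 1800-second budget. The session IDs, the forged packet and the Python attribute parser are this example's own constructions; testing123, 10.211.55.100 and 1800 are the values from the configuration above.

```python
# Added example, not from the OPNsense project or FreeRADIUS: a minimal model of
# the accounting exchange described above. The firewall (the RADIUS client) sends
# Accounting-Request packets (RFC 2866) for Start, Interim-Update and Stop; the
# server checks the Request Authenticator against the shared secret before it
# charges Acct-Session-Time against Max-Daily-Session. All packets below are
# constructed; "testing123" and 1800 are the tutorial's secret and daily limit.
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
# Attribute type numbers from RFC 2865 / RFC 2866
ATTR_TYPE = {"User-Name": 1, "Framed-IP-Address": 8, "Acct-Status-Type": 40,
             "Acct-Session-Id": 44, "Acct-Session-Time": 46}
ATTR_NAME = {v: k for k, v in ATTR_TYPE.items()}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
ACCT_STATUS_NAME = {v: k for k, v in ACCT_STATUS.items()}


def _tlv(name, value):
    """One attribute: Type(1) Length(1) Value; Length counts the two header bytes."""
    return struct.pack("!BB", ATTR_TYPE[name], len(value) + 2) + value


def build_accounting_request(ident, secret, user, session_id, status,
                             session_time=None, framed_ip=None):
    """Client side. Request Authenticator = MD5(Code + ID + Length + 16 zero
    octets + attributes + secret), RFC 2866 section 3."""
    attrs = _tlv("User-Name", user.encode())
    attrs += _tlv("Acct-Status-Type", struct.pack("!I", ACCT_STATUS[status]))
    attrs += _tlv("Acct-Session-Id", session_id.encode())
    if session_time is not None:
        attrs += _tlv("Acct-Session-Time", struct.pack("!I", session_time))
    if framed_ip is not None:
        attrs += _tlv("Framed-IP-Address", socket.inet_aton(framed_ip))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server side: accept only packets whose authenticator was computed with our secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def parse_attrs(packet):
    """Decode the attributes this example knows into a dict; others are skipped."""
    out, pos = {}, HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value, name = packet[pos + 2:pos + alen], ATTR_NAME.get(atype)
        if name == "Acct-Status-Type":
            out[name] = ACCT_STATUS_NAME.get(struct.unpack("!I", value)[0], "unknown")
        elif name == "Acct-Session-Time":
            out[name] = struct.unpack("!I", value)[0]
        elif name == "Framed-IP-Address":
            out[name] = socket.inet_ntoa(value)
        elif name is not None:
            out[name] = value.decode()
        pos += alen
    return out


def remaining_daily_seconds(max_daily_session, secret, user, packets):
    """Seconds the server would still grant today. Only authenticated Stop records
    are charged: Interim-Updates carry running totals and would double-count."""
    used = 0
    for pkt in packets:
        if not verify_accounting_request(pkt, secret):
            continue  # forged or corrupted: never trust its session time
        attrs = parse_attrs(pkt)
        if attrs.get("User-Name") == user and attrs.get("Acct-Status-Type") == "Stop":
            used += attrs.get("Acct-Session-Time", 0)
    return max(0, max_daily_session - used)


if __name__ == "__main__":
    secret = b"testing123"
    session = [  # the sequence from the text: Start, Interim-Update, Stop, plus a forgery
        build_accounting_request(1, secret, "test", "s-0001", "Start", framed_ip="10.211.55.100"),
        build_accounting_request(2, secret, "test", "s-0001", "Interim-Update", session_time=300),
        build_accounting_request(3, secret, "test", "s-0001", "Stop", session_time=600),
        build_accounting_request(4, b"wrong", "test", "s-0002", "Stop", session_time=9999),
    ]
    print("remaining today:", remaining_daily_seconds(1800, secret, "test", session))
```

The point of the authenticator check is that anyone on the 10.211.55.0/24 client network can send UDP to the server; without the shared secret their accounting records are discarded rather than counted against (or credited to) a user. The same MD5-with-secret construction is what radclient and the server compute, so packets from this script can be compared against the freeradius -X debug output.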


Test radius

For the initial test it is practical to watch the traffic going in and out of FreeRADIUS. The next steps stop the service and start FreeRADIUS in debug mode, with its output on the console:

/etc/init.d/freeradius stop
freeradius -X

Google drive backup

Free storage

Because Google officially offers 15 GB of free storage and nearly unlimited traffic, a remote backup of an OPNsense configuration file is free; the only thing you need is a Google account.

Easy API

An application programming interface (API) for Google Drive was released in 2013. This API empowers third-party developers to easily write apps for Google Drive.

Surety

Low level positives

The Google account used to sign in to Google Drive offers optional two-factor authentication, via an authenticator app on Android/iOS or SMS. HTTPS transport layer security is used by default.

Non-descript level negatives

There are reports of Google being pressed into close relationships with intelligence agencies in regard to US national interests. Information leakage to intelligence agencies may not be in the interest of non-US users, and using Google Drive may lower their domestic level of privacy.

Remote backup

For the OPNsense® GUI menu item, see Remote backup (using Google drive) .

In OPNsense you can back up your configuration directly and automatically to Google Drive, using the new backup feature. Every backup is encrypted with the same algorithm used in the manual backup, so it is quite easy to restore to a newly installed machine.

After set-up, the backup feature first stores the OPNsense config file and subsequently makes a new daily backup of changed config content.

Setup Google API usage

First we need to have a project in the google developer console:

Go to https://console.developers.google.com/project
Create a project and give it a name; you may leave it at the default, it doesn't really matter for this.
Enable the Drive API
  o In the left menu: APIs -> "Drive API" -> Enable
Open the project and start to create an API key
  o In the left menu: APIs & auth -> Credentials
  o Click on the button "Create new Client ID"
  o Choose "Service account", followed by "Create Client ID"


  o Download the key and save it (for your own use)
  o Click "Generate new P12 key" and download the key (for your own use, you need this one later)
  o Copy the Email Address, you need it later.

Create a Google Drive folder

Next thing is to create a folder in Google Drive and share it to the "service user" you've just created.

Go to https://drive.google.com
Choose "NEW" and then Folder to create a new folder; the name doesn't really matter (for example type OPNsense).
Right-click the newly created folder and choose Share
  o paste the email address from the service account and "send"
Now open the folder and copy the folder ID (in the URL, the last piece after #/folders/; it's quite long).

Setup the account in OPNsense

Now we can put it all together: log in to your OPNsense firewall and go to the backup feature (default: https://192.168.1.1/diag_backup.php).

At the bottom of the page are the options for the Google Drive backup. Enable the feature and fill in the parameters: the email address and the P12 key are the ones you obtained from the service account above. Choose a strong password to protect your data and fill in the number of backups you want to keep. The configuration file holds your credentials and keys, so this password is all that protects them from anyone who can read the Drive folder.

When you click Setup/Test Google Drive, the firewall automatically saves and tests your settings, and you receive either an error (connectivity issues) or a list of the config files currently in the backup.

The moment the feature is enabled, it does a daily compare of the last file in the backup with the current configuration and creates a new backup when something has changed.


Now, determine which Quagga daemons you want to run. Please see the Quagga documentation for the names of the daemons you want to run. In this document, we will configure Quagga for OSPF, and will therefore be running the zebra and ospfd daemons. If this does not match your desired setup, please adjust the instructions accordingly.

An easy way to bootstrap the Quagga configuration is simply to create empty configuration files for the required daemons, like this:

root@example:~ # cd /usr/local/etc/quagga/
root@example:/usr/local/etc/quagga # touch zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # chmod 600 zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # chown quagga:quagga zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # ls -al
total 8
drwxr-x---   2 quagga  quagga   512 Sep 15 13:24 .
drwxr-xr-x  27 root    wheel   3072 Sep 14 10:36 ..
-rw-------   1 quagga  quagga     0 Sep 15 13:24 ospfd.conf
-rw-------   1 quagga  quagga     0 Sep 15 13:24 zebra.conf
root@example:/usr/local/etc/quagga #

After this, create a file named /etc/rc.conf.d/quagga with the following content:

quagga_enable="YES"
quagga_daemons="zebra ospfd"

Finally, start the quagga daemons using service quagga start like this:

root@example:~ # service quagga start
Checking zebra.conf
OK
Starting zebra.
Checking ospfd.conf
OK
Starting ospfd.
root@example:~ #

Configuring Quagga

At this point, Quagga is up and running but isn't actually doing anything. The vtysh tool may now be used to perform configuration of Quagga. Exactly how this works is out of scope of this document - see the Quagga documentation to learn how to configure and use Quagga.

If you have a multi-user system, and you want other administrators to be able to administer Quagga using vtysh, the minimum they need to be granted in order to access vtysh (which gives them full permissions to Quagga in the default configuration) is:

Via the OPNsense User Manager (System -> User manager) the user needs to be granted the User - System - Shell account access permission.

The user needs to be granted membership in the quagga UNIX group. (Note: not an OPNsense group named quagga, but rather the group in the underlying operating system.) A user may be added to the group using the command pw groupmod quagga -m exampleuser. See the manual page for pw(8) for more options.

Watchquagga

Quagga includes the watchquagga daemon which will attempt to restart Quagga in case of crashes or faults.

A basic (untested) configuration would be by putting the following in /etc/rc.conf.d/watchquagga:


watchquagga_enable="YES"
watchquagga_flags="-d zebra ospfd"

Don't forget to start watchquagga using service watchquagga start :

root@example:~ # service watchquagga start
Starting watchquagga.
root@example:~ #

Caveats

Quagga is unaware of the OPNsense configuration. Therefore it knows nothing about the OPNsense interface names; instead you always have to work with the operating system's device names. These can be seen using the Status -> Interfaces page on the webconfigurator.

OPNsense is unaware of Quagga. Therefore, if you perform conflicting configuration on Quagga, OPNsense might clobber it and the other way around.

Configuration backups will not include the Quagga configuration. The appropriate configuration files need to be backed up separately.

Appropriate firewall rules need to be installed to permit routing protocol traffic.

This Wiki page is still new, and a work in progress, and the procedures here have not yet been validated for production use.

Configure CARP

Overview

One of the more powerful features of OPNsense is to set up a redundant firewall with automatic fail-over option. This chapter describes step by step how to create a set-up based on two networks. The 192.168.1.0/24 will be used for the internal network and 172.8.0.0/24 will be used to route our traffic to the internet.

When using CARP ( https://www.freebsd.org/doc/handbook/carp.html ), all fail-safe interfaces should have a dedicated ip address which will be combined with one shared virtual ip address to communicate to both networks. In the picture above the dashed lines are used to mark the virtual addresses.

The configuration file (xml) for both firewalls can be downloaded from the wiki.


Terminology

There is some terminology involved in setting up a CARP cluster, which we will explain briefly first:

CARP

Common Address Redundancy Protocol uses IP protocol 112, is derived from OpenBSD and uses multicast packets to signal its neighbours about its status. Always make sure that each interface can receive carp packets. Every virtual interface must have a unique Virtual Host ID (vhid), which is shared across the physical machines. To determine which physical machine has a higher priority, the advertised skew is used. A lower skew means a higher score (our master firewall uses 0).

pfSync

Together with CARP, we can use pfSync to replicate our firewall's state. When failing over you need to make sure both machines know about all connections to make the migration seamless. It's highly advisable to use a dedicated interface for pfSync packets between the hosts, both for security reasons (state injection) and for performance.

XMLRPC sync

OPNsense includes a mechanism to keep the configuration of the backup server in sync with the master. This mechanism is called xmlrpc sync and can be found under System -> High Availability.

Setup interfaces and basic firewall rules

Our example uses three interfaces, which all have a rather basic setup.

Master

Go to interfaces, make sure you have all three interfaces assigned and setup the following addresses and subnets:

LAN 192.168.1.10/24

WAN 172.18.0.101/24

PFSYNC 10.0.0.1

Next we need to make sure the appropriate protocols can be used on the different interfaces, go to firewall -> rules and make sure both LAN and WAN accept at least carp packets (see protocol selection). Because we're connecting both firewalls using a direct cable connection, we will add a single rule to accept all traffic on all protocols for that specific interface. Another option is to only accept traffic to the GUI port and pfSync protocol.

Backup

The backup server needs its own dedicated addresses, we will use these:

LAN 192.168.1.20/24

WAN 172.18.0.102/24


PFSYNC 10.0.0.2

Because we are going to synchronize firewall settings between both hosts, we only need to make sure that the pfsync interface can accept data from the master for the initial setup. Use the same rule as used for the master on this interface.

Setup Virtual IPs

On the master node we are going to setup our Virtual IP addresses, which will also be used for the backup node after synchronisation. Go to Firewall -> Virtual IPs and add a new one with the following characteristics:

Type Carp

Interface WAN

IP addresses 172.18.0.100 / 24

Virtual password opnsense (the example uses this)

VHID Group 1

Advertising Frequency Base 1 / Skew 0

Description VIP WAN

And another using the following:

Type Carp

Interface LAN

IP addresses 192.168.1.1 / 24

Virtual password opnsense (the example uses this)

VHID Group 3

Advertising Frequency Base 1 / Skew 0

Description VIP LAN

Setup outbound NAT

When traffic is going out of the firewall it should also use the virtual IP address to make a seamless migration possible. The default for OPNsense is to use the interface's IP address, which is in our case the wrong one.

Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).

(optional) Setup DHCP server

When using dhcp for the local area network, there are some things to consider. All clients should use the virtual address instead of the physical address it normally propagates. Next thing to consider is there will be two servers active at the same time, which should know of each other's pools. If dns requests are also forwarded by OPNsense, make sure the dhcp server sends the right ip address. These are settings used in our example (on the master server):

DNS servers 192.168.1.1

Gateway 192.168.1.1

Failover peer IP 192.168.1.20

Setup HA sync (xmlrpc) and pfSync

First we should enable pfSync using our dedicated interface using the master firewall. Go to System -> High Availability, enable pfsync and select the interface used for pfSync. Next setup the peer ip to the other host's address (10.0.0.2).

Now we need to configure the settings we want to duplicate to the backup server using the xmlrpc sync option. For our setup we will enable the following:

Synchronize rules

Synchronize NAT

Synchronize DHCPD

Synchronize Virtual IPs

Finalize setup

Just to make sure all settings are properly applied, reboot both firewalls before testing.

Testing setup

First go to Status -> Carp in the OPNsense webinterface and check if both machines are properly initialized.

To test our setup, we will connect a client to the local area network and open a ssh connection to a host behind both firewalls. Now when connected you should be able to look at the state table on both OPNsense firewalls (Diagnostics -> States) and they should both display the same connection. Next try to pull the network plug from the master firewall and it should move over to the backup without losing (or freezing) the ssh connection.
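Before the reboot-and-test step, it helps to check the two configurations against the rules the sections above impose (distinct physical addresses in a shared subnet, unique VHIDs, VIPs inside the subnet, pfsync peers pointing at each other, outbound NAT and DHCP handing out the VIPs rather than the master's own addresses). The checker below is an added example written for this page, not OPNsense code; the Node and VirtualIP classes are hypothetical models of the settings above, the /24 prefix on the PFSYNC addresses is an assumption (the page gives none), and the backup's NAT/DHCP settings are not checked because they arrive via xmlrpc sync.

```python
"""Added example (not from the wiki page): pre-flight checks for the two-node CARP setup."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualIP:
    interface: str   # OPNsense interface carrying the VIP (LAN, WAN)
    address: str     # "172.18.0.100/24"
    vhid: int        # Virtual Host ID, must be unique per CARP cluster
    skew: int        # advertising skew; lower wins, the master uses 0


@dataclass
class Node:
    name: str
    interfaces: dict                          # interface name -> "address/prefix"
    pfsync_peer: str                          # peer address under System -> High Availability
    vips: list = field(default_factory=list)  # synced to the backup, so set on the master
    nat_translation: str = ''                 # address outbound NAT rewrites LAN traffic to
    dhcp_gateway: str = ''                    # gateway handed out by the DHCP server
    dhcp_failover_peer: str = ''              # DHCP failover peer (the other node's LAN address)


def _ip(text):
    """Parse an address, returning None for an unset field."""
    return ipaddress.ip_address(text) if text else None


def check_carp_pair(master, backup):
    """Return the list of deviations from the documented setup (empty = consistent)."""
    problems = []
    # Physical interfaces: every address differs between the nodes but shares the subnet.
    for ifname, addr in master.interfaces.items():
        if ifname not in backup.interfaces:
            problems.append('%s: not configured on %s' % (ifname, backup.name))
            continue
        m = ipaddress.ip_interface(addr)
        b = ipaddress.ip_interface(backup.interfaces[ifname])
        if m.ip == b.ip:
            problems.append('%s: both nodes use %s' % (ifname, m.ip))
        if m.network != b.network:
            problems.append('%s: subnets differ (%s vs %s)' % (ifname, m.network, b.network))
    # Virtual IPs: unique VHID, inside the interface subnet, distinct from both
    # physical addresses, and advertised by the master with skew 0.
    vhid_owner, vip_of = {}, {}
    for vip in master.vips:
        v = ipaddress.ip_interface(vip.address)
        if vip.vhid in vhid_owner:
            problems.append('VHID %d reused on %s and %s' % (vip.vhid, vhid_owner[vip.vhid], vip.interface))
        vhid_owner[vip.vhid] = vip.interface
        vip_of[vip.interface] = v.ip
        for node in (master, backup):
            phys = ipaddress.ip_interface(node.interfaces.get(vip.interface, '0.0.0.0/32'))
            if v.ip not in phys.network:
                problems.append('VIP %s is outside %s on %s' % (v.ip, phys.network, node.name))
            if phys.ip == v.ip:
                problems.append('VIP %s equals the physical address of %s' % (v.ip, node.name))
        if vip.skew != 0:
            problems.append('VIP %s: master skew is %d, expected 0' % (v.ip, vip.skew))
    # pfsync: each node's peer setting must be the other node's PFSYNC address.
    for me, other in ((master, backup), (backup, master)):
        peer_if = other.interfaces.get('PFSYNC')
        if peer_if is None:
            problems.append('%s: no PFSYNC interface' % other.name)
            continue
        expected = ipaddress.ip_interface(peer_if).ip
        if _ip(me.pfsync_peer) != expected:
            problems.append('%s: pfsync peer %s is not %s' % (me.name, me.pfsync_peer, expected))
    # Outbound NAT and DHCP must hand out the shared VIPs, not the master's own addresses.
    if _ip(master.nat_translation) != vip_of.get('WAN'):
        problems.append('outbound NAT translates to %s instead of the WAN VIP %s'
                        % (master.nat_translation, vip_of.get('WAN')))
    if _ip(master.dhcp_gateway) != vip_of.get('LAN'):
        problems.append('DHCP gateway %s is not the LAN VIP %s' % (master.dhcp_gateway, vip_of.get('LAN')))
    backup_lan = ipaddress.ip_interface(backup.interfaces.get('LAN', '0.0.0.0/32')).ip
    if _ip(master.dhcp_failover_peer) != backup_lan:
        problems.append('DHCP failover peer %s is not the backup LAN address %s'
                        % (master.dhcp_failover_peer, backup_lan))
    return problems


# Values from the wiki's example; the PFSYNC prefix length (/24) is an assumption.
MASTER = Node('master',
              {'LAN': '192.168.1.10/24', 'WAN': '172.18.0.101/24', 'PFSYNC': '10.0.0.1/24'},
              pfsync_peer='10.0.0.2',
              vips=[VirtualIP('WAN', '172.18.0.100/24', vhid=1, skew=0),
                    VirtualIP('LAN', '192.168.1.1/24', vhid=3, skew=0)],
              nat_translation='172.18.0.100', dhcp_gateway='192.168.1.1',
              dhcp_failover_peer='192.168.1.20')
BACKUP = Node('backup',
              {'LAN': '192.168.1.20/24', 'WAN': '172.18.0.102/24', 'PFSYNC': '10.0.0.2/24'},
              pfsync_peer='10.0.0.1')

if __name__ == '__main__':
    for line in check_carp_pair(MASTER, BACKUP) or ['consistent']:
        print(line)
```

Running it against the page's values reports nothing; leaving the outbound NAT rule on the interface address (172.18.0.101) or giving both VIPs VHID 1 each produces exactly one finding, which is the kind of mistake that only shows up during a failover test otherwise.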

Howto use the API

Overview

All components that are using the full architecture of OPNsense automatically receive API capabilities; for this simple tutorial we use the firmware module but others will function in the same way. API access is part of the local user authentication system, but uses key/secret pairs to separate account information from machine to machine communication. Secrets are not stored on OPNsense and can be downloaded only once; if lost, a new key has to be generated for your application.

A user can have multiple keys, our advice is to create a unique key for every application in use.


Creating keys

API keys are managed in the user manager (system_usermanager.php), go to the user manager page and select a user. Somewhere down the page you will find the api section for this user.

Click on the + sign to add a new key. When the key is created, you will receive a (single download)with the credentials in one ini file. The contents of this file look like this:

key=w86XNZob/8Oq8aC5r0kbNarNtdpoQU781fyoeaOBQsBwkXUt
secret=XeD26XVrJ5ilAc/EmglCRC+0j2e57tRsjHwFepOseySWLM53pJASeTA3

Code sample (python)

For the python code sample we use the nice "requests" library (http://docs.python-requests.org/en/latest/ ), which makes http calls very easy.

Before you can start, make sure your OPNsense has a valid SSL certificate (or choose to ignore it for testing purposes by setting verify=False), don't forget to verify that the selected user may access the firmware page.

The web interface uses the same logic that will be available for the api, in this example we will collect some status information from the firmware module and print it out for the user.

It all starts with creating the request and waiting for the response, all data interaction is using json format, both for the responses as for the request data (when sending POST data).

First step of the example is importing the required libraries, then define the endpoint url and credentials to use and finally fire the (get type) request. As soon as we receive the response, we parse the json string back to a dictionary and print some data depending on the response.

# import libraries
import json
import requests

# define endpoint and credentials
api_key = 'w86XNZob/8Oq8aC5hxh2he+vLN00r0kbNarNtdpoQU781fyoeaOBQsBwkXUt'
api_secret = 'puOyw0Ega3xZXeD26XVrJ5WYFepOseySWLM53pJASeTA3'
url = 'https://192.168.1.1/api/core/firmware/status'

# request data: the key/secret pair is sent as HTTP basic auth, verify= names
# the CA certificate used to validate the firewall's SSL certificate
r = requests.get(url,
                 verify='OPNsense.pem',
                 auth=(api_key, api_secret))

if r.status_code == 200:
    response = json.loads(r.text)
    if response['status'] == 'ok' and response['status_upgrade_action'] == 'all':
        print('OPNsense can be upgraded')
        print('download size : %s' % response['download_size'])
        print('number of packages : %s' % response['updates'])
        if response['upgrade_needs_reboot'] == '1':
            print('REBOOT REQUIRED')
    elif response['status'] == 'ok' and response['status_upgrade_action'] == 'pkg':
        print('OPNsense can be upgraded, but needs a pkg upgrade first')
    elif 'status_msg' in response:
        print(response['status_msg'])
else:
    print('Connection / Authentication issue, response received:')
    print(r.text)
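The sample above mixes credential handling, the HTTP call and the interpretation of the status document in one script. The added example below (written for this page, not code from the OPNsense project) separates those pieces so the parsing of the downloaded ini file and the status logic can be exercised without a firewall: it uses only the standard library (urllib instead of the requests package, sending the key/secret pair as HTTP basic auth exactly as auth=(key, secret) does), the credential file text and the response dictionaries are constructed placeholders, and the firewall address and the OPNsense.pem CA file in the demo call are assumptions to replace with your own.

```python
"""Added example (not OPNsense project code): offline-testable pieces of an API client."""
import base64
import json
import ssl
import urllib.request

# Constructed stand-in for the ini file the user manager lets you download once;
# the values are placeholders, not real credentials.
SAMPLE_CREDENTIAL_FILE = """# OPNsense API credentials (constructed sample)
key=EXAMPLEKEY00000000000000000000000000000000000000000000000
secret=EXAMPLESECRET000000000000000000000000000000000000000000
"""


def load_api_credentials(text):
    """Parse the key=/secret= lines of the downloaded ini file."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        name, value = line.split('=', 1)
        values[name.strip()] = value.strip()
    missing = {'key', 'secret'} - values.keys()
    if missing:
        raise ValueError('credential file lacks: %s' % ', '.join(sorted(missing)))
    return values['key'], values['secret']


def classify_firmware_status(response):
    """Reduce the /api/core/firmware/status document to a verdict dict.

    The branches mirror the page's sample: upgrade available, pkg upgrade
    needed first, a status message from the firewall, or something unexpected.
    """
    status = response.get('status')
    action = response.get('status_upgrade_action')
    if status == 'ok' and action == 'all':
        return {'verdict': 'upgrade-available',
                'download_size': response.get('download_size'),
                'packages': response.get('updates'),
                'reboot_required': response.get('upgrade_needs_reboot') == '1'}
    if status == 'ok' and action == 'pkg':
        return {'verdict': 'pkg-upgrade-first'}
    if 'status_msg' in response:
        return {'verdict': 'message', 'message': response['status_msg']}
    return {'verdict': 'unexpected', 'raw': response}


def build_request(url, api_key, api_secret, payload=None):
    """Build the request: key as basic-auth user, secret as password, JSON body for POST."""
    token = base64.b64encode(('%s:%s' % (api_key, api_secret)).encode()).decode()
    headers = {'Authorization': 'Basic ' + token}
    data = None
    if payload is not None:
        data = json.dumps(payload).encode()
        headers['Content-Type'] = 'application/json'
    return urllib.request.Request(url, data=data, headers=headers,
                                  method='POST' if data is not None else 'GET')


def call_api(url, api_key, api_secret, ca_bundle, payload=None, timeout=30):
    """Send the request and decode the JSON reply.

    ca_bundle is the PEM file that signed the firewall's certificate; certificate
    verification stays on, so a wrong or self-signed certificate raises ssl.SSLError.
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    request = build_request(url, api_key, api_secret, payload)
    with urllib.request.urlopen(request, context=context, timeout=timeout) as reply:
        return reply.status, json.loads(reply.read().decode())


if __name__ == '__main__':
    key, secret = load_api_credentials(SAMPLE_CREDENTIAL_FILE)
    # Assumed firewall address and CA file; replace with your own.
    base = 'https://192.168.1.1/api/core/firmware'
    try:
        code, body = call_api(base + '/status', key, secret, 'OPNsense.pem')
    except (OSError, ValueError) as exc:   # includes ssl.SSLError and HTTP errors
        print('request failed:', exc)
    else:
        print(code, classify_firmware_status(body))
```

To schedule the upgrade the same way the curl example further down does, call call_api with payload={'upgrade': 'all'} against the /upgrade endpoint; build_request switches to POST and sets the JSON content type on its own. Keeping the CA file mandatory means a "verify=False" shortcut cannot leak into production code by accident.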

Using curl

Simple testing with curl is also possible, the sample below uses the same credentials, but ignores the sslcertificate check (-k) for testing.

curl -k -u"w86XNZob/8Oq8aC5hxh2he+vLN00r0kbNarNtdpoQU781fyoeaOBQsBwkXUt":"puOyw0Ega3xZXeD26XVrJ5WYFepOseySWLM53pJASeTA3" https://192.168.1.1/api/core/firmware/status

And schedule the actual upgrade of all packages using:

curl -XPOST -d '{"upgrade":"all"}' -H "Content-Type: application/json" -k -u"w86XNZob/8Oq8aC5hxh2he+vLN00r0kbNarNtdpoQU781fyoeaOBQsBwkXUt":"puOyw0Ega3xZXeD26XVrJ5WYFepOseySWLM53pJASeTA3" https://10.211.55.100/api/core/firmware/upgrade