OPNSense: Protect Your Home LAN With a Transparent Filtering Bridge with Step by Step Instructions
HTML-код
- Опубликовано: 31 мар 2024
- Dave details how to set up OPNSense on a miniPC and how to configure it as a transparent filtering bridge. He also sets up IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) via Suricata and deploys the ClamAV antivirus solution on the router. For my book on life on the Spectrum: amzn.to/49sCbbJ
Any requests to contact me on Telegram, etc, are scams...
Errata: OPNSense is FreeBSD, not Linux!
If you do not have a management interface (third port), don't set the LAN interface IP4 config to None - set a static IP for it so you can still reach it later. Sorry for this oversight!
Follow me on Facebook at davepl for daily shenanigans!
Follow me on Twitter at @davepl1968
Great pfSense tutorial by Network Chuck: • your home router SUCKS...
How virtualize a firewall by Techno Tim: • How to Virtualize Your...
Protectli Valut: protectli.com/
Dual NIC Mini PC: amzn.to/3xkgM6q
Elite MiniPC: shop.azulle.com/products/byte...
$65 Mini PC: www.aliexpress.us/item/325680...
Recipe for Configuring OPNSense as a Transparent Filtering Bridge:
www.zenarmor.com/docs/network...
Download OPNSense: opnsense.org/download/ 
Наука
Love the fact that I could follow your step-by-step without getting lost. Yes! Do more OPNsense stuff. Add a segment on using a machine with built-in Wi-Fi so I don’t have to go down the add a separate access point gadget to complicate matters.
My Arris router is a cable + wifi router, pretty rare nowadays tp find one of those
pf/opnsense suck at wifi, don't do this, that's not what they're for. look into openwrt
Built-in Wi-Fi won't work as well as a dedicated AP but more importantly very few chipsets work properly in FreeBSD in AP mode.
Sadly, I COMPLETELY agree with you. THAT is why I’m hoping that people MUCH SMARTER than me (like Dave here) can suggest solutions so we can get that “built into the router” AP without needing that “extra/separate” AP gadget, it’s software and another layer of complexity.
@@eDoc2020 it works from 300' feet away, thats good enough for me
Love the one-liners. @0:57 "The order in which you do things doesn't really matter," said with a completely straight face. CCNA dig pretty funny too!
Technically, the order DOESN'T matter if you perform them as a single atomic operation, right? :-)
Critical Care Nursing Assistant 😆
Your opnsense box is several magnitudes more powerful than my desktop, lol.
I was thinking the same thing 😂 I’m overdue for an upgrade 😬
That makes 3 of us.
Oh no! Get new pants and shoes when they get worn!
@@Tony-xc5sk- up that 1 to 4 of us!
@@CiscoWes I have i3 10100 lol
In my professional life I must have done setup of OPNsense / pfSense more than 300 + times. But, I swear, never heard or imagined transparent filtering bridge. Thank you Dave for enlightening me and the world about it. Will surely put in to practice.
Glad I could bring something new to the table!
Have had it on my todo to figure out how to set up transparent filtering on a naked Linux system. But too many other tasks taking time.
In my case, I want an existing firewall to believe an external box with modem should look like a local interface so the firewall sees (and thinks it owns) the public IP.
yeah he reach Saudi Arabia also , i will do as he advice, thanks dave
Me neither and i still dont rly see what the Point of it is. It doesnt come clear to me in this video.
@@SpriGgEx Transparent here means it looks like a layer 2 switch. No changes to any IP numbers. So it isn't visible. Until one of the firewall rules decides to block something. Then it's just a magic cable that blocks the bad connections.
So the computer on the inside can still believe that it owns the public IP number and runs without firewall.
Like the no ads at the start... Easy to settle into the video. 👍🏼👍🏼
get premium, seriously, it makes youtube everything you want it to be
@@thaphreak really? it will filter sponsor messages that creators include in their videos?! sign me up!
@@pete3897no it won't
@@pete3897 There is an extension that does this called "SponsorBlock For RUclips". It's a game changer.
@@pete3897
Almost really, however you can scrub past that stuff, so yeah…really is worth the cost of admission.
This is exactly the sort of opnsense configuration I was looking for to implement for home clients. Beautiful, clear and concise video. Much appreciated. Looking forward to more content!
Love everything you do Dave! As someone who will be doing the same thing when my new rack mount server arrives I do hope you make more videos on this and similar topics. You're experience and teaching style "works" for me - and I am thankful to have found your channel!
Critical Care Nursing Assistant... lol.
I was wondering if he was joking or not.
But, it 4/1 is it not?
it went past me for a moment then i was wait a min... what?!
😂 brilliant.
Still beats MCSA :)
Made me actually laugh out loud 😂
_"Errata: OPNSense is FreeBSD, not Linux!"_ I'm an old, grey-bearded Unix sys admin, and that makes me like it even more.
That is what I was wondering, I remember pfsense was unix and I thought maybe they ported it over to Linux? Thanks for the clarification.
why do you hate linux?
If you are oldd... like me you like for sure the documentation "Nerds 2.0.1: A Brief History of the Internet" // It is by Robert X. Cringely, he did make some really great docus about the beginning. A much watch :) :)
You mean there are other *nix based OSs than Linux? FreeBSD is one of the OG versions of Unix. It is horrible what AT&T (or whatever their name was at the time) did to this *nix branch!
Which severely limits it in wifi support, for example. I'd love it to be based on Linux. I guess this "ex-MS" guy doesn't see the difference, because he said "Linux" at least twice. Geez...
I appreciate the straight forward approach Dave, and I've noticed quite a few experts nit-picking, I haven't seen anything significant enough to disregard the video. Thanks for this.
If you Google for Suricata there's plenty of people talking about how often it blocks things due to false positives and it wont see most malware as its delivered over SSL. The best you can really do is region and IP blocklists which require much less CPU power.
Experts who needlessly nit-pick are just being difficult. Source, I work in the industry and listen to it daily. From a big-picture standpoint the video is great.
a grown up man advocating for a youtuber.
You dont need to defend him, he is old enough and probably accepts his mistakes. Gotta love Fans of youtubers, DONT BE a fan of a youtuber.
@@ICEMANZIDANEYawn. I got bored after grown up.
@@ICEMANZIDANEAssumption much? Maybe he’s just offering a fellow human being some kindness and support. Even grownups appreciate an attaboy from time to time. If you think that’s only for kids, then I’m sorry for you.
I jumped off the slow moving Ubiquiti ship and landed on a Firewalla Gold life raft. So impressed with this little setup after testing that I'm putting them in client offices now.
Set it up takes less than two minutes and further desired segregation/isolation changes are so easy I don't have to bring my networking knowledge.
So easy to setup a mess of these around the state and control them from one browser tab at home office.
First time here and I particularly like the straight forward approach to "like, subscribe, and join". Sharing valuable information is what brings me to RUclips and keeps me coming back. Step by step instructions make the difference.
Man, when this guy posts you know its going to be a good video!!! Very Excited for this one!!!! Thanks Dave!
Appreciate the straight forward approach you use. Would love to see more content like this.
I appreciate your no nonsense approach to narration. Then add just a bit of humour to fill the time as needed. 👍
Same. I can't stand modern RUclips and their rewarding of crap filler content to meet a certain video length.
Thanks Dave!
Thanks Dave. You had me up till 3am as a spur of the moment setting up a new router. My boss said to tell you not to do it again. Thanks 😅
Thank you for delving deeper into this subject, please keep this type of content coming! I'm also on the spectrum and as an AuDHDer I find your presentation suits me better than most RUclips creators as it's to the point! I need all go and low show to get through tutorials and can follow along with you without losing interest waiting for the next step! Keep up the great videos and thank you for all you have done for us geeks on the spectrum!
Yeah this is perfect. Would love a deeper episode digging into the experience.
This looks like a simple way for most of us to add security and avoid the headaches of having to mess with the rest of our network. Every time I've looked at setting up something like this I've worried about just what you said, ending up with my network down and no understanding of how to get it back up. This set up doesn't leave you facing that prospect. Thanks so much for sharing this with us all. I'll be giving this a try.
I've been running pfsense since 2018 with version 2.4.3. Currently running 23.09.1. It's been very solid for me. I have the AV, IPS, IDS, etc all enabled and route at 10Gbps over Multimode Fiber and SFP+. I went with an AMD Ryzen 7 5700GE as the CPU for it with 16GB of RAM. It's enough for my 10Gbps FTTH Internet connection and multiple users as well as a VPN.
To me, it's a solid system and I don't know how I ever did before by buying proprietary Cisco Meraki stuff that cost an arm and a leg in licensing. I really like pfsense and I recommend it.
Cool man. What do you use for your VPN client? I tried setting up a native W10 client but didn’t have much luck. Planning to try again and do more searching on best options.
That is one fat pipe!
I used to do the UniFi stack and ripped it all out. I went for microtek, cheap 2.5G switch and a NAS using an amd 4600GE and a stack of cheap nvmes. SMB 3 can combine 2.5G so NAS has 5G and so does my main PC. I have a WiFi 6E ap 2.5G uplink that covers the whole house with 2.4GHz switched off for everything else except my media pc which is on 2.5. It's works ok. Sometimes the microtek router crashes so i added a fan to it and set it to reboot once a week (2 different issues). The NAS uses no raiding and backs up to a pair of 10Tb WD gold on external caddy. I can literrally grab them and have everything. Photos and docs sync to Google drive. 1G symmetric ftth is the fastest i csn get.
pfSense is epic
@@bdlii I use OpenVPN still. Old habbit. There is WireGuard now also available but haven't configured it yet.
In grade school my parents got me an Atari 2400, and it was so cool. That got me into electronics. Then I mowed a lot of lawns and bought a TI 99/4a, and that got me on a route towards computer science. Now I am a cofounder of a shop that makes software that has helped change the world.
Don’t discount consoles, but understand the power of a fully customizable computer.
OK Dave -- show us an OPNSense install on a TI99 ! Definitely not comparable to the Intel Atom, so it should work pretty good, right?
As a 5th grader in 1967, I would occasionally help my father transcribe his handwritten FORTRAN programs into something an IBM 1130 could read, using, you guessed it, an IBM29 80 Column Card Puncher. (He was getting his BSEE via night classes compliments of his employer.)
@@IBM29 oh god, I remember once helping my dad and dropping a whole stack of punchcards. I don’t remember anything after that.
@@michaeldeloatch7461 lmao!!!
@@michaeldeloatch7461 It’d actually be really fun to see that happen. I’d imagine you’d get close to 309K baud, if not less.
OPNSense is what I use for a lot of BGP edge routers. It works great for sub-10Gig networks. There's also a lot of ISP modem/router combos that mess up IPv6 in bridge mode. So there's a decent chance you may no longer have IPv6 when not using their router.
This video was linked in a forum post so I watched out of curiosity especially regarding the transparent bridge since I already use OPNsense. Getting to the end, I decided I would subscribe (was watching it on the forum site) and arriving at RUclips discovered I already had, so changed my alerts to 'all' and tapped the like. Very well done video, clear and easy to follow, thank you.
Back in the days we called it ”bump in the wire”. Have set up a few cisco ASA with transparent filtering. Love your videos ❤ / retired CCNP-R/S, CCNP-S 😅
Thank you, Dave. I'm the go to "network admin" for many in my family as well as a few business/organizations. I've used PiHoles, which are ok for light or low traffic networks, but i've found that I need a lot more power. Thank you for showing us this. I will start tinkering with it myself and then see if I can apply this to (especially) the businesses and organizations whose networks I help keep up to date. Please share more OPNSense stuff.
The Unbound DNS plugin dose a good job for DNS filtering, Pi-Hole is hard to beat from an admin and stats standpoint though.
This is my first hearing of a transparent filtering bridge, thanks for sharing. 👍
me too and im in the internet biz lol
firsttime hearings
This episode was interesting and entertaining, Dave. More, please!
Wow. Love seeing these type of videos. Your presentation is great. I need to do this to my setup!!!
While I probably won’t go the transparent bridge route (pun intended), seeing OpnSense being run through like this makes me want to dive in. Been running MikroTik gear for over decade and have been curious about OpnSense but often ended up overwhelming myself with info and putting it on the back burner. Great video!
MikroTik makes cool stuff too... there's always a trade off as things become more hardware-focused or software-defined. They seem to be a good mix in between.
cheap mikrotik router + their winbox ui is quick and simple , swiss knife for the network
What is (or is there) the equivalent for transparent filtering bridge for MikroTik, seems pretty CPU intensive so thinking it’s not something a 750 series would offer..
This is a great start, but unfortunately IDS/IPS is severely limited to being almost useless because of HTTPS/TLS. A PKI can help quite a bit but is more advanced configuration and introduces issues itself with certificate pinning. I would recommend a video on EDR or even something like Crowdsec, which is more effective than an IDS transparent bridge.
Yeah, I was wondering about that. Surely it wouldn't be able to inspect HTTPS/TLS packets...?
is it possible to test downloading the test virus from antiviurs site and seeing if ids/ips catches it?
I asked AU - Certainly! Detecting viruses over HTTPS (encrypted) delivery is a crucial aspect of network security. Here’s how Intrusion Prevention Systems (IPS) handle this:
Traffic Inspection:
HTTPS traffic is encrypted using TLS/SSL protocols, making it challenging to inspect the payload directly.
However, modern IPS solutions can perform deep packet inspection even on encrypted traffic.
They achieve this by:
Decrypting the encrypted traffic temporarily.
Analyzing the decrypted content for malicious patterns.
Re-encrypting the traffic before forwarding it to the destination.
Challenges:
Performance Impact: Decrypting and re-encrypting traffic adds computational overhead, affecting system performance.
False Positives: Decrypting traffic may lead to false positives if the IPS misinterprets benign content as malicious.
Privacy Concerns: Decrypting user data raises privacy concerns, especially in enterprise environments.
TLS Inspection:
Some IPS systems support Transport Layer Security (TLS) inspection.
They maintain a database of trusted certificate authorities (CAs) and use it to validate server certificates during decryption.
If a server certificate is not trusted or revoked, the IPS can block or alert on the traffic.
Signature-Based Detection:
IPS systems use signature-based detection to identify known malware patterns.
They maintain a database of signatures for various threats.
When inspecting decrypted traffic, they compare it against these signatures.
Behavioral Analysis:
Advanced IPS solutions employ behavioral analysis.
They learn normal traffic patterns and detect anomalies.
For example, if an encrypted connection suddenly transfers large files, it might raise suspicion.
Heuristics and Machine Learning:
Some IPS systems use heuristics and machine learning.
They analyze traffic behavior and adaptively learn to identify new threats.
Evasion Techniques:
Malicious actors use evasion techniques to bypass IPS inspection.
They split payloads across multiple packets or use obfuscation.
Modern IPS solutions continuously evolve to counter these techniques.
In summary, while detecting viruses over HTTPS is challenging due to encryption, modern IPS systems employ various techniques to inspect and protect against threats even within encrypted traffic
@@DaveGamesVT - it can still tell domains/IPs and block known-bad or known-compromised sites. But, yes, to really inspect, it would need to MitM the HTTPS traffic to decrypt, inspect, and then encrypt it again. But it can still detect many types of traffic without decryption, just not payload inspection.
@@jroysdon I'm a newbie to this topic but wouldn't that make the virus scanning option for this completely useless?
Dive deeper! You make great videos explaining things so good.
Wow you’re such a good explainer! I just got a Lenovo tiny pc to make my own router and I love the fact that you said all the pros and cons of keeping your isp router. We need more of this content! You’re great keep it up
Been running pfsense as my main router for 17 years. Love your videos. One thing I would add. If people are using the Internet Provider' box, they usually include WiFi, and your setup with the transparent filtering it won't see wifi packets.
I plan to disable the wifi from the ISP box and implement a much better managed wifi router behind the OPNSENSE bridge that has full capabilities compared to most ISP boxes these days that limit what you can and can't do
hmm this would be only if they're not using the ISP's box only as a bridge?
@@johnnygolden7401which did you order
*FreeBSD not Linux based
Was about to say the same thing 😏
Die-hard fan of both, and was also about to say it.
One of many errors in this vid I'm afraid - eg bridges don't route packets, they bridge frames
When I tried BSD, I was blown away with sheer consistent performance, smoothness and stability. I tried ghostBSD and it was really good.
Beat me to it!
Thanks Dave, I didn't even know this was out there. The whole reason I come here.
Actually just updated my firewall at the beginning of 2024. Using a "Qotom Q20332G9-S10" 4 x 10gbps SFP+ ports, 5 x 2.5gbps rj45 ports, 64 GB Ram, 2TB NVMe m.2. Running Proxmox on the bare metal with OPNSense as VM, as well as PiHole as another, and my Cloud Backup as a third. Works very well. About $500 USD all in. Love your content Dave!
You're tempting me into trying this out. I have a 1Gbps connection which my Unifi UDR can't pass fully when running the on board IDS & IPS so this transparent filter makes a lot of sense to me. Thanks for the guidance and will try this out soon when I have found a suitable box to load it onto.
Dave... More Please!! Thanks for the great video today as well.
Just here for the thumbnail. Dave epic videos slam dunks inspiring to us who are trying to break into and get a glimpse of IT
I could just hug you Dave! Thank you.
Upgraded from Subbed to "Notify All" This is EXCELLENT content!
He's a "solid bell" for me too.
the momment his stle sunk in , i did the same. Straight to the nitty gritt . love it
Just upgraded to subscribe. Notify all loading
Thanks Dave -- just about the best content yet among all your vids I have watched.
Great straightforward approach Dave. Very interesting video.
Thank you.
Well Done.
Your presentation style makes it a pleasure to revisit old times (Tech, in my case) and still tinker with the house set up!
Thanks for this. Now my next network project!
I use PFsense myself. An excellent product.
Quick edit: gigabit only needs a reasonably new Atom, or a Sandy Bridge era pentium... Dave is right, faster needs more horsepower, especially with IDS/IPS. Also: PF and OPN sense are BSD based, not Linux. Not that it matters.
It can matter for hardware support. Linux supported Intel i226 NICs before FreeBSD. I use pfSense CE, but I'm thinking of switching to OPNsense. I'm worried that pfSense CE could become paid software like pfSense Plus.
BSD\UNIX\LINUX same thing.
Regarding being BSD based and not Linux, it does matter.
The reason I stopped using PFSense, was essentially due to the extremely out of date Intel drivers.
Switched to Linux (using VyOS), the exact same box, had a 4x performance improvement doing the same thing.
Me too, got a Netgate 4100, mounts in my rack. pfsense, lots of packages to choose from.
I run pfSense+ with Snort (inline)and pfBlockerNG on a Netgate SG-4860 appliance. I rarely see CPU usage over 20%... and that is only an Atom 4 core C2558. I really like having the ZFS Boot environments.
amazing been running OPNsense for about a year now, when i got my Fiber in at the home
Good video! I might try to put this in front of my Firewalla box as a transparent bridge with protection rules as you showed and see how it goes. 😁
Thanks for the demo. I really enjoy the content you make and have learned alot of great tips from your channel
Awesome video Dave, very educational and helpful for home protection. Easy to follow along as well! Much appreciated!
enjoyed that, and love that we average Jo's can take back some control at little expense. Thank you Dave!
BTW I paused and went to google for a win.ini file example to remember what I used to do, I think it was there that I did dual booting back in the 90's :)
Thanks for this video. It's not the first video from the channel I've seen, but it's the one that made me subscribe. I'm looking forward to more OPNsense videos since I'm looking at setting it up as my main router\fw.
Me too, same here
More opnsense videos please. You make it so easy!
Already a subscriber, and I really liked what you're puttin' down in this video, sir!
Awesome, thank you!
Great video, Dave. Transparent bridging is a jewel that often gets overlooked. You can also do it with the Synology routers -- which IMO have the best parental and content filters available in their price class.
I loved this video! And I would also love to see a deeper dive into opensense!!
Would love to see more in-depth configuration follow up.
Dave I love your approach ..All killer, no filler. Got a new sub!
@ 6:30 in the video.
I love the penultimate solution to something not working as you thought it would. “Just unplug the cable and put it back where is used to go”. That's my kind of solution, easy and not requiring a ”what the hell did I do” investigation and an undoing, before it all works as it was. We know these things often progress without notes and the odd bit of finger pokin’ logic as one get into it. The ultimate solution, of course, when it does not work as intended, being pull out the plug and go to the pub. There is always, always, someone there who has the answer, all it takes is remembering it what it was.
I used my ISP router to feed my network router mainly because it was a well known load of junk. I had to use it as there is a VOIP line connection land line and they will not let out the data to enable a move. I have since reverted to the ISP router as I got a new updated one after the old one expired. I should get back to using a safer method again. Before my old management cry of "are we exposed" becomes a realty.
This is like the worst video thumbnail in the history of youtube, but i cant help but love it 😊. Great video and content as always
Great content.
1) As a slightly paranoid person, the option to have a separate LAN-interface as the only access to control OPNSense would be interesting.
2) A deeper dive to settings would be great
3) Perhaps a word about using "privacy VPN's" with this setup (to my understanding would prevent this from functioning as intended) and same question about HTTPS and other "secure" protocols - can this setup scan/check that type of content?
#3 correct, this can't understand encrypted traffic. The benefits this device offers are things like blocking countries.
Hi Dave. You are both brilliant & a genius at these essential, practical IT video tutorials. Magnificent content. Bravo!
Great rapid fire information on OPNSense. I would to see a deep dive.
Love your videos, because it give me some ideas, what to do in the near future on my home network. I'm now so far, as having VLANS to seperate any kind of critical stuff, IoT(rash), Wifi etc. But your videos give an inspiration to my next further steps. Thank you so far.
Thanks Dave, I was just looking at getting a physical firewall and your video is really great for getting started.
As always, I can't get enough! More please!
Bravo! Great content, would like to see more of a deep dive in this and more similar content. Thank you Dave!
MORE PLEASE! This was awesome!
Nice one Dave! just what I've been looking for.......
Dave - thanks for suggesting a interesting project to do at home. I discovered quickly that first I needed to set-up management access to my box on OPT1, so that I could fix the things I fouled-up when creating the bridge. In my case, I only plan accessing the box using a laptop and a physical cable on the OPT1 lan-port.
how do you setup a mgmt interface and access the gui from it?
@@Chester-hk6zp I'd like to know this too.
This reminds me of the old Smooth Wall I had setup years ago. I had 3 NICs in it, so I can have an in, out and a DMZ.
14:57 Dave's book helps you understand autism, how to adapt, childhood, parenting, relationships. It's good for anyone who might be or might interact with those on the autism spectrum (and anyone working in tech). I recommend his book without hesitation. I had my local library buy a copy.
I've been running OPNSense for about 7 years now. Minor correction, OPNSense is FreeBSD/Unix not Linux. Great video Dave!
Back around 2000 we implemented a filtering bridge (we called it a Fridge since it was an appliance lol).
IIRC it was built on one of the BSDs which had the quirky feature at the time of being able to inspect IP packets with the interfaces bridged and no IP address bound.
It was the outside firewall on a DMZ for a large law firm. One of the selling points was you physically had to walk up to it to do anything to it!
FYI -- small technical note - OPNsense is based on freeBSD based, not Linux - big difference to guys like me who nitpick about the differences...lol...but in the *nix world these days, it hardly matters :). I currently run pfSense and for some reason, it doesn't want to update to the latest version. Some plugins, I use (especially pfBlocker) can't be upgraded because they require the updated pfSense OS, which means those plugins are no longer the latest version. Since I'm looking at a reload/rebuild to get to the latest pfSense version, I may opt for OPNsense, thanks to this video. :)
OPNsense is great. Deciso also offer commercial support but don't seem to be mega cash grabby yet. There's also a third party add on (Zenarmor) available that gives you ngfw features like content filtering and other fancy crap. I'd use it for customers, no problem.
If your pfsense is failing to upgrade, here is the super secret sauce to correct the situation. Just run it into pfsense shell [ press f8 on pfsense console or ssh it ]
certctl rehash
pkg-static update -f
pkg-static install -fy pkg pfSense-repo pfSense-upgrade
once completed, just visit upgrade, you will get latest updates.
The use of FreeBSD as a base platform is great from a stability perspective - it is pretty much bombproof as far as *nix is concerned but the community is very slow to add new device drivers and then it takes an extra age for the drivers to trickle down into pfsense and opnsense. Opnsense seem to be more responsive to adding new PHY support than pfsense but it is still a lengthy process. It's a stability vs new shiny thing support tradeoff. Not that we don't need support for new shiny things.
I've been running pfsesne for a few years and I'm comfortable with it. But it comes down to what you prefer and get used to. Both forks are great.
Shoutout to Chuck!
Yes, the Critical Care Nurses Assistant
Nice explanation David. Another project placed on my "To Do List".
Thanks Dave, we need more fun and exciting cyber security videos and other ways of protecting us and our families online
Incredibly helpful. I'm typically over cautious whenever touching my OPNsense configuration, having caused some self inflicted outages - due to ignorance & an inherent rtfm aversion.
Dave, thank you for vetting IDS & IPS and ClamAV and showing us how to implement. I am hopeful that you will decide to help us with more OPNsense configuration help.
I'm using my implementation for: VLAN segregation (tv, cams, laptops, iot, printers, guests), DHCP, firewall (internet, no internet, and port filtering). How would I implement country filtering?
Love it Dave ! You should make your own fork of this. “DaveSense” 😀
Yes, please, a playlist of videos dedicated to options to consider using this pc now wedged between our modem and router...
Love the money shot of the heat sink in slow rotation.
I would like to see a deeper dive because many of the features you enabled won't really work without deep packet inspection set up. I don't think deep packet inspection is possible in transparent bridge mode but I would love to be proven wrong about that.
I got it working in pfSense. Your NIC must support RSS and netmap. I always have issues with igb and em cards (probably because igb drivers are built on em.) igc and ix cards work great.
There are both inline and legacy deep packet inspection ids/ips. Inline is a bit more powerful.
I use the inline ips on the lan and limiters on the WAN. Also I think for the sake of the NIC memory it may be relevant to consider using two separate NICs of matching types.
It is also worth noting that NICs only support certain types of ethernet cables. ie no cat8 on an i225 nic if you want everything to work perfect. cat5e or cat6a
If we're talking ISP all-in-one device (modem, router, switch, and possibly wifi) but connect the transparent bridge downstream of the ISP device, then you're loosing the switch and wifi functionality (or the IDS/IPS/AV capability on those other interfaces). You'd want to put the bridge between the modem and the router (like you did with your DMP), but that isn't possible with ISP provided all-in-one devices.
Thank you, Dave! I appreciate your simple to follow videos. :)
Glad you like them!
Fantastic video Dave, I´m a noob in opnsense and this is a good begining to make it work, thanks a lot
Your previous video was so popular a Telegram scammer reached out to me pretending to be you. This person told me I had won a Macbook pro and iPhone pro... all for being a such a great subscriber.
You are!😊
Same thing happened to meet with Explaining Computers - they should leave our teachers alone!
I always ask them to send me their Credit Card Number, SS number and Mothers maiden name before any further communication from them!
Thanks for this, quite interested in doing this. The $109 PC (with case, 8GB ram, 128GB SSD) should be fine for Starlink I would think.
Been using pfsense for years as a secondary firewall device on a backup network service, but never seen anything like this. Thanks for the new information and will put it to use very shortly. Need to get a device for home.
Thank You! The sooner the better the deeper dive!
Interesting video, nice to watch as well. I would 100% use a dedicated management interface (on a 3rd interface). That way you don’t pollute your wan traffic with local management traffic. You also don’t have the risk of making the box unmanagable. Anwyay, transparant bridges are cool ❤ I first used one 22 years ago, on redhat linux with iptables. Bridging was just new in the kernel, exciting times 😂
Great video. Would be interesting to see it in action, e.g. examples of some of the IDS/IPS logs and some of the 'nasties' it's blocking.
I'd like to know how many IDS rules it has and when all that security gets updated and by whom. As for Clam AV, no thanks, Each PC has a better handle on that.
I'd like to see him purposefully go to many bad places to see it effectiveness.
Great video, informative and straightforward configuration description - just how it should be done!
You've got my vote for additional videos. My suggestion is a video to dive into more detail of the transparent filtering bridge in operation, such as: what does a client see when packets are rejected due to geo-ip or virus detection, etc., how to setup log monitors and notifications, backing up the configuration and any other operational suggestions.
I can't see how the ClamAV works through the bridge. I'm pretty sure the configuration is correct, but when I try the Eicar test download the signature appears instead of being blocked. Any suggestions are appreciated. I suspect the ClamAV plugin depends on a Web Proxy??
Good video, I will try this once I choose a mini-pc.
Dave do some videos on network level ad blocking, vpn hosting, ddns (Dynamic DNS for those who are not it savvy) and nas (network attached storage)
Very good video! Question, if you have mainly SSL/TLS traffic, how is it going to perform IDS/IPS on packets. Is it just IP reputation based at this point? Or, is the router actually doing HTTPSi (HTTPS inspection) by performing a MitM?
If you're in the middle of the traffic, you can see the entire handshake of establishing the HTTPS/TLS connection, and for corporate networks that use things like Suricata, yes, they do perform HTTPSi, examining the contents of the encrypted packet and then passing them on into the network. The procedure would be the same on your little transparent bridge, it sniffs the keys for the HTTPS connection, and then examines the packets for things that violate the rules you set, and then passes on the good packets while rejecting suspicious or dangerous connections.
@@orangejuche Nope - that would be an example of a MitM attack. In corporate settings, the HTTPSi inspector has it's own certificate which all corp machines are configured to trust (either by adding it as a certificate, or it being issued by a corp specific root CA, which is added as a certificate). At least, that's what the docs I found say
@@td19xyz My bad, you are correct, and I was incorrect. Suricata can't see what is in an encrypted packet without an HTTPS proxy with a trusted root CA that performs decrypt and encrypt of the traffic and forwarding of the decrypted traffic stream to Suricata. This doesn't mean Suricata is useless for handling HTTPS traffic, as while it can't see what is inside, it still has the metadata of the connection, and can filter attempted HTTPS connections from servers on a list of untrusted clients.
Great video on a subject we all need. I love the direct, fast and no bull crap delivery. Please keep up with this type of content. Now subscribed and looking forward to more.....
Hi Dave,
Definitely would like to hear more from you about OPNSense. It's something that I've been thinking of putting on my network. Hello from Australia!
DOCSIS is the gate keeper. will you explain that?
DOCSIS = Data Over Cable System Interface Specification. This is the set of standards implemented in CMTS routers operated by cable companies and cablem modems in customer locations that control how IP packets are mapped from Ethernet Layer 2 onto RF layer 2 in different frequency ranges on coax cable. DOCSIS standards also influence how other protocols like TFTP, NTP and DHCP are used to push configuration files to devices, sync them in time for remote monitoring and assign IP addresses to the modem itself and devices plugged into the LAN side behind the modem based on provisioned service attributes. DOCSIS helps limit physical access to the carrier's network based upon previously recognized device MACs but other than that, DOCSIS itself adds no protection to guiard against malicious traffic for either the provider or customer.
@@stratfanstl DOCSIS is no standard. It cost aroud 200 USD to get your router to be able to unwrap that data. So my question is who is behind DOCSIS, so who gets the money.
@@nocontabanconmiastucia939 DOCSIS modems are considered on the cable provider's side of the "demarc". You cannot obtain DOCSIS software to run on a user-controlled device tied to the provider's coax. If the provider doesn't recognize the MAC, they won't allow it to connect and only they can push firmware to the device. DOCSIS **is** a set of standards created by CableLabs, a consortium of RF and IP engineers doing joint standards development for cable providers and manufacturers of gear.
Thanks for your Book! Looking forward to reading it.
Thanks Dude!