My basic OPNsense configuration

Homelab Jul 05, 2019

Ever since first setting up my home's network I wanted to try using OPNsense. Since I was very new to both this and pfSense I was struggling to figure things out in a timely fashion, and ended up going with a basic pfSense setup for my homelab and office side of the network, relying on my internet-provider-provided router for the rest of the home network.

This is part one of my homelab re-organization project.

Using my D-Link "smart managed" router's VLAN functionality I had effectively split the network in two, with two fully separate routers handling either side. This worked fine and served my needs at the time, but I want to do this better now.

As someone in the YouTube comments of my video pointed out too, I too had not at all done anything in pfSense's VLAN section. This was fine for my goals then, as I didn't have one router route everything. This time I want to have one router route my entire home network, so that will be one of my goals.

The setup

pfSense has been running as a virtual machine on the Dell R510, and it was working fine that way. Some people are wary of running a router in a virtual machine, which I cna understand, but as it was serving only my homelab anyway I did not have to worry about it too much. To be able to perform necessary upgrades to the Dell though, I need to be able to shut it down, so it's time to reinstate my router-PC-thing, which I called Dotori.

In case you're curious, Dotori is the romanized version of 도토리, korean for Acorn.

Installing OPNsense is very easy. If you're at all familiar with installing most every Linux flavor, it'll be roughly the same. All it takes is for you to download the right version, "burn" it to a USB stick, boot from it, and follow the steps.

I kept my pfSense and LG routers running while setting up the OPNsense one, just so I had the time to do this right without completely killing my home network until I finished things, so I mostly had it running separately with only my laptop plugged into it. As I set up more and more, I could slowly switch over individual parts until everything was done. If you are in a similar situation and have the ability to do so, this is a very stress-free way to do it, so I highly recommend it.

LAGG

The router I am using has a total of 6 NICs. I set up the first one as the "internet-in" port, the following four in a LAGG configuration, and the remaining port left open in case I ever need to directly plug my laptop into the router for maintenance or whatnot.

I have been wanting to try out a LAGG configuration as it seems to make sense and has benefits over just relying on one port. However, I do understand that with my home setup I most likely won't be able to tell the difference, but nonetheless I have the hardware available for it, and I can benefit from the learning experience of setting things up this way.

Note: Your switch must support link aggregation functionality or this will not work. This functionality is usually only available in smart or smart-managed (aka half-smart) switches. Be sure to check your switch' manual to make sure it supports this before trying it out yourself.

In OPNsense, head on over to Interfaces » Other Types » LAGG.  In there I added a new configuration, combining em1, em2, em3 and em4 on my particular machine using the LACP protocol — also referred to as 802.3ad.

Now head over to Interfaces » Assignments, and add the newly created LAGG. One this is done, head on over to Interfaces » [LAGG] and enable the newly created interface. You can also rename it while you're here if you like. As I am planning on relying solely on VLANs for my new setup I did not set up IPv4 configuration here, but if you're planning on just having one, VLAN-free network, you would set IPv4 Configuration Type to Static IPv4 here most likely.

VLANs

As I mentioned before, my plan this time around was to rely on one router (this one) to route my entire network, including home stuff, so it was time to try out OPNsense' VLAN features.

For my plan I want to have three VLANs; Office, Servers and Home. I'll create those now.

Head on over to Interfaces » Other Types » VLAN. Here I added the three aforementioned ones. Each one has the LAGG interface as its parent interface, and each one has a unique VLAN tag set. The tag is arbitrary, so pick what makes sense for you. Do remember them though, you'll likely need to set up both your switch and additional devices to use these same tags.

Now head on over to Interfaces » Assignments and add each of the VLANs you just created. Once added they'll likely be called something like OPT2, OPT3, et cetera. Let's fully enable them and give them more convenient names too.

For each of the VLANs, go to Interfaces » [name of its interface], check the enable checkbox and set its description to something logical. For me I named them Office, Servers and Home. For each of these I also set their IPv4 Configuration Type to Static IPv4. Then, at the bottom I set up the desired IP address of the router, and thus range of each VLAN. As I am not using IPv6 at all I have all interfaces' IPv6 setting set to None.

Once you've done this, things still won't work until you have actually enabled the IPv4 service on each of these interfaces as-well. While I understand the thinking here, I must admit that the UX flow of OPNsense is a bit clunky in this regard. It's better as compared to pfSense in that it explains things a bit better, but they both could use a bit of improving in the UX department. But I digress.

For each of the VLAN you set up, head over to Services » DHCPv4 » [name of your VLAN]. In there, enable the first checkbox, and set a desired From/To range. This is the range from which it will pick and assign an IP address whenever a device connects that does not have a static IP assigned already. I would recommend you set the range to be big enough for however many devices you can, but don't use up the entire range as you'll probably want some IPs available for static assignments. Static assignments cannot be made with IPs that are within this range.

I decided on the 10.10.10.x range for my Office VLAN, 20.0.0.x for Servers, and 192.168.1.x for Home.

Once you have done this, your router should now be able to assign IP addresses in each of the VLANs.

Setting up VLAN tags on your Switch

An example of how one can set up VLANs per port.

While the specific way of configuring this depends on your switch, the concept is of course the same.

On my D-Link switch I created the same VLANs as I did on the router, and assigned some of the ports to the appropriate VLANs. On my particular switch I have three choices for each port; Untagged, Tagged and Not Member. I can only select one of the three with a radio button.

How the D-Link lets you set per-port settings for a VLAN.

This means that I am not able to have both untagged and tagged devices on the same port be part of the same VLAN. I am not sure if this is common, or specific to my switch's implementation, but it kind of makes sense.

As I wanted to ensure devices can't interact with one another unless I specifically set them to be able to do so, I default all ports to be not a member of any VLAN, and for VLANs like Servers only allow tagged devices to be part of it. This way no rogue device should be able to jump across unless it is in the right port and has the right tag set, of course. VLAN tagging is not security, I know, but it can help.

I set up office (= work machine) is able to join both Office and Servers VLANs. As for my home devices I relied on the router's untagged option to include them in the Home VLAN, and no switch port these home devices are on can join any other VLAN.

I also ensured that my Raspberry Pi running Pihole is accessible both in the Home as-well as Office VLANs. Pihole is another thing that used to run as a container on the Dell, but I moved it to a separate device for now so I can take the Dell offline and work on it.

Note that you should make sure to include whatever ports your router is connected to for each of the VLANs you have set up, otherwise no device will be able to communicate with the router. This probably seem obvious to you, but it took a second for me to make this realization. Ahem.

Firewall

Before anything will be allowed to make contact with anything else, you should configure OPNsense's firewall. By default OPNsense creates a few "anti lock-out" rules on the LAN interface, but as I am not using this interface at all, I replicated these to on my interfaces.

To make it a little easier to manage these kinds of firewall rules, I created a group that contains both my Home and Office VLANs. Actually, I included LAGG and OPT2 as-well although that's not really necessary I suppose. I deliberately keep my Servers VLAN separate as I want to enforce more strict rules there. To create your own firewall group, head on over to Firewall » Groups and create one there.

Next, head on over to Firewall » Rules » [name of group or interface] so we can manually define both anti-lockout rules as-well as any additional rules we need.

Some of my firewall rules as I have configured them right now

The first three rules shown in the screenshot are to replicate OPNsense' default anti-lockout rules. The fourth one enables Apple's zeroconf auto-lookup magic™ effectively, and the subsequent three rules allow DNS lookup only to my pihole and specifically prohibit it to anywhere else. This way no rogue device (I'm looking at you, Google Home Mini) can try to circumvent my ad blocker. The final rule allows any local device to contact anything else, effectively enabling both internal inter-device interaction as-well as actually being able to browse the internet.

For my Servers VLAN I more deliberately enable specific ports and communications, relying more on a default-deny setup for both incoming and outgoing traffic. It'll take some initial effort to set things up in a basic way, but it feels safer this way.

OPNsense' Dashboard

Closing thoughts

I'm glad I was able to finally dive more into VLAN support on the router itself. While my previous setup worked fine for what I needed then, it's nice to have everything together now whilst still being able to silo things off. It's also pretty nice to have a full overview of what's happening on my network right from OPNsense's Dashboard. I have only scratched the surface of what's possible with OPNsense, but I feel like I have gotten at least one step deeper than I have thusfar, and I'm glad for it.

I have been running this particular setup for a week or two now and it's been going well. The router box seems capable enough to support my network, even with the traffic of a few game services I have been developing running on my server, so that's nice.

Comparing OPNsense to pfSense, I must admit that I like OPNsense a lot more. While it's obviously based on the same system/code, I feel like they've gone in a much better direction that has resulted in an easier (though not easy) to use system that you feel more in control over. While certain areas like its VPN server integration are still, in my opinion, needlessly complicated and optuse, I have hope that these will get more user-friendly in time.

While not a full how-to, I hope that this article helped you get some ideas as to how to perhaps set up your own network. If you have any questions I'll certainly try to help. You can find me on Twitter right here.

Thank you.