Building a Business - Ep. 2: Installing OPNSense or pfSense as our Firewall and Router.


Awesome Open Source


There are timestamps below for those wanting pfSense or OPNsense. I tried to cover both and give you timestamps for the separate installs of each. Please feel free to jump around to the parts that make the most sense for you.
Be on the lookout for our next networking episode, where we set up VLANs for our business. We'll learn why VLANs are useful for several reasons, and the importance of using them for performance and security.
=== Links ===
OPNSense Main Website
opnsense.org/
pfSense Main Website
www.pfsense.org/
Support my Channel and ongoing efforts through Patreon:
www.patreon.com/bePatron?u=23...
=== Timestamps ===
00:00 Beginning
00:09 Introduction to pfSense and OPNSense as a Firewall and Router
03:05 Thank you to my Patrons over at Patreon, and my subscribers at KZfaq
03:40 Downloading pfSense and OPNSense
06:05 Uploading your image to Proxmox
07:30 Creating our pfSense Virtual Machine Firewall from the Image
14:00 Creating our OPNSense Virtual Machine Firewall from the Image
15:48 Setting our VM to Start when the Host Server Boots
16:19 Installing pfSense in our Virtual Machine
19:50 Removing our Virtual Install Media for pfSense
20:15 Configuring our Basic Network in pfSense Prompt
26:03 Very Brief look at the pfSense Web UI - changing the root password.
27:04 Installing OPNSense in our Virtual Machine
31:07 Removing our Virtual Install Media for OPNSense
31:30 Configuring our Basic Networking in OPNSense Prompt
35:25 Very Brief look at the OPNSense Web UI - the Startup Wizard
=== Contact ===
Twitter: @mickintx
Telegram: @MickInTx
Mastodon: mastodon.partecipa.digital/ @MickInTX
Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
www.ssdnodes.com/manage/aff.p...
Get a $50.00 credit for Digital Ocean by signing up with this link:
m.do.co/c/a6a61ae55242
Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
hover.com/SHPaiirr
Support my Channel and ongoing efforts through Patreon:
www.patreon.com/bePatron?u=23...
What does the money go to?
To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
=== Attributions ===
Intro and Outro music provided by www.bensound.com

Comments: 55
@Maleko48 1 year ago
I finally got pfSense setup on my ProxMox box with direct hardware pass thru at the front of my network yesterday. Can't wait to setup all the fun stuff next. :D
@AwesomeOpenSource 1 year ago
It's coming. We are taking this a step at a time so people have plenty of time to work along with us.
@WC1376C22 1 year ago
Hello from Houston. It has been two and half years since I started my "Home Lab" journey. I am now at the point where I am about to do a major rework (same old tired equip though :( ). I have been going through your playlist for the last week trying to organize my network on paper, and found myself stuck on the foundation...the router/firewall. This video is "on time-on target", Thanks.
@AwesomeOpenSource 1 year ago
Timely and helpful. 2 for 2!
@dexterflodstrom9975 1 year ago
This is just the series I need! Thanks a lot, these are really helpful.
@AwesomeOpenSource 1 year ago
Glad to hear it!
@selfhosted 1 year ago
Great information here! Love how you take time to explain everything. Well done 👍
@AwesomeOpenSource 1 year ago
Glad it's helpful.
@akiladissanayaka282 1 year ago
Really helpful tutorials. Helped a lot
@AwesomeOpenSource 1 year ago
Glad it helped
@Tchucho 10 months ago
another awesome video!
@AwesomeOpenSource 10 months ago
Thanks for the visit
@quddus404 1 year ago
Thank you!
@AwesomeOpenSource 1 year ago
You bet!
@mitchross2852 1 year ago
I love opnsense. You should make a guide how to set up dmz for self hosting, exposed via internet.
@AwesomeOpenSource 1 year ago
In future videos, we'll be showing how to use pfSense and OPNSense for these types of purposes. This was just step one.
@mistakek 1 year ago
If you are planning to use OpenVPN in your pfsense/opnsense install, in the VM CPU settings you should set it to host, and turn on the AES flag so OpenVPN can take advantage of that directly in the CPU.
@AwesomeOpenSource 1 year ago
Great tip! Thank you for that!
@accordracer85 1 year ago
In my business we use PFSense but I would never suggest putting it in a VM. Since this is a business, you want up time to be near 100%. One main reason for NOT putting the router in a VM is if the host needs to be rebooted for patching or becomes unresponsive. By making the router a VM, you will take down an entire network if the host needs to be restarted. Ideally, the router should be on its own hardware. Even if someone is just starting out, production systems should be treated with a very high level of care and security. Just my 2 cents.
@AwesomeOpenSource 1 year ago
Totally understand this thought, and agree with a single install, it may not be ideal, but if we are starting with limited hardware, then it may be the only option too. But, as we grow we can move our learned skills, and use other hardware, or clusters, etc.
@vitorhugopereiradesousa1721 1 year ago
Hum, if you have issues with the host you can replicate/make it redundant by having it installed on a nas, the machine will just change host if anything happens. But maybe we can have another excellent video on how to make it work 😉
@WolframWebers 1 year ago
@AwesomeOpenSource Not really. With PCI-passthrough you bind the physical network port of the host to a specific network port of the guest. Thus, you cannot just migrate or clone the guest to another host. Even worse, if you plan to migrate the guest, the target host would have to have the very same physical setup. What would be possible is to set up 2 *sense guests attached to 2 different WAN ports and use *sense built-in HA capability. That way you could at least shut down one guest without losing routing capabilities. But if you shut down the host you will still kill your WAN access. The better setup would thus be to set up 2 hosts connected to the WAN with 2 redundant lines, maybe one in standby. Then you could install Proxmox on both as host OS and *sense instances as guests. Then you could make use of *sense built-in HA capabilities. That way you could even shut down one host and still have routing capability. It would have been better to describe all those possible use cases with their respective pitfalls. Not to mention those risks introduced with PCI-passthrough when running several guests on the same machine.
@enderst81 1 year ago
LXC/LXD would be awesome if they could do live migration in clusters.
@enderst81 1 year ago
14:50 You can check the Qemu Agent box then install the plugin after first boot.
@AwesomeOpenSource 1 year ago
Indeed, and great tip on the QEMU agent.
@raheelkhan2257 1 year ago
The best but I need more ti to make 100% best soft hehehehe thanks for the video bro.
@AwesomeOpenSource 1 year ago
Any time!
@lezz27 1 year ago
Thank you for the quick walk through. I do have a question for you. Of all the videos I came across, every one of them shows how to install Opnsense on VirtualBox/VMware Workstation and then create a separate network where the FW talks only to these other virtual machines within that secluded network. My question is: what if I want to install Opnsense on VMware Workstation/VirtualBox and then I want my current physical LAN traffic to be routed through the firewall, is that possible? If yes, what kind of NIC config do I need to set up on the virtual instance of Opnsense? I know I can get a physical PC with some additional LAN card in it and then set it up that way. But given the current situation I am in, I do not have a spare machine and can only spin up a VM. Thanks in advance.
@AwesomeOpenSource 1 year ago
You can do what you're suggesting, but you need your Modem out (LAN) line to first go into your OPNSense machine. So it may just be a matter of distance from modem to machine.
@lezz27 1 year ago
@AwesomeOpenSource Thank you for your response. That's how I have it set up now, except for the fact that the uplink from the router (LAN) interface is connected to a switch and my PC running the Opnsense VM is then connected to this switch. So it's like router>>switch>>Opnsense host machine. Now the most important question. How should I configure the 2 NICs on VMware Workstation/VirtualBox? Should I have them as Bridge for the WAN and NAT for the LAN? Also, how will the other machines on the LAN know that traffic needs to be filtered via the Opnsense VM firewall? Do I update the DHCP default gateway info on the router to match the Opnsense IP? Thanks!
@lezz27 1 year ago
@Awesome Open Source, do you have suggestions for me? I have almost tried everything that I could think of but was not able to get this to work the way I want. Any help is appreciated.
@johndan4986 1 year ago
Quick qsn: are u using on board pcie Network card or external pcie card? I tried to use the same method on my Dell r720 with 2 10gb ports or 2 1gb ports. But it failed to passthrough the pcie card. The vm fails to start. As per small info I got after discording proxmox doesn't allow to public addresses to passthrough.
@johndan4986 1 year ago
After traking too much with the system, I discovered that I was enabling all functions for the PCIe card, yet it was not supposed to be enabled since the system needs to know that u detaching the ports from each other.
@AwesomeOpenSource 1 year ago
Yep, as you found the 'all functions' option will enable multiple ports for a single NIC, and if you then try to select each one separately, it can definitely cause issues. Sorry for not clarifying that better in the video.
@johndan4986 1 year ago
Is it possible to redirect proxmox network through pfsense vm ?? I want the server to get its network from pfsense. As well as the vms.
@pixel_xo 1 year ago
Does anyone have suggestions to a good open source Biometric attendance with Payroll ?
@AwesomeOpenSource 1 year ago
I haven't seen anything that advanced, but I'll look around and see what I can find.
@pixel_xo 1 year ago
@AwesomeOpenSource thank you, I did a little digging around and found ERPNext has that module in it
@talapanda4208 1 year ago
Any tips? I’m a newbie learning
@AwesomeOpenSource 1 year ago
Just what's in the video.
@marek.lochki 1 year ago
How is the security of the firewall out of the box once installed? Does it need more configuration? Closing comments seem like there is nothing more to do on the firewall.
@AwesomeOpenSource 1 year ago
When I've installed either one, they both have all ports blocked on incoming out of the box. You can of course go in and setup port-forwarding, NAT Reflection, and so many other things in the settings, but out of the box I'd say ready for home use with no self-hosting going on.
@marek.lochki 1 year ago
@AwesomeOpenSource thank you for confirming that not much more needs to be done once the initial setup is completed. For someone like me who doesn't know too much about configuring firewalls it's reassuring to hear. However, I do like to tinker and learn.
@TheNaive 4 months ago
Can I use it on an Ubuntu VPS
@AwesomeOpenSource 4 months ago
I don't think you'd want to run this on a VPS. Maybe if I understood your goal better.
@TheNaive 4 months ago
@AwesomeOpenSource Sorry I didn't mention it. I am using Hostinger shared web hosting and planning to try an Oracle free tier VPS, but it has limited resources for free and everything will be managed by me. I wanted a control panel but nothing was helpful; all panels were limited to PHP and Node, and none support Docker or Rancher, so I decided to go with a root-level deploy, but a firewall is needed for the server. Then I came across your video. Thank you for your reply, but now I have decided to use ufw for the firewall, install Rancher and Docker on it, and run containers. Thanks for the reply though.
@AwesomeOpenSource 4 months ago
So, for instance, Digital Ocean offers a firewall option to put in front of your VPS. Not sure about what Hostinger or Oracle offer. If you want to try DO for free, in the video description I have an affiliate link that will give you $50 US in credit to test out for a couple of months, so you can do a good number of VPS for that amount. If you stay I get a credit, if you cancel I don't. Simple as that, and no pressure to stay, but might help you see what is out there, and let you compare.
@TheNaive 4 months ago
@AwesomeOpenSource ok thanks 😃
@mikea8659 1 year ago
Any reason for not creating Linux bridges ?
@AwesomeOpenSource 1 year ago
Not sure I'm following the exact question, so if I'm not, let me know, but I didn't because I don't want people following along to use their VirtIO bridge connected directly to their WAN, but instead to make a specific NIC be the WAN for their network. If you mean Linux bridges in a more general sense, I think that the *sense projects are really great for a host of reasons, and that they will likely serve the purpose overall with a lower learning curve.
@Darkk6969 1 year ago
Bridge is typical for VMs to share network resources. For firewall you're better off having dedicated NICs for it.
@jensplsnkwn8152 1 year ago
The target is a clearly defined DMZ, so you want to route traffic to be able to set rules. In a homelab it doesn't matter because in most cases you have a (wifi) router instead of a modem, so all traffic is behind the router's firewall and NAT-ed and you just open the ports you need. In a business environment it's more likely that a server is directly connected to the internet. To be honest, in a bit larger business environment you also don't use Proxmox because there is a pool at least for failover, and yeah, it's possible to manage pools with Proxmox but there are better solutions with a dedicated managing VM. In most cases there is also a SAN or NAS solution. Under these circumstances RHEL (KVM), XenServer (Xen) or VMware (ESXi) is the way to go, ... in my humble opinion.
@thankfulforlife3689 1 year ago
Way to call out.... lol
@TechySpeaking 1 year ago
First