Scratch Setup
-
Good day Legends.
I come to you as a complete noob in the industry.
I have a big desire to run enterprise-level systems, but before I get there I need a little more of an understanding of what is needed to achieve my main objectives. Currently I have been making use of OPNsense as a firewall; this has been working for some time now, but their billing model is WACK.
With that said, we recently received a CE image of pfSense.
I was able to install the system and get it running on multi-WAN and a VPN that will detect the down WAN and switch to the new IP/WAN. However, we are now only beginning the deep setup.
My goals:
1. Highest priority (HA)
2. With my VPN, I don't want to keep adding new IPs to the config file to assist with routing to the multiple VMs I'll be using. (Should we set up DNS on the firewall or have it direct to our own DNS servers?)
3. DNS rebind attacks: on our current network we do experience rebind attacks. We have tried to add the subnets to the VPN to allow this to pass; however, we still have the rebind attacks. What's the industry standard for a setup here to assist with resolving this?
4. With regards to VLANs, we had detected on our OPNsense that it is allowing inter-routing between VLANs. This is obviously a security risk as we use VLANs to assist with isolation.
5. WireGuard setups. (Will be attempting this to connect to a remote destination that will in turn be used as a secondary site to our main network.)
6. Rulesets (will we be able to import the current rules?)
So to those who read this far, truly thankful.
Here are the main questions:
What would the industry standard be for a setup as above?
How would you recommend the migration from OPNsense to pfSense should be done?
With HA, is it recommended to compose both FWs at the start of the installation and setup, or would it be possible to have this done after the first firewall is up and running?
Again, thanks to all the legends that assisted in creating this project and the community.
-
@Friederich Quite a broad set of questions, and I'm sure others will chime in.
But to start, I can comment on the migration process, which I have sort of gone through, but in the other direction, as a way to learn. There is no simple conversion tool that can take the config and translate it between e.g. OPNsense and pfSense, unfortunately. Or any other firewall, for that matter.
What I ended up doing was to set up a "lab version" of the new firewall and make it accessible from the same computer as the main firewall. Having access to both UIs at the same time allowed me to slowly work through the settings, one by one, until I felt it was good enough to deploy.
With pfSense there are things you can do with the config.xml, if you are careful. So you can create the first static IP in your DHCP server list. Then edit the downloaded config.xml and add all the other IPs you want. You might even be able to take the OPNsense config file, clean it up and then paste it into the pfSense XML and upload. Easy to mess things up though, so you have to be careful here...
Once I had things close to what I wanted, I started deploying copies of my servers behind this firewall (most or all are virtualized). Or I moved the live version over temporarily for testing anything like VPNs, port forwards and VLANs etc.
On the topic of VLANs, I don't think OPNsense is behaving any differently than pfSense, to be honest.
- With regards to VLANs, we had detected on our OPNsense that it is allowing inter-routing between VLANs. This is obviously a security risk as we use VLANs to assist with isolation.
I can't remember if a new VLAN automatically gets an allow-any rule in OPNsense. But in pfSense you have to add that yourself; otherwise they are completely closed off without any access to anything, not even the internet. But in order to stop any inter-VLAN routing, you need to add deny rules above, to block any inter-VLAN routing that you do not want to allow.
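The config.xml approach above (create one static DHCP mapping in the GUI, download the backup, add the rest by editing the file) is the kind of edit that is easy to get wrong by hand. The script below is an added example, not code from the poster or from the pfSense project: it appends static mappings under the `<dhcpd><lan>` section of a constructed, cut-down config.xml and refuses duplicate MACs or IPs so a typo cannot leave two hosts claiming one address. The element names `staticmap`, `mac`, `ipaddr`, `hostname` and `descr` follow the layout of a pfSense backup that already contains a GUI-created mapping; the sample file, addresses and hostnames here are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, cut-down config.xml fragment shaped like a pfSense backup that
# already holds one static mapping created through the GUI. A real backup has
# many more sections; only <dhcpd> matters for this edit. (Constructed data.)
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <dhcpd>
    <lan>
      <enable></enable>
      <range>
        <from>192.0.2.100</from>
        <to>192.0.2.199</to>
      </range>
      <staticmap>
        <mac>00:11:22:33:44:55</mac>
        <ipaddr>192.0.2.10</ipaddr>
        <hostname>vm-template</hostname>
        <descr>created in the GUI</descr>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""


def add_static_mappings(config_xml, interface, mappings):
    """Return new XML text with extra <staticmap> entries under <dhcpd><interface>.

    mappings: iterable of (mac, ipaddr, hostname) tuples.
    Raises ValueError on a missing interface section, an invalid IP, or a MAC/IP
    that already exists (in the file or earlier in the same batch).
    """
    root = ET.fromstring(config_xml)
    iface = root.find(f"./dhcpd/{interface}")
    if iface is None:
        raise ValueError(f"no <dhcpd><{interface}> section in config")

    # Index what the file already maps so we never create a conflicting entry.
    seen_mac = {m.findtext("mac", "").lower() for m in iface.findall("staticmap")}
    seen_ip = {m.findtext("ipaddr", "") for m in iface.findall("staticmap")}

    for mac, ip, host in mappings:
        mac = mac.lower()
        ipaddress.ip_address(ip)  # ValueError if not a valid address
        if mac in seen_mac or ip in seen_ip:
            raise ValueError(f"duplicate mapping: {mac} / {ip}")
        seen_mac.add(mac)
        seen_ip.add(ip)
        sm = ET.SubElement(iface, "staticmap")
        ET.SubElement(sm, "mac").text = mac
        ET.SubElement(sm, "ipaddr").text = ip
        ET.SubElement(sm, "hostname").text = host
        ET.SubElement(sm, "descr").text = "added from script"
    return ET.tostring(root, encoding="unicode")


def count_static_mappings(config_xml, interface):
    """Number of <staticmap> entries under <dhcpd><interface>."""
    root = ET.fromstring(config_xml)
    return len(root.findall(f"./dhcpd/{interface}/staticmap"))


if __name__ == "__main__":
    new_hosts = [("AA:BB:CC:DD:EE:01", "192.0.2.11", "vm-web"),
                 ("aa:bb:cc:dd:ee:02", "192.0.2.12", "vm-db")]
    updated = add_static_mappings(SAMPLE_CONFIG, "lan", new_hosts)
    print(count_static_mappings(updated, "lan"), "static mappings now in <lan>")
```

Diff the script's output against the original backup before uploading it, so the only change you restore is the block of new `<staticmap>` entries.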
-
pfSense treats VLANs just like any other interface. It will route between all interfaces/subnets but only if the firewall rules allow it. Only the LAN interface has any pass rules by default.
So if you're seeing traffic incorrectly passed between VLANs you need to change the firewall rules to prevent it.
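The two replies above make the same point: VLAN isolation on pfSense is entirely a matter of rule order on each interface, evaluated top to bottom with the first match winning and an implicit deny when nothing matches. The model below is an added example, not code from either poster or from pfSense itself; it reproduces that first-match evaluation over two constructed rule tables for a VLAN10 interface (10.10.0.0/24, with VLAN20 and VLAN30 at 10.20.0.0/24 and 10.30.0.0/24) to show why a single pass-any rule leaks between VLANs and why the block rules have to sit above it. Subnets, rule descriptions and the simplified match fields (protocol, source, destination only) are assumptions for the example.

```python
import ipaddress

# Per-interface rule tables for VLAN10, constructed for this example.
# Evaluation is top to bottom, first match wins, implicit deny if none match.

# A lone "allow any" rule: VLAN10 hosts reach the internet, but also every other VLAN.
LEAKY_RULES = [
    {"action": "pass", "proto": "any", "src": "10.10.0.0/24",
     "dst": "0.0.0.0/0", "descr": "allow VLAN10 to any"},
]

# Block rules placed ABOVE the allow-any rule, plus a narrow pass for DNS to
# the firewall's own VLAN10 address so the block rules do not cut that off.
ISOLATED_RULES = [
    {"action": "pass", "proto": "udp", "src": "10.10.0.0/24",
     "dst": "10.10.0.1/32", "descr": "allow DNS to firewall VLAN10 address"},
    {"action": "block", "proto": "any", "src": "10.10.0.0/24",
     "dst": "10.20.0.0/24", "descr": "block VLAN10 to VLAN20"},
    {"action": "block", "proto": "any", "src": "10.10.0.0/24",
     "dst": "10.30.0.0/24", "descr": "block VLAN10 to VLAN30"},
    {"action": "pass", "proto": "any", "src": "10.10.0.0/24",
     "dst": "0.0.0.0/0", "descr": "allow VLAN10 to any (internet)"},
]


def evaluate(rules, src, dst, proto="tcp"):
    """First-match evaluation. Returns (action, description of the deciding rule)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] != "any" and rule["proto"] != proto:
            continue
        if src_ip not in ipaddress.ip_network(rule["src"]):
            continue
        if dst_ip not in ipaddress.ip_network(rule["dst"]):
            continue
        return rule["action"], rule["descr"]
    return "block", "implicit default deny (no rule matched)"


def reachable_vlans(rules, src, other_vlans):
    """Audit helper: which of other_vlans can a host at src reach under rules?

    Probes the first usable host of each subnet; a hit means the VLAN is not isolated.
    """
    reached = []
    for net in other_vlans:
        probe = str(next(ipaddress.ip_network(net).hosts()))
        if evaluate(rules, src, probe)[0] == "pass":
            reached.append(net)
    return reached


if __name__ == "__main__":
    others = ["10.20.0.0/24", "10.30.0.0/24"]
    print("leaky   :", reachable_vlans(LEAKY_RULES, "10.10.0.5", others))
    print("isolated:", reachable_vlans(ISOLATED_RULES, "10.10.0.5", others))
    print("internet:", evaluate(ISOLATED_RULES, "10.10.0.5", "198.51.100.9"))
```

The same check is worth running against each VLAN's rule table in turn, since every interface has its own list and a block rule on VLAN10 says nothing about what VLAN20 may initiate.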
-
When composing an HA environment, what would the impact be on VPN, VLANs and WireGuard tunnels?
Will we have to compose this with the use of a CARP IP for the VPN & WireGuard in order for connections to remain stable? With previous experience, when I did a test setup, we ended up losing connection to all VPNs and that was a little big fail haha.
Then adding on to this, would it be recommended to set up both FWs at the same time, following their settings and ensuring it's done in the same manner (replication of the main firewall), or focus on the main, and once that's up and running we can import the config and do the required adjustments for the firewalls to be prepped for the HA within the environment?
-
I would certainly recommend setting both up at the same time. It's almost always easier than trying to add a secondary node to an existing setup.
Planning the IP addresses used by the two nodes and CARP VIPs is much easier.
VPN tunnels are not hitless at failover. The cryptographic state is not shared between the nodes, so tunnels always need to reconnect at failover or failback.
-
Awesome, thank you for that information. Would the fallback/failover connection occur automatically though if CARP is set up, or would it mean that clients would have to get a secondary VPN config to allow them to connect to the secondary firewall... These are the tough questions that don't really get the attention they should haha.
Will then build a VM to prep for the secondary firewall that's coming. Just need to ensure the same interfaces are up on the VM to allow for a simple export and import of the config when the physical unit arrives.
With CARP, is my understanding correct that within the network, all nodes would use the CARP IP to assist with routing, and pfsync would just be used for state confirmation between the two firewalls?
When I did the CARP IPs for my WAN/LAN within my home lab, my WANs remained primary and secondary; however, the LAN kept stating backup on both firewalls and that was causing a few routing problems within my network, with the obvious reason being state changes between the two firewalls and the network not sure which route to exit on. haha.
-
@Friederich said in Scratch Setup:
would the fallback/failover connection occur automatically though if CARP is set up
Yes. Clients will be able to reconnect to the same end point, the CARP VIP, automatically. They just will be disconnected at failover and have to reconnect.
If you see backup VIPs on both nodes, one may have been demoted. It's far more common to see both as master when there's some layer 2 issue between them.