equipment:fw4c_opnsense

Differences

This shows you the differences between two versions of the page.

equipment:fw4c_opnsense [2023/11/20 15:40] – [Install OPNsense] dirkequipment:fw4c_opnsense [2023/11/25 09:46] (current) – [Wireguard VPN] dirk
Line 9: Line 9:
   * login as 'installer' with password 'opnsense'   * login as 'installer' with password 'opnsense'
   * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.   * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.
 +
 +Link: https://www.youtube.com/watch?v=_IzyJTcnPu8
 +===== Connect =====
   * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1   * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1
     * NOTE: OPNsense defines ports right to left as LAN, WAN but the Protectli FW4C labels them right to left as WAN, LAN. So you'll have to plug into the WAN port for this initial login and we will switch the ports in software so that the labels are matched up.     * NOTE: OPNsense defines ports right to left as LAN, WAN but the Protectli FW4C labels them right to left as WAN, LAN. So you'll have to plug into the WAN port for this initial login and we will switch the ports in software so that the labels are matched up.
   * log in using 'root' and the password you set during install   * log in using 'root' and the password you set during install
-  *  +  * go to Interfaces / Assignments and swap the LAN and WAN ports if needed (see above note) 
- +    * once this step is complete, you'll need to plug the wire into the new LAN port and re-login 
- +===== Setup ===== 
- +  * go to Interfaces / LAN  
- +    make sure it is enabled and locked 
-===== Connect ===== +    config type Static IPv4 
-  * Plug in using PoE injection or 12V 0.5Amp Power adapter +    set IPv4 address to your desire (10.23.79.1/24 for me
-  Connect computer to ETH0 +    upstream gateway is auto-detect 
-  Setup computer with 192.168.1.XXX address +    Save/Apply 
-  Connect to EdgeRouter at 192.168.1.1 (note: I don't actually use this IP block+  * go to Interfaces / WAN  
-  Probably need to accept any exceptions / agree to connect +    * make sure it is enabled and locked 
-  Login with "ubnt" "ubnt" +    * block private and bogon networks 
-===== Initial Setup ===== +    * config type DHCP (for CenturyLink at least) 
-  * Run Wizards +    * Save/Apply
-  Choose WAN+2LAN2: This will make eth0 internet port and with "only use one LAN" checked will make the other 4 ports a network +
-    * DHCP +
-    * Enable the default firewall +
-    * Only use one LAN +
-  * Apply, Apply Changes, Reboot +
-  * Must now plug computer into port 1, 2, 3, or 4 +
-  * Must now plug internet connection into port 0 +
-  * Navigate back to 192.168.1.1 +
-  * Login with "ubnt" "ubnt"+
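Review bot: the LAN interface step ("upstream gateway is auto-detect") should say None rather than Auto-detect for LAN. OPNsense treats any interface that has a gateway selected as a WAN-type interface (it gets reply-to handling and outbound NAT), and the only gateway in this setup belongs to WAN, which takes its address by DHCP from CenturyLink; the GUI help text for that field says the same for local LANs. Two smaller points in the same block: the install step's "change password" is the root password that the Connect step then uses for the web GUI ("log in using 'root' and the password you set during install"), so the text should say it is the administrative password and to choose a strong one; and after swapping LAN and WAN under Interfaces / Assignments, confirm the GUI is reachable from the new LAN port before applying the WAN step, because "block private and bogon networks" is then enabled on the port that used to be LAN.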
 ===== Setting up with CenturyLink Quantum Fiber ===== ===== Setting up with CenturyLink Quantum Fiber =====
   * This service provider requires traffic from the ONT to go to a router set to VLAN 201   * This service provider requires traffic from the ONT to go to a router set to VLAN 201
-  * From Dashboard click Add Interface --> Add VLAN +  * go to Interfaces / Other Types / VLAN 
-    * VLAN ID: 201 +  * create new by clicking on the "+" 
-    * Interfaceeth0+    * Device: vlan01 
 +    * Parent: igc0 (the address of the WAN port) 
 +    * VLAN tag: 201 
 +    * VLAN priorityBest Effort
     * Description: Internet     * Description: Internet
-    * MTU: 1500 +    * Save 
-    * Address: Use DHCP +  * go to Interfaces / Assignments 
-===== Update firmware from EdgeRouter site ===== +    change WAN to the new vlan01 that you just created 
-  * Download latest firmware +    Save/Apply/Reboot(?) 
-  Go to "System" +  * Plug line from internet into WAN port.
-  * Upload a file button in the "Upgrade System Image" +
-  Select file +
-  * Reboot+
 ===== Firewall/NAT ===== ===== Firewall/NAT =====
 ==== Port Forwarding ==== ==== Port Forwarding ====
-  * WAN interfaceeth0 (or eth0.201 if applicable+  * go to Firewall / NAT / Port Forward 
-  Hairpin NAT: enabled +  * create new rule by clicking on the "+" 
-  LAN interfaceswitch0 +    * Interface: WAN 
-  * Port Forwarding rules if unraid/ Nginx:<code>80      Both  192.168.1.X  180   HTTP tomcat +    * ProtocolTCP 
-443     Both  192.168.1.X  1443  HTTPS tomcat +    * Source Advanced should all be "any" 
-22      Both  192.168.1.X        SSH brimble</code> +    * Destination: WAN address 
-  * Port Forwarding rules if standalone:<code>80      Both  192.168.1.X  HTTP tomcat +    * Destination port range: select outside port (example: 80 or 443) 
-443     Both  192.168.1.X  HTTPS +    * Redirect target IP: Single host or Network / internal IP address of the server (10.23.79.4
-22      Both  192.168.1.X  SSH brimble +    * Redirect target port: (other) / internal server port (example: 180 or 1443) 
-32400   Both  192.168.1.X  Plex</code> +    * Description: whatever 
-==== Firewall Polices ==== +    * NAT reflectionEnabled 
-  * Setup VPN+    Filter rule associationAdd associated filter rule 
-    * login to command line using CLI button or SSH +    * Save/Apply 
-    * Enter configuration mode<code>configure</code> +  * repeat for other forwarded ports 
-    * Add firewall rules for the L2TP traffic<code>set firewall name WAN_LOCAL rule 30 action accept +    * Port Forwarding rules if unraid/ Nginx:<code>80      Both  10.23.79.X  180   HTTP tomcat 
-set firewall name WAN_LOCAL rule 30 description ike +443     Both  10.23.79.X  1443  HTTPS tomcat 
-set firewall name WAN_LOCAL rule 30 destination port 500 +22      Both  10.23.79.X        SSH brimble</code> 
-set firewall name WAN_LOCAL rule 30 log disable +    * Port Forwarding rules if standalone:<code>80      Both  10.23.79.X  HTTP tomcat 
-set firewall name WAN_LOCAL rule 30 protocol udp+443     Both  10.23.79.X  HTTPS 
 +22      Both  10.23.79.X  SSH brimble 
 +32400   Both  10.23.79.X  Plex</code> 
 +  * Hairpin NAT
 +    * go to Firewall Settings / Advanced 
 +    * Check "Automatic outbound NAT for Reflection" 
 +    * Save / Apply
  
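Review bot: the forwarded-port examples expose SSH to the whole internet with no source restriction. The rule template says `Source Advanced should all be "any"` and both tables carry `22      Both  10.23.79.X        SSH brimble`. Since the page goes on to set up WireGuard, reaching that host over the VPN and removing the 22 forward is the better default; if it has to stay, restrict the NAT rule's source to the addresses you connect from and keep key-only authentication on the target. Two consistency points: the tables still say "Both" (TCP and UDP) from the earlier EdgeRouter revision, while the OPNsense steps say "Protocol: TCP", which is what HTTP, HTTPS, SSH and Plex (32400) actually use, so the tables should read TCP; and with "Filter rule association: Add associated filter rule" the generated pass rule is derived from the NAT rule, so any source restriction has to be made on the NAT rule itself, not on the associated rule.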
-set firewall name WAN_LOCAL rule 40 action accept +==== Wireguard VPN ==== 
-set firewall name WAN_LOCAL rule 40 description esp +=== Create Instance and Peers === 
-set firewall name WAN_LOCAL rule 40 log disable +  * go to System / Firmware / Plugins and install os-wireguard 
-set firewall name WAN_LOCAL rule 40 protocol esp+  * go to VPN / WireGuard / Settings / Instances 
 +  * create new instance by clicking on the "+" 
 +    * Enabled: check 
 +    * Name: WG1 
 +    * click the gear to create a Public/Private key pair 
 +      * we will call this public key "MAINPUBLIC" for rest of tutorial 
 +    * Listen port: 51820 
 +    * Tunnel address: pick a subnet not used elsewhere (10.23.0.1/24) 
 +    * Save/Apply 
 +  * go to VPN / WireGuard / Settings / General and enable WireGuard 
 +  * go to VPN / WireGuard / Settings / Peers 
 +  * create new peer by clicking on the "+" 
 +    * Enabled: check 
 +    * Name: iPhone / Macbook / whatever 
 +    * Public key: PEERPUBLIC (put in the key created when you setup the client... see below) 
 +    * Allowed IPs: something on the subnet configured above (10.23.0.11/32) 
 +    * Instances: select above instance (WG1) 
 +    * Save/Apply 
 +  * go to VPN / WireGuard / Settings / Instances / Edit WG1 
 +    * Add Peers into Peers drop down 
 +    * Save/Apply 
 +  * go to Lobby / Dashboard and restart wireguard 
 +=== Create interface === 
 +  * go to Interfaces / Assignments 
 +  * in the drop down under new interface, select the WireGuard instance (wg1) 
 +    * Enable: check 
 +    * Description: WG1 
 +    * Save/Apply 
 +  * go to Interfaces / WG1 
 +    * Enable: check 
 +    * Description: WG1 
 +    * Save/Apply 
 +=== Create VPN Firewall rules === 
 +  * go to Firewall / Rules / WAN 
 +  * create new rule by clicking on the "+" 
 +    * Action: Pass 
 +    * Quick: check 
 +    * Interface: WAN 
 +    * Direction: in 
 +    * TCP/IP Version: IPv4 
 +    * Protocol: UDP 
 +    * Source Invert: unchecked 
 +    * Source: any 
 +    * Destination Invert: unchecked 
 +    * Destination: WAN address 
 +    * Destination port range: from (other) 51820 to (other) 51820 
 +    * Description: allow wireguard inbound 
 +    * Save/Apply 
 +  * go to Firewall / Rules / [Name of interface assigned above (WG1)] 
 +  * create new rule by clicking on the "+" 
 +    * Action: Pass 
 +    * Quick: check 
 +    * Interface: WG1 
 +    * Direction: in 
 +    * TCP/IP Version: IPv4 
 +    * Protocol: any 
 +    * Source Invert: unchecked 
 +    * Source [Name of interface assigned above NET (WG1 net)] 
 +    * Destination Invert: unchecked 
 +    * Destination: any 
 +    * Destination port range: any 
 +    * Save/Apply 
 +=== Setup Clients === 
 +  * This will differ based on device... principal is the same. 
 +  * iPhone 
 +    * Download WireGuard from app store 
 +    * create new 
 +      * Name: brimble.com 
 +      * Generate keypair 
 +        * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box 
 +      * Addresses: This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32) 
 +      * Listen port: Automatic 
 +      * MTU: Automatic 
 +      * DNS servers: 8.8.8.8, 8.8.4.4 
 +      * click Add peer 
 +      * Public key: MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box 
 +      * Preshared key: blank 
 +      * Endpoint: the address and port of your server (brimble.com:51820) 
 +      * Allowed IPs: 0.0.0.0/0 
 +      * Save 
 +  * macbook 
 +    * Downlaod WireGuard from app store 
 +    * create new 
 +      * Name: brimble.com 
 +      * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box 
 +      * <code>[Interface] 
 +PrivateKey = whatever is there 
 +Address = This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32) 
 +DNS = 8.8.8.8, 8.8.4.4
  
-set firewall name WAN_LOCAL rule 50 action accept +[Peer] 
-set firewall name WAN_LOCAL rule 50 description nat-t +PublicKey = MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box 
-set firewall name WAN_LOCAL rule 50 destination port 4500 +AllowedIPs = 0.0.0.0/0 
-set firewall name WAN_LOCAL rule 50 log disable +Endpoint = the address and port of your server (brimble.com:51820) 
-set firewall name WAN_LOCAL rule 50 protocol udp+</code> 
 +  * Save 
 +Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html 
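Review bot: three settings in the WireGuard block weaken or over-grant the tunnel. First, the client configs leave "Preshared key: blank"; generating a preshared key per peer (on the client, or with `wg genpsk`) and entering it on both the OPNsense peer and the client adds a symmetric key on top of the Curve25519 handshake at no usability cost. Second, with "Allowed IPs: 0.0.0.0/0" on the client all traffic goes through the tunnel, but "DNS servers: 8.8.8.8, 8.8.4.4" sends every lookup out the firewall's WAN to Google; pointing the client at the instance's tunnel address 10.23.0.1 (or the PiHole address mentioned later under Services) keeps resolution inside the network, and the WG1 pass rule ("Source [WG1 net] ... Destination: any") already permits it, provided the resolver listens on the WG1 interface. Third, that WG1 rule gives every peer full reach into the LAN and to the firewall itself, so the peer list is the only access control; because each peer has a /32 Allowed IP (10.23.0.11/32), a per-device rule can be written for devices that need less than everything. Minor doc points: the peer-to-instance link is set twice ("Instances: select above instance (WG1)" on the peer and "Add Peers into Peers drop down" on the instance), and either one is enough; "principal" should be "principle" and "Downlaod" is a typo.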
 +==== NAT for online gaming ==== 
 +  * go to Firewall / Aliases 
 +    * create new alias by clicking on the "+" 
 +    * Enabled: check 
 +    * Name: NintendoSwitch 
 +    * Type: Host(s) 
 +    * Content: IP address of Switch 
 +    * Save/Apply 
 +  * go to Firewall / NAT / Outbound 
 +    * change mode to Hybrid so you can add manual rule 
 +    * create new rule by clicking on the "+" 
 +    * Interface: WAN 
 +    * Protocol: any 
 +    * Source address: NintendoSwitch 
 +    * Static-port: check 
 +    * Give it a description 
 +    * Save/Apply
  
-set firewall name WAN_LOCAL rule 60 action accept +Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense
-set firewall name WAN_LOCAL rule 60 description l2tp +
-set firewall name WAN_LOCAL rule 60 destination port 1701 +
-set firewall name WAN_LOCAL rule 60 ipsec match-ipsec +
-set firewall name WAN_LOCAL rule 60 log disable +
-set firewall name WAN_LOCAL rule 60 protocol udp</code> +
-    * Configure the server authentication settings<code>set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret +
-set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>+
  
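Review bot: the static-port outbound rule keys on an alias that holds the Switch's current address ("Content: IP address of Switch"), but the Switch receives its address from the DHCP range 10.23.79.100-245 configured later under Services; give it a static MAC/IP mapping like the NAS and APs, otherwise the rule silently stops matching after a lease change. On rule order, the Hybrid mode chosen here evaluates manual rules before the automatically generated ones, which is what makes the static-port rule take effect, so it does not need to be moved. Consider "Protocol: UDP" instead of "any": the NAT-type test and game traffic that need unchanged source ports are UDP, and there is no reason to extend the exception to the Switch's TCP connections.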
-set vpn l2tp remote-access authentication mode local +==== Services ==== 
-set vpn l2tp remote-access authentication local-users username <username> password <secret></code> +  * DHCPv4 
-    * Define the IP address pool<code>set vpn l2tp remote-access client-ip-pool start 192.168.100.90 +    * Range Start 10.23.79.100 
-set vpn l2tp remote-access client-ip-pool stop 192.168.100.99</code> +    * Range Stop 10.23.79.245 
-    * Define DNS server(s) used by VPN<code>set vpn l2tp remote-access dns-servers server-1 <address> (currently 8.8.8.8) +    * Save Apply 
-set vpn l2tp remote-access dns-servers server-2 <address> (currently 8.8.4.4)</code> +    * Static MAC/IP Mapping<code>brimNAS          10.23.79.4 
-    * Define WAN interface which will receive L2TP requests (this one is for DHCP, see link for others)<code>set vpn l2tp remote-access dhcp-interface eth0</code> +BrimUpstairsAP   10.23.79.
-    * Define IPsec interface<code>set vpn ipsec ipsec-interfaces interface eth0</code> +BrimDownstairsAP 10.23.79.6
-    * Commit changes and save<code>commit ; save</code> +
-    * Link: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server+
  
-  * Parental Controls 
-    * Add Ruleset 
-    * Add New Rule 
-      * Enter Description (Xbox) 
-      * Action: Drop 
-      * Protocol: All protocols 
-      * State: All checked 
-      * IPsec: Don't match on IPsec packets 
-      * P2P: None 
-      * Enter MAC Address of item in Source 
-      * Set Start Time and Stop Time (UTC) 
-    * Configuration 
-      * Description: Parental Controls 
-      * Default Action: Accept 
-    * Interfaces 
-      * Interface: switch0 
-      * Direction: in 
-    * Repeat for each device you would like to limit 
-      * Xbox 
-      * VizioTV 
-      * AppleTVLR 
-      * J3DS 
-      * M3DS 
-      * WiiU 
-      * NintendoSwitch 
-  * NAT 
-    * default 
-  * Firewall/NAT groups 
-    * default 
- 
-  * Guest network setup: Turn on Guest Hotspot in unifi, create new wifi network and select "guest" as type. 
-==== Services ==== 
-  * DHCP Server 
-    * Static MAC/IP Mapping<code>brimNAS          192.168.1.4 
-BrimblecomAP     192.168.1.5 
-BrimDownstairsAP 192.168.1.6 
-hoobs            192.168.1.7 
 </code> </code>
-    * Details +  * DNS (System / Settings / General 
-      * Range Start 192.168.1.100 +    10.23.79.1 to use ISPs 
-      * Range Stop 192.168.1.255 +    10.23.79.if using PiHole 
-      * Router 192.168.1.1 +    * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding 
-      * DNS +  * Dynamic DNS 
-        192.168.1.1 to use ISPs +    * go to System / Firmware / Plugins and download os-ddclient 
-        192.168.1.if using PiHole +    * go to Services / Dynamic DNS / Settings 
-        * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding+      * add new one by clicking on the "+" 
 +      * Enabled 
 +      * Service : easyDNS 
 +      * Username : easyDNS username 
 +      * Password : easyDNS token (not password). Token can be gotten from website 
 +      * Hostnames: brimble.com 
 +      * Check ip method: dyndns 
 +      * Interface to monitor: WAN 
 +      * Check ip timeout: 10 
 +      * Force SSL: checked 
 +      * Save/Apply
  
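Review bot: the DNS bullet under Services points at System / Settings / General but lists options that belong to the DHCP server ("10.23.79.1 to use ISPs", "10.23.79.x if using PiHole"); in the previous revision these same lines sat under the DHCP server's Details. System / Settings / General holds the resolvers the firewall itself uses, so entering 10.23.79.1 there points the firewall at its own LAN address. The split that works: under Services / DHCPv4 leave DNS servers blank so clients receive 10.23.79.1 and are resolved by Unbound (enabled by default), or enter the PiHole address there; put the ISP's servers or 8.8.8.8/8.8.4.4 under System / Settings / General only if Unbound is set to forward. On the Dynamic DNS entry, "Force SSL: checked" and "Password : easyDNS token (not password)" are the right choices; treat the token as a credential all the same, since it is stored in the firewall configuration and travels with every config backup, so rotate it at easyDNS if a backup is ever shared.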
-  * DNS 
-    * Cache Size 150 
-    * Interface switch0 
-    * Dynamic DNS (new) 
-      * Interface: eth0.201 
-      * Service: easydns 
-      * Hostname: brimble.com 
-      * Login: mdbrim 
-      * Password: "easydns token" 
-      * Protocol: easydns 
-      * Server: BLANK! 
-    * Dynamic DNS (old) 
-      * Interface: eth0 
-      * Service: noip 
-      * Hostname: brimble.com 
-      * Login: mdbrim 
-      * Password: "noip password" 
-      * Protocol: noip 
-      * Note: if more are needed (shouldn't be) do Custom for service and call them noip2, noip3, etc 
-===== Other Settings ===== 
-==== Hardware offload ==== 
-  * login to command line using CLI button or SSH 
-  * Enter configuration mode<code>configure</code> 
-  * enable hwnat offload<code>set system offload hwnat enable</code> 
-  * commit and save<code>commit ; save</code> 
-  * Link: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading 
-==== User setup ==== 
-  * Use "Users" button to change username / password 
-==== PoE Passthrough ==== 
-  * Use "Actions/PoE" button on eth4 line on "Dashboard" 
-    * PoE: Passthrough 
-    * Save 
equipment/fw4c_opnsense.1700516414.txt.gz · Last modified: by dirk