====== Setup OPNsense on Protectli FW4C ======

This will guide you through the setup of [[server:opnsense|OPNsense]] on a [[equipment:protectli_fw4c|Protectli FW4C Vault]].

===== Install OPNsense =====

  * Download the installer from https://www.opnsense.org/download/ and compare its checksum with the one published on the download page before writing it.
    * System architecture: amd64
    * Image type: vga
  * Use balenaEtcher or another USB boot drive creator to write the install image to a USB stick.
  * Turn on the device and boot from USB to load the installer.
  * Log in as 'installer' with password 'opnsense'.
  * Select keyboard layout, Install (UFS), select the hard drive, OK on swap, change the root password, then reboot with the USB stick unplugged.

Link: https://www.youtube.com/watch?v=_IzyJTcnPu8

===== Connect =====

  * Plug into the LAN port (see the note below for the FW4C) and navigate to 192.168.1.1
  * NOTE: OPNsense assigns the ports right to left as LAN, WAN, but the Protectli FW4C labels them right to left as WAN, LAN. So you will have to plug into the port labelled WAN for this initial login; we will swap the ports in software so that the labels match up.
  * Log in as 'root' with the password you set during install.
  * Go to Interfaces / Assignments and swap the LAN and WAN ports if needed (see the note above).
  * Once this step is complete, move the cable to the new LAN port and log in again.

===== Setup =====

  * Go to Interfaces / LAN
    * Make sure it is enabled and locked
    * Configuration type: Static IPv4
    * IPv4 address: whatever you like (10.23.79.1/24 for me)
    * Upstream gateway: Auto-detect
    * Save / Apply
  * Go to Interfaces / WAN
    * Make sure it is enabled and locked
    * Block private networks and block bogon networks: both checked
    * Configuration type: DHCP (for CenturyLink at least)
    * Save / Apply

===== Setting up with CenturyLink Quantum Fiber =====

  * This provider requires traffic between the ONT and the router to be tagged with VLAN 201.
  * Go to Interfaces / Other Types / VLAN
  * Create a new one by clicking "+"
    * Device: vlan01
    * Parent: igc0 (the physical interface behind the WAN port)
    * VLAN tag: 201
    * VLAN priority: Best Effort
    * Description: Internet
    * Save
  * Go to Interfaces / Assignments
    * Change WAN to the vlan01 you just created
    * Save / Apply, and reboot if the WAN does not come up
  * Plug the line from the ONT into the WAN port.
===== Firewall/NAT =====

==== Port Forwarding ====

  * Go to Firewall / NAT / Port Forward
  * Create a new rule by clicking "+"
    * Interface: WAN
    * Protocol: TCP
    * Source (Advanced): leave everything as "any"
    * Destination: WAN address
    * Destination port range: the outside port (example: 80 or 443)
    * Redirect target IP: Single host or Network / the internal IP address of the server (10.23.79.4)
    * Redirect target port: (other) / the internal server port (example: 180 or 1443)
    * Description: whatever you like
    * NAT reflection: Enabled
    * Filter rule association: Add associated filter rule
    * Save / Apply
  * Repeat for the other forwarded ports.
  * Port forwarding rules if unraid / Nginx:

^ Destination port ^ Protocol ^ Redirect target IP ^ Redirect target port ^ Description ^
| 80 | Both | 10.23.79.X | 180 | HTTP tomcat |
| 443 | Both | 10.23.79.X | 1443 | HTTPS tomcat |
| 22 | Both | 10.23.79.X | (same) | SSH brimble |

  * Port forwarding rules if standalone:

^ Destination port ^ Protocol ^ Redirect target IP ^ Redirect target port ^ Description ^
| 80 | Both | 10.23.79.X | (same) | HTTP tomcat |
| 443 | Both | 10.23.79.X | (same) | HTTPS |
| 22 | Both | 10.23.79.X | (same) | SSH brimble |
| 32400 | Both | 10.23.79.X | (same) | Plex |

  * Only forward to hosts that have a static DHCP mapping (see Services below); a target that picks up a new lease silently breaks the rule. Forwarding 22 publishes SSH to the whole internet, so only do it with password authentication disabled on the server, or leave it out and reach SSH over the WireGuard tunnel below instead.
  * Hairpin NAT:
    * Go to Firewall / Settings / Advanced
    * Check "Automatic outbound NAT for Reflection"
    * Save / Apply

==== Wireguard VPN ====

=== Create Instance and Peers ===

  * Go to System / Firmware / Plugins and install os-wireguard
  * Go to VPN / WireGuard / Settings / Instances
  * Create a new instance by clicking "+"
    * Enabled: check
    * Name: WG1
    * Click the gear to generate a public/private key pair. We will call this public key "MAINPUBLIC" for the rest of the tutorial; the private key never leaves the firewall.
    * Listen port: 51820
    * Tunnel address: a subnet not used anywhere else on your network (10.23.0.1/24)
    * Save / Apply
  * Go to VPN / WireGuard / Settings / General and enable WireGuard
  * Go to VPN / WireGuard / Settings / Peers
  * Create a new peer by clicking "+"
    * Enabled: check
    * Name: iPhone / Macbook / whatever
    * Public key: PEERPUBLIC (the public key generated when you set up the client, see below; only the public half is ever entered here)
    * Allowed IPs: a single address on the tunnel subnet configured above (10.23.0.11/32)
    * Instances: select the instance above (WG1)
    * Save / Apply
  * Go to VPN / WireGuard / Settings / Instances / Edit WG1
    * Add the peers in the Peers drop-down
    * Save / Apply
  * Go to Lobby / Dashboard and restart WireGuard

=== Create interface ===

  * Go to Interfaces / Assignments
    * In the drop-down under "New interface", select the WireGuard instance (wg1)
    * Enable: check
    * Description: WG1
    * Save / Apply
  * Go to Interfaces / WG1
    * Enable: check
    * Description: WG1
    * Save / Apply

=== Create VPN Firewall rules ===

  * Go to Firewall / Rules / WAN
  * Create a new rule by clicking "+"
    * Action: Pass
    * Quick: check
    * Interface: WAN
    * Direction: in
    * TCP/IP Version: IPv4
    * Protocol: UDP (WireGuard is UDP only)
    * Source / Invert: unchecked
    * Source: any
    * Destination / Invert: unchecked
    * Destination: WAN address
    * Destination port range: from (other) 51820 to (other) 51820
    * Description: allow wireguard inbound
    * Save / Apply
  * Go to Firewall / Rules / [the interface assigned above (WG1)]
  * Create a new rule by clicking "+"
    * Action: Pass
    * Quick: check
    * Interface: WG1
    * Direction: in
    * TCP/IP Version: IPv4
    * Protocol: any
    * Source / Invert: unchecked
    * Source: [the interface assigned above, NET (WG1 net)]
    * Destination / Invert: unchecked
    * Destination: any
    * Destination port range: any
    * Save / Apply
  * This rule lets every VPN client reach everything behind the firewall as well as the internet. Narrow Destination to "LAN net" or a host alias if the VPN is only meant to reach a few services.

=== Setup Clients ===

  * This will differ based on device, but the principle is the same.
  * iPhone
    * Download WireGuard from the App Store
    * Create new
    * Name: brimble.com
    * Generate keypair. This public key (PEERPUBLIC) goes in VPN / WireGuard / Settings / Peers / Public key; the private key stays on the phone.
    * Addresses: whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
    * Listen port: Automatic
    * MTU: Automatic
    * DNS servers: 8.8.8.8, 8.8.4.4 (or 10.23.79.3 if you run PiHole, see Services below, so VPN clients get the same filtering as the LAN)
    * Click "Add peer"
      * Public key: MAINPUBLIC, from VPN / WireGuard / Settings / Instances / Public key
      * Preshared key: blank
      * Endpoint: the address and port of your server (brimble.com:51820)
      * Allowed IPs: 0.0.0.0/0 (all of the phone's traffic goes through the tunnel)
    * Save
  * Macbook
    * Download WireGuard from the App Store
    * Create new
    * Name: brimble.com
    * The app generates a keypair; its public key (PEERPUBLIC) goes in VPN / WireGuard / Settings / Peers / Public key
    * Fill in the config:

<code>
[Interface]
PrivateKey = (leave the key the app generated)
Address = 10.23.0.11/32        # whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = MAINPUBLIC         # from VPN / WireGuard / Settings / Instances / Public key
AllowedIPs = 0.0.0.0/0
Endpoint = brimble.com:51820   # the address and port of your server
</code>

    * Save

Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

==== NAT for online gaming ====

  * Go to Firewall / Aliases
  * Create a new alias by clicking "+"
    * Enabled: check
    * Name: NintendoSwitch
    * Type: Host(s)
    * Content: IP address of the Switch (give it a static DHCP mapping so the alias stays correct)
    * Save / Apply
  * Go to Firewall / NAT / Outbound
    * Change the mode to Hybrid so you can add a manual rule alongside the automatic ones
  * Create a new rule by clicking "+"
    * Interface: WAN
    * Protocol: any
    * Source address: NintendoSwitch
    * Static-port: check
    * Give it a description
    * Save / Apply
  * Static-port turns off source port randomisation for that source only; keep the rule scoped to the console alias rather than the whole LAN.

Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense

==== Services ====

  * DHCPv4
    * Range start: 10.23.79.100
    * Range stop: 10.23.79.245
    * Save / Apply
    * Static MAC/IP mappings (all outside the pool above):

^ Host ^ IP ^
| brimNAS | 10.23.79.4 |
| BrimUpstairsAP | 10.23.79.5 |
| BrimDownstairsAP | 10.23.79.6 |

  * DNS (System / Settings / General)
    * 10.23.79.1 to use the ISP's DNS through the firewall
    * 10.23.79.3 if using PiHole
    * 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
  * Dynamic DNS
    * Go to System / Firmware / Plugins and install os-ddclient
    * Go to Services / Dynamic DNS / Settings
    * Add a new one by clicking "+"
    * Enabled: check
    * Service: easyDNS
    * Username: easyDNS username
    * Password: easyDNS token (not your account password); the token is generated on the easyDNS website
    * Hostnames: brimble.com
    * Check IP method: dyndns
    * Interface to monitor: WAN
    * Check IP timeout: 10
    * Force SSL: checked
    * Save / Apply
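To tie the WireGuard section above together, here is a small check written for this page (it is not OPNsense or WireGuard code). It confirms that the addressing plan used above is consistent (tunnel 10.23.0.1/24 against LAN 10.23.79.1/24, peer 10.23.0.11/32) and renders the same [Interface]/[Peer] file shown for the Macbook. It also goes one step beyond the page with a split-tunnel AllowedIPs variant that only routes the tunnel subnet and the LAN. MAINPUBLIC, PEERPUBLIC and PRIVATE are placeholders, not real keys; generate real ones with the gear icon on the instance and in the client app.

```python
"""Sanity-check the WireGuard addressing on this page and render a client config.

Added example for this wiki page; it is not OPNsense or WireGuard code.
Keys are placeholders (MAINPUBLIC / PEERPUBLIC / PRIVATE): use the gear icon
on the instance and the client app to generate real ones, and never paste a
private key anywhere but the device it belongs to.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    public_key: str   # PEERPUBLIC, generated on the client
    address: str      # "Allowed IPs" on the OPNsense peer entry, e.g. 10.23.0.11/32


@dataclass
class Instance:
    name: str
    public_key: str   # MAINPUBLIC, shown on the instance after clicking the gear
    endpoint: str     # public name:port the clients dial, e.g. brimble.com:51820
    tunnel: str       # "Tunnel address" on the instance, e.g. 10.23.0.1/24
    lan: str          # LAN interface address, e.g. 10.23.79.1/24
    peers: list = field(default_factory=list)


def check_plan(inst):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    tunnel_if = ipaddress.ip_interface(inst.tunnel)
    tunnel_net = tunnel_if.network
    lan_net = ipaddress.ip_interface(inst.lan).network
    if tunnel_net.overlaps(lan_net):
        problems.append(f"tunnel {tunnel_net} overlaps LAN {lan_net}; pick an unused subnet")
    seen = set()
    for p in inst.peers:
        peer_if = ipaddress.ip_interface(p.address)
        if peer_if.network.prefixlen != 32:
            problems.append(f"{p.name}: peer Allowed IPs should be a single /32, got {p.address}")
        if peer_if.ip not in tunnel_net:
            problems.append(f"{p.name}: {peer_if.ip} is not inside tunnel {tunnel_net}")
        elif peer_if.ip == tunnel_if.ip:
            problems.append(f"{p.name}: {peer_if.ip} collides with the instance address")
        if peer_if.ip in seen:
            problems.append(f"{p.name}: {peer_if.ip} is already assigned to another peer")
        seen.add(peer_if.ip)
    return problems


def client_config(inst, peer, private_key, dns, full_tunnel=True):
    """Render the [Interface]/[Peer] file the iOS/macOS apps expect.

    full_tunnel=True is what the page uses (AllowedIPs = 0.0.0.0/0, all traffic
    via the firewall). full_tunnel=False is a split tunnel: only the tunnel
    subnet and the LAN behind OPNsense are routed through the VPN.
    """
    tunnel_net = ipaddress.ip_interface(inst.tunnel).network
    lan_net = ipaddress.ip_interface(inst.lan).network
    allowed = "0.0.0.0/0" if full_tunnel else f"{tunnel_net}, {lan_net}"
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {peer.address}",
        f"DNS = {', '.join(dns)}",
        "",
        "[Peer]",
        f"PublicKey = {inst.public_key}",
        f"AllowedIPs = {allowed}",
        f"Endpoint = {inst.endpoint}",
    ]
    return "\n".join(lines) + "\n"


# The values from this page; the keys are placeholders, not real key material.
WG1 = Instance("WG1", "MAINPUBLIC", "brimble.com:51820", "10.23.0.1/24", "10.23.79.1/24",
               [Peer("iPhone", "PEERPUBLIC", "10.23.0.11/32")])

if __name__ == "__main__":
    for problem in check_plan(WG1):
        print("PROBLEM:", problem)
    print(client_config(WG1, WG1.peers[0], "PRIVATE", ["8.8.8.8", "8.8.4.4"]))
```

Run it after adding each peer; the overlap check is the one that bites when a tunnel subnet is reused from another site, because the client will then route its own LAN into the VPN.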
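The Port Forwarding and Services sections above depend on each other: a forward only keeps working if its target has a static mapping, and static mappings must sit outside the DHCP pool. The check below is an added example written for this page (not OPNsense code) that encodes the pool, the static mappings and the unraid/Nginx forward table from above and flags the usual mistakes. It assumes 10.23.79.4 for the "10.23.79.X" targets, since that is the server address used in the port-forward walkthrough.

```python
"""Cross-check the LAN plan on this page: DHCPv4 pool, static mappings and port forwards.

Added example for this wiki page, not OPNsense code. The pool, hosts and rules
are the ones listed above (the unraid/Nginx variant); 10.23.79.4 is assumed for
the "10.23.79.X" target, since that is the server address used in the
port-forward walkthrough.
"""
import ipaddress

LAN = ipaddress.ip_network("10.23.79.0/24")
FIREWALL = ipaddress.ip_address("10.23.79.1")
DHCP_POOL = (ipaddress.ip_address("10.23.79.100"), ipaddress.ip_address("10.23.79.245"))

# Static MAC/IP mappings from the Services section (hostname -> address).
STATIC_MAPPINGS = {
    "brimNAS": "10.23.79.4",
    "BrimUpstairsAP": "10.23.79.5",
    "BrimDownstairsAP": "10.23.79.6",
}

# (WAN port, protocol, redirect target IP, redirect target port, description)
PORT_FORWARDS = [
    (80,  "tcp", "10.23.79.4", 180,  "HTTP tomcat"),
    (443, "tcp", "10.23.79.4", 1443, "HTTPS tomcat"),
    (22,  "tcp", "10.23.79.4", 22,   "SSH brimble"),
]


def in_pool(ip, pool=DHCP_POOL):
    """True if ip falls inside the dynamic DHCP range."""
    return pool[0] <= ip <= pool[1]


def check_lan(lan=LAN, firewall=FIREWALL, pool=DHCP_POOL,
              statics=STATIC_MAPPINGS, forwards=PORT_FORWARDS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if pool[0] not in lan or pool[1] not in lan or pool[0] > pool[1]:
        problems.append(f"DHCP pool {pool[0]}-{pool[1]} is not a valid range inside {lan}")
    if in_pool(firewall, pool):
        problems.append(f"firewall address {firewall} lies inside the DHCP pool")

    static_ips = {}
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            problems.append(f"{name}: {ip} is not on {lan}")
        if ip == firewall:
            problems.append(f"{name}: {ip} is the firewall's own address")
        if in_pool(ip, pool):
            problems.append(f"{name}: static mapping {ip} sits inside the DHCP pool")
        if ip in static_ips:
            problems.append(f"{name}: {ip} is already mapped to {static_ips[ip]}")
        static_ips[ip] = name

    seen = {}
    for wan_port, proto, target, target_port, desc in forwards:
        key = (proto.lower(), wan_port)
        if key in seen:
            problems.append(f"{desc}: WAN {proto}/{wan_port} is already forwarded by '{seen[key]}'")
        seen[key] = desc
        tip = ipaddress.ip_address(target)
        if tip not in lan:
            problems.append(f"{desc}: target {tip} is not on {lan}")
        elif tip not in static_ips:
            problems.append(f"{desc}: target {tip} has no static mapping, a lease change would break the forward")
        if not 1 <= target_port <= 65535:
            problems.append(f"{desc}: target port {target_port} is out of range")
    return problems


if __name__ == "__main__":
    for problem in check_lan() or ["no problems found"]:
        print(problem)
```

Extend STATIC_MAPPINGS with the Switch from the gaming section and PORT_FORWARDS with the standalone table to check those variants too.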