
Setup OPNsense on Protectli FW4C

This will guide you through the setup of OPNsense on a Protectli FW4C Vault.

Install OPNsense

  • Download the image from https://www.opnsense.org/download/
    • System architecture: amd64
    • Image type: vga
  • Write the image to a USB stick with balenaEtcher or another USB boot-drive creator.
  • Power on the Vault and boot from the USB stick to start the installer.
  • Log in as 'installer' with password 'opnsense'.
  • Select the keyboard layout, choose Install (UFS), pick the internal drive, accept the swap prompt, set the root password, then remove the USB stick and reboot.

Link: https://www.youtube.com/watch?v=_IzyJTcnPu8

Connect

  • Plug into the LAN port (see the note below for the FW4C) and browse to https://192.168.1.1
    • NOTE: OPNsense assigns the first NIC (igc0) as LAN and the second (igc1) as WAN, while the Protectli FW4C labels those same two ports WAN and LAN. So for this first login plug into the port labelled WAN; the assignments are swapped in software below so that the labels match.
  • Log in as 'root' with the password you set during install.
  • Go to Interfaces / Assignments and swap the LAN and WAN devices if needed (see the note above).
    • Once this is applied, move the cable to the port that is now LAN and log in again.

Setup

  • Go to Interfaces / LAN
    • Make sure it is enabled and locked (lock prevents accidental removal in Assignments).
    • IPv4 configuration type: Static IPv4
    • IPv4 address: whatever you want for the LAN (10.23.79.1/24 here)
    • IPv4 gateway: leave at Auto-detect; a LAN interface should not be given an upstream gateway
    • Save / Apply
  • Go to Interfaces / WAN
    • Make sure it is enabled and locked.
    • Check both “Block private networks” and “Block bogon networks” so packets with RFC 1918 or unallocated source addresses are dropped at the edge.
    • IPv4 configuration type: DHCP (what CenturyLink uses here; other ISPs may need PPPoE or a static address)
    • Save / Apply
  • This ISP delivers service from the ONT tagged with VLAN 201, so the WAN has to be a VLAN sub-interface on the physical WAN port rather than the bare port.
  • Go to Interfaces / Other Types / VLAN
  • Create a new one by clicking on the “+”
    • Device: vlan01
    • Parent: igc0 (the physical WAN port)
    • VLAN tag: 201
    • VLAN priority: Best Effort (0, the default)
    • Description: Internet
    • Save
  • Go to Interfaces / Assignments
    • Change the WAN device from igc0 to the vlan01 you just created.
    • Save / Apply. The reassignment takes effect without a reboot, and the WAN settings (DHCP, private/bogon blocking) stay attached to WAN.
  • Plug the line from the ONT into the port labelled WAN.
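To make the VLAN step concrete, here is an added example (not from the original page, and not OPNsense or FreeBSD code) that builds and decodes 802.1Q-tagged Ethernet frames like the ones the ONT sends on VLAN 201, and models which frames a WAN assigned to the bare igc0 port versus the vlan01 sub-interface would actually accept. The MAC addresses and payload are constructed for the demonstration.

```python
"""Build and decode IEEE 802.1Q-tagged Ethernet frames.

Added example, not from the original page: it shows what the VLAN form's
"VLAN tag: 201, priority: Best Effort" means on the wire between the ONT and
the FW4C's WAN port, and why a WAN assigned to the bare igc0 port would never
see the ISP's tagged traffic. MAC addresses and payload are constructed.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# IEEE 802.1p priority code points; 0 is the "Best Effort" default in the OPNsense form
PCP_NAMES = {
    0: "Best Effort", 1: "Background", 2: "Excellent Effort",
    3: "Critical Applications", 4: "Video", 5: "Voice",
    6: "Internetwork Control", 7: "Network Control",
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, ethertype: int = ETHERTYPE_IPV4,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Return an Ethernet frame; with vid set, insert an 802.1Q tag after the MACs."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def decode_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12])}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        info.update(tagged=False, vid=None, pcp=None, dei=None, priority=None,
                    ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    info.update(tagged=True, vid=tci & 0x0FFF, pcp=pcp, dei=(tci >> 12) & 1,
                priority=PCP_NAMES[pcp], ethertype=inner_type, payload=frame[18:])
    return info


def deliver(frame: bytes, wan_vid: Optional[int]) -> str:
    """Model which frames reach WAN.

    wan_vid=None models WAN assigned to the raw igc0 port (untagged only);
    wan_vid=201 models WAN assigned to vlan01 on igc0 with tag 201.
    """
    tagged_vid = decode_frame(frame)["vid"]
    if wan_vid is None:
        return "wan" if tagged_vid is None else "dropped (unexpected tag)"
    return "wan" if tagged_vid == wan_vid else "dropped (wrong VLAN or untagged)"


# Constructed sample: an IPv4 header stub from the ISP's edge, tagged 201, PCP 0.
ISP_FRAME = build_frame("00:e0:67:00:00:01", "00:11:22:aa:bb:cc",
                        b"\x45" + b"\x00" * 19, vid=201)

if __name__ == "__main__":
    print(decode_frame(ISP_FRAME))
    print("WAN on bare igc0:", deliver(ISP_FRAME, None))
    print("WAN on vlan01:   ", deliver(ISP_FRAME, 201))
```

Run it and the decoded frame shows vid 201 and priority "Best Effort"; the same frame is dropped when WAN sits on the bare port and accepted when WAN sits on vlan01, which is exactly the symptom (no DHCP lease on WAN) you get if the VLAN step is skipped.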

Firewall/NAT

Port Forwarding

  • Go to Firewall / NAT / Port Forward
  • Create a new rule by clicking on the “+”
    • Interface: WAN
    • Protocol: TCP
    • Source / Advanced: leave everything at “any”
    • Destination: WAN address
    • Destination port range: the external port (example: 80 or 443)
    • Redirect target IP: Single host or Network / the internal address of the server (10.23.79.4)
    • Redirect target port: (other) / the port the server actually listens on (example: 180 or 1443)
    • Description: whatever you like
    • NAT reflection: Enabled
    • Filter rule association: Add associated filter rule (without a filter rule the WAN ruleset still blocks the forwarded traffic)
    • Save / Apply
  • Repeat for each forwarded port. In the tables “Both” means TCP/UDP as configured (TCP alone is enough for HTTP, HTTPS and SSH), and an empty target port means the same port as the external one.
    • Port forwarding rules if Unraid / Nginx is in front:
      Ext port  Proto  Target IP   Target port  Description
      80        Both   10.23.79.X  180          HTTP tomcat
      443       Both   10.23.79.X  1443         HTTPS tomcat
      22        Both   10.23.79.X               SSH brimble
    • Port forwarding rules if standalone:
      Ext port  Proto  Target IP   Target port  Description
      80        Both   10.23.79.X               HTTP tomcat
      443       Both   10.23.79.X               HTTPS
      22        Both   10.23.79.X               SSH brimble
      32400     Both   10.23.79.X               Plex
    • Forwarding 22 exposes SSH to every address on the internet and it will see constant brute-force attempts; restrict the rule's source, require key-only authentication on the host, or reach it over a VPN instead.
  • Hairpin NAT (reaching a forwarded service from inside the LAN via the public address):
    • Go to Firewall / Settings / Advanced
    • Check “Automatic outbound NAT for Reflection”
    • Save / Apply
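The port-forward rules above are the part of this setup most worth re-checking after every change. The following added example (not from the original page and not OPNsense code) parses the port forwards out of a config backup and flags the mistakes this guide warns about: a target outside the LAN, a rule saved without its associated filter rule, an administrative port such as SSH open to any source, reflection left off, and two rules claiming the same external port. The XML is a constructed sample laid out like the `<nat><rule>` entries of a config.xml backup (System / Configuration / Backups); treat the element names as an assumption and compare them with your own export before running this against it.

```python
"""Audit the WAN port forwards in an OPNsense config backup.

Added example, not from the original page or from OPNsense itself. The XML
below is a constructed sample in the shape of the <nat><rule> entries of a
config.xml backup; verify element names against your own export.
"""
import ipaddress
import xml.etree.ElementTree as ET

LAN_NET = ipaddress.ip_network("10.23.79.0/24")   # LAN from the page's setup
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed sample config: the two Unraid/Nginx rules done right, an SSH rule
# saved without a filter rule, and a stale Plex rule pointing at the old subnet.
SAMPLE_CONFIG = """<opnsense><nat>
  <rule><protocol>tcp/udp</protocol><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <descr>HTTP tomcat</descr><target>10.23.79.4</target><local-port>180</local-port>
    <source><any>1</any></source><destination><network>wanip</network><port>80</port></destination>
    <natreflection>enable</natreflection><associated-rule-id>nat_http</associated-rule-id></rule>
  <rule><protocol>tcp/udp</protocol><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <descr>HTTPS tomcat</descr><target>10.23.79.4</target><local-port>1443</local-port>
    <source><any>1</any></source><destination><network>wanip</network><port>443</port></destination>
    <natreflection>enable</natreflection><associated-rule-id>nat_https</associated-rule-id></rule>
  <rule><protocol>tcp</protocol><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <descr>SSH brimble</descr><target>10.23.79.4</target><local-port>22</local-port>
    <source><any>1</any></source><destination><network>wanip</network><port>22</port></destination>
    <natreflection>enable</natreflection></rule>
  <rule><protocol>tcp</protocol><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <descr>Plex (stale)</descr><target>192.168.1.50</target><local-port>32400</local-port>
    <source><any>1</any></source><destination><network>wanip</network><port>32400</port></destination>
    <associated-rule-id>nat_plex</associated-rule-id></rule>
</nat></opnsense>"""


def parse_forwards(config_xml: str) -> list:
    """Extract the WAN port forwards as plain dicts."""
    root = ET.fromstring(config_xml)
    forwards = []
    for rule in root.findall("./nat/rule"):
        if (rule.findtext("interface") or "").strip() != "wan":
            continue
        ext_port = rule.findtext("destination/port")
        forwards.append({
            "descr": rule.findtext("descr") or "",
            "proto": (rule.findtext("protocol") or "tcp").lower(),
            "ext_port": int(ext_port) if ext_port else None,
            "target": rule.findtext("target") or "",
            # an empty local-port means "same as the external port"
            "local_port": int(rule.findtext("local-port") or ext_port or 0),
            "source_any": rule.findtext("source/any") == "1",
            "reflection": rule.findtext("natreflection") == "enable",
            "has_filter_rule": bool(rule.findtext("associated-rule-id")),
        })
    return forwards


def audit_forwards(forwards: list, lan_net=LAN_NET) -> list:
    """Return (severity, rule description, message) findings; empty list means clean."""
    findings, seen = [], {}
    for fw in forwards:
        key = (fw["proto"], fw["ext_port"])
        if key in seen:
            findings.append(("error", fw["descr"], f"external {key[0]}/{key[1]} already used by '{seen[key]}'"))
        seen.setdefault(key, fw["descr"])
        try:
            target = ipaddress.ip_address(fw["target"])
            if target not in lan_net:
                findings.append(("error", fw["descr"], f"target {target} is not in LAN {lan_net}; the forward cannot work"))
        except ValueError:
            findings.append(("error", fw["descr"], f"target '{fw['target']}' is not an IP address"))
        if not fw["has_filter_rule"]:
            findings.append(("error", fw["descr"], "no associated filter rule; WAN blocks the forwarded traffic"))
        if fw["ext_port"] in SENSITIVE_PORTS and fw["source_any"]:
            findings.append(("warn", fw["descr"], f"{SENSITIVE_PORTS[fw['ext_port']]} exposed to any source; restrict the source or use a VPN"))
        if not fw["reflection"]:
            findings.append(("info", fw["descr"], "NAT reflection off; LAN clients cannot use the public address for this service"))
    return findings


if __name__ == "__main__":
    for severity, descr, msg in audit_forwards(parse_forwards(SAMPLE_CONFIG)):
        print(f"[{severity}] {descr}: {msg}")
```

On the constructed sample the two web rules pass, the SSH rule gets an error (no filter rule) and a warning (SSH open to any source), and the stale Plex rule gets an error for its off-subnet target plus a note that reflection is off. Point `parse_forwards` at a real backup file's contents to audit your own rules.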

NAT for online gaming

  • Go to Firewall / Aliases
    • Create a new alias by clicking on the “+”
    • Enabled: check
    • Name: NintendoSwitch
    • Type: Host(s)
    • Content: IP address of the Switch (give the Switch a static DHCP mapping so the alias stays valid)
    • Save / Apply
  • Go to Firewall / NAT / Outbound
    • Change the mode to Hybrid so you can add a manual rule; manual rules are evaluated before the automatically generated ones.
    • Create a new rule by clicking on the “+”
    • Interface: WAN
    • Protocol: any
    • Source address: NintendoSwitch
    • Static-port: check (keeps the console's source port unchanged on the way out, which is what its NAT test needs; keep the rule scoped to the alias rather than the whole LAN)
    • Give it a description
    • Save / Apply

Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense
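Why the static-port box matters is easier to see in a model than in the GUI. The added example below (not from the original page and not pf's actual code) simulates two outbound NAT policies: the default, which assigns every new flow a fresh source port, and the static-port rule that keeps the source port for hosts in the alias. A console that probes two different servers from one local socket, the way STUN-style NAT tests do, sees one public port only under the second policy. The addresses, ports and the letter grades are constructed for the illustration.

```python
"""Simulate why 'static-port' outbound NAT changes the Switch's NAT type.

Added example, not from the original page or from OPNsense/pf. It is a toy
model of two NAT policies for flows leaving WAN: the default rewrites the
source port of every new flow; the static-port rule keeps it. Addresses,
ports and the NAT-type letters are constructed for the illustration.
"""
import random
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"        # documentation address standing in for the public IP
SWITCH_IP = "10.23.79.50"     # constructed address for the NintendoSwitch alias


@dataclass
class Nat:
    static_port_hosts: set = field(default_factory=set)   # hosts matched by a static-port rule
    table: dict = field(default_factory=dict)             # (src_ip, src_port, dst_ip, dst_port) -> public port
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the public (ip, port) for this flow, allocating a mapping if it is new."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return WAN_IP, self.table[key]
        if src_ip in self.static_port_hosts:
            # static-port: keep the source port; collide only if another inside
            # endpoint already owns that public port
            owners = {k[:2] for k, p in self.table.items() if p == src_port}
            if owners and owners != {(src_ip, src_port)}:
                raise RuntimeError(f"public port {src_port} already mapped for {owners}")
            pub = src_port
        else:
            # default behaviour: a fresh ephemeral port per flow, distinct from ports in use
            used = set(self.table.values())
            pub = self.rng.randrange(49152, 65536)
            while pub in used:
                pub = self.rng.randrange(49152, 65536)
        self.table[key] = pub
        return WAN_IP, pub


# Two constructed "STUN" servers the console talks to from one local socket.
PEERS = [("198.51.100.10", 3478), ("198.51.100.20", 3478)]


def mapping_is_endpoint_independent(nat: Nat, src_ip: str, src_port: int, peers=PEERS) -> bool:
    """True if the same inside socket gets one public port regardless of the peer."""
    public_ports = {nat.translate(src_ip, src_port, ip, port)[1] for ip, port in peers}
    return len(public_ports) == 1


def nat_type(nat: Nat, src_ip: str = SWITCH_IP, src_port: int = 45000) -> str:
    """Rough mapping of mapping behaviour to the Switch's letter grades (constructed)."""
    if mapping_is_endpoint_independent(nat, src_ip, src_port):
        return "B (endpoint-independent mapping)"
    return "D (endpoint-dependent mapping, symmetric NAT)"


if __name__ == "__main__":
    print("default outbound NAT :", nat_type(Nat()))
    print("static-port for alias:", nat_type(Nat(static_port_hosts={SWITCH_IP})))
```

The collision check is the reason to scope the rule to the alias: with static port on, two inside hosts using the same source port toward the internet would contend for one public port, which the default policy avoids by rewriting ports.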

Services

  • DHCPv4 (Services / DHCPv4 / [LAN])
    • Range start: 10.23.79.100
    • Range stop: 10.23.79.245
    • Save / Apply
    • Static MAC/IP mappings (these must sit outside the dynamic range):
      Hostname          IP address
      brimNAS           10.23.79.4
      BrimUpstairsAP    10.23.79.5
      BrimDownstairsAP  10.23.79.6

  • DNS (System / Settings / General)
    • 10.23.79.1 to use the ISP's DNS servers via the firewall
    • 10.23.79.3 if running Pi-hole there
    • 8.8.8.8 / 8.8.4.4 (or other public resolvers) if hardcoding
  • Dynamic DNS
    • Go to System / Firmware / Plugins and install os-ddclient
    • Go to Services / Dynamic DNS / Settings
      • Add a new entry by clicking on the “+”
      • Enabled: check
      • Service: easyDNS
      • Username: easyDNS username
      • Password: the easyDNS dynamic DNS token (not the account password); it is generated in the easyDNS web control panel
      • Hostnames: brimble.com
      • Check ip method: dyndns
      • Interface to monitor: WAN
      • Check ip timeout: 10
      • Force SSL: checked
      • Save / Apply
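The DHCP range, the static mappings and the DNS addresses above all have to agree with each other. This added example (not from the original page and not OPNsense code) takes the page's addressing plan and checks the things that cause odd outages later: a static lease or the Pi-hole landing inside the dynamic pool, duplicate IPs or MACs, addresses outside the subnet, and a pool edge on the network or broadcast address. The MAC addresses are constructed.

```python
"""Sanity-check the LAN addressing plan before handing it to DHCP.

Added example, not from the original page. Subnet, pool, static hosts and
infrastructure addresses are the page's values; the MACs are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

PLAN = {
    "subnet": "10.23.79.0/24",
    "pool": ("10.23.79.100", "10.23.79.245"),
    "infra": {"gateway": "10.23.79.1", "pihole": "10.23.79.3"},
    "static": [  # (hostname, mac, ip); MACs are made up for the example
        ("brimNAS", "02:00:00:00:00:04", "10.23.79.4"),
        ("BrimUpstairsAP", "02:00:00:00:00:05", "10.23.79.5"),
        ("BrimDownstairsAP", "02:00:00:00:00:06", "10.23.79.6"),
    ],
}


def check_plan(plan: dict) -> list:
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"], strict=True)
    start, stop = (ipaddress.ip_address(a) for a in plan["pool"])
    if start > stop:
        problems.append(f"pool start {start} is after stop {stop}")
    for edge in (start, stop):
        if edge not in net:
            problems.append(f"pool edge {edge} is outside {net}")
        elif edge in (net.network_address, net.broadcast_address):
            problems.append(f"pool edge {edge} is the network or broadcast address")

    def in_pool(ip):
        return start <= ip <= stop

    # the firewall itself and the DNS server must never be handed out as leases
    for name, ip_s in plan["infra"].items():
        ip = ipaddress.ip_address(ip_s)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif in_pool(ip):
            problems.append(f"{name} {ip} lies inside the dynamic pool and can be leased to a client")

    seen_ip, seen_mac = {}, {}
    for host, mac, ip_s in plan["static"]:
        mac = mac.lower()
        ip = ipaddress.ip_address(ip_s)
        if not MAC_RE.match(mac):
            problems.append(f"{host}: '{mac}' is not a valid MAC")
        if ip not in net:
            problems.append(f"{host}: {ip} is outside {net}")
        elif in_pool(ip):
            problems.append(f"{host}: static {ip} is inside the dynamic pool")
        if ip in seen_ip:
            problems.append(f"{host}: {ip} already mapped to {seen_ip[ip]}")
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already mapped to {seen_mac[mac]}")
        seen_ip.setdefault(ip, host)
        seen_mac.setdefault(mac, host)
    return problems


if __name__ == "__main__":
    for problem in check_plan(PLAN) or ["plan is consistent"]:
        print(problem)
```

Edit `PLAN` as hosts are added; a mapping that reuses a MAC (a cloned VM, a replaced AP) or that drifts into the .100-.245 pool shows up here before it shows up as two devices fighting over one lease.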
equipment/fw4c_opnsense.1700922950.txt.gz · Last modified: by dirk