Book Image

OPNsense Beginner to Professional

By : Julio Cesar Bueno de Camargo
5 (1)
Book Image

OPNsense Beginner to Professional

5 (1)
By: Julio Cesar Bueno de Camargo

Overview of this book

OPNsense is one of the most powerful open source firewalls and routing platforms available. With OPNsense, you can now protect networks using features that were only previously available to closed source commercial firewalls. This book is a practical guide to building a comprehensive network defense strategy using OPNsense. You’ll start with the basics, understanding how to install, configure, and protect network resources using native features and additional OPNsense plugins. Next, you’ll explore real-world examples to gain in-depth knowledge of firewalls and network defense. You’ll then focus on boosting your network defense, preventing cyber threats, and improving your knowledge of firewalling using this open source security platform. By the end of this OPNsense book, you’ll be able to install, configure, and manage the OPNsense firewall by making the most of its features.
Table of Contents (25 chapters)
Section 1: Initial Configuration
Section 2: Securing the Network
Section 3: Going beyond the Firewall

Why OPNsense?

To give a short answer – because it is the best genuinely open source firewall project currently available!

Not satisfied with this answer? Fair enough! Let's go to the long one!

My personal experience

Back in 2009, I was a pfSense user and enthusiast when I decided to move from Linux-based firewalls to FreeBSD. Back then, I created a managed firewall service for small and medium businesses using Linux firewall distros. At that time, I was using IPCop and SmoothWall Express, two Linux-based distros. I started this project with IPCop, but I decided to move to Smoothwall Express later, from which IPCop was forked. Both were good options to run in an embedded firewall appliance with limited resources. As a long-time Linux user, I was very comfortable using something based on this operating system. I am from a time when we built firewalls using ipchains and, later, iptables scripts, without any GUI help. I know – I'm getting old! Changes were happening and the service grew, with customers demanding bigger firewall appliances with high availability capability. At this point, Linux had a problem; there was no good support for this feature, so I needed to go back to the drawing board.

From research, I have found two possible alternatives – OpenBSD and FreeBSD. The first one was a well-known security-focused operating system with a strong reputation, which looked like a great option to run as a firewall solution. However, there were some hardware compatibility limitations and a lack of a GUI to manage it. It was a crucial need that customers were asking for. I couldn't find any firewall GUI option available back then, and developing a new one as a one-person development team was not a suitable option. It was time to look at the FreeBSD choices.

By doing a quick Google search, I found a good option – m0n0wall. So, I downloaded it and started the tests! It impressed me! It was a light operating system with a good WebGUI running on a solid operating system. But at the very beginning, I found a problem – reading the official documentation, specifically on the topic of what m0n0wall is not, I discovered that it wasn't a proxy server, an Intrusion Detection System (IDS), or an Intrusion Prevention System (IPS), and losing these features was not an option! So, it was back to square one!

Googling again, I found a m0n0wall fork – a project called pfSense. It looked like a promising one, with everything I needed to implement at that time – WebGUI, high availability, and some plugins such as Squid/SquidGuard for proxying and web filtering, Snort for IDS/IPS, pf as the packet filter. Bingo! I had found what I was looking for! My first impression when testing on the PC engine-based hardware was disappointing! The performance was too low compared with the Linux options and even with m0n0wall. There were too many features for a hardware platform with few resources. Another problem to solve was that even the more powerful hardware I was testing on used a compact flash disk as mass storage, and enabling a service such as Squid for proxying and web filtering with a lot of disk writing meant that the Compact Flash (CF) card got damaged very quickly. But there was another option – installing the NanoBSD flavor of pfSense made things easier for the embedded hardware to run more smoothly, and with some coding, I was able to bypass the CF card limitations. So, I ran this solution as a firewall to many customers until 2015. That was the year I became a little bit frustrated with how the project was being driven; a lot of ideas were popping into my head, but the project community was not the same anymore. It was time for a fresh start. I even talked with some project contributors about starting a new fork, but the idea was not accepted by most of them. It was time to go back to Google to look for a good open source firewall project.

On one of these rainy days, when your creativity is low and you have no intention to code or think of a new solution, I decided to google for some open source firewall alternatives, and the results surprised me! I found something, a project called OPNsense, and it was a pfSense fork! At that moment, the sun shined on my keyboard, and I thought, that's it!! The more I read about the project history, the more convinced I became that I had found the perfect solution backing!

So, I started the tests, and it was fascinating! It was pretty easy to convert pfSense's XML configuration file to OPNsense, so my first labs were based on production systems, and the results were very satisfying. It was time to migrate the first customers to this new firewall platform. However, it had a limitation – web filtering. We had developed a custom SquidGuard plugin for pfSense, but it wasn't easy to convert it, as the webGUI was different. Fortunately, our first customers didn't need this feature. The first migration to OPNsense was a success! So, it was decided that OPNsense was the new option for our firewall appliances! Later, I developed a SquidGuard-based plugin for OPNsense, and we were able to migrate all the customers. Since then, I have moved from this company to a new one, CloudFence, and we have decided to support the OPNsense project as much as possible.

Some of the key features that led me to dive into the OPNsense project were: genuine open source motivations with the freedom that an actual open-sourced project must have – an MVC-based webGUI without direct root access to the operating system (except for legacy components), IDS and IPS with netmap support, excellent available plugins, two-factor authentication for VPN, and cloud backups, to mention just a few! The list is increasing with each new version; later, we will see each feature in detail, so don't worry about it for now!

Okay, so this book isn't a novel, but I had to tell my personal history with OPNsense because choosing an open source project as a contributor and user isn't like buying a product. It is about personal life decisions; it's about what you want to support and are passionate about, and that project was right for me. I tried to help it! This is a little bit of my personal story with OPNsense; I hope it can inspire you somehow! The whole story might need an entire book, and it isn't the purpose of this one to tell stories but rather to improve your OPNsense skills, so let's move on to OPNsense's features!