
OPNsense Setup


\\ Information - OPNsense

OPNsense is a free and open-source firewall and routing platform based on FreeBSD. It is designed to provide network security and services like VPN and DNS, with a web-based graphical interface for easy configuration and management.

OPNsense offers a wide range of features and capabilities, such as:

  • Firewall: Stateful packet filtering with support for NAT, port forwarding, and traffic shaping to block unwanted traffic and protect your network.
  • VPN: OPNsense supports various VPN protocols, such as OpenVPN and IPsec, for secure remote access to the network.
  • Intrusion Detection and Prevention System (IDPS): OPNsense includes Suricata, an open-source IDPS that can detect and prevent network intrusions.
  • Web Filtering: OPNsense offers web filtering capabilities that can block access to specific websites and content categories. It also includes Sensei/ZenArmor: Optional add-ons that extend web filtering and security features with cloud-based threat intelligence and traffic analytics.
  • DNS and DHCP: OPNsense can act as a DNS and DHCP server, providing these network services to devices on the network.
  • High Availability: OPNsense supports high availability configurations, allowing for redundancy and failover in case of hardware or network failures.
  • ZenArmor: ZenArmor is an add-on to OPNsense that provides advanced threat intelligence and security analytics capabilities. It uses machine learning algorithms to detect and prevent cyber attacks in real time.

OPNsense is typically used by organizations of all sizes to protect their networks and ensure secure access to their resources. It is popular among IT professionals and network administrators for its flexibility, ease of use, and community support. With the addition of Sensei and ZenArmor, OPNsense provides even more advanced security capabilities to protect against modern cyber threats.


Before making any changes to software, systems, or devices, it’s important to thoroughly read and understand the configuration options, and verify that the proposed changes align with your requirements. This can help avoid unintended consequences and ensure the software, system, or device operates as intended.

⚠️ A default OPNsense installation is functional but not hardened.
This guide helps you establish a secure baseline configuration before applying customizations.


\\ System > *

// Access

Always create individual admin accounts and protect them with TOTP.

  1. Go to System > Access > Servers and create a new service for TOTP.
    • After creation, select it under System > Settings > Administration > Authentication > Server.
  2. For each user, generate a seed under OTP seed and pair it with an authenticator app.

// Firmware > Plugins

Recommended plugins for a secure and manageable OPNsense setup.

  • ZenArmor (formerly Sensei):
    • os-sensei
    • os-sensei-updater
    • os-sunnyvalley
  • os-ddclient - Dynamic DNS support.
  • os-acme-client - Recommended for valid TLS certificates.
  • os-net-snmp - For SNMP monitoring.
  • os-qemu-guest-agent - For Proxmox/VM integration.
  • os-theme-vicuna - Dark mode theme.

    !!! Highly recommended to install for dark mode, bugs love light !!!

// Gateways > Configuration

  1. Configure the WAN interface first.

    This is normally done during OPNsense installation.

  2. For each gateway:
    • Disable Gateway Monitoring: unchecked
    • Monitor IP: 9.9.9.9 (Quad9) or your ISP gateway IP.
      • For IPv6: use 2620:fe::fe or another reliable IPv6 address.

// Settings *

Administration

  • Web GUI
    • Protocol: HTTPS
    • SSL Certificate: select a certificate created beforehand, either signed by the internal CA or issued via ACME (see Trust and ACME below)
    • HTTP Strict Transport Security: enabled
    • Access Log: enabled
    • Server Log: enabled
    • Listen Interfaces: Restrict to admin/management subnet
  • Secure Shell
    • Secure Shell Server: Disabled by default (enable only if needed)
    • Listen Interfaces: Restrict to admin/management subnet
  • Authentication
    • Server: Choose TOTP service (Access)

General

  • Hostname: opnsense (or any name you prefer)
  • Domain: home.local (or your own domain - internal CA or ACME)
  • Time zone: Europe/Berlin
  • Theme: vicuna

    !!! Highly recommended using dark mode, bugs love light !!!

  • Prefer IPv4 over IPv6: unchecked
  • DNS Servers: leave empty; we will use Unbound
  • DNS Server Options: both unchecked
  • Gateway Switching: unchecked

Logging

Adjust log retention and log level as needed. The defaults are usually sufficient.

// Trust > *

Authorities

Create an internal root CA and an intermediate CA to sign internal certificates. (You can skip this part if you want to use ACME only.)

  • Root CA: internal-ca (kept offline if possible)
  • Intermediate CA: intermediate-ca (used for daily certs)

Certificates

  • For a quick internal (not publicly trusted) certificate: generate an OPNsense certificate signed by your intermediate CA.
  • For a signed certificate: use os-acme-client (ACME) to issue a valid, auto-renewed certificate for the OPNsense GUI (e.g., opnsense.example.com).

\\ Interfaces > *

  • Assignments
    • Assign your physical or virtual network ports as interfaces.

      Rename interfaces to meaningful names like WAN, LAN, DMZ, or MGMT for easier management.

    • Edit your assigned interfaces (e.g., configure WAN as PPPoE).
  • Settings
    • Disable most hardware offload options to avoid driver or stability issues.

\\ Firewall > *

// Aliases > GeoIP settings

Add the following URL (replace <LICENSE-KEY>):

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<LICENSE-KEY>&suffix=zip

// Aliases > Aliases

  • Type: Host(s)
    • IP_S_DNS_NTP_INTERN
      • Content: 192.168.1.1,fd00:affe:affe:1::1

        Example addresses of the firewall's own DNS and NTP service, used throughout this documentation; the internal allow rules reference this alias.

      • Statistics: checked
      • Description: IP: service internal DNS+NTP (IPv4+IPv6)
    • IP_S_MDNS_SSDP
      • Content: ff02::fb,224.0.0.251,239.255.255.250
      • Statistics: checked
      • Description: IP: mDNS and SSDP hosts
  • Type: Network(s)
    • SUB_MULTI_BROAD
      • Content: ff00::/8,224.0.0.0/4,255.255.255.255,ff02::1,ff02::c,ff02::fb,ff02::1:2
      • Statistics: checked
      • Description: SUB: multicast + broadcast (IPv4+IPv6)
    • SUB_PRIV4
      • Content: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
      • Statistics: checked
      • Description: SUB: RFC1918 IPv4 private net
    • SUB_PRIV6
      • Content: fd00:affe:affe:0::0/48

        Example IPv6 ULA, adjust to your own range.

      • Statistics: checked
      • Description: SUB: RFC4193 IPv6 ULA
    • SUB_PRIV_BOGON
      • Content: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,224.0.0.0/4,255.255.255.255,fe80::/10,::1/128,ff00::/8,fc00::/7,ff02::1,ff02::2,2001:db8::/32,::/128,2002::/16,3ffe::/16
      • Statistics: checked
      • Description: SUB: RFC1918+Bogon+Local+Multicast+Additional
    • SUB_LINK_LOCAL6
      • Content: fe80::/10
      • Statistics: checked
      • Description: SUB: IPv6 link local
    • SUB_SITE_MC
      • Content: 239.254.0.0/16
      • Statistics: checked
      • Description: SUB: site-local multicast (RFC2365)
    • SUB_GLOBAL6
      • Content: 2000::/3
      • Statistics: checked
      • Description: SUB: IPv6 global unicast
    • SUB_ULA6
      • Content: fd00::/8
      • Statistics: checked
      • Description: SUB: IPv6 unique local address
  • Type: URL Table (IPs)
    • URL_BLOCKLIST
      • Content: https://ipv64.net/blocklists/ipv64_blocklist_all.txt
      • Statistics: checked
  • Type: Port(s)
    • PORT_DNS_BLOCK
      • Content: 53,853,2853,5355,9953
      • Description: PORT: DNS block ports
    • PORT_LB_NOLOG
      • Content: 53,2055,9200
      • Description: PORT: loopback no-log
    • PORT_S_MDNS
      • Content: 5353,5540
      • Description: PORT: mDNS (IoT/Thread)
    • PORT_S_SIP
      • Content: 3478,3479,5060,7078:7109,10000:30000
      • Description: PORT: SIP service

// Groups

Create groups as needed, e.g. default public net access groups.

  • Name: G_PUB_NET4_D
    • Description: default public net access [IPv4]
    • Members: add the interfaces that should have internet access
    • Sequence: 5
    • (no) GUI groups: checked
  • Name: G_PUB_NET6_D
    • Description: default public net access [IPv6]
    • Members: add the interfaces that should have internet access
    • Sequence: 6
    • (no) GUI groups: checked

// NAT > Port Forward

Forward NTP/DNS traffic to the firewall instead of blocking it.

  • Description: PF:: forward NTP to local [IPv4]
    • Interface: select interfaces
    • TCP/IP Version: IPv4
    • Protocol: UDP
    • Source / Invert: unchecked
    • Source: SUB_PRIV4
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 123
    • Redirect target IP: IP_S_DNS_NTP_INTERN
    • Log: checked
    • Filter rule association: None
  • Description: PF:: forward NTP to local [IPv6]
    • Interface: select interfaces
    • TCP/IP Version: IPv6
    • Protocol: UDP
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 123
    • Redirect target IP: IP_S_DNS_NTP_INTERN
    • Log: checked
    • Filter rule association: None
  • Description: PF:: forward DNS to local [IPv4]
    • Interface: G_PUB_NET4_D
    • TCP/IP Version: IPv4
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: SUB_PRIV4
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 53
    • Redirect target IP: IP_S_DNS_NTP_INTERN
    • Log: checked
    • Filter rule association: None
  • Description: PF:: forward DNS to local [IPv6]
    • Interface: G_PUB_NET6_D
    • TCP/IP Version: IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 53
    • Redirect target IP: IP_S_DNS_NTP_INTERN
    • Log: checked
    • Filter rule association: None

// Rules

Floating

  • Description: ALLOW:: F: NTP internal [IPv4+IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: UDP
    • Source / Invert: unchecked
    • Source: SUB_PRIV4, SUB_PRIV6
    • Destination / Invert: unchecked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 123
    • Log: checked
  • Description: ALLOW:: F: mDNS [IPv4+IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: UDP
    • Source / Invert: unchecked
    • Source: SUB_PRIV4, SUB_PRIV6, SUB_LINK_LOCAL6
    • Destination / Invert: unchecked
    • Destination: IP_S_MDNS_SSDP
    • Destination port range: 5353
    • Log: checked
  • Description: ALLOW:: F: MLD internal [IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv6
    • Protocol: ICMP
    • Source / Invert: unchecked
    • Source: fe80::/10
    • Destination / Invert: unchecked
    • Destination: ff02::16/128
    • Log: checked
  • Description: BLOCK:: F: DNS outside [IPv4+IPv6]
    • Action: Block
    • Quick: checked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: PORT_DNS_BLOCK
    • Log: checked
  • Description: BLOCK:: F: no rule WAN [IPv4]
    • Action: Block
    • Quick: unchecked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: any
    • Log: checked
  • Description: BLOCK:: F: no rule local [IPv4]
    • Action: Block
    • Quick: unchecked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: SUB_PRIV_BOGON, SUB_MULTI_BROAD
    • Log: checked
  • Description: BLOCK:: F: no rule WAN [IPv6]
    • Action: Block
    • Quick: unchecked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv6
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: any
    • Log: checked
  • Description: BLOCK:: F: no rule local [IPv6]
    • Action: Block
    • Quick: unchecked
    • Interface: none
    • Direction: in
    • TCP/IP Version: IPv6
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: SUB_PRIV_BOGON, SUB_MULTI_BROAD, SUB_PRIV6
    • Log: checked

00_WAN

  • Description: BLOCK:: WAN: blocklist (in)
    • Action: Block
    • Quick: checked
    • Interface: 00_WAN
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: any
    • Source / Invert: unchecked
    • Source: URL_BLOCKLIST
    • Destination / Invert: unchecked
    • Destination: any
    • Log: checked
  • Description: BLOCK:: WAN: no rule [IPv4]
    • Action: Block
    • Quick: checked
    • Interface: 00_WAN
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: any
    • Log: checked
  • Description: BLOCK:: WAN: no rule [IPv6]
    • Action: Block
    • Quick: checked
    • Interface: 00_WAN
    • Direction: in
    • TCP/IP Version: IPv6
    • Protocol: any
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: unchecked
    • Destination: any
    • Log: checked

G_PUB_NET4_D

  • Description: BLOCK:: GPN4D: DNS outside [IPv4+IPv6]
    • Action: Block
    • Quick: checked
    • Interface: G_PUB_NET4_D
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: PORT_DNS_BLOCK
    • Log: checked
  • Description: ALLOW:: GPN4D: DNS inside [IPv4+IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: G_PUB_NET4_D
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: G_PUB_NET4_D net
    • Destination / Invert: unchecked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 53
    • Log: checked
  • Description: ALLOW:: GPN4D: internet [IPv4]
    • Action: Pass
    • Quick: checked
    • Interface: G_PUB_NET4_D
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source / Invert: unchecked
    • Source: G_PUB_NET4_D net
    • Destination / Invert: checked
    • Destination: SUB_PRIV_BOGON
    • Log: checked

G_PUB_NET6_D

  • Description: BLOCK:: GPN6D: DNS outside [IPv4+IPv6]
    • Action: Block
    • Quick: checked
    • Interface: G_PUB_NET6_D
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: any
    • Destination / Invert: checked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: PORT_DNS_BLOCK
    • Log: checked
  • Description: ALLOW:: GPN6D: DNS inside [IPv4+IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: G_PUB_NET6_D
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: G_PUB_NET6_D net
    • Destination / Invert: unchecked
    • Destination: IP_S_DNS_NTP_INTERN
    • Destination port range: 53
    • Log: checked
  • Description: ALLOW:: GPN6D: internet [IPv6]
    • Action: Pass
    • Quick: checked
    • Interface: G_PUB_NET6_D
    • Direction: in
    • TCP/IP Version: IPv6
    • Protocol: any
    • Source / Invert: unchecked
    • Source: G_PUB_NET6_D net
    • Destination / Invert: checked
    • Destination: SUB_PRIV_BOGON
    • Log: checked

LOOPBACK

  • Description: ALLOW:: LB:: 9200
    • Action: Pass
    • Quick: checked
    • Interface: Loopback
    • Direction: out
    • TCP/IP Version: IPv4
    • Protocol: TCP/UDP
    • Source / Invert: unchecked
    • Source: 127.0.0.1/32
    • Destination / Invert: unchecked
    • Destination: 127.0.0.1/32
    • Destination port range: PORT_LB_NOLOG
    • Log: unchecked
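To see how the aliases, the DNS/NTP port forwards and the floating, group and interface rules above interact, here is an added Python model (not OPNsense or pf code) of pf's evaluation order: the NAT redirect is applied first and the filter rules then see the translated destination; floating rules are evaluated before group rules and interface rules; a rule with Quick ends evaluation at the first match, while for non-quick rules the last match decides. It covers the IPv4 rules only. Assumptions not on the page: the LAN subnet is 192.168.1.0/24, the LAN interface is a member of G_PUB_NET4_D, and both port forwards are bound to that group; the URL blocklist rule is omitted because its contents are fetched at runtime.

```python
"""Added model of the guide's IPv4 alias / NAT / rule logic (not OPNsense code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Aliases copied from the guide (IPv4 members only). "G_PUB_NET4_D net" is the
# group's own subnet; 192.168.1.0/24 is an assumed LAN range.
ALIASES = {
    "IP_S_DNS_NTP_INTERN": ["192.168.1.1"],
    "SUB_PRIV4": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "SUB_PRIV_BOGON": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255"],
    "SUB_MULTI_BROAD": ["224.0.0.0/4", "255.255.255.255"],
    "PORT_DNS_BLOCK": [53, 853, 2853, 5355, 9953],
    "G_PUB_NET4_D net": ["192.168.1.0/24"],   # assumption
}
GROUPS = {"LAN": {"G_PUB_NET4_D"}, "00_WAN": set()}   # assumed group membership


@dataclass
class Packet:
    iface: str     # interface the packet arrives on
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str              # "pass", "block" or "rdr" (port forward)
    quick: bool
    iface: Optional[str]     # None = floating rule
    proto: str               # "any", "udp" or "tcp/udp"
    src: str
    dst: str
    dst_invert: bool = False
    dport: Optional[str] = None
    rdr_to: Optional[str] = None   # redirect target for "rdr" rules


def addr_match(ip: str, spec: str) -> bool:
    """True if ip is covered by 'any', an alias, or a comma-separated list of them."""
    if spec == "any":
        return True
    nets = [n for s in spec.split(",") for n in ALIASES.get(s.strip(), [s.strip()])]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def port_match(port: int, spec: Optional[str]) -> bool:
    if spec is None:
        return True
    return port in (ALIASES[spec] if spec in ALIASES else [int(spec)])


def matches(pkt: Packet, r: Rule) -> bool:
    on_iface = r.iface is None or r.iface == pkt.iface or r.iface in GROUPS[pkt.iface]
    return (on_iface
            and (r.proto == "any" or pkt.proto in r.proto.split("/"))
            and addr_match(pkt.src, r.src)
            and addr_match(pkt.dst, r.dst) != r.dst_invert   # Destination / Invert
            and port_match(pkt.dport, r.dport))


# NAT > Port Forward (Filter rule association: None, so filter rules must pass it)
PORT_FORWARDS = [
    Rule("PF:: forward NTP to local [IPv4]", "rdr", True, "G_PUB_NET4_D", "udp",
         "SUB_PRIV4", "IP_S_DNS_NTP_INTERN", True, "123", rdr_to="192.168.1.1"),
    Rule("PF:: forward DNS to local [IPv4]", "rdr", True, "G_PUB_NET4_D", "tcp/udp",
         "SUB_PRIV4", "IP_S_DNS_NTP_INTERN", True, "53", rdr_to="192.168.1.1"),
]
# Filter rules in pf order: floating, then group, then interface.
FILTER = [
    Rule("ALLOW:: F: NTP internal", "pass", True, None, "udp",
         "SUB_PRIV4", "IP_S_DNS_NTP_INTERN", False, "123"),
    Rule("BLOCK:: F: DNS outside", "block", True, None, "tcp/udp",
         "any", "IP_S_DNS_NTP_INTERN", True, "PORT_DNS_BLOCK"),
    Rule("BLOCK:: F: no rule WAN [IPv4]", "block", False, None, "any", "any", "any"),
    Rule("BLOCK:: F: no rule local [IPv4]", "block", False, None, "any",
         "any", "SUB_PRIV_BOGON,SUB_MULTI_BROAD"),
    Rule("BLOCK:: GPN4D: DNS outside", "block", True, "G_PUB_NET4_D", "tcp/udp",
         "any", "IP_S_DNS_NTP_INTERN", True, "PORT_DNS_BLOCK"),
    Rule("ALLOW:: GPN4D: DNS inside", "pass", True, "G_PUB_NET4_D", "tcp/udp",
         "G_PUB_NET4_D net", "IP_S_DNS_NTP_INTERN", False, "53"),
    Rule("ALLOW:: GPN4D: internet [IPv4]", "pass", True, "G_PUB_NET4_D", "any",
         "G_PUB_NET4_D net", "SUB_PRIV_BOGON", True),
    Rule("BLOCK:: WAN: no rule [IPv4]", "block", True, "00_WAN", "any", "any", "any"),
]


def evaluate(pkt: Packet):
    """Return (action, deciding rule, final destination) for one packet."""
    for r in PORT_FORWARDS:            # rdr runs first; filtering sees the new dst
        if matches(pkt, r):
            pkt = replace(pkt, dst=r.rdr_to)
            break
    last = None
    for r in FILTER:
        if matches(pkt, r):
            if r.quick:                # quick: first match decides
                return r.action, r.name, pkt.dst
            last = r                   # non-quick: last match decides
    return (last.action, last.name, pkt.dst) if last else ("block", "implicit deny", pkt.dst)


if __name__ == "__main__":
    for p in [Packet("LAN", "udp", "192.168.1.50", "8.8.8.8", 53),      # redirected, passed
              Packet("LAN", "tcp", "192.168.1.50", "8.8.8.8", 853),     # DoT bypass blocked
              Packet("LAN", "tcp", "192.168.1.50", "10.0.5.5", 443),    # logged default deny
              Packet("00_WAN", "tcp", "203.0.113.7", "198.51.100.1", 22)]:
        print(p.iface, p.proto, p.dst, p.dport, "->", evaluate(p))
```

The first case shows why the port forward and the "DNS outside" block do not fight each other: a client that hard-codes 8.8.8.8 is redirected to 192.168.1.1 before filtering, so only the "DNS inside" pass rule sees it. The third case shows the purpose of the non-quick "no rule local" floating rule: traffic that no pass rule claims is still blocked, but with a named, logged rule rather than the silent default.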

// Shaper

Download (down):

  • Pipes
    • Bandwidth: XY Mbit/s
    • Queue: 2
    • Scheduler type: FlowQueue-CoDel
    • (FQ-)CoDel ECN: checked
    • FQ-CoDel quantum: 300*(<Bandwidth>/100) = X or 1514
    • Description: WAN-Download-Pipe
  • Queues
    • Pipe: WAN-Download-Pipe
    • Weight: 100
    • mask: destination
    • (FQ-)CoDel ECN: checked
    • Description: WAN-Download-Queue
  • Rules
    • Sequence: 2
    • Interface: 00_WAN
    • Protocol: ip
    • Source: any
    • Src-port: any
    • Destination: any
    • Dst-port: any
    • Direction: in
    • Target: WAN-Download-Queue
    • Description: WAN-Download-Rule

Upload (up):

  • Pipes
    • Bandwidth: XY Mbit/s
    • Queue: empty
    • Scheduler type: FlowQueue-CoDel
    • (FQ-)CoDel ECN: checked
    • FQ-CoDel quantum: 300*(<Bandwidth>/100) = X or 1514 or empty
    • Description: WAN-Upload-Pipe
  • Queues
    • Pipe: WAN-Upload-Pipe
    • Weight: 100
    • mask: source
    • (FQ-)CoDel ECN: checked
    • Description: WAN-Upload-Queue
  • Rules
    • Sequence: 2
    • Interface: 00_WAN
    • Protocol: ip
    • Source: any
    • Src-port: any
    • Destination: any
    • Dst-port: any
    • Direction: out
    • Target: WAN-Upload-Queue
    • Description: WAN-Upload-Rule

// Settings > Advanced

  • Bogon Networks
    • Update Frequency: Weekly
  • Logging
    • Default block: checked
    • Default pass: checked
    • Outbound NAT: checked
    • Bogon networks: checked
    • Private networks: checked
  • Miscellaneous
    • Disable anti-lockout: checked (only after you have created the relevant firewall rules for GUI access, otherwise you will lock yourself out)

\\ Services > *

// Dnsmasq DNS & DHCP

Verify ISC DHCPv4/6 and Kea DHCP are not auto-enabled before configuration.

General

  • Default
    • Enable: checked
    • Interface: select all interfaces on which you want to enable DHCP
  • DNS
    • Listen port: 53053
    • DNSSEC: unchecked
    • No hosts lookup: unchecked
  • DNS Query Forwarding
    • Query DNS servers sequentially: unchecked
    • Require domain: unchecked
    • Do not forward to system defined DNS servers: checked
    • Do not forward private reverse lookups: unchecked
  • DHCP
    • DHCP FQDN: checked
    • DHCP default domain: empty
    • DHCP local domain: checked
    • DHCP authoritative: unchecked
    • DHCP reply delay: unchecked
    • DHCP register firewall rules: checked
    • Router advertisements: unchecked
    • Disable HA sync: unchecked
  • ISC / KEA DHCP (legacy)
    • Register ISC DHCP4 leases: unchecked
    • DHCP domain override: unchecked
    • Register DHCP static mappings: unchecked
    • Prefer DHCP: unchecked

DHCP ranges

Define your required DHCP ranges for the subnets you created in Interfaces.

DHCP options

Remember we defined the DNS server under Aliases with the alias IP_S_DNS_NTP_INTERN.

  • Default DNS [IPv4]
    • Interface: Any
    • Type: Set
    • Option: dns-server [6]
    • Option6: none
    • Value: 192.168.1.1
  • Default DNS [IPv6]
    • Interface: Any
    • Type: Set
    • Option: none
    • Option6: dns-server [23]
    • Value: [fd00:affe:affe:1::1]

// Unbound DNS

General

  • Enable Unbound: checked
  • Listen Port: 53
  • Network Interfaces: All
  • Enable DNSSEC Support: unchecked
  • Enable DNS64 Support: unchecked
  • DNS64 Prefix: none
  • Enable AAAA-only mode: unchecked
  • Register ISC DHCP4 Leases: unchecked
  • DHCP Domain Override: none
  • Register DHCP Static Mappings: checked
  • Do not register IPv6 Link-Local addresses: checked
  • Do not register system A/AAAA records: checked
  • TXT Comment Support: unchecked
  • Flush DNS Cache during reload: checked
  • Local Zone Type: transparent
  • Outgoing Network Interfaces: 00_WAN

Query Forwarding

Example using home.local as the internal domain, plus example.com when set up with ACME.

  • Dnsmasq (local)
    • Enabled: checked
    • Domain: home.local
    • Server IP: 127.0.0.1
    • Server Port: 53053
    • Forward first: unchecked
  • Dnsmasq rev. (local)
    • Enabled: checked
    • Domain: 168.192.in-addr.arpa
    • Server IP: 127.0.0.1
    • Server Port: 53053
    • Forward first: unchecked
  • Dnsmasq (pub.)
    • Enabled: checked
    • Domain: example.com
    • Server IP: 127.0.0.1
    • Server Port: 53053
    • Forward first: checked

Advanced

  • General Settings
    • Hide Identity: checked
    • Hide Version: checked
    • Prefetch DNS Key Support: checked
    • Harden DNSSEC Data: checked
    • Aggressive NSEC: checked
    • Strict QNAME Minimisation
    • Outgoing TCP Buffers: 32
    • Incoming TCP Buffers: 64
    • Number of queries per thread: 512
    • Outgoing Range: 1024
    • Jostle Timeout: 200
    • Discard Timeout: 4000
    • Private Domains: home.local,local,example.com
  • Serve Expired Settings
    • Serve Expired Responses: checked
    • Expired Record Reply TTL value: none
    • TTL for Expired Responses: none
    • Reset Expired Record TTL: unchecked
    • Client Expired Response Timeout: none
  • Logging Settings
    • Extended Statistics: checked
    • Log Queries: unchecked
    • Log Replies: unchecked
    • Tag Queries and Replies: unchecked
    • Log local actions: unchecked
    • Log SERVFAIL: checked
    • Log Level Verbosity: Level 1
    • Log validation level: Level 0
  • Cache Settings
    • Prefetch Support: checked
    • Unwanted Reply Threshold: none
    • Message Cache Size: 50m
    • RRset Cache Size: 100m
    • Maximum TTL for RRsets and messages: 86400
    • Maximum Negative TTL for RRsets and messages: 300
    • Minimum TTL for RRsets and messages: 60
    • TTL for Host Cache entries: 900
    • Keep probing down hosts: checked
    • Number of Hosts to cache: 2000

DNS over TLS

Use System Nameservers: unchecked

  • Server IP: 9.9.9.10
    • Server Port: 853
    • Verify CN: dns.quad9.net
    • Description: QUAD9::Unsecured: No Malware blocking, no DNSSEC validation
  • Server IP: 149.112.112.10
    • Server Port: 853
    • Verify CN: dns.quad9.net
    • Description: QUAD9::Unsecured: No Malware blocking, no DNSSEC validation
  • Server IP: 2620:fe::10
    • Server Port: 853
    • Verify CN: dns.quad9.net
    • Description: QUAD9::Unsecured: No Malware blocking, no DNSSEC validation
  • Server IP: 2620:fe::fe:10
    • Server Port: 853
    • Verify CN: dns.quad9.net
    • Description: QUAD9::Unsecured: No Malware blocking, no DNSSEC validation

// ACME

Settings

  • Enable Plugin: checked
  • Auto Renewal: checked

Accounts

Let’s Encrypt:

  • Staging account (testing only)
    • Enabled: checked
    • Name: LEv2-Stage
    • Description: Let's Encrypt - Staging (testing only)
    • E-Mail Address: add your email address
    • ACME CA: Let's Encrypt Test CA
  • Production account (default)
    • Enabled: checked
    • Name: LEv2
    • Description: Let's Encrypt - Production (default)
    • E-Mail Address: add your email address
    • ACME CA: Let's Encrypt [default]

Challenge Types

IONOS:

  • Enabled: checked
  • Name: IONOS
  • Challenge Type: DNS-01
  • DNS Service: IONOS domain
  • DNS Sleep Time: 0
  • Prefix: create key at https://developer.hosting.ionos.de/keys (“Präfix”)
  • Secret: create key at https://developer.hosting.ionos.de/keys (“Verschlüsselung”)

Automation

  • Enabled: checked
  • Name: Restart OPNsense Web UI
  • Run Command: Restart OPNsense Web UI

Certificates

  • Enabled: checked
  • Common Name: your domain, e.g. opnsense.example.com
  • ACME Account: LEv2-Stage (testing) / LEv2 (prod)
  • Challenge Type: IONOS
  • Auto Renewal: checked
  • Key Length: ec-256
  • Automations: Restart OPNsense Web UI
  • DNS Alias Mode: Not using DNS alias mode

// Dynamic DNS

Settings

Ionos Example [IPv6]:

Replace <IONOS_TOKEN>

  • Enabled: checked
  • Description: IONOS IPv6
  • Service: custom
  • Protocol: Custom GET
  • Server: https://api.hosting.ionos.com/dns/v1/dyndns?q=<IONOS_TOKEN>&ipv6=__MYIP__
  • Hostname(s): full domain name (e.g. dyn.example.com)
  • Check ip method: Interface [IPv6]
  • Interface to monitor: 00_WAN
  • Force SSL: checked

Ionos Example [IPv4]:

Replace <IONOS_TOKEN>

  • Enabled: checked
  • Description: IONOS IPv4
  • Service: custom
  • Protocol: Custom GET
  • Server: https://api.hosting.ionos.com/dns/v1/dyndns?q=<IONOS_TOKEN>
  • Hostname(s): full domain name (e.g. dyn.example.com)
  • Check ip method: ipify-ipv4
  • Interface to monitor: 00_WAN
  • Force SSL: checked

General Settings

  • Enable: checked
  • Interval: 300

// Intrusion Detection

Settings

  • General Settings
    • Enabled: checked
    • IPS mode: unchecked
    • Promiscuous mode: checked
    • Interfaces: 00_WAN
  • Detection
    • Pattern matcher: Hyperscan
  • Logging
    • Enable syslog alerts: checked
    • Enable eve syslog output: checked
    • Rotate log: Weekly
    • Save logs: 4

IPS mode requires netmap support and may affect performance. Enable only if needed.

Download

  • Select all and click Download & Update Rules
  • Select all and click Enable selected

Schedule

[Screenshot: System > Settings > Cron]

// Monit

General Settings

Add your information and credentials.

Alert Settings

Create a new entry. Below is an example mail format to be added.

Mail format (info):

Update the from line (monit <no-reply@DOMAIN>) to your needs.

from: monit <no-reply@DOMAIN>
subject: $SERVICE $EVENT at $DATE
message: Monit $ACTION $SERVICE at $DATE on $HOST:
  $DESCRIPTION

Yours sincerely,
Monit

\\ Zenarmor > *

// Policies (Default)

Security

[Screenshot: Zenarmor > Policies > Security]

App Controls

  • Cloud Services
    • Apple Cloud
  • Conferencing
    • Google Hangouts Meet
  • Gaming
    • Facebook Games
    • Fortnite
    • Fortnite Tracker
    • Microsoft Xbox
    • Roblox Game
    • Samsung Games
  • Instant Messaging
    • Facebook Chat
    • Facebook Messenger
    • Facebook Video call
    • Google Chat
    • Google Hangouts
  • Media Streaming
    • Apple*
  • Mobile Applications
    • Amazon Firestick TV
  • News
    • Apple News
    • Bild.de
  • Online Shopping
    • Apple Appstore
    • Apple Store
    • Microsoft Wallet
  • Online Utility
    • Apple*
    • Microsoft Cortana
    • Microsoft MSDN
    • Microsoft Weather
    • Pivotal Tracker
  • Proxy
    • iCloud Private Relay
  • Remote Access
    • all except
      • Microsoft Continuum
      • Secure Shell
      • Teamviewer
  • Search
    • Microsoft Bing
  • Social Network
    • Facebook*
    • Google*
    • facebook.comment
    • facebook.statusUpdate
  • Software Updates
    • Apple Pipeline
    • Apple Telemetry
    • Intel Telemetry
    • Malwarebytes Telemetry
    • Microsoft Telemetry
    • Mozilla Telemetry
    • Windows Problem Reporting
  • Storage & Backup
    • all except
      • Google Drive
      • Microsoft OneDrive
  • VOIP
    • Facebook Call


Web Controls

[Screenshot: Zenarmor > Policies > Web Controls]

// Configuration > *

General

  • choose: Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver
  • select your Interfaces Selection
  • define your needs for Deployment
  • set your needs for Logger

Cloud Threat Intel

  • Local Domains Name To Exclude From Cloud Queries: home.local,local

Updates & Health

  • Help Sunny Valley Networks improve its products and services by sharing health and system utilization statistics: unchecked

Reporting & Data

  • set your needs for Reports Data Management
  • activate Scheduled Reports if needed

Privacy

[Screenshot: Zenarmor > Configuration > Privacy]


\\ Resources & More information

This post is licensed under CC BY 4.0 by the author.