OPNSense - a powerful, open source, network firewall and router.

Подписаться 136 тыс.

Просмотров 110 тыс.

50% 1

=== Links ===
Show Notes
wiki.opensourceisawesome.com/...
OPNSense Download
opnsense.org/download/
Support my Channel and ongoing efforts through Patreon:
www.patreon.com/bePatron?u=23...
=== Timestamps ===
00:00 Beginning
00:09 Introduction to OPNSense
02:20 Thank you to my Patrons at Patreon for all of your continued support!
02:55 Get / Download OPNSense
05:55 Installing OPNSense
13:50 Assign Interfaces
16:20 Checking our IP Address when Connected to OPNSense
17:10 Initial Setup Wizard in OPNSense Web GUI
24:00 Setup our Dashboard
26:40 Setup our System for Homelab access and use
=== Contact ===
Twitter: @mickintx
Telegram: @MickInTx
Mastodon: mastodon.partecipa.digital/ @MickInTX
Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. FOr long term server usage, this is the way to go!
www.ssdnodes.com/manage/aff.p...
Get a $50.00 credit for Digital Ocean by signing up with this link:
m.do.co/c/a6a61ae55242
Use Hover as your Domain Name Registrar to get some great control over you domains / sub-domains:
hover.com/SHPaiirr
Support my Channel and ongoing efforts through Patreon:
www.patreon.com/bePatron?u=23...
What does the money go to?
To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
=== Attributions ===
Intro and Outro music provided by www.bensound.com

Наука

Опубликовано:

28 июн 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 136

@bradjahnke9906 Месяц назад

I spent 13 hours trying to figure out port forwarding and it only took me until the last few minutes of your video to figure it out. I will be becoming a patreon when I get back to work.

@AwesomeOpenSource Месяц назад

I appreciate it, and am super glad my video could help.

@TheClembo 2 года назад

Looking v good. Thanks for doing all this for us, I for one greatly appreciate your concise knowledge and perseverance. Looking forward to the follow ups. ATB cheers from the UK.

@AwesomeOpenSource 2 года назад

My pleasure, and glad you like the content!

@roadglide100 5 месяцев назад

Great job of simplifying the documentation in the program. I really enjoy your content. Very helpful. Thank you

@AwesomeOpenSource 4 месяца назад

Thanks for watching!

@2008spoonman 2 года назад

at 37:15 you and I had the same thoughts. Now "Destination" makes sense, just a matter of looking at it from another angle. Great video by the way!

@AwesomeOpenSource 2 года назад

Thank you.

@sandtech Год назад

Perfect finally a video that is use full. Thanks :)

@AwesomeOpenSource Год назад

Glad you like it. I'll have more in the future.

@chrisumali9841 2 года назад

Thanks for the demo and info, have a great day

@AwesomeOpenSource 2 года назад

You bet

@80robina 2 года назад

Love it, got a pcengine apu2 board and had opnsense running on it since I can remember, had pfsense before but switched when netgate took over pfsense

@AwesomeOpenSource 2 года назад

I think that both are great options, and I've had great success with pfSense in the past, but definitely got OPNSense to run more quickly this time around.

@CarlTheHaitian 2 года назад

Good overview of OPNsense. As for aliases as mentioned at 34:35 that's a feature in pfSense as well under the "Firewall" menu. It's very similar.

@AwesomeOpenSource 2 года назад

Excellent information. I figured it was there, but just didn't jump out at me at the time.

@medinarick3 2 года назад

You're the best sir! These videos are so helpful.

@AwesomeOpenSource 2 года назад

Glad you are getting something out of them!

@rogermagana5777 2 года назад

This is my go-to since monowall recommends this as their successor

@AwesomeOpenSource 2 года назад

Interesting to know that, thank you for sharing the information.

@thirdenvoqation7735 2 года назад

I use OpnSense (before the box died) over PFSense for two core reasons, better WireGuard support but more importantly it supports 2FA to lock the system down. As mentioned to others OpnSense is easier to set up and I use also use a dedicated LAN port for management out of a four port NIC. I also LAG two ports for internal traffic and leave one for external. I also use it as a RADIUS server alongside malware/ad blocking. I use Unbound for the latter and to use DNSSEC. Currently I'm looking at setting up GeoBlocking and currently figuring out the best method and also figuring out enabling Let's Encrypt certs once the new box arrives.

@AwesomeOpenSource 2 года назад

Very cool. Way beyond me at this point, but I'm learning.

@jeevespreston 2 года назад

For a less technical person like me, OPNSense gives the benefit of PFSense without its UI complxities. I love it!

@AwesomeOpenSource 2 года назад

Yes, I did find the UI to be a bit more helpful in OPNSense.

@edwinkm2016 Год назад

Switched from pfsense to Opnsense. But to be honest the UI is quite similar. Opnsense color scheme looks a bit more modern. The find-your-page using the search field is useless because it does not support aliases for pages (no hits for “ups” for example). And everything is scattered all over the place. But you won’t use the UI daily anyway

@hbhamilton3 4 месяца назад

Thanks, I learned how Aliases work!

@AwesomeOpenSource 4 месяца назад

You bet!

@Glatze603 2 года назад

Hi, the dark-orange-theme has to be installed with the plugin "os-theme-cicada".

@AwesomeOpenSource 2 года назад

I tried to find the themes, but the version I'm on didn't seem to support them, maybe a recent update or something? I did find a github repo with dark themes, and it wasn't too hard to get it put in place to switch things up.

@SavellM 2 года назад

@@AwesomeOpenSource Its under plugins... System -> Firmware -> Plugins: os-theme-cicada Once its downloaded go to System -> Settings -> General: Theme and select cicada

@jeffherdz 2 года назад

It would be interesting to see which countries are trying access your network. Then turning on the firewall and blocking every nation, except for the U.S. of course, and seeing how much of your traffic drops. I tried that and left port 22 exposed to the world. Three days later, I checked to see how thing were going. And had 87 pages of IP address from mostly China, Russia, Brazil and a middle school in Japan. I switched ssh to another port and after 3 months, And had 6 lines of IP addresses trying to access my network. I also use a Open source product called fail2ban software. And when I checked last, the number of attempts is zero. That has been going on for over 3 years now. Keep up the great videos. Much apricated.

@AwesomeOpenSource 2 года назад

It would indeed. Given how much I share my home server URLs I'm sure I get pinged regularly with folks trying to see what they can reach.

@rlwoodlief 2 года назад

Hi Jeff. Newbie here. Spent my last 5 years using UNTANGLE and tired of paying. Where do I go in OPNSense to setup country blocking?

@jeffherdz 2 года назад

@@rlwoodlief Firewall: Aliases, just take a look there...

@KenPryor 2 года назад

This was very helpful! I'm just starting to learn about OPNSense and hope to get it set up on my home network soon. Just installed a VM of it to learn with before putting it in place. I also have an Eero Mesh system currently and was thinking of switching it to bridge mode so I wouldn't have to come up with other AP's. Have you tried doing that or were you most interested in getting rid of the Eero's entirely? Just found your channel while searching for OPNSense information and now am subscribed. Thanks!

@AwesomeOpenSource 2 года назад

For me it was about moving off of eero completely. I may go back to mesh, but I’ll need it to be open source when I do. The new OPNSense and DD-WRT APs I’m using are working great right now, so happy times for me.

@almighty2374 Год назад

Thank you sir 🎉

@AwesomeOpenSource Год назад

Most welcome

@cattips_ Год назад

Great 👍 You are the best 😁

@AwesomeOpenSource Год назад

Thank you.

@DJDashzn 2 года назад

Hi Brianna. Thanks again for a very informative video. Now that you have covered both operating systems which one do you prefer. This one is obviously completely free due to its open source however, how in your opinion does it stack up to PF sence

@AwesomeOpenSource 2 года назад

Well, I was able to get OPNSense to do what I wanted more easily than with pfSense, so for my purposes OPNSense seems more than capable. Mixed with DD-WRT access points (next video coming out), it really makes a great network for my home / office.

@bahadirm 2 года назад

Please make more videos about OPNsense, especially Firewall rules, VLAN and example usecases.

@AwesomeOpenSource 2 года назад

Coming in the future.

@bahadirm 2 года назад

@@AwesomeOpenSource Awesome!

@MrPDC-jr5yl 2 года назад

Great video Brian. Would be nice to see how's your network structured then. This demo is a proxmox vm, how do you run OPNSense in the network? separate pc? what hardware? Thanks

@AwesomeOpenSource 2 года назад

I did do the install through Proxmox, to allow you to see the screen more clearly, but I did the setup the same exact way on my actual physical hardware. Check out my follow up videos on DD-WRT, particularly the one about using it as an AP only, and you'll see a diagram of how I have my network setup using OPNSense and DD-WRT together (even thought in the video I say pfSense).

@camaycama7479 3 месяца назад

👌 awesome!!

@AwesomeOpenSource 2 месяца назад

Thank you! Cheers!

@LampJustin 2 года назад

1. You don't need to change your port to 440, if you port-forward and only use it to access things from outside it will still work on 443. 2. It's a good idea to allow TCP and UDP for web traffic as QUIC uses UDP to make surfing the web faster. Right now in Traefik at least it's an experimental flag, but I've been using it since it got added and it works great!

@LampJustin 2 года назад

The dark mode is a Plugin underneath System -> Firmware -> Plugins and it's called os-theme-vicuna. After installation you'll need to enable it in System -> Settings -> General.

@AwesomeOpenSource 2 года назад

Interesting. When I left it 443, I definitely get redirected to the main login for OPNSense, but maybe it was the NAT Reflection stuff.

@johngelnaw1243 2 года назад

@@AwesomeOpenSource But if you don't want to access the opnSense page from outside your network, why even listen on WAN? Just set the HTTP(S) service for the gui to listen on LAN only. If you want to access the GUI from outside, use whatever nginx proxy setup to connect to the internal address, instead of the external.

@camaycama7479 3 месяца назад

@@johngelnaw1243thx for that

@mohamedatef8424 2 года назад

Nice video, Opensense / pfsense are very similar But what u think which one is better and has good security? 🤔

@AwesomeOpenSource 2 года назад

I think both have great potential for solid security, but it definitely depends on the user to set it up well in order for it to be secure.

@TheLMFAOZ Год назад

Did you try or used the acme / letsencrypt plugin? does it work nicely? Does it allow you to program / script actions like copying the certificates into other systems + custom commands? I might give it a go and try it myself also, but was wondering if you got to that point.

@AwesomeOpenSource Год назад

I haven't tried any of that, but give it a go and see what you can do with it.

@msmithsr01 Год назад

Awesome video, really appreciate it. Can you clarify something for me? You mentioned that you were using an HP T610 computer to run OPNSense on. I searched for that model but only found HP T610 Thin Clients. Could it possibly be a different model number? Thanks

@AwesomeOpenSource Год назад

I think it's technically a thin client, but it has room for a 4 port NIC inside.

@msmithsr01 Год назад

@@AwesomeOpenSource Great, I'll research it a bit more because I love the thin client profile especially to use as a FW. Thanks for your reply and I love your videos especially the series type like this!

@user-ld8zz5jd4d 9 месяцев назад

You actually want to choose dvd for image type if you are choosing to boot OPNSense from a USB stick.

@AwesomeOpenSource 9 месяцев назад

Thanks for the tip.

@RK-ly5qj Год назад

i have had an oportunity to work with opnsense as well as pfsesense and those are just advanced firewalls(routers?) instead of NGF/UTM you can check by yourself lets say fortinet or SoophosXG - for home its free with all goodies i'll see the deference ;)

@AwesomeOpenSource Год назад

Let me know the difference. I don't think OPNSense and PFSense are just advanced routers. They are definitely firewall applications that can do routing.

@jules.marshall 2 года назад

os-theme-rebellion and os-theme-vicuna are two standard dark themes. I moved from pfSense to OPNSense in 2021. pfSense just doesn't scale when you have hundreds of IPSEC tunnels as every change forces a pointless rule reload.

@AwesomeOpenSource 2 года назад

Yeah, my packages / plugins weren't loading properly, but I fixed it. Also found a really nice dark theme on GitHub.

@jjmart5127 Год назад

@@AwesomeOpenSource Can you share/link which dark theme you went with..?

@rafaelg8238 Месяц назад

great video, congrats. a doubt: I have pi-hole vm in the proxmox. In DNS Primary I will put pi-hole ip or not? Currently I do this configuration directly on my router but I have this doubt when I start using opnsense.

@AwesomeOpenSource 29 дней назад

Yes, use your Pi-hole IP for your DNS setting.

@redrock1857 Год назад

How does the setup wizard part change if I am using a vlan2 on my udm-pro to provide internet to a homelab for my son. I have network 2 setup with 192.168.2.1/24 going to his room.

@slcyberking 2 года назад

I am looking for self hosted "warranty management system". Could you make some suggestions or give some advice

@AwesomeOpenSource 2 года назад

Haven't really looked into those, but I'll see what I can find.

@ShiroColdkeyesTheHedgehog Год назад

Can you install malware protection and hips settings? Also can you port trigger in this software?

@AwesomeOpenSource Год назад

malware protection not sure, but I believe you can Port Trigger.

@GauravGupta-eg7cz 2 года назад

sir need help on setup of headscale and dns tunneling

@AwesomeOpenSource 2 года назад

Let me take a look at it and see what I can figure out. I'm planning to do one on netmaker in the future, so that may help as well. Also, I have some older videos on Wireguard that may help.

@aidanbazan7769 4 месяца назад

Are the firewall rules necessary for fireguard traffic or for cloud flare tunnels? I use both. I imagine with wireguard I just need to port forward and with cloud flare I don't need to do anything.

@AwesomeOpenSource 4 месяца назад

I haven't setup anything like that inside my OPNSense, but I think you are on the right track.

@ripper5941 Год назад

What do u think about nftables for encrypting all my Linux systems ?

@AwesomeOpenSource Год назад

nfTables is for packet filtering and mangling (network traffic) - more for firewall. Not sure how it would help for encrypting a system. Maybe I'm misunderstanding the question.

@glyslay4102 2 года назад

On the issues of USB drive. You can always know what disk is usb by it's size. USB size is permanent when hdd/ssd may vary from machine to machine.

@AwesomeOpenSource 2 года назад

True, but in my case, on the physical machine it had a small 32 GB SSD, and when I put int he 32GB USB, I had a hard time determining which was which based on just the naming convention used, and couldn't find anything int he documentation that specified what the SSD / HDD would be called.

@crist0bal Год назад

if you uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN" and want to use custom dns servers, you have to select the right WAN gateway (ipv4 or ipv6) for each dns server under System -> Settings -> General. in my case there are 2 WAN gateways, WAN_DHCP and WAN_DHCP6. Update: I just deactivated WAN_DHCP6! router doesn't get ipv6 from the modem anyway because of bridge mode!

@AwesomeOpenSource Год назад

Great information, thank you.

@filtrefiltre9358 Год назад

Hello I apologize for my bad English I translate with google. I started with opnsense I watched your video which is very interesting, I will have a question to ask you in the video you explain that you have to put a dns in alternate hostnames, this dns is connected from outside? because I have to connect to my home assistant and my cameras from the outside? If I understood correctly just with the 2 dns that I have I connect without anything else to do with your video configuration? THANKS Cordially

@AwesomeOpenSource Год назад

I use a domain name that I own, and I use it to connect to services I run inside my home network. In order for OPNSense to route those requests, I have to enter the domain name that I'm using. If you are just routing directly to an internal IP Address, then you may not need this.

@filtrefiltre9358 Год назад

Thank you for your explanation. Cordially

@Andr0-Zero 2 года назад

Install the plugin "os-theme-rebellion" for dark mode.

@AwesomeOpenSource 2 года назад

@Andr0-Zero 2 года назад

@@AwesomeOpenSource I've had that theme installed since version 18.x, just did a fresh install for a client with the latest version and it's still there. You looking in the right place? System->Firmware->Plugins?

@AwesomeOpenSource 2 года назад

@@Andr0-Zero I went to recheck, and it still didn't show under plug-ins. I started checking the other tabs, just to be sure it was updating, and packages seemed to be full. I then looked under the update settings, and noticed it was set to a mirror, so I changed it to (default), and refreshed the updates, and now those do show up.

@Martin-ot7xj 2 года назад

Hi there , please make a tutorial video about network monitoring free for home & small business. thnx

@AwesomeOpenSource 2 года назад

Depending on what you're trying to see, you might check out my video on NTop-NG. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-sJkLmjaj02E.html

@zparihar 2 года назад

PFsense has Aliases btw

@AwesomeOpenSource 2 года назад

I found that out later. I guess it was just more obvious to me in OPNSense, but great that they both have it.

@apricotcomputers3943 Год назад

Coooooolll

@AwesomeOpenSource Год назад

OPNSense is awsome, and I'm currently working on a new series using ti and OpenWRT together.

@apricotcomputers3943 Год назад

@@AwesomeOpenSource yes please do, because my team is really focusing on openwrt

@yuraprayoga7750 Год назад

which better between pfsense vs opnsense ?

@AwesomeOpenSource Год назад

They both work pretty the same for my uses. it will depend very much on what you need to do with them as to which you would likely want to use. For enterprise / stable use, I would recommend pfSense at this point in time.

@emanbuoy7673 3 месяца назад

Hey, I've had opn sense for over 2 years now.. i use to to have pia vpn through openvpn .. but it cuts my connection speed in more than half.. i have a gb speed but when i have the vpn running sometimes i get like 200-300mb of speed.. so i had to stop using openvpn.. i heard about wireguard being light weight and faster vpn speed but i cant find any video that shows how to properly set up wireguard with pia vpn.. can you please make a video for it.. plsssss?

@AwesomeOpenSource 3 месяца назад

Can't guarantee with PIA, as I'm not a user, but maybe something can help get you there. Let me see what I can figure out.

@medidarmawan5247 2 года назад

hai sir, why you use Cloudflare DNS server ?

@AwesomeOpenSource 2 года назад

You have to put something in for DNS, so I put that. You can use any DNS you want. In production I use a pi-hole machine with unbound, but the idea is you need to provide DNS if you don't want to use your ISPs predefined DNS settings.

@shinjihirako4773 2 года назад

Can we replace pihole with this?

@AwesomeOpenSource 2 года назад

I think OPNSense has a plugin for Ad-Guard home, that essentially does what Pi-Hole does. If you're just looking for the internal DNS portion of Pi-hole, then yes, OPNSense can do all of that.

@shinjihirako4773 2 года назад

@@AwesomeOpenSource really awesome!

@dennisungureanu2171 Год назад

Why not setup your eeros as APs?

@AwesomeOpenSource Год назад

Have read that you can do that, but that they don't do well setup that way...and Eero has no support for VLANs.

@AcidiFy574 2 года назад

Soooooo, how does it fair against PFsense ?

@AwesomeOpenSource 2 года назад

The systems have almost identical capabilities from the perspective of a home user. Professionals may be more discerning, but as far as the major functionality, they are both excellent options.

@Zenobia992 3 месяца назад

i came from LTT

@AwesomeOpenSource 3 месяца назад

Nice.

@seitbekir 2 года назад

Looks like a great alternative to OpenWRT. But, amd64 only is the saddest part

@AwesomeOpenSource 2 года назад

Yeah, if you haven't looked at pfSense, I think they make an ARM version.

@m3l3e Год назад

God I'm such a noob lol I understand nothing of what any of this means I just know I want a better router so here I am lol

@AwesomeOpenSource Год назад

If you have any questions, or just really don't know where to start from a networking standpoint, jump over to discuss.opensourceisawesome.com and feel free to post questions.

@m3l3e Год назад

@@AwesomeOpenSource Thank you very much, I'll try that! 😁

@ericbenjaminjr Год назад

"I just ctr+c'd out of that" 🤭

@kawaiihikari0 9 месяцев назад

Thank you omg everyone videos are trash and don’t even explain.. thank you 🙏 u saved me loll 😂

@AwesomeOpenSource 9 месяцев назад

Glad I could help.

@zyghom 9 месяцев назад

everything here is super nice but you might have emphasised: DON'T virtualize the Firewall - that is very bad idea - the moment your server is down, entire internet is down ;-)

@AwesomeOpenSource 9 месяцев назад

Very true. Of course if your firewall appliance goes down, it's the same story. I have been playing with having a physical firewall appliance, and a virtualized version that is off until the other goes down, and then I kick it on in the VM while I address any issues on the physical device. I suppose you could also do it the other way around.

@mutosanrc1933 2 года назад

i used opnsense for many years but had trouble with many things and decided this year to go fully with ubiquiti as I was sick of try ing to get things running as I wanted too. With ubiquiti it took my about an hour and with firmware v12 I even get a vpn. Which did not work before with opnsense. I dont say its entirely opnsense fault but they need to make it easier for people who have no clue what they do.

@AwesomeOpenSource 2 года назад

I understand the deisre to have something that just works easily. And I think it's great that such options exist, but closed source is a bit scary to me. As I have no idea what they are doing underneath, and no way to learn or find out if I want to.

@glynnetolar4423 Год назад

Not to mention at some point you'll find ubiquiti will limit you in what you want to do. Oh sure, you may be able o do it but you'll have to dive into json and worse yet, get reset at every firmware update. For advanced applications ubiquiti kind of sucks.

@edwinkm2016 Год назад

Ubiquity is infra-as-code. They can make this easy because you need all their hardware to make it work. They also limit your options. Especially the router/firewall part is lacking. fine for consumers with basic requirements. Opnsense & pfsense have really another target base. You should have some networking knowledge.

@justinonimus2916 Год назад

I have been using Ubiquity for over 5 years without a hiccup as long as the cloud key is on a UPS. Problem is, their hardware goes end of life and is no longer updated, or is too slow to run new features. My old USG gateway bogs down trying to run IPS threat management and I can't update my Ubiquity hardware because it's out of stock at reasonable prices. An alternative I've looked at is the TP link Omada hardware that's pretty much a clone of Ubiquity at very good prices and plenty of inventory. From what I've read on the forums and owner reviews though, it's a buggy work in progress that's not reliable yet. So now my plan is to build my own router with a J4125 processor to replace the Unifi USG, and keep the Unifi APs updated with my old cloud key. Bottom line, Ubiquity seems to be concentrating on their commercial full rack sized hardware, and putting their home network development on the back burner, leading to a dead end. Another thing I don't like is the battery and fan in their Dream series routers. The batteries that retain the settings goes dead, and the network won't come back after a power outage. Yes a big UPS would work, but that's a work around for something that should have an easily replacable battery pack like home alarm systems.

@andreasgramfalt 10 месяцев назад

Tips: its best practice not to use so called "well known ports" for your own things. Port 0 to 1023 is "reserved". You should use 8443 or something similar instead of 440.

@AwesomeOpenSource 10 месяцев назад

Great tip! Thanks for that.

@vtreanor 2 года назад

too much chatter, tldr

@AwesomeOpenSource 2 года назад

Yeah, my channel is definitely for those wanting detail.

@TrophysoftCom Год назад

This is FAR too detailed (and time consuming). People installing OPNSense have at least some experience with computers. You really do not have to elaborate on selecting the GUI language or on explaining what Reboot means or on changing the IP address of the GUI. It could and should have been much shorter without losing any relevant information.

@AwesomeOpenSource Год назад

My channel gets most of it's traffic from people who are just starting out in self-hosting, open source, and yes, sometimes even in tech beyond their toasters. So I intentionally give a lot of information for them. There are tons of channels out there that do the more high level stuff, and they are great at it...but it's not they way I cover this stuff.

@julian.morgan Год назад

@@AwesomeOpenSource I've been using computers for over 30 years - for the first 20 years I was focused pretty exclusively on using various creative apps efficiently and effectively. Along the way I picked up snippets of info and understanding about other aspects of computing - but that process always leaves gaps: and you don't know what you don't know! That's why I'll always try to hunt down someone who's taken the time to be thorough, even if that means I'm revising what I already know, it never hurts to consolidate. Thanks for taking the time to be thorough - us viewers ALWAYS have the "tap the right arrow" option!