OpenSense - Deathraymind/StemLabMK2 GitHub Wiki

OPNsense is a FreeBSD firewall operating system. To install the firewall, you will need a USB drive with the ISO from the OPNsense website. Note that this is not pfSense, as pfSense is closed-source and does not perform as well in our environment, although it has almost identical services.

When you boot from the USB drive, allow it to boot completely without interruptions until you reach the login prompt. Log in with the username installer and password opnsense. This will bring you to the install script, which is straightforward. Leave all default settings and set the root password, or leave it as the default opnsense. Once the installation is complete, replicate the install process on the second device, as we will have redundant firewalls with copied configurations.

Next, you will need to determine the MASTER and BACKUP firewalls. On the MASTER firewall, log in with the username root and the password you set earlier. You should see a number of options to configure the interfaces and IP addresses. First, designate the LAN and WAN interfaces. In this case, the WAN will be the em0 interface, which is the interface directly on the motherboard. The LAN interfaces will be igb0, igb1, igb2, and igb3.

Select option 2 to assign IP addresses to the WAN and LAN interfaces. Set the WAN address to DHCP and skip all IPv6 options by pressing ENTER. Then define the LAN address. When asked whether to obtain the LAN interface address with DHCP, decline so that the address is static, and set its IPv4 address as 172.16.1.1 with a subnet of 24. When asked to set up a DHCP server on the LAN interface, accept, as this will be our VLAN 1 or guest network and our temporary means of accessing the router’s web interface. Set the DHCP range from 172.16.1.20 to 172.16.1.200.

Plug the topmost interface into the trunk interface of the switch and connect your laptop to a VLAN1 accessible port so we can do the remainder of the configurations on the web interface.

Interfaces

Log in to the web interface at 172.16.1.1 in your browser with the user root and the password you set earlier. This part can be tedious, so please read carefully. We will first create the router's VLAN interfaces. Navigate to Interface > Other Types > VLAN, click the add button, and set the settings as follows:

  • Device: VLAN0.10
  • Parent interface: LAN or igb0 interface on the router
  • VLAN tag: 10
  • Description: Cyber

Repeat this configuration format for VLANs 100 and 254, which are our STEMLab and management VLANs, respectively.

Navigate to Interface > Assignments. You should see new interfaces named opt5, opt6, and opt7 or similar. Simply add these interfaces with the add button, save, and apply. Now, set the interfaces’ IP addresses so we can add services such as DHCP to each VLAN. Click on the interface’s orange name, enable the interface with the top box, and set the interface description as igb010, indicating that this is on the physical interface igb0 and is VLAN10. Set the IPv4 configuration to static and scroll to the bottom to set the IPv4 address as 172.16.10.1/24. Save and apply.

For the two other VLANs, set them as follows:

  • igb0100: address 192.168.100.1
  • igb0254: address 192.168.254.2

DHCP

Next, set the DHCP services for each VLAN. Go to Services > ISC DHCPv4 and select the new igb010 interface we created. Check the box at the top to enable DHCP services on this interface. Set the range from 172.16.10.21 to 172.16.10.200 and set the DNS server to 8.8.8.8. If you have a Windows AD server, set the DNS address to the IP address of that server to resolve the hostname. In this configuration, we have DNS 1 as 172.16.10.20 and DNS 2 as 8.8.8.8. Set the failover IP to 172.16.10.2 (our backup router's VLAN10 interface). Save and apply.

Repeat this for the interfaces igb0100 and igb0254, with the ranges 192.168.100.21 - 192.168.100.200 and 172.16.254.101 - 172.16.254.200, respectively. Set both DNS servers to 8.8.8.8, and set the failover IPs to 192.168.100.2 and 172.16.254.2, respectively. Save, apply, and reboot the router so that FreeBSD brings up the new VLAN interfaces and their services.
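A DHCP pool, failover peer or DNS server that lands outside the interface's subnet, or inside the pool, fails quietly in ISC DHCPv4, so it is worth checking the plan before clicking through it. The following check is an added example, not part of the wiki; it takes the per-VLAN values exactly as this page gives them (constructed input) and reports any interface whose pool, failover peer or static hosts are inconsistent with the interface address.

```python
import ipaddress

# Addressing plan as written on this page (constructed input for the check):
# interface -> (firewall address, pool start, pool end, failover peer, DNS servers)
PLAN = {
    "igb010":  ("172.16.10.1/24",   "172.16.10.21",   "172.16.10.200",  "172.16.10.2",   ["172.16.10.20", "8.8.8.8"]),
    "igb0100": ("192.168.100.1/24", "192.168.100.21", "192.168.100.200", "192.168.100.2", ["8.8.8.8"]),
    "igb0254": ("192.168.254.2/24", "172.16.254.101", "172.16.254.200", "172.16.254.2",  ["8.8.8.8"]),
}


def check_interface(addr, start, end, failover, dns):
    """Return a list of problems for one VLAN interface; an empty list means it is consistent."""
    iface = ipaddress.ip_interface(addr)
    net = iface.network
    start, end, failover = (ipaddress.ip_address(x) for x in (start, end, failover))
    problems = []
    if start not in net or end not in net:
        problems.append(f"DHCP range {start}-{end} is outside {net}")
    if start > end:
        problems.append("DHCP range start is after its end")
    if failover not in net:
        problems.append(f"failover peer {failover} is outside {net}")
    if failover == iface.ip:
        problems.append("failover peer equals this firewall's own address")
    # Static hosts (this firewall, its peer, any DNS server) must not sit inside the pool,
    # otherwise DHCP can hand their addresses out to clients.
    static_hosts = [("firewall", iface.ip), ("failover peer", failover)]
    static_hosts += [("DNS", ipaddress.ip_address(d)) for d in dns]
    for name, host in static_hosts:
        if start <= host <= end:
            problems.append(f"{name} address {host} lies inside the DHCP pool")
    return problems


def check_plan(plan):
    """Run check_interface over every interface and map interface name -> problems."""
    return {name: check_interface(*spec) for name, spec in plan.items()}


if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against the values above it flags igb0254, whose interface address and DHCP range sit in different /24s; the other two VLANs pass.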

PFsync

Now we will set up PFsync. There is one last interface to create on each router. First, log in to your MASTER router, go to interfaces, and enable opt4 or igb3. Describe it as PFsync and set it to a static IPv4 address of 10.0.0.1/24. Then, log in to your BACKUP router and copy the same configuration but set the address to 10.0.0.2/24. Connect the two interfaces (the bottom interfaces of each router) to each other; they should be able to contact each other, allowing the PFsync application to copy configurations across these interfaces.

Next, we need to add a CARP (Common Address Redundancy Protocol) virtual IP so that PFsync and the other backup services can work. Navigate to Interfaces > Virtual IPs > Settings and set the type to CARP. Set the interface to LAN and the network address to 172.16.1.3/24. Set the VHID group to 1 and the advbase to 1 (on the BACKUP router, set the advbase to 2). Describe it as LAN.

Add another CARP for the WAN interface. Set the interface to WAN, and the password as desired. The VHID group should be 2 and the advbase set to 1; on the BACKUP router, it should be 2. Describe it as WAN. Save and apply all configurations.

Firewall Rules

Navigate to Firewall > Rules > PFsync. Add a rule, set it to pass on interface PFsync with any for all other options, save, and apply. Create the same rule on the PFsync interface of your BACKUP router. Do the same for VLAN10 or the igb010 interface, as that’s where many of our services such as PXE and Windows AD are.

High Availability

Navigate to System > High Availability > Settings on your MASTER router. Check Synchronize States, set the synchronization interface to PFsync, and the synchronization peer IP to 10.0.0.2. The username and password should be set to root and the password of the second router. Select all the services in the XMLRPC Sync. Save and apply.

On the BACKUP router, set the synchronization state as up, the interface as PFsync, and the IP as 10.0.0.1. DO NOT SET ANY XMLRPC sync settings.
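Once both routers are up, the thing to verify is that each VHID has exactly one MASTER. If the PFsync link or its pass rule is missing, both nodes stop hearing each other's advertisements and both become MASTER for the same virtual IP. The following check is an added example, not part of the wiki; it parses the `carp:` status lines that FreeBSD's ifconfig prints on each node (the two excerpts are constructed and deliberately show vhid 2 claimed by both) and reports split-brain, missing VHIDs, and a BACKUP that does not advertise less eagerly than the MASTER.

```python
import re

# Constructed ifconfig excerpts from both firewalls (vhid 1 = LAN CARP, vhid 2 = WAN CARP).
MASTER_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
    inet 172.16.1.3 netmask 0xffffff00 broadcast 172.16.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
BACKUP_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 1 advbase 2 advskew 0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 2 advbase 2 advskew 0
"""

CARP_RE = re.compile(r"carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")


def parse_carp(ifconfig_text):
    """Map vhid -> (interface, state, advbase, advskew) from one node's ifconfig output."""
    states, iface = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # interface header line, e.g. "igb0: flags=..."
            iface = line.split(":", 1)[0]
        m = CARP_RE.search(line)
        if m:
            state, vhid, advbase, advskew = m.groups()
            states[int(vhid)] = (iface, state, int(advbase), int(advskew))
    return states


def check_pair(master_text, backup_text):
    """Compare CARP state on the intended MASTER and BACKUP and return a list of problems."""
    a, b = parse_carp(master_text), parse_carp(backup_text)
    problems = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            problems.append(f"vhid {vhid} is configured on only one firewall")
            continue
        masters = sum(1 for s in (a[vhid][1], b[vhid][1]) if s == "MASTER")
        if masters == 2:
            problems.append(f"vhid {vhid}: both firewalls claim MASTER (split brain; check the PFsync link and its pass rule)")
        elif masters == 0:
            problems.append(f"vhid {vhid}: no firewall is MASTER")
        # Lower advbase/advskew wins the election, so the MASTER must advertise more eagerly.
        if a[vhid][2] >= b[vhid][2] and a[vhid][3] >= b[vhid][3]:
            problems.append(f"vhid {vhid}: MASTER does not advertise more eagerly than BACKUP")
    return problems
```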

Captive Portal

The captive portal section requires an existing AD on the network, in our case, goon.central.lan. First, the router has to resolve this hostname. Go to Services > Unbound DNS > Overrides and add it with the following settings:

  • Host: goon
  • Domain: central.lan or cyber.lan, depending on your domain name
  • IP address: 172.16.10.20 or the appropriate IP address for your AD server

Save, apply, and restart the Unbound DNS service. Now, add your domain to the router. Go to System > Access > Servers and add an LDAP Server. Give it a name and set the IP address to 172.16.10.20, or your AD server's IP. For the bind credentials, use the domain administrator account. For our domain goon.central.lan, the format will be goon\administrator, and for cyber.lan, it would be cyber\administrator. The password is the administrator’s password. Set the search scope to the entire subtree and the base DN to DC=goon,DC=central,DC=lan or DC=cyber,DC=lan. Select all options in the authentication containers.

Set up a voucher service by adding another Access server. Name it stemlab cafe and set it to voucher. Use simple passwords and set the username and password length to 4. Save.

Go to Services > Captive Portal > Administration, enable it, set the interface to LAN, and authenticate using the voucher server we just created. You can add the AD server, but that is a work in progress. Save and apply.

To create vouchers, go to Services > Captive Portal > Vouchers and create vouchers. Set the validity to the desired period (e.g., 1 week or 1 month). Generate, and you will get a CSV file. Transfer the user and password codes from the CSV onto a sheet of paper, print it out, and hand the codes out to people after they pay.