Your network is wide open! // A Beginner's Guide to Firewall Rules in OPNsense

  • Published 22 Aug 2024

Comments • 62

  • @DevOdyssey  1 year ago  +2

    How would you setup your firewall rules? Would you use app based rules?
    What's your favorite firewall OS?

    • @marcusjohansson668  1 year ago  +1

      On a note of "protection on your PC" as an extra precaution, as a "last line of defence", have you looked into portmaster on Linux?
      I'm insanely impressed by the simplicity while still being powerful af. I don't know how many times I have uttered "wtf, why does this new scb not connect to my samba share on my computer when ALL the others do", then I remember I have to accept it in portmaster. It even plays nice with my pihole.
      I can't even ping my PC w/o opening the possibility in portmaster, either network-wise OR, like I do it, full control over every-single-client!
      No need to get the "pro" features, the basic is enough to make this program a must on my PC.
      On a side note, wonder why my android TV box keeps sending different weird requests to my computer? xD
      Well, I don't have to care, because portmaster is not letting it know a god damn thing anyway. xD

    • @DevOdyssey  1 year ago

      @marcusjohansson668 Thanks for sharing, and reminding me! I actually have heard of it, but I have not tried it out. It sounds like Glasswire for Windows or Little Snitch for macOS. It looks really nice and seems to have gotten much farther than it was when I saw it last time. There are just more capable host based firewalls that provide alerting and detection than the default firewall these systems come with. I've actually wanted to do a video around this topic, I just haven't gotten around to doing it yet, but it's definitely really powerful. I'll have to look into portmaster for Linux, and maybe do a video on that and compare them to other systems / software. Happy to hear about your experience with portmaster and I look forward to trying it out myself!

  • @PhilipLemon  3 days ago  +1

    Great video. Clear and concise.

    • @DevOdyssey  3 days ago

      Thanks for watching @PhilipLemon! Appreciate the compliment 😊

  • @starshine_Ultra  11 months ago  +2

    Thank you for making a clear starter firewall instruction video. Please make a version update with packet sniffing and other advanced security addons for anti-attacks and locks in the system so it can't be changed. The IDS, IPS, telnet, snort and suricata. Also please make an OPNsense to Omada video, since I haven't seen anyone make a version of that kind of setup. I am aware that OPNsense can be used with Omada OC200 and eap225s for a meshed network setup.

    • @DevOdyssey  11 months ago  +2

      Thanks for watching Starshine!
      Glad you liked it. I’d love to make other videos on the advanced security add-ons as I get around to actually using them. I haven’t had much time to use the IDS, IPS, snort and suricata, and deep packet inspection.
      I’m not familiar with Omada, so I’d have to do some research into that and purchase one to tinker around with, before I can figure out what’s possible with them, and even a meshed network setup.
      You can use off the shelf software with Omada and should be able to create a mesh setup that way, as it would handle all the wireless and the underlying networking could be handled by OPNsense. Or if you’d like, you could have UniFi devices handle the wireless / mesh for you, and use their UniFi controller. I do have experience there and I would recommend it, as a prosumer platform. I use UniFi access points for my mesh network with my OPNsense setup and it’s worked out well for me.

  • @isaacc2887  1 year ago  +1

    Excellent videos Dev, keep up the great work, I hope the algorithm is kind to you.

    • @DevOdyssey  1 year ago

      Thanks for watching Isaac!
      I really appreciate the compliment 😊.
      I hope so as well! All I can do is to try and satisfy the algorithm with as much excellent content as possible, and I’d imagine it would be kind to me. Only time will tell.

    • @johndroyson7921  9 months ago

      Yeah, I really like these. The instructions are easy to follow... like a classroom session.

    • @DevOdyssey  9 months ago

      Thanks for watching @johndroyson7921! Glad you liked it and got something out of it! I try my best to make it as easy to absorb, but also easy to follow along and implement for whoever’s watching.

  • @shuaibchoat3425  9 months ago  +2

    Dude, you saved my @$$. Thank you for such an informative and instructional guide 👍

    • @DevOdyssey  9 months ago  +2

      Thanks for watching @shuaibchoat3425! I appreciate the compliment and happy to have "saved" you haha 😊

  • @goppinaththurairajah760  1 year ago  +3

    As usual, great explanation. I am trying to understand the ins and outs of both OpenWrt and the sense systems. I am convinced by OpenWrt because of the ARM architecture and its energy saving nature. I always suspect whether I overlooked the sense system. What is your opinion about it? Please don’t give the answer “it depends” 😉.

    • @DevOdyssey  1 year ago  +2

      Thanks for watching Goppinath!
      While I understand that "it depends" is not the answer you're looking for, that's really the only way I can answer it 😉
      For me and what I like, I think OPNsense / pfSense are great for deploying in a home network where you want not only good control of your network traffic, but also monitoring. It has a web interface with capabilities that are much more mature than OpenWrt in my opinion. It makes it really easy to track and troubleshoot your firewalls. Let alone, I don't use OPNsense, or OpenWrt, to its fullest capabilities, so it can do even more than what I have used it for. So if those things are important, I'd go with OPNsense.
      Now living where I do, energy prices aren't that expensive, so having this deployed on an x86 architecture that consumes more power than ARM isn't a big deal. If that is important to you, then you might feel OpenWrt suits your needs more.
      In addition, OpenWrt has much better hardware support than OPNsense or pfSense. For example, there are many more supported cellular modems for OpenWrt than there are for OPNsense. If additional hardware support is significant, then again, OpenWrt may suit you better.
      I use both for different purposes. Standing up a home / business network, I'd go with OPNsense. I'm not constrained by power or hardware support here. Creating a travel router with cellular internet, I'd go with OpenWrt. Here, I am constrained more on power consumption (assuming you are using a battery) and portability, and hardware support is crucial, so OpenWrt in this scenario.
      Depending on your situation, priorities and constraints, one will suit you better than the other, and that's why I have / use both.

    • @l4kr  9 months ago

      x86 will always be superior to arm. It doesn't depend. Arm is bad unless you have a mobile device. You will barely save any money lol

    • @DevOdyssey  9 months ago

      @l4kr thanks for watching! For the extra power draw, x86 definitely has better processing power, especially for stationary setups like desktop PCs. I like using x86 for FreeBSD based setups such as OPNsense, let alone, there technically isn’t a fully supported ARM image of OPNsense, yet. While ARM has certainly made big improvements in processing power while keeping a low power draw, I prefer the power that comes with x86 deployments with OSes like OPNsense or pfSense once I get a chance to play around with it.
      For my portable network solutions, usually they’re all ARM based so I can only use ARM supported operating systems, such as Linux based ones like OpenWrt. I do have one OpenWrt deployment I use that I’ll probably migrate to OPNsense one day, on the x86 box I used in this video. Monitoring network traffic and firewall rules is much easier in OPNsense than in OpenWrt, which helps me validate my network changes and make sure it’s working as expected.

  • @TheAngelousD  9 months ago

    Looking forward to the Zenarmor layer 7 video :). Thanks for the work done

    • @DevOdyssey  9 months ago

      Thanks for watching! I appreciate the compliment 😊
      I'm looking forward to getting my hands on Zenarmor as well. Doing some layer 7 policy rules feels really cool when I think about it, when compared to legacy port based rules. As I've had experience with this in enterprise systems, app based rules make lots of sense from a security perspective, so it's great to see how technology has advanced to enable features like this, not just for businesses with deep pockets, but also for prosumers who can't afford the big enterprise network gear, and let alone, probably don't need it either.

  • @Liv4IT  5 months ago  +1

    Pretty nice video thanks 😊

    • @DevOdyssey  5 months ago

      @Liv4IT You're welcome! Thanks for watching 😊

  • @starfoxBR77  1 year ago

    Just started watching!! Thank you!

    • @DevOdyssey  1 year ago  +1

      Awesome! Thanks for watching @starfoxBR77. Hope you enjoy 😊

  • @EustisRider  6 months ago

    Great video. Well explained. Thank you. 👍

    • @DevOdyssey  6 months ago

      Thanks for watching @EustisRider!
      Really appreciate the compliment, happy you liked the video 😊

  • @barneybarney3982  1 month ago  +1

    Not trying to be rude or something, but I kinda expected to see something different, like some tips or w/e, but the video is less informative than just opening "full help" right on the rule page.

    • @DevOdyssey  1 month ago  +1

      Thanks for watching @barneybarney3982, and no worries. I'm not taking any offense, I appreciate you sharing your thoughts.
      This video is really meant to provide the hands on approach that you wouldn't get from clicking "full help". While the things I say certainly have overlap, the full help won't click through the options for you and show how they are used, in conjunction with different options.
      I have thought about some general "firewall tips" videos about best practices and good rules, that I hope to get to in the future, as I can see that being a very helpful video. I just haven't gotten around to it yet.

  • @chuckcorvec3453  1 month ago

    I tried this. My installation had a default allow Any to any rule. I removed it and added the first two in this video. My entire network went down. I could not get to anything. Any idea why?

    • @DevOdyssey  1 month ago

      Thanks for watching @chuckcorvec3453!
      Sorry to hear about your trouble. I'm curious about that rule, I have to look again to check if that's a default rule in my installations.
      Anyway, these two rules will not be suitable for all traffic on your home network. Rather, this was merely to show the example of how to create rules, and not all the rules any home network needs.
      The rules you need depend on the devices in your environment. What you do want is allow rules for HTTP/HTTPS, for most web and internet based traffic.
      The way I recommend doing this process is setting up your base rules, all above your default ANY / ANY rule (making sure quick match is checked off). Then, when you feel you have done enough rules, you can disable the ANY / ANY rule, and see what happens. If something breaks, you can turn that rule back on, and begin to troubleshoot to find out how you can make a new rule to fix what broke, since you ideally wouldn't want that ANY / ANY rule in place indefinitely.
      This ANY / ANY rule is just an easy way to make sure everything works, and if you want the easiest solution, you can leave that on. However, it reduces the control you have over your network traffic. Depends on what you're trying to achieve and what level of control you want to exercise over your network.

  • @tzvikawasserman1776  7 days ago

    Do I add RFC1918 rules to all my Vlans?
    Switch, wireguard, etc?

    • @DevOdyssey  3 days ago

      Thanks for watching @tzvikawasserman1776!
      So I'm not sure I completely understand the ask, but my answer would be it depends. Do you want all your VLANs to communicate to all RFC1918 networks? Depends on the purpose of your VLAN. For example, my IoT VLAN doesn't communicate with all RFC1918 networks, because I want to limit its communication to the local subnet, and to the internet, rather than to devices on my other networks, or to my VPN network that I've configured with WireGuard.
      But you might want to use RFC1918 for a management VLAN to talk to all devices, and therefore would use that rule.

  • @marcusjohansson668  1 year ago  +1

    Question.
    Choosing SSH protocol ONLY opens port 22 correct? Or can I use any port (as long as the server accepts it ofc) as long as I try to connect with the ssh protocol?

    • @DevOdyssey  1 year ago  +1

      Thanks for watching Marcus!
      In this case, that’s correct. Since these are port based rules, when you chose SSH as the port in the allow rule, it will only open port 22 as it's referring to the standard port for SSH defined by its RFC.
      When setting up an SSH server, you can choose any port you want for the SSH server to listen on, and you can connect to the server via that port using your SSH client (using the SSH protocol of course).
      In that scenario, this allow rule will not match that traffic since it’s on a different port, and therefore the firewall here would block that traffic. If this were a firewall with app rule capabilities, you could match the rule on the SSH protocol and not on the port, which is much more ideal. This is done via packet inspection, and it’s pretty neat.
      But not to digress, what you’re asking should work, so long as you have the right rule to account for it, if you’re behind a firewall and connecting out to an SSH server.

    • @marcusjohansson668  1 year ago

      @DevOdyssey You are THE MAN!
      Hope all is well with mrs. Odyssey and Odyssey Jr.!!!

    • @DevOdyssey  1 year ago

      Thank you Marcus! You’re very kind. All is well with the family, and I hope the same for you and your family! 😊

  • @user-zr7kz4vs7c  1 year ago  +1

    May I ask how to verify my install of OPNsense is the official one? Thanks

    • @DevOdyssey  1 year ago  +1

      Thanks for watching! And sure, interesting question. If you downloaded it from the OPNsense website, it should be legitimate. However, if you still have the ISO install file, you can check its hash / checksum against the one provided by OPNsense on their website, and if they match, then you know it's official and has not been tampered with. Take a look below and you'll see what I mean.
      opnsense.org/download/
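Added worked example (my own code, not from the video, the commenter or the OPNsense project) of the checksum comparison described in the reply above: it parses a published SHA-256 list, hashes the image in a streaming way, and compares in constant time, reporting a mismatch or a file that the list does not cover. The two list formats it accepts (BSD-style `SHA256 (file) = hash` and GNU `sha256sum` style), and the sample file name and contents built inline, are assumptions.

```python
import hashlib
import hmac
import re
from pathlib import Path
from typing import Union

# Two line shapes a published checksum list may use (assumed formats, both handled):
#   BSD style, as FreeBSD's sha256 tool prints:  SHA256 (image.iso) = <64 hex>
#   GNU style, as sha256sum prints:               <64 hex>  image.iso
_BSD_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S+)$")


def parse_checksums(text: str) -> dict:
    """Map file name -> expected SHA-256 (lower-case hex). Lines in neither format are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD_LINE.match(line) or _GNU_LINE.match(line)
        if m:
            expected[m.group("name")] = m.group("hex").lower()
    return expected


def sha256_of(source: Union[bytes, Path]) -> str:
    """SHA-256 of in-memory bytes or of a file, streamed so a multi-GB ISO is never loaded whole."""
    h = hashlib.sha256()
    if isinstance(source, bytes):
        h.update(source)
    else:
        with Path(source).open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_image(name: str, source: Union[bytes, Path], checksum_text: str) -> str:
    """'ok' when the image matches its published hash, 'mismatch' when it does not,
    'not-listed' when the checksum list has no entry for that file name at all."""
    expected = parse_checksums(checksum_text).get(name)
    if expected is None:
        return "not-listed"
    # compare_digest does a constant-time comparison of the two hex digests
    return "ok" if hmac.compare_digest(sha256_of(source), expected) else "mismatch"


# Constructed sample: a tiny stand-in "image" plus a checksum list that covers it in both styles.
SAMPLE_NAME = "opnsense-sample.iso"
SAMPLE_IMAGE = b"constructed stand-in for an installer image\n" * 64
SAMPLE_LIST = (
    f"SHA256 ({SAMPLE_NAME}) = {sha256_of(SAMPLE_IMAGE)}\n"
    f"{sha256_of(b'some other constructed image')}  other-{SAMPLE_NAME}\n"
)

if __name__ == "__main__":
    print(verify_image(SAMPLE_NAME, SAMPLE_IMAGE, SAMPLE_LIST))           # ok
    print(verify_image(SAMPLE_NAME, SAMPLE_IMAGE + b"x", SAMPLE_LIST))    # mismatch
    print(verify_image("unknown.iso", SAMPLE_IMAGE, SAMPLE_LIST))         # not-listed
```

For a real download, pass the ISO's `Path` as `source` and the text of the downloaded checksum list as `checksum_text`.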

    • @user-zr7kz4vs7c  1 year ago  +1

      @DevOdyssey thanks

  • @tonysteele3805  1 month ago

    My entries don't appear on the live view at all. FYI none of this works after the recent update. Also DHCP server totally changed. Seems someone has infiltrated the project. Way too many coincidences.

    • @DevOdyssey  28 days ago

      Thanks for watching @tonysteele3805.
      So I'm not sure why this is the case for you, but are you sure that each rule you have made is set to log, such as at 11:34? If you haven't, they will never show up in your firewall log. As for working after the recent update, it still works fine for me, so I'm not sure why (or what) you are experiencing.
      DHCP has changed to a new backend. It's using a more modern version of DHCP called Kea. You can find more in the link below, but the old version of DHCP is reaching end of life.
      docs.opnsense.org/manual/dhcp.html
      I wouldn't say it's infiltrated, there doesn't seem to be any indication that is the case, and would advise to be cautious of those statements without more concrete evidence, since unfortunately this is becoming a thing in modern day supply chain security of open source developed software, and should be taken very seriously, just as with the recent example of the xz backdoor that was created.
      I digress, but what has been seen so far is normal in software lifecycle.

  • @freshnews8538  9 months ago

    Hi can you make a video on port forwarding for hosting website accessible to the internet?

    • @DevOdyssey  9 months ago

      Thanks for watching @freshnews8538! While I haven’t done a specific port forwarding video for OPNsense, I have done a basic one for a Linksys router.
      th-cam.com/video/3RfLn2jcGjA/w-d-xo.htmlsi=Zj1xk9ybZc0VJftU
      The interface is obviously different, but the premise remains the same.

  • @joecook4451  4 months ago

    What if you just wanted to block security cameras from the internet?

    • @DevOdyssey  3 months ago  +1

      Thanks for watching @joecook4451!
      This can be easily done by creating a VLAN for your security cameras. This VLAN would be dedicated to only security cameras, and nothing else.
      Then, you simply make a rule to block traffic to non private IPs, which effectively blocks them from the internet.
      Now you don't exactly need a VLAN to do this, and if you didn't, you'd have to find the IP of each security camera, and create that same firewall rule. Or give them static IPs, and then use that same rule. But it may mean that other devices will be able to interact with your camera on that same network. That's why, in my opinion, it's better to simply segment all the cameras out into one VLAN. You can find my video below on creating a VLAN in OPNsense.
      th-cam.com/video/GxTA0b1gAsU/w-d-xo.html
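Added worked example (my own code, not from the video or any commenter) tying together three replies in this thread: rule ordering with and without the Quick option (the chuckcorvec3453 and dalewhitmore143 replies), a port-based SSH rule that matches port 22 and nothing else (the marcusjohansson668 reply), and blocking a camera VLAN from every non-private destination (the reply just above). It simulates pf's rule evaluation, which OPNsense rules compile to, over constructed packets; the alias name, addresses, ports and rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias table; "rfc1918" stands for the private-range alias the replies refer to.
ALIASES = {"rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass" or "block"
    quick: bool = True           # the "Quick" checkbox, which OPNsense enables by default
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"             # "any", a CIDR, or an alias name from ALIASES
    dst_invert: bool = False     # the "Destination / Invert" checkbox: match everything NOT in dst
    dport: Optional[int] = None  # a port-based rule matches this port only, whatever the application

def _addr_in(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES.get(spec, (spec,)))

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # "!=" performs the inversion: with dst_invert set, the rule matches addresses outside dst
    dst_ok = _addr_in(pkt.dst, rule.dst) != rule.dst_invert
    return _addr_in(pkt.src, rule.src) and dst_ok

def evaluate(rules, pkt: Packet, default: str = "block"):
    """pf semantics: rules are read top to bottom and the LAST matching rule wins,
    unless a matching rule is 'quick', which ends the search right there.
    Returns (action, rule_name), or (default, None) when no rule matches."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.name) if winner else (default, None)

# Constructed rule set for a camera-only VLAN: let cameras stream to the recorder,
# then drop anything whose destination is NOT a private address (i.e. the internet).
CAMERA_VLAN = [
    Rule("allow-cams-to-nvr", "pass", proto="tcp", dst="192.168.20.10/32", dport=554),
    Rule("block-internet", "block", dst="rfc1918", dst_invert=True),
]

# The same SSH allow rule above a catch-all block, once with Quick on and once with it off.
SSH_QUICK = [Rule("allow-ssh", "pass", proto="tcp", dport=22), Rule("block-all", "block")]
SSH_NO_QUICK = [Rule("allow-ssh", "pass", quick=False, proto="tcp", dport=22),
                Rule("block-all", "block")]

if __name__ == "__main__":
    cam = "192.168.20.50"
    print(evaluate(CAMERA_VLAN, Packet(cam, "192.168.20.10", "tcp", 554)))  # pass, allow-cams-to-nvr
    print(evaluate(CAMERA_VLAN, Packet(cam, "203.0.113.10", "udp", 53)))    # block, block-internet
    print(evaluate(CAMERA_VLAN, Packet(cam, "192.168.10.5", "tcp", 445)))   # block, None (no rule hit)
    ssh = Packet("192.168.1.20", "192.168.1.5", "tcp", 22)
    print(evaluate(SSH_QUICK, ssh), evaluate(SSH_NO_QUICK, ssh))             # pass vs block
    print(evaluate(SSH_QUICK, Packet("192.168.1.20", "192.168.1.5", "tcp", 2222)))  # block: not port 22
```

The `SSH_NO_QUICK` case is the pitfall behind "make sure quick is checked": without it, the later catch-all block is the last match and wins even though the allow rule sits above it.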

    • @joecook4451  3 months ago

      I have a mini PC with 2 ports, 1 LAN 1 WAN. I have a Linksys 3200 in wireless bridge mode. I have an 8 port switch, which says it has an unmanaged VLAN option. If I turn it on nothing connects to each other. So not sure how to use that. Another guy on here did a review of it and couldn't figure it out either.
      I ordered a USB to ethernet adapter, to plug into OPNsense and give another LAN port. Then I'll plug the bridged wifi router into it. I'm hoping I can get MAC address control at least on those devices. I have all devices in the network statically assigned via DHCP. I know it's overkill but I hope it helps in blocking what needs blocking. I eventually got rid of the allow any line. Then created aliases for 3 groups. wan-no = devices that never get WAN. wan-yes = always needs WAN. screentime = devices like firetv, tablets, cellphone. And created allows for those. This worked great. Except it allowed devices on the LAN to talk to each other, assuming MAC address level routing... so for example if I disable the screentime rule, all those devices won't have internet, which is great. Although my media center has emby serving the media so those local devices can still access it.
      Once I get the USB ethernet today, I need to find the proper way to make sure it's part of the LAN, and make sure it gets DHCP from OPNsense like the LAN port does. I tinkered with making a bridge before but not sure if it's what's needed.
      Also thought of doing VLANs. Not my strong suit btw. But from what I understand it would create another subnet for each VLAN group. I'm not sure if that will work as well, since my suspicion is the switch will still bypass the router and use the switch to route by MAC address..
      I'll review the VLAN video and see what I can do that way as well. But not sure if the devices will still bypass the router ACL and the switch will route by MAC address before it gets there.

  • @mrfantasticindian1593  10 months ago

    Make a video on the VyOS firewall, it's simple and efficient

    • @DevOdyssey  10 months ago  +1

      Thanks for watching @mrfantasticindian1593!
      I have heard of VyOS before, but have yet to get around to trying it out. If I do, then chances are I'd make some videos on what it can do, including firewall rules.

  • @nickquik  5 months ago

    I tried pinging my interface and I got no hits in live view

    • @DevOdyssey  5 months ago

      Thanks for watching @nickquik! Did you make sure to enable logging on the ping rule? That's the first place I'd check if you aren't seeing pings in the live view.

    • @nickquik  5 months ago  +1

      "Log packets that are handled by this rule"? Yea it's checked.

    • @nickquik  5 months ago

      @DevOdyssey idk what I did differently but it's working now 😅😅 thank you!!!

    • @DevOdyssey  4 months ago

      @nickquik It always seems to work out that way, doesn't it 😂. Happy you were able to get it resolved and happy to help!

  • @kainafita  1 year ago

    Hi, can you make a video of nginx as a reverse proxy in OpenWrt? Thanks man, nice channel

    • @DevOdyssey  1 year ago  +1

      Thanks for watching @kainafita!
      I'll look into that idea, as that seems like a very useful package to add to an OpenWrt router, given it's already central to anyone's network setup, since OpenWrt routers are many users' gateways to the internet, or other locally defined networks.
      It's been a while since I've messed with nginx, but this load balancer / reverse proxy has been something I've wanted to understand better, so a video like this would be great for me. Definitely helps with exposing internet based services for anyone who wants to self host a public website, or other internet based services.

  • @dalewhitmore143  1 year ago

    I followed your video and lost internet when testing SSH

    • @DevOdyssey  1 year ago

      Thanks for watching Dale!
      So I'm not sure how you have your system set up, but if you were running this as your firewall servicing internet for your local network, your local network would not have internet access. That's because the rules shown here do not allow HTTP or DNS traffic to the internet.
      In this video, I had this firewall set up on the side to create and test firewall rules before deploying it as my home firewall. This is the process that should be followed so you can create a basic working setup and not run into serious issues like not being able to access the internet.
      So testing SSH should not have "lost Internet" for you or prevented access to the internet. If you didn't deploy this as your main firewall / router, then I'm not sure why you would have lost internet when testing SSH.
      Would you be able to elaborate more on what you observed?

    • @dalewhitmore143  1 year ago

      @DevOdyssey I have set up my firewall already in my home to the ISP and main switch with multiple LANs and just the basic any rules in place, which I had at the bottom when I tried your settings.
      I don't have much experience at all with opnsense so I thought I would try your video.

    • @DevOdyssey  1 year ago

      @dalewhitmore143 Thanks for sharing your setup!
      From what you mentioned, it doesn't seem like adding the SSH rule to those existing basic any rules should prevent internet access. I would ask as well, do those existing rules have "quick" checked off? If they do, and you move them to the top, those rules should be hit first and therefore be applied to any internet outbound traffic. I would try that and see how it works.
      Since this is just an SSH rule (port 22), it should not prevent internet access.
      Let me know if you have additional questions, and we can talk about other rules setup.

  • @chrisboxsell4981  2 months ago

    I am a robot

    • @DevOdyssey  2 months ago

      You got me 😂