How to Configure OpnSense - vLAN, VPN, Port Forward, Firewall Rules, WireGuard, DHCP... - Part 2

  • Published 17 Dec 2024

Comments • 189

  • @naveentechs
    @naveentechs 11 months ago +17

    Thank you mate, this is by far one of the best content for setting up OPNsense out there

    • @Jims-Garage
      @Jims-Garage 11 months ago +1

      Thanks, I really appreciate the feedback and donation.

  • @NaveenKumar-ty7ry
    @NaveenKumar-ty7ry 8 months ago +2

    Really a great tutorial for an OPNsense beginner like me. Really enjoyed the crystal clear explanation and practicing the same with my homelab. Thank you so much friend.

    • @Jims-Garage
      @Jims-Garage 8 months ago

      Wow, that's extremely generous. Thank you!

  • @andykrull9297
    @andykrull9297 4 days ago +1

    Very thorough. Glad I bought my Firewalla.

    • @Jims-Garage
      @Jims-Garage 4 days ago

      @@andykrull9297 thanks. Still something I need to trial.

  • @wag2639
    @wag2639 8 months ago +1

    Thanks! I've been struggling to put this together with proxmox and unifi. This was exactly what I needed.

    • @Jims-Garage
      @Jims-Garage 8 months ago

      Thanks, that's very kind

  • @adoolaard
    @adoolaard 7 months ago +3

    So, this past month I've been experimenting a lot with OPNsense (even bricked it once). The funny thing is that I kept coming back to this video, primarily for the VLANs, but also for the outbound VPN.
    This video is truly an all-in-one. Thanks Jim! I wish you all the best!

    • @Jims-Garage
      @Jims-Garage 7 months ago +1

      Much appreciated 👍

  • @olsenlid
    @olsenlid 1 year ago +6

    50 minutes(!)
    Gonna enjoy this one later tonight. Thanks for all the videos recently :)

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Sorry about that. I did put chapters to help out with the bits you care about.

    • @olsenlid
      @olsenlid 1 year ago +1

      @@Jims-Garage It's a good thing. More thorough :)

  • @mikeburton6449
    @mikeburton6449 3 months ago +1

    Extremely helpful.... You got me past some things that others clearly missed or overlooked or took for granted as known to everyone....

    • @Jims-Garage
      @Jims-Garage 3 months ago

      @@mikeburton6449 thanks, appreciate the comment.

  • @johnsmith8981
    @johnsmith8981 6 months ago +1

    This is hands down the best video covering OPNsense virtualized in Proxmox. I was really struggling to understand the relationship between VLANs on the switch, the hypervisor, and the virtualized router.

    • @Jims-Garage
      @Jims-Garage 6 months ago +1

      Thanks, John, appreciate the feedback

  • @MarcMcMillin
    @MarcMcMillin 1 year ago +6

    Thank you for doing this series. It's very helpful!

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      You're very welcome!

  • @drreality1
    @drreality1 1 year ago +4

    Tremendous work mate, I can only imagine what episode 3 will be 😊
    thank you

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks a ton! As mentioned, high availability!

  • @LydiaPuppy
    @LydiaPuppy 1 year ago +2

    This is some GOLDEN content. Can't wait to watch episode 3! I'm digging through your channel more for anything and everything Proxmox related too. Thank you for the content!

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Welcome aboard! I use Proxmox for the majority of my videos with some specific features like GPU passthrough, SDN, backup server

  • @gamermerijn
    @gamermerijn 10 months ago +1

    Thanks for the intro to OPNsense Jim, good pace and structure, speeding up at the end helped to keep the attention too 😊 very helpful to get to grips with this product. Good luck

    • @Jims-Garage
      @Jims-Garage 10 months ago

      Glad you enjoyed it

    • @MelroyvandenBerg
      @MelroyvandenBerg 5 months ago

      I watched it in 3 sessions, so I was sharp all the way.

  • @fedefede843
    @fedefede843 1 year ago +2

    Nice! Just in time. Have ordered a Zimaboard. Waiting for it to arrive and have some fun installing OPNsense.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Enjoy! Assume you have a PCIe NIC?

    • @fedefede843
      @fedefede843 1 year ago

      @@Jims-Garage :/ not yet.
      I just have regular Fresh Tomato router/switch/ap (Asus ac66u) which will be downgraded to switch/ap. It is 1G, so I assumed the Zima will suffice to start learning.
      In the mid (long?) run I will upgrade to 2.5G or maybe 10G and just there will see to upgrade via a PCIe or move to something else.
      Do you reckon it might be short with this current setup?

  • @Iahmel.
    @Iahmel. 1 year ago +3

    Solid run through as always Jim. Thanks :)

  • @georgebobolas6363
    @georgebobolas6363 1 year ago +3

    Awesome series! Thanks again for all your videos.

  • @Pichon099-wc4wg
    @Pichon099-wc4wg 3 months ago +1

    Fantastic video! This helped a lot, Jim. One note, at 27:48, I think you meant OpenVPN, not OPNsense.

    • @Jims-Garage
      @Jims-Garage 3 months ago

      Yes, think so. This one was a tough one to record, sent me a bit mad 😂

  • @Sejl
    @Sejl 8 months ago +1

    Thanks for such a detailed tutorial! I have a noob question. If I set LAN to be 192.168.0.1/16 (so the subnet is 255.255.0.0), and if I have a WAN IP from my router of 192.168.1.15, will there be some kind of conflict?! If I want to separate my LAN into subnets, should I maybe go to the 10.0.x.x/16 address range to avoid conflict?! Thank you in advance!

    • @Jims-Garage
      @Jims-Garage 8 months ago

      Wow, thank you for the generous tip (not sure why your comment was automatically filtered)... Looks like you're double NAT, are you able to set the ISP router to modem only or use PPPoE? If not, yes, I'd change your subnet to 10.0.0.0/16 to make things simple. You can also use 172 if needed.

  • @chinphamxuan
    @chinphamxuan 5 months ago +1

    In part one, vmbr0 has CIDR 192.168.200.75/24 and its gateway is 192.168.200.1.
    I don't understand why, when you assign the OpnSenseVM1 (vmbr0 is the network device) MAC address to the firewall, OpnSenseVM1 gets a new IP range (192.168.1.40) as at 7:25.
    Where did I miss?
    Thank you.

    • @WarutPhothiphanGtopba
      @WarutPhothiphanGtopba 3 months ago +1

      I'm thinking the same thing. His OPNsense LAN was set to vmbr7 and he removed vmbr0 from the OPNsense network. How could OPNsenseVM1 and 2, which are on vmbr0, connect to the OPNsense? His video is my first video learning OPNsense and I'm starting to get confused. 😿

  • @burleystinnett9094
    @burleystinnett9094 8 months ago +1

    I enjoy your OPNsense content. Very helpful!

    • @Jims-Garage
      @Jims-Garage 8 months ago

      Awesome, thank you!

  • @HerbertB
    @HerbertB 6 months ago +1

    Thanks!

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Thanks, that's very kind

  • @davidhine8870
    @davidhine8870 4 months ago +1

    I'm still personally having a nightmare getting my OPNsense ESX install to talk to PPPoE with VLAN 10 tagging... but as soon as that's sussed, I now know how to do all the fun stuff! Cheers!

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @@davidhine8870 I've no experience with esxi but make sure that the NIC is vLAN aware

  • @jaxwylde2139
    @jaxwylde2139 14 hours ago +1

    Hi Jim, recent subscriber (from Canada), and really enjoy your content / teaching style. I have two questions:
    1) Curious to know why you decided to use OpnSense vs doing this through your existing Unifi Network Infrastructure (maybe this is a topic for future video...if not already done).
    2) Did you take a specific OpnSense online course (that you can recommend), or simply learned by experimenting / watching multiple online vids / reading guides, etc? Cheers.

    • @Jims-Garage
      @Jims-Garage 14 hours ago +1

      Hey, thanks for subscribing and welcome.
      1) A few years back I had a UDM-Pro. It was OK, but pretty basic so I moved onto others (Sophos, OPNSense). Since then the UDM-Pro and subsequent models have improved considerably so my main points are likely no longer valid.
      2) No, albeit I'm reasonably technical so most of the concepts are transferable between firewalls. I simply make reference to a lot of the official documentation and forums where possible.

  • @yatokanava
    @yatokanava 1 year ago +1

    Thank you! I'm studying what OpnSense can do and your video helps a lot!

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Great, glad it helped.

  • @kiloy1006
    @kiloy1006 1 year ago +1

    Thanks for the vid! I ordered bare metal and ap(EPA610). I will be trying hard to get out of deco mesh and control my network!

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Awesome, that's great 👍

  • @ManuelMas
    @ManuelMas 6 months ago +1

    I switched to NordVPN and used the guide. Works well.
    How can I incorporate my Pi-Hole into OPnSense using NordVPN at a router level?

  • @tmakademia3526
    @tmakademia3526 5 months ago

    I think the 47:43 "Exploit Cisco Telnet Buffer Overflow" and others are unnecessary when you don't have a Cisco switch etc. Am I right?

  • @NorthVegas
    @NorthVegas 4 months ago +1

    I love your videos; they are so informative! Also, extremely helpful. Any chance you can provide one for setting up openvpn for a vlan?
    I was successful with applying things from this tutorial but would be intrigued to see how you do it.

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @@NorthVegas thanks, I'll look into it.

  • @allaboutcomputernetworks
    @allaboutcomputernetworks 9 months ago +1

    Thank you so much for making this lovely video!!.....👍

    • @Jims-Garage
      @Jims-Garage 9 months ago

      Glad you liked it!

  • @tobifuncoding
    @tobifuncoding 11 months ago +1

    Thanks Jim, awesome video!!! Well explained. BTW my OPNsense is running in proxmox with q35 and OVMF. so far no issues with that configuration

    • @Jims-Garage
      @Jims-Garage 11 months ago

      Great to hear! Thanks for confirming

  • @dreamkiss
    @dreamkiss 7 months ago +2

    I am moving away from Watchguard to OPNsense; this video is fab to run through all the basics. Hopefully you will have more videos to watch after this one.

    • @Jims-Garage
      @Jims-Garage 7 months ago

      Thanks, I will likely do more OPNSense content in the future as I'm now using it.

  • @julioa.7438
    @julioa.7438 2 months ago

    Congratulations on the video... one question, what is the argument (openvpn connect) for starting automatically and connecting to the task scheduler? Thanks. Hugs from Brazil

  • @RichardFlyr
    @RichardFlyr 1 year ago +1

    I liked the video, but I got stuck at 36:11 when I tried to fill out the android Wireguard client details. Thanks again!

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Which bit were you stuck on? I assume which parts go where?

  • @markandrow4010
    @markandrow4010 1 year ago +1

    Hi James, thank you specially for great, neat and commented repos. 👌

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      You're welcome, and please submit PRs if you see any errors. Thanks

  • @MelroyvandenBerg
    @MelroyvandenBerg 5 months ago

    The amount of config for NordVPN was a bit overwhelming for me. But yeah I'm learning, great video!

  • @robertyboberty
    @robertyboberty 6 months ago +1

    Straight over to dark mode. Thank you thank you

    • @Jims-Garage
      @Jims-Garage 6 months ago

      @technotim would be proud

  • @JasonEala
    @JasonEala 1 year ago +1

    Brilliant. You earned a sub from this network noob. Wish I did more research with access points. I bought the TP-Link Deco 6E so I could take advantage of 6 GHz for my phone and future devices, only to get frustrated by not being able to connect it to my bare metal OPNsense setup. Back to the drawing board. Lots to learn but it's been fun. Thanks for the educational vids.

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks, you're welcome. Why can't you connect it to OpnSense?

    • @JasonEala
      @JasonEala 1 year ago +1

      @@Jims-Garage I was able to figure it out and got it working. It just gets more complicated from here … lol. But fun.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      @@JasonEala great 👍 if it's easy, you're not trying 😂

  • @sebasdt2103
    @sebasdt2103 1 year ago +1

    So at 35:52 you set the firewall rule to accept ports 0 (any) through 51580. Shouldn't this be 51580-51580?

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      You could do that, and then make sure that the client only uses those ports. However, the source port could be anything (typically).

  • @MarcMcMillin
    @MarcMcMillin 1 year ago +2

    Would you be able to cover solutions for folks like me that can't bridge their router or put it into modem only mode? I was going to DMZ from the router to OPNSense or SophosXG but I'm not sure how safe that is. Thanks!

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      That shouldn't be too big of an issue, you're basically double-NATed. Just put everything behind Sophos or OpnSense and it's effectively the same thing. You'll need to do any port forwarding twice though, on both routers.

  • @Techonsapevole
    @Techonsapevole 11 months ago +1

    Impressive tutorial, thanks.
    Is it possible to use a LAN DNS in the WireGuard client? Because it seems to accept only public DNS.

    • @Jims-Garage
      @Jims-Garage 11 months ago

      Yes, just make sure you have the right firewall rules. When connected via WireGuard I use my PiHole.

  • @michaelhansen4511
    @michaelhansen4511 1 year ago +1

    Great video Jim. What is the reason for using WireGuard and NordVPN? Wouldn't it be easier to have just one?

    • @Jims-Garage
      @Jims-Garage 1 year ago +2

      Thanks. Check the video carefully. WireGuard is for connecting home, NordVPN is for routing entire subnets over a VPN.

  • @FredoLunivar
    @FredoLunivar 5 months ago +1

    What completely throws me off in this guide is the two additional OpnSense VMs appearing out of nowhere at 5:38. Does anyone know what's the deal with them?

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      They're simply 2 VMs I created for the video to demonstrate DHCP, vLANs, firewall rules etc.

    • @FredoLunivar
      @FredoLunivar 5 months ago

      @@Jims-Garage Ah, I see! Thank you for clarifying!

  • @antoniomax3163
    @antoniomax3163 1 year ago +2

    Hey, Jim.. Could you tell me? The fact is that there are restrictions on the Tailscale side: I can't download from their website and update the application, both on Windows and on other devices, for example an OpenWrt router.
    But everything works fine on the installed devices. What would you do if you need to put a package on the OpenWrt router, but according to the instructions from the site it will not work?
    The first option that I think of is to give a VPN to the router, and thus circumvent the restrictions. The second option, as I think, is to do it via the offline method: download the package and manually install it. Could you tell me more about it and show me? I do not know how to connect a VPN router to OpenWrt. And how to download the package from the website, copy it to the router and install it through the console?

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Sorry, I'm not sure off-hand. I'll need to look into that. OpenWRT is something I want to cover in the future.

  • @ab17182
    @ab17182 1 year ago +1

    Nice vid Jim. What would be interesting is if you could take the existing Terraform Providers, convert what you did manually (pressing/toggling buttons and configuring using typed in values), and convert it to follow standard IaC principles. While I do appreciate the amount of content you provided, I sat here reading through what the public Terraform providers for Opnsense provided and honestly, it'd be easier to take the entire manual config, set values in a .tf file, and just apply to an Opnsense deployment within seconds. It'd also be a template all your viewers could use to configure their labs with whatever values they'd like to use.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      I agree, once you understand it that's the way to go. I wanted to introduce it and hopefully explain what things do though. It's definitely a great idea for a future video.

    • @ab17182
      @ab17182 1 year ago +1

      Amen to that! Doing the clicky click-through definitely has its educational value. Looking forward to future vids mate!

  • @Glatze603
    @Glatze603 1 year ago +1

    Hi Jim, no IP address in host aliases (field "content")? No hostname in reservations? So you don't have a firewall-defined relation between reserved hosts and aliases. I would recommend it!

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Thanks for pointing out, that makes sense. Must have missed it when recording!

  • @rashedobaid
    @rashedobaid 1 year ago +1

    Great tutorial! Please do explain how to access modem web gui on bridge mode. Many tutorials I found use PPPoE and I have a DHCP connection. I tried unblocking bogon networks with no luck.

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      Is your OpnSense connected to the ISP in bridge mode? What is the internal IP address of the ISP router (likely on its own subnet)?

    • @rashedobaid
      @rashedobaid 1 year ago

      @@Jims-Garage Yes to bridge mode. ISP is on 192.168.1.1 and Opnsense is on 10.0.1.1

  • @cyrilpinto418
    @cyrilpinto418 5 months ago +1

    Wrt the NordVPN setup, what would one have to do to restrict selected devices to use NordVPN, while the rest use the regular ISP-provided network?

    • @Jims-Garage
      @Jims-Garage 5 months ago

      Use a vLAN and put the device exclusively on that.

  • @travisaugustine7264
    @travisaugustine7264 6 months ago

    Do you have a video for outbound VPN only one on specific LAN/VLAN? For example, say I want my trusted network to use my WAN gateway, and my guest network to route out via OpenVPN to Switzerland? I think I followed this enough to understand how to do it myself, but any help you can offer would be appreciated.

  • @chrischausse7232
    @chrischausse7232 4 months ago +1

    Wonderful videos, keep it up!!!

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @@chrischausse7232 thanks

  • @JoelFabiani
    @JoelFabiani 3 months ago +1

    I really appreciate the methodology you use-your videos are fantastic! However, for beginners, the two existing OPNsense VMs can be a bit confusing. Part 1 was easy to follow, but I’m concerned that Part 2 might not be as straightforward. Still, congrats for your amazing work developing these tutorials.

    • @Jims-Garage
      @Jims-Garage 3 months ago +1

      @@JoelFabiani thanks. IMO there's a point at which you need to know the basics. You shouldn't be dabbling with firewalls etc if you are completely green, you'll likely do more damage 😂

    • @JoelFabiani
      @JoelFabiani 3 months ago

      @Jims-Garage makes sense. Thanks again Jim.

  • @faisaltaufiqAbdi
    @faisaltaufiqAbdi 3 months ago +2

    Which one is better: to put OPNsense before MikroTik or to put OPNsense after MikroTik? The purpose is to protect the local area network and server. Thanks in advance.

    • @Jims-Garage
      @Jims-Garage 3 months ago +1

      @@faisaltaufiqAbdi OPNSense before, unless you're doing HA in which you plug the wan into a vLAN on the switch.

    • @faisaltaufiqAbdi
      @faisaltaufiqAbdi 3 months ago

      @@Jims-Garage Thank you brother

  • @charleswilliams8368
    @charleswilliams8368 5 months ago +1

    I just subscribed because of the Rebellion tip.

  • @erikvandeven100
    @erikvandeven100 11 months ago +1

    Great content! However, for some reason my LAN clients don't have internet access anymore when wireguard is enabled and a peer has the allowed IPs set as 0.0.0.0/0.... When allowed IPs contains any other values, there is no issue. Any thoughts? "DNS Probe started" is the error message I get in the Chrome browsers.

    • @cnkosm6536
      @cnkosm6536 7 months ago

      Me too. So what should we enter in the Allowed IPs field?

  • @FredoLunivar
    @FredoLunivar 5 months ago +1

    Might be completely obvious, but maybe it helps someone: Port tagging appears to be only a thing on managed switches.
    Question: Is there a way to set this up with an unmanaged switch? Managed switches seem to be fairly expensive and I'm not quite sure whether I want to make that investment yet.

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      No, sadly not, that's why they're more expensive.

    • @FredoLunivar
      @FredoLunivar 5 months ago +1

      @@Jims-Garage I see, thank you Jim! AliExpress to the rescue then! 😅

    • @Jims-Garage
      @Jims-Garage 5 months ago +1

      @@FredoLunivar it's a double edged sword. Might be better to invest in something more reputable. If you simply need basic 1Gb managed switch I recommend the Netgear ones.

    • @andyturner605
      @andyturner605 3 days ago

      @@Jims-Garage Wondering if I can simply skip the port tagging, I'm on an unmanaged switch, Great content though.

  • @InsaiyanTech
    @InsaiyanTech 11 months ago +1

    I'm wanting to follow this but I haven't been able to order a wireless AP for WiFi yet; I am going with Unifi though. Holidays made me broke so I just haven't been able to purchase one yet. But any chance you have made a video on how to integrate a Unifi AP with OPNsense to have WiFi? Because I almost did this setup but then I forgot: how would I have WiFi?

    • @Jims-Garage
      @Jims-Garage 11 months ago +1

      Hey, simply plugging the AP into the switch is all you need for it to "work". You then control it via the unifi controller. I'm going to do a video on this later. Just needs to be able to reach it.

  • @somesomea7391
    @somesomea7391 10 months ago +2

    Why do you use VLANs if you create a rule to allow the VLANs to speak to each other? Isn't the point of VLANs to separate traffic and improve security? Would subnetting be a better solution?

    • @Jims-Garage
      @Jims-Garage 10 months ago +1

      It's more a demonstration of how to create them. You can add whichever rules makes sense for your setup.

    • @Crystawth
      @Crystawth 10 months ago

      Because with routing rules you can limit what that device can or cannot access on a separate network. If they're all on the same network, then that device has access to everything.

  • @Viking8888
    @Viking8888 4 months ago

    Any chance you would know how to set up multi-WAN failover or load balancing using Unbound DNS? I want to use Unbound for its better security, but can't seem to get it to work. After setup, when I pull the main WAN cable it never switches over to the secondary WAN connection, even though I have System ---> Settings ---> General ---> "Allow default gateway switching" checked. Any help would be greatly appreciated.

  • @Tmacs-yp6vv
    @Tmacs-yp6vv 2 months ago +1

    Are there any disadvantages of running opensense as a proxmox vm?

    • @Jims-Garage
      @Jims-Garage 2 months ago

      If you're running more than 10Gb you might see a small performance loss, otherwise everything is a bonus over physical IMO.

    • @Tmacs-yp6vv
      @Tmacs-yp6vv 2 months ago

      Thanks! And could you use only one physical network adapter for both lan and wan?

  • @hmeland1
    @hmeland1 10 months ago +1

    Sophos vs OpnSense - which one do you recommend for a home environment?

    • @Jims-Garage
      @Jims-Garage 10 months ago

      They're both great, I use Sophos XG

  • @emanbuoy7673
    @emanbuoy7673 8 days ago

    Question, for the OpenVPN settings, I see that you are routing your LAN network via NordVPN so you are protected. How would you configure it if you had, say, 2-3 VLANs? How would you set that up so all of the VLANs + LAN also use OpenVPN when accessing the internet? Also, how do you configure it so that you retain communication between the VLANs while routing over VPN?
    I am currently trying to achieve the above but with WireGuard + Mullvad VPN, but I keep getting stuck and a lot of the guides are lowkey outdated... I will really appreciate your help. Ty

  • @themightyapefish
    @themightyapefish 6 months ago +1

    When I try to port forward I have to change the destination to WAN address to get it to work, otherwise the port remains closed for me.. is this right?

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Yes, that's correct.

    • @themightyapefish
      @themightyapefish 6 months ago

      @@Jims-Garage Ah alright, was confused because in the video it was lan address.
      Thanks, love your content!

  • @MatSmithLondon
    @MatSmithLondon several months ago +1

    Hope it's not rude to ask, but do you use a script? It doesn't look like you are reading from a script as your voice tempo is so natural, but on the other hand I'm genuinely impressed at how densely packed (i.e. waffle-free) and how well-planned your topics are. Also there's a wealth of background understanding of networks behind what you are saying and it seems to underpin all you say / do / advise - I recognise a lot of this as I'm relatively experienced in network management / planning, but you are very good at communicating that. I'm sure it's possible to just freestyle like this, but if that's what you are doing then that's even more impressive. (It's what I tend to do as I'm lazy, but I end up being far more waffly.)
    Also - quick note to acknowledge what many people here probably already know: there are tonnes of stupid American videos on OpnSense. I have watched a lot of them and literally not a single one (bar Dave's Garage channel) touches on any of the technical detail I'm actually wanting to learn about. Maybe they just assume people will learn themselves, and they basically just bang on about getting the best hardware etc., maybe they are mostly sponsored? It's annoying. Also why do Americans always shout at the camera, it's so tiring to listen to. Your videos are far more peaceful and enjoyable, really.
    I found myself watching your first OpnSense video after I'd already installed it on Proxmox myself (and questioning whether it was even a sensible idea to do this as a VM at all) and laughed at every detail which I had already done the same, down to the exact amount of virtual memory 4096 and disk 32GB I had assigned... uncanny!

    • @Jims-Garage
      @Jims-Garage several months ago

      Hey, really appreciate the feedback. I do not script any of my videos, just have a few bullet points in my head of what I'm setting out to do.

  • @variable_0
    @variable_0 1 year ago +3

    Flashbang warning at 2:07 🤣

  • @primenetwork27
    @primenetwork27 11 months ago

    Nice video and Merry Christmas. Can you also create an OPNsense WAF with naxsi?

  • @wiesawpeche7273
    @wiesawpeche7273 1 year ago +2

    Thanks for this nice video. It might be helpful to share the Google Backup link to docs opnsense at 49:49. Tested, works! 😉

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks, I'll look to add!

  • @Julian-lv6ph
    @Julian-lv6ph 7 months ago

    I have Adguard Home using port 53. What do I need to do to have them both working?

  • @alexvachon9990
    @alexvachon9990 9 months ago +1

    Can you run an entire subnet through a proxy? To get a static IP?

    • @Jims-Garage
      @Jims-Garage 9 months ago +1

      Yes, you should be able to.

    • @alexvachon9990
      @alexvachon9990 9 months ago

      @@Jims-Garage thanks, and is it better to run OPNsense on an old PC with a network card installed than to use my ISP router in access point mode plugged into my switch?

  • @jesusleguiza77
    @jesusleguiza77 4 months ago

    When I checked Enable WireGuard, my LAN network stops working, like the DNS resolution.

  • @raylab77
    @raylab77 6 months ago +1

    Is it normal that my upload/download speed drops to almost half when IPS mode is enabled?

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Yes, unfortunately. I believe suricata is single threaded. Only way to boost is likely a faster core clock but it won't work miracles.

    • @raylab77
      @raylab77 6 months ago +1

      I changed the pattern matcher to Hyperscan, and that improved my up/down speeds to what it was without IPS enabled! Is there any downside to Hyperscan?

    • @Jims-Garage
      @Jims-Garage 6 months ago

      @@raylab77 I'm not familiar with it, I suspect it's either using some hardware acceleration, or it's not doing as thorough a scan.

  • @infyrno
    @infyrno 1 year ago +1

    Thank you so much for this Video

  • @linearburn8838
    @linearburn8838 6 months ago +1

    Could you run through IPv6?

    • @Jims-Garage
      @Jims-Garage 6 months ago

      Thanks, I'll cover that in the future

  • @aselolelole7267
    @aselolelole7267 28 days ago +1

    What are the aliases for?

    • @Jims-Garage
      @Jims-Garage 28 days ago

      @@aselolelole7267 a friendly name instead of a port or IP number

  • @-rm-rf
    @-rm-rf 1 year ago +1

    Really good one! Almost feel like trying it out.. if only I didn't join the ecosystem ^^

    • @Jims-Garage
      @Jims-Garage 1 year ago +1

      You're sucked in now... You belong to Ubiquiti ;)

    • @-rm-rf
      @-rm-rf 1 year ago

      We both know who is to blame for that @@Jims-Garage ....Jeffrey!!!!!!!!

  • @mattk3035
    @mattk3035 3 months ago

    Thanks for the videos, great stuff. I haven't got past the VLANs on this tutorial yet. I must be doing something wrong as I can't get the VLAN DHCP server to give out any IPs. Since I'm not setting up a cluster I didn't give my OPNsense VM a static IP; I didn't understand why it would need one, as I thought its IP is already the gateway IP? But I did the rest of the VLAN setup and have my Cisco router trunked for VLAN 1 and my VLAN 66 on 2 ports to 2 Unifi AC Pro APs, but it can't use the VLAN. I also tried to set the Cisco VLAN 66 only on one port and hard wired to it with a laptop, and that didn't work either. So DHCP doesn't seem to be working. Does anyone have any thoughts?

    • @mattk3035
      @mattk3035 3 months ago

      For anyone having the same troubles as me, I figured it out. I didn't have the Cisco port that the opnlan cable connects to trunked for the VLAN, I just had the ports for the APs. Once I set up the port trunking for the new VLAN on the LAN port, all went well!

  • @brspstrnk7924
    @brspstrnk7924 8 months ago

    As you can see, the allowed IPs section is wrong 31:31 and corrected it at 31:43. There are so many mistakes in this section, including the way he used the private and public keys. He ultimately got it to work but never bothered to show us the right way to do it or the final configuration for it which resulted in a huge waste of time for me personally. Do yourself a favor and look for how to set up an inbound Wireguard server on OPNsense somewhere else.

  • @zyghom
    @zyghom 1 year ago +1

    super nice but setting the vpn client on opnsense is kind of... sophisticated. Yes, I know, such firewall is sophisticated by itself, but still, it could have been a bit easier to get more people on board.
    Btw both are very useful: vpn server on opnsense and vpn client on opnsense. Let me try both with wireguard.
    btw you picked up "wrong" port of wireguard because:
    "It is scheduled to be removed on or after 2023-12-31."

    • @Jims-Garage
      @Jims-Garage 1 year ago

      Thanks for sharing. I agree it's quite involved, would be great if there was a NordVPN plugin (perhaps there is somewhere on GitHub) that had a web GUI.

    • @zyghom
      @zyghom 1 year ago

      @Jims-Garage no, NordVPN is only one of many - I think the issue is: configuration in too many places. If all parameters were on one card...? It would be easier. No, a NordVPN plugin would make it biased. ;-)

  • @ravikilnake4100
    @ravikilnake4100 1 year ago +2

    Hey man, don't leave out ipv6.
    More ipv6 please

    • @Jims-Garage
      @Jims-Garage 1 year ago

      You're right, something I want to play with later.

  • @3doh
    @3doh 4 months ago

    I was expecting the IDS to be explained in detail but sadly you overlooked most of it. What a shame. For the rest of the video... Great job!

    • @jeffrowe6004
      @jeffrowe6004 4 months ago

      It's ok, he put it on the wrong interface anyway. Putting it on the WAN just causes a lot of headache managing attacks that will never make it past your firewall anyway. Put your IDS on the LAN so it only detects an actual intrusion.

  • @bernzigruber
    @bernzigruber 10 months ago +2

    I appreciate your work, but the WireGuard configuration is unfortunately wrong.
    1) You need to copy the public key of the WireGuard CLIENT (windows, android, etc...) to the public key field of the peer in OPNsense, not the servers (instance).
    2) If you configure a WireGuard interface (which you do not need necessarily), you can spare the outbound nat rule. Firewall rules are sufficient to reach e.g. the internet.
    3) The allowed IPs field at the peer has nothing to do with which IPs the clients can reach. It relates to the client's IP address (which client is allowed to connect).

    • @ghmc
      @ghmc 9 months ago

      I have another issue with the WireGuard setup from this walk-through: when I configured it this way up to creating a peer, all outbound traffic from LAN to WAN stopped working. It took me some time to find out why that was happening, and when I deleted the WireGuard setup and WireGuard interface everything worked fine again.

    • @m23605
      @m23605 9 months ago +1

      Yeah, this is so frustrating. Copying the instance's public key into the only peer's public key field is just wrong, and someone new to WireGuard is just going to have a miserable time setting things up if they watch this video. There's just so much confusing and wrong information about WireGuard. Why even make a video if you're just going to add to the confusion?

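The thread above turns on two points that are easy to get backwards in the OPNsense WireGuard forms: the server's (instance's) peer entry must hold the client's public key, and the AllowedIPs on that peer is the client's tunnel address, not what the client may reach. The following added example is not code from the video or from the OPNsense project: it derives public keys from private keys the same way `wg pubkey` does (X25519 against base point 9, implemented in pure Python per RFC 7748) and checks a server config against a client config for exactly those mistakes. The private keys are the RFC 7748 test vectors; the tunnel addresses, port and endpoint hostname are constructed.

```python
import base64
import ipaddress

# Constructed example material. Private keys are the RFC 7748 section 6.1
# test vectors (Alice = server, Bob = client) so the output is reproducible.
SERVER_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
P = 2**255 - 19


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder; pure Python is fine for a config checker."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp scalar
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def wg_pubkey(priv_b64: str) -> str:
    """Same derivation as `wg pubkey`: X25519(private, 9), base64 encoded."""
    return b64(x25519(base64.b64decode(priv_b64), (9).to_bytes(32, "little")))


def parse_wg(text: str) -> list:
    """Minimal wg-quick parser that keeps repeated [Peer] sections separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = line.split("=", 1)
            sections[-1][1][key.strip()] = val.strip()
    return sections


def check_pair(server_cfg: str, client_cfg: str) -> list:
    """List the mismatches between a server's peer entry and the client's config."""
    srv, cli = parse_wg(server_cfg), parse_wg(client_cfg)
    srv_iface = next(s for n, s in srv if n == "Interface")
    cli_iface = next(s for n, s in cli if n == "Interface")
    srv_peers = [s for n, s in srv if n == "Peer"]
    cli_peer = next(s for n, s in cli if n == "Peer")
    srv_pub, cli_pub = wg_pubkey(srv_iface["PrivateKey"]), wg_pubkey(cli_iface["PrivateKey"])
    problems = []
    # Point 1 of the thread: the server's [Peer] must carry the CLIENT's public key.
    peer = next((p for p in srv_peers if p.get("PublicKey") == cli_pub), None)
    if peer is None:
        problems.append("server has no [Peer] with the client's public key")
        if any(p.get("PublicKey") == srv_pub for p in srv_peers):
            problems.append("a server [Peer] holds the server's own public key")
    else:
        # Point 3: server-side AllowedIPs must cover the client's tunnel address.
        cli_addr = ipaddress.ip_interface(cli_iface["Address"]).ip
        allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
        if not any(cli_addr in net for net in allowed):
            problems.append(f"server AllowedIPs do not cover client address {cli_addr}")
    if cli_peer.get("PublicKey") != srv_pub:
        problems.append("client [Peer] PublicKey is not the server's public key")
    return problems


CLIENT_CFG = f"""
[Interface]
PrivateKey = {b64(CLIENT_PRIV)}
Address = 10.10.10.2/24
[Peer]
PublicKey = {wg_pubkey(b64(SERVER_PRIV))}
AllowedIPs = 0.0.0.0/0   # on the CLIENT this is what gets routed into the tunnel
Endpoint = vpn.example.invalid:51820   # constructed hostname
"""


def server_cfg(peer_pubkey: str) -> str:
    return f"""
[Interface]
PrivateKey = {b64(SERVER_PRIV)}
Address = 10.10.10.1/24
ListenPort = 51820
[Peer]
PublicKey = {peer_pubkey}
AllowedIPs = 10.10.10.2/32   # the client's tunnel address, not what it may reach
"""


# The mistake described above: the instance's own public key pasted into the peer.
WRONG_SERVER = server_cfg(wg_pubkey(b64(SERVER_PRIV)))
RIGHT_SERVER = server_cfg(wg_pubkey(b64(CLIENT_PRIV)))

if __name__ == "__main__":
    print("wrong:", check_pair(WRONG_SERVER, CLIENT_CFG))
    print("right:", check_pair(RIGHT_SERVER, CLIENT_CFG))
```

On OPNsense the server side lives in the Instances and Peers forms rather than a wg-quick file, but the same two checks apply: the Peer's public key field must show the value from the client's own key pair, and its allowed IPs must contain the address you gave that client.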
  • @MelroyvandenBerg
    @MelroyvandenBerg 5 months ago

    Where is part 3?

    • @MelroyvandenBerg
      @MelroyvandenBerg 5 months ago

      Maybe you start numbering the videos better..

  • @danmoscatt3636
    @danmoscatt3636 9 months ago +5

    Good video overall, but you skipped over some key parts during setup: you assumed knowledge of the WireGuard client AND you didn't show in YOUR Nord setup what values you were inputting. Like you said, it was taken from the Nord config, yeah sick, but WHAT was taken!! Took me so long to try and figure out what lines I needed to use. Try not to gloss over small stuff; the video is 50 mins long anyway, another 2 mins can't hurt :)

    • @Jims-Garage
      @Jims-Garage 9 months ago +3

      Thanks for the tips! I have already covered VPNs extensively in the past and people can find them. Unlike most others my videos are somewhat sequential.

    • @SapperUSMC
      @SapperUSMC 7 months ago +1

      @Jims-Garage valid point, then when you mention the other video, please put a link on screen.
      I appreciate your hard work!

  • @kazadori164
    @kazadori164 4 months ago +1

    Hol up........ I thought the whole point was to REMOVE and REPLACE the ISP router with the OPNsense box.

    • @Jims-Garage
      @Jims-Garage 4 months ago

      @kazadori164 usually you need to put the ISP router in modem mode or bridge it. It's rare that you can fully remove it (even if you replace it with your own).

    • @kazadori164
      @kazadori164 4 months ago +1

      @Jims-Garage so, I can't replace a failing Best Buy router with the OPNsense box? I'm not referring to the modem that connects a router to the internet, whether it's cable, DSL or fiber.

    • @Jims-Garage
      @Jims-Garage 4 months ago +1

      @kazadori164 yes, you can. That's what this video is doing. I've installed it in a VM here, but you can also install bare metal on a new PC etc.

    • @MattHudsonAtx
      @MattHudsonAtx several months ago

      It really depends. ATT requires their router to auth on their network. It's a significant hassle to emulate the auth step. Google is easier.

  • @raylab77
    @raylab77 7 months ago +1

    Lol. When port forwarding, you said it's dead easy... That's not dead easy in my opinion. My old router was easy, this is hard, but doable. I guess it all depends on what one's skill lvl is.

    • @Jims-Garage
      @Jims-Garage 7 months ago +1

      If you're just starting out I recommend Sophos XG - it's much simpler and most things are done with a wizard.

    • @raylab77
      @raylab77 7 months ago

      @Jims-Garage oh, I hoped this was a plugin.

  • @moortu
    @moortu 2 months ago +1

    🙈You keep saying excetera, but it's literally Et cetera

    • @Jims-Garage
      @Jims-Garage 2 months ago

      @moortu I know, I remember from Latin. Perhaps my pronunciation is problematic.

  • @cyrilpinto418
    @cyrilpinto418 6 months ago +1

    I thought this was supposed to be a beginner video.

    • @Jims-Garage
      @Jims-Garage 6 months ago

      It is, it's the second part. There's a minimum level of knowledge you should have before thinking about running your own firewall.

    • @cyrilpinto418
      @cyrilpinto418 6 months ago

      @Jims-Garage I already run a Mikrotik Hex with 4 VLANs; I appreciate your efforts, but couldn't find what I was looking for.

  • @AdrianuX1985
    @AdrianuX1985 1 year ago +2

    +1