This chapter will introduce you to the OPNsense project, tell you about its history, license, and fork motivations, and where you can find help if you need it. Before installing and configuring your own OPNsense installation, it is essential to learn about some concepts and how the OPNsense project was started. We will also learn about FreeBSD, and its fork, HardenedBSD, exploring OPNsense features and the typical deployments scenarios that we can use it.
In this chapter, we're going to cover the following main topics:
To introduce you to the OPNsense project, I'll first need to tell a bit of my story and how I fell in love with it.
To tell the OPNsense story, we need to go back to 2003, when the initial release of m0n0wall was released. The main goal of this project was to have FreeBSD-based firewall software with an easy-to-use web interface (based on PHP) that worked on embedded PCs and old hardware with a good performance but that was just focused on Layer 3 and Layer 4 firewalling. m0n0wall was a good achievement. Still, picky network and security admins were claiming for other features such as web proxying, intrusion detection and prevention systems, and some other features that commercial firewalls were delivering as a default Unified Threat Management Solution (UTM). So, in 2004 a new project began, a m0n0wall fork, with its first public released in 2006. The fork's name? pfSense, and, as the name suggests, it used Packet Filter (PF) as a firewall-based system instead of the ipfilter (another FreeBSD packet filter)of its predecessor. For a long time, pfSense was a unique open source firewall solution, with a big active community and constant improvements. Many network and security administrators that only accepted Linux-based firewalls (yes, I was one of them too!) started to migrate to this FreeBSD-based firewall. These two projects coexisted until 2015, when m0n0wall was discontinued. There were signs of discontent back then; part of the pfSense community was not happy with some things such as changes in licenses and the direction the project was heading in.
Back in 2014, a brave group of developers decided to fork from pfSense and m0n0wall and started the OPNsense project. The first official release was in January 2015, inheriting a lot of code from its predecessors. Still, with a very ambitious plan to change how a lot of things were being done, OPNsense quickly rose as a pfSense alternative and received an important recommendation from the m0n0wall founder, Manuel Kasper, encouraging users from his project to migrate to OPNsense. It was the start of one of the best open source firewall projects.
The following are some of the key features that OPNsense came with:
Talking about versions, we need to introduce you to the flavor available:
If you don't have any reason to choose LibreSSL, I'll advise you to pick the default one, OpenSSL. We will talk more about versions and installation media in the next chapter.
Talking about improvements, we must speak of the project architecture, starting with the frontend, the Phalcon PHP framework. This framework is used to implement webGUI and its APIs (another considerable improvement compared with its predecessors). It will do the work to render and control all that you can see and do using your web browser to manage your OPNsense.
The OPNsense framework also contains a backend, which is a Python-based service, also known as configd. This backend service will be in charge of controlling services, generating daemons and service config files from Jinja2 templates, and applying these configurations to an operating system.
With this architecture, OPNsense has a significant advantage – a secure way to manage and apply configurations to an operating system without executing root commands directly from the PHP web interface (as pfSense did, for example), reducing the risk of a flaw in webGUI compromising the whole firewall system.
So, now that we know how OPNsense evolved and its benefits, let's take a look at the operating system that serves as the base to this incredible firewall platform – FreeBSD's fork, HardenedBSD. It's essential to understand how the whole system and its components work to become a good OPNsense administrator. Let's go!
Before exploring OPNsense, let's look at its kernel: the almighty FreeBSD, the operating system that has the power to serve!
First, FreeBSD isn't Linux! If you are a long-time FreeBSD user, don't be mad with me, as you probably have heard this statement before! If not and you thought that FreeBSD and Linux were the same, no problem! That is a common mistake people make. Let's first find out what FreeBSD is in a short introduction.
FreeBSD is a free and open source operating system. It is a Unix-like system but different from Linux; it is a complete operating system, including the kernel, drivers, and other user utilities and applications. Linux only includes the kernel and drivers, and everything else is built as the distribution or just distro. The FreeBSD project has an outstanding security reputation, and it has a dedicated team taking care of this at the code level. This has built a well-known reputation for a very secure operating system!
If you have never installed FreeBSD before, you must be thinking that you will use it for the first time on OPNsense, right? Not necessarily! You have probably used FreeBSD a lot already. Don't believe me? One of the strong points of the FreeBSD project is its licensing model, which is considered permissive. Add to that the system liability, robust security, and good hardware support and you have a lot of reasons to choose FreeBSD as your new product base operating system. Many companies have – Apple's macOS, iOS, and other OSes are based on FreeBSD code, Sony PlayStations 3 and 4 use it, and many network appliances make use of it too! If you have an iPhone, that also runs a FreeBSD-based operating system!
Now that we are introduced to OPNsense's operating system, let's explore why we should consider it for our network firewall.
To give a short answer – because it is the best genuinely open source firewall project currently available!
Not satisfied with this answer? Fair enough! Let's go to the long one!
Back in 2009, I was a pfSense user and enthusiast when I decided to move from Linux-based firewalls to FreeBSD. Back then, I created a managed firewall service for small and medium businesses using Linux firewall distros. At that time, I was using IPCop and SmoothWall Express, two Linux-based distros. I started this project with IPCop, but I decided to move to Smoothwall Express later, from which IPCop was forked. Both were good options to run in an embedded firewall appliance with limited resources. As a long-time Linux user, I was very comfortable using something based on this operating system. I am from a time when we built firewalls using ipchains and, later, iptables scripts, without any GUI help. I know – I'm getting old! Changes were happening and the service grew, with customers demanding bigger firewall appliances with high availability capability. At this point, Linux had a problem; there was no good support for this feature, so I needed to go back to the drawing board.
From research, I have found two possible alternatives – OpenBSD and FreeBSD. The first one was a well-known security-focused operating system with a strong reputation, which looked like a great option to run as a firewall solution. However, there were some hardware compatibility limitations and a lack of a GUI to manage it. It was a crucial need that customers were asking for. I couldn't find any firewall GUI option available back then, and developing a new one as a one-person development team was not a suitable option. It was time to look at the FreeBSD choices.
By doing a quick Google search, I found a good option – m0n0wall. So, I downloaded it and started the tests! It impressed me! It was a light operating system with a good WebGUI running on a solid operating system. But at the very beginning, I found a problem – reading the official documentation, specifically on the topic of what m0n0wall is not, I discovered that it wasn't a proxy server, an Intrusion Detection System (IDS), or an Intrusion Prevention System (IPS), and losing these features was not an option! So, it was back to square one!
Googling again, I found a m0n0wall fork – a project called pfSense. It looked like a promising one, with everything I needed to implement at that time – WebGUI, high availability, and some plugins such as Squid/SquidGuard for proxying and web filtering, Snort for IDS/IPS, pf as the packet filter. Bingo! I had found what I was looking for! My first impression when testing on the PC engine-based hardware was disappointing! The performance was too low compared with the Linux options and even with m0n0wall. There were too many features for a hardware platform with few resources. Another problem to solve was that even the more powerful hardware I was testing on used a compact flash disk as mass storage, and enabling a service such as Squid for proxying and web filtering with a lot of disk writing meant that the Compact Flash (CF) card got damaged very quickly. But there was another option – installing the NanoBSD flavor of pfSense made things easier for the embedded hardware to run more smoothly, and with some coding, I was able to bypass the CF card limitations. So, I ran this solution as a firewall to many customers until 2015. That was the year I became a little bit frustrated with how the project was being driven; a lot of ideas were popping into my head, but the project community was not the same anymore. It was time for a fresh start. I even talked with some project contributors about starting a new fork, but the idea was not accepted by most of them. It was time to go back to Google to look for a good open source firewall project.
On one of these rainy days, when your creativity is low and you have no intention to code or think of a new solution, I decided to google for some open source firewall alternatives, and the results surprised me! I found something, a project called OPNsense, and it was a pfSense fork! At that moment, the sun shined on my keyboard, and I thought, that's it!! The more I read about the project history, the more convinced I became that I had found the perfect solution backing!
So, I started the tests, and it was fascinating! It was pretty easy to convert pfSense's XML configuration file to OPNsense, so my first labs were based on production systems, and the results were very satisfying. It was time to migrate the first customers to this new firewall platform. However, it had a limitation – web filtering. We had developed a custom SquidGuard plugin for pfSense, but it wasn't easy to convert it, as the webGUI was different. Fortunately, our first customers didn't need this feature. The first migration to OPNsense was a success! So, it was decided that OPNsense was the new option for our firewall appliances! Later, I developed a SquidGuard-based plugin for OPNsense, and we were able to migrate all the customers. Since then, I have moved from this company to a new one, CloudFence, and we have decided to support the OPNsense project as much as possible.
Some of the key features that led me to dive into the OPNsense project were: genuine open source motivations with the freedom that an actual open-sourced project must have – an MVC-based webGUI without direct root access to the operating system (except for legacy components), IDS and IPS with netmap support, excellent available plugins, two-factor authentication for VPN, and cloud backups, to mention just a few! The list is increasing with each new version; later, we will see each feature in detail, so don't worry about it for now!
Okay, so this book isn't a novel, but I had to tell my personal history with OPNsense because choosing an open source project as a contributor and user isn't like buying a product. It is about personal life decisions; it's about what you want to support and are passionate about, and that project was right for me. I tried to help it! This is a little bit of my personal story with OPNsense; I hope it can inspire you somehow! The whole story might need an entire book, and it isn't the purpose of this one to tell stories but rather to improve your OPNsense skills, so let's move on to OPNsense's features!
Let's dive into OPNsense's core features and the most common scenarios to deploy it.
What are the core features? The OPNsense core features all come with the default OPNsense installation, without any additional plugins.
The core features are as follows:
Important Note
Dynamic DNS is a plugin installed by default on OPNsense.
Captive portal: Talking about guest networks and controlling users to join a network, this also applies to the captive portal in OPNsense. This feature can be used with the web proxy to authorize users to use the internet and has widespread usage in hotels, airports, shopping centers, and so on.
Here are some of the other great OPNsense features:
There are many other features that can be added in OPNsense through plugins, and we will see in detail each core function and some plugins later in this book.
Note
You can obtain a full list of features at https://opnsense.org/about/features//.
OPNsense is very powerful and versatile and can be used in many ways. I'll try to cover the most common deployments, as follows:
There are other possible deployments, such as a web application firewall, a next-generation firewall, an advanced network router, a DNS filtering appliance, and Software Defined WAN (SD-WAN). It's not possible to cover all the possibilities in one book, but we will explore the most common ones in the following chapters.
Have you had trouble or don't know how to use a feature? Didn't understand what the official documentation says? Take it easy! We are a big and strong community, and someone in it will try to help you for sure!
While selling OPNsense-based firewall solutions in comparison to commercial firewall closed-source solutions, customers commonly ask us a question such as, "Okay! It seems that this open source solution you are offering in your service can do anything that other closed source commercials listed in the 'some magic geometrical guide' (which I will not mention the name of here) solution can do, but what about support? When we need support or an urgent security fix, who are we going to call?" Our answer? "Not the Ghostbusters!"
Okay, just kidding – but let me tell you about some of the myths that the closed source firewall vendors teach customers about open source support and how to answer them!
So, after this introduction, let's see where else we can find help:
This brings us to the end of the chapter, which has provided an overview of OPNsense.
In this chapter, you were introduced to OPNsense, its project history, versions, and the improvements made by pfSense and m0n0wall. I also shared a little bit of my history with you and why I decided to use it, with some examples. We learned about FreeBSD and what it is and is not, and about its hardened fork, HardenedBSD. We explored the OPNsense core features and typical deployments, with some examples of how you can deploy them in your network environment. Finally, we dived into support options and how to use each of them. Now that we know how OPNsense works, we can find help if needed, which versions are available, and the most common scenarios to deploy it. We will now move on to the following chapters, which will help you better understand some of the concepts discussed in this chapter more practically. In the next chapter, we will see how to install OPNsense and explore some of its features!
18.117.81.240