In this chapter, we will learn more about some hardware considerations concerning networking and how to configure a network interface using the OPNsense WebGUI, and we will explore the network interface types available to configure in it. We will also learn about the virtual IPs and the differences between them, and finally we will look at some common troubleshooting scenarios and how to solve issues using the diagnostics tools available in OPNsense.
In this chapter, we will cover the following topics:
This chapter requires that you have a clear understanding of the TCP/IP network stack, OSI model concepts, and some experience of using a command shell, or CLI. You will need a running OPNsense to practice some of the exercises proposed in this chapter. If you have followed all the steps from the previous chapters of this book, you can use your newly configured OPNsense virtual machine.
It is crucial to choose the right hardware for your OPNsense, so that it functions well as a firewall, and the most important components are the CPU and the network interface cards (NICs). For example, choosing the right NIC for the network environment can make the difference between a successful deployment and a complete disaster. Of course, the high-quality code of OPNsense can do an outstanding job while securing networks, but without a good hardware bundle, it won't make any magic.
As we discussed in the last chapter, the kernel OPNsense runs on has the netmap framework implemented in it, which can be used by network IPS and Sunny Valley's Sensei plugin, for example, to process network packets with better performance and low CPU usage. If one of your OPNsense installation tasks uses one or maybe both of these (network IPS and Sensei plugin in different NICs), then you should choose a network card with a driver that is supported by netmap to get the job done; otherwise, the whole system will suffer from high CPU load when processing network packets while using these components.
Before starting your OPNsense firewall implementation, let's take into account the following considerations:
These are some examples of possibilities you may consider in your OPNsense deployment. It is not within the book's scope to give you basic recipes on how to deploy each one; however, I will show you the right path to know what to look for before building your OPNsense firewall.
FreeBSD uses the network interface driver to name each installed card followed by a number, starting at 0. For example, if you install two Intel PRO/1000 network cards, they will be identified as igb0 and igb1; the igb part is from the driver used by FreeBSD to manage this type of Intel Gigabit network card, followed by the number to identify each one: in this example, 0 for the first network card and 1 for the second one.
Here is a reference: https://docs.freebsd.org/doc/7.3-RELEASE/usr/share/doc/en/articles/linux-users/network.html.
The ifconfig command is a native FreeBSD network tool that can help you in managing network interfaces in the CLI. This tool can be considered as the Swiss army knife of network managing tools in CLI.
Important Note
Changes made using the ifconfig command will not survive a reboot!
In the CLI, an easy way to list the installed network interfaces is using the ifconfig command:
root@bluebox:~ # ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:90:0b:4d:25:b0
inet6 fe80::290:bff:fe4d:25b0%igb0 prefixlen 64 scopeid 0x1
groups: LAN
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:90:0b:4d:25:b1
inet6 fe80::290:bff:fe4d:25b1%igb1 prefixlen 64 scopeid 0x2
inet 192.168.15.9 netmask 0xffffff00 broadcast 192.168.15.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
To list a specific network interface, just type ifconfig followed by the interface name:
root@bluebox:~ # ifconfig igb1
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:90:0b:4d:25:b1
inet6 fe80::290:bff:fe4d:25b1%igb1 prefixlen 64 scopeid 0x2
inet 192.168.15.9 netmask 0xffffff00 broadcast 192.168.15.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
In the preceding example, you selected the igb1 network interface, and as we can see, the IPv4-configured IP address is 192.168.15.9 with a 24-bit netmask (0xffffff00) and a network broadcast address of 192.168.15.255. But wait a moment! A 24-bit netmask? Where?! Don't worry! Let's understand this part. If you came from the Linux world, like me, you are probably wondering why on earth this netmask is in hexadecimal format.
Well, the default option in the ifconfig command in FreeBSD is hex notation, but we can change that with some parameters, but before we change it in ifconfig, let's remember some concepts.
If you convert the value 0xffffff00 to binary notation, you will get the following:
11111111 11111111 11111111 00000000
Counting the 1 bit, you have 24 bits, right? Remembering the network basic classes, the IPv4 address has 4 octets. Converting that to decimal, we get the following:
This equals 255.255.255.0 decimal.
Important Note
This chapter requires that you have a basic IPv4 understanding: how to convert hex numbers to binary and decimal will not be detailed here. If you don't know how exactly to do that, I strongly recommend you read some Packt books about network basics before moving on with firewalling. It's just advice, but you can always make use of calculators to convert these numbers too.
Now that we have remembered some of the basics of IPv4 concepts, we can try to convert a hex to a decimal using ifconfig:
root@bluebox:~ # ifconfig -f inet:dotted igb1
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:90:0b:4d:25:b1
inet6 fe80::290:bff:fe4d:25b1%igb1 prefixlen 64 scopeid 0x2
inet 192.168.15.9 netmask 255.255.255.0 broadcast 192.168.15.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Adding the -f inet:dotted parameter to the ifconfig command, now we can see the netmask in decimal notation: 255.255.255.0.
Better? But you want more? OK! Let's try now with CIDR notation. For that, just change the ifconfig parameter to -f inet:cidr:
root@bluebox:~ # ifconfig -f inet:cidr igb1
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:90:0b:4d:25:b1
inet6 fe80::290:bff:fe4d:25b1%igb1 prefixlen 64 scopeid 0x2
inet 192.168.15.9/24 broadcast 192.168.15.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Now we can see the IP address followed by CIDR notation:
inet 192.168.15.9/24 broadcast 192.168.15.255
Here are some other important parts of the output of the ifconfig command as regards hardware:
Want to learn more about the ifconfig command? Take a look at FreeBSD's ifconfig man page: https://www.freebsd.org/cgi/man.cgi?ifconfig(8).
Now that we have explored the NIC considerations and learned how to get some information about the NIC in the CLI, we can move on to configuring a basic network in OPNsense.
Local network configuration begins with a good IP addressing plan! Always try to follow the RFC1918 reserved address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) for local networks, using private IP addresses. In this way, you avoid future issues with local addresses overlapping with public addresses on the internet. I have seen many times network administrators not paying attention to this rule of thumb and creating problems for themselves.
Another good practice is not using huge broadcast domains. If you are projecting a small network, then why use a 10.0.0.0/8 network? Avoid doing that! This can save you time in the future; for example, while connecting two or more networks using a VPN tunnel, there will be a smaller chance of network addresses overlapping with other connected networks. If you choose 10.10.10.0/24, which means 254 usable IP addresses, instead of choosing 10.0.0.0/8, which has more than 16 million IP addresses, which one do you think has more chances of conflict with another 10.x.x.x address networks? Smaller broadcast domains means smaller chances of conflicts happening.
Some good tools to start your firewall and network project are a piece of paper and a pencil. Draw your network plan and discuss it with your work buddies before starting to set IP addresses for network devices.
After these brief considerations, let's go to the network configuration.
Everything that we need to configure a network interface is in the Interfaces menu. OPNsense will set the LAN and WAN interfaces by default, as we explored in Chapter 2, Installing OPNsense, where we already configured both, so let's explore the available network configuration options in WebGUI.
The following options are available both in LAN and WAN interface configuration or in any new network interface you may add later in your OPNsense.
To explore the network interface configuration options, head to the Interfaces | LAN menu (you can also try Interfaces | WAN; the options are the same):
The available basic configuration options are as follows:
Here are the generic configuration options:
After configuring the network interfaces, let's proceed to assign network interfaces.
If you want to add more NICs to your OPNsense, you can do this by heading over to the Interfaces | Assignments menu.
To practice adding more network interfaces using WebGUI, you can follow the steps in this exercise:
Applying a New Network Configuration to Your OPNsense Virtual Machine
You must first shut down your virtual machine (VM) to apply the new network settings. Remember to note down the new IP address assigned in your new network interface on VirtualBox to use a different one in your new OPNsense interface configuration.
Interface added! Let's practice a little bit now.
Now you have added a new network interface, let's add a static IPv4 to it:
Enable: Checked.
Description: Name your interface as you wish.
Block private networks and Block bogon networks: Unchecked.
IPv4 Configuration Type: Select Static IPv4.
IPv6 Configuration Type: Select None.
IPv4 address: Fill with an address that is in the network range you noted down when you created the network interface on VirtualBox Network Manager. Pay attention to the network CIDR.
IPv4 Upstream Gateway: Leave as the default: Auto-detect.
Now that you have your new network interface configured in your OPNsense, let's take a closer look at it in our next section.
Go to Interfaces | Overview and click on the interface you just configured. You should see something like this:
As we can see, there is some information in Interfaces | Overview that is quite similar to the ifconfig output, but with a much better look! We can check here, for example, whether the network interface is up, which IP address is configured in it, the MTU size, the MAC address, and a lot more useful information.
What about your interface overview configuration? Is it the same as the one you just configured in the previous exercises? If yes, congratulations! If no, then no problem, repeat the exercise, paying attention to the details, and I'm sure you will find the mistake and fix it!
Now that we have concluded the basic network configuration steps, we can continue our networking saga and head to the next section to explore the different types of network interfaces you can configure in OPNsense.
As a complete firewall solution, OPNsense supports many different types of network interfaces. We will explore each one available for configuration in WebGUI next.
A bridge can connect two different network interfaces in the same network segment. For example, you can connect a LAN interface connected by cable to a Wi-Fi interface using a bridge. In this way, the devices connected in both interfaces will rely on the same broadcast domain or the same network segment.
The Generic Tunnel Interface, or just GIF, is a type of interface configuration that can be used to tunnel IPv6 via IPv4. An example of its usage is configuring it with the IPv6 tunnel broker from Hurricane Electric, with which you can reach IPv6 internet using an existing IPv4 connection. If you want to learn more about this service, you can access it at https://tunnelbroker.net/.
The Generic Routing Encapsulation (GRE) is a network configuration that allows two hosts to tunnel traffic without encryption. An example of its usage is when you need to traverse some protocols that aren't supported by the intermediate systems.
Link aggregation, also known as port-channel sometimes, can provide, as the name suggests, aggregation using multiple network interfaces. It can be used to increase bandwidth in local networks with the prerequisite of a compatible device, such as a switch, for example. It can support failover since at least one interface is up. To perform these functions, LAGG will need to be configured on both sides of the connection, with the same protocol. The current protocols supported by OPNsense are as follows:
Before starting LAGG configuration, check whether your switch supports one of these protocols. This feature is awesome when combined with VLANs, so that you can have a reliable trunk with a lot of networks passing through it.
The loopback is a virtual interface that is commonly used to test local communications in a host. You can easily test it by trying to ping the 127.0.0.1 address (or ::1 for IPv6); this is supported in most modern operating systems, and FreeBSD is no different. In OPNsense, we can create additional loopback interfaces for different applications; for example, configuring a service only locally with the port listening in a loopback interface address.
With VLANs, you can make better network segmentation, dividing one big network or broadcast domain into many smaller ones. By doing so, you can save your network from issues such as traffic flowing between all the hosts without any packet filtering, making it difficult for malware to spread to the whole network and preventing lateral movement, for example. Another example is to use a single network port to configure multiple network segments. OPNsense supports VLAN 802.1Q standard permitting VLAN tagging and priority code point, which can be used for Quality of Service (QoS). For extra protection, you may add network ports authentication using 802.1x. To learn more about 802.1X, please refer to https://en.wikipedia.org/wiki/IEEE_802.1X.
To learn more about network lateral movement, refer to https://en.wikipedia.org/wiki/Network_Lateral_Movement.
The Virtual Extensible Lan (VXLAN) was created to overcome VLAN limitations in this era of the cloud. It can address up to 16 million logical networks, while VLANs can do only 4,096. Most modern virtualization technologies support it, and its usage is more common in cloud scenarios. Now that we have seen the different types of interfaces, let's go ahead and create one of them, for example, the loopback interface.
To practice how to configure another type of network interface, we will configure a new loopback interface using WebGUI:
Adding a New Interface to OPNsense
You can review the steps on how to add a new network interface by looking at the Proposed exercise – adding a new network interface to OPNsense section in Chapter 2, Installing OPNsense.
Congratulations, you have created your first loopback network interface! You can repeat this exercise with other types of interfaces if you wish; the only difference is that each type will demand its specific configurations. I proposed using the loopback type to save your time to repeat all the required steps for creating a new network interface on VirtualBox, but it's up to you! You can repeat this exercise, creating as many types of network interfaces as you want!
As we explored in this topic, OPNsense can support a variety of types of network interface configurations. Now that you know about each one, let's dive into IP addressing, starting with how to add extra IPs in network interfaces.
A virtual IP address can be used for a high-availability configuration, such as creating a Network Address Translation (NAT) in many different services on the same network port, or just for adding more than one IP address in the same network interface. In this section, we'll dive into each type of virtual IP that is supported by OPNsense and when to choose which virtual IP configuration type.
An IP alias can be used as an additional IP address in a configured network interface. It will behave like the address configured in the interface, replying to ICMP requests (ping) and generating ARP packets on the network. The netmask must match with the network interface the IP alias will be created on; otherwise, you can set it as a single address (/32 CIDR for IPv4). You can even set an IP address from another network. There are some special cases, such as when the ISP delivers a small network (/30 CIDR) and you need to set up a high-availability installation. Instead, you should consider using VLANs, which will isolate the packets from the different networks configured within the same network interface.
Loopback Interfaces
An IP alias is the only type of address accepted to be used as a virtual IP address on loopback interfaces.
The Common Address Redundancy Protocol (CARP), as its name suggests, is a protocol used for network redundancy, and in OPNsense, we use it for high-availability deployments. We will explore this protocol and the high-availability configuration in detail later in Chapter 17, Firewall High Availability.
Wikipedia defines ARP as follows: “The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.” A proxy ARP uses this protocol (ARP) to reply to queries for an IP address set in the network interface using this configuration. The IP address will not be added to the interface. OPNsense will use the cheap and omitted proxy ARP daemon (choparp –https://www.freebsd.org/cgi/man.cgi?query=choparp) to reply to requests to the configured proxy ARP IP address.
Proxy ARP – Important Notes
To configure a single IP address, you must use /32 CIDR. Only network addresses will be accepted with smaller CIDR numbers.
When a proxy ARP IP address is configured, it will not be shown in Interfaces | Overview or in the ifconfig command output.
It does not respond to ICMP requests.
The exclusive usage for this type of virtual IP is in NAT, since it will respond neither to ICMP nor ARP requests.
The Interfaces | Virtual IPs | Status page is exclusively used to show the status of CARP virtual IPs; hence, we will explore it later in Chapter 17, Firewall High Availability.
Let's practice how to create a virtual IP address by adding an extra IP to our previously created network interface, using the following steps:
If the ping replies, you just created a new IP alias successfully! Otherwise, repeat the exercise by reviewing each step carefully to get it working.
Now that we have learned about the OPNsense networking configuration, it's important to see how to troubleshoot some common issues involving network and connectivity. Let's explore some common issues in the next section.
It's important to know how to configure network interfaces in OPNsense, but it is more important to know how to solve problems related to it. In this section, we'll explore the common issues and see how to solve each one.
First of all, let's see what diagnostic tools are available in WebGUI.
All of the following options can be accessed from Interfaces | [tool name]:
Let's now explore troubleshooting examples.
Someone calls you and complains that the firewall stopped working. You ask about the symptoms that made this person believe that. Immediately the person tells you that all the local network hosts lost connectivity with the firewall, but they can access the firewall from another network interface, a WAN interface, for example, and it appears to be working as it was meant to be.
Well, based on a true story, I can tell you that it is a good prompt to start looking at the ARP table – why? Because if you look at it, you will probably find the possible reasons and see whether they are related to OPNsense, or you can call the network infrastructure team to check the switch connected to this firewall.
If the ARP table isn't showing the amount of entries that you expected, the next step will be to check whether the LAN interface is up; if it's not, it is probably a problem with the network cable or switch. Otherwise, the LAN interface port may be damaged, and you will need a new one; only a physical test will help in this case. Even if the LAN interface is up, it's a good idea to ask for help from the network infrastructure team, if there is a high chance that it's a problem with network connectivity.
These are some possible solutions:
The DNS Lookup page will resolve DNS names to IP addresses; you can use it to find issues with DNS resolution.
After the initial tests, such as pinging the firewall and other internet IP addresses, the users are still complaining that they can't access websites or receive emails on their Outlook. Is this another true story? Most of the stories in this book are!
As you are not using a web proxy (because we haven't got there in this book yet), you can start trying to resolve the internet DNS names in the DNS Lookup page. If the DNS Lookup did not succeed, then ask a friendly user to try to do the same on their computer, you're probably dealing with a DNS issue. This page can be more useful than a command-line ping because it shows the query time for each DNS server configured in OPNsense; sometimes, the issue is related to slow responses from one of the configured DNS servers.
Here are some possible solutions:
Let's go back to the diagnostics tools:
Since this topic is focused on troubleshooting, let's use the netstat command in the CLI instead of using WebGUI page.
Some examples of the netstat command usage are as follows:
root@OPNsense:~ # netstat -ap tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 OPNsense.ssh 192.168.56.1.58376 ESTABLISHED
tcp4 0 0 localhost.rndc *.* LISTEN
tcp4 0 0 *.domain *.* LISTEN
tcp6 0 0 *.domain *.* LISTEN
tcp6 0 0 *.http *.* LISTEN
tcp4 0 0 *.http *.* LISTEN
tcp6 0 0 *.https *.* LISTEN
tcp4 0 0 *.https *.* LISTEN
tcp4 0 0 *.ssh *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
root@OPNsense:~ # netstat -ap udp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
udp4 0 0 127.0.0.20.ntp *.*
udp6 0 0 fe80::1%lo1.ntp *.*
udp4 0 0 OPNsense.ntp *.*
udp4 0 0 localhost.ntp *.*
udp6 0 0 fe80::1%lo0.ntp *.*
udp6 0 0 localhost.ntp *.*
udp6 0 0 fe80::a00:27ff:f.ntp *.*
udp4 0 0 OPNsense.ntp *.*
udp4 0 0 OPNsense.ntp *.*
udp6 0 0 fe80::a00:27ff:f.ntp *.*
udp4 0 0 OPNsense.ntp *.*
udp6 0 0 fe80::a00:27ff:f.ntp *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.ntp *.*
udp4 0 0 *.domain *.*
udp6 0 0 *.domain *.*
udp6 0 0 *.dhcpv6-client *.*
When you are not sure of whether a configured service is listening at the correct port, you can use the preceding commands.
root@OPNsense:~ # netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
10.0.2.0/24 link#1 U em0
10.0.2.15 link#1 UHS lo0
127.0.0.1 link#5 UH lo0
127.0.0.10 link#8 UH lo1
127.0.0.20 link#8 UH lo1
Internet6:
Destination Gateway Flags Netif Expire
::1 link#5 UH lo0
fe80::%em0/64 link#1 U em0
fe80::a00:27ff:feeb:a6ff%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
If you want to know whether an added route or the correct default gateway is active, this command can help you!
If you want to know whether a packet is flowing in some specific interface, with Packet Capture, you can find out.
If you need to test whether a remote host is online or not, a good starting point is trying to ping it.
Note
Windows' default configuration blocks ICMP packets. If you are testing against Windows machines, be sure that they are allowing ICMP packets.
Say your users are complaining about a single website that isn't accessible. One good starting point is trying to reach it using traceroute. We already saw cases where changing the WAN, or the network route, solved the problem. Sometimes the ISP's cloud can be very tricky, and when you have another ISP available, changing the route to a second one is worth trying! Another good example is when the traceroute output shows the same IP multiple times; in this case, we have a routing loop.
We'll explore some of these diagnostic tools in depth in later chapters, which will present you with some examples of how to use them practically, so don't worry – we have a long journey ahead of us!
In this chapter, we learned how to design an OPNsense firewall for a production environment, considering which hardware and network card to use depending on the features that will be enabled. We learned about the FreeBSD network interfaces and practiced some CLI network commands. We also saw how to add new IP addresses to OPNsense using virtual IPs, choosing the right type depending on its usage. In the last section, on diagnostics and troubleshooting, I tried to share with you a little bit of my experience, telling you some true stories about network issues with some examples of how to solve them.
In the next chapter, we'll learn how to manage our OPNsense system configuration using WebGUI.
3.17.154.139