OPNsense is an open source and easy-to-use FreeBSD based firewall and routing platform. 2018 – three years after OPNsense started as a fork of pfSense® and m0n0wall – OPNsense brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. A strong focus on security and code quality drives the development of the project. The modern and intuitive web interface makes configuring firewall rules funny  In this talk, Thomas will outline OPNsense’s FreeBSD-based architecture and how you can take advantage of additional features using OPNsense plugins. He will also show how to initially setup an OPNsense firewall, and how you use datacenter-features like High Availability & Hardware Failover or Dual Uplinks. Open (source) makes sense – also for your firewall 

1. OPNsense:
the “open” firewall for your
datacenter
@tk_tniedermeier
Thomas Niedermeier, Thomas-Krenn.AG
Open Source Data Center Conference, 2018/06/12

2. Have you already tested a Open Source firewall?

3. If yes, which?

4. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

5. OPNsense started as a fork of pfSense® (Copyright © 2004-2014 Electric Sheep Fencing, LLC. All rights reserved.)
a fork from m0n0wall® (Copyright © 2002-2013 Manuel Kasper).

7. IPFire 2.19 pfSense®
2.4 OPNsense®
18.1
Based on Linux®
Kernel 3.14 FreeBSD®
11.1 FreeBSD®
11.1
Stateful firewall ✔ ✔ ✔
Proxy cache ✔ ✔ ✔
VPN ✔ ✔ ✔
IDS ✔ ✔ ✔
HA cluster ✔ ✔
Multi-WAN ✔ ✔
Layer 2 (transparent) ✔ ✔
Two-factor auth. ( )✔ ✔

8. IPFire 2.19 pfSense®
2.4 OPNsense®
18.1
Based on Linux®
Kernel 3.14 FreeBSD®
11.1 FreeBSD®
11.1
Stateful firewall ✔ ✔ ✔
Proxy cache ✔ ✔ ✔
VPN ✔ ✔ ✔
IDS ✔ ✔ ✔
HA cluster ✔ ✔
Multi-WAN ✔ ✔
Layer 2 (transparent) ✔ ✔
Two-factor auth. ( )✔ ✔
Also for mobile
LTE backup
with 4G modem
Also for VPN
roadwarrior
(eg. Google Auth.)

9. Comparison OPNsense and pfSense
OPNsense pfSense
License BSD Clause-2 Apache License 2.0
IPS Native via Suricata
best performance
Snort
no real inline mode
available
2FA Native integrated via TOTP mOTP available via plugin
AES-NI CPU feature
required
No, never Yes, beginning with
version 2.5 in community
edition
Source: https://techcorner.max-it.de/wiki/OPNsense_vs._pfSense_-_Im_Vergleich

11. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

13. OpenServer
6.x
UnixWare
7.x
(System V
R5)
HP-UX
11i+
1969
1971 to 1973
1974 to 1975
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001 to 2004
2006 to 2007
2008
2005
2009
2010
2011
2012 to 2015
2016
2017
Open source
Mixed/shared source
Closed source
HP-UX
1.0 to 1.2
OpenSolaris
& derivatives
(illumos, etc.)
System III
System V
R1 to R2
OpenServer
5.0.5 to 5.0.7
OpenServer
5.0 to 5.04
SCO UNIX
3.2.4
SCO Xenix
V/386
SCO Xenix
V/386
SCO Xenix
V/286
SCO Xenix
Xenix
3.0
Xenix
1.0 to 2.3
PWB/Unix
AIX
1.0
AIX
3.0-7.2
OpenBSD
2.3-6.1
OpenBSD
1.0 to 2.2
SunOS
1.2 to 3.0
SunOS
1 to 1.1
Unix/32V
Unix
Version 1 to 4
Unix
Version 5 to 6
Unix
Version 7
Unnamed PDP-7 operating system
BSD
1.0 to 2.0
BSD
3.0 to 4.1
BSD 4.2
Unix
Version 8
Unix
9 and 10
(last versions
from
Bell Labs)
NexTSTEP/
OPENSTEP
1.0 to 4.0
Mac OS X
Server
Mac OS X,
OS X,
macOS
10.0 to 10.12
(Darwin
1.2.1 to 17)
Minix
1.x
Minix
2.x
Minix
3.1.0-3.4.0
Linux
2.x
Linux
0.95 to 1.2.x
Linux 0.0.1
BSD
4.4-Lite
&
Lite Release 2
NetBSD
0.8 to 1.0
NetBSD
1.1 to 1.2
NetBSD 1.3
NetBSD
1.3-7.1
FreeBSD
1.0 to
2.2.x
386BSD
BSD Net/2
Solaris
10
Solaris
11.0-11.3
System V
R4
Solaris
2.1 to 9
BSD 4.3
SunOS
4
HP-UX
2.0 to 3.0
HP-UX
6 to 11
System V
R3
UnixWare
1.x to 2.x
(System V
R4.2)
BSD 4.3
Tahoe
BSD 4.3
Reno
FreeBSD
3.0 to 3.2
FreeBSD
3.3-11.x
Linux
3.x
Linux
4.x OpenServer
10.x
1969
1971 to 1973
1974 to 1975
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001 to 2004
2006 to 2007
2008
2005
2009
2010
2011
2012 to 2015
2016
2017
DragonFly
BSD
1.0 to 4.8
BSD Net/1
Unix-like systems

14. OpenServer
6.x
UnixWare
7.x
(System V
R5)
HP-UX
11i+
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001 to 2004
2006 to 2007
2008
2005
2009
2010
2011
2012 to 2015
2016
2017
OpenSolaris
& derivatives
(illumos, etc.)
OpenServer
5.0.5 to 5.0.7
OpenServer
5.0 to 5.04
SCO UNIX
3.2.4
V/386
AIX
3.0-7.2
OpenBSD
2.3-6.1
OpenBSD
1.0 to 2.2
NexTSTEP/
OPENSTEP
1.0 to 4.0
Mac OS X
Server
Mac OS X,
OS X,
macOS
10.0 to 10.12
(Darwin
1.2.1 to 17)
Minix
1.x
Minix
2.x
Minix
3.1.0-3.4.0
Linux
2.x
Linux
0.95 to 1.2.x
Linux 0.0.1
BSD
4.4-Lite
&
Lite Release 2
NetBSD
0.8 to 1.0
NetBSD
1.1 to 1.2
NetBSD 1.3
NetBSD
1.3-7.1
FreeBSD
1.0 to
2.2.x
386BSD
BSD Net/2
Solaris
10
Solaris
11.0-11.3
Solaris
2.1 to 9
SunOS
4
HP-UX
6 to 11
UnixWare
1.x to 2.x
(System V
R4.2)
BSD 4.3
Reno
FreeBSD
3.0 to 3.2
FreeBSD
3.3-11.x
Linux
3.x
Linux
4.x OpenServer
10.x
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001 to 2004
2006 to 2007
2008
2005
2009
2010
2011
2012 to 2015
2016
2017
DragonFly
BSD
1.0 to 4.8
BSD Net/1
m0n0wall
pfSense
OPNsense

15. FreeBSD
_ Originally a fork from 386BSD
_ Originated in 1993
_ Since version 2.0 a fork from BSD 4.4-Lite
_ Free software, open source
_ Under BSD license (Berkeley Software Distribution)

16. FreeBSD
_ Relies on two development branches
_ CURRENT
_ „bleeding edge“ code
_ For developers and testers
_ Code probably contains lots of bugs
_ STABLE
_ Major-releases are built from this branch
_ After successful tests in the CURRENT branch
_ But also a development branch
_ Not suitable for general use

17. FreeBSD
_ Supported (current) versions
_ 10.4 (Legacy Release) → EOL: 31.10.2018
_ 11.1 (Production Release) → EOL: 11.2-RELEASE + 3 months (about August 2018)
_ Future versions
_ 11.2
_ Release in the end of June 2018 planned
_ 12.0
_ Release in November 2018 planned

18. FreeBSD
_ New support model
_ New since FreeBSD 11.0
_ Major versions now supported 5 years
_ Minor versions supported 3 months onlymore (if next minor version is released)
_ Released in February 2015
_ Previous support model (up to FreeBSD 10.*)
_ Normal
_ At least 12 months maintenance
_ Extended
_ At least 24 months maintenance
_ Every second and the last release of a STABLE version
Link: https://www.freebsd.org/de/security/security.html#model

19. HardenedBSD
_ Focus on higher security with layers
_ Fork from FreeBSD
_ Since 2014
_ Function ASLR implemented with project start
_ Address Space Layout Randomization
_ Goal: Mitigation of exploits
Link: https://hardenedbsd.org/content/freebsd-and-hardenedbsd-feature-comparisons

20. ASLR
_ Address Space Layout Randomization (ASLR)
_ Address space randomly allocated for programs, no longer predictable
_ Increases protection against buffer overflows

21. SEGVGUARD
_ Blind Return Oriented Programming (BROP)
_ ASLR can be leveraged under certain circumstances
_ BROP can generate ROP malicious code
_ Needs several attempts
_ Application crashes if BROP is not successful and then restarts
_ SEGVGUARD
_ Fixes the above mentioned brute force method of BROP
_ Prevents the restart of the attacked application
_ Inspired by the Linux PaX patch
Link: https://hardenedbsd.org/content/projects

22. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

23. Initial configuration and secure system
_ Default firewall rule settings
_ LAN→WAN: all allowed
_ WAN→LAN: all denied
_ Create firewall aliases (for IP lists)
_ FireHOL list
_ Spamhaus
_ Threat from inside
_ Restrict LAN→WAN
_ Enable FireHOL list or Spamhaus

24. STEP 1
Default settings
all allowed
LAN→ WAN

25. Initial configuration and secure system
_ Create firewall aliases
_ Placeholders for real hosts, networks or ports
_ FireHOL list
_ level1: Includes fullbogons, Spamhaus DROP & EDROP, dshield, malware lists
_ level2: Addition to level1
_ level3: Addition to level1+2
_ level4: Addition to level1+2+3
_ Spamhaus
_ DROP: Don't route or peer, includes direct allocated networks
_ EDROP: Extension to DROP, includes also suballocated networks
STEP 2
The more
levels applied
= higher risk of
false positives

26. click

28. STEP 3

29. First rule match
Move rules up

30. Initial configuration and secure system
_ Intrusion Prevention System (IPS) Suricata
_ Multi-threaded (Snort is single-threaded)
_ Performance impact
_ at least 2 GB RAM
_ at least 10 GB disk for logging
_ Disable offloading → then Suricata can inspect packets
_ Impact on the throughput performance
_ Benchmarks RI1102D
STEP 4

31. Disable offloading

33. Only for CPUs with
SSE3 support
(Intel only)

34. Scan on WAN or LAN

41. IPS Suricata
_ Additional filtering examples
_ Allow only DACH traffic
_ Block specific SSL fingerprints
(for „fake certs“ from mal. CAs)

43. Only if IPS mode
is activated
SHA1 sum

46. Schedule via cron
update and reload
rules

49. Initial configuration and secure system
_ Proxy
_ Virus scanner via ICAP (Internet Content Adaption Protocol – RFC 3507)
_ Remote Access Control Lists (similar to IP lists, for domains)
STEP 5

61. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

62. Mobile WAN (LTE/4G modem)
_ Example Huawei ME909u-521 (device cuaUx.0)

63. How-to: https://www.thomas-krenn.com/de/wiki/OPNsense_LTE_Verbindung

64. MultiWAN, WAN failover and load balancing
_ eg. Ethernet and LTE uplinks

66. Occasion when
the backup WAN
steps in

67. Select Tier 1 for both
if you want
load balancing

70. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

71. High availability
_ Based on the CARP protocol
„Common Address Redundancy Protocol“
_ Active-passive configuration
_ Advantages
_ If the active firewall fails, the passive one takes over
_ No intervention by users needed
_ Minimal interruption of services
_ Tip: Configure HA beforehand, configure the system, rules and
plugins afterwards

72. High availability
_ Components
_ CARP
_ IP protocol 112
_ Multicast packets for status updates
_ OR: Direct to a specific IP
_ Unique Virtual Host ID (vhid) for every virtual interface
_ pfSync
_ Dedicated interface
_ Direct cabling between the two firewalls
_ Increases security and performance
_ XMLRPC sync
_ Ensures that the configuration of the backup server is in sync

73. High availability
_ Setup and configuration
_ System → High Availability → Settings
_ Master
_ Setup WAN, LAN and pfSync IP
_ Virtual IPs
– Type carp
– For LAN and WAN
_ Slave
_ Setup WAN, LAN and pfSync IP (different IPs to the master!)
_ Outbound NAT → Use virtual IP
_ Config samples: OPNsense Wiki - Configure CARP

74. High availability - Sample configuration
Source: https://wiki.opnsense.org/_images/900px-Carp_setup_example.png

76. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

77. Plugins
_ A vast variety of plugins
_ Easy to install
_ Path: System → Firmware → Plugins

80. Modularity!

81. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?

85. Open source
No license fee
Development in NL + DE
Modern design

86. Hands on webinar (runtime 75 minutes,
german language)
_ www.thomas-krenn.com/opnsense-webinar
_ Speaker Michael Münz
Senior Network Engineer
m.a.x. Informationstechnologie AG
OPNsense Plugin-Developer

88. Have fun with OPNsense!
“Real” Open Source rocks ;-)