OPNSense: Protect Your Home LAN With a Transparent Filtering Bridge with Step by Step Instructions

  • Added 31 March 2024
  • Dave details how to set up OPNSense on a miniPC and how to configure it as a transparent filtering bridge. He also sets up IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) via Suricata and deploys the ClamAV antivirus solution on the router. For my book on life on the Spectrum: amzn.to/49sCbbJ
    Any requests to contact me on Telegram, etc, are scams...
    Errata: OPNSense is FreeBSD, not Linux!
    If you do not have a management interface (third port), don't set the LAN interface IP4 config to None - set a static IP for it so you can still reach it later. Sorry for this oversight!
    Follow me on Facebook at davepl for daily shenanigans!
    Follow me on Twitter at @davepl1968
    Great pfSense tutorial by Network Chuck: • your home router SUCKS...
    How to virtualize a firewall by Techno Tim: • How to Virtualize Your...
    Protectli Vault: protectli.com/
    Dual NIC Mini PC: amzn.to/3xkgM6q
    Elite MiniPC: shop.azulle.com/products/byte...
    $65 Mini PC: www.aliexpress.us/item/325680...
    Recipe for Configuring OPNSense as a Transparent Filtering Bridge:
    www.zenarmor.com/docs/network...
    Download OPNSense: opnsense.org/download/
  • Science & Technology

Comments • 1.1K

  • @bryonnevis2187
    @bryonnevis2187 a month ago +55

    Love the one-liners. @0:57 "The order in which you do things doesn't really matter," said with a completely straight face. CCNA dig pretty funny too!

    • @DavesGarage
      @DavesGarage a month ago +27

      Technically, the order DOESN'T matter if you perform them as a single atomic operation, right? :-)

    • @ingchatboy
      @ingchatboy 9 days ago

      Critical Care Nursing Assistant 😆

  • @takakazushi6703
    @takakazushi6703 a month ago +117

    Love the fact that I could follow your step-by-step without getting lost. Yes! Do more OPNsense stuff. Add a segment on using a machine with built-in Wi-Fi so I don’t have to go down the add a separate access point gadget to complicate matters.

    • @Texan1048
      @Texan1048 a month ago

      My Arris router is a cable + wifi router, pretty rare nowadays to find one of those

    • @drewlarson65
      @drewlarson65 a month ago

      pf/opnsense suck at wifi, don't do this, that's not what they're for. look into openwrt

    • @eDoc2020
      @eDoc2020 a month ago +2

      Built-in Wi-Fi won't work as well as a dedicated AP but more importantly very few chipsets work properly in FreeBSD in AP mode.

    • @takakazushi6703
      @takakazushi6703 a month ago

      Sadly, I COMPLETELY agree with you. THAT is why I’m hoping that people MUCH SMARTER than me (like Dave here) can suggest solutions so we can get that “built into the router” AP without needing that “extra/separate” AP gadget, it’s software and another layer of complexity.

    • @Texan1048
      @Texan1048 a month ago

      @@eDoc2020 it works from 300 feet away, that's good enough for me

  • @ummduhgmail
    @ummduhgmail a month ago +143

    Your opnsense box is several magnitudes more powerful than my desktop, lol.

    • @CiscoWes
      @CiscoWes a month ago +1

      I was thinking the same thing 😂 I’m overdue for an upgrade 😬

    • @Tony-xc5sk
      @Tony-xc5sk a month ago +3

      That makes 3 of us.

    • @TSPhotoAtlanta
      @TSPhotoAtlanta a month ago

      Oh no! Get new pants and shoes when they get worn!

    • @kk0dj
      @kk0dj a month ago

      @@Tony-xc5sk up that 1 to 4 of us!

    • @w0lfgm
      @w0lfgm a month ago

      @@CiscoWes I have i3 10100 lol

  • @mithubopensourcelab482
    @mithubopensourcelab482 a month ago +105

    In my professional life I must have done setup of OPNsense / pfSense more than 300+ times. But, I swear, never heard or imagined transparent filtering bridge. Thank you Dave for enlightening me and the world about it. Will surely put into practice.

    • @DavesGarage
      @DavesGarage a month ago +25

      Glad I could bring something new to the table!

    • @perwestermark8920
      @perwestermark8920 a month ago +2

      Have had it on my todo to figure out how to set up transparent filtering on a naked Linux system. But too many other tasks taking time.
      In my case, I want an existing firewall to believe an external box with modem should look like a local interface so the firewall sees (and thinks it owns) the public IP.

    • @abdulsalamshar5601
      @abdulsalamshar5601 26 days ago +2

      Yeah, he reaches Saudi Arabia also, I will do as he advises, thanks Dave

    • @SpriGgEx
      @SpriGgEx 25 days ago

      Me neither, and I still don't really see what the point of it is. It doesn't come clear to me in this video.

    • @perwestermark8920
      @perwestermark8920 25 days ago +4

      @@SpriGgEx Transparent here means it looks like a layer 2 switch. No changes to any IP numbers. So it isn't visible. Until one of the firewall rules decides to block something. Then it's just a magic cable that blocks the bad connections.
      So the computer on the inside can still believe that it owns the public IP number and runs without firewall.
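
To make the "layer 2, no IP changes" point concrete, here is a small added Python model (my example, not code from the video, from OPNsense or from the commenter): a filtering bridge either hands a packet's bytes on untouched or drops it by rule, while a NAT router next to it rewrites the source address and has to recompute the IPv4 header checksum. The addresses, deny rules and packets are constructed sample values.

```python
"""Toy model: transparent filtering bridge versus NAT router (added example).

Nothing here touches a real network; the packets are built in memory.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges and RFC 1918 space).
PUBLIC_IP = "203.0.113.10"      # the inside host holds this address directly behind a bridge
REMOTE_IP = "198.51.100.7"      # a host out on the internet
NAT_INSIDE_IP = "192.168.1.20"  # what the same host would hold behind a NAT router
NAT_OUTSIDE_IP = PUBLIC_IP      # the NAT router's own public address

PROTO_TCP = 6

# Constructed deny rules as (protocol, destination port); anything else is forwarded.
DENY_RULES = {(PROTO_TCP, 23), (PROTO_TCP, 445)}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4 header (no options, valid checksum) followed by the TCP port fields only."""
    payload = struct.pack("!HH", sport, dport)  # the filter only needs the ports
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      PROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Pull out the fields a rule table looks at."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "sport": sport, "dport": dport}


def bridge_forward(pkt: bytes) -> Optional[bytes]:
    """Filtering bridge: the very same bytes leave the other port, or nothing does.

    No address is rewritten, so hosts on both sides keep seeing each other's real IPs."""
    fields = parse_packet(pkt)
    if (fields["proto"], fields["dport"]) in DENY_RULES:
        return None
    return pkt


def nat_forward(pkt: bytes) -> bytes:
    """Contrast: a NAT router rewrites the source address on the way out and fixes the
    IP header checksum (a real one also fixes the TCP checksum, omitted in this model)."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = IPv4Address(NAT_OUTSIDE_IP).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo() -> dict:
    """Run the three cases and report what a reader would want to verify."""
    outbound = build_tcp_packet(PUBLIC_IP, REMOTE_IP, 50000, 443)
    inbound_telnet = build_tcp_packet(REMOTE_IP, PUBLIC_IP, 40000, 23)
    natted = nat_forward(build_tcp_packet(NAT_INSIDE_IP, REMOTE_IP, 50000, 443))
    return {
        "bridge_unchanged": bridge_forward(outbound) == outbound,
        "bridge_blocked_telnet": bridge_forward(inbound_telnet) is None,
        "nat_src_after": parse_packet(natted)["src"],
        # summing a header that includes its own checksum yields zero when it is valid
        "nat_checksum_valid": ipv4_checksum(natted[:20]) == 0,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bridge function is the whole point of the comparison: its only two outcomes are "identical bytes" or "nothing", which is why the inside host still believes it owns the public address and why the box is invisible until a rule fires.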

  • @jordanmelville5786
    @jordanmelville5786 a month ago +10

    Love everything you do Dave! As someone who will be doing the same thing when my new rack mount server arrives I do hope you make more videos on this and similar topics. Your experience and teaching style "works" for me - and I am thankful to have found your channel!

  • @MartinStrazynski
    @MartinStrazynski a month ago +50

    This is exactly the sort of opnsense configuration I was looking for to implement for home clients. Beautiful, clear and concise video. Much appreciated. Looking forward to more content!

  • @Aint1S
    @Aint1S a month ago +81

    Like the no ads at the start... Easy to settle into the video. 👍🏼👍🏼

    • @thaphreak
      @thaphreak a month ago +5

      get premium, seriously, it makes youtube everything you want it to be

    • @pete3897
      @pete3897 a month ago +8

      @@thaphreak really? it will filter sponsor messages that creators include in their videos?! sign me up!

    • @Alex-ii5pm
      @Alex-ii5pm a month ago

      @@pete3897 no it won't

    • @R07ishere
      @R07ishere a month ago

      @@pete3897 There is an extension that does this called "SponsorBlock for YouTube". It's a game changer.

    • @scottkuzma125
      @scottkuzma125 a month ago

      @@pete3897
      Almost really, however you can scrub past that stuff, so yeah…really is worth the cost of admission.

  • @grantc8353
    @grantc8353 a month ago +17

    Thanks Dave. You had me up till 3am as a spur of the moment setting up a new router. My boss said to tell you not to do it again. Thanks 😅

  • @DavidHuffTexas
    @DavidHuffTexas a month ago +131

    _"Errata: OPNSense is FreeBSD, not Linux!"_ I'm an old, grey-bearded Unix sys admin, and that makes me like it even more.

    • @JeordieEH
      @JeordieEH a month ago

      That is what I was wondering, I remember pfsense was unix and I thought maybe they ported it over to Linux? Thanks for the clarification.

    • @imadam
      @imadam a month ago +1

      why do you hate linux?

    • @AlexanderWeurding
      @AlexanderWeurding a month ago

      If you are old... like me, you will for sure like the documentary "Nerds 2.0.1: A Brief History of the Internet". It is by Robert X. Cringely; he made some really great documentaries about the beginning. A must watch :) :)

    • @esk103
      @esk103 a month ago +3

      You mean there are other *nix based OSs than Linux? FreeBSD is one of the OG versions of Unix. It is horrible what AT&T (or whatever their name was at the time) did to this *nix branch!

    • @weekendwarrior3420
      @weekendwarrior3420 a month ago

      Which severely limits it in wifi support, for example. I'd love it to be based on Linux. I guess this "ex-MS" guy doesn't see the difference, because he said "Linux" at least twice. Geez...

  • @SpaceCadet4Jesus
    @SpaceCadet4Jesus a month ago +3

    I jumped off the slow moving Ubiquiti ship and landed on a Firewalla Gold life raft. So impressed with this little setup after testing that I'm putting them in client offices now.
    Setting it up takes less than two minutes and further desired segregation/isolation changes are so easy I don't have to bring my networking knowledge.
    So easy to setup a mess of these around the state and control them from one browser tab at home office.

  • @sirjeffreyclaude
    @sirjeffreyclaude a month ago +1

    First time here and I particularly like the straight forward approach to "like, subscribe, and join". Sharing valuable information is what brings me to YouTube and keeps me coming back. Step by step instructions make the difference.

  • @kstaxman2
    @kstaxman2 14 days ago

    This looks like a simple way for most of us to add security and avoid the headaches of having to mess with the rest of our network. Every time I've looked at setting up something like this I've worried about just what you said, ending up with my network down and no understanding of how to get it back up. This set up doesn't leave you facing that prospect. Thanks so much for sharing this with us all. I'll be giving this a try.

  • @TDawgBR
    @TDawgBR a month ago +76

    I appreciate the straight forward approach Dave, and I've noticed quite a few experts nit-picking, I haven't seen anything significant enough to disregard the video. Thanks for this.

    • @alexatkin
      @alexatkin a month ago

      If you Google for Suricata there's plenty of people talking about how often it blocks things due to false positives and it won't see most malware as it's delivered over SSL. The best you can really do is region and IP blocklists which require much less CPU power.

    • @stephensalex
      @stephensalex a month ago +2

      Experts who needlessly nit-pick are just being difficult. Source, I work in the industry and listen to it daily. From a big-picture standpoint the video is great.

    • @ICEMANZIDANE
      @ICEMANZIDANE a month ago +3

      a grown up man advocating for a youtuber.
      You don't need to defend him, he is old enough and probably accepts his mistakes. Gotta love Fans of youtubers, DONT BE a fan of a youtuber.

    • @MrCalldean
      @MrCalldean a month ago +3

      @@ICEMANZIDANE Yawn. I got bored after grown up.

    • @ltlking
      @ltlking a month ago +4

      @@ICEMANZIDANE Assumption much? Maybe he’s just offering a fellow human being some kindness and support. Even grownups appreciate an attaboy from time to time. If you think that’s only for kids, then I’m sorry for you.

  • @dominator2117
    @dominator2117 a month ago +5

    Man, when this guy posts you know it's going to be a good video!!! Very Excited for this one!!!! Thanks Dave!

  • @pc-fc9du
    @pc-fc9du 20 days ago +1

    This video was linked in a forum post so I watched out of curiosity especially regarding the transparent bridge since I already use OPNsense. Getting to the end, I decided I would subscribe (was watching it on the forum site) and arriving at YouTube discovered I already had, so changed my alerts to 'all' and tapped the like. Very well done video, clear and easy to follow, thank you.

  • @gregjones3952
    @gregjones3952 a month ago +6

    Appreciate the straight forward approach you use. Would love to see more content like this.

  • @thatcreole9913
    @thatcreole9913 a month ago +3

    Yeah this is perfect. Would love a deeper episode digging into the experience.

  • @johanbtheman
    @johanbtheman a month ago +5

    Back in the days we called it ”bump in the wire”. Have set up a few cisco ASA with transparent filtering. Love your videos ❤ / retired CCNP-R/S, CCNP-S 😅

  • @kevinsadowy5602
    @kevinsadowy5602 a month ago +2

    I appreciate your no nonsense approach to narration. Then add just a bit of humour to fill the time as needed. 👍

    • @BB-nn9en
      @BB-nn9en 15 hours ago

      Same. I can't stand modern YouTube and their rewarding of crap filler content to meet a certain video length.
      Thanks Dave!

  • @lacklustre222
    @lacklustre222 28 days ago +1

    Wow you’re such a good explainer! I just got a Lenovo tiny pc to make my own router and I love the fact that you said all the pros and cons of keeping your isp router. We need more of this content! You’re great keep it up

  • @JafiB
    @JafiB a month ago +3

    Thank you for delving deeper into this subject, please keep this type of content coming! I'm also on the spectrum and as an AuDHDer I find your presentation suits me better than most YouTube creators as it's to the point! I need all go and low show to get through tutorials and can follow along with you without losing interest waiting for the next step! Keep up the great videos and thank you for all you have done for us geeks on the spectrum!

  • @garynagle3093
    @garynagle3093 a month ago +3

    Wow. Love seeing these type of videos. Your presentation is great. I need to do this to my setup!!!

  • @bjackman16502
    @bjackman16502 a month ago

    Actually just updated my firewall at the beginning of 2024. Using a "Qotom Q20332G9-S10" 4 x 10gbps SFP+ ports, 5 x 2.5gbps rj45 ports, 64 GB Ram, 2TB NVMe m.2. Running Proxmox on the bare metal with OPNSense as VM, as well as PiHole as another, and my Cloud Backup as a third. Works very well. About $500 USD all in. Love your content Dave!

  • @drewk3402
    @drewk3402 a month ago +2

    This episode was interesting and entertaining, Dave. More, please!

  • @jp-ny2pd
    @jp-ny2pd a month ago +7

    OPNSense is what I use for a lot of BGP edge routers. It works great for sub-10Gig networks. There's also a lot of ISP modem/router combos that mess up IPv6 in bridge mode. So there's a decent chance you may no longer have IPv6 when not using their router.

  • @airborneinferno
    @airborneinferno a month ago +4

    You're tempting me into trying this out. I have a 1Gbps connection which my Unifi UDR can't pass fully when running the on board IDS & IPS so this transparent filter makes a lot of sense to me. Thanks for the guidance and will try this out soon when I have found a suitable box to load it onto.

  • @robersonorg
    @robersonorg a month ago +1

    Thank you.
    Well Done.
    Your presentation style makes it a pleasure to revisit old times (Tech, in my case) and still tinker with the house set up!

  • @yourdogsnews
    @yourdogsnews a month ago +1

    Thanks Dave, I didn't even know this was out there. The whole reason I come here.

  • @justnicksc
    @justnicksc a month ago +3

    Thanks for the demo. I really enjoy the content you make and have learned a lot of great tips from your channel

  • @jaredlozano1692
    @jaredlozano1692 a month ago +25

    This is my first hearing of a transparent filtering bridge, thanks for sharing. 👍

    • @kahrhoshe
      @kahrhoshe a month ago

      Me too, and I'm in the internet biz lol

    • @tolpacourt
      @tolpacourt a month ago

      firsttime hearings

  • @ajmeyer66
    @ajmeyer66 13 days ago +1

    This all works nicely provided that the router supplied by your ISP is not doing your Wi-Fi. If it is then anything connected to the Wi-Fi will simply bypass the OPNSense filtering bridge.

  • @scotterdog1036
    @scotterdog1036 a month ago +2

    I could just hug you Dave! Thank you.

  • @michaeldeloatch7461
    @michaeldeloatch7461 a month ago +4

    Thanks Dave -- just about the best content yet among all your vids I have watched.

  • @What_s_Neu
    @What_s_Neu a month ago +7

    Dive deeper! You make great videos explaining things so good.

  • @raypol1
    @raypol1 a month ago

    Thanks Dave, I was just looking at getting a physical firewall and your video is really great for getting started.

  • @RHviddiz
    @RHviddiz a month ago +2

    Just here for the thumbnail. Dave epic videos slam dunks inspiring to us who are trying to break into and get a glimpse of IT

  • @CedroCron
    @CedroCron a month ago +3

    Dave... More Please!! Thanks for the great video today as well.

  • @lgf30022
    @lgf30022 a month ago +4

    Thanks for this. Now my next network project!

  • @Nerzhina
    @Nerzhina a month ago

    Hi Dave. You are both brilliant & a genius at these essential, practical IT video tutorials. Magnificent content. Bravo!

  • @JarrydHall
    @JarrydHall a month ago +1

    Great straightforward approach Dave. Very interesting video.

  • @RegularCupOfJoe
    @RegularCupOfJoe a month ago +4

    Thank you, Dave. I'm the go to "network admin" for many in my family as well as a few business/organizations. I've used PiHoles, which are ok for light or low traffic networks, but I've found that I need a lot more power. Thank you for showing us this. I will start tinkering with it myself and then see if I can apply this to (especially) the businesses and organizations whose networks I help keep up to date. Please share more OPNSense stuff.

    • @unicaller1
      @unicaller1 a month ago

      The Unbound DNS plugin does a good job for DNS filtering, Pi-Hole is hard to beat from an admin and stats standpoint though.

  • @MompfDompf
    @MompfDompf a month ago +3

    Love your videos, because it gives me some ideas, what to do in the near future on my home network. I'm now so far, as having VLANS to separate any kind of critical stuff, IoT(rash), Wifi etc. But your videos give an inspiration to my next further steps. Thank you so far.

  • @uknowme1811
    @uknowme1811 a month ago

    Dave I love your approach ..All killer, no filler. Got a new sub!

  • @vveso
    @vveso a month ago +3

    Awesome video Dave, very educational and helpful for home protection. Easy to follow along as well! Much appreciated!

  • @stucorbishley
    @stucorbishley a month ago +6

    While I probably won’t go the transparent bridge route (pun intended), seeing OpnSense being run through like this makes me want to dive in. Been running MikroTik gear for over a decade and have been curious about OpnSense but often ended up overwhelming myself with info and putting it on the back burner. Great video!

    • @QualityDoggo
      @QualityDoggo a month ago +2

      MikroTik makes cool stuff too... there's always a trade off as things become more hardware-focused or software-defined. They seem to be a good mix in between.

    • @priyanrajeevan
      @priyanrajeevan a month ago

      cheap mikrotik router + their winbox ui is quick and simple , swiss knife for the network

    • @stucorbishley
      @stucorbishley 12 days ago

      What is (or is there) the equivalent for transparent filtering bridge for MikroTik, seems pretty CPU intensive so thinking it’s not something a 750 series would offer..

  • @johnnyjohnson6771
    @johnnyjohnson6771 5 days ago

    Great video on a subject we all need. I love the direct, fast and no bull crap delivery. Please keep up with this type of content. Now subscribed and looking forward to more.....

  • @xellaz
    @xellaz a month ago +2

    Good video! I might try to put this in front of my Firewalla box as a transparent bridge with protection rules as you showed and see how it goes. 😁

  • @mattador1846
    @mattador1846 a month ago +3

    Bravo! Great content, would like to see more of a deep dive in this and more similar content. Thank you Dave!

  • @DaveBoxBG
    @DaveBoxBG a month ago +3

    MORE PLEASE! This was awesome!

  • @davecarrcou
    @davecarrcou a month ago +2

    As always, I can't get enough! More please!

  • @WillieHowe
    @WillieHowe a month ago +2

    Great video, Dave. Transparent bridging is a jewel that often gets overlooked. You can also do it with the Synology routers -- which IMO have the best parental and content filters available in their price class.

  • @richziegler4194
    @richziegler4194 a month ago +13

    Upgraded from Subbed to "Notify All" This is EXCELLENT content!

    • @JohnPMiller
      @JohnPMiller a month ago +2

      He's a "solid bell" for me too.

    • @Ozz465
      @Ozz465 a month ago +1

      The moment his style sunk in, I did the same. Straight to the nitty gritty. Love it

    • @airsay
      @airsay a month ago +1

      Just upgraded to subscribe. Notify all loading

  • @funtimes9098
    @funtimes9098 a month ago +4

    I loved this video! And I would also love to see a deeper dive into opensense!!

  • @RobertWallace
    @RobertWallace a month ago +1

    Thanks for this video. It's not the first video from the channel I've seen, but it's the one that made me subscribe. I'm looking forward to more OPNsense videos since I'm looking at setting it up as my main router\fw.

    • @l0gic23
      @l0gic23 17 days ago

      Me too, same here

  • @larry400
    @larry400 a month ago

    Been using pfsense for years as a secondary firewall device on a backup network service, but never seen anything like this. Thanks for the new information and will put it to use very shortly. Need to get a device for home.

  • @bradouellette1032
    @bradouellette1032 a month ago +3

    Been running pfsense as my main router for 17 years. Love your videos. One thing I would add. If people are using the Internet Provider's box, they usually include WiFi, and with your transparent filtering setup it won't see wifi packets.

    • @johnnygolden7401
      @johnnygolden7401 a month ago +4

      I plan to disable the wifi from the ISP box and implement a much better managed wifi router behind the OPNSENSE bridge that has full capabilities compared to most ISP boxes these days that limit what you can and can't do

    • @a9fc
      @a9fc 24 days ago

      hmm this would be only if they're not using the ISP's box only as a bridge?

    • @notaras1985
      @notaras1985 15 days ago

      @@johnnygolden7401 which did you order

  • @Techintx
    @Techintx a month ago +15

    In grade school my parents got me an Atari 2400, and it was so cool. That got me into electronics. Then I mowed a lot of lawns and bought a TI 99/4a, and that got me on a route towards computer science. Now I am a cofounder of a shop that makes software that has helped change the world.
    Don’t discount consoles, but understand the power of a fully customizable computer.

    • @michaeldeloatch7461
      @michaeldeloatch7461 a month ago +2

      OK Dave -- show us an OPNSense install on a TI99 ! Definitely not comparable to the Intel Atom, so it should work pretty good, right?

    • @IBM29
      @IBM29 a month ago +4

      As a 5th grader in 1967, I would occasionally help my father transcribe his handwritten FORTRAN programs into something an IBM 1130 could read, using, you guessed it, an IBM29 80 Column Card Puncher. (He was getting his BSEE via night classes compliments of his employer.)

    • @Techintx
      @Techintx a month ago

      @@IBM29 oh god, I remember once helping my dad and dropping a whole stack of punchcards. I don’t remember anything after that.

    • @Techintx
      @Techintx a month ago

      @@michaeldeloatch7461 lmao!!!

    • @Techintx
      @Techintx a month ago

      @@michaeldeloatch7461 It’d actually be really fun to see that happen. I’d imagine you’d get close to 309K baud, if not less.

  • @paulo.valverde
    @paulo.valverde a month ago +2

    Great quality tutorial! Subscribed! Maybe in the future dive into more network segmentation and combining routers and switches.
    I liked the way you explained things! Very clear and easy to follow.

  • @mowtown75
    @mowtown75 a month ago +2

    Enjoyed that, and love that we average Joes can take back some control at little expense. Thank you Dave!

    • @mowtown75
      @mowtown75 a month ago

      BTW I paused and went to google for a win.ini file example to remember what I used to do, I think it was there that I did dual booting back in the 90's :)

  • @3dmakerzone75
    @3dmakerzone75 a month ago +4

    Great rapid fire information on OPNSense. I would like to see a deep dive.

  • @alunhassall
    @alunhassall a month ago +4

    More opnsense videos please. You make it so easy!

  • @galactus1959meridian
    @galactus1959meridian a month ago

    Thank You! The sooner the better the deeper dive!

  • @GxRizzle
    @GxRizzle 20 days ago

    Great Video, Dave! I love the direct-to-the-point instruction. The dead-pan humor is great as well!

  • @3rett115
    @3rett115 a month ago +32

    This is a great start, but unfortunately IDS/IPS is severely limited to being almost useless because of HTTPS/TLS. A PKI can help quite a bit but is more advanced configuration and introduces issues itself with certificate pinning. I would recommend a video on EDR or even something like Crowdsec, which is more effective than an IDS transparent bridge.

    • @DaveGamesVT
      @DaveGamesVT a month ago +4

      Yeah, I was wondering about that. Surely it wouldn't be able to inspect HTTPS/TLS packets...?

    • @mattheww797
      @mattheww797 29 days ago

      is it possible to test downloading the test virus from antivirus site and seeing if ids/ips catches it?

    • @freespeech2007
      @freespeech2007 28 days ago

      I asked AI - Certainly! Detecting viruses over HTTPS (encrypted) delivery is a crucial aspect of network security. Here’s how Intrusion Prevention Systems (IPS) handle this:
      Traffic Inspection:
      - HTTPS traffic is encrypted using TLS/SSL protocols, making it challenging to inspect the payload directly.
      - However, modern IPS solutions can perform deep packet inspection even on encrypted traffic.
      - They achieve this by: decrypting the encrypted traffic temporarily; analyzing the decrypted content for malicious patterns; re-encrypting the traffic before forwarding it to the destination.
      Challenges:
      - Performance Impact: Decrypting and re-encrypting traffic adds computational overhead, affecting system performance.
      - False Positives: Decrypting traffic may lead to false positives if the IPS misinterprets benign content as malicious.
      - Privacy Concerns: Decrypting user data raises privacy concerns, especially in enterprise environments.
      TLS Inspection:
      - Some IPS systems support Transport Layer Security (TLS) inspection.
      - They maintain a database of trusted certificate authorities (CAs) and use it to validate server certificates during decryption.
      - If a server certificate is not trusted or revoked, the IPS can block or alert on the traffic.
      Signature-Based Detection:
      - IPS systems use signature-based detection to identify known malware patterns.
      - They maintain a database of signatures for various threats.
      - When inspecting decrypted traffic, they compare it against these signatures.
      Behavioral Analysis:
      - Advanced IPS solutions employ behavioral analysis.
      - They learn normal traffic patterns and detect anomalies.
      - For example, if an encrypted connection suddenly transfers large files, it might raise suspicion.
      Heuristics and Machine Learning:
      - Some IPS systems use heuristics and machine learning.
      - They analyze traffic behavior and adaptively learn to identify new threats.
      Evasion Techniques:
      - Malicious actors use evasion techniques to bypass IPS inspection.
      - They split payloads across multiple packets or use obfuscation.
      - Modern IPS solutions continuously evolve to counter these techniques.
      In summary, while detecting viruses over HTTPS is challenging due to encryption, modern IPS systems employ various techniques to inspect and protect against threats even within encrypted traffic.

    • @jroysdon
      @jroysdon 16 days ago +2

      @@DaveGamesVT - it can still tell domains/IPs and block known-bad or known-compromised sites. But, yes, to really inspect, it would need to MitM the HTTPS traffic to decrypt, inspect, and then encrypt it again. But it can still detect many types of traffic without decryption, just not payload inspection.

    • @DaveGamesVT
      @DaveGamesVT 15 days ago +1

      @@jroysdon I'm a newbie to this topic but wouldn't that make the virus scanning option for this completely useless?
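
On what a bridge sensor can and cannot see once traffic is TLS: the handshake's ClientHello carries the server name (SNI) in clear text, while the application-data records that follow are opaque unless the box intercepts the session. The added Python example below (mine, not Suricata's code and not anything from the video) builds a constructed ClientHello, extracts the SNI the way a passive sensor on the wire would, matches it against a constructed blocklist, and reports application-data records as uninspectable. The domain names and the blocklist are made-up sample values.

```python
"""What a non-decrypting bridge sensor sees in TLS (added example, constructed data)."""
import struct
from typing import Optional

# Constructed blocklist; in practice this would come from a threat-intel feed of known-bad names.
BLOCKLIST = {"malware-test.example", "phish.example"}

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x00


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record; server_name=None omits extensions."""
    body = (b"\x03\x03"                            # client_version
            + b"\x11" * 32                         # random (constructed, not random)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00")                         # compression methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record to the server_name extension; None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # skip version and random
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        if pos + 2 > len(body):
            return None                                        # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def inspect_record(record: bytes) -> dict:
    """Verdict a passive, non-decrypting sensor can give on one TLS record."""
    if not record:
        return {"verdict": "pass", "reason": "empty record"}
    if record[0] == TLS_APPLICATION_DATA:
        return {"verdict": "pass",
                "reason": "encrypted application data; payload not inspectable without TLS interception"}
    if record[0] == TLS_HANDSHAKE:
        sni = extract_sni(record)
        if sni is None:
            return {"verdict": "pass", "reason": "handshake without a readable server_name"}
        verdict = "alert" if sni in BLOCKLIST else "pass"
        return {"verdict": verdict, "sni": sni,
                "reason": f"server_name {sni} {'is' if verdict == 'alert' else 'is not'} on the blocklist"}
    return {"verdict": "pass", "reason": f"record type {record[0]:#x} not handled"}


def run_demo() -> list:
    """Constructed traffic: a blocked name, a clean name, no SNI, and opaque application data."""
    samples = [
        build_client_hello("malware-test.example"),
        build_client_hello("www.example.com"),
        build_client_hello(None),
        bytes([TLS_APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", 6) + b"\xde\xad\xbe\xef\x00\x01",
    ]
    return [inspect_record(s) for s in samples]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The third and fourth samples are the limits the thread is arguing about: a ClientHello with no server name gives the sensor nothing to match, and once the handshake is over every record looks the same, so a file-based scanner on the bridge has nothing to scan unless the session is intercepted.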

  • @sitemech1515
    @sitemech1515 a month ago +2

    Nice one Dave! just what I've been looking for.......

  • @Everett737
    @Everett737 8 days ago

    Wow, thanks for sharing your knowledge Dave! I went on an epic learning journey but finally got it all working. I used what I had, an older gaming PC and installed a dual 10-Gig NIC from an out of commission NAS. Of course OPNsense didn't support that particular card natively, so I got to learn how to compile a driver in a FreeBSD environment and how to patch it so that the interface survives a boot cycle. I learned how to designate a LAN and a WAN. The SATA M.2 I had on hand had FreeNAS installed on it, so I got to learn how to use Diskpart to clean it. My At&t modem doesn't have bridge mode, so I got to learn how to set up IP passthrough. So I also got to learn how to change the default LAN IP and change the listen interface settings so the webGUI would be accessible after setting up the bridge. It was a lot, but I learned a lot and had fun in the process! Thanks again!

  • @GeorgeMixalis
    @GeorgeMixalis a month ago +7

    This is like the worst video thumbnail in the history of youtube, but I can't help but love it 😊. Great video and content as always

  • @truckerallikatuk
    @truckerallikatuk a month ago +51

    I use PFsense myself. An excellent product.
    Quick edit: gigabit only needs a reasonably new Atom, or a Sandy Bridge era pentium... Dave is right, faster needs more horsepower, especially with IDS/IPS. Also: PF and OPN sense are BSD based, not Linux. Not that it matters.

    • @JohnPMiller
      @JohnPMiller a month ago +9

      It can matter for hardware support. Linux supported Intel i226 NICs before FreeBSD. I use pfSense CE, but I'm thinking of switching to OPNsense. I'm worried that pfSense CE could become paid software like pfSense Plus.

    • @ChrisMilton-Miltron
      @ChrisMilton-Miltron a month ago +2

      BSD\UNIX\LINUX same thing.

    • @ralmslb
      @ralmslb a month ago +11

      Regarding being BSD based and not Linux, it does matter.
      The reason I stopped using PFSense, was essentially due to the extremely out of date Intel drivers.
      Switched to Linux (using VyOS), the exact same box, had a 4x performance improvement doing the same thing.

    • @darkdelta
      @darkdelta a month ago +1

      Me too, got a Netgate 4100, mounts in my rack. pfsense, lots of packages to choose from.

    • @ramosel
      @ramosel a month ago +3

      I run pfSense+ with Snort (inline) and pfBlockerNG on a Netgate SG-4860 appliance. I rarely see CPU usage over 20%... and that is only an Atom 4 core C2558. I really like having the ZFS Boot environments.

  • @coreyman00
    @coreyman00 a month ago +1

    Amazing, been running OPNsense for about a year now, when I got my Fiber in at the home

  • @paris3380
    @paris3380 19 days ago

    That’s the solution I was looking for for my network! Looking forward to the deeper-dive videos! Thanks!

  • @thepcenthusiastchannel2300
    @thepcenthusiastchannel2300 a month ago +26

    I've been running pfsense since 2018 with version 2.4.3. Currently running 23.09.1. It's been very solid for me. I have the AV, IPS, IDS, etc all enabled and route at 10Gbps over Multimode Fiber and SFP+. I went with an AMD Ryzen 7 5700GE as the CPU for it with 16GB of RAM. It's enough for my 10Gbps FTTH Internet connection and multiple users as well as a VPN.
    To me, it's a solid system and I don't know how I ever did before by buying proprietary Cisco Meraki stuff that cost an arm and a leg in licensing. I really like pfsense and I recommend it.

    • @bdlii
      @bdlii A month ago +1

      Cool man. What do you use for your VPN client? I tried setting up a native W10 client but didn’t have much luck. Planning to try again and do more searching on best options.

    • @jondonnelly4831
      @jondonnelly4831 A month ago +2

      That is one fat pipe!

    • @jondonnelly4831
      @jondonnelly4831 A month ago +2

      I used to do the UniFi stack and ripped it all out. I went for MikroTik, a cheap 2.5G switch and a NAS using an AMD 4600GE and a stack of cheap NVMes. SMB 3 can combine 2.5G so the NAS has 5G and so does my main PC. I have a WiFi 6E AP with a 2.5G uplink that covers the whole house, with 2.4GHz switched off, for everything else except my media PC which is on 2.5. It works ok. Sometimes the MikroTik router crashes so I added a fan to it and set it to reboot once a week (2 different issues). The NAS uses no RAID and backs up to a pair of 10TB WD Gold on an external caddy. I can literally grab them and have everything. Photos and docs sync to Google Drive. 1G symmetric FTTH is the fastest I can get.

    • @StephenMcGregor1986
      @StephenMcGregor1986 A month ago +1

      pfSense is epic

    • @thepcenthusiastchannel2300
      @thepcenthusiastchannel2300 A month ago

      @@bdlii I use OpenVPN still. Old habit. There is WireGuard now also available but I haven't configured it yet.

  • @ericandrews4861
    @ericandrews4861 A month ago +4

    Would love to see more in-depth configuration follow up.

  • @user-uh4zx6jc4n
    @user-uh4zx6jc4n A month ago +2

    Nice explanation David. Another project placed on my "To Do List".

  • @jjolleta
    @jjolleta A month ago +1

    Fantastic video Dave, I'm a noob in OPNsense and this is a good beginning to make it work, thanks a lot

  • @lingfish1
    @lingfish1 A month ago +359

    Critical Care Nursing Assistant... lol.

    • @danman32
      @danman32 A month ago +1

      I was wondering if he was joking or not.
      But it's 4/1, is it not?

    • @xWaLeEdOoOx
      @xWaLeEdOoOx A month ago +5

      It went past me for a moment, then I was like, wait a min... what?!

    • @walter.66
      @walter.66 A month ago +2

      😂 brilliant.

    • @mitya
      @mitya A month ago +2

      Still beats MCSA :)

    • @thentil
      @thentil A month ago +4

      Made me actually laugh out loud 😂

  • @joebelson7122
    @joebelson7122 A month ago +3

    Incredibly helpful. I'm typically overcautious whenever touching my OPNsense configuration, having caused some self-inflicted outages - due to ignorance & an inherent RTFM aversion.
    Dave, thank you for vetting IDS & IPS and ClamAV and showing us how to implement. I am hopeful that you will decide to help us with more OPNsense configuration help.
    I'm using my implementation for: VLAN segregation (tv, cams, laptops, iot, printers, guests), DHCP, firewall (internet, no internet, and port filtering). How would I implement country filtering?

  • @rjstewart
    @rjstewart 11 days ago

    Back around 2000 we implemented a filtering bridge (we called it a Fridge since it was an appliance lol).
    IIRC it was built on one of the BSDs which had the quirky feature at the time of being able to inspect IP packets with the interfaces bridged and no IP address bound.
    It was the outside firewall on a DMZ for a large law firm. One of the selling points was you physically had to walk up to it to do anything to it!

  • @user-sd6rl9ym4r
    @user-sd6rl9ym4r 13 days ago

    I can so relate with your sense of humor! I enjoy your explanations and recommendation. Please keep at 'em!

  • @JohnPMiller
    @JohnPMiller A month ago +5

    14:57 Dave's book helps you understand autism, how to adapt, childhood, parenting, relationships. It's good for anyone who might be or might interact with those on the autism spectrum (and anyone working in tech). I recommend his book without hesitation. I had my local library buy a copy.

  • @bubaks2
    @bubaks2 A month ago +5

    Shoutout to Chuck!

    • @Anthony-pk8mf
      @Anthony-pk8mf A month ago +1

      Yes, the Critical Care Nurses Assistant

  • @dcc1165
    @dcc1165 A month ago +14

    FYI -- small technical note - OPNsense is FreeBSD based, not Linux - big difference to guys like me who nitpick about the differences...lol...but in the *nix world these days, it hardly matters :). I currently run pfSense and for some reason, it doesn't want to update to the latest version. Some plugins I use (especially pfBlocker) can't be upgraded because they require the updated pfSense OS, which means those plugins are no longer the latest version. Since I'm looking at a reload/rebuild to get to the latest pfSense version, I may opt for OPNsense, thanks to this video. :)

    • @BPL-Whipster
      @BPL-Whipster A month ago

      OPNsense is great. Deciso also offer commercial support but don't seem to be mega cash grabby yet. There's also a third party add-on (Zenarmor) available that gives you NGFW features like content filtering and other fancy crap. I'd use it for customers, no problem.

    • @mithubopensourcelab482
      @mithubopensourcelab482 A month ago

      If your pfSense is failing to upgrade, here is the super secret sauce to correct the situation. Just run it in the pfSense shell [press f8 on the pfSense console or SSH in]:
      certctl rehash
      pkg-static update -f
      pkg-static install -fy pkg pfSense-repo pfSense-upgrade
      Once completed, just visit Upgrade and you will get the latest updates.

    • @rjy8960
      @rjy8960 A month ago +1

      The use of FreeBSD as a base platform is great from a stability perspective - it is pretty much bombproof as far as *nix is concerned but the community is very slow to add new device drivers and then it takes an extra age for the drivers to trickle down into pfSense and OPNsense. OPNsense seem to be more responsive to adding new PHY support than pfSense but it is still a lengthy process. It's a stability vs new shiny thing support tradeoff. Not that we don't need support for new shiny things.
      I've been running pfSense for a few years and I'm comfortable with it. But it comes down to what you prefer and get used to. Both forks are great.

  • @spuds7677
    @spuds7677 A month ago +3

    This reminds me of the old SmoothWall I had set up years ago. I had 3 NICs in it, so I could have an in, an out and a DMZ.

  • @Craigeek
    @Craigeek A month ago

    I've been running OPNSense for about 7 years now. Minor correction, OPNSense is FreeBSD/Unix, not Linux. Great video Dave!

  • @auroraborealis5565
    @auroraborealis5565 5 days ago

    I came here for direction on Critical Care Nursing Assistant training, and I got it. Subscribed.

  • @_goobs
    @_goobs A month ago +1

    Thanks for this. I've been using OPNSense for a while and didn't realize I wasn't getting the most I could out of it.
    And Chuck's a smart guy, but thanks for making content that's easier to digest.

  • @Surgekid31134
    @Surgekid31134 A month ago +5

    Love it Dave ! You should make your own fork of this. “DaveSense” 😀

  • @kmolder9499
    @kmolder9499 A month ago +5

    Your previous video was so popular a Telegram scammer reached out to me pretending to be you. This person told me I had won a MacBook Pro and iPhone Pro... all for being such a great subscriber.

    • @id104335409
      @id104335409 A month ago

      You are!😊

    • @EnVideoZone
      @EnVideoZone A month ago +2

      Same thing happened to me with Explaining Computers - they should leave our teachers alone!

    • @paulw7404
      @paulw7404 A month ago +1

      I always ask them to send me their credit card number, SS number and mother's maiden name before any further communication from them!

  • @tomkimes
    @tomkimes A month ago

    Great video, informative and straightforward configuration description - just how it should be done!
    You've got my vote for additional videos. My suggestion is a video to dive into more detail of the transparent filtering bridge in operation, such as: what does a client see when packets are rejected due to geo-IP or virus detection, etc., how to set up log monitors and notifications, backing up the configuration and any other operational suggestions.

  • @BaldrsFate
    @BaldrsFate A month ago +2

    Thanks Dave, we need more fun and exciting cyber security videos and other ways of protecting us and our families online

  • @TechTusiast
    @TechTusiast A month ago +5

    Great content.
    1) As a slightly paranoid person, the option to have a separate LAN interface as the only access to control OPNSense would be interesting.
    2) A deeper dive into settings would be great.
    3) Perhaps a word about using "privacy VPNs" with this setup (to my understanding this would prevent it from functioning as intended) and the same question about HTTPS and other "secure" protocols - can this setup scan/check that type of content?

    • @nataliegrn17
      @nataliegrn17 10 days ago

      #3 correct, this can't understand encrypted traffic. The benefits this device offers are things like blocking countries.

  • @stephanszarafinski9001
    @stephanszarafinski9001 A month ago +3

    Interesting video, nice to watch as well. I would 100% use a dedicated management interface (on a 3rd interface). That way you don't pollute your WAN traffic with local management traffic. You also don't have the risk of making the box unmanageable. Anyway, transparent bridges are cool ❤ I first used one 22 years ago, on Red Hat Linux with iptables. Bridging was just new in the kernel, exciting times 😂

  • @charmanr
    @charmanr A month ago +2

    Thank you, Dave! I appreciate your simple to follow videos. :)

  • @wallacegrommet9343
    @wallacegrommet9343 21 days ago

    Love the money shot of the heat sink in slow rotation.

  • @robertsandy3794
    @robertsandy3794 A month ago +3

    Hi Dave,
    Definitely would like to hear more from you about OPNSense. It's something that I've been thinking of putting on my network. Hello from Australia!

  • @JimDumser
    @JimDumser A month ago +5

    If we're talking ISP all-in-one device (modem, router, switch, and possibly wifi) but connect the transparent bridge downstream of the ISP device, then you're losing the switch and wifi functionality (or the IDS/IPS/AV capability on those other interfaces). You'd want to put the bridge between the modem and the router (like you did with your DMP), but that isn't possible with ISP provided all-in-one devices.

  • @hotflashfoto
    @hotflashfoto A month ago +1

    Already a subscriber, and I really liked what you're puttin' down in this video, sir!

  • @jordancobb509
    @jordancobb509 A month ago +2

    This is probably one of the best pfSense videos out there. Thanks Dave!

  • @hallkbrdz
    @hallkbrdz A month ago +3

    Thanks for this, quite interested in doing this. The $109 PC (with case, 8GB RAM, 128GB SSD) should be fine for Starlink I would think.

  • @JohnG225
    @JohnG225 A month ago +4

    Great video. Would be interesting to see it in action, e.g. examples of some of the IDS/IPS logs and some of the 'nasties' it's blocking.

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus A month ago +1

      I'd like to know how many IDS rules it has and when all that security gets updated and by whom. As for ClamAV, no thanks. Each PC has a better handle on that.
      I'd like to see him purposefully go to many bad places to see its effectiveness.

  • @circleofowls
    @circleofowls 20 days ago

    Please do more OPNSense stuff. I already had a box set up between my modem and switch using an old Dell Optiplex Micro but I hadn't been aware of the ClamAV service; now that I am and have it set up, I'm wondering what else I've missed in there. Fantastic video!