OPNSense: Protect Your Home LAN With a Transparent Filtering Bridge with Step by Step Instructions

Introduction

This tutorial provides a comprehensive guide to setting up OPNSense as a transparent filtering bridge for your home network. By following these steps, you can enhance your network security without making significant changes to your existing setup. This guide is particularly useful for defending against cyber threats using Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and antivirus solutions.

Step 1: Gather Your Hardware and Software

• Hardware Requirements:
  • A mini PC or a device with at least two network ports (e.g., Intel i3 or i5).
  • An SSD for installing OPNSense.
• Software Requirements:
  • Download the OPNSense installation image from OPNSense Downloads.
  • Use tools like Rufus (Windows) or Balena Etcher (Mac) to create a bootable USB stick with the OPNSense image.

Step 2: Install OPNSense

1. Boot the mini PC from the USB installation stick.
2. When prompted, log in with:
   • Username: installer
   • Password: opnsense
3. Follow these installation steps:
   • Accept the default keymap.
   • Select the UFS file system for installation.
   • Choose your SSD and set a swap size of 8 GB.
   • Confirm formatting the drive.
   • Set a root password when prompted.
4. Once the installation is complete, reboot the system.

Step 3: Access the OPNSense Web Interface

• After rebooting, note the DHCP IP address shown on the console.
• Open a web browser and enter the IP address to access the OPNSense dashboard.
• Log in using the root username and the password you set during installation.

Step 4: Configure OPNSense as a Transparent Filtering Bridge

1. Disable Outbound NAT Rule Generation:

   • Navigate to Firewall > NAT > Outbound and select "Disable outbound NAT rule generation."

2. Set System Tunables:

   • Go to System > Settings > Tunables.
   • Create the following entries:
     • net.link.bridge.pfil_bridge = 1
     • net.link.bridge.pfil_member = 0

3. Create a Bridge:

   • Go to Interfaces > Other Types > Bridge.
   • Click the plus button to create a new bridge using the WAN and LAN interfaces.

4. Interface Assignment:

   • Navigate to Interfaces > Assignments.
   • Click the plus button to create a new interface assignment for the bridge.
   • Enable IPv4 configuration (set to DHCP) and disable IPv6.

5. Adjust WAN Interface Settings:

   • Go to Interfaces > WAN.
   • Uncheck the options for blocking private and bogon networks.

6. Disable the DHCP Server:

   • Go to Services > DHCPv4 > LAN.
   • Uncheck the "Enable" box to deactivate the DHCP server.

7. Create Pass All Rules:

   • For each interface (WAN, LAN, and bridge), add a firewall rule:
     • Set the action to "Pass" and provide a descriptive name (e.g., "Pass All").

8. Disable Anti-Lockout Rule:

   • Under Firewall settings > Advanced, ensure the anti-lockout rule is disabled.

9. Remove IP Addresses from Interfaces:

   • Go to Interfaces > LAN and Interfaces > WAN.
   • Set the IP type to "None" for both interfaces.

Step 5: Enable IDS and IPS

1. Navigate to Services > Intrusion Detection > Administration.
2. Enable the Intrusion Detection System and, if your hardware supports it, also enable IPS mode.
3. Wait for Suricata to start running, indicating that your protections are active.

Step 6: Install ClamAV for Antivirus Protection

1. Go to System > Firmware > Plugins.
2. Search for the ClamAV plugin and click the plus button to install.
3. After installation, enable the ClamAV service under Services > ClamAV Configuration.
4. Update signatures, which may take some time.

Conclusion

By completing these steps, you have successfully configured OPNSense as a transparent filtering bridge to enhance your home network's security. You can further customize firewall rules and explore additional OPNSense features as needed. For more advanced configurations or features, consider diving deeper into OPNSense's capabilities. Stay proactive about your network security and keep your systems updated for ongoing protection.