Basic configuration of the OPNsense v.19.1.4 operating system in SIM-Cloud
Important
After installing the virtual OPNsense OS we recommend that you carry out its basic configuration. This will configure the network interfaces, security settings and other factors that will contribute to correct and trouble-free operation of the OS.
- Preliminary actions
- Define the WAN (external) and LAN (internal) interfaces
- Setting up IP addresses on the interfaces
- Final configuration of OPNsense via web interface
- Permitted address pairs
Preliminary actions
To accurately identify the internal and external network interfaces of the created OPNsense instance, determine their MAC addresses on the SIM-Cloud side. To do this, use the instructions available in our documentation.
Define the WAN (external) and LAN (internal) interfaces
- VLANs will not be used
Do you want to configure VLANs now[y|N]? n
- Using the MAC addresses noted earlier, check which interface is actually the external one (it should correspond to the network 172.16.0.0/20) and specify it:
Enter the WAN interface name or 'a' for auto-detection: vtnet0
- The remaining interface can be defined as local:
Enter the LAN interface name or 'a' for auto-detection NOTE: this enables full Firewalling/NAT mode. (or nothing if finished): vtnet1
- In the next step, press ‘Enter’
Enter the Optional interface 1 name or 'a' for for auto-detection (or nothing if finished):
- Now a window displays the final details. If everything is correct, save the settings:
WAN -> vtnet0 LAN -> vtnet1 Do you want to proceed [y|N]? y
Setting up IP addresses on the interfaces
LAN (vtnet1) -> v4: 192.168.1.1/24
WAN (vtnet0) -> v4/DHCP4: 172.16.0.8/20
- To set the IP address for the interface, use option no. 2 (Set interface IP address):
Enter an option: 2
Available interfaces:
1 - LAN (vtnet1 - static, track6)
2 - WAN (vtnet0 - dhcp, dhcp6)
- Enter the number of the LAN interface:
Enter the number of the interface to configure: 1
- Decline to receive the address via DHCP and enter the local address shown on the dashboard and the subnet mask:
Configure IPv4 address LAN interface via DHCP? [y/N] n
Enter the new LAN IPv4 address. Press <enter> for none:
> 192.168.1.12
Subnet masks are entered as bit counts (like CIDR notation).
e.g. 255.255.255.0 = 24
255.255.0.0 = 16
255.0.0.0 = 8
Enter the new LAN IPv4 subnet bit count (1 to 31):
> 24
- In the next step, simply press ‘Enter’:
For a WAN, enter the new LAN IPv4 upstream gateway address.
For a LAN, press <ENTER> for none:
>
- Decline IPv6 for the LAN interface:
Configure IPv6 address LAN interface via WAN tracking? [Y/n] n
Configure IPv6 address LAN interface via DHCP6? [y/N] n
Enter the new LAN IPv6 address. Press <ENTER> for none:
> press enter
- Disable the DHCP server on the LAN:
Do you want to enable the DHCP server on LAN? [y/N] n
- Permit access to the web interface by the HTTPS protocol only:
Do you want to revert to HTTP as the web GUI protocol? (y/N) n
- Now it can be seen that the LAN interface has the required IP address:
LAN (vtnet1) -> v4: 192.168.1.12/24
WAN (vtnet0) -> v4/DHCP4: 172.16.0.8/20
Final configuration of OPNsense via web interface
By default, access to OPNsense is permitted only via the LAN interface. Therefore, open the OPNsense web interface from an instance located in the local network. In the present case this is a host in 192.168.1.0/24.
Change of password for user ‘root’
Go to the ‘System > Access > Users’ section. Click the ‘Edit user’ button (with pencil icon) for the ‘root’ user. A window opens with the properties for this user. In the ‘Password’ field, enter the new password, confirm it and save changes by clicking the ‘Save’ button at the bottom.
Give access to the OPNsense web interface from the defined IP
To do this, go to the ‘Firewall > Rules > WAN’ section and add the rule according to the table:
| Parameter | Value | Comment |
|---|---|---|
| Action | Pass | |
| Interface | WAN | |
| Address Family | IPv4 | |
| Protocol | TCP | |
| Source | Single host or Network | Here specify the IP address from which access is required to the OPNsense web interface |
| Destination | WAN address | |
| Destination Port Range | HTTPS | Allow access by https only |

Save the rule by clicking ‘Save’ and apply it by clicking ‘Apply changes’.
By default, access to the web interface via the WAN interface is blocked. Thus after entering the user name and password, an error message appears:
The HTTP_REFERER "https://<floating-IP>/" does not match the predefined settings. You can disable this check if needed under System: Settings: Administration.
To correct this, go to the ‘System > Settings > Administration’ section. Tick the checkbox beside ‘Disable HTTP_REFERER enforcement check’. Save changes by clicking the ‘Save’ button.
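To confirm what the steps above actually left in place, the settings can be read back from an exported config.xml. This is an added example, not part of the SIM-Cloud or OPNsense documentation; the XML element names, the `audit` function and the sample document are assumptions modeled on a config.xml export and should be checked against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow an ASSUMED config.xml layout;
# 203.0.113.10 is a documentation address standing in for the admin host.
SAMPLE = """<opnsense>
  <system><webgui><protocol>https</protocol>
    <nohttpreferercheck>1</nohttpreferercheck></webgui></system>
  <dhcpd><lan></lan></dhcpd>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><address>203.0.113.10</address></source>
      <destination><network>wanip</network><port>443</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>wanip</network><port>443</port></destination></rule>
  </filter>
</opnsense>"""

def audit(xml_text, gui_port="443"):
    """Report the state of the settings this guide configures."""
    root = ET.fromstring(xml_text)
    sources = []
    for rule in root.findall("filter/rule"):
        # Only enabled pass rules on WAN that reach the web GUI port matter.
        if (rule.findtext("type") != "pass"
                or rule.findtext("interface") != "wan"
                or rule.find("disabled") is not None
                or rule.findtext("destination/port") != gui_port):
            continue
        if rule.find("source/any") is not None:
            sources.append("any")
        else:
            sources.append(rule.findtext("source/address", "unknown"))
    return {
        "https_only": root.findtext("system/webgui/protocol", "") == "https",
        "referer_check_disabled":
            root.find("system/webgui/nohttpreferercheck") is not None,
        "lan_dhcp_enabled": root.find("dhcpd/lan/enable") is not None,
        "wan_gui_sources": sources,
        "gui_open_to_any": "any" in sources,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

In the constructed sample the second WAN rule admits any source to the GUI port, which is the case the rule table above avoids by naming a specific source address.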
Permitted address pairs
It now remains to specify the permitted address pair for the LAN interface on the SIM-Cloud side. This is necessary to allow network traffic to pass from the local network via OPNsense. This process is described in detail in our article.