Basic configuration of the OPNsense v.19.1.4 operating system in SIM-Cloud

Important

After installing the virtual OPNsense OS we recommend that you carry out its basic configuration. This will configure the network interfaces, security settings and other factors that will contribute to correct and trouble-free operation of the OS.

• Preliminary actions
• Define the WAN (external) and LAN (internal) interfaces
• Setting up IP addresses on the interfaces
• Final configuration of OPNsense via web interface
• Permitted address pairs

1. Preliminary actions

   To accurately identify the internal and external network interfaces of the created OPNsense instance, define their MAC addresses from the SIM-Cloud side.

   For this, use the instructions available in our documentation

2. Define the WAN (external) and LAN (internal) interfaces

After the first launch of the OPNsense v.19.1.4 instance, go to its console (INSTANCE CONSOLE) and enter its default user name and password (root / opnsense).

Next, use option no. 1 (Assign interfaces) and respond to the following series of questions:

• VLANs will not be used

Do you want to configure VLANs now[y|N]? n

• On the basis of the information previously noted about the MAC addresses, check which interface is in fact the external (should correspond to the network 172.16.0.0/20) and specify it:

Enter the WAN interface name or 'a' for auto-detection: vtnet0

• The other interface remaining can be defined as local:

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished): vtnet1

• In the next step, press ‘Enter’

Enter the Optional interface 1 name or 'a' for for auto-detection
(or nothing if finished):

• Now a window displays the final details. If everything is correct, save the settings:

WAN  -> vtnet0
LAN  -> vtnet1

Do you want to proceed [y|N]? y

3. Setting up IP addresses on the interfaces

After applying the settings from the previous step, a welcome message appears that displays the current interface settings - their IP addresses and means of reception.

For the current example this is:

LAN (vtnet1)       -> v4: 192.168.1.1/24
WAN (vtnet0)       -> v4/DHCP4: 172.16.0.8/20

Here, for the WAN interface the settings are received via the DHCP protocol and match the IP address displayed in the instance configuration information.

For the LAN interface a default IP address is automatically set up, and this needs to be changed.

• To set the IP address for the interface, use option no. 2 (Set interface IP address):

Enter an option: 2

Available interfaces:

1 - LAN (vtnet1 - static, track6)
2 - WAN (vtnet0 - dhcp, dhcp6)

• Enter the number of the LAN interface:

Enter the number of the interface to configure: 1

• Decline to receive the address via DHCP and enter the local address shown on the dashboard and the subnet mask:

Configure IPv4 address LAN interface via DHCP? [y/N] n

Enter the new LAN IPv4 address. Press <enter> for none:
> 192.168.1.12

Subnet masks are entered as bit counts (like CIDR notation).
e.g. 255.255.255.0 = 24
     255.255.0.0   = 16
     255.0.0.0     = 8

Enter the new LAN IPv4 subnet bit count (1 to 31):
> 24

• In the next step, simply press ‘Enter’:

For a WAN, enter the new LAN IPv4 upstream gateway address.
For a LAN, press for none:
>

• Decline IPv6 for the LAN interface:

Configure IPv6 address LAN interface via WAN tracking? [Y/n] n

Configure IPv6 address LAN interface via DHCP6? [y/N] n

Enter the new LAN IPv6 address. Press <ENTER> for none:
> press enter

• Disable the DHCP server on the LAN:

Do you want to enable the DHCP server on LAN? [y/N] n

• Permit access to the web interface by the HTTPS protocol only:

Do you want to revert to HTTP as the web GUI protocol? (y/N) n

• Now it can be seen that the LAN interface has the required IP address:

LAN (vtnet1)       -> v4: 192.168.1.12/24
WAN (vtnet0)       -> v4/DHCP4: 172.16.0.8/20

4. Final configuration of OPNsense via web interface

By default, access to OPNsense is permitted only via a LAN interface. Therefore enter the OPNsense web interface from the instance situated in the local network. In the present case this is the host from 192.168.1.0/24.

• Change of password for user ‘root’

  Go to the ‘System > Access > Users’ section.

  Click the button ‘Edit user’ (with pencil icon) for the ‘root’ user. A window opens with the properties for this user.

  In the ‘Password’ field, enter the new password, confirm it and save changes by clicking the ‘Save’ button at the bottom.

• Give access to the OPNsense web interface from the defined IP

  To do this, go to the ‘Firewall > Rules > WAN’ section and add the rule according to the table:

  Action	Pass
  Interface	WAN
  Address Family	IPv4
  Protocol	TCP
  Source	Single host or Network	Here specify the IP address from which access is required to the OPNsense web interface
  Destination	WAN address
  Destination Port Range	HTTPS	Allow access by https only

  Save the rule by clicking Save and adopt it by clicking ‘Apply changes’.

• By default, access to the web interface via the WAN interface is blocked. Thus after entering the user name and password, an error message appears:

  The HTTP_REFERER "https://<плавающий-IP>/" does not match the predefined settings. You can disable this check if needed under System: Settings: Administration.
  

  To correct this, go to the ‘System > Settings > Administration’ section

  Tick the checkbox beside ‘Disable HTTP_REFERER enforcement check’.

  Save changes by clicking the ‘Save’ button.

5. Permitted address pairs

   It now remains to specify the permitted address pair for the LAN interface from the side of SIM-Cloud.

   This is necessary to allow network traffic to pass from the local network via OPNsense.

   This process is described in detail in our article.