GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → dmauser → opnazure

dmauser / opnazure

Licence: MIT license
This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootsrtap installation method

Programming Languages

Bicep
55 projects
shell
77523 projects
powershell
5483 projects
python
139335 projects - #7 most used programming language

Labels

azureopnsense-firewall

Projects that are alternatives of or similar to opnazure

pf-azure-sentinel
Parse pfSense/OPNSense logs using Logstash, GeoIP tag entities, add additional context to logs, then send to Azure Sentinel for analysis.
Stars: ✭ 24 (-66.2%)
Mutual labels:  opnsense-firewall

OPNsense Firewall on FreeBSD VM

CI Name Actions Workflow CI Status
BicepBuild bicepBuild.yml bicepBuildCI
Deployment Checker - Active Active deploymentCheker-active-active.yml deploymentChekeractiveactiveactiveCI
Deployment Checker - two nics deploymentCheker-two-nics.yml deploymentChekertwonicsCI
Deployment Checker - single nic deploymentCheker-sing-nic.yml deploymentChekersingnicCI
Deployment Checker - new vnet Active Active deploymentCheker-newvnet-active-active.yml deploymentChekeractivenewvnetactiveactiveCI
Deployment Checker - new vnet two nics deploymentCheker-newvnet-two-nics.yml deploymentChekernewvnettwonicsCI
Deployment Checker - new vnet single nic deploymentCheker-newvnet-sing-nic.yml deploymentChekernewvnetsingnicCI

Deployment Wizard

Deploy To Azure

The template allows you to deploy an OPNsense Firewall VM using the opnsense-bootsrtap installation method. It creates an FreeBSD VM, does a silent install of OPNsense using a modified version of opnsense-bootstrap.sh with the settings provided.

The login credentials are set during the installation process to:

  • Username: root
  • Password: opnsense (lowercase)

*** Please *** Change default password!!! (In case of using Active-Active scenario the password must be changed in both Firewalls and under Highavailability settings)

After deployment, you can go to https://PublicIP, then input the user and password, to configure the OPNsense firewall. In case of Active-Active the URL should be https://PublicIP:50443 for Primary server and https://PublicIP:50444 for Secondary server.

Updates

April-2022

  • Updated FreeBSD 13 and OPNSense 22.1
  • Added support for Floating IPs in External Load Balance Rules to allow Port Forwarding without causing assymetric issues.
  • Enabled session Sync between Firewalls.
  • Add Virtual IP of the External Load Balancer to support Floating Rules.
  • Add support for a Windows Management VM in a management network.
  • Create a new simplified deployment wizard.
  • Bicep template refactory to support the new UI deployment wizard.

Nov-2021

  • Added Active-Active deployment option (using Azure Internal and External Loadbalancer and OPNsense HA settings).
  • Templates are now auto-generated under the folder ARM from a Bicep template using Github Actions.

Overview

This OPNsense solution is installed in FreeBSD 12.0 (Azure Image). Here is what you will see when you deploy this Template:

There are 3 different deployment scenarios:

  • Active-Active:

    1. VNET with Two Subnets and OPNsense VM with two NICs.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. Internal NIC named Trusted Linked to Trusted-Subnet (10.0.1.0/24).
    5. It creates a NSG named OPN-NSG which allows incoming SSH and HTTPS. Same NSG is associated to both Subnets.
    6. Active-Active a Internal and External loadbalancer will be created.
    7. Two OPNsense firewalls will be created.
    8. OPNsense will be configured to allow loadbalancer probe connection.
    9. OPNsense HA settings will be configured to sync rules changed between both Firewalls.
    10. Option to deploy Windows management VM. (This option requires a management subnet to be created)

  • TwoNics:

    1. VNET with Two Subnets and OPNsense VM with two NICs.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. Internal NIC named Trusted Linked to Trusted-Subnet (10.0.1.0/24).
    5. It creates a NSG named OPN-NSG which allows incoming SSH and HTTPS. Same NSG is associated to both Subnets.
    6. Option to deploy Windows management VM. (This option requires a management subnet to be created)

  • SingleNic:

    1. VNET with single Subnet and OPNsense VM with single NIC.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. It creates a NSG named OPN-NSG which allows incoming SSH and HTTPS.
    5. Option to deploy Windows management VM. (This option requires a management subnet to be created)

Design

Design of two Nic deployment Design of Active-Active deployment
opnsense design opnsense design

Deployment

Here are few considerations to deploy this solution correctly:

  • When you deploy this template, it will leave only TCP 22 listening to Internet while OPNsense gets installed.
  • To monitor the installation process during template deployment you can just probe the port 22 on OPNsense VM public IP (psping or tcping).
  • When port is down which means OPNsense is installed and VM will get restarted automatically. At this point you will have only TCP 443.

Note: It takes about 10 min to complete the whole process when VM is created and a new VM CustomScript is started to install OPNsense.

Usage

  • First access can be done using HTTPS://PublicIP. Please ignore SSL/TLS errors and proceed. In case of Active-Active the URL should be https://PublicIP:50443 for Primary server and https://PublicIP:50444 for Secondary server.
  • Your first login is going to be username "root" and password "opnsense" (PLEASE change your password right the way).
  • To access SSH you can either deploy a Jumpbox VM on Trusted Subnet or create a Firewall Rule to allow SSH to Internet.
  • To send traffic to OPNsense you need to create UDR 0.0.0.0 and set IP of trusted NIC IP (10.0.1.4) as next hop. Associate that NVA to Trusted-Subnet.
  • Note: It is necessary to create appropriate Firewall rules inside OPNsense to desired traffic to work properly.

Roadmap

Build custom deployment form

Feedbacks

Please use Github issues tab to provide feedback.

Credits

Thanks for direct feedbacks and contributions from: Adam Torkar, Brian Wurzbacher, Victor Santana and Brady Sondreal.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].