OPNSense – Zevenet Fusion: Open Source Firewall and Load Balancer Trial Case

Related to my previous posting, I just want to share another lab experience here. This tutorial will show you a basic topology and configuration of OPNSense as a firewall to allow client-server communication. OPNSense is an open source FreeBSD-based firewall and routing platform. It's an enhancement of a previous open source firewall, pfSense. You can find the feature details on their website here.

As usual, I prefer to use a virtual environment (VirtualBox) to install all my appliances. This is the list of appliances installed on my laptop:

  1. OPNSense – You can download the OPNSense OS from this link. This is my virtual machine's specification:
    • HDD: 8 GB
    • RAM: 1 GB
    • Network Interface Card: 1 Host-Only interface for remote management, 1 Internal Network for communicating with other virtual machines.
  2. ZEN load balancer – please refer to my previous post.
  3. Servers – I have two Ubuntu servers that will be running an HTTP server application. Each server has the same specification as listed below:
    • HDD: 3 GB
    • RAM: 512 KB
    • Network Interface Card: 1 NAT interface to connect to the internet (just in case I need to install/update the applications), 1 Host-Only interface for remote management, 1 Internal Network for communicating with other virtual machines.
  4. Client – I use Kali Linux as a client because it has many features and functions that I can use later. This is the specification:
    • HDD: 40 GB
    • RAM: 2 GB
    • Network Interface Card: 1 NAT interface to connect to the internet (just in case I need to install/update the applications), 1 Host-Only interface for remote management, 1 Internal Network for communicating with other virtual machines.

Those are all the requirements to prepare before doing this basic lab test. OK, to make the connection setup among the appliances clear, please refer to this topology:

TOPOLOGY

I have two servers (Miniserver-01 and Miniserver-02) inside an internal network (192.168.56.0/24) that are running an HTTP service using a Python script. The client (Kali Linux) accesses those two HTTP servers from an external network (123.123.123.0/24). The OPNSense role is just a basic firewall that allows HTTP access from the client to the internal virtual IP of the servers (which is handled by the ZEN load balancer); there is no NAT rule in this scenario (I will discuss that in another session). Instead of being installed in inline mode, the ZEN load balancer is installed in promiscuous (single-arm, or one-leg) mode because I want to keep direct access to the servers in case the load balancer is down.

So now, let me show you one by one the configuration that I have done:

OPNSense Firewall

I won't explain how to do the installation and initial setup of the OPNSense firewall, but you can refer to the Reference links below. As an introduction, I will show you the OPNSense dashboard:

It looks nice for an open source application, doesn't it? Then, you can configure the access rules under Firewall -> Rules -> WAN tab. In this case, I just permit two kinds of access from external to internal: HTTP (tcp:12380) and ICMP packets:

By default, OPNSense permits any IPv4/IPv6 access from LAN to any destination.

Permitting HTTP (port:12380) from any network to IP address 192.168.56.99 (the Virtual IP/Floating IP of the ZEN Load Balancer). Make sure all servers, the load balancer, and the client are reachable from or connected to this firewall; you can see the ARP Table in the left menu under Interfaces:

ZEN Load Balancer

Please refer to my previous posting for the detailed ZEN load balancer configuration!

HTTP Server Application

Thanks to Python for providing the SimpleHTTPServer module; if you're using Python 3.x, please use http.server instead. I have created an index.html file on each server, then in the same folder just type the following command in your Ubuntu server console:

Python 2.x

#HTTP Service at Server 1
sysadmin@miniserver-00#python -m SimpleHTTPServer 8080

#HTTP Service at Server 2
sysadmin@miniserver-01#python -m SimpleHTTPServer 8081

Python 3.x

#HTTP Service at Server 1
sysadmin@miniserver-00#python3 -m http.server 8080

#HTTP Service at Server 2
sysadmin@miniserver-01#python3 -m http.server 8081

Ports 8080 and 8081 are the real TCP ports running on the servers; these two TCP ports are mapped to TCP:12380 in the load balancer. This is my screenshot of those two servers:

Let's try to access it from the client side:

Based on the capture above, the client has been pointed to Server-1 automatically by the ZEN load balancer because I configured a lower priority value for Server-00 (meaning traffic is prioritized to Server-00 first). If you refresh your client browser, sometimes it will be pointed to Server-01.
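As an added check that is not part of the original post, the following Python 3 script verifies both points above from the client: that the WAN policy only exposes tcp/12380 on the VIP 192.168.56.99 (any other port on the VIP, such as the backend ports 8080/8081, should be rejected by the firewall), and how the ZEN load balancer spreads repeated requests between Server-00 and Server-01. It assumes each server's index.html contains its hostname (for example "miniserver-00"); the function and variable names are my own.

```python
"""Added example (not from the post): verify the lab's WAN policy and how
the VIP spreads requests. Assumes the post's VIP 192.168.56.99 with only
tcp/12380 permitted, backend ports 8080/8081, and an index.html on each
server that names it (e.g. 'miniserver-00'). Names here are my own."""
import re
import socket
import urllib.request
from collections import Counter

VIP = "192.168.56.99"
ALLOWED_PORT = 12380
# Intended WAN rule set from the post: only tcp/12380 to the VIP passes.
EXPECTED_POLICY = {(VIP, ALLOWED_PORT): True, (VIP, 8080): False, (VIP, 8081): False}

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_policy(expected, probe=tcp_reachable):
    """Return (host, port, intended, observed) for every rule whose observed
    reachability differs from the intended one; an empty list is compliant."""
    mismatches = []
    for (host, port), intended in expected.items():
        observed = probe(host, port)
        if observed != intended:
            mismatches.append((host, port, intended, observed))
    return mismatches

def backend_of(body):
    """Identify the answering server from a 'miniserver-NN' marker in the body."""
    m = re.search(r"miniserver-\d+", body, re.IGNORECASE)
    return m.group(0).lower() if m else "unknown"

def distribution(bodies):
    """Count responses per backend to see how the VIP distributed them."""
    return Counter(backend_of(b) for b in bodies)

def fetch_bodies(url, n=20):
    """Fetch url n times through the firewall and return the response bodies."""
    bodies = []
    for _ in range(n):
        with urllib.request.urlopen(url, timeout=3) as r:
            bodies.append(r.read().decode("utf-8", "replace"))
    return bodies

if __name__ == "__main__":
    print("policy mismatches:", check_policy(EXPECTED_POLICY))
    print("distribution:", distribution(fetch_bodies(f"http://{VIP}:{ALLOWED_PORT}/")))
```

Run it from the Kali client; a non-empty mismatch list means the WAN rules do not match what was intended, and a distribution with only one backend means the load balancer is sending everything to a single server.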

Now you can verify in the OPNSense firewall whether the traffic is flowing by accessing these menus:

N-Top Traffic is flowing through the Firewall

OPNSense Traffic Graph to show interface utilization

CONCLUSION

OPNSense is a good solution for anyone looking for an alternative firewall product. It has an easy-to-use, user-friendly interface for a practical engineer like me. Moreover, it supports most commercial firewall features for FREE! I believe there are a bunch of firewall solutions out there, but this is the one I can recommend at this time.


Reference:

https://linoxide.com/firewall/install-opnsense-virtualbox/
https://www.unixmen.com/install-opnsense-firewall/
https://docs.opnsense.org/intro.html
