
Installing OPNsense on Astaro/Sophos UTM SG210

This page is in DRAFT and is just formative note-taking at the moment; it will, however, contain the full breakdown of how to get an Astaro/Sophos SG210 to run OPNsense with comparable features and a much lower running cost.

Since the SG210 has an MTBF of about 12 years, it makes sense to extend its lifetime beyond what Sophos allows. This post is also intended as an option for anyone looking to go the “cheaper” route without compromising on the quality of security.

Setting up the SG210 front panel LCD:

https://forum.opnsense.org/index.php?topic=9781.0

Referenced paths:
/usr/local/etc/LCDd-sdeclcd.conf

The review so far

  1. OPNsense
    • https://opnsense.org/
    • https://opnsense.org/about/features/
  2. Generally, this guy has a great site:
    • https://ls111.me/
  3. Features:
    • Firewall rules
    • DHCP/DNS
    • NTP
    • IPS
    • HTTP proxy
    • OpenVPN
    • IPsec VPN
    • Active Directory single sign-on
    • Web application firewall (plugin)
  4. Missing:
    • SMTP proxy
      • Intend to use Proxmox for this
  5. Plugins on GitHub:
    • https://github.com/opnsense/plugins
  6. Pricing:
    • Offered at $175 for 1 year or $420 for 3 years
  7. How to install on VMware:
    • https://protectli.com/kb/how-to-install-opnsense-in-esxi7-0-on-the-vault/
  8. Zenarmor add-on
    Cloud-based central management console and some extra add-ons for OPNsense
    • https://www.sunnyvalley.io/free-edition-plan
      • Home version offered at $10/month
  9. CrowdSec add-on
    • Install the plugin, create an account, add the firewall instance via SSH, and subscribe to some block lists with a ban/captcha action.
  10. ET Pro Telemetry rules
    • ! Need to sign up (free) to get a token
    • Then put the token in IDS > download > te_telemetry.token
      • https://youtu.be/_yIq3GM4gjA
    • Need to create rules:
      • ! TBD – investigate
  11. DNS – use Unbound DNS with DNS-over-TLS servers from quad9.com
    • Note: if you are using more than one WAN with load-balancing/failover, you need to set up DNS for each interface
  12. IPsec
    • Working on the defaults plus:
    • Access rules:
      • For traffic from inside (behind the firewall) > OUT
        • Already covered by the automatic “LAN to anywhere” rule (might want to restrict that)
      • For traffic coming from outside (from the opposite firewall) > IN
        • At least 2 rules need to be made on the IPsec interface to allow all traffic to the WAN address and the LAN networks
    • Note:
      • If it loses the route, restart the service
      • ! Investigate setting up a “monit” action to ping the other firewalls and restart the service if needed
  13. ClamAV setup
    • Need to enable all the extra signatures:
      • Add Malware Expert Signatures
      • Add BLURL Signatures
      • Add JURLBLA Signatures
      • Add BOFHLand Signatures
  14. DynDNS
    • ddclient works; need to set the interval to 900
    • No display on the screen/GUI for the status; need to enable verbose logging to see SUCCESS
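Since the only sign of a working ddclient update is the SUCCESS line in the verbose log, here is an added example (not from these notes) that scans ddclient log text and reports the latest status per hostname. The sample lines are constructed in the shape ddclient logs through syslog; the hostnames and addresses are placeholders.

```python
import re

# Constructed sample (not captured from a real firewall) in the shape of ddclient's verbose syslog output.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw ddclient[1234]: SUCCESS:  updating fw.example.net: good: IP address set to 203.0.113.7
Mar  3 10:15:01 fw ddclient[1234]: FAILED:   updating fw.example.net: badauth: Invalid username or password
Mar  3 10:30:01 fw ddclient[1234]: SUCCESS:  updating fw.example.net: nochg: IP address already set to 203.0.113.7
Mar  3 10:30:01 fw ddclient[1234]: FAILED:   updating vpn.example.net: notfqdn: hostname not fully qualified
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+ddclient\[\d+\]:\s+"
    r"(?P<status>SUCCESS|FAILED):\s+updating\s+(?P<host>\S+):\s+(?P<detail>.*)$"
)


def summarize(log_text: str) -> dict:
    """Latest status, detail and timestamp per host, plus how many failures were seen.
    Lines are assumed to be in chronological order, as they are in a log file."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated daemon or non-update chatter
        entry = hosts.setdefault(m["host"], {"status": None, "detail": None, "ts": None, "failures": 0})
        entry.update(status=m["status"], detail=m["detail"], ts=m["ts"])
        if m["status"] == "FAILED":
            entry["failures"] += 1
    return hosts


def hosts_in_trouble(summary: dict) -> list:
    """Hosts whose most recent attempt failed: these are the entries to fix in the ddclient config."""
    return sorted(h for h, e in summary.items() if e["status"] == "FAILED")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, e in s.items():
        print(f"{host}: {e['status']} at {e['ts']} ({e['detail']}); failures so far: {e['failures']}")
    print("needs attention:", hosts_in_trouble(s))
```

Feed it the exported log from the GUI or the log file on the box; a host that shows up in `hosts_in_trouble` after the 900-second interval has passed is one whose credentials or hostname setting needs a look.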
  15. Unbound DNS
    • Decide if you want secure or regular DNS resolution
      • If you want standard DNS > set the DNS server settings for each gateway > System > Settings > General
        • Use Quad9, all entries on port 53:
          • 9.9.9.9
          • 149.112.112.112
          • 2620:fe::fe
          • 2620:fe::9
      • If you want secure DNS > use Unbound DNS > DNS over TLS
        • Use Quad9, all entries on port 853, hostname dns.quad9.net:
          • 9.9.9.9
          • 149.112.112.112
          • 2620:fe::fe
          • 2620:fe::9
    • Set the block lists ON, and enable the default one
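To show what the "secure DNS" option in items 11 and 15 actually does on the wire, here is an added example (not from these notes or from Unbound): a minimal Python resolver that sends one A query to Quad9 over TLS on port 853. The hostname dns.quad9.net is what the server certificate is checked against, which is why it has to be set next to the IP addresses. `build_query` and `parse_a_records` work offline against a constructed response; `resolve_over_tls` needs network access. The example.com answer of 203.0.113.10 in the sample is made up.

```python
import socket
import ssl
import struct

QUAD9_V4 = ["9.9.9.9", "149.112.112.112"]   # from the notes above; TLS name for all of them: dns.quad9.net


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A/IN query in wire format, prefixed with the 2-byte length used over TCP and TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # flags: RD set; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, pos: int) -> int:
    """Offset just past a (possibly compressed) domain name starting at pos."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes and nothing follows it
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(msg: bytes, expected_txid: int = 0x1234) -> list:
    """IPv4 addresses from the answer section of a response (length prefix already stripped)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server_ip: str = "9.9.9.9",
                     server_name: str = "dns.quad9.net", port: int = 853) -> list:
    """One query over TLS. create_default_context() validates the chain and that the
    certificate matches server_name, so a wrong or missing hostname fails the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


# Constructed response (not captured from Quad9): example.com -> 203.0.113.10, TTL 300, name compressed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))   # offline: ['203.0.113.10']
    print(resolve_over_tls("example.com"))    # needs network access
```

Pointing `resolve_over_tls` at one of the Quad9 addresses with the wrong `server_name` is a quick way to confirm that the certificate check is in force before you rely on the same setting in Unbound.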
  16. NGINX – web application firewall
    • Very finicky, and needs to stay close to the default setup
    • Needs to have port forwarding set up to itself!
  17. Maltrail
    A very 80s-like interface for monitoring possibly malicious traffic
    • Used for monitoring only
    • Set up as per the default system and create additional firewall rules:
      • Check – Add Blocklist Alias
      • Create a block rule on WAN from source BlocklistMaltrail to any port / any destination
    • Set the SHA-256 password via:
      • https://emn178.github.io/online-tools/sha256.html
      • Default:
        • 9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc
      • Set it to something “easy” such as user: admin, password: admin
        • 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
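The same SHA-256 value can be produced locally instead of pasting the password into a web tool; this is an added example, not part of the notes or of Maltrail. The layout of the USERS entry (username:sha256(password):UID:netmask) is assumed from Maltrail's configuration file comments, so check it against your own maltrail.conf.

```python
import getpass
import hashlib
import hmac


def maltrail_password_hash(password: str) -> str:
    """Maltrail stores sha256(password) as lowercase hex; computing it here keeps the
    password off third-party web pages."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def maltrail_users_entry(username: str, password: str, uid: int = 0, netmask: str = "") -> str:
    """One USERS line for maltrail.conf (assumed layout: username:sha256(password):UID:filter_netmask)."""
    return f"{username}:{maltrail_password_hash(password)}:{uid}:{netmask}"


def hash_matches(password: str, stored_hex: str) -> bool:
    """Check a candidate password against a hash already in the config, e.g. to confirm
    which password a given USERS line was generated from. Constant-time comparison."""
    return hmac.compare_digest(maltrail_password_hash(password), stored_hex.lower())


if __name__ == "__main__":
    pw = getpass.getpass("Maltrail password: ")   # not echoed, not left in shell history
    print(maltrail_users_entry("admin", pw))
```

The "admin" example from the notes reproduces the hash listed above it, which is a quick way to verify the function before trusting it with a real password.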
  18. Web proxy
    • ! Sign up with Zenarmor
    • Set up with AD SSO and group management
    • https://www.youtube.com/watch?v=o67NaMbjwaE
    • ! Looking for an alternative solution that offers “profiles” that can be linked to AD groups and has single sign-on
      • Endian Firewall looks promising for multiple profiles and AD integration, plus it has a mail proxy to explore
  19. Postfix
    • ! TBD – likely will not use this; will use Proxmox or Endian instead
  20. Remote access:
    • ! Plan on using Cloudflare ZeroTier with Azure AD.
  21. Tor
    A very nice add-on (hopefully) that will enable all your traffic to be sent over the Tor network and thereby anonymized
    • ! TBD