org-roam/20231018115531-protectli.org
2025-11-05 09:18:11 +01:00


Protectli

The Protectli Vault can be used in a number of different applications. For example, the Protectli is deployed as a Windows client, as a roll-your-own Linux desktop, as a hypervisor, and of course as a firewall. Madrigal Industrial Solutions GmbH uses the Protectli to create multiple subnetworks for different users and services. To do that the Protectli is deployed as a firewall, a gateway and a VPN endpoint (WireGuard). OPNsense is used as the software.

Installing

Setup

At initialisation you can log into the Protectli using the credentials root as user and opnsense as password.

Assigning Interfaces

The first interface is the LAN interface. Type the appropriate interface name, for example "em0". The second interface is the WAN interface. Type the appropriate interface name, e.g. "em1". Any additional interfaces can be assigned as OPT interfaces. Once you have assigned all your interfaces you can press [ENTER] and confirm the settings. OPNsense will configure your system and present the login prompt when finished.

Press [1] "Assign Interfaces" to assign interfaces. Follow the instructions from there; don't use laggs and skip the VLAN assignments. You can choose autodetect to configure the LAN and WAN names automatically; before you do that, disconnect all cables from the interfaces. If you set it manually: the WAN interface should be set to igc0, the LAN interface to igc1, and the OPT interfaces to igc2 and igc3.

When the assignment is complete, connect the LAN port to your router.

Assign Interface IP address

Look in your router's network information for the IP address the router wants to give your OPNsense firewall and note it down. Go into your OPNsense installation and choose "Set interface IP address". Choose the WAN interface and select DHCP. Choose yes for IPv4 and IPv6 and stay with HTTPS as the protocol; additionally you can let OPNsense use its own certificate for that.

After you have completed these steps the Protectli shows its DHCP address, on which you can log into the web GUI.

Configuring the web interface

After logging in, create a new user and set a password (Access tab). Go to the "System" tab and select Wizard. Select the time zone of your choice and input the LAN IP your router has given you. After that set the root password.

After that update the system (System>Firmware>Updates). Install the WireGuard plugin from the plugins menu (System>Firmware>Plugins).

If the installation does not work, check the internet connectivity by pinging 8.8.8.8 from the command line of your OPNsense (keyboard and monitor on the hardware unit).

If there is no connection to the internet, try pinging the gateway (192.168.178.1 for a standard Fritzbox). If the ping succeeds, check whether a gateway is present on your LAN interface (GUI). If not, go to System>Gateway>Configuration and add a new gateway: specify a name and set the interface to LAN. Set the IP address of your gateway device (e.g. 192.168.178.1). The network gateway is usually the first address in the IP range.

If you have a stable connection and still can't update because of a broken package system, go to the command line of your Protectli and enter the command:

  opnsense-bootstrap

After the process is done you have to set up a gateway as described above.

VLANs

Create VLAN and VLAN tag

To set up a VLAN go to Interfaces>Other Types>VLAN. Add a VLAN by pressing the plus button. Give the VLAN interface a device name that includes 'vlan0', e.g. vlan0.11. Set the interface device you want to use as the parent device; if you want to set up the LAN interface as the network device, select igc1 (in this example). Set the VLAN tag number you want to use. In the end it does not matter which tag number you choose, as long as you use that same number in your switch or VLAN-capable devices. Usually tag number one is reserved for maintenance in switch devices, so it is smart to set a different number. If you have more than one VLAN it is wise to set a description for the network.

Assign your VLAN to an interface on your Protectli

To do that go to Interfaces>Assignments and set up a new software interface for the hardware device, or use an existing one. We like to create a new interface for every VLAN we create, but you can also choose an existing one. If you created a VLAN beforehand, there is the option to add a new interface with the new VLAN device you created. If you skipped the first step or did not save your configuration properly, that option is missing and there is a note: 'No devices available'. You name your new interface by adding a description to it. Add the description, select the VLAN you want to use for it and click on add. Save the interface assignment. After saving, you have to enable the interface.

Enabling and configuring the interface

If you set the interface up correctly, it will show up in the Interfaces tab. Click on the interface you created. This leads to the basic configuration of your interface. Click on 'Enable interface' to, you guessed it, enable the interface. If your interface is facing the internet, you should block private and bogon networks; just check the corresponding boxes. If you want to set up a private subnetwork, leave those boxes unchecked. If you want to activate DHCP on your private network, select static IPv4 as 'IPv4 configuration type'. This looks counter-intuitive, as you want dynamic IP leases, but this setting just lets you define a static IP range that your DHCP server can choose addresses from. If you select 'DHCP' there, the interface itself just takes any IP lease. After that change the IPv4 address under 'static IPv4 configuration' to the first address in the address range you want to use. So if you want the standard IP range for private networks (for us that is 192.168.178.0) you would set the interface IP to 192.168.178.1 (usually the gateway, see above) and select 24 instead of 32 as the netmask prefix length (32 being the full length of an IPv4 address). After that click on save.

Enabling DHCP service

To do that click on Services>ISC DHCPv4. Select the interface where you want the DHCP service enabled and check the box. If you enabled DHCP you need to set the range from which IP addresses can be leased out to client machines. The available range shown above denotes how many addresses are available in the corresponding subnet; the subnet and the subnet mask are also shown above. Excluding the first entry you can choose 255 addresses out of your subnet, as denoted by your subnet mask entry (2-254, so the first and the last entry of your 255 addresses are reserved). For example you can offer a range of 11 available IPs by setting the range to 192.168.178.20 - 192.168.178.30. That means that 11 IPs are ready to be leased out, so 11 clients can be present in the VLAN. You can set up an additional pool of IPs or use fixed IPs for special clients via static ARP entries and their MAC address. If you are finished with the configuration click on save and apply the changes.
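An added example, not part of the original note, that checks a DHCP pool the way the paragraph describes: it computes the lease count for the 192.168.178.20 - 192.168.178.30 range and flags a pool that overlaps the gateway address or falls outside the subnet (for instance when the netmask was left at 32 instead of 24). The interface values are constructed from the numbers in the note.

```python
import ipaddress

# Constructed values matching the note: a /24 private network with the
# firewall (gateway) on 192.168.178.1 and a DHCP pool of .20 to .30.
INTERFACE_IP = "192.168.178.1"
PREFIX_LEN = 24
POOL_START = "192.168.178.20"
POOL_END = "192.168.178.30"


def check_dhcp_pool(interface_ip, prefix_len, pool_start, pool_end):
    """Validate a DHCPv4 pool against the interface's static IPv4 setting.

    Returns the subnet, the number of usable host addresses in it, the
    number of leases the pool can hand out and a list of problems found
    (empty when the pool is safe to apply).
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{prefix_len}")
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} lies outside {net}")
    # Never lease the network address, the broadcast address or the
    # firewall's own address, which the clients use as their gateway.
    reserved = {net.network_address, net.broadcast_address, iface.ip}
    for addr in sorted(reserved):
        if start <= addr <= end:
            problems.append(f"pool contains reserved address {addr}")
    leases = int(end) - int(start) + 1 if start <= end else 0
    usable = max(net.num_addresses - 3, 0)  # minus network, broadcast, gateway
    return {"subnet": str(net), "usable_hosts": usable,
            "leases": leases, "problems": problems}


if __name__ == "__main__":
    print(check_dhcp_pool(INTERFACE_IP, PREFIX_LEN, POOL_START, POOL_END))
    # A /32 netmask, the mistake warned about above, puts the pool outside.
    print(check_dhcp_pool(INTERFACE_IP, 32, POOL_START, POOL_END)["problems"])
```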

Watching the lease

Connect a PC to the hardware interface to test the DHCP. In Services>ISC DHCPv4>Leases you see the PC with its MAC address and the leased IP. Here you can make the IP fixed for the connected PC or delete the DHCP lease. Important: you can configure the length of a DHCP lease. In the standard configuration a DHCP lease does not run out, and a lease from another router might not either. As long as the connected PC still holds a saved IP address it might not let go of it. So if your PC was connected to another router beforehand it might not contact your DHCP server for a new lease immediately. Either you wait for that to happen or you restart the connected PC; after that it should get a new lease.

Configuring the firewall

Route IN: Source (here) > This interface > allowance check by this interface > Destination interface > Destination (other). Analogy: the mother allows a child to go to an open park.

Route OUT: Destination (here) <-x check by this interface for block < This interface < Source interface < Source (other). Analogy: your mother allows you to come to my house to play, but my mother does not approve of you coming over.
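The rule direction described above, as an added example that is not part of the original note: a simplified Python model in which a new connection is checked only by the rules of the interface it enters, and reply packets pass because of the recorded state. The interface names, networks and rules are assumptions for illustration and the model is not a description of how OPNsense is implemented internally.

```python
from ipaddress import ip_address, ip_network

# Assumed interface layout for illustration: the LAN from the note and a
# guest VLAN; both names and networks are constructed, not from the note.
NETWORKS = {"lan": "192.168.178.0/24", "vlan11": "192.168.11.0/24"}

# Rules per interface, applied to traffic ENTERING that interface,
# first match wins. LAN may reach anything; the guest VLAN may reach
# anything except the LAN.
RULES = {
    "lan": [("pass", "0.0.0.0/0")],
    "vlan11": [("block", "192.168.178.0/24"), ("pass", "0.0.0.0/0")],
}


def ingress_interface(src_ip):
    """The interface a packet from src_ip enters the firewall on."""
    for name, net in NETWORKS.items():
        if ip_address(src_ip) in ip_network(net):
            return name
    return None


class StatefulFirewall:
    def __init__(self):
        self.state = set()  # (src, dst) pairs of accepted connections

    def packet_allowed(self, src_ip, dst_ip):
        """Decide one packet: existing state first, then the rules of the
        interface the packet arrives on. The destination interface's rules
        are never consulted, so a block there cannot stop the replies."""
        if (dst_ip, src_ip) in self.state:  # reply to an accepted flow
            return True
        iface = ingress_interface(src_ip)
        if iface is None:
            return False
        for action, dst_net in RULES[iface]:
            if ip_address(dst_ip) in ip_network(dst_net):
                if action == "pass":
                    self.state.add((src_ip, dst_ip))
                    return True
                return False
        return False  # no rule matched: default deny


def demo():
    fw = StatefulFirewall()
    lan_to_guest = fw.packet_allowed("192.168.178.50", "192.168.11.5")
    guest_reply = fw.packet_allowed("192.168.11.5", "192.168.178.50")
    guest_new = fw.packet_allowed("192.168.11.7", "192.168.178.50")
    return lan_to_guest, guest_reply, guest_new  # (True, True, False)
```

The third value shows the asymmetry the analogy describes: a guest host cannot open a connection into the LAN, yet a LAN host can reach the guest VLAN and receive its replies.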