# OPNsense

I was a pfSense guy for years, but OPNsense is pretty rad.

# Configure for GOAD (Game of Active Directory)

I use a Hetzner server for installing GOAD (Game of Active Directory). The key OPNsense config bits that I found necessary to make my OPNsense network (192.168.1.x) able to SSH/RDP/etc. over into the GOAD network were as follows:

# Add GOAD NIC to Proxmox

I added a new virtual NIC (at the Proxmox level) to the OPNsense VM. I used vmbr1000, which was listed in Datacenter > Ludus > Network as a Linux bridge with CIDR 192.0.2.254/24.

# Edit the GOAD interface in OPNsense

In the Interfaces > Assignments menu, I took the new interface, called it GOADNET and then assigned it a static address of 192.0.2.49/24.

# Add new gateway

Under System > Gateways > Configuration I added a new gateway with this info:

  • Name: GOADNET
  • Interface: GOADNET
  • Address family: IPv4
  • Priority: 255
  • IP address: 192.0.2.103 (this is from the ip addr output of the GOAD Debian router)
  • Disable gateway monitoring: checked
  • Description: GOADNET

# Add static route to GOAD network

Under System > Routes > Configuration I created a new route as follows:

  • Network address: 10.3.0.0/16
  • Gateway: [GOADNET-192.0.2.103]
  • Description: ROUTE2GOAD

Then I punched in the necessary iptables rules on the GOAD router (see the "Debian router config" section).
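Once the gateway and static route are in place, this is the check I would run from the OPNsense shell (console menu option 8) to prove the path into GOAD works in both directions. It is an added example, not part of the original notes: the 192.0.2.x and 10.3.0.0/16 addresses are the ones used above, while the LAN address 192.168.1.1 and the test host 10.3.0.1 are assumptions you should swap for a real GOAD host.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check the GOADNET
# gateway and static route from the OPNsense shell (FreeBSD) after the
# GUI steps. The GOAD-side addresses come from the notes above; LAN_ADDR
# and the default TEST_HOST are assumptions.

GOADNET_ADDR="192.0.2.49"          # OPNsense GOADNET interface address
GOADNET_PREFIX=24
GOAD_GW="192.0.2.103"              # GOAD Debian router, next hop for 10.3.0.0/16
GOAD_NET="10.3.0.0/16"
LAN_ADDR="${LAN_ADDR:-192.168.1.1}" # assumed OPNsense LAN address

# ip_to_int 192.0.2.49 -> 3221226033 (dotted quad as an unsigned integer)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIX: succeed when A and B share their first PREFIX bits.
# OPNsense refuses an off-link gateway unless "Far Gateway" is ticked, so this
# is the first thing to rule out if the route never comes up.
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Live checks against the running box; only executed with --live.
check_live() {
    test_host="$1"

    if same_subnet "$GOADNET_ADDR" "$GOAD_GW" "$GOADNET_PREFIX"; then
        echo "ok: gateway $GOAD_GW is on-link for $GOADNET_ADDR/$GOADNET_PREFIX"
    else
        echo "WARN: gateway $GOAD_GW is not inside $GOADNET_ADDR/$GOADNET_PREFIX"
    fi

    # 1. The kernel must resolve hosts in $GOAD_NET via the GOADNET gateway.
    echo "--- route -n get $test_host (expect gateway: $GOAD_GW)"
    route -n get "$test_host"

    # 2. Forward path only: a probe sourced from the GOADNET address is one
    #    the Debian router can always answer without any extra route.
    echo "--- ping sourced from $GOADNET_ADDR (forward path)"
    ping -c 2 -S "$GOADNET_ADDR" "$test_host"

    # 3. Return path: source the probe from the LAN address. If this fails
    #    while step 2 works, GOAD has no way back to 192.168.1.0/24.
    echo "--- ping sourced from $LAN_ADDR (return path)"
    ping -c 2 -S "$LAN_ADDR" "$test_host"
}

if [ "$1" = "--live" ]; then
    shift
    check_live "${1:-10.3.0.1}"   # assumed: any live host inside 10.3.0.0/16
fi
```

Run it as `sh check_goad.sh --live 10.3.0.1`. The two pings separate the failure modes: if the probe sourced from 192.0.2.49 gets answers but the one sourced from the LAN address does not, the OPNsense side is fine and the problem is the return path, because the Debian router has no route for 192.168.1.0/24 and hands those replies to its own default gateway. Either add a route on the Debian box pointing 192.168.1.0/24 back at 192.0.2.49 (plain iproute2: `ip route add 192.168.1.0/24 via 192.0.2.49`) next to the iptables rules, or let OPNsense NAT traffic leaving GOADNET to 192.0.2.49 under Firewall > NAT > Outbound, in which case GOAD only ever sees that one address and needs no return route.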

# Fix DNS rebind attack warnings

If you give your firewall a DNS record such as yourfw.yourdomain.com and then try to log in at https://yourfw.yourdomain.com, the web GUI may refuse with a "Potential DNS Rebind attack detected" warning: it checks the Host header of each request against the hostnames it knows it should answer on, and the new FQDN is not one of them yet. Log in by IP instead, then go to System > Settings > Administration and put the FQDN in the Alternate Hostnames field. Prefer this over ticking "Disable DNS Rebinding Checks" on the same page, which switches the protection off for every hostname rather than allowlisting the one you own.

# Reset root password

I mean, I would never forget my root password, but if you did, follow this article, which has you boot into single-user mode and then run (assuming ZFS):

```sh
/sbin/mount -u /          # remount the root dataset read-write
/sbin/zfs mount -a        # mount the remaining ZFS datasets
opnsense-shell password   # enter new password twice
reboot
```