OPNsense: Advanced Enterprise Firewall Configuration
OPNsense is an enterprise-grade open source firewall based on FreeBSD. This guide covers everything from installation to advanced security configuration.
Installation and Initial Configuration
System Requirements
# Recommended specifications for OPNsense
# Minimum hardware:
- CPU: 64-bit x86 (AMD64)
- RAM: 1 GB (minimum), 4 GB (recommended)
- Storage: 8 GB (minimum), 40 GB (recommended)
- Network interfaces: at least 2 (WAN/LAN)
# For enterprise environments:
- CPU: Multi-core 2.0+ GHz
- RAM: 8-16 GB
- Storage: 120 GB SSD
- Interfaces: 4+ Gigabit Ethernet ports
Network Interface Configuration
# Initial configuration via the console
# 1) Assign interfaces
WAN -> em0 (Internet connection)
LAN -> em1 (internal network)
DMZ -> em2 (demilitarized zone)
MGMT -> em3 (administrative management)
# 2) Set interface IP address
LAN: 192.168.1.1/24
DMZ: 192.168.100.1/24
MGMT: 10.0.0.1/24
# 3) Reset webConfigurator password
Username: root
Password: [nueva_contraseña_segura]
Firewall Rules Configuration
Basic LAN Rules
# Interfaces > LAN > Rules
# Allow access to internal services
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source: LAN net
Destination: LAN net
Ports: 80, 443, 22, 53
# Allow Internet access
Action: Pass
Interface: LAN
Protocol: Any
Source: LAN net
Destination: Any
Description: "Permitir navegación web"
# Block access to external private networks (place this rule above the pass-any rule: OPNsense evaluates rules top-down and the first match wins)
Action: Block
Interface: LAN
Protocol: Any
Source: LAN net
Destination: RFC1918 networks
Description: "Bloquear acceso a otras redes RFC1918"
DMZ Rules (Demilitarized Zone)
# Interfaces > DMZ > Rules
# Allow HTTP/HTTPS traffic from the Internet
Action: Pass
Interface: DMZ
Protocol: TCP
Source: Any
Destination: DMZ net
Ports: 80, 443
Description: "Servicios web públicos"
# Allow DNS queries
Action: Pass
Interface: DMZ
Protocol: UDP
Source: DMZ net
Destination: Any
Port: 53
Description: "Consultas DNS"
# Block access to LAN (place this rule above any DMZ pass rule whose destination is Any; the first match wins)
Action: Block
Interface: DMZ
Protocol: Any
Source: DMZ net
Destination: LAN net
Description: "Bloquear acceso DMZ a LAN"
NAT and Port Forwarding
Port Forwarding Configuration
# Firewall > NAT > Port Forward
# Web server in the DMZ
Interface: WAN
Protocol: TCP
Destination: WAN address
Destination port range: 80 to 80
Redirect target IP: 192.168.100.10
Redirect target port: 80
Description: "Web Server DMZ"
# SSH server (non-standard external port)
Interface: WAN
Protocol: TCP
Destination: WAN address
Destination port range: 2222 to 2222
Redirect target IP: 192.168.1.100
Redirect target port: 22
Description: "SSH Management Server"
# Mail server (SMTP/IMAP)
Interface: WAN
Protocol: TCP
Destination: WAN address
Destination port range: 25,587,993,995
Redirect target IP: 192.168.100.20
Redirect target port: 25,587,993,995
Description: "Mail Server Services"
Outbound NAT Configuration
# Firewall > NAT > Outbound > Manual
# NAT for the LAN network
Interface: WAN
Source: 192.168.1.0/24
Translation: Interface address
Description: "LAN to Internet"
# NAT for the DMZ with a fixed public IP
Interface: WAN
Source: 192.168.100.0/24
Translation: [IP_publica_especifica]
Description: "DMZ to Internet with fixed IP"
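The rule and port-forward policy above can be checked offline against a config.xml backup. The following audit script is an added example, not part of the original guide or of OPNsense; the config.xml element layout it parses and the sample document it embeds are assumptions (DMZ on opt1, LAN net 192.168.1.0/24), and it flags undocumented pass rules, a DMZ pass-any rule ordered above the DMZ->LAN block, a missing DMZ->LAN block, and WAN port forwards that land on LAN hosts.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OPNsense config.xml backup (assumed element
# layout: opnsense/filter/rule and opnsense/nat/rule; the DMZ interface is opt1).
SAMPLE_CONFIG = """<opnsense><filter>
<rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
 <destination><any/></destination><descr>Permitir navegación web</descr></rule>
<rule><type>block</type><interface>opt1</interface><source><network>opt1</network></source>
 <destination><network>lan</network></destination><descr>Bloquear acceso DMZ a LAN</descr></rule>
<rule><type>pass</type><interface>opt1</interface><source><any/></source>
 <destination><any/></destination><descr/></rule>
</filter><nat>
<rule><interface>wan</interface><protocol>tcp</protocol><destination><port>2222</port></destination>
 <target>192.168.1.100</target><local-port>22</local-port><descr>SSH Management Server</descr></rule>
</nat></opnsense>"""

def _endpoint(rule, side):
    """Return 'any' or the network name of a rule's <source>/<destination>."""
    el = rule.find(side)
    if el is None or el.find("any") is not None:
        return "any"
    return el.findtext("network") or el.findtext("address") or "any"

def audit_config(xml_text, dmz_if="opt1", lan_net="192.168.1.0/24"):
    """Check a config.xml against the segmentation policy; return a list of findings."""
    root = ET.fromstring(xml_text)
    findings, dmz_block_seen = [], False
    for i, rule in enumerate(root.iterfind("filter/rule"), 1):
        action, iface = rule.findtext("type"), rule.findtext("interface")
        src, dst = _endpoint(rule, "source"), _endpoint(rule, "destination")
        if action == "pass" and not (rule.findtext("descr") or "").strip():
            findings.append(f"filter rule {i}: pass rule without description")
        if iface == dmz_if and action == "block" and src == dmz_if and dst == "lan":
            dmz_block_seen = True
        # OPNsense rules are 'quick' (first match wins), so a DMZ pass-any rule
        # placed above the DMZ->LAN block makes that block dead.
        if iface == dmz_if and action == "pass" and dst == "any" and not dmz_block_seen:
            findings.append(f"filter rule {i}: DMZ pass-any rule is above the DMZ->LAN block")
    if not dmz_block_seen:
        findings.append("no DMZ->LAN block rule found")
    lan = ipaddress.ip_network(lan_net)
    for i, rule in enumerate(root.iterfind("nat/rule"), 1):
        target = rule.findtext("target")
        if target and ipaddress.ip_address(target) in lan:
            port = rule.findtext("local-port")
            findings.append(f"port forward {i}: WAN exposes LAN host {target}:{port}")
    return findings
```

Run it against `/conf/config.xml` or any of the backups in `/conf/backup/`; an empty list means the policy checks passed.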
VPN Configuration
OpenVPN Server Setup
# VPN > OpenVPN > Servers
# Server configuration
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Local Port: 1194
TLS Configuration:
- Peer Certificate Authority: [CA_certificate]
- Server Certificate: [server_certificate]
- DH Parameter: 2048 bit
- Encryption Algorithm: AES-256-GCM
- Auth Digest Algorithm: SHA256
# Network settings
IPv4 Tunnel Network: 10.8.0.0/24
IPv4 Local Network: 192.168.1.0/24
IPv4 Remote Network: [client_networks]
# Advanced options
Compression: Adaptive LZO
Topology: Subnet
IPsec Site-to-Site VPN
# VPN > IPsec > Connections
# Phase 1 (IKE)
Connection method: Default
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Remote gateway: [remote_public_ip]
Authentication method: Mutual PSK
Pre-Shared Key: [secure_psk]
Encryption Algorithm: AES 256
Hash Algorithm: SHA256
DH key group: 14 (2048 bit)
# Phase 2 (IPsec)
Mode: Tunnel IPv4
Local Network: 192.168.1.0/24
Remote Network: 192.168.10.0/24
Protocol: ESP
Encryption algorithms: AES 256
Hash algorithms: SHA256
PFS key group: 14 (2048 bit)
Intrusion Detection System (IDS)
Suricata Configuration
# Services > Intrusion Detection > Administration
# General Settings
Enabled: ✓
Interfaces: WAN, DMZ
Pattern matcher: Hyperscan
Promiscuous mode: ✓
# Detection/Prevention
IPS mode: ✓ (Intrusion Prevention)
Enable syslog alerts: ✓
Enable eve syslog output: ✓
# Rules Configuration
Rulesets to download:
- ET Open ruleset
- Snort VRT ruleset (licensed)
- Abuse.ch ruleset
# Custom rules
/usr/local/etc/suricata/rules/custom.rules:
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; \
flow:to_server,established; content:"SSH-"; detection_filter: \
track by_src, count 5, seconds 60; sid:1000001; rev:1;)
Fail2Ban Integration
# System > Access > Fail2Ban
# SSH Protection
Enabled: ✓
Max retry: 3
Find time: 600
Ban time: 3600
Action: pf
# Web GUI Protection
Jail: nginx-http-auth
Enabled: ✓
Max retry: 5
Find time: 600
Ban time: 1800
# Custom filter for OPNsense
Filter: opnsense-auth
Log path: /var/log/system.log
Fail regex: authentication error.*from <HOST>
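The Suricata `detection_filter` (count 5 in 60 seconds, tracked by source) and the Fail2Ban jail (max retry 3 within find time 600, ban time 3600) are the same sliding-window threshold. The following model is an added example, not code from the guide, OPNsense, Suricata or Fail2Ban; it assumes the threshold fires on the Nth match, replaces Fail2Ban's `<HOST>` tag with a simplified IPv4 capture group, and runs over constructed log lines.

```python
import re
from collections import deque

# The Fail2Ban filter from the section above; Fail2Ban substitutes <HOST> with its own
# host pattern, simplified here (assumption) to an IPv4 capture group.
FAILREGEX = "authentication error.*from <HOST>"
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# Constructed log lines (not real OPNsense output): (seconds, line)
SAMPLE_LOG = [(t, f"webgui: authentication error for user root from {ip}")
              for t, ip in [(0, "198.51.100.7"), (5, "198.51.100.7"), (9, "203.0.113.9"),
                            (40, "198.51.100.7"), (700, "198.51.100.7")]]

class ThresholdTracker:
    """Per-source sliding window: 'count matches within window seconds'. Models
    Fail2Ban maxretry/findtime/bantime and, with ban_time=None, a Suricata
    detection_filter, which keeps alerting on later matches instead of banning."""

    def __init__(self, count, window, ban_time=None):
        self.count, self.window, self.ban_time = count, window, ban_time
        self.events = {}   # src -> timestamps still inside the window
        self.banned = {}   # src -> time at which the ban expires

    def is_banned(self, src, now):
        return src in self.banned and now < self.banned[src]

    def hit(self, src, now):
        """Record one match at time now; True when the threshold is reached."""
        if self.is_banned(src, now):
            return False
        q = self.events.setdefault(src, deque())
        q.append(now)
        while now - q[0] > self.window:      # expire matches older than the window
            q.popleft()
        if len(q) < self.count:
            return False
        if self.ban_time is not None:        # Fail2Ban: ban and reset the counter
            self.banned[src] = now + self.ban_time
            q.clear()
        return True

def run_fail2ban(lines, max_retry=3, find_time=600, ban_time=3600):
    """Run log lines through the filter and jail settings; return bans as (src, time)."""
    jail, bans = ThresholdTracker(max_retry, find_time, ban_time), []
    for ts, line in lines:
        m = HOST_RE.search(line)
        if m and jail.hit(m.group("host"), ts):
            bans.append((m.group("host"), ts))
    return bans
```

With the sample lines, 198.51.100.7 is banned at its third failure (t=40) and its later attempt at t=700 is ignored while the ban lasts.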
High Availability (HA)
CARP Configuration
# System > High Availability > Settings
# Synchronize Config to IP: [secondary_firewall_ip]
# Remote System Username: admin
# Remote System Password: [password]
# Synchronize the following:
- ✓ Firewall Rules
- ✓ NAT
- ✓ Schedules
- ✓ Aliases
- ✓ Virtual IPs
- ✓ IPsec
- ✓ OpenVPN
# CARP Settings (Virtual IPs)
Type: CARP
Interface: LAN
Address: 192.168.1.254/24
Virtual IP Password: [carp_password]
VHID Group: 1
Advertising Base: 1
Advertising Skew: 0 (primary), 100 (secondary)
State Synchronization (pfsync)
# System > High Availability > Settings
# State Synchronization Settings (pfsync)
Synchronize Interface: LAN
pfsync Synchronize Peer IP: [secondary_firewall_lan_ip]
Web Proxy and Content Filtering
Squid Proxy Configuration
# Services > Web Proxy > Administration
# General Proxy Settings
Enable proxy: ✓
Proxy interface: LAN
Proxy port: 3128
Transparent proxy: ✓
Enable access logging: ✓
# Cache Management
Memory cache size: 512 MB
Hard disk cache size: 2048 MB
Cache directory: /var/squid/cache
# Authentication
Authentication method: Local Users
Require authentication: ✓
Authentication processes: 5
Authentication TTL: 2 hours
SquidGuard Content Filter
# Services > Web Proxy > Content Filter
# General Settings
Enable: ✓
Enable log: ✓
Enable log rotation: ✓
# Blacklists
Download: Shalla Secure Services
Categories to block:
- adv (Advertisement)
- aggressive
- drugs
- porn
- violence
- warez
# Target Rules
Target: students
Domain list: allow_domains.txt
URL list: allow_urls.txt
Expression list: allow_expressions.txt
Redirect mode: Redirect to URL
Monitoring and Logging
System Logs Configuration
# System > Logging > Settings
# General Logging Options
Log to disk: ✓
Log to remote syslog server: ✓
Remote syslog server: 192.168.1.50:514
Log certificate validation: ✓
# Specific log settings
Firewall log entries: 50000
DHCP log entries: 1000
System log entries: 50000
SNMP Monitoring
# Services > SNMP
# General
Enable: ✓
Polling: ✓
SNMP version: v3
Community: [community_string]
# SNMP v3 Authentication
Username: monitoring
Authentication Type: SHA
Authentication Passphrase: [auth_password]
Privacy Type: AES
Privacy Passphrase: [priv_password]
# Monitoring targets
Interface statistics: ✓
CPU load: ✓
Memory usage: ✓
Disk usage: ✓
Backup and Disaster Recovery
Configuration Backup
# System > Configuration > Backups
# Automatic Backup
Enable: ✓
Backup count: 10
Backup location: /conf/backup/
# Scheduled backup script (/usr/local/bin/config_backup.sh, run from cron as root)
#!/bin/sh
set -eu
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/conf/backup"
CONFIG_FILE="/conf/config.xml"
REMOTE="backup@192.168.1.200:/backups/opnsense/"
mkdir -p "$BACKUP_DIR"
# Create backup
cp "$CONFIG_FILE" "$BACKUP_DIR/config_backup_$DATE.xml"
# Compress backups older than 7 days (only ours: OPNsense keeps its own config-*.xml history here)
find "$BACKUP_DIR" -name "config_backup_*.xml" -mtime +7 -exec gzip {} \;
# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -name "config_backup_*.gz" -mtime +30 -delete
# Send to remote location (key-based SSH authentication assumed)
scp "$BACKUP_DIR/config_backup_$DATE.xml" "$REMOTE"
Remote Backup Strategy
# Crontab entry for automated backups (daily at 02:00)
0 2 * * * /usr/local/bin/config_backup.sh
# Remote sync script
#!/bin/sh
set -eu
# Database backup for additional data (dumped before the sync so the same run ships it)
sqlite3 /conf/captiveportal.db .dump > "/conf/backup/captiveportal_$(date +%Y%m%d).sql"
# Mirror the local backup directory to the backup host (key-based SSH authentication assumed)
rsync -avz --delete /conf/backup/ backup@192.168.1.200:/backups/opnsense/
Performance Optimization
Network Optimization
# System > Tunables
# Network performance tunables
net.inet.tcp.sendspace: 65536
net.inet.tcp.recvspace: 65536
net.inet.udp.maxdgram: 57344
net.inet.ip.fastforwarding: 1
# Buffer sizes
kern.ipc.maxsockbuf: 16777216
net.inet.tcp.sendbuf_max: 16777216
net.inet.tcp.recvbuf_max: 16777216
# Connection limits
kern.maxfiles: 65536
kern.maxfilesperproc: 32768
Firewall Optimization
# System > Tunables > Firewall
# State table optimization
net.pf.states_hashsize: 32768
net.pf.src_nodes_hashsize: 32768
net.pf.frags_hashsize: 8192
# Timeout optimization
net.pf.timeout.tcp.first: 120
net.pf.timeout.tcp.opening: 30
net.pf.timeout.tcp.established: 86400
net.pf.timeout.tcp.closing: 900
Conclusion
A robust OPNsense configuration includes:
- Proper network segmentation with a DMZ
- Granular, well-documented firewall rules
- Secure VPNs for remote access and site-to-site links
- Active IDS/IPS for threat detection
- High availability with CARP and pfsync
- Complete monitoring with centralised logs
- Automated backups and a recovery strategy
- Performance tuning for the environment
This configuration provides a solid foundation for enterprise perimeter security.