OPNsense Router Upgrade Project

Objective:

Manage and configure OPNsense to enhance network security and infrastructure management, install two TP-Link access points, and set up an NGINX reverse proxy.


Primary Goal:

Replace consumer-grade wireless routers with more reliable, upgradeable hardware to improve network security, reliability, and speed.


Hardware and Software Selection

Hardware Needs:

  • Reliability & Resources: Replace frequent consumer-grade routers with durable, upgradeable hardware.

  • Separate Wireless from Router: Use multiple APs for better coverage and resource management.

  • SSID Management: Add separate SSIDs for home automation devices and guest access.

Software Requirements:

  • Router OS: Must support gigabit speeds, simplify server exposure to the internet, and maintain security.

  • pfSense: Chosen to repurpose old desktop hardware, installed with Intel gigabit dual NIC.

  • Network Upgrades: Later switched to OPNsense for better support and additional features.

Configuration and Implementation

Router Setup:

  • Hardware: Quad-core processor, 8GB RAM, dependable NICs, fast SSD.

  • DHCP & DNS: Configured DHCP for 254 addresses, 50 reserved for static; primary DNS server with reliable public DNS forwarding.

TP-Link Access Points:

  • Configuration: Set up via Omada Controller software.

  • SSIDs:

    • Primary SSID: For secured LAN access.

    • Automation SSID: For 2.4GHz home automation devices.

    • Guest SSID: For guests with no internal network access.

NGINX Reverse Proxy:

  • Virtual Machine: Ubuntu Server on XCP-ng host.

  • TLS Certificates: Obtained from Let's Encrypt with Certbot for every domain and subdomain served by the proxy.

  • Security Configuration: Restricted the TLS cipher suites per server block to balance compatibility and security; published CAA records so only Let's Encrypt may issue certificates for the domains.

Remote Management:

  • OpenVPN Setup: Managed remotely with certificate and password authentication.

  • WireGuard Upgrade: Replaced the OpenVPN virtual machine with WireGuard, which is built into OPNsense, for efficiency and simpler management.

Final Outcome and Benefits

Performance:

  • Network easily handles 1 Gbps.

  • Security and Reliability: Confident in the setup after continuous operation without issues for two years.

Upgrades & Improvements:

  • Unbound DNS & CrowdSec: Added blocklists for malware hosts, tracking domains, botnet command-and-control and other unwanted traffic.

  • DNSSEC & DNS over TLS: DNSSEC validation in Unbound authenticates answers; DNS over TLS to the upstream resolver encrypts queries in transit.

Future Plans

  • Further Hardware Upgrades: Continuously evaluate hardware needs as technology evolves.

  • Network Expansion: Explore additional APs or switches as network demands increase.


[Image: OPNsense dashboard]

This project involved managing and configuring OPNsense to improve network security and infrastructure management, as well as installing two TP-Link access points and an NGINX reverse proxy. The primary goal was to improve the security, reliability, and speed of the network with equipment that would replace the consumer-grade wireless routers I had previously used.

I set out to find a replacement that would not require purchasing another consumer-grade router every year or two. I needed a way to use more reliable hardware with more resources, as well as hardware that could be repaired or upgraded. I also wanted to separate the wireless from the router so that multiple APs could provide more coverage throughout the house while keeping those resources separate from the router. I had added a lot more Wi-Fi-enabled home automation devices, such as smart bulbs and plugs, and I wanted to easily separate them with a separate SSID. For the router software, I needed to find an OS that would allow all of my internet-connected devices and servers to connect to the internet at gigabit speeds, simplify how I exposed internal servers to the internet, and secure the network while maintaining that speed.

I discovered that pfSense would be the software I needed! It would allow me to repurpose the hardware I had leftover from upgrading my old desktop. I could get a rack mountable case for the new router and only need to install an Intel gigabit dual NIC in an empty PCIe slot. I burned the most recent pfSense ISO to a DVD and used an external DVD drive to install the OS on a spare SSD in the newly built router. The new router featured a quad-core processor, 8GB of RAM, dependable NICs, and a fast SSD with ample storage for logs and other reports.

I configured a DHCP range of 254 addresses, with 50 reserved for static addresses. I set up the router as the primary DNS server for all DHCP leases, with DNS forwarding to reliable public DNS servers with low latency for my location. For the price, the business-class TP-Link APs received positive reviews for reliability, ease of configuration, and availability of firmware updates. They could also be powered over PoE, as I intended to add a PoE switch to the network later. I connected both TP-Link APs and configured them from my desktop using the Omada Controller software. I created a primary SSID for all secured LAN access, a separate SSID for automation devices that only used the 2.4GHz radio, and another SSID for guests that has no access to the internal network.

Now that the network was configured, I created a new virtual machine with the Ubuntu Server operating system on my XCP-ng host. I set up an NGINX server and began configuring it as a reverse proxy for all of the subdomains on my network. I configured the firewall to forward all incoming connections on ports 80 and 443 to the reverse proxy; the proxy redirects plain HTTP requests to HTTPS and terminates TLS before passing traffic to the internal servers. I installed Certbot, which obtained TLS certificates from Let's Encrypt for each domain and subdomain on the proxy. I also added a CAA record to my DNS for all domains on the proxy, so that only Let's Encrypt is authorized to issue certificates for them. To balance compatibility and security, I limited the TLS cipher suites (ssllabs.com should give all of my sites an "A"). I configured this on a per-server basis, so if there was a need to change these settings for one site, I could do so for that server block alone.
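The reverse proxy described above, as an added example rather than the configuration from this project: one HTTPS virtual host whose port-80 listener only answers ACME challenges and redirects everything else, with the cipher policy set inside the server block so it can be relaxed for one host without touching the others. The hostname, the internal backend address and the webroot path are assumptions; the certificate paths are where Certbot places files by default.

```nginx
# Added example, not the project's own config. Hostnames, backend address
# and webroot are assumed; certificate paths are Certbot's defaults.

# Port 80: serve nothing except the ACME challenge, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name app.example.com;

    # Lets "certbot --webroot" renew without stopping nginx
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination here, plain HTTP to the internal host.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Per-server cipher policy: TLS 1.2 and 1.3 only, forward-secret
    # AEAD suites only. ssl_ciphers governs the TLS 1.2 list; TLS 1.3
    # suites are chosen by OpenSSL and are all AEAD.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to keep using HTTPS for two years
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://10.0.0.20:8080;   # internal service (assumed address)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks worth making after loading a block like this: "nginx -t" before reloading, and, once the CAA record is in place, a query such as "dig CAA example.com" should return a record of the form  example.com. IN CAA 0 issue "letsencrypt.org"  so that any other CA is refused issuance. Because the firewall forwards 80 and 443 to this proxy, the X-Forwarded-For header is the only place the backend sees the real client address; a backend that logs or rate-limits by client IP has to be told to trust that header from the proxy and nothing else.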

I created another Ubuntu Server virtual machine and installed OpenVPN so that I could manage my network remotely from anywhere. I set up the server to use both certificate and password authentication. I was able to connect and manage my servers and network using clients on both my phone and laptop, and with the proper routing, I was able to use the VPN to secure all of my internet traffic across these devices.

My network could easily handle 1 Gbps, and I was confident in the new setup's security and reliability. Around two years later, after no problems, I discovered that some security patches were not being issued to pfSense, so I reinstalled using OPNsense. I also upgraded to my recently retired desktop hardware, which provided even more resources. During the upgrade, I made some additional configuration changes. I configured Unbound DNS and CrowdSec to enable blocklists for malware IPs, tracking domains, botnets, and other unwanted network traffic. I enabled DNSSEC validation in Unbound and forwarded queries over DNS over TLS to Cloudflare's public resolvers, so that answers are validated locally and queries are encrypted on the way to the upstream resolver. I also removed the OpenVPN virtual machine in favor of WireGuard, which is built into OPNsense.
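The DNS changes in the paragraph above, written out as an added example in plain Unbound syntax rather than as this project's configuration. OPNsense generates its own unbound.conf from the web interface, so this is the effect of those settings rather than a copy of that file; the LAN address, the trust-anchor and CA-bundle paths, and the single blocklist entry are assumptions.

```unbound
# Added example, not the project's configuration. Addresses and file
# paths are assumed; OPNsense writes its own unbound.conf from the GUI.
server:
    interface: 192.168.1.1                # LAN address of the router (assumed)
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse      # never an open resolver toward the WAN

    # DNSSEC: validate every answer against the root trust anchor.
    # A forged or altered record in a signed zone fails with SERVFAIL
    # instead of being handed to the client.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # CA bundle used to verify the certificate of the DoT upstream
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # One hand-written blocklist entry: the name resolves to NXDOMAIN.
    # OPNsense's blocklist feature applies the same effect to many names.
    local-zone: "tracker.example" always_nxdomain

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The name after '#' is checked against the upstream's certificate.
    # Without it the transport is encrypted but unauthenticated, and any
    # host that can intercept traffic to that IP could answer queries.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
```

Validation still happens locally even though every query is forwarded: the upstream returns the RRSIG records and Unbound checks them against the trust anchor, so a misbehaving resolver cannot substitute answers for signed zones. A quick check that both pieces are active is "unbound-host -v -r example.com" on the router, which should report the answer as "(secure)" rather than "(insecure)".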