  • Stars: 137
  • Rank: 266,121 (Top 6 %)
  • Language: Bicep
  • License: MIT License
  • Created over 5 years ago
  • Updated about 1 year ago


Repository Details

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method.

OPNsense Firewall on FreeBSD VM

CI Name                                     Actions Workflow                              CI Status
BicepBuild                                  bicepBuild.yml                                bicepBuildCI
Deployment Checker - Active Active          deploymentChecker-active-active.yml           deploymentCheckeractiveactiveactiveCI
Deployment Checker - two nics               deploymentChecker-two-nics.yml                deploymentCheckertwonicsCI
Deployment Checker - single nic             deploymentChecker-sing-nic.yml                deploymentCheckersingnicCI
Deployment Checker - new vnet Active Active deploymentChecker-newvnet-active-active.yml   deploymentCheckeractivenewvnetactiveactiveCI
Deployment Checker - new vnet two nics      deploymentChecker-newvnet-two-nics.yml        deploymentCheckernewvnettwonicsCI
Deployment Checker - new vnet single nic    deploymentChecker-newvnet-sing-nic.yml        deploymentCheckernewvnetsingnicCI

Deployment Wizard

Deploy To Azure

The template allows you to deploy an OPNsense Firewall VM using the opnsense-bootstrap installation method. It creates a FreeBSD VM and performs a silent install of OPNsense using a modified version of opnsense-bootstrap.sh with the settings provided.

OPNsense is based on FreeBSD, and the FreeBSD Foundation is the official publisher of the FreeBSD OS image in Azure. This template deploys a FreeBSD 13.1 VM and installs OPNsense using the opnsense-bootstrap installation method. For the first deployment in an Azure subscription you must accept the legal terms of the offer with PublisherId: 'thefreebsdfoundation', OfferId: 'freebsd-13_1'.

You can accept them using either Azure CLI or Azure PowerShell as follows:

az vm image terms accept --urn thefreebsdfoundation:freebsd-13_1:13_1-release:13.1.0 -o none
Get-AzMarketplaceTerms -Publisher 'thefreebsdfoundation' -Product 'freebsd-13_1' -Name '13_1-release' -OfferType 'latest' | Set-AzMarketplaceTerms -Accept

The login credentials are set during the installation process to:

  • Username: root
  • Password: opnsense (lowercase)

*** Please *** change the default password!!! (In the Active-Active scenario the password must be changed on both firewalls and under the High Availability settings.)

After deployment, you can go to https://PublicIP, then input the user and password, to configure the OPNsense firewall. In case of Active-Active the URL should be https://PublicIP:50443 for Primary server and https://PublicIP:50444 for Secondary server.

Updates

Feb-2023

  • Added support for OPNsense 23.1
  • Added support for selecting versions (22.7, 23.1)

October-2022

  • Updated FreeBSD to 13.1
  • Updated OPNSense to 22.7
  • Updated Azure Linux Agent to 2.8.0
  • Updated Python symbolic link to 3.9

April-2022

  • Updated FreeBSD 13 and OPNSense 22.1
  • Added support for Floating IPs in External Load Balancer rules to allow port forwarding without causing asymmetric routing issues.
  • Enabled session Sync between Firewalls.
  • Add Virtual IP of the External Load Balancer to support Floating Rules.
  • Add support for a Windows Management VM in a management network.
  • Create a new simplified deployment wizard.
  • Bicep template refactoring to support the new UI deployment wizard.

Nov-2021

  • Added Active-Active deployment option (using Azure Internal and External Loadbalancer and OPNsense HA settings).
  • Templates are now auto-generated under the ARM folder from a Bicep template using GitHub Actions.

Overview

This OPNsense solution is installed on FreeBSD 12.0 (Azure image). Here is what you will see when you deploy this template:

There are 3 different deployment scenarios:

  • Active-Active:

    1. VNET with Two Subnets and OPNsense VM with two NICs.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. Internal NIC named Trusted Linked to Trusted-Subnet (10.0.1.0/24).
    5. It creates an NSG named OPN-NSG which allows incoming SSH and HTTPS. The same NSG is associated with both subnets.
    6. For Active-Active, an internal and an external load balancer will be created.
    7. Two OPNsense firewalls will be created.
    8. OPNsense will be configured to allow the load balancer probe connection.
    9. OPNsense HA settings will be configured to sync rule changes between both firewalls.
    10. Option to deploy a Windows management VM. (This option requires a management subnet to be created.)
  • TwoNics:

    1. VNET with Two Subnets and OPNsense VM with two NICs.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. Internal NIC named Trusted Linked to Trusted-Subnet (10.0.1.0/24).
    5. It creates an NSG named OPN-NSG which allows incoming SSH and HTTPS. The same NSG is associated with both subnets.
    6. Option to deploy a Windows management VM. (This option requires a management subnet to be created.)
  • SingleNic:

    1. VNET with single Subnet and OPNsense VM with single NIC.
    2. VNET Address space is: 10.0.0.0/16 (suggested Address space, you may change that).
    3. External NIC named Untrusted Linked to Untrusted-Subnet (10.0.0.0/24).
    4. It creates an NSG named OPN-NSG which allows incoming SSH and HTTPS.
    5. Option to deploy a Windows management VM. (This option requires a management subnet to be created.)

Design

[Figure: Design of two-NIC deployment]  [Figure: Design of Active-Active deployment]

Deployment

Here are a few considerations for deploying this solution correctly:

  • When you deploy this template, only TCP 22 is left listening to the Internet while OPNsense gets installed.
  • To monitor the installation progress during template deployment, probe port 22 on the OPNsense VM public IP (psping or tcping).
  • When port 22 stops responding, OPNsense has been installed and the VM is restarting automatically. From that point on, only TCP 443 is exposed.

Note: The whole process takes about 10 min: the VM is created and then a new VM CustomScript extension run starts to install OPNsense.
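The probe-based monitoring described above, as an added example for a Unix client (it is not part of the opnazure project): it polls TCP 22 and the HTTPS port and maps the two results to the phase the template is in. It assumes bash (for /dev/tcp) and coreutils `timeout` are available on the client.

```shell
#!/bin/sh
# Added example, not part of the opnazure project: watch the bootstrap phases
# described in the README by probing TCP 22 and the HTTPS port on the
# firewall's public IP. Assumes bash (/dev/tcp) and coreutils timeout.
set -eu

# probe_port HOST PORT [TIMEOUT]: exit 0 if a TCP connect succeeds, non-zero otherwise.
probe_port() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# port_state HOST PORT -> "open" or "closed"
port_state() {
  if probe_port "$1" "$2"; then echo open; else echo closed; fi
}

# install_phase SSH_STATE HTTPS_STATE: map the two probe results to a phase.
install_phase() {
  case "$1/$2" in
    open/closed)   echo installing ;;  # bootstrap running, only 22 exposed
    closed/closed) echo restarting ;;  # install finished, VM rebooting
    closed/open)   echo ready ;;       # only HTTPS exposed: final state
    *)             echo unexpected ;;  # both open is not what the template leaves
  esac
}

# watch_install PUBLIC_IP [HTTPS_PORT]: poll every 30 s until the firewall is ready.
# Use 50443 / 50444 as HTTPS_PORT for the Active-Active primary / secondary.
watch_install() {
  ip=$1; https=${2:-443}; phase=""
  while [ "$phase" != ready ]; do
    phase=$(install_phase "$(port_state "$ip" 22)" "$(port_state "$ip" "$https")")
    echo "$(date +%T) $ip: $phase"
    [ "$phase" = ready ] || sleep 30
  done
  echo "Web UI: https://$ip:$https (change the default root password first)"
}

if [ "$#" -gt 0 ]; then watch_install "$@"; fi
```

Run it as `sh watch.sh <PublicIP>` (or `sh watch.sh <PublicIP> 50443` for an Active-Active primary).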

Usage

  • First access can be done using https://PublicIP. Ignore the SSL/TLS certificate errors and proceed. In case of Active-Active the URL should be https://PublicIP:50443 for the primary server and https://PublicIP:50444 for the secondary server.
  • Your first login is going to be username "root" and password "opnsense" (PLEASE change your password right away).
  • To access SSH you can either deploy a jumpbox VM on the Trusted Subnet or create a firewall rule to allow SSH from the Internet.
  • To send traffic through OPNsense you need to create a UDR for 0.0.0.0/0 with the trusted NIC IP (10.0.1.4) as the next hop (next hop type Virtual Appliance) and associate that route table with Trusted-Subnet.
  • Note: Appropriate firewall rules must be created inside OPNsense for the desired traffic to work properly.
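The UDR step above with Azure CLI, as an added example that is not part of the opnazure project: it creates a route table with a single default route whose next hop is the OPNsense trusted NIC (10.0.1.4), binds it to Trusted-Subnet, and reads the route back to confirm the next hop. The resource group, VNet, route table and region names are assumptions (override them via environment variables); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the opnazure project: build the default route (UDR)
# from the README with Azure CLI and bind it to Trusted-Subnet.
# RG, VNET, LOCATION and RT are assumed names; DRY_RUN=1 prints instead of running.
set -eu

RG=${RG:-opnsense-rg}          # assumed resource group
VNET=${VNET:-OPN-VNET}         # assumed VNet name
LOCATION=${LOCATION:-eastus}   # assumed region
RT=${RT:-Trusted-RT}           # assumed route table name
SUBNET=Trusted-Subnet          # subnet name from the README
NVA_IP=10.0.1.4                # trusted NIC IP from the README

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Route table with one 0.0.0.0/0 route whose next hop is the OPNsense trusted
# NIC, then associate it with the subnet so its workloads egress via the firewall.
create_default_route() {
  run az network route-table create -g "$RG" -n "$RT" -l "$LOCATION" -o none
  run az network route-table route create -g "$RG" --route-table-name "$RT" \
    -n default-via-opnsense --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP" -o none
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --route-table "$RT" -o none
}

# Read the route back and confirm the next hop really is the firewall's trusted NIC.
verify_default_route() {
  hop=$(az network route-table route show -g "$RG" --route-table-name "$RT" \
        -n default-via-opnsense --query nextHopIpAddress -o tsv)
  [ "$hop" = "$NVA_IP" ]
}

if [ "${1:-}" = apply ]; then create_default_route && verify_default_route; fi
```

Invoke as `sh udr.sh apply` after `az login`; traffic from Trusted-Subnet only flows once matching firewall rules exist in OPNsense.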

Roadmap

Build custom deployment form

Feedbacks

Please use the GitHub issues tab to provide feedback.

Credits

Thanks for direct feedback and contributions from: Adam Torkar, Brian Wurzbacher, Victor Santana and Brady Sondreal.
