{
"title": "Notes on Installing OPNsense in Proxmox VE",
"slug": "opnsense-virtualization-in-proxmox-ve",
"tags": [
"Linux",
"Apps - Software"
],
"published_at": "2023-01-29T10:46:00.000Z",
"type": "post",
"ghost_id": "67e4d4f6c5a22a0001354611",
"status": "published",
"visibility": "public",
"featured": false,
"created_at": "2025-03-27T04:32:54.000Z",
"updated_at": "2025-03-27T04:38:57.000Z",
"custom_excerpt": "Replaced the soft-router hardware, so I updated these notes while at it",
"authors": [
"Gbanyan"
],
"feature_image": "../assets/photo-1520869562399-e772f042f422.jpg",
"body": {
"raw": "\n## Preface\n\n* Replaced the soft-router hardware, so I updated these notes while at it\n* This post builds on [Proxmox VE + pfSense installation](__GHOST_URL__/proxmox-ve-pfsense-installation-note/)\n + The network layout inside Proxmox VE is still similar: both use paravirtualized VirtIO network adapters (Virtio Net)\n + In testing, an Intel J4125 with Intel i225v NICs saturates a 300M / 100M line without configuring NIC passthrough\n* Reasons for switching to OPNsense:\n + pfSense requires a subscription (pfSense Plus) to get more active updates; it is currently free for home users, but a future charge cannot be ruled out\n + OPNsense's update policy is more aggressive, with a shorter security-update cycle\n + Zenarmor and other third-party package repositories can be installed, although I later removed Zenarmor anyway\n + The OPNsense UI is a bit friendlier; the search box jumps straight to the setting you want\n\n## Initial Installation\n\n* Assign port vmbr0 to WAN and vmbr1 to LAN (see the screenshots in the pfSense notes)\n* Skip the LAGG and VLAN configuration\n* Default account and password for entering the installer\n + account: installer\n + password: opnsense\n* VM settings in Proxmox VE\n + machine type: Q35\n + processor type: host\n + OS type: other\n + adjust CPU and memory as needed\n\n## Configuration\n\n### PPPoE settings with IPv6 (for HiNet)\n\n* Fill in the PPPoE details to establish the connection\n* Tick the \"Use IPv4 connectivity\" option\n* In the LAN IPv6 section, set IPv6 Configuration Type to Track Interface and, in the options below, select \"WAN\" as the interface\n* In the firewall settings, tick \"Allow IPv6\"\n* Add an IPv6 ICMP allow rule to the WAN firewall rules\n* If you want to hand out a self-hosted DNS (AdGuard Home or Pi-hole) and apply it to IPv6 as well:\n + Tick \"Manual Router announcement management\"\n + Enter the IPv4 DNS server addresses in the \"Router announcement\" settings\n + HiNet IPv6 is stateless (stateless DHCPv6 + SLAAC)\n + Disable the DHCPv6 service on the LAN\n + The logic: IPv6 name resolution can be sent to a DNS server reached over its IPv4 address, and it still returns IPv6 answers\n\n### Security Settings\n\n#### System\n\n* Stop services from listening on the WAN interface, including the WebUI, SSH, and Unbound\n* Install CrowdSec and enable Intrusion Detection\n + Disable the hardware network acceleration options under \"Interfaces\" > \"Settings\"\n* Configure an SSH key and disable password login\n\n#### Intrusion Detection (Suricata) (IPS/IDS)\n\n* Download rule sets based on the services in use\n* Do not apply the rule sets named after specific sites or applications (P2P, Facebook, YouTube)\n* The ET Pro rule set requires a subscription\n\n#### CrowdSec\n\n* Connects to the cloud database to detect and block attacker IPs\n* Collections for different scenarios (Windows, nginx, ...) can only be added via shell commands\n* The hub for adding scenario rules: [CrowdSec Hub](https://hub.crowdsec.net)\n\n#### FireHOL IP list subscription\n\n* [FireHOL Block List (Botnets, Attacks, Malware...)](https://forum.opnsense.org/index.php?topic=17596.0)\n* Follow the guide to add an alias for FireHOL level 2\n* Add a cron job to update the firewall alias\n\n#### VLAN Configuration (for a guest network or a dedicated IoT network)\n\n* Add the VLAN, assign the tag, and make the Proxmox VE vtnet interface VLAN-aware\n* Assign a DHCP server\n* Add a firewall rule so the VLAN network cannot reach the LAN\n\n#### GeoIP and Aliases for Firewall Blocking (if you want to block specific countries or regions)\n\n* Register for the MaxMind GeoIP database\n* Follow the guide to add firewall aliases\n* Configure rules to block the specific countries\n\n### Cron (after finishing the security settings, remember to schedule updates for each list)\n\n* System and package updates\n* Suricata blocklist update\n* Firewall alias updates (FireHOL, GeoIP)\n\n### Other Packages\n\n* Netdata: another monitoring service\n* Wake-on-LAN: for waking machines remotely\n* UPnP: use with caution if you have security concerns; it punches holes for services inside the LAN\n* Tailscale: [Installing and configuring Tailscale on OPNsense | 鐵血男兒的BLOG](https://pfschina.org/wp/?p=9163)\n* WireGuard: [How to Set Up WireGuard in OPNsense in 2023 - WunderTech](