blog-nextjs/.contentlayer/generated/Post/posts__OPNsense 在 Proxmox VE 內安裝筆記.md.json
2025-11-17 15:28:20 +08:00
{
"title": "OPNsense 在 Proxmox VE 內安裝筆記",
"slug": "opnsense-virtualization-in-proxmox-ve",
"tags": [
"Linux",
"Apps - 軟體"
],
"published_at": "2023-01-29T10:46:00.000Z",
"type": "post",
"ghost_id": "67e4d4f6c5a22a0001354611",
"status": "published",
"visibility": "public",
"featured": false,
"created_at": "2025-03-27T04:32:54.000Z",
"updated_at": "2025-03-27T04:38:57.000Z",
"custom_excerpt": "I replaced the soft-router hardware, so I took the chance to update these notes",
"authors": [
"Gbanyan"
],
"feature_image": "../assets/photo-1520869562399-e772f042f422.jpg",
"body": {
"raw": "\n## Preface\n\n* I replaced the soft-router hardware, so I took the chance to update these notes\n* This post builds on [Proxmox VE + PfSense installation](__GHOST_URL__/proxmox-ve-pfsense-installation-note/)\n + The network layout inside Proxmox VE is still similar: both use the paravirtualized VirtIO Net NIC\n + Tested on an Intel J4125 with Intel i225-V NICs: even without NIC passthrough it still saturates the 300M / 100M line\n* Reasons for switching to OPNsense:\n + PfSense needs a subscription (PfSense Plus) to receive the more active updates; it is free for home users at the moment, but a future paywall cannot be ruled out\n + OPNsense has a more aggressive update policy with a shorter security-update cycle\n + Zenarmor and other third-party package sources can be installed, although I removed Zenarmor again later\n + OPNsense's UI is a bit friendlier; the search box jumps straight to the setting you want\n\n## Installation\n\n* Assign vmbr0 to WAN and vmbr1 to LAN (see the screenshots in the PfSense notes)\n* Skip the lagg and VLAN configuration\n* Default account and password for entering the installer\n + account: installer\n + password: opnsense\n* VM settings in Proxmox VE\n + machine type: Q35\n + processor type: host\n + OS type: other\n + adjust CPU, memory and the rest as needed\n\n## Configuration\n\n### PPPoE settings with IPv6 (for Hinet)\n\n* Fill in the PPPoE details to establish the connection\n* Tick \"Use IPv4 connectivity option\"\n* In the LAN IPv6 section, set IPv6 configuration type -> Track Interface, and in the options below select \"WAN\" as the interface\n* In the Firewall options, tick \"allow IPv6\"\n* Add an IPv6 ICMP allow rule to the WAN firewall rules\n* If you want to point clients at a self-hosted DNS (AdGuard Home or Pi-hole) and also apply it to IPv6:\n + Tick \"Manual Router announcement management\"\n + Fill in the DNS IPv4 settings under \"Router announcement\"\n + Hinet IPv6 is stateless (stateless DHCPv6 + SLAAC)\n + Disable the DHCPv6 service on the LAN\n + The reasoning: IPv6 clients can send their DNS queries to a server that only has an IPv4 address and still receive IPv6 addresses in the answers\n\n### Security\n\n#### System\n\n* Disable listening services (WebUI, SSH, Unbound) on the WAN interface\n* Install CrowdSec and enable Intrusion Detection\n + Disable the hardware network acceleration options under \"Interfaces\" > \"Settings\"\n* Configure an SSH key and disable password login\n\n#### Intrusion Detection (Suricata) (IPS/IDS)\n\n* Download rule sets based on the services you use\n* Rule sets named after sites (p2p, Facebook, YouTube) are not applied\n* The ET Pro rule set needs a subscription\n\n#### CrowdSec\n\n* Connects to the cloud database to detect and block attacker IPs\n* Collections for different scenarios (windows, nginx, ...) can only be added through shell commands\n* The hub for adding scenario rules: [CrowdSec Hub](https://hub.crowdsec.net)\n\n#### FireHOL IP list subscription\n\n* [FireHOL Block List (Botnets, Attacks, Malware...)](https://forum.opnsense.org/index.php?topic=17596.0)\n* Follow the guide to add an alias for FireHOL level 2\n* Add a cron job to update the firewall alias\n\n#### VLAN Configuration (for a guest network or a dedicated IoT network)\n\n* Add the VLAN, assign the tag, and make the Proxmox VE vtnet VLAN-aware\n* Assign a DHCP server\n* Add a firewall rule so the VLAN network cannot reach the LAN\n\n#### GeoIP and Aliases for Firewall Block (if you want to block specific countries or regions)\n\n* Register for the MaxMind GeoIP database\n* Follow the guide to add firewall aliases\n* Configure the block for the specific countries\n\n### Cron (after finishing the security settings, remember to schedule updates for each list)\n\n* System and package updates\n* Suricata blocklist update\n* Firewall alias updates (FireHOL, GeoIP)\n\n### Other Packages\n\n* Netdata: another monitoring service\n* Wake-On-LAN: for waking machines remotely\n* UPnP: use with care if you have security concerns; it punches holes for services inside the LAN\n* Tailscale [Installing and configuring Tailscale on OPNsense | 鐵血男兒的BLOG](https://pfschina.org/wp/?p=9163)\n* WireGuard [How to Set Up WireGuard in OPNsense in 2023 - WunderTech](https://www.wundertech.net/)\n",
"html": "<h2 id=\"前言\"><a href=\"#前言\">Preface</a></h2>\n<ul>\n<li>I replaced the soft-router hardware, so I took the chance to update these notes</li>\n<li>This post builds on <a href=\"__GHOST_URL__/proxmox-ve-pfsense-installation-note/\">Proxmox VE + PfSense installation</a>\n<ul>\n<li>The network layout inside Proxmox VE is still similar: both use the paravirtualized VirtIO Net NIC</li>\n<li>Tested on an Intel J4125 with Intel i225-V NICs: even without NIC passthrough it still saturates the 300M / 100M line</li>\n</ul>\n</li>\n<li>Reasons for switching to OPNsense:\n<ul>\n<li>PfSense needs a subscription (PfSense Plus) to receive the more active updates; it is free for home users at the moment, but a future paywall cannot be ruled out</li>\n<li>OPNsense has a more aggressive update policy with a shorter security-update cycle</li>\n<li>Zenarmor and other third-party package sources can be installed, although I removed Zenarmor again later</li>\n<li>OPNsense's UI is a bit friendlier; the search box jumps straight to the setting you want</li>\n</ul>\n</li>\n</ul>\n<h2 id=\"初始安裝-installation\"><a href=\"#初始安裝-installation\">Installation</a></h2>\n<ul>\n<li>Assign vmbr0 to WAN and vmbr1 to LAN (see the screenshots in the PfSense notes)</li>\n<li>Skip the lagg and VLAN configuration</li>\n<li>Default account and password for entering the installer\n<ul>\n<li>account: installer</li>\n<li>password: opnsense</li>\n</ul>\n</li>\n<li>VM settings in Proxmox VE\n<ul>\n<li>machine type: Q35</li>\n<li>processor type: host</li>\n<li>OS type: other</li>\n<li>adjust CPU, memory and the rest as needed</li>\n</ul>\n</li>\n</ul>\n<h2 id=\"設定-configuration\"><a href=\"#設定-configuration\">Configuration</a></h2>\n<h3 id=\"pppoe-settings-with-ipv6-適用-hinet\"><a href=\"#pppoe-settings-with-ipv6-適用-hinet\">PPPoE settings with IPv6 (for Hinet)</a></h3>\n<ul>\n<li>Fill in the PPPoE details to establish the connection</li>\n<li>Tick \"Use IPv4 connectivity option\"</li>\n<li>In the LAN IPv6 section, set IPv6 configuration type -> Track Interface, and in the options below select \"WAN\" as the interface</li>\n<li>In the Firewall options, tick \"allow IPv6\"</li>\n<li>Add an IPv6 ICMP allow rule to the WAN firewall rules</li>\n<li>If you want to point clients at a self-hosted DNS (AdGuard Home or Pi-hole) and also apply it to IPv6:\n<ul>\n<li>Tick \"Manual Router announcement management\"</li>\n<li>Fill in the DNS IPv4 settings under \"Router announcement\"</li>\n<li>Hinet IPv6 is stateless (stateless DHCPv6 + SLAAC)</li>\n<li>Disable the DHCPv6 service on the LAN</li>\n<li>The reasoning: IPv6 clients can send their DNS queries to a server that only has an IPv4 address and still receive IPv6 addresses in the answers</li>\n</ul>\n</li>\n</ul>\n<h3 id=\"安全性設定-security\"><a href=\"#安全性設定-security\">Security</a></h3>\n<h4 id=\"system\"><a href=\"#system\">System</a></h4>\n<ul>\n<li>Disable listening services (WebUI, SSH, Unbound) on the WAN interface</li>\n<li>Install CrowdSec and enable Intrusion Detection\n<ul>\n<li>Disable the hardware network acceleration options under \"Interfaces\" > \"Settings\"</li>\n</ul>\n</li>\n<li>Configure an SSH key and disable password login</li>\n</ul>\n<h4 id=\"intrusion-detection-suricata-ipsids\"><a href=\"#intrusion-detection-suricata-ipsids\">Intrusion Detection (Suricata) (IPS/IDS)</a></h4>\n<ul>\n<li>Download rule sets based on the services you use</li>\n<li>Rule sets named after sites (p2p, Facebook, YouTube) are not applied</li>\n<li>The ET Pro rule set needs a subscription</li>\n</ul>\n<h4 id=\"crowdesc\"><a href=\"#crowdesc\">CrowdSec</a></h4>\n<ul>\n<li>Connects to the cloud database to detect and block attacker IPs</li>\n<li>Collections for different scenarios (windows, nginx, ...) can only be added through shell commands</li>\n<li>The hub for adding scenario rules: <a href=\"https://hub.crowdsec.net\">CrowdSec Hub</a></li>\n</ul>\n<h4 id=\"firehol-ip-list-subscription\"><a href=\"#firehol-ip-list-subscription\">FireHOL IP list subscription</a></h4>\n<ul>\n<li><a href=\"https://forum.opnsense.org/index.php?topic=17596.0\">FireHOL Block List (Botnets, Attacks, Malware...)</a></li>\n<li>Follow the guide to add an alias for FireHOL level 2</li>\n<li>Add a cron job to update the firewall alias</li>\n</ul>\n<h4 id=\"vlan-configuration-適用於建立訪客網路或者-iot-專用網路\"><a href=\"#vlan-configuration-適用於建立訪客網路或者-iot-專用網路\">VLAN Configuration (for a guest network or a dedicated IoT network)</a></h4>\n<ul>\n<li>Add the VLAN, assign the tag, and make the Proxmox VE vtnet VLAN-aware</li>\n<li>Assign a DHCP server</li>\n<li>Add a firewall rule so the VLAN network cannot reach the LAN</li>\n</ul>\n<h4 id=\"geoip-and-ailases-for-firewall-block-如果想擋特定區域國家的話\"><a href=\"#geoip-and-ailases-for-firewall-block-如果想擋特定區域國家的話\">GeoIP and Aliases for Firewall Block (if you want to block specific countries or regions)</a></h4>\n<ul>\n<li>Register for the MaxMind GeoIP database</li>\n<li>Follow the guide to add firewall aliases</li>\n<li>Configure the block for the specific countries</li>\n</ul>\n<h3 id=\"cron-安全性設定完成後記得設定各列表的更新\"><a href=\"#cron-安全性設定完成後記得設定各列表的更新\">Cron (after finishing the security settings, remember to schedule updates for each list)</a></h3>\n<ul>\n<li>System and package updates</li>\n<li>Suricata blocklist update</li>\n<li>Firewall alias updates (FireHOL, GeoIP)</li>\n</ul>\n<h3 id=\"others-packages\"><a href=\"#others-packages\">Other Packages</a></h3>\n<ul>\n<li>Netdata: another monitoring service</li>\n<li>Wake-On-LAN: for waking machines remotely</li>\n<li>UPnP: use with care if you have security concerns; it punches holes for services inside the LAN</li>\n<li>Tailscale <a href=\"https://pfschina.org/wp/?p=9163\">Installing and configuring Tailscale on OPNsense | 鐵血男兒的BLOG</a></li>\n<li>WireGuard <a href=\"https://www.wundertech.net/\">How to Set Up WireGuard in OPNsense in 2023 - WunderTech</a></li>\n</ul>"
},
"_id": "posts/OPNsense 在 Proxmox VE 內安裝筆記.md",
"_raw": {
"sourceFilePath": "posts/OPNsense 在 Proxmox VE 內安裝筆記.md",
"sourceFileName": "OPNsense 在 Proxmox VE 內安裝筆記.md",
"sourceFileDir": "posts",
"contentType": "markdown",
"flattenedPath": "posts/OPNsense 在 Proxmox VE 內安裝筆記"
},
"__ignoredType": "Post",
"url": "/blog/opnsense-virtualization-in-proxmox-ve",
"flattenedPath": "OPNsense 在 Proxmox VE 內安裝筆記"
}