Greetings all,

 

The firewall replacement and other related work was successfully completed today.

 

There was actually very little disruption on the HECnet side of things. It was only down a few times while I was hooking up the new hardware and restarting it again a bit later.

 

In case anyone is curious, I pulled out an old Cisco ASA I was using and I’ve replaced it with a machine running OPNsense.

OPNsense is a BSD-based firewall, originally forked from the pfSense project a very long time ago.

 

I decided on using OPNsense for a few reasons. The first is the ability to implement intrusion blocking based on automatically updating rules from sources such as Proofpoint.

The second was a requirement for me to stack 802.1q VLANs inside another 802.1q VLAN through to my ISP so I could gain access to both the internet and also some private networks that run to other locations.

I didn’t have the ability to stack VLANs like this on the Cisco ASA, and other firewall products often force the parent VLAN to be 802.1ad. I can’t have this, because my carriage provider (Telstra) will strip any 802.1ad tagged packets.

 

In any event, I’ve been working with OPNsense in my lab for the past two weeks and I’m quite impressed by it. I had to perform the firewall migration manually in terms of the existing rules on my Cisco ASA.

There were quite a lot, but it was much easier setting them up by hand on OPNsense than I typically experience with most other vendor products.

 

While I have OPNsense running on commodity hardware at this stage, my next plan is to purchase a nice rackmount server (perhaps something from the OPNsense store, but more likely a cheaper alternative from elsewhere).

 

It has made me interested, however, in setting up a small firewall box at home to run OPNsense here as well to replace my existing Ubiquiti EdgeRouter.

 

Anyway – if anyone notices anything strange in relation to Area 35 just let me know.

 

Cheers, Wiz!!

From: David Moylan <djm@wiz.net.au>
Sent: Saturday, 1 July 2023 8:13 AM
To: The Hobbyist DECnet mailing list <hecnet@lists.dfupdate.se>
Subject: [HECnet] AREA 35 up and down today

 

Greetings all,

 

I’m performing a firewall replacement along with all kinds of other comms related tasks at my office today.

This means Area 35 will be up and down and possibly out for a few hours.

 

I’ll be starting in the next 2 hours or so. All the work will be finished this afternoon.

 

Cheers, Wiz!!