# OPNsense
I was a pfSense guy for years, but [OPNsense](https://opnsense.org/) is pretty rad.

## Configure for GOAD (Game of Active Directory)
I use a [Hetzner](/software/hetzner) server for installing [GOAD - Game of Active Directory](/software/goad). The key OPNsense config bits I found necessary for hosts on my OPNsense network (192.168.1.x) to SSH/RDP/etc. into the GOAD network were as follows:

### Add GOAD NIC to Proxmox
I added a new virtual network NIC (at the Proxmox level) to the OPNsense VM. I used vmbr1000, which was listed in **Datacenter > Ludus > Network** as a Linux bridge with CIDR 192.0.2.254/24.

### Edit the GOAD interface in OPNsense
In the **Interfaces > Assignments** menu, I took the new interface, called it *GOADNET* and then assigned it a static address of *192.0.2.49/24*.

### Add new gateway
Under **System > Gateways > Configuration** I added a new gateway with this info:

* Name: GOADNET
* Interface: GOADNET
* Address family: IPv4
* Priority: 255
* IP address: 192.0.2.103 (this is from the `ip addr` output of the GOAD Debian router)
* Disable gateway monitoring: checked
* Description: GOADNET

### Add static route to GOAD network
Under **System > Routes > Configuration** I created a new route as follows:

* Network address: 10.3.0.0/16
* Gateway: [GOADNET-192.0.2.103]
* Description: ROUTE2GOAD

Then I punched in the necessary `iptables` rules on the [GOAD](/software/goad/) router (see the "Debian router config" section on that page).
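Added verification script (not from the original notes): run from the OPNsense console shell it confirms the GOADNET address is up, the Debian router answers, and the static route for a GOAD host really goes through it rather than the default gateway. It assumes the GOADNET NIC shows up as `vtnet1` and uses `10.3.0.1` as a sample GOAD host.

```shell
#!/bin/sh
# Sanity-check the OPNsense -> GOAD routing described above.
# Values from the notes: GOAD network 10.3.0.0/16, Debian router 192.0.2.103,
# GOADNET address 192.0.2.49. The interface name vtnet1 and the sample
# host 10.3.0.1 are constructed assumptions.
GOAD_GW="192.0.2.103"
GOADNET_IP="192.0.2.49"
GOAD_HOST="10.3.0.1"

# Pull the next hop out of FreeBSD `route -n get <host>` output.
route_gateway() {
    printf '%s\n' "$1" | awk '$1 == "gateway:" { print $2; exit }'
}

# True when the flags line carries the given flag (e.g. GATEWAY, STATIC).
route_has_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == "flags:" && index($2, f) { ok = 1 } END { exit !ok }'
}

# 0 when traffic for the GOAD host is sent to the expected next hop through a
# static route; 1 otherwise (a missing route silently falls back to the default gateway).
route_check() {
    [ "$(route_gateway "$1")" = "$2" ] && route_has_flag "$1" GATEWAY && route_has_flag "$1" STATIC
}

# Constructed sample of what `route -n get 10.3.0.1` prints once the
# static route from the notes is in place.
SAMPLE_ROUTE='   route to: 10.3.0.1
destination: 10.3.0.0
       mask: 255.255.0.0
    gateway: 192.0.2.103
  interface: vtnet1
      flags: <UP,GATEWAY,DONE,STATIC>'

# Live checks, run on the firewall as: sh check-goad-route.sh --live
if [ "${1:-}" = "--live" ]; then
    ifconfig | grep -q "inet $GOADNET_IP " || { echo "GOADNET has no $GOADNET_IP"; exit 1; }
    ping -c 1 "$GOAD_GW" >/dev/null 2>&1 || { echo "GOAD router $GOAD_GW not answering"; exit 1; }
    route_check "$(route -n get "$GOAD_HOST")" "$GOAD_GW" || { echo "route to $GOAD_HOST does not go via $GOAD_GW"; exit 1; }
    echo "OPNsense -> GOAD routing looks good"
fi
```

Without `--live` the script only defines the helpers and the sample, so it can be sourced and tried against captured `route` output first.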

## Fix DNS rebind attack warnings
If you give your firewall a DNS record like `yourfw.yourdomain.com` and then try to log in at `https://yourfw.yourdomain.com`, you might get a warning about a DNS rebind attack: the web GUI rejects requests whose Host header is not a hostname it expects. Log in by IP instead, then go to **System > Settings > Administration** and put the FQDN in the **Alternate Hostnames** field.

## Reset root password
I mean, *I* would never forget my root password, but if *you* did, follow [this article](https://kb.protectli.com/kb/how-to-reset-the-opnsense-root-password/) which has you boot into single user mode and then (assuming ZFS):

```sh
/sbin/mount -u /         # remount the root filesystem read-write
/sbin/zfs mount -a       # mount the remaining ZFS datasets (skip on UFS)
opnsense-shell password  # enter the new root password twice
reboot
```
