OPNsense Firewall Installation

OPNsense is a FreeBSD-based open source firewall distribution. OPNsense, a fork of pfSense, was released in 2015. In addition to the firewall, it provides DHCP servers, DNS servers, VPNs, and other services. The Sensei (ZENARMOR) plugin, which provides application control and web filtering features, is especially useful for administrators protecting their networks against cyberattacks. OPNsense can be installed on a physical server as well as a virtual machine. For more information about OPNsense, you can read our Best Open Source Firewalls article.

Proxmox VE is an excellent open-source enterprise virtualization platform built on Debian Linux.

You can easily manage VMs and containers, highly available clusters, and integrated disaster recovery tools using the integrated web-based user interface. PVE has a significant advantage over other virtualization solutions in terms of simplicity. Even inexperienced users can set it up and install it in minutes. Most importantly, because it runs on Debian, Linux experience is all that is required.

OPNsense runs well in a KVM-based VM running on a Proxmox VE server. In this tutorial on installing OPNsense on Proxmox VE, we will walk you through a basic installation of OPNsense 21.1 in the following steps:

  • Why you should install OPNsense
  • Checking hardware requirements of OPNsense firewall
  • Downloading OPNsense image
  • Uploading OPNsense ISO File to Proxmox VE
  • Creating a Virtual Machine on Proxmox VE
  • Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE
    • Creating Linux Bridge
    • Adding Network Devices to OPNsense VM on Proxmox
  • Installing OPNsense
    • Network Device Assignments for OPNsense Firewall
    • IP Address Settings for OPNsense Firewall
    • Updating OPNsense Firewall on CLI
    • Accessing the OPNsense Web GUI
    • Initial Configuration of the OPNsense Firewall
    • Disable Network Hardware Off-loading on OPNsense Firewall

Why You Should Install OPNsense

Installing the OPNsense firewall to protect your network gives you the following benefits:

  • OPNsense has significant advantages over competitors, such as forward caching proxy, traffic shaping, intrusion detection, and simple OpenVPN client setup.
  • The emphasis on security in OPNsense results in unique features such as the ability to use LibreSSL instead of OpenSSL (selectable in the GUI) and a custom version based on HardenedBSD.
  • OPNsense's robust and dependable update mechanism enables it to provide critical security updates on time.

For more information about the OPNsense features, please refer to the Best Open Source Firewalls article.

Hardware Requirements of OPNsense

Before installing the OPNsense firewall, you should verify the hardware requirements for the installation. You can review the requirements on the official website. OPNsense is available for the x86-64 (amd64) microprocessor architecture. Although OPNsense supports a wide range of devices, from embedded systems to rack-mounted servers, the hardware must be capable of running 64-bit operating systems.

Minimum hardware requirements of OPNsense

At the time of writing, the minimum requirements are as given below. If you install OPNsense on a device with these specifications, you cannot use features that require disk writes, e.g. a caching proxy (cache) or intrusion detection and prevention.

| Type | Description |
| --- | --- |
| Processor | 1 GHz dual-core CPU |
| RAM | 2 GB |
| Install method | Serial console or video (VGA) |
| Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |

Table 1: Minimum hardware requirements

Reasonable hardware requirements of OPNsense

If you install OPNsense on a device with these specifications, you can use every standard feature of OPNsense. However, you may encounter some problems with high loads or lots of users.

| Type | Description |
| --- | --- |
| Processor | 1 GHz dual-core CPU |
| RAM | 4 GB |
| Install method | Serial console or video (VGA) |
| Install target | 40 GB SSD, a minimum of 2 GB memory is needed for the installer to run. |

Table 2: Reasonable hardware requirements

Recommended hardware requirements of OPNsense

If you install OPNsense on a device with these specifications, you can use every standard feature of OPNsense without any problem.

| Type | Description |
| --- | --- |
| Processor | 1.5 GHz multi-core CPU |
| RAM | 8 GB |
| Install method | Serial console or video (VGA) |
| Install target | 120 GB SSD |

Table 3: Recommended hardware requirements

Virtual environment requirements

To install OPNsense in a virtual environment such as Proxmox VE or VirtualBox, the minimum hardware requirements are given below:

| Type | Description |
| --- | --- |
| Processor | 1 or more virtual cores |
| RAM | The minimum required RAM is 2 GB |
| Install method | ISO |
| Install target | Minimum recommended virtual disk size of 8 GB |

Table 4: Minimum hardware requirements for virtual environment

caution

Beware that some features have a massive impact on hardware dimensioning. For example, Captive Portal is a CPU-intensive feature, and Squid is heavily reliant on CPU load and disk-cache writes.

Now that you've checked if your system is compatible with OPNsense, let's get started with the OPNsense setup guide.

Downloading OPNsense image

Go to the official OPNsense Download page. OPNsense can be installed on a virtual machine from the DVD ISO image, so download the DVD ISO image from the OPNsense mirror site closest to you.

Figure 1. Downloading OPNsense DVD ISO file

After downloading the bzip-compressed ISO file (OPNsense-21.1-OpenSSL-DVD-amd64.iso.bz2), uncompress it to your local disk.
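
Before uncompressing the image, its SHA-256 digest can be compared with the checksum list published alongside it on the mirror. The following is an added example, not part of the original tutorial: the function names and the accepted checksum-list layouts (BSD style and GNU style) are assumptions, and the demo at the end runs on a constructed file.

```shell
#!/bin/sh
# Added example: check a downloaded image against a published SHA-256 list
# before uncompressing it. The list name and layout are assumptions.

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"                      # FreeBSD base system
    fi
}

# Print the digest listed for a file name, or nothing if it is not listed.
# Accepts BSD style "SHA256 (name) = hex" and GNU style "hex  name".
expected_sha256() {
    awk -v name="$1" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print tolower($4); exit }
        length($1) == 64 && ($2 == name || $2 == ("*" name)) { print tolower($1); exit }
    ' "$2"
}

# Exit status: 0 digest matches, 1 digest differs, 2 file not in the list.
verify_image() {
    image=$1
    list=$2
    name=$(basename "$image")
    want=$(expected_sha256 "$name" "$list")
    if [ -z "$want" ]; then
        echo "NOT LISTED: $name" >&2
        return 2
    fi
    have=$(sha256_of "$image" | tr 'A-F' 'a-f')
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: $name (do not uncompress or upload it)" >&2
        return 1
    fi
    echo "OK: $name"
}

# Demo on a constructed file; with a real download the call would be
#   verify_image <image>.iso.bz2 <checksum list> && bunzip2 -k <image>.iso.bz2
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an image\n' > "$demo_dir/sample.iso.bz2"
printf 'SHA256 (sample.iso.bz2) = %s\n' "$(sha256_of "$demo_dir/sample.iso.bz2")" \
    > "$demo_dir/checksums.sha256"
verify_image "$demo_dir/sample.iso.bz2" "$demo_dir/checksums.sha256"
rm -rf "$demo_dir"
```

A matching digest only shows that the file is the one the mirror lists; the checksum list itself should come from a source you trust.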

Upload OPNsense ISO File to Proxmox VE

To start the installation of OPNsense in the Proxmox environment, you must upload the OPNsense ISO image from your local disk to the Proxmox node. You can upload the ISO file to your Proxmox VE system by following these instructions.

  1. Connect to your Proxmox VE web interface (such as https://192.168.0.100:8006) using your favorite browser and log in as root.
  2. Navigate to Datacenter -> pve/node -> local disk (pve) -> ISO Images.

Figure 2. Uploading OPNsense ISO image to Proxmox VE node

  3. Click the Upload button.
  4. Select the OPNsense ISO image from your local disk to upload.

Figure 3. Selecting OPNsense ISO image from local disk to upload to Proxmox VE

  5. Click the Upload button.

tip

You can also copy the OPNsense ISO image to your Proxmox environment by using an SCP/SFTP client application. You should upload the ISO file into the /var/lib/vz/template/iso directory on the Proxmox VE server.

Creating a Virtual Machine on Proxmox VE

After uploading the OPNsense ISO image to Proxmox VE, we will create a virtual machine for our OPNsense firewall. To create a virtual machine on Proxmox, follow the steps given below.

  1. Click on the blue Create VM button in the upper right-hand corner of the Proxmox VE web UI.
  2. Enter a name for your virtual machine, such as OPNsensefw. Then, click Next.

Figure 4. Naming the OPNsense VM on Proxmox

  3. Select the OPNsense ISO image under the OS tab, and then click Next.

Figure 5. Selecting OPNsense ISO to install on Proxmox VE as an OS

  4. You may accept the default settings on the System tab by clicking Next.

Figure 6. System settings of the OPNsense VM on Proxmox

  5. Set the Hard Disk size as you wish. We recommend enabling the IO thread, which should improve IO performance by giving the disk its own worker thread.

Figure 7. Setting Hard disk size as 32 GB for OPNsense on Proxmox VE

  6. Set the CPU configuration as you wish.

Figure 8. CPU settings for OPNsense firewall on Proxmox VE

  7. Set the Memory size as you wish.

Figure 9. Setting Memory size to 8 GB for OPNsense firewall on Proxmox

  8. In the Network configuration, set Multiqueue to 8, which will allow the BSD kernel to negotiate the optimal value with Proxmox VE. We will cover the network configuration for our topology in more detail later.

Figure 10. Network configuration of OPNsense VM on Proxmox VE

  9. Confirm the OPNsense virtual machine configuration by clicking on the Finish button.

Figure 11. Confirming the OPNsense virtual machine configuration

Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE

In this tutorial, we will configure two physical NICs for our OPNsense firewall. These NICs will be used and configured for the following purposes:

  • WAN Connection: Internet connection/Untrusted zone.
  • LAN Connection: Clients and servers are placed in this trusted zone.

Creating Linux Bridge

To be able to define 2 network interfaces for the OPNsense virtual machine, we must first create Linux bridge devices on the Proxmox device.

To create a network bridge, follow the next steps.

  1. Navigate to Datacenter -> pve -> Network.

Figure 12. Viewing the network devices of the Proxmox VE

  2. Click on the Create button. This will pop up the Linux Bridge configuration window.
  3. You may leave the name at its default, such as vmbr1. Enter the IPv4/CIDR address and Bridge ports (the network device name shown in the Network configuration window, such as ens3f0). Then, click on the Create button.

Figure 13. Creating a Linux bridge on the Proxmox VE

  4. Click on the Apply Configuration button or reboot the Proxmox device to start using the new Linux bridges.

Now, you have two Linux bridges, as seen in the figure below.

Figure 14. Viewing the network devices of the Proxmox VE

Adding Network Devices to OPNsense VM on Proxmox

It is time to add a network device that will be used for LAN connections.

To add a new network interface to the OPNsense virtual machine on Proxmox, follow these steps.

  1. Navigate to Datacenter -> pve -> OPNsensefw VM -> Hardware -> Add.
  2. Click on Network Device.

Figure 15. Adding NIC to OPNsense VM on Proxmox VE

  3. Select the Linux Bridge, such as vmbr1.

Figure 16. Selecting Linux bridge for a NIC

  4. Select Model as VirtIO (paravirtualized).

Figure 17. Setting model for a network device of OPNsense VM on Proxmox VE

  5. Uncheck the Firewall option.
  6. Set Multiqueue to 8.
  7. Click the Add button.

After finishing the network configuration of the OPNsense virtual machine on Proxmox, you should see a Hardware configuration for the OPNsense VM similar to the following figure.

Figure 18. Hardware configuration of the OPNsense VM on Proxmox VE

Now, your OPNsense firewall has 2 different physical interfaces ready to connect to different networks, Internet and LAN respectively.

tip

Note the MAC addresses of the network devices used by the OPNsense VM. You will need them to complete the network settings of the firewall after installing the OPNsense software.
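
One way to collect those MAC addresses and confirm the NIC settings on the Proxmox VE host is to parse the output of qm config for the VM. This is an added example, not part of the original tutorial: the sample output, MAC addresses and function names are constructed, and the vtnetN column assumes that FreeBSD numbers VirtIO NICs in the same order as Proxmox's netN entries.

```shell
#!/bin/sh
# Added example: summarise the NICs of a Proxmox VE guest from `qm config`
# output so each MAC can be matched to its bridge before interfaces are
# assigned inside OPNsense. Assumes net lines of the form
#   netN: <model>=<MAC>,bridge=<bridge>[,firewall=0|1][,queues=N]

# Reads `qm config <vmid>` output on stdin and prints one line per NIC:
#   netN  guest-name  mac  bridge  differences-from-the-LAN-NIC-steps
nic_report() {
    awk '
    BEGIN { vt = 0 }
    /^net[0-9]+:/ {
        idx = $1
        sub(/^net/, "", idx)
        sub(/:$/, "", idx)
        model = "-"; mac = "-"; bridge = "-"; fw = "0"; queues = "unset"
        n = split($2, opt, ",")
        for (i = 1; i <= n; i++) {
            split(opt[i], kv, "=")
            # The first option is <model>=<MAC>; FreeBSD prints MACs lowercase.
            if (i == 1) { model = kv[1]; mac = tolower(kv[2]) }
            else if (kv[1] == "bridge") bridge = kv[2]
            else if (kv[1] == "firewall") fw = kv[2]
            else if (kv[1] == "queues") queues = kv[2]
        }
        # Compare with the values used when the LAN NIC was added:
        # VirtIO model, Firewall unchecked, Multiqueue 8.
        diff = ""
        if (model != "virtio") diff = diff "model=" model ","
        if (fw != "0") diff = diff "firewall=" fw ","
        if (queues != "8") diff = diff "queues=" queues ","
        sub(/,$/, "", diff)
        if (diff == "") diff = "as-configured"
        # Guest name is only predictable for VirtIO NICs (assumed ordering).
        if (model == "virtio") { guest = "vtnet" vt; vt++ } else guest = "unknown"
        printf "net%s %s %s %s %s\n", idx, guest, mac, bridge, diff
    }'
}

# Constructed sample of `qm config` output (MACs and values are made up).
sample_qm_config() {
    cat <<'EOF'
boot: order=scsi0;ide2;net0
cores: 2
memory: 8192
name: OPNsensefw
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1,queues=8
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1,queues=8
net2: e1000=DE:AD:BE:EF:00:03,bridge=vmbr1,firewall=0
EOF
}

# On a Proxmox VE host:  qm config <vmid> | nic_report
sample_qm_config | nic_report
```

The MAC column can be compared with the addresses the OPNsense console shows during interface assignment, so the NIC on the WAN bridge is not assigned to LAN by mistake.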

Installing OPNsense

To start the installation of OPNsense in your Proxmox environment, first start the OPNsense virtual machine. To start the machine:

  1. Click on the OPNsensefw virtual machine on the node list.

  2. Click on the Start button.

To continue the installation of OPNsense, connect to the virtual machine's console in Proxmox by clicking on Console.

Figure 19. Connecting OPNsense VM console on Proxmox VE

Then, follow the steps listed below.

  1. While the system is booting, do not press any key and wait for the login prompt.

Figure 20. OPNsense boot menu

  2. Login: Log in as installer with the default password opnsense. This will start the installation process.
    info

    On OPNsense, the default installer password is opnsense.

Figure 21. OPNsense installation login prompt

  3. Confirmation: To confirm the installation, press Ok, let's go.

Figure 22. Confirming the OPNsense installation

  4. Console configuration: Click on Accept these settings for the console. The installer will likely detect the proper keymap by default; otherwise, you may change Keymap and Video Font as you wish.

Figure 23. Configuring console

  5. Select Task: Click on Guided Installation. If you wish to do advanced partitioning or import a configuration from another OPNsense firewall, you can do so at this step.

Figure 24. Selecting Guided installation

  6. Select a Disk: Select the hard disk on which OPNsense will be installed. Be aware that all files on this disk will be deleted.

Figure 25. Selecting disk to install OPNsense

  7. Selecting Install Mode: Select GPT/UEFI as the installation mode. Most modern systems support GPT/EFI, but if you are using an older computer, MBR may be the only option supported. You may check the BIOS settings of your system to see if it supports EFI/GPT.

Figure 26. Selecting installation mode for OPNsense installation on Proxmox VE

  8. Swap Size: Accept the recommended swap partition size by pressing Yes.

Figure 27. Setting swap partition size

  9. Package Installation: Installing the packages on your system may take up to ten minutes.

Figure 28. Installing OPNsense packages

  10. Setting root password: You may set your root password or leave it as the default, which is opnsense, for now.

Figure 29. Setting root password

  11. Reboot: Reboot your system by pressing Reboot.
  12. Unmount ISO image: Exit from the console and return to the Proxmox GUI.
    • Navigate to the OPNsensefw VM node -> Hardware -> CD/DVD Drive.
    • Click on Remove.
    • Confirm removing the CD/DVD Drive by clicking on Yes.
  13. Return to the Console of the OPNsense firewall in Proxmox VE. After the OPNsense reboot is completed, you will see the login prompt.

Figure 30. OPNsense CLI login prompt

Network Device Assignments for OPNsense Firewall

By default, the system will be configured with 2 interfaces, LAN and WAN. The first network port found will be configured as LAN and the second as WAN. However, OPNsense may not assign the network interface cards to the proper networks. In that case, you must assign the network devices to the proper networks manually.

For example, in our installation, OPNsense assigned the vtnet0 device to the LAN and the vtnet1 device to the WAN, but the correct configuration is the reverse: the vtnet0 device should be assigned to the WAN and the vtnet1 device to the LAN. Let's correct the network device configuration for our OPNsense.

caution

The default DHCP configuration of the network interfaces on the OPNsense firewall is as follows:

  • The WAN interface works as a DHCP client and expects to be assigned an IP address.
  • The LAN interface works as a DHCP server, has a static IP of 192.168.1.1/24, and offers IP addresses in the range of 192.168.1.100-200.

For network device assignments on your OPNsense firewall, follow the steps given below:

  1. Log in as root. Then, the Options menu will be displayed on the screen.

Figure 31. Options menu on OPNsense CLI

  2. Press 1 to Assign interfaces.
  3. VLAN configuration: The wizard will ask for the VLAN configuration. You may also configure VLAN settings in the OPNsense GUI later. Since we will not configure any VLAN now, press n to continue.

Figure 32. VLAN configuration for network interfaces of OPNsense on CLI

  4. Setting WAN interface: The wizard will ask for the WAN interface name. Enter the name of the WAN interface and then press enter. For example, in our OPNsense system, the WAN interface name is vtnet0.

Figure 33. WAN interface assignment on OPNsense CLI

  5. Setting LAN interface: The wizard will ask for the LAN interface name. Enter the name of the LAN interface and then press enter. For example, in our OPNsense system, the LAN interface name is vtnet1.

Figure 34. LAN interface assignment on OPNsense CLI

  6. Setting Optional interface: Since we do not have any other network interface, press enter to continue.

Figure 35. Optional interface assignment on OPNsense CLI

  7. Confirmation: Network interface assignments will be listed. Press y to proceed.

Figure 36. Confirming the network interface assignments on OPNsense CLI

All of the network interfaces on your OPNsense firewall are now assigned to the proper networks.

IP Address Settings for OPNsense Firewall

After assigning the network interfaces to the corresponding networks (WAN and LAN), you should configure the IP addresses for the network interfaces of your OPNsense firewall.

In our OPNsense firewall, we will configure the WAN and LAN interfaces as given below.

| Network | Interface name | IP assignment method | IP address |
| --- | --- | --- | --- |
| WAN | vtnet0 | Automatic via DHCP server | - |
| LAN | vtnet1 | static | 10.10.10.1/24 |

We will also enable a DHCP server for LAN on our OPNsense firewall. The DHCP server assigns IP addresses in the range 10.10.10.11-200/24 to our clients in the LAN.

For IP address settings of the OPNsense firewall, follow the next steps:

  1. Select 2 in the OPNsense options menu to Set interface IP address.

Figure 37. Setting IP address for network interface of OPNsense on CLI

  2. Selecting interface to configure: Available interfaces will be displayed. Press 1 to configure the LAN interface.

Figure 38. Selecting LAN interface to configure on OPNsense CLI

  3. IP assignment method: The wizard will ask whether to configure IPv4 via the DHCP server. Since we will assign a static IP address manually, press n.

Figure 39. Selecting IP assignment for LAN interface on OPNsense CLI

  4. Setting IP address: Enter the IPv4 address for the LAN interface. For example, 10.10.10.1.

Figure 40. Setting IP address for LAN interface on OPNsense CLI

  5. Setting subnet mask: Enter the subnet mask for the LAN interface. For example, 24.

Figure 41. Setting subnet mask for LAN interface on OPNsense CLI

  6. Setting gateway: Press enter.

Figure 42. Setting gateway for LAN interface on OPNsense CLI

  7. Setting IPv6 via WAN tracking: You may press n.
  8. Setting IPv6 via DHCPv6: You may press n.

Figure 43. IPv6 settings of LAN interface on OPNsense CLI

  9. Setting IPv6: You may press enter.
  10. Enable DHCP server: To enable the DHCP server on your LAN, press y.
  11. Setting start address of the IPv4 client address range: Enter the start address of the IPv4 client address range, such as 10.10.10.11.
  12. Setting end address of the IPv4 client address range: Enter the end address of the IPv4 client address range, such as 10.10.10.200.

Figure 44. Configuring DHCP server on LAN interface of OPNsense

  13. Enabling HTTP: By pressing n, you access the OPNsense GUI via the HTTPS protocol, which is secure. If you wish to use the web interface with HTTP, you may press y.

Figure 45. HTTP setting for the OPNsense web GUI

  14. Restore web GUI defaults: Press n. By pressing y, you can access the OPNsense GUI with the default user and password.

note

Default OPNsense user: root

Default OPNsense password: opnsense

Updating OPNsense Firewall on CLI

After completing the OPNsense firewall installation on Proxmox VE, you should update your firewall. You can update the OPNsense system by selecting 12) Update from console in the options menu on the CLI.

Figure 46. Updating OPNsense firewall from the console

caution

Beware that some critical updates require your system to reboot.

Accessing the OPNsense Web GUI

Congratulations! You have successfully completed the installation of the OPNsense firewall. You can access the web GUI of your OPNsense firewall from a client in the LAN using a browser, at https://10.10.10.1 or http://10.10.10.1.

Figure 47. Login OPNsense GUI

tip

For security reasons, SSH is disabled by default and console access is password protected on the OPNsense firewall.

When you log in to the OPNsense GUI, the Dashboard page will be displayed.

Figure 48. OPNsense dashboard

Initial Configuration of the OPNsense Firewall

To complete the initial configuration of your OPNsense firewall, follow the steps given below:

  1. Navigate to System -> Wizard in the OPNsense Web GUI.
  2. This wizard will guide you through the initial system configuration. Click the Next button.
  3. You may set the hostname and domain name for your device. You may leave the Override DNS option selected. This will enable the OPNsense firewall to obtain DNS information from the ISP over the WAN interface. Then, click the Next button.

Figure 49. Initial configuration of OPNsense

  4. Set the NTP server and timezone for your OPNsense firewall. If you do not have your own NTP systems, OPNsense will provide a default set of NTP server pools. Then, click the Next button.

Figure 50. Setting NTP server and Timezone on OPNsense GUI

  5. You may change the WAN interface configuration or leave it as default. You should leave the RFC1918 Networks setting checked for security reasons.

Figure 51. WAN interface configuration on OPNsense GUI

Figure 52. RFC1918 Networks settings for WAN interface on OPNsense GUI

  6. You may change the LAN interface configuration or leave it as default.

Figure 53. LAN interface configuration on OPNsense GUI

  7. You may change the root password or leave it as before.

Figure 54. Setting root password on OPNsense GUI

  8. Click Reload to apply the changes.
  9. When everything is completed successfully, OPNsense will welcome the user. You can get back to the main dashboard by clicking Dashboard in the upper left corner of the web browser window.

Figure 55. Finished initial configuration of OPNsense firewall

Disable Network Hardware Off-loading on OPNsense Firewall

Figure 56. Disabling hardware offloading on OPNsense GUI

After finishing the installation of OPNsense, you should ensure that hardware offload features are disabled on the network interfaces, because VirtIO interfaces have problems with NAT. To disable hardware offloading on the network interfaces:

  • Navigate to Interfaces -> Settings on OPNsense GUI.
  • Set Hardware CRC, Hardware TSO, and Hardware LRO to Disable.
  • Click Save.
  • Reboot the firewall.
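
After the reboot, the result can be confirmed from a shell on the firewall by checking which offload capabilities ifconfig still lists for each interface. This is an added example, not part of the original tutorial: the function names and the sample ifconfig output are constructed, and mapping Hardware CRC, TSO and LRO to the RXCSUM/TXCSUM, TSO4/TSO6 and LRO capability names is an assumption.

```shell
#!/bin/sh
# Added example: list offload capabilities that are still enabled on each
# interface, based on the options=...<...> line of FreeBSD ifconfig output.

# Reads ifconfig output on stdin; prints "<iface> <flag,flag,...>" for every
# interface that still has checksum, TSO or LRO offloading enabled.
offload_enabled() {
    awk '
    /^[a-z][a-z0-9_.]*: flags=/ {
        iface = $1
        sub(/:$/, "", iface)
        next
    }
    /^[ \t]+options=/ {
        line = $0
        # No <...> list means no capabilities are enabled.
        if (line !~ /<.*>/) next
        sub(/^[^<]*</, "", line)
        sub(/>.*$/, "", line)
        n = split(line, cap, ",")
        hit = ""
        for (i = 1; i <= n; i++)
            if (cap[i] ~ /^(RXCSUM|TXCSUM)(_IPV6)?$/ || cap[i] ~ /^(TSO4|TSO6|LRO)$/)
                hit = hit (hit == "" ? "" : ",") cap[i]
        if (hit != "") print iface, hit
    }'
}

# Returns 0 when no interface in the output on stdin has offloading enabled.
offload_disabled_everywhere() {
    [ -z "$(offload_enabled)" ]
}

# Constructed sample: vtnet0 as it might look before the change, vtnet1 after.
sample_ifconfig() {
    cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether de:ad:be:ef:00:01
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
	ether de:ad:be:ef:00:02
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
EOF
}

# On the firewall:  ifconfig | offload_enabled
sample_ifconfig | offload_enabled
```

An empty result from ifconfig | offload_enabled means none of the listed capabilities is active on any interface.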