How to Setup OPNsense
4 simple steps to get you setup OPNsense
Step 1 – Hardware Selection & Sizing
How can you select the right hardware configuration and appropriate sizing for OPNsense?
Select the suitable hardware configuration to get reasonable OPNsense performance for your setup before you install the OPNsense.
OPNsense® is available for x86-32 (i386) and x86-64 (amd64) bit microprocessor architectures. Full installs on SD memory cards, solid-state disks (SSD) or hard disk drives (HDD) are intended for OPNsense. While the range of supported devices are from embedded systems to rack-mounted servers, we recommend to use a 64-bit versions of OPNsense, if the hardware is capable of running 64-bit operating systems. It is possible to install and run 32-bit (x86-32, i386) versions of OPNsense® on 64-bit (x86-64, amd64) PC hardware, but we do not recommend it, especially not for new deployments.
If you are using a VM machine, at least you can use minimal configuration as shown below, but more resources are always good.
For VM
| Type | Descrition |
|---|---|
| Processor | 1 or more virtual cores |
| RAM | Minimum required RAM is 1 GB |
| Install method | ISO |
| Install target | Minimum recommended virtual disk size of 8GB |
For bare-metal HW (minimum requirements)
| Type | Description |
|---|---|
| Processor | 500 MHz single core CPU |
| RAM | 512 Mb |
| Installed Method | Serial console or video (vga) |
| Install Target | SD or CF card with a minimum of 4GB, use nano images for installation. |
Reasonable
The reasonable specification to run all OPNsense standard features, means every feature is opened, but perhaps not with lots of users or high loads. High loads may caused by users or malicious activities.
| Type | Description |
|---|---|
| Processor | 1 GHz dual core cpu |
| RAM | 1 GB |
| Install method | Serial console or video (vga) |
| Install target | 40 GB SSD, a minimum of 1GB memory is needed for the installer to run. |
Recommended Hardware for OPNsense
The recommended specification to run all OPNsense standard features, means every feature is functional and fits most use cases. More features need to have more system resources as well.
| Type | Description |
|---|---|
| Processor | 1.5 GHz multi core cpu |
| RAM | 4 GB |
| Install method | Serial console or video (vga) |
| Install target | 120 GB SSD |
Installation Files
Depending on your hardware and use case different installation files are provided to Install and setup OPNsense:
| Type | Description |
|---|---|
| Dvd | ISO installer image with live system capabilities running in VGA-only mode |
| Vga | USB installer image with live system capabilities running in VGA-only mode |
| Serial | USB installer image with live system capabilities running in serial console (115200) mode with secondary VGA support |
| Nano | A preinstalled serial image for 4GB USB sticks, SD or CF cards for use with low-end embedded devices |
Throughput
The main hardware-factors of the OPNsense setup involved are CPU, RAM, mass storage (disc), the number and quality of network interfaces.
| Throughput (Mbps) | OPNsense Hardware requirements |
Feature set | Users / Networks |
|---|---|---|---|
| 1-10 | Basic spec. | Narrowed | Few (1-10) |
| 11-150 | Minimum spec. | Reduced | Adjusted (10-30) |
| 151-350 | Reasonable spec. | All | Substantial (30-50) |
| 351-750+ | Recommended spec | All | Substantial+ (50-150+) |
| Mbps (Mbit/s or Mb/s) – Megabit per second – 1,000,000 bits per second | |||
Network Interface Cards
As the FreeBSD hardware-lists and -recommendations say, Intel® network interface cards (NIC) for LAN connections are reliable, fast and not error-prone. Intel chipset NICs deliver higher throughput at a reduced CPU load.
Supported Hardware
The HardenedBSD 11.2-RELEASE is the base of OPNsense. All HardenedBSD drivers are included in the OPNsense kernel, and the hardware compatibility is the same.
TIP
If you are looking to buy new hardware then take a look at OPNsense partner page as these partners contribute back to OPNsense and sell hardware that is know to work well.
Step 2 – Download & Prepare Installation Media
Where can you from download OPNsense?
You can download OPNsense which is the official website. You can select system architecture according your system’s CPU architecture, and also specifiy image type and mirror location as well.
Depending on your hardware and use case different installation files are provided to Install OPNsense:
| Type | Description |
|---|---|
| Dvd | ISO installer image with live system capabilities running in VGA-only mode |
| Vga | USB installer image with live system capabilities running in VGA-only mode |
| Serial | USB installer image with live system capabilities running in serial console (115200) mode with secondary VGA support |
| Nano | A preinstalled serial image for 4GB USB sticks, SD or CF cards for use with low-end embedded devices |
32bit = i386
64bit = amd64
Sample file listing
- OPNsense-16.x.x-OpenSSL-cdrom-amd64.iso.bz2
- OPNsense-16.x.x-OpenSSL-nano-amd64.img.bz2
- OPNsense-16.x.x-OpenSSL-serial-amd64.img.bz2
- OPNsense-16.x.x-OpenSSL-vga-amd64.img.bz2
Writing to Installation Media
The easiest method of installation is the USB-memstick installer. If your target platform has a serial interface choose the “serial image. 64-bit and 32-bit install images are provided. The following examples apply to both.
Write the image to a USB flash drive (>= 1GB), either with dd under FreeBSD or under Windows with physdiskwrite (or Rufus).
Before writing an (iso) image you need to unpack it first (use bunzip2).
FreeBSD
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/daX bs=16kWhere X = the device number of your USB flash drive (check dmesg)
Linux
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16kWhere X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) (ignore the warning about trailing garbage – it’s because of the digital signature)
OpenBSD
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rsd6c bs=16kThe device must be the ENTIRE device (in Windows/DOS language: the ‘C’ partition), and a raw I/O device (the ‘r’ in front of the device “sd6”), not a block mode device.
Mac OS X
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rdiskX bs=64kWhere r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage – it’s because of the digital signature)
Windows
physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].[img|iso].imgA simple alternative for writing image under windows is Rufus a tool to create bootable USB sticks with a nice GUI.
Step 3 – Install OPNsense from USB to Target Device
Using the USB Installer & Quickly Install OPNsense
Install OPNsense to target system
Configure your system to boot from USB. Default behaviour is to start the Live environment, to install log in with user installer and password opnsense
The installation process involves a few simple steps.
- Configure console – The default configuration should be fine for most occasions.
- Select task – The Quick/Easy Install option should be fine for most occasions. For installations on embedded systems or systems with minimal diskspace choose Custom Installation and do not create a swap slice. Continue with default settings.
- Are you SURE? – When proceeding OPNsense will be installed on the first hard disk in the system.
- Reboot – The system is now installed and needs to be rebooted to continue with configuration.
WARNING: You will lose all files on the installation disk. If another disk is to be used then choose a Custom installation instead of the Quick/Easy Install.
VMware or XEN virtual Installations
After installation go to firmware page in the GUI and install the vmware-tools or xen-tools plugin for maximum performance and compatibility.
Step 4 – Initial Setup OPNsense & Configuration
Defaults
Port Assignments
By default the system will be configured with 2 interfaces LAN & WAN. The first network port found will be configured as LAN and the second will be WAN.
IP ranges & DHCP
The WAN port will have a dhcp client and expects to be assigned an IP adress.
The LAN port will have a dhcp server, a static ip of 192.168.1.1/24 and offers ip adresses in the range of 192.168.1.100-200.
Users & Passwords
Default user: root
password: opnsense
Also good to know
For security reasons ssh is disabled by default and the console access is password protected.
Online Documentation
An extensive manual is provided online with many up-to-date examples for making the most out of your newly setup security platform. Go to: OPNsense documentation page
Get Free Edition of Sensei: Sensei installation
