Introduction
OPNsense is a powerful, open-source firewall and routing platform based on FreeBSD. It provides enterprise-grade security features, an intuitive web interface, and an extensive plugin ecosystem. This guide walks you through installing, configuring, and managing OPNsense with hands-on labs.
Prerequisites
Before starting, ensure you have:
- Compatible hardware (minimum 1GB RAM, 8GB storage)
- USB drive (4GB minimum) for installation media
- Network cables and switches
- Basic understanding of networking concepts
- Access to another computer for configuration
Part 1: Installation
Lab 1: Creating Installation Media
Objective: Create a bootable OPNsense installer
Steps:
- Download OPNsense
- Visit the official OPNsense website
- Download the latest stable release (DVD image)
- Verify the checksum for integrity
- Create Bootable USB
- Use tools like Rufus (Windows) or dd (Linux/macOS)
- Flash the ISO to your USB drive
- Ensure UEFI compatibility if needed
- Prepare Target Hardware
- Configure BIOS/UEFI settings
- Set boot priority to USB
- Disable Secure Boot if necessary
Lab 2: OPNsense Installation Process
Objective: Install OPNsense on target hardware
Installation Steps:
- Boot from Installation Media
- Select “Boot Multi User” from the menu
- Wait for the system to load completely
- Login and Start Installation
Username: installer
Password: opnsense
- Guided Installation
- Select “Guided installation”
- Choose target disk
- Configure disk partitioning (UFS recommended for beginners)
- Set root password
- Complete installation and reboot
- Post-Installation Boot
- Remove installation media
- Boot from hard drive
- Verify successful installation
Expected Outcome: OPNsense successfully installed and booting from local storage
Part 2: Initial Configuration
Lab 3: Interface Assignment
Objective: Assign network interfaces and configure basic networking
Scenario: Setting up a typical home/small office configuration with WAN and LAN interfaces
Steps:
- Access Console Menu
- After boot, you’ll see the OPNsense console menu
- Login with root and your configured password
- Assign Interfaces (Option 1)
Valid interfaces are:
em0 (WAN candidate)
em1 (LAN candidate)
- Assign WAN interface (typically connected to internet)
- Assign LAN interface (internal network)
- Configure VLANs if needed
- Verify Interface Assignment
- Check interface status in console
- Note assigned IP addresses
- Verify link status
Configuration Example:
WAN (em0): DHCP from ISP
LAN (em1): 192.168.1.1/24 (default)
Lab 4: Web Interface Access
Objective: Access and secure the web management interface
Steps:
- Connect to LAN Interface
- Connect computer to LAN port
- Configure computer IP in same subnet (192.168.1.0/24)
- Access Web Interface
- Open browser and navigate to: https://192.168.1.1
- Accept security certificate warning
- Login with default credentials:
- Username: root
- Password: opnsense
- Initial Setup Wizard
- Follow the setup wizard
- Configure basic settings:
- Hostname: firewall.local
- Domain: home.local
- DNS servers: 8.8.8.8, 8.8.4.4
- Time zone: Select appropriate zone
- Secure Admin Access
- Change default password
- Consider changing default admin port
- Configure admin interface restrictions
Security Note: Always change default credentials immediately after installation.
Part 3: Core Configuration
Lab 5: Network Interface Configuration
Objective: Configure WAN and LAN interfaces properly
WAN Configuration:
- Navigate to Interfaces > WAN
- Configure WAN Settings:
- IPv4 Configuration Type: DHCP (for most ISPs)
- Block RFC1918 Networks: Checked
- Block bogon networks: Checked
- Advanced WAN Options:
- MTU: Auto (or 1500)
- MSS: Auto
- Hostname: Leave blank unless required by ISP
LAN Configuration:
- Navigate to Interfaces > LAN
- Configure LAN Settings:
- IPv4 Configuration Type: Static IPv4
- IPv4 address: 192.168.1.1/24
- IPv4 Upstream gateway: None
- DHCP Server Configuration:
- Navigate to Services > DHCP Server
- Enable DHCP server on LAN
- Range: 192.168.1.100 to 192.168.1.200
- DNS servers: 192.168.1.1 (firewall IP)
Lab 6: Firewall Rules Configuration
Objective: Configure basic firewall rules for security and functionality
Understanding Rule Processing:
- Rules are processed top to bottom
- First match wins
- Default deny at the end
Basic LAN Rules:
- Navigate to Firewall > Rules > LAN
- Default LAN Rules:
- Allow LAN to any: Permits all outbound traffic
- Modify as needed for security
- Create Custom Rules:
Example Rule: Block Social Media
Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: LAN subnets
Destination: Alias (Social_Media_Sites)
Destination Port: 80, 443
Description: Block social media during work hours
WAN Rules:
- Generally restrictive
- Only allow specific inbound services
- Block all by default
Rule Best Practices:
- Use aliases for common destinations
- Document rules with descriptions
- Regular rule review and cleanup
- Test rules thoroughly
Lab 7: NAT Configuration
Objective: Configure Network Address Translation for internet access
Outbound NAT:
- Navigate to Firewall > NAT > Outbound
- Mode Selection:
- Automatic: Suitable for most scenarios
- Manual: For advanced configurations
- Manual NAT Rules (if needed):
Interface: WAN
Source: 192.168.1.0/24
Translation: Interface address
Port Forwarding:
- Navigate to Firewall > NAT > Port Forward
- Example: Web Server:
Interface: WAN
Protocol: TCP
Destination port: 80
Redirect target IP: 192.168.1.10
Redirect target port: 80
Description: Web server port forward
- Associated Firewall Rule:
- Automatically created
- Allows traffic to forwarded service
Part 4: Advanced Configuration
Lab 8: VLAN Configuration
Objective: Implement network segmentation using VLANs
Scenario: Separate guest network from main network
VLAN Setup:
- Create VLANs:
- Navigate to Interfaces > Other Types > VLAN
- Add VLAN 10 (Main network)
- Add VLAN 20 (Guest network)
- Interface Assignment:
- Assign VLAN interfaces
- Configure IP addressing:
- VLAN 10: 192.168.10.1/24
- VLAN 20: 192.168.20.1/24
- DHCP Configuration:
- Enable DHCP on each VLAN
- Configure appropriate ranges
- Firewall Rules:
VLAN 10 Rules:
- Allow to any (full access)
VLAN 20 Rules:
- Allow to WAN only
- Block to VLAN 10
- Block to LAN
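Added example (not part of the original guide and not OPNsense code): a small Python model of the first-match rule evaluation described in Lab 6, applied to the LAN rules from that lab and to the VLAN 20 guest rule set from this lab. The contents of the Social_Media_Sites alias are constructed for the example.

```python
# Added example (not OPNsense code): a model of how OPNsense evaluates firewall
# rules, using the rule sets from Lab 6 (LAN) and Lab 8 (guest VLAN 20).
# Rules are checked top to bottom, the first match decides the packet, and a
# packet that matches nothing falls through to the implicit default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")
VLAN10 = ip_network("192.168.10.0/24")
VLAN20 = ip_network("192.168.20.0/24")
# Constructed stand-in for the Social_Media_Sites alias used in Lab 6.
SOCIAL_MEDIA = [ip_network("203.0.113.0/24")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: object                  # source network
    dst: list                    # destination networks (an alias may hold several)
    ports: Optional[set] = None  # destination ports, None means any port
    desc: str = ""               # the rule's Description field


def first_match(rules, src, dst, dport):
    """Return (action, description) of the first matching rule,
    or ("block", "default deny") when no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and any(d in n for n in r.dst) and (r.ports is None or dport in r.ports):
            return r.action, r.desc
    return "block", "default deny"


# Lab 6: the social-media block is placed above the default "allow LAN to any";
# below it, the allow rule would match first and the block would never fire.
LAN_RULES = [
    Rule("block", LAN, SOCIAL_MEDIA, {80, 443}, "Block social media during work hours"),
    Rule("pass", LAN, [ANY], None, "Default allow LAN to any"),
]

# Lab 8: guests on VLAN 20 may reach the WAN only. The blocks toward VLAN 10 and
# LAN sit above the broad allow so that they are evaluated first.
GUEST_RULES = [
    Rule("block", VLAN20, [VLAN10], None, "Block guest to VLAN 10"),
    Rule("block", VLAN20, [LAN], None, "Block guest to LAN"),
    Rule("pass", VLAN20, [ANY], None, "Allow guest to WAN"),
]
# The same three rules with the allow on top: the internal blocks are unreachable.
GUEST_RULES_MISORDERED = [GUEST_RULES[2], GUEST_RULES[0], GUEST_RULES[1]]
```

Run `first_match(GUEST_RULES_MISORDERED, "192.168.20.5", "192.168.10.1", 80)` to see why rule order matters: the allow catches the packet before either block is reached.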
Lab 9: VPN Configuration
Objective: Set up secure remote access using OpenVPN
OpenVPN Server Setup:
- Certificate Authority:
- Navigate to System > Trust > Authorities
- Create new CA for VPN
- Server Certificate:
- Navigate to System > Trust > Certificates
- Create server certificate
- OpenVPN Server:
- Navigate to VPN > OpenVPN > Servers
- Create new server:
Protocol: UDP
Port: 1194
Tunnel Network: 192.168.100.0/24
Local Network: 192.168.1.0/24
- Client Configuration:
- Export client certificates
- Generate client configuration files
- Test connectivity
Lab 10: Intrusion Detection System (IDS)
Objective: Implement network monitoring and threat detection
Suricata Configuration:
- Install Suricata Plugin:
- Navigate to System > Firmware > Plugins
- Install os-suricata plugin
- Configure Suricata:
- Navigate to Services > Intrusion Detection
- Enable on WAN interface
- Configure rule sources:
- ET Open rules
- Suricata rules
- Rule Management:
- Enable automatic updates
- Configure rule categories
- Set up alerting
- Monitoring:
- View alerts in web interface
- Configure log retention
- Set up notifications
Part 5: Monitoring and Maintenance
Lab 11: System Monitoring
Objective: Implement comprehensive system monitoring
Built-in Monitoring:
- System Dashboard:
- CPU and memory usage
- Network interface statistics
- System load averages
- Traffic Monitoring:
- Navigate to Interfaces > Diagnostics > Traffic
- Real-time traffic analysis
- Bandwidth utilization
- Log Analysis:
- System logs: System > Log Files > General
- Firewall logs: Firewall > Log Files > Live View
- Filter and search capabilities
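Added example (not part of the original guide and not OPNsense's own tooling): a Python parser for firewall log records with a summary of blocked inbound traffic on the WAN, the kind of check done when reviewing Firewall > Log Files. The record layout is an assumption based on the pf filterlog CSV format, and the sample records are constructed.

```python
# Added example (not OPNsense code): parse firewall log records and summarise
# blocked inbound traffic, the triage one does in Firewall > Log Files.
# Assumption: each record is the comma-separated payload that filterlog writes
# after the syslog header, in the pf filterlog CSV layout (rule number, sub-rule,
# anchor, rule id, interface, reason, action, direction, IP version, then the
# IPv4 header fields, then ports for TCP/UDP). Check this against the raw
# Live View output of your own version before relying on it.
from collections import Counter, defaultdict

# Constructed sample records: three blocked probes on the WAN (em0) from two
# sources, plus one permitted LAN (em1) connection. Rule ids are placeholders.
SAMPLE_RECORDS = [
    "5,,,RULEID-PLACEHOLDER,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51234,22,0,S,1,,65535,,mss",
    "5,,,RULEID-PLACEHOLDER,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51235,23,0,S,2,,65535,,mss",
    "5,,,RULEID-PLACEHOLDER,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,40,203.0.113.9,198.51.100.2,40000,161,20",
    "12,,,RULEID-PLACEHOLDER,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,198.51.100.7,50000,443,0,S,3,,65535,,mss",
]

HEADER = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "protonum", "proto", "length", "src", "dst"]


def parse_record(record):
    """Map one filterlog record to a dict; returns None for IPv6, whose
    header layout differs and is not handled in this example."""
    fields = record.split(",")
    rec = dict(zip(HEADER, fields[:9]))
    if rec.get("ipver") != "4":
        return None
    rec.update(zip(IPV4, fields[9:20]))
    if rec.get("proto") in ("tcp", "udp") and len(fields) >= 22:
        rec["srcport"], rec["dstport"] = fields[20], fields[21]
    return rec


def blocked_inbound(records, interface="em0"):
    """Count blocked inbound packets per (source, destination port) on an interface."""
    hits = Counter()
    for rec in filter(None, map(parse_record, records)):
        if rec["interface"] == interface and rec["action"] == "block" and rec["dir"] == "in":
            hits[(rec["src"], rec.get("dstport", "-"))] += 1
    return hits


def sources_touching_many_ports(hits, min_ports=2):
    """Sources whose blocked packets hit at least min_ports distinct ports,
    a cheap signal worth a closer look when reviewing the WAN log."""
    ports = defaultdict(set)
    for src, dport in hits:
        ports[src].add(dport)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)
```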
External Monitoring:
- SNMP Configuration:
- Navigate to Services > SNMP
- Enable SNMP service
- Configure community strings
- Syslog Configuration:
- Navigate to System > Settings > Logging
- Configure remote syslog server
- Set log levels appropriately
Lab 12: Backup and Recovery
Objective: Implement proper backup and recovery procedures
Configuration Backup:
- Manual Backup:
- Navigate to System > Configuration > Backups
- Download configuration backup
- Store securely offsite
- Automated Backup:
- Configure automatic backups
- Set retention policies
- Test backup integrity
- Recovery Procedures:
- Factory reset process
- Configuration restore
- Recovery from backup
Disaster Recovery Planning:
- Documentation:
- Network diagrams
- Configuration details
- Recovery procedures
- Testing:
- Regular backup testing
- Recovery simulation
- Update procedures
Part 6: Performance Optimization
Lab 13: Performance Tuning
Objective: Optimize OPNsense for maximum performance
Hardware Optimization:
- Network Interface Tuning:
- Enable hardware offloading
- Configure interrupt handling
- Optimize buffer sizes
- System Tuning:
- Navigate to System > Settings > Tunables
- Key parameters:
net.inet.ip.forwarding=1
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
Traffic Shaping:
- Configure Traffic Shaping:
- Navigate to Firewall > Traffic Shaper
- Set bandwidth limits
- Configure queue priorities
- Quality of Service (QoS):
- Prioritize critical traffic
- Limit bandwidth-heavy applications
- Monitor effectiveness
Troubleshooting Guide
Common Issues and Solutions
Network Connectivity:
- Check interface status
- Verify IP configuration
- Test with ping/traceroute
Firewall Issues:
- Review firewall logs
- Check rule order
- Verify NAT configuration
Performance Problems:
- Monitor system resources
- Check for hardware limitations
- Review configuration settings
VPN Connectivity:
- Verify certificates
- Check firewall rules
- Review VPN logs
Best Practices
Security Hardening
- Access Control:
- Use strong passwords
- Implement two-factor authentication
- Restrict admin access
- Network Security:
- Regular rule review
- Enable IDS/IPS
- Monitor logs actively
- System Maintenance:
- Regular updates
- Configuration backups
- Security audits
Operational Excellence
- Documentation:
- Maintain configuration records
- Document changes
- Keep network diagrams current
- Monitoring:
- Implement comprehensive monitoring
- Set up alerting
- Regular performance reviews
- Change Management:
- Test changes in lab environment
- Implement gradually
- Maintain rollback procedures
Conclusion
OPNsense provides a robust, feature-rich firewall platform suitable for home users and enterprises alike. This guide covered installation, basic configuration, advanced features, and best practices. Regular practice with these labs will build confidence in managing OPNsense deployments.
Key takeaways:
- Start with basic configuration and gradually add features
- Always maintain current backups
- Monitor system performance and security regularly
- Keep documentation current
- Stay updated with security patches
For ongoing learning, explore the OPNsense documentation, community forums, and consider advanced topics like high availability, load balancing, and enterprise integration.
This guide provides a foundation for OPNsense deployment. Always refer to official documentation for the latest procedures and security recommendations.