Introduction

OPNsense is a powerful, open-source firewall and routing platform based on FreeBSD. It provides enterprise-grade security features, intuitive web interface, and extensive plugin ecosystem. This comprehensive guide will walk you through installing, configuring, and managing OPNsense with hands-on labs.

Prerequisites

Before starting, ensure you have:

• Compatible hardware (minimum 1GB RAM, 8GB storage)
• USB drive (4GB minimum) for installation media
• Network cables and switches
• Basic understanding of networking concepts
• Access to another computer for configuration

Part 1: Installation

Lab 1: Creating Installation Media

Objective: Create a bootable OPNsense installer

Steps:

1. Download OPNsense
   • Visit the official OPNsense website
   • Download the latest stable release (DVD image)
   • Verify the checksum for integrity
2. Create Bootable USB
   • Use tools like Rufus (Windows) or dd (Linux/macOS)
   • Flash the ISO to your USB drive
   • Ensure UEFI compatibility if needed
3. Prepare Target Hardware
   • Configure BIOS/UEFI settings
   • Set boot priority to USB
   • Disable Secure Boot if necessary

Lab 2: OPNsense Installation Process

Objective: Install OPNsense on target hardware

Installation Steps:

1. Boot from Installation Media
   • Select “Boot Multi User” from the menu
   • Wait for the system to load completely
2. Login and Start Installation Username: installer Password: opnsense
3. Guided Installation
   • Select “Guided installation”
   • Choose target disk
   • Configure disk partitioning (UFS recommended for beginners)
   • Set root password
   • Complete installation and reboot
4. Post-Installation Boot
   • Remove installation media
   • Boot from hard drive
   • Verify successful installation

Expected Outcome: OPNsense successfully installed and booting from local storage

Part 2: Initial Configuration

Lab 3: Interface Assignment

Objective: Assign network interfaces and configure basic networking

Scenario: Setting up a typical home/small office configuration with WAN and LAN interfaces

Steps:

1. Access Console Menu
   • After boot, you’ll see the OPNsense console menu
   • Login with root and your configured password
2. Assign Interfaces (Option 1)Valid interfaces are: em0 (WAN candidate) em1 (LAN candidate)
   • Assign WAN interface (typically connected to internet)
   • Assign LAN interface (internal network)
   • Configure VLANs if needed
3. Verify Interface Assignment
   • Check interface status in console
   • Note assigned IP addresses
   • Verify link status

Configuration Example:

WAN (em0): DHCP from ISP
LAN (em1): 192.168.1.1/24 (default)

Lab 4: Web Interface Access

Objective: Access and secure the web management interface

Steps:

1. Connect to LAN Interface
   • Connect computer to LAN port
   • Configure computer IP in same subnet (192.168.1.0/24)
2. Access Web Interface
   • Open browser and navigate to: https://192.168.1.1
   • Accept security certificate warning
   • Login with default credentials:
     • Username: root
     • Password: opnsense
3. Initial Setup Wizard
   • Follow the setup wizard
   • Configure basic settings:
     • Hostname: firewall.local
     • Domain: home.local
     • DNS servers: 8.8.8.8, 8.8.4.4
     • Time zone: Select appropriate zone
4. Secure Admin Access
   • Change default password
   • Consider changing default admin port
   • Configure admin interface restrictions

Security Note: Always change default credentials immediately after installation.

Part 3: Core Configuration

Lab 5: Network Interface Configuration

Objective: Configure WAN and LAN interfaces properly

WAN Configuration:

1. Navigate to Interfaces > WAN
2. Configure WAN Settings:
   • IPv4 Configuration Type: DHCP (for most ISPs)
   • Block RFC1918 Networks: Checked
   • Block bogon networks: Checked
3. Advanced WAN Options:
   • MTU: Auto (or 1500)
   • MSS: Auto
   • Hostname: Leave blank unless required by ISP

LAN Configuration:

1. Navigate to Interfaces > LAN
2. Configure LAN Settings:
   • IPv4 Configuration Type: Static IPv4
   • IPv4 address: 192.168.1.1/24
   • IPv4 Upstream gateway: None
3. DHCP Server Configuration:
   • Navigate to Services > DHCP Server
   • Enable DHCP server on LAN
   • Range: 192.168.1.100 to 192.168.1.200
   • DNS servers: 192.168.1.1 (firewall IP)

Lab 6: Firewall Rules Configuration

Objective: Configure basic firewall rules for security and functionality

Understanding Rule Processing:

• Rules are processed top to bottom
• First match wins
• Default deny at the end

Basic LAN Rules:

1. Navigate to Firewall > Rules > LAN
2. Default LAN Rules:
   • Allow LAN to any: Permits all outbound traffic
   • Modify as needed for security
3. Create Custom Rules:

Example Rule: Block Social Media

Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: LAN subnets
Destination: Alias (Social_Media_Sites)
Destination Port: 80, 443
Description: Block social media during work hours

WAN Rules:

• Generally restrictive
• Only allow specific inbound services
• Block all by default

Rule Best Practices:

• Use aliases for common destinations
• Document rules with descriptions
• Regular rule review and cleanup
• Test rules thoroughly

Lab 7: NAT Configuration

Objective: Configure Network Address Translation for internet access

Outbound NAT:

1. Navigate to Firewall > NAT > Outbound
2. Mode Selection:
   • Automatic: Suitable for most scenarios
   • Manual: For advanced configurations
3. Manual NAT Rules (if needed): Interface: WAN Source: 192.168.1.0/24 Translation: Interface address

Port Forwarding:

1. Navigate to Firewall > NAT > Port Forward
2. Example: Web Server: Interface: WAN Protocol: TCP Destination port: 80 Redirect target IP: 192.168.1.10 Redirect target port: 80 Description: Web server port forward
3. Associated Firewall Rule:
   • Automatically created
   • Allows traffic to forwarded service

Part 4: Advanced Configuration

Lab 8: VLAN Configuration

Objective: Implement network segmentation using VLANs

Scenario: Separate guest network from main network

VLAN Setup:

1. Create VLANs:
   • Navigate to Interfaces > Other Types > VLAN
   • Add VLAN 10 (Main network)
   • Add VLAN 20 (Guest network)
2. Interface Assignment:
   • Assign VLAN interfaces
   • Configure IP addressing:
     • VLAN 10: 192.168.10.1/24
     • VLAN 20: 192.168.20.1/24
3. DHCP Configuration:
   • Enable DHCP on each VLAN
   • Configure appropriate ranges
4. Firewall Rules: VLAN 10 Rules: - Allow to any (full access) VLAN 20 Rules: - Allow to WAN only - Block to VLAN 10 - Block to LAN

Lab 9: VPN Configuration

Objective: Set up secure remote access using OpenVPN

OpenVPN Server Setup:

1. Certificate Authority:
   • Navigate to System > Trust > Authorities
   • Create new CA for VPN
2. Server Certificate:
   • Navigate to System > Trust > Certificates
   • Create server certificate
3. OpenVPN Server:
   • Navigate to VPN > OpenVPN > Servers
   • Create new server: Protocol: UDPPort: 1194Tunnel Network: 192.168.100.0/24Local Network: 192.168.1.0/24
4. Client Configuration:
   • Export client certificates
   • Generate client configuration files
   • Test connectivity

Lab 10: Intrusion Detection System (IDS)

Objective: Implement network monitoring and threat detection

Suricata Configuration:

1. Install Suricata Plugin:
   • Navigate to System > Firmware > Plugins
   • Install os-suricata plugin
2. Configure Suricata:
   • Navigate to Services > Intrusion Detection
   • Enable on WAN interface
   • Configure rule sources:
     • ET Open rules
     • Suricata rules
3. Rule Management:
   • Enable automatic updates
   • Configure rule categories
   • Set up alerting
4. Monitoring:
   • View alerts in web interface
   • Configure log retention
   • Set up notifications

Part 5: Monitoring and Maintenance

Lab 11: System Monitoring

Objective: Implement comprehensive system monitoring

Built-in Monitoring:

1. System Dashboard:
   • CPU and memory usage
   • Network interface statistics
   • System load averages
2. Traffic Monitoring:
   • Navigate to Interfaces > Diagnostics > Traffic
   • Real-time traffic analysis
   • Bandwidth utilization
3. Log Analysis:
   • System logs: System > Log Files > General
   • Firewall logs: Firewall > Log Files > Live View
   • Filter and search capabilities

External Monitoring:

1. SNMP Configuration:
   • Navigate to Services > SNMP
   • Enable SNMP service
   • Configure community strings
2. Syslog Configuration:
   • Navigate to System > Settings > Logging
   • Configure remote syslog server
   • Set log levels appropriately

Lab 12: Backup and Recovery

Objective: Implement proper backup and recovery procedures

Configuration Backup:

1. Manual Backup:
   • Navigate to System > Configuration > Backups
   • Download configuration backup
   • Store securely offsite
2. Automated Backup:
   • Configure automatic backups
   • Set retention policies
   • Test backup integrity
3. Recovery Procedures:
   • Factory reset process
   • Configuration restore
   • Recovery from backup

Disaster Recovery Planning:

1. Documentation:
   • Network diagrams
   • Configuration details
   • Recovery procedures
2. Testing:
   • Regular backup testing
   • Recovery simulation
   • Update procedures

Part 6: Performance Optimization

Lab 13: Performance Tuning

Objective: Optimize OPNsense for maximum performance

Hardware Optimization:

1. Network Interface Tuning:
   • Enable hardware offloading
   • Configure interrupt handling
   • Optimize buffer sizes
2. System Tuning:
   • Navigate to System > Settings > Tunables
   • Key parameters: net.inet.ip.forwarding=1net.inet.tcp.syncookies=1net.inet.tcp.blackhole=2

Traffic Shaping:

1. Configure Traffic Shaping:
   • Navigate to Firewall > Traffic Shaper
   • Set bandwidth limits
   • Configure queue priorities
2. Quality of Service (QoS):
   • Prioritize critical traffic
   • Limit bandwidth-heavy applications
   • Monitor effectiveness

Troubleshooting Guide

Common Issues and Solutions

Network Connectivity:

• Check interface status
• Verify IP configuration
• Test with ping/traceroute

Firewall Issues:

• Review firewall logs
• Check rule order
• Verify NAT configuration

Performance Problems:

• Monitor system resources
• Check for hardware limitations
• Review configuration settings

VPN Connectivity:

• Verify certificates
• Check firewall rules
• Review VPN logs

Best Practices

Security Hardening

1. Access Control:
   • Use strong passwords
   • Implement two-factor authentication
   • Restrict admin access
2. Network Security:
   • Regular rule review
   • Enable IDS/IPS
   • Monitor logs actively
3. System Maintenance:
   • Regular updates
   • Configuration backups
   • Security audits

Operational Excellence

1. Documentation:
   • Maintain configuration records
   • Document changes
   • Keep network diagrams current
2. Monitoring:
   • Implement comprehensive monitoring
   • Set up alerting
   • Regular performance reviews
3. Change Management:
   • Test changes in lab environment
   • Implement gradually
   • Maintain rollback procedures

Conclusion

OPNsense provides a robust, feature-rich firewall platform suitable for home users and enterprises alike. This guide covered installation, basic configuration, advanced features, and best practices. Regular practice with these labs will build confidence in managing OPNsense deployments.

Key takeaways:

• Start with basic configuration and gradually add features
• Always maintain current backups
• Monitor system performance and security regularly
• Keep documentation current
• Stay updated with security patches

For ongoing learning, explore the OPNsense documentation, community forums, and consider advanced topics like high availability, load balancing, and enterprise integration.

---

This guide provides a foundation for OPNsense deployment. Always refer to official documentation for the latest procedures and security recommendations.