Monday, September 22, 2025

OPNsense Installation Guide

 


OPNsense Installation Guide (ISO)

If you're looking to take control of your network with enterprise-grade tools, installing OPNsense is a powerful first step. Whether you're setting up a home lab, securing a small business network, or just want better visibility and filtering, this guide walks you through the full installation process, from hardware prep to post-install configuration. With just a few components and a bit of time, you’ll be ready to deploy a firewall and DNS solution that rivals commercial offerings.


What is OPNsense? What Can It Do?

OPNsense is an open-source firewall and routing platform based on FreeBSD, designed for advanced network management and security. It offers a wide range of features including:
  • Firewall & NAT: Powerful rule-based traffic control
  • DNS Services: Ad-blocking, malware filtering, DNSSEC, and custom overrides
  • VPN Support: Site-to-site and remote access via OpenVPN, IPsec, and WireGuard
  • Traffic Monitoring: Real-time bandwidth graphs, NetFlow, and logging
  • Content Filtering: Block categories, domains, and file types
  • Intrusion Detection & Prevention: Snort/Suricata integration
  • High Availability: CARP failover and load balancing
  • Web Proxy & Caching: Transparent proxy with filtering
  • Plugin System: Extend functionality with packages like Sensei, ntopng, and more
Whether you're deploying it on bare metal or in a virtual machine, OPNsense gives you granular control over your network with a user-friendly web interface and robust backend.


OPNsense System Requirements

Hardware Requirements

  • Architecture: amd64 (64-bit Intel/AMD)
  • Minimum:
    2-Core CPU, 1GB RAM, 40GB storage, 2 network interfaces
  • Recommended:
    4-Core CPU, 4GB+ RAM, 100GB+ SSD, 2+ network interfaces

Download OPNsense ISO

  1. Visit https://opnsense.org/download/
  2. Select "dvd" image (full installer)
  3. Choose your architecture (usually amd64)
  4. Download the .iso.bz2 file
  5. Extract to get the .iso file
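
Before extracting the image or writing it to USB, check it against a published checksum. The script below is an added example, not part of the original guide. It assumes you downloaded a SHA-256 checksum file alongside the image and that the file uses BSD-style lines (`SHA256 (filename) = hash`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA-256 checksum file.
# Assumption: checksum lines look like  SHA256 (filename) = <64 hex digits>
# No file names are hard-coded; pass in whatever you downloaded.

# Print the SHA-256 of a file using whichever tool this OS provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'          # Linux
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'      # macOS
    else
        sha256 -q "$1"                             # FreeBSD
    fi
}

# verify_image IMAGE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if no usable entry lists the image.
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Take the first entry whose file name matches exactly.
    expected=$(awk -v n="$name" \
        '$1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" { print tolower($4); exit }' \
        "$sums" 2>/dev/null)
    # Reject missing or malformed entries instead of comparing against junk.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "no valid SHA256 entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$image" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name: do not write this image" >&2
        return 1
    fi
    echo "OK: $name matches $expected"
}

# Stand-alone use: sh verify.sh <image> <checksum-file>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A matching checksum from the same mirror rules out a corrupted or truncated download; it does not protect against a tampered mirror, which requires verifying the project's published signature as well.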

Installation Methods

Method 1: Bare Metal Installation

Step 1: Create Bootable Media

Using Rufus (Windows):

  1. Download Rufus from https://rufus.ie/
  2. Insert USB drive (8GB minimum)
  3. Select OPNsense ISO file
  4. Choose "DD Image" mode
  5. Click Start

Using dd (Linux/macOS):

# Find USB device
lsblk  # Linux
diskutil list  # macOS

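# Write ISO (replace /dev/sdX with your USB device; dd overwrites the whole device)
# On macOS, unmount the drive first and use a lowercase block size (bs=4m)
sudo dd if=OPNsense-XX.X-amd64-dvd.iso of=/dev/sdX bs=4M status=progress

# Flush buffered writes before removing the drive
sync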

Step 2: Boot from USB

  1. Insert USB drive into target machine
  2. Boot and access BIOS/UEFI settings (F2, F12, DEL)
  3. Set USB drive as first boot device
  4. Enable UEFI boot if available
  5. Save and restart

Step 3: Installation Process

  1. Boot Menu: Select "Boot Multi User [Enter]"
  2. Live System: OPNsense loads into live environment
  3. Start Installer: Choose "Install (UFS)" from menu
  4. Keymap: Select your keyboard layout
  5. Installation Target: Choose destination disk
  6. Partitioning:
    • Auto (UFS): Recommended for most users
    • Auto (ZFS): Advanced, better for larger installations
  7. Root Password: Set strong password
  8. Complete: Remove USB and reboot


Method 2: Virtual Machine Installation

VMware/VirtualBox Settings

VM Configuration:

  • OS Type: FreeBSD 64-bit
  • RAM: 2-4GB minimum
  • Disk: 20GB+ (thin provisioned)
  • Network Adapters: 2 minimum (WAN/LAN)
  • Boot: Mount OPNsense ISO to CD/DVD

Network Setup:

  • Adapter 1: NAT or Bridged (WAN)
  • Adapter 2: Internal Network (LAN)

Hyper-V Settings

  • Generation: 1 (better compatibility)
  • Memory: 2048MB minimum
  • Network: Add multiple network adapters
  • Security: Disable Secure Boot


Post-Installation Configuration

Initial Console Setup

After first boot, you'll see the OPNsense console menu:

*** OPNsense.localdomain: OPNsense 24.X ***

VGA console

FreeBSD/amd64 (OPNsense.localdomain) (ttyv0)

login: root

Console Menu Options

0) Logout
1) Assign Interfaces
2) Set interface(s) IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell


Step-by-Step Initial Configuration

1. Assign Network Interfaces (Menu Option 1)

Enter the WAN interface name: em0
Enter the LAN interface name: em1

Common Interface Names:

  • em0, em1: Intel adapters
  • re0, re1: Realtek adapters
  • igb0, igb1: Intel Gigabit
  • vtnet0, vtnet1: VirtIO (VMs)

2. Configure LAN IP Address (Menu Option 2)

Available interfaces:
1 - WAN (em0)
2 - LAN (em1)

Enter the number of the interface to configure: 2
Configure IPv4 address LAN interface via DHCP? (y/n) n
Enter the new LAN IPv4 address: 192.168.1.1
Enter the new LAN IPv4 subnet bit count: 24
Enter the new LAN IPv4 upstream gateway address: [Enter for none]
Configure IPv6 address LAN interface via DHCP6? (y/n) n
Do you want to enable the DHCP server on LAN? (y/n) y
Enter the start address of the IPv4 client address range: 192.168.1.100
Enter the end address of the IPv4 client address range: 192.168.1.199
Do you want to revert to HTTP as the webConfigurator protocol? (y/n) n

Web Interface Access

After LAN configuration:

  1. Connect computer to LAN interface
  2. Access: https://192.168.1.1 (or configured LAN IP)
  3. Default Login:
    • Username: root
    • Password: [password set during installation]

Initial Web Configuration Wizard

Step 1: General Information

  • Hostname: opnsense
  • Domain: localdomain
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 1.1.1.1

Step 2: Time Server Information

  • Timezone: Select your timezone
  • Timeservers: pool.ntp.org

Step 3: Configure WAN Interface

DHCP (most common):

  • IPv4 Configuration Type: DHCP
  • Block RFC1918 Networks: Uncheck if behind router
  • Block bogon networks: Keep checked

Static IP:

  • IPv4 Configuration Type: Static IPv4
  • IPv4 Address: Your static IP
  • Subnet Mask: Network subnet
  • Gateway: Network gateway

Step 4: Configure LAN Interface

  • LAN IP Address: 192.168.1.1 (or as configured)
  • Subnet Mask: 24

Step 5: Set Root Password

  • Root Password: Set strong password
  • Confirm: Re-enter password

Step 6: Reload Configuration

  • Click "Reload" to apply all settings



Verification Steps

1. Check Interface Status

System → Interfaces → Overview

  • WAN: Should show assigned IP
  • LAN: Should show configured IP
  • Status: Both should be "up"

2. Test Internet Connectivity

Diagnostics → Ping

  • Target: 8.8.8.8
  • Should show successful responses

3. Test DNS Resolution

Diagnostics → DNS Lookup

  • Hostname: google.com
  • Should return IP address

4. Check Gateway Status

System → Gateways → Single

  • WAN_DHCP: Should show "Online"



Common Installation Issues

Boot Problems

Symptoms: Won't boot from USB

Solutions:

  • Verify BIOS boot order
  • Try different USB port
  • Use DD image mode in Rufus
  • Disable Secure Boot

Network Interface Issues

Symptoms: Interfaces not detected

Solutions:

  • Check network adapter compatibility
  • Update VM network adapter drivers
  • Use Intel E1000 adapter type in VMs

Web Interface Access Issues

Symptoms: Cannot reach web interface

Solutions:

  • Verify LAN IP configuration
  • Check firewall rules (should auto-create)
  • Ensure computer on same network
  • Try HTTP instead of HTTPS initially

Performance Issues

Symptoms: Slow operation

Solutions:

  • Increase VM RAM allocation
  • Use SSD for storage
  • Enable VirtIO drivers in VMs



Post-Installation Security

Immediate Steps

  1. Change default password
  2. Enable automatic updates
  3. Configure backup schedule
  4. Review firewall rules
  5. Enable logging

Access Security

  • Change SSH port if enabled
  • Use key-based authentication
  • Limit administrative access
  • Enable two-factor authentication


Next Steps

After successful installation:

  1. Configure firewall rules for your network
  2. Set up VPN if needed
  3. Configure DNS filtering (Unbound)
  4. Enable intrusion detection
  5. Set up monitoring and logging
  6. Configure backups



Installation Command Reference

Console Commands:

# View network interfaces
ifconfig

# Check routing table  
netstat -rn

# View system logs
clog /var/log/system.log

# Restart the web GUI
/etc/rc.restart_webgui

# Factory reset
/etc/rc.initial.defaults


Backup Configuration

Always back up after configuration:

  • System → Configuration → Backups
  • Download config.xml file
  • Store safely for disaster recovery

Once your OPNsense system is installed and configured, you’ve laid the foundation for a secure, intelligent, and highly customizable network. But this is just the beginning. From here, you can explore advanced setups like:

  • VPN tunnels for remote access or site-to-site connectivity
  • Intrusion Detection Systems (IDS) to monitor and block threats
  • Multi-WAN failover for internet redundancy
  • Captive portals for guest networks
  • Dynamic DNS, Geo-blocking, and custom firewall automation



Created & Maintained by Pacific Northwest Computers


