Install OPNsense

From Thomas-Krenn-Wiki
Jump to navigation Jump to search

OPNsense is an Open Source Firewall Distribution based on the FreeBSD operating system and its packet filter pf. In this article we will show you how to install OPNsense and perform an initial configuration.

OPNSense Firewalls from Thomas-Krenn

Download

The OPNsense download is available as 64-bit variant ('amd64 architecture) on the following page:

In this manual we describe the installation in VGA mode. Therefore, download the appropriate package on the download page.

Installation

Use an empty USB stick for the installation.

Prepare USB stick

Unpack the installation image and transfer it to the USB stick using dd under Linux/BSD/MacOS or using balenaEtcher under Windows.[1] Under Linux, for example, execute the following commands (use the appropriate release name (e.g. 23.7) and the device name of your USB stick instead of /dev/sdX): 

bunzip2 OPNsense-23.7-vga-amd64.img.bz2
sudo dd if=OPNsense-23.7-vga-amd64.img of=/dev/sdb bs=1M
sync

Perform installation

Then start your desired firewall server from this USB stick. OPNsense loads automatically as a live system. You can now start the installation either on the local console or via SSH. Since OPNsense 21.7 the installer now officially supports native ZFS installation.

  • Warning message, because OPNsense has a self-signed certificate. Click on Advanced.

    Warning message, because OPNsense has a self-signed certificate. Click on Advanced.

  • Accept self-signed certificate.

    Accept self-signed certificate.

  • Select the USB stick in the BIOS via boot override.

    Select the USB stick in the BIOS via boot override.

  • OPNsense boot screen is displayed, OPNsense loads automatically as a live system.

    OPNsense boot screen is displayed, OPNsense loads automatically as a live system.

  • OPNsense is loaded. To start the installation, log in with the username installer and the password opnsense.

    OPNsense is loaded. To start the installation, log in with the username installer and the password opnsense.

  • Confirm keymap selection.

    Confirm keymap selection.

  • Select Install (UFS) to install on a single disk. Alternatively, select Install (ZFS) for one volume. For two disks, a mirrored installation via ZFS Mirror is recommended, also via the menu item Install (ZFS).

    Select Install (UFS) to install on a single disk. Alternatively, select Install (ZFS) for one volume. For two disks, a mirrored installation via ZFS Mirror is recommended, also via the menu item Install (ZFS).

  • Select the target drive.

    Select the target drive.

  • Adjust swap setting if necessary and confirm.

    Adjust swap setting if necessary and confirm.

  • Check disk and confirm.

    Check disk and confirm.

  • Initialize the medium.

    Initialize the medium.

  • Installation is running.

    Installation is running.

  • Verification successful, target system is being prepared.

    Verification successful, target system is being prepared.

  • Final configuration, now change the password.

    Final configuration, now change the password.

  • Enter a secure password.

    Enter a secure password.

  • Confirm the new password.

    Confirm the new password.

  • The installation is now finished, the system will be restarted afterwards.

    The installation is now finished, the system will be restarted afterwards.

Configuration

After installation, you can easily configure OPNsense via a web browser:

  • Login in the web interface (username root, password you have chosen before).

    Login in the web interface (username root, password you have chosen before).

  • Click on Next.

    Click on Next.

  • Make general settings.

    Make general settings.

  • Configure the NTP time server.

    Configure the NTP time server.

  • Configure WAN Interface (upper part).

    Configure WAN Interface (upper part).

  • Configure WAN Interface (lower part). If as WAN IP a Private IP is used, disable the option to RFC1918. This is the case in our example.

    Configure WAN Interface (lower part). If as WAN IP a Private IP is used, disable the option to RFC1918. This is the case in our example.

  • Configure LAN Interface.

    Configure LAN Interface.

  • Set new password.

    Set new password.

  • Reload configuration.

    Reload configuration.

  • Configuration is finished.

    Configuration is finished.

  • Dashboard view after configuration. If DHCPv6 is shown in red and is not needed, Disable IPv6.

    Dashboard view after configuration. If DHCPv6 is shown in red and is not needed, Disable IPv6.

  • If needed, you can change the configuration under Interfaces -> Assignments' additional interfaces can be configured.

    If needed, you can change the configuration under Interfaces -> Assignments' additional interfaces can be configured.

  • If required, you can configure additional interfaces under Services -> DHCPv4 -> [LAN] the IP range of the DHCP server can be adjusted.

    If required, you can configure additional interfaces under Services -> DHCPv4 -> [LAN] the IP range of the DHCP server can be adjusted.

Backup configuration

We recommend to backup the configuration after installation:

  • Under System -> Configuration -> Backups you will find options for saving the configuration.

    Under System -> Configuration -> Backups you will find options for saving the configuration.

  • Click on Download configuration and save the configuration file locally.

    Click on Download configuration and save the configuration file locally.

References

  1. Initial Installation & Configuration (docs.opnsense.org)


Foto Werner Fischer.jpg

Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Foto Thomas Niedermeier.jpg

Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Related articles

OPNsense does not boot without monitor
Show article
OPNsense LTE connection
Show article
Reduce OPNsense boot time
Show article