OPNsense FAQ
In this article, you will find answers to frequently asked questions about the open source firewall OPNsense.
FAQ
This section lists answers to various questions about OPNsense.
- Which servers are suitable for OPNsense?
- You will find compatible and tested servers in the Thomas-Krenn online shop in the area OPNsense Firewalls.
- Where can I find an overview about the most important data of Thomas-Krenn devices that are compatible with OPNsense?
- Where can I find performance data on different Thomas-Krenn firewall servers?
- The article Thomas-Krenn OPNsense Firewall Performance shows the systems tested on performance.
- Additional systems are being added on an ongoing basis.
- The category OPNsense can be found in the Thomas-Krenn-Wiki.
- Webinars on the OPNsense topic can be found on our Thomas-Krenn Youtube channel: ThomasKrenn
- In our company blog TKmag, there is also a lot of information on OPNsense: TKmag | The expert magazine covering servers, storage, virtualization, and more.
- How are network cables properly connected? Standard WAN and LAN port assignments
- The article Thomas-Krenn OPNsense Firewalls network interfaces shows the correct cabling.
- How can additional interfaces be configured in the OPNsense web interface?
- The article OPNsense add interface shows the required steps.
- How to install OPNsense?
- Information can be found in the article Install OPNsense.
- How to perform the basic configuration?
- How can the configuration be backed up?
- The configuration can be backed up as an XML file.
- The XML file can also be encrypted.
- How can the configuration be restored?
- Option 1: Via the web interface under System -> Configuration -> Backups, under the "Restore" heading.
- Option 2: Via the console of the OPNsense firewall.
- Which OPNsense version is the current one?
- Information on the releases and their most important new features can be found in the article OPNsense.
- What options does OPNsense offer for VPN connections?
- With an OPNsense firewall, you can set up VPNs using OpenVPN, IPsec, and WireGuard (via plugin), among others; additional VPN technologies can also be added as plugins, just like WireGuard.
- These VPN technologies can be used for site-to-site as well as road warrior setups.
- Setup for OPNsense OpenVPN for Road Warrior
- Installation of OPNsense OpenVPN instances site-to-site
- OpenVPN Site-to-Site settings between two OPNsense firewalls
- OPNsense WireGuard VPN for Road Warrior configuration
- OPNsense OpenVPN performance tests and results
- IPsec Site-to-Site settings between two OPNsense firewalls
- There is no concrete configuration recommendation for an IPsec road warrior setup. It is important to always take the end device into account: a Windows 10 client requires different settings than an Android or iOS device.
- Are Chelsio, Mellanox, and Broadcom network cards supported by OPNsense?
- Yes, but the driver must be activated manually: Activation of OPNsense Chelsio Mellanox Broadcom network cards driver
- Hint: Broadcom cards are activated automatically as of OPNsense 24.7.
- Is it possible to connect two OPNsense firewalls to form a cluster?
- Yes; see the article OPNsense HA Cluster configuration.
- Requirements for hardware
- The dashboard of the OPNsense firewall shows no CPU temperatures.
- See the article Display CPU temperatures in OPNsense.
Selection of suitable hardware
When making your selection, please keep the following points in mind:
- Location (fanless system for office or 19" rack server)
- Front-IO system or classic rack server
- One or two power supplies
- Number of required 1 Gbit, 10 Gbit or 25+ Gbit network interfaces
- Required CPU performance
- OpenVPN: high-clock-speed CPU, for example Xeon-E or Xeon Silver: RI1101-SMXEFH
- IPsec VPN Tunnel: If you need a throughput of 1 Gbps or more, choose a Xeon-E CPU or Xeon Silver: RI1101-SMXEFH
- Proxy: Number of cores is more important than clock speed
- Required size of RAM
- Operation of the firewall with basic functions and VPN services: 4 GB RAM (50 or more users: 8 GB RAM)
- Additionally with Intrusion Detection (IDS), Intrusion Prevention (IPS) or Proxy: 8 GB RAM (50 or more users: 16 GB RAM)
- When operating Zenarmor: 16 GB RAM (250 or more users: 32 GB RAM)
- Hardware compatibility with the firewall solution's operating system (FreeBSD for OPNsense or pfSense, Linux for ipFire)
- Recommendation of manufacturer, see for example Hardware requirements for OPNsense
Commissioning of Pre-Installed OPNsense firewalls
You can also purchase pre-installed OPNsense firewalls from Thomas-Krenn. In the article Commissioning of pre-installed Thomas-Krenn OPNsense firewalls, you will find information on how to properly set up and further configure pre-installed systems.
OPNsense Business Edition
In this section, you will find important information on the OPNsense Business Edition.
- Which additional functions are offered by the OPNsense business edition?
- Information on OPNsense Business Edition
- Where can I buy the OPNsense Business Edition subscription?
- You can add the Business Edition subscription to your order when purchasing an OPNsense-compatible server.
- You can also buy Business Edition subscriptions separately via Configurator - OPNsense Business Edition subscription (Ver. 1.*)
- How can I activate OPNsense Business Edition?
- The Business Edition can be easily activated using the activation key after purchasing a subscription: Activate OPNsense Business Edition license
- Is there a specific timeline for when the new OPNsense Business Edition will be released?
- Yes, on April 12, 2021, a schedule was defined that applies to all future Business Edition releases: a new release is now published every April and October.[1]
- Be sure to check the OPNsense interface regularly for available updates.
- Is there a notification when the Business Edition subscription expires, or is there a function to extend it automatically?
- No, this function is not available. The subscriptions expire automatically.
- In the OPNsense dashboard, you will find an entry called Licensed until DATE in the System Information widget in the Version line.
- What happens if you forget to extend the Business Edition? Will updates still work?
- Of course, you can always switch back to the regular OPNsense update mirror and continue to receive updates through it.
- Are there separate subscription extensions and, if so, how do they differ?
- No, there are no separate subscription extensions.
- Are two OPNsense Business Edition subscriptions required when using an HA cluster?
- Yes, one subscription is required per machine.
Questions from the Webinar Q&A: Open Source Firewall OPNsense (with m.a.x. it) (as of June 5, 2024)
Here, you will find all questions from the Q&A of the webinar Open Source Firewall OPNsense (with m.a.x. it) that were not answered during the webinar, listed with their answers:
- Are there experiences with updates of the community version?
- Wait for the release upgrade to the .4 or .5 point release
- There have been a lot of hotfix updates for the Community Edition lately, as issues have kept cropping up.
- In a corporate environment, it’s best to use the OPNsense Business Edition, as this provides three major update packages per release instead of about 10.
- If not already solved in the current version: are there problems with DHCP relay over a site-to-site VPN connection?
- This should be possible with Kea DHCP.
- How suitable is the OPNsense firewall as an alternative to, for example, Sophos UTM solutions?
- In general, a lot of functions can be represented with OPNsense and plugins.
- It depends on the use case; additional software (for example Zenarmor) is required for some functions.
- WLAN, SD-RED, user portal and email quarantine are not available for OPNsense.
- What are the general costs associated with purchase and operation?
- The hardware costs depend on the size of the network, the desired throughput, and the required features (IDS/IPS or VPNs).
- The cost of an OPNsense appliance starts at under 400 euros for a LES device; robust rack servers cost around 1,500 euros, but prices for a high-end HA cluster with two devices can exceed 10,000 euros. For a suitable sizing, it is best to directly contact our experts.
- The price depends on many factors, for example high-performance CPUs or additional network cards.
- Software costs: free of charge with the Community Edition, or 149 euros per year with the Business Edition.
- Other ongoing costs include maintenance or support contracts; these costs vary depending on your needs.
- What resources are available for those new to the subject?
- Webinars on the OPNsense topic, for example: OPNsense for users – How to use and secure the firewall correctly
- OPNsense Forum
- OPNsense Documentation
- Zenarmor User Guide
- Thomas-Krenn-Wiki category OPNsense
Questions from the OPNsense Q&A webinar - with m.a.x. it (as of March 25, 2021)
Here, you will find all questions from the Large OPNsense Q&A webinar – with m.a.x. it that were not answered during the webinar, listed with their answers:
Questions about VPN topics
- Which setup is recommended if you want to connect 10 sites with the same IP subnet per VPN? In the past, this was resolved in pfSense using a Transfer NAT network with OpenVPN certificates.
- 10 locations on the same subnet—you shouldn't do that; alternatively, renumber them. Otherwise, it is also possible with NAT, but quite complicated. Our recommendation is to renumber the subnets.
- What is the best practice when setting up a default gateway and multiple gateways for specific networks? Should you select the default gateway as the “IPv4 Upstream Gateway” for the interface? Or is it better to use auto-detect and then check the box for "Upstream Gateway" (or, depending on the version: "Default Gateway") under System -> Gateways -> Single? What if you have multiple uplinks (System/Gateways/Group)? Do you then select the upstream gateway for all interfaces? And how do you specify which gateway OpnSense’s own services (WireGuard, OpenVPN, etc.) should use?
- Allowing the upstream gateway on the interface enables true multi-WAN. PF rules are set so that a packet that comes in on line B also goes out on that line. The upstream gateway checkbox in gateways simply means that this gateway can also be used as the default gateway if Default GW Switching is active in System -> Settings -> General. For more details, feel free to ask about this on the OPNsense forum.
- How suitable is OPNsense as a central server for VPN road warriors for installations? Is there any way to automate the deployment of the client configuration here?
- The OPNsense export feature can be accessed via the API, so you could write a script for it; there isn't anything off-the-shelf available at the moment.
- How can a WireGuard connection be assigned as an interface?
- Once you have configured and enabled the WireGuard service, you can assign an interface to wg0, for example, in the Interfaces -> Assign Interfaces section.
- Is it possible to use NAT for IPsec connections? For IPsec, no corresponding interface is available when selecting NAT rules.
- Yes, you have to look for BINAT in the documentation. The company m.a.x. it has also sponsored the development of multiple P2 entries with NAT, available with OPNsense 21.1.
- Is it possible in IPsec to assign SPD policies to several phase 2 tunnels? (source NAT, multiple internal nets)
- Yes, this has been sponsored by m.a.x. it and is available with OPNsense 21.1.
- Is it a known issue that WireGuard occasionally stops passing traffic? Turning the service off and then back on again restores everything to normal.
- Which plugins are a must-have? Which client VPN is advantageous for OPNsense: IPsec (Cisco, NCP, bintec, LANCOM), WireGuard or OpenVPN?
- The fewer plugins, the better. OpenVPN is best for client VPN.
Questions on firewall topics
- Is there a "where used" option in the Firewall -> Alias section to find out which rules use the alias?
- No. Once the firewall rules and NAT have been migrated to the API, it would be worth a feature request to OPNsense. This function is known from Cisco ASA and Sophos systems.
- Does an OPNsense firewall help against the recent Exchange attack?
- No, that would be too late. The Nginx plugin has a WAF (Web Application Firewall). In our opinion, however, that would not have worked here.
- How is an additional filter in the firewall live log activated?
- In the firewall live log, an additional filter becomes active once it is created and added with +.
- Blockers for malicious hosts on the Internet can be set up at different levels. When and where should you use a blocker: DNS, pf rule, Suricata?
- DNS blacklisting and the FireHOL lists are sufficient.
- Use OPNsense as a gateway to the Internet for specific applications and monitor data traffic: create FW rules with, for example, *.teamviewer.com? Evaluate data traffic and generate alerts?
- A DNS alias with a *. wildcard does not work. For this, the proxy is needed.
Performance questions
- A performance comparison between pfSense and OPNsense (internal firewalling without IPS to isolate/protect services) yielded the following results: 3 Gbit/s were reached with pfSense and 900 Mbit/s with OPNsense. The tests were performed on identical hardware, each as a VMware VM. Have there been any improvements to OPNsense in the meantime?
- Yes and no, pfSense uses better default settings. So, the settings in OPNsense need to be adjusted accordingly. However, one customer is achieving throughput speeds of 6 Gbps using a VMware VM (OPNsense 20.1)—could the problem actually be with the VM?
General questions
- Is it possible to rebuild the webfilter reporting of a Sophos UTM with OPNsense?
- Yes, but it would take a lot of effort; you're better off checking out the Sensei plugin.
- Is there a graphic mail log as with Sophos UTM?
- Yes, Rspamd has a web console that can be accessed via port forwarding to localhost on port 11334.
- Is it possible to set up a watchdog function for OPNsense services via Monit? Is there documentation on all relevant services?
- Yes, but only manually. In the comprehensive OPNsense documentation covering all relevant services, you will also find a section on Monit.
- Is there something like a Packet Tracer Policy Lookup in OPNsense?
- No, this is not available.
- When will ZFS as a file system option finally be available during installation?
- Eventually with OPNsense 22.1.
Questions on high availability cluster
- In an HA cluster (currently 2 nodes), Squid should always appear to the outside world with the same source IP, regardless of the node (VIP from a /27 net). How can this be configured?
- This should work with outbound NAT.
- In a test setup, I set up two OPNsense firewalls in a VMware environment and created a high-availability cluster following the Thomas-Krenn instructions. "Disable preempt" has been activated. However, in the event of a failover (when a NIC is disconnected), only that one IP address is moved to Firewall 2, not all IP addresses. Is this the desired behaviour?
- Never click on disable preempt! HA in VMware requires adjustments on ESX via CLI.
Hardware and hypervisor-related questions
- How can you determine whether a NIC is suitable for Suricata in IPS mode with VLANs (keyword: netmap)? The driver groups listed by FreeBSD are not really helpful (em, re, etc.). In practice, many NICs prove to be unstable.
- This was explained in the webinar.
- Which approach (also with regard to performance) is more advisable: VLANs on fewer NICs or a dedicated NIC for every VLAN?
- This was explained in the webinar.
- Is OPNsense compatible with AMD Ryzen CPUs?
- Yes, take a look at our AMD-based servers in the Thomas-Krenn online shop.
- Are there any experiences with OPNsense and VXLAN?
- It's possible, but unfortunately we don't have any experience with it. It's usually done at the hypervisor level.
- How can I add multiple LAN interfaces in a virtual OPNsense environment?
- Once they're added via the hypervisor, they'll also appear in the system. Attention: This messes up all existing interfaces, and they must be corrected via the console.
Questions on OPNsense Business Edition
- We operate an OPNsense HA cluster (V. 20.7.8) on dedicated Thomas-Krenn hardware with an activated Business Edition. Should we already upgrade to version 21.x?
- OPNsense 21.1 is not yet available for business edition users.
- What is next for centralized management of multiple OPNsense firewalls? As far as we know, this feature is only available in the Business Edition; I haven't used it yet. Is it useful, and what can you tell us about central management?
- Only the LITE features, such as upgrades and the WebUI, are available. Policy rollouts are not supported.
Author: Thomas Niedermeier. Thomas Niedermeier works in the product management team at Thomas-Krenn and completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.
Translator: Alina Ranzinger. Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took up her position as assistant to Product Management and is responsible for the translation of texts and for the organisation of the department.
- ↑ [https://forum.opnsense.org/index.php?topic=22602.msg OPNsense business edition 21.4 released] (forum.opnsense.org)