Your questions about the OPNsense webinar for users with Michael Münz of m.a.x. it on September 9th, 2025

From Thomas-Krenn-Wiki

This article shows a selection of the questions asked during the webinar "OPNsense for users" with Michael Münz of m.a.x. it. You can find the video on the Thomas-Krenn Video YouTube channel.

What should be considered when installing OPNsense in VirtualBox with tagged VLAN interfaces so that the interface reaches maximum throughput?

  • Unfortunately, we do not have hacks or information due to little experience with VirtualBox in combination with OPNsense.

Is it possible to use the same blocklists in OPNsense as in Pi-hole?

  • There are blocklists in the Unbound DNS service which should be similar to them.

What if you previously had Legacy VPN and it is no longer available in the new version? Will it be automatically transferred?

  • Legacy and the new implementation run in parallel.
  • If you configure a Legacy VPN version and update OPNsense, it will remain available.

Can the snapshot also be set to automatically restore the system if an update fails?

  • No, it is not possible.
  • The user must reset it himself if anything does not function.

Is WireGuard in combination with Captive Portal a good choice for user VPN, or are there any concerns regarding security? We use that for multiple customers and it functions very well. With WireGuard + password + token, you have three factors for the authentication.

  • Yes, that is correct. With the new Netbird Plugin, there will probably be a lot more to come.

Is there a recommendation for the configuration if a failover (HA) should be used for both OPNsense and WAN? This was the case with pfSense.

  • It is important that both devices are in all WANs???

Where can I set fixed DNS entries or assign hostnames to IP addresses?

  • This is possible in Unbound under Overrides.
  • Please state host, domain and IP address.
  • Only functions if the firewall uses itself as DNS server.
  • System -> Settings -> General: the line "DNS Servers" must be empty.

I have heard that OPNsense is not very performant as a VM on Proxmox VE (FreeBSD/virtual network card). Is this correct?

  • You should not expect more than gigabit throughput. Something could still happen with FreeBSD 15 (OPNsense 26.7).

We use pfBlockerNG on our pfSense. Is it possible to install it on OPNsense?

  • No, this is not possible.
  • It was attempted to build a plugin.
  • OPNsense's approach is to offer everything in a modular format.
  • Define DNS filters in Unbound.
  • Geoblocking via Firewall -> Aliases -> GeoIP settings tab.
  • FireHOL blacklists via Firewall -> Aliases -> URL Table (IPs).
  • The most important features of pfBlockerNG are covered.

Is it possible to "roll back" the versions in System: Firmware if, for example, an update causes problems? Then you wouldn't have to restore a backup and roll back the entire server with a snapshot.

  • This is possible with the command line tool "opnsense-revert".
  • Only within a major branch.
  • You can only jump back to earlier major branches using ZFS snapshots.

Can HA be added/set up later if FW1 is already set up and FW2 is newly installed?

  • A maintenance window is necessary.
  • Configure firewall 2 as it should be.
  • Change the IP address of firewall 1.
  • Set up the HA mechanism and CARP IPs, then set up and synchronize the live IPs.

I would also be interested in the following: in the event of WAN failover in CARP mode, what is the best way to handle a PPPoE line (e.g., Gbit Fiber Telekom WAN with a fixed IP) so that the second firewall then establishes PPPoE (pfSense is supposed to be able to do this). What would be best practice here? To my knowledge, the second HA firewall does not then re-establish PPPoE.

  • System -> High Availability -> Settings
  • Check the box "Disconnect dialup interfaces".
  • Use with caution.

The BSD packet filter does not do a stateless unconditional NAT (so-called full cone NAT) like every 40 € MediaMarkt router (necessary for some SIP accounts behind NAT on-prem). I had to learn this the hard way after purchasing expensive hardware, and I think it's worth mentioning that it doesn't work. In hindsight, this would have influenced my purchase decision. (We are currently migrating from Sophos UTM to OPNsense, and this is really a pitfall.) Now I have to completely migrate my PBX system to the WAN because of this. (The thread in the BSD forum, i.e., the discussion among the developers, is really interesting. They don't see any point in unconditional NAT, but probably every other firewall does it.)

  • Please contact us.

Will there ever be WireGuard with a password, optionally?

  • Yes, with Captive Portal or with the new Netbird Plugin.

Which hardware do you recommend for OPNsense?

  • Thomas-Krenn systems intended for use with OPNsense (for example OPNsense 25.7) are recommended.
  • Depends on the requirements. Please contact us in this case.

From which size on is it recommended to use Kea DHCP?

  • Dnsmasq DNS for smaller environments below 500 IPs.
  • Kea DNS is recommended from 500 IPs.

What hardware do you primarily use, especially when coming from Sophos UTM?

  • It depends on the purpose. Thomas-Krenn LES devices and front I/O servers with Intel Xeon E are very popular.

How can I migrate IPsec tunnel settings [legacy] into connections? We use IPsec for mobile warriors with pre-shared keys.

  • There is no better way, as there are too many uncertainties.

If possible, the following may be interesting: backup gateway, if A fails switch to B.

  • There is a video on the Thomas-Krenn YouTube channel for this.
  • The Multi-WAN options of OPNsense are described in the Thomas-Krenn-Wiki.

Is there an option for the FW to dial into an OpenVPN server as a client? If so, with automatic reconnect?

  • Yes, that is possible.
  • Set up instances in client mode with multiple server IPs.

We tried to switch from Sophos to OPNsense. The routing rules were not accepted by IPsec.

  • Because OPNsense gives users the freedom to do things themselves.
  • With IPsec Legacy, many steps are performed manually, e.g., setting automatic firewall rules.
  • With IPsec connections, you have to do this manually.
  • Read the documentation.

Is this webinar recorded for later viewing?

  • Yes, this webinar is recorded.
  • You will receive an e-mail with the corresponding link.
  • It will be published on YouTube.

Do you offer a full service for selection, installation, configuration and further support? We currently use Sophos. Who can I contact?

  • Yes, we offer this service. You can contact our team at Thomas-Krenn or our partner m.a.x. IT.

Is it possible for OPNsense to notify me (for example via email) that new updates are available, or do I always have to click on "check for updates"?

  • Check the RSS feed on the dashboard.
  • A cron job checks for updates and creates a notification with Monit.

How do I know that the "DHCP service" is active on the LAN interface?

  • It depends on the DHCP service.
  • You can see the green play button of the "ISC DHCP" legacy service.
  • Interfaces -> Diagnostics -> Sockets
  • Interfaces -> Diagnostics -> Packet Capture for ports 67 and 68
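The two checks named in this answer (bound sockets, then a packet capture on the DHCP ports) can also be scripted from the OPNsense shell. The following is an added example and is not code from the webinar or from the OPNsense project: it decides from `sockstat -4l` output whether a DHCP server socket is bound on the LAN address (or the wildcard address) and, if not, watches ports 67/68 with tcpdump. The sample sockstat listing is constructed for offline use; the interface name `em0`, the address `192.168.1.1` and the 30-second capture window are placeholders, and the FreeBSD sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed.

```shell
#!/bin/sh
# Added example, not part of the webinar or the OPNsense project.
# Checks whether a DHCP server is listening, first via the socket table,
# then via a packet capture on the DHCP ports, as the answer above suggests.

# Constructed sample of `sockstat -4l` output with a DHCP server bound to *:67.
DHCP_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dhcpd    dhcpd      2231   7  udp4   *:67                  *:*
unbound  unbound    1890   5  udp4   192.168.1.1:53        *:*
root     sshd       1402   4  tcp4   *:22                  *:*'

# Constructed sample without any DHCP server socket.
NO_DHCP_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1890   5  udp4   192.168.1.1:53        *:*
root     sshd       1402   4  tcp4   *:22                  *:*'

# dhcp_server_listening ADDR LISTING
# Returns 0 if the listing contains a UDP socket bound to port 67 (DHCP server)
# on ADDR or on the wildcard address "*", 1 otherwise. The listing is passed
# as text so the function can be exercised without a live firewall.
dhcp_server_listening() {
  addr="$1"
  listing="$2"
  printf '%s\n' "$listing" | awk -v a="$addr" '
    # Field 5 is the protocol, field 6 the local address:port.
    $5 == "udp4" && ($6 == (a ":67") || $6 == "*:67") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_live IFACE ADDR
# Runs on the firewall itself (FreeBSD): inspect the live socket table and,
# if no DHCP server socket is bound, capture DHCP traffic on IFACE so you can
# see whether DISCOVER/OFFER packets are actually exchanged on the LAN.
check_live() {
  iface="$1"
  addr="$2"
  if dhcp_server_listening "$addr" "$(sockstat -4l)"; then
    echo "DHCP server socket is bound on $addr (or the wildcard address)."
  else
    echo "No DHCP server socket found; capturing ports 67/68 on $iface for 30 seconds."
    timeout 30 tcpdump -ni "$iface" 'udp port 67 or udp port 68'
  fi
}

# Usage on the firewall: sh dhcp_check.sh em0 192.168.1.1
# Without arguments the script only defines the functions and samples.
if [ "$#" -ge 2 ]; then
  check_live "$1" "$2"
fi
```

Port 67 is the server side of DHCP and port 68 the client side, which is why the capture filter covers both: a server that is bound but never answers shows up as DISCOVER packets without a matching OFFER, a symptom the socket table alone will not reveal.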


Author: Thomas Niedermeier

Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took on the role of assistant to Product Management and is responsible for the translation of texts and for the organisation of the department.


Related articles

Intel based Thomas-Krenn Firewall Server
Update Intel Microcode via plugin under OPNsense
Updating Broadcom network card firmware with niccli under OPNsense