OPNsense is an open-source firewall distribution based on FreeBSD. There are also DHCP servers, DNS servers, VPNs, and other services available in addition to the firewall. OPNsense has a number of advantages over competitors, including forward caching proxy, traffic shaping, intrusion detection, and a simple OpenVPN client setup. The Zenarmor plugin, in particular, which provides application control and web filtering features, is extremely useful for administrators in protecting their networks from cyberattacks. OPNsense's dependable update mechanism allows it to deliver critical security updates on time.
For more information about the OPNsense features, please refer to the Best Open Source Firewalls article written by Zenarmor.
Best Practice
Zenarmor NGFW Plug-in for OPNsense is one of the most popular OPNsense plug-ins and allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.
Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.
Zenarmor Free Edition is available at no cost for all OPNsense users.
In this OPNsense installation guide, we will cover how to install OPNsense from a USB stick by describing the following topics.
What are the System Requirements for OPNSense Setup?
Where to Download OPNSense?
How to Install OPNSense Files?
Step 1: Selecting Hardware
Step 2: Downloading OPNSense ISO
Step 3: Writing OPNsense Image to Installation Media
Step 4: Installing OPNSense from USB to Target Device
Step 5: Completing OPNSense Initial Configuration
What are the System Requirements for OPNSense Setup?
You should check the hardware requirements for the installation before installing the OPNsense firewall. Up-to-date requirements can be found on the official website.
OPNsense supports a variety of devices ranging from embedded systems to rack-mounted servers. However, the hardware must be capable of running 64-bit operating systems, since OPNsense supports only the x86-64 (amd64) microprocessor architecture.
Full installs can run on solid-state disks (SSD), hard disk drives (HDD), or SD memory cards.
The option to install an embedded OPNsense image has been supported since version 15.1.10 (04 May 2015).
Embedded images (nano) only keep logging and cache data in memory, whereas full image versions keep the data on the local drive. By enabling RAM disks, a full version can mimic the behavior of an embedded version, which is especially useful for SD memory card installations.
OPNsense is built on HardenedBSD 11.2-RELEASE. The OPNsense kernel includes all HardenedBSD drivers, and hardware compatibility is the same.
The functionality available in OPNsense may be constrained by the hardware. There are minimum, reasonable, and recommended system requirements for the full functionality of OPNsense. At the time of writing, the hardware requirements for OPNsense are as follows.
1. Minimum System Requirements
If you install OPNsense on a device that meets only these requirements, you will be unable to use features that require disk writes, such as a caching proxy (cache) or intrusion detection and prevention.
Type | Description |
---|---|
Processor | 1 GHz dual-core CPU |
RAM | 2 GB |
Install method | Serial console or video (VGA) |
Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |
Table 1: Minimum system requirements
2. Reasonable System Requirements
If you install OPNsense on a device that meets these requirements, you will be able to use all of the standard features of OPNsense. However, if you have a large number of users or a high load, you may run into some issues.
Type | Description |
---|---|
Processor | 1 GHz dual-core CPU |
RAM | 4 GB |
Install method | Serial console or video (VGA) |
Install target | 40 GB SSD, a minimum of 2 GB memory is needed for the installer to run. |
Table 2: Reasonable system requirements
3. Recommended System Requirements
If you install OPNsense on a device that meets these requirements, you will be able to use all of OPNsense's standard features without issue.
Type | Description |
---|---|
Processor | 1.5 GHz multi-core CPU |
RAM | 8 GB |
Install method | Serial console or video (VGA) |
Install target | 120 GB SSD |
Table 3: Recommended system requirements
Where to Download OPNSense?
Depending on your hardware and use case, different installation files are provided to download and install OPNsense:
- dvd: ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.
- vga: USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.
- serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.
- nano: a preinstalled serial image for USB sticks, SD or CF cards as MBR boot. These images are 3G in size and automatically adapt to the installed media size after first boot.
Sample file listing
OPNsense-21.7.1-OpenSSL-cdrom-amd64.iso.bz2
OPNsense-21.7.1-OpenSSL-nano-amd64.img.bz2
OPNsense-21.7.1-OpenSSL-serial-amd64.img.bz2
OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2
The USB-memstick installer is the simplest way to install OPNsense. If your target platform has a serial interface, download the serial image. If not, you should select vga for the image type. You may choose any mirror you like.
How to Install OPNSense Files?
You may easily install the OPNsense firewall by following the 5 steps given below.
Step 1: Selecting Hardware
While the majority of features have no effect on hardware dimensioning, a few do. The candidates are as follows:
Squid: A caching web proxy that is used for web-content control, and so on. These packages are heavily reliant on CPU load and disk-cache writes.
Captive Portal: Settings with hundreds of concurrently served captive portal users will necessitate high CPU power.
State transition tables: Each state table entry requires approximately 1 kB (kilobytes) of RAM. A typical state table with 1000 entries will take up about 10 MB (megabytes) of RAM. OPNsense usage settings with hundreds of thousands of connections will necessitate additional memory.
You should select the hardware according to the system requirements given above.
Step 2: Downloading OPNsense ISO
You may download the OPNsense installation file from the official OPNsense download page. You may select the system architecture according to your system's CPU architecture, and also specify the image type and mirror location. OPNsense ISO download steps are given below.
- Select the vga image type for USB installation.
- Select the fastest mirror for your location.
- Click the Download button.
Figure 1. Downloading OPNsense vga ISO file
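Before the download is unpacked and written to USB in Step 3, it can be checked against the SHA-256 checksum published for the release. The script below is an added example, not part of the original guide or of the OPNsense project; the function names are hypothetical and the checksum file name checksums.sha256 is a placeholder for the file offered by your mirror.

```shell
#!/bin/sh
# Verify a downloaded OPNsense image against a checksum list before
# unpacking it or writing it to USB. Added example; names are hypothetical.

# Print the SHA-256 of a file using whichever tool this platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'          # Linux (GNU coreutils)
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                             # FreeBSD / OpenBSD
    else
        shasum -a 256 "$1" | awk '{print $1}'      # macOS
    fi
}

# Look up the expected hash for a file name in a checksum list. Accepts
# BSD-style "SHA256 (name) = hash" and GNU-style "hash  name" lines.
expected_hash() {
    awk -v name="$1" '
        $1 == "SHA256" && $2 == ("(" name ")") { print $4; exit }
        NF == 2 && ($2 == name || $2 == ("*" name)) { print $1; exit }
    ' "$2"
}

# Return 0 only if the image hash matches its entry; 1 on mismatch, 2 if absent.
verify_image() {
    image=$1 sums=$2
    want=$(expected_hash "$(basename "$image")" "$sums")
    if [ -z "$want" ]; then
        echo "no checksum entry for $(basename "$image")" >&2
        return 2
    fi
    have=$(sha256_of "$image")
    if [ "$have" != "$want" ]; then
        echo "CHECKSUM MISMATCH for $image" >&2
        echo "  expected: $want" >&2
        echo "  actual:   $have" >&2
        return 1
    fi
    echo "OK: $image"
}

# Usage (checksums.sha256 is a placeholder name):
#   verify_image OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2 checksums.sha256 \
#       && bunzip2 OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2
```

A checksum fetched from the same mirror as the image only detects corruption in transit, so compare it with the value the OPNsense project publishes through a separate channel.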
Step 3: Writing OPNsense Image to Installation Media
After downloading the OPNsense image, you may easily create a bootable USB drive for OPNsense installation. First, you need to unpack the OPNsense image file by running the following command:
bunzip2 OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2
Then, you may write the image to a USB flash drive (>= 1GB), either with dd under FreeBSD or under Windows with physdiskwrite (or Rufus).
Writing an OPNsense image to a USB is explained in detail below for various platforms.
1. FreeBSD
To write the OPNsense image to a USB drive on FreeBSD system, run the following command.
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/daX bs=16k
note
Where X = the device number of your USB flash drive (check dmesg)
For example,
dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/da1 bs=16k
2. Linux
To write the OPNsense image to a USB drive on a Linux system, run the following command.
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16k
note
Where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) (ignore the warning about trailing garbage, it's because of the digital signature)
For example,
dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/sdX bs=16k
3. OpenBSD
To write the OPNsense image to a USB drive on an OpenBSD system, run the following command.
dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rsd6c bs=16k
note
The device must be the ENTIRE device (in Windows/DOS language: the 'C' partition), and a raw I/O device (the 'r' in front of the device "sd6"), not a block mode device.
For example,
dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/rsd6c bs=16k
4. Mac OS X
To write the OPNsense image to a USB drive on a Mac OS X system, run the following command.
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rdiskX bs=64k
note
Where r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage, it's because of the digital signature)
For example,
sudo dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/rdiskX bs=64k
5. Windows
To write the OPNsense image to a USB drive on a Windows system, run the following command.
physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].[img|iso]
For example,
physdiskwrite -u OPNsense-21.7.1-OpenSSL-vga-amd64.img
note
A simple alternative for writing images under Windows is Rufus, a tool to create bootable USB sticks with a nice GUI.
Step 4: Installing OPNSense from USB to Target Device
After configuring your system to boot from a USB device, insert the USB stick into one of the USB slots and boot your system. The default behavior is to start the Live environment. Therefore, to start the installation, log in with user installer and password opnsense.
Default OPNsense username: installer
Default OPNsense installer password: opnsense
You can connect either on the local console or via SSH.
Keymap selection: Select the keymap as you wish. The default configuration is a US keyboard map. You may continue with default settings.
Figure 2. Keymap Selection
Installation Selection. The native ZFS installation is officially supported by the installer with the release of OPNsense 21.7. You may select one of the following installation tasks.
- UFS
- ZFS
- Other Modes (Extended Installation)
Figure 3. Installation Selection
Task Selection: You may select one of the Guided Disk Setup options, such as UFS and ZFS, or Manual Disk Setup.
Figure 4. Selecting Disk Setup
Select Disk: Select the disk on which you want to install the OPNsense.
Figure 5. Select the disk to install the OPNsense
Select Entire Disk. You may select Entire Disk for partitioning.
Figure 6. Selecting Entire Disk for partitioning
Partition Confirmation. Confirm the disk partitioning. Beware that this will erase all the data on the disk.
Figure 7. Partition Confirmation
Selecting Partition Scheme. You may select GPT.
Figure 8. Selecting Partition Scheme
Review Partition Setup. After reviewing the disk partitioning setup, select Finish.
Figure 9. Review Partition Setup
Confirm Partitioning. To confirm the disk partitioning, select Commit. Beware that this will permanently remove all files on the disk.
Figure 10. Confirm Partitioning
Initializing the disk. The initialization of the target disk will start.
Figure 11. Initializing the disk.
File Installation. OPNsense files installation will start.
Figure 12. File Installation
Verification of the installation. OPNsense installer verifies the installation.
Figure 13. Verification of the installation
Preparing the target. OPNsense installer prepares the target system.
Figure 14. Preparing the target
Changing root password. Default OPNsense root password is opnsense. It is recommended that you change it with a strong one.
Figure 15. Changing root password
Figure 16. Setting root password
Final Configuration. To apply the configuration and exit installer, select Exit and then OK.
Figure 17. Final Configuration
Reboot. Installation of OPNsense from USB flash drive is finished successfully. The firewall needs to reboot. You should proceed to the initial configuration of your OPNsense firewall.
Figure 18. Reboot
note
You may learn how to install OPNsense on Proxmox Virtual Environment by reading the OPNsense Installation Tutorial written by Sunny Valley Networks. Since OPNsense installation on different platforms has almost the same procedures, this article may be helpful for USB installation also.
Step 5: Completing OPNSense Initial Configuration
After installing the OPNsense the following initial configuration steps should be completed.
Network device assignments
IP address settings
Updating OPNsense Firewall
Accessing the OPNsense GUI
Initial configuration of OPNsense Firewall
You may find more information about the initial configuration steps on OPNsense Installation Tutorial written by Zenarmor.
Which one is Better for OPNsense? UFS or ZFS?
OPNsense highly recommends using ZFS as the file system because of its exceptional data integrity, advanced snapshotting features, and robustness in dealing with power outages. It has sophisticated functionalities including compression, deduplication, and self-healing, which make it well-suited for mission-critical applications.
UFS OPNsense utilizes the UFS file system, which is renowned for its straightforwardness and minimal resource demands. Nevertheless, ZFS surpasses it in terms of sophisticated functionalities and data security measures. UFS remains a feasible choice for configurations that need fewer resources or systems with restricted RAM.
ZFS greatly mitigates the likelihood of data loss in the event of power outages as compared to UFS. The atomic nature of the system guarantees data consistency, even in the case of unforeseen shutdowns. However, UFS is more prone to corruption in certain situations.