OPNsense is a FreeBSD-based open source firewall distribution. OPNsense, a fork of pfSense, was released in 2015. In addition to the firewall, it provides DHCP servers, DNS servers, VPNs, and other services. In particular, the Zenarmor `os-sensei` plugin, which provides application control and web filtering features, is very useful for administrators who need to protect their networks against cyberattacks. OPNsense can be installed on a physical server as well as a virtual machine.
Proxmox VE is an excellent open-source enterprise virtualization platform built on Debian Linux. You can easily manage VMs and containers, highly available clusters, and integrated disaster recovery tools using the integrated web-based user interface. PVE has a significant advantage over other virtualization solutions in terms of simplicity. Even inexperienced users can set it up and install it in minutes. Most importantly, because it runs on Debian, general Linux experience is all that is required.
OPNsense runs well in a KVM-based VM running on a Proxmox VE server. In this OPNsense installation on the Proxmox VE tutorial, we will explain why you should install OPNsense and walk you through a basic installation of OPNsense 21.1 to get you started by following the next steps given below:
- Checking hardware requirements of OPNsense firewall
- Downloading OPNsense image
- Uploading OPNsense ISO File to Proxmox VE
- Creating a Virtual Machine on Proxmox VE
- Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE
- Creating Linux Bridge
- Adding Network Devices to OPNsense VM on Proxmox
- Installing OPNsense
- Network Device Assignments for OPNsense Firewall
- IP Address Settings for OPNsense Firewall
- Updating OPNsense Firewall on CLI
- Accessing the OPNsense Web GUI
- Initial Configuration of the OPNsense Firewall
- Disable Network Hardware Off-loading on OPNsense Firewall
Why You Should Install OPNsense
By installing the OPNsense firewall to protect your network, you get the following benefits.
OPNsense has significant advantages over competitors, such as forward caching proxy, traffic shaping, intrusion detection, and simple OpenVPN client setup.
OPNsense's robust and dependable update mechanism enables it to provide critical security updates on time.
For more information about the OPNsense features, please refer to the Best Open Source Firewalls article.
1. OPNsense Hardware Requirements
Before installing the OPNsense firewall, you should verify the hardware requirements for the installation. You can review the requirements located on the official website. OPNsense is available for x86-64 (amd64) microprocessor architectures. Although OPNsense supports a wide range of devices from embedded systems to rack-mounted servers, the hardware must be capable of running 64-bit operating systems.
Minimum hardware requirements of OPNsense
At the time of writing, the minimum requirements are as given below. If you install OPNsense on a device with these specifications, you cannot use features that require disk writes, e.g. a caching proxy (cache) or intrusion detection and prevention.
Type | Description |
---|---|
Processor | 1 GHz dual-core CPU |
RAM | 2 GB |
Install method | Serial console or video (VGA) |
Install target | SD or CF card with a minimum of 4 GB, use nano images for installation. |
Table 1: Minimum hardware requirements
Reasonable hardware requirements of OPNsense
If you install OPNsense on a device with these specifications, you can use every standard feature of OPNsense. However, you may encounter some problems with high loads or lots of users.
Type | Description |
---|---|
Processor | 1 GHz dual-core CPU |
RAM | 4 GB |
Install method | Serial console or video (VGA) |
Install target | 40 GB SSD, a minimum of 2 GB memory is needed for the installer to run. |
Table 2: Reasonable hardware requirements
Recommended hardware requirements of OPNsense
If you install OPNsense on a device with these specifications, you can use every standard feature of OPNsense without any problem.
Type | Description |
---|---|
Processor | 1.5 GHz multi-core CPU |
RAM | 8 GB |
Install method | Serial console or video (VGA) |
Install target | 120 GB SSD |
Table 3: Recommended hardware requirements
Virtual environment requirements
To install OPNsense in a virtual environment such as Proxmox VE or VirtualBox, the minimum hardware requirements are given below:
Type | Description |
---|---|
Processor | 1 or more virtual cores |
RAM | The minimum required RAM is 2 GB |
Install method | ISO |
Install target | Minimum recommended virtual disk size of 8 GB |
Table 4: Minimum hardware requirements for virtual environment
warning
Beware that some features have a massive impact on hardware dimensioning. For example, Captive Portal is a CPU-intensive feature, and Squid is heavily reliant on CPU load and disk-cache writes.
Throughput of OPNsense
The primary hardware components involved in the OPNsense configuration include the CPU, RAM, mass storage (disk), and the quantity and quality of network ports. The throughput of OPNsense for different setups is given in the following table.
Throughput (Mbps) | Hardware requirements | Feature set | Users / Networks |
---|---|---|---|
11-150 | Basic spec. | narrowed | adjusted (10-30) |
11-150 | Minimum spec. | reduced | adjusted (10-30) |
151-350 | Reasonable spec. | all | substantial (30-50) |
350-750+ | Recommended spec. | all | substantial+ (50-150+) |
Table 5. OPNsense Throughput
Intel® network interface devices (NIC) for LAN connections are reliable, fast, and error-free, as stated in the FreeBSD hardware-lists and -recommendations. Intel chipset NICs provide increased throughput while reducing the CPU burden.
Now that you've checked if your system is compatible with OPNsense, let's get started with the OPNsense setup guide.
OPNsense Hardware Examples for Different Use Cases
In the following table we give OPNsense hardware configuration samples for different applications or use cases.
Requirement | Network throughput (Mbps) | Number of clients | CPU | RAM | Disc | Appliance |
---|---|---|---|---|---|---|
Minimum (OPNsense standard features, without caching proxy or IDS/IPS) | 11 - 150 | 10 - 30 | 1 GHz Dual-Core | 2 GB | 4 GB SD or CF card | Thomas Krenn Edge 4L |
Reasonable (OPNsense standard features, all functions can be used) | 151 - 350 | 30 - 50 | 1 GHz Dual-Core | 4 GB | 40 GB SSD | Thomas Krenn LES network 6L |
Recommended (OPNsense standard features, meets most use cases) | 350 - 750+ | 50 - 150+ | 1.5 GHz Multi-Core | 8 GB | 120 GB SSD | Thomas Krenn RI1101-SMXEFH |
Table 6. OPNsense Hardware Examples for Different Use Cases
2. Downloading OPNsense image
Now, you can go to the official OPNsense Download page. Installing OPNsense on a virtual machine can be done by using the DVD ISO image. So, download the DVD ISO image from the OPNsense mirror site which is closest to you.
Figure 1. Downloading OPNsense DVD ISO file
After downloading the bzip compressed ISO file (`OPNsense-21.1-dvd-amd64.iso.bz2`), uncompress it to your local disk.
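Because this image becomes the firewall, it is worth checking the downloaded `.bz2` against a published SHA-256 checksum before uncompressing it. The following is an added example, not part of the original tutorial: the function names are hypothetical, and it assumes a checksum file in either BSD (`SHA256 (name) = hex`) or GNU (`hex  name`) layout.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA-256 checksum file.
# Assumption: the checksum file uses BSD or GNU line layout (see below).

# Print the SHA-256 of a file using whichever tool this host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'      # Linux (coreutils)
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                         # FreeBSD
    else
        shasum -a 256 "$1" | awk '{print $1}'  # macOS / perl shasum
    fi
}

# Print the digest recorded for file name $1 in checksum file $2, if any.
# File names containing spaces are not handled (ISO names have none).
expected_sha256() {
    awk -v name="$1" '
        # BSD layout: SHA256 (name) = hex
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print tolower($4); exit }
        # GNU layout: hex  name   (binary mode prefixes the name with "*")
        NF == 2 && ($2 == name || $2 == ("*" name))         { print tolower($1); exit }
    ' "$2"
}

# Return codes: 0 match, 1 mismatch, 2 unreadable input, 3 no entry for file.
verify_iso() {
    file=$1
    sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || { echo "missing input" >&2; return 2; }
    want=$(expected_sha256 "$(basename "$file")" "$sums")
    [ -n "$want" ] || { echo "no entry for $(basename "$file")" >&2; return 3; }
    got=$(sha256_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file (expected $want, got $got)" >&2
    return 1
}

# Usage: sh verify.sh OPNsense-21.1-dvd-amd64.iso.bz2 <checksum-file>
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

A checksum taken from the same mirror as the image only detects a corrupted download, so fetch the checksum file from a different source than the image.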
3. Upload OPNsense ISO File to Proxmox VE
To start the installation of the OPNsense on the Proxmox environment, you must upload the OPNsense ISO image from your local disk to the Proxmox node. You can easily upload the ISO file to your Proxmox VE system by following the next instructions.
- Connect to your Proxmox VE web interface (such as `https://192.168.0.100:8006`) using your favorite browser and log in as root.
- Navigate to Datacenter → pve/node → local disk (pve) → ISO Images.
  Figure 2. Uploading OPNsense ISO image to Proxmox VE node
- Click the Upload button.
- Select the OPNsense ISO image from your local disk to upload.
  Figure 3. Selecting OPNsense ISO image from local disk to upload Proxmox VE
- Click the Upload button.
tip
You can also copy the OPNsense ISO image to your Proxmox environment by using an SCP/SFTP client application. You should upload the ISO file into the `/var/lib/vz/template/iso` directory on the Proxmox VE server.
4. Creating a Virtual Machine on Proxmox VE
After uploading the OPNsense ISO image to the Proxmox VE, we will create a Virtual Machine for our OPNsense firewall. To create a virtual machine on Proxmox, you should follow the next steps given below.
- Click the blue Create VM button in the upper right-hand corner of the Proxmox VE web UI.
- Enter a name for your virtual machine, such as `OPNsensefw`. Then, click Next.
  Figure 4. Naming the OPNsense VM on Proxmox
- Select the OPNsense ISO image under the OS tab, and then click Next.
  Figure 5. Selecting OPNsense ISO to install on Proxmox VE as an OS
- You may accept the default settings on the System tab by clicking Next.
  Figure 6. System settings of the OPNsense VM on Proxmox
- Set the Hard Disk size as you wish. We recommend enabling the IO thread option, which should improve IO performance by giving the disk its own worker thread.
  Figure 7. Setting Hard disk size as 32 GB for OPNsense on Proxmox VE
- Set the CPU configuration as you wish.
  Figure 8. CPU settings for OPNsense firewall on Proxmox VE
- Set the Memory size as you wish.
  Figure 9. Setting Memory size 8 GB for OPNsense firewall on Proxmox
- In the Network configuration, set Multiqueue to 8, which will allow the BSD kernel to negotiate the optimal value with Proxmox VE. We will cover this configuration for our topology in more detail later.
  Figure 10. Network configuration of OPNsense VM on Proxmox VE
- Confirm the OPNsense virtual machine configuration by clicking on the Finish button.
  Figure 11. Confirming the OPNsense virtual machine configuration
5. Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE
In this tutorial, we will configure two physical NICs for our OPNsense firewall. These NICs will be used and configured for the following purposes:
- WAN Connection: Internet connection/Untrusted zone.
- LAN Connection: Clients and servers are placed in this trusted zone.
You may complete network configuration of the OPNsense Virtual Machine on Proxmox VE by following the next 2 steps:
- Creating Linux Bridge
- Adding Network Devices to OPNsense VM on Proxmox
5.1. Creating Linux Bridge
To be able to define 2 network interfaces for the OPNsense virtual machine, we must first create Linux bridge devices on the Proxmox device.
To create a Network Bridge, follow the next steps.
- Navigate to Datacenter → pve → Network.
  Figure 12. Viewing the network devices of the Proxmox VE
- Click on the Create button. This will pop up the Linux Bridge configuration window.
- You may leave the name as default, such as `vmbr1`. Enter the IPv4/CIDR address and the Bridge ports (the network device name seen on the Network configuration window, such as `ens3f0`). Then, click on the Create button.
  Figure 13. Creating a Linux bridge on the Proxmox VE
- Click on the Apply Configuration button or Reboot the Proxmox device to start using the new Linux bridges.
Now, you have two Linux Bridges as seen in the Figure below.
Figure 14. Viewing the network devices of the Proxmox VE
5.2. Adding Network Devices to OPNsense VM on Proxmox
It is time to add a network device that will be used for LAN connections.
To add a new network interface to the OPNsense virtual machine on Proxmox you can follow these steps.
- Navigate to Datacenter → pve → OPNsensefw VM → Hardware → Add.
- Click on Network Device.
  Figure 15. Adding NIC to OPNsense VM on Proxmox VE
- Select the Linux Bridge, such as `vmbr1`.
  Figure 16. Selecting Linux bridge for a NIC
- Select Model as VirtIO (paravirtualized).
  Figure 17. Setting model for a network device of OPNsense VM on Proxmox VE
- Uncheck the Firewall option.
- Set Multiqueue to 8.
- Click the Add button.
After finishing the network configuration of the OPNsense virtual machine on Proxmox, you should see the Hardware configuration for the OPNsense VM similar to the following figure.
Figure 18. Hardware configuration of the OPNsense VM on Proxmox VE
Now, your OPNsense firewall has 2 different physical interfaces ready to connect to different networks, Internet and LAN respectively.
tip
It is recommended that you note the MAC addresses of the network devices used by the OPNsense VM. You will need them to complete the network settings of the firewall after installing the OPNsense software.
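The settings chosen in section 5.2 and the MAC-to-bridge mapping mentioned in the tip can be read back from the Proxmox host with `qm config`. The following is an added example, not part of the original tutorial: `audit_nics` and `sample_config` are hypothetical names, the sample configuration and MAC addresses are constructed, and the stored line layout `netN: <model>=<MAC>,bridge=...` is assumed.

```shell
#!/bin/sh
# Added example: audit the NIC lines of a Proxmox VM configuration against
# the settings used in this tutorial (VirtIO model, Proxmox firewall option
# unchecked, Multiqueue 8) and list each MAC with its bridge.

# Constructed sample in the layout printed by `qm config <vmid>`.
# net1 deliberately deviates from the tutorial settings.
sample_config() {
cat <<'EOF'
name: OPNsensefw
memory: 8192
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,queues=8
net1: e1000=DE:AD:BE:EF:00:02,bridge=vmbr1,firewall=1
scsi0: local-lvm:vm-100-disk-0,iothread=1,size=32G
EOF
}

# Reads a VM configuration on stdin, prints one line per NIC and
# returns 1 if any NIC deviates, 0 otherwise.
audit_nics() {
    awk '
    /^net[0-9]+:/ {
        nic = $1; sub(/:$/, "", nic)
        model = ""; mac = ""; bridge = ""; fw = "0"; queues = ""
        n = split($2, opt, ",")
        for (i = 1; i <= n; i++) {
            split(opt[i], kv, "=")
            if (i == 1)                   { model = kv[1]; mac = kv[2] }
            else if (kv[1] == "bridge")   bridge = kv[2]
            else if (kv[1] == "firewall") fw = kv[2]
            else if (kv[1] == "queues")   queues = kv[2]
        }
        problems = ""
        if (model != "virtio") problems = problems " model=" model
        if (fw != "0")         problems = problems " firewall=" fw
        if (queues != "8")     problems = problems " queues=" (queues == "" ? "unset" : queues)
        printf "%s mac=%s bridge=%s %s\n", nic, mac, bridge, (problems == "" ? "OK" : ("FAIL" problems))
        if (problems != "") bad = 1
    }
    END { exit bad + 0 }
    '
}

# On the Proxmox host (replace <vmid> with the ID of the OPNsense VM):
#   qm config <vmid> | audit_nics
```

The `mac=` and `bridge=` columns give the mapping needed in section 6.1 to decide which `vtnet` device is WAN and which is LAN.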
6. Installing OPNsense
To start the installation of OPNsense on your Proxmox environment, first, you should start the OPNsense virtual machine. To start the machine:
- Click on the `OPNsensefw` virtual machine on the node list.
- Click on the Start button.
To continue the installation of OPNsense, you should connect to the virtual machine from the Proxmox console by clicking on Console.
Figure 19. Connecting OPNsense VM console on Proxmox VE
Then, you may follow the steps listed below.
- While the system is booting, do not press any key and wait for the login prompt.
  Figure 20. OPNsense boot menu
- Login: Log in as `installer`; the default password is `opnsense`. This will start the installation process.
  info
  On OPNsense, default installer password is opnsense.
  Figure 21. OPNsense installation login prompt
- Confirmation: To confirm the installation, press Ok, let's go.
  Figure 22. Confirming the OPNsense installation
- Console configuration: Click on Accept these settings for the console. The installer will likely detect the proper keymap by default. Or you may change Keymap and Video Font as you wish.
  Figure 23. Configuring console
- Select Task: Click on Guided Installation. If you wish to do advanced partitioning or import a configuration from another OPNsense firewall, you can accomplish these settings at this step.
  Figure 24. Selecting Guided installation
- Select a Disk: Select the hard disk on which OPNsense will be installed. Be careful: all files on this disk will be deleted.
  Figure 25. Selecting disk to install OPNsense
- Selecting Install Mode: Select GPT/UEFI as the installation mode. Most modern-day systems support GPT/EFI, but if you are using an older computer, MBR may be the only option supported. You may check within the BIOS settings of your system to see if it supports EFI/GPT.
  Figure 26. Selecting installation mode for OPNsense installation on Proxmox VE
- Swap Size: Accept the recommended partition swap size by pressing Yes.
  Figure 27. Setting swap partition size
- Package Installation: Packages are installed in your system for up to ten minutes.
  Figure 28. Installing OPNsense packages
- Setting root password: You may set your root password or leave it as the default, which is `opnsense`, for now.
  Figure 29. Setting root password
- Reboot: Press Reboot to reboot your system.
- Unmount ISO image: Exit from the console and return to the Proxmox GUI.
  - Navigate to the `OPNsensefw` VM node → Hardware → CD/DVD Drive.
  - Click on Remove.
  - Confirm removing the CD/DVD Drive by clicking on Yes.
- Return to the Console of the OPNsense firewall in Proxmox VE. After the OPNsense reboot is completed, you will see the login prompt.
  Figure 30. OPNsense CLI login prompt
Now, you can complete the installation of the OPNsense on your Proxmox environment by following the next 6 main steps:
- Network Device Assignments for OPNsense Firewall
- IP Address Settings for OPNsense Firewall
- Updating OPNsense Firewall on CLI
- Accessing the OPNsense Web GUI
- Initial Configuration of the OPNsense Firewall
- Disable Network Hardware Off-loading on OPNsense Firewall
6.1. Network Device Assignments for OPNsense Firewall
By default, the system will be configured with 2 interfaces, LAN and WAN. The first network port found will be configured as LAN and the second will be WAN. However, OPNsense may not assign the network interface cards to the proper networks correctly. In that case, you must assign the network devices to the proper networks manually.
For example, in our installation, OPNsense assigned the `vtnet0` device to the LAN, and the `vtnet1` device to the WAN. But the correct configuration is vice versa: the `vtnet0` device should be assigned to the WAN, and the `vtnet1` device should be assigned to the LAN. Let's correct the network device configuration for our OPNsense.
warning
The default DHCP configuration of the network interfaces on the OPNsense firewall is as follows:
- The WAN interface works as a DHCP client and expects to be assigned an IP address.
- The LAN interface works as a DHCP server, has a static IP of 192.168.1.1/24, and offers IP addresses in the range of 192.168.1.100-200.
For network device assignments on your OPNsense firewall, you may follow the next steps given below:
- Log in as root. Then, the Options menu will be displayed on the screen.
  Figure 31. Options menu on OPNsense CLI
- Press `1` to Assign interfaces.
- VLAN configuration: The wizard will ask for the VLAN configuration. You may also configure VLAN settings on the OPNsense GUI later. Since we will not configure any VLAN now, press `n` to continue.
  Figure 32. VLAN configuration for network interfaces of OPNsense on CLI
- Setting WAN interface: The wizard will ask for the WAN interface name. Enter the name of the WAN interface and then press enter. For example, in our OPNsense system, the WAN interface name is `vtnet0`.
  Figure 33. WAN interface assignment on OPNsense CLI
- Setting LAN interface: The wizard will ask for the LAN interface name. Enter the name of the LAN interface and then press enter. For example, in our OPNsense system, the interface name is `vtnet1`.
  Figure 34. LAN interface assignment on OPNsense CLI
- Setting Optional interface: Since we do not have any other network interface, press enter to continue.
  Figure 35. Optional interface assignment on OPNsense CLI
- Confirmation: Network interface assignments will be listed. Press `y` to proceed.
  Figure 36. Confirming the network interface assignments on OPNsense CLI
All of the network interfaces on your OPNsense firewall are assigned to the proper networks.
6.2. IP Address Settings for OPNsense Firewall
After assigning the network interfaces to the corresponding networks (WAN and LAN), you should configure the IP address for the network interfaces of your OPNsense firewall.
In our OPNsense firewall, we will configure the WAN and LAN interfaces as given below.
Network | Interface name | IP assignment method | IP address |
---|---|---|---|
WAN | vtnet0 | Automatic via DHCP server | - |
LAN | vtnet1 | static | 10.10.10.1/24 |
We will enable a DHCP server for LAN on our OPNsense firewall. The DHCP server assigns IP addresses in the range 10.10.10.11-200/24 to our clients in the LAN.
For IP address settings of the OPNsense firewall you can follow the next steps:
- Select `2` in the OPNsense options menu to Set interface IP address.
  Figure 37. Setting IP address for network interface of OPNsense on CLI
- Selecting interface to configure: Available interfaces will be displayed. Press `1` to configure the LAN interface.
  Figure 38. Selecting LAN interface to configure on OPNsense CLI
- IP assignment method: The wizard will ask whether to configure IPv4 via the DHCP server. Since we will assign a static IP address manually, press `n`.
  Figure 39. Selecting IP assignment for LAN interface on OPNsense CLI
- Setting IP address: Enter the IPv4 address for the LAN interface. For example, 10.10.10.1.
  Figure 40. Setting IP address for LAN interface on OPNsense CLI
- Setting subnet mask: Enter the subnet mask for the LAN interface. For example, `24`.
  Figure 41. Setting subnet mask for LAN interface on OPNsense CLI
- Setting gateway: Press enter.
  Figure 42. Setting gateway for LAN interface on OPNsense CLI
- Setting IPv6 via WAN tracking: You may press `n`.
- Setting IPv6 via DHCPv6: You may press `n`.
  Figure 43. IPv6 settings of LAN interface on OPNsense CLI
- Setting IPv6: You may press enter.
- Enable DHCP server: To enable the DHCP server on your LAN, press `y`.
- Setting start address of the IPv4 client address range: Enter the start address of the IPv4 client address range, such as 10.10.10.11.
- Setting end address of the IPv4 client address range: Enter the end address of the IPv4 client address range, such as 10.10.10.200.
  Figure 44. Configuring DHCP server on LAN interface of OPNsense
- Enabling HTTP: By pressing `n`, you access the OPNsense GUI via the HTTPS protocol, which is secure. If you wish to use the web interface with HTTP, you may press `y`.
  Figure 45. HTTP setting for the OPNsense web GUI
- Restore web GUI defaults: Press `n`. By pressing `y`, you can access the OPNsense GUI with the default user and password.
note
Default OPNsense user: root
Default OPNsense password: opnsense
6.3. Updating OPNsense Firewall on CLI
After completing the OPNsense firewall installation on Proxmox VE, you should update your firewall. You can easily update the OPNsense system by selecting `12) Update from console` in the options menu on CLI.
Figure 46. Updating OPNsense firewall from the console
warning
Beware that some critical updates require your system to reboot.
6.4. Accessing the OPNsense Web GUI
Congratulations! You have successfully completed the installation of the OPNsense firewall. You can access the web GUI of your OPNsense firewall from a client in the LAN using a browser at `https://10.10.10.1` or `http://10.10.10.1`.
Figure 47. Login OPNsense GUI
tip
For security reasons, SSH is disabled by default and the console access is password protected on the OPNsense firewall.
When you log in to the OPNsense GUI, the Dashboard page will be displayed.
Figure 48. OPNsense dashboard
6.5. Initial Configuration of the OPNsense Firewall
To complete the initial configuration of your OPNsense firewall, you can follow the given steps below:
- Navigate to System → Wizard on the OPNsense Web GUI.
- This wizard will guide you through the initial system configuration. Click the Next button.
- You may set your hostname and domain name for your device. You may leave the Override DNS option selected. This will enable the OPNsense firewall to obtain DNS information from the ISP over the WAN interface. Then, click the Next button.
  Figure 49. Initial configuration of OPNsense
- Set the NTP server and timezone for your OPNsense firewall. If you do not have your own NTP systems, OPNsense will provide a default set of NTP server pools. Then, click the Next button.
  Figure 50. Setting NTP server and Timezone on OPNsense GUI
- You may change the WAN interface configurations or leave them as default. You should leave the RFC1918 Networks settings checked for security reasons.
  Figure 51. WAN interface configuration on OPNsense GUI
  Figure 52. RFC1918 Networks settings for WAN interface on OPNsense GUI
- You may change the LAN interface configurations or leave them as default.
  Figure 53. LAN interface configuration on OPNsense GUI
- You may change the root password or leave it as before.
  Figure 54. Setting root password on OPNsense GUI
- Click Reload to apply the changes.
- When everything is completed successfully, OPNsense will welcome the user. You can get back to the main dashboard by clicking Dashboard in the upper left corner of the web browser window.
  Figure 55. Finished initial configuration of OPNsense firewall
6.6. Disable Network Hardware Off-loading on OPNsense Firewall
Figure 56. Disabling hardware offloading on OPNsense GUI
After finishing the installation of OPNsense, you should ensure that hardware offload features are disabled on the network interfaces, because VirtIO interfaces have problems with NAT. To disable hardware offloading on the network interfaces:
- Navigate to Interfaces → Settings on the OPNsense GUI.
- Set Hardware CRC, Hardware TSO, and Hardware LRO to Disable.
- Click Save.
- Reboot the firewall.
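After the reboot, the result can be confirmed from the OPNsense shell by reading the capability list that `ifconfig` prints for each `vtnet` interface. The following is an added example, not part of the original tutorial: `offload_report` and `sample_ifconfig` are hypothetical names, the sample output is constructed, and it assumes the three GUI options correspond to the `RXCSUM`/`TXCSUM`, `TSO4`/`TSO6` and `LRO` capability names.

```shell
#!/bin/sh
# Added example: report which vtnet interfaces still advertise checksum,
# TSO or LRO offload in their ifconfig "options=" line.

# Constructed sample of FreeBSD ifconfig output (option hex values are
# illustrative). vtnet1 still has offloading enabled.
sample_ifconfig() {
cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether de:ad:be:ef:00:01
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,LRO,LINKSTATE>
        ether de:ad:be:ef:00:02
EOF
}

# Reads ifconfig output on stdin, prints one line per vtnet interface and
# returns 1 if any of them still has an offload capability enabled.
offload_report() {
    awk '
    # Interface header line, e.g. "vtnet0: flags=..."
    /^[a-z][a-z0-9_.]*: flags=/ { ifname = $1; sub(/:$/, "", ifname); next }
    # Capability line of a vtnet interface
    /^[ \t]+options=/ && ifname ~ /^vtnet/ {
        caps = $0
        sub(/^[^<]*</, "", caps)
        sub(/>.*$/, "", caps)
        n = split(caps, cap, ",")
        on = ""
        for (i = 1; i <= n; i++)
            if (cap[i] ~ /^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)/)
                on = on (on == "" ? "" : ",") cap[i]
        if (on == "") {
            print ifname " offload-disabled"
        } else {
            print ifname " offload-enabled " on
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# On the firewall:  ifconfig | offload_report
```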