OPNsense Firewall Installation on Proxmox VE - zenarmor.com (2024)

OPNsense is a FreeBSD-based open source firewall distribution. OPNsense, a fork of pfSense, was released in 2015. In addition to the Firewall, there are DHCP servers, DNS servers, VPNs, and other services available. Especially Zenarmor os-sensei plugin which provides application control and web filtering features is very useful for the administrators to protect their networks against cyberattacks. It can be installed on a physical server as well as a virtual machine.

Proxmox VE is an excellent open-source enterprise virtualization platform built on Debian Linux.

You can easily manage VMs and containers, highly available clusters, and integrated disaster recovery tools using the integrated web-based user interface. PVE has a significant advantage over other virtualization solutions in terms of simplicity. Even inexperienced users can set it up and install it in minutes. Most importantly, because it runs on Debian, all Linux experience is required.

OPNsense runs well in a KVM-based VM running on a Proxmox VE server. In this OPNsense installation on the Proxmox VE tutorial, we will explain why you should install OPNsense and walk you through a basic installation of OPNsense 21.1 to get you started by following the next steps given below:

1. Checking hardware requirements of OPNsense firewall
2. Downloading OPNsense image
3. Uploading OPNsense ISO File to Proxmox VE
4. Creating a Virtual Machine on Proxmox VE
5. Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE
   1. Creating Linux Bridge
   2. Adding Network Devices to OPNsense VM on Proxmox
6. Installing OPNsense
   1. Network Device Assignments for OPNsense Firewall
   2. IP Address Settings for OPNsense Firewall
   3. Updating OPNsense Firewall on CLI
   4. Accessing the OPNsense Web GUI
   5. Initial Configuration of the OPNsense Firewall
   6. Disable Network Hardware Off-loading on OPNsense Firewall

Why You Should Install OPNsense​

By installing the OPNsense firewall to protect your network, you will get the following benefits of the OPNsense.

• OPNsense has significant advantages over competitors, such as forward caching proxy, traffic shaping, intrusion detection, and simple OpenVPN client setup.

• OPNsense's robust and dependable update mechanism enables it to provide critical security updates on time.

For more information about the OPNsense features, please refer to the Best Open Source Firewalls article.

1. OPNsense Hardware Requirements​

Before installing the OPNsense firewall, you should verify the hardware requirements for the installation. You can review the requirements located on the official website. OPNsense is available for x86-64 (amd64) bit microprocessor architectures. Although OPNsense supports a wide range of devices from embedded systems to rack-mounted servers, the hardware must be capable of running 64-bit operating systems.

Minimum hardware requirements of OPNsense​

At the time of the writing, minimum requirements are given as below. If you install OPNsense on a device with these specifications, you can not use features that require disk writes, e.g. a caching proxy (cache) or intrusion detection and prevention.

Table 1: Minimum hardware requirements

Reasonable hardware requirements of OPNsense​

If you install OPNsense on a device with these specifications, you can use every standard feature of the OPNsense. However, you may encounter some problems with high loads or lots of users.

Table 2: Reasonable hardware requirements

Recommended hardware requirements of OPNsense​

If you install OPNsense on a device with these specifications, you can use every standard feature of the OPNsense without any problem.

Table 3: Recommended hardware requirements

Virtual environment requirements​

To install the OPNsense on a virtual environment such as Proxmox VE or Virtual Box, minimum hardware requirements are given below:

Table 4: Minimum hardware requirements for virtual environment

Throughput of OPNsense​

The primary hardware components involved in the OPNsense configuration include the CPU, RAM, mass storage (disk), and the quantity and quality of network ports. The throughput of OPNsense for different setups are given in the following table.

Table 5. OPNsense Throughput

Intel� network interface devices (NIC) for LAN connections are reliable, fast, and error-free, as stated in the FreeBSD hardware-lists and -recommendations. Intel chipset NICs provide increased throughput while reducing the CPU burden.

Now that you've checked if your system is compatible with OPNsense, let's get started with the OPNsense setup guide.

OPNsense Hardware Examples for Different Use Cases​

In the following table we give OPNsense hardware configuration samples for different applications or use cases.

Table 6. OPNsense Hardware Examples for Different Use Cases

2. Downloading OPNsense image​

Now, you can go to the official OPNsense Download page. Installing OPNsense on a virtual machine can be done by using the DVD ISO image. So, download the DVD ISO image from the OPNsense mirror site which is closest to you.

Figure 1. Downloading OPNsense DVD ISO file

After downloading the bzip compressed ISO file (OPNsense-21.1-dvd-amd64.iso.bz2), uncompress it to your local disk.

3. Upload OPNsense ISO File to Proxmox VE​

To start the installation of the OPNsense on the Proxmox environment, you must upload the OPNsense ISO image from your local disk to the Proxmox node. You can easily upload the ISO file to your Proxmox VE system by following the next instructions.

1. Connect your Proxmox VE Web interface(such as https://192.168.0.100:8006) using your favorite browser and log in as root.

2. Navigate to Datacenter → pve/node → local disk (pve) → ISO Images

   

   Figure 2. Uploading OPNsense ISO image to Proxmox VE node

3. Click the Upload button.

4. Select the OPNsense ISO image from your local disk to upload.

   

   Figure 3. Selecting OPNsense ISO image from local disk to upload Proxmox VE

5. Click the Uploadbutton.

4. Creating a Virtual Machine on Proxmox VE​

After uploading the OPNsense ISO image to the Proxmox VE, we will create a Virtual Machine for our OPNsense firewall. To create a virtual machine on Proxmox, you should follow the next steps given below.

1. Click on the blue Create VM button in the upper right-hand corner of the Proxmox VE web UI.

2. Enter a name for your virtual machine, such as OPNsensefw. Then, click Next

   

   Figure 4. Naming the OPNsense VM on Proxmox

3. Select the OPNsense ISO image under the OS tab, and then click Next.

   

   Figure 5. Selecting OPNsense ISO to install on Proxmox VE as an OS

4. You may accept the default settings on the System tab by clicking Next.

   

   Figure 6. System settings of the OPNsense VM on Proxmox

5. Set the Hard Disk size as you wish. We recommend enabling the IO threadwhich should improve IO performance by giving the disk its Datacenter worker thread.

   

   Figure 7. Setting Hard disk size as 32 GB for OPNsense on Proxmox VE

6. Set the CPU configuration as you wish.

   

   Figure 8. CPU settings for OPNsense firewall on Proxmox VE

7. Set the Memorysize as you wish.

   

   Figure 9. Setting Memory size 8 GB for OPNsense firewall on Proxmox

8. Set Multiqueue to 8 which will allow the BSD kernel to negotiate the optimal value with Proxmox VE in the Network configuration. We will cover this configuration for our topology deeply later.

   

   Figure 10. Network configuration of OPNsense VM on Proxmox VE

9. Confirm the OPNsense virtual machine configuration by clicking on the Finish button.

   

   See Also

   General User Interface — OPNsense documentationInitial Installation & Configuration — OPNsense documentationVirtualizing pfSense Software with VMware vSphere / ESXiHow to Install OPNsense on AWS? - zenarmor.com

   Figure 11. Confirming the OPNsense virtual machine configuration

5. Setting Network Configuration of the OPNsense Virtual Machine on Proxmox VE​

In this tutorial, we will configure two physical NICs for our OPNsense firewall. These NICs will be used and configured for the following purposes

• WAN Connection: Internet connection/Untrusted zone.

• LAN Connection: Clients and servers are placed in this trusted zone.

You may complete network configuration of the OPNsense Virtual Machine on Proxmox VE by following the next 2 steps:

1. Creating Linux Bridge
2. Adding Network Devices to OPNsense VM on Proxmox

5.1. Creating Linux Bridge​

To be able to define 2 network interfaces for the OPNsense virtual machine, firstly we must create Linux bridge devices on the Proxmox device.

To create a Network Bridge follow the next steps.

1. Navigate to Data center → pve → Network.

   

   Figure 12. Viewing the network devices of the Proxmox VE

2. Click on the Create button. This will pop up the Linux Bridge configuration window.

3. You may leave the name as default such as vmbr1. Enter IPv4/CIDR address and Bridge ports (Network devices name seen on Network configuration window, such as ens3f0). Then, click on the Create button.

   

   Figure 13. Creating a Linux bridge on the Proxmox VE

4. Click on the Apply Configuration button or Reboot the Proxmox device to start to use new Linux bridges.

Now, you have two Linux Bridges as seen in the Figure below.

Figure 14. Viewing the network devices of the Proxmox VE

5.2. Adding Network Devices to OPNsense VM on Proxmox​

It is time to add a network device that will be used for LAN connections.

To add a new network interface to the OPNsense virtual machine on Proxmox you can follow these steps.

1. Navigate to the Data center → pve → OPNsensefw VM → Hardware → Add.

2. Click on Network Device.

   

   Figure 15. Adding NIC to OPNsense VM on Proxmox VE

3. Select the Linux Bridge such as vmbr1.

   

   Figure 16. Selecting Linux bridge for a NIC

4. Select Model as VirtlO(paravirtualized).

   

   Figure 17. Setting model for a network device of OPNsense VM on Proxmox VE

5. Uncheck Firewall option.

6. Set Multiqueue to 8.

7. Click the Add button

After finishing the network configuration of the OPNsense virtual machine on Proxmox, you should see the Hardware configuration for the OPNsense VM similar to the following figure.

Figure 18. Hardware configuration of the OPNsense VM on Proxmox VE

Now, your OPNsense firewall has 2 different physical interfaces ready to connect to different networks, Internet and LAN respectively.

6. Installing OPNsense​

To start the installation of the OPNsense on your Proxmox environment, first, you should start the OPNsense virtual machine. To start the machine,

1. Click on the OPNsensefw virtual machine on the node list.

2. Click on the Start button.

To continue the installation of the OPNsense, you should connect the virtual machine from the Proxmox console by clicking on the Console.

Figure 19. Connecting OPNsense VM console on Proxmox VE

And then, you may follow the steps listed below.

1. While the system is booting do not press any key and wait for the login prompt.

   

   Figure 20. OPNsense boot menu

2. Login: Login as installer and the default password is opnsense. This will start the installation process.

   info

   On OPNsense, default installer password is opnsense.

   

   Figure 21. OPNsense installation login prompt

3. Confirmation: To confirm the installation press Ok, let's go.

   

   Figure 22. Confirming the OPNsense installation

4. Console configuration: Click on the Accept these settings for the console. The installer likely will detect the proper keymap by default. Or you may change Keymap and Video Font as you wish.

   

   Figure 23. Configuring console

5. Select Task: Click on the Guided Installation. If you wish to do advanced partitioning or import a configuration from another OpnSense firewall, you can accomplish these settings at this step.

   

   Figure 24. Selecting Guided installation

6. Select a Disk: Select the hard disk on which OPNsense will be installed. Be careful that all files on this disk will be deleted.

   

   Figure 25. Selecting disk to install OPNsense

   See Also

   Virtual Machines and VPNs in 2024: How Do They Work Together?

7. Selecting Install Mode: Select GBT/UEFI as an installation mode. Most modern-day systems support GPT/EFI but if you are using an older computer, MBR may be the only option supported. You may check within the BIOS settings of your system to see if it supports EFI/GPT.

   

   Figure 26. Selecting installation mode for OPNsense installation on Proxmox VE

8. Swap Size: Accept the recommended partition swap size by pressing Yes.

   

   Figure 27. Setting swap partition size

9. Package Installation: Packages are installed in your system for up to ten minutes.

   

   Figure 28. Installing OPNsense packages

10. Setting root password: You may set your root password or left as default which is opnsense for now.

    

    Figure 29. Setting root password

11. Reboot: By pressing the Reboot, you should reboot your system.

12. Unmount ISO image: Exit from the console and return to the Proxmox GUI.

    • Navigate to the OPNsensefw VM node → Hardware → CD/DVD Drive.
    • Click on the Remove.
    • Confirm removing the CD/DVD Drive by clicking on Yes.

13. Return to the Console of the OPNsense firewall in Proxmox VE. After the OPNsense reboot is completed, you will see the login prompt.

    

    Figure 30. OPNsense CLI login prompt

Now, you can complete the installation of the OPNsense on your Proxmox environment by following the next 6 main steps:

1. Network Device Assignments for OPNsense Firewall
2. IP Address Settings for OPNsense Firewall
3. Updating OPNsense Firewall on CLI
4. Accessing the OPNsense Web GUI
5. Initial Configuration of the OPNsense Firewall
6. Disable Network Hardware Off-loading on OPNsense Firewall

6.1. Network Device Assignments for OPNsense Firewall​

By default, the system will be configured with 2 interfaces LAN & WAN. The first network port found will be configured as LAN and the second will be WAN. However, OPNsense may not assign the network interface cards to the proper networks correctly. Then, you must assign the network devices to the proper networks manually.

For example, in our installation, OPNsense assigned the vtnet0 device to the LAN, and vtnet1 device to the WAN. But, the correct configuration is vice versa. While the vtnet0 device should be assigned to the WAN, vtnet1 device should be assigned to the LAN. Let's correct the network device configuration for our OPNsense.

For network device assignments on your OPNsense firewall, you may follow the next steps given below:

1. Log in as root. Then, the Options menu will be displayed on the screen.

   

   Figure 31. Options menu on OPNsense CLI

2. Press 1 to Assign interfaces.

3. VLAN configuration: Wizard will ask for the VLAN configuration. You may also configure VLAN settings on OPNsense GUI later. Since we will not configure any VLAN now, Press n to continue.

   

   Figure 32. VLAN configuration for network interfaces of OPNsense on CLI

4. Setting WAN interface: Wizard will ask for the WAN interface name. Enter the name of the WAN interface and then press enter. For example, in our OPNsense system, the WAN interface name is vtnet0.

   

   Figure 33. WAN interface assignment on OPNsense CLI

5. Setting LAN interface: Wizard will ask for the LAN interface name. Enter the name of the LAN interface and then press enter. For example, in our OPNsense system, the nterface name is vtnet1.

   

   Figure 34. LAN interface assignment on OPNsense CLI

6. Setting Optional interface: Since we do not have any other network interface press enter to continue.

   

   Figure 35. Optional interface assignment on OPNsense CLI

7. Confirmation: Network interface assignments will be listed. Press y to proceed.

   

   Figure 36. Confirming the network interface assignments on OPNsense CLI

All of the network interfaces on your OPNsense firewall are assigned to the proper networks.

6.2. IP Address Settings for OPNsense Firewall​

After assigning the network interfaces to the corresponding networks (WAN and LAN), you should configure the IP address for the network interfaces of your OPNsense firewall.

In our OPNsense firewall, we will configure the WAN and LAN interfaces as given below.

We will enable a DHCP server for LAN on our OPNsense firewall. The DHCP server assigns the IP address in range 10.10.10.11-200/24 for our clients in LAN.

For IP address settings of the OPNsense firewall you can follow the next steps:

1. Select 2 in the OPNsense options menu to Set interface IP address.

   

   Figure 37. Setting IP address for network interface of OPNsense on CLI

2. Selecting interface to configure: Available interfaces will be displayed. Press 1 to configure the LAN interface.

   

   Figure 38. Selecting LAN interface to configure on OPNsense CLI

3. IP assignment method. Wizard will ask to configure the IPv4 via the DHCP server. Since we will assign a static IP address manually Press n.

   

   Figure 39. Selecting IP assignment for LAN interface on OPNsense CLI

4. Setting IP address: Enter the IPv4 address for the LAN interface. For example, 10.10.10.1.

   

   Figure 40. Setting IP address for LAN interface on OPNsense CLI

5. Setting subnet mask: Enter the subnet mask for the LAN interface. For example, 24.

   

   Figure 41. Setting subnet mask for LAN interface on OPNsense CLI

6. Setting gateway: Press enter.

   

   Figure 42. Setting gateway for LAN interface on OPNsense CLI

7. Setting IPv6 via WAN tracking: You may press n.

8. Setting IPv6 via DHCPv6: You may press n.

   

   Figure 43. IPv6 settings of LAN interface on OPNsense CLI

9. Setting IPv6: You may press enter.

10. Enable DHCP server: To enable DHCP server on your LAN, press y.

11. Setting start address of the IPv4 client address range: Enter the start address of the IPv4 client address range such as 10.10.10.11.

12. Setting end address of the IPv4 client address range: Enter the end address of the IPv4 client address range such as 10.10.10.200.

    

    Figure 44. Configuring DHCP server on LAN interface of OPNsense

13. Enabling HTTP: pressing n you may access the OPNsense GUI via HTTPS protocol which is secure. If you wish to use the web interface with HTTP you may press y.

    

    Figure 45. HTTP setting for the OPNsense web GUI

14. Restore web GUI defaults. Press n. By pressing y you can access the OPNsense GUI with default user and password.

6.3. Updating OPNsense Firewall on CLI​

After completing the OPNsense firewall installation on Proxmox VE, you should update your firewall. You can easily update the OPNsense system by selecting 12) Update from console in the options menu on CLI.

Figure 46. Updating OPNsense firewall from the console

6.4. Accessing the OPNsense Web GUI​

Congratulations! You have successfully completed the installation of the OPNsense firewall. You can access the web GUI of your OPNsense firewall from a client in LAN using a browser. https://10.10.10.1 or http://10.10.10.1.

Figure 47. Login OPNsense GUI

When you log in OPNsense GUI, the Dashboard page will be displayed.

Figure 48. OPNsense dashboard

6.5. Initial Configuration of the OPNsense Firewall​

To complete the initial configuration of your OPNsense firewall, you can follow the given steps below:

1. Navigate to the System → Wizard on OPNsense Web GUI.

2. This wizard will guide you through the initial system configuration. Click the Next button.

3. You may set your hostname and domain name for your device. You may leave the Override DNS option selected. This will enable the OpnSense firewall to obtain DNS information from the ISP over the WAN interface. Then, click the Next button.

   

   Figure 49. Initial configuration of OPNsense

4. Set NTP server and timezone for your OPNsense firewall. If you do not have your own NTP systems, OpnSense will provide a default set of NTP server pools. Then, click the Next button.

   

   Figure 50. Setting NTP server and Timezone on OPNsense GUI

5. You may change the WAN interface configurations or leave them as default. You should leave RFC1918 Networks settings as checked for security reasons.

   

   Figure 51. WAN interface configuration on OPNsense GUI

   

   Figure 52. RFC1918 Networks settings for WAN interface on OPNsense GUI

6. You may change the LAN interface configurations or leave it as default.

   

   Figure 53. LAN interface configuration on OPNsense GUI

7. You may change the root password or leave it as before.

   

   Figure 54. Setting root password on OPNsense GUI

8. Click Reload to apply the changes.

9. When everything is completed successfully, OpnSense will welcome the user. You can get back to the main dashboard, by clicking Dashboard in the upper left corner of the web browser window.

   

   Figure 55. Finished initial configuration of OPNsense firewall

6.6. Disable Network Hardware Off-loading on OPNsense Firewall​

Figure 56. Disabling hardware offloading on OPNsense GUI

After finishing the installation of the OPNsense, you should ensure that hardware offload features are disabled on the network interfaces. Because VirtIO interfaces have problems with NAT. To disable the hardware offloading on the network interface,

• Navigate to Interfaces → Settings on OPNsense GUI.

• Set Hardware CRC, Hardware TSO, and Hardware LRO to Disable.

• Click Save.

• Reboot the firewall.