Install OPNsense

OPNsense is an open source firewall that offers functions similar to commercial firewalls. However, it can be run on a whole range of hardware.

Hardware requirements

For an installation recommendations are:

processor1.5 GHz 64-bit multi-core CPU (4+ cores)
Image outputserial console or VGA video
Network connections4

Installation media

Installation media are available at However, some of these cannot be installed as a boot medium. Since OPNsense is based on FreeBSD, it can also be installed using the FreeBSD memstick and the OPNsense bootstrap.

To do this, the installation medium for the FreeBSD Memstick version must be downloaded and prepared as a USB boot medium. The correct FreeBSD version must be used for the desired OPNsense version:

OPNsense versionFreeBSD version

FreeBSD installation

The FreeBSD installation begins with the choice between installing it and using it as a shell or live CD.

With the selection of “Install” the configuration of the installation begins, initially with the selection of the keyboard layout.

After selecting the desired assignment, it can be tested with “Test default keymap”. If the selection is correct, the configuration is continued with “Continue with default keymap”.

The next step is to enter the network name of the computer under which OPNsense can be reached.

The distribution is selected in the next step and should be made with the selected standard values.

The next step is to configure the distribution of the storage media. There are basically two file systems available, UFS or ZFS. ZFS should be preferred here so that there are no inconsistencies in the event of power failures.

To set up the ZFS pool, the desired system disk must be selected.

This is done under “T Pool Type / Disks”. First with the desired RAID level. If only one storage medium is available, “stripe” must be selected.

Then the desired plate can be selected. And then continue with “OK” and “Install”. A warning follows that all data on the selected target drive will be deleted.

The actual installation then begins with the confirmation.

Once all the necessary installation steps have been carried out, the root password is requested.

The network configuration follows. First of all, the appropriate interface has to be selected

and the configuration with the protocol selection follows

and the DHCP or static IP configuration.

The following are the DNS servers,

the time zone,

as well as the current date are requested.

The required services conclude; these should be used with the standard setting.

Likewise, other settings for the security configuration.

Further logins do not have to be configured here, as this basic installation will be replaced by OPNsense in the further course.

The installation ends with the confirmation on “Exit – Apply configuration and exit installer”

and the system is restarted.

After restarting and logging in, OPNsense is installed via the FreeBSD shell.

The actual installation of OPNsense takes place via the bootstrap mentioned above using the following 3 commands.

pkg install ca_root_nss
sh ./ -r 21.7

This will download and install a number of packages.

After the installation, a restart takes place and the system reboots into the OPNsense shell with OPNsense as the operating system.

You can log in here with “root” as the login and “opnsense” as the password and you can access the console’s configuration menu.

Before the further configuration can be continued via the browser, 2 settings must be made here.

  1. The definition of the network interfaces, as well
  2. the IP address of the management port must be configured so that it can then be accessed via a browser.

For the configuration of the network interfaces, at least 2 interfaces must be available at this time, which can be configured as LAN or WAN.

The configuration takes place via option 1 “Assign interfaces” and leads to the following figure.

This lists the available interfaces and assigns the respective interfaces to the functions LAN, WAN and MGNT. First, you are asked whether VLANs should be created. In most cases this can be answered with no.

This is followed by the query for the WAN and the LAN interface, here one of the previously issued names can be used, or the interface can be assigned using “auto-detection” (a) and removing and reconnecting the network cable. If the first port em0 is defined as WAN and the second em1 as LAN, the following picture emerges. The corresponding services are configured with the confirmation.

In the command line that then appears, the two interfaces are visible with their IP.

This post is also available in: German English

Leave a Reply