How to install the OPNsense firewall on a hardware appliance

In this article, I will guide you step by step through installing OPNsense on one of the devices that you can order from Aliexpress. If you search for the phrase “pfsense”, you’ll get a list of different vendors and products.

In my case, I’ve ordered a fanless Topton device based on the N5105 Celeron processor that comes with 4x 2.5 Gigabit Intel NICs. The appliance is powerful enough to serve a small company with low power consumption.

Specification:

 

Model: https://it.aliexpress.com/item/1005004501531656.html

Watch the hardware review from ServeTheHome channel:

 

STEP1: PREPARE INSTALLATION MEDIA

Find a USB stick with more than 4 GB of space that can be erased in the next installation steps.

STEP2: DOWNLOAD OPNSENSE IMAGE

The OPNsense installation file can be obtained from the official OPNsense download page. You can choose the system architecture based on your CPU, the image type and the mirror location. For an installation from a USB stick, proceed as follows:

  • Select vga image type for USB installation

  • Select the fastest mirror for your location

  • Click Download button.

 
 

 

STEP3: UNPACK THE FILE

The file is usually bzip2-compressed, so before writing the image to the installation media, unpack it first so that you have only the .IMG file.

From the GUI, 7Zip is recommended on Windows. On Linux, use PeaZip.

Alternatively, use the Linux command:

bunzip2 OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2

STEP4: WRITE THE IMG TO THE INSTALLATION MEDIA

On Windows, the easiest way is to use an app called Rufus.

On Linux, you can flash the image via a GUI using Balena Etcher or Popsicle.

 

Example settings with RUFUS.


Alternatively use a command line on Linux. To write the OPNsense image to a USB drive on a Linux system, run the following command.

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16k

Where X is the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX). Ignore the warning about trailing garbage; it is caused by the digital signature.

For example, assuming the USB stick is /dev/sdb:

dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/sdb bs=16k
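
Before unpacking and writing the image in steps 2 to 4, check the download against the SHA-256 checksum file published with it and confirm that the dd target really is the USB stick. The script below is an added example, not part of the original article or of OPNsense's own tooling; the function names, the accepted checksum-file formats and the SYSFS_ROOT and MOUNTS_FILE overrides are assumptions for illustration, and it targets Linux with sha256sum.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names, SYSFS_ROOT and
# MOUNTS_FILE are illustrative assumptions; Linux with coreutils sha256sum.

# expected_sha256 IMAGE CHECKSUM_FILE: print the digest listed for IMAGE.
# Accepts BSD style "SHA256 (name) = hex" and GNU style "hex  name".
expected_sha256() {
    awk -v n="$(basename "$1")" '
        $1 == "SHA256" && $2 == ("(" n ")") { print tolower($4); exit }
        length($1) == 64 && ($2 == n || $2 == ("*" n)) { print tolower($1); exit }
    ' "$2"
}

# verify_image IMAGE CHECKSUM_FILE: return 0 only if the digests match.
verify_image() {
    local want got
    want=$(expected_sha256 "$1" "$2")
    [ -n "$want" ] || { echo "no checksum entry for $1" >&2; return 1; }
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# safe_target DEV: return 0 only if DEV is flagged removable by the kernel and
# neither it nor any of its partitions is mounted. Conservative: a USB SSD that
# reports removable=0 is refused and must be checked by hand (lsblk).
safe_target() {
    local dev sys
    dev=$1
    sys="${SYSFS_ROOT:-/sys}/block/$(basename "$dev")"
    [ -r "$sys/removable" ] || return 1
    [ "$(cat "$sys/removable")" = "1" ] || return 1
    ! grep -q "^$dev" "${MOUNTS_FILE:-/proc/mounts}"
}

# Usage (file names as in the article; /dev/sdX is a placeholder):
#   verify_image OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2 <checksum file> \
#     && bunzip2 OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2 \
#     && safe_target /dev/sdX \
#     && dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/sdX bs=16k
```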

STEP5: MAKE CHANGES ON YOUR APPLIANCE BIOS

Connect your external monitor and keyboard (you will only need to do that for initial configuration). Turn on the appliance and check if it runs correctly and there are no warnings presented in BIOS.

Most appliances come with default settings that are enough for OPNsense to boot properly. If the appliance needs to work as a reliable router/firewall, consider setting the AC power loss option to always ON. This way, if the router loses power, it will boot automatically once the power is back, without any physical action.

When the appliance boots up, hit DEL to enter the BIOS. Look for Advanced > Hardware Monitor > Restore AC power loss and change it to Power ON.

 

STEP6: INSTALL OPNSENSE FROM INSTALLATION MEDIA

 

Boot the device and wait until OPNsense autoboots.

 
 
The autoboot takes around 2-3 minutes. Don’t make any changes until you get the prompt for user credentials. Then log in with user installer and password opnsense to begin the install process.
 
 
Choose the keymap according to your keyboard layout.
 
 
You can use UFS or ZFS for the partition. ZFS is recommended for more reliability. Select it and continue.
 
 
If you have 2 disks, you can configure them in RAID; otherwise use the Stripe setting.
 
 
Choose the HDD/SSD drive:
 
 
Allow the installer to wipe the existing data on the drive.
 
 
The installation starts.
 
 
In the last step, choose Complete Install (the default password can be changed later).
 
 
The appliance will reboot itself from the SSD disk. Please remove the USB installation media.
 
 
Wait until the firewall has rebooted. You will notice below that the ports on the appliance were not assigned properly by the auto-assignment function. We will log in via the console using login root and password opnsense, so we can adjust the interfaces to better reflect our hardware ports.
 
 
Choose Option 1: Set interfaces and hit Enter
 
 
The hardware appliance that we use has 4x NIC/GB ports that we can assign to OPNsense:
 
 
  • ETH0 (em0) – WAN interface, here we connect our ISP cable. This is our connection to the public Internet
  • ETH1 (em1) – LAN1 interface
  • ETH2 (em2) – LAN2 interface
  • ETH3 (em3) – LAN3 interface
 
Assign the ports in this order:
 
  • Do you want to configure LAGGS now? (y/N): n
  • Do you want to configure VLANS now? (y/N): n
  • WAN INTERFACE: em0
  • LAN INTERFACE: em1
  • OPTIONAL INTERFACE: em2
  • OPTIONAL INTERFACE: em3
 
 
Confirm assignment:
 
 
After changes you will see the ports:
 
WAN – gets a public IP from your ISP
LAN – uses default 192.168.1.0/24 subnet
 

 

STEP7: INITIAL CONFIGURATION VIA GUI

Now connect your PC to the LAN1 port and browse to the default https://192.168.1.1 address for initial configuration using a browser. 

Default credentials:

  • login: root
  • password: opnsense

After you log in, a Wizard should open for the initial configuration of the system. If not, navigate to System -> Wizard in the OPNsense Web GUI.

Choose:

  • Hostname: name of the router
  • Domain: local domain name
  • Primary DNS: 1.1.1.3 (Cloudflare)
  • Secondary DNS: 9.9.9.9 (QUAD9)

I recommend leaving the default settings below as they are.

Initial configuration of OPNsense

Leave the NTP server as it is and adjust your time zone.

You may change the WAN interface configuration or leave it as default. You should leave the RFC1918 Networks settings checked for security reasons.

NOTE: In the MAC ADDRESS field you can clone the MAC address of another device and use it to overwrite the one on the WAN interface.

You can leave the MTU on auto or change it to 1500 so it will use jumbo frames.

WAN interface configuration on OPNsense GUI

RFC1918 Networks settings for WAN interface on OPNsense GUI

You may change the LAN interface configuration or leave it as default.

I strongly recommend avoiding the default subnet at all costs and picking a unique subnet from the private range, e.g. 192.168.60.1-192.168.254.1.

Click on Next. You may change the root password from the default ‘opnsense’.

Click Reload to apply the changes.

When everything has completed successfully, OPNsense will welcome the user. You can get back to the main dashboard by clicking Dashboard in the upper left corner of the web browser window.

Source:

Alternatively, you’ll find a lot of tutorials on YouTube that can guide you through the installation:
