This guide will walk you through the basic steps to install and set up OPNsense on Proxmox VE as a virtual machine (VM), allowing you to utilize its functionality.
I’ll be using OPNsense version 23.1 and Proxmox VE version 7.3-3.
Step1: Download OPNsense DVD ISO
Open https://opnsense.org/download/ to download the ISO image for OPNsense. Make sure that you choose the DVD download.

After the ISO has been downloaded, open the Proxmox web interface for the next steps.
Step2: Upload the ISO to Proxmox VE
- Login to Proxmox VE via a web browser.
- From the left menu, expand the ‘Datacenter’ and server node dropdowns.
- Select local storage, select ‘ISO Images’, and click ‘Upload’

- Click ‘Select File’ and select the OPNsense ISO, then click ‘Upload’
Linux Bridges need to be assigned to network interfaces before creating the VM.
Step3: Create Linux Bridges to Use As Network Interfaces
By default, Proxmox VE will create Linux Bridge ‘vmbr0’ connected to the WAN port.
On this example hardware running the Proxmox hypervisor, ETH0 is the port for the Proxmox Management Console. To give the firewall VM its own physical ports, we need to assign WAN and LAN to other free physical ports.

- On the Proxmox VE dashboard, select the server node. Select System > Network
- Click ‘Create‘ and select ‘Linux Bridge‘
- Name the interface, and designate a Bridge port. (The Bridge port must be named after a physical port)

- In this example, vmbr1 will bridge with enp2s0 to act as our WAN
- This will be connected to the modem’s ethernet port

- We will bridge vmbr2 with enp3s0, this will act as our LAN
- Connecting this ethernet cable to your PC will allow access to OPNsense web GUI

Now that the Linux Bridges are configured, the VM can be created.
Step4: Create an OPNsense VM
For basic VM creation use the following configuration, leaving all unspecified fields at their default values.
Click on Create VM located at the top right of the web GUI

Continue to System Tab:
Leave defaults

Continue to Disks:
For Bus/Devices: select ‘VirtIO Block‘
For Disk size (GiB): select at least 8GB.

- Continue to CPU tab:
- For Sockets: select ‘1‘
- For Cores: select at least 1
- For Type: select ‘host‘

Set memory to 4096 MB

Add WAN bridge interface created earlier:

- Continue to Confirm tab:
- Verify your settings and select ‘Finish‘
The VM is created, now the Linux Bridge for LAN must be added.
*Note: Additional information about VM creation can be found in [Proxmox VE Documentation].
Step5: Add the LAN Linux Bridge to OPNsense VM
- Choose your OPNsense VM, located under your server node dropdown.
- Select OPNsense VM > Hardware > Add > Network Device

- For Bridge: Select your LAN Linux Bridge (‘vmbr2‘ in this example)
- For Model: Select VirtIO (paravirtualized)
- Click Add

WAN and LAN are now set up and ready to use with OPNsense.
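The NIC order chosen in Steps 4 and 5 decides which bridge OPNsense sees as vtnet0 and vtnet1 during the interface assignment in Step 6, so it is worth checking before the first boot. The following is an added example, not part of the original guide: `QM_CONFIG` is a constructed sample of `qm config <vmid>` output, the function names are hypothetical, and it assumes vtnet devices are numbered in net0, net1, ... order.

```shell
#!/bin/sh
# Added example. QM_CONFIG is a constructed sample of `qm config <vmid>` output
# for the VM built in Steps 4-5; the MAC addresses are made up.
QM_CONFIG='boot: order=virtio0;ide2;net0
cores: 1
cpu: host
memory: 4096
net0: virtio=BC:24:11:00:00:01,bridge=vmbr1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr2
sockets: 1
virtio0: local-lvm:vm-100-disk-0,size=8G'

# nic_map CONFIG -> "vtnetN bridge" per VirtIO NIC, in netN order.
# Assumption: OPNsense numbers vtnet devices in the same order as net0, net1, ...
nic_map() {
    printf '%s\n' "$1" |
        sed -nE 's/^net([0-9]+): virtio=[^,]*,bridge=([^,]+).*/\1 \2/p' |
        sort -n | awk '{ printf "vtnet%d %s\n", NR - 1, $2 }'
}

# check_roles CONFIG WAN_BRIDGE LAN_BRIDGE MGMT_BRIDGE
# Succeeds only if vtnet0 sits on the WAN bridge, vtnet1 on the LAN bridge,
# and no firewall NIC shares the bridge used for the Proxmox management console.
check_roles() {
    map=$(nic_map "$1")
    wan=$(printf '%s\n' "$map" | awk '$1 == "vtnet0" { print $2 }')
    lan=$(printf '%s\n' "$map" | awk '$1 == "vtnet1" { print $2 }')
    [ "$wan" = "$2" ] || { echo "vtnet0 is on '$wan', expected WAN bridge $2"; return 1; }
    [ "$lan" = "$3" ] || { echo "vtnet1 is on '$lan', expected LAN bridge $3"; return 1; }
    if printf '%s\n' "$map" | awk -v m="$4" '$2 == m { f = 1 } END { exit !f }'; then
        echo "a firewall NIC is attached to management bridge $4"; return 1
    fi
    echo "ok: vtnet0=$wan (WAN) vtnet1=$lan (LAN)"
}

# Bridges as named in this guide: vmbr1 = WAN, vmbr2 = LAN, vmbr0 = management.
check_roles "$QM_CONFIG" vmbr1 vmbr2 vmbr0
```

On the Proxmox host, replace the sample with `QM_CONFIG=$(qm config <vmid>)`.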
Step6: Start and install OPNsense VM
To start the VM and begin the installation process:

OPNsense will begin booting. During boot, OPNsense displays a timed prompt: “Press any key to start the manual interface assignment: ”
- When asked whether you want to configure LAGGs now, input ‘n’
- When asked whether you want to configure VLANs now, input ‘n’
Valid interfaces will be displayed. OPNsense will name the Linux Bridges we set up earlier as vtnet0 and vtnet1; use these to configure OPNsense.
- For the WAN interface: enter vtnet0
- For the LAN interface: enter vtnet1
- Press ‘Enter‘ once more to finish adding interfaces
- Input ‘y‘ when ready to proceed.

- When prompted to log in, use credentials:
- login: installer
- password: opnsense
- Press Enter to Continue with default keymap

- Use the arrow keys to select ZFS install
- Press Enter to continue

- Select ‘Stripe‘
- Press Enter

- Use the spacebar to select the drive
- Press Enter
- If the drive is not selected with the spacebar, the installation will fail.

- Select Yes to write OPNsense to the VM partition
- This will use the storage space designated when the VM was created.
Allow the installer to wipe the existing data on the drive.

The installation starts.

At the last step, choose Complete Install (the password can be changed later from the default one).

Step7: Access Web GUI and configure
Now connect your PC to the LAN (ETH2) port and open the default address https://192.168.1.1 in a browser for the initial configuration.
Default credentials:
- login: root
- password: opnsense

After you log in, a Wizard should open for the initial configuration of the system. If not, navigate to System -> Wizard in the OPNsense Web GUI.
Choose:
- Hostname: name of the router
- Domain: local domain name
- Primary DNS: 1.1.1.3 (Cloudflare)
- Secondary DNS: 9.9.9.9 (QUAD9)
I recommend leaving the default settings below as they are.

Leave the NTP server as it is and adjust your time zone.

You may change the WAN interface configuration or leave it at the defaults. Leave the RFC1918 Networks settings checked for security reasons.
NOTE: In the MAC address field, you can clone the MAC address of another device and apply it to the WAN interface.
You can leave the MTU on auto or change it to 1500 so it will use jumbo frames.


You may change the LAN interface configuration or leave it at the defaults.
I strongly recommend avoiding the default subnet at all costs and finding a unique subnet from the private range, e.g. 192.168.60.1-192.168.254.1

Click on Next. You may change the root password from the default ‘opnsense’.

Click Reload to apply the changes.
When everything is completed successfully, OPNsense will welcome the user. You can get back to the main dashboard by clicking Dashboard in the upper left corner of the web browser window.

Step8: OPNsense performance optimization for Proxmox KVM VM
The first recommended change is to turn off hardware offloading under Interfaces > Settings in OPNsense.
Then go to System > Firmware > Status and check for the latest updates. Upgrade all outdated packages.
After the upgrade, select the Firmware > Plugins tab, search for the qemu-guest-agent plugin and click Add. This will install additional KVM-compatible drivers on OPNsense.
OPNsense Tunables (sysctl)
Follow the recommendations below to achieve the best level of performance when running OPNsense on Proxmox.
Most changes follow the FreeBSD Network Performance Tuning guide.
Go to System > Settings > Tunables and make the following changes.
If a setting isn’t listed, you can add a new tunable, for example:
TUNABLES:
hw.ibrs_disable=1
This is a CPU-related tunable that controls IBRS, the mitigation for the Spectre V2 vulnerability; setting it to 1 turns that mitigation off on the firewall. A lot of people suggested that disabling it was helpful for performance.
net.isr.maxthreads=-1
This uncaps the number of CPUs which can be used for netisr processing. By default this aspect of the network stack on FreeBSD seems to be single threaded. This value of -1 for me resulted in 24 threads spawning (for my 24 CPUs).
net.isr.bindthreads = 1
This binds each of the ISR threads to 1 CPU core, which makes sense to do since we are launching one per core. I’d guess that doing this will reduce interrupts.
net.isr.dispatch = deferred
Per this GitHub thread, it seems that changing this tunable to “deferred” or “hybrid” is required to make the other net.isr tunables.
net.inet.rss.enabled = 1
This enables Receive Side Scaling. It didn’t come from the tuning guide either; it came from an OPNsense forum thread. In a nutshell, RSS is another feature to improve parallel processing of network traffic on multi-core systems.
net.inet.rss.bits = 6
This side scaling tunable was also taken from the same forum thread. Set the value to 6, as it seems the optimal value is the number of CPU cores divided by 4. I have 24 cores, so 24/4=6. Your value should be based on the number of CPU cores on your OPNsense virtual machine.
kern.ipc.maxsockbuf = 614400000
I grabbed this from the FreeBSD Network Performance Tuning Guide; this was their recommended value if you have 100Gbps network adapters. The default value that came shipped with my OPNsense installation corresponded with the guide’s value for 2Gbps networking. I decided that since I may want to expand in the future, I would increase this to this absurd level so I don’t have to deal with this again. You may want to set a more rational value; 16777216 should work for 10Gbps. The guide linked above goes into what this value does and other values it affects in great detail.
net.inet.tcp.recvbuf_max=4194304
net.inet.tcp.recvspace=65536
net.inet.tcp.sendbuf_inc=65536
net.inet.tcp.sendbuf_max=4194304
net.inet.tcp.sendspace=65536
These TCP buffer settings were taken from the FreeBSD Network Performance Tuning Guide. I didn’t look into them too deeply, but they were all equivalent or larger buffers than what came shipped on OPNsense, so I rolled with it. The guide explains more about how these values can help improve performance.
net.inet.tcp.soreceive_stream = 1
Also from the tuning guide, this enables an optimized kernel socket interface which can significantly reduce the CPU impact of fast TCP streams.
net.pf.source_nodes_hashsize = 1048576
This increases the PF firewall hash table size to allow more connections in the table before performance deteriorates.
net.inet.tcp.mssdflt=1240
net.inet.tcp.abc_l_var=52
These tunables are intended to improve efficiency while processing IP fragments. There are slightly more aggressive values you can set here too, but it seems these are the safer values, so I went with them.
net.inet.tcp.minmss = 536
This configures the minimum segment size, or smallest payload of data which a single IPv4 TCP segment will agree to transmit, aimed at improving efficiency.
kern.random.fortuna.minpoolsize=128
This isn’t related to the network at all, but it was a value recommended by the tuning guide to improve the RNG entropy pool. Since I am doing VPN stuff on this system, I figure more RNG is better.
net.isr.defaultqlimit=2048
This value originated from a Reddit thread. It was quickly added during the last batch of tunables that finally pushed me over the edge in terms of performance, and I decided I’d leave it even if it wasn’t doing anything meaningful. Increasing queuing values seems to have been a theme of the tuning overall.
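To confirm that the tunables entered above are what the kernel actually uses, the list can be compared with `sysctl` output. The following is an added example, not part of the original guide: `WANT` is a subset of the list above in its mixed `name=value` / `name = value` form, `HAVE` is constructed `sysctl` output, and `audit_tunables` is a hypothetical helper name. It assumes a requested value of -1 is reported by the kernel as the resolved number (the guide saw 24 threads), so that case is shown rather than compared.

```shell
#!/bin/sh
# Added example. WANT: tunables as written in this guide (subset).
# HAVE: constructed `sysctl` output in FreeBSD's "name: value" form.
WANT='hw.ibrs_disable=1
net.isr.maxthreads=-1
net.isr.bindthreads = 1
net.isr.dispatch = deferred
net.inet.rss.enabled = 1
net.inet.rss.bits = 6
net.inet.tcp.soreceive_stream = 1'

HAVE='hw.ibrs_disable: 1
net.isr.maxthreads: 24
net.isr.bindthreads: 1
net.isr.dispatch: direct
net.inet.rss.enabled: 1
net.inet.rss.bits: 6'

# audit_tunables WANT HAVE -> one line per wanted tunable:
#   OK      live value matches
#   DRIFT   live value differs (not applied, or overridden elsewhere)
#   MISSING the kernel did not report this name
#   AUTO    -1 was requested; assumption: the kernel reports the resolved
#           value instead of -1, so it is printed and not compared
audit_tunables() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]*=[[:space:]]*/=/' |
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$2" |
            awk -F': ' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then echo "MISSING $name want=$want"
        elif [ "$want" = "-1" ]; then echo "AUTO $name have=$have"
        elif [ "$want" = "$have" ]; then echo "OK $name=$have"
        else echo "DRIFT $name want=$want have=$have"
        fi
    done
}

# On the firewall: HAVE=$(sysctl hw.ibrs_disable net.isr net.inet.rss net.inet.tcp)
audit_tunables "$WANT" "$HAVE"
```

An `OK hw.ibrs_disable=1` line confirms that the Spectre V2 mitigation is switched off, which is worth recording alongside the performance settings.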
Maciej Zytowiecki
Network security expert with a deep passion for wireless networks, networking and data security. When I'm not working, you'll find me diving into hobby projects, contributing to open-source initiatives, or enjoying hands-on experiments with cutting-edge tech. My goal is to bridge the gap between complex concepts and accessible knowledge, making the world of network security both intriguing and approachable for all.