How to Install OPNsense Firewall for Your Home Lab


We will begin this journey with an install of the OPNsense firewall solution. OPNsense is an open source firewall solution that is available free for personal and small business use. This “next-gen” firewall includes features like VPN, intrusion detection and prevention, and even two-factor authentication.

I also like this solution because the interface is clean, and easy to use. The goal is to get a firewall in place for our Home Lab, and then have some flexibility to add on features later. OPNsense is a great tool to do this. Follow along and we will get our network protected and ready to go!

I am installing this on a physical device. This is optional. If you wish to do this install as a virtual machine, you absolutely can. Just skip the section about using Rufus to burn the IMG to a flash drive, and you can pick it up there. I talk about how to spin up a virtual machine in ESXi here, and you can use these same instructions to get OPNsense set up in a VM. If you aren’t familiar with configuring different port groups in ESXi to be able to assign the VM multiple NICs, you can follow these instructions here.


Also, because this is an open source project and is free, please consider donating. There is so much value to the community to support and maintain Open Source software projects. Every donation helps, so even small ones are appreciated.

Donation to OPNsense project
DISCLAIMER

Please understand that the content herein is for informational purposes only. This existence and contents shall not create an obligation, liability or suggest a consultancy relationship. In further, such shall be considered as is without any express or implied warranties including, but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services that the specific functions of the services or its reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk. This article may contain affiliate links for which I may make a small amount of money should you use them.

Project List

  1. Download and Install vSphere (ESXi)
  2. Install and Configure OPNsense Firewall
  3. Download and Install Windows Server 2022
  4. Download and Install FreeNAS or Configure Synology (TBD)
  5. Install Windows Server and Configure Veeam Backup Server
  6. Install Windows Server and Configure ManageEngine Patch Manager
  7. Download and Configure MFA solution (Duo or KeyCloak)
  8. Evaluate Home Lab against initial requirements list
  9. Write Lessons Learned Blog post
  10. Plan Next Steps for Home Lab including Expansion

Table of Contents

Download OPNsense Firewall & Burn to USB
Install OPNsense Firewall on our Device
Configure Base Settings
Conclusion

Download OPNsense Firewall & Burn to USB

Before we can install OPNsense firewall, we need to download it and burn the image to a USB.

  1. Navigate to Download – OPNsense® to download the image. Choose a mirror that is closest to your location.
  2. Once the file is downloaded, we need to confirm the file hash matches what is indicated on the website. This helps prevent you from falling victim to a man-in-the-middle attack. In the File Explorer navigation bar, erase what you see there, and type ‘powershell.exe’ to open PowerShell in this location. Alternatively, you can open PowerShell and navigate to that directory using normal methods.
  3. In PowerShell, type ‘Get-FileHash filename’ where filename is the name of the file that was downloaded to this location. Compare this value to the SHA256 hash value on the website. If it matches, then you know you have a good file.
  4. Once the file is confirmed good, navigate to the file, and extract it using 7-Zip. This should leave you with a .IMG file in the location you chose.
  5. Once the file is extracted, insert a USB flash drive into the PC, and open Rufus to burn the image to the flash drive. Select the flash drive, and choose the .IMG file as your image. Leave everything else as default, and hit START.
  6. Indicate yes that you want to overwrite anything on the flash drive, and accept any default options it asks during the process.
  7. Once it is finished imaging, eject the flash drive from your PC, and insert it into the firewall device.
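
The hash comparison from steps 2 and 3 can be scripted so that a mismatch is not missed by eye. This is an added example, not part of the original post: the function name `Test-DownloadHash` is hypothetical, the checksum line format `SHA256 (name) = digest` is an assumption, and the demo file and digests are constructed for illustration.

```powershell
# Added example, not from the original post. Function name is hypothetical.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Bare hex digest, or a line like: SHA256 (file.img.bz2) = <digest>
        # (that line format is an assumption about what was copied)
        [Parameter(Mandatory)] [string] $Published
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Extract exactly 64 hex characters from whatever was pasted.
    $m = [regex]::Match($Published, '(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])')
    if (-not $m.Success) { throw 'No 64-character SHA256 digest in the published value.' }

    # If the pasted line names a file, it must be the file being checked.
    $leaf  = Split-Path -Leaf $Path
    $named = [regex]::Match($Published, '\(([^)]+)\)')
    if ($named.Success -and $named.Groups[1].Value -ne $leaf) {
        throw "Checksum is for '$($named.Groups[1].Value)', not '$leaf'."
    }

    # Get-FileHash defaults to SHA256; it is stated explicitly here.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        File     = $leaf
        Expected = $m.Value.ToUpperInvariant()
        Actual   = $actual
        Match    = ($actual -eq $m.Value)   # -eq on strings ignores case
    }
}

# Constructed demo: a 3-byte file containing "abc", whose SHA256 is well known.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'demo-image.img.bz2'
[IO.File]::WriteAllBytes($demo, [Text.Encoding]::ASCII.GetBytes('abc'))
$good = 'SHA256 (demo-image.img.bz2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
$bad  = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ae'

(Test-DownloadHash -Path $demo -Published $good).Match   # published digest is correct
(Test-DownloadHash -Path $demo -Published $bad).Match    # last hex digit altered
Remove-Item -LiteralPath $demo
```

For the real download, pass the path of the downloaded file and paste the value shown on the website as `-Published`; only extract and flash the image when `Match` is true.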

Configure the Install Settings for OPNsense

  1. Insert the flash drive into a USB slot on the firewall device. You will also need a keyboard and monitor for the one I purchased since it is a fanless mini-PC. Boot to the flash drive. You should see the welcome menu. It should count down, and start the basic configuration on its own, no interaction necessary.
  2. Watch the installer as it goes. It will ask you to “Press any key to start the manual interface assignment”. This is on a timer, so press a key as soon as you see it. It will ask if you want to configure LAGGs and VLANs. Say no to both of those as we can configure those at a later date.
  3. It will ask you to indicate which is the WAN interface. Plug your WAN (Internet) cable into the first port on the device (the physical port says eth0 for me). Type the name of the first valid interface to assign this to the WAN (igc0 in my case).
  4. Plug an Ethernet cable into the second port on the device. Assign the LAN interface to the second interface in the list (igc1 in my case).
  5. On the next interface, leave it blank and hit enter to stop assigning interfaces. We can do the rest from the GUI later.

Install OPNsense Firewall on our Device

  1. After you confirm the interfaces, it will run through assigning the appropriate settings and configurations. When it is finished, it will let you know it is ready, and can be installed. We still need to install this to the drive on the actual device. When you see the login screen, log in with the following default credentials to install to a drive.
    • Username: installer
    • Password: opnsense
  2. Once you are logged in, it will load up a new screen and ask you about a keymap. If the standard QWERTY keyboard is what you are familiar with, hit enter to leave it as default. Otherwise, choose your preferred option, and hit enter to continue.
  3. The next page will ask you to choose a task to perform. We want to install a file system, so choose UFS or ZFS. In general, both will work. UFS is a little less resource intensive, so if you have limited resources on a physical machine or virtual machine, stick with UFS. Otherwise, ZFS is a little more reliable with power outages and crashes, so if you have the available resources, choose ZFS. In this case I chose UFS, but either is fine.
  4. Whether you chose ZFS or UFS, the next screen will ask you to choose a disk. Choose the locally installed disk, not the USB flash drive the installer is running from. Choose next to continue.
  5. Choose ‘YES’ on the recommended swap partition. Then confirm you want to wipe the drive and overwrite all data.
  6. Once the installation is complete, you will be presented with a final screen. Be sure to change your root password from the default password. Choose a nice strong password to protect your firewall. Then choose Exit and Reboot.
  7. You will then see a screen confirming the installation is complete. Once all is finished, you can remove the boot media, and let the firewall reboot. Be sure not to leave the installer in as it may boot to the flash drive again. Once it is finished, it should take you back to the login screen. Now it is time to access the firewall via the web interface so we can run through the first time setup wizard.

Configure Base Firewall Settings

Now that our initial installation is complete, we will set up the base settings to get us started. You have to make sure you are behind the firewall on this, so it is easiest if you are plugged directly into that second ethernet port we configured as LAN. Later this will go to your switch, but for the initial configuration, this will be easiest.

  1. In a web browser, navigate to https://192.168.1.1. You should see a certificate warning, as it only has a self-signed certificate. This is normal. Choose advanced, and continue anyway. Once past this screen, log in with the username root and the password you created during setup. Upon logging in, you should be greeted by the System Wizard: General Setup page.
  2. Click next on the page, and fill out your General Information. If you don’t have a domain yet, it is fine to leave it default. We can change it later. Choose a primary and secondary DNS server (1.1.1.1 is Cloudflare and 9.9.9.9 is Quad9). Hit Next when ready.
  3. On the next screen, choose the time zone where the firewall will reside. Having accurate time is important for everything to stay in sync. Leave the NTP pools listed unless you have a specific NTP pool you wish to use. Hit next when you are ready.
  4. Leave the next page default, and hit Next again. When you see the root password option, you can either change the password or leave it as you have it. If you didn’t change it before, now is the time to make it something secure. Hit next when you are ready.
  5. Finally, you are finished. Now your firewall is officially up and running, and is now protecting your Home Lab. It isn’t doing much since we haven’t configured anything beyond the basics, but we have enough to get started. There is one step left before we wrap this up.
  6. On that final page, choose ‘Check for updates’. If you already dismissed that page, navigate to System > Firmware > Updates. You can check for updates here. Install all available updates, and allow it to reboot.

That is it! We have installed and configured the basic firewall for our environment, and are ready to move on to bigger and better configurations. Nice job!

Conclusion

So there you have it. The first line of defense for the home lab is up and running. Now we can begin to build everything else from here so that it is connected and protected. In this lab, we plan on using our firewall as our main source of time, DNS, and more. We will also plan on configuring IDS/IPS, look at a VPN connection, and plan on enforcing other security options as they come up.

I hope you find value in this series. It is helpful for me to go through these things writing as I go. It helps me remember the steps, and document my journey as I build a new home lab for myself. As always, I’m open to suggestions, and willing to update this as I go, so if you have suggestions on what I missed, please let me know.

As always, hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
