Installing OPNsense

Completed project View Finished product

Overview

This is a continuation of my Protectli OPNsense Router Project series. Head over to Part 1 - Project Overview for a complete overview of the project.

I’ll cover how to install OPNsense. For complete (and up-to-date) instructions and hardware requirements for installing OPNsense, head over to: https://opnsense.org/users/get-started/.

Generally, any recent (10 years old or less) Intel or AMD processor with 2GB of RAM and 16GB of hard drive storage is suitable. If it can run Windows 10, it should, for the most part, run OPNsense. The more important component is the network card. I always try to get Intel-based network cards because they have better driver support in FreeBSD, the OS that OPNsense is based on. I rocked FreeBSD as my main desktop until 5.x. Glad we’re past that, was some rough waters.

Here we walk through the following steps:

  • Downloading the OPNsense installer image
  • Verifying the download integrity
  • Extracting the downloaded file
  • Writing the image to a USB flash drive
  • Installing the OPNsense operating system

Download OPNsense

Download OPNsense directly from the OPNsense website at https://opnsense.org/download/.

Be aware that the latest installation media does not always correspond with the latest released version. OPNsense installation images are provided on a regular basis together with major versions in January and July. You WILL need to install updates once the install is complete.

Select the version that best matches your target hardware. I’m selecting amd64 and dvd.

Verify File Integrity

opnsense checksum page

On the download page you should see the SHA256 checksum. This is a fingerprint of the file. If the file has been altered in any way, the fingerprint will change. This could be through a bad actor or a bad download. The checksum can be validated easily in Windows or Linux/Unix with a quick command.

Windows

You can use Windows PowerShell to calculate the SHA-256 checksum for a file.

  1. Open Windows PowerShell. (To do this, type PowerShell in the Windows Start menu command box.)
  2. Type "Get-FileHash " followed by a space.
  3. Drag the downloaded .bz2 file onto the Windows PowerShell window after the Get-FileHash command.
    • This inserts the path after the command, so it looks like the following:
    • PS C:\Users\UserName> Get-FileHash C:\Users\UserName\Downloads\OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2
  4. Compare the hash string PowerShell gives you with the hash string on the OPNsense website. If they match, your image is valid.

PowerShell 7.3.4
PS C:\Users\wwtw> get-filehash C:\Users\wwtw\Downloads\OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          F25C10113EF1EA13C031FC6102F8E6CAF73A7296B12BCC287670026CAB29C7C7       C:\Users\wwtw\D

PS C:\Users\wwtw>

Linux

The process on Linux is similar to the one on Windows.

  1. Open a terminal window.
  2. Type sha256sum followed by a space and the file name.
  3. Compare the hash string that sha256sum prints on the left with the hash string on the OPNsense website. If they match, your image is valid.

kevin@WWTW-01:~$ sha256sum OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2
f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7  OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2
kevin@WWTW-01:~$

Extract the Download

Linux

bunzip2 (filename). This will take a minute or two.

kevin@WWTW-01:~$ bunzip2 OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

Windows

Download and install 7-Zip from https://www.7-zip.org/. Select the 64-bit x64 .exe file. (Unfortunately, they do not provide a file hash here.)

Once installed, right-click the OPNsense bz2 file and select 7-Zip, then Extract Here. This will take a minute or two.

7-zip extract menu
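
The verify and extract steps above, combined into one script as an added example (not from the original post); it is written in Python so the same file runs on Windows and Linux. The function names are illustrative, and the published digest can be pasted as the bare value, a Get-FileHash row or a sha256sum line.

```python
import bz2
import hashlib
import re
import shutil
import sys
from pathlib import Path

HEX64 = re.compile(r"\b[0-9A-Fa-f]{64}\b")


def normalize_digest(pasted: str) -> str:
    """Pull the SHA-256 value out of pasted text: the website value, a
    Get-FileHash row (upper case) or a sha256sum line (lower case + name)."""
    found = HEX64.findall(pasted)
    if len(found) != 1:
        raise ValueError("expected exactly one 64-character hex digest")
    return found[0].lower()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so a large image never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_and_extract(archive, published: str) -> Path:
    """Decompress archive (.bz2) only if its SHA-256 equals the published one."""
    archive = Path(archive)
    if archive.suffix != ".bz2":
        raise ValueError("expected a .bz2 archive")
    expected, actual = normalize_digest(published), sha256_file(archive)
    if actual != expected:
        raise ValueError(f"SHA-256 mismatch: got {actual}, expected {expected}")
    target = archive.with_suffix("")  # image.iso.bz2 -> image.iso
    # Mode "xb" refuses to overwrite an existing file of the same name.
    with bz2.open(archive, "rb") as src, open(target, "xb") as dst:
        shutil.copyfileobj(src, dst)
    return target


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("extracted to", verify_and_extract(sys.argv[1], sys.argv[2]))
    else:
        print('usage: verify_image.py FILE.bz2 "DIGEST or pasted hash line"')
```

A match only ties the file to the published value, so copy that value from the OPNsense download page rather than from wherever the file was served.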

Write the image to a USB flash drive

Linux

dd  if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k

where X is the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX). Ignore the warning about trailing garbage; it is because of the digital signature.

Windows

Lots of solutions exist for making bootable flash drives or a bootable CD. If you have something you prefer, use it. If not, use Rufus.

https://rufus.ie/en/

You have two options: Rufus or Rufus portable. Portable does not need to be installed; click and run. Delete the Rufus exe file when you’re finished. If you use this utility often, install it on the system so you don’t need to hunt for it every time you need it.

Upon opening Rufus you have several options:

  • Device: USB memory flash drive you wish to write to
  • Boot Selection: Image you want to write (click the select button to open the file manager)
  • Partition scheme: Leave this alone
  • Target system: For these Protectli computers use BIOS or UEFI
    • If you’re unsure choose BIOS
  • Volume label: I leave this alone; some ISOs will write this for you and expect a specific label for install

Rufus main View Example Settings - I’m going to erase an old Ubuntu installer

Installing the operating system

We are now ready to install OPNsense on the hardware. Connect a USB keyboard, HDMI (use the one near the serial port), boot media you created above, and the 12v power supply.

Press the power button on the left.

Front of PC View

BIOS Boot View

Boot process View

The system should boot from the USB flash drive.

More boot process View

Do not set interfaces here, this is the installer.

Login CLI View

You will be prompted to provide a username and password. To invoke the installer, log in with user “installer” and password “opnsense”.

installer keymap View

Press enter to use the default keymap.

installer tasks View

Press enter to use UFS.

disk select View

Select your target install location. You should see two, the boot media you created and the SSD. The name will vary depending on the model and size.

installer erase hard drive message

Press enter to create a swap partition.

Installer create swap

Select Yes and press enter to format the hard drive and begin the installation.

Installer progress

The installer will prep the drive and install the needed files. You don’t need to do anything until it completes.

Installer change password

Press enter to set a password or select complete install to use the defaults. The default credentials after a fresh install are username “root” and password “OPNsense”. Remove the flash drive.

System rebooting

Let the system autoboot.

Bootloader message

If you know the interface numbers, they can be assigned here, otherwise just leave this alone to assign them later. The system will auto assign interfaces.

system booting

The default credentials after a fresh install are username “root” and password “OPNsense”. At this point, connect a computer to the LAN interface and type the listed IP address into a browser window. In this case you would type 192.168.1.1 into the browser address bar.

Configuring the system

First login

Dashboard

You should be looking at a dashboard after you log in.

interfaces list

Interfaces

Select interfaces and assignments from the left menu.

To create an interface, select from the available hardware in the New Interface drop-down and click the orange plus sign to the right. Do not worry about the NAME for now, we will change these later. We are assigning the MAC address/hardware name to the OPNsense interface name.

Warning:
Do not delete or mess with the LAN interface! This is how you’re configuring the system.

Assign as follows:

  • WAN - Port labeled WAN on the case. For me this was igb0.
    • WAN is used for wired internet access, primary or backup connectivity.
  • LAN – Port labeled LAN on the case. For me this was igb1.
    • LAN is used for local network access
  • OPT1 – Create this if you want, assign port labeled OPT1 on the case, igb2
    • OPT1 is unused
  • OPT2 – Create this if you want, assign port labeled OPT2 on the case, igb3
    • OPT2 is unused
  • WANLTE – Create this, assign the LTE card, ue0
    • WANLTE is used as primary or backup connectivity.

Tip:
To find which interface matches which label, plug another device into each port one at a time. OPNsense should show the interface as up.

IP Addresses

configure IP screen

Select interfaces and LAN. Since we’re using WireGuard to connect this router to another router, we need to use non-overlapping subnets.

For example: 10.74.74.0/24 does not overlap with 10.99.99.0/24.

Choose a subnet for LAN, OPT1, OPT2 (if you’re using these interfaces) and the WireGuard tunnel. If the other side (the remote location this router connects to) already has IP addresses assigned, don’t overlap any of those subnets either. Write all these down so you can refer back to what goes where.

Where you use private IP addresses (RFC 1918), be sure to uncheck “Block private networks”. Block bogon is mostly unimportant for our configuration; I prefer to uncheck it and manage this via firewall rules.
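
An added example (not from the original post) that checks a written-down subnet plan before it goes into the router: it reports overlapping pairs, including ones with different prefix lengths that are easy to miss by eye, and names any subnet that falls outside RFC 1918. The interface names and every value in PLAN other than the two /24s from the example above are constructed.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_plan(plan: dict) -> dict:
    """Name -> IPv4Network. Strict parsing raises ValueError when host bits
    are set (10.74.74.1/24), a common slip when copying an interface address."""
    return {name: ipaddress.IPv4Network(cidr, strict=True)
            for name, cidr in plan.items()}


def find_overlaps(plan: dict) -> list:
    """Every pair of names whose subnets share at least one address."""
    nets = parse_plan(plan)
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def outside_rfc1918(plan: dict) -> list:
    """Names whose subnet is not fully inside an RFC 1918 block."""
    return [name for name, net in parse_plan(plan).items()
            if not any(net.subnet_of(block) for block in RFC1918)]


# Constructed plan: the two /24s are the page's example, the rest is made up.
PLAN = {
    "LAN": "10.74.74.0/24",
    "REMOTE_LAN": "10.99.99.0/24",
    "WG_TUNNEL": "10.74.0.0/16",   # too wide: swallows LAN
    "OPT1": "172.32.10.0/24",      # looks private, but 172.16/12 ends at 172.31
}

if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN))
    print("not RFC 1918:", outside_rfc1918(PLAN))
```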

Caution:
If you change the LAN IP and save, the IP address used to access this management interface will change to that IP.

Tip:
My specific use case for this router was to remotely monitor equipment. The equipment being monitored is not IPv6 capable so this proof of concept had it disabled. I use a philosophy of, if you don’t actively use it, turn it off.

enable interfaces

Interface Labels

Correct the labels and disable any interfaces you’re not using.

label interfaces

Enable WAN and the LTE interface. I named them WIREDWAN and WANLTE to make it easy for someone behind me to understand what is what.

In my case both WIREDWAN and WANLTE have the same configuration. Enabled, DHCP on IPv4, disable IPv6, “Block private networks” and “Block bogon networks” are both unchecked.

With the interfaces set up, you can now connect the router to any internet-connected network.

interfaces LTE status

Here I have an IP from the LTE interface.

interfaces WIREDWAN status

The WAN reports no carrier because I haven’t plugged in the cable.

You should have connectivity for the operating system (depending on the interface used); you might not have connectivity for anything else. In any case, let’s set up the gateways. Afterward, we will configure the firewall to allow traffic. The OPNsense firewall blocks everything by default.

This post is already crazy long, so I’m going to end it here and pick it up in another post.

Part 6 - Configuring OPNsense Multi-WAN
