OPNsense Firewall Configuration
OPNsense is a free, open-source firewall built on FreeBSD that provides advanced security features including stateful firewalling, VPN support, intrusion detection, traffic shaping, and web filtering. OPNsense is a community fork of pfSense that emphasizes user-friendliness, transparency, and regular security updates. This guide covers installation, core firewall configuration, rule management, NAT setup, VPN connectivity, IDS/IPS integration, package installation, and high availability features.
Table of Contents
- System Requirements
- Installation
- Initial Configuration
- Firewall Rules
- Aliases and Rule Management
- NAT Configuration
- VPN Configuration
- IDS/IPS Integration
- Traffic Shaping
- High Availability
- Plugins
- Conclusion
System Requirements
OPNsense requires specific hardware specifications for optimal performance:
- 64-bit Intel or AMD processor (2+ cores minimum, 4+ recommended)
- 2 GB RAM minimum (4 GB+ for production)
- 4 GB disk space (larger for high-traffic or caching)
- 2+ network interfaces (one for WAN, one for LAN)
- VT-x/AMD-V support for virtualization
- Dedicated hardware or virtual machine
Installation
Download OPNsense from https://opnsense.org/download/
For bare metal installation, create a bootable USB:
wget https://mirror.opnsense.org/releases/22.7/OPNsense-22.7-OpenSSL-dvd-amd64.iso
sudo dd if=OPNsense-22.7-OpenSSL-dvd-amd64.iso of=/dev/sdX bs=4M conv=fsync
For virtual machine installation (KVM):
qemu-img create -f qcow2 opnsense.qcow2 4G
Boot from the USB or ISO. The installer presents these options:
- Continue with default keymap
- Accept the FreeBSD license
- Select installer type (Guided UFS, Guided ZFS)
- Partition selection (Auto, Manual)
- Reboot after completion
After installation, the system presents a console menu:
Welcome to OPNsense!
Options:
1. Assign interfaces
2. Set interface IP address
3. Reset webConfigurator password
4. Reset to factory defaults
5. Reboot system
6. Halt system
7. Ping host
8. SSH session
9. Update system
10. Restore a backup
11. Recover from GEOM corruption
0. Exit to shell
Initial Configuration
Begin configuration through the console and web interface.
Assign network interfaces:
Select option 1 at the console:
Do you want to configure interface bridging first?
(no): no
Valid interface names are: em0 em1 em2
Configure WAN interface - press ENTER if not present
em0 = WAN
em1 = LAN
ig0 = (not present)
em2 = (not present)
Enter the WAN interface name: em0
Enter the LAN interface name: em1
Configure IP addresses:
Select option 2:
Enter interface name (default = LAN):
Address (default = dhcp):
Subnet bits (default = 24):
IPv6 address (or press ENTER for none):
IP address = 192.168.1.1
Subnet = 24
IPv6 = none
Enable DHCP server on LAN = yes
Set WAN IP:
Enter interface name: WAN
Address (dhcp or static): 203.0.113.1
Subnet bits: 24
Gateway: 203.0.113.254
Reset web interface password:
Select option 3:
New root password: your-secure-password
Confirm: your-secure-password
Access the web interface at https://192.168.1.1:
curl -k https://192.168.1.1/
Login with:
- Username: root
- Password: (the password you set)
Firewall Rules
Create and manage firewall rules through the web interface.
Access firewall rules:
Firewall → Rules → WAN/LAN/Other
Create a rule to allow HTTP/HTTPS from LAN:
Firewall → Rules → LAN
Click "Add" button
Action: Pass
Interface: LAN
Direction: in
Address Family: IPv4
Protocol: TCP
Source: LAN net
Destination: any
Destination Port Range: From HTTP (80) To HTTPS (443)
Description: Allow HTTP/HTTPS
Save and Apply Changes
Create rules with more granular control:
Firewall → Rules → LAN
Click "Add"
Action: Pass
Quick: checked (first matching rule wins; evaluation stops there)
Interface: LAN
Direction: in
Address Family: IPv4
Disabled: unchecked
Log: checked (log matching packets)
Protocol: TCP/UDP
Source: Single host or Network
Destination: Single host or Network
Destination Port Range: Port or range
Save and Apply Changes
Create blocking rules:
Firewall → Rules → WAN
Click "Add"
Action: Block
Log: checked
Protocol: TCP
Destination Port: 445 (SMB)
Source: any
Destination: WAN net
Description: Block SMB from Internet
Save and Apply Changes
Reorder rules by dragging:
Firewall → Rules → [Interface]
Drag rules to reorder (rules are evaluated top to bottom)
Click "Apply Changes"
View real-time rule matching:
Diagnostics → System Logs → Firewall
Shows all rule matches with source/destination/port information
Aliases and Rule Management
Create aliases for easier rule management and maintenance.
Create network aliases:
Firewall → Aliases
Click "Add"
Name: INTERNAL_NETWORKS
Type: Network(s)
Content: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
Description: All internal networks
Save and Apply Changes
Create port aliases:
Firewall → Aliases
Click "Add"
Name: WEB_PORTS
Type: Port(s)
Content: 80 443 8080 8443
Description: Common web service ports
Save and Apply Changes
Create IP aliases:
Firewall → Aliases
Click "Add"
Name: TRUSTED_HOSTS
Type: Host(s)
Content: 192.168.1.10 192.168.1.11 192.168.1.12
Description: Trusted server IPs
Save and Apply Changes
Use aliases in rules:
Firewall → Rules → LAN
Click "Add"
Source: INTERNAL_NETWORKS (select from dropdown)
Destination Port: WEB_PORTS (select from dropdown)
Destination: TRUSTED_HOSTS (select from dropdown)
Manage aliases:
Firewall → Aliases
List shows all defined aliases
Click edit icon to modify
Click trash icon to delete
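The two sections above (rule ordering with "Quick", and aliases used inside rules) can be checked before touching a production box. The following script is an added example, not OPNsense code: it reproduces pf's matching semantics as OPNsense applies them (top-to-bottom evaluation, a quick rule stops at the first match, non-quick rules let a later match override, and no match means the implicit default block) over the aliases and rules entered in the text. The LAN network 192.168.1.0/24 and the test packets are constructed. It also makes one caveat visible: a Destination Port Range entered as From 80 To 443 matches every port in between, so a packet to port 389 passes the "Allow HTTP/HTTPS" rule as well.

```python
"""Model of how OPNsense (pf) evaluates a rule list over a packet.

Added example, not code from the OPNsense project. Aliases and rules mirror
the GUI entries in the guide; the LAN network and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Aliases exactly as entered in Firewall -> Aliases (space separated content).
ALIASES = {
    "INTERNAL_NETWORKS": "192.168.0.0/16 10.0.0.0/8 172.16.0.0/12",
    "WEB_PORTS": "80 443 8080 8443",
    "TRUSTED_HOSTS": "192.168.1.10 192.168.1.11 192.168.1.12",
    "LAN net": "192.168.1.0/24",   # the interface network, constructed value
}

def expand_networks(spec):
    """Resolve an alias name, CIDR or single host into ip_network objects."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    text = ALIASES.get(spec, spec)
    return [ipaddress.ip_network(t, strict=False) for t in text.split()]

def expand_ports(spec):
    """Resolve an alias name, a single port or an 'a-b' range into a set of ports."""
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for token in ALIASES.get(spec, str(spec)).split():
        lo, _, hi = token.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))   # range is inclusive
    return ports

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str
    dst: str
    dport: str
    description: str
    quick: bool = True     # GUI rules are quick unless the box is unchecked
    log: bool = False

def matches(rule, pkt):
    """pkt is (proto, src_ip, dst_ip, dst_port)."""
    proto, src, dst, dport = pkt
    return (
        rule.proto in ("any", proto)
        and any(ipaddress.ip_address(src) in n for n in expand_networks(rule.src))
        and any(ipaddress.ip_address(dst) in n for n in expand_networks(rule.dst))
        and dport in expand_ports(rule.dport)
    )

def evaluate(rules, pkt):
    """Decide the way pf does: a quick rule wins on first match, otherwise the
    last matching rule wins; with no match the default is block."""
    decision = ("block", "default deny")
    for r in rules:
        if matches(r, pkt):
            decision = (r.action, r.description)
            if r.quick:
                break
    return decision

# The LAN rule set from the guide, in GUI order (top to bottom).
LAN_RULES = [
    Rule("pass", "tcp", "LAN net", "any", "80-443", "Allow HTTP/HTTPS"),
    Rule("pass", "tcp", "INTERNAL_NETWORKS", "TRUSTED_HOSTS", "WEB_PORTS", "Alias rule"),
]

if __name__ == "__main__":
    for pkt in [("tcp", "192.168.1.50", "93.184.216.34", 443),
                ("tcp", "192.168.1.50", "93.184.216.34", 389),   # inside 80-443
                ("tcp", "10.2.3.4", "192.168.1.10", 8443),
                ("udp", "192.168.1.50", "8.8.8.8", 53)]:
        print(pkt, "->", evaluate(LAN_RULES, pkt))
```

To see the difference the "Quick" checkbox makes, put a pass rule above a block rule that covers the same traffic: with quick unchecked on both, the later block rule decides; with quick checked on the pass rule, the block rule is never consulted.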
NAT Configuration
Configure Network Address Translation for traffic manipulation.
Configure outbound NAT:
Firewall → NAT → Outbound
Click "Add"
Interface: WAN
Source: LAN net
Source Port: any
Destination: any
Destination Port: any
Target: WAN Interface IP
Target Port: any
Static Port: unchecked
NAT Address: Interface Address
Description: NAT LAN to WAN
Save and Apply Changes
Configure port forwarding (inbound NAT):
Firewall → NAT → Port Forward
Click "Add"
Interface: WAN
Protocol: TCP
Destination: WAN Address
Destination Port: 8080
Redirect Target IP: 192.168.1.10
Redirect Target Port: 80
Filter rule association: Add unassociated filter rule
Description: Forward WAN 8080 to Web Server 80
Save and Apply Changes
Configure 1:1 NAT:
Firewall → NAT → 1:1
Click "Add"
Interface: WAN
External Subnet IP: 203.0.113.10
Internal IP: 192.168.1.20
Destination: any
Description: 1:1 NAT for internal server
Bilateral: checked
Save and Apply Changes
Test NAT functionality:
Diagnostics → Ping
Address: 8.8.8.8
Click "Ping"
View NAT translations:
Diagnostics → Network Interfaces
Shows current NAT states and translations
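What the three NAT screens above produce is easier to reason about as a small state table. The model below is an added example, not OPNsense or pf code: it rewrites the first packet of a flow for the outbound rule (LAN hidden behind the WAN address 203.0.113.1 set during initial configuration), the port forward WAN:8080 → 192.168.1.10:80, and the bilateral 1:1 mapping 203.0.113.10 ↔ 192.168.1.20, and it maps replies back through the recorded state. pf picks a random source port when Static Port is unchecked; the model takes the next port from a counter, which is a simplification. It also shows why an unsolicited inbound packet with no forward and no state is dropped, and why a port forward on its own is not enough: the rewritten packet still has to pass a filter rule, which is what "Add unassociated filter rule" creates.

```python
"""Stateful NAT model for the outbound, port-forward and 1:1 NAT rules above.

Added example, not OPNsense or pf code. Addresses come from the guide; the
port allocation from a counter stands in for pf's random choice.
"""
WAN_IP = "203.0.113.1"
LAN_PREFIX = "192.168.1."          # prefix test stands in for a real subnet match

class NatTable:
    def __init__(self, static_port=False):
        self.static_port = static_port   # the "Static Port" checkbox of the outbound rule
        self.states = {}                 # reply 5-tuple -> original (src_ip, src_port)
        self.port_forwards = {("tcp", WAN_IP, 8080): ("192.168.1.10", 80)}
        self.one_to_one = {"203.0.113.10": "192.168.1.20"}
        self.next_port = 50000           # stand-in for pf's random ephemeral port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: returns the packet as it leaves the WAN interface, or
        None when no NAT rule covers the source."""
        for ext_ip, int_ip in self.one_to_one.items():
            if src_ip == int_ip:         # bilateral 1:1 keeps the source port
                return (proto, ext_ip, src_port, dst_ip, dst_port)
        if not src_ip.startswith(LAN_PREFIX):
            return None
        if self.static_port:             # keep the port; IPsec and SIP peers expect this
            nat_port = src_port
        else:
            nat_port = self.next_port
            self.next_port += 1
        # Remember how the reply will look so it can be mapped back.
        self.states[(proto, dst_ip, dst_port, WAN_IP, nat_port)] = (src_ip, src_port)
        return (proto, WAN_IP, nat_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """WAN -> LAN: returns the translated packet, or None when no state,
        port forward or 1:1 entry explains it (pf drops such packets)."""
        if dst_ip in self.one_to_one:
            return (proto, src_ip, src_port, self.one_to_one[dst_ip], dst_port)
        state = self.states.get((proto, src_ip, src_port, dst_ip, dst_port))
        if state:                        # reply to a connection the LAN opened
            return (proto, src_ip, src_port, state[0], state[1])
        fwd = self.port_forwards.get((proto, dst_ip, dst_port))
        if fwd:                          # destination rewritten; filter rules still apply
            return (proto, src_ip, src_port, fwd[0], fwd[1])
        return None

if __name__ == "__main__":
    nat = NatTable()
    print("out  ", nat.outbound("tcp", "192.168.1.50", 40000, "93.184.216.34", 443))
    print("reply", nat.inbound("tcp", "93.184.216.34", 443, WAN_IP, 50000))
    print("scan ", nat.inbound("tcp", "198.51.100.7", 12345, WAN_IP, 22))
    print("fwd  ", nat.inbound("tcp", "198.51.100.7", 12345, WAN_IP, 8080))
    print("1:1  ", nat.inbound("tcp", "198.51.100.7", 12345, "203.0.113.10", 25))
```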
VPN Configuration
Configure VPN for remote access and site-to-site connectivity.
Configure OpenVPN server:
VPN → OpenVPN → Server
Click "Add"
Disabled: unchecked
Description: Remote Access VPN
Server Mode: Remote Access (User/Password Auth)
Protocol: UDP4
Port: 1194
TLS Authentication: Generate Key
Cipher: AES-256-GCM
Compression: Stub (None)
Enable NCP: checked
Allowed Cipher Negotiation: AES-256-GCM
Gateway Creation: IPv4 only
Gateway Interface: LAN
Dynamic IP: unchecked
Save and Apply Changes
Create OpenVPN users:
System → Access → Users
Click "Add"
Username: vpnuser1
Password: secure_password
API Token: Generate
Group: (optional)
Save
Configure OpenVPN client override:
VPN → OpenVPN → Client Specific Overrides
Click "Add"
Common Name: vpnuser1
Enable: checked
Redirect Gateway: checked (route all traffic through VPN)
Push Networks: 192.168.1.0/24 192.168.2.0/24
Custom Options: push "dhcp-option DNS 8.8.8.8"
Save and Apply Changes
Configure site-to-site IPsec VPN:
VPN → IPsec → Tunnels
Click "Add"
Disabled: unchecked
Remote Gateway: remote-site-public-ip
Phase 1 - Proposals:
Encryption: AES256
Hash: SHA256
DH Group: Group14
Lifetime: 28800
Phase 2 - Proposals:
Protocol: ESP
Encryption: AES256-GCM
Hash: SHA256
PFS Group: Group14
Lifetime: 3600
Save and Apply Changes
Add IPsec encryption:
VPN → IPsec → Encryption
Click "Add"
Disabled: unchecked
Mode: Tunnel
Local Subnet: 192.168.1.0/24
Remote Gateway: remote-gateway-ip
Remote Subnet: 192.168.2.0/24
Save and Apply Changes
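The IPsec proposals and OpenVPN settings entered above are reasonable, but the same screens accept legacy choices that pass silently. The script below is an added example, not OPNsense code: it encodes a small policy (no DES/3DES/Blowfish/RC4, no MD5 or SHA1 integrity, DH or PFS group 14 or higher, PFS enabled in Phase 2, lifetimes no longer than the 28800 s and 3600 s used in the guide, an AEAD cipher, no compression and a TLS control-channel key for OpenVPN) and runs it over the guide's values plus a constructed weak Phase 1 proposal. The dictionary keys are this script's own naming, not OPNsense API fields.

```python
"""Policy check for IPsec phase proposals and OpenVPN server settings.

Added example, not OPNsense code. The thresholds are this script's policy;
the dictionaries below mirror the GUI fields entered in the guide.
"""
WEAK_CIPHERS = {"DES", "3DES", "BLOWFISH", "BF-CBC", "RC4", "NULL"}
WEAK_HASHES = {"MD5", "SHA1"}
MIN_DH_GROUP = 14                         # 2048-bit MODP
MAX_LIFETIME = {"phase1": 28800, "phase2": 3600}

def _group_number(group):
    """'Group14' -> 14, 14 -> 14, None (PFS off) -> 0."""
    if group is None:
        return 0
    return int(str(group).lower().replace("group", ""))

def check_ipsec(phase, proposal):
    """Return a list of findings; an empty list means the proposal passes."""
    findings = []
    enc = proposal.get("encryption", "").upper()
    if any(enc.startswith(w) for w in WEAK_CIPHERS):
        findings.append(f"{phase}: weak encryption {enc}")
    if proposal.get("hash", "").upper() in WEAK_HASHES:
        findings.append(f"{phase}: weak integrity hash {proposal['hash']}")
    group_key = "dh_group" if phase == "phase1" else "pfs_group"
    group = _group_number(proposal.get(group_key))
    if phase == "phase2" and group == 0:
        findings.append("phase2: PFS disabled, compromise of the Phase 1 keys exposes recorded traffic")
    elif group < MIN_DH_GROUP:
        findings.append(f"{phase}: DH group {group} is below group {MIN_DH_GROUP}")
    if proposal.get("lifetime", 0) > MAX_LIFETIME[phase]:
        findings.append(f"{phase}: lifetime {proposal['lifetime']}s exceeds {MAX_LIFETIME[phase]}s")
    return findings

def check_openvpn(settings):
    """Same idea for the OpenVPN server screen."""
    findings = []
    cipher = settings.get("cipher", "").upper()
    weak = any(cipher.startswith(w) for w in WEAK_CIPHERS)
    aead = cipher.endswith("GCM") or "CHACHA20" in cipher
    if weak or not aead:
        findings.append(f"openvpn: cipher {cipher} is not an AEAD cipher")
    if settings.get("compression", "none").lower() not in ("none", "stub (none)", "stub"):
        findings.append("openvpn: compression enabled, exposes the tunnel to compression-oracle attacks")
    if not settings.get("tls_auth"):
        findings.append("openvpn: no TLS control-channel key (tls-auth/tls-crypt)")
    return findings

# Values as configured in the guide.
PHASE1 = {"encryption": "AES256", "hash": "SHA256", "dh_group": "Group14", "lifetime": 28800}
PHASE2 = {"protocol": "ESP", "encryption": "AES256-GCM", "hash": "SHA256",
          "pfs_group": "Group14", "lifetime": 3600}
OPENVPN = {"cipher": "AES-256-GCM", "compression": "Stub (None)", "tls_auth": True, "port": 1194}

# A constructed legacy proposal that the GUI would accept just as readily.
LEGACY_PHASE1 = {"encryption": "3DES", "hash": "SHA1", "dh_group": "Group2", "lifetime": 86400}

if __name__ == "__main__":
    for name, findings in [("phase1", check_ipsec("phase1", PHASE1)),
                           ("phase2", check_ipsec("phase2", PHASE2)),
                           ("openvpn", check_openvpn(OPENVPN)),
                           ("legacy phase1", check_ipsec("phase1", LEGACY_PHASE1))]:
        print(name, "OK" if not findings else findings)
```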
IDS/IPS Integration
Integrate Suricata for network intrusion detection and prevention.
Install Suricata plugin:
System → Plugins
Search: "suricata"
Click "+" to install
Wait for installation
System restarts services
Configure Suricata:
Services → Suricata → Settings
General Settings:
Enable Suricata: checked
Interface: LAN
Mode: IDS or IPS
Promisc Mode: checked
Enable VLAN monitoring: checked
Save
Download and update rules:
Services → Suricata → Manage Rules
Click "Update"
Select rule sources:
- ET Open (free)
- ET Pro (if subscribed)
- Custom rules
Click "Download Rules"
Enable specific rule categories:
Services → Suricata → Manage Rules
Rule Source: ET Open
Select desired categories:
- Malware detection
- Command and control
- Policy violations
Enable selected
Click "Save"
View IDS/IPS alerts:
Services → Suricata → Alerts
Shows real-time detected threats
Filter by severity, source, destination
Configure IPS mode action:
Services → Suricata → Settings
Action on DROP rules: (IPS mode)
Click "Save"
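The Alerts screen reads Suricata's EVE JSON output, and the same filtering (severity, source, destination) is easy to reproduce when you want to triage alerts outside the GUI or ship them elsewhere. The script below is an added example, not OPNsense or Suricata code; the records are constructed to look like alert events from eve.json (one JSON object per line, with the alert fields Suricata emits), and the signature ids, names and addresses are invented. In Suricata, severity 1 is the most urgent, and in IPS mode the alert's action field records whether the packet was actually blocked.

```python
"""Triage Suricata EVE JSON alerts: filter by severity, source, destination, summarise.

Added example, not OPNsense or Suricata code. SAMPLE_EVE is constructed; the
field names follow Suricata's EVE alert format.
"""
import json
from collections import Counter

SAMPLE_EVE = """\
{"timestamp":"2024-01-10T08:15:02.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":49152,"dest_ip":"198.51.100.23","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED MALWARE beacon to known bad host","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-01-10T08:15:07.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"198.51.100.23","proto":"TCP"}
{"timestamp":"2024-01-10T08:16:40.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":49153,"dest_ip":"198.51.100.23","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED MALWARE beacon to known bad host","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-01-10T08:20:11.000000+0000","event_type":"alert","src_ip":"192.168.1.77","src_port":51000,"dest_ip":"203.0.113.9","dest_port":6667,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":2,"signature":"CONSTRUCTED POLICY IRC connection","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-01-10T08:21:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,"signature":"CONSTRUCTED WEB scanner user-agent","category":"Attempted Information Leak","severity":3}}
"""

def parse_alerts(lines):
    """Keep only event_type == 'alert' records; skip blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts

def filter_alerts(alerts, max_severity=None, src=None, dest=None):
    """max_severity=1 keeps only the most urgent alerts (1 is high in Suricata)."""
    out = []
    for a in alerts:
        if max_severity is not None and a["alert"]["severity"] > max_severity:
            continue
        if src is not None and a["src_ip"] != src:
            continue
        if dest is not None and a["dest_ip"] != dest:
            continue
        out.append(a)
    return out

def summarize(alerts):
    """Counts per signature and per source, plus how many IPS mode actually dropped."""
    return {
        "signatures": Counter(a["alert"]["signature"] for a in alerts),
        "sources": Counter(a["src_ip"] for a in alerts),
        "blocked": sum(1 for a in alerts if a["alert"]["action"] == "blocked"),
        "total": len(alerts),
    }

if __name__ == "__main__":
    # Replace SAMPLE_EVE.splitlines() with open("/var/log/suricata/eve.json") on a live box.
    alerts = parse_alerts(SAMPLE_EVE.splitlines())
    report = summarize(alerts)
    print(f"{report['total']} alerts, {len(filter_alerts(alerts, max_severity=1))} high, "
          f"{report['blocked']} blocked")
    for sig, n in report["signatures"].most_common():
        print(f"{n:3d}  {sig}")
```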
Traffic Shaping
Configure quality of service to manage bandwidth allocation.
Create traffic shaping rules:
Firewall → Shaper → Settings
Enable Shaping: checked
Algorithms: CBQ or HFSC
Interface: WAN
Save
Define limiters:
Firewall → Shaper → Limiters
Click "Add"
Name: WEB_LIMIT
Bandwidth: 100 Mbps
Type: CBQ
Description: Limit web traffic to 100 Mbps
Save
Create queues:
Firewall → Shaper → Queues
Click "Add"
Limiter: WEB_LIMIT
Name: HTTP_QUEUE
Bandwidth: 50 Mbps
Type: CBQ
Priority: 5
Description: HTTP traffic queue
Save
Apply shaping rules:
Firewall → Shaper → Rules
Click "Add"
Disabled: unchecked
Interface: WAN
Protocol: TCP
Destination Port: 80 (HTTP)
Queue: HTTP_QUEUE
Description: Shape HTTP traffic
Save and Apply Changes
Monitor traffic shaping:
Status → Queues
Shows active queue statistics and bandwidth usage
High Availability
Configure multiple OPNsense instances for failover and redundancy.
Enable CARP (Common Address Redundancy Protocol):
System → High Availability → Settings
Enable CARP: checked
CARP Interface: WAN
Virtual IP Address: 203.0.113.50
Virtual Subnet Mask: 24
CARP Password: secure-password
Synchronize Interface: em2 (dedicated sync network)
Synchronize: checked
Save
Configure automatic rule synchronization:
System → High Availability → Settings
Synchronization Settings:
Synchronize Firewall Rules: checked
Synchronize NAT: checked
Synchronize IPS/IDS: checked
Synchronize to: backup-opnsense-ip
Save
Monitor HA status:
System → High Availability
Shows:
- Master/Backup status
- Virtual IP status
- Synchronization statistics
Test failover:
Diagnostics → Ping
Send ping to virtual IP
Disconnect primary OPNsense
Verify ping continues through backup
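"Verify ping continues" is more useful as a number: how long the virtual IP was unreachable while the backup took over. The script below is an added example, not OPNsense code. Its probe loop calls the system ping command (assumed to be on PATH, one echo per interval) against the virtual IP; the analysis works on a list of (elapsed seconds, reachable) samples, so it is demonstrated on a constructed sample in which the primary is unplugged at second 10 and the backup answers again from second 14. Run it with the virtual IP as argument during a real failover test.

```python
"""Measure the outage seen at the CARP virtual IP during a failover test.

Added example, not OPNsense code. probe() uses the system ping command;
SAMPLE is a constructed probe series used when no target is given.
"""
import subprocess
import sys
import time

def probe(target, timeout=1.0):
    """One ICMP echo request; True if the target answered within the timeout."""
    try:
        r = subprocess.run(["ping", "-c", "1", target], stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=timeout)
        return r.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False

def collect(target, seconds, interval=1.0):
    """Probe the VIP repeatedly; returns [(elapsed_seconds, reachable), ...]."""
    start = time.monotonic()
    samples = []
    while (now := time.monotonic() - start) < seconds:
        samples.append((round(now, 1), probe(target, timeout=interval)))
        time.sleep(interval)
    return samples

def outage_report(samples):
    """Count lost probes and find the longest gap, measured from the last good
    reply before the gap to the first good reply after it."""
    longest = 0.0
    lost = 0
    last_ok = None
    gap_start = None
    for t, ok in samples:
        if ok:
            if gap_start is not None:
                longest = max(longest, t - gap_start)
                gap_start = None
            last_ok = t
        else:
            lost += 1
            if gap_start is None:
                gap_start = last_ok if last_ok is not None else t
    if gap_start is not None:            # still down when sampling ended
        longest = max(longest, samples[-1][0] - gap_start)
    return {"probes": len(samples), "lost": lost, "longest_gap_s": round(longest, 1)}

# Constructed series: primary unplugged at t=10, backup holds the VIP from t=14.
SAMPLE = [(float(t), not 10 <= t < 14) for t in range(0, 20)]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(outage_report(collect(sys.argv[1], seconds=60)))   # e.g. 203.0.113.50
    else:
        print(outage_report(SAMPLE))
```

A gap of a few seconds is the CARP advertisement interval at work; a gap that never closes means the backup never claimed the address, and the CARP password or the virtual IP settings on the two nodes are the first things to compare.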
Plugins
Extend OPNsense functionality with plugins.
Browse available plugins:
System → Plugins
View "Available" tab
Shows all installable plugins
Search by name or category
Install plugins:
Common useful plugins:
- Suricata: IDS/IPS
- HAProxy: Load balancing
- Nginx: Reverse proxy
- ACME: Let's Encrypt certificate management
- pfBlockerNG: IP reputation filtering
- FreeRADIUS: Authentication server
- Web Filter: URL filtering
Example installation (HAProxy):
System → Plugins
Search: "HAProxy"
Click "+" to install
Wait for completion
Services → HAProxy becomes available
Manage installed plugins:
System → Plugins
View "Installed" tab
Shows installed packages
Click settings icon to configure
Click trash icon to remove
Conclusion
OPNsense provides comprehensive firewall and network security capabilities suitable for protecting networks of any size. By following this guide, you've installed OPNsense, configured network interfaces and firewall rules for traffic control, created aliases for efficient rule management, set up NAT for address translation and port forwarding, configured VPN for remote access and site-to-site connectivity, integrated Suricata for intrusion detection, implemented traffic shaping for bandwidth management, and enabled high availability for continuous operation. Regular updates, rule tuning, and security monitoring ensure sustained network protection and optimal performance. Whether deployed in small office environments or large enterprise networks, OPNsense scales with flexible configuration and extensive feature support.


