OPNsense Firewall Configuration
OPNsense is a free, open-source firewall built on FreeBSD that provides advanced security features including stateful firewalling, VPN support, intrusion detection, traffic shaping, and web filtering. OPNsense is a community fork of pfSense that emphasizes user-friendliness, transparency, and regular security updates. This guide covers installation, core firewall configuration, rule management, NAT setup, VPN connectivity, IDS/IPS integration, package installation, and high availability features.
Table of Contents
- System Requirements
- Installation
- Initial Setup
- Firewall Rules
- Aliases and Rule Management
- NAT Configuration
- VPN Setup
- IDS/IPS Integration
- Traffic Shaping
- High Availability
- Plugins
- Conclusion
System Requirements
OPNsense runs best on hardware that meets these minimums:
- 64-bit Intel or AMD processor (2+ cores minimum, 4+ recommended)
- 2 GB RAM minimum (4 GB+ for production)
- 4 GB disk space (larger for high-traffic or caching)
- 2+ network interfaces (one for WAN, one for LAN)
- VT-x/AMD-V support for virtualization
- Dedicated hardware or virtual machine
Installation
Download OPNsense from https://opnsense.org/download/
For bare metal installation, create a bootable USB:
wget https://mirror.opnsense.org/releases/22.7/OPNsense-22.7-OpenSSL-dvd-amd64.iso
sudo dd if=OPNsense-22.7-OpenSSL-dvd-amd64.iso of=/dev/sdX bs=4M conv=fsync
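The download and dd steps above write whatever was fetched straight to the USB device. As an added example that is not part of this guide, the Python below checks an image against a sha256sum-style checksum listing before it is written. It assumes the listing uses the "hexdigest  filename" format and stands in a small constructed file for the real ISO so it runs offline.

```python
"""Verify a downloaded image against a sha256 listing before writing it to disk.
Added example, not OPNsense code; the listing format is an assumption."""
import hashlib
import hmac
import os
import tempfile


def parse_sha256_file(text, filename):
    """Return the expected hex digest for `filename` from a sha256sum-style
    listing ("<hex>  <name>" per line), or None if the file is not listed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].lstrip("*") == filename and len(parts[0]) == 64:
            return parts[0].lower()
    return None


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, checksum_text):
    """True only when the image is listed and its digest matches exactly."""
    expected = parse_sha256_file(checksum_text, os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed stand-in for the ISO: a tiny file whose digest we control.
    Returns (result for a correct listing, result for a tampered listing)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "OPNsense-22.7-OpenSSL-dvd-amd64.iso")
        payload = b"constructed image bytes\n"
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        listing = f"{good}  OPNsense-22.7-OpenSSL-dvd-amd64.iso\n"
        # Flip the first hex character so the digest no longer matches.
        tampered = ("0" if good[0] != "0" else "f") + listing[1:]
        return verify_image(path, listing), verify_image(path, tampered)


if __name__ == "__main__":
    ok, bad = demo()
    print("correct listing verifies:", ok)
    print("tampered listing verifies:", bad)
```

Run the check on the real ISO and its published checksum file, and only proceed to dd when it returns True.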
For virtual machine installation (KVM):
qemu-img create -f qcow2 opnsense.qcow2 4G
Boot from the USB or ISO. The installer presents these options:
- Continue with default keymap
- Accept the FreeBSD license
- Select installer type (Guided UFS, Guided ZFS)
- Partition selection (Auto, Manual)
- Reboot after completion
After installation, the system presents a console menu:
Welcome to OPNsense!
Options:
1. Assign interfaces
2. Set interface IP address
3. Reset webConfigurator password
4. Reset to factory defaults
5. Reboot system
6. Halt system
7. Ping host
8. SSH session
9. Update system
10. Restore a backup
11. Recover from GEOM corruption
0. Exit to shell
Initial Setup
Begin configuration through the console and web interface.
Assign network interfaces:
Select option 1 at the console:
Do you want to configure interface bridging first?
(no): no
Valid interface names are: em0 em1 em2
Configure WAN interface - press ENTER if not present
em0 = WAN
em1 = LAN
ig0 = (not present)
em2 = (not present)
Enter the WAN interface name: em0
Enter the LAN interface name: em1
Configure IP addresses:
Select option 2:
Enter interface name (default = LAN):
Address (default = dhcp):
Subnet bits (default = 24):
IPv6 address (or press ENTER for none):
IP address = 192.168.1.1
Subnet = 24
IPv6 = none
Enable DHCP server on LAN = yes
Set WAN IP:
Enter interface name: WAN
Address (dhcp or static): 203.0.113.1
Subnet bits: 24
Gateway: 203.0.113.254
Reset web interface password:
Select option 3:
New root password: your-secure-password
Confirm: your-secure-password
Access the web interface at https://192.168.1.1:
curl -k https://192.168.1.1/
Login with:
- Username: root
- Password: (the password you set)
Firewall Rules
Create and manage firewall rules through the web interface.
Access firewall rules:
Firewall → Rules → WAN/LAN/Other
Create a rule to allow HTTP/HTTPS from LAN:
Firewall → Rules → LAN
Click "Add" button
Action: Pass
Interface: LAN
Direction: in
Address Family: IPv4
Protocol: TCP
Source: LAN net
Destination: any
Destination Port Range: From HTTP (80) To HTTPS (443)
Note: a from/to range matches every port from 80 through 443, not only those two; to pass exactly 80 and 443, use a port alias (see Aliases and Rule Management) instead of a range.
Description: Allow HTTP/HTTPS
Save and Apply Changes
Create rules with more granular control:
Firewall → Rules → LAN
Click "Add"
Action: Pass
Quick: checked (applies rule first match)
Interface: LAN
Direction: in
Address Family: IPv4
Disabled: unchecked
Log: checked (log matching packets)
Protocol: TCP/UDP
Source: Single host or Network
Destination: Single host or Network
Destination Port Range: Port or range
Save and Apply Changes
Create blocking rules:
Firewall → Rules → WAN
Click "Add"
Action: Block
Log: checked
Protocol: TCP
Destination Port: 445 (SMB)
Source: any
Destination: WAN net
Description: Block SMB from Internet
Save and Apply Changes
Reorder rules by dragging:
Firewall → Rules → [Interface]
Drag rules to reorder (top to bottom evaluation)
Click "Apply Changes"
View real-time rule matching:
Diagnostics → System Logs → Firewall
Shows all rule matches with source/destination/port information
Aliases and Rule Management
Create aliases for easier rule management and maintenance.
Create network aliases:
Firewall → Aliases
Click "Add"
Name: INTERNAL_NETWORKS
Type: Network(s)
Content: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
Description: All internal networks
Save and Apply Changes
Create port aliases:
Firewall → Aliases
Click "Add"
Name: WEB_PORTS
Type: Port(s)
Content: 80 443 8080 8443
Description: Common web service ports
Save and Apply Changes
Create IP aliases:
Firewall → Aliases
Click "Add"
Name: TRUSTED_HOSTS
Type: Host(s)
Content: 192.168.1.10 192.168.1.11 192.168.1.12
Description: Trusted server IPs
Save and Apply Changes
Use aliases in rules:
Firewall → Rules → LAN
Click "Add"
Source: INTERNAL_NETWORKS (select from dropdown)
Destination Port: WEB_PORTS (select from dropdown)
Destination: TRUSTED_HOSTS (select from dropdown)
Manage aliases:
Firewall → Aliases
List shows all defined aliases
Click edit icon to modify
Click trash icon to delete
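Rule order, the Quick flag and the aliases above together decide which rule fires for a given packet. As an added example that is not part of this guide or of OPNsense itself, the Python model below mimics pf's evaluation as the Firewall Rules section describes it: rules are checked top to bottom, the last match wins unless a matching rule is Quick, in which case evaluation stops there. The aliases mirror the ones defined above; the rules, addresses and packets are constructed for the demo, and "LAN net" is written as the literal network 192.168.1.0/24. The demo also shows why a port range of 80 to 443 lets port 139 through while the WEB_PORTS alias does not.

```python
"""Small model of OPNsense/pf rule evaluation: top-to-bottom, last match wins,
Quick stops at the first match. Added example, not OPNsense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases mirroring the guide's INTERNAL_NETWORKS, TRUSTED_HOSTS, WEB_PORTS.
ALIASES = {
    "INTERNAL_NETWORKS": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"],
    "TRUSTED_HOSTS": ["192.168.1.10", "192.168.1.11", "192.168.1.12"],
    "WEB_PORTS": [80, 443, 8080, 8443],
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str = "any"     # "tcp", "udp" or "any"
    src: str = "any"       # alias name, CIDR, single host, or "any"
    dst: str = "any"
    ports: object = "any"  # alias name, int, (low, high) range, or "any"
    quick: bool = True     # OPNsense rules are Quick by default
    log: bool = False
    description: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    entries = ALIASES.get(spec, [spec])  # alias name or literal network/host
    ip = ip_address(addr)
    return any(ip in ip_network(e, strict=False) for e in entries)


def _port_matches(spec, port):
    if spec == "any":
        return True
    if isinstance(spec, int):
        return port == spec
    if isinstance(spec, tuple):          # a from/to range as in the GUI
        low, high = spec
        return low <= port <= high
    return port in ALIASES[spec]         # a port alias


def evaluate(rules, pkt, default="block"):
    """Return (action, description, log) of the winning rule, or the
    interface default (OPNsense blocks anything no rule passes)."""
    winner = None
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)
                and _port_matches(rule.ports, pkt.dport)):
            continue
        winner = rule
        if rule.quick:      # Quick: first match decides, stop here
            break           # otherwise keep going: the last match wins
    if winner is None:
        return default, "default deny", False
    return winner.action, winner.description, winner.log


def demo():
    lan_net = "192.168.1.0/24"
    block_smb = Rule("block", proto="tcp", ports=445, log=True, description="Block SMB")
    allow_range = Rule("pass", proto="tcp", src=lan_net, ports=(80, 443),
                       description="Allow HTTP/HTTPS (range 80-443)")
    allow_alias = Rule("pass", proto="tcp", src=lan_net, ports="WEB_PORTS",
                       description="Allow HTTP/HTTPS (WEB_PORTS alias)")
    netbios = Packet("tcp", "192.168.1.50", "198.51.100.7", 139)
    smb = Packet("tcp", "192.168.1.50", "198.51.100.7", 445)
    https = Packet("tcp", "192.168.1.50", "198.51.100.7", 443)
    not_quick = [Rule("block", proto="tcp", ports=445, quick=False, description="Block SMB (not quick)"),
                 Rule("pass", proto="tcp", src=lan_net, description="Allow all from LAN")]
    return {
        "range_lets_139_through": evaluate([block_smb, allow_range], netbios)[0],
        "alias_blocks_139": evaluate([block_smb, allow_alias], netbios)[0],
        "https_allowed": evaluate([block_smb, allow_alias], https)[0],
        "quick_block_wins": evaluate([block_smb, allow_range], smb)[0],
        "non_quick_block_loses": evaluate(not_quick, smb)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is the one to remember when reordering rules: a block rule that is not Quick can be overridden by a later pass rule, so a broad "allow all" below it silently defeats it.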
NAT Configuration
Configure Network Address Translation for traffic manipulation.
Configure outbound NAT:
Firewall → NAT → Outbound
Click "Add"
Interface: WAN
Source: LAN net
Source Port: any
Destination: any
Destination Port: any
Target: WAN Interface IP
Target Port: any
Static Port: unchecked
NAT Address: Interface Address
Description: NAT LAN to WAN
Save and Apply Changes
Configure port forwarding (inbound NAT):
Firewall → NAT → Port Forward
Click "Add"
Interface: WAN
Protocol: TCP
Destination: WAN Address
Destination Port: 8080
Redirect Target IP: 192.168.1.10
Redirect Target Port: 80
Filter rule association: Add unassociated filter rule
Description: Forward WAN 8080 to Web Server 80
Save and Apply Changes
Configure 1:1 NAT:
Firewall → NAT → 1:1
Click "Add"
Interface: WAN
External Subnet IP: 203.0.113.10
Internal IP: 192.168.1.20
Destination: any
Description: 1:1 NAT for internal server
Bilateral: checked
Save and Apply Changes
Test NAT functionality:
Diagnostics → Ping
Address: 8.8.8.8
Click "Ping"
View NAT translations:
Diagnostics → Network Interfaces
Shows current NAT states and translations
VPN Setup
Configure VPN for remote access and site-to-site connectivity.
Setup OpenVPN server:
VPN → OpenVPN → Server
Click "Add"
Disabled: unchecked
Description: Remote Access VPN
Server Mode: Remote Access (User/Password Auth)
Protocol: UDP4
Port: 1194
TLS Authentication: Generate Key
Cipher: AES-256-GCM
Compression: Stub (None)
Enable NCP: checked
Allowed Cipher Negotiation: AES-256-GCM
Gateway Creation: IPv4 only
Gateway Interface: LAN
Dynamic IP: unchecked
Save and Apply Changes
Create OpenVPN users:
System → Access → Users
Click "Add"
Username: vpnuser1
Password: secure_password
API Token: Generate
Group: (optional)
Save
Setup OpenVPN client override:
VPN → OpenVPN → Client Specific Overrides
Click "Add"
Common Name: vpnuser1
Enable: checked
Redirect Gateway: checked (route all traffic through VPN)
Push Networks: 192.168.1.0/24 192.168.2.0/24
Custom Options: push "dhcp-option DNS 8.8.8.8"
Save and Apply Changes
Configure site-to-site IPsec VPN:
VPN → IPsec → Tunnels
Click "Add"
Disabled: unchecked
Remote Gateway: remote-site-public-ip
Phase 1 - Proposals:
Encryption: AES256
Hash: SHA256
DH Group: Group14
Lifetime: 28800
Phase 2 - Proposals:
Protocol: ESP
Encryption: AES256-GCM
Hash: SHA256
PFS Group: Group14
Lifetime: 3600
Save and Apply Changes
Add IPsec encryption:
VPN → IPsec → Encryption
Click "Add"
Disabled: unchecked
Mode: Tunnel
Local Subnet: 192.168.1.0/24
Remote Gateway: remote-gateway-ip
Remote Subnet: 192.168.2.0/24
Save and Apply Changes
IDS/IPS Integration
Integrate Suricata for network intrusion detection and prevention.
Install Suricata plugin:
System → Plugins
Search: "suricata"
Click "+" to install
Wait for installation
System restarts services
Configure Suricata:
Services → Suricata → Settings
General Settings:
Enable Suricata: checked
Interface: LAN
Mode: IDS or IPS
Promisc Mode: checked
Enable VLAN monitoring: checked
Save
Download and update rules:
Services → Suricata → Manage Rules
Click "Update"
Select rule sources:
- ET Open (free)
- ET Pro (if subscribed)
- Custom rules
Click "Download Rules"
Enable specific rule categories:
Services → Suricata → Manage Rules
Rule Source: ET Open
Select desired categories:
- Malware detection
- Command and control
- Policy violations
Enable selected
Click "Save"
View IDS/IPS alerts:
Services → Suricata → Alerts
Shows real-time detected threats
Filter by severity, source, destination
Configure IPS mode action:
Services → Suricata → Settings
Action on DROP rules: (IPS mode)
Click "Save"
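Suricata records every alert as a JSON line in its EVE log, which is what the Alerts page above reads. As an added example that is not part of this guide or of Suricata's own code, the Python below parses a constructed EVE excerpt, filters alerts by severity, source and destination as the page describes, and flags signatures that were only alerted on rather than dropped, which is what you see until IPS mode with an action on DROP rules is enabled. The signature ids, signature names and addresses are all constructed; only the EVE field names are real.

```python
"""Triage Suricata EVE alert lines: filter by severity/src/dst and report
which signatures were merely allowed (IDS) versus blocked (IPS).
Added example, not OPNsense or Suricata code; the log excerpt is constructed."""
import json
from collections import Counter

# Constructed EVE excerpt: sids in the local 1000000+ range, documentation addresses,
# one non-alert event and one corrupt line to exercise the parser.
EVE_SAMPLE = """\
{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"192.168.1.10","dest_port":445,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED SMB probe from WAN","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2024-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":51000,"dest_ip":"203.0.113.99","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED C2 beacon pattern","category":"Malware Command and Control Activity","severity":1}}
{"timestamp":"2024-03-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":51001,"dest_ip":"203.0.113.99","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED C2 beacon pattern","category":"Malware Command and Control Activity","severity":1}}
not json at all
{"timestamp":"2024-03-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.51","src_port":51002,"dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,"signature":"CONSTRUCTED policy: cleartext HTTP","category":"Potential Corporate Privacy Violation","severity":3}}
"""


def parse_alerts(text):
    """Return a flat list of alert dicts, skipping other event types and
    unparsable lines (log rotation can leave a truncated line behind)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        a = event["alert"]
        alerts.append({
            "ts": event["timestamp"],
            "src": event["src_ip"],
            "dst": event["dest_ip"],
            "dport": event.get("dest_port"),
            "sid": a["signature_id"],
            "sig": a["signature"],
            "category": a["category"],
            "severity": a["severity"],          # 1 = high, 2 = medium, 3 = low
            "blocked": a.get("action") == "blocked",
        })
    return alerts


def filter_alerts(alerts, severity=None, src=None, dst=None):
    """The same three filters the Alerts page offers."""
    return [a for a in alerts
            if (severity is None or a["severity"] == severity)
            and (src is None or a["src"] == src)
            and (dst is None or a["dst"] == dst)]


def triage(alerts, max_severity=1):
    """Summarise: counts per severity, sources behind the most severe alerts,
    and signatures that fired without being dropped (IDS mode, or IPS with
    the rule left in alert rather than drop action)."""
    selected = [a for a in alerts if a["severity"] <= max_severity]
    return {
        "by_severity": dict(Counter(a["severity"] for a in alerts)),
        "by_src": dict(Counter(a["src"] for a in selected)),
        "allowed_not_blocked": sorted({a["sid"] for a in alerts if not a["blocked"]}),
        "selected": selected,
    }


if __name__ == "__main__":
    summary = triage(parse_alerts(EVE_SAMPLE))
    print("alerts per severity:", summary["by_severity"])
    print("sources of high-severity alerts:", summary["by_src"])
    print("signatures seen but not dropped:", summary["allowed_not_blocked"])
```

On a live system point the parser at Suricata's eve.json instead of EVE_SAMPLE; a signature that keeps showing up under "allowed" after IPS mode is switched on is a rule still set to alert rather than drop.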
Traffic Shaping
Configure quality of service to manage bandwidth allocation.
Create traffic shaping rules:
Firewall → Shaper → Settings
Enable Shaping: checked
Algorithms: CBQ or HFSC
Interface: WAN
Save
Define limiters:
Firewall → Shaper → Limiters
Click "Add"
Name: WEB_LIMIT
Bandwidth: 100 Mbps
Type: CBQ
Description: Limit web traffic to 100 Mbps
Save
Create queues:
Firewall → Shaper → Queues
Click "Add"
Limiter: WEB_LIMIT
Name: HTTP_QUEUE
Bandwidth: 50 Mbps
Type: CBQ
Priority: 5
Description: HTTP traffic queue
Save
Apply shaping rules:
Firewall → Shaper → Rules
Click "Add"
Disabled: unchecked
Interface: WAN
Protocol: TCP
Destination Port: 80 (HTTP)
Queue: HTTP_QUEUE
Description: Shape HTTP traffic
Save and Apply Changes
Monitor traffic shaping:
Status → Queues
Shows active queue statistics and bandwidth usage
High Availability
Configure multiple OPNsense instances for failover and redundancy.
Enable CARP (Common Address Redundancy Protocol):
System → High Availability → Settings
Enable CARP: checked
CARP Interface: WAN
Virtual IP Address: 203.0.113.50
Virtual Subnet Mask: 24
CARP Password: secure-password
Sync Interface: em2 (dedicated sync network)
Synchronize: checked
Save
Configure automatic rule synchronization:
System → High Availability → Settings
Synchronization Settings:
Synchronize Firewall Rules: checked
Synchronize NAT: checked
Synchronize IPS/IDS: checked
Sync to: backup-opnsense-ip
Save
Monitor HA status:
System → High Availability
Shows:
- Master/Backup status
- Virtual IP status
- Sync statistics
Test failover:
Diagnostics → Ping
Send ping to virtual IP
Disconnect primary OPNsense
Verify ping continues through backup
Plugins
Extend OPNsense functionality with plugins.
Browse available plugins:
System → Plugins
View "Available" tab
Shows all installable plugins
Search by name or category
Install plugins:
Common useful plugins:
- Suricata: IDS/IPS
- HAProxy: Load balancing
- Nginx: Reverse proxy
- ACME: Let's Encrypt certificate management
- pfBlockerNG: IP reputation filtering
- FreeRADIUS: Authentication server
- Web Filter: URL filtering
Example installation (HAProxy):
System → Plugins
Search: "HAProxy"
Click "+" to install
Wait for completion
Services → HAProxy becomes available
Manage installed plugins:
System → Plugins
View "Installed" tab
Shows installed packages
Click settings icon to configure
Click trash icon to remove
Conclusion
OPNsense provides comprehensive firewall and network security capabilities suitable for protecting networks of any size. By following this guide, you've installed OPNsense, configured network interfaces and firewall rules for traffic control, created aliases for efficient rule management, set up NAT for address translation and port forwarding, configured VPN for remote access and site-to-site connectivity, integrated Suricata for intrusion detection, implemented traffic shaping for bandwidth management, and enabled high availability for continuous operation. Regular updates, rule tuning, and security monitoring ensure sustained network protection and optimal performance. Whether deployed in small office environments or large enterprise networks, OPNsense scales with flexible configuration and extensive feature support.