OPNsense installation from USB flash drive

Introduction

My USG (Unifi Security Gateway) is a few years old and only receives security updates. Since I had a mini ITX motherboard with a reasonably energy-efficient i3 processor and two Intel network ports (for WAN/LAN) on hand, I decided to use it to replace the USG. However, you don’t necessarily need to build the new firewall/router yourself. For instance, I also considered purchasing a Protectli Vault.

In my search for open-source firewall/router software, I came across pfSense and OPNsense, among others. I ultimately chose OPNsense because it is actively maintained and gave me a good overall impression. While there are many comparisons available highlighting the pros and cons of each, I won’t dive into those details here. In my opinion, OPNsense is a good successor to the USG and the sometimes clunky Unifi software. Within OPNsense, I will utilize Suricata IDS/IPS to detect and mitigate security threats at wire speed and WireGuard, a simple, fast VPN protocol. These features were either not available or limited in the USG.

Additionally, I will set up VLANs on my Unifi switches and Unifi access point.

How To

OPNsense Installation from USB Flash Drive

  1. Download the latest USB installer image (image type vga). For example: OPNsense-22.1.2-OpenSSL-vga-amd64.img.bz2
  2. Open the bz2 file and extract the image, for example with 7-Zip.
  3. Choose your installation method here and write the image to the USB flash drive. I did this via Linux/Ubuntu with the command: sudo dd if=OPNsense-22.1.2-OpenSSL-vga-amd64.img of=/dev/sda bs=16k. If you need to find out the device path to the USB flash drive you can find more information here.
  4. Let the system boot from the USB flash drive and wait until you can log in. You will then also see important information about the LAN and WAN ports. For example: LAN igb0 192.168.1.1/24 and WAN em0
  5. Then install OPNsense to the target system. Log in:
    • User: installer
    • Password: opnsense
  6. Follow the setup. Keymap selection: choose your keymap. I chose standard US — Continue with default keymap
  7. Install ZFS or UFS: I chose ZFS. ZFS seems to be less error-prone, for example in the event of a power failure
  8. In my case I then chose: Stripe - No Redundancy
  9. Select the target drive: in my case the SSD nvd0
  10. Confirm destroying the current contents of the disk
  11. When the installation is done:
    • It is good practice to change the root password: Change Root Password (Default user: root / password: opnsense)
    • Then choose Complete Install Exit and Reboot
  12. After rebooting, once I was able to log in again, I turned off the system, removed the installation media and turned the device back on.
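
A pre-flight check for steps 1 to 3, as an added example that is not part of the original post: it compares the downloaded .bz2 with a SHA-256 digest and refuses to run dd unless the target is a removable disk with nothing mounted. The function names, the SYSFS/MOUNTS overrides and the assumption that you have obtained the image's SHA-256 digest from the download source are mine.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before dd.
# SYSFS and MOUNTS can be overridden to test against constructed fixtures.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# verify_sha256 FILE EXPECTED_HEX
# Succeeds only if FILE's SHA-256 equals the expected digest (case-insensitive).
verify_sha256() {
    [ -n "$2" ] &&
    [ "$(sha256sum "$1" 2>/dev/null | awk '{print $1}')" = \
      "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# is_safe_target DEV   (kernel name without /dev/, e.g. sdb)
# Succeeds only if the kernel flags DEV as removable and neither DEV nor one
# of its partitions is mounted. A wrong of= overwrites that disk without asking.
is_safe_target() {
    [ -r "$SYSFS/$1/removable" ] &&
    [ "$(cat "$SYSFS/$1/removable")" = "1" ] &&
    ! grep -q "^/dev/$1" "$MOUNTS"
}

# write_image IMAGE.bz2 EXPECTED_HEX DEV
# Verifies the compressed download, checks the target, then decompresses
# straight onto the drive. bs=16k matches the command used in step 3.
write_image() {
    verify_sha256 "$1" "$2" ||
        { echo "checksum mismatch for $1, not writing" >&2; return 1; }
    is_safe_target "$3" ||
        { echo "/dev/$3 is not a removable, unmounted disk" >&2; return 1; }
    bunzip2 -c "$1" |
        sudo dd of="/dev/$3" bs=16k iflag=fullblock conv=fsync status=progress
}

# Usage (digest placeholder to be filled in from the download source):
#   write_image OPNsense-22.1.2-OpenSSL-vga-amd64.img.bz2 <sha256-hex> sdb
```

The removable flag is a conservative filter: USB flash drives normally report 1, while USB-attached SSDs often report 0 and will be refused.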

Next, I connected a laptop directly to the LAN port. You can then navigate to https://192.168.1.1 to continue configuring OPNsense through the web UI.

OPNsense Configuration

My next steps will be (the order is not yet completely determined):

  • Configure the VLANs, interfaces and DHCP static mappings
  • Connect OPNsense to the internet and have updates installed
  • Replace the USG with OPNsense and set the Unifi switch and AP for VLANs
  • Further configure OPNsense: e.g. firewall, mDNS, WireGuard, IDS/IPS
  • Connect devices to the switch and AP with the correct VLAN. For example, I will create a new IoT VLAN


    Copyright 2021- Fiction Becomes Fact