OPNsense - Installation from USB Flash Drive


My USG (Unifi Security Gateway) is already a few years old and only gets security updates. Because I had a mini ITX motherboard on the shelf with a reasonably energy-efficient i3 processor and two Intel network ports (for WAN/LAN), I wanted to use it to replace the USG. By the way, you don't necessarily need to build the new firewall/router yourself; for example, I also considered purchasing a Protectli Vault.

As the FreeBSD hardware lists and recommendations say, Intel network interface cards (NICs) for LAN connections are reliable, fast and not error-prone. Intel chipset NICs deliver higher throughput at a reduced CPU load. Source

So I went looking for open source firewall/router software and came across pfSense and OPNsense, among others. In the end I chose OPNsense: the software is actively maintained and I had a good feeling about it. There are many comparisons with pros and cons, so I won't go into that. I think OPNsense is a good successor to the USG and the sometimes clunky Unifi software. Within OPNsense I will use Suricata IDS/IPS to detect and mitigate security threats at wire speed, and WireGuard, a simple, fast VPN protocol. Neither was available with the USG, or only in a limited form.

An Intrusion Detection System (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors. An Intrusion Prevention System (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat. Source

I will also be using VLANs and setting these up on my Unifi switches and Unifi access point.

OPNsense Installation from USB Flash Drive

  1. Download the latest USB installer image (image type vga), for example OPNsense-22.1.2-OpenSSL-vga-amd64.img.bz2
  2. Open the bz2 file and extract the image, for example with 7-Zip
  3. Choose your installation method here and write the image to the USB flash drive. I did this via Linux/Ubuntu with the command: sudo dd if=OPNsense-22.1.2-OpenSSL-vga-amd64.img of=/dev/sda bs=16k. Note that dd overwrites whatever device of= points at, so if you need to find out the device path of the USB flash drive you can find more information here
  4. Let the system boot from the USB flash drive and wait until you can log in. You will then also see important information about the LAN and WAN ports. For example: LAN igb0 192.168.1.1/24 and WAN em0

The WAN port runs a DHCP client and expects to be assigned an IP address.
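The download and dd steps above are the two places where this procedure can go wrong silently: a tampered or corrupted image boots anyway, and dd happily overwrites the wrong disk. The following script is an added example, not part of the original post, that checks the downloaded .bz2 against the checksum list OPNsense publishes next to its images (the checksum file name and its BSD-style "SHA256 (file) = hash" lines are assumptions; GNU "hash  file" lines are accepted too), refuses any target that is not a removable whole disk or that carries the running root filesystem, and only then extracts and writes the image with the dd parameters used above.

```shell
#!/bin/sh
# Added example, not from the original post: verify the downloaded OPNsense image
# against its published checksum list, refuse unsafe dd targets, then write it.
# Assumption: the checksum file is the one published next to the image (a name
# such as OPNsense-22.1.2-OpenSSL-checksums-amd64.sha256 is assumed) in BSD
# format, "SHA256 (file) = hash"; GNU "hash  file" lines are accepted as well.
set -eu

# Return 0 only if the sha256 recorded for the image's basename matches the file.
verify_image_checksum() {
    sums="$1"; image="$2"; name=$(basename "$image")
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") { print $4; exit }   # BSD format
        $2 == n || $2 == ("*" n)            { print $1; exit }   # GNU format
    ' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Return 0 only if $1 is a whole removable disk (e.g. /dev/sdb, not /dev/sdb1)
# and not the disk holding the running root filesystem. dd has no such guard.
is_removable_disk() {
    dev="$1"; base=$(basename "$dev")
    [ -b "$dev" ] || return 1
    [ -f "/sys/block/$base/removable" ] || return 1
    [ "$(cat "/sys/block/$base/removable")" = "1" ] || return 1
    root_src=$(findmnt -n -o SOURCE / 2>/dev/null || true)
    case "$root_src" in "$dev"*) return 1 ;; esac
}

# Write the extracted .img with the post's dd parameters (status=progress is a GNU dd extra).
write_image() {
    image="$1"; dev="$2"
    is_removable_disk "$dev" || { echo "refusing to write to $dev" >&2; return 1; }
    sudo dd if="$image" of="$dev" bs=16k status=progress
    sync
}

# Usage: ./write-opnsense.sh <checksums.sha256> <OPNsense-...-vga-amd64.img.bz2> /dev/sdX
main() {
    verify_image_checksum "$1" "$2" || { echo "checksum mismatch for $2" >&2; exit 1; }
    bunzip2 -k "$2"                  # keeps the .bz2, writes the .img next to it
    write_image "${2%.bz2}" "$3"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The checksum list itself should be fetched over HTTPS from the OPNsense mirror and, where a signature is offered, verified before trusting it; the script only proves the image matches what the list says.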

  1. Then install OPNsense to the target system. Login:
    • User: installer
    • Password: opnsense
  2. Follow the setup. Keymap selection: choose your keymap. I chose the standard US layout: Continue with default keymap
  3. Install ZFS or UFS: I chose ZFS. ZFS seems to be less error-prone, for example in the event of a power failure
  4. In my case I then chose: Stripe - No Redundancy
  5. Select the target drive: in my case the SSD nvd0
  6. Confirm destroying the current contents of the disk
  7. When the installation is done:
    • It is good practice to change the root password: Change Root Password (Default user: root / password: opnsense)
    • Then choose Complete Install Exit and Reboot
  8. After the reboot, once I was able to log in again, I turned the system off, removed the installation media and turned the device back on

I then connected a laptop directly to the LAN port. Now you can navigate to https://192.168.1.1 to further configure OPNsense via the web UI.

OPNsense Configuration

My next steps will be (the order is not yet completely determined):

  • Configure the VLANs, interfaces and DHCP static mappings
  • Connect OPNsense to the internet and have updates installed
  • Replace the USG with OPNsense and set up the Unifi switch and AP for VLANs
  • Further configure OPNsense: e.g. firewall, mDNS, WireGuard, IDS/IPS
  • Connect devices to the switch and AP with the correct VLAN. For example, I will create a new IoT WLAN
