OPNsense on the Vault

OPNsense Overview

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD-based firewall and routing platform. It is a popular choice for those interested in an open source firewall. More information about OPNsense can be found on the OPNsense website: https://opnsense.org/

If you love using OPNsense with your Protectli Vault, consider donating to their project at: https://opnsense.org/donate/ (They deserve it!)

Pre-Install Information

OPNsense is a pre-install option for any of our Vault products if purchased directly from our website. By default, OPNsense assigns the LAN port to the first Ethernet port and the WAN port to the second Ethernet port. However, we will make changes to this depending on what unit is purchased.

If you select OPNsense as a preinstall option on a FW2/4/6 Vault, we will assign WAN to port 1 and LAN to port 2 to correlate with the written label on the faceplate of the unit. 

On a V Series Vault, we will allow OPNsense to automatically determine the interface assignments, meaning port 1 will be LAN and port 2 will be WAN.

On a VP series Vault, we will allow OPNsense to automatically determine the interface assignments, meaning port 1 will be LAN and port 2 will be WAN. On the VP6600, the WAN and LAN will be configured to be the 10GbE interfaces (WAN will be ixl1 [SFP+2] and LAN will be ixl0 [SFP+1]).

Please keep in mind that you can configure this however you would like once you have the product in your hands. This can be modified in the OPNsense webGUI or console. Any ethernet port on the Vault can be configured to be WAN or LAN. 

Check out the last section of this article for info on how we configure the interfaces if preinstalled by Protectli.

Default GUI Address and Login

The default LAN IP address is 192.168.1.1, with DHCP enabled. Connect a computer to the LAN port of the Vault. Open a web browser (Firefox, Chrome, Edge, etc.) on the computer that is connected to the Vault.

Navigate to the default WebGUI address, 192.168.1.1, in the web browser.

Default login credentials (all lowercase): 

Username: root

Password: opnsense

Installing OPNsense

Obtain the Installation Image and Uncompress It

The OPNsense installation image can be downloaded from https://www.opnsense.org/download/. The same image can be used to install OPNsense on any of the Vault platforms. It is important to choose the correct options when downloading the image, including "Architecture" and "Image Type". The proper selections are as follows and shown in the screenshot below.

Architecture: AMD64 (64 bit) 

Note: The 32 bit version will not work.  Be sure to download the 64 bit version.

Image Type: VGA or Serial as needed.  Use VGA if you plan on installing OPNsense with a monitor and keyboard connected to the Vault. Use Serial if you are installing OPNsense while utilizing the serial COM connection (use our guide here on using the Serial/COM Connection). What you choose here depends on how you want to access the OPNsense console.  This is NOT how you will manage your OPNsense installation on a daily basis, but rather the way that you will access OPNsense in the event that you cannot log into the web UI. 

Click the Download button after making the correct choices.

Note regarding OPNsense version: We typically recommend installing the newest available version that we have qualified, which is 23.7 at the time of updating this article. However, there is a relatively low chance of major issues occurring if you would rather use the newest available version. We strive to qualify the newest available version of OPNsense at any given time, but after a major release it may take a while for us to qualify it on all of our products.

Uncompressing the Image and Burning to a USB

Now that the compressed image file has been downloaded, you will need to decompress it. On Windows, use a program like "7zip" or "WinRAR". The resulting file should look the same, except that the file name will now end in ".img" instead of ".img.bz2".

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “balenaEtcher” on MacOS. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.

Install OPNsense on the Vault

Once the OPNsense installation image is properly burned to the USB drive, it is ready to be installed on the Vault.

  • Verify the Vault is powered off
  • Verify a monitor (or COM cable/serial console) is connected
  • Verify the wired USB keyboard is plugged in (ignore if using serial connection)
  • While powering up the Vault, hold the <F11> key to open boot options
  • Select your USB drive
    • If you see a partition that mentions UEFI, select this one
  • OPNsense should now start booting, lots of text will start flying across the screen (don't be scared!)
  • Pay attention to the screen until you see a message stating: "Press any key to start the configuration importer"
  • Press the <Enter> key two times to skip this
  • Pay attention until you see a message stating: "Press any key to start the manual interface assignment"
  • Press <Enter> key
  • When asked to configure LAGGs:
    • Type "N" and hit <Enter>
  • When asked to configure VLANs:
    • Type "N" and hit <Enter>

This next part is very important. You must manually configure the interfaces so you actually have a WAN and LAN port to use. You should see a list of all the NICs (Ethernet Interfaces) shown on the screen. These will be different (igb, igc, ixl) depending on the NICs found in the Vault. They will be listed in numerical order. The interface ending in 0 is the very first Ethernet port on the unit, which will be signified by "WAN" or "1" or "SFP+1" on the chassis of the Vault. To make this as simple as possible for tutorial purposes, we will configure WAN to be the first Ethernet Port and LAN as the second ethernet port:

  • When asked to "Enter the WAN interface name":
    • Type the interface name ending in 0 and hit <Enter>
      • This may be igb0, igc0, ixl0, em0 depending on the Vault
  • When asked to "Enter the LAN interface name":
    • Type the interface name ending in 1 and hit <Enter>
  • When asked to "Enter the Optional interface 1 name":
    • Press your <Enter> key one time to skip
    • You can setup the other interfaces at a later time by following this guide
  • When asked "Do you want to proceed?"
    • Type "y" and hit your <Enter> key
  • It will start configuring the interfaces and other features
  • You will eventually be prompted with a welcome message and a login
    • Type installer for the login and hit <Enter>
    • Type opnsense for the password and hit <Enter>
  • A new installer screen should show up
  • Continue with default keymap
  • Select Install (ZFS) as the filesystem, hit <Enter>
    • You should select UFS only if you are installing to an eMMC storage device on a VP series Vault
  • Select Stripe – No Redundancy, hit <Enter>
  • Highlight over the SSD by using the arrow keys, and press your SPACEBAR (please, please hit the spacebar key) to actually select the drive. You will see an [*] when the drive is selected. If you do not select the drive you will get an error.
  • Hit <Enter>
  • If prompted for a "Last Chance!" message, confirm that you want to completely overwrite the contents of your SSD by selecting:  <Yes>
  • Allow the installation to complete, reboot the system, unplug the USB drive from the Vault

Change Boot Order (UEFI coreboot only)

If you are on a unit with UEFI coreboot (VP Series or FW4C), you may need to change the boot order in the coreboot menu to make sure the SSD with OPNsense is at the top of the boot order.

    • Hold <DEL> at the time of boot to access the coreboot menu
    • Navigate to Boot Maintenance Manager > Boot Options > Change Boot Order
      • Hit <Enter> to select the first option
      • Use arrow keys to highlight the SSD
      • Press <Shift> and <+> to move it up to the top selection
      • Hit <Enter>
      • Hit <F10> to save
      • Reboot

Accessing the OPNsense WebGUI

After the initial reboot:

  • Connect a computer to the Vault's LAN port
  • Browse to the OPNsense dashboard at 192.168.1.1 and log in with the default credentials.
    • Username: root
    • Password: opnsense
  • If a warning regarding an insecure connection shows, simply ignore and continue (this is normal: a fresh install presents a self-signed certificate)
  • Verify the dashboard is displayed

 

OPNsense has a comprehensive installation procedure that describes each step of the process here.

OPNsense BIOS Compatibility

The table below shows the compatibility of tested releases of OPNsense and BIOS on each of the Vaults.

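| Vault | OPNsense Version | AMI BIOS – Legacy | AMI BIOS – UEFI | BIOS – coreboot |
|---|---|---|---|---|
| FW2B | 23.7 | Tested | Tested | Tested |
| FW4B | 23.7 | Tested | Tested | Tested |
| FW4C | 23.7 | Tested | Tested | Tested |
| FW6A | 23.7 | Tested | Tested | Tested |
| FW6B | 23.7 | Tested | Tested | Tested |
| FW6C | 23.7 | Tested | Tested | Tested |
| FW6D | 23.7 | Tested | Tested | Tested |
| FW6E | 23.7 | Tested | Tested | Tested |
| VP2410 | 23.7 | Tested | Tested | Tested |
| VP2420 | 23.7 | N/A | Tested | Tested |
| VP4630 | 23.7 | N/A | Tested | Tested |
| VP4650 | 23.7 | N/A | Tested | Tested |
| VP4670 | 23.7 | N/A | Tested | Tested |
| VP66XX | 23.7 | N/A | Tested | TBD |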

Default Interface Assignments if Preinstalled by Protectli

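| Model | WAN | LAN | OPT1 | OPT2 | OPT3 | OPT4 |
|---|---|---|---|---|---|---|
| FW2B | igb0 | igb1 | N/A | N/A | N/A | N/A |
| FW4B | igb0 | igb1 | igb2 | igb3 | N/A | N/A |
| FW4C | igc0 | igc1 | igc2 | igc3 | N/A | N/A |
| FW6 Series | igb0 | igb1 | igb2 | igb3 | igb4 | igb5 |
| VP2410 | igb1 | igb0 | igb2 | igb3 | N/A | N/A |
| VP2420 | igc1 | igc0 | igc2 | igc3 | N/A | N/A |
| VP4600 Series | igc1 | igc0 | igc2 | igc3 | igc4 | igc5 |
| VP6600 Series | ixl1 (SFP+2) | ixl0 (SFP+1) | igc0 | igc1 | igc2 | igc3 |
| V Series | igc1 | igc0 | N/A | N/A | N/A | N/A |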