Have a Question?

OPNsense on the Vault


OPNsense Overview

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform.  It is a popular choice for those interested in an open source firewall.  More information about OPNsense can be found on the OPNsense website https://opnsense.org/

Pre-Installed information

OPNsense can now be selected as a pre-installed option during checkout. By default, OPNsense assigns the LAN port to the first Ethernet port and the WAN port to the second Ethernet port.

WAN and LAN are assigned to correctly match the ports as labeled on the Vault. The VP4600/Vp2400 series has numbered ports, not specifically labelled “WAN” and “LAN”. The VP4600/VP2400 series use the OPNsense defaults and  LAN is assigned to “1” and WAN is assigned to “2”.

LAN default IP address is with DHCP enabled

WebUI access via

Default login credentials: 



Install OPNsense

Obtain the Installation Image and Uncompress it

The OPNsense installation image can be downloaded from https://www.opnsense.org/download/. The same image can be used to install OPNsense on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Architecture” and “Image Type”.  The proper selections are as follows and shown in the screenshot below.

Architecture: AMD64 (64 bit) Note: The 32 bit version will not work.  Be sure to download the 64 bit version.

Image Type: VGA or Serial as needed.  What you choose here depends on how you want to access the OPNsense console.  This is NOT how you will manage your OPNsense installation on a daily basis, but rather the way that you will access OPNsense in the event that you cannot log into the web UI.  A Serial console installation allows you to interface with the OPNsense console without a physical keyboard or monitor.  In order to use the serial connection, you will need to use the blue RJ45 to serial cable provided with your vault.  If your computer does not have a DB9 serial connection, you will need a USB to serial adapter.  A VGA installation will require a USB keyboard and HDMI monitor (FW2B, FW4B, FW4C, FW6, VP) or VGA monitor (FW1, FW2, FW4A).

protectli opnsense select image type

OPNsense Download Page

This article shows an example installation with version 19.1 of OPNsense.  Unless advised to the contrary, we recommend downloading the latest available version. (The newest version we have tested is 23.1 “Quintessential Quail”)

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file.  The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Burn the Installation Image to a USB Drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “balenaEtcher” on Apple OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.

Note: If using the Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and the USB keyboard with a plug that is relatively skinny.  The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Verify the BIOS Mode

As mentioned above there is a simple fix to the bug introduced in 11.2. By changing the BIOS mode to UEFI the issue is resolved. We have a Knowledge Base article which gives step by step instructions linked here. If the unit is a VP2400 series, VP4630, or VP4650 and has coreboot installed, it will be in UEFI mode by default.

Install the Operating System on the Vault

Once the OPNsense installation image is properly copied to the USB drive, it is ready to be installed on the Vault.

Important Note: The ports marked “WAN” and “LAN” are reversed when using OPNsense. In order to correct this issue see the PORT REVERSAL section below. For the VP2400 and VP4600, the ports are numbered, not specifically “WAN” and “LAN”, so port reversal is not needed, but the configuration steps are shown below.

  • Verify the Vault is powered down
  • Verify the monitor is connected
  • Verify the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
  • While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
  • Select “Advanced” tab
  • Select “CSM Configuration”
  • Select “Boot option filter”
  • Select “UEFI only”
  • Press “F4” to save and exit the BIOS
  • Power off the unit and insert the USB install drive into the other USB port on the Vault
  • While powering up the Vault again, press “F11” key and verify that it boots to the BIOS boot options screen.
    • NOTE: If using the serial installer, F11 commonly will not show the boot options menu.  In this case, use the “DEL” key to enter the BIOS.  In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.
  • Select the USB drive UEFI partition to boot from


  • Press any key to continue

  • enter the following command:N

  • For FW6A, Br2, C, D, E enter the following command:igb0
  • For FW2B and FW4B enter the following command: igb0
  • For FW4C enter the following command: igc0
  • For VP2410 enter the following command: igb1
  • For VP2420 enter the following command: igc1
  • For VP4600 Series enter the following command: igc1

  • For FW6A, Br2, C, D, E enter the following command: igb1
  • For FW2B and FW4B enter the following command: igb1
  • For FW4C enter the following command: igc01
  • For VP2410 enter the following command: igb0
  • For VP2420 enter the following command: igc0
  • For VP4600 Series enter the following command: igc0
  • If you have additional interfaces those can be configured in the GUI after install is complete
  • Verify login prompt occurs. In order to finish install of OPNsense, login as user “installer” with password “opnsense”
  • Verify installation screen appears. Follow the prompts on the screen to complete the installation
  • Note: If installing on a VP2400 or VP4600 series with coreboot flashed, make sure to select ZFS or UFS (UEFI). If installing on eMMC please only select UFS.
  • When prompted, reboot the system
  • Verify unit reboots to login prompt
  • Browse to the OPNsense dashboard at login with the default credentials. Username: root Password: opnsense
  • Verify the dashboard is displayed

OPNsense has a comprehensive installation procedure that describes each step of the process here.

protectli opnsense dashboard

OPNsense Dashboard

When prompted, reboot the unit. If it is a VP2400 series with coreboot, follow the instructions to edit the boot order at:

OPNsense BIOS Compatibility

The table below shows the compatibility of tested releases of OPNsense and BIOS on each of the Vaults.

VaultOPNsense VersionAMI BIOS - LegacyAMI BIOS - UEFIBIOS - coreboot

OPNsense Port Assignments

When installing OPNsense with default settings the WAN and LAN ports will be swapped. This means that the very first port on your Vault will be the LAN port, and the second port will be WAN. If you order a Vault from Protectli that is pre-configured with OPNsense, we will use the “Recommended Assignments”, which will correlate with the labels found on the Vault. The VP series Vaults will use the default assignments. Please review the following charts for both the default port assignments as well as Protectli’s recommended assignments.

Default Port Assignments

FW6 Seriesigb1igb0igb2igb3igb4igb5
VP4600 Seriesigc1igc0igc2igc3igc4igc5

Recommended Port Assignments

FW6 Seriesigb0igb1igb2igb3igb4igb5
VP4600 Seriesigc1igc0igc2igc3igc4igc5
Table of Contents