Looking for a Specific Topic?
How to Install OPNsense on the Vault
OPNsense Overview
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. It is a popular choice for those interested in an open source firewall. More information about OPNsense can be found on the OPNsense website https://opnsense.org/
If you love using OPNsense with your Protectli Vault, consider donating to their project at: https://opnsense.org/donate/ (They deserve it!)
Video Tutorial
Below we have a video tutorial on how to install OPNsense on the Vault. Written instructions can be found below the video. The second video below contains information on connecting the Vault to your modem.
Pre-Install Information
OPNsense is a pre-install option for any of our Vault products if purchased directly from our website. By default, OPNsense assigns the LAN port to the first Ethernet port and the WAN port to the second Ethernet port. However, we will make changes to this depending on what unit is purchased.
If you select OPNsense as a preinstall option on a FW2/4/6 Vault, we will assign WAN to port 1 and LAN to port 2 to correlate with the written label on the faceplate of the unit.
On a V Series Vault, we will allow OPNsense to automatically determine the interface assignments, meaning port 1 will be LAN and port 2 will be WAN.
On a VP series Vault, we will allow OPNsense to automatically determine the interface assignments, meaning port 1 will be LAN and port 2 will be WAN. On the VP6600, the WAN and LAN will be configured to be the 10GbE interfaces (WAN will be ixl1 [SFP+2] and LAN will be ixl0 [SFP+1]).
Please keep in mind that you can configure this however you would like once you have the product in your hands. This can be modified in the OPNsense webGUI or console. Any ethernet port on the Vault can be configured to be WAN or LAN.
Check out the last section of this article for info on how we configure the interfaces if preinstalled by Protectli.
Default GUI Address and Login
LAN default IP address is 192.168.1.1 with DHCP enabled. Connect a computer to the LAN port of the Vault. Open a web browser like Firefox, Chrome, Edge, etc on the computer that is connected to the Vault.
Navigate to the default WebGUI access via 192.168.1.1 in the web browser
Default login credentials (all lowercase):
Username: root
Password: opnsense
Installing OPNsense
Obtain the Installation Image and Uncompress It
The OPNsense installation image can be downloaded from https://www.opnsense.org/download/. The same image can be used to install OPNsense on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Architecture” and “Image Type". The proper selections are as follows and shown in the screenshot below.
Architecture: AMD64 (64 bit)
Note: The 32 bit version will not work. Be sure to download the 64 bit version.
Image Type: VGA or Serial as needed. Use VGA if you plan on installing OPNsense with a monitor and keyboard connected to the Vault. Use Serial if you are installing OPNsense while utilizing the serial COM connection (use our guide here on using the Serial/COM Connection). What you choose here depends on how you want to access the OPNsense console. This is NOT how you will manage your OPNsense installation on a daily basis, but rather the way that you will access OPNsense in the event that you cannot log into the web UI.
Click the Download button after making the correct choices.
Note regarding OPNsense version: We typically recommend installing the newest available version of OPNsense that is available. When a new version of OPNsense is released, it may take us some time to fully qualify the OS for preinstalls. We will only preinstall versions of OPNsense that are 100% guaranteed to work with all our products. There is very little likelihood of new versions not working, though.
Uncompressing the Image and Burning to a USB
Now that the compressed image file has been downloaded, you will need to unzip the file that has been downloaded. On Windows, use a program like "7zip" or "WinRAR" to decompress the file. The resulting file should look the same, except that the file name will now end in ".img" instead of ".img.bz2".
The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “balenaEtcher” on MacOS. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.
Install OPNsense on the Vault
Once the OPNsense installation image is properly burned to the USB drive, it is ready to be installed on the Vault.
- Verify the Vault is powered off
- Verify a monitor (or COM cable/serial console) is connected
- Verify the wired USB keyboard is plugged in (ignore if using serial connection)
- While powering up the Vault, hold the <F11> key to open boot options
- Select your USB drive
- If you see a partition that mentions UEFI, select this one
- OPNsense should now start booting, lots of text will start flying across the screen (don't be scared!)
- Pay attention to the screen until you see a message stating: "Press any key to start the configuration importer" (This message may not show up with some coreboot firmware)
- Press the <Enter> key two times to skip this
- Pay attention until you see a message stating: "Press any key to start the manual interface assignment" (This message and the following few steps may not show up with some coreboot firmware, it may just skip to the login prompt and automatically set WAN to port 2 and LAN to port 1)
- Press <Enter> key
- When asked to configure LAGGs:
- Type "N" and hit <Enter>
- When asked to configure VLANs:
- Type "N" and hit <Enter>
This next part is very important. You must manually configure the interfaces so you actually have a WAN and LAN port to use. You should see a list of all the NICs (Ethernet Interfaces) shown on the screen. These will be different (igb, igc, ixl) depending on the NICs found in the Vault. They will be listed in numerical order. The interface ending in 0 is the very first Ethernet port on the unit, which will be signified by "WAN" or "1" or "SFP+1" on the chassis of the Vault. To make this as simple as possible for tutorial purposes, we will configure WAN to be the first Ethernet Port and LAN as the second ethernet port (If you bought OPNsense preinstalled from us, please refer to the chart at the bottom of this article for how we set them up for you):
- When asked to "Enter the WAN interface name":
- Type the interface name ending in 0 and hit <Enter>
- This may be igb0, igc0, ixl0, em0 depending on the Vault
- Type the interface name ending in 0 and hit <Enter>
- When asked to "Enter the LAN interface name":
- Type the interface name ending in 1 and hit <Enter>
- When asked to "Enter the Optional interface 1 name":
- Press your <Enter> key one time to skip
- You can setup the other interfaces at a later time by following this guide
- When asked "Do you want to proceed?"
- Type "y" and hit your <Enter> key
- It will start configuring the interfaces and other features
- You will eventually be prompted with a welcome message and a login
- Type installer for the login and hit <Enter>
- Type opnsense for the password and hit <Enter>
- A new installer screen should show up
- Continue with default keymap
- Select Install (ZFS) as the filesystem, hit <Enter>
- You should select UFS only if you are installing to an eMMC storage device on a V/VP series Vault
- Select Stripe – No Redundancy, hit <Enter>
- Highlight over the SSD by using the arrow keys, and press your SPACEBAR (please, please hit the spacebar key) to actually select the drive. You will see an [*] when the drive is selected. If you do not select the drive you will get an error.
- Hit <Enter>
- If prompted for a "Last Chance!" message, confirm that you want to completely overwrite the contents of your SSD by selecting: <Yes>
- Allow the installation to complete, reboot the system, unplug the USB drive from the Vault
Change Boot Order (UEFI coreboot only)
If you are on a unit with UEFI coreboot (VP Series, V Series, or FW4C), you may need to change the boot order in the coreboot menu to make sure the SSD with OPNsense is at the top of the boot order.
-
- Hold <DEL> at the time of boot to access the coreboot menu
- Navigate to Boot Maintenance Manager > Boot Options > Change Boot Order
- Hit <Enter> to select the first option
- Use arrow keys to highlight the SSD
- Press <Shift> and <+> to move it up to the top selection
- Hit <Enter>
- Hit <F10> to save
- Reboot
Accessing the OPNsense WebGUI
After the initial reboot:
- Connect a computer to the Vault's LAN port
- Browse to the OPNsense dashboard at 192.168.1.1 login with the default credentials.
- Username: root
- Password: opnsense
- If a warning regarding an insecure connection shows, simply ignore and continue (this is normal)
- Verify the dashboard is displayed
OPNsense has a comprehensive installation procedure that describes each step of the process here.
OPNsense BIOS Compatibility
The table below shows the compatibility of tested releases of OPNsense and BIOS on each of the Vaults.
| Vault | OPNsense Version | AMI BIOS – Legacy | AMI BIOS – UEFI | BIOS – coreboot |
|---|---|---|---|---|
| FW2B | 24.7 | Tested | Tested | Tested |
| FW4B | 24.7 | Tested | Tested | Tested |
| FW4C | 24.7 | Tested | Tested | Tested |
| FW6A | 24.7 | Tested | Tested | Tested |
| FW6B | 24.7 | Tested | Tested | Tested |
| FW6C | 24.7 | Tested | Tested | Tested |
| FW6D | 24.7 | Tested | Tested | Tested |
| FW6E | 24.7 | Tested | Tested | Tested |
| VP2410 | 24.7 | Tested | Tested | Tested |
| VP2420 | 24.7 | N/A | Tested | Tested |
| VP4630 | 24.7 | N/A | Tested | Tested |
| VP4650 | 24.7 | N/A | Tested | Tested |
| VP4670 | 24.7 | N/A | Tested | Tested |
| VP66XX | 24.7 | N/A | Tested | Tested |
| V1XXX Series | 24.7 | N/A | Tested | Tested |
| VP3200 Series | 24.7 | N/A | Tested | TBD |
Default Interface Assignments if Preinstalled by Protectli
| Model | WAN | LAN | OPT1 | OPT2 | OPT3 | OPT4 |
|---|---|---|---|---|---|---|
| FW2B | igb0 | igb1 | N/A | N/A | N/A | N/A |
| FW4B | igb0 | igb1 | igb2 | igb3 | N/A | N/A |
| FW4C | igc0 | igc1 | igc2 | igc3 | N/A | N/A |
| FW6 Series | igb0 | igb1 | igb2 | igb3 | igb4 | igb5 |
| VP2410 | igb1 | igb0 | igb2 | igb3 | N/A | N/A |
| VP2420 | igc1 | igc0 | igc2 | igc3 | N/A | N/A |
| VP4600 Series | igc1 | igc0 | igc2 | igc3 | igc4 | igc5 |
| VP6600 Series | ixl1 (SFP+2) | ixl0 (SFP+1) | igc0 | igc1 | igc2 | igc3 |
| V12XX | igc1 | igc0 | N/A | N/A | N/A | N/A |
| V14XX | igc1 | igc0 | igc2 | igc3 | N/A | N/A |
| V16XX | igc1 | igc0 | igc2 | igc3 | igc4 | igc5 |