Step 3: Installing the OPNsense Firewall

Are you considering using OPNsense as your firewall solution? If so, you're in the right place! In this article, we'll walk you through the steps to install OPNsense on VMware ESXi.

VMware ESXi, as a type-1 hypervisor, allows you to run multiple virtual machines on a single physical server, making it an ideal platform for testing and deploying our firewall solution. We'll cover the prerequisites, installation process, and provide some helpful resources along the way to ensure a successful installation. Let's get started!

Preparation

Before starting the installation process, make sure that you have downloaded the latest version of the OPNsense ISO image. Also, ensure that your VMware ESXi server is up-to-date with the latest patches and security updates. Once you have all the necessary prerequisites, follow the step-by-step instructions in the resources provided to complete the installation process. If you encounter any issues during the installation, refer to the troubleshooting section in the resources or seek assistance from the FreeBSD or OPNsense community forums.

The versions used for this demonstration and walkthrough are in the table below:

Software    Version                          Source
OPNsense    23.1.7 “Quintessential Quail”
ESXi        8 U1

The required resources to run the Virtual Machine are:

  • At least 2 GB of RAM

  • At least 20 GB of free disk space

  • At least 1 vCPU

Ensure that the virtual machine is configured with at least two network interfaces: one for WAN and one for LAN. This will allow you to connect OPNsense to your physical network and configure it as your firewall solution. Further information on hardware sizing and setup can be found in the OPNsense documentation.

Creating the OPNsense Virtual Machine on ESXi

  1. Open the VMware ESXi web interface and navigate to the virtual machine inventory.

  2. Click "Create/Register VM" and select "Create a new virtual machine."

  3. Enter a name for the virtual machine and select the guest operating system family as "Other" and the version as "FreeBSD 13.x 64-bit".

  4. Select the datastore where the virtual machine files will be stored.

  5. Configure the virtual hardware to meet the aforementioned minimum specifications.

  6. Add two network adapters, one for WAN and one for LAN.

  7. Mount the OPNsense ISO image to the virtual CD/DVD drive.

  8. Power on the virtual machine and wait for the boot to present the OPNsense login prompt.

  9. Log in using the installer credentials supplied in the OPNsense documentation (user installer, password opnsense) to begin the installer wizard.

  10. Select the keymap: ‘Continue with default keymap’ for English.

  11. Choose storage configuration, ‘Install (ZFS)’, Stripe - No Redundancy.

  12. Change the default root password, because we are good security-conscious people.

  13. Select the ‘Exit and reboot’ option to complete the installation.

With these steps, you should now have a virtual machine running the OPNsense firewall solution on your VMware ESXi server. If you encounter any issues during the installation process, refer to the resources provided or seek assistance from the FreeBSD or OPNsense community forums.

Configuring OPNsense Access

  1. Once the reboot has completed and the login screen is displayed, enter the username root and the password set during the installation.

  2. By default, OPNsense assigns the WAN interface to vmx0, which needs to be changed. Select option 1, Assign Interfaces.

  3. Select N for ‘LAGG’ and ‘VLAN’ configuration.

  4. Enter the WAN interface, vmx0 in this example.

  5. Enter the LAN interface, vmx1 in this example.

  6. Enter any optional interfaces if connected. Take note of the MAC addresses so that each interface is assigned to the right network.

  7. Wait for the interface assignment to apply the settings and return to the option selection screen.

By default, OPNsense denies inbound connections on the WAN. To access the GUI, you must either connect from a host on the LAN or disable the FreeBSD packet filter. To disable the packet filter, complete the steps below. While the packet filter is disabled, OPNsense filters no traffic on any interface. Note that the packet filter will be re-enabled upon reboot. Therefore, it is recommended that you add a firewall rule to allow traffic from a designated host on the WAN.

  1. Select option 8 to enter the OPNsense Shell.

  2. Type the command pfctl -d to disable the packet filter.

  3. Access the OPNsense GUI via the assigned WAN IP address from a host on the WAN.

  4. Log in with the same credentials: username root and the password set at installation.

Configuring OPNsense via the GUI

Setting a WAN Access Firewall Rule

  1. Upon initial login to the OPNsense GUI, the option for a General Setup using the Wizard is offered. DO NOT select the ‘Next’ button yet: a firewall rule must first be created to ensure WAN access to the firewall.

  2. Choose the Firewall > Rules > WAN dashboard and select the ‘Add’ plus symbol from the top right.

  3. Set the ‘Source’ to ‘Single host or Network’ and enter the IP address of the WAN host that will be allowed to access the firewall. Next, set the ‘Destination’ to ‘This Firewall’, add a description, then save the rule.

  4. Apply the changes once returned to the WAN Firewall Rules dashboard.

  5. Choose the System > Wizard menu option, and then select ‘Next’ to configure additional parameters.
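An added example (not part of the original article): a POSIX sh helper for the two procedures above. It confirms that the packet filter is enabled again after the temporary pfctl -d and lists WAN pass rules that still admit any source to the firewall itself. The sample pfctl output is constructed, the function names are hypothetical, and it assumes the ‘This Firewall’ destination appears as (self) in the output of pfctl -s rules.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run after the
# temporary `pfctl -d` step. Both functions read pfctl output on stdin.

# Succeeds only if `pfctl -s info` output reports "Status: Enabled".
pf_enabled() {
    awk '$1 == "Status:" { seen = 1; up = ($2 == "Enabled") }
         END { exit !(seen && up) }'
}

# Prints inbound pass rules on interface $1 whose source is "any" and whose
# destination is "(self)" -- assumed to be how "This Firewall" is rendered.
open_self_rules() {
    awk -v ifc="$1" '
        $1 == "pass" && $2 == "in" {
            hit = 0; src = ""; dst = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "label") break            # skip the free-text label
                if ($i == "on" && $(i+1) == ifc) hit = 1
                if ($i == "from" && src == "") src = $(i+1)
                if ($i == "to" && dst == "") dst = $(i+1)
            }
            if (hit && src == "any" && dst == "(self)") print
        }'
}

# Constructed sample output; the addresses are documentation ranges.
SAMPLE_INFO_OFF='Status: Disabled for 0 days 00:03:10          Debug: Urgent'
SAMPLE_INFO_ON='Status: Enabled for 0 days 00:00:42           Debug: Urgent'
SAMPLE_RULES='block drop in log on vmx0 inet all label "default deny"
pass in quick on vmx0 inet proto udp from any port = bootps to any port = bootpc keep state label "dhcp client"
pass in quick on vmx0 inet from 203.0.113.25 to (self) flags S/SA keep state label "WAN admin host"
pass in quick on vmx0 inet proto tcp from any to (self) port = https flags S/SA keep state label "too broad"
pass in quick on vmx1 inet from any to (self) flags S/SA keep state label "LAN access"'

if printf '%s\n' "$SAMPLE_INFO_OFF" | pf_enabled; then
    echo "pf: enabled"
else
    echo "pf: DISABLED - nothing is being filtered; run pfctl -e"
fi
printf '%s\n' "$SAMPLE_RULES" | open_self_rules vmx0

# On the firewall, feed the functions live output instead of the samples:
#   pfctl -s info  | pf_enabled || pfctl -e
#   pfctl -s rules | open_self_rules vmx0
```

Only the rule labelled "too broad" is printed for vmx0; the rule scoped to the single admin host and the DHCP client rule are not flagged.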

Configuring Optional Interfaces

The OPNsense Wizard will only configure the WAN and LAN interfaces. If there are optional interfaces connected, they must be configured manually.

  1. Navigate to Interfaces > [OPT#] to display the optional interface configuration.

  2. Set parameters as desired. In the demonstration example, the ‘Description’ is set to identify the network, the ‘IPv4 Configuration Type’ is set to ‘Static IPv4’, the interface ‘MAC address’ is set using the details on the ESXi NIC, and a static IP address is set in the ‘IPv4 address’ configuration.

Configuring DHCPv4 for Network Interfaces

  1. Navigate to Services > DHCPv4 > [Interface name] to display the DHCP server information for the chosen interface.

  2. Change the ‘Range’ values as desired for the DHCP scope. In the demonstration example, the range is set from 10.10.10.10 to 10.10.10.245 for the /24 ‘Droid’ subnet.

  3. To set static DHCP mappings, use the option at the bottom of the page, where a host's MAC address can be mapped to a static IP address.

Adding Additional Plugins to OPNsense

Plugins are packages offered by OPNsense which can be installed directly via the user interface and often come with setup options.

  1. Navigate to System > Firmware > Plugins to access the list of available plugins.

  2. Find a plugin to install. This example uses the VMware Tools package, which is listed as ‘os-vmware’.

  3. Select the ‘install’ option, represented as the plus mark on the far right. The plugin will then be installed.

Resources
