Initial Installation & Configuration — OPNsense Wiki & Documentation documentation (2024)

Architecture¶

The software setup and installation of OPNsense® is available forx86-32 andx86-64 bit microprocessorarchitectures.

Embedded vs Full¶

Full installs can run on SD memorycards, solid-statedisks (SSD) orhard disk drives(HDD).

Since version 15.1.10 (04 May 2015) the option to install anembeddedOPNsense image is also supported.

The main differences between an embedded image and a full image are:

Embedded	Full
Uses NanoBSD	Uses FreeBSD
Writes to RAM disk	Writes to local disk
No log data retentionafter reboot	Log data retentionafter reboot
Not intended forlocal disk writes	Suitable for diskwrites.
Embedded only use	Can enable RAM diskfor embedded mode.

Embedded images (nanobsd) store logging and cache data in memory only, while full versionswill keep the data stored on the local drive. A full version can mimic thebehavior of an embedded version by enabling RAM disks, this is especiallyuseful for SD memory card installations.

⚠ See the chapter Hardware Setup forfurther information on hardware requirements prior to an install.

Download¶

The OPNsense distribution can be downloadedfrom one of our mirrors

OpenSSL & LibreSSL¶

OPNsense images are provided based upon OpenSSL.The LibreSSL flavor can be selected from withinthe GUI ( System⇒Firmware⇒Settings ). In order to apply your choice an updatemust be performed after save, which can include a reboot of the system.

Installation Method¶

Download the installation image from one of the mirrors listed on the OPNsense website.

The easiest method of installation is the USB-memstick installer. Ifyour target platform has a serial interface choose the “serial image.64-bit and 32-bit install images are provided. The following examplesapply to both.

Write the image to a USB flash drive (>= 1GB) or an IDE hard disk,either with dd under FreeBSD or under Windows with physdiskwrite

Before writing an (iso) image you need to unpack it first (use bunzip2).

FreeBSD

dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k

Where X = the device number of your USB flash drive (check dmesg)

OPNsense Importer¶

All images feature the new “opnsense-importer” utility, which is now invokedinstead of the early installer. You can stop the automatic timeout by pressingany key. Afterwards you will have the opportunity to select a disk to importfrom. If the option times out or the importer is exited without a disk selection,the factory defaults will be used for the boot.

The next prompt will be for manual interface selection.This step is well-established since OPNsense 15.7 .

Live environment¶

The system will then continue into a live environment. If the config importerwas used previously on an existing installation, the system will boot up with afully functional setup, but will not overwrite the previous installation. Usethis feature for safely previewing upgrades.

If you have used a CD-ROM, VGA, Serial image without a config import you are bydefault able to (a) log into the root shell using the user “root” with password“opnsense”, or (b) log into the installer using the user “installer” withpassword “opnsense”. The GUI will listen on https://192.168.1.1/ for user “root”with password “opnsense”. Using SSH, the “root” and “installer” users areavailable as well on IP 192.168.1.1. Note that these install medias areread-only, which means your current live configuration will be lost after reboot.

Nano Image¶

If you have used a Nano image, your system is already up and running as it isdesigned as such. It is set to read-write attempting to minimise write cycles bymounting relevant partitions as memory file systems. If you should require aninstaller anyway, log in as user “root”, select option 8 from the menu and type“opnsense-installer”. The “opnsense-importer” can be run this way as well shouldyou require to run the import again.

Create a bootable USB flash drive with the downloaded and unpacked imgfile. Configure your system to boot from USB.

Installation Steps¶

The installation process involves a few simple steps.

Note

To invoke the installer login with user installer and passwordopnsense

Tip

The installer can also be started from the network using ssh, default ipaddress is 192.168.1.1

Configure console - The default configuration should be fine for mostoccasions.
Select task - The Quick/Easy Install option should be fine for mostoccasions. For installations on embedded systems or systems with minimaldiskspace choose Custom Installation and do not create a swap slice.Continue with default settings.
Are you SURE? - When proceeding OPNsense will be installed on thefirst hard disk in the system.
Reboot - The system is now installed and needs to be rebooted tocontinue with configuration.

Warning

You will lose all files on the installation disk. If another disk is to beused then choose a Custom installation instead of the Quick/Easy Install.

Initial configuration¶

After installation the system will prompt you for the interfaceassignment, if you ignore this then default settings are applied.Installation ends with the login prompt.

By default you have to log in to enter the console.

Welcome message

* * * Welcome to OPNsense [OPNsense 15.7.25 (amd64/OpenSSL) on OPNsense * * *WAN(em1) ->LAN(em0) -> v4: 192.168.1.1/24FreeBSD/10.1 (OPNsense.localdomain) (ttyv0)login:

Tip

A user can login to the console menu with hiscredentials. The default credentials after a fresh install are username “root”and password “opnsense”.

VLANs and assigning interfaces: If choose to do manual interface assignment or when no config file can befound then you are asked to assign Interfaces and VLANs. VLANs are optional.If you do not need VLAN’s then choose no. You can always configureVLAN’s at a later time.
LAN, WAN and optional interfaces: The first interface is the LAN interface. Type the appropriateinterface name, for example “em0”. The second interface is the WANinterface. Type the appropriate interface name, eg. “em1” . Possibleadditional interfaces can be assigned as OPT interfaces. If youassigned all your interfaces you can press [ENTER] and confirm thesettings. OPNsense will configure your system and present the loginprompt when finished.
Minimum installation actions: In case of a minimum install setup (i.e. on CF cards), OPNsense canbe run with all standard features, expect for the ones that requiredisk writes, e.g. a caching proxy like Squid. Do not create a swapslice, but a RAM Disk instead. In the GUI enable System⇒Settings⇒Miscellaneous⇒RAM Disk Settingsand set the size to 100-128 MB or more, depending on your available RAM.Afterwards reboot.

Enable RAM disk manually

Then via console, check your /etc/fstab and make sure your primarypartition has rw,noatime instead of just rw.

Console

The console menu shows 13 options.

0) Logout 7) Ping host1) Assign interfaces 8) Shell2) Set interface(s) IP address 9) pfTop3) Reset the root password 10) Filter logs4) Reset to factory defaults 11) Restart web interface5) Reboot system 12) Upgrade from console6) Halt system 13) Restore a configuration

Table: The console menu

opnsense-update

OPNsense features a command lineinterface (CLI) tool “opnsense-update”. Via menu option 8)Shell, the user canget to the shell and use opnsense-update.

For help type opnsense-update -help and [Enter]

Upgrade from console

The other method to upgrade the system is via console option 12) Upgrade from console

GUI

An update can be done through the GUI via System⇒Firmware⇒Updates.