Skip to content

OPNSense

https://opnsense.org/

For detailed and up-to-date information, always refer to the official documentation: https://docs.opnsense.org/setup.html

OPNsense Image

Downloading the image

Download the image from: https://opnsense.org/

Image types (selected: dvd):

  • nano - A preinstalled serial image for 4GB USB sticks, SD or CF cards for use with low-end embedded devices
  • dvd - ISO installer image with live system capabilities running in VGA-only mode
  • vga - USB installer image with live system capabilities running in VGA-only mode
  • serial - USB installer image with live system capabilities running in serial console (115200) mode with secondary VGA support

Image preparation

Example downloaded image:

OPNsense-25.7-dvd-amd64.iso.bz2

Verifying the SHA256 checksum

Assumptions:

  • SHA256 - control sum from site
  • ISO - name of file .bz2
echo "SHA256 ISO" | sha256sum -c -

If the output is OK, the file is valid.

Extracting .bz2 to .iso:

bunzip2 OPNsense-25.7-dvd-amd64.iso.bz2

If bunzip2 is not installed: sudo pacman -S bzip2

Current project

More information about this project can be found in the home-lab section

Topology

Internet
    |
[ Home Router ]
    |
[ Arch Linux Host ]
    |
    +-- virbr0 (NAT) ---> WAN (OPNsense)
    |
    +-- virbr1 --------> LAN (OPNsense) ---> Client and Server VMs

Creating the LAN network interface

Create the directories and the network configuration file:

sudo mkdir -p /etc/libvirt/networks/xml && nano /etc/libvirt/networks/xml/lan-lab.xml

Example LAN network configuration:

<network>
    <name>lan-lab</name>
    <bridge name='virbr1' stp='on' delay='0'/>
    <ip address='10.0.0.1' netmask='255.255.255.0'>
        <dhcp>
            <range start='10.0.0.100' end='10.0.0.200'/>
        </dhcp>
    </ip>
</network>

Define the network:

sudo virsh net-define /etc/libvirt/networks/xml/lan-lab.xml

Start the network:

sudo virsh net-start lan-lab

Enable autostart:

sudo virsh net-autostart lan-lab

List available networks:

sudo virsh net-list -all

Expected working output:

 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes
 lan-lab   active   yes         yes

Preparing the OPNsense VM in QEMU/KVM

VM creation and installation are performed using Virtual Machine Manager (virt-manager).

opnsense-01

opnsense-02

opnsense-03

opnsense-04

opnsense-05

opnsense-06

opnsense-07

Order matters: WAN must be first.

Installing OPNsense

Start the VM.

When the message appears: Press any key to start the manual interface assignment: press any key

1 - Press any key

2 - N

3 - N

opnsense-08

To identify interfaces, refer to the second screenshot:

1 - WAN Interface (em0 in this case)

2 - LAN Interface (em1 in this case)

3 - No more interfaces Return

opnsense-09

1 - System information

2 - WAN interface

3 - LAN interface

opnsense-09a

To install OPNsense, log in as:

  • user: installer
  • password: (as documented in the official documentation)

Logging in as root (with the documented password) will start live mode instead of the installer.

Navigation in the installer is intuitive and uses:

  • arrow keys
  • space
  • enter
  • tab

Installation steps:

  1. Select keymap (use space to select) – Polish
  2. Install (ZFS)
  3. Stripe
  4. QEMU HARDDISK (only available option)
  5. Optionally change the root password
  6. Finalize installation

Interface configuration

After installation, the WAN interface usually receives a valid IPv4 address via DHCP, while the LAN interface is often misconfigured.

Select: 2) Set interface IP address

IMPORTANT

  • The LAN IP address and netmask must match the LAN network configuration (see Creating the LAN network interface)
  • The LAN IP address must be different from the bridge IP defined in the libvirt network file
  • The LAN IP address must be static, otherwise Web GUI access will not work
  • The DHCP range must match the range defined in the LAN network configuration

1 - Select LAN interface 1

2 - N

3 - 10.0.0.10

4 - 24

5 - Return

opnsense-10

1 - N

2 - N

3 - Return

4 - Y

5 - 10.0.0.100 – DHCP start address

6 - 10.0.0.200 – DHCP end address

7 - N

8 - N

9 - N

opnsense-11

The LAN interface IP address should now be updated.

Verification:

  1. Open the Web GUI: https://10.0.0.10

    If access fails, repeat the previous steps and switch HTTPS to HTTP when prompted.

  2. Connectivity tests:

    Where HOST_IP is the IP address of the machine running QEMU/KVM and OPNsense.

ping -c 3 8.8.8.8
ping -c 3 google.com
ping -c 3 HOST_IP

Removing a DHCP lease

Edit leases file

To manually remove a DHCP lease, log in to the OPNsense machine and edit the DHCP leases file:

vi /var/db/dhcpd.leases

Remove the appropriate lease entry, then save the file.

⚠️ Note

This method should be used with caution.

The preferred and safer approach is to remove or clear leases via the OPNsense web GUI: Services → DHCPv4 → Leases.

Restart dnsmasq

It can be done with GUI

Renewing the DHCP lease on the host

After removing the lease, the client must request a new DHCP address.

If the interface is managed by NetworkManager, first identify the interface:

nmcli device status

Then disconnect and reconnect the same interface:

sudo nmcli device disconnect ens3
sudo nmcli device connect ens3