tutorial·2026-04-09·10 min read

How to Set Up OPNsense on FreeBSD Bare Metal

Complete guide to installing OPNsense on bare metal: hardware selection, installation, WAN/LAN configuration, firewall rules, VPN setup, plugins, and update management.

OPNsense is a FreeBSD-based firewall and routing platform. It is a fork of pfSense with a focus on security, code quality, and regular updates. Running it on bare metal (dedicated hardware rather than a VM) gives you the best performance and eliminates hypervisor overhead for your network's most critical component.

This guide covers hardware selection, installation, initial WAN/LAN configuration, firewall rule creation, VPN setup, useful plugins, and update management. By the end, you will have a production-ready firewall appliance.

Hardware Selection

OPNsense runs on standard x86_64 hardware. The right hardware depends on your throughput requirements.

Minimum Requirements

| Component | Minimum | Recommended |
|---|---|---|
| CPU | 64-bit, 1 GHz dual-core | Intel i3/i5 or AMD Ryzen |
| RAM | 2 GB | 8 GB (16 GB with IDS/IPS) |
| Storage | 16 GB SSD | 120 GB SSD |
| NICs | 2 (WAN + LAN) | 4+ (WAN, LAN, DMZ, etc.) |

Purpose-built appliances: Protectli, Qotom, and Yanling mini PCs with Intel NICs are popular choices. They are fanless, low power, and have multiple Intel i225-V or i226-V 2.5G NICs.

Server hardware: Supermicro or HP MicroServers work well for higher throughput. Look for Intel NICs (igb or ix driver supported).

Avoid: Realtek NICs (the re driver has known performance issues under high load) and consumer Wi-Fi adapters (OPNsense needs Ethernet for WAN and LAN; handle Wi-Fi with a separate access point).

NIC Recommendations

Intel NICs are strongly recommended. FreeBSD's Intel drivers (igb, em, ix, ice) are mature and performant:

  • 1 GbE: Intel i210, i211, i350
  • 2.5 GbE: Intel i225-V, i226-V
  • 10 GbE: Intel X520, X540, X710

Downloading OPNsense

Download the installer from the OPNsense website or mirror:

```sh
fetch https://mirror.dns-root.de/opnsense/releases/24.7/OPNsense-24.7-dvd-amd64.iso.bz2
bunzip2 OPNsense-24.7-dvd-amd64.iso.bz2
```

For USB installation media:

```sh
fetch https://mirror.dns-root.de/opnsense/releases/24.7/OPNsense-24.7-vga-amd64.img.bz2
bunzip2 OPNsense-24.7-vga-amd64.img.bz2
```

Write to a USB drive:

```sh
dd if=OPNsense-24.7-vga-amd64.img of=/dev/da0 bs=1m status=progress
```

Replace /dev/da0 with your actual USB device. Double-check the device name to avoid overwriting the wrong disk.

Installation

Boot from USB

Connect the USB drive, a monitor, and a keyboard, then boot from USB (on most BIOSes, F12 or F2 opens the boot menu).

Installer Steps

  1. OPNsense boots into a live environment. Log in with user installer and password opnsense.
  2. The installer launches automatically. Select your keymap.
  3. Choose Install (ZFS) for a ZFS-based installation (recommended) or Install (UFS) for traditional UFS.
  4. For ZFS, select your disk layout:
     • Stripe for a single disk
     • Mirror for two disks (recommended for reliability)
  5. Select the target disk(s).
  6. Confirm and wait for the installation to complete.
  7. Set the root password when prompted.
  8. Reboot and remove the USB drive.

ZFS Installation Options

If you choose ZFS (recommended):

```shell
Pool Type: stripe (single disk) or mirror (two disks)
Disk(s): ada0 (and ada1 for mirror)
Pool Name: zroot
Force 4K Sectors: YES
Encrypt Disks: Optional (GELI encryption)
Swap Size: 2G-4G
```

ZFS gives you snapshots before upgrades, which makes rollbacks trivial.

Initial Configuration

Console Interface Assignment

After first boot, OPNsense presents a console menu. Assign interfaces:

```shell
1) Assign Interfaces
Do you want to configure VLANs now? [y/N]: N
Enter the WAN interface name: igb0
Enter the LAN interface name: igb1
Enter the Optional 1 interface name (or nothing if finished): [Enter]
Do you want to proceed? [y/N]: y
```

Set LAN IP Address

From the console menu:

```shell
2) Set interface IP address
Enter the number of the interface to configure: 1 (LAN)
Configure IPv4 address LAN interface via DHCP? [y/N]: N
Enter the new LAN IPv4 address: 192.168.1.1
Enter the new LAN IPv4 subnet bit count: 24
For a WAN, enter the new upstream gateway: [Enter]
Do you want to enable the DHCP server on LAN? [y/N]: y
Enter the start address of the client range: 192.168.1.100
Enter the end address of the client range: 192.168.1.200
```

WAN Configuration

If your WAN uses DHCP (most ISPs):

```shell
2) Set interface IP address
Enter the number of the interface to configure: 0 (WAN)
Configure IPv4 address WAN interface via DHCP? [y/N]: y
```

For PPPoE (some DSL connections), configure this through the web interface later.

Web Interface Setup

Access the Dashboard

Connect a computer to the LAN port. It should receive a DHCP address in the 192.168.1.100-200 range. Open a browser and navigate to:

```shell
https://192.168.1.1
```

Accept the self-signed certificate warning. Log in with:

  • Username: root
  • Password: the password you set during installation

Initial Wizard

The setup wizard walks through:

  1. General Information: Hostname, domain, DNS servers
  2. Time Server: NTP settings and timezone
  3. WAN Configuration: Confirm DHCP, static, or PPPoE settings
  4. LAN Configuration: Confirm LAN IP and subnet
  5. Root Password: Option to change the root password
  6. Reload: Apply settings

Firewall Rules

Understanding the Default Rules

OPNsense ships with:

  • WAN: Block all incoming traffic (default deny)
  • LAN: Allow all outgoing traffic
  • Anti-lockout: Allow access to the web interface from LAN

Creating Firewall Rules

Navigate to Firewall > Rules > LAN (or WAN) and click Add.

Example: Allow incoming SSH on WAN (for a rule like this, restrict Source to a trusted host alias rather than Any wherever possible):

| Field | Value |
|---|---|
| Action | Pass |
| Interface | WAN |
| Direction | in |
| Protocol | TCP |
| Source | Any |
| Destination | WAN address |
| Destination Port | 22 |
| Description | Allow SSH from internet |

Example: Block LAN clients from accessing a specific external IP:

| Field | Value |
|---|---|
| Action | Block |
| Interface | LAN |
| Direction | in |
| Protocol | Any |
| Source | LAN net |
| Destination | Single host: 203.0.113.50 |
| Description | Block access to blacklisted IP |

Rule Order

Rules are evaluated top to bottom, first match wins. Place specific rules above general rules.

Aliases

Use aliases to manage groups of IPs or ports:

Navigate to Firewall > Aliases and create:

  • Name: trusted_hosts
  • Type: Host(s)
  • Content: List of IPs

Reference aliases in rules instead of individual IPs.

VPN Configuration

WireGuard VPN

WireGuard is the recommended VPN for OPNsense due to its simplicity and performance.

Navigate to VPN > WireGuard > Instances:

  1. Click Add to create a new instance
  2. Set a Name (e.g., wg0)
  3. Generate a Key Pair (click the gear icon)
  4. Set Listen Port: 51820
  5. Set Tunnel Address: 10.10.10.1/24
  6. Save and apply

Add a peer under VPN > WireGuard > Peers:

  1. Name: Client name
  2. Public Key: The client's WireGuard public key
  3. Allowed IPs: 10.10.10.2/32 (the client's tunnel IP)
  4. Instance: Select wg0

Create firewall rules to allow WireGuard traffic:

On WAN:

```shell
Action: Pass
Protocol: UDP
Destination Port: 51820
Description: Allow WireGuard
```

On the WireGuard interface (assigned under Interfaces > Assignments):

```shell
Action: Pass
Source: WireGuard net
Description: Allow WireGuard clients
```

OpenVPN

For OpenVPN, navigate to VPN > OpenVPN > Servers:

  1. Use the wizard at System > Trust > Authorities to create a CA
  2. Create a server certificate
  3. Configure the OpenVPN server with your preferred settings
  4. Export client configurations via the Client Export plugin

IPsec Site-to-Site

For connecting two OPNsense firewalls:

Navigate to VPN > IPsec > Tunnel Settings:

  1. Add Phase 1: IKEv2, remote gateway, pre-shared key or certificates
  2. Add Phase 2: Define the local and remote subnets to connect
  3. Enable and apply

Useful Plugins

Install plugins via System > Firmware > Plugins.

Essential Plugins

| Plugin | Purpose |
|---|---|
| os-haproxy | Load balancer and reverse proxy |
| os-acme-client | Let's Encrypt certificate automation |
| os-wireguard | WireGuard VPN (may be built-in on newer versions) |
| os-theme-cicada | Alternative dark theme |
| os-ntopng | Traffic analysis |
| os-telegraf | Metrics export to InfluxDB/Grafana |
| os-crowdsec | Collaborative IDS/IPS |

IDS/IPS with Suricata

OPNsense includes Suricata for intrusion detection/prevention:

  1. Navigate to Services > Intrusion Detection > Administration
  2. Enable IDS (detection) or IPS (prevention) mode
  3. Select rulesets (ET Open, Abuse.ch, etc.)
  4. Download and apply rules

IPS mode requires sufficient CPU. A modern quad-core handles 1 Gbps with IPS enabled.

DNS over HTTPS (Unbound)

OPNsense uses Unbound as its built-in DNS resolver:

  1. Navigate to Services > Unbound DNS > General
  2. Enable DNSSEC
  3. Under DNS over TLS, add upstream servers like Cloudflare (1.1.1.1) or Google (8.8.8.8) with their TLS hostnames

High Availability (CARP)

For production networks that cannot afford downtime, deploy two OPNsense boxes in a CARP (Common Address Redundancy Protocol) pair:

  1. Connect both firewalls with a dedicated sync interface (crossover cable or dedicated VLAN)
  2. Navigate to System > High Availability > Settings on both nodes
  3. Configure the primary and secondary, sync interfaces, and shared CARP VIPs
  4. Assign CARP virtual IPs on each interface that clients use as their gateway

When the primary fails, the secondary takes over within seconds.

Updates and Maintenance

Regular Updates

```shell
System > Firmware > Status > Check for Updates
```

OPNsense releases major versions twice yearly and security patches regularly. Always update from the web interface to ensure proper migration steps run.

Pre-Update Snapshots (ZFS)

If you installed on ZFS, take a snapshot before updating:

Via SSH or console:

```sh
zfs snapshot -r zroot@pre-update-$(date +%Y%m%d)
```

If the update causes issues, rollback:

```sh
# zfs rollback -r only discards newer snapshots of one dataset; it does not recurse into children, so roll back each dataset under zroot
for ds in $(zfs list -H -o name -r zroot); do zfs rollback -r "$ds@pre-update-20260409"; done
reboot
```

Configuration Backup

Navigate to System > Configuration > Backups:

  1. Download the XML configuration file
  2. Store it securely offline

For automated backups to Google Drive or Nextcloud, configure System > Configuration > Backups > Google Drive or install the appropriate plugin.
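The XML backup is also the easiest place to review the firewall rules described above (the WAN SSH and WireGuard pass rules, the LAN block rule). The following added example, not part of this guide or of OPNsense itself, parses a constructed excerpt shaped like a config.xml backup and lists WAN pass rules whose Source is Any, the entries that deserve a justification or a tighter source alias; the `<filter><rule>` field names are assumed from exported configurations.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of an OPNsense config.xml backup
# (System > Configuration > Backups). Real backups carry many more sections;
# the <filter><rule> layout below is an assumption based on exported configs.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>wanip</network><port>22</port></destination>
      <descr>Allow SSH from internet</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><any>1</any></source>
      <destination><network>wanip</network><port>51820</port></destination>
      <descr>Allow WireGuard</descr>
    </rule>
    <rule>
      <type>block</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><address>203.0.113.50</address></destination>
      <descr>Block access to blacklisted IP</descr>
    </rule>
  </filter>
</opnsense>
"""

def _text(rule, path, default=""):
    node = rule.find(path)
    return (node.text or "").strip() if node is not None else default

def parse_rules(xml_text):
    """Return each <filter><rule> as a flat dict of the fields the audit needs."""
    root = ET.fromstring(xml_text)
    return [{
        "action": _text(rule, "type"),
        "interface": _text(rule, "interface"),
        "protocol": _text(rule, "protocol", "any"),
        "source_any": rule.find("source/any") is not None,
        "dest_port": _text(rule, "destination/port", "any"),
        "descr": _text(rule, "descr"),
    } for rule in root.findall("./filter/rule")]

def wan_open_from_anywhere(xml_text):
    """Pass rules on WAN whose source is Any: services reachable from the whole internet."""
    return [(r["protocol"], r["dest_port"], r["descr"]) for r in parse_rules(xml_text)
            if r["interface"] == "wan" and r["action"] == "pass" and r["source_any"]]
```

Run `wan_open_from_anywhere(open("config.xml").read())` against a downloaded backup to get the same list for a real firewall.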

Console Updates

From the console or SSH:

```sh
opnsense-update
reboot
```

Performance Tuning

System Tunables

Navigate to System > Settings > Tunables:

| Tunable | Value | Purpose |
|---|---|---|
| net.inet.ip.forwarding | 1 | Enable IPv4 forwarding |
| net.link.bridge.pfil_bridge | 0 | Disable PF on bridge (if not needed) |
| hw.ibrs_disable | 1 | Disable Spectre mitigations for performance (evaluate risk) |
| kern.ipc.maxsockbuf | 16777216 | Increase socket buffer size |

Hardware Offloading

Navigate to Interfaces > Settings:

  • Enable hardware checksum offload
  • Enable hardware TCP segmentation offload
  • Enable hardware large receive offload

Enable these only if your NIC driver supports them reliably. Intel NICs handle this well.

FAQ

Is OPNsense based on FreeBSD?

Yes. OPNsense is built on HardenedBSD, which is a security-enhanced fork of FreeBSD. It inherits FreeBSD's network stack, ZFS, and driver support.

OPNsense or pfSense -- which should I use?

OPNsense has more frequent updates, a cleaner codebase, a modern API, and no commercial licensing restrictions. pfSense has a larger community and more third-party guides. For new deployments, OPNsense is the better choice.

How much throughput can OPNsense handle on bare metal?

An Intel i5 with Intel NICs handles 5-10 Gbps of firewall throughput. With IDS/IPS (Suricata) enabled, expect 1-3 Gbps depending on ruleset size. A Celeron handles 1 Gbps easily for home or small office use.

Can I run OPNsense alongside other services on the same hardware?

Not recommended. A firewall should be a dedicated, minimal-attack-surface device. Run other services on separate machines behind the firewall.

How do I migrate from pfSense to OPNsense?

OPNsense can import pfSense configuration files with some manual adjustments. Export your pfSense config as XML, import it in OPNsense under System > Configuration > Backups, and review the settings. Package names and some features differ.

Does OPNsense support Wi-Fi?

OPNsense can use FreeBSD-supported Wi-Fi adapters as access points, but this is not recommended. Use a dedicated wireless access point connected to an OPNsense LAN port instead. This provides better Wi-Fi performance and keeps the firewall focused on its primary job.
