Installation

Posts relating to the installation of OPNsense

Configuring DHCP in OPNsense

If you only have a few devices on your network, you could easily configure them with static IP addresses and not use a DHCP server at all. In such cases, Internet connectivity will be established more quickly, since computers on the network won’t have to go through the DHCP discovery-offer-request-acknowledge process. As the size of your network grows, however, a DHCP server becomes essential, as keeping track of statically assigned IP addresses will become far too cumbersome.

Moreover, if two nodes have the same IP address, this constitutes an IP address conflict, which is not good, for a variety of reasons:

  • It can cause network connectivity problems;
  • It can cause network outages, as the network becomes unable to route data to the correct device;
  • If two devices have the same IP address, incoming traffic intended for one device may be incorrectly routed to the other device, causing data to be lost or transmitted to the wrong device.

In most cases, if two nodes have the same IP address, the router will recognize one device and ignore the other node, so the only issue is figuring out why one node can’t communicate on the network. Still, it’s beneficial to enable the DHCP server.

Fortunately, configuring OPNsense to act as a DHCP server is relatively easy, and can be done from either the console or the web GUI.

Configuring DHCP from the console is simple, although it doesn’t have as many options. To configure DHCP at the console, do the following:

  • At the console, select “Set Interface IP address”
  • Select the interface on which you want to enable DHCP (e.g. 1=LAN, 2=OPT1, etc.). For the next steps, x=the interface selected.
  • You will have to configure the IP address for the interface. For “Configure IPv4 address x interface via DHCP? [y/N]”, type ‘N’ and press Enter.
  • Type in the new x address and the new subnet bit count (probably 24).
  • For the interface upstream gateway address, press Enter.
  • For “Configure IPv6 x interface via x tracking? [Y/n]”, type ‘N’ and press Enter.
  • For “Configure IPv6 x interface via DHCP6? [Y/n]”, type ‘N’ and press Enter.
  • Type in the new IPv6 x address and the new subnet bit count (probably 64).
  • For the IPv6 LAN upstream gateway address, press Enter.
  • The console will query “Do you want to enable the DHCP server on x? [y/N]”. Type y and press Enter.
  • Enter the start IP address for the scope and press Enter.
  • Enter the end IP address for the scope and press Enter.
  • The console will query “Do you want to enable the DHCP6 server on LAN? [y/N]”. You may or may not want to enable the DHCP6 server on the LAN. If so, you will have to enter the start IPv6 address and the end IPv6 address.

If you follow all these steps, you will have successfully configured DHCP at the console in OPNsense. But there are some drawbacks. First, you entered some parameters irrelevant to enabling DHCP. Second, you configured only a fraction of the options that are available in the web GUI. If you want to configure many of those options, you will have to configure DHCP in the web GUI.

To configure DHCP in the web GUI, access OPNsense’s IP address and log in. Then do the following:

  • In the left sidebar menu, click on Services.
  • In the left sidebar menu, click on ISC DHCPv4.
  • Click on the interface on which you want to enable DHCP; e.g. LAN
  • The page will have a series of DHCP settings; e.g.:
    • Enable: This will enable the DHCP server on this interface.
    • Deny unknown clients: If this option is checked, then only the clients defined in MAC Address Control will get DHCP leases from the server.
    • Range: The scope of IP addresses used for DHCP leases. Note that the range previously specified at the console (192.168.2.10 to 192.168.2.100) is in the edit boxes.
    • Additional Pools: You can specify additional pools by clicking on the plus (+) button.
    • WINS servers: This allows you to specify the IP addresses of systems running Windows Internet Name Service (WINS), a legacy computer name resolution system that maps NetBIOS names to IP addresses.
    • DNS servers: You can specify DNS servers, or leave these edit boxes blank to use the system default DNS servers.
    • Gateway: You can use this to specify a gateway IP that is not the IP of this interface.
    • Domain name: This is for an alternate domain name.
    • Default lease time (seconds): This is used to specify a lease time if clients do not ask for a specific lease time; the default time is 7200 seconds.
    • Maximum lease time (seconds): This is the maximum lease time for clients that ask for a specified maximum lease time; the default is 86400 seconds.
    • Response delay (seconds): This is the minimum number of seconds since a client began trying to acquire a lease before the DHCP server responds; the default is 0 seconds.
    • Interface MTU: This is the maximum transmission unit (MTU) to use; the default is 68.
    • Failover peer IP: This is the IP address of an alternate router using the Common Address Redundancy Protocol (CARP). The default is no IP address.
    • Failover split: Use this to specify how leases are split between the two failover peers; the default of 128 has the primary handling a 50-50 split, while 256 will exclusively use the primary.
    • Static ARP: If this option is enabled, only the machines listed in the MAC Address Control will be able to communicate via Address Resolution Protocol (ARP).
    • MAC Address Control: The first edit box lists MAC addresses to allow; the second edit box lists MAC addresses to deny.
    • DHCP Static Mappings: Here you can specify a fixed IP address for nodes that require one; e.g. a web server or an FTP server. Click on the plus (+) icon to add a DHCP static mapping. There you will find the following settings:
      • MAC Address: Here, you can specify the MAC address for the Network Interface Card (NIC) on the node. You can click on “Copy my MAC address” to copy the MAC address on the node from which you are accessing the web GUI.
      • Client identifier: the identifier of this client.
      • IP address: The IP address for the node. The IP address must be part of the subnet for this interface.
      • Hostname: Name of the host, without the domain part.
      • Description: A brief description of this node.
      • ARP Table Static Entry: Enabling this option allows you to create a static ARP table entry for this MAC and IP address pair.
      • WINS servers/DNS servers/Gateway/Domain name/Domain search list/Default lease time/Maximum lease time(seconds): See above.
      • Dynamic DNS domain: You can use this to enter the dynamic DNS domain, which will be used to register this client.
      • NTP servers: Use this to add an NTP (Network Time Protocol) server.
      • TFTP server: Use this to add a TFTP (Trivial File Transfer Protocol) server and bootfile.
  • When you are done making changes, click on the Save button at the bottom of the page.
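As an added example (not code from the original post or from OPNsense), this Python check validates a DHCPv4 plan before it is typed into the page above: the Range must lie inside the interface subnet, and every DHCP Static Mapping must be in the subnet, outside the dynamic pool, and unique by IP and MAC, since a duplicate is exactly the address conflict discussed at the top of the post. The interface address, pool and mappings are constructed sample values, and the "outside the pool" rule is the editor's addition.

```python
import ipaddress
import re

# MAC address as the GUI expects it: six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_dhcp_plan(interface_cidr, pool_start, pool_end, static_mappings):
    """Return a list of problems with a DHCPv4 plan; an empty list means it is consistent.
    interface_cidr is the interface's own address with prefix (e.g. "192.168.2.1/24"),
    pool_start/pool_end the dynamic Range, static_mappings a list of (mac, ip, hostname)."""
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    subnet = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # The dynamic range must lie inside the subnet and run low to high.
    if start not in subnet or end not in subnet:
        problems.append("pool %s-%s is not inside %s" % (start, end, subnet))
    elif start > end:
        problems.append("pool start %s is after pool end %s" % (start, end))
    else:
        # Never lease the firewall's own address or the network/broadcast address.
        if start <= iface.ip <= end:
            problems.append("pool contains the interface address %s" % iface.ip)
        if start == subnet.network_address or end == subnet.broadcast_address:
            problems.append("pool includes the network or broadcast address")

    seen_ips = {}   # ip -> hostname: two mappings claiming one address is a conflict
    seen_macs = {}  # mac -> hostname: one NIC mapped twice is also a conflict
    for mac, ip, host in static_mappings:
        norm = mac.lower().replace("-", ":")
        if not MAC_RE.match(norm):
            problems.append("%s: malformed MAC address %r" % (host, mac))
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append("%s: %s is not in subnet %s" % (host, addr, subnet))
        elif start <= addr <= end:
            # A fixed address inside the pool could also be handed out dynamically.
            problems.append("%s: %s lies inside the dynamic pool" % (host, addr))
        if addr in seen_ips:
            problems.append("%s and %s both map to %s" % (seen_ips[addr], host, addr))
        if norm in seen_macs:
            problems.append("%s and %s share MAC %s" % (seen_macs[norm], host, norm))
        seen_ips.setdefault(addr, host)
        seen_macs.setdefault(norm, host)
    return problems


# Constructed sample: the LAN and pool from the console walkthrough above, plus three
# mappings of which two are deliberately wrong (inside the pool; duplicate MAC).
SAMPLE_MAPPINGS = [
    ("00:11:22:33:44:55", "192.168.2.200", "web"),
    ("00:11:22:33:44:66", "192.168.2.50", "ftp"),
    ("00:11:22:33:44:55", "192.168.2.201", "backup"),
]
SAMPLE_PROBLEMS = validate_dhcp_plan("192.168.2.1/24", "192.168.2.10", "192.168.2.100", SAMPLE_MAPPINGS)
```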

If you have followed all the steps, you have configured DHCPv4 successfully. But there is still one more question that deserves attention.

Should I Enable DHCPv6?

If your network relies on IPv4, and has more than a dozen nodes, you instinctively want to enable DHCP, which exists because of concern over IPv4 address scarcity. Essentially, DHCP is an efficient manner of allocating scarce resources (private IPv4 addresses). Is this the case for DHCPv6? Not really. The total number of IPv6 addresses is 3.4 * 10^38, so even a randomly chosen IPv6 address will likely not generate an address conflict.

However, there are several advantages to using DHCPv6:

  • If VLANs are enabled, then enabling DHCPv6 allows the switch to obtain a global unicast address.
  • Enabling DHCPv6 allows the switch to obtain additional information such as an NTP server address or a DNS server address that can be used by the switch.

Keep in mind that a DHCPv6 server does not assign link-local addresses and enabling DHCPv6 on a VLAN does not affect a pre-existing link-local address.

To configure DHCPv6 on an interface, repeat the steps outlined above for DHCPv4, but instead of clicking on Services, ISC DHCPv4 and the interface, click on Services, ISC DHCPv6 and the interface. Most of the parameters for DHCPv4 are the same for DHCPv6, with some exceptions:

  • Prefix Delegation Range: If your router has a number of sub-routers, you can assign a network to each of them. Note that the start and end of the range must fall on boundaries of the prefix delegation size. Ensure that any prefix delegation range does not overlap the interface prefix range.
  • Subnet mask: The subnet mask cannot be changed.
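Added example (not from the original post or from OPNsense): a Python check for the two Prefix Delegation Range rules just quoted. It uses ip_network(strict=True) to test that the range endpoints sit on a boundary of the delegation size and an interval test for overlap with the interface prefix; the prefix and range values are constructed.

```python
import ipaddress


def check_pd_range(interface_cidr, pd_start, pd_end, pd_size):
    """Check a DHCPv6 Prefix Delegation Range against the two rules quoted above.
    interface_cidr is the interface's own IPv6 address with prefix, pd_start/pd_end
    the Range from the DHCPv6 page, pd_size the Prefix Delegation Size. Returns
    (problems, delegations): a list of problem strings and, for an aligned range,
    how many /pd_size prefixes it can hand to sub-routers."""
    problems = []
    iface_net = ipaddress.ip_interface(interface_cidr).network
    host_bits = 128 - pd_size

    def aligned(addr):
        # An address sits on a /pd_size boundary only if all its host bits are zero;
        # ip_network() with strict=True refuses anything else.
        try:
            return ipaddress.ip_network((addr, pd_size), strict=True)
        except ValueError:
            return None

    first, last = aligned(pd_start), aligned(pd_end)
    if first is None:
        problems.append("range start %s is not on a /%d boundary" % (pd_start, pd_size))
    if last is None:
        problems.append("range end %s is not on a /%d boundary" % (pd_end, pd_size))
    if problems:
        return problems, 0
    if first.network_address > last.network_address:
        return ["range start %s is after range end %s" % (pd_start, pd_end)], 0

    # The delegated block runs from the first prefix to the end of the last one; it must
    # not contain the interface's own prefix, or a sub-router would be handed the very
    # network this interface already serves (plain interval overlap test).
    if not (last.broadcast_address < iface_net.network_address
            or first.network_address > iface_net.broadcast_address):
        problems.append("range overlaps the interface prefix %s" % iface_net)

    delegations = ((int(last.network_address) - int(first.network_address)) >> host_bits) + 1
    return problems, delegations


# Constructed sample: LAN prefix 2001:db8:1::/64 with fifteen /56 blocks for sub-routers.
SAMPLE = check_pd_range("2001:db8:1::1/64", "2001:db8:1:100::", "2001:db8:1:f00::", 56)
```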

It’s up to you to decide to enable DHCPv6, but you can do this easily in OPNsense.

Installing OPNsense in 5 Easy Steps

How to Install OPNsense in 5 Easy Steps

OPNsense is a FreeBSD-based firewall and routing software. It is a fork of pfSense, which in turn is a fork of the m0n0wall project. OPNsense launched in January 2015; it was named OPNsense when m0n0wall closed down in February 2015.

OPNsense runs on x86_64 processors, and as it is based on FreeBSD, a Unix derivative, it can run on more lightweight hardware than Windows. And it is free; you can download it from the OPNsense website with no licensing involved. Although configuring OPNsense requires more time and resources than commercial software, you can install OPNsense in five easy steps, start tinkering with the settings, and see whether OPNsense meets your requirements. If it does, you will likely save money.

  1. Find out if your hardware meets the minimum hardware requirements. If your hardware does not meet the minimum specifications, it seems logical that you cannot install OPNsense. Fortunately, the hardware requirements are fairly simple, and are listed on the OPNsense website as minimum specification, reasonable specification, and recommended specification. These requirements are summarized in the following table:

                 Minimum                            Reasonable                         Recommended
Processor        1 GHz dual core CPU                1 GHz dual core CPU                1.5 GHz multi core CPU
RAM              2 GB                               4 GB                               8 GB
Install method   Serial console or video (VGA)      Serial console or video (VGA)      Serial console or video (VGA)
Install target   SD or CF card with a minimum of    40 GB SSD; a minimum of 2 GB is    120 GB SSD
                 4 GB; use nano images for          needed for the installer to run
                 installation

If you are purchasing hardware or installing it on a virtual machine, it behooves you to use the reasonable or recommended specifications to inform your decisions. But if you have existing hardware, the minimum specification should clue you in as far as the hardware is concerned.

  2. Download OPNsense. You can download OPNsense at the official OPNsense website [https://opnsense.org/download/]. Although there is only one option for the CPU (amd64), there are several options for the image type:
    1. DVD (ISO image installer with live system capabilities running in VGA mode; UEFI boot is supported, as well as legacy boot)
    2. VGA (USB installer image with live system capabilities running in VGA mode; again, UEFI and legacy boot are supported)
    3. Serial (USB installer image with live system capabilities running in serial mode; supports UEFI and legacy boot)
    4. Nano (a preinstalled serial image for USB sticks, SD or CF card as MBR boot; these images are 3G in size and automatically adapt to the installed media after the first boot)

After you have downloaded the image, verify its checksum against the value listed on the download page of the official OPNsense website. A matching checksum confirms:

  • that the download completed successfully;
  • that the file was not corrupted in transit.

Keep in mind that a checksum by itself only detects transfer errors; it does not prove that the image came from the OPNsense project, since anyone able to alter the image could also publish a matching checksum.

You can download a checksum checker from these sites:

  3. Transfer the image file to the appropriate media for installation. As of now, you have the OPNsense image file. You need to transfer the image to the installation media. If you are installing OPNsense to a virtual machine, then you can skip this step; you just need to specify the image file when you are configuring settings for the virtual machine. If the system to which you are installing OPNsense has an optical drive, you may burn the image to a DVD. But if the system does not have an optical drive and has a USB interface, you might write the image to a USB thumb drive. Writing an image to a USB drive has several advantages:
  • It’s easy to do with the right software;
  • It’s relatively cheap, with a 16 GB Sandisk thumb drive costing only $5;
  • It’s very compact, as compared to a DVD;
  • Depending on the speed of your USB interface, it may be faster than a DVD;
  • Unlike a DVD, you can rewrite the image.

Keep in mind that your device may not support USB (although at this point, with USB having been produced since May 1996, it’s harder to see this as a rationale), and continued writes will reduce the life span of the device. But in reality, you’re more likely to physically damage a USB thumb drive than reach the end of life for a thumb drive by constant re-writes.

In any case, here are some programs you can use to write images to a thumb drive:

If you want to burn an image to a DVD, there’s the always excellent CD Burner XP available

  4. Using the installation media, boot the target system and begin installation. If you are using a DVD, this may be as easy as inserting the DVD into the optical drive and booting the system, as many systems check the optical drive first. If this is not the case, or if you are using a USB thumb drive, you may have to run the BIOS/UEFI settings, or run a one-time boot menu.

Once the system boots, OPNsense will detect the system hardware, and OPNsense will load from the optical drive. Then OPNsense will prompt you for a username and password. You can log in with the default username and password:

  • Username: root/installer
  • Password: opnsense

Since you want to install OPNsense, you should use username “installer” and password “opnsense”. This will take you to the installation software, in which you can configure the following:

  • The keymap
  • The mode of installation (UFS, ZFS, or extended installation, using a previously saved configuration, a password reset, or, if everything else fails, rebooting)

I could easily get bogged down in the minutia of the different installation options, but that’s a topic for a different article.

  5. Now that the installation is complete, remove the installation media and reboot. You should now be booting the installed system from the target drive. While it would be tempting to declare success, you should be mindful of these crucial elements:
    1. Change the default password. This is extremely important, for security reasons.
    2. Assign the interfaces. If the default interface assignments are not what you expected, assign at least the WAN and LAN interfaces.
    3. Assign an IP address for each interface. Remember that in most cases, the WAN interface is assigned by your ISP via DHCP; the LAN interface is statically assigned, and in most cases is 192.168.1.1.

Now that you have configured these parameters, you can do the rest of the configuration using the web-based graphical user interface (GUI) by accessing http://192.168.1.1 on your browser. You may still have some configuration to do, but you have successfully installed OPNsense.

Configuring WAN and LAN Interfaces in OPNsense

For this article, I’m going to assume you have downloaded and installed OPNsense, either in a virtual machine or on a real system. You now can log into the web GUI at 192.168.1.1. When you have logged into the web GUI for the first time, a setup utility will take you through several steps:

  1. The hostname and domain of the router.
  2. The timezone and language.
  3. The time server hostname.
  4. DNS servers.

In addition to these settings, the setup utility will also let you configure the WAN and LAN interface, which we will now consider.

On the WAN interface, there is an option to block private networks and block bogon networks. We should address both these issues.

  • Private networks, also known as RFC 1918 addresses, are blocks of network IP addresses reserved for private use. These addresses are commonly used behind a firewall to allow a single public IP address to be shared with multiple devices using Network Address Translation (NAT). As a general rule, it is good practice to prevent network traffic using private addresses from leaving the firewall via the WAN interface. This avoids unnecessary traffic on the WAN network and provides a security benefit by keeping information about the LAN network behind the firewall. This option should remain checked. There are two circumstances in which this option should not be selected:
    • When your Internet service provider (ISP) assigns private network addresses to their customers
    • When the firewall is behind another firewall or router.
  • Bogon networks are those which should never be seen on the Internet, including reserved and unassigned IP address space; the presence of traffic from these networks can indicate either spoofed traffic or an unused subnet that has been hijacked for malicious use. Normally, bogon networks should be blocked on the WAN, so this option should be checked.
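Added example (not from the original post or from OPNsense): Python that classifies a WAN source address against RFC 1918 and a well-known IPv4 bogon list, and turns the guidance above into a setting for the two checkboxes given the WAN address and gateway. The lists are constructed from IANA special-purpose blocks rather than taken from OPNsense's own bogon list, the addresses are placeholders, and the carrier-grade NAT case is the editor's extension beyond the two exceptions the post lists.

```python
import ipaddress

# "Block private networks" acts on RFC 1918 space; "Block bogon networks" on reserved or
# unassigned space that should never arrive from the Internet. Both lists are constructed
# here from the well-known IANA special-purpose blocks, not taken from OPNsense's own list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24",
    "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]


def classify_wan_source(src):
    """Return 'private', 'bogon' or 'public' for a packet arriving on WAN from src."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "private"
    if any(addr in net for net in BOGONS_V4):
        return "bogon"
    return "public"


def recommend_wan_blocks(wan_address, wan_gateway):
    """Decide how the two WAN checkboxes should be set for a given WAN address and
    upstream gateway, following the rule above: keep both checked unless the upstream
    itself lives in private space (the ISP hands out private addresses, or this firewall
    sits behind another router), in which case blocking it would cut off the gateway.
    Returns {'block_private': bool, 'block_bogon': bool, 'reason': str}."""
    upstream = {classify_wan_source(wan_address), classify_wan_source(wan_gateway)}
    if "private" in upstream:
        return {"block_private": False, "block_bogon": True,
                "reason": "WAN address or gateway is RFC 1918; upstream is a private network"}
    if "bogon" in upstream:
        # Typically carrier-grade NAT (100.64.0.0/10): the gateway is itself on the bogon
        # list, so blocking bogons would also drop traffic from the ISP's gateway.
        return {"block_private": True, "block_bogon": False,
                "reason": "WAN address or gateway is in bogon space (e.g. CGNAT); review"}
    return {"block_private": True, "block_bogon": True,
            "reason": "WAN has a public address; block both"}


# Constructed examples (placeholder addresses, not real deployments): a public WAN,
# a firewall behind a home router, and a CGNAT subscriber.
CASES = {
    "public": recommend_wan_blocks("11.22.33.44", "11.22.33.1"),
    "behind_router": recommend_wan_blocks("192.168.0.50", "192.168.0.1"),
    "cgnat": recommend_wan_blocks("100.64.3.9", "100.64.0.1"),
}
```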

You need to choose the configuration type for this interface. For most ISPs, this should be DHCP, as it is the mechanism they use to distribute IP addresses. If your ISP assigned a static IP address, there is an option for this as well. There are also several other options for the configuration type:

  • PPP: Point-to-Point Protocol, which should be the option if your ISP supports it
  • PPPoE: Point-to-Point Protocol over Ethernet
  • PPTP: Point-to-Point Tunneling Protocol, which some VPNs use
  • L2TP: Layer 2 Tunneling Protocol, another option some VPNs use

There is an option for MAC address. Here you can enter a different MAC address, which

There are also options for MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size). The default for MTU is 1500; the default for MSS is 536 for IPv4 and 1220 for IPv6. Increasing either of these options could optimize speed on your network, but in most cases, you probably should keep these at the default.

There is an option for speed and duplex, with choices such as 1000baseT, 100baseTX and 10baseT. In most cases, you can leave this at the default value, which lets the speed and duplex autoselect.

In the WAN settings, there are options for DHCP client configuration and DHCPv6 client configuration, but for the most part, you can leave these settings unchanged and click on the Next button.

The next interface to configure is the LAN interface. There is also an option to block private networks and block bogon networks. It is generally recommended that these options not be checked, as the LAN interface is not the interface facing the Internet.

Next is the configuration type. Unlike the WAN interface, this should be configured as Static, unless you have a DHCP server upstream, in which case you should use DHCP. Selecting static means that you must manually configure the static IPv4 and IPv6 options. Unless you have reason for having a different address configuration, IPv4 should be designated as 192.168.1.1 and IPv6 should be designated as fd00:1::1/64.

There are also options for MAC address, MTU and MSS. Unless there is a compelling reason to change these options, you should keep these as the default values.

By clicking on the Save button, you will have configured both the LAN and WAN interfaces. Next is configuring the DMZ and configuring VLAN settings, which will be covered in future articles.