OPNsenseLab
Isometric scene of USB installation media connecting to a compact firewall appliance
Getting Started

OPNsense Initial Setup: Complete Installation Guide (2026)

Step-by-step walkthrough for installing OPNsense on a Protectli vault or mini-PC, covering installer options, interface assignment, WAN/LAN configuration

By OPNsenseLab Editorial · · 8 min read

OPNsense is an open-source firewall and routing platform based on FreeBSD. This guide walks you through a fresh install from USB to a working WAN+LAN configuration.

Hardware: What you need

Any x86-64 system with at least two NICs works. Common homelab choices:

  • Protectli FW4C — Intel J3160, 4×GbE, fanless, ~$250 used
  • Protectli VP2420 — Intel Celeron J6412, 4×2.5GbE, ~$350
  • Netgate 2100 — ARM-based (Marvell OCTEON TX2), official pfSense-adjacent hardware that also runs OPNsense

For a basic WAN+LAN setup any two-NIC x86-64 box is sufficient, including a repurposed Optiplex or ThinkCentre. A few hardware notes that save grief later: prefer Intel NICs (igb/em drivers) over Realtek — the Realtek FreeBSD drivers have historically been less reliable under load, and OPNsense is a FreeBSD system. Disable any onboard hardware RAID and present plain AHCI disks. If the box has IPMI/BMC, leave it on its own management interface, not the OPNsense WAN. Plan for at least 8 GB of storage; if you intend to run Suricata, Netflow, or reporting, 20 GB+ and a real SSD make a noticeable difference because those features write continuously.

Download the installer

  1. Go to opnsense.org/download and grab the latest stable release. Pick the mirror closest to you.
  2. Choose dvd for a live/install image, vga for serial-less console install on a monitor, serial for headless appliances, or nano for embedded (CF/SSD with limited writes — note nano images are pre-imaged, not installed).
  3. Verify the download. OPNsense publishes SHA-256 checksums and a PGP signature on the download page. At minimum check the hash: sha256sum OPNsense-*.img.bz2 and compare. This matters — a tampered firewall image compromises everything behind it.
  4. Decompress and write to USB: bzip2 -d OPNsense-*.img.bz2 then dd if=OPNsense-*.img of=/dev/sdX bs=4M status=progress conv=fsync (Linux/macOS). Double-check /dev/sdX with lsblk — writing to the wrong disk destroys it.

Boot and install

  1. Boot from USB. The system comes up to a live environment. Log in at the console with installer / opnsense.
  2. The installer launches. Choose your keymap, then select Install (UFS) for broad compatibility or, on modern hardware with adequate RAM, Install (ZFS) — ZFS gives you boot environments (snapshot/rollback of the OS before an upgrade), which is genuinely valuable on a firewall. For ZFS on a single disk choose the stripe layout; for two disks, mirror.
  3. Select the target disk, confirm the destructive write, set the root password when prompted (use a strong one — this account owns the firewall), then choose Complete Install.
  4. Reboot and remove the USB so it doesn’t boot back into the installer.

Interface assignment

OPNsense needs to know which physical NIC is WAN and which is LAN. If it can’t auto-detect, it drops to the assignment prompt at first boot; you can also re-enter it from the console menu (option 1 — Assign interfaces):

Do you want to configure LAGGs now? → N
Do you want to configure VLANs now? → N
Enter the WAN interface name: igb0    (your WAN NIC)
Enter the LAN interface name: igb1    (your LAN NIC)

Tip for identifying NICs: if you’re unsure which port is which, the assignment dialog can use link-state auto-detection — it prompts you to plug a cable into the WAN port, and the interface that changes to “up” is selected. Confirm and let it apply. The console then shows the assigned IPv4 (LAN defaults to 192.168.1.1/24 with DHCP serving the LAN).

First-boot web UI access

From a LAN-connected device, browse to https://192.168.1.1. Default credentials: root / opnsense.

Run the setup wizard (System → Wizard) to:

  • Set hostname and domain
  • Configure DNS (use 1.1.1.1 + 9.9.9.9 or your preferred upstream)
  • Set timezone
  • Configure WAN (DHCP for most ISPs, PPPoE if required)
  • Confirm LAN IP

Immediate hardening steps

Before exposing the box or building services on it, lock down the management plane:

  1. Set a strong root password and add a non-root admin — System → Access → Users. Create a dedicated admin account in the admins group and use it day-to-day; keep root for break-glass only.
  2. Protect the web UI — System → Settings → Administration. Set the protocol to HTTPS, enable HTTP redirect off (force HTTPS only), and consider changing the TCP port off 443. Critically, set Listen interfaces to LAN only so the GUI is never reachable from WAN.
  3. Enable the anti-lockout awareness — OPNsense auto-creates a LAN anti-lockout rule so you can’t fence yourself out of the GUI. If you later harden LAN rules, leave that rule until you have verified out-of-band access.
  4. SSH, if you need it — System → Settings → Administration → Secure Shell: enable, then set Login group to admins, disable Permit root user login, and disable Permit password login (key auth only). Bind SSH to LAN.
  5. Updates — System → Firmware → Settings: set the mirror and Release type: Production. Run System → Firmware → Updates and apply the latest patch level before building anything; the installer image is usually behind.
  6. Back up the config now — System → Configuration → Backups. Download the config.xml (consider encrypting it; it contains secrets) and enable Google Drive/Nextcloud backup if you use one. A firewall config is cheap to back up and expensive to rebuild.
  7. Enable a remote log target later — System → Settings → Logging / Logging Targets — so logs survive a disk failure.

A quick verification pass: from the LAN, confirm https://192.168.1.1 loads over HTTPS only; from the WAN side (e.g., tether a laptop), confirm the GUI and SSH are not reachable; and check System → Firmware → Status shows you on the latest patch.

When not to do certain things

Don’t enable remote/WAN GUI access “temporarily” without at least an IP allowlist and HTTPS — exposed firewall admin panels are actively scanned. Don’t run OPNsense as a VM on the same host as the workloads it’s protecting unless you fully understand the NIC pass-through and failure-domain implications. And don’t skip the post-install update step expecting the installer to be current.

Next steps

For the full set of versioned commands, default ports, and config references that pair with these guides, keep our OPNsense references hub open in a second tab.

Comparing platforms? See firewallcompare.com for OPNsense vs pfSense vs UniFi side-by-side.

Related

Comments