OPNsense Initial Setup: Complete Installation Guide (2026)
Step-by-step walkthrough for installing OPNsense on a Protectli vault or mini-PC, covering installer options, interface assignment, WAN/LAN configuration, and first-boot hardening.
OPNsense is an open-source firewall and routing platform based on FreeBSD. This guide walks you through a fresh install from USB to a working WAN+LAN configuration.
Hardware: What you need
Any x86-64 system with at least two NICs works. Common homelab choices:
- Protectli FW4C — Intel J3160, 4×GbE, fanless, ~$250 used
- Protectli VP2420 — Intel Celeron J6412, 4×2.5GbE, ~$350
- Netgate 2100 — ARM-based (Marvell OCTEON TX2), official pfSense-adjacent hardware that also runs OPNsense
For a basic WAN+LAN setup any two-NIC x86-64 box is sufficient, including a repurposed Optiplex or ThinkCentre.
Download the installer
- Go to opnsense.org/download and grab the latest stable release.
- Choose dvd for a live/install image or nano for embedded (CF/SSD with limited writes).
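- Write to USB (Linux/macOS), replacing the wildcard with the image's full filename (the shell does not expand it after if=) and sdX with your USB device:
dd if=OPNsense-*.iso of=/dev/sdX bs=4M status=progress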
Boot and install
- Boot from USB. Default login at the live console: installer/opnsense.
- Select Guided installation → accept disk layout → set root password.
- Reboot, remove USB.
Interface assignment
At the console prompt (option 1 — Assign interfaces):
Do you want to configure LAGGs now? → N
Do you want to configure VLANs now? → N
Enter the WAN interface name: igb0 (your WAN NIC)
Enter the LAN interface name: igb1 (your LAN NIC)
Confirm and let it apply.
First-boot web UI access
From a LAN-connected device, browse to https://192.168.1.1. Default credentials: root / opnsense.
Run the setup wizard (System → Wizard) to:
- Set hostname and domain
- Configure DNS (use 1.1.1.1 + 9.9.9.9 or your preferred upstream)
- Set timezone
- Configure WAN (DHCP for most ISPs, PPPoE if required)
- Confirm LAN IP
Immediate hardening steps
Before doing anything else:
- Change root password — System → Settings → Administration → Password
- Disable HTTP access — same page, uncheck “HTTP redirect”
- Enable auto-update check — System → Firmware → Settings → enable “Release type: Production”
- Lock SSH to key-auth only — if you enable SSH, disable password auth immediately
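One way to confirm the SSH step took effect, as an added example that is not part of the original guide: the function below reads the output of sshd -T (OpenSSH's effective-configuration dump) and fails if password or keyboard-interactive logins are still allowed. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output for key-only authentication.
# audit_sshd reads "keyword value" lines on stdin, prints one FAIL line per
# finding, and returns 0 only when password-based logins are switched off.
audit_sshd() {
    awk '
    BEGIN {
        # Required values. A keyword that never appears counts as a failure,
        # because the OpenSSH defaults permit password logins.
        want["passwordauthentication"]       = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["pubkeyauthentication"]         = "yes"
    }
    {
        key = tolower($1); val = tolower($2)
        # Older OpenSSH releases print the previous name of this keyword.
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
    }
    key in want              { seen[key] = val }
    key == "permitrootlogin" { root = val }
    END {
        bad = 0
        for (k in want)
            if (seen[k] != want[k]) {
                printf "FAIL %s is \"%s\", want \"%s\"\n", k, seen[k], want[k]
                bad = 1
            }
        # Key-based root login is acceptable; plain "yes" also allows passwords.
        if (root == "yes") { print "FAIL permitrootlogin is \"yes\""; bad = 1 }
        exit bad
    }'
}

# Constructed sample inputs (not captured from a real firewall).
SAMPLE_DEFAULT='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin yes'
SAMPLE_HARDENED='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd || echo "sample: password logins still possible"
```

On the firewall, run it as root against the live settings with sshd -T | audit_sshd, using the same sshd binary that the SSH service runs.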
Next steps
- VLAN configuration on OPNsense — segment IoT, guest, and trusted traffic
- Suricata IDS/IPS setup — enable inline intrusion detection
- ACME Let’s Encrypt certificates — get a trusted cert for the web UI
Comparing platforms? See firewallcompare.com for OPNsense vs pfSense vs UniFi side-by-side.