Skip to main content

How to Install OPNsense from USB?

OPNsense is an open-source firewall distribution based on FreeBSD. There are also DHCP servers, DNS servers, VPNs, and other services available in addition to the firewall. OPNsense has a number of advantages over competitors, including forward caching proxy, traffic shaping, intrusion detection, and a simple OpenVPN client setup. The Sensei (ZENARMOR) plugin, in particular, which provides application control and web filtering features, is extremely useful for administrators in protecting their networks from cyberattacks. OPNsense's dependable update mechanism allows it to deliver critical security updates on time.

For more information about the OPNsense features, please refer to the Best Open Source Firewalls article written by Sunny Valley Networks.

In this OPNsense installation guide, we will cover how to install OPNsense from a USB stick by describing the following topics.

  • What are the System Requirements for OPNSense Setup?
  • Where to Download OPNSense?
  • How to Install OPNSense Files?
  • Step 1: How to Select Hardware and Sizing?
  • Step 2: Download OPNSense
  • Step 3: How to Write to Installation Media?
  • Step 4: How to Install OPNSense from USB to Target Device?
  • Step 5: How to Configure OPNSense?

What are the System Requirements for OPNSense Setup?#

You should check the hardware requirements for the installation before installing the OPNsense firewall. Up-to-date requirements can be found on the official website.

OPNsense supports a variety of devices ranging from embedded systems to rack-mounted servers. But, the hardware must be capable of running 64-bit operating systems. Since only x86-64 (amd64)bit microprocessor architectures are supported by OPNsense.

Full installs can run on solid-state disks (SSD), hard disk drives (HDD), or SD memory cards.

The option to install an embedded OPNsense image has been supported since version 15.1.10 (04 May 2015).

Embedded images (nano) only keep logging and cache data in memory, whereas full image versions keep the data on the local drive. By enabling RAM disks, a full version can mimic the behavior of an embedded version, which is especially useful for SD memory card installations.

OPNsense is built on HardenedBSD 11.2-RELEASE. The OPNsense kernel includes all HardenedBSD drivers, and hardware compatibility is the same.

The hardware requirements of the OPNsense may be constrained for its functionality. There are minimum, reasonable, and recommended system requirements for the full functionality of OPNsense. At the time of the writing, the hardware requirements of the OPNsense are given as below.

1. Minimum System Requirements#

If you install OPNsense on a device that meets these requirements, you will be unable to use features that require disks writes, such as a caching proxy (cache) or intrusion detection and prevention.

TypeDescription
Processor1 GHz dual-core CPU
RAM2 GB
Install methodSerial console or video (VGA)
Install targetSD or CF card with a minimum of 4 GB, use nano images for installation.

Table 1: Minimum system requirements

2. Reasonable System Requirements#

If you install OPNsense on a device that meets these requirements, you will be able to use all of the standard features of the OPNsense. However, if you have a large number of users or a high load, you may run into some issues.

TypeDescription
Processor1 GHz dual-core CPU
RAM4 GB
Install methodSerial console or video (VGA)
Install target40 GB SSD, a minimum of 2 GB memory is needed for the installer to run.

Table 2: Reasonable system requirements

3. Recommended System Requirements#

If you install OPNsense on a device that meets these requirements, you will be able to use all of the OPNsense's standard features without issue.

TypeDescription
Processor1.5 GHz multi-core CPU
RAM8 GB
Install methodSerial console or video (VGA)
Install target120 GB SSD

Table 3: Recommended system requirements

Where to Download OPNSense?#

Depending on your hardware and use case different installation files are provided to download and install OPNsense:

  • dvd: ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.

  • vga: USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.

  • serial: USB installer image with live system capabilities running in serial console (115200) mode as MBR boot.

  • nano: a preinstalled serial image for USB sticks, SD or CF cards as MBR boot. These images are 3G in size and automatically adapt to the installed media size after first boot.

Sample file listing

  • OPNsense-21.7.1-OpenSSL-cdrom-amd64.iso.bz2
  • OPNsense-21.7.1-OpenSSL-nano-amd64.img.bz2
  • OPNsense-21.7.1-OpenSSL-serial-amd64.img.bz2
  • OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2

The USB-memstick installer is the simplest way to install OPNsense. If your target platform has a serial interface, download the serial image. If not, you should select vga for the image type. You may choose any mirror for your liking.

How to Install OPNSense Files?#

You may easily install the OPNsense firewall by following the 5 steps given below.

Step 1: How to Select Hardware and Sizing?#

While the majority of features have no effect on hardware dimensioning, a few do. The candidates are as follows:

  • Squid: A caching web proxy that is used for web-content control, and so on. These packages are heavily reliant on CPU load and disk-cache writes.
  • Captive Portal: Settings with hundreds of concurrently served captive portal users will necessitate high CPU power
  • State transition tables: Each state table entry requires approximately 1 kB (kilobytes) of RAM. A typical state table with 1000 entries will take up about 10 MB (megabytes) of RAM. OPNsense usage settings with hundreds of thousands of connections will necessitate additional memory.

You should select the hardware according to the system requirements given above.

Step 2: Download OPNSense#

You may download the OPNsense installation file from the official OPNsense download page. You may select system architecture according to your system�s CPU architecture, and also specify image type and mirror location as well. OPNsense ISO Download steps are given below.

  • Select vga image type for USB installation
  • Select the fastest mirror for your location
  • Click Download button.

Downloading OPNsense vga ISO file

Figure 1. Downloading OPNsense vga ISO file

Step 3: How to Write to Installation Media?#

After downloading the OPNsense image, you need to unpack it first by running the following command..

bunzip2 OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2

Then, you may write the image to a USB flash drive (>= 1GB), either with dd under FreeBSD or under Windows with physdiskwrite (or Rufus).

Writing an OPNsense image to a USB is explained in detail below for various platforms.

1. FreeBSD#

To write the OPNsense image to a USB drive on FreeBSD system, run the following command.

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/daX bs=16k
note

Where X = the device number of your USB flash drive (check dmesg)

For example,

dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/da1 bs=16k

2. Linux#

To write the OPNsense image to a USB drive on a Linux system, run the following command.

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/sdX bs=16k
note

Where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) (ignore the warning about trailing garbage, it's because of the digital signature)

For example,

dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/da1 bs=16k

3. OpenBSD#

To write the OPNsense image to a USB drive on an OpenBSD system, run the following command.

dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rsd6c bs=16k
note

The device must be the ENTIRE device (in Windows/DOS language: the 'C' partition), and a raw I/O device (the 'r' in front of the device "sd6"), not a block mode device.

For example,

dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/rsd6c bs=16k

4. Mac OS X#

To write the OPNsense image to a USB drive on a Mac OS X system, run the following command.

sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].[img|iso] of=/dev/rdiskX bs=64k
note

Where r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage, it's because of the digital signature)

For example,

sudo dd if=OPNsense-21.7.1-OpenSSL-vga-amd64.img of=/dev/rdiskX bs=64k

5. Windows#

To write the OPNsense image to a USB drive on a Mac OS X system, run the following command.

physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].[img|iso].img

For example,

physdiskwrite -u OPNsense-21.7.1-OpenSSL-vga-amd64.img
note

A simple alternative for writing images under Windows is Rufus a tool to create bootable USB sticks with a nice GUI.

Step 4: How to Install OPNSense from USB to Target Device?#

After configuring your system to boot from a USB device, place the USB stick into the one of USB slots and boot your system. The default behavior is to start the Live environment. Therefore, to start the installation login with user installer and password opnsense.

  • Default OPNsense username: installer

  • Default OPNsense installer password: opnsense

You can connect either on the local console or via SSH.

  1. Keymap selection: Select the keymap as you wish. The default configuration is a US keyboard map. You may continue with default settings.

Keymap Selection

Figure 2. Keymap Selection

  1. Installation Selection. The native ZFS installation is officially supported by the installer with the release of OPNsense 21.7. You may select one of the following installation tasks.
  • UFS
  • ZFS
  • Other Modes (Extended Installation)

Installation Selection

Figure 3 . Installation Selection

  1. Task Selection: You may select one of the Guided Disk Setup, such as UFS and ZFS or Manual Disk Setup.

Selecting Disk Setup

Figure 4 . Selecting Disk Setup

  1. Select Disk: Select the disk on which you want to install the OPNsense.

Select the disk to install the OPNsense

Figure 5. Select the disk to install the OPNsense

  1. Select Entire Disk. You may select Entire Disk for partitioning

Selecting Entire Disk for partitioning

Figure 6. Selecting Entire Disk for partitioning

  1. Partition Confirmation. Confirm the disk partitioning. Beware that this will erase all the data on the disk.

Partition Confirmation

Figure 7. Partition Confirmation

  1. Selecting Partition Scheme. You may select GPT.

Selecting Partition Scheme

Figure 8 . Selecting Partition Scheme

  1. Review Partition Setup. After reviewing the disk partitioning setup, select Finish.

Review Partition Setup

Figure 9. Review Partition Setup

  1. Confirm Partitioning. To confirm the disk partitioning, select Commit. Beware that this will permanently remove all files on the disk.

Confirm Partitioning

Figure 10. Confirm Partitioning

  1. Initializing the disk. The initialization of the target disk will start.

Initializing the disk.

Figure 11. Initializing the disk.

  1. File Installation. OPNsense files installation will start.

File Installation

Figure 12. File Installation

  1. Verification of the installation. OPNsense installer verifies the installation.

Verification of the installation

Figure 13. Verification of the installation

  1. Preparing the target. OPNsense installer prepares the target system.

Preparing the target

Figure 14. Preparing the target

  1. Changing root password. Default OPNsense root password is root. It is recommended that you change it with a strong one.

Changing root password on OPNsense installer

Figure 15. Changing root password

Setting root password on OPNsense installer

Figure 16. Setting root password

  1. Final Configuration. To apply the configuration and exit installer, select Exit and then OK.

Final Configuration

Figure 17. Final Configuration

  1. Reboot. Installation of OPNsense from USB flash drive is finished successfully. The firewall needs to reboot. You should proceed to the initial configuration of your OPNsense firewall.

Reboot

Figure 18. Reboot

note

You may also learn how to install OPNsense on Proxmox Virtual Environment by reading the OPNsense Installation Tutorial written by Sunny Valley Networks. Since OPNsense installation on different platforms has almost the same procedures, this article may be helpful for USB installation also.

Step 5: How to Configure OPNSense?#

After installing the OPNsense the following initial configuration steps should be completed.

  1. Network device assignments
  2. IP address settings
  3. Updating OPNsense Firewall
  4. Accessing the OPNsense GUI
  5. Initial configuration of OPNsense Firewall

You may find more information about the initial configuration steps on OPNsense Installation Tutorial written by Sunny Valley Networks.