Firewall 📖 30 min read

OPNsense Firewall Setup

pfSense and OPNsense are roughly 90% the same firewall: OPNsense forked from the pfSense codebase in 2014 and shipped its first release in January 2015. The differences are in the remaining 10%, and that 10% is why I switched to OPNsense. I run it on a Protectli FW4B pushing full gigabit without breaking 15% CPU. Here's how I set it up and where the experience actually differs from pfSense.

Why Replace Your Router?

Consumer routers are built to be cheap, and your ISP's free router is often worse: many never receive firmware updates at all, so known vulnerabilities stay open for as long as the box is in service.

Either OPNsense or pfSense gives you:

  • Proper firewall rules with full traffic visibility
  • VPN server built-in (WireGuard, OpenVPN)
  • VLAN support for network segmentation
  • Intrusion detection and prevention
  • Traffic shaping and QoS
  • Regular security patches (OPNsense ships them roughly weekly; pfSense CE releases far less often)

Hardware Requirements

OPNsense needs at least two network interfaces (WAN and LAN). A single NIC with VLANs and a managed switch also works, but two physical ports is the sane baseline. Options:

Dedicated Hardware (Best)

  • Protectli/Qotom boxes - Purpose-built, fanless, multiple NICs
  • Dell OptiPlex + Intel NIC - Cheap, reliable, add a dual-port NIC
  • Netgate devices - Official pfSense hardware; the x86 models run OPNsense too, the ARM-based ones (1100, 2100) do not

Virtual Machine

Works in Proxmox or ESXi with PCIe passthrough:

  • 2 CPU cores minimum
  • 4GB RAM (8GB if running plugins)
  • Pass through physical NICs for best performance

Not Recommended

Running on a Raspberry Pi - OPNsense is FreeBSD-based and only ships amd64 images; there is no supported ARM build.

Installation

Download and Flash

Get the image from opnsense.org: the dvd ISO for Rufus or a virtual CD, the vga image for a straight dd to USB, the serial image for boxes with only a console port. Before you flash it, check the SHA-256 against the checksums file published next to it and verify the release signature (the .sig against the release .pub key with openssl; the download page shows the exact command). A compromised mirror can serve a tampered image and a matching checksum, so the signature is the check that matters.
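The checksum half of that check, scripted, as an added example (not OPNsense project code). It assumes the checksums file uses the BSD "SHA256 (file) = hex" line format that FreeBSD's sha256(1) prints, and the image bytes and checksum text in run_demo() are constructed for an offline demo. Run the openssl signature check on the checksums file or image .sig as well; a hash alone proves only that the download was not corrupted.

```python
"""Verify a downloaded OPNsense image against the release checksums file.

Added example, not OPNsense project code. Assumes BSD-style
"SHA256 (file) = hex" lines; the sample files in run_demo() are constructed.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def parse_checksums(text: str) -> dict:
    """Map image file name -> expected SHA-256 hex digest (lower-cased)."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def sha256_file(path) -> str:
    """Stream the file so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image, checksums_text: str) -> bool:
    """True only if the file is listed and its digest matches exactly.
    An unlisted file is a failure, not a pass: a renamed or extra image
    on a mirror must not slip through."""
    image = Path(image)
    expected = parse_checksums(checksums_text).get(image.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(image), expected)


def run_demo() -> dict:
    """Constructed good / tampered / unlisted cases; returns the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "OPNsense-24.7-dvd-amd64.iso.bz2"
        good.write_bytes(b"constructed stand-in for an image\n" * 1000)
        bad = Path(tmp) / "OPNsense-24.7-vga-amd64.img.bz2"
        bad.write_bytes(b"constructed, and the listed digest is wrong\n")
        other = Path(tmp) / "OPNsense-24.7-serial-amd64.img.bz2"
        other.write_bytes(b"constructed, not in the checksum list\n")
        checksums = (
            f"SHA256 ({good.name}) = {sha256_file(good)}\n"
            f"SHA256 ({bad.name}) = {'0' * 64}\n"   # deliberately wrong digest
        )
        return {"good": verify_image(good, checksums),
                "tampered": verify_image(bad, checksums),
                "unlisted": verify_image(other, checksums)}


if __name__ == "__main__":
    print(run_demo())   # {'good': True, 'tampered': False, 'unlisted': False}
```

Point verify_image at the real download and the text of the published checksums file; treat any False as a reason to re-download from a different mirror, not to proceed.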

Install Process

  1. Boot from USB
  2. Login with installer / opnsense
  3. Follow the wizard - mostly defaults are fine
  4. Assign interfaces when prompted (WAN = internet, LAN = internal network)
  5. Set LAN IP (default 192.168.1.1)
  6. Reboot

Initial Configuration

Connect a computer to the LAN port. Navigate to https://192.168.1.1

Default credentials: root / opnsense. Your browser will warn about the self-signed certificate on first contact; that is expected. Change the password in the wizard before the WAN goes live.

Setup Wizard

The wizard walks you through:

  • General settings (hostname, domain, DNS)
  • Time server
  • WAN configuration (DHCP from ISP, PPPoE, or static)
  • LAN configuration
  • Admin password change

Basic Firewall Rules

If you're coming from pfSense, the rule layout looks familiar but the menu structure is different enough to trip you up for the first hour. The OPNsense web UI is genuinely better designed — things are where you'd expect them to be, and the live search in the menu bar saves real time once you have a lot of rules. My advice: start with the defaults, confirm internet works, then add rules one at a time, and leave the LAN anti-lockout rule enabled until everything else is proven. Don't try to recreate your entire pfSense config in one sitting — I tried that and locked myself out of the web UI. If that happens, the console menu still works: restore a known-good backup from there, or drop to the shell and disable pf with pfctl just long enough to fix the offending rule.

Default rules:

  • WAN: block all unsolicited inbound traffic; the "block private networks" and "block bogon networks" options are on by default as well (good)
  • LAN: an anti-lockout rule for the web UI and SSH, plus allow everything outgoing (convenient; tighten it per VLAN once you segment)

Creating Rules

Firewall → Rules → [Interface]

  • Action: Pass, Block (drop silently), or Reject (answer with RST/ICMP unreachable; fine internally, avoid on WAN)
  • Interface: where the rule applies
  • Direction: In or Out (usually In, meaning traffic arriving on that interface from its network)
  • Protocol: TCP, UDP, ICMP, Any
  • Source/Destination: IPs, networks, "[Interface] net", "This Firewall", or an alias
  • Port: single, range, or alias

Rules are evaluated top to bottom per interface and, because OPNsense marks interface rules "quick" by default, the first match wins. Floating rules run before interface rules. Put specific passes above broad blocks, and log the block rules while you are still tuning.

VLANs for Network Segmentation

Don't let your IoT devices talk to your computers. VLANs create separate logical networks on one physical link; you need a managed switch (or access point) that supports 802.1Q tagging on the port facing the firewall.

Example setup:

  • VLAN 10: Trusted devices (computers, phones)
  • VLAN 20: IoT devices (smart home stuff)
  • VLAN 30: Guest network

Interfaces → Other Types → VLAN → Add (choose the parent NIC and the VLAN tag)

Then Interfaces → Assignments to attach each VLAN as its own interface, enable it with a static IP, give it a DHCP range, and write firewall rules for it. A new interface starts with no rules, so nothing passes until you add them; that is the moment to decide what IoT may reach (DNS and NTP on the firewall, then the internet) and block the rest. The VLAN workflow is nearly identical to pfSense here — if you've set up VLANs on one, you'll recognize the steps on the other.
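What the IoT rule set from the Creating Rules and VLAN sections looks like when pushed through the OPNsense REST API rather than clicked in, as an added example (not OPNsense project code). It assumes the os-firewall plugin is installed (the endpoint paths and field names are my reading of its API reference; check them against your release), an API key and secret created under System → Access → Users, the IoT VLAN assigned as the interface in IOT_IF with the subnet in IOT_NET, and FW_URL reachable from where you run it. The rule builders are pure functions, so you can inspect the payloads before main() sends anything.

```python
"""Push a starter rule set for an IoT VLAN to OPNsense through its REST API.

Added example, not OPNsense project code. Endpoints and field names are
my reading of the os-firewall plugin API; FW_URL, IOT_IF and IOT_NET are
assumptions for the demo.
"""
import base64
import json
import ssl
import urllib.request

FW_URL = "https://192.168.1.1"     # assumption: LAN address from the install steps
IOT_IF = "opt1"                    # assumption: OPNsense name of the IoT VLAN interface
IOT_NET = "192.168.20.0/24"        # assumption: IoT VLAN subnet
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def rfc1918_alias() -> dict:
    """Alias holding all private ranges; the block rule points at it."""
    return {"alias": {"enabled": "1", "name": "RFC1918", "type": "network",
                      "content": "\n".join(RFC1918),
                      "description": "All RFC 1918 space"}}


def iot_rules(iface: str, net: str) -> list:
    """Ordered rule payloads for the IoT interface.

    Interface rules are 'quick' by default, so the first match wins and the
    order IS the policy. Sequence numbers leave gaps for later inserts.
      10  IoT -> this firewall, DNS (TCP/UDP 53)          pass
      20  IoT -> this firewall, NTP (UDP 123)             pass
      30  IoT -> any private address (other VLANs, the
          firewall's other interfaces, your laptop)       block + log
      40  IoT -> anything left, i.e. the internet         pass
    """
    def rule(seq, action, proto, dst, dport, desc, log="0"):
        return {"rule": {"enabled": "1", "sequence": str(seq), "action": action,
                         "quick": "1", "interface": iface, "direction": "in",
                         "ipprotocol": "inet", "protocol": proto,
                         "source_net": net, "destination_net": dst,
                         "destination_port": dport, "log": log,
                         "description": desc}}
    return [
        rule(10, "pass", "TCP/UDP", "(self)", "53", "IoT: DNS to firewall"),
        rule(20, "pass", "UDP", "(self)", "123", "IoT: NTP to firewall"),
        rule(30, "block", "any", "RFC1918", "", "IoT: no lateral movement", log="1"),
        rule(40, "pass", "any", "any", "", "IoT: internet only"),
    ]


def api_post(path: str, payload: dict, key: str, secret: str, cafile=None) -> dict:
    """POST JSON with HTTP basic auth (API key:secret). Certificate
    verification stays on: install the firewall's CA or pass cafile rather
    than disabling checks for the box that holds your network's keys."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(FW_URL + path, data=json.dumps(payload).encode(),
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"},
                                 method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def main(key: str, secret: str) -> None:
    api_post("/api/firewall/alias/addItem", rfc1918_alias(), key, secret)
    api_post("/api/firewall/alias/reconfigure", {}, key, secret)
    for r in iot_rules(IOT_IF, IOT_NET):
        result = api_post("/api/firewall/filter/addRule", r, key, secret)
        if result.get("result") != "saved":      # validation errors come back here
            raise SystemExit(f"rule rejected: {result}")
    api_post("/api/firewall/filter/apply", {}, key, secret)


if __name__ == "__main__":
    import os
    main(os.environ["OPN_KEY"], os.environ["OPN_SECRET"])
```

The block rule at sequence 30 is the one that does the segmentation; the two passes above it exist only so the IoT devices can still resolve names and set their clocks against the firewall. Swap the order and the block never fires for DNS, or worse, the internet pass at 40 moves above it and the block never fires at all.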

VPN Server

OPNsense has built-in WireGuard and OpenVPN support.

WireGuard Setup

  1. VPN → WireGuard → Instances → Add: generate the instance key pair, set the listen port (51820 by default) and a tunnel address such as 10.10.0.1/24
  2. VPN → WireGuard → Peers → Add one per client: paste the client's public key and set Allowed IPs to that client's tunnel address as a /32
  3. VPN → WireGuard → Settings → Enable
  4. Firewall rules: pass UDP to the listen port on WAN (destination "This Firewall"), then allow traffic from the tunnel subnet on the WireGuard interface or group to whatever the peers may reach

Much simpler than standalone WireGuard setup. Note: pfSense added WireGuard support later than OPNsense and had some stability issues early on; it shipped in pfSense 2.5.0, was removed again in 2.5.1 after problems in that kernel implementation, and came back as a package. In OPNsense it's been solid for me since day one.
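The peer side of those steps worked through in code, as an added example (not OPNsense project code): allocate the next tunnel address, produce the client config and the matching server-side peer entry, and refuse the Allowed IPs mistake that takes every other peer down. The keys are placeholders (random bytes, not a real X25519 pair); the Instance and Peer dialogs generate real ones, as does `wg genkey | tee priv | wg pubkey`. TUNNEL, SERVER_ADDR, ENDPOINT and the field names in the peer entry are assumptions for the demo.

```python
"""Plan a WireGuard road-warrior peer for an OPNsense instance.

Added example, not OPNsense project code. Keys are placeholders, the
addresses and endpoint are assumptions.
"""
import base64
import ipaddress
import os

TUNNEL = "10.10.0.0/24"                 # assumption: instance tunnel subnet
SERVER_ADDR = "10.10.0.1/24"            # assumption: instance tunnel address
LISTEN_PORT = 51820
ENDPOINT = "vpn.example.org:51820"      # assumption: public name of the WAN


def is_wg_key(key: str) -> bool:
    """WireGuard keys are 32 raw bytes, base64-encoded: 44 chars ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def placeholder_key() -> str:
    """Random 32 bytes in key format. NOT half of a real keypair; demo only."""
    return base64.b64encode(os.urandom(32)).decode()


def allocate(tunnel: str, taken) -> str:
    """Next free host in the tunnel subnet, as the /32 a peer should get."""
    net = ipaddress.ip_network(tunnel, strict=True)
    used = {ipaddress.ip_interface(t).ip for t in taken}
    for host in net.hosts():
        if host not in used:
            return f"{host}/32"
    raise RuntimeError("tunnel subnet exhausted")


def is_host_route(cidr: str) -> bool:
    """Server-side Allowed IPs for a road warrior must be exactly its /32."""
    return ipaddress.ip_interface(cidr).network.prefixlen == 32


def server_peer_entry(name: str, client_pub: str, client_addr: str) -> dict:
    """Fields for VPN > WireGuard > Peers on the firewall. Allowed IPs here
    is what the firewall will ROUTE to this peer: 0.0.0.0/0 or the whole
    tunnel subnet would steal every other peer's traffic, so reject it."""
    if not is_wg_key(client_pub):
        raise ValueError("client public key is not a WireGuard key")
    if not is_host_route(client_addr):
        raise ValueError(f"peer Allowed IPs must be a /32, got {client_addr}")
    return {"Name": name, "Public key": client_pub,
            "Allowed IPs": client_addr, "Keepalive": "25"}


def client_config(client_priv: str, client_addr: str, server_pub: str,
                  full_tunnel: bool = True, lan_nets=()) -> str:
    """Config for the client. Here AllowedIPs is the client's routing
    choice: everything through the VPN, or only the listed home networks."""
    if not (is_wg_key(client_priv) and is_wg_key(server_pub)):
        raise ValueError("keys are not WireGuard keys")
    if not full_tunnel and not lan_nets:
        raise ValueError("split tunnel needs at least one network")
    allowed = "0.0.0.0/0" if full_tunnel else ", ".join(lan_nets)
    dns = ipaddress.ip_interface(SERVER_ADDR).ip      # Unbound on the firewall
    return (
        "[Interface]\n"
        f"PrivateKey = {client_priv}\n"
        f"Address = {client_addr}\n"
        f"DNS = {dns}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"Endpoint = {ENDPOINT}\n"
        f"AllowedIPs = {allowed}\n"
        "PersistentKeepalive = 25\n"
    )


def firewall_rules_needed(port: int = LISTEN_PORT) -> list:
    """Step 4 of the guide as data. Without the WAN rule handshakes never
    arrive; without the second, peers connect but can reach nothing."""
    return [
        {"interface": "WAN", "proto": "UDP", "dst": "(self)", "port": str(port),
         "action": "pass", "why": "let peers reach the listener"},
        {"interface": "WireGuard (group)", "proto": "any", "src": TUNNEL,
         "dst": "LAN net", "action": "pass", "why": "let peers reach the LAN"},
    ]


if __name__ == "__main__":
    addr = allocate(TUNNEL, [SERVER_ADDR])            # 10.10.0.2/32
    cpriv, cpub, spub = placeholder_key(), placeholder_key(), placeholder_key()
    print(server_peer_entry("phone", cpub, addr))
    print(client_config(cpriv, addr, spub))
    print(firewall_rules_needed())
```

The asymmetry is the thing to remember: AllowedIPs on the client says "send this through the tunnel", AllowedIPs on the firewall's peer entry says "this peer owns these addresses". The client may say 0.0.0.0/0; the server entry must not.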

Intrusion Detection (Suricata)

Services → Intrusion Detection

Suricata matches traffic against signature rule sets (ET Open and others, selected on the Download tab) and, in IPS mode, drops what it matches; IPS mode needs netmap-capable NIC drivers and hardware offloading disabled (the default under Interfaces → Settings). Enabling it on WAN catches inbound noise, but there is a NAT caveat: on WAN every outbound flow carries the firewall's public address, so an alert cannot tell you which internal host triggered it. For that visibility run it on the LAN and VLAN interfaces instead, or in addition. Both OPNsense and pfSense support Suricata, so this part is identical across the two.

Fair warning: this eats CPU. On my FW4B it adds about 10% CPU load at gigabit speeds. Don't enable it on weak hardware or you'll bottleneck your throughput.

DNS and DHCP

OPNsense runs Unbound for DNS and ISC DHCP by default, and both work out of the box. ISC DHCP is end-of-life upstream, so newer releases also ship Kea DHCP and Dnsmasq as replacements; check which one your version defaults to before following older guides.

Local DNS Entries

Services → Unbound DNS → Overrides

Add entries like nas.home → 192.168.1.50. Use a domain you control or the reserved home.arpa rather than .local, which mDNS claims and which macOS and Linux resolvers treat specially. Turning on DHCP lease registration in Unbound saves writing an override for every client.

DHCP Reservations

Services → DHCPv4 → [Interface] → Static Mappings

Assign fixed IPs to specific MAC addresses.

Updates

System → Firmware → Updates

OPNsense pushes updates roughly weekly (mostly security patches, occasionally new features) plus two major releases a year. This is one of the clearest differences from pfSense CE, whose point releases are months or more apart. Check at least monthly, but honestly the update notifications in the dashboard make it hard to forget. Before a major upgrade, read the changelog the firmware page shows you and take a config backup first.

Backup Configuration

System → Configuration → Backups

Download your config regularly, and again after any change you would hate to redo. If hardware dies, you can restore to new hardware in minutes. The XML holds everything, including password hashes, VPN private keys, pre-shared keys and API secrets, so tick the encryption option (or encrypt it yourself) before it leaves the firewall, store it somewhere the firewall cannot reach, and test a restore once so you know the procedure works.
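The update check and the backup, scripted so they happen on a schedule instead of when you remember, as an added example (not OPNsense project code). It assumes an API key and secret from System → Access → Users, the os-api-backup plugin for the download endpoint, the endpoint paths and the firmware status JSON shape as I read them from the API reference (verify against your release), and the element names in SECRET_TAGS, which are the ones I have seen carry secrets in config.xml. The config XML and status JSON in run_demo() are constructed samples so the logic runs offline.

```python
"""Scripted config backup and update check for OPNsense over its REST API.

Added example, not OPNsense project code. Endpoint paths, the status JSON
shape and SECRET_TAGS are assumptions; run_demo() uses constructed samples.
"""
import base64
import json
import os
import ssl
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

SECRET_TAGS = {"password", "privkey", "psk", "secret", "apikeys"}   # assumption


def api_call(url: str, key: str, secret: str, method="GET", cafile=None) -> bytes:
    """HTTP basic auth with key:secret. Certificate verification stays on;
    give cafile the firewall's CA instead of disabling it."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 data=b"" if method == "POST" else None,
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


def inspect_config(xml_bytes: bytes) -> dict:
    """Check the download really is a config and count secret-bearing
    elements: password hashes, VPN keys and PSKs all live in this one file,
    which is why it must be encrypted or locked down wherever it lands."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "opnsense":
        raise ValueError(f"not an OPNsense config, root is <{root.tag}>")
    hostname = root.findtext("system/hostname", default="unknown")
    secrets = sum(1 for el in root.iter()
                  if el.tag in SECRET_TAGS and (el.text or "").strip())
    return {"hostname": hostname, "secret_elements": secrets}


def save_backup(xml_bytes: bytes, outdir: Path, keep: int = 30) -> Path:
    """Write a timestamped copy only the owner can read, then prune so at
    most `keep` copies for this host remain."""
    info = inspect_config(xml_bytes)
    outdir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = outdir / f"{info['hostname']}-{stamp}.xml"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(xml_bytes)
    for old in sorted(outdir.glob(f"{info['hostname']}-*.xml"))[:-max(keep, 1)]:
        old.unlink()
    return path


def updates_pending(status_json: bytes) -> bool:
    """Parse GET /api/core/firmware/status (run after POST .../firmware/check).
    As I read the API, 'status' is 'update' when packages are waiting."""
    return json.loads(status_json).get("status") == "update"


def run_demo() -> dict:
    """Offline: constructed config and status samples through the same code."""
    sample_config = b"""<?xml version="1.0"?>
<opnsense>
  <system><hostname>fw</hostname><domain>home.arpa</domain>
    <user><name>root</name><password>$2y$10$constructedbcrypthash</password></user>
  </system>
  <OPNsense><wireguard><server><servers><server>
    <privkey>constructedWireGuardPrivateKeyPlaceholder=</privkey>
  </server></servers></server></wireguard></OPNsense>
</opnsense>"""
    sample_status = b'{"status": "update", "upgrade_packages": [{"name": "openssl"}]}'
    with tempfile.TemporaryDirectory() as tmp:
        outdir = Path(tmp)
        for old in ("20200101T000000Z", "20200102T000000Z", "20200103T000000Z"):
            (outdir / f"fw-{old}.xml").write_bytes(b"<opnsense/>")
        path = save_backup(sample_config, outdir, keep=2)
        return {**inspect_config(sample_config),
                "mode": oct(path.stat().st_mode & 0o777),
                "copies_left": len(list(outdir.glob("fw-*.xml"))),
                "updates_pending": updates_pending(sample_status)}


def main(fw_url: str, key: str, secret: str, outdir: Path) -> None:
    api_call(fw_url + "/api/core/firmware/check", key, secret, method="POST")
    if updates_pending(api_call(fw_url + "/api/core/firmware/status", key, secret)):
        print("updates available: apply in System > Firmware > Updates")
    print("saved", save_backup(api_call(fw_url + "/api/backup/backup/download",
                                        key, secret), outdir))


if __name__ == "__main__":
    print(run_demo())
```

Run main() from a cron job on a host the firewall cannot log into; the 0600 mode and the secret count are there to make the point that this file is as sensitive as the firewall itself.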

Common Mistakes

  • Enabling too many plugins - Each uses resources. Start minimal.
  • Overly complex rules - Start simple, add complexity only when needed.
  • Ignoring updates - Security patches are important.
  • No backup config - Hardware fails. Be prepared.

The 10% That Matters

  • UI modernization — OPNsense rebuilt the web interface from scratch. Live search, better menu organization, a responsive layout that works on a phone. pfSense's UI still feels like 2012.
  • Plugin system — both firewalls use FreeBSD's pkg underneath, but OPNsense exposes a curated plugin repository right on the firmware page: Zenarmor, HAProxy, Nginx, CrowdSec and the rest install in a few clicks (WireGuard moved from plugin to core in 24.1). pfSense has packages too, but the catalogue is smaller and updates lag behind.
  • Update frequency — OPNsense ships weekly security patches and minor releases, plus two majors a year. pfSense CE point releases arrive months, sometimes a year or more, apart. For a device sitting at the edge of your network, faster patching matters.
  • Licensing and direction — Netgate's move toward pfSense Plus (closed source) and the CE version getting slower attention pushed a lot of people toward OPNsense. OPNsense is BSD-licensed and the full source is on GitHub.

⚖️ Where pfSense is still better:

  • Commercial support and Netgate appliances — If you need a vendor standing behind your firewall with a support contract, Netgate offers that. OPNsense has Deciso, but Netgate's commercial ecosystem is larger and more established in enterprise environments.
  • Third-party documentation — pfSense has been around longer and has more forum posts, YouTube guides, and blog tutorials. When you hit a weird edge case, the odds of finding someone who already solved it are higher on the pfSense side.
  • pfBlockerNG — pfSense's DNS-level ad and threat blocking package is more mature than OPNsense's equivalent. OPNsense covers the same ground with Unbound's built-in blocklists and with GeoIP and URL-table aliases in firewall rules, but those live in separate parts of the UI, and pfBlockerNG's single-package IP/GeoIP blocking and DNSBL feed handling are more polished.

If you're starting fresh, OPNsense. The UI is better, updates ship faster, and the licensing situation is straightforward. If you're already on pfSense and it's working, there's no urgent reason to migrate. The firewall underneath is essentially the same: pf on a FreeBSD kernel, the same packet filter, even though the two projects track different FreeBSD versions and patch sets. The 10% on top is what differs, and for a running system, that may not be enough to justify the switchover time.
