Tag Archives: OPNsense Firewall Tutorials

OPNsense is a free firewall distribution based on FreeBSD and HardenedBSD’s Address Space Layout Randomization. OPNsense offers a wide range of functions, is easy to use and can be used as a firewall and routing platform.

How to Setup OPNsense as a Virtual Machine

OPNsense virtual machine. This post shows how to install an OPNsense as a virtual machine on VMware ESXi. Finally, made the configuration able for access to the web GUI via WAN interface. This how to can also be used for provisioning using other virtualization platforms.


OPNsense can be downloaded as an ISO image here. Choose the image type: select dvd. Configure the hardware with at least 2 GB of RAM and 16 GB hard disk and two or more network adapters, choose as the operating system FreeBSD 64 bit.

VMware ESXi vSphere Console OPNsense virtual machine
VMware ESXi vSphere Console OPNsense

After switching on the OPNsense VM, the login screen appears.

VMware ESXi Console opnsense Login screen

After logging in, the Console main menu appears with option 0 – 13.

VMware ESXi OPNsense Console Main menu

Select option 2 for Set interface IP address. Add your Static Public IPv4 address to WAN interface and enter the upstream gateway address.

The IPv4 configuration is entered as follows.

Enter the number of the interface to configure: 2

Configure IPv4 address WAN interface via DHCP? [Y/n] n

Enter the new WAN IPv4 address. Press <ENTER> for none:

Subnet masks are entered as bit counts (like CIDR notation).
e.g. = 24 = 16 = 8

Enter the new WAN IPv4 subnet bit count (1 to 32);
> 28

For a WAN. enter the new WAN IPv4 upstream gateway address.
For a LAN. press <ENTER> for none:

Do you want to use the gateway as the IPv4 name server. Too? [Y/n] n
Enter the IPv4 name server or press <ENTER> for none:

Configure IPv6 address WAN interaces via DHCP6? [Y/n] n

Enter the new WAN IPv6 address. Press <ENTER> for none:

Do you want to change the web GUI protocol from HTTPS to HTTP [y/N] N
Do you want to generate a new self-signet web GUI certificate? [y/N] y
Restore web GUI access defaults? [y/N] N

The IPv4 configuration for the WAN interface is now complete. In the next step, the packet filter firewall must be temporarily deactivated, hit the number 8 for fire up the Shell and enter the command.

root@OPNsense:~ # pfctl -d
pf disabled

Now the OPNsense web GUI can be opened in a browser, here in this example

OPNsense web GUI Login

OPNsense Default Username root and Password opnsense

Now add a new rule, under Firewll – Rules – WAN by clicking on the plus (+) in the upper right corner.

OPNsense Firewall Rules WAN

The rule is intended to allow incoming requests with pass for this firewall.

important! after applying the new rule with “Apply changes”, the OPNsense must be restarted. This in the VM Console with 6 Reboot system.

Finally, additional interfaces, rules or, for example, OpenVPN and more can be set up.

OPNsense Interfaces LAN

CAUTION! Don’t forget to change the root password now. The OPNsense allows 2FA authentication with TOTP and Google Authenticator, the post can be found here. It is also recommendit to install the VMware Tools, under System – Firmware – Plugins. To do this, you first have to go to the Status tab and click Check for updates.

VMware Tools Plugin

VMware Tools is a set of services and modules that enable multiple capabilities for better management of guest operating systems and seamless user interactions. For optimal performance, it is worth installing the os-vmware plugin under System – Firmware – Plugins

OPNsense installing the os-vmware plugin under System - Firmware - Plugins


If you got tangled up when configuring, there is the possibility of resetting with the option 4) Reset to factory defaults. The firewall will then be restarted and you will find yourself in the wizard for the basic setup of OPNsense, that after login with the default credentials. The IP addressing of the interface can be carried out again here.

How to OPNsense 2FA TOTP with Google Authenticator

This guide shows how to provide One-time Password (OTP) for 2 factor authentication with OPNsense and Google’s Authenticator. All OPNsense services can be used with the 2FA solution.

Step 1 – Add authentication server

To add a TOTP server, go to System ‣ Access ‣ Servers and click the plus (+) for Add server in the top right.

OPNsense System Access TOTP Server

Select Type Local+Timebased One Time Password from drop-down list.

Step 2 – Add or change users

For this example, we’ll create a new user, go to System ‣ Access ‣ Users and click the plus (+) in the right corner.

Add or change OPNsense users

Enter a username and password and fill in the other fields, just like for any other user. Then left at OTP-seed click the checkbox at Generate new secret (160bit).

Generate new secret OPNsense System Access Users OTP-seed

Then click the Save button.

Step 3 – Enable the authenticator for OTP seed

To activate the new OTP seed on the Google Authenticator, first open the user you just created again, click on the pencil icon, then on the Click to unhide button.

Enable the authenticator for the OTP seed

Be very careful with the seed or QR code as this is the only thing you need to calculate the token. KEEP YOUR SEED/QR CODE SAFE !

Step 4 – Activate authentication server

Now activate the authentication server and deactivate the local database, under System ‣ Settings ‣ Administration on Authentication – Server: click on TOTP Server.

Activate authentication server

Do deactivate the Local Database and click the Save button.

Step 5 – Google Authenticator Installation

Open your platform’s App Store, such as iOS or Android, and search for Google Authenticator. Install the app on your device as usual.

Step 6 – Scan QR code

Now open the Google Authenticator app on your smartphone or tablet PC and select the option to scan the QR code, may with the + icon, alternatively the seed can be entered directly.

To test user authentication, OPNsense offers a simple tester. This under System ‣ Access ‣ Tester.

Select the previously configured authentication server and enter the user name. The entry must be made in the form of token + password together in the password field.

  The password field is used to enter both the token and password, ie. Password: 123456PASSWORD when using the default configuration. The OTP authentication server can also be configured to be used in reverse order like PASSWORD123456.