This is Part one of a two-part series. Part two is located here.
A good friend of mine supports many small and medium businesses and has started transitioning their firewalls to OPNsense from others such as pfSense, Sophos or ASA as they age out. I offered to design devices and a base config that is easy for him to manage so they are uniform in configuration. I documented the OPNsense configuration to support this and thought I would share it here.
For the hardware, I obtained a bunch of older 4- and 6-port 1RU commodity firewall devices, upgraded their CPU and memory, and added mirrored SSD storage so they can handle line-speed routing depending on their ISP options.
To upgrade them I obtained 4C4T CPUs to replace the 1C2T CPUs the devices came with. These were towards the top range of that socket but without a high TDP cost. As I already had memory on hand, I upgraded them from 2GB to 8GB. I also had several mSATA drives, so I obtained some SATA-to-mSATA converters to give the firewalls mirrored ZFS storage, and even color-coded the SATA cables to make identifying a drive for replacement very easy. All in, I have spent around $80 per device with a dozen done so far, and I buy more as I come across them.
The OPNsense configuration is split into two parts: this one is the "base-config", with all settings common to all clients, and the second is a "post-deploy" with custom settings unique to each client. I will post the second part shortly. This allows the base-config to be easily manipulated and re-created for a newer release, even though the config file is forward compatible.
This was last updated with 23.1; however, many screenshots are still from 22.7. Since it is for a specific, albeit wide, use case, you will need to make some adjustments, such as IP addresses/ranges, if you follow this guide. The OPNsense install documentation is fantastic.
Create Base-Config
Download the Latest ISO Installer from OPNsense
Create VM in ESXi choosing FreeBSD 13+ 64-Bit
UEFI
2 cores (1x2)
4GB memory
20GB Storage
20GB Storage
Intel e1000e NIC on LAN VLAN
Intel e1000e NIC on its own non-routed VLAN
Intel e1000e NIC on its own non-routed VLAN
Downloaded ISO
Boot from Media and let it autoconfigure network
Login: installer
Password: opnsense
Choose Select to use default keymap
Choose Install (ZFS)
Choose mirror
Select both 20GB Drives
Select Yes at the configuration
It will install a clone of the live system
Leave Root password as default and Select Complete Install and choose OK
The System will restart and go to the landing login
Login: root
Password: opnsense
Choose Option 12 to update to latest build version
Choose Yes to proceed.
Use PgDn to scroll through the release notes and type Q at the : or (END) prompt
It will update to the latest minor dot version and restart
After the restart, log in again as root and run option 12 again, as it may have a patch release to apply
STOP here if you are following Part 2, and return to Part 2.
From another PC on the non-routed VLAN, go to https://192.168.1.1, log in, and let it start the wizard.
On the initial Wizard screen set the following:
Override DNS = unchecked
Enable Resolver = Checked
Enable DNSSEC Support = Checked
Harden DNSSEC data = Checked
Choose Next and on the Time Server Wizard set
Time server hostname = time.cloudflare.com time.facebook.com 0.us.pool.ntp.org 1.us.pool.ntp.org
Timezone = America/Denver
Choose Next and on the Configure WAN interface wizard choose Next to leave defaults
On the Configure LAN interface wizard choose Next to leave at default
On the Set Root Password wizard choose Next to leave at default
Finally, choose Reload to apply the changes.
Initial Wizard is now complete
Navigate to INTERFACES:LAN
IPv6 Configuration Type = None
Select Save
Navigate to INTERFACES:WAN
IPv6 Configuration Type = None
Select Save
Select Apply changes at top
Navigate to INTERFACES: ASSIGNMENTS
Under new interface verify em2 is listed and enter WLAN for its description.
Click the Plus sign
Select Save
Navigate to INTERFACES: WLAN
Enable=checked
IPv4 Configuration Type = Static IPv4
Static IPv4 configuration
IPv4 address = 192.168.2.1 /24
Click Save
Click Apply Changes at top
Navigate to SYSTEM: FIRMWARE: Plugins and install the following plugins
os-crowdsec
os-dmidecode
os-hw-probe
os-iperf
os-smart
os-theme-cicada
os-vnstat
os-nut
os-sunnyvalley
Navigate to SYSTEM: SETTINGS: General
Change Theme to cicada
Select Save
Navigate to SYSTEM: SETTINGS: ADMINISTRATION
Access Log=checked
Secure Shell Server = checked
Root Login = checked
Inactivity timeout = 20
Click Save
Navigate to SYSTEM: SETTINGS: LOGGING
Preserve Logs(Days) = 90
Select Save
Navigate to SYSTEM: SETTINGS: MISCELLANEOUS
Thermal Sensors
Hardware = Intel Core CPU on-die thermal sensor (coretemp)
Power Savings
Use PowerD = Checked
On AC Power Mode = Hiadaptive
On Battery Power Mode = Hiadaptive
On Normal Power Mode = Hiadaptive
Disk / Memory Settings (reboot to apply changes)
Swap File = checked
Select Save
Navigate to SERVICES: DHCPv4: LAN
Range = 192.168.1.11 to 192.168.1.245
Click Save
Navigate to SERVICES: DHCPv4: WLAN
Range = 192.168.2.11 to 192.168.2.245
Click Save
Navigate to SERVICES: NETWORK TIME: GENERAL
NTP Graphs - checked
Syslog logging
Enable logging of peer messages = checked
Enable logging of system messages = checked
Click Save
Navigate to SERVICES: CROWDSEC: SETTINGS
Click Apply
Navigate to REPORTING: SETTINGS
Under Unbound DNS reporting
Statistics = checked
Click Save
Navigate to SERVICES: UNBOUND DNS: GENERAL
DHCP Registration = checked
TXT Comment Support = checked
Click Save
Click Apply Changes
Navigate to SERVICES: UNBOUND DNS: ADVANCED
Prefetch Support = checked
Prefetch DNS Key Support = checked
Harden DNSSEC data = checked
Message Cache Size = 10MB
Extended statistics = checked
Number of Hosts to cache = 50000
Click Apply
Navigate to SERVICES: UNBOUND DNS: DNS OVER TLS
Use System Nameservers = unchecked
Click the Plus sign to create a new entry.
Entry One Server IP = 1.1.1.1 Hostname = cloudflare-dns.com
Entry Two Server IP = 1.0.0.1 Hostname = cloudflare-dns.com
Click Apply
Navigate to FIREWALL: GROUPS
Click Plus sign to create a group
Name=ALL_INTRNL_NETS
Members=LAN, WLAN
Click Save
Click Apply Changes
Navigate to FIREWALL: ALIASES
Click Plus sign to create an Alias
Name=GeoIPBlock
Type=GeoIP
Africa=Sudan
America=Cuba
Asia=China,Iran,Iraq,Korea (North),Myanmar (Burma),Syria
Europe=Lithuania, Russia
Description=Countries Being Blocked
Navigate to FIREWALL: ALIASES: GeoIP settings
URL=Temp maxmind URL
Click Apply
URL=blank
Click Apply
Navigate to FIREWALL: RULES: ALL_INTRNL_NETS
Click Plus to create a rule
Action = Block
Interface=ALL_INTRNL_NETS
Source= ALL_INTRNL_NETS
Destination=crowdsec_blacklists
Log=checked
Description=Block Outbound to CrowdSec IPv4
Select Save
Clone the above rule and set the following
TCP/IP Version=IPv6
Destination=crowdsec6_blacklists
Description=Block Outbound to CrowdSec IPv6
Select Save
Clone crowdsec IPv4 rule and set the following
Destination=GeoIPBlock
TCP/IP Version=IPv4
Description=Block Outbound to GeoIPBlock IPv4
Select Save
Clone GeoIPBlock IPv4 rule and set the following
TCP/IP Version=IPv6
Description=Block Outbound to GeoIPBlock IPv6
Select Save
Click Plus to create a rule
TCP/IP Version=IPv4+IPv6
Destination=This Firewall
Click Save
Navigate to FIREWALL: RULES: WAN
Click Plus to create a rule
Action=Block
TCP/IP Version = IPv4
Source=GeoIPBlock
Log=checked
Description=GeoIP Inbound Block
Click Save
Clone the above GeoIP Rule and set the following
TCP/IP Version=IPv6
Description=GeoIP Inbound Block IPv6
Click Save
Navigate to FIREWALL: RULES: LAN
Clone the Default allow LAN to any rule and change the following
Interface=WLAN
Source=WLAN net
Description=Default allow WLAN to any rule
Click Save
Navigate to FIREWALL: RULES: WLAN
Clone the Default allow LAN IPv6 to any rule and change the following
Interface=WLAN
Source=WLAN
Description=Default allow WLAN IPv6 to any rule
Click Save
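The following Python model is an added example, not part of the original guide or of OPNsense itself. It shows how the IPv4 rules created above are evaluated: the ALL_INTRNL_NETS group rules are checked before the per-interface LAN and WLAN rules, and the first match wins. The alias contents are constructed documentation ranges, the Pass action on the "This Firewall" rule is an assumption (the guide does not state it), and IPv6 rules are left out.

```python
import ipaddress

# Constructed alias contents (documentation ranges); the real tables are
# filled at runtime by CrowdSec and the GeoIP database.
ALIASES = {
    "ALL_INTRNL_NETS": ["192.168.1.0/24", "192.168.2.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "WLAN net": ["192.168.2.0/24"],
    "This Firewall": ["192.168.1.1/32", "192.168.2.1/32"],
    "crowdsec_blacklists": ["203.0.113.0/24"],
    "GeoIPBlock": ["198.51.100.0/24"],
    "any": ["0.0.0.0/0"],
}

# (action, interfaces, source alias, destination alias, description)
GROUP_RULES = [
    ("block", ("LAN", "WLAN"), "ALL_INTRNL_NETS", "crowdsec_blacklists",
     "Block Outbound to CrowdSec IPv4"),
    ("block", ("LAN", "WLAN"), "ALL_INTRNL_NETS", "GeoIPBlock",
     "Block Outbound to GeoIPBlock IPv4"),
    # Assumption: the guide gives this rule no action or description.
    ("pass", ("LAN", "WLAN"), "any", "This Firewall",
     "(no description in guide)"),
]
INTERFACE_RULES = [
    ("pass", ("LAN",), "LAN net", "any", "Default allow LAN to any rule"),
    ("pass", ("WLAN",), "WLAN net", "any", "Default allow WLAN to any rule"),
]


def in_alias(addr, alias):
    """True if addr falls inside any network listed for the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])


def evaluate(iface, src, dst, rules=None):
    """Return (action, description) of the first matching rule.

    By default group rules are checked before per-interface rules;
    traffic that matches nothing falls through to the default deny.
    """
    for action, ifaces, s, d, descr in rules or GROUP_RULES + INTERFACE_RULES:
        if iface in ifaces and in_alias(src, s) and in_alias(dst, d):
            return action, descr
    return "block", "Default deny"
```

Passing `INTERFACE_RULES + GROUP_RULES` as `rules` shows why the order matters: the default allow rule then matches first and the block rules are never reached.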