Setting Up and Securing OPNsense 26.1 (DVD ISO) as a Virtual Primary Gateway

This guide walks through installing OPNsense 26.1 using the DVD ISO and configuring it as the primary gateway for all virtual machines in your environment. The goal is to build a secure, production-ready virtual firewall that routes and protects all internal traffic.

We’ll cover:

  • Virtual environment design

  • Installing OPNsense 26.1 from DVD ISO

  • Network configuration (WAN/LAN)

  • Hardening and security best practices

  • Making OPNsense the default gateway for all VMs


1. Architecture Overview

Before installing OPNsense, design your virtual network properly.

Recommended Virtual Topology

          Internet
             │
 (Bridged / External vSwitch)
             │
        WAN (OPNsense)
      ┌───────────────┐
      │   OPNsense    │
      └───────────────┘
     LAN (Internal vSwitch)
             │
      ┌──────┴───────┐
VM1 (Server)     VM2 (Client)

Network Design

  • WAN Interface

    • Connected to a bridged/external switch

    • IP from ISP or upstream router

  • LAN Interface

    • Connected to an internal-only switch

    • Static private subnet (e.g., 192.168.10.0/24)

    • All VMs connect only to the LAN network


2. Requirements

  • Hypervisor: VMware, Proxmox, VirtualBox, Hyper-V, etc.

  • OPNsense 26.1 DVD ISO – download from OPNsense.org

  • Minimum VM Specs:

    • 2 vCPUs

    • 4GB RAM (recommended)

    • 20GB disk

    • 2 network adapters (WAN + LAN)


3. Creating the OPNsense Virtual Machine

Step 1 – Create VM

  • OS Type: FreeBSD (64-bit)

  • CPU: 2 cores minimum

  • RAM: 4GB recommended

  • Disk: 20GB (thin-provisioned OK)

Step 2 – Attach Network Adapters

Adapter   Purpose   Virtual Switch
NIC 1     WAN       External / Bridged
NIC 2     LAN       Internal-only

Important: Do not attach other VMs to the WAN network.

Step 3 – Mount DVD ISO

  • Attach the OPNsense 26.1 DVD ISO to the VM’s virtual CD/DVD drive

  • Boot the VM


4. Installing OPNsense 26.1

  1. Select Install at boot

  2. Choose keyboard layout

  3. Use guided partitioning (ZFS recommended for production)

  4. Set root password

  5. Reboot and remove the ISO

After reboot, OPNsense will display console configuration options.


5. Assigning Interfaces

  • Assign WAN: usually vtnet0 or em0 (vtnet for VirtIO adapters, em for emulated Intel NICs)

  • Assign LAN: usually vtnet1

  • Confirm configuration

  • Expected defaults:

    • WAN IP: DHCP or manual

    • LAN IP: 192.168.1.1 (the factory default; the rest of this guide assumes the LAN interface is re-addressed to 192.168.10.1 so that it matches the 192.168.10.0/24 design from section 1)


6. Accessing the Web Interface

From a VM on the LAN network:

  • Browse to: https://192.168.1.1

  • Default login:

    • Username: root

    • Password: (the one you set)

Setup Wizard:

  1. Change hostname

  2. Set domain

  3. Configure DNS servers

  4. Set WAN settings

  5. Change the admin password (if not already done)


7. Making OPNsense the Primary Gateway

Option A – Use OPNsense DHCP (Recommended)

  1. Navigate to: Services → DHCPv4 → LAN

  2. Enable DHCP server

  3. Set range (e.g., 192.168.10.100 – 192.168.10.200)

  4. Apply

All LAN VMs automatically get:

  • Default Gateway: 192.168.10.1

  • DNS: OPNsense

Option B – Static Configuration

Manually configure on each VM:

  • IP: 192.168.10.x

  • Subnet: 255.255.255.0

  • Gateway: 192.168.10.1

  • DNS: 192.168.10.1


8. Essential Security Hardening

1️⃣ Change Default Ports

  • System → Settings → Administration

  • Change HTTPS port (e.g., 8443)

  • Disable HTTP redirect

  • Enable TLS 1.2/1.3 only

2️⃣ Disable WAN Management Access

  • Firewall → Rules → WAN

  • No rules allowing HTTPS, SSH or the web GUI (OPNsense ships with no WAN pass rules, so the point is simply never to add one)

  • Management access only from LAN

3️⃣ Enable SSH Securely (Optional)

  • System → Settings → Administration

  • Enable SSH

  • Disable password authentication

  • Use key-based authentication only

  • Restrict to LAN interface

4️⃣ Automatic Updates

  • System → Firmware → Settings

  • Enable periodic updates

  • Enable security patch notifications

5️⃣ Enable Intrusion Detection (IDS/IPS)

  • Services → Intrusion Detection (Suricata)

  • Enable on WAN and LAN

  • Download rule sets

  • Switch to IPS mode (block); IPS mode runs Suricata inline via netmap, so make sure hardware offloading is disabled under Interfaces → Settings or traffic can stop flowing

6️⃣ Configure DNS with Unbound

  • Services → Unbound DNS

  • Enable DNSSEC

  • Enable DNS Query Forwarding if required

  • Register DHCP leases

7️⃣ Configure NAT and Outbound Rules

  • Firewall → NAT → Outbound → Hybrid Outbound NAT

  • Restrict unnecessary outbound traffic (e.g., block SMTP except mail server)

8️⃣ Create Proper LAN Rules

  • The default LAN rule allows all traffic out

  • For better security, allow only required ports (HTTP/HTTPS, DNS)

  • Block everything else (rules match top-down, first match wins, so the allow rules must sit above the final block rule)

9️⃣ Logging and Monitoring

  • Enable logging for all rules

  • Firewall → Log Files → Live View

  • Consider NetFlow, reporting plugins, Monit

10️⃣ Optional Advanced Security Features

  • VLAN segmentation

  • Guest network

  • VPN (WireGuard/OpenVPN)

  • GeoIP blocking

  • Multi-WAN failover

  • HA with CARP


9. Testing Your Setup

  • Verify clients get DHCP

  • Verify internet connectivity

  • Confirm public IP via browser

  • Run external port scan

  • Confirm WAN ports are closed

  • Test from external, internal, and VPN (if configured)


10. Final Checklist

✔ WAN management disabled
✔ LAN rules restricted
✔ DHCP configured
✔ IDS/IPS enabled
✔ DNS secured
✔ Updates enabled
✔ Logs monitored
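To check these boxes mechanically rather than by eye, here is an added Python script that is not part of the original post: it reads an OPNsense config.xml backup (System → Configuration → Backups) and evaluates the section 8 items, so a leftover WAN allow rule or a re-enabled SSH password login shows up as a FAIL. The XML paths are my assumptions about config.xml's layout, not anything the post documents, so confirm them against your own backup; the sample config is constructed.

```python
# Added example (not from the post): audit an OPNsense config.xml backup against the
# checklist. XML paths are assumptions from config.xml's layout; verify them on your own backup.
import xml.etree.ElementTree as ET

MGMT_PORTS = {"22", "443"}  # SSH and the stock web GUI port

def text(root, path, default=""):
    el = root.find(path)  # first element at path, or default if absent
    return (el.text or "").strip() if el is not None else default

def wan_mgmt_rules(root, webgui_port):
    """Enabled WAN pass rules whose destination port is any, SSH or the web GUI."""
    hits = []
    for rule in root.findall("filter/rule"):
        if text(rule, "type") != "pass" or text(rule, "interface") != "wan":
            continue
        if text(rule, "disabled") == "1":
            continue  # disabled rules are never loaded into pf
        port = text(rule, "destination/port")
        if port == "" or port in MGMT_PORTS | {webgui_port}:
            hits.append(text(rule, "descr") or "(no description)")
    return hits

def audit(xml_text):
    """Map each checklist item to True (pass) or False (fail)."""
    root = ET.fromstring(xml_text)
    webgui_port = text(root, "system/webgui/port", "443")
    ids = "OPNsense/IDS/general/"
    return {
        "webgui_port_changed": webgui_port not in ("", "443"),
        "http_redirect_disabled": text(root, "system/disablehttpredirect") == "1",
        "ssh_password_auth_off": text(root, "system/ssh/passwordauth") != "1",
        "no_wan_mgmt_rules": not wan_mgmt_rules(root, webgui_port),
        "dhcp_on_lan": text(root, "dhcpd/lan/enable") == "1" and text(root, "dhcpd/lan/range/from") != "",
        "ids_ips_enabled": text(root, ids + "enabled") == "1" and text(root, ids + "ips") == "1",
        "dnssec_enabled": text(root, "OPNsense/unboundplus/general/dnssec") == "1",
    }

# Constructed sample: web GUI still on 443, SSH passwords allowed, and a leftover
# WAN rule permitting HTTPS to the firewall, so exactly three checks should fail.
SAMPLE = """<opnsense>
<system><webgui><port>443</port></webgui><disablehttpredirect>1</disablehttpredirect>
<ssh><enabled>enabled</enabled><passwordauth>1</passwordauth></ssh></system>
<filter><rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
<destination><any>1</any><port>443</port></destination><descr>TEMP remote admin</descr></rule></filter>
<dhcpd><lan><enable>1</enable><range><from>192.168.10.100</from><to>192.168.10.200</to></range></lan></dhcpd>
<OPNsense><IDS><general><enabled>1</enabled><ips>1</ips></general></IDS>
<unboundplus><general><enabled>1</enabled><dnssec>1</dnssec></general></unboundplus></OPNsense></opnsense>"""
if __name__ == "__main__":
    for check, ok in audit(SAMPLE).items():
        print("PASS" if ok else "FAIL", check)
```

Run it as `python3 audit.py` against the sample, or swap SAMPLE for the contents of a real backup file.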


✅ Conclusion

Using the OPNsense 26.1 DVD ISO in a virtual environment gives you a robust and flexible gateway for all VMs. Properly segmented and hardened, OPNsense can rival commercial firewalls, providing:

  • Centralized traffic control

  • Enforced firewall policies

  • Deep packet inspection

  • Improved visibility

  • Enhanced security posture
