Beginner's Guide to Set up a Full Network using OPNsense

  • published 16. 07. 2024
  • After finishing the comprehensive guide on building a full network using #OPNsense, I've decided to create a more simplified version for beginners that may be easier to digest than the original guide ( • Set up a Full Network ... ).
    I was further motivated by some discussions on Reddit as well as the fact that there has been an increase of users migrating to OPNsense.
    My hope is that this guide helps you get started on your own home network journey as you begin to separate out your trusted and untrusted devices on your network!
    For a written version of this guide, please visit my website: homenetworkguy.com/how-to/beg...
    Below are Amazon affiliate links for the hardware used in this guide, if you wish to purchase it (or other hardware on Amazon) and support my efforts! I greatly appreciate it!
    Protectli VP2420: amzn.to/3u2MYJW
    TP-Link T1500G-10MPS: amzn.to/40qqNcG
    TP-Link TL-SG3210 (non-PoE alternative but will need to use PoE injector for wireless AP): amzn.to/3QFlqTD
    Grandstream GWN7660: amzn.to/3sguW6r
    Chapters:
    00:00 Introduction
    02:20 Hardware used
    02:59 OPNsense configuration
    04:38 OPNsense system settings
    10:49 OPNsense interface assignments
    12:48 OPNsense VLAN configuration
    13:41 OPNsense VLAN interface assignment
    15:53 OPNsense DHCPv4 configuration
    16:50 OPNsense unbound DNS configuration
    18:33 OPNsense firewall rules
    26:34 Configure network switch
    28:57 Switch VLAN configuration
    32:36 Testing the switch configuration with OPNsense
    33:54 Configure the wireless AP
    35:40 Configure the LAN (trusted) SSID
    37:44 Configure the UNTRUSTED SSID
    39:17 Testing the SSIDs
    40:23 Conclusion
    EP30
  • Science & Technology

Comments • 131

  • @TheJam53ice  8 months ago +12

    Rebuilding my home network after multiple storage failures and no backups! This video alone was a huge help after I moved from pfSense to OPNsense.

    • @homenetworkguy  8 months ago +1

      I’m glad you found it helpful!

    • @TheJam53ice  8 months ago

      @homenetworkguy Thanks for the reply :) certainly did help, made me realise what I was doing wrong whilst setting it up aha

  • @JasonsLabVideos  8 months ago +8

    WOOP WOOP !!! Nice work !!! I will have to re-share this for people !!

    • @homenetworkguy  8 months ago

      Thanks! Hopefully it helps people to get started especially if new to the whole process.

    • @JasonsLabVideos  8 months ago

      And because of what pfSense just did to everyone, all these people are ditching pfSense! @homenetworkguy

    • @homenetworkguy  8 months ago

      Yeah I already had the written guide started before the pfSense news so that prompted me to make this more of a priority.

  • @starfoxBR77  8 months ago +1

    Thank you! Looking forward to watching it all!! My environment is still a bit unstable. I'm using it with a home license of Zenarmor.

    • @homenetworkguy  8 months ago +1

      You’re welcome. This guide is very bare minimum but once you have it running, you can introduce one feature at a time until you reach your goals.

  • @naysayer9424  22 days ago

    Thank you so much for all your videos and written guides, you have been extremely helpful for a new OPNsense user

    • @homenetworkguy  22 days ago

      Thanks, I appreciate it. Glad you found them helpful!

  • @Techie4life  8 months ago +1

    Great Job Dustin.

  • @Carl-kg7rm9zz8y  8 months ago +6

    Hey Dustin!
    Another educationally well explained video, thank you!!!
    Keep these videos coming.
    I'm waiting for the member's area, hope it works out!
    //Carl

    • @homenetworkguy  8 months ago +1

      Thanks! I thought about creating a member only subscription on CZcams to get early access to videos (as one perk) since CZcams has that functionality built in so it is easy to set up. I’d have to think about other perks that don’t consume a lot of my time (such as certain extra content) since I can only get so much accomplished in a limited amount of time.

    • @Carl-kg7rm9zz8y  8 months ago

      Yes, start with that.
      One perk can be a Q&A section; you can answer questions when the time suits you. Regarding time, short of time you always have plenty of 😅.

    • @homenetworkguy  8 months ago +1

      Q&A would be good. Since they would be paying customers I could try to give those a bit more of a timely response than other questions I receive. I still try hard to answer everyone but it’s getting more difficult to do as I grow my website and channel.
      Yeah I don’t have the pleasure of doing this full-time. Haha.

  • @coollllmann  7 months ago +1

    Excellent video mate!!!!

  • @asheglenn  3 months ago

    Thank you! Helped me figure out my screwed up firewall rules

    • @homenetworkguy  3 months ago

      You’re welcome! I’m glad it was beneficial!

  • @doop9713  3 months ago

    Thank you so much, tremendously helpful!! :)

  • @mrd4233  8 months ago +1

    Very informative! Thanks for sharing, I will give it a try! :)

  • @Parsley4706  8 months ago

    Amazing video, thanks a lot!

  • @satoshiborishi6898  7 months ago

    Thank you, very informative!

  • @brahyamalmonteruiz9984  3 months ago

    amazing videos!

  • @robertgrabowski2265  6 months ago

    Hi and thank you for the video.
    Some extra (needed) things you could also cover are how to check logs to verify things like LAG, or which port is blocking between VLANs (to check and correct rules for open ports). Also that the LAG interface should be enabled (?).
    Some questions:
    * Is DHCP blocked on each VLAN by default, and should it be opened in the firewall for each VLAN?
    * Does every interface (OPT1, OPT2, OPT3, OPT4) in the OPNsense router correspond to a specific VLAN?
    * Can individual interfaces (OPT2, OPT3) be members of the same VLAN(s)? If two switches are connected to each interface (OPT2/OPT3), or if you want/need to connect two access points to OPNsense?
    * Are there CLI commands for administrating (or checking logs) in OPNsense?
    EDIT: My issue with LAG was on the switch side; there you have to specifically set the PVID on each port.
    Once again, thank you for a good video,
    Robert

    • @homenetworkguy  6 months ago

      Thanks! Yeah logging is helpful. I don’t cover all topics in a single video to keep the time constrained and to stay focused on the topic at hand.
      1. DHCP must be enabled after creating new interfaces (regardless whether it’s a physical interface or a VLAN interface).
      2. Every interface can either be a physical interface or a VLAN interface. It’s not necessarily just VLANs. If your system has multiple physical network interfaces, OPT1, etc can be the physical interface. VLANs sit on top of physical interfaces but show up the same as real physical interfaces. They are treated the same as physical interfaces once you create VLANs.
      3. You cannot assign the same VLAN on multiple physical interfaces unless you bridge those interfaces together (which is not generally recommended). You can connect a switch to the network interface and multiple APs to the switch if you need additional WiFi coverage.
      4. There are some CLI commands you can use but I rarely use the command line since I do all the configuration via the web interface.
      Yeah TP-Link switches in particular require you set the PVID while other switches may do that automatically for you when you assign the VLAN.

  • @protacticus630  7 months ago

    Thank you for the wonderful video. What would you recommend: installing OPNsense on Proxmox, ESXi or bare metal? I need it for my home network. Thank you so much!

    • @homenetworkguy  7 months ago +1

      Thanks! I personally prefer bare metal so that I don’t take the network down if my virtualization server goes down or I’m rebooting it. But I also virtualize OPNsense for testing various things or doing videos or written content.
      There are ups and downs to both approaches. VMs are super easy to backup but with bare metal you need to save the config file (manually or automatically) and if you use ZFS you can take advantage of boot environments (via command line) if you need to roll back if something goes wrong.
      I find OPNsense so stable that I’ve never had to reinstall it from scratch unless I’m switching out my hardware.

  • @kevinhays1693  7 months ago

    Really good videos, got a lot of useful information out of these you have created for us. One question I have though is are you able to create a vlan firewall group, assign your vlans to it, then create a firewall rule on that group to allow dns, block dns, allow internet instead of having to create those rules on each vlan?

    • @homenetworkguy  7 months ago

      Thanks! Glad you found it helpful. Yes, you can create firewall rule groups! You basically choose the interfaces you want in each group (it can be a physical or a virtual interface). See one of my previous videos for a more detailed explanation: czcams.com/video/ReQRcQt050U/video.html

    • @kevinhays1693  7 months ago

      @homenetworkguy Sounds great. I'm switching from an old pfSense community edition and I am enjoying OPNsense so far! Keep up the excellent videos, they are really helpful!
      TY!!

  • @SecurityDivision  4 months ago

    You need to set up that PVID with Zyxel switches too; it cost me a full day of stress and anger, until I properly read the manual :)

    • @homenetworkguy  4 months ago

      Dang. That is a small detail that will get you messed up for hours! It still happens to me on occasion when I’m used to switches that do it for me. Haha. I’m hoping to purchase some cheap managed switches at some point from popular brands so I can show how to set up VLANs across many vendors.
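The PVID detail raised in this thread (and in @robertgrabowski2265's EDIT above, and again for the AP port question further down) is easy to reason about once you model what a switch port does with each arriving frame. The following Python is an added example, not code from the video or from homenetworkguy: it builds constructed 802.1Q frames, classifies them the way a port would on ingress (untagged frames go to the PVID, tagged frames are accepted only for VLANs the port is a tagged member of), decides how a port would emit a frame on egress, and audits an AP port against the video's layout (trusted SSID untagged on VLAN 1, UNTRUSTED SSID tagged). VLAN 30, the MAC addresses and the payloads are assumptions chosen for the demonstration.

```python
import struct
from typing import List, Optional, Set

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, prio: int = 0,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet II frame; if vid is given, insert an 802.1Q tag after the source MAC."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (prio << 13) | (vid & 0x0FFF)          # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_vlan(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF

def classify_ingress(frame: bytes, pvid: int, tagged_vlans: Set[int]) -> Optional[int]:
    """VLAN a switch port assigns to an arriving frame.
    Untagged (or priority-tagged, VID 0) frames land in the port's PVID; tagged frames are
    accepted only for VLANs the port is a tagged member of; anything else is dropped (None)."""
    vid = parse_vlan(frame)
    if vid is None or vid == 0:
        return pvid
    return vid if vid in tagged_vlans else None

def classify_egress(vid: int, pvid: int, tagged_vlans: Set[int]) -> Optional[str]:
    """How the port emits a frame from VLAN `vid`: untagged for the PVID, tagged for other members."""
    if vid == pvid:
        return "untagged"
    if vid in tagged_vlans:
        return "tagged"
    return None

def audit_ap_port(pvid: int, tagged_vlans: Set[int],
                  trusted_vlan: int, ssid_vlans: Set[int]) -> List[str]:
    """Checks for the port an AP hangs off: the trusted SSID rides untagged (so it must be the
    PVID) and every other SSID's VLAN must be present as a tagged member. Returns problems found."""
    problems = []
    if pvid != trusted_vlan:
        problems.append(f"PVID is {pvid}; untagged (trusted SSID) traffic should be VLAN {trusted_vlan}")
    for v in sorted(ssid_vlans - {trusted_vlan}):
        if v not in tagged_vlans:
            problems.append(f"VLAN {v} is not tagged on this port; that SSID's frames will be dropped")
    return problems

# Constructed sample frames: MACs and payloads are made up for the demonstration.
AP_MAC = bytes.fromhex("02aa000000a1")
GW_MAC = bytes.fromhex("02bb000000b1")
UNTAGGED_FRAME = build_frame(GW_MAC, AP_MAC, b"trusted-ssid-client")      # trusted SSID, no tag
TAGGED_30_FRAME = build_frame(GW_MAC, AP_MAC, b"untrusted-ssid", vid=30)  # UNTRUSTED SSID on VLAN 30
TAGGED_40_FRAME = build_frame(GW_MAC, AP_MAC, b"stray", vid=40)           # a VLAN the port is not in

if __name__ == "__main__":
    # Correctly configured AP port: PVID 1 (trusted, untagged), VLAN 30 tagged
    print(classify_ingress(UNTAGGED_FRAME, pvid=1, tagged_vlans={30}))   # 1
    print(classify_ingress(TAGGED_30_FRAME, pvid=1, tagged_vlans={30}))  # 30
    print(classify_ingress(TAGGED_40_FRAME, pvid=1, tagged_vlans={30}))  # None (dropped)
    # The PVID gotcha: a port meant to be an untagged VLAN 30 port whose PVID was left at 1
    # puts its untagged clients into VLAN 1, the trusted network, not VLAN 30.
    print(classify_ingress(UNTAGGED_FRAME, pvid=1, tagged_vlans=set()))  # 1, not 30
    print(audit_ap_port(pvid=1, tagged_vlans=set(), trusted_vlan=1, ssid_vlans={1, 30}))
```

The last two calls are the two failure modes from the comments: a forgotten PVID silently lands devices in the wrong (here, trusted) network, and a VLAN missing from the port's tagged list makes that SSID's clients disappear rather than fail loudly, which is why checking the switch logs and port membership, as Robert suggested, is the first step when a VLAN "doesn't work".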

  • @jc-mt8ot  7 months ago +1

    Great stuff. If you had created the new vlan for untrusted on the igc2 physical interface would you need a device up stream to route that vlan or is OPNsense smart enough to route internally on the mini pc? Clearly it seems to work if you put more than one vlan on igc1 (lan and untrusted) like you did in the demo here.

    • @homenetworkguy  7 months ago

      With 2 interfaces you could actually create 2 separate physical networks without needing VLANs at all if you wanted to, but if you put a VLAN on igc2 while using igc1 as your trusted untagged network (which has no VLANs associated), you would simply need to add the appropriate firewall rules if you want to access anything between the 2 networks.
      Any interface/VLAN that is assigned on the OPNsense box you can have access to from OPNsense. You control access via firewall rules but OPNsense can route traffic to and from any of the interfaces (both physical and virtual) on the OPNsense box.

    • @jc-mt8ot  7 months ago

      @homenetworkguy Thank you for the clarification! Great stuff.

  • @chucksezra9722  7 months ago

    Hi, thank you for this tutorial. For me, I can't afford a WAP and I'm not interested in VLANs at the moment. I just want to learn. Can I use an unmanaged switch and a WiFi router (as my WAP)? Just for the sake of learning. Thanks

    • @homenetworkguy  7 months ago +2

      Yes! You can use the default single LAN network with OPNsense just like a consumer grade router but you will have a lot more control over your router/firewall. An unmanaged switch will work just fine for that. You can put your WiFi router in access point mode if you wish to eliminate double NAT for devices connected to your WiFi. It will actually work leaving it in router mode but if you do that I recommend making sure it or OPNsense uses a different set of IP addresses to avoid issues if you want to access any wired devices on the switch connected to your OPNsense. It is less than ideal to leave it in router mode because it can be more difficult to access the wired devices from your wireless router and vice versa.

  • @yesimwilliam  6 months ago

    Hi great videos. One question, I have a mini PC that has only 2 ports. Can I plug one into the modem (WAN) and the other into my managed switch (LAN) and then set up multiple vlans on the managed switch even though I only have one LAN port going back to OPNsense?

    • @homenetworkguy  6 months ago

      Yes! This is perfectly acceptable and how many users do it (even if they have a mini PC with 3+ interfaces). The only downside is that it can become a bottleneck when routing traffic across networks unless you have higher speed interfaces. If you don’t transfer files between networks often or max out your bandwidth on a regular basis, it shouldn’t be a problem.

    • @yesimwilliam  6 months ago

      Great, I was thinking of only using 2 VLANs, 1 for my WiFi devices and another for my work setup as I work from home. I do have a NAS but it's only really for storing files and runs my Plex. So I don't think I would have an issue with bottlenecks, hopefully.. Thanks for the quick reply!! @homenetworkguy

  • @janiel471  4 months ago

    Thank you so much for your great tutorials. They help me a lot in setting up my new home network. I wonder what the internet speed of your connection is? Does it suffer a lot when using the OPNsense firewall? I'd appreciate it so much if you could make a video on this topic ^_^

    • @homenetworkguy  4 months ago

      You’re welcome! Glad they helped you with your home network! I currently have a cable Internet connection that offers 1.2 Gbps download (sometimes it can burst to 1.4-1.5 Gbps) but the upload is 35 Mbps (it can burst to 40-45 Mbps). Because I run really powerful mini-PCs and my Internet bandwidth is only 1.2 Gbps max, I have no trouble getting full throughput with OPNsense even when enabling CPU intensive services like Zenarmor. Anytime you add Zenarmor, Suricata, VPNs, etc into the mix, you start taking performance hits. If you need more than 3-6 Gbps, you’re going to need a much faster system than the power efficient mini-PCs.

    • @janiel471  4 months ago

      @homenetworkguy Thank you for your information. My internet is 1Gbps. I installed OPNsense on Proxmox on a Zimaboard 8G with default settings only and the speed test dropped down significantly, to just around 300Mbps. After that, I switched back to OpenWrt and it gets back to around 870Mbps. Thanks so much for your tutorials; I know that there is another approach to install OPNsense without using Proxmox, but it could be a huge problem for me.

    • @janiel471  4 months ago

      @homenetworkguy My internet connection is 1Gbps and I'm using a Zimaboard 8G running solely for firewall functionality. At first, I installed OPNsense on Proxmox VE, but when I did internet speed testing, my throughput was dramatically down to about 450Mbps (like half). I thought it possibly could be because of running on virtualization, so I re-installed OPNsense running directly on the Zimaboard and did the test again. The speed increased a little bit, to around 500Mbps, but it was still so disappointing. And I also found out that my internet connection was being dropped, like always after doing several speed tests, because the default routes to the WAN disappeared. I re-installed OpenWrt back on the Zimaboard, and now my internet speed is nearly 900Mbps. These problems lead me to the question: is it worth using OPNsense as the main firewall gateway at this moment? What do you think about that? I'd appreciate your opinions so much.. Thanks.

    • @janiel471  4 months ago

      @homenetworkguy My internet connection is 1Gbps and I'm using a Zimaboard solely for main firewall functionality. At first, I installed OPNsense on Proxmox VE and tried several speed tests; the throughput was around 400Mbps. So I thought it may be because of virtualization, then I re-installed OPNsense running directly on the Zimaboard. The speed increased a little bit, to around 500Mbps, but not what I expected. Finally, I re-installed OpenWrt on the Zimaboard for now, and the speed is back to nearly 900Mbps. One more problem I had when using OPNsense was that after several speed tests completed successfully, the internet connection was being dropped because some default routes were removed and I have no idea how. These problems lead me to the question: is it worth using OPNsense at the moment as the main firewall gateway? I have no problem with OpenWrt so far. What do you think about that? I'd appreciate your opinions so much. Thanks

    • @janiel471  4 months ago

      @homenetworkguy My internet connection is 1Gbps and I'm using a Zimaboard solely for main firewall functionality. At first, I installed OPNsense on Proxmox VE and tried several speed tests; the throughput was around 400Mbps. So I thought it may be because of virtualization, then I re-installed OPNsense running directly on the Zimaboard. The speed increased a little bit, to around 500Mbps, but not what I expected. Finally, I re-installed OpenWrt on the Zimaboard for now, and the speed is back to nearly 900Mbps. One more thing I had when using OPNsense was that after several speed tests completed successfully, the internet connection went down because some default routes were removed somehow. These experiences lead me to the question: is it worth using OPNsense at the moment as the main firewall gateway? I have no problem with OpenWrt so far. What do you think about that? I'd appreciate your opinions so much. Thanks

  • @sohodon  1 month ago

    The question I have is: does the AP show the connected host names in the management interface? I tried this with an Asus AP EBA63 and it is not showing the host name, but it is showing them connected.

    • @homenetworkguy  1 month ago

      I would have to check the Grandstream AP to see. I know it does with UniFi APs. Haven’t had the chance to check my Grandstream AP since I just use it for demonstration purposes.

  • @AbsurdKangaroo  4 months ago

    Do you have any recommendations for connecting to your vp2420 without putting your current router into bridge mode? Or would I be better off just buying a separate modem?

    • @homenetworkguy  4 months ago

      If you’re not hosting any services or gaming, most things will be ok with double NAT (especially if the services are cloud based or use some sort of proxy). You could test it to see if it interferes with anything you use. If not, you can save on the cost of a dedicated modem or the hassle of switching to bridge mode (although setting to bridge mode isn’t super difficult).
      Buying a dedicated modem can save on rental fees and potentially offer a better experience since you will be using your own quality router rather than the cheap all-in-one devices your ISP uses. I personally prefer owning my modem to save on fees and so I can run my own powerful, stable, and secure router.

  • @cyrilpinto418  25 days ago

    This obviously is out of the scope of this video, but reading your website, I saw an article on setting up WireGuard. Would it be possible to make a video on that, especially if installed in a container?

    • @homenetworkguy  25 days ago +1

      I haven’t tried setting it up in a container yet (even though it performs better) since WireGuard on OPNsense works well enough for my needs. I could put it on the list but I thought about doing one with WireGuard on OPNsense now that they’ve updated the UI and included a QR code for adding clients, which was greatly needed and is appreciated.

    • @cyrilpinto418  25 days ago

      Looking forward to all your content; much appreciated.

  • @praetorxyn  3 months ago

    I have a NAS, and I'm planning to build a bigger, badder 8-bay one with ZFS, so I know 10Gbps would be handy on the LAN. Is there a functional difference between a router / firewall appliance that has 10G and one that does not for that use case?
    Or to be clearer, if I have a symmetrical 1 Gbps internet connection, is there a functional difference between an OPNsense appliance with 10Gbps SFP+ connected to a 10Gbps SFP+ port on a switch the client devices are connected to (with one device using the other 10 Gbps port on the switch) and an OPNsense appliance without 10Gbps SFP+ connected via 2.5Gbps RJ45 to a switch with 10Gbps SFP+ that client devices are connected to (with one device using the other 10 Gbps port on the switch)?
    I'm currently eyeing a Minisforum MS-01 as a Proxmox device and considering virtualizing OPNsense on it. It would save money and make backups super easy in case an update messed anything up, but it would mean that if I needed to update the Proxmox host and reboot it, the whole internet would go down, etc.

    • @homenetworkguy  3 months ago

      The faster interfaces are useful for the LAN only if you have more than one local network and you plan to route 10G across VLANs. It takes a reasonably powerful system to route full 10G across VLANs especially if you’re running services such as Zenarmor. But even if you can only route 3-5 Gbps, it’s still better than just 1 Gbps if you have faster clients on your network.
      Even better is if you can create a separate VLAN or dedicated 10G switch just for faster clients and you wouldn’t need to even route 10G traffic across the firewall. It puts less strain on the firewall.

  • @disjustice  4 months ago

    Can anyone explain why the trusted SSID didn't need to be put into VLAN 1? Is that just the default for the switch port if there is no VLAN tag present?

    • @homenetworkguy  4 months ago

      Yes VLAN 1 is the default. I believe I mentioned that I would be using the default VLAN 1 (which is the LAN interface on OPNsense) as the trusted network. I’m going to be releasing a new video soon on how to set up a separate dedicated management VLAN for core network infrastructure. I know some prefer to use a dedicated VLAN but I just use the default VLAN 1 as my management network. I just make sure that I don’t have anything on the management network that’s not supposed to be on it.

  • @CYYB3RMISTER  8 months ago

    Do you think you can follow this video up with:
    Installing nginx proxy manager on a routing level
    Setting up 2 VPN instances for VPNing into our home network and another VPN for all outgoing traffic
    And adguard?

    • @homenetworkguy  8 months ago

      I could try to cover some of these topics at some point. It’s been on my todo list for a while to cover VPNs for outgoing traffic. I already cover accessing your home network via VPN on my website (haven’t done a video on that yet).

    • @adambeal1037  8 months ago

      Site-to-site VPN would be awesome

  • @fu1r4  3 months ago

    You know you can click on the OPNsense logo to go to the dashboard ...
    14:10 You don't need to press Save after you add an interface. The save button is to be used when you swap interfaces. You can see that your UNTRUSTED network will show up in the menu after you have clicked the add button.

    • @homenetworkguy  3 months ago

      Thanks for pointing that out! Yeah, I knew you could click the logo to skip the wizard. I think I have that mentioned in my written guides, but when I recorded the video, I didn't do it that way. I definitely make mistakes in the videos. Unfortunately, I can't go back and fix the minor issues and mistakes on CZcams like I can on my website. My website documentation is much more refined in that regard. I have edited some of my guides at least half a dozen times or more over the last few years.
      If you watch my first full network build guide (part 2), I messed up the video in regards to setting up a LAGG. I realized I missed a step when recording, so I went back to fix it later but the web interface doesn't have the LAGG set up in one of the steps but later it is set up... I believe the overall process is correct, but it's confusing looking at the web interface because in some steps the LAGG interface isn't showing but in other steps it is.
      I may do another network build video later and try to refine and clean up some things in an effort of continual improvement. I have found creating technical videos to be much more difficult than creating written documentation (for others, it may be easier to produce video content, but not for me, haha).

  • @johngalt8708  1 month ago

    What hardware would you recommend?

    • @homenetworkguy  1 month ago

      I would say it would depend on your goals and your budget. If you want to run intrusion detection services, you’ll need a more powerful system to use as your router. Otherwise you could probably get by with more budget friendly hardware. A lot of people like the mini PCs with the Intel N100 CPU.
      As for switches I’ve used TP-Link switches as budget friendly switches but I’ve moved over to Grandstream switches.

  • @shortvideosfullofstupidity9534

    How do you connect an ISP gateway with telephony to OPNsense? Btw good job

    • @homenetworkguy  8 months ago

      Thanks! It might depend on your ISP, but with Comcast for example, I am able to use my own modem with voice and it works fine with a standard handset. I believe it also worked fine when using Comcast's XB7 all-in-one box when it was in bridge mode so you don't lose that capability when using your own router such as OPNsense.

    • @shortvideosfullofstupidity9534  8 months ago

      @homenetworkguy I know it depends, but please make a video about your ISP as an example 🙏

  • @ChaosTheory666  12 hours ago

    This will be quite useful once I figure out how to configure interfaces, IPv4 forwarding, etc, on Guix. Assuming CZcams still exists by then...

  • @Carl-kg7rm9zz8y  7 months ago

    Hi Dustin!
    Can you somehow show how to configure OPNsense using two switches in the same network and make that work, based on your excellent how-to videos!?
    //Carl

    • @homenetworkguy  7 months ago

      Are you referring to connecting the switches together and then connect one of them to OPNsense? That’s what I do for my home network so I can have more ports but also use the same VLANs across both switches (a router on a stick configuration). It works great and I’ve reduced the likelihood of bottlenecks for traffic traversing the different VLANs/networks since my router interface is faster than 1Gbps (I have a 10Gbps interface).

    • @Carl-kg7rm9zz8y  7 months ago

      Exactly what I meant! You must have a teacher's skill hidden inside you 😊 My router's max speed is 2.5 Gb; I want to achieve what you describe with four switches.

    • @homenetworkguy  7 months ago +1

      I could do that. Basically it doesn’t require any extra configuration on OPNsense, you just need to make sure the VLANs pass through each switch. With 3+ switches I recommend using one switch as an aggregation switch and plugging the other 3 into that switch. That way if one of the switches dies, it doesn’t take down the entire network (unless it’s your main aggregation switch that died).
      Of course there are ways to add more redundancy by connecting the switches to each other but then you have to configure spanning tree protocol (which I haven’t tried yet since I don’t need that level of redundancy especially for a home network where switches last a long time and I don’t have more than 2 switches to connect for my main network).

    • @Carl-kg7rm9zz8y  7 months ago

      Please do! Show the configuration steps hands on. It can be a natural follow up to your “Set up a Full Network using OPNsense” series.
      Looking forward to that video!

  • @solverz4078  7 months ago

    Should the access point be plugged into a tagged or untagged port?

    • @homenetworkguy  7 months ago +1

      If you are using VLANs on the AP, it needs to be tagged.

    • @thecameratherapychannel  6 months ago

      @homenetworkguy What if I want to use my wireless AP (no VLAN / not VLAN aware) for both types of traffic? Is there any way to do it or do I need to use a double WAN AP..? (I have an Asus router with double WAN but no VLAN as well).

  • @williamj8280  4 months ago

    Nice, but could you explain a firewall rule to allow one device to use the home internet instead of the VPN for everything? Right now my OPNsense is fully set up and working with my NordVPN, but the issue is I need one device to use my home internet for gaming. I tried setting my source as my PC's static IP above the rule that allows devices to connect to the VPN, but then I lose VPN on all devices and still can’t reach the home internet. I’m sure this is a simple task but I think I’m complicating the issue. Thanks

    • @homenetworkguy  4 months ago

      I don’t use an external VPN but if you do, you’re going to need to make use of policy based firewall rules so you can designate rules to some traffic to go through the VPN and others to not go through the VPN. I believe you can do this by specifying the gateway in your firewall rules. It’s something I want to explore more at some point.

    • @williamj8280  4 months ago

      I actually figured it out about 10 minutes after I sent that message. I was just overcomplicating my situation. I actually solved it by using an alias; for some reason it won’t use a host directly, at least it wouldn’t on my install. I have it working flawlessly now, basically as I stated: I have my VPN as the primary connection, that way all traffic goes through the VPN. Any additional devices can be rerouted by adding a simple rule above the VPN rule. Instead of directing the traffic to the VPN, set the gateway as the one address (actually it works by setting it as default as well), and then of course change your source to the alias that has your host, hit apply, and you now can direct any IP that is in the alias to use your home net, which gives you higher speeds than the VPN. That was originally what my problem was: trying to play games on a VPN had very, very high latency and ping times, sometimes upward of 10k. Kudos to your instructions on setting up OPNsense; following your instructions made my install and configuration simple. Appreciate all the work you put into this because your knowledge has added to my success and to completing my home server setup. @homenetworkguy

  • @YellowstoneCommie  3 months ago

    Why, when directly connected to the firewall, can I not ping it but I can access the GUI? Seems off.

    • @homenetworkguy  3 months ago

      You have to allow ping via firewall rules (you need to allow the ICMP protocol). Some people like having pings blocked while others enable it for certain parts of their network.
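Both the "ping is blocked but the GUI works" observation in this thread and the "one host bypasses the VPN" rule from the @williamj8280 thread above come down to how an interface's rule list is evaluated: top to bottom, first matching quick rule wins, and a packet that matches nothing hits the implicit default deny. The following Python is an added example (not code from the video or from homenetworkguy) that models that evaluation, including OPNsense-style aliases and the per-rule gateway used for policy routing. The alias names (GamingPC, UNTRUSTED_net), the gateway names (WAN_GW, NORDVPN_GW), the 192.168.30.0/24 network and the sample packets are all assumptions made up for the demonstration; it is a model of the rule logic, not a driver for OPNsense's API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed aliases, in the spirit of Firewall > Aliases (hosts/networks); the names are made up.
ALIASES: Dict[str, List[str]] = {
    "GamingPC": ["192.168.30.50"],
    "UNTRUSTED_net": ["192.168.30.0/24"],
}

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str = "any"          # "any", "tcp", "udp", "tcp/udp", "icmp"
    src: str = "any"            # IP, CIDR or alias name
    dst: str = "any"
    dport: Optional[int] = None
    gateway: str = "default"    # hypothetical gateway name; "default" = system routing table
    quick: bool = True          # rules are "quick" (first match ends evaluation) unless unticked

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def expand(target: str, aliases: Dict[str, List[str]]):
    """Resolve 'any', an alias name, or a literal address/CIDR into networks (None means any)."""
    if target == "any":
        return None
    return [ip_network(e, strict=False) for e in aliases.get(target, [target])]

def matches(rule: Rule, pkt: Packet, aliases: Dict[str, List[str]]) -> bool:
    """Protocol, source, destination and destination port must all agree for a rule to match."""
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    for target, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        nets = expand(target, aliases)
        if nets is not None and not any(ip_address(addr) in n for n in nets):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet,
             aliases: Dict[str, List[str]] = ALIASES) -> Tuple[str, Optional[str]]:
    """Walk one interface's rules top to bottom and return (action, gateway).
    A matching quick rule ends evaluation; non-quick rules only remember the last match.
    No match at all is the implicit default deny: ("block", None)."""
    last: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt, aliases):
            if rule.quick:
                return rule.action, rule.gateway
            last = rule
    if last is not None:
        return last.action, last.gateway
    return "block", None

FW_ADDR = "192.168.30.1"   # constructed: the firewall's own address on the UNTRUSTED interface

# Allow ping to the firewall itself: ICMP explicitly, and no gateway so it is delivered locally.
PING_TO_FIREWALL = Rule("pass", "icmp", "UNTRUSTED_net", FW_ADDR)
# One host bypasses the VPN: placed ABOVE the catch-all, with the WAN gateway selected.
GAMING_PC_DIRECT = Rule("pass", "tcp/udp", "GamingPC", "any", gateway="WAN_GW")
# Everyone else on the network is policy-routed through the VPN gateway.
VPN_EVERYTHING = Rule("pass", "tcp/udp", "UNTRUSTED_net", "any", gateway="NORDVPN_GW")

UNTRUSTED_RULES = [PING_TO_FIREWALL, GAMING_PC_DIRECT, VPN_EVERYTHING]
WRONG_ORDER = [PING_TO_FIREWALL, VPN_EVERYTHING, GAMING_PC_DIRECT]   # bypass rule below the catch-all
NO_PING = [GAMING_PC_DIRECT, VPN_EVERYTHING]                          # ICMP is never allowed

if __name__ == "__main__":
    print(evaluate(UNTRUSTED_RULES, Packet("tcp", "192.168.30.50", "1.1.1.1", 443)))  # ('pass', 'WAN_GW')
    print(evaluate(UNTRUSTED_RULES, Packet("udp", "192.168.30.77", "1.1.1.1", 53)))   # ('pass', 'NORDVPN_GW')
    print(evaluate(WRONG_ORDER, Packet("tcp", "192.168.30.50", "1.1.1.1", 443)))      # ('pass', 'NORDVPN_GW')
    print(evaluate(UNTRUSTED_RULES, Packet("icmp", "192.168.30.77", FW_ADDR)))         # ('pass', 'default')
    print(evaluate(NO_PING, Packet("icmp", "192.168.30.77", FW_ADDR)))                 # ('block', None)
```

The WRONG_ORDER case reproduces the symptom from the VPN thread: with the bypass rule below the catch-all it never gets a chance to match, so the gaming PC still leaves via the VPN. The NO_PING case is this thread's symptom: a ruleset that only passes TCP/UDP never matches an echo request, so ping falls through to the default deny while a TCP connection to the web GUI can still be allowed. When you add that ICMP rule, leave its gateway at the default so replies to the firewall's own address are not policy-routed elsewhere.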

  • @yesimwilliam
    @yesimwilliam 6 months ago

    I have no idea where I am going wrong. I've tried this twice, and both times when I get to the firewall rules and then the VLAN setup on my switch, everything goes out and I can no longer get back into OPNsense. I followed your guide to the T, so no idea; very frustrating. How do you get back into OPNsense when this happens?

    • @homenetworkguy
      @homenetworkguy 6 months ago

      Hmm, it's hard to say without knowing the details of the steps you are taking (I know you said you followed exactly, but something is going wrong; it can be some tiny detail).
      In theory, there should be an anti-lockout rule in OPNsense to prevent you from locking yourself out if you are connected to the LAN interface. Adding a VLAN to the default LAN interface shouldn't interfere with the functioning of the LAN interface (where the untagged network traffic resides). So you should be able to plug directly into the LAN interface with your PC/laptop (I don't know if you're trying to connect via a switch or directly to the LAN interface) to have access to OPNsense, unless some incorrect configuration changes were made which could prevent that from working properly.
      When you start adding VLANs to your switch, you have to be careful not to change the network interface that you plugged into to a different VLAN, since you will lose access.

    • @yesimwilliam
      @yesimwilliam 6 months ago

      @homenetworkguy Funny you say that, I was just looking at the default firewall rule that is set up and I saw the anti-lockout. So I think I did something wrong at the switch. The switch I have is not the same as the one you used to demonstrate, so I got confused and probably locked myself out there. I will keep plugging away to see what I did. Thanks for the reply. FYI, I am using a Netgear GS108Ev3 switch.

  • @primenetwork27
    @primenetwork27 5 months ago

    Can you create a video for OpenWAF in OPNsense?

    • @homenetworkguy
      @homenetworkguy 5 months ago

      I haven’t considered OpenWAF before but I suppose it’s a possibility. I don’t have any experience with it so it would be a bit of a learning curve to get up to speed on it.

  • @NunoLeitaoTheEpiq
    @NunoLeitaoTheEpiq 8 days ago

    8:05 timestamp. "Hopefully you are using a VPN not open to the world."
    I didn't understand this. The VPN only changes the entry point of your home, right?

    • @homenetworkguy
      @homenetworkguy 8 days ago

      I think I was trying to say: hopefully you are using a VPN and not exposing apps/services directly to the world. Of course you can expose them if you understand the risks and know how to secure them well (and monitor it on a regular basis for malicious activity). A VPN offers a secure connection so no one on the outside can get in (unless there is some rare vulnerability).
      I want to update this series at some point, since I was new to YouTube when I created these.

    • @NunoLeitaoTheEpiq
      @NunoLeitaoTheEpiq 8 days ago

      @homenetworkguy thanks for the reply.
      I'm still not sure if I have understood.
      To my knowledge (correct me please where you see fit, because I'm still trying to understand this), a VPN is just a different entry point on the internet to your home.
      Imagine you have a VPN configured in your router and all your home network goes through it when accessing the internet.
      How does this protect your network?
      Your router basically only has a different WAN IP, no? All the ports can be hit on the VPN IP instead of your IP, correct?

    • @homenetworkguy
      @homenetworkguy 8 days ago +1

      I’m referring to hosting apps on your network. You can set up a VPN server on your router or your internal network through which you can connect remotely to your home network. Only the VPN port is exposed to the Internet rather than the app you are hosting. This means only users who use your VPN server can access it. It’s protected via encryption/keys, etc.
      What you are referring to is connecting your home network to a 3rd party VPN provider to route all of your home’s Internet traffic through it. Some users do it for increased privacy, but then you have to trust the VPN provider. I don’t use 3rd party VPN providers, but I know that some users prefer to do that. You may sacrifice latency and throughput depending on the VPN provider and the capabilities of your home router (a slower router may not handle higher-throughput VPN traffic as well due to the CPU overhead of encryption).

  • @timmark4190
    @timmark4190 6 months ago

    Once you block each network, how can you allow, say, an iPhone on network LAN to reach an Apple TV on network UNTRUSTED?

    • @homenetworkguy
      @homenetworkguy 6 months ago

      Add a rule on the LAN interface to access the Apple TV on the Untrusted network (you can use the Apple port list to determine specific ports, or simply allow all ports even though it’s more open). It needs to be above the bottom rule. Ideally you would give the Apple TV a static IP and use the mDNS plugin so that you can auto-discover the Apple TV from your phone.
      I haven’t tried making this work in a while because it’s tough to get working properly, since devices like the Apple TV are designed to be on a flat network. You can work around it, but it can be extra work. I put my phones on the same IoT network as my Apple TV just to keep things easy/seamless between my iPhone and Apple TVs. I’m ok with classifying my phone as an IoT device even though it’s likely much more secure than many IoT devices that do not prioritize security.
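Added example (not from the video or any of the commenters): a small Python model of OPNsense's top-to-bottom, first-match rule evaluation that ties together three points raised in this thread: the VPN bypass rule placed above the VPN catch-all using a host alias, ping failing until ICMP is explicitly allowed, and the LAN to Apple TV pass rule needing to sit above the block rule. All addresses, alias names and gateway names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases (same idea as the host alias the commenter used for VPN bypass).
ALIASES = {
    "GAMING_HOSTS": ["192.168.1.50", "192.168.1.51"],  # LAN hosts that skip the VPN
    "APPLE_TV": ["192.168.30.20"],                      # static IP on the UNTRUSTED VLAN
}

@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "any", "tcp", "udp" or "icmp"
    src: str                  # CIDR, alias name or "any"
    dst: str
    gateway: str = "default"  # policy routing: gateway used by traffic this rule matches
    desc: str = ""

IMPLICIT_DENY = Rule("block", "any", "any", "any", desc="implicit default deny")

def _match(spec, addr):
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])  # alias expands to its members, else a single CIDR
    return any(addr in ip_network(n, strict=False) for n in nets)

def evaluate(rules, proto, src, dst):
    """First matching rule wins: OPNsense reads interface rules top to bottom."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto in ("any", proto) and _match(r.src, s) and _match(r.dst, d):
            return r
    return IMPLICIT_DENY

# Constructed LAN interface rule set, top to bottom. Each narrow "pass" sits above the
# broader rule it must beat: VPN bypass above the VPN catch-all, Apple TV above the block.
LAN_RULES = [
    Rule("pass", "icmp", "192.168.1.0/24", "192.168.1.1", desc="allow ping to firewall"),
    Rule("pass", "any", "GAMING_HOSTS", "any", gateway="default", desc="bypass VPN"),
    Rule("pass", "any", "192.168.1.0/24", "APPLE_TV", desc="LAN -> Apple TV"),
    Rule("block", "any", "192.168.1.0/24", "192.168.30.0/24", desc="block LAN -> UNTRUSTED"),
    Rule("pass", "any", "192.168.1.0/24", "any", gateway="VPN_WAN", desc="rest via VPN"),
]

# Only the web GUI allowed: ping to the firewall falls through to the implicit deny,
# which is the "GUI works but ping doesn't" symptom from the thread.
GUI_ONLY = [Rule("pass", "tcp", "192.168.1.0/24", "192.168.1.1", desc="web GUI only")]

def swap(rules, i, j):
    """Return a copy with two rules swapped, to show how ordering changes the outcome."""
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out
```

Swapping the Apple TV rule below the block rule turns the same LAN to Apple TV packet into a block, which is exactly why the pass rule has to be above the bottom rule.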

  • @C0LiDe
    @C0LiDe 5 months ago

    How can we be sure that the BIOS has not been compromised?

    • @homenetworkguy
      @homenetworkguy 5 months ago +1

      It can be difficult, especially if you have your system on the edge of your network and you are not able to monitor the traffic. If you put the system behind your main router/firewall, you can start observing the traffic to ensure nothing suspicious is happening. Of course, even this is a less than ideal way to know if the firmware has been compromised. I would say the likelihood of it happening is pretty low unless you are being targeted by a nation state, but there is always the possibility that vulnerabilities can be exploited which could potentially get into the firmware of your system. I'm not sure how often that occurs, since the most likely scenario is that someone physically tampered with the device or it came from the manufacturer/supply chain with a backdoor or vulnerability already installed in the firmware.

  • @YellowstoneCommie
    @YellowstoneCommie 3 months ago

    Cool but never went over how to save the actual config.

    • @homenetworkguy
      @homenetworkguy 3 months ago

      Which config are you referring to? OPNsense, the network switch, or the AP configuration? For OPNsense, the configuration will be saved if you click the Apply or Save buttons (depending on the config you are changing). You can also back up the configuration on the System > Configuration > Backup page. For many network switches, you have to click a Save button to persist changes across a reboot. Otherwise, you lose all of your configuration since the last time you saved the changes. This is done in case you mess up your config; you could reboot and clear out the messed-up configuration. Switches often let you export the configuration for backup as well. For the AP configuration, you should be able to Apply and Save changes. Depending on the AP, that process could vary. You can also export a backup config for APs. If your switches and APs are in the same ecosystem, you only need to back up the configuration from the controller software, such as the UniFi Controller.

    • @YellowstoneCommie
      @YellowstoneCommie 3 months ago

      @homenetworkguy I was able to save the config once I pulled out the install USB, haha. It was booting from the installer even after I finished.

    • @homenetworkguy
      @homenetworkguy 3 months ago

      Ohh… I didn’t show the installation portion, to save time on the video because it would make it longer. I was also focusing on the topic at hand of building a network.

  • @legendaryzfps
    @legendaryzfps 1 month ago

    No IPv6?

    • @homenetworkguy
      @homenetworkguy 1 month ago

      I include IPv6 on the more advanced configuration guide videos I have created. I was trying to keep things simple and minimal with this guide.

    • @legendaryzfps
      @legendaryzfps 1 month ago

      @homenetworkguy IPv6 is really simple; IPv4 is complicated.

    • @homenetworkguy
      @homenetworkguy 1 month ago

      If you only have a single network, that may be the case. However, that has not been my experience when you want IPv6 for multiple internal networks. If your ISP doesn’t support prefix delegation, you can’t really use GUA addresses from the ISP. ULA addresses have to be used, which complicates things and isn’t always recommended because it goes against the principles of IPv6, where everything can have a GUA address because there are enough addresses to go around. Another complication is that many ISPs use dynamic IPv6 addresses, and if you wish to firewall such devices on your internal network using GUAs, that can be a problem. OPNsense allows you to create aliases with dynamic prefixes to help with this, but you would probably need to make the 2nd half of the IPv6 address static using a DHCPv6 reservation. Does this all sound simpler than IPv4? I keep the IPv6 configuration to a minimum on my network and only allow IPv6 to access IPv6 content online; I do not use it much internally.

  • @Zenobia992
    @Zenobia992 3 months ago

    I came from LTT.

    • @homenetworkguy
      @homenetworkguy 3 months ago

      Nice. Did you see it off to the side of one of their videos?

    • @paulheckenauer
      @paulheckenauer 3 months ago

      @homenetworkguy Your video is linked in the last ShortCircuit video description!

    • @homenetworkguy
      @homenetworkguy 3 months ago

      Ohh wow! Awesome! Thanks for letting me know!

  • @hmt8701
    @hmt8701 7 months ago

    Please consider an OPNsense build using the new R2: czcams.com/video/3xXHuQWnmVc/video.htmlsi=1E_xnzOv2IgaqgoX

    • @homenetworkguy
      @homenetworkguy 7 months ago

      That’s a neat tiny little box but it does have one Realtek NIC so you may have to avoid using that one NIC (or just use it as a management interface). Realtek NICs generally do not work well with OPNsense (due to poor driver support in FreeBSD).