
Guide: Build your own router/firewall with Opnsense
Do you enjoy tinkering with computers and taking on more advanced projects? Then I have a suggestion: build your own router/firewall.
Routers built this way run more advanced operating systems on more powerful hardware than standard consumer routers, opening up a world of new possibilities. There is a learning curve and it may feel complicated at first, but things that are technically possible on consumer routers such as Asus, yet in practice quite fiddly, become much easier.
There are a variety of operating systems to choose from, ranging from OpenWrt, which can also be installed on consumer-grade routers, to various Linux-based systems such as ClearOS and IPFire, to BSD-based systems such as pfSense and Opnsense.
Anders Lundberg
The latter two seem to be the most popular, and I’ve had a router with Opnsense myself for a few years, so I’ve chosen that system for this guide.
Why build it yourself?
For many people, the answer is simply: because you can, and because it is interesting and instructive. But curiosity does not have to be the only reason. There are also practical and technical advantages.
Once you have learned the basics, things like setting up multiple VLANs with different firewall rules (for example, preventing smart home devices from accessing the Internet), using dynamic DNS, running your own recursive DNS server, showing a welcome page when guests connect to the wireless network, and more become much easier.
Perhaps the biggest benefit, however, is security. Instead of relying on the manufacturer to release updates and keep your router secure, you get new updates almost every week, so that all parts of the system have the latest security fixes. There are also plug-ins that can give the network a higher level of protection than ordinary consumer products offer.
Choose the right hardware
You can repurpose an old computer for Opnsense, in which case you usually only need to buy a network card or two. But such a computer often uses more power than necessary and is a large box that is hard to place in a home.
Opnsense is based on the Unix-like system FreeBSD. This means it is pickier about hardware than Linux. The network card in particular can be an issue: the system prefers and works best with Intel-based cards, so if you are buying a new computer or card, check that it has an Intel networking chip.
A mini PC with two Ethernet ports may be a better choice, and there are in fact computers on sale that are designed specifically for Opnsense or pfSense. For example, Amazon sells a model from Hunsn that costs just over $200 and comes with Intel networking chips. Since memory is cheap, I recommend starting with 16 GB of RAM and at least a 128 GB SSD.
In addition to the router computer, I highly recommend a managed switch to connect to it. That way you can, for example, set your old router to access point mode and use it only for Wi-Fi. A managed switch is also required if you want to start using virtual networks (VLANs).
Install Opnsense
Start by downloading the latest version of Opnsense (just click the Download button with the pre-selected options). Also download and install Balena Etcher, a simple program for writing .iso and .img files to USB drives.
Unzip the downloaded .bz2 file to obtain the .img file. Insert the USB flash drive, start Etcher, click Flash from file and select the image file. Select your USB stick as the target and click Flash.
Once done, eject the flash drive and plug it into your router computer, to which you first need to connect a monitor and keyboard. Boot the computer from the USB stick via the boot menu or BIOS.
The system starts in text mode and text scrolls by for a while. When it has finished you will see a login prompt. Log in with username installer and password opnsense. The installer will now start.
Select your keyboard layout and continue. Choose Install (ZFS), which is now the normal recommended method. Choose stripe and then use the space bar to select the target SSD. Continue and accept; the installer formats the disk and copies all files. When done, choose Complete Install (you can change the root password more easily in the next step).
Basic settings
When the router computer reboots, remove the USB stick and let it boot from the SSD. As before, the startup process scrolls a bunch of text until a login prompt appears.
I recommend changing the address of the LAN interface first, so that Opnsense does not conflict with your old router if you want both routers connected before you move your Internet connection over to Opnsense.
Log in with username root and password opnsense. Choose option 2 (set interface IP address). Enter the number of the LAN interface (usually 1). Press Enter to decline DHCP on the LAN interface. Enter a suitable address, such as 10.1.1.1, and then 24 as the subnet bit count so that addresses keep the form 10.1.1.x. For the remaining questions you can press Enter to accept the pre-selected defaults.
Before doing anything else, connect the Opnsense machine to a regular computer with a network cable, either directly or through a switch.
Open Settings on your regular computer and go to Network & Internet > Ethernet. You should have an address in the same form as Opnsense (e.g. 10.1.1.2), with the address you just chose as the gateway and 255.255.255.0 as the subnet mask. If it does not appear by itself, click Edit next to IP assignment and fill it in yourself.
Then open your browser and go to 10.1.1.1. You should get a security warning about an invalid certificate, since the web interface uses a self-signed one, which you must click through to reach the Opnsense web interface. The username is root and the default password is opnsense.
You now enter Opnsense's basic setup wizard. The first thing to do is the DNS settings. Here I suggest leaving the DNS server fields blank, unchecking Override DNS, and ticking the three boxes under Unbound DNS.
You can skip through the rest of the steps until you reach the question about changing the root account password. Choose a new, strong password and write it down.
Internet access
For Opnsense to reach the Internet and act as a router/firewall, you need to connect an Ethernet cable to its WAN port. You can take the cable from your old router's broadband socket and connect it to Opnsense. Alternatively, you can connect it to a LAN port or switch on your old router (if you have one), but this is a little more complicated.
If you have ordinary broadband over fiber with DHCP, Opnsense should connect automatically and obtain an external IP address. You can check this under Interfaces > Overview in the web interface.
If the WAN interface has received an address, you can test that everything works by checking for updates. Go to System > Firmware > Status and click Check for updates. If that works, now is a good time to install the first of many updates to come.
Then try visiting any website from your regular computer. If that also works, you have a working Opnsense router. The other settings can be left as they are for now; the system has no unsafe defaults.
Learn interfaces and understand firewalls
The Opnsense web interface is structured slightly differently than most routers. There is a hierarchical menu on the left where you can find all the settings divided into different categories. There’s also a search bar in the upper right corner, which is great for finding settings at the lowest level in the hierarchy.
The System menu mainly contains settings for Opnsense itself, but also updates and the installation of plug-ins, an important feature when you want to start building a router with smart features.
Interfaces covers the different network interfaces, usually LAN and WAN, but you will also find VLANs here, PPPoE if your Internet provider requires a login, and VPN server interfaces.
Firewall contains, of course, the rules for blocking and allowing traffic, but also port forwarding. Under Aliases, for example, you can create aliases for individual devices or groups of addresses to make them easier to use in firewall rules.
VPN holds VPN servers for external connections into the local network, as well as settings for connecting the whole network to external VPN services.
Services is a collection menu for other built-in features, such as DHCP and DNS (Unbound), as well as features from installed plug-ins.
A smart home without Internet access: VLANs
A common use case for more advanced routers like Opnsense is to put a number of connected devices on separate networks with different firewall rules, for example a network for smart home devices that has no Internet access and only limited access to the rest of the network.
To do this, first open Interfaces > Other Types > VLAN. Click the plus button to create a new VLAN. Give it a short name like SMART and fill in a VLAN tag between 1 and 4,094; I usually choose multiples of ten, such as 10.
Now go to Interfaces > Assignments, pick the new VLAN and enter the same name under Description. Click Add.
Now click Interfaces > [SMART] and tick Enable Interface and Prevent interface removal. Choose Static IPv4 under IPv4 Configuration Type. Scroll down and fill in a suitable IP address, then choose 24 instead of 32 in the prefix field to the right of the address. If you gave the regular network 10.1.1.1, you can choose 10.1.10.1 for the VLAN network (I usually use the VLAN tag as the third octet, so a guest network with tag 20 gets 10.1.20.1, and so on). Save and apply changes.
Go to Services > ISC DHCPv4 > [SMART]. Tick Enable DHCP server and fill in an address range, for example 10.1.10.100 to 10.1.10.254 (I usually keep addresses below 100 for devices that should have fixed IP addresses). Save and apply changes.
If you look in Firewall > Rules > SMART you will see that there are no rules, which means all traffic is blocked: the firewall denies anything that no rule explicitly allows. If you look at the rules for LAN, you will see that Opnsense has automatically added a rule allowing all traffic originating from that network. So if you want to allow the smart home devices to use the Internet, you need to create a rule for that.
To actually connect a device to the VLAN network, you need a managed switch. In its settings you can enable VLAN tagging on one or more Ethernet ports, and devices connected to those ports will only "see" the VLAN network. The adjacent image shows what this looks like on a Unifi switch; other manufacturers such as D-Link and TP-Link have similar setups. If your Opnsense machine has more network ports, you can also tag those and use them directly.
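To make the default-deny behaviour and the effect of rule order concrete, here is a small Python model of first-match rule evaluation, written as an added example for this guide; it is not Opnsense code, and the alias names (RFC1918, SMART_net, LAN_net), the address plan and the rule sets are constructed for illustration. It shows an empty SMART tab blocking everything, the auto-generated LAN rule passing everything, and a SMART rule set that allows DNS to the gateway and Internet access while keeping the VLAN out of the other private networks.

```python
"""Toy first-match firewall model for the VLAN rule discussion.

Added example, not Opnsense code. Aliases, networks and rules below are
constructed for illustration; addresses follow the 10.1.x.0/24 plan used
in the text, with a TEST-NET address standing in for "the Internet".
"""
import ipaddress

# Aliases as you would define them under Firewall > Aliases (constructed).
ALIASES = {
    # The three private ranges; useful for "everything on my side of the router".
    "RFC1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "SMART_net": [ipaddress.ip_network("10.1.10.0/24")],
    "LAN_net": [ipaddress.ip_network("10.1.1.0/24")],
}


def matches(spec, addr):
    """Match an address against 'any', an alias, a negated alias ('!RFC1918') or a CIDR/host."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    nets = ALIASES.get(name) or [ipaddress.ip_network(name)]
    hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return not hit if negate else hit


def evaluate(rules, src, dst):
    """Walk the rules top to bottom; the first match decides.

    If nothing matches (including when the rule list is empty) the packet is
    blocked, mirroring the implicit default deny on an interface tab.
    """
    for action, src_spec, dst_spec in rules:
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action
    return "block"


# LAN: the rule Opnsense creates automatically ("allow LAN to any").
LAN_RULES = [("pass", "LAN_net", "any")]

# SMART as freshly created: no rules, so every packet falls through to "block".
SMART_RULES_EMPTY = []

# SMART with Internet access only. Order matters: the gateway exception must
# sit above the rule that excludes all private networks, or DNS to the
# Opnsense address would be denied along with the rest of RFC1918.
SMART_RULES_INTERNET_ONLY = [
    ("pass", "SMART_net", "10.1.10.1"),    # DNS/DHCP to the VLAN gateway
    ("pass", "SMART_net", "!RFC1918"),     # anything public, i.e. the Internet
]

if __name__ == "__main__":
    for label, rules in (("empty SMART", SMART_RULES_EMPTY),
                         ("SMART internet-only", SMART_RULES_INTERNET_ONLY)):
        for dst in ("203.0.113.10", "10.1.1.20", "10.1.10.1"):
            print(f"{label}: 10.1.10.50 -> {dst}: {evaluate(rules, '10.1.10.50', dst)}")
```

Note that `evaluate` deliberately has no "allow" fallback: the only way traffic leaves an interface is through a rule that names it, which is exactly why a brand-new VLAN tab is silent until you add one.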
Do you need assistance?
If you get stuck somewhere, there are many resources to help. The Home Network Guy blog has several guides on Opnsense, from installation to more advanced topics such as VLANs, and also a very good YouTube channel that I highly recommend. On Reddit, several communities offer help, such as r/opnsense and r/homelab.
Tip: Virtual Router
If you want to try Opnsense and see how the interface feels, you can do so in a virtual machine instead of on a physical computer. For example, you can run it in VirtualBox directly on Windows, just to get familiar with the interface and how to set it up. You can also run the system more permanently on a Linux server (typically Proxmox). Home Network Guy has a great guide for that.
This article originally appeared in our sister publication PC för Alla and was translated and localized from Swedish.
2024-12-27 15:30:00