Hardware

OPNsense runs on FreeBSD, so NIC support is whatever FreeBSD has: solid for Intel (igc for i225/i226, igb/em for older chips) and Broadcom, less reliable for cheap Realtek-only boxes. Three tiers:

  • $200–400 mini PC with two or four Intel i225/i226 2.5G NICs, x86 quad-core, 8 GB RAM — saturates gigabit, handles light IPS, handles WireGuard at 800 Mbps+. The mainstream pick.
  • Used SFF business PC (Dell OptiPlex / HP EliteDesk) + a $30 Intel dual-port NIC — same performance class for less, more power-hungry.
  • Purpose-built Atom / Celeron appliance (Protectli, Qotom) — same idea, factory-assembled and usually fanless, slightly more expensive.

Avoid Realtek-only multi-NIC boxes — they technically work but the driver edge cases bite.

Install

Download an image from opnsense.org/download. Three are relevant here:

  • vga — USB installer image with HDMI/VGA console; pick this if you have a monitor for first boot
  • serial — the same installer with a serial console, for headless appliance boxes
  • nano — not an installer: a pre-installed flash image (serial console) that you write straight onto the target disk

Only the dvd image is an ISO; vga, serial and nano are raw .img files, so write them with dd or balenaEtcher rather than an ISO-burning tool. Boot from the USB stick and log in at the console as installer (password opnsense); the installer asks for keyboard layout, filesystem (ZFS is the sensible choice), target disk and root password, and the same menu offers Import Config if you are restoring a backup. Pull the stick and reboot. The console then shows which physical ports were assigned to WAN and LAN (console menu option 1 reassigns them; watching the link LED while plugging in a cable is the quickest way to identify a port). Plug the WAN cable into one, LAN into the other.

Browse to https://192.168.1.1/ from a client on the LAN port (accept the self-signed certificate) and log in as root with the password you set during install. The first-run wizard sets hostname, timezone, upstream DNS, the WAN type and the root password; on the WAN step leave "Block private networks" and "Block bogon networks" ticked. It does not create firewall rules beyond the defaults described next.

The core concepts

  • Interfaces — physical NICs plus VLANs and aliases. WAN, LAN, OPT1, OPT2…
  • Firewall → Rules — per interface, evaluated top to bottom on the interface a packet enters; the first match wins, and a pass creates state so replies are allowed without a rule of their own. Default for WAN is "deny everything inbound" (plus the block-private/bogon options); default for LAN is "allow everything outbound", which also means LAN can reach every other VLAN until you say otherwise. Both can be reshaped freely.
  • NAT → Outbound — automatic by default; switch to hybrid when you need extra rules alongside the automatic ones (no-NAT for a VPN subnet, static source ports for VoIP), manual only if you want to own every rule yourself.
  • NAT → Port Forward — expose a single internal host on a public port. Most home setups don't need this; use Tailscale / Cloudflared (see Tailscale, Cloudflared) instead. Services that run on the firewall itself (WireGuard, the web UI) are opened with a WAN firewall rule, not a port forward.
  • Services — DHCP, DNS (Unbound), NTP, Wake-on-LAN, captive portal, etc.

Add a VLAN for IoT devices

IoT segments are the single biggest practical win from running a real router. The pattern: dump every "smart" device (cameras, TVs, smart plugs, voice assistants) onto a VLAN that can't talk to the trusted LAN.

  1. Interfaces → Other Types → VLAN → Add. Parent interface = LAN's physical NIC. VLAN tag = 30 (anything from 2 to 4094; 1 is the default/native VLAN on most switches, so skip it). Description: IOT.
  2. Interfaces → Assignments → assign the new VLAN to OPT1. Edit OPT1: enable, name "IOT", static IPv4 10.0.30.1/24.
  3. Services → DHCPv4 → IOT → enable, range 10.0.30.100–.200.
  4. Firewall → Rules → IOT. Rules are evaluated top to bottom and the first match wins, so order them like this (create an RFC1918 alias first under Firewall → Aliases, type Network(s): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16):
    • Pass IOT net → IOT address, TCP/UDP 53 (DNS to Unbound on the firewall). This must sit above the RFC1918 block because 10.0.30.1 is itself an RFC1918 address.
    • Block IOT net → any, port 53, so a device with a hardcoded resolver can't bypass Unbound.
    • Block IOT net → LAN net, and block IOT net → RFC1918 (no east/west reach to other VLANs).
    • Pass IOT net → any. Whatever survived the blocks is internet-bound. Don't use "WAN net" as the allow target: that alias is the WAN interface's own subnet, not the internet, and allowing only that leaves the implicit default deny in place for everything else.
    • Permit specific exceptions in the other direction, e.g. Home Assistant on LAN reaching IOT for device control. Direction matters: the rule belongs on the LAN interface, allowing LAN → IOT net from that source IP (the LAN default allow already covers it today; the explicit rule is what survives when you tighten LAN later). Replies are matched by the state table, so nothing is needed on the IOT side. Discovery protocols (mDNS, SSDP) don't cross VLANs on their own; the os-mdns-repeater plugin relays mDNS if Chromecast-style discovery has to keep working.
  5. On the switch: the port facing OPNsense becomes a trunk carrying VLAN 30 tagged (LAN stays untagged unless you move it onto a VLAN too), ports for wired IoT devices are access ports untagged in VLAN 30, and on the Wi-Fi AP an IoT SSID is mapped to VLAN 30. Cheap unmanaged switches ignore tags and can't separate anything; for real segmentation you need a managed switch (MikroTik, TP-Link Omada, UniFi, etc.).
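To see that the ordering above does what you expect before clicking Apply, here is a small first-match simulator. It is an added example written for this page, not OPNsense code and not pf itself. The IOT, LAN and firewall addresses are the ones from the steps above; the 203.0.113.0/24 WAN subnet, the 10.0.40.5 host on a second VLAN and the rule labels are assumptions.

```python
"""Dry-run the IOT ruleset the way pf reads it: top to bottom, first match.

Added example, not OPNsense code. It models one interface's rules for new
connections entering from IOT net (replies never hit these rules; the state
table handles them) and contrasts the ruleset this page recommends with the
common first draft that uses "WAN net" as if it meant the internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_ADDRESS = ip_network("10.0.30.1/32")   # the firewall's own IP on IOT
LAN_NET = ip_network("192.168.1.0/24")
WAN_NET = ip_network("203.0.113.0/24")    # assumed: what "WAN net" really is
ANY = ip_network("0.0.0.0/0")
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))  # the Firewall -> Aliases entry


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    dst: tuple                           # destination networks (alias contents)
    ports: frozenset = frozenset()       # empty = any destination port
    label: str = ""


def first_match(rules, dst_ip, dport):
    """Action for a new connection from IOT net to dst_ip:dport. No matching
    rule means block: that is the interface's implicit default deny."""
    d = ip_address(dst_ip)
    for r in rules:
        if r.ports and dport not in r.ports:
            continue
        if any(d in net for net in r.dst):
            return r.action, r.label
    return "block", "implicit default deny"


# Ordering matters: the DNS pass sits above the RFC1918 block because
# 10.0.30.1 is itself an RFC1918 address, and the port-53 block sits right
# below it so only the firewall's resolver is reachable on 53.
RECOMMENDED = (
    Rule("pass", (IOT_ADDRESS,), frozenset({53}), "DNS to Unbound on the firewall"),
    Rule("block", (ANY,), frozenset({53}), "no other resolvers"),
    Rule("block", (LAN_NET,), label="no IOT -> LAN"),
    Rule("block", RFC1918, label="no IOT -> any other VLAN"),
    Rule("pass", (ANY,), label="everything left is internet-bound"),
)

# The first-draft version: DNS anywhere, and "WAN net" as the allow target.
NAIVE = (
    Rule("pass", (ANY,), frozenset({53}), "DNS anywhere"),
    Rule("pass", (WAN_NET,), label="'WAN net' as internet"),
    Rule("block", (LAN_NET,) + RFC1918, label="no east-west"),
)

PROBES = (
    ("10.0.30.1", 53),      # the firewall's resolver
    ("8.8.8.8", 53),        # a device trying to bypass Unbound
    ("1.1.1.1", 443),       # ordinary internet traffic
    ("192.168.1.10", 443),  # trusted LAN host
    ("10.0.40.5", 80),      # assumed host on another VLAN
    ("203.0.113.7", 443),   # assumed neighbour on the ISP-facing subnet
)


def report(rules):
    """Map each probe to the action that ruleset takes on it."""
    return {f"{ip}:{port}": first_match(rules, ip, port)[0] for ip, port in PROBES}


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("naive", NAIVE)):
        print(name)
        for probe, action in report(rules).items():
            print(f"  {probe:<20} {action}")
```

The naive ruleset blocks 1.1.1.1:443 (nothing in it matches, so the default deny applies) and lets 8.8.8.8:53 through; the recommended one does the reverse. On the box itself the ground truth is pfctl -sr from the console or SSH, which prints the compiled ruleset in evaluation order, and Firewall → Log Files → Live View, which shows which rule a dropped packet hit.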

WireGuard for remote access

OPNsense ships WireGuard in core; no plugin is needed on current releases. VPN → WireGuard:

  1. Instances (called Local on older releases) → Add. Listen port 51820, tunnel address 10.66.0.1/24. The UI generates the instance's key pair; note the public key, the clients need it.
  2. Peers → Add one per client (phone, laptop): the client's public key and Allowed IPs = that client's tunnel address as a /32 (10.66.0.2/32, 10.66.0.3/32, ...). Allowed IPs on the firewall side is both routing and authorization: a peer can only source traffic from those addresses.
  3. Generate the client config file or QR code from the UI. On the client, AllowedIPs decides split versus full tunnel: 10.66.0.0/24, 192.168.1.0/24 reaches home only; 0.0.0.0/0 sends everything through the house. Endpoint must be a public IP or a dynamic-DNS name, and PersistentKeepalive = 25 keeps the NAT mapping alive for phones.
  4. Enable the service, then Firewall → Rules → WireGuard (Group) → pass from the tunnel net to the destinations you want reachable (or any).
  5. Firewall → Rules → WAN → pass UDP, destination WAN address, port 51820. This is a plain firewall rule, not a port forward: the listener is on the firewall itself, and port forwards are for hosts behind it.

Mobile clients scan the QR code in the WireGuard app; on a laptop, import the config into wg-quick or the desktop client. Verify with wg show on either side: a "latest handshake" timestamp appears within a minute of connecting. If it never does, the packet is not arriving, so check the WAN rule and the Endpoint before anything else.
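Generating the client key pair on the client, so the private key never passes through the firewall's UI, is wg genkey | wg pubkey. The script below is an added example, not OPNsense's or the WireGuard project's code: it shows what those two commands compute (X25519 over the base point 9, RFC 7748) and assembles the two halves of a peering, the wg-quick config for the client and the fields OPNsense wants on its Peers page. The firewall's public key, the endpoint vpn.example.net and the choice of 10.66.0.1 as tunnel-side DNS (which assumes Unbound answers on the tunnel interface) are placeholders.

```python
"""Client-side WireGuard key generation and config assembly.

Added example (not OPNsense or WireGuard code). Shows what `wg genkey` and
`wg pubkey` compute, then writes the two sides of one peering. Endpoint,
firewall public key and tunnel DNS are made-up placeholders.
"""
import base64
import secrets

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4, RFC 7748 ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Decode a 32-byte scalar exactly as RFC 7748 section 5 does."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication from RFC 7748. The swaps are
    written as plain branches: fine for a teaching script, not for a library."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                   # the u-coordinate is 255 bits
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def generate_private_key() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, base64. Clamping happens
    inside x25519, so the raw random bytes are a valid private key as-is."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def client_config(private_b64, tunnel_ip, server_pub_b64, endpoint,
                  allowed_ips="10.66.0.0/24, 192.168.1.0/24"):
    """wg-quick config for the client. The default AllowedIPs is a split
    tunnel; pass "0.0.0.0/0" for a full tunnel. DNS assumes Unbound listens
    on the tunnel address (placeholder, adjust to your setup)."""
    return (
        "[Interface]\n"
        f"PrivateKey = {private_b64}\n"
        f"Address = {tunnel_ip}/32\n"
        "DNS = 10.66.0.1\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_pub_b64}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {allowed_ips}\n"
        "PersistentKeepalive = 25\n"
    )


def opnsense_peer_entry(client_pub_b64, tunnel_ip):
    """The matching fields for VPN -> WireGuard -> Peers on the firewall."""
    return {"Public key": client_pub_b64, "Allowed IPs": f"{tunnel_ip}/32"}


if __name__ == "__main__":
    priv = generate_private_key()
    pub = public_key(priv)
    # made-up firewall public key and endpoint for the printout
    print(client_config(priv, "10.66.0.2", "REPLACE_WITH_FIREWALL_PUBLIC_KEY",
                        "vpn.example.net:51820"))
    print(opnsense_peer_entry(pub, "10.66.0.2"))
```

The public key printed for a given private key matches what wg pubkey prints for the same base64 string, which is the check to run if you want to trust the script. Only the public half and the /32 go into the Peers form on OPNsense; the private key stays in the client's config.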

Suricata IPS

Suricata (Services → Intrusion Detection) adds signature-based L7 inspection on top of the port-level firewall. Two placement caveats before the rule sets: IPS mode uses netmap, so the NIC needs a netmap-capable driver (Intel is fine, another reason to avoid Realtek) and hardware offloading must be off under Interfaces → Settings; and if you bind it to WAN, outbound alerts show the firewall's WAN address as the source because NAT has already happened, so bind it to LAN and IOT to see which internal host tripped a rule. It also only sees cleartext: on a home network that means DNS, plain HTTP and protocol/policy signatures, not the inside of TLS sessions. Pick rule sets under the Download tab:

  • ET Open (free, broad coverage)
  • OPNsense's curated rule subset
  • Optionally, ET Pro (paid; better fidelity)

Run in IDS mode first (alert only) for a few days, then flip to IPS once the false-positive list is clean. Note that IPS mode alone blocks nothing: rules keep the alert action until you set them to drop (per rule set under Policy, or per rule), so promote the categories you actually want enforced. CPU cost on a quad-core mini PC is noticeable at gigabit line rate; on small/medium connections it's invisible.
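A few days of IDS mode produce an eve.json worth triaging before anything is set to drop. The script below is an added example, not OPNsense or Suricata code: it reads lines in the eve.json format (on OPNsense the file is /var/log/suricata/eve.json), tallies hits per signature, and singles out policy/informational signatures that fire from several internal hosts, which on a home network are usually telemetry and update checks rather than attacks. The sample records are constructed, and the signature ids 9000001 to 9000003 are made up, not real ET Open rules.

```python
"""Tally Suricata alerts from eve.json and pick false-positive candidates.

Added example, not OPNsense or Suricata code. SAMPLE_EVE is constructed to
match the eve.json record shape; the sids and signature names are made up.
"""
import json
from ipaddress import ip_address, ip_network

INTERNAL = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16"))
# Suricata classtypes that describe policy or informational events, not an
# attack in progress; these are the usual home-network noise.
NOISE_CATEGORIES = {"Potential Corporate Privacy Violation", "Misc activity",
                    "Not Suspicious Traffic", "Generic Protocol Command Decode"}


def _alert(src, dst, sid, signature, category):
    """One constructed eve.json alert record (fields as Suricata emits them)."""
    return json.dumps({"timestamp": "2026-01-10T08:00:00.000000+0000",
                       "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "proto": "TCP", "dest_port": 443,
                       "alert": {"action": "allowed", "gid": 1,
                                 "signature_id": sid, "rev": 1,
                                 "signature": signature,
                                 "category": category, "severity": 3}})


SAMPLE_EVE = "\n".join([
    _alert("10.0.30.5", "203.0.113.50", 9000001, "ET POLICY Smart TV check-in (made up)",
           "Potential Corporate Privacy Violation"),
    _alert("10.0.30.7", "203.0.113.50", 9000001, "ET POLICY Smart TV check-in (made up)",
           "Potential Corporate Privacy Violation"),
    _alert("10.0.30.12", "203.0.113.50", 9000001, "ET POLICY Smart TV check-in (made up)",
           "Potential Corporate Privacy Violation"),
    # eve.json also carries flow/dns/tls records; those must be skipped
    json.dumps({"timestamp": "2026-01-10T08:00:01.000000+0000", "event_type": "flow",
                "src_ip": "10.0.30.5", "dest_ip": "203.0.113.50", "proto": "TCP"}),
    _alert("10.0.30.9", "198.51.100.9", 9000002, "ET MALWARE C2 beacon (made up)",
           "A Network Trojan was detected"),
    _alert("10.0.30.9", "198.51.100.9", 9000002, "ET MALWARE C2 beacon (made up)",
           "A Network Trojan was detected"),
    _alert("192.168.1.20", "203.0.113.80", 9000003, "ET INFO Update check (made up)",
           "Misc activity"),
])


def summarize(text):
    """sid -> {signature, category, gid, count, internal_sources} from eve lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        s = out.setdefault(a["signature_id"], {
            "signature": a["signature"], "category": a["category"],
            "gid": a["gid"], "count": 0, "internal_sources": set()})
        s["count"] += 1
        src = ip_address(ev["src_ip"])
        if any(src in net for net in INTERNAL):
            s["internal_sources"].add(str(src))
    return out


def false_positive_candidates(summary, min_hosts=3):
    """Noise-category signatures seen from at least min_hosts internal hosts."""
    return sorted(sid for sid, s in summary.items()
                  if s["category"] in NOISE_CATEGORIES
                  and len(s["internal_sources"]) >= min_hosts)


def suppress_lines(summary, sids, net="10.0.30.0/24"):
    """Suppress entries in Suricata's threshold.config syntax. OPNsense does
    not expose that file; the UI equivalent is disabling the sid or leaving
    its action at alert under Services -> Intrusion Detection -> Rules."""
    return [f"suppress gen_id {summary[sid]['gid']}, sig_id {sid}, "
            f"track by_src, ip {net}" for sid in sids]


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVE)
    for sid, s in sorted(summary.items()):
        print(sid, s["count"], len(s["internal_sources"]), s["signature"])
    print(suppress_lines(summary, false_positive_candidates(summary)))
```

The threshold is deliberately on distinct internal hosts rather than raw hit count: one host tripping a policy rule five hundred times is worth a look, three unrelated devices tripping it once each is almost always a vendor check-in. The malware-category signature never becomes a candidate however often it fires.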

Unbound + DNSBL for LAN-wide ad blocking

Services → Unbound DNS → DNS over TLS → add Cloudflare (1.1.1.1, verify CN cloudflare-dns.com) or Quad9 (9.9.9.9, verify CN dns.quad9.net) on port 853. Or leave forwarding off and let Unbound resolve recursively from the root servers, which trusts no single provider but sends each query to the authoritative servers in the clear (see Pi-hole + Unbound for the same idea, separately deployed).

OPNsense bundles a DNSBL (blocklist) feature inside Unbound:

  1. Services → Unbound DNS → Blocklist → enable it and pick block lists (StevenBlack, hagezi, oisd); several at once is fine, they are merged.
  2. Save & Apply. Every device that gets its DNS from the firewall now resolves blocked names to 0.0.0.0 (the address is configurable on the same tab) with no per-device config.

Check it from a LAN client with dig <a name on the list> @192.168.1.1. What it does not cover: devices with a hardcoded resolver (plenty of IoT units ship pointed at 8.8.8.8) and anything using DNS over HTTPS. The IOT rule that passes port 53 only to the firewall makes the first group fail closed; a NAT port forward on the IOT interface redirecting destination port 53 to the firewall's own address is the quieter alternative that makes them work through Unbound instead. DoH has no clean fix beyond blocking the known resolver endpoints.

Backups

System → Configuration → Backups → Download configuration. The XML dump is one file containing all firewall rules, interfaces, VLAN definitions, VPN configs, DHCP static mappings (dynamic leases live elsewhere and are not included), user accounts, and every secret the box knows: WireGuard private keys, password hashes, pre-shared keys. Restore = System → Configuration → Backups → Restore on a fresh install, or Import Config from the installer menu before the first boot.

For automation: Google Drive or Nextcloud sync (configured on the same Backups page; os-git-backup if you prefer a Git repository) pushes the config off-device on every change. Set the encryption password in that section, and tick "Encrypt this configuration file" for manual downloads: an unencrypted config.xml in someone else's cloud is your VPN's private key in someone else's cloud.
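Before pointing a cloud sync at it, it is worth seeing exactly what a plaintext config.xml gives away. The script below is an added example, not OPNsense code: it walks an XML document, reports every element whose tag looks like a secret, and can redact those values for a config you want to paste on a forum. SAMPLE_CONFIG is constructed and only loosely imitates the real config.xml layout; the hash and keys in it are placeholders, and SECRET_TAGS is a heuristic list, not OPNsense's schema.

```python
"""Scan an OPNsense config backup for secrets before it leaves the box.

Added example, not OPNsense code. SAMPLE_CONFIG is a constructed stand-in
that only loosely imitates config.xml; SECRET_TAGS is a heuristic.
"""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

SECRET_TAGS = {"password", "passwd", "privkey", "privatekey", "psk",
               "presharedkey", "secret", "apikey", "sharedkey"}

SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
    <user>
      <name>root</name>
      <password>$2y$10$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDER</password>
    </user>
  </system>
  <OPNsense>
    <wireguard>
      <server>
        <servers>
          <server>
            <name>wg0</name>
            <pubkey>PLACEHOLDER_PUBLIC_KEY=</pubkey>
            <privkey>PLACEHOLDER_PRIVATE_KEY=</privkey>
          </server>
        </servers>
      </server>
    </wireguard>
  </OPNsense>
  <vlans>
    <vlan><if>igc1</if><tag>30</tag><descr>IOT</descr></vlan>
  </vlans>
</opnsense>
"""


def is_plain_xml(text):
    """A plain backup parses as XML; an encrypted one does not."""
    try:
        ET.fromstring(text)
        return True
    except ParseError:
        return False


def find_secrets(text):
    """[(path, value)] for every non-empty element whose tag is in SECRET_TAGS.
    A password hash is not a plaintext password, but it is offline-crackable
    and is reported too."""
    hits = []

    def walk(el, path):
        here = f"{path}/{el.tag}"
        value = (el.text or "").strip()
        if el.tag.lower() in SECRET_TAGS and value:
            hits.append((here, value))
        for child in el:
            walk(child, here)

    walk(ET.fromstring(text), "")
    return hits


def redact(text, marker="REDACTED"):
    """Overwrite every secret value and return the new XML text."""
    root = ET.fromstring(text)
    for el in root.iter():
        if el.tag.lower() in SECRET_TAGS and (el.text or "").strip():
            el.text = marker
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    if is_plain_xml(SAMPLE_CONFIG):
        for path, value in find_secrets(SAMPLE_CONFIG):
            print(f"{path}: {value[:8]}...")
```

Run it over a real download with is_plain_xml as the gate: an encrypted backup fails to parse and needs no scan, a plain one that reports any path should not be synced anywhere unencrypted. The public key stays in the redacted output on purpose; it is safe to share and is what someone helping you debug a peering actually needs.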

OPNsense vs pfSense in 2026

  • OPNsense ships two major releases a year (January and July) on a predictable schedule, with point releases in between; pfSense Community Edition lags considerably and Netgate's pfSense Plus is the commercially supported branch.
  • WireGuard, Suricata, HAProxy and the plugin system are noticeably more polished on OPNsense.
  • The OPNsense UI is consistent; pfSense's has accumulated two decades of UI dialects.

Both work. New deployments in 2026 mostly choose OPNsense; the gap is real but neither is wrong.