HT-004 - OPNsense Setup
Overview
OPNsense is a free, open-source firewall and routing platform based on HardenedBSD. It replaces expensive commercial firewalls like Palo Alto with enterprise-grade features at zero licensing cost. This guide covers hardware selection, installation, initial configuration, and integration with the Atlantis ITS security stack (Cloudflare + IPVanish + Avast Premium).
> 💡 Why OPNsense for Atlantis? The Palo Alto PA-500 is fully EOL as of October 2023 --- no security patches, no PAN-OS updates. OPNsense on a $150--$300 mini PC delivers more functionality, active development, and zero licensing fees forever.
When to Use This Guide
- Setting up a dedicated hardware firewall for the Atlantis ITS home office
- Replacing the EOL Palo Alto PA-500
- Adding a dedicated firewall layer to close the gap in the 8.5/10 security rating
- Deploying OPNsense as the foundation for the Grafana + Telegraf + NTFY monitoring stack
Hardware Requirements
Minimum Spec (basic firewall only)
| Component | Minimum |
|---|---|
| CPU | 64-bit (x86-64 / amd64) |
| RAM | 2GB |
| Storage | 4GB SSD or SD card |
| NICs | 2 (WAN + LAN) |
Recommended Spec (full features --- IDS/IPS, VPN, logging)
| Component | Recommended |
|---|---|
| CPU | Intel Celeron / Core i3 or better |
| RAM | 8GB+ |
| Storage | 32GB+ SSD |
| NICs | 2--4 ports |
✅ Recommended Hardware for Atlantis
| Option | Device | Price | Notes |
|---|---|---|---|
| Budget | Protectli Vault FW2B | ~$150 | 2-port, fanless, 4GB RAM, 32GB SSD --- perfect for home office |
| Sweet spot | Protectli Vault FW4B | ~$280 | 4-port, 8GB RAM, 120GB SSD --- room to grow |
| Repurpose | Any mini PC with 2 NICs | Varies | Add a USB NIC if only 1 port built in |
> ⚠️ OPNsense runs on BSD, not Linux. Not all hardware NICs are supported. Protectli devices are pre-validated and recommended by the OPNsense community.
Step 1 --- Download OPNsense
- Go to: https://opnsense.org/download/
- Select: Architecture = amd64 | Image type = dvd | Mirror = US East (closest to Gainesville, GA)
- Download the .iso.bz2 file
- Verify the checksum matches the listed SHA256 hash
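A small script to do the checksum step without eyeballing 64 hex characters: it streams the downloaded image through SHA256 and compares it against the published checksum listing (it accepts both the BSD-style `SHA256 (name) = hash` lines and `sha256sum`-style `hash  name` lines). This is an added example, not part of the original guide or of OPNsense; the file names in it are constructed placeholders.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Two checksum listing formats: BSD style ("SHA256 (name) = hash") and
# GNU sha256sum style ("hash  name" or "hash *name").
BSD_RE = re.compile(r"^SHA256 \((?P<name>.+?)\) = (?P<hash>[0-9a-fA-F]{64})$")
GNU_RE = re.compile(r"^(?P<hash>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_checksums(text: str) -> dict[str, str]:
    """Map file name -> expected SHA256 (lowercase hex) from a checksum listing."""
    expected = {}
    for line in text.splitlines():
        m = BSD_RE.match(line.strip()) or GNU_RE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("hash").lower()
    return expected


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so a large ISO never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, checksum_text: str) -> bool:
    """True only if the file is listed AND its digest matches the listing exactly."""
    expected = parse_checksums(checksum_text).get(path.name)
    if expected is None:
        return False  # an unlisted file is unverified, never "OK by default"
    return hmac.compare_digest(sha256_file(path), expected)


if __name__ == "__main__":
    import sys

    # Usage: python verify_iso.py <downloaded .iso.bz2> <checksum listing file>
    image, listing = Path(sys.argv[1]), Path(sys.argv[2])
    ok = verify_download(image, listing.read_text())
    print("OK - safe to write to USB" if ok else "MISMATCH or unlisted - do NOT use this image")
    sys.exit(0 if ok else 1)
```

Run it against the downloaded `.iso.bz2` and the checksum file from the same mirror page before Step 2; a non-zero exit means stop and re-download.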
Step 2 --- Create Bootable USB (Rufus on Windows)
- Download Rufus: https://rufus.ie
- Extract the .bz2 file using 7-Zip: right-click → Extract Here
- Open Rufus → Device: select USB drive → Boot selection: select extracted .iso
- Partition scheme: MBR → Click START → OK to write
> ⚠️ This will wipe the USB drive. Use a dedicated stick.

> 📸 SCREENSHOT PLACEHOLDER --- Rufus settings configured for OPNsense
Step 3 --- Install OPNsense
- Insert USB into the firewall hardware
- Boot from USB (F12 / F2 / DEL for BIOS boot menu depending on device)
- OPNsense boots into a live environment automatically
- At the login prompt --- Username: installer | Password: opnsense
- Follow the installer wizard: accept keyboard layout → select ZFS (recommended for SSDs) → select target drive → confirm and install
- When complete --- remove USB and reboot
> 💡 ZFS is recommended for SSDs --- it provides better data integrity and survives power loss cleanly.

> 📸 SCREENSHOT PLACEHOLDER --- OPNsense installer wizard screen
Step 4 --- First Boot & Interface Assignment
On first boot, OPNsense asks you to assign interfaces:
- WAN interface → connect to your router/modem/ISP
- LAN interface → connect to your switch or directly to your PC
Default IP Assignments After Install
| Interface | IP | Notes |
|---|---|---|
| LAN | 192.168.1.1/24 | DHCP server active, range .100--.200 |
| WAN | DHCP | Expects IP from your ISP/router |

> 📸 SCREENSHOT PLACEHOLDER --- Interface assignment screen on first boot
Step 5 --- Access the Web Interface
- Connect a PC to the LAN port of the OPNsense device
- Open a browser and go to: https://192.168.1.1
- Accept the self-signed certificate warning (click Advanced → Proceed)
- Login --- Username: root | Password: opnsense ← CHANGE THIS IMMEDIATELY

> 📸 SCREENSHOT PLACEHOLDER --- OPNsense web GUI login screen
Step 6 --- Initial Setup Wizard
OPNsense will launch a setup wizard. Complete all steps:
General Settings
| Setting | Value |
|---|---|
| Hostname | opnsense |
| Domain | atlantisits.local |
| Primary DNS | 1.1.1.1 (Cloudflare) |
| Secondary DNS | 1.0.0.1 |
| Timezone | America/New_York (Gainesville, GA) |
WAN Interface
- Type: DHCP (default --- gets IP from your router)
- Block RFC1918: Enable if WAN is a public IP --- DISABLE if WAN is private (e.g. 192.168.x.x behind home router)

> ⚠️ For Atlantis home office --- if OPNsense sits behind your ISP router, WAN will be a private IP. Uncheck "Block RFC1918 networks" or all WAN traffic will be blocked.
LAN Interface
- IP: 192.168.1.1 (default --- change if this conflicts with existing network)
- Subnet: 24
Set New Root Password
- Choose a strong password --- store in your password manager
- This replaces the default opnsense password
- Click Reload --- OPNsense applies all settings

> 📸 SCREENSHOT PLACEHOLDER --- Setup wizard: General Settings screen
Step 7 --- Essential Post-Install Configuration
7.1 Update Firmware
Navigate to: System → Firmware → Updates
Click Check for Updates → install all available updates before configuring anything else.
> 📸 SCREENSHOT PLACEHOLDER --- Firmware update screen showing available updates
7.2 Enable Suricata IDS/IPS
Navigate to: Services → Intrusion Detection → Administration
- Enable: ✅
- IPS mode: ✅ (blocks threats rather than only detecting them)
- Download rulesets: ET Open (free), abuse.ch (free)
- Click Download & Update Rules → Apply

> 📸 SCREENSHOT PLACEHOLDER --- Suricata IDS/IPS configuration screen
7.3 Install Telegraf Plugin (for Grafana monitoring)
Navigate to: System → Firmware → Plugins
Search for os-telegraf → click + to install
Configure under: Services → Telegraf → General
- Enable: ✅
- Hostname: opnsense-atlantis
- Output: InfluxDB (configure when Grafana stack is deployed)

> 📸 SCREENSHOT PLACEHOLDER --- Telegraf plugin installed and configured
7.4 Change LAN DHCP Range (Optional)
Navigate to: Services → DHCPv4 → [LAN]
- Range start: 192.168.1.100
- Range end: 192.168.1.200
7.5 Disable IPv6 if Not Needed
Interfaces → [WAN] → IPv6 Configuration Type → None → Save
Step 8 --- Firewall Rules Basics
OPNsense uses a default deny model on WAN and default allow on LAN.
View existing rules: Firewall → Rules → LAN | Firewall → Rules → WAN
Create a Basic Allow Rule (example --- allow HTTPS outbound)
> Firewall → Rules → LAN → Add
> Action: Pass
> Interface: LAN
> Protocol: TCP
> Source: LAN net
> Destination: any
> Destination port: HTTPS (443)
> Description: Allow HTTPS outbound
> → Save → Apply Changes

> 💡 The default LAN rule allows all outbound traffic. Only restrict if you need granular control. Start permissive and tighten over time.

> 📸 SCREENSHOT PLACEHOLDER --- Firewall rules screen showing LAN rules
Step 9 --- Integrate with Atlantis Security Stack
IPVanish VPN Integration
Navigate to: VPN → OpenVPN → Clients → Add
- Download IPVanish OpenVPN config files from: https://www.ipvanish.com/software/configs/
- Import the .ovpn config for your preferred server
- Add credentials (IPVanish username/password)
- Enable: ✅ → Save

> 📸 SCREENSHOT PLACEHOLDER --- OpenVPN client configured with IPVanish
Cloudflare DNS Integration
Navigate to: Services → Unbound DNS → General
- Enable: ✅
- DNSSEC: ✅
- Forward DNS queries to: 1.1.1.1 (Cloudflare)

> 📸 SCREENSHOT PLACEHOLDER --- Unbound DNS configured with Cloudflare
NTFY Alert Integration (via Grafana)
Once the Grafana + Telegraf + InfluxDB stack is deployed:

> Grafana → Alerting → Contact Points → Add NTFY webhook
> URL: http://[your-ntfy-server]:8080/[topic]
>
> Alert flow:
> OPNsense → Telegraf → InfluxDB → Grafana → NTFY
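To check the last hop of that alert flow before trusting it, the relay below maps an alert from Grafana's webhook JSON onto a NTFY publish request, carrying the title, priority and tags in NTFY's request headers and dropping resolved alerts to the lowest priority so they do not page anyone. This is an added example, not part of the guide or of Grafana/NTFY; it assumes Grafana's standard webhook payload shape (`status`, `alerts[]` with `labels` and `annotations`) and NTFY's header-based publish API, and the topic URL, hostname and sample alert are constructed placeholders.

```python
import urllib.request

# Placeholder topic URL in the same form the guide uses.
NTFY_TOPIC_URL = "http://[your-ntfy-server]:8080/[topic]"

# Grafana "severity" label -> ntfy priority name for firing alerts.
SEVERITY_PRIORITY = {"critical": "urgent", "warning": "high"}


def alert_to_ntfy(alert: dict, topic_url: str = NTFY_TOPIC_URL) -> urllib.request.Request:
    """Build one ntfy publish request from one alert object in a Grafana webhook body."""
    labels = alert.get("labels", {})
    annotations = alert.get("annotations", {})
    name = labels.get("alertname", "unnamed alert")
    firing = alert.get("status") == "firing"
    if firing:
        priority = SEVERITY_PRIORITY.get(labels.get("severity", ""), "default")
        tags = "rotating_light"
    else:
        priority, tags = "min", "white_check_mark"  # resolved: visible, but silent
    summary = annotations.get("summary") or annotations.get("description") or ""
    body = f"{name} on {labels.get('host', 'unknown host')}\n{summary}".strip()
    headers = {
        "Title": f"[{'FIRING' if firing else 'RESOLVED'}] {name}",
        "Priority": priority,
        "Tags": tags,
        "Content-Type": "text/plain; charset=utf-8",
    }
    return urllib.request.Request(topic_url, data=body.encode(), headers=headers, method="POST")


def relay(payload: dict, topic_url: str = NTFY_TOPIC_URL) -> list[int]:
    """Publish every alert in a Grafana webhook payload; returns the ntfy HTTP status codes."""
    statuses = []
    for alert in payload.get("alerts", []):
        with urllib.request.urlopen(alert_to_ntfy(alert, topic_url), timeout=5) as resp:
            statuses.append(resp.status)
    return statuses


# Constructed sample of a Grafana webhook body (not a real alert).
SAMPLE_PAYLOAD = {
    "status": "firing",
    "alerts": [{
        "status": "firing",
        "labels": {"alertname": "WAN link down", "severity": "critical", "host": "opnsense-atlantis"},
        "annotations": {"summary": "Telegraf reports the WAN interface down for 2 minutes"},
    }],
}

if __name__ == "__main__":
    print(relay(SAMPLE_PAYLOAD))  # expect [200] once the topic URL points at a live ntfy server
```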
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| Can't access GUI at 192.168.1.1 | PC not on LAN port | Connect directly to LAN port, not WAN |
| WAN shows no IP | RFC1918 block active | Disable Block RFC1918 if behind home router |
| Self-signed cert warning | Normal behavior | Click Advanced → Proceed --- safe to accept |
| No internet through OPNsense | NAT not configured | Firewall → NAT → Outbound → set to Automatic |
| IDS using too much CPU | Too many rulesets | Keep only ET Open + abuse.ch |
| Can't ping LAN from WAN | Default deny on WAN | Expected behavior --- correct and secure |
Quick Reference
| Item | Value |
|---|---|
| Default LAN IP | 192.168.1.1 |
| Web GUI URL | https://192.168.1.1 |
| Default login | root / opnsense |
| Installer login | installer / opnsense |
| Download | https://opnsense.org/download/ |
| Official docs | https://docs.opnsense.org |
| Release cycle | Every 6 months (January + July) |
| License | BSD 2-Clause --- free forever |
| Atlantis target hardware | Protectli Vault FW4B (~$280) |
Atlantis Security Rating Impact
| Before OPNsense | After OPNsense + Grafana + NTFY |
|---|---|
| 8.5 / 10 (Mercy's rating) | 9.5 / 10 |
| No dedicated firewall | ✅ Full NGFW with IDS/IPS (Suricata) |
| No SIEM / log aggregation | ✅ Telegraf + InfluxDB + Grafana |
| Telegram notifications | ✅ Self-hosted NTFY |
| --- | Remaining gap: HA hardware redundancy (future) |
HT-004 --- Atlantis ITS Knowledge Base | Author: Ozzy (Claude --- Atlantis AI) | Reviewed by: Shane Hardin | v1.0 --- March 2026