Going beyond the basics of home networking

source

Set Up a Fully Functioning Home Network Using OPNsense

When writing guides, I often choose very specific topics to limit the scope of the topic at hand. Guides on specific topics are great when you know or have some idea of what you are wanting to accomplish.

However, if you are new to a subject and/or having a difficult time putting together all of the information, you may be overwhelmed where to start. I see this occur on a regular basis when I receive questions from others who are starting their journey of building a more advanced home network using OPNsense.

In an effort to help those individuals, I decided to write my most comprehensive guide to date. I will discuss how to build an entire network using OPNsense and other network hardware in order to demonstrate how all of it works together. Much of the guide will be focused on OPNsense configuration since it lies at the core of the network infrastructure, but managed switches and wireless access points will be discussed as well.

When discussing network switches and wireless access points, I cannot include an example of all varieties. Therefore, you will have to adapt this guide to the hardware you are using. I personally prefer to use managed network switches which have a web interface for configuration rather than switches which only provide a command line interface (even though I am not afraid of the command line).

Because there is so much to cover, I will attempt to be more concise than usual, and in some cases I may refer to other guides I have written if you wish to go into more depth about a particular subject.

Disclaimer: Please consider that I am merely presenting one network architecture that may be used as a reference. I am not endorsing or claiming that this architecture is the best way to implement your home network – it is simply one way you could implement it. In the end, you have to decide what meets your needs the best.

Network Architecture

The example network will assume the following architecture:

  1. The connection from the ISP will utilize a modem or a modem/router in bridge mode (to avoid double NAT)
  2. The modem is connected to the first port of a four port OPNsense box for the WAN interface
  3. The LAN interface will be connected to a smart/managed network switch to be used as a dedicated management interface and will only contained untagged network traffic
  4. The remaining two interfaces on the OPNsense box will be set up as a LAGG (link aggregation) to the network switch to provide extra bandwidth and will only contain tagged VLAN traffic
  5. A wireless access point with VLAN support will be connected to the network switch to provide wireless for the networks
  6. Other devices will be connected to the network switch in various VLANs
  7. The network will use dual stack IPv4 & IPv6*

In the example described above, it is important to note that the management LAN interface (where all of the critical network infrastructure will be managed) will only have untagged network traffic while the LAGG interface will only have tagged VLAN traffic.

Some users prefer to set up a dedicated management VLAN where all network infrastructure can be managed and avoid using the default untagged network, which is often depicted as “VLAN 1” on network switches. The primary reason is the security concern of users plugging devices into ports that are not assigned to any VLANs since they would have access to the most sensitive part of the network.

When using the default “VLAN 1” as your management network, you need to be sure to assign all unused ports to a VLAN to avoid unwanted devices on your management VLAN. You could assign unused ports to the GUEST network or to a sinkhole network with no network access. You could even disable the ports on the switch but that seems a bit extreme and inconvenient.

For home networks in particular, this risk is likely much lower than on business/enterprise networks especially since most guests in your home typically use WiFi rather than plugging directly into your network switch (or a wall jack which is connected to your network switch).

Regardless of whether or not you use the untagged LAN or have a separate VLAN for managing your critical network infrastructure, the OPNsense team recommends separating untagged and tagged VLAN traffic so they are not on the same interface to prevent potential security issues due to carelessly written firewall rules on the parent interface. This actually caught several users by surprise including myself.

Do not worry because this guide will demonstrate separating untagged and untagged interfaces by using one of the interfaces on the router/firewall box as a dedicated management interface and the remaining interfaces for VLANs only.

* For the IPv6 configuration demonstrated in this guide, it will be based on the assumptions that the ISP is providing dynamic IPv6 addresses and that IPv6 will only be configured to allow Internet access. Similar to IPv4, the IPv6 networks will be configured to isolate them from each other.

I will not demonstrate using IPv6 for your internal networks in this guide. There are some challenges with using dynamic IPv6 addresses on your internal network especially when IPv6 addresses change. For this reason and more, I will only use IPv4 examples for allowing access between devices. IPv6 configuration will be limited to Internet access only.

Logical Network Diagram

To have a visual representation of what this guide will implement, I have included the following logical network diagram:

Logical Network Diagram

Physical Diagram of Network Infrastructure

Refer to the image below for the physical connections of the network infrastructure that I will be using.

To keep the physical network infrastructure image less cluttered, the image below only shows the basic network infrastructure described in my example and not the various devices connected to the network (see also the physical diagram of connected devices).

Network Device Connections

TL;DR Overview

Because this guide will be longer than my usual content, below is an outline of what will be done to complete the full network example I am discussing:

  1. Install OPNsense
  2. Configure OPNsense
  3. Configure network switch
  4. Configure wireless access point

The full setup may seem daunting, but I am including a lot of configuration information with brief descriptions in an effort to show all of the necessary or recommended values to build a fully functioning network with OPNsense.

Let us get started with installing OPNsense!

watch

Install OPNsense

The first step you need to do is install OPNsense on your desired hardware. I am using a Protectli VP2410 in my network example, but you can use any hardware compatible with OPNsense.

Go to the OPNsense download page. Choose the “vga” installer so you can install it on a USB drive. Use a program such as Etcher to flash the drive with the image you just downloaded (you do not even have to extract the image if you are using Etcher).

To keep this guide shorter, I will not include screenshots in this step like I did with my installation guide.

  1. Do not press any key when prompted for the configuration importer
  2. Press any key for manual interface assignment (I prefer to manually configure than using the automatic process)
  3. Press “Enter” to skip the LAGG configuration (will do this later in the web interface)
  4. Press “Enter” to skip creating VLANs (also will do this later)
  5. Enter igb0 for the WAN interface name (for the Protectli VP2410 – your interface names may be different)
  6. Enter igb1 for the LAN interface name (for the Protectli VP2410)
  7. When prompted for an optional interface name, press “Enter” to skip configuration (will do this later)
  8. Press “y” and “Enter” to continue
  9. At the login prompt, enter the username installer and the password opnsense to continue with the installation
  10. Press “Enter” to continue with the default keymap (if you are using the US keyboard, otherwise select the appropriate option)
  11. Select the “Install (ZFS)” option to use the ZFS filesystem
  12. Select the disk where you want to install it (you should be able to tell the difference between the USB and internal hard drive based on the name and size)
  13. Select “Yes” to continue with the recommended swap partition size of 8 GB
  14. Select “Yes” to continue to destroy the current contents of the disk
  15. Select “Change root password” now so you do not forget (you will use this to log into the web interface or console)
  16. Enter the password twice
  17. Select “Complete Install” to finish installing OPNsense

When it is finished, it will reboot and you should see a login screen with the IP addresses of your interfaces.

Configure OPNsense

Before configuring OPNsense, make sure you have your PC, laptop, or other device you wish to use to configure OPNsense plugged into the LAN interface. In our example, that would be the second interface from the right side of the box. The LAN interface will be used as the dedicated interface to manage OPNsense and other network infrastructure.

If you are setting up OPNsense on new hardware and you are connecting the WAN interface to your existing home network, you need to be careful when configuring your interfaces.

One issue I accidentally encountered is configuring an interface which has the same IP address range of the network where the WAN interface is attached. I was testing configuration similar to my main network and did not think about this issue. This caused an issue with DNS because the WAN of my test system was using the DNS server (192.168.20.1) of the VLAN on my main network and one of my VLANs on my test system was set up to use the 192.168.20.1/24 network. The local interfaces take priority so the WAN DNS no longer worked properly.

For the OPNsense configuration, you will need to login to the default https://192.168.1.1 URL. You could use the default opnsense.local domain, but if you decide to change the host/domain name during when configuring OPNsense, you will have to switch to the new hostname in your browser to continue the configuration. If you use the IP address instead, you will not be interrupted due to an OPNsense host/domain name change.

Configuration Wizard

You will be presented with the configuration wizard when you first log into OPNsense. The configuration wizard is completely optional. In this guide, I will skip using the configuration wizard so that you will know where all of the configuration options are located in case you want to make changes in the future.

System Configuration

The system settings is a good place to start with configuring OPNsense. I will cover the most common settings you will like want to change, but of course if your needs are different, you can deviate from this guide.

Settings: General

On the “System > Settings > General” page, you can customize a few network-wide settings such as the domain name and DNS settings, which can be confusing since there are a few places where you can configure various DNS options. Of course, these settings are free for you to change to your own personal preferences. I do not expect you to use homenetworkguy.com as your domain name, for instance!

Option Value
Hostname router (or choose your own hostname)
Domain homenetworkguy.com (choose your own domain name)
Time zone America/New_York (choose your own time zone)
DNS servers Leave blank
DNS server options Leave both boxes unchecked

If you are unchecking the default DNS server options and you have your OPNsense router plugged into your main router, DNS may not work until properly until you plug your new OPNsense router into your modem as your main router since I am assuming this router will be on the edge of your network when it is fully configured.

Alternatively, you could leave the default DNS server options in the “General Settings” and enable “Use System Nameservers” on the “Services > Unbound DNS > Query Forwarding” page so that DNS queries are forwarded to your main network’s DNS server. You will have to remember to change them back later once you use the newly configured OPNsense box as your primary router.

Settings: Administration

The “System > Settings > Administration” page contains useful configuration for how you wish to access OPNsense (web, SSH, and console):

Web GUI:

  • Option: Protocol
    • Value: HTTPS (should be the default value)
  • Option: HTTP Strict Transport Security
    • Value: Check “Enable HTTP Strict Transport Security”
  • Option: TCP port
    • Value: Change to 8443 if exposing an internal web server to the Internet (securely, of course)
  • Option: HTTP Redirect
    • Value: Leave unchecked unless you are exposing port 80/HTTP to the Internet for the purpose of redirecting to 443/HTTPS
  • Option: DNS Rebind Check
    • Value: Leave unchecked for security (may interfere with certain name resolutions)
  • Option: HTTP Compression
    • Value: High (if you have a reasonably fast system)
  • Option: Listen Interfaces
    • Value: LAN (only listen on the LAN interface to limit access to web GUI)

Secure Shell:

  • Option: Secure Shell Server
    • Value: Check “Enable Secure Shell” (to allow access to OPNsense via SSH)
  • Option: Root Login
    • Value: Check “Permit root user login” (since only SSH keys are allowed via the next option below, allowing the root login is much more secure, but you may disable this for extra security)
  • Option: Authentication Method
    • Value: Uncheck “Permit password login” to improve security (only SSH keys are allowed)
  • Option: SSH port
    • Value: Leave blank for default port of 22
  • Option: Listen Interfaces
    • Value: LAN (only listen on the LAN interface to limit access to SSH)

Console:

  • Option: Console driver
    • Value: Check “Use the virtual terminal driver (vt)”
  • Option: Primary Console
    • Value: Select “VGA Console” (if you plan to connect to a monitor, which I recommend leaving enabled)
  • Option: Secondary Console
    • Value: Select “Serial Console” (if your device has a serial console)
  • Option: Serial Speed
    • Value: Most likely the default of 115200 should be ok (but consult your user manual)
  • Option: USB-based serial
    • Value: Check “Use USB-based serial ports” (if your serial console uses USB)
  • Option: Console menu
    • Value: Check “Password protect the console menu” to add more protection to console access

If you changed the “Protocol” to “HTTPS” when you are using “HTTP” or you changed the “TCP port” to a different value, you will need to change the URL you are using to access OPNsense accordingly (if you are not automatically redirected to the new URL).

Settings: Miscellaneous

The “System > Settings > Miscellaneous” page has a few options you may want to tweak such as the CPU type for the thermal sensors widget on the “Dashboard”. There are some periodic backup options, power savings options, and memory/swap options.

Option Value
Thermal Sensors Hardware Intel Core CPU (unless you have AMD hardware)
Periodic RRD Backup 24 hours (optional)
Periodic DHCP Leases Backup 24 hours (optional)
Periodic NetFlow Backup 24 hours (optional)
Use PowerD Checked (if you have power saving options enabled in the BIOS)
Power Mode Hiadaptive (to favor performance over power savings)

If you are using a SSD or a traditional hard disk, you should not need to adjust any of the disk/memory settings at the bottom of the page since those options are more designed for systems where you want to minimize wear on the disk or if disk space is very constrained. Modern SSDs can handle a lot of writes before the disks wear out.

Firmware: Status

If you have your new OPNsense box connected to your primary/existing network while you are setting it up, you may want to update to the latest OPNsense version before proceeding with the rest of the configuration described in this guide. Otherwise, you can perform this step once you complete this guide and you have swapped out your old router with your new OPNsense box.

Go to the “System > Firmware > Status” page and click the “Check for updates” button. It will jump over to the “Updates” tab while checking for updates. If any updates are available, you will be notified.

When you close the information box for an update, you can see at the bottom of the page if the update requires a reboot or not. This is very helpful in determining if you wish to proceed with an update. I will often wait to perform the update when nobody is using the network whenever I see that a reboot is required. Typically smaller updates will not require a reboot, but of course it depends on what part of the system is being updated.

Access: Users

Generally speaking, a security recommendation is to create a new user with administrator privileges rather than using the default root user. Once another user is created, you can actually disable the root user to minimize the likelihood of the root user account being used maliciously.

On the “System > Access > Users” page, click on the “+” button to add a new user. Enter the following information (use your own values where it makes sense):

  • Option: Username
    • Value: dustin
  • Option: Password
    • Value: examplepassword
  • Option: Full Name
    • Value: Dustin Casto
  • Option: E-Mail
    • Value: [email protected]
  • Option: Login shell
    • Value: /usr/local/bin/bash (to allow shell access)
  • Option: Group Memberships
    • Value: admins (click admins and the right arrow button)
  • Option: OTP seed
    • Value: Check “Generate new secret (160 bit)” (if using two factor authentication – requires server described in next section)
  • Option: Authorized keys
    • Value: Paste a generated SSH key if you plan to use SSH for this account

If you wish to disable the root user, logout of the root user account and login with your new administrator account. Then go back to the “System > Access > Users” page. Click the pencil button next to the root user and click the “Disabled” check box. Save your changes.

If you only want to use the root user to log into OPNsense via console/SSH but not allow the root user access to the web interface, you can simply leave the root user enabled and remove the root user from the admins group. This only revokes the web interface access but not console/SSH access for the root user. You may want to do this if you like having access to the root user menu when you login via the console or SSH.

If you leave SSH password authentication disabled and only use SSH keys, your root account should still be protected better than using a password while further limiting access to the web UI which would be easier to access since it uses password authentication by default.

Note that you can only remove the root user from the admins group after creating another admin account.

After you save your account, you will be able to click the “Click to unhide” button for the “OTP QR code” option which is now visible. This allows you to use a QR code to add the TOTP to your favorite authenticator application on your phone or other device. If you are using a password manager, you can copy/paste the “OTP seed” to be able to generate codes from your password manager.

Access: Servers

The access servers in OPNsense allow you to add different authentication methods such as timebased one time password (TOTP) to enable two factor authentication. On the “System > Access > Servers” page, click on the “+” button to add a new authentication method. Enter the following values:

Option Value
Descriptive name TOTP server
Type Local + Timebased One Time Password
Token length 6 (the default value)
Reverse token order Checked

By default the token needs to be entered before the password, but if you check the “Reverse token order” option, the token should be entered after the password. The reason I prefer to add the 6 digit token at the end of the password is that it works great for password managers such as BitWarden since the token is automatically copied to the clipboard after the username/password is filled it on the page. That allows you to click the password manager’s “auto fill” button and then immediately issue a “Ctrl + V” to paste the token to the end of the password. I find that to be convenient if you utilize password managers that also store the tokens.

Some users prefer not to store their second factor token in the same location as their passwords, which is certainly understandable from a security standpoint.

Note that at this point two factor authentication is not enabled yet. Before enabling it, you should test out the two factor authentication first, which leads us to the next section below.

Access: Tester

The “System > Access > Tester” page allows you to test out your other authentication methods before enabling them, which is very handy. You do not want to inadvertently lock yourself out the system.

To test out the TOTP server you just created, select the “TOTP server” from the dropdown menu. It will be named whatever you called it in the “Descriptive name” from the previous step. Simply enter the username and password + token of the admin user you just created. You will receive a pass/fail message after testing the user.

Access: Users (Again)

If the login for the new admin user passes the test from the previous step, you can remove the root user from the admins group to revoke root user access to the web interface. Go back to the “System > Access > Users” page, and click the pencil edit button for the root user.

If you are currently logged in as the root user (which you likely are since you just created the new user), log out and log back in as the new admin user before proceeding.

For the “Group Memberships” option, click on “admins” in the “Member Of” box and click the left arrow to move it to “Not Member Of”. Click the “Save” button to persist the changes. Now you will only be able to log into OPNsense using your new admin user!

Keep in mind that you can still log into the server as the root user via the console or SSH if you have it enabled. If you allow root user access for SSH, I recommend using only SSH keys and disabling the password for SSH access.

Interface Configuration

Next up is configuring the interfaces. I highly recommend you consider how you want to layout your network before creating the interfaces because you may find that it is very disruptive to reconfigure the interfaces at a later time since it likely involves temporarily taking down some or all of your network.

In this example, I will be configuring a LAGG interface to demonstrate the process, but you may skip this section and go to the VLAN section if you do not want to use a LAGG interface. The process of creating VLANs is the same whether or not you are using a LAGG interface. The only difference is the physical interface you choose to associate to the VLAN.

If you plan to use Zenarmor, I highly recommend you test if LAGGs will function properly before committing to using a LAGG. Since I tested my OPNsense configuration on a separate system wile using my old firewall appliance, I could verify that the LAGG would function well with Zenarmor.

Your mileage may vary depending on the type of hardware you are using since there may be issues with netmap that prevent certain types of network interfaces from working properly in LAGGs. You may be safe if you have igb based 1G interfaces such as those found on the Protectli VP2410 because it has been stable for me for an extended period of time.

Also in discussions on Twitter, it was mentioned that perhaps issues are more likely to occur with LAGGs on networks that have heavy traffic on a regular basis such as saturated business/enterprise networks.

Interfaces: Settings

  • Option: Hardware CRC
    • Value: Check “Disable hardware checksum offload” (if not already checked)
  • Option: Hardware TSO
    • Value: Check “Disable hardware TCP segmentation offload” (if not already checked)
  • Option: Hardware LRO
    • Value: Check “Disable hardware large receive offload” (if not already checked)
  • Option: VLAN Hardware Filtering
    • Value: Choose the “Disable VLAN Hardware Filtering” option

I have often seen the recommendation to disable hardware offloading on the network interfaces due to various issues that may be encountered. For most users, it is always best to leave it off unless you have thoroughly tested out these configuration options.

In a home network, hardware offloading (if it works) is likely less impactful than using it on a heavily saturated business or enterprise network unless you regularly saturate your network’s bandwidth.

Other Types: LAGG

As mentioned earlier, I am going to assume a default OPNsense installation where only the WAN and LAN interfaces are enabled and the remaining interfaces were not assigned during installation. You should be connected to the LAN interface while configuring the interfaces in OPNsense. This allows you to easily change the interface configuration without dropping your connection or accidentally locking yourself out. Hence, the advantage of dedicating one of the network interfaces for management and administration purposes as described in this guide!

The Protectli box in my example has 4 interfaces, which means I am able to use the remaining 2 interfaces to create a LAGG interface. Go to the “Interfaces > Other Types > LAGG” page and click on the “+” button to configure a LAGG interface.

In order to assign the parent interfaces to a LAGG, they must not be currently assigned. The dropdown box will only show interfaces which are allowed to be added to a LAGG interface.

  • Option: Parent interface
    • Value: Select the interfaces to be in a LAGG (in this example: igb2 and igb3)
  • Option: Lag proto
    • Value: LACP (you will need a switch which supports LACP – configuration is described later)
  • Option: Description
    • Value: VLAN LAGG (you may enter your own value here)
  • Option: MTU
    • Value: Leave blank to use default value

Other Types: VLAN

With the LAGG created, you can now create the VLANs that will be associated to the LAGG interface. Once the VLANs are associated to the LAGG interface, you will be able to assign VLAN interfaces in the same way as physical interfaces as shown in the next section.

In this example, I am going to create several VLANs to demonstrate different use cases you may want to use in your network. You definitely do not need to have this many VLANs or you can create even more than what I have shown. Think about the types of devices you wish to isolate and create the appropriate VLANs. You may find it helpful to consider the function of the devices when creating VLANs. Devices which perform similar functions and need to have similar restrictions/access are good candidates for being on the same network.

For the purposes of this guide, the following VLANs will be created along with some of the reasons why you may want such a VLAN on your network:

  • VLAN Tag: 10
    • VLAN Description: DMZ
    • Purpose: For anything you want to expose to the Internet
  • VLAN Tag: 20
    • VLAN Description: USER
    • Purpose: For PCs, laptops, phones (to isolate from IoT devices)
  • VLAN Tag: 30
    • VLAN Description: IOT
    • Purpose: For Internet of Things (IoT) devices to protect other parts of your network
  • VLAN Tag: 40
    • VLAN Description: GUEST
    • Purpose: Guest network for visitors/untrusted devices
  • VLAN Tag: 50
    • VLAN Description: IPCAM
    • Purpose: Isolated network for IP cameras (for local access only)

Create the VLANs by navigating to the “Interfaces > Other Types > VLAN” page. To minimize the length of this guide, repeat the following configuration below for each VLAN in the table above:

  • Option: Device
    • Value: Leave empty to automatically generate a name
  • Option: Parent
    • Value: lagg0 (use the LAGG interface as the parent for all VLANs)
  • Option: VLAN tag
    • Value: Use the values in the table above for each VLAN
  • Option: VLAN priority
    • Value: You may use the default “Best Effort” or select priorities (not sure how much it impacts actual performance)
  • Option: Description
    • Value: Use the values in the table above for each VLAN (or use your own)

Interfaces: Assignments

After the VLANs are created, you will be able to assign them to interfaces. You can think of an “interface” as not only the address of the physical port itself but also an entirely separate network. That concept may seem confusing to new users, but creating a new interface assignment is how you create separate physical or logical networks in OPNsense (and other router platforms). When creating an interface you can specify the size of the network, which limits the total number of devices that can be connected to each network. The interface acts as the gateway for each network where traffic may enter or exit.

On the “Interfaces > Assignments” page, you can create a new interface by clicking on the “+” button in the “New interface” section of the page. The dropdown box only shows unassigned physical/logical interfaces. Once you assign the interface, it will no longer be included in the dropdown.

The WAN and LAN interfaces should already be assigned from the OPNsense installation so I will only mention setting up the VLAN interface assignments.

Select each VLAN listed in the table below in the “Network port” dropdown box and add the appropriate “Description”. The “Description” is displayed on the “Interfaces” section in the left side menu so it is important to use a short name to indicate the purpose of each network. Otherwise, they will show up as “OPT1”, “OPT2”, etc., which will be very confusing when you have multiple networks to manage.

Network Port Description
vlan01 DMZ (Parent: lagg0, Tag: 10) DMZ
vlan02 USER (Parent: lagg0, Tag: 20) USER
vlan03 IOT (Parent: lagg0, Tag: 30) IOT
vlan04 GUEST (Parent: lagg0, Tag: 40) GUEST
vlan05 IPCAM (Parent: lagg0, Tag: 50) IPCAM

Click the “Save” button when you are finished.

I have seen mention of resolving performance issues by assigning the physical parent interface when the parent interface is not being utilized. If you are experiencing poor performance across your VLANs, you may need to assign the parent interface without fully configuring the interface.

Personally, I have not noticed this issue with the Protectli VP2410 and the network configuration described in this guide. I tried assigning/unassigning the parent interface with no noticeable impact to performance.

Interface Pages

Each interface has its own page under the “Interfaces” menu on the left side of the OPNsense user interface. They will appear as [WAN], [LAN], etc. Go to the appropriate interface pages below to modify the configuration described below.

Interfaces > [WAN]

For the WAN interface, you may not have to change much of the configuration especially if your ISP uses DHCP, but for the sake of completeness I will list out the configuration settings with brief explanations for your reference.

  • Option: Enable
    • Value: “Enable Interface” should be checked by default by the OPNsense installation
  • Option: Lock
    • Value: Check “Prevent interface removal” so you cannot easily remove the interface from the “Interfaces > Assignments” page
  • Option: Description
    • Value: WAN (the default value from the OPNsense installation)
  • Option: Block private networks
    • Value: Checked (should be checked if connected directly to the Internet, otherwise you should uncheck it)
  • Option: Block bogon networks
    • Value: Checked (should be checked if connected directly to the Internet, otherwise you should uncheck it)
  • Option: IPv4 Configuration Type
    • Value: DHCP (if your ISP uses DHCP)
  • Option: IPv6 Configuration Type
    • Value: DHCPv6 (if your ISP uses DHCP)

If you want to use IPv6 with your VLANs and your ISP supports prefixes greater than /64 (such as Comcast Xfinity), you may enter configuration similar to the following under the “DHCPv6 client configuration”:

Option Value
Request only an IPv6 prefix Unchecked
Prefix delegation size 60
Send IPv6 prefix hint Checked
Use IPv4 connectivity Unchecked
Use VLAN priority Disabled

Interfaces > [LAN], [DMZ], etc.

For the LAN/VLAN interfaces, use the following common values for the options of every interface:

  • Option: Enable
    • Value: “Enable Interface” should be checked by default by the OPNsense installation
  • Option: Lock
    • Value: Check “Prevent interface removal” so you cannot easily remove the interface from the “Interfaces > Assignments” page
  • Option: Block private networks
    • Value: Unchecked (all internal networks should have this unchecked)
  • Option: Block bogon networks
    • Value: Unchecked (all internal networks should have this unchecked)
  • Option: IPv4 Configuration Type
    • Value: Static IPv4
  • Option: IPv6 Configuration Type
    • Value: Track Interface (if your ISP allows prefix delegations)
  • Option: IPv4 Upstream Gateway
    • Value: Auto-detect
  • Option: IPv6 Interface
    • Value: WAN
  • Option: Manual configuration
    • Value: Check “Allow manual adjustment of DHCPv6 and Router Advertisements”

And use the following IPv4/IPv6 values in the table below for each corresponding interface:

Interface Description IPv4 address IPv6 Prefix ID
[LAN] LAN 192.168.1.1/24 0
[DMZ] DMZ 192.168.10.1/24 1
[USER] USER 192.168.20.1/24 2
[IOT] IOT 192.168.30.1/24 3
[GUEST] GUEST 192.168.40.1/24 4
[IPCAM] IPCAM 192.168.50.1/24 5

DHCP Configuration

Once the interfaces are enabled, you will most likely want to enable DHCP on the interfaces so that all of your devices will automatically be assigned IP addresses when they are plugged into your network switch or join your WiFi network.

For the DHCP settings, I am going use consistent values with all my networks. You may want to enable a wider range of IP addresses if you have more than 100 devices on any of your networks, but for most users the ranges I specify below will be sufficient.

If you plan to have some devices use static IP addresses (which is recommended when hosting various apps/services on your network), I recommend that you do not set the DHCP IP address range to include the full subnet (192.168.1.2 - 192.168.1.254, for example) so that you have some available addresses for static IPs.

Do not forget to click the “Save” button after configuring each interface.

DHCPv4

To reduce the length of this guide, refer to the table below to enter the IP address ranges for each interface’s DHCPv4 page by going to the “Services > DHCPv4” section and clicking on each interface’s page.

For every interface below, be sure to click the “Enable” checkbox.

Interface Range from Range to
[LAN] 192.168.1.100 192.168.1.200
[DMZ] 192.168.10.100 192.168.10.200
[USER] 192.168.20.100 192.168.20.200
[IOT] 192.168.30.100 192.168.30.200
[GUEST] 192.168.40.100 192.168.40.200
[IPCAM] 192.168.50.100 192.168.50.200

Add at the bottom of the each interface’s page, click the “+” button to add static DHCP reservations for devices that are hosting apps/services or devices where you wish to apply specific firewall rules (although you can use hostnames in firewall aliases for clients with dynamic IP addresses, I have found it to be problematic at times – a static IP is the most reliable approach).

You can also add static DHCP reservations directly from the “Services > DHCPv4 > Leases” page. It has the added benefit of prefilling the MAC address. Either way, you will need to enter the same information.

For demonstration purposes, I will use several static DHCPv4 IP reservations that will be referenced by firewall rule aliases and included in several firewall rules. I am using randomly generated MAC addresses in the table as examples, but you will need to use your actual MAC addresses.

Interface MAC address IP address Hostname
[DMZ] 0e:66:c8:ee:a8:ee 192.168.10.10 webserver
[USER] 00:49:c0:9b:a8:cc 192.168.20.10 pc
[IOT] 3e:03:06:01:45:d3 192.168.30.10 printer
[IPCAM] ee:f2:4d:ca:92:44 192.168.50.10 ipcam1
[IPCAM] c3:c7:cb:db:66:d6 192.168.50.11 ipcam2
[IPCAM] 23:d1:6f:17:31:8e 192.168.50.12 ipcam3

DHCPv6

As with DHCPv6 to reduce the length of this guide, refer to the table below to enter the IP address ranges for each interface’s DHCPv6 page by going to the “Services > DHCPv6” section and clicking on each interface’s page.

For IPv6 addresses, you may specify only the second half of the address such as ::1000. The first half of the address is used by default and if you only specify 1 segment, the rest are filled with zeroes (it is how IPv6 notation works to allow shorter addresses to be expressed).

For every interface below, be sure to click the “Enable” checkbox.

Interface Range from Range to
[LAN] ::1000 ::2000
[DMZ] ::1000 ::2000
[USER] ::1000 ::2000
[IOT] ::1000 ::2000
[GUEST] ::1000 ::2000
[IPCAM] ::1000 ::2000

You will not be able to assign the above ranges for DHCPv6 when you are using DHCPv6 on the WAN interface and “track interface” for each local network interface (LAN, DMZ, etc.) as shown in this guide unless the OPNsense box is connected to your modem. Otherwise if you are not connected, there will be no available IPv6 address ranges to assign since they are assigned by the ISP. You will see an error message on the page that says there are no addresses available to assign. Once you are connected to your modem and have DHCPv6 addresses assigned by the ISP, you should be able to complete this step.

Router Advertisements

For IPv6, there is an additional step which I think is good to do in order to help support all possible IPv6 clients on your network. I like to set the “Router Advertisements” to “Assisted” so that both DHCPv6 and SLAAC is used because not all clients may support DHCPv6.

Although I have learned a lot about how to configure IPv6 in OPNsense, I still do not consider myself to be an IPv6 expert, which is why I am providing a more general IPv6 configuration.

Go to each interface’s page under the “Services > Router Advertisements” section. The first option is “Router Advertisements”. Simply choose “Assisted” and click “Save”. This step is the same for all of the local networks.

DNS Configuration

I think configuring the DNS options in OPNsense can be a bit confusing for new users (I struggled at first too) primarily because there are a couple of places where you may specify DNS information. There are various approaches to how you may configure DNS so depending on the approach taken is where you need to enter the DNS configuration.

You may simply use the ISP’s DNS servers (that is the default DNS configuration in OPNsense), external DNS over TLS (DoT) servers, or another internal DNS server such as Pi-hole or AdGuard Home (which then may use external DoT/DoH servers). In this guide, I am going to configure Unbound DNS as the primary local DNS server which then uses DNS over TLS as the upstream, external DNS servers.

As I briefly mentioned earlier in this guide, I am going to assume you have no DNS servers configured on the “System > Settings > General " page and that you have the 2 “DNS server options” unchecked (to ensure the ISP DNS servers are not being used as the upstream/external DNS servers). Since DNS over TLS is going to be configured in the Unbound DNS settings, the system DNS servers do not need to be specified.

Unbound DNS: General

On the “Services > Unbound DNS > General” page, set the following configuration values:

  • Option: Enable
    • Value: Check “Enable Unbound” (if not enabled already)
  • Option: Listen Port
    • Value: Leave as default 53
  • Option: Network Interfaces
    • Value: Choose “All (recommended)” (should be default)
  • Option: DNSSEC
    • Value: Check “Enable DNSSEC Support”
  • Option: DHCP Registration
    • Value: Check “Register DHCP leases” (to use hostnames of DHCP clients)
  • Option: DHCP Static Mappings
    • Value: Check “Register DHCP static mappings” (to use hostnames of static DHCP clients)
  • Option: IPv6 Link-local
    • Value: Check “Register IPv6 link-local addresses”
  • Option: DNS Cache
    • Value: Check “Flush DNS cache during reload” (to clear the cache after making changes to Unbound)
  • Option: Local Zone Type
    • Value: transparent (the default value)

Click the “Save” button at the bottom of the page and then click the “Apply changes” button at the top of the page to reload the Unbound service to apply configuration changes.

Unbound DNS: Advanced

You may want to set a few of the “advanced” options especially if you are interested in looking at DNS logs in more detail.

  • Option: Prefetch Support
    • Value: Checked (increases DNS queries and CPU load slightly so consider your hardware resources)
  • Option: Prefetch DNS Key Support
    • Value: Checked (increases CPU load slightly so consider your hardware resources)
  • Option: Log Queries
    • Value: Checked (if you want to troubleshoot DNS lookups or verify DoT is working by seeing DNS servers/ports being queried)
  • Option: Log Level Verbosity
    • Value: Level 2 (to see more log detail such as the DNS servers being used which helps verify DoT configuration)

For the logging of queries and the log levels, you may only want to temporarily change these settings to verify DNS is operating as expected since this can be slightly detrimental to performance on slower hardware. It would also add more wear to the disks due to increased logging, which may be important depending on the hardware you are using. I find the DNS query logging useful when verifying DNS over TLS configurations since I can see that it is reaching out to the Cloudflare DNS servers on port 853, which is the port used by DoT for encrypted DNS queries.

Click “Apply” to persist the changes.

Unbound DNS: DNS over TLS

I prefer to use encrypted DNS queries for all outbound DNS queries since it is designed to not only enhance the privacy by limiting tracking of your DNS lookups, but it also offers improved security by reducing the likelihood your DNS queries will be hijacked via man in the middle attack. With a DNS over TLS (DoT) connection, you essentially have an encrypted tunnel to the configured DNS servers. I will be using Cloudflare in my example.

Navigate to the “Services > Unbound DNS > DNS over TLS” page to begin configuring DoT. Click on the “+” button to add a new DoT server. Cloudflare provides several different servers some of which provide additional filtering. Since I am using Zenarmor, I prefer to use the unfiltered Cloudflare servers because it is one less area I need to troubleshoot in case something is inadvertently blocked. The visibility of what Cloudflare blocks is not seen in OPNsense because Cloudflare does the filtering on their end unlike Zenarmor, Pi-hole, or AdGuard where you can see the queries which are being blocked.

Below is the list of DNS over TLS servers you may use for both IPv4 and IPv6. I recommend you include at least 2 DNS servers for IPv4 and at least 2 DNS servers for IPv6 for redundancy:

DNS Filter Server IP Server Port Verify CN
No filter 1.1.1.1 853 cloudflare-dns.com
No filter 1.0.0.1 853 cloudflare-dns.com
No filter 2606:4700:4700::1111 853 cloudflare-dns.com
No filter 2606:4700:4700::1001 853 cloudflare-dns.com
Malware 1.1.1.2 853 security.cloudflare-dns.com
Malware 1.0.0.2 853 security.cloudflare-dns.com
Malware 2606:4700:4700::1112 853 security.cloudflare-dns.com
Malware 2606:4700:4700::1002 853 security.cloudflare-dns.com
Malware + Adult 1.1.1.3 853 security.cloudflare-dns.com
Malware + Adult 1.0.0.3 853 security.cloudflare-dns.com
Malware + Adult 2606:4700:4700::1113 853 security.cloudflare-dns.com
Malware + Adult 2606:4700:4700::1003 853 security.cloudflare-dns.com

Use the information above to fill in for each DoT server you wish to use. You may leave the “Domain” box empty so all lookups go through the same DoT servers since that option is only used if you want a specific domain name (such as homenetworkguy.com) to use a specific DoT server when performing DNS lookups.

Firewall Configuration

The time has come to create firewall rules. Firewall rules are critical for providing increased security among the devices in your network. Having a solid understanding in this area will be crucial in helping you lock down your network tighter.

As you likely know, no software or hardware is fully impenetrable, which is why it is important to have several layers of defense when protecting your network.

I decided to include several VLANs in this guide in order to demonstrate different types of networks you may want to implement in your home network. They should provide some good use cases for how the firewall rules may look different for the types of access desired. Of course, you do not need to implement all of these VLANs in your network.

I will be making use of firewall aliases in the firewall rules below, so if you see a name instead of an IP address for the “Source” or “Destination” it means I am using either a built-in firewall alias or the custom firewall aliases I describe in the “Firewall: Aliases” section.

The names in the firewall rules are not hostnames of devices on the network because hostnames can only be used in firewall aliases. Firewall rules only allow you to enter a single IP/network address or a single firewall alias (aliases may contain more than one value). If you want to use multiple IP addresses or network addresses in a single firewall rule, you have to create an alias containing those addresses and use that alias in the firewall rule.