# OPNsense — Open Source Firewall and Routing Platform

> A FreeBSD-based open-source firewall and routing platform with a modern web UI, plugin ecosystem, and enterprise features like intrusion detection, VPN, and traffic shaping.

## Quick Use

```bash
# Download the ISO from opnsense.org
# Install on dedicated hardware or a VM (min 2 GB RAM, 2 NICs)
# Access the web UI at https://192.168.1.1
# Default credentials: root / opnsense
```

## Introduction

OPNsense is a FreeBSD-based firewall and routing platform forked from pfSense in 2015. It provides a polished web interface, weekly security updates, and a plugin system covering intrusion detection, VPN, DNS filtering, and traffic shaping — suitable for home labs through enterprise edge deployments.

## What OPNsense Does

- Stateful packet filtering with NAT, port forwarding, and floating rules
- Runs Suricata-based intrusion detection and prevention (IDS/IPS) with ET and Abuse.ch rulesets
- Provides VPN connectivity via WireGuard, OpenVPN, and IPsec with GUI configuration
- Shapes and prioritizes traffic using CoDel, FQ-CoDel, and HFSC queuing disciplines
- Manages DNS with Unbound resolver, DHCP, and optional DNS-over-TLS/HTTPS forwarding

## Architecture Overview

OPNsense runs on HardenedBSD (a security-focused FreeBSD fork) with pf as its packet filter. The web UI is built with PHP (Phalcon MVC framework) and communicates with the backend via a configd service that applies configuration changes to system daemons. Plugins extend functionality through the OPNsense package repository. The configuration is stored as a single XML file, making backup and version control straightforward.
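
Because the whole configuration lives in one XML file, an exported backup also carries credentials such as password hashes and keys, so a copy destined for version control should have them blanked first. The following is an added example, not part of the original page or of the OPNsense project: the tag-name pattern, the `redact` helper and the sample document are assumptions made for illustration, not the exact OPNsense schema.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: tag-name patterns that usually hold credentials. This is not a
# list taken from the OPNsense schema; review your own export and extend it.
SECRET_TAG = re.compile(r"passw|secret|psk|privkey|private|apikey|^prv$", re.I)
PLACEHOLDER = "REDACTED"

# Constructed sample: element names and values are illustrative only.
SAMPLE = """<opnsense>
  <system>
    <hostname>fw01</hostname>
    <user>
      <name>root</name>
      <password>CONSTRUCTED-HASH-VALUE</password>
      <apikeys><item><key>CONSTRUCTED-KEY</key><secret>CONSTRUCTED-SECRET</secret></item></apikeys>
    </user>
  </system>
  <vpn><privkey>CONSTRUCTED-PRIVATE-KEY</privkey></vpn>
</opnsense>"""


def redact(xml_text):
    """Return (redacted_xml, paths) with every secret-looking subtree blanked."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(node, path):
        for child in node:
            child_path = f"{path}/{child.tag}"
            if SECRET_TAG.search(child.tag):
                tail = child.tail          # keep surrounding whitespace stable
                child.clear()              # drops text, attributes and children
                child.text, child.tail = PLACEHOLDER, tail
                hits.append(child_path)
            else:
                walk(child, child_path)

    walk(root, root.tag)
    return ET.tostring(root, encoding="unicode"), hits


if __name__ == "__main__":
    redacted, paths = redact(SAMPLE)
    print(redacted)
    print("blanked:", ", ".join(paths))
```

The redacted copy is for review and diffing only and cannot be restored; keep the full export in encrypted, access-controlled storage.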
## Self-Hosting & Configuration

- Install from ISO on bare metal (x86-64) or in a VM with at least two network interfaces
- Complete initial setup via the web wizard: WAN, LAN, DNS, and admin password
- Configure firewall rules, NAT, and aliases through the Rules section
- Enable IDS/IPS under Services > Intrusion Detection with one-click ruleset downloads
- Install plugins (WireGuard, HAProxy, Crowdsec, etc.) from System > Firmware > Plugins

## Key Features

- Weekly security updates and a transparent release process with changelogs
- Plugin ecosystem with 80+ packages including HAProxy, FRR routing, Crowdsec, and Telegraf
- Configuration backup and restore from a single XML file
- Multi-WAN failover and load balancing with gateway groups
- API access for automation via REST endpoints with key-based authentication

## Comparison with Similar Tools

- **pfSense** — The project OPNsense forked from; similar features but less frequent updates and a more restrictive license
- **VyOS** — Linux-based network OS with CLI-first configuration; no web UI in the free edition
- **MikroTik RouterOS** — Proprietary router OS with powerful features; not open source
- **IPFire** — Linux-based firewall; simpler feature set, Pakfire package manager
- **Untangle** — Commercial firewall with limited free tier; more appliance-focused

## FAQ

**Q: What hardware does OPNsense support?**
A: Any x86-64 system with at least 2 GB RAM and two NICs. Popular choices include Protectli, Netgate, and Minisforum mini PCs.

**Q: Can OPNsense replace a commercial firewall?**
A: Yes. It supports enterprise features like HA (CARP), multi-WAN, IDS/IPS, and centralized logging via syslog or Elasticsearch.

**Q: How does OPNsense differ from pfSense?**
A: OPNsense has a more modern UI, weekly security updates, a broader plugin ecosystem, and uses HardenedBSD with ASLR and other mitigations.

**Q: Does it support VLANs?**
A: Yes.
Configure 802.1Q VLANs under Interfaces > Other Types > VLAN and assign them to firewall zones.

## Sources

- https://github.com/opnsense/core
- https://opnsense.org

---

Source: https://tokrepo.com/en/workflows/asset-423572f3
Author: Script Depot