
# How to deploy OPNsense on Glesys

***

OPNsense is a powerful, open-source firewall and routing platform based on FreeBSD. It is designed to deliver enterprise-grade network security while remaining accessible and easy to use for businesses, organizations, and advanced home networks.

Originally forked from pfSense in 2015, OPNsense has since evolved into a modern, flexible solution with a strong focus on security, stability, and usability. Its intuitive web-based interface, combined with a wide range of features, makes it a popular choice for administrators who need both simplicity and advanced functionality.

## Overview

To demonstrate how to configure OPNsense between a private network and the internet, we'll create the following environment. Adapt the steps to match your specific needs.

* An OPNsense firewall using the ready-made KVM template.
* The firewall will sit between a private network and the public internet.
* The firewall will have two network interfaces: one connected to the internet, the other to the private network.
  * The WAN interface (internet) will have two publicly accessible IP addresses, one for IPv4 and one for IPv6.
  * The LAN interface (private network) will have two internal addresses, one for IPv4 and one for IPv6.
* NAT will be set up for both IPv4 and IPv6.
* For demonstrative purposes, a web server will be set up on an internal Debian virtual machine.
* Internally, computers will be assigned static IPv4 and IPv6 addresses (manual configuration on each VM).
* For remote access, a WireGuard tunnel will be set up.

<figure><img src="/files/ao1er7CPJDKTZIgMWdQN" alt=""><figcaption></figcaption></figure>

## Creating a private network (if you don’t already have one)

In the control panel, navigate to **Networking → Private networks**. Click **Create**.

<figure><img src="/files/WsmRkY0VJBSnXzJCe1Rg" alt=""><figcaption></figcaption></figure>

Give the network a name, such as *OPNsense lab*. Click **Create**.

<figure><img src="/files/W52r5AQpDqgzLlO5Xeao" alt=""><figcaption></figcaption></figure>

Next, click **Create segment**.

<figure><img src="/files/MWTyJ73zcnmiOs1HSXok" alt=""><figcaption></figcaption></figure>

Give the segment a name, for example, **Private LAN**. Leave the platform at KVM. Select a data center for the segment. Set the internal IPv4 to match your desired network. Here, we'll leave it at the default since it doesn't really matter in this case. Click **Create**.

<figure><img src="/files/5NUuxZjqhm5ThZRcw1nv" alt=""><figcaption></figcaption></figure>

## Creating a virtual machine for OPNsense

In the control panel, navigate to **Computer → Virtual machines** and click **Create server**.

<figure><img src="/files/wQk6JHfZoeXp3Pe756pS" alt=""><figcaption></figcaption></figure>

Select **KVM** as the platform. Adjust the resources as needed. Under *Template & Data center*, select the latest **OPNsense** template, and the same data center you used for the private network. Give the virtual machine a hostname, such as *opnsense-lab*. The IP addresses can be left as-is (one IPv4 and one IPv6 address assigned). Click **Create server**.

<figure><img src="/files/YzRLz3DN12pGcf7L5yt0" alt=""><figcaption></figcaption></figure>

Once the VM is ready, go to the **Network adapters** tab and create a new adapter. This network adapter will be used for the LAN.

<figure><img src="/files/KBW9v2Wynq4t9QjwD2Cr" alt=""><figcaption></figcaption></figure>

Give the adapter a name, select the LAN segment created earlier, and click **Create**.

<figure><img src="/files/wacBcXac4ysvYblzMczs" alt=""><figcaption></figcaption></figure>

## Initial configuration of OPNsense

When the VM is online, and the new adapter is connected, click **Actions → Console**.

<figure><img src="/files/1OWjTlheMPTdttW6mH0a" alt=""><figcaption></figcaption></figure>

The console will now open. You'll need to do some initial configuration before you can reach the OPNsense WebUI. Log in with the default credentials. If there's no login prompt, hit <kbd>Enter</kbd> a couple of times until it appears.

* **Username:** `root`
* **Password:** `opnsense`

<figure><img src="/files/wsLIQlc11sbNqmeL0uFm" alt=""><figcaption></figcaption></figure>

From the console, you'll need to perform the following steps:

* Select option 3 to set a new root password.
  * Type **y** to proceed and press <kbd>Enter</kbd>.
  * Enter your new password.
* Select option 6 to reboot the firewall (only required after the first install).
  * Type **y** to proceed and press <kbd>Enter</kbd>.
* Log in again with `root` and your new password.
* Select option 1 to assign the interfaces:
  * Do you want to configure LAGGs now? → press <kbd>Enter</kbd> (No)
  * Do you want to configure VLANs now? → press <kbd>Enter</kbd> (No)
  * Enter the WAN interface name → enter the first interface: `vtnet0`
  * Enter the LAN interface name → enter the second interface: `vtnet1`
  * Enter the Optional interface 1 name → press <kbd>Enter</kbd> (skip)
  * Do you want to proceed? → type **y** and press <kbd>Enter</kbd>

The WAN IPv4 address should now be assigned by DHCP. If not, select option 2 to manually configure the address.

* Next, you'll need to disable the firewall temporarily so you can access the WebUI:
  * Select option 8 (Shell).
  * Enter `pfctl -d` to temporarily disable the firewall.
  * Type `exit` and press <kbd>Enter</kbd> to exit the shell.
* Select option 0 to log out.

## Accessing the WebUI using the public address

Access the WebUI in a browser using the IPv4 address assigned to the WAN interface. You'll see a warning about the certificate being self-signed. Accept the certificate and continue.

Log in with the username `root` and your new password.

Next, you'll need to add a rule so that you can continue accessing the WebUI from your home or office with the firewall enabled in OPNsense.

Navigate to **Firewall → Rules → WAN**. Click the **red + icon** on the right side.

<figure><img src="/files/37yf21Qyu6M9T1SDToXz" alt=""><figcaption></figcaption></figure>

* Set *Protocol* to **TCP**.
* Change *Source* to **Single host or Network** and enter your public IP (the IP of your home or office).
* Set the *Destination* to **WAN address**.
* Set *Destination port range* to:
  * From: **HTTPS**
  * To: **HTTPS**
* Click **Save.**

<figure><img src="/files/gntR5VG43L7CZP2u53Q3" alt=""><figcaption></figcaption></figure>

Next, click **Apply changes** for the new rule to take effect. Applying the rule also re-enables the firewall that you disabled earlier with `pfctl -d`. If the web page keeps reloading or you only see a blank page, try clicking the URL in the browser and pressing <kbd>Enter</kbd>.

<figure><img src="/files/6598zEZtcmgKw21xjdjm" alt=""><figcaption></figcaption></figure>

## Setting up the interfaces

It's now time to continue configuring the interfaces. This will entail setting up IPv6 on the WAN interface and IPv4 and IPv6 on the LAN interface. IPv6 is optional, but its adoption is growing, however slowly.

### IPv6 on WAN

Let's start by adding the IPv6 address to the WAN interface. Currently, there are some problems retrieving the IPv6 address in OPNsense over DHCPv6. To get around this, it's better to configure the IPv6 address manually.

First, look up the IPv6 address in Glesys Cloud. Navigate to your virtual machine for OPNsense and scroll down to *IP Addresses*. Here, you'll find the assigned IPv6 address.

Next, you'll need to look up the gateway and netmask for the address. You'll do this under **Networking → IP addresses**. Click the **info icon** next to the IPv6 address. Note down the gateway and netmask.

<figure><img src="/files/Fy2GdrJxAxVA23xqJYTL" alt=""><figcaption></figcaption></figure>

Back in OPNsense, navigate to **System → Gateways → Configuration**. Here, click the **red + icon**.

<figure><img src="/files/TyjgNvOD5pGb53Z2pv7N" alt=""><figcaption></figcaption></figure>

In the dialog box that opens, fill in a name for the gateway, such as ***WAN\_static\_ipv6***. Leave the *Interface* at **WAN**. Select **IPv6** as the *Address Family*. In the *IP Address* field, fill in the **gateway address** from the previous step (don't copy the address from the screenshot below, it won't work). Click **Save.**

<figure><img src="/files/FpcvI02m0gg1ONcxSoZV" alt=""><figcaption></figcaption></figure>

Next, navigate to **Interfaces → WAN**. Leave most of it as it is, but change the following:

* Set *IPv6 Configuration Type* to **Static IPv6.**
* At the bottom of the page, fill in your virtual machine's IPv6 address in the *IPv6 address* field, and select the netmask from the previous step.
* Select the newly created gateway, ***WAN\_static\_ipv6***, in the *IPv6 gateway rules* field.
* Click **Save**.

<figure><img src="/files/x80ZtLGQ9EkpFykrpnaJ" alt=""><figcaption></figcaption></figure>

Next, click **Apply changes** at the top.

<figure><img src="/files/tXX64xTKOHBa3xHABWda" alt=""><figcaption></figcaption></figure>

### IPv4 and IPv6 on the LAN (private network)

Navigate to **Interfaces → LAN**. For *IPv4 configuration type* and *IPv6 configuration type*, select **Static IPv4** and **Static IPv6,** respectively.

Then, fill in the **IPv4** and **IPv6 addresses** that this OPNsense machine shall be reachable on in the private network. Choose networks that won't collide with your home or office network (we'll create a WireGuard tunnel to the OPNsense firewall later, and hence connect the private network to your home/office). Here, we choose *192.168.73.1/24* for the IPv4 address and *fd10:a:b:c::1/64* for the IPv6 address.

Click **Save** when the IPv4 and IPv6 addresses are set.

<figure><img src="/files/CrRlhYjC1BSmzl5xPZQB" alt=""><figcaption></figcaption></figure>

Then, click **Apply changes**.

<figure><img src="/files/ukH3mBaMgcEy2AmF4MDB" alt=""><figcaption></figcaption></figure>

## Setting up IPv6 NAT

Navigate to **Firewall → NAT → Outbound**. Select **Hybrid outbound NAT rule generation**. Click **Save**.

<figure><img src="/files/OWTTOVh1XzMwnw8Hep4t" alt=""><figcaption></figcaption></figure>

Next, under *Manual rules*, click the **red + icon**.

<figure><img src="/files/WLy0evfHsKURtYlGYmbo" alt=""><figcaption></figcaption></figure>

Here, fill in the following values and leave the rest as it is:

* *Interface*, select **WAN**.
* *TCP/IP Version*, select **IPv6**.
* *Source address*, select **LAN net**.
* *Translation/target*, select **WAN address**.

When you're done, click **Save** at the bottom of the page.

<figure><img src="/files/SfIRgrLsK5M79L3SHxiE" alt=""><figcaption></figcaption></figure>

Once the page is saved, click **Apply changes**.

<figure><img src="/files/FkGrdP0ie6tgERTavxS2" alt=""><figcaption></figcaption></figure>

## Setting up WireGuard for remote access

WireGuard is a fast and modern VPN tunnel that's included in OPNsense. It's an excellent choice for remote access to both the firewall itself and the private network.

Navigate to **VPN → WireGuard → Instances**. Click the **red + icon**.

<figure><img src="/files/tQZelPNps7o9DkDUiYQ9" alt=""><figcaption></figcaption></figure>

In the instance dialog, give the instance a name, such as *RemoteAccess*.

Then, generate a new key by clicking the **cog icon**. The values for the *Public key* and *Private key* will then be filled out automatically.

For the *Listen port*, set it to a static value, such as **51820**.

*Tunnel address* is the IP address and network that will be used inside the tunnel. Choose a unique address that won't collide with any of your existing networks. In this example, we'll choose *10.0.55.1/24*.

Click **Save**.

<figure><img src="/files/oToffwKsI8mv4w29a3JI" alt=""><figcaption></figcaption></figure>

Then, make sure to check **Enable WireGuard** and click **Apply**.

<figure><img src="/files/XQwUMiZfzKPcRpZY0iGa" alt=""><figcaption></figcaption></figure>

### Generating a peer/client configuration

OPNsense has built-in support for generating configuration files for peers/clients. Click the tab **Peer generator** to generate the first peer configuration.

The first peer is generated automatically when you click the generator tab. However, you need to fill in some additional values before copying the configuration.

* *Instance*: Select the ***RemoteAccess*** WireGuard instance created earlier.
* *Endpoint*: Fill in the public IPv4 WAN address of this firewall and the port of the WireGuard instance (51820). Separate the IPv4 address and the port with a colon.
* *Name*: Choose a name for this peer, such as ***MyHome*** or ***MyOffice***.
* *Address*: Leave this as it is; OPNsense automatically chooses the next available address.
* *Allowed IPs*: Change this to the private network, such as ***192.168.73.0/24***. If you skip this part, the WireGuard peer will try to route all traffic through the tunnel.

Once these fields are filled in, copy the text in the *Config* field and save it on the computer you will use to connect to the tunnel. For example, save it in `/etc/wireguard/wg1.conf` if you're running Linux.

Next—after you have copied the text—click the **red checkmark icon**. This will save the current peer configuration and create a new configuration for the next peer.

<figure><img src="/files/VBwP58hQV7zAALP2JaDp" alt=""><figcaption></figcaption></figure>
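The following linter is an added example, not part of the Glesys guide or of OPNsense: it checks a copied peer file against the points above (tunnel address, `host:port` endpoint, *Allowed IPs* limited to the private network and not colliding with your local network) before you bring the tunnel up. The sample file is constructed with placeholder keys, and the function names and the home network `192.168.1.0/24` are assumptions made for the illustration.

```python
import ipaddress
import os
import stat

# Constructed sample of a copied peer file; both keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <peer-private-key-placeholder>
Address = 10.0.55.2/32

[Peer]
PublicKey = <instance-public-key-placeholder>
Endpoint = 203.0.113.51:51820
AllowedIPs = 192.168.73.0/24
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: [values]})], in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.strip().lower(), []).extend(items)
    return sections


def lint_peer_conf(text, tunnel_net, local_nets=()):
    """Return a list of findings; an empty list means the file matches the guide."""
    tunnel = ipaddress.ip_network(tunnel_net)
    local = [ipaddress.ip_network(n) for n in local_nets]
    sections = parse_wg_conf(text)
    ifaces = [kv for name, kv in sections if name == "interface"]
    peers = [kv for name, kv in sections if name == "peer"]
    if len(ifaces) != 1 or not peers:
        return ["expected one [Interface] section and at least one [Peer]"]

    findings = []
    for addr in ifaces[0].get("address", []):
        if ipaddress.ip_interface(addr).ip not in tunnel:
            findings.append(f"Address {addr} is outside tunnel network {tunnel}")

    for peer in peers:
        endpoint = (peer.get("endpoint") or [""])[0]
        host, _, port = endpoint.rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            findings.append(f"Endpoint {endpoint!r} is not in host:port form")
        allowed = peer.get("allowedips", [])
        if not allowed:
            findings.append("no AllowedIPs: nothing is routed into the tunnel")
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"AllowedIPs {cidr} sends all traffic through the tunnel")
                continue
            for lan in local:
                if net.version == lan.version and net.overlaps(lan):
                    findings.append(f"AllowedIPs {cidr} overlaps local network {lan}")
    return findings


def readable_by_others(path):
    """True if group or other has any access; the file holds the private key."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    # 192.168.1.0/24 stands in for the home/office LAN (assumed value).
    for finding in lint_peer_conf(SAMPLE_CONF, "10.0.55.0/24", ["192.168.1.0/24"]):
        print("FINDING:", finding)
```

If `readable_by_others` returns `True` for the saved file, restrict it with `chmod 600`; `wg-quick` also warns when the configuration is world accessible.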

### Allowing WireGuard traffic to the OPNsense firewall

You also need to allow the WireGuard port you chose for the instance, for example, 51820. By default, OPNsense blocks all incoming connections.

Navigate to **Firewall → Rules → WAN**. Click the **red + icon** to create a new rule.

<figure><img src="/files/ZmpQqUbQR1idNZhvYdTG" alt=""><figcaption></figcaption></figure>

When the rule page appears, set the following values and leave the rest as it is.

* *TCP/IP version:* **IPv4**
* *Protocol:* **UDP**
* *Destination:* **WAN address**
* *Destination port range:*
  * *From:* **(other) 51820**
  * *To:* **(other) 51820**

When everything is filled out, click **Save**.

<figure><img src="/files/4xY5pzmSQgyIr7DbgLpw" alt=""><figcaption></figcaption></figure>

Then, when you return to the rules overview, click **Apply changes**.

<figure><img src="/files/zv8wbzZbvgeiUax5WHp6" alt=""><figcaption></figcaption></figure>

### Allowing traffic from the tunnel to the private network

Next, you also have to allow traffic from the WireGuard tunnel to connect to the private network behind the OPNsense firewall. This allows you to connect to the OPNsense WebUI and all the virtual machines in the private network.

Navigate to **Firewall → Rules → WireGuard (Group)**. Click the **red + icon**.

<figure><img src="/files/Nn1GdhkUI156ha9HJRiR" alt=""><figcaption></figcaption></figure>

For the new rule, set the *TCP/IP Version* to **IPv4** if it isn't already the default. Set the *Destination* to **LAN net**. Click **Save** at the bottom of the page to save the settings. When you return to the rules overview, click **Apply changes**.

<figure><img src="/files/FIL7SN6fVNimXHFLIvg5" alt=""><figcaption></figcaption></figure>

### Connecting to the tunnel

Assuming you have saved the configuration file on your Linux system in `/etc/wireguard/wg1.conf` and installed WireGuard, connect to it using the following command as root (on your local home or office computer).

{% code title="Command" %}

```
wg-quick up wg1
```

{% endcode %}

You can then try to ping the firewall's IP address in the private network, in our case, 192.168.73.1.

<pre data-title="Command (command is highlighted, output is not)"><code><strong>ping -c 3 192.168.73.1
</strong>PING 192.168.73.1 (192.168.73.1) 56(84) bytes of data.
64 bytes from 192.168.73.1: icmp_seq=1 ttl=64 time=11.6 ms
64 bytes from 192.168.73.1: icmp_seq=2 ttl=64 time=5.31 ms
64 bytes from 192.168.73.1: icmp_seq=3 ttl=64 time=5.22 ms

--- 192.168.73.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 5.220/7.361/11.552/2.963 ms
</code></pre>

### Removing the rule that allows your home or office IP

If pinging the firewall on the LAN address works, you can instead connect to the OPNsense WebUI on the LAN address (192.168.73.1). After that, you can proceed to remove the rule you created at the very beginning, the one that allows your home or office IP.

Navigate to **Firewall → Rules → WAN**. Then click the **trashcan icon** next to the rule with your home or office IP and port 443. Click **yes** when asked to confirm the deletion. And finally, click **Apply changes**.

<figure><img src="/files/ZBBhvsF1rd7GiegTLA5j" alt=""><figcaption></figcaption></figure>

## Setting up a Debian VM inside the private network

To demonstrate how to configure a virtual machine inside the private network, we'll set up a Debian server. We'll also set up port-forwarding of port 80 to it, both via IPv4 and IPv6.

Create a new KVM virtual machine as you usually would (see the guide [Create virtual machines](/products/compute/kvm-virtual-machines/how-tos/create-virtual-machines.md)).

While creating the VM, choose the Debian 13 template. For IPv4 and IPv6 addresses, select **No IPv4** and **No IPv6** (since the VM should sit inside the private network, it shouldn't be reachable via a public IP). Set a password for your user; you'll need to log in with that user through the console later on to set the IP addresses.

Once the VM is created, switch to the **Network adapter** tab. Click **Create network adapter**.

<figure><img src="/files/dXydbonxCDoLNhKChWiJ" alt=""><figcaption></figcaption></figure>

Next, give the adapter a name and select the private network created earlier. Click **Create** when done.

<figure><img src="/files/DHEZStU7iFgbJSwQ0Ddg" alt=""><figcaption></figcaption></figure>

Now you'll need to open the console and configure the network (since it doesn't have any IP addresses). Click **Actions → Console**.

<figure><img src="/files/wKufnrfagGWWhAwqQQvj" alt=""><figcaption></figcaption></figure>

Once the console is open, log in with the username and password you chose when creating the virtual machine. If you can't see any login prompt, try hitting <kbd>Enter</kbd> a couple of times.

When you are logged in, execute the command `ip addr`. This should give you a list of all the network adapters in the virtual machine. Most likely, there are three adapters: *lo*, *ens1*, and *enp9s0*. The network adapter for the private network is the last one, in this case, *enp9s0*.

<div align="left"><figure><img src="/files/HVaeCEqn0xTaNiGwVLau" alt=""><figcaption></figcaption></figure></div>

In Glesys's Debian 13 template, the network is configured using Netplan. In this case, we will give this virtual machine the IPv4 address *192.168.73.2* and the IPv6 address *fd10:a:b:c::2*.

To configure the network, run the command `sudo nano /etc/netplan/50-cloud-init.yaml` and enter your password when `sudo` asks for it.

{% code title="Command" %}

```
sudo nano /etc/netplan/50-cloud-init.yaml
```

{% endcode %}

This will open an editor. Edit the file so that it looks like this (adjust the IP addresses to match your private network and the interface to match your VM):

{% code title="/etc/netplan/50-cloud-init.yaml" %}

```
network:
  version: 2
  ethernets:
    ens1: {}
    enp9s0:
      addresses: [192.168.73.2/24, "fd10:a:b:c::2/64"]
      nameservers:
        addresses: [192.168.73.1, "fd10:a:b:c::1"]
      routes:
        - to: default
          via: 192.168.73.1
        - to: "::/0"
          via: "fd10:a:b:c::1"
```

{% endcode %}

When you are finished editing the file, press <kbd>Ctrl</kbd>+<kbd>X</kbd> to quit the editor. When asked whether to save the file, answer **y** (yes) and press <kbd>Enter</kbd>.

Next, run `sudo netplan apply` to activate the new IP addresses. Confirm it's working by pinging the OPNsense firewall using both the IPv4 and IPv6 addresses.

<pre data-title="Commands and output (commands are highlighted)"><code><strong>sudo netplan apply
</strong>
<strong>ping -c 3 192.168.73.1
</strong>PING 192.168.73.1 (192.168.73.1) 56(84) bytes of data.
64 bytes from 192.168.73.1: icmp_seq=1 ttl=64 time=0.472 ms
64 bytes from 192.168.73.1: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.73.1: icmp_seq=3 ttl=64 time=0.276 ms

--- 192.168.73.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.215/0.321/0.472/0.109 ms

<strong>ping -c 3 fd10:a:b:c::1
</strong>PING fd10:a:b:c::1 (fd10:a:b:c::1) 56 data bytes
64 bytes from fd10:a:b:c::1: icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from fd10:a:b:c::1: icmp_seq=2 ttl=64 time=0.339 ms
64 bytes from fd10:a:b:c::1: icmp_seq=3 ttl=64 time=0.650 ms

--- fd10:a:b:c::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 0.339/0.686/1.069/0.299 ms
</code></pre>

Also, verify that the VM can reach the internet over both IPv4 and IPv6 by pinging, for example, google.com.

<pre data-title="Commands and output (commands are highlighted)"><code><strong>ping -4 -c 3 google.com
</strong>PING google.com (192.178.25.14) 56(84) bytes of data.
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=1 ttl=116 time=9.77 ms
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=2 ttl=116 time=9.85 ms
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=3 ttl=116 time=9.90 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.767/9.838/9.897/0.053 ms

<strong>ping -6 -c 3 google.com
</strong>PING google.com (2a00:1450:400f:808::200e) 56 data bytes
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=1 ttl=116 time=10.6 ms
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=2 ttl=116 time=9.75 ms
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=3 ttl=116 time=9.47 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.466/9.942/10.617/0.490 ms
</code></pre>

### Connecting to the Debian VM over the WireGuard tunnel

From now on, while connected to WireGuard, you can SSH into the Debian VM from your home or office computer using the IP address *192.168.73.2*.

### Expose a web server on the Debian VM (optional)

To demonstrate how to port-forward from OPNsense to a VM over both IPv4 and IPv6, we'll set up a web server on the Debian VM. This will make the web server accessible over both of the public addresses (IPv4 and IPv6).

Start by installing Apache on the Debian VM.

{% code title="Command" %}

```
sudo apt install apache2
```

{% endcode %}

Let's change the default web page to something simple so you can see if it's the correct page being served:

{% code title="Command" %}

```
echo "Debian private network web server" | sudo tee /var/www/html/index.html
```

{% endcode %}

If you do a local test, the above text should display:

<pre data-title="Command and output (command is highlighted)"><code><strong>curl http://127.0.0.1
</strong>Debian private network web server
</code></pre>

Now that you know the web server is working and serving the test page, it's time to port-forward traffic from the public IP addresses to it.

Navigate to **Firewall → NAT → Destination NAT**. Click the **red + icon**.

<figure><img src="/files/iRZbkWEofTixCka920a4" alt=""><figcaption></figcaption></figure>

Start by adding the IPv4 port-forward. Fill in the following values:

* *Interface:* **WAN**
* *Version:* **IPv4**
* *Protocol:* **TCP**
* *Destination address:* **This Firewall**
* *Destination port:* **Single port or range**
  * **80**
* *Redirect target IP:* **Single host or network**
  * **192.168.73.2**
* *Redirect target port:* **Single port**
  * **80**
* *Firewall rule:* **Register rule**

Click **Save**.

<figure><img src="/files/hgl2e4VnoyeiBfX5BjiH" alt=""><figcaption></figcaption></figure>

Repeat the process by clicking the **red + icon** again to configure IPv6 port-forwarding. This time, fill in the following values:

* *Interface:* **WAN**
* *Version:* **IPv6**
* *Protocol:* **TCP**
* *Destination address:* **This Firewall**
* *Destination port:* **Single port or range**
  * **80**
* *Redirect target IP:* **Single host or network**
  * **fd10:a:b:c::2**
* *Redirect target port:* **Single port**
  * **80**
* *Firewall rule:* **Register rule**

Click **Save**.

<figure><img src="/files/Ajh1bE6Zpw6lwAzfTgae" alt=""><figcaption></figcaption></figure>

Finally, when the rules are saved, click **Apply**.

<figure><img src="/files/aC6RQZhux2vuKEdQNxeL" alt=""><figcaption></figcaption></figure>

#### Connecting to the web server from the outside

At last, you can try connecting to the web server from the public internet. From another computer—at home or at the office—that has both IPv4 and IPv6, use curl to connect to the public addresses of the firewall.

<pre data-title="Commands and output (commands are highlighted)"><code><strong>curl 203.0.113.51
</strong>Debian private network web server
<strong>curl [2001:db8:aa::2b2]
</strong>Debian private network web server
</code></pre>

