OPNsense Protectli Setup
With many people continuing to work from home or shifting to a hybrid work model, our home internet connections are more crucial than ever. I’m in a WFH situation myself, and I recently installed and configured a new router running OPNsense, an open-source router and firewall, using a Protectli FW4B. OPNsense will work on a variety of different hardware, but I chose the Protectli because it fits my needs and has a company behind it to support the product.
OPNsense started in 2015 as a fork of pfSense. For several years it was built on HardenedBSD, a security-hardened downstream of the same FreeBSD base that pfSense uses; beginning with OPNsense 22.1, the current release at the time of this writing, the project moved back to a stock FreeBSD 13 base.
I’ll walk through a setup of OPNsense and include a few nice-to-haves for home and home office usage. I hope this helps others looking to build a more capable home office router and firewall than what most off-the-shelf products offer. My criteria and goals with this build were as follows:
- Fast, reliable hardware able to handle a 1 Gbps symmetrical fiber connection at line speed (my ISP is Frontier FIOS)
- The router should be concerned with wired connections only; I have good wireless coverage and speed with Netgear Orbi APs, plus an unmanaged gigabit switch
- The platform should include regular security updates
- Support for ad-blocking, tracker-blocking, and basic parental controls
- Able to monitor traffic logs and visualize metrics for troubleshooting
- Quality-of-Service (QoS) and traffic shaping for critical traffic (VoIP/video conferencing)
- Importantly, keeping things simple and stable: while I work at home right now, my family shares this connection, and interruptions should be kept to a minimum[^1]
Hardware⌗
There are a ton of options for OPNsense hardware, from repurposing an old desktop, to new DIY gear, to purpose-built appliances. Since my previous Ubiquiti hardware died, I needed something new and decided to purchase a Protectli Vault FW4B (no affiliation). It’s not the most powerful equipment, but it will handle gigabit speed[^2], and it supports AES-NI for hardware-accelerated VPN/cryptography. It’s fanless, silent, and consumes little power, which is good for running in my office. This model also supports coreboot, an open-source alternative to the traditional BIOS. It has also been solid for the last few months of running it, so I have no regrets on this purchase. You can find many other options and specs on the OPNsense Subreddit.
Installation⌗
If you’re using similar hardware, both OPNsense and Protectli offer installation guides to walk you through the process. I’ll mention a few preferences and decisions that I used during the setup.
I started out with a bootable USB flash drive created from the vga OPNsense image type, prepared with Balena Etcher. This image lets you connect an HDMI display and USB keyboard directly to the router for initial configuration, and it starts you off in a live boot environment from which you can reach the web GUI once you’ve configured your interfaces. One key issue with the Protectli Vault is that the WAN and LAN interface assignments are swapped by default, but you’ll have the opportunity to reassign them during this process. I’m assuming here that the upstream WAN connection provides a standard DHCP-assigned public IP address, which is the case with most fiber-to-the-home (FTTH) providers and with bridged cable or DSL modems. If that’s not the case, you may need to contact your ISP’s technical support to find out the best option for you.
Once you have booted the live image, log in as the installer user:
Username: installer
Password: opnsense
This will launch the installer. Select the Quick/Easy Install. You’ll have a choice of two file systems, UFS or ZFS. I chose ZFS for its copy-on-write design and checksum validation, even though this is a low-power system without ECC memory; you still get better reliability than the traditional UFS file system, with the potential tradeoff of a slight storage performance hit. The Quick/Easy Install reboots the system at the end. After restarting, when prompted to start interface assignments, use the Protectli guide linked above to select the appropriate LAN and WAN interfaces.
From here on, you’ll use the web GUI for configuration.
Basic Configuration⌗
There are several settings you’ll want to configure for a secure setup. Before getting into that, though, make sure all the system packages are up-to-date by selecting “Click to check for updates” on the Lobby Dashboard. If you need to reboot due to updates, go ahead and do that before starting the next steps.
Proceed to System > Settings > General. Here, configure the router’s hostname and domain. If you own a domain, a common option is to set your home network’s domain as a subdomain of your registered domain (e.g., home.domain.com). You’ll also need to configure DNS servers on this page for the router itself to use. A non-exhaustive list of reliable, privacy-respecting options that offer security and malware filtering includes Quad9, CleanBrowsing DNS, Cloudflare 1.1.1.1 for Families, and Adguard DNS[^3]. Keep in mind that by default the firewall queries its own local resolver (127.0.0.1) first, so its own lookups get the same filtering you define for devices on your network; the servers you list here act as a fallback and as the upstreams for Unbound if you later enable query forwarding.
Continue to System > Settings > Miscellaneous to set power and temperature options. If you’re using a Protectli or similar hardware, you may gain modest power savings while preserving performance by activating PowerD, leaving power modes set to Hiadaptive. If you’d like to monitor thermal levels on your router, since many of these devices are fanless, set the Thermal Sensors / Hardware option to “Intel Core® CPU on-die thermal sensor (coretemp)” if available on your system. Reboot your router after this step, then head back to the Dashboard. Click Add widget and select Thermal Sensors to visualize CPU temps here. While you’re at it, you may want to add the Traffic Graph widget as well.
DHCP Services⌗
Now, let’s make sure that DHCP is configured correctly by going to the Services > DHCPv4 > [LAN] page. I will assume the exclusive use of IPv4 in this article. While you may have established the basic range of addresses during installation, I want to point out and confirm a couple of things. First, your Range should be large enough to accommodate all the networked devices in your home. This includes computers, tablets, and phones, of course, but you may have other smart devices such as TVs, thermostats, cameras, and other IoT and home automation devices. Leave your subnet enough room outside the range for any static mappings you’d like to make.
You should also confirm that your subnet won’t cause any conflicts with other networks you may connect to, such as with site-to-site VPNs.
Continue to the Leases page to see hosts that have already connected to your network. To create a static mapping so that a device will always have the same reserved address, click the + button at the end of its row. You’ll see a page where you can assign an IP address to the device, and here you’ll want to use an address outside your DHCP range. Notice that you can assign other settings specific to that device here, but we’ll assume that a static IP is all we need.
DNS⌗
With DNS, things can get much more interesting. OPNsense includes two DNS servers to choose from: Dnsmasq and Unbound. By default, Unbound is the active choice, and I’d recommend sticking with that unless you have a specific reason not to, as it is more capable and customizable. Browse to Services > Unbound DNS > General to get started.
If you’re using one of the DNS providers mentioned above, each of them supports DNSSEC, and you can select Enable DNSSEC Support for improved public DNS integrity. Keep in mind that when Unbound forwards queries (as with DNS over TLS below), it validates the signatures the upstream resolver returns, so the upstream must support DNSSEC itself; a forwarder that strips those records would cause validation failures and SERVFAIL answers.
If you would like to allow devices to register their own hostnames when connecting to the network (so that you can browse by hostname to any services they may be hosting), select Register DHCP leases and Register DHCP static mappings. Click Save when done.
Continue to the Overrides page, which is used to create custom records in your local DNS zone. I prefer to register a host override named router in my local domain, so that I can browse to the firewall by name and acquire a valid SSL/TLS certificate for it.
Next, go to the Advanced page. These settings involve more personal preference, but I like to enable Prefetch Support, Prefetch DNS Key Support, and Harden DNSSEC data for greater DNS performance and security. In addition, review the Number of Hosts to cache and determine if the cache size is appropriate for your usage.
The next page to review is the Blocklist page. Unbound comes with the built-in capability to load DNS blocklists such as Adguard List, EasyPrivacy, etc.; however, I have chosen not to use this for reasons I’ll explain below.
Finally, check out the DNS over TLS page. Unbound natively supports secure DNS forwarding with DNS over TLS (DoT), similar to many devices’ support of DNS over HTTPS (DoH) or DNSCrypt. DoT uses the dedicated port 853 to talk to supported providers over TLS, so queries are encrypted and, when you fill in the provider’s hostname as the Verify CN, the resolver is authenticated against its certificate. For increased privacy, prefer this over standard DNS forwarding on UDP port 53. My preference is to define two sets of DNS servers here, one pair for primary use and a second pair as a backup. I’ll explain my choices in more detail below, but for a set-and-forget option with generally good, audited security and privacy, I would recommend the Cloudflare 1.1.1.1 for Families service, set to Enabled. Make sure to click Apply when done.
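For readers who want to see what those GUI fields become, here is the equivalent in Unbound’s own configuration syntax, as an added example that is not from the original post or from OPNsense. OPNsense writes a file of this shape from the Server IP, Server Port and Verify CN fields; the `DotServer`, `forward_addr` and `render` names are hypothetical helpers, while the Unbound directives and the Cloudflare addresses and hostnames are real. The check it adds is the one worth remembering: a DoT forwarder entered without a Verify CN hostname is encrypted but not authenticated.

```python
"""Render an Unbound forward-zone for DNS over TLS (DoT) from a list of
resolvers, rejecting any entry that lacks a hostname to authenticate against.

Added example: OPNsense writes an equivalent file from the GUI fields
(Server IP, Server Port, Verify CN); DotServer/render/forward_addr are
hypothetical helper names. The directives are real Unbound syntax.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DotServer:
    address: str       # resolver IP (Server IP in the GUI)
    verify_cn: str     # TLS hostname the certificate must match (Verify CN)
    port: int = 853    # dedicated DoT port
    domain: str = "."  # zone to forward; "." forwards everything


# Cloudflare's documented "1.1.1.1 for Families" (malware + adult content)
# resolvers, the primary pair used in the text.
CLOUDFLARE_FAMILY = [
    DotServer("1.1.1.3", "family.cloudflare-dns.com"),
    DotServer("1.0.0.3", "family.cloudflare-dns.com"),
]


def forward_addr(s: DotServer) -> str:
    """Unbound's forward-addr form: ip@port#hostname."""
    ip = ipaddress.ip_address(s.address)  # rejects typos before they reach Unbound
    if not s.verify_cn.strip():
        # TLS without a name to verify: the session is encrypted, but any
        # on-path host with a self-signed certificate could answer.
        raise ValueError(f"{s.address}: DoT server has no Verify CN hostname")
    return f"{ip}@{s.port}#{s.verify_cn.strip()}"


def render(servers, cert_bundle="/etc/ssl/cert.pem") -> str:
    """Return unbound.conf text forwarding each zone to its DoT servers.
    The CA bundle path is the FreeBSD default and is an assumption here."""
    if not servers:
        raise ValueError("no DoT servers: Unbound would recurse in the clear instead")
    zones = {}
    for s in servers:
        zones.setdefault(s.domain, []).append(forward_addr(s))
    lines = ["server:",
             f"  tls-cert-bundle: {cert_bundle}"]  # CA store used to verify hostnames
    for name, addrs in zones.items():
        lines += ["", "forward-zone:", f'  name: "{name}"', "  forward-tls-upstream: yes"]
        lines += [f"  forward-addr: {a}" for a in addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(CLOUDFLARE_FAMILY))
```

One caveat the GUI does not make obvious: Unbound treats every `forward-addr` in the same zone as one pool and picks among them by measured round-trip time, so a "backup pair" entered alongside the primary pair is not strictly secondary; it will receive a share of queries whenever it answers quickly. If you need a true fallback order, keep the backup servers disabled until you need them.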
Blocking Ads and Trackers⌗
DNS Providers⌗
As I mentioned previously, Unbound can use many popular blocklists for eliminating ads and trackers through DNS, similar to Pi-Hole or Adguard Home. However, it lacks visibility into stats and blocked addresses, making troubleshooting difficult. I would still recommend it if you’re uninterested in adding more services, but be aware of what you’re getting yourself into, especially if you share your home network with family or friends who would be affected.
There are three services I feel comfortable recommending here: Adguard DNS (currently in beta), Cloudflare Zero Trust (formerly Cloudflare for Teams), and Cloudflare 1.1.1.1 for Families. Each of these options is currently either free or has a free tier. Cloudflare Zero Trust differs from 1.1.1.1 for Families in that you can customize traffic policies to, for example, enforce Safe Search or block specific web content categories, while still getting security and malware filtering similar to Families. I won’t go into more detail on the Cloudflare services here, but any of these options is a major improvement in security, privacy, and performance over your ISP’s default DNS servers. I highly recommend them as a quick way to improve internet privacy and security, blocking known malicious domains for your entire home network and preventing intrusive ads and tracking on devices that can’t run a blocker themselves, such as Smart TVs, game consoles, and other IoT devices.
I’ve been trying out the Adguard DNS beta for several weeks, and I can say it’s been effective. Users of Pi-Hole or Adguard Home will find its interface and settings familiar.
To set up DNS policies, you’ll create a “Server” and assign blocklists, custom user rules, parental controls if desired, and browsing security. You can connect individual devices using the Adguard agent on your systems, or connect the whole network by configuring Adguard as the secure DNS provider in Unbound’s DNS over TLS settings. When you enroll your router as a device, you’ll receive server addresses that uniquely identify that device to Adguard DNS.
To translate these to Unbound settings, go to Unbound’s DNS over TLS page and click + once for each of the “Plain DNS server addresses” Adguard DNS lists for your device, entering that address as the server IP, 853 as the port, and the hostname from the device’s DNS-over-TLS address as the Verify CN value. That hostname is what Unbound checks against the server’s certificate, so don’t leave it blank.
Make sure that you’ve checked each new DNS server as Enabled in the OPNsense GUI, then click Apply.
To enforce your home devices’ use of the Adguard DNS integration, there are a few firewall and NAT rules to configure. We want to prevent network devices from using any DNS service on the internet directly, whether traditional DNS, DoT, or DoH, so that the policies you have configured apply network-wide. Traditional DNS and DoT are easy to catch because they use dedicated ports (53 and 853). DoH is ordinary HTTPS on port 443 from the firewall’s perspective, so it can only be blocked by destination address, which makes it a game of whack-a-mole: these rules will block most DoH resolvers, but there is no guarantee of catching all of them. Note that LAN rules only filter traffic arriving on the LAN interface, so the firewall’s own DoT connections to Adguard or Cloudflare, which leave through WAN, are unaffected.
Head over to Firewall > Aliases and click + to create a new alias. Enter the following:
| Property | Value |
|---|---|
| Name | DoH_Servers |
| Type | URL Table (IPs) |
| Refresh Frequency | 1 day |
| Content | https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt[^4] |
The content URL above is a popular DoH server blocklist. See the footnotes for the original reference, with other blocklists you can try if you want greater coverage.
Also create an alias for the router. Give it a name of “router_host” or similar, using the “Host” type with the router’s LAN address as its content. (The built-in “LAN address” option in the rule and NAT destination menus works too; the alias just keeps the rules self-documenting.)
Next, we need a NAT rule that redirects rogue DNS traffic to the router so that Unbound answers it instead of the server the client asked for. Go to Firewall > NAT > Port Forward and add a rule on the LAN interface: protocol TCP/UDP, destination “router_host” with Invert checked (so it matches everything not already sent to the router), destination port DNS (53), redirect target IP “router_host”, and redirect target port 53. Leave the filter rule association at its default of adding an associated pass rule. Because the redirect happens before filtering, clients that hard-code a public resolver such as 8.8.8.8 keep working; they simply get their answers from Unbound without knowing it. If you keep a separate resolver on your LAN that must reach upstream servers directly, exclude it with the rule’s source field.
Finally, browse to Firewall > Rules > LAN and add the following rules above the default “allow LAN to any” rule, in this order: a pass rule for the “allowed_dns_hosts” alias (if you have resolvers that need direct upstream access) to any destination on TCP/UDP ports 53 and 853; a pass rule from LAN net to “router_host” on TCP/UDP port 53 (the associated rule from the port forward covers this if you kept that option); a block rule from LAN net to any destination on TCP/UDP ports 53 and 853, which covers both plain DNS and DoT; and a block rule from LAN net to the “DoH_Servers” alias on TCP port 443. OPNsense processes firewall rules on first match, so a packet that matches an earlier pass rule, such as one permitting “allowed_dns_hosts” outbound on port 53, is allowed even if a later block rule would also match, and a block placed above that pass rule would cut those hosts off. Enable logging on the block rules so that Firewall > Log Files shows you which devices are still trying to resolve names on their own.
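To see how the port forward and the rule order interact, here is a small first-match model of the rule set above, written as an added example rather than taken from the post or from OPNsense. It mimics pf, the packet filter OPNsense drives: the port forward (rdr) is applied before the filter rules, and the first matching filter rule decides. The addresses, the allowed-resolver host and the DoH_Servers contents are constructed stand-ins (the real list is assumed to be one address per line), and the `Packet`, `port_forward` and `evaluate` names are hypothetical.

```python
"""First-match model of the LAN DNS-enforcement rules: a port forward is
applied first (pf evaluates rdr before the filter), then the filter rules
are walked top to bottom and the first match decides.

Added example, not OPNsense code. ROUTER_HOST, ALLOWED_DNS_HOSTS and the
DoH_Servers contents are constructed stand-ins; Packet/evaluate are
hypothetical names.
"""
from dataclasses import dataclass, replace
import ipaddress

ROUTER_HOST = "192.168.1.1"            # assumed LAN address (router_host alias)
ALLOWED_DNS_HOSTS = {"192.168.1.10"}   # assumed: a resolver allowed to reach upstream directly

# Constructed stand-in for the URL Table alias; the real list is assumed to be one address per line.
DOH_SERVERS_TXT = """# DoH_Servers (constructed sample, not the upstream list)
104.16.248.249
104.16.249.249
8.8.8.8
"""


def load_url_table(text: str):
    """Parse a URL Table (IPs) body: one host or CIDR per line, '#' starts a comment."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def in_alias(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


DOH_SERVERS = load_url_table(DOH_SERVERS_TXT)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def port_forward(p: Packet) -> Packet:
    """NAT > Port Forward on LAN: TCP/UDP :53 not already sent to the router, and
    not from an allowed resolver, is redirected to the router so Unbound answers."""
    if p.dport == 53 and p.dst != ROUTER_HOST and p.src not in ALLOWED_DNS_HOSTS:
        return replace(p, dst=ROUTER_HOST)
    return p


# (name, predicate, action), evaluated in order; the first match wins.
LAN_RULES = [
    ("allow_dns_hosts_upstream",
     lambda p: p.src in ALLOWED_DNS_HOSTS and p.dport in (53, 853), "pass"),
    ("allow_dns_to_router",
     lambda p: p.dst == ROUTER_HOST and p.dport == 53, "pass"),
    ("block_rogue_dns",        # plain DNS and DoT to anything else
     lambda p: p.dport in (53, 853), "block"),
    ("block_doh_servers",      # DoH is just HTTPS, so match known resolver addresses
     lambda p: p.proto == "tcp" and p.dport == 443 and in_alias(p.dst, DOH_SERVERS), "block"),
    ("default_allow_lan_to_any",
     lambda p: True, "pass"),
]


def evaluate(p: Packet, rules=LAN_RULES):
    """Return (action, rule name, packet as the filter saw it after NAT)."""
    seen = port_forward(p)
    for name, match, action in rules:
        if match(seen):
            return action, name, seen
    return "block", "implicit_default_deny", seen


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.50", "8.8.8.8", "udp", 53),
                Packet("192.168.1.50", "1.1.1.1", "tcp", 853),
                Packet("192.168.1.50", "104.16.248.249", "tcp", 443),
                Packet("192.168.1.10", "9.9.9.9", "udp", 53)):
        action, rule, seen = evaluate(pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {action} by {rule} "
              f"(filter saw dst {seen.dst})")
```

Two things the model makes visible. A client query to 8.8.8.8:53 is rewritten to the router before any rule is consulted, so it is the `allow_dns_to_router` rule, not a rule about 8.8.8.8, that passes it. And if you move `block_rogue_dns` above `allow_dns_hosts_upstream`, `evaluate()` reports the allowed resolver’s own upstream queries as blocked, which is exactly the ordering mistake the first-match note above warns about; likewise, without the source exclusion in `port_forward`, those queries would be rewritten to the router before the pass rule ever saw them.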
Other Features⌗
There are far too many services and features, such as intrusion detection & prevention, whole-home VPNs and encrypted mesh networks, traffic shaping, etc., within OPNsense to list here, and many of them are dependent on your personal needs. A favorite feature of mine is Let’s Encrypt SSL/TLS certificate integration. This involves setting up additional plugins and services, but it allows you to have a valid certificate and HTTPS connection to the router, which I’ll have to explain in a separate article.
Let’s Go⌗
At this point, you have a functioning firewall with significant security and privacy advantages over off-the-shelf consumer routers. I hope this has been helpful in setting up a powerful yet user-friendly configuration that will serve you reliably for both home and home office use. There are many community resources available for OPNsense, such as the OPNsenseFirewall Subreddit and the OPNsense Forum, to help and to answer questions. Let me know if you have any feedback, questions, or corrections through the contact info on my About page.
[^1]: You might say an off-the-shelf product would be better for family use and simplicity, but that fails to meet other requirements. Plus, it’s not nearly as much fun.
[^2]: Caution on performance: this will vary based on the modules you use. In particular, IPS/IDS packages like Suricata will impact speeds.
[^3]: See Privacy Guides for more privacy-oriented recommendations on DNS and other solutions.
[^4]: Source: https://forum.opnsense.org/index.php?topic=9245.msg126363#msg126363