Boost your productivity and organize your tasks and projects with Akiflow: https://akiflow.pro/ChristianLempa
In this video, I guide you through building your own HomeLab firewall using the powerful, free, and open-source OPNsense software on a compact Mini-PC. Discover how to install and configure OPNsense, address common driver issues, and set up your network interfaces for a robust and secure home network. Join me as I share my experience and initial setup steps to get you started with this versatile firewall solution.
References#
- OPNsense Official Website & Download: https://opnsense.org
- OPNsense Packages: https://pkg.opnsense.org/
- My OPNsense Hardware Kit: https://kit.co/christianlempa/my-opnsense-firewall
Notes#
Why choose OPNsense for your HomeLab?#
OPNsense is a free and open-source firewall solution offering extensive features for home network protection. It supports basic routing (DNS, DHCP, VLANs), advanced security (VPN, IDS, IPS, Firewall Rules), and offers greater control over software, plugins, and features, including API and Terraform management, compared to many commercial alternatives. It’s an excellent choice for those looking to tinker and build a robust, custom firewall system.
Hardware Considerations for OPNsense#
OPNsense is highly flexible regarding hardware, supporting mini PCs, professional appliances, virtual machines, or even old computers. The most crucial hardware requirement is having at least two physical network interfaces: one for the Local Area Network (LAN) to connect your HomeLab switch and one for the Wide Area Network (WAN) to connect to your modem or public internet.
My Hardware Setup: MinisForum MS-A1#
For this setup, I used the MinisForum MS-A1 bare-bone mini PC, which allows for custom CPU and memory selection.
- CPU: AMD Ryzen 5 8500G (6 cores, 12 threads, integrated GPU) – chosen for its efficiency.
- RAM: 16 GB (2x 8 GB Crucial modules).
- Storage: 1 TB NVMe drive. This configuration provides ample resources for a powerful firewall system and is highly expandable, featuring two 2.5 Gigabit Ethernet ports, excellent cooling, 4x M.2 slots, and fast USB4 ports. Other suitable mini PC brands include Geekom and Zima, but always ensure they have at least two physical network interfaces.
OPNsense Installation Process#
- Download the Full Image: For most regular computer installations, download the VGA image type for USB drives from the OPNsense download page. Avoid the embedded image unless specific conditions apply.
- Create a Bootable USB Drive: Use tools like Balena Etcher to flash the OPNsense image to a USB stick.
- Boot and Install:
- Boot your PC from the USB drive. OPNsense will load into a live environment, allowing you to explore its features without making permanent changes.
- To install, log in with the username
installerand the passwordopnsense. This will launch a guided installation wizard.
- Filesystem Choice: The OPNsense documentation recommends ZFS in most cases for its reliability and redundancy capabilities (especially with multiple drives).
- Disk Selection: Be cautious, as installing OPNsense will erase all data on the selected disk.
- Post-Installation: After the installation completes and the system reboots, you’ll be presented with the OPNsense console, a basic administrative menu. The main configuration is done via the web interface after network setup.
Solving Realtek 2.5 Gigabit Network Driver Issues#
A common issue with some hardware, like the MinisForum MS-A1, is that OPNsense may not load Realtek 2.5 Gigabit network drivers by default, preventing network interface detection. If you can’t access the web interface, you’ll need to install these drivers via the OPNsense shell:
Steps to Install Drivers via Shell:#
- Download Packages: From
pkg.opnsense.org, navigate to the latest FreeBSD version for OPNsense and download theos-realtek-repackage and its dependency,realtek-re-kmod. Place these on a separate USB stick. - Identify USB Stick: On the OPNsense console, use the command
camcontrol devlistto identify your USB stick’s device name (e.g.,da0p1). - Install Packages:
- Create a mount point:
mkdir /mnt/usb - Mount the USB stick:
mount -t msdosfs /dev/da0p1 /mnt/usb(replaceda0p1with your device name if different) - Install the dependency first:
pkg add /mnt/usb/realtek-re-kmod.pkg - Then install the main package:
pkg add /mnt/usb/os-realtek-re.pkg
- Create a mount point:
- Reboot: After installation, reboot the system for the drivers to be loaded correctly.
Initial Network Interface Configuration#
After drivers are installed and interfaces are detected, configure your network:
- WAN Interface: Configure for DHCP to obtain an IP address from your existing home router, granting internet access.
- LAN Interface: Assign a static IPv4 address. This interface will act as the gateway for your HomeLab.
- DHCP Server: Enable the DHCP server on your LAN interface to automatically assign IP addresses to devices connected to your HomeLab network.
- VLANs (Optional): If you use VLANs, you can set them up at this stage.
- Important: Ensure your LAN subnet is different from your WAN subnet to prevent conflicts.
Once the basic network configuration is complete, OPNsense will provide the URL to access its main web interface, where all further advanced configurations are performed.
Key OPNsense Web Interface Configuration Areas#
Once logged into the OPNsense web interface, explore these critical sections:
- System: For general settings, access control, user management, firmware updates, and logs.
System→Settings→General(hostname, domain, theme)Gateways→Configuration
- Interfaces: To manage and configure your network interfaces, including VLANs, assignments, and specific settings for WAN and LAN.
Interfaces→Devices→VLANsInterfaces→Devices→AssignmentsInterfaces→WANInterfaces→LAN
- Services: To configure essential network services.
Services→ISC DHCPv4(for your DHCP server)Services→Unbound DNS→General&Query Forwarding(for DNS resolution)
- Firewall: To define and manage your network’s security rules.
Firewall→NAT→OutboundFirewall→Rules→LAN
