How to Install and Configure OPNsense in VMware

In this guide, we will walk through the complete installation and configuration of OPNsense, an open-source firewall, in a virtual home lab environment using VMware Workstation. We will cover downloading the ISO, setting up the virtual machine with multiple network segments, performing the initial CLI configuration, and finally setting up firewall rules via the web interface.

Step 1: Download and Extract OPNsense

OPNsense is free and open-source. To get started, visit opnsense.org and navigate to the download section.

1. Select Architecture and Mirror

Choose the DVD ISO image type (usually paired with amd64 architecture). Select a mirror close to your location for faster download speeds.

2. Extract the File

The downloaded file will be compressed (e.g., .bz2). You will need a tool like 7-Zip to extract the actual .iso file from the archive before you can use it in VMware.

Step 2: Create the Virtual Machine

We will configure the VM to act as a central router/firewall for our lab network.

1. VM Configuration

Create a new Virtual Machine in VMware Workstation. Select "Typical" and browse to your extracted OPNsense ISO file.

OS Type: FreeBSD (OPNsense is based on FreeBSD).
Disk: 20 GB single file is sufficient.
Memory: Increase to 4 GB.
Processors: 2 cores.

2. Network Adapters (Crucial Step)

We need three distinct network adapters to simulate a real firewall environment:

Adapter 1 (WAN): Set to Bridged mode. This connects the VM directly to your physical network, allowing it to receive an IP from your home router (simulating an ISP connection).
Adapter 2 (LAN 1): Set to LAN Segment 1. This will connect to your Windows 11 client VM.
Adapter 3 (LAN 2): Set to LAN Segment 2. This will connect to your Windows Server VM.

Step 3: Installation via CLI

Power on the VM. It will boot into a "Live Mode". To perform a permanent installation, log in with the user installer and password opnsense.

1. Guided Installation

Follow the installer prompts:

Select your keymap (default is US).
Choose ZFS as the file system (recommended).
Select Stripe (no redundancy needed for a single virtual disk).
Select the virtual disk (da0) and confirm to destroy contents.

Once installation is complete, reboot the system.

Step 4: Assign Interfaces and IP Addresses

After rebooting, log in as root with password opnsense. You will be presented with a text-based menu.

1. Assign Interfaces (Option 1)

Select Option 1. Based on the MAC addresses in VMware settings, map the interfaces:

WAN: em0.
LAN: em1.
Optional (LAN 2): em2.

2. Set Interface IP Addresses (Option 2)

By default, LAN 1 might conflict with your home network IP range. We need to change it.

Select LAN interface.
Configure IPv4: Static (Type 'n' for DHCP).
IP Address: 192.168.11.1 (or any subnet different from your WAN).
Subnet: /24.
Gateway: None (Press Enter).
Enable DHCP Server: Yes. Range 192.168.11.100 to 192.168.11.199.

Step 5: Web GUI Configuration

Switch to your Windows 11 VM (connected to LAN Segment 1). It should receive an IP in the 192.168.11.x range. Open a browser and navigate to http://192.168.11.1.

1. Initial Wizard

Log in (root/opnsense). The wizard will guide you through general setup like hostname, domain, and DNS servers (e.g., 8.8.8.8).

Important: Uncheck "Block RFC1918 Private Networks" on the WAN interface settings. Since our WAN is a private home network, keeping this checked would block our internet access.

2. Configure Second LAN Interface

Go to Interfaces > Assignments. You will see the optional interface (opt1). Enable it, rename it to "LAN Server", and set a static IPv4 address (e.g., 192.168.22.1/24).

Step 6: Firewall Rules

By default, the new LAN interface (LAN 2) blocks all traffic. We need to create a rule to allow traffic.

1. Create Pass Rule

Navigate to Firewall > Rules > LAN Server (or whatever you named the second interface).

Click Add.
Action: Pass.
Interface: LAN Server.
Protocol: Any (to allow internet access and ping).
Source: LAN Server Net.
Destination: Any.

Click Save and Apply Changes. Your Windows Server on LAN 2 should now have internet connectivity and be able to communicate with devices on LAN 1.

← Back to Guides Homepage