Building an OPNsense Firewall with a Protectli FW4B

In this article, I will guide you through the process of building a custom firewall using OPNsense on a Protectli FW4B device. OPNsense is a powerful open-source firewall and routing platform that provides a wide range of features including VPN, traffic shaping, intrusion detection, and much more. By setting up a firewall with OPNsense on reliable hardware, you can ensure better network security and performance for your home or small office network.

What You Will Need

To build this firewall, you will need the following components:

  • Protectli FW4B: A compact network appliance designed for custom firewall installations. It provides excellent performance for home and small office networks. The CPU (Intel® J3160) in this appliance is strong enough to handle the traffic for even a medium-sized office. The 4-port version of the Protectli gives you room for later extensions - even if we use just 2 ports in our demo setup.
  • CRUCIAL-DDR3L-8GB: A low-voltage DDR3L RAM module. OPNsense does not require much RAM, but 8GB will provide plenty of headroom for future needs. In theory any DDR3 SO-DIMM will fit into the Protectli, but I’ve chosen a low-voltage version to cut down power usage to a minimum.
  • Kingston mSATA KC600 240GB SSD: A high-performance SSD for the system installation. The SSD will improve boot times and overall system performance compared to traditional hard drives. You can also use any mSATA drive in your Protectli - I’ve ordered a well-known/compatible one directly from the Protectli website to ensure maximum compatibility.
  • OPNsense Installation Media: A USB flash drive with the OPNsense installation image.

Step 1: Preparing the Installation Media

  1. Download OPNsense:
    Visit the OPNsense website and download the latest stable image for your architecture (amd64 in our case). Select the appropriate version based on the platform and desired features. I’ve used the vga version, because our Protectli offers an HDMI port to attach a monitor for setup.

  2. Create Bootable USB:
    Use software like Rufus (for Windows) or dd (for Linux/Mac) to create a bootable USB drive with the OPNsense installation image. For example, using dd on Linux:

    sudo dd if=OPNsense.img of=/dev/sdX bs=4M status=progress && sync
    

    Replace /dev/sdX with the correct device name of your USB drive.
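Before running dd, it is worth confirming that the download matches its published checksum and that /dev/sdX really is the USB stick, since dd overwrites whatever device it is given. The script below is an added example, not part of the original article; the function names and the checksum-file layout (BSD-style `SHA256 (name) = hex` or GNU-style `hex  name`) are assumptions.

```shell
#!/bin/sh
# Added example: verify an image against a checksum file, then guard the dd target.
# Function names and checksum-file layout are assumptions, not from the article.

# Print the SHA-256 listed for file name $2 in checksum file $1.
# Accepts BSD style "SHA256 (name) = hex" and GNU style "hex  name".
expected_sha256() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print tolower($4); exit }
        NF == 2 && ($2 == name || $2 == ("*" name))         { print tolower($1); exit }
    ' "$1"
}

# Return 0 only if the file's actual hash equals the listed one.
verify_image() {   # usage: verify_image IMAGE CHECKSUM_FILE
    want=$(expected_sha256 "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no checksum entry for $1" >&2; return 2; }
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# Return 0 only if DEV is a removable disk with nothing mounted from it.
# USB sticks normally report removable=1; internal disks report 0.
safe_target() {    # usage: safe_target /dev/sdX
    name=$(basename "$1")
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = "1" ] ||
        { echo "$1 is not flagged removable" >&2; return 1; }
    if grep -q "^$1" /proc/mounts; then
        echo "$1 has mounted partitions; unmount first" >&2; return 1
    fi
}

# Write the image only after both checks pass.
write_image() {    # usage: write_image IMAGE CHECKSUM_FILE /dev/sdX
    verify_image "$1" "$2" && safe_target "$3" &&
        sudo dd if="$1" of="$3" bs=4M status=progress && sync
}
```

If the published checksum covers a compressed download rather than the extracted .img, run verify_image on the download before decompressing it.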


Step 2: Preparing the Protectli FW4B Device

  1. Install the CRUCIAL-DDR3L-8GB RAM:
    • Open the case of your Protectli FW4B and insert the CRUCIAL-DDR3L-8GB RAM module into the available slot. Ensure the RAM is properly seated.
  2. Install the Kingston mSATA KC600 SSD:
    • Insert the Kingston mSATA KC600 240GB SSD into the mSATA slot on the Protectli FW4B device. This SSD will be used to install the OPNsense system.
  3. Connect the Protectli FW4B to a Monitor and Keyboard:
    • Use an HDMI cable or the shipped serial-to-USB adapter for terminal access. Connect your monitor and keyboard to the Protectli FW4B so you can interact with the BIOS and the OPNsense installation process.

Step 3: Installing OPNsense

  1. Boot from USB:
    Insert the USB drive with the OPNsense installation image into one of the USB ports on the Protectli FW4B. Power on the device, and during the boot process, access the boot menu (usually by pressing F12, Esc, or a similar key). Choose the USB drive as the boot device.

  2. Install OPNsense:
    Once the system boots into the OPNsense installer, follow these steps:

    • Select the default installation language (English) and press Enter.
    • Choose Install (Full Installation) to install the complete OPNsense system to the Kingston mSATA SSD.
    • Accept the license agreement.
    • Select the mSATA SSD as the destination for the OPNsense installation.
    • Choose the appropriate disk partitioning scheme (the default settings should work for most setups).
    • Confirm your choices and proceed with the installation.
  3. Finalize the Installation:
    After installation completes, the system will prompt you to remove the installation media (the USB drive) and reboot. Follow the instructions, and the system will boot into OPNsense.


Step 4: Initial OPNsense Configuration

  1. Access the OPNsense Web Interface:
    Once OPNsense has booted, it will provide you with an IP address for the web interface (usually 192.168.1.1). Open a web browser on a computer connected to the same network and navigate to the address provided.

  2. Login to OPNsense:
    Use the default login credentials:
    • Username: root
    • Password: opnsense
  3. Run the Setup Wizard:
    Upon logging in, OPNsense will offer a setup wizard to guide you through the initial configuration. Follow the wizard to configure:
    • LAN and WAN interfaces.
    • System hostname and domain.
    • Timezone.
    • Admin password (make sure to set a strong password here).
    • Network settings for your environment.
  4. Configure Network Interfaces:
    You will need to configure the interfaces for your network. By default, OPNsense will detect the LAN and WAN interfaces, but you can modify them to fit your needs. Assign the correct interfaces for the internal (LAN) and external (WAN) networks.

    I would also use an additional (management) LAN port without any rules as a fallback: if you manage to lock yourself out of the web interface, you need to use the terminal (HDMI/serial port) to fix things. With a local (management) LAN port, you may still have the chance to access the web interface in this case!


Step 5: Finalizing the Setup

  1. Enable Firewall Rules:
    OPNsense will create basic firewall rules during the installation process, but you can customize these rules further from the Firewall section in the web interface. By default, OPNsense allows all traffic from the LAN interface and blocks all incoming traffic from the WAN interface.

  2. Set Up VPN (Optional):
    If you plan to use a VPN for remote access to your network, OPNsense has built-in support for OpenVPN, IPsec, and other VPN protocols. You can set up a VPN by navigating to VPN > OpenVPN and following the configuration wizard.

  3. Install Additional Packages (Optional):
    You can install additional packages such as Snort (intrusion detection), Suricata (network monitoring), and AdGuardHome (ad-blocking) through the System > Firmware > Plugins section.


Step 6: Secure and Maintain the Firewall

  1. Change the Default Admin Password:
    If you haven’t already, change the default admin password to something strong and unique. You can do this by going to System > Access > Users and editing the root account.

  2. Backup Your Configuration:
    After completing the initial setup, it’s always a good idea to back up your configuration. Go to System > Configuration > Backups and create a backup of your current configuration.

  3. Set Up Automatic Updates:
    OPNsense allows you to automatically update the system and packages. To enable this, go to System > Settings > Administration and configure the update settings.

  4. Monitor the Firewall:
    Use the Dashboard and System Logs to monitor the health and activity of your firewall. OPNsense provides a user-friendly interface to keep track of network traffic, system health, and firewall logs.


Final words

You have now successfully built a powerful and secure firewall using OPNsense on a Protectli FW4B device. This setup provides a robust solution for protecting your network and managing your internet traffic. I managed to send > 1 Gbit/s on LAN to LAN (from one VLAN to another - routed by OPNsense) and also > 300 Mbit/s LAN to WAN using this appliance without even generating any noteworthy load.

OPNsense also offers a wide range of features that will allow you to fine-tune your network security, and with the combination of high-quality hardware and OPNsense, you can ensure that your firewall runs efficiently and securely for years to come.

This post is licensed under CC BY 4.0 by the author.