A detailed lab guide to setting up an OPNsense Lab with a real-world environment topology. This guide assumes you are using virtualization software (e.g., VMware Workstation, VirtualBox, or Proxmox) to emulate the environment. It is divided into logical steps:
Lab Objectives
1. Learn to install and configure OPNsense as a firewall.
2. Create a simulated network environment for testing NAT, VLANs, VPN, and filtering policies.
3. Implement a realistic topology including LAN, DMZ, and WAN.
Lab Topology Overview
Environment
WAN: Simulates an external ISP (Internet).
LAN: Represents the internal private network.
DMZ: Hosts public services (e.g., a web server).
Components
OPNsense Firewall: The central firewall for routing and filtering.
LAN Client: Internal workstation (Windows/Linux VM).
Web Server in DMZ: Hosts a public-facing service.
Router/Gateway for WAN: Simulates an ISP connection.
Hardware/Software Requirements
1. Virtualization software (VMware/VirtualBox/Proxmox).
2. OPNsense ISO (downloadable from OPNsense.org).
3. VM instances for the LAN client and DMZ server (any OS).
4. Minimum specifications for OPNsense VM:
2 vCPUs.
4 GB RAM.
20 GB disk space.
3 Network Interfaces (WAN, LAN, DMZ).
Step-by-Step Guide
Step 1: Set up the Virtual Environment
1. Create Virtual Networks:
WAN Network: Assign a NAT or bridged adapter to connect to the internet.
LAN Network: Set as an internal network (isolated from the host).
DMZ Network: Another internal network separate from LAN.
2. Deploy OPNsense VM:
Attach three network adapters (WAN, LAN, DMZ).
Attach the OPNsense ISO to the VM and set the VM to boot from it.
Start the VM and follow the installation wizard.
Step 2: Install OPNsense
1. Boot from the ISO and follow the steps:
Select Install.
Choose the appropriate keyboard layout.
Partition the disk using Auto (ZFS) or another preferred method.
Set the root password.
2. After installation, reboot the system and remove the ISO.
Step 3: Initial Configuration
1. Access Console Menu:
Use the console to assign interfaces (the names below are those of the em driver; other virtual NICs appear under other names, for example vtnet for VirtIO adapters):
WAN → em0
LAN → em1
DMZ → em2
2. Assign IP Addresses:
WAN: Configure DHCP or use a static IP (e.g., 192.168.100.2).
LAN: Set to 192.168.1.1/24.
DMZ: Set to 192.168.2.1/24.
3. Save and apply changes.
Step 4: Configure OPNsense via Web Interface
1. Open a browser on the host (or on the LAN client VM, since the LAN network is isolated from the host) and navigate to https://192.168.1.1.
2. Log in using the default credentials:
Username: root
Password: (the one set during installation).
3. Follow the Setup Wizard:
Change the LAN and WAN IPs if needed.
Configure DNS and gateway (for internet access).
Enable access from the WAN only if required.
Step 5: Create Firewall Rules
1. LAN to WAN Rule:
Allow all outgoing traffic from LAN to WAN.
Navigate to Firewall > Rules > LAN.
Add a rule: Source: LAN net → Destination: any.
2. DMZ Rules:
Allow HTTP/HTTPS to the DMZ web server from WAN.
Block DMZ access to LAN. Place this block rule above any DMZ allow rule (such as DMZ net → any for internet access): rules are evaluated top down and the first match wins, so a broader allow rule listed first would silently cancel the isolation.
3. NAT Port Forwarding:
Forward incoming traffic on ports 80/443 from WAN to the DMZ web server, and make sure a matching WAN firewall rule allows the forwarded traffic (the port forward alone does not permit it).
Step 6: Set Up VLANs (Optional)
1. Go to Interfaces > Other Types > VLAN.
2. Create VLANs (e.g., VLAN 10 for management, VLAN 20 for guests).
3. Assign the VLANs to a parent interface (e.g., LAN).
Step 7: Verify Connectivity
1. LAN Client:
Deploy a VM connected to the LAN network.
Test internet access and access the DMZ web server.
2. DMZ Web Server:
Deploy a server (e.g., Ubuntu/Windows).
Host a sample web service and test external accessibility.
3. External Access:
Test accessing the web server in the DMZ from the WAN interface.
Step 8: Advanced Configuration (Optional)
1. VPN Setup:
Configure OpenVPN or IPsec for secure remote access.
2. IPS/IDS:
Enable intrusion detection/prevention in Services > Intrusion Detection.
3. Traffic Shaping:
Implement QoS to prioritize traffic in Firewall > Traffic Shaper.
Lab Testing Checklist
✅ Internet access for LAN clients.
✅ DMZ services accessible from the WAN.
✅ DMZ isolation from the LAN.
✅ Firewall rules correctly applied.
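To check the Step 5 rule set against this checklist before touching the firewall, the following added Python example (not part of the guide or of OPNsense itself) models OPNsense's top-down, first-match rule evaluation with the lab's subnets. The DMZ web server address 192.168.2.10 and the outside addresses are constructed, and WAN packets are evaluated after the port forward has rewritten their destination.

```python
from ipaddress import ip_address, ip_network

# Subnets from the guide; the WAN subnet and web server address are constructed for this example.
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
WAN = ip_network("192.168.100.0/24")
WEB_SERVER = ip_address("192.168.2.10")  # constructed DMZ web server
ANY = ip_network("0.0.0.0/0")

# Per ingress interface: (action, source net, destination net, allowed destination ports or None).
# Evaluated top down, first match wins, default deny when nothing matches.
RULES = {
    "LAN": [("pass", LAN, ANY, None)],                                   # LAN net -> any
    "WAN": [("pass", ANY, ip_network(f"{WEB_SERVER}/32"), {80, 443})],   # rule associated with the port forward
    "DMZ": [("block", DMZ, LAN, None), ("pass", DMZ, ANY, None)],        # block to LAN first, then allow out
}

def evaluate(iface, src, dst, dport, rules=RULES):
    """Return 'pass' or 'block' for a packet arriving on iface."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, ports in rules.get(iface, []):
        if src in s_net and dst in d_net and (ports is None or dport in ports):
            return action
    return "block"

def run_checklist(rules=RULES):
    """Lab Testing Checklist as concrete flows: name -> (expected, observed)."""
    return {
        "LAN client to internet (HTTPS)": ("pass", evaluate("LAN", "192.168.1.50", "203.0.113.5", 443, rules)),
        "WAN to DMZ web server (HTTP)":  ("pass", evaluate("WAN", "198.51.100.7", str(WEB_SERVER), 80, rules)),
        "WAN to DMZ web server (SSH)":   ("block", evaluate("WAN", "198.51.100.7", str(WEB_SERVER), 22, rules)),
        "DMZ web server to LAN client":  ("block", evaluate("DMZ", str(WEB_SERVER), "192.168.1.50", 445, rules)),
        "DMZ web server to internet":    ("pass", evaluate("DMZ", str(WEB_SERVER), "203.0.113.5", 80, rules)),
    }

def misordered_dmz_rules():
    """Same DMZ rules with the block placed after the allow-any rule: the LAN isolation disappears."""
    bad = dict(RULES)
    bad["DMZ"] = [("pass", DMZ, ANY, None), ("block", DMZ, LAN, None)]
    return evaluate("DMZ", str(WEB_SERVER), "192.168.1.50", 445, bad)

if __name__ == "__main__":
    for name, (expected, observed) in run_checklist().items():
        print(f"{'OK ' if expected == observed else 'FAIL'} {name}: {observed}")
    print("misordered DMZ rules let DMZ reach LAN:", misordered_dmz_rules() == "pass")
```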
This lab can be expanded further by adding features such as High Availability (HA) or by integrating third-party monitoring tools.