This page covers common configuration steps for OPNsense deployments.
Use the same configuration file referenced in the setup guide for your installation.
OPNsense is mainly managed through its web UI.
Typical management URL:
https://<opnsense-lan-ip>/
Areas configured from the web UI include:
- Interfaces, VLANs, and routing
- Firewall rules and NAT policies
- VPN and remote access settings
- Logging and monitoring options
Recommended initial baseline:
- Configure WAN (DHCP/static) and LAN subnet explicitly.
- Restrict GUI and SSH management to trusted internal networks.
- Keep default deny behavior on WAN inbound traffic.
- Configure DNS resolver/forwarder and NTP.
- Enable MFA for administrative accounts where the deployment policy allows it.
¶ Firewall and NAT Baseline
- Add explicit allow rules for required internal-to-external traffic.
- Keep inbound NAT/port-forward entries minimal and documented.
- Use aliases for networks/hosts to simplify rule management.
- Keep interface assignments aligned with physical/virtual NIC mapping.
- Audit rule order and quick-match behavior to avoid unintended access.
- Segment sensitive services in dedicated VLANs where possible.
- Back up running configuration before upgrades and policy changes.
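To audit the rule-order and quick-match point above before applying a change, here is an added example (not OPNsense's own code) that models how pf evaluates a rule list: a matching rule with "quick" set ends evaluation, otherwise the last matching rule wins. The rule set, addresses and helper names are constructed for illustration.

```python
# Added example: offline model of OPNsense/pf rule evaluation for auditing
# rule order and the "quick" flag. All addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # destination port, None = any port
    quick: bool = True       # OPNsense GUI rules default to quick
    descr: str = ""

def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return _in(rule.src, src) and _in(rule.dst, dst) and rule.dport in (None, dport)

def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             default: str = "block") -> Tuple[str, str]:
    """pf semantics: a matching quick rule ends evaluation; otherwise the last
    matching rule wins; no match falls through to the default (deny)."""
    decision = (default, "default policy")
    for rule in rules:
        if not matches(rule, src, dst, dport):
            continue
        decision = (rule.action, rule.descr)
        if rule.quick:
            break
    return decision

def exposed_sources(rules: List[Rule], probes: List[str], dst: str, dport: int) -> List[str]:
    """Which probe hosts would reach dst:dport under this rule set."""
    return [h for h in probes if evaluate(rules, h, dst, dport)[0] == "pass"]

# Constructed sample: LAN-side rules guarding the firewall GUI at 192.168.1.1:443
GUI = ("192.168.1.1", 443)
PROBES = ["192.168.1.50", "192.168.30.7", "10.9.9.9"]  # admin LAN, guest VLAN, other

def baseline_rules() -> List[Rule]:
    return [Rule("block", "192.168.30.0/24", GUI[0], 443, descr="block GUI from guest VLAN"),
            Rule("pass", "192.168.1.0/24", GUI[0], 443, descr="allow GUI from admin LAN")]

def rules_with_broad_allow(quick: bool) -> List[Rule]:
    # An over-broad "allow GUI from any" placed first: its quick flag decides
    # whether the guest-VLAN block below it is ever reached.
    return [Rule("pass", "any", GUI[0], 443, quick=quick, descr="allow GUI (too broad)")] + baseline_rules()

if __name__ == "__main__":
    print("baseline:", exposed_sources(baseline_rules(), PROBES, *GUI))
    for q in (True, False):
        print(f"broad allow quick={q}:", exposed_sources(rules_with_broad_allow(q), PROBES, *GUI))
```

With the broad allow marked quick it shadows every rule below it; with quick cleared the guest block still applies, but unlisted networks are let through by the last-match rule, so the fix is to remove the broad rule rather than reorder it.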
Apply or reload the configuration via the UI or CLI.
In OPNsense, pending changes are applied from the UI; after applying, check the service status widgets to confirm the affected services restarted cleanly.
Then test connectivity and firewall rules to confirm the configuration behaves as intended.
Validation checklist:
- LAN clients receive expected DHCP and DNS.
- WAN inbound traffic is blocked by default.
- Port-forwarded services are reachable only as intended.
- VPN tunnels establish and route according to policy.
- Review firewall live logs for deny/allow anomalies.
- Keep IDS/IPS policies tuned to hardware capacity.
- Test restore from config backup after major updates.