Part 1 of this article series was about why you want to build your own router, and how to assemble the APU2 that I chose as the hardware to build this on. Part 2 gave some Unix history and explained what a serial console is. Part 3 demonstrated serial access to the APU and showed how to update its firmware. The previous article detailed installing pfSense.
This post will show how to install OPNsense, a great alternative to pfSense.
OPNsense was forked from pfSense (more on than in the next post) and thus you will find lots of similarities if you have read the post on installing pfSense. The OPNsense team decided to move forward more quickly and did lots of interesting but invasive changes. One strong point for example is that it is already based on FreeBSD 11.0. There is one drawback to this, however: a problem with the XHCI (USB3) driver can lead to the installation media not being able to mount the filesystem and boot up. This makes installing OPNsense a little bit more complicated since the APU2 only has UBS3 ports.
Well, the board does have an internal USB2 controller, too. Therefore I suggest getting a cable that allows connecting USB devices to it. If this is not for you, take a look at the end of the post, I’ve prepared a section “alternative installation methods” there.
First download an image (select amd64 + serial). Then dd it onto an unused memstick and prepare the serial connection (take a look at the previous posts if you need help with dd’ing or attaching the serial console).
As you can see, I’ve attached a memstick with OPNsense via USB2 and made a serial connection. That way the installation works just fine.
Step 1: Installation
Hit F10 to go to the boot menu as soon as SeaBIOS offers it.
Since we’ve attached the memstick over USB2, the internal drive would take precedence over it in the default boot order. So in this case I have to select 2 to boot off of the memstick.
The OPNsense boot loader looks fine. If you’re installing 17.1 using USB2 you don’t need to do anything here.
One notable difference from pfSense is the early configuration importer. If you have a saved configuration XML file, you can put e.g. a UFS2 filesystem on a memstick, create a directory conf on it and copy config.xml there. That makes it available in the importer.
Then you have the option to assign roles to your interfaces (like WAN and LAN).
OPNsense gives you the choice to start the installer or to use a live system. Log in as user installer to perform an installation or as root in the other case. The password for both users is opnsense.
The OPNsense installer is black and white only when using the console. But that’s fine. The installer greets you with the welcome message.
The next screen lets you customize the console. You probably don’t need to do that.
Then you need to select the installation type. You could do advanced partitioning here or setup a softraid (gmirror). We’re going with the simple installation for this post.
Now you need to choose where to install to. The mSATA drive is ada0 whereas the memstick is da0.
OPNsense also lets you choose which partition scheme to use. In case of our router this is not terribly important, especially not with our sample installation that puts everything in one partition. But since stone age is over, you might as well choose GPT anyway.
While the progress meter was broken with pfSense, this has obviously been fixed for OPNsense. Not that you should reinstall all that often, but still…
Once the installation is finished, you of course want to reboot to your new system.
Before rebooting, OPNsense tells you how to access the Web GUI. However the IP address that it uses by default is already taken by my ISP’s modem/router box. We’re going to change that next.
Step 2: Text mode configuration
When the system has started up, you are prompted to log in. This is the default behavior which can be changed to allow unprotected login over the console like with pfSense. But in general I like that bit of extra security.
The text-mode configuration menu looks much like that of pfSense.
And the interface configuration works right the same.
As does the DHCP configuration.
Since OPNsense required a login, you can also log out when you’re done. Now disconnect the serial console – we’re done with it.
Step 3: Web GUI configuration
Just like pfSense, OPNsense offers a nice Web GUI to configure all the settings. Fire up your browser on a PC that is in the same subnet (or got its IP address via DHCP from the new router) and enter the router’s LAN IP address in the URL bar.
OPNsense uses https to create a secure connection, too. Of course a self-signed certificate is used which is not trusted by my Firefox. Therefore a permanent exception needs to be made.
Once you have confirmed the exception, you will see the login screen. Log in as root with the password opnsense.
On the first login you will be greeted by the configuration wizard. It will present you about the same choices as pfSense does (without the advertizing of the commercial version, of course).
First it’s some general information like hostname and DNS. What OPNsense offers over pfSense is i18n options: Chances are that you can configure the Web GUI to speak your language! That’s pretty nice.
Time server settings are just like those from pfSense.
WAN configuration offers you a lot of options. Take a close look at those. Fortunately you very likely don’t need most of what is there.
Same thing for the LAN configuration: You know that from pfSense.
Also with the password changing part there’s no surprise here.
That’s it. Reload the config now and you’re done with the wizard. OPNsense now has a basic configuration and is ready to be used.
Alternative installation methods
OK, you don’t have a cable to connect to the USB2 pins but you want OPNsense? There are several things that you can try. I’ve documented my attempts (including several solutions) on the OPNsense forums in case anybody needs them.
Here are a few things that you can try:
- Install from SD card (I didn’t try that but it should indeed work)
- Install 16.7 from USB3 with increase boot_delay and then update
- Install 17.1 using a USB cdrom, manually enabling the console and importing a pre-made configuration
Should you install 16.7 using a USB3 port, press ESC before the loader countdown runs out. This will drop you to the loader prompt. Then enter the following:
set kern.cam.boot_delay=10000 boot
That did the trick and made the system boot up for me. The actual installation is quite similar to what I covered above.
You could also use a USB cdrom to boot the installation – of course use the OPNsense cdrom ISO in this case! However the cdrom image does not have the serial console enabled by default. So escape to the loader prompt, set some variables to enable the serial console and boot:
set boot_multicons=YES set boot_serial=YES set comconsole_speed=115200 set console=comconsole,vidconsole
This will work, too. But there’s one little problem with that: The TTYs are configured on their own using a configuration file – and they are not ready for serial connection! Since this is a CD, we cannot really do much about that. What we can do, however, is using the configuration importer. I will upload a basic configuration xml and add it to this post when I next install a clean OPNsense.
The next post will be pfSense vs. OPNsense! It will discuss some of the notable differences and when to use which one.