Overview
For this project, we will be looking at OPNsense and its use case in our networking / malware lab. I chose OPNsense mainly because of the way the documentation is formatted and displayed. After a quick glance, it appears that problem solving will be easier due to the docs if I run into any issues later. For my setup, I have already configured the bridges between Proxmox and my home network and will be setting up OPNsense to sit between my virtual machine labs and my home network.
OPNsense Download
Navigate to the OPNsense download page and select the amd64 system architecture, the DVD image type, and any mirror that you want to use for download. The image arrives as a bzip2-compressed .iso.bz2 with a matching .sha256 checksum file on the same mirror; keep both, because the published checksum covers the compressed file exactly as downloaded. Decompress the image, then store the resulting .iso in the folder where you keep all of your ISOs.
OPNsense download page — selecting amd64 and DVD image
Choose a mirror and download the ISO
Linking and Uploading ISOs to Proxmox
Navigate to Datacenter → Node → local(node name) → ISO Images and click Upload. Select the OPNsense .iso that we downloaded. The dialog can also check the file against a hash you supply: choosing "none" skips that check, but pasting the SHA256 of the decompressed .iso (computed on your own machine) lets Proxmox confirm the upload arrived intact. The mirror's published checksum should already have been checked against the compressed download before it was unpacked, since that is the copy it describes. Finally, select Upload to get the .iso image into Proxmox. If you have already downloaded other operating system ISOs, you can upload the rest here as well.
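The download-and-upload steps above as a script, added here as an example and not part of the original write-up: it verifies the compressed image against the mirror's .sha256 file, decompresses it, prints the hash of the resulting .iso for the Proxmox upload dialog, and copies the .iso into the node's ISO store over SSH. The file names and the Proxmox host name are assumptions; the checksum-file layout (BSD-style `SHA256 (file) = hash`, with GNU-style `hash  file` also accepted) follows what the OPNsense mirrors publish, and `/var/lib/vz/template/iso/` is the ISO directory of the default `local` storage on a Proxmox node.

```shell
#!/usr/bin/env bash
# Added example: verify an OPNsense image against its published checksum,
# decompress it, and copy it to a Proxmox node's ISO store.
# File names and the host below are assumptions; adjust them for your setup.

# sha256_of <file>: print the hex SHA256 of a file (coreutils or shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image <image> <checksum-file>
# Returns 0 when the image's SHA256 matches the entry for its basename in the
# checksum file, 1 on a mismatch, and 2 when a file or entry is missing.
verify_image() {
    local image="$1" sums="$2" name expected actual
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 2; }
    [ -f "$sums" ]  || { echo "missing checksum file: $sums" >&2; return 2; }
    name=$(basename "$image")
    # Take the 64-hex-digit hash from the line naming this file; this copes with
    # both "SHA256 (name) = hash" and "hash  name" layouts.
    expected=$(grep -F -- "$name" "$sums" | grep -oiE '[0-9a-f]{64}' | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256_of "$image")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# extract_image <image.iso.bz2>: decompress next to the original, keeping the
# original so it can be re-verified later. Prints the path of the .iso.
extract_image() {
    local bz="$1" iso="${1%.bz2}"
    case "$bz" in *.bz2) ;; *) echo "not a .bz2 file: $bz" >&2; return 2 ;; esac
    [ -f "$iso" ] || bzip2 -dk "$bz" || return 1
    echo "$iso"
}

# upload_iso <iso> <pve-host>: copy the .iso into the 'local' storage's ISO
# directory on the node, where it then shows up under local -> ISO Images.
upload_iso() {
    local iso="$1" host="$2"
    scp "$iso" "root@${host}:/var/lib/vz/template/iso/"
}

# Usage: ./verify-and-upload.sh OPNsense-XX.Y-dvd-amd64.iso.bz2 proxmox.lab
# (hypothetical names). Only runs when arguments are given, so the functions
# can also be sourced from another script.
if [ "$#" -ge 2 ]; then
    verify_image "$1" "$1.sha256" || exit 1
    iso=$(extract_image "$1") || exit 1
    sha256_of "$iso"   # paste this into the hash field of the Proxmox upload dialog
    upload_iso "$iso" "$2"
fi
```

The mirrors also carry an OpenSSL signature (.sig) next to each image; checking it against the key published on the download page is the stronger test, because a mirror that served a tampered image could just as easily serve a matching tampered .sha256.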
Creating the OPNsense VM
In Proxmox, create a new VM with the following settings. Give it enough resources for a firewall (two cores and 2 GB of RAM are plenty for a lab), attach the OPNsense ISO as the CD-ROM drive, and add two network devices that match your bridge setup: one on the bridge that reaches your home network, which will become the WAN side, and one on the isolated lab bridge, which will become the LAN side. Note the order in which you add them: the first device normally appears inside the guest as vtnet0 and the second as vtnet1, and that is the order you will assign interfaces by at the console. Boot from the ISO, log in as the installer user to start the OPNsense installation wizard, and proceed through it.
Initial OPNsense Configuration
Once OPNsense boots, you'll be guided through the installation process. At the console, assign the interfaces (which vtnet device is LAN and which is WAN), set a static IP on the LAN interface, and then browse to that address from a machine on the LAN side to reach the web interface; the default account is root with the password opnsense, which should be changed before anything else is configured. The web GUI is the primary management tool for firewall rules, DNS, DHCP, and security policies. Keep in mind that the default LAN rule passes any traffic from the LAN out through the firewall, so for a malware lab the rules that stop the lab network from reaching your home LAN still have to be written before any sample is run.
Once your options are configured, make sure you apply the latest updates (System → Firmware) and reboot OPNsense, after which you are done! You can move on to the other OS VMs safely knowing OPNsense has your back!
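The VM-creation steps above as a script for the Proxmox host shell, added here as an example that is not part of the original write-up. Before building the VM it checks that the lab bridge has no physical port attached (Proxmox records bridges in /etc/network/interfaces, and an isolated bridge is written as `bridge-ports none`), because a lab bridge with a physical NIC on it would let lab VMs reach the home network without ever passing through OPNsense. The VM ID, VM name, ISO name, bridge names (`vmbr0` facing the home network, `vmbr1` as the isolated lab bridge), disk size and storage names are assumptions for a typical lab.

```shell
#!/usr/bin/env bash
# Added example: create the OPNsense VM on a Proxmox node with one NIC on the
# home-network bridge (becomes WAN) and one on an isolated lab bridge (becomes LAN).
# VM ID, bridge names and storage names are assumptions; adjust them for your node.

# bridge_is_isolated <bridge> [interfaces-file]
# Returns 0 if the bridge's stanza in /etc/network/interfaces has "bridge-ports none",
# i.e. no physical NIC is attached and traffic can only leave through a VM on it.
bridge_is_isolated() {
    local br="$1" file="${2:-/etc/network/interfaces}"
    awk -v br="$br" '
        $1 == "iface" { inblk = ($2 == br); next }
        inblk && ($1 == "bridge-ports" || $1 == "bridge_ports") {
            found = 1; isolated = ($2 == "none")
        }
        END { if (found && isolated) exit 0; exit 1 }
    ' "$file"
}

# qm_create_cmd <vmid> <name> <iso-name> <wan-bridge> <lan-bridge>
# Prints the qm command. net0 becomes vtnet0 in the guest and net1 vtnet1; the
# ISO sits on ide2 and is first in the boot order so the installer starts.
qm_create_cmd() {
    local vmid="$1" name="$2" iso="$3" wan="$4" lan="$5"
    local cmd="qm create $vmid --name $name --ostype other --cores 2 --memory 2048"
    cmd="$cmd --scsihw virtio-scsi-pci --scsi0 local-lvm:16"
    cmd="$cmd --cdrom local:iso/$iso --boot 'order=ide2;scsi0'"
    cmd="$cmd --net0 virtio,bridge=$wan --net1 virtio,bridge=$lan"
    echo "$cmd"
}

# create_vm <vmid> <name> <iso-name> <wan-bridge> <lan-bridge> [interfaces-file]
# Refuses to build the VM unless the lab bridge is isolated, then runs the qm
# command on a Proxmox node or, anywhere else, just prints it.
create_vm() {
    local vmid="$1" name="$2" iso="$3" wan="$4" lan="$5" ifaces="${6:-/etc/network/interfaces}" cmd
    if ! bridge_is_isolated "$lan" "$ifaces"; then
        echo "refusing: $lan has a physical port; lab VMs could bypass OPNsense" >&2
        return 1
    fi
    cmd=$(qm_create_cmd "$vmid" "$name" "$iso" "$wan" "$lan")
    if command -v qm >/dev/null 2>&1; then
        eval "$cmd"
    else
        echo "$cmd"
    fi
}

# Usage on the node: ./create-opnsense-vm.sh --run   (names below are hypothetical)
if [ "${1:-}" = "--run" ]; then
    create_vm 200 opnsense OPNsense-dvd-amd64.iso vmbr0 vmbr1
fi
```

Once the installer has written OPNsense to the disk, flip the boot order with `qm set 200 --boot 'order=scsi0;ide2'` so the VM stops booting the installer. The bridge check is the part worth keeping around: a lab bridge that later picks up a physical port silently gives every lab VM a path around the firewall, and nothing in the OPNsense GUI will show it.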
✓ FINISHED!
Problems Encountered
The majority of my problems came from trying to access OPNsense from a computer that was not on the same LAN. Since I am segmenting Proxmox into two separate LANs that need different security containment, I chose not to run a physical RJ45 cable from the Proxmox node to the accessing machine. However, I thought I could get by with accessing the OPNsense management GUI over WAN. After an hour or so of troubleshooting and diagnosing why I could not access the OPNsense GUI from other desktop web browsers, I discovered that for security reasons, OPNsense blocks management access to the firewall itself from the WAN side. Many commands were used that showed lighttpd was open and talking on port 80, but I still could not access it.
Since OPNsense can't be accessed from the WAN, a forum tip led me to create a light Debian virtual machine in the same LAN that OPNsense was managing. With the Debian VM started up, we could open a web browser, navigate to the OPNsense web GUI, and access it correctly. This led me to rethink my malware lab setup and decide (at least for now) that the light Debian VM will also need to start on boot and will stay on (during lab practice) for the duration of the exercise to manage firewall rules.
What Worked Well
The OPNsense documentation is thorough and easy to follow. The web interface is intuitive for managing firewall rules, NAT configurations, and security policies. The integration with Proxmox through bridged networking worked smoothly once properly configured.
What I'd Do Differently
I would have planned the network architecture more carefully before starting. Having a management VM on the same LAN from the beginning would have saved troubleshooting time. I would also document the network topology and firewall rules as I build them.
Terms & Concepts Used
OPNsense
A free, open-source firewall and routing platform based on FreeBSD, used to manage network traffic, security policies, and VPN connections.
ISO Image
A disc image file format (.iso) used to distribute operating systems and software for installation on virtual or physical machines.
amd64
The 64-bit x86 architecture, also known as x86-64 or Intel 64, used in most modern computers and servers.
Bridge
A Layer 2 networking component that joins network segments. In Proxmox, a Linux bridge (vmbr0, vmbr1, ...) acts as a virtual switch: a bridge with a physical port attached lets virtual machines reach the physical network as if directly connected, while a bridge with no port attached is an isolated segment whose VMs can only talk to each other and to whatever VM routes for them.
LAN (Local Area Network)
A network of computers and devices in a limited geographical area (like a home or office) connected via switches or routers.
WAN (Wide Area Network)
A network that spans a large geographical area, such as the Internet, connecting multiple LANs together. On a firewall such as OPNsense, WAN also names the interface facing the upstream, untrusted side; in this lab that is the home network, which is why the firewall treats it as outside.
Firewall
A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Web GUI (Graphical User Interface)
A web-based interface accessed through a browser that allows users to configure and manage system settings and firewall rules.
lighttpd
A lightweight, open-source web server used in OPNsense to host the web management interface.
Debian
A free and open-source Linux distribution known for stability, used to create lightweight VMs for management and administration tasks.
Virtual Machine (VM)
A software emulation of a physical computer that runs an operating system and applications independently on a host machine.
Static IP
A fixed IP address assigned to a device that does not change, useful for servers and firewalls that need consistent addressing.
DHCP (Dynamic Host Configuration Protocol)
A network protocol that automatically assigns IP addresses and network configuration settings to devices on a network.
DNS (Domain Name System)
A system that translates human-readable domain names (like example.com) into IP addresses for network communication.
NAT (Network Address Translation)
A networking technique that maps private IP addresses to public IP addresses, allowing internal network devices to communicate externally.
Firewall Rules
Configured policies that determine which network traffic is allowed or blocked based on source, destination, port, and protocol.