OPNsense on a Mini PC: Firewall Router Setup Guide
By LK Wood IV · 2026-06-13 · ~15 min read · St. Louis County, MO
Your ISP’s combined modem/router is a black box with unknown firmware update schedules, weak default credentials, and no visibility into what’s happening on your network. OPNsense on a $150–300 mini PC gives you a fully open-source firewall, a real IDS/IPS system, proper VLAN support, and complete visibility — for less than a year of a commercial UTM subscription.
This guide takes you from zero to a working OPNsense installation with DHCP, DNS, IDS, and your homelab devices connected.
Hardware requirements
OPNsense is FreeBSD-based and runs on x86-64 hardware. You need:
Minimum: 2-NIC machine, 2GB RAM, 8GB storage (a 16GB USB drive or SSD)
Recommended for homelab:
- Protectli VP2420 or VP4630 — 4× Intel i225 2.5GbE NICs, N6005 or N100 CPU, 4–8GB RAM, designed for this purpose. $200–350.
- Topton N100 4-NIC box — similar to Protectli but cheaper Chinese equivalent. $100–180 on AliExpress/Amazon. Uses Intel i226 NICs which have driver quirks in FreeBSD — check OPNsense forum for current status before buying.
- Any N100/N5105 mini PC + USB NIC — not recommended for main router (USB reliability), fine for testing.
For a homelab with gigabit internet and 8–16 devices, an N100 machine with 4GB RAM handles line-rate forwarding comfortably. IDS/IPS (Suricata) adds meaningful CPU load at high traffic rates — at 500Mbps sustained, an N100 handles basic IDS with 10–15% CPU.
Step 1: Download and install OPNsense
Download the OPNsense ISO from opnsense.org/download. Choose:
- Architecture: amd64
- Image type: dvd (for installation media)
Write to a USB drive:
# Linux/macOS (if the download is the .bz2-compressed image, decompress it first with bunzip2)
dd if=OPNsense-*.iso of=/dev/sdX bs=4M status=progress
Or use Balena Etcher on Windows.
Boot your mini PC from the USB. OPNsense boots to a live environment. Log in as installer / opnsense.
The installer (option 1 from the menu) asks:
- Keymap — US unless you’re on a different layout
- Install mode — ZFS (recommended for hardware with NVMe/SSD) or UFS
- Target disk — your main storage device
- Partition scheme — GPT (UEFI) for modern hardware
Installation takes 2–5 minutes. Remove the USB when prompted and reboot.
Step 2: Initial console setup
After reboot, OPNsense boots to a console menu. Before touching the web UI:
Option 1: Assign interfaces. Tell OPNsense which physical NIC is WAN and which is LAN:
Do you want to configure VLANs now? [y/N]: N
Enter the WAN interface name: igc0 (or igb0, em0 — depends on your hardware)
Enter the LAN interface name: igc1
The NIC names shown are from FreeBSD drivers:
- igc — Intel i225/i226 (common in modern mini PCs)
- igb — Intel i210/i211/i350 (older enterprise NICs)
- em — older Intel NICs
- re — Realtek (avoid for WAN if possible — driver reliability)
Option 2: Set interface IPs. OPNsense defaults to 192.168.1.1 for LAN. If your current network uses 192.168.1.x, change LAN to 192.168.0.1 to avoid conflicts:
Configure IPv4 address LAN interface via DHCP? No
Enter new LAN IPv4 address: 192.168.0.1
Enter new LAN IPv4 subnet bit count: 24
After setting the LAN IP, OPNsense shows the web UI URL: https://192.168.0.1.
Step 3: First login and basic configuration
Connect a laptop to the LAN port of your OPNsense machine. Open https://192.168.0.1 in a browser. Accept the self-signed certificate warning.
Default credentials: root / opnsense
The setup wizard runs automatically:
- General — set hostname (opnsense), domain (lan), DNS servers (leave blank to use the DNS resolver, or set to 1.1.1.1, 8.8.8.8)
- Time — set timezone and enable NTP
- WAN — set WAN type based on your ISP:
- DHCP: ISP assigns IP dynamically (most cable/fiber)
- PPPoE: DSL, fiber with separate modem (enter ISP username/password)
- Static: if your ISP gave you a fixed IP
- LAN — confirm your LAN IP and subnet (the one you set in console)
- Password — change the root password
After completing the wizard, your internet connection should be working. Test: System → Diagnostics → Ping → ping 8.8.8.8 from the WAN interface.
Step 4: Configure DHCP
Navigate to Services → DHCPv4 → [LAN]:
- Enable: checked
- Range: set the DHCP pool (e.g., 192.168.0.100 to 192.168.0.199, leaving .1–.99 for static IPs)
- DNS Servers: leave blank to use OPNsense’s built-in resolver, or enter your Pi-hole IP
Under DHCP Static Mappings, add entries for devices you want fixed IPs (your Proxmox nodes, NAS, printers):
- Enter the MAC address and the IP you want to assign
- Optionally set hostname — makes OPNsense’s logs more readable
Step 5: DNS — Unbound resolver
OPNsense includes Unbound DNS Resolver, which handles DNS resolution locally rather than forwarding everything to your ISP’s resolver.
Navigate to Services → Unbound DNS:
- Enable: checked
- Listen Port: 53
- Network Interfaces: LAN (and any VLANs you create)
- DNSSEC: enable for DNS validation
Under Query Forwarding (optional): if you want DNS queries forwarded to a specific server (Pi-hole, NextDNS, Quad9) rather than resolved locally by Unbound, add forwarders here. Without forwarders, Unbound resolves recursively from root servers — this is the most private option.
Local host overrides. Under Unbound DNS → Host Overrides, add entries for local services:
pve01 lan 192.168.0.10
pve02 lan 192.168.0.11
nas01 lan 192.168.0.20
Now pve01.lan resolves to 192.168.0.10 from any device on your network.
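To plan the static mappings from Step 4 and the host overrides from Step 5 together, here is an added Python check (not from this guide or from OPNsense) that validates a homelab address plan against the guide's 192.168.0.0/24 layout and .100–.199 pool, then emits the three mapping fields and the host override lines. The hostnames are the guide's; the MAC addresses are constructed.

```python
import ipaddress
import re

# Constructed plan following the guide: LAN 192.168.0.0/24, gateway .1, DHCP pool
# .100-.199 for dynamic clients, static mappings below .100. MACs are made up.
LAN_SUBNET = ipaddress.ip_network("192.168.0.0/24")
LAN_GATEWAY = ipaddress.ip_address("192.168.0.1")
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"), ipaddress.ip_address("192.168.0.199"))
HOSTS = [  # (hostname, MAC, IPv4)
    ("pve01", "52:54:00:aa:bb:01", "192.168.0.10"),
    ("pve02", "52:54:00:aa:bb:02", "192.168.0.11"),
    ("nas01", "52:54:00:aa:bb:03", "192.168.0.20"),
]
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def validate_plan(hosts, subnet=LAN_SUBNET, pool=DHCP_POOL, gateway=LAN_GATEWAY):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], {"IP": set(), "MAC": set(), "hostname": set()}
    for name, mac, ip in hosts:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac}")
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append(f"{name}: {ip} is outside {subnet}")
        elif pool[0] <= addr <= pool[1]:
            problems.append(f"{name}: {ip} lies inside the DHCP pool {pool[0]}-{pool[1]}")
        elif addr == gateway:
            problems.append(f"{name}: {ip} is the OPNsense LAN address itself")
        for label, key in (("IP", addr), ("MAC", mac), ("hostname", name)):
            if key in seen[label]:
                problems.append(f"{name}: duplicate {label} {key}")
            seen[label].add(key)
    return problems

def static_mappings(hosts):
    """The three fields OPNsense asks for per DHCPv4 static mapping (Step 4)."""
    return [{"mac": mac.lower(), "ipaddr": ip, "hostname": name} for name, mac, ip in hosts]

def host_overrides(hosts, domain="lan"):
    """Unbound host override entries in the 'host domain ip' form the guide lists (Step 5)."""
    return [f"{name} {domain} {ip}" for name, _mac, ip in hosts]

if __name__ == "__main__":
    for line in validate_plan(HOSTS) or ["address plan OK"]:
        print(line)
    print("\n".join(host_overrides(HOSTS)))
```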
Step 6: Enable IDS/IPS with Suricata
OPNsense includes Suricata for intrusion detection and prevention (IDS/IPS). Installing it adds deep packet inspection that flags and optionally blocks known malicious traffic patterns.
Install Suricata: System → Firmware → Plugins → search "os-suricata" → Install
After install, navigate to Services → Intrusion Detection:
- Enable: checked
- IPS mode: checked (actually blocks threats, not just alerts — start with unchecked/detection-only for a week to see what it flags)
- Interfaces: WAN (intrusion detection on inbound traffic). Alerts raised on WAN show your public address rather than the internal host, because Suricata sees the traffic after NAT; add LAN as well if you want per-host attribution.
- Pattern matcher: Hyperscan (fastest, requires AVX2 — check your CPU supports it), or AC-BS for compatibility
Rulesets. Under the Download tab, enable:
- ET Open (Emerging Threats Open) — free, good coverage
- ET Pro Telemetry (free tier) — better coverage, requires registration
After enabling rulesets, click Download & Update Rules.
Under the Rules tab, you’ll see thousands of individual rules. Start with all enabled and tune from there as you see false positives. Most home network traffic won’t match any rule at all.
Schedule updates. Under Schedule, set Suricata to update rules daily. Threat intelligence is only useful if it’s current.
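For the detection-only week, here is an added Python helper (not part of this guide or of OPNsense) that reads Suricata's EVE JSON log, assumed to be /var/log/suricata/eve.json on OPNsense, and counts alerts per signature and per source so the noisy rules stand out before you switch on IPS mode. The log lines below are constructed; the SIDs and signature names are illustrative.

```python
import json
from collections import Counter

# Constructed EVE JSON records in the shape Suricata writes (one JSON object per
# line). On OPNsense the file is assumed to be /var/log/suricata/eve.json.
SAMPLE_EVE = """\
{"timestamp":"2026-06-13T10:01:02.000000-0500","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.2","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-06-13T10:01:05.000000-0500","event_type":"flow","src_ip":"192.168.0.10","dest_ip":"1.1.1.1","proto":"UDP"}
{"timestamp":"2026-06-13T10:02:11.000000-0500","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.2","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-06-13T10:05:40.000000-0500","event_type":"alert","src_ip":"192.168.0.20","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":3}}
{"timestamp":"2026-06-13T10:06:00.000000-0500","event_type":"alert","src_ip":"198.51.100.99","dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
"""

def parse_alerts(eve_text):
    """Yield only event_type == 'alert' records; skip flow/dns/etc. and unparsable lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn line from log rotation should not abort the whole run
        if rec.get("event_type") == "alert":
            yield rec

def summarize(eve_text):
    """Count alerts per (sid, signature) and per source IP; collect severity-1 hits."""
    by_sig, by_src, high = Counter(), Counter(), []
    for rec in parse_alerts(eve_text):
        alert = rec["alert"]
        by_sig[(alert["signature_id"], alert["signature"])] += 1
        by_src[rec["src_ip"]] += 1
        if alert.get("severity") == 1:
            high.append((rec["timestamp"], rec["src_ip"], rec["dest_ip"], alert["signature"]))
    return by_sig, by_src, high

def review_first(by_sig, threshold=2):
    """SIDs that fired at least `threshold` times: the ones to inspect in the Rules tab
    for false positives before IPS mode would start dropping that traffic."""
    return sorted(sid for (sid, _name), count in by_sig.items() if count >= threshold)

if __name__ == "__main__":
    sigs, srcs, high = summarize(SAMPLE_EVE)
    for (sid, name), count in sigs.most_common():
        print(f"{count:4d}  sid {sid}  {name}")
    print("severity-1 alerts:", high)
    print("review first:", review_first(sigs))
```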
Step 7: Firewall rules review
OPNsense’s default ruleset after setup:
- WAN: block all inbound (correct)
- LAN: allow all outbound (permissive default)
For a homelab, the default LAN rule (allow all) is usually fine to start. Tighten it after you understand your traffic patterns:
Block private RFC1918 ranges on WAN (should be auto-configured but verify):
Firewall → Rules → WAN → look for “Block private networks” rule. OPNsense adds this automatically when you run the setup wizard.
Add a rule to block IoT devices from reaching your main LAN (after setting up VLANs — see the VLAN guide):
- Source: IoT_VLAN net
- Destination: LAN net
- Action: Block
Step 8: Connect your homelab
With OPNsense handling DHCP and DNS, connect your Proxmox nodes, NAS, and other homelab devices to the LAN port’s switch. They’ll get IPs from OPNsense’s DHCP pool and use OPNsense as their gateway.
Set static DHCP mappings for your homelab nodes so their IPs don’t change. In Proxmox, set the gateway on each node’s network config to OPNsense’s LAN IP.
Check connectivity: from a Proxmox node, ping 1.1.1.1 should succeed through OPNsense’s WAN. ping pve02.lan should resolve and succeed through Unbound.
Ongoing maintenance
OPNsense pushes updates frequently. Apply them under System → Firmware → Updates. Security patches often come weekly. Unlike pfSense Plus, OPNsense community edition has no paywall on updates.
Backups. Export OPNsense config: System → Configuration → Backups → Download. Store this off the firewall — if the unit fails, you can restore the full config to a new box in minutes.
Once OPNsense is routing your homelab, set up VLANs to isolate IoT devices from your main network. AdGuard Home + Local DNS pairs naturally with OPNsense — run AdGuard in an LXC and point OPNsense’s DHCP DNS setting at it for network-wide ad blocking and local hostname resolution. OPNsense’s built-in WireGuard plugin (WireGuard self-hosted VPN guide) gives you remote access without a separate VPN host. The homelab firewall stack guide covers the broader architecture decision between OPNsense, pfSense, and MikroTik.