OPNsense on the Vault

OPNsense Overview

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform.  It is a popular choice for those interested in an open source firewall.  More information about OPNsense can be found on the OPNsense website https://opnsense.org/


Pre-Installed information

OPNsense can now be selected as a pre-installed option during checkout. By default, OPNsense assigns the LAN port to the first Ethernet port and the WAN port to the second Ethernet port.

WAN and LAN are assigned to correctly match the ports as labeled on the Vault. The VP2410 has numbered ports, not specifically labelled “WAN” and “LAN”. The VP2410 uses the OPNsense defaults and  LAN is assigned to “1” and WAN is assigned to “2”.

LAN default IP address is with DHCP enabled

WebUI access via

Default login credentials: 




Install OPNsense

Note:  A previous article was published at this link regarding an important issue and workaround in OPNsense due to the fact that it is based on FreeBSD 11.2 . Both of these issues can be resolved by setting BIOS to UEFI mode on the Vault. This article supersedes that one and following the instructions below eliminates the need to refer to the previous article. See the BIOS Compatibility table at the bottom of this article for more information.

Note: The serial image uses the MBR partition scheme, which requires legacy BIOS. If using UEFI only mode the USB installer will not appear in the boot menu.

Obtain the Installation Image and Uncompress it

The OPNsense installation image can be downloaded from https://www.opnsense.org/download/. The same image can be used to install OPNsense on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Architecture” and “Image Type”.  The proper selections are as follows and shown in the screenshot below.

Architecture: AMD64 (64 bit) Note: The 32 bit version will not work.  Be sure to download the 64 bit version.

Image Type: VGA or Serial as needed.  What you choose here depends on how you want to access the OPNsense console.  This is NOT how you will manage your OPNsense installation on a daily basis, but rather the way that you will access OPNsense in the event that you cannot log into the web UI.  A Serial console installation allows you to interface with the OPNsense console without a physical keyboard or monitor.  In order to use the serial connection, you will need to use the blue RJ45 to serial cable provided with your vault.  If your computer does not have a DB9 serial connection, you will need a USB to serial adapter.  A VGA installation will require a USB keyboard and HDMI monitor (FW2B, FW4B, FW6, VP) or VGA monitor (FW1, FW2, FW4A).

protectli opnsense select image type

OPNsense Download Page

This article shows an example installation with version 19.1 of OPNsense.  Unless advised to the contrary, we recommend downloading the latest available version.

Now that the compressed image file has been downloaded, you will need to use a program like “7zip” or “winzip” on Windows to decompress the file.  The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.gz”.

Burn the Installation Image to a USB Drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “balenaEtcher” on Apple OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or balenaEtcher.

Note: If using the Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and the USB keyboard with a plug that is relatively skinny.  The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

Verify the BIOS Mode

As mentioned above there is a simple fix to the bug introduced in 11.2. By changing the BIOS mode to UEFI the issue is resolved. We have a Knowledge Base article which gives step by step instructions linked here. If the unit is a VP2410 and has coreboot installed, it will be in UEFI mode by default.

Install the Operating System on the Vault

Once the OPNsense installation image is properly copied to the USB drive, it is ready to be installed on the Vault.

Important Note: The ports marked “WAN” and “LAN” are reversed when using OPNsense. In order to correct this issue see the PORT REVERSAL section below. For the VP2410, the ports are numbered, not specifically “WAN” and “LAN”, so port reversal is not needed, but the configuration steps are shown below.

  • Verify the Vault is powered down
  • Verify the monitor is connected
  • Verify the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
  • While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
  • Select “Advanced” tab
  • Select “CSM Configuration”
  • Select “Boot option filter”
  • Select “UEFI only”
  • Press “F4” to save and exit the BIOS
  • Power off the unit and insert the USB install drive into the other USB port on the Vault
  • While powering up the Vault again, press “F11” key and verify that it boots to the BIOS boot options screen.
    • NOTE: If using the serial installer, F11 commonly will not show the boot options menu.  In this case, use the “DEL” key to enter the BIOS.  In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.
  • Select the USB drive UEFI partition to boot from
  • Verify the Vault boots into a console menu/graphic and begins the installation process


As noted above to fix the WAN/LAN ports use the following:

When prompted during install to “Press any key to start the manual interface assignment”. Note you only have a few second before this times out.

  • Press any key to continue

When prompted “Do you want configure VLANs now?”

  • enter the following command:N

When prompted to “Enter the WAN interface name”

  • For FW1, FW2, FW4A, FW6A,B,C enter the following command:em0
  • For FW2B and FW4B enter the following command: igb0
  • For VP2410 enter the following command: igb1

When prompted to “Enter the LAN interface name”

  • For FW1, FW2, FW4A, FW6A,B,C enter the following command: em1
  • For FW2B and FW4B enter the following command: igb1
  • For VP2410 enter the following command: igb0
  • If you have additional interfaces those can be configured in the GUI after install is complete
  • Verify login prompt occurs. In order to finish install of OPNsense, login as user “installer” with password “opnsense”
  • Verify installation screen appears. Follow the prompts on the screen to complete the installation
  • When prompted, reboot the system
  • Verify unit reboots to login prompt
  • Browse to the OPNsense dashboard at login with the default credentials. Username: root Password: opnsense
  • Verify the dashboard is displayed

OPNsense has a comprehensive installation procedure that describes each step of the process here.

protectli opnsense dashboard

OPNsense Dashboard

When prompted, reboot the unit. If it is a VP2410 with coreboot, follow the instructions to edit the boot order at:


Once rebooted, OPNsense should be up and running on The Vault.

If you experience any issues, please feel free to reach out: support@protectli.com.


OPNsense BIOS Compatibility

The table below shows the compatibility of tested releases of OPNsense and BIOS on each of the Vaults.


VaultOPNsense VersionBIOS - LegacyBIOS - UEFIBIOS - coreboot
FW121.7.1Fail, Use UEFITestedN/A
FW221.7.1Fail, Use UEFITestedN/A
FW4A21.7.1Fail, Use UEFITestedN/A
FW121.1Fail, Use UEFITestedN/A
FW221.1Fail, Use UEFITestedN/A
FW4A21.1Fail, Use UEFITestedN/A