How to Install OPNsense on the Vault

Last Updated On March 22, 2019
You are here:

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform.  It is a popular choice for those interested in an open source firewall.  More information about OPNsense can be found on the OPNsense website.

To either install or re-install a fresh instance of OPNsense onto the Vault, there is a relatively straight forward process that is very similar to installing any operating system onto any computer.

  1. Obtain the installation image
  2. ‘Burn’ the installation image to a USB drive
  3. Install the new image from the USB drive onto the Vault

The following article will detail how to install OPNsense onto your Protectli Vault.

Note: If using the Vault FW1x, FW2x, or FW4x, be sure to use a USB stick and the USB keyboard with a plug that is relatively skinny.  The 2 USB ports on the Vault are very close to each other and if either the USB stick or the USB keyboard plug is too wide, you will not be able to plug both in at the same time, which will prevent you from doing the installation.

opnSense 19.1 is based on FreeBSD 11.2. There is a known issue in FreeBSD 11.2 that causes console I/O not to work on some systems. The symptom is that the console will appear frozen with the message “Booting” on the screen. The unit is actually booting, but the console is frozen. This issue and the workaround for FreeBSD 11.2 were originally described at this link. The Vault FW1, FW2, and FW4A series are affected by this issue. The FW2B, FW4B, and FW6 series are not affected. This issue only affects the  “VGA” installation image. It does not affect the  “Serial”.  This article will describe how to fix the issue by changing the BIOS config. See instructions below.

Verify Hardware Recommendations and Installation Process

OPNSense has good documentation regarding hardware recommendations on their web site. Be sure to review this link to verify that  the proper memory and storage is available for the intended application.

OPNSense has a comprehensive installation procedure that describes each step of the process here.

Obtain the Installation Image and Uncompress it

The OPNsense installation image can be downloaded from The same image can be used to install OPNsense on any of the Vault platforms. It is important to choose the correct options when downloading the image including “Architecture” and “Image Type”.  The proper selections are as follows and shown in the screenshot below.

Architecture: AMD64 (64 bit)

Image Type: VGA or Serial as needed.  What you choose here depends on how you want to access the OPNsense console.  This is NOT how you will manage your OPNsense installation on a daily basis, but rather the way that you will access OPNsense in the event that you cannot log into the web UI.  A Serial console installation allows you to interface with the OPNsense console without a physical keyboard or monitor.  In order to use the serial connection, you will need to use the blue RJ45 to serial cable provided with your vault.  If your computer does not have a DB9 serial connection, you will need a USB to serial adapter.  A VGA installation will require a USB keyboard and HDMI monitor (FW2B, FW4B, FW6A, FW6B, FW6C) or VGA monitor (FW1, FW2, FW4A).

OPNsense Download Page

As of this writing, the Vault has been tested with version 19.1 of OPNsense.  Unless advised to the contrary, we recommend downloading the latest available version.  Your download should begin immediately and when it is completed you should have a compressed IMG file (an example file name is: OPNsense-18.7-OpenSSL-vga-amd64.img.bz2) downloaded that is ~300MB in size.

Now that the compressed image file has been downloaded, you will need to use a program like “7-zip” (Windows – link)  or built in tools like bz2 (MacOS Command Line – link) to decompress the file.  The resulting file should look the same, except that the file name will now end in “.img” instead of “.img.bz2”.

Burn the installation image to a USB drive

The easiest way to transfer the installation image to a USB drive is by using software called “Rufus” on Windows or “Etcher” on Apple OSX. See this link for detailed instructions on how to create a bootable USB drive using Rufus or Etcher.

Install the new image

Once the OPNsense installation image is properly copied to the USB drive, it is ready to be installed on the Vault.

  • Verify that the Vault is powered down
  • Verify that the VGA monitor or serial console is connected
  • Verify that the USB keyboard is plugged in (you can skip this step if you are using the serial installer)
  • While powering up the Vault, press “DEL” key and verify that it boots to the BIOS.
  • Select “Advanced” tab
  • Select “CSM Configuration”
  • Select “Boot option filter”
  • Select “UEFI only”
  • Press “F4” to save and exit the BIOS
  • Power off the unit and insert the USB install drive into the other USB port on the Vault
  • While powering up the Vault again, press “F11” key and verify that it boots to the BIOS boot options screen.
    • NOTE: If using the serial installer, F11 commonly will not show the boot options menu.  In this case, use the “DEL” key to enter the BIOS.  In the BIOS, a specific boot device can be chosen from the last, or rightmost tab.
  • Select the USB drive UEFI partition to boot from
  • Verify that the Vault boots and begins the installation process and when it finishes there is a “login” prompt.
  • In order to finish install of OPNsense onto the SSD, login as user “installer” with password “opnsense”
  • Follow the prompts on the screen to complete the installation of OPNsense from the USB

When OPNsense is installed, the USB can be removed, the Vault repowered and verify the system boots to the login prompt.

At this point, the user can browse to the OPNsense dashboard at the default IP address of and configure the system, other ports, services, etc.

Important Note: The ports marked “WAN” and “LAN” are reversed when using OPNsense. The LAN port with default IP address of is actually marked “WAN”. The WAN port that comes with some default rules applied is marked “LAN”.