Configuring OPNsense firewall in high availability cluster mode on Yandex BareMetal servers
This solution allows configuring an OPNsense
The idea of this solution is that only the OPNsense firewall
The solution must be fault-tolerant, so a high availability cluster
For the secure network segment clients to automatically get IP addresses and the correct gateway address, the solution employs an ISC DHCPv4 server in a high-availability configuration. With OPNsense, the list of DHCP addresses can be replicated between the cluster servers with the Master and Backup roles.
Solution diagram:
-
Public BareMetal subnet of the
ru-central1-m4
server pool. -
Private BareMetal subnet:
opnsense-private-subnet-m4
. -
Two BareMetal servers within the OPNsense cluster:
opnsense-master
andopnsense-backup
. This guide uses OPNsense firewall version25.1
. -
One BareMetal server,
vmware-esxi
running the VMware ESXi virtualization platform. This guide uses ESXi hypervisor version7.0U3g
. -
The
vmware-esxi
server runs a VM instance namedopnsense-tester-vm
. This guide uses a Linux Ubuntu 24.04 VM created without a graphical user interface (GUI). -
Installation server
,jump-server
, required for configuring your OPNsense and ESXi servers and accessing their private IP addresses.The installation server must have a GUI
and a web browser . To make the configuration process easier for you, in this guide, the role of the installation server will be played by a BareMetal server booted into recovery and diagnostics mode from the Rescue CD.Note
As an alternative to the Rescue CD, you can use a VPN connection to access the private IP addresses of your servers from outside the private subnet. Using a VPN connection on OPNsense servers requires configuring a static route to a network segment outside of the current private subnet.
To configure your OPNsense firewall in high availability cluster mode on Yandex BareMetal servers:
- Get your cloud ready.
- Create your boot images in BareMetal.
- Create a private BareMetal subnet.
- Lease BareMetal servers.
- Configure an OPNsense high availability cluster.
- Install a hypervisor and create a virtual machine.
- Test the solution.
If you no longer need the resources you created, delete them.
Getting started
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console
and log in to Yandex Cloud or register a new account. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of the proposed solution includes:
- Fee for leasing the BareMetal servers (see Yandex BareMetal pricing).
- Fee for data storage in Object Storage and data operations (see Yandex Object Storage pricing).
Create your boot images in BareMetal
The OPNsense firewall and ESXi hypervisor will be installed on your BareMetal servers from the custom BareMetal boot images you will prepare before you begin deploying the infrastructure.
Upload the software ISO images to Yandex Object Storage
To create the infrastructure proposed by this solution, you will need ISO images
Note
Yandex Cloud does not provide distributions of these software products; you should purchase them yourself.
Upload the OPNsense and ESXi distribution images to your Object Storage bucket:
- If you have no Object Storage bucket yet, create a bucket with limited access.
- Upload the images to your bucket via the management console, AWS CLI, or WinSCP. In Object Storage terms, the uploaded image files are objects.
- Get links to the images you uploaded. Use these links when creating the boot images in BareMetal.
Create your boot images in BareMetal
-
In the management console
, select the folder you are going to create your infrastructure in. -
From the list of services, select BareMetal.
-
In the left-hand panel, select
Boot images. -
Click Upload image.
-
Enter a name for your OPNsense image. The naming requirements are as follows:
- It must be from 2 to 63 characters long.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
-
(Optional) Add a description for the image.
-
Paste the link to the OPNsense image you got in Object Storage.
-
Click Upload.
-
Similarly, create an ESXi boot image.
Create a private BareMetal subnet
- In the management console
, select the folder to create your infrastructure in. - From the list of services, select BareMetal.
- In the left-hand panel, select
Private subnets and click Create subnet. - In the Pool field, select the
ru-central1-m4
server pool. - In the Name field, enter a name for the subnet:
opnsense-private-subnet-m4
. - Without enabling the IP addressing and routing option, click Create subnet.
Lease BareMetal servers
-
In the management console
, select the folder to create your infrastructure in. -
In the list of services, select BareMetal and click Lease server.
-
In the Pool field, select the
ru-central1-m4
server pool. -
Under Configuration, select the appropriate server configuration.
To test the solution, a configuration with minimum hardware specifications will be enough.
-
Under Image, select
No OS
. -
In the Lease duration field, select a lease period:
1 day
,1 month
,3 months
,6 months
, or1 year
.When this period expires, server lease will be automatically renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.
-
Under Network settings:
- In the Private subnet field, select
opnsense-private-subnet-m4
, which you created earlier. - In the Public address field, select
Automatic
.
- In the Private subnet field, select
-
Under Server information in the Name field, enter a name for the server:
opnsense-master
. -
Click Lease server.
-
Similarly, lease one more server named
opnsense-backup
in theru-central1-m4
server pool. -
Similarly, lease two more servers named
vmware-esxi
andjump-server
in theru-central1-m4
server pool. But selectNo address
in the Public address field under Network settings when filling the lease form.
Note
It may take up to 20 minutes to get the servers ready. During this time, the servers will have the Provisioning
status, then switching to Ready
.
Configure an OPNsense high availability cluster
Configuring a high availability cluster involves installing the OPNsense firewall on two BareMetal servers, followed by creating and configuring an OPNsense cluster from those servers.
Install the OPNsense firewall on your servers
Tip
To save time, you can run the OPNsense installation on your opnsense-master
and opnsense-backup
servers in two different browser windows at the same time. On both of these servers, the installation is performed in the same way.
-
Connect to the
opnsense-master
server's KVM console.Note
You will perform all further actions under this configuration step in the KVM console window.
-
In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:
- In the CD/DVD Media1 section, click Browse and select the OPNsense image you saved earlier in the
user-iso
directory. - Click Connect CD/DVD.
- Check the Status section for the Virtual CD 1 device to make sure the Connected To field now gives the path to the image you selected, and click Close.
- In the CD/DVD Media1 section, click Browse and select the OPNsense image you saved earlier in the
-
To boot the server up from the selected image, click Reboot to cdrom in the top-right corner of the KVM console.
-
Wait for the server to boot up and for the OPNsense interactive shell to initialize – this can take up to ten minutes.
When the initialization is complete, the terminal screen in the KVM console will prompt you for authentication:
login:
-
Authenticate with the following credentials:
- Username:
installer
- Password:
opnsense
Tip
To paste text from the clipboard to the KVM console, use the Paste text here field in the upper right corner.
- Username:
-
In the Keymap Selection window, keep the default value,
Continue with default keymap
, and press Enter. -
In the action selection dialog box, select
Install (ZFS)
and press Enter. -
Under ZFS Configuration, select
mirror
and press Enter. -
In the next window dedicated to selecting block devices to create a virtual RAID array, use the up and down arrows and space to select the server HDDs or SSDs, e.g.,
sda0
andsda1
. Press Enter. -
In the potential data loss alert window, confirm you agreement to modify the partition table. Use the up and down arrows to select
YES
and press Enter.This will start OPNsense installation on the server.
Alert
During the installation, do not close or refresh the KVM console window. Otherwise, the installation image will be unmounted from the BareMetal server, and you will have to restart the installation.
The installation may take up to an hour.
-
Once the installation is complete, select
Root Password
in the Final Configuration window to set a password for theroot
user and press Enter. Enter and confirm the password. -
Once you set the password, select
Complete Install
in the Final Configuration window and press Enter. -
In the Installation Complete window, select
Reboot now
and press Enter. -
In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:
- Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to
Not connected
. - Click Close.
- Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to
-
Similarly, install OPNsense on the
opnsense-backup
server.
Pre-configure your OPNsense servers
Before proceeding to configure the OPNsense cluster, pre-configure the network interfaces of both your OPNsense servers:
-
Connect to the OPNsense server's KVM console.
Note
You will perform all further actions under this configuration step in the KVM console window.
-
Authenticate as the
root
user with the password you set when installing the server. If you had not set a password for theroot
user, the default one isopnsense
.If authenticated successfully, you will see a text menu of basic server settings with a list of possible actions.
-
Make sure that network interfaces are set up in the system:
Note
Depending on the BareMetal server configuration, it can be equipped with
Intel
orMellanox
network cards. While the OS kernel automatically configures network interfaces forIntel
cards, configuring network interfaces forMellanox
cards may involve additional steps.-
Type in
8
(Shell
option) and press Enter to open the OS terminal. -
Check for the network interfaces:
ifconfig
If the command output features network interfaces with the
LAN
andWAN
descriptions (description
), no additional actions are required.For example:
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mt description: LAN (lan) options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG> ether 00:25:90:3:a1:fe inet 192.168.1.1 netmask Oxffffff00 broadcast 192.168.1.255 inet6 fe80::225:90ff:fee3:a1fe%igb0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (1000baseT ‹full-duplex>) status: active nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mt description: WAN (wan) options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG> ether 00:25:90:3:a1:ff inet 94.126.204.143 netmask Oxfffffffe broadcast 94.126.204.143 inet6 fe80::225:90ff:fee3:a1ff%igb1 prefixlen 64 scopeid 0x2 media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
In the example above, the
igb0
andigb1
network interfaces have the descriptionsLAN
andWAN
, respectively, and IP addresses assigned. In which case you can proceed to the next step.What to do if the output features no
LAN
andWAN
interfaces with addresses assigned.-
Create and open an additional configuration file named
loader.conf.local
:ee /boot/loader.conf.local
-
Add the following line to the new configuration file:
mlx4en_load="YES"
-
Save the changes and close the file. To do this, press the Esc + Enter key combination and type
a
in the window that opens. -
Reboot the system:
reboot
-
Wait for the system to reboot, authenticate, and go to the OS terminal.
-
Re-run the
ifconfig
command to make sure the required network interfaces are now available in your system. TheMellanox
interfaces will have the following IDs:mlxen0
andmlxen1
.
-
-
Exit the OS terminal:
exit
-
-
Configure the server LAN interface:
-
Type
2
(Set interface IP address
option) and press Enter:1 - LAN (igb0 - static, track6) 2 - WAN (igb1 - dhcp, dhep6)
-
Type the LAN interface number and press Enter.
-
Configure IPv4 address LAN interface via DHCP? [y/N]
:Enter
n
to set a static IPv4 address for the interface. -
Enter the new LAN IPv4 address. Press <ENTER> for none
:MasterBackupEnter the address:
192.168.1.252
.Enter the address:
192.168.1.253
. -
Enter the new LAN IPv4 subnet bit count (1 to 32)
:Enter the subnet CIDR
prefix, e.g.,24
. -
For a WAN, enter the new LAN IPv4 upstream gateway address. For a LAN, press <ENTER> for none
:Press Enter not to set the gateway address.
-
Configure IPv6 address LAN interface via WAN tracking? [Y/n]
:Enter
n
not to configure an IPv6 address via the Track Interface function. -
Configure IPv6 address LAN interface via DHCP6? [y/N]
:Enter
n
not to configure getting an IPv6 address via DHCP6. -
Enter the new LAN IPv6 address. Press <ENTER> for none
:Press Enter not to set the IPv6 address.
-
Do you want to enable the DHCP server on LAN? [y/N]
:Enter
n
not to configure the DHCP server. You will configure the DHCP server later via the web interface. -
Do you want to change the web GUI protocol from HTTPS to HTTP? [y/N]
:Enter
y
to use HTTP to access the server configuration web interface. -
Restore web GUI access defaults? [y/N]
:Enter
y
to use default settings to access the server configuration web interface.
The OPNsense server settings will be updated; you can configure the OPNsense servers and cluster further via the web interface at the specified addresses:
MasterBackupYou can now access the web GUI by opening the following URL in your web browser: http://192.168.1.252
You can now access the web GUI by opening the following URL in your web browser: http://192.168.1.253
Additional settings for connection to the web interface via VPN.
-
Type in
8
(Shell
option) and press Enter to open the OS terminal. -
Configure the static route to the VPN segment of the network:
MasterBackuproute add <VPN_segment_CIDR> 192.168.1.252
route add <VPN_segment_CIDR> 192.168.1.253
Where
<VPN_segment_CIDR>
is the CIDR of a subnet in the VPN segment, e.g.,172.28.1.0/24
. -
Make sure the route has been added:
netstat -rn4
The command output should contain a routing entry in this format:
MasterBackup172.28.2.0/24 192.168.1.252. UGS. mlxen1
172.28.2.0/24 192.168.1.253. UGS. mlxen1
-
This concludes the OPNsense server pre-configuration procedures. To further configure the servers and cluster, access the web interface.
Set up an OPNsense server cluster
To set up an OPNsense server cluster, you need an installation server (jump server) with a graphical user interface and access to the private subnet the cluster hosts are connected to.
To make the configuration process easier for you, in this guide, the role of this installation server will be played by a jump-server
server leased earlier and booted into recovery and diagnostics mode from the Rescue CD.
Note
You will perform all further actions under this configuration step in the KVM console window.
-
Start
jump-server
from the Rescue CD by selecting the default boot option,Boot SystemRescue using default options
, from the SystemRescue main menu.Running SystemRescue will launch the SystemRescue OS terminal in the KVM console.
-
To start the SystemRescue GUI, run the
startx
command in the SystemRescue OS terminal. -
As the
opnsense-private-subnet-m4
private subnet has no DHCP server yet, configure the network interface manually:- In the bottom-right corner of the SystemRescue GUI, right-click the network icon and select
Edit Connections...
. - In the window that opens, under Ethernet, select
Wired connection 1
and click the gear icon. - In the settings window that opens, go to the IPv4 Settings tab and select
Manual
in the Method field. - Under Addresses, click Add. In the Address field, enter
192.168.1.20
; in the Netmask field,24
. - Click Save.
- In the bottom-right corner of the SystemRescue GUI, right-click the network icon and select
-
Make sure that network access to the OPNsense servers is now available. To do this, click the terminal icon in the bottom-left corner of the screen; in the window that opens, run this command:
ping 192.168.1.252 -c3
Result:
PING 192.168.1.252 (192.168.1.252) 56(84) bytes of data. 64 bytes from 192.168.1.252: icmp_seq=1 ttl=64 time=0.110 ms 64 bytes from 192.168.1.252: icmp_seq=2 ttl=64 time=0.127 ms 64 bytes from 192.168.1.252: icmp_seq=3 ttl=64 time=0.115 ms --- 192.168.1.252 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2024ms tt min/avg/max/mdev = 0.110/0.117/0.127/0.007 ms
Network connectivity with the OPNsense server has now been established.
Tip
If the
ping
command does not return packets from the server, try disabling theWired connection 1
network interface and configuring theWired connection 2
interface instead. -
In the bottom-right corner, click the Firefox icon to open the web browser.
-
Configure both your OPNsense servers in the browser window:
-
In the browser address bar, enter the server address:
MasterBackuphttp://192.168.1.252
http://192.168.1.253
-
On the authentication page, enter
root
for username and use the password you set when installing the server. If you had not set a password for theroot
user, the default one isopnsense
. -
Specify the high availability cluster settings:
-
In the main menu, go to the high availability cluster settings:
System
→High Availability
→Settings
. -
In the Synchronize all states via field, select the
LAN
interface. -
In the Sync compatibility field, select
OPNsense 24.7 or above
. -
In the Synchronize Peer IP and Synchronize Config fields:
MasterBackupSpecify the IP address for your Backup server:
192.168.1.253
.Specify the IP address for your Master server:
192.168.1.252
. -
In the Remote System Username field, enter
root
for username.Note
For synchronization purposes, you can create additional users on OPNsense servers in the
System
→Access
section of the main menu. -
In the Remote System Password field, enter the password to the account you specified above.
-
In the Services field, select the services for synchronization. Click
Select All
to select all services, which is a good option to demonstrate what the solution can do. -
Click Apply to save and apply the changes.
-
-
Specify the CARP virtual IP settings:
-
In the main menu, go to the virtual IP address settings:
Interfaces
→Virtual IPs
→Settings
. -
Click
to add a new virtual IP address and do the following in the window that opens:-
In the Mode field, select
CARP
. -
In the Interface field, select
LAN
. -
In the Network / Address field, specify
192.168.1.254/24
. -
In the Peer (ipv4) field:
MasterBackupSpecify the IP address for your Backup server:
192.168.1.253
.Specify the IP address for your Master server:
192.168.1.252
. -
In the Password field, set a password to protect your CARP group.
Use the same password when configuring both servers.
-
In the VHID Group field, set the group ID, e.g.,
101
.Use the same group ID when configuring both servers.
-
Click Save to save the virtual IP address settings.
-
-
Click Apply to apply the changes.
-
-
Configure the DHCP server in the private subnet:
-
In the main menu, go to the DHCP settings:
Services
→ISC DHCPv4
→LAN
. -
Turn on Enable DHCP server on the LAN interface.
-
In the Range field, specify the range of private subnet IP addresses available for clients through your DHCP server, e.g., from
192.168.1.100
to192.168.1.199
. -
In the DNS servers field, specify the domain name server addresses that will be issued to your clients, e.g.,
77.88.8.8
. -
In the Gateway field, specify the IP address for the CARP interface you configured earlier:
192.168.1.254
. -
In the Default lease time (seconds) field, specify the lease period for the provided IP address, in seconds, e.g.,
3600
. -
In the Failover peer IP field:
MasterBackupSpecify the IP address for your Backup server:
192.168.1.253
.Specify the IP address for your Master server:
192.168.1.252
. -
Click Save to save the DHCP server settings.
-
-
-
On the
Master
server, synchronize the cluster host settings:Note
With OPNsense in cluster mode, firewall settings should first be changed on the
Master
host. TheBackup
host will get the updated parameters through change synchronization.- In your web browser address bar, enter the server address:
http://192.168.1.252
. - In the main menu, go to the high availability cluster settings:
System
→High Availability
→Status
. - Scroll down the list of services and click
under Synchronize and reconfigure all (Restart all services
).
Warning
Change synchronization also restarts the services.
- In your web browser address bar, enter the server address:
-
Check the CARP group status on both hosts:
MasterBackup-
In your web browser address bar, enter the Master server address:
http://192.168.1.252
. -
In the main menu, go to the virtual IP address settings:
Interfaces
→Virtual IPs
→Status
. -
On the Addresses tab, view the Status column to make sure the server got the
Master
role.If the address status is
DISABLED
, click Temporarily disable CARP and then Enable CARP. As a result, the virtual address status should change to the right one. -
Navigate to the pfSync nodes tab to make sure there are two hosts in the list.
-
In your web browser address bar, enter the Backup server address:
http://192.168.1.253
. -
In the main menu, go to the virtual IP address settings:
Interfaces
→Virtual IPs
→Status
. -
On the Addresses tab, view the Status column to make sure the server got the
Backup
role.If the address status is
DISABLED
, click Temporarily disable CARP and then Enable CARP. As a result, the virtual address status should change to the right one. -
Navigate to the pfSync nodes tab to make sure there are two hosts in the list.
-
This concludes the bulk of the high availability cluster configuration procedures.
Further configuration may involve creating firewall rules. However, for the purposes of this guide, it is enough to have a basic set of rules plus automatically generated NAT rules that will allow your clients to access the internet, i.e., allow traffic to flow through the firewall between the LAN and WAN interfaces.
Install a hypervisor and create a virtual machine
Install a hypervisor
-
Connect to the
vmware-esxi
server's KVM console.Note
You will perform all further actions under this configuration step in the KVM console window.
-
In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:
- In the CD/DVD Media1 section, click Browse and select the VMware ESXi image you saved earlier in the
user-iso
directory. - Click Connect CD/DVD.
- Check the Status section for the Virtual CD 1 device to make sure the Connected To field now gives the path to the image you selected, and click Close.
- In the CD/DVD Media1 section, click Browse and select the VMware ESXi image you saved earlier in the
-
To boot the server up from the selected image, click Reboot to cdrom in the top-right corner of the KVM console.
-
Wait for the server to boot up and for the ESXi installer's interactive shell to initialize, start the installation process, and accept the terms and conditions of the license agreement (EULA).
-
Select the server disk to install the hypervisor on and the preferred keyboard layout.
-
Set the
root
user password for access to the hypervisor settings. -
To start the ESXi installation, confirm your agreement to modify the partition table.
-
Wait for the installation to complete and press Enter to restart your server.
-
In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:
- Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to
Not connected
. - Click Close.
- Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to
-
Wait for the hypervisor to start and configure the network settings as follows:
-
To go to settings, press F2 and enter the
root
user password you set during the installation.If no password was set during the installation, by default you log in to the
root
user account without any password. -
In the main settings menu, select
Configure Management Network
. -
In the menu that opens, select
IPv4 Configuration
. -
Use the space key to select
Set static IPv4 address and network configuration
and specify the following:- IPv4 Address: Any free IP address that is part of the
opnsense-private-subnet-m4
private subnet and is not in the range of addresses available for clients through the OPNsense DHCP server, e.g.,192.168.1.50
. - Subnet Mask: Subnet mask
,255.255.255.0
. - Default Gateway: CARP virtual IP address you created earlier in the OPNsense cluster,
192.168.1.254
.
- IPv4 Address: Any free IP address that is part of the
-
Press Enter to save the changes.
-
Press Esc to exit the settings menu and apply your changes.
-
In the window that opens, confirm that you want to apply the updated settings and restart the network interface.
-
Create a VM
To create and configure VMs, you need an installation server (jump server) with a graphical user interface and access to the private subnet with a hypervisor connected.
To make the configuration process easier for you, in this guide, the role of this installation server will be played by a jump-server
server leased earlier and booted into recovery and diagnostics mode from the Rescue CD.
Note
You will perform all further actions under this configuration step in the KVM console window.
-
Start
jump-server
from the Rescue CD by selecting the default boot option,Boot SystemRescue using default options
, from the SystemRescue main menu. -
To start the SystemRescue GUI, run the
startx
command in the SystemRescue OS terminal. -
In the bottom-right corner, click the Firefox icon to open the web browser.
-
Download to the server an ISO image of the OS you want installed on your VM.
Note
For the purposes of this guide, the VM will be running Linux Ubuntu 24.04
without a GUI (Server install image
). -
In the address bar, enter the hypervisor address, e.g.,
https://192.168.1.50/
. -
On the authentication page, enter
root
for username and use the password you set when installing ESXi. -
Download the image of the OS you want installed on your VM to the hypervisor file storage:
-
In the left-hand main menu, select Storage.
-
In the window that opens, select
datastore1
. -
In the menu at the top, click Datastore browser and do the following in the window that opens:
-
Click Create directory and create one named
ISO
. -
Select the new
ISO
directory and click Upload. -
In the window that opens, select the ISO image you downloaded earlier.
By default, downloaded files are saved to
/Home/Downloads/
. -
Wait for the image to download and click Close in the bottom-right corner of the window.
-
-
-
Create a virtual machine:
-
In the left-hand main menu, select Virtual Machines and click Create / Register VM.
-
In the Select creation type window, select
Create a new virtual machine
and click Next. -
Do the following in the Select a name and guest OS window:
- In the Name field, enter a name for the new VM, e.g.,
opnsense-tester-vm
. - In the Guest OS family field, select
Linux
. - In the Guest OS version field, select
Ubuntu Linux (64-bit)
. - Click Next.
- In the Name field, enter a name for the new VM, e.g.,
-
In the Select storage window, select
datastore1
and click Next. -
In the Customize setting window, do the following on the Virtual Hardware tab:
- In the CPU field, select the number of vCPUs you want to allocate to your VM, e.g.,
4
. - In the Memory field, select the amount of RAM you want to allocate to your VM, e.g.,
8 GB
. - In the Hard disk 1 field, select the hard disk volume you want to allocate to your VM, e.g.,
50 GB
. - In the CD/DVD Drive 1 field, select
Datastore ISO file
. In the window that opens, select the image you downloaded earlier. - Leave other parameters as they are and click Next.
- In the CPU field, select the number of vCPUs you want to allocate to your VM, e.g.,
-
In the Ready to complete window, check the parameters of the new VM and click Finish to create it.
-
In the left-hand main menu, select Virtual Machines. Select the
opnsense-tester-vm
VM. -
In the window that opens, click
Power on or the icon in the VM preview window. -
Click the VM preview window and expand it to full screen.
-
Follow through the OS installation procedure after selecting the preferred language, keyboard layout, installation type, etc. You can leave all settings at their defaults: this will be enough to test the proposed solution within the scope of this guide.
On the network settings screen, make sure that the VM was assigned a private IP address on the
opnsense-private-subnet-m4
subnet from the range specified in the OPNsense DHCP server settings.On the Profile configuration screen, set the name and password of the user who will have access to the VM.
-
Once the installation is complete, click Reboot Now.
-
Test the solution
The solution will be tested using a VM created earlier on a server running VMware ESXi.
The successful test criteria are as follows:
- The VM gets an IP address in the local network from the DHCP server created in the OPNsense cluster.
- The VM is able to access the internet through the OPNsense firewall.
Check whether the client got an IP address from the DHCP server
-
Connect to the
opnsense-master
server's KVM console. -
Authenticate to the OPNsense server as the
root
user with the password you set when installing the server. -
Type in
8
(Shell
option) and press Enter to open the OS terminal. -
Run this command:
tcpdump -i <interface_ID> -pvn port 67 and port 68
Where
<interface_ID>
is the ID of the server network interface connected to theopnsense-private-subnet-m4
private subnet, e.g.,igb0
.With the
tcpdump
command, you can listen to the network interface to visualize how the DHCP protocol works.Result:
10:45:50.180979 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 300, xid 0x6094a655, Flags [none] Client-Ethernet-Address 00:0c:29:7a:bf:5c Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Discover MSZ (57), length 2: 576 Parameter-Request (55), length 7: Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12) Domain-Name (15), BR (28), NTP (42) Hostname (12), length 8: "alp-vm-1" Vendor-Class (60), length 12: "udhcp 1.37.0" Client-ID (61), length 7: ether 00:0c:29:7a:bf:5c 10:45:51.229540 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, Flags [none] Your-IP 192.168.1.153 Client-Ethernet-Address 00:0c:29:7a:bf:5c Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Offer Server-ID (54), length 4: 192.168.1.252 Lease-Time (51), length 4: 600 Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 192.168.1.254 Domain-Name-Server (6), length 4: 77.88.8.8 Domain-Name (15), length 11: "localdomain" 10:45:51.280876 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 330) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 302, xid 0x6094a655, secs 1, Flags [none] Client-Ethernet-Address 00:0c:29:7a:bf:5c Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Request Requested-IP (50), length 4: 192.168.1.153 Server-ID (54), length 4: 192.168.1.252 MSZ (57), length 2: 576 Parameter-Request (55), length 7: Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12) Domain-Name (15), BR (28), NTP (42) Hostname (12), length 8: "alp-vm-1" Vendor-Class (60), length 12: "udhcp 1.37.0" Client-ID (61), length 7: ether 00:0c:29:7a:bf:5c 10:45:51.281467 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, secs 1, Flags [none] Your-IP 192.168.1.153 Client-Ethernet-Address 00:0c:29:7a:bf:5c Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: ACK Server-ID (54), length 4: 192.168.1.252 Lease-Time (51), length 4: 600 Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 192.168.1.254 Domain-Name-Server (6), length 4: 77.88.8.8 Domain-Name (15), length 11: "localdomain"
Analyzing the result:
The result comprises these two main steps:
Client's requests for an IP addressDHCP server's offer of an IP address0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request DHCP-Message (53), length 1: Discover Client-ID (61), length 7: 00:0c:29:7a:bf:5c
192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply Client-Ethernet-Address: 00:0c:29:7a:bf:5c DHCP-Message (53), length 1: Offer Server-ID (54), length 4: 192.168.1.252 Your-IP: 192.168.1.153 Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 192.168.1.254 Domain-Name-Server (6), length 4: 77.88.8.8
Check that your VM has internet access
-
Start
jump-server
from the Rescue CD by selecting the default boot option,Boot SystemRescue using default options
, from the SystemRescue main menu. -
Start the SystemRescue GUI by running the
startx
command. -
In the bottom-right corner of the GUI screen, click the Firefox icon to open the web browser.
-
In the address bar, enter the hypervisor address, e.g.,
https://192.168.1.50/
. -
On the authentication page, enter
root
for username and use the password you set when installing ESXi. -
In the left-hand main menu, select Virtual Machines. Select the
opnsense-tester-vm
VM. -
In the window that opens, click
in the VM preview box and expand it to full screen. Do the following in the VM terminal window:-
To authenticate, enter the username and password you set when creating the VM.
-
Make sure the VM has an IP address assigned:
ip a
Result:
1: 1o: «LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fa_codel state UP group default glen 1000 link/ether 00:0c:29:86:04:10 brd ffiff:ff:ff:ff:ff altname enp3s0 inet 192.168.1.153/24 metric 100 brd 192.168.1.255 scope global dynamic ens160 valid_lft 459sec preferred_lft 459sec inet6 fe80::20c:29ff:fe86:d410/64 scope link valid_lft forever preferred_lft forever
The
ens160
network interface got from the DHCP server the IP address192.168.1.153
. -
Install the
net-tools
andtraceroute
packages:sudo apt install net-tools traceroute
-
Check the routing table:
netstat -rn
Result:
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 ens160 77.88.8.8 192.168.1.254 255.255.255.255 UGH 0 0 0 ens160 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160 192.168.1.254 0.0.0.0 255.255.255.255 UH 0 0 0 ens160
-
Ping any external address, e.g.,
1.1.1.1
:ping -c 3 1.1.1.1
Result:
PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=55 time=2.252 ms 64 bytes from 1.1.1.1: seq=1 ttl=55 time=2.354 ms 64 bytes from 1.1.1.1: seq=2 ttl=55 time=2.363 ms --- 1.1.1.1 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 2.252/2.323/2.363 ms
-
Check the route through to any external address, e.g.,
1.1.1.1
:traceroute -n 1.1.1.1
Result:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets 1 192.168.1.253 0.223 ms 0.176 ms 0.147 ms 2 94.126.204.142 2.914 ms 3.193 ms * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 195.208.209.7 2.697 ms * * 9 * 62.115.139.123 12.950 ms * 10 * * * 11 * * * 12 * * * 13 * * * 14 1.1.1.1 1.725 ms * *
-
The test results show that your VM has access to the internet.