
Configuring OPNsense firewall in high availability cluster mode on Yandex BareMetal servers

Written by
Yandex Cloud
Improved by
Danila N.
Updated at June 3, 2025
  • Getting started
    • Required paid resources
  • Create your boot images in BareMetal
    • Upload the software ISO images to Yandex Object Storage
    • Create your boot images in BareMetal
  • Create a private BareMetal subnet
  • Lease BareMetal servers
  • Configure an OPNsense high availability cluster
    • Install the OPNsense firewall on your servers
    • Pre-configure your OPNsense servers
    • Set up an OPNsense server cluster
  • Install a hypervisor and create a virtual machine
    • Install a hypervisor
    • Create a VM
  • Test the solution
    • Check whether the client got an IP address from the DHCP server
    • Check that your VM has internet access
  • How to delete the resources you created

This solution allows configuring an OPNsense perimeter firewall on BareMetal servers. Apart from being the main gateway and a stateful firewall, OPNsense will also function as a DHCP server in a highly available configuration.

The idea of this solution is that only the OPNsense firewall servers are connected to the internet, thus ensuring a secure network segment behind them.

The solution must be fault-tolerant, so a high availability cluster is the proposed configuration. To achieve gateway fault tolerance, the Common Address Redundancy Protocol (CARP) is used.

For the secure network segment clients to automatically get IP addresses and the correct gateway address, the solution employs an ISC DHCPv4 server in a high-availability configuration. With OPNsense, the DHCP lease database is replicated between the cluster servers in the Master and Backup roles, so a client keeps its lease if one node fails.

Solution diagram:

  • Public BareMetal subnet of the ru-central1-m4 server pool.

  • Private BareMetal subnet: opnsense-private-subnet-m4.

  • Two BareMetal servers within the OPNsense cluster: opnsense-master and opnsense-backup. This guide uses OPNsense firewall version 25.1.

  • One BareMetal server, vmware-esxi running the VMware ESXi virtualization platform. This guide uses ESXi hypervisor version 7.0U3g.

  • The vmware-esxi server runs a VM instance named opnsense-tester-vm. This guide uses a Linux Ubuntu 24.04 VM created without a graphical user interface (GUI).

  • Installation server, jump-server, required for configuring your OPNsense and ESXi servers and accessing their private IP addresses.

    The installation server must have a GUI and a web browser. To make the configuration process easier for you, in this guide, the role of the installation server will be played by a BareMetal server booted into recovery and diagnostics mode from the Rescue CD.

    Note

    As an alternative to the Rescue CD, you can use a VPN connection to access the private IP addresses of your servers from outside the private subnet. Using a VPN connection on OPNsense servers requires configuring a static route to a network segment outside of the current private subnet.

To configure your OPNsense firewall in high availability cluster mode on Yandex BareMetal servers:

  1. Get your cloud ready.
  2. Create your boot images in BareMetal.
  3. Create a private BareMetal subnet.
  4. Lease BareMetal servers.
  5. Configure an OPNsense high availability cluster.
  6. Install a hypervisor and create a virtual machine.
  7. Test the solution.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of the proposed solution includes:

  • Fee for leasing the BareMetal servers (see Yandex BareMetal pricing).
  • Fee for data storage in Object Storage and data operations (see Yandex Object Storage pricing).

Create your boot images in BareMetal

The OPNsense firewall and ESXi hypervisor will be installed on your BareMetal servers from the custom BareMetal boot images you will prepare before you begin deploying the infrastructure.

Upload the software ISO images to Yandex Object Storage

To create the infrastructure proposed by this solution, you will need ISO images with distributions to install OPNsense and VMware ESXi on your servers.

Note

Yandex Cloud does not provide distributions of these software products; obtain them from the vendors yourself. Before uploading an image, verify its checksum against the value the vendor publishes (the OPNsense project also publishes an OpenPGP signature for each release), since these images will be booted with full hardware access on your servers.

Upload the OPNsense and ESXi distribution images to your Object Storage bucket:

  1. If you have no Object Storage bucket yet, create a bucket with limited access.
  2. Upload the images to your bucket via the management console, AWS CLI, or WinSCP. In Object Storage terms, the uploaded image files are objects.
  3. Get links to the images you uploaded. Use these links when creating the boot images in BareMetal.

Create your boot images in BareMetal

Management console
  1. In the management console, select the folder you are going to create your infrastructure in.

  2. From the list of services, select BareMetal.

  3. In the left-hand panel, select Boot images.

  4. Click Upload image.

  5. Enter a name for your OPNsense image. The naming requirements are as follows:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  6. (Optional) Add a description for the image.

  7. Paste the link to the OPNsense image you got in Object Storage.

  8. Click Upload.

  9. Similarly, create an ESXi boot image.

Create a private BareMetal subnet

Management console
  1. In the management console, select the folder to create your infrastructure in.
  2. From the list of services, select BareMetal.
  3. In the left-hand panel, select Private subnets and click Create subnet.
  4. In the Pool field, select the ru-central1-m4 server pool.
  5. In the Name field, enter a name for the subnet: opnsense-private-subnet-m4.
  6. Without enabling the IP addressing and routing option, click Create subnet.

Lease BareMetal servers

Management console
  1. In the management console, select the folder to create your infrastructure in.

  2. In the list of services, select BareMetal and click Lease server.

  3. In the Pool field, select the ru-central1-m4 server pool.

  4. Under Configuration, select the appropriate server configuration.

    To test the solution, a configuration with minimum hardware specifications will be enough.

  5. Under Image, select No OS.

  6. In the Lease duration field, select a lease period: 1 day, 1 month, 3 months, 6 months, or 1 year.

    When this period expires, server lease will be automatically renewed for the same period. You cannot terminate the lease during the specified lease period, but you can refuse to extend the server lease further.

  7. Under Network settings:

    1. In the Private subnet field, select opnsense-private-subnet-m4, which you created earlier.
    2. In the Public address field, select Automatic.
  8. Under Server information in the Name field, enter a name for the server: opnsense-master.

  9. Click Lease server.

  10. Similarly, lease one more server named opnsense-backup in the ru-central1-m4 server pool.

  11. Similarly, lease two more servers named vmware-esxi and jump-server in the ru-central1-m4 server pool, but select No address in the Public address field under Network settings when filling in the lease form. These servers must be reachable only through the OPNsense cluster, not directly from the internet.

Note

It may take up to 20 minutes to get the servers ready. During this time, the servers will have the Provisioning status, then switching to Ready.

Configure an OPNsense high availability cluster

Configuring a high availability cluster involves installing the OPNsense firewall on two BareMetal servers, followed by creating and configuring an OPNsense cluster from those servers.

Install the OPNsense firewall on your servers

Tip

To save time, you can run the OPNsense installation on your opnsense-master and opnsense-backup servers in two different browser windows at the same time. On both of these servers, the installation is performed in the same way.

  1. Connect to the opnsense-master server's KVM console.

    Note

    You will perform all further actions under this configuration step in the KVM console window.

  2. In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:

    1. In the CD/DVD Media1 section, click Browse and select the OPNsense image you saved earlier in the user-iso directory.
    2. Click Connect CD/DVD.
    3. Check the Status section for the Virtual CD 1 device to make sure the Connected To field now gives the path to the image you selected, and click Close.
  3. To boot the server up from the selected image, click Reboot to cdrom in the top-right corner of the KVM console.

  4. Wait for the server to boot up and for the OPNsense interactive shell to initialize – this can take up to ten minutes.

    When the initialization is complete, the terminal screen in the KVM console will prompt you for authentication:

    login:
    
  5. Authenticate with the following credentials:

    • Username: installer
    • Password: opnsense

    Tip

    To paste text from the clipboard to the KVM console, use the Paste text here field in the upper right corner.

  6. In the Keymap Selection window, keep the default value, Continue with default keymap, and press Enter.

  7. In the action selection dialog box, select Install (ZFS) and press Enter.

  8. Under ZFS Configuration, select mirror and press Enter.

  9. In the next window, which selects the block devices for the ZFS mirror, use the up and down arrows and the space bar to select the server HDDs or SSDs, e.g., ada0 and ada1 (FreeBSD names SATA disks adaN, SAS/SCSI disks daN, and NVMe disks nvdN or ndaN). A mirror needs at least two disks. Press Enter.

  10. In the potential data loss alert window, confirm your agreement to modify the partition table. Use the up and down arrows to select YES and press Enter.

    This will start OPNsense installation on the server.

    Alert

    During the installation, do not close or refresh the KVM console window. Otherwise, the installation image will be unmounted from the BareMetal server, and you will have to restart the installation.

    The installation may take up to an hour.

  11. Once the installation is complete, select Root Password in the Final Configuration window to set a password for the root user and press Enter. Enter and confirm the password.

  12. Once you set the password, select Complete Install in the Final Configuration window and press Enter.

  13. In the Installation Complete window, select Reboot now and press Enter.

  14. In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:

    1. Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to Not connected.
    2. Click Close.
  15. Similarly, install OPNsense on the opnsense-backup server.

Pre-configure your OPNsense servers

Before proceeding to configure the OPNsense cluster, pre-configure the network interfaces of both your OPNsense servers:

  1. Connect to the OPNsense server's KVM console.

    Note

    You will perform all further actions under this configuration step in the KVM console window.

  2. Authenticate as the root user with the password you set when installing the server. If you did not set a password for the root user, the default one is opnsense; set your own one now, as the default is public knowledge.

    If authenticated successfully, you will see a text menu of basic server settings with a list of possible actions.

  3. Make sure that network interfaces are set up in the system:

    Note

    Depending on the BareMetal server configuration, it can be equipped with Intel or Mellanox network cards. While the OS kernel automatically configures network interfaces for Intel cards, configuring network interfaces for Mellanox cards may involve additional steps.

    1. Type in 8 (Shell option) and press Enter to open the OS terminal.

    2. Check for the network interfaces:

      ifconfig
      

      If the output includes network interfaces whose description field reads LAN and WAN and which have IP addresses assigned, no additional actions are required.

      For example:

      igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mt
          description: LAN (lan)
          options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
          ether 00:25:90:e3:a1:fe
          inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
          inet6 fe80::225:90ff:fee3:a1fe%igb0 prefixlen 64 scopeid 0x1
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      
      igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mt
          description: WAN (wan)
          options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
          ether 00:25:90:e3:a1:ff
          inet 94.126.204.143 netmask 0xfffffffe broadcast 94.126.204.143
          inet6 fe80::225:90ff:fee3:a1ff%igb1 prefixlen 64 scopeid 0x2
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active
          nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
      

      In the example above, the igb0 and igb1 network interfaces have the descriptions LAN and WAN, respectively, and IP addresses assigned. In which case you can proceed to the next step.

      If the output shows no LAN and WAN interfaces with addresses assigned (typical for a Mellanox card whose driver is not loaded), load the driver manually:
      1. Create and open an additional configuration file named loader.conf.local:

        ee /boot/loader.conf.local
        
      2. Add the following line to the new configuration file:

        mlx4en_load="YES"
        
      3. Save the changes and close the file: press Esc, then Enter to choose leave editor, and type a (save changes) at the prompt that opens.

      4. Reboot the system:

        reboot
        
      5. Wait for the system to reboot, authenticate, and go to the OS terminal.

      6. Re-run the ifconfig command to make sure the required network interfaces are now available in your system. The Mellanox interfaces will have the following IDs: mlxen0 and mlxen1.

    3. Exit the OS terminal:

      exit
      
  4. Configure the server LAN interface:

    1. Type 2 (Set interface IP address option) and press Enter:

      1 - LAN (igb0 - static, track6)
      2 - WAN (igb1 - dhcp, dhcp6)
      
    2. Type the LAN interface number and press Enter.

    3. Configure IPv4 address LAN interface via DHCP? [y/N]:

      Enter n to set a static IPv4 address for the interface.

    4. Enter the new LAN IPv4 address. Press <ENTER> for none:

      Master: enter the address 192.168.1.252.

      Backup: enter the address 192.168.1.253.

    5. Enter the new LAN IPv4 subnet bit count (1 to 32):

      Enter the subnet CIDR prefix, e.g., 24.

    6. For a WAN, enter the new LAN IPv4 upstream gateway address. For a LAN, press <ENTER> for none:

      Press Enter not to set the gateway address.

    7. Configure IPv6 address LAN interface via WAN tracking? [Y/n]:

      Enter n not to configure an IPv6 address via the Track Interface function.

    8. Configure IPv6 address LAN interface via DHCP6? [y/N]:

      Enter n not to configure getting an IPv6 address via DHCP6.

    9. Enter the new LAN IPv6 address. Press <ENTER> for none:

      Press Enter not to set the IPv6 address.

    10. Do you want to enable the DHCP server on LAN? [y/N]:

      Enter n not to configure the DHCP server. You will configure the DHCP server later via the web interface.

    11. Do you want to change the web GUI protocol from HTTPS to HTTP? [y/N]:

      Enter y to use HTTP to access the server configuration web interface. This only avoids certificate warnings on the jump server: over HTTP, the root password, the cluster synchronization credentials and the CARP password you enter later travel in cleartext across the private subnet. Switch the web GUI back to HTTPS (System → Settings → Administration) once the cluster is configured.

    12. Restore web GUI access defaults? [y/N]:

      Enter y to reset the web interface access settings to their defaults.

    The OPNsense server settings will be updated; you can configure the OPNsense servers and cluster further via the web interface at the address shown:

    Master:

    You can now access the web GUI by opening the following URL in your web browser:
    
    http://192.168.1.252
    
    Backup:

    You can now access the web GUI by opening the following URL in your web browser:
    
    http://192.168.1.253
    
    Additional settings for connecting to the web interface via VPN.
    1. Type in 8 (Shell option) and press Enter to open the OS terminal.

    2. Configure the static route to the VPN segment of the network:

      Master:

      route add <VPN_segment_CIDR> 192.168.1.252
      
      Backup:

      route add <VPN_segment_CIDR> 192.168.1.253
      

      Where <VPN_segment_CIDR> is the CIDR of a subnet in the VPN segment, e.g., 172.28.1.0/24.

      A route added with route add in the shell is not persistent and disappears on reboot. Once you can reach the web interface, add the same route under System → Routes so that it survives reboots.

    3. Make sure the route has been added:

      netstat -rn4
      

      The command output should contain a routing entry in this format (the interface column shows your LAN interface name, e.g., igb0 or mlxen1):

      Master:

      172.28.1.0/24  192.168.1.252  UGS  mlxen1
      
      Backup:

      172.28.1.0/24  192.168.1.253  UGS  mlxen1
      

This concludes the OPNsense server pre-configuration procedures. To further configure the servers and cluster, access the web interface.
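The interface check in step 3 above (ifconfig, then the Mellanox driver line in loader.conf.local), as an added example that is not part of the Yandex Cloud guide: a POSIX sh script for the OPNsense shell (console menu option 8) that parses ifconfig output for LAN and WAN interfaces with IPv4 addresses, detects a Mellanox card in pciconf -lv output by its PCI vendor ID 0x15b3, and appends the loader line without duplicating it on repeated runs. The function names and the embedded sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud guide. Helpers for the OPNsense
# pre-configuration step; run them from the OPNsense shell (console menu option 8).
# The sample ifconfig/pciconf outputs below are constructed for the offline demo.

# Reads `ifconfig` output on stdin. Succeeds (exit 0) when an interface described
# as LAN and one described as WAN both carry an IPv4 address; otherwise lists what is missing.
check_lan_wan() {
  awk '
    /^[a-z0-9]+: flags=/ { split($1, a, ":"); cur = a[1]; next }
    /description: LAN/   { lan = cur }
    /description: WAN/   { wan = cur }
    /^[ \t]+inet [0-9]/  { has4[cur] = 1 }
    END {
      ok = 1
      if (lan == "" || !(lan in has4)) { print "missing: LAN interface with an IPv4 address"; ok = 0 }
      if (wan == "" || !(wan in has4)) { print "missing: WAN interface with an IPv4 address"; ok = 0 }
      if (ok) print "ok: LAN=" lan " WAN=" wan
      exit !ok
    }'
}

# Reads `pciconf -lv` output on stdin; succeeds when a Mellanox device (PCI vendor 0x15b3) is listed.
has_mellanox_nic() {
  grep -qi 'vendor=0x15b3'
}

# Appends LINE to FILE unless an identical line is already present, so re-running is harmless.
ensure_loader_line() {
  file=$1 line=$2
  if [ -f "$file" ] && grep -qxF "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

# Constructed sample: the healthy case from the guide (abridged).
SAMPLE_IFCONFIG_OK='igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        ether 00:25:90:e3:a1:fe
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        status: active
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        ether 00:25:90:e3:a1:ff
        inet 94.126.204.143 netmask 0xfffffffe broadcast 94.126.204.143
        status: active'

# Constructed sample: a Mellanox box before the driver is loaded, only pseudo-interfaces exist.
SAMPLE_IFCONFIG_NO_LAN='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync'

# Constructed sample of `pciconf -lv` for a ConnectX-3 card with no driver attached.
SAMPLE_PCICONF='none0@pci0:3:0:0:       class=0x020000 rev=0x00 hdr=0x00 vendor=0x15b3 device=0x1003 subvendor=0x15b3 subdevice=0x0050
    class      = network'

demo() {
  printf '%s\n' "$SAMPLE_IFCONFIG_OK" | check_lan_wan
  if ! printf '%s\n' "$SAMPLE_IFCONFIG_NO_LAN" | check_lan_wan; then
    if printf '%s\n' "$SAMPLE_PCICONF" | has_mellanox_nic; then
      # On the server the target is /boot/loader.conf.local, followed by `reboot`;
      # the demo writes to a temporary file instead.
      target=$(mktemp)
      ensure_loader_line "$target" 'mlx4en_load="YES"'
      ensure_loader_line "$target" 'mlx4en_load="YES"'   # no-op on the second run
      echo "would write to /boot/loader.conf.local:"; cat "$target"; rm -f "$target"
    fi
  fi
}
demo
```

On the server itself the three helpers chain as `ifconfig | check_lan_wan || { pciconf -lv | has_mellanox_nic && ensure_loader_line /boot/loader.conf.local 'mlx4en_load="YES"' && reboot; }`. The guide's mlx4en driver covers the ConnectX-3 family; ConnectX-4 and newer cards use FreeBSD's mlx5en driver (mlx5en_load="YES"), so check the device line that pciconf -lv prints before choosing the line to add.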

Set up an OPNsense server cluster

To set up an OPNsense server cluster, you need an installation server (jump server) with a graphical user interface and access to the private subnet the cluster hosts are connected to.

To make the configuration process easier for you, in this guide, the role of this installation server will be played by a jump-server server leased earlier and booted into recovery and diagnostics mode from the Rescue CD.

Note

You will perform all further actions under this configuration step in the KVM console window.

  1. Start jump-server from the Rescue CD by selecting the default boot option, Boot SystemRescue using default options, from the SystemRescue main menu.

    Running SystemRescue will launch the SystemRescue OS terminal in the KVM console.

  2. To start the SystemRescue GUI, run the startx command in the SystemRescue OS terminal.

  3. As the opnsense-private-subnet-m4 private subnet has no DHCP server yet, configure the network interface manually:

    1. In the bottom-right corner of the SystemRescue GUI, right-click the network icon and select Edit Connections....
    2. In the window that opens, under Ethernet, select Wired connection 1 and click the gear icon.
    3. In the settings window that opens, go to the IPv4 Settings tab and select Manual in the Method field.
    4. Under Addresses, click Add. In the Address field, enter 192.168.1.20; in the Netmask field, 24.
    5. Click Save.
  4. Make sure that network access to the OPNsense servers is now available. To do this, click the terminal icon in the bottom-left corner of the screen; in the window that opens, run this command:

    ping 192.168.1.252 -c3
    

    Result:

    PING 192.168.1.252 (192.168.1.252) 56(84) bytes of data.
    64 bytes from 192.168.1.252: icmp_seq=1 ttl=64 time=0.110 ms
    64 bytes from 192.168.1.252: icmp_seq=2 ttl=64 time=0.127 ms
    64 bytes from 192.168.1.252: icmp_seq=3 ttl=64 time=0.115 ms
    
    --- 192.168.1.252 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2024ms
    rtt min/avg/max/mdev = 0.110/0.117/0.127/0.007 ms
    

    Network connectivity with the OPNsense server has now been established.

    Tip

    If the ping command does not return packets from the server, try disabling the Wired connection 1 network interface and configuring the Wired connection 2 interface instead.

  5. In the bottom-right corner, click the Firefox icon to open the web browser.

  6. Configure both your OPNsense servers in the browser window:

    1. In the browser address bar, enter the server address:

      Master
      Backup

      http://192.168.1.252

      http://192.168.1.253

    2. On the authentication page, enter root for username and use the password you set when installing the server. If you had not set a password for the root user, the default one is opnsense.

    3. Specify the high availability cluster settings:

      1. In the main menu, go to the high availability cluster settings: System → High Availability → Settings.

      2. In the Synchronize all states via field, select the LAN interface. pfsync traffic is neither encrypted nor authenticated, so anyone on that segment can read or inject firewall state; for simplicity this guide runs it on LAN, but in production it belongs on a dedicated link between the two nodes.

      3. In the Sync compatibility field, select OPNsense 24.7 or above.

      4. In the Synchronize Peer IP and Synchronize Config fields:

        Master: specify the IP address of your Backup server, 192.168.1.253.

        Backup: specify the IP address of your Master server, 192.168.1.252.

      5. In the Remote System Username field, enter root for username.

        Note

        For synchronization purposes, you can create additional users on OPNsense servers in the System → Access section of the main menu. Outside a test setup, a dedicated synchronization user is preferable to root: these credentials are stored in the configuration and sent to the peer with every synchronization.

      6. In the Remote System Password field, enter the password of the account you specified above.

      7. In the Services field, select the services for synchronization. Click Select All to select all services, which is a good option to demonstrate what the solution can do.

      8. Click Apply to save and apply the changes.

    4. Specify the CARP virtual IP settings:

      1. In the main menu, go to the virtual IP address settings: Interfaces → Virtual IPs → Settings.

      2. Click to add a new virtual IP address and do the following in the window that opens:

        • In the Mode field, select CARP.

        • In the Interface field, select LAN.

        • In the Network / Address field, specify 192.168.1.254/24.

        • In the Peer (ipv4) field:

          Master: specify the IP address of your Backup server, 192.168.1.253.

          Backup: specify the IP address of your Master server, 192.168.1.252.

        • In the Password field, set a password to protect your CARP group.

          Use the same password when configuring both servers: CARP advertisements are authenticated with this password, so a node whose password differs will not join the group.

        • In the VHID Group field, set the group ID, e.g., 101.

          Use the same group ID when configuring both servers.

        • Click Save to save the virtual IP address settings.

      3. Click Apply to apply the changes.

    5. Configure the DHCP server in the private subnet:

      1. In the main menu, go to the DHCP settings: Services → ISC DHCPv4 → LAN.

      2. Turn on Enable DHCP server on the LAN interface.

      3. In the Range field, specify the range of private subnet IP addresses available for clients through your DHCP server, e.g., from 192.168.1.100 to 192.168.1.199.

      4. In the DNS servers field, specify the domain name server addresses that will be issued to your clients, e.g., 77.88.8.8.

      5. In the Gateway field, specify the IP address for the CARP interface you configured earlier: 192.168.1.254.

      6. In the Default lease time (seconds) field, specify the lease period for the provided IP address, in seconds, e.g., 3600.

      7. In the Failover peer IP field:

        Master: specify the IP address of your Backup server, 192.168.1.253.

        Backup: specify the IP address of your Master server, 192.168.1.252.

      8. Click Save to save the DHCP server settings.

  7. On the Master server, synchronize the cluster host settings:

    Note

    With OPNsense in cluster mode, firewall settings should first be changed on the Master host. The Backup host will get the updated parameters through change synchronization.

    1. In your web browser address bar, enter the server address: http://192.168.1.252.
    2. In the main menu, go to the high availability cluster settings: System → High Availability → Status.
    3. Scroll down the list of services and click Synchronize and reconfigure all (Restart all services).

    Warning

    Change synchronization also restarts the services.

  8. Check the CARP group status on both hosts:

    Master:

    1. In your web browser address bar, enter the Master server address: http://192.168.1.252.

    2. In the main menu, go to the virtual IP address settings: Interfaces → Virtual IPs → Status.

    3. On the Addresses tab, check the Status column to make sure the server got the Master role.

      If the address status is DISABLED, click Temporarily disable CARP and then Enable CARP; the virtual address status should then change to MASTER.

    4. Navigate to the pfSync nodes tab to make sure there are two hosts in the list.

    Backup:

    1. In your web browser address bar, enter the Backup server address: http://192.168.1.253.

    2. In the main menu, go to the virtual IP address settings: Interfaces → Virtual IPs → Status.

    3. On the Addresses tab, check the Status column to make sure the server got the Backup role.

      If the address status is DISABLED, click Temporarily disable CARP and then Enable CARP; the virtual address status should then change to BACKUP.

    4. Navigate to the pfSync nodes tab to make sure there are two hosts in the list.

This concludes the bulk of the high availability cluster configuration procedures.

Further configuration may involve creating firewall rules. For the purposes of this guide, the default rule set plus the automatically generated outbound NAT rules are enough: they let clients on the LAN side reach the internet through the WAN interface, while nothing on the WAN side is allowed in.
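A check for step 8 above that does not depend on the web interface, as an added example that is not part of the Yandex Cloud guide: run from the jump server (SystemRescue, Linux iproute2), it confirms that the CARP virtual IP is answered by the CARP group rather than by some host that happens to hold the same address. CARP uses the fixed virtual MAC 00:00:5e:00:01:<VHID in hex>, so the neighbor cache entry for the VIP reveals who answers for it. The function names and the sample ip neigh output are constructed for this example; the addresses and VHID are the guide's.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud guide. Verifies from the jump server
# that the CARP VIP is served by the CARP group: the MAC cached for the VIP must be
# the CARP virtual MAC 00:00:5e:00:01:<VHID in hex>. SAMPLE_NEIGH is a constructed
# `ip neigh show` output for the offline demo.

VIP=192.168.1.254
VHID=101

# Virtual MAC that every node of CARP group $1 uses for its virtual IPs.
carp_mac() {
  printf '00:00:5e:00:01:%02x\n' "$1"
}

# Reads `ip neigh show` output on stdin; prints the MAC cached for address $1 (empty if none).
neigh_mac() {
  awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# Succeeds when the cached MAC for VIP $1 is the CARP MAC of group $2.
vip_served_by_carp() {
  expected=$(carp_mac "$2")
  actual=$(neigh_mac "$1")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: VIP answered by the CARP group, nodes answering with their own MACs.
SAMPLE_NEIGH='192.168.1.254 dev eth0 lladdr 00:00:5e:00:01:65 REACHABLE
192.168.1.252 dev eth0 lladdr 00:25:90:e3:a1:fe STALE
192.168.1.253 dev eth0 lladdr 00:25:90:e3:a2:00 STALE'

# Live check: a ping populates the neighbor cache, then the cache is inspected.
live_check() {
  ping -c 3 -W 1 "$VIP" >/dev/null 2>&1 || echo "warning: $VIP does not answer ICMP"
  if ip neigh show 2>/dev/null | vip_served_by_carp "$VIP" "$VHID"; then
    echo "$VIP is answered by CARP group $VHID ($(carp_mac "$VHID"))"
  else
    echo "$VIP is not answered by CARP group $VHID: check Interfaces -> Virtual IPs -> Status on both nodes"
    echo "cached entry: $(ip neigh show 2>/dev/null | grep "^$VIP " || echo none)"
  fi
}

# Offline demo on the constructed sample; pass "live" to query the real network.
if [ "${1:-}" = "live" ]; then
  live_check
else
  printf '%s\n' "$SAMPLE_NEIGH" | vip_served_by_carp "$VIP" "$VHID" \
    && echo "sample: $VIP is answered by $(carp_mac "$VHID")"
fi
```

If the VIP answers with a node's physical MAC instead of the CARP MAC, the address was configured as a plain IP alias on one node rather than as a CARP virtual IP, and failover will not work even though ping succeeds.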

Install a hypervisor and create a virtual machine

Install a hypervisor

  1. Connect to the vmware-esxi server's KVM console.

    Note

    You will perform all further actions under this configuration step in the KVM console window.

  2. In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:

    1. In the CD/DVD Media1 section, click Browse and select the VMware ESXi image you saved earlier in the user-iso directory.
    2. Click Connect CD/DVD.
    3. Check the Status section for the Virtual CD 1 device to make sure the Connected To field now gives the path to the image you selected, and click Close.
  3. To boot the server up from the selected image, click Reboot to cdrom in the top-right corner of the KVM console.

  4. Wait for the server to boot up and for the ESXi installer's interactive shell to initialize, start the installation process, and accept the terms and conditions of the license agreement (EULA).

  5. Select the server disk to install the hypervisor on and the preferred keyboard layout.

  6. Set the root user password for access to the hypervisor settings.

  7. To start the ESXi installation, confirm your agreement to modify the partition table.

  8. Wait for the installation to complete and press Enter to restart your server.

  9. In the KVM console window, select Media → Virtual Media Wizard... in the top menu or click the CD icon. In the window that opens:

    1. Under CD/DVD Media1, click Disconnect. Check the Status section for the Virtual CD 1 device to make sure the Connected To field value has changed to Not connected.
    2. Click Close.
  10. Wait for the hypervisor to start and configure the network settings as follows:

    1. To go to settings, press F2 and enter the root user password you set during the installation.

      If no password was set during the installation, by default you log in to the root user account without any password.

    2. In the main settings menu, select Configure Management Network.

    3. In the menu that opens, select IPv4 Configuration.

    4. Use the space key to select Set static IPv4 address and network configuration and specify the following:

      • IPv4 Address: Any free IP address that is part of the opnsense-private-subnet-m4 private subnet and is not in the range of addresses available for clients through the OPNsense DHCP server, e.g., 192.168.1.50.
      • Subnet Mask: Subnet mask, 255.255.255.0.
      • Default Gateway: CARP virtual IP address you created earlier in the OPNsense cluster, 192.168.1.254.
    5. Press Enter to save the changes.

    6. Press Esc to exit the settings menu and apply your changes.

    7. In the window that opens, confirm that you want to apply the updated settings and restart the network interface.
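The DHCP range chosen in the cluster section and the requirement above that the hypervisor's static address stay outside it are easy to get wrong by hand. As an added example that is not part of the Yandex Cloud guide, this POSIX sh pre-flight check validates the whole addressing plan of the tutorial before you click through the web interfaces: all hosts in one /24, no static address (cluster nodes, CARP VIP, jump server, ESXi) inside the DHCP pool, a non-reversed pool, and a valid CARP VHID. The addresses are the guide's; the function names are this example's.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud guide. Pre-flight check of the
# addressing plan: same /PREFIX for everything, no static host inside the DHCP
# pool, pool boundaries in order, CARP VHID within 1-255.

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeeds when $1 and $2 are in the same /$3 network.
same_subnet() {
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Succeeds when $1 lies within [$2, $3] inclusive.
in_range() {
  addr=$(ip2int "$1")
  [ "$addr" -ge "$(ip2int "$2")" ] && [ "$addr" -le "$(ip2int "$3")" ]
}

# check_plan PREFIX MASTER BACKUP VIP DHCP_LO DHCP_HI VHID [STATIC_HOST...]
# Prints one line per problem; returns the number of problems (0 = plan is consistent).
check_plan() {
  prefix=$1 master=$2 backup=$3 vip=$4 lo=$5 hi=$6 vhid=$7
  shift 7
  problems=0
  [ "$master" != "$backup" ] || { echo "master and backup share $master"; problems=$((problems + 1)); }
  for h in "$master" "$backup" "$vip" "$lo" "$hi" "$@"; do
    same_subnet "$h" "$master" "$prefix" || { echo "$h is outside the /$prefix of $master"; problems=$((problems + 1)); }
  done
  for h in "$master" "$backup" "$vip" "$@"; do
    ! in_range "$h" "$lo" "$hi" || { echo "$h collides with the DHCP pool $lo-$hi"; problems=$((problems + 1)); }
  done
  in_range "$lo" "$lo" "$hi" || { echo "DHCP pool $lo-$hi is reversed"; problems=$((problems + 1)); }
  { [ "$vhid" -ge 1 ] && [ "$vhid" -le 255 ]; } || { echo "VHID $vhid is outside 1-255"; problems=$((problems + 1)); }
  return "$problems"
}

# The guide's plan: /24, opnsense-master, opnsense-backup, CARP VIP, DHCP pool, VHID,
# then the static hosts jump-server and vmware-esxi.
check_plan 24 192.168.1.252 192.168.1.253 192.168.1.254 192.168.1.100 192.168.1.199 101 \
  192.168.1.20 192.168.1.50 && echo "addressing plan is consistent"
```

Add every further static host (a second hypervisor, a monitoring box) to the argument list; a non-zero return value with the printed reasons is the signal to change the DHCP range or the host address before the DHCP server hands out a duplicate.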

Create a VM

To create and configure VMs, you need an installation server (jump server) with a graphical user interface and access to the private subnet with a hypervisor connected.

To make the configuration process easier for you, in this guide, the role of this installation server will be played by a jump-server server leased earlier and booted into recovery and diagnostics mode from the Rescue CD.

Note

You will perform all further actions under this configuration step in the KVM console window.

  1. Start jump-server from the Rescue CD by selecting the default boot option, Boot SystemRescue using default options, from the SystemRescue main menu.

  2. To start the SystemRescue GUI, run the startx command in the SystemRescue OS terminal.

  3. In the bottom-right corner, click the Firefox icon to open the web browser.

  4. Download to the server an ISO image of the OS you want installed on your VM.

    Note

    For the purposes of this guide, the VM will be running Linux Ubuntu 24.04 without a GUI (Server install image).

  5. In the address bar, enter the hypervisor address, e.g., https://192.168.1.50/.

  6. On the authentication page, enter root for username and use the password you set when installing ESXi.

  7. Upload the ISO image of the OS you want installed on your VM to the hypervisor file storage:

    1. In the left-hand main menu, select Storage.

    2. In the window that opens, select datastore1.

    3. In the menu at the top, click Datastore browser and do the following in the window that opens:

      1. Click Create directory and create one named ISO.

      2. Select the new ISO directory and click Upload.

      3. In the window that opens, select the ISO image you downloaded earlier.

        By default, downloaded files are saved to /Home/Downloads/.

      4. Wait for the image upload to finish and click Close in the bottom-right corner of the window.

  8. Create a virtual machine:

    1. In the left-hand main menu, select Virtual Machines and click Create / Register VM.

    2. In the Select creation type window, select Create a new virtual machine and click Next.

    3. Do the following in the Select a name and guest OS window:

      1. In the Name field, enter a name for the new VM, e.g., opnsense-tester-vm.
      2. In the Guest OS family field, select Linux.
      3. In the Guest OS version field, select Ubuntu Linux (64-bit).
      4. Click Next.
    4. In the Select storage window, select datastore1 and click Next.

    5. In the Customize settings window, do the following on the Virtual Hardware tab:

      1. In the CPU field, select the number of vCPUs you want to allocate to your VM, e.g., 4.
      2. In the Memory field, select the amount of RAM you want to allocate to your VM, e.g., 8 GB.
      3. In the Hard disk 1 field, select the hard disk volume you want to allocate to your VM, e.g., 50 GB.
      4. In the CD/DVD Drive 1 field, select Datastore ISO file. In the window that opens, select the image you downloaded earlier.
      5. Leave other parameters as they are and click Next.
    6. In the Ready to complete window, check the parameters of the new VM and click Finish to create it.

    7. In the left-hand main menu, select Virtual Machines. Select the opnsense-tester-vm VM.

    8. In the window that opens, click Power on or the icon in the VM preview window.

    9. Click the VM preview window and expand it to full screen.

    10. Go through the OS installation procedure: select the preferred language, keyboard layout, installation type, etc. You can leave all settings at their defaults; this is enough to test the proposed solution within the scope of this guide.

      On the network settings screen, make sure that the VM was assigned a private IP address on the opnsense-private-subnet-m4 subnet from the range specified in the OPNsense DHCP server settings.

      On the Profile configuration screen, set the name and password of the user who will have access to the VM.

    11. Once the installation is complete, click Reboot Now.

Test the solution

The solution will be tested using a VM created earlier on a server running VMware ESXi.

The successful test criteria are as follows:

  • The VM gets an IP address in the local network from the DHCP server created in the OPNsense cluster.
  • The VM is able to access the internet through the OPNsense firewall.

Check whether the client got an IP address from the DHCP server

  1. Connect to the opnsense-master server's KVM console.

  2. Authenticate to the OPNsense server as the root user with the password you set when installing the server.

  3. Type in 8 (Shell option) and press Enter to open the OS terminal.

  4. Run this command:

    tcpdump -i <interface_ID> -pvn port 67 and port 68
    

    Where <interface_ID> is the ID of the server network interface connected to the opnsense-private-subnet-m4 private subnet, e.g., igb0.

    With the tcpdump command, you can listen on the network interface and watch the DHCP exchange as it happens.

    Result:

    10:45:50.180979 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 300, xid 0x6094a655, Flags [none]
        Client-Ethernet-Address 00:0c:29:7a:bf:5c
        Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 7:
            Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
            Domain-Name (15), BR (28), NTP (42)
            Hostname (12), length 8: "alp-vm-1"
            Vendor-Class (60), length 12: "udhcp 1.37.0"
            Client-ID (61), length 7: ether 00:0c:29:7a:bf:5c
    10:45:51.229540 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
        192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, Flags [none]
        Your-IP 192.168.1.153
        Client-Ethernet-Address 00:0c:29:7a:bf:5c
        Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Server-ID (54), length 4: 192.168.1.252
            Lease-Time (51), length 4: 600
            Subnet-Mask (1), length 4: 255.255.255.0
            Default-Gateway (3), length 4: 192.168.1.254
            Domain-Name-Server (6), length 4: 77.88.8.8
            Domain-Name (15), length 11: "localdomain"
    10:45:51.280876 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 330)
        0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 302, xid 0x6094a655, secs 1, Flags [none]
        Client-Ethernet-Address 00:0c:29:7a:bf:5c
        Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Requested-IP (50), length 4: 192.168.1.153
            Server-ID (54), length 4: 192.168.1.252
            MSZ (57), length 2: 576
            Parameter-Request (55), length 7:
            Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
            Domain-Name (15), BR (28), NTP (42)
            Hostname (12), length 8: "alp-vm-1"
            Vendor-Class (60), length 12: "udhcp 1.37.0"
            Client-ID (61), length 7: ether 00:0c:29:7a:bf:5c
    10:45:51.281467 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
        192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, secs 1, Flags [none]
        Your-IP 192.168.1.153
        Client-Ethernet-Address 00:0c:29:7a:bf:5c
        Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: 192.168.1.252
            Lease-Time (51), length 4: 600
            Subnet-Mask (1), length 4: 255.255.255.0
            Default-Gateway (3), length 4: 192.168.1.254
            Domain-Name-Server (6), length 4: 77.88.8.8
            Domain-Name (15), length 11: "localdomain"
    

    Analyzing the result:

    The result comprises these two main steps:

    Client's requests for an IP address:

    0.0.0.0.68 > 255.255.255.255.67:     BOOTP/DHCP, Request
    DHCP-Message (53), length 1:         Discover
    Client-ID (61), length 7:            00:0c:29:7a:bf:5c

    DHCP server's offer of an IP address:

    192.168.1.252.67 > 192.168.1.153.68:   BOOTP/DHCP, Reply
    Client-Ethernet-Address:               00:0c:29:7a:bf:5c
    DHCP-Message (53), length 1:           Offer
    Server-ID (54), length 4:              192.168.1.252
    Your-IP:                               192.168.1.153
    Subnet-Mask (1), length 4:             255.255.255.0
    Default-Gateway (3), length 4:         192.168.1.254
    Domain-Name-Server (6), length 4:      77.88.8.8

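When you repeat this check regularly, it is handier to verify the capture than to read it by hand. The following is an added example, not part of this guide or of OPNsense: it parses tcpdump -v DHCP output of the form shown above and confirms that the client completed a Discover/Offer/Request/ACK round with one transaction ID, that only a known OPNsense node answered (a second DHCP server on the subnet would show up as an unexpected Server-ID), and that the gateway handed out is the CARP virtual IP 192.168.1.254 from this guide. The set of node addresses passed to the check is an assumption; the sample trace is constructed from the output above.

```python
import re

# Constructed sample: the exchange from the tcpdump output above, reduced to the
# lines the check reads (tcpdump's own labels; IP header lines omitted).
SAMPLE_TRACE = """\
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 300, xid 0x6094a655, Flags [none]
    DHCP-Message (53), length 1: Discover
192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, Flags [none]
    DHCP-Message (53), length 1: Offer
    Server-ID (54), length 4: 192.168.1.252
    Default-Gateway (3), length 4: 192.168.1.254
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:7a:bf:5c, length 302, xid 0x6094a655, secs 1, Flags [none]
    DHCP-Message (53), length 1: Request
192.168.1.252.67 > 192.168.1.153.68: BOOTP/DHCP, Reply, length 300, xid 0x6094a655, secs 1, Flags [none]
    DHCP-Message (53), length 1: ACK
    Server-ID (54), length 4: 192.168.1.252
    Default-Gateway (3), length 4: 192.168.1.254
"""

# tcpdump option label -> key; the value is always the last token on the line.
FIELDS = {"DHCP-Message": "msg", "Server-ID": "server", "Default-Gateway": "gw"}

def parse_dhcp(trace):
    """One dict per DHCP packet; a packet starts at tcpdump's BOOTP/DHCP line."""
    pkts = []
    for s in map(str.strip, trace.splitlines()):
        if "BOOTP/DHCP" in s:
            xid = re.search(r"xid (0x[0-9a-f]+)", s)
            pkts.append({"xid": xid.group(1) if xid else None})
        elif pkts:
            for label, key in FIELDS.items():
                if s.startswith(label):
                    pkts[-1][key] = s.split()[-1]
    return pkts

def check_exchange(trace, dhcp_servers, carp_vip):
    """Return (ok, issues): ok when one Discover/Offer/Request/ACK round with a
    single xid was answered only by known nodes and hands out the CARP VIP."""
    pkts, issues = parse_dhcp(trace), []
    seq = [p.get("msg") for p in pkts]
    if seq != ["Discover", "Offer", "Request", "ACK"]:
        issues.append(f"unexpected message sequence {seq}")
    if len({p["xid"] for p in pkts}) != 1:
        issues.append("transaction IDs differ between packets")
    for p in pkts:
        srv, gw = p.get("server"), p.get("gw")
        if srv and srv not in dhcp_servers:   # assumed node set passed by caller
            issues.append(f"lease from unexpected DHCP server {srv}")
        if gw and gw != carp_vip:
            issues.append(f"gateway {gw} is not the CARP VIP {carp_vip}")
    return (not issues, issues)
```

Feed it the full output of `tcpdump -i <interface_ID> -pvn port 67 and port 68` (saved with `-w` and replayed with `-r`, or redirected to a file); extra option lines tcpdump prints are ignored.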

Check that your VM has internet access

  1. Start jump-server from the Rescue CD by selecting the default boot option, Boot SystemRescue using default options, from the SystemRescue main menu.

  2. Start the SystemRescue GUI by running the startx command.

  3. In the bottom-right corner of the GUI screen, click the Firefox icon to open the web browser.

  4. In the address bar, enter the hypervisor address, e.g., https://192.168.1.50/.

  5. On the authentication page, enter root for username and use the password you set when installing ESXi.

  6. In the left-hand main menu, select Virtual Machines. Select the opnsense-tester-vm VM.

  7. In the window that opens, click in the VM preview box and expand it to full screen. Do the following in the VM terminal window:

    1. To authenticate, enter the username and password you set when creating the VM.

    2. Make sure the VM has an IP address assigned:

      ip a
      

      Result:

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
              valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host noprefixroute
              valid_lft forever preferred_lft forever
      2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
          link/ether 00:0c:29:86:04:10 brd ff:ff:ff:ff:ff:ff
          altname enp3s0
          inet 192.168.1.153/24 metric 100 brd 192.168.1.255 scope global dynamic ens160
              valid_lft 459sec preferred_lft 459sec
          inet6 fe80::20c:29ff:fe86:d410/64 scope link
              valid_lft forever preferred_lft forever
      

      The ens160 network interface got the IP address 192.168.1.153 from the DHCP server.

    3. Install the net-tools and traceroute packages:

      sudo apt install net-tools traceroute
      
    4. Check the routing table:

      netstat -rn
      

      Result:

      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 ens160
      77.88.8.8       192.168.1.254   255.255.255.255 UGH       0 0          0 ens160
      192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ens160
      192.168.1.254   0.0.0.0         255.255.255.255 UH        0 0          0 ens160
      
    5. Ping any external address, e.g., 1.1.1.1:

      ping -c 3 1.1.1.1
      

      Result:

      PING 1.1.1.1 (1.1.1.1): 56 data bytes
      64 bytes from 1.1.1.1: seq=0 ttl=55 time=2.252 ms
      64 bytes from 1.1.1.1: seq=1 ttl=55 time=2.354 ms
      64 bytes from 1.1.1.1: seq=2 ttl=55 time=2.363 ms
      
      --- 1.1.1.1 ping statistics ---
      3 packets transmitted, 3 packets received, 0% packet loss
      round-trip min/avg/max = 2.252/2.323/2.363 ms
      
    6. Trace the route to any external address, e.g., 1.1.1.1:

      traceroute -n 1.1.1.1
      

      Result:

      traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
       1  192.168.1.253  0.223 ms  0.176 ms  0.147 ms
       2  94.126.204.142  2.914 ms  3.193 ms  *
       3  *  *  *
       4  *  *  *
       5  *  *  *
       6  *  *  *
       7  *  *  *
       8  195.208.209.7  2.697 ms  *  *
       9  *  62.115.139.123  12.950 ms  *
      10  *  *  *
      11  *  *  *
      12  *  *  *
      13  *  *  *
      14  1.1.1.1  1.725 ms  *  *
      

The test results show that your VM has access to the internet.

How to delete the resources you created

  1. Delete the objects you created in the bucket, then delete the bucket itself.
  2. You cannot delete BareMetal servers. Instead, cancel the renewal of their lease.
