Custom VM network

Create a custom network vmnetX in VMware Fusion’s network settings. Uncheck “Provide addresses on this network via DHCP” (the OPNsense VM will be the DHCP server on this network) and keep “Connect the host Mac to this network” checked. Do this before any VM connected to the network is started.

When the OPNsense VM is started, VMware Fusion creates a bridge10Y network interface on the host. If you checked “Connect the host Mac to this network”, the host is given the first host address of the subnet you configured for vmnetX, normally .1.

Note that the host does not run a DHCP client on the custom network: its address on vmnetX is fixed by VMware and cannot be assigned by the DHCP server in your VM.

Create OPNsense VM

  1. Connect two network interfaces to the VM.
    1. Connect the first network adapter to your custom network vmnetX.
    2. Connect the second network adapter to NAT “Share with my Mac”.
  2. Boot the OPNsense VM.
  3. Configure WAN and LAN interfaces.
    1. Accept the default interface assignment on first boot: em0 (the first adapter, on vmnetX) becomes LAN and em1 (the second adapter, on NAT) becomes WAN.
    2. Set the LAN interface IP address to an address in the vmnetX subnet, using .2 or later, because the host Mac already holds .1.
    3. Configure the DHCP server on LAN.
      1. Set the IPv4 client address range to .100 through .199 of the same subnet.
      2. You can inspect the result in /conf/config.xml before and after the change.
      3. If you skip the DHCP configuration, OPNsense keeps its default range of 192.168.1.100 to 192.168.1.199, which no longer matches the LAN subnet you just set.
    4. Select N for other options and finish the LAN interface setup.
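The addressing decisions in the steps above (host at .1, firewall at .2 or later, DHCP pool inside the same subnet and excluding both) are easy to get wrong, in particular the stale default DHCP range. The script below is an added example, not part of these notes or of OPNsense: it reads the interfaces/lan and dhcpd/lan elements of a config.xml (the layout OPNsense uses) and reports any inconsistency. The XML is constructed sample data, and the assumption that the Mac holds the .1 address is encoded in VMNET_HOST_OFFSET.

```python
"""Sanity-check the LAN/DHCP addressing in an OPNsense config.xml against the vmnetX plan.

Added example, not part of the original notes or of OPNsense. Assumes the
config.xml layout OPNsense writes (interfaces/lan/ipaddr, interfaces/lan/subnet,
dhcpd/lan/range/from|to) and a VMware custom network where the host holds .1.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: LAN was changed to 192.168.50.2/24 in the console setup,
# but the DHCP range still carries the OPNsense default (192.168.1.100-199).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <lan>
      <if>em0</if>
      <enable>1</enable>
      <ipaddr>192.168.50.2</ipaddr>
      <subnet>24</subnet>
    </lan>
    <wan>
      <if>em1</if>
      <enable>1</enable>
      <ipaddr>dhcp</ipaddr>
    </wan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <range>
        <from>192.168.1.100</from>
        <to>192.168.1.199</to>
      </range>
    </lan>
  </dhcpd>
</opnsense>
"""

VMNET_HOST_OFFSET = 1  # assumption: the Mac takes the first host address (.1) of vmnetX


def lan_plan(config_xml: str) -> dict:
    """Extract the LAN address, LAN network and DHCP pool from a config.xml string."""
    root = ET.fromstring(config_xml)
    lan = root.find("interfaces/lan")
    addr = ipaddress.ip_address(lan.findtext("ipaddr"))
    prefix = int(lan.findtext("subnet"))
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    dhcp = root.find("dhcpd/lan")
    pool = None
    if dhcp is not None and dhcp.findtext("enable") == "1":
        pool = (ipaddress.ip_address(dhcp.findtext("range/from")),
                ipaddress.ip_address(dhcp.findtext("range/to")))
    return {"lan_addr": addr, "network": network, "pool": pool}


def check_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = plan["network"]
    host_addr = net.network_address + VMNET_HOST_OFFSET
    lan_addr = plan["lan_addr"]
    if lan_addr == host_addr:
        problems.append(f"LAN address {lan_addr} collides with the host Mac at {host_addr}")
    pool = plan["pool"]
    if pool is None:
        problems.append("DHCP server on LAN is not enabled")
    else:
        lo, hi = pool
        if lo not in net or hi not in net:
            problems.append(f"DHCP range {lo}-{hi} is outside LAN subnet {net}")
        elif lo > hi:
            problems.append(f"DHCP range {lo}-{hi} is reversed")
        else:
            # The pool must not hand out the Mac's or the firewall's own address.
            for who, a in (("host Mac", host_addr), ("firewall LAN address", lan_addr)):
                if lo <= a <= hi:
                    problems.append(f"DHCP range {lo}-{hi} includes the {who} at {a}")
    return problems


if __name__ == "__main__":
    for line in check_plan(lan_plan(SAMPLE_CONFIG)) or ["plan is consistent"]:
        print(line)
```

Run it against the real file with the same functions after copying /conf/config.xml off the VM; the sample above reproduces exactly the stale-range situation described in the last step.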

Setup wizard

In Firefox’s Certificate Manager, add a permanent exception for the self-signed certificate served at https://x.x.x.2 (the LAN address you chose for the VM).

Then log in to the web GUI as root and follow the setup wizard. The default password is opnsense; change it during the wizard.

Unbound DNS

“Use system nameservers” in Services→Unbound DNS→Query Forwarding is disabled by default, meaning that Unbound resolves queries itself, recursively, starting from the root DNS servers.

If enabled, Unbound instead forwards queries to the DNS servers entered in System→Settings→General, or to those obtained via DHCP or PPP on WAN if “Allow DNS server list to be overridden by DHCP/PPP on WAN” is checked.

Block access to private networks on WAN

In order to block LAN from accessing private networks on WAN, first you need to create an alias in Firewall→Aliases that represents the networks you want to block.

Create an alias of type Network(s) named rfc1918_private_networks containing the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and click “Apply”.

Then add a rule on the LAN interface (direction in, action Block, source LAN net) whose destination is rfc1918_private_networks. Rules are matched first-hit, so move it above the “Default allow LAN to any rule” entries, otherwise the default pass rule wins and the block never fires. Click “Apply changes.”

The firewall’s own LAN address lies inside RFC 1918 space, so this block rule would also cut LAN hosts off from the Unbound DNS server. Add a Pass rule above it that allows incoming TCP/UDP packets to destination “LAN address” on port 53 (DNS). The web GUI stays reachable through the automatic anti-lockout rule, but DNS is not covered by it. If you want LAN hosts to communicate with each other, add a similar Pass rule with “LAN net” as the destination and the port range they need.
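Because everything here depends on rule order, it helps to see the first-match evaluation spelled out. The script below is an added example, not part of these notes and not OPNsense code: it models pf’s first-match semantics over the LAN rule set described above and runs a few constructed packets through a correct and an incorrect ordering. The LAN subnet 192.168.50.0/24, the firewall LAN address 192.168.50.2, the rule names and the anti-lockout ports (22/80/443) are assumptions.

```python
"""First-match evaluation of the LAN rule set described above.

Added example: not part of the original notes and not OPNsense code. It models
the first-match semantics of the pf rule set OPNsense generates, for a few
constructed packets, so the effect of rule ordering is visible. The LAN address
192.168.50.2, the rule names and the anti-lockout ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_ADDRESS = ipaddress.ip_address("192.168.50.2")  # assumed firewall LAN IP

# Contents of the rfc1918_private_networks alias from Firewall > Aliases
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
LAN_ADDRESS_ONLY = [ipaddress.ip_network(f"{LAN_ADDRESS}/32")]


@dataclass
class Rule:
    """One LAN-interface rule, direction in; source LAN net is implicit here."""
    name: str
    action: str                   # "pass" or "block"
    dst_nets: list                # destination networks the rule matches
    dports: Optional[set] = None  # None matches any destination port
    protos: Optional[set] = None  # None matches any protocol

    def matches(self, proto: str, dst: ipaddress.IPv4Address, dport: int) -> bool:
        if self.protos is not None and proto not in self.protos:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return any(dst in net for net in self.dst_nets)


def evaluate(rules, proto, dst, dport):
    """Return (action, rule name) of the first matching rule; pf's default is block."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action, rule.name
    return "block", "implicit default deny"


# Automatic rule kept at the top of LAN (assumed ports) so the GUI stays reachable
ANTI_LOCKOUT = Rule("anti-lockout", "pass", LAN_ADDRESS_ONLY, {22, 80, 443}, {"tcp"})
ALLOW_DNS = Rule("pass DNS to LAN address", "pass", LAN_ADDRESS_ONLY, {53}, {"tcp", "udp"})
BLOCK_PRIVATE = Rule("block LAN net to rfc1918_private_networks", "block", RFC1918)
DEFAULT_ALLOW = Rule("Default allow LAN to any rule", "pass", ANY)

CORRECT_ORDER = [ANTI_LOCKOUT, ALLOW_DNS, BLOCK_PRIVATE, DEFAULT_ALLOW]
WRONG_ORDER = [ANTI_LOCKOUT, BLOCK_PRIVATE, ALLOW_DNS, DEFAULT_ALLOW]  # DNS pass below the block

# Constructed sample packets from a LAN host: (protocol, destination, destination port)
SAMPLE_PACKETS = [
    ("udp", "192.168.50.2", 53),    # DNS query to Unbound on the firewall
    ("tcp", "192.168.50.2", 443),   # web GUI on the firewall
    ("tcp", "10.1.2.3", 80),        # a private address reachable via WAN
    ("tcp", "93.184.216.34", 443),  # ordinary Internet HTTPS
]


def decisions(rules):
    """Action taken for each sample packet under the given rule order."""
    return [evaluate(rules, *pkt)[0] for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for pkt, verdict in zip(SAMPLE_PACKETS, decisions(rules)):
            print(label, pkt, verdict)
```

With the correct order only the private-range destination is blocked; with the block rule placed above the DNS pass rule, the DNS query to the firewall is blocked as well, which is the symptom you see on LAN hosts when the pass rule is missing or in the wrong place.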