equipment:fw4c_opnsense

This is an old revision of the document!


Setup OPNsense on Protectli FW4C

This will guide you through the setup of OPNsense on a Protectli FW4C Vault.

Install OPNsense

  • Download software from https://www.opnsense.org/download/
    • System architecture: amd64
    • image type: vga
  • Use balenaEtcher or another USB boot-drive creator to write the install image to a USB drive.
  • Turn on the device and boot from USB to load the installer.
  • Log in as 'installer' with password 'opnsense'.
  • Select the keyboard layout, choose Install (UFS), select the hard drive, accept the swap prompt, change the password, and reboot with the USB drive unplugged.
  • Plug into the LAN port (see the note below for the FW4C) and navigate to 192.168.1.1
    • NOTE: OPNsense assigns ports right to left as LAN, WAN, but the Protectli FW4C labels them right to left as WAN, LAN. So you will have to plug into the port labelled WAN for this initial login; we will swap the ports in software afterwards so that the labels match up.
  • log in using 'root' and the password you set during install

Connect

  • Plug in using PoE injection or the 12V 0.5A power adapter
  • Connect the computer to ETH0
  • Set up the computer with a 192.168.1.XXX address
  • Connect to EdgeRouter at 192.168.1.1 (note: I don't actually use this IP block)
  • You will probably need to accept any exceptions / agree to connect
  • Login with “ubnt” “ubnt”

Initial Setup

  • Run Wizards
  • Choose WAN+2LAN2: this makes eth0 the internet port and, with “Only use one LAN” checked, makes the other 4 ports a single network
    • DHCP
    • Enable the default firewall
    • Only use one LAN
  • Apply, Apply Changes, Reboot
  • Must now plug computer into port 1, 2, 3, or 4
  • Must now plug internet connection into port 0
  • Navigate back to 192.168.1.1
  • Login with “ubnt” “ubnt”
  • This service provider requires traffic from the ONT to go to a router set to VLAN 201
  • From Dashboard click Add Interface –> Add VLAN
    • VLAN ID: 201
    • Interface: eth0
    • Description: Internet
    • MTU: 1500
    • Address: Use DHCP

Update firmware from EdgeRouter site

  • Download latest firmware
  • Go to “System”
  • Click the “Upload a file” button in the “Upgrade System Image” section
  • Select file
  • Reboot

Firewall/NAT

Port Forwarding

  • WAN interface: eth0 (or eth0.201 if applicable)
  • Hairpin NAT: enabled
  • LAN interface: switch0
  • Port Forwarding rules if using unraid / Nginx:
    Original port  Protocol  Forward-to address  Forward-to port  Description
    80             Both      192.168.1.X         180              HTTP tomcat
    443            Both      192.168.1.X         1443             HTTPS tomcat
    22             Both      192.168.1.X                          SSH brimble
  • Port Forwarding rules if standalone:
    Original port  Protocol  Forward-to address  Description
    80             Both      192.168.1.X         HTTP tomcat
    443            Both      192.168.1.X         HTTPS
    22             Both      192.168.1.X         SSH brimble
    32400          Both      192.168.1.X         Plex

Firewall Policies

  • Setup VPN:
    • Log in to the command line using the CLI button or SSH
    • Enter configuration mode
      configure
    • Add firewall rules for the L2TP traffic
      set firewall name WAN_LOCAL rule 30 action accept
      set firewall name WAN_LOCAL rule 30 description ike
      set firewall name WAN_LOCAL rule 30 destination port 500
      set firewall name WAN_LOCAL rule 30 log disable
      set firewall name WAN_LOCAL rule 30 protocol udp
      
      set firewall name WAN_LOCAL rule 40 action accept
      set firewall name WAN_LOCAL rule 40 description esp
      set firewall name WAN_LOCAL rule 40 log disable
      set firewall name WAN_LOCAL rule 40 protocol esp
      
      set firewall name WAN_LOCAL rule 50 action accept
      set firewall name WAN_LOCAL rule 50 description nat-t
      set firewall name WAN_LOCAL rule 50 destination port 4500
      set firewall name WAN_LOCAL rule 50 log disable
      set firewall name WAN_LOCAL rule 50 protocol udp
      
      set firewall name WAN_LOCAL rule 60 action accept
      set firewall name WAN_LOCAL rule 60 description l2tp
      set firewall name WAN_LOCAL rule 60 destination port 1701
      set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
      set firewall name WAN_LOCAL rule 60 log disable
      set firewall name WAN_LOCAL rule 60 protocol udp
    • Configure the server authentication settings
      set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
      set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
      
      set vpn l2tp remote-access authentication mode local
      set vpn l2tp remote-access authentication local-users username <username> password <secret>
    • Define the IP address pool
      set vpn l2tp remote-access client-ip-pool start 192.168.100.90
      set vpn l2tp remote-access client-ip-pool stop 192.168.100.99
    • Define DNS server(s) used by VPN
      set vpn l2tp remote-access dns-servers server-1 <address> (currently 8.8.8.8)
      set vpn l2tp remote-access dns-servers server-2 <address> (currently 8.8.4.4)
    • Define WAN interface which will receive L2TP requests (this one is for DHCP, see link for others)
      set vpn l2tp remote-access dhcp-interface eth0
    • Define IPsec interface
      set vpn ipsec ipsec-interfaces interface eth0
    • Commit changes and save
      commit ; save
  • Parental Controls
    • Add Ruleset
    • Add New Rule
      • Enter Description (Xbox)
      • Action: Drop
      • Protocol: All protocols
      • State: All checked
      • IPsec: Don't match on IPsec packets
      • P2P: None
      • Enter MAC Address of item in Source
      • Set Start Time and Stop Time (UTC)
    • Configuration
      • Description: Parental Controls
      • Default Action: Accept
    • Interfaces
      • Interface: switch0
      • Direction: in
    • Repeat for each device you would like to limit
      • Xbox
      • VizioTV
      • AppleTVLR
      • J3DS
      • M3DS
      • WiiU
      • NintendoSwitch
  • NAT
    • default
  • Firewall/NAT groups
    • default
  • Guest network setup: turn on Guest Hotspot in UniFi, create a new wifi network and select “guest” as the type.
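As an added example (not from this page or the EdgeRouter project), a small Python audit that parses EdgeOS `set firewall` commands such as the VPN rules above and flags WAN_LOCAL accept rules that drift from the intended L2TP/IPsec set, including the case where udp/1701 is accepted without `ipsec match-ipsec`. The sample configuration is constructed; `parse_rules`, `audit_wan_local` and `ALLOWED` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: WAN_LOCAL rules from this page (log/description lines omitted)
# plus a drifted rule 70 that accepts L2TP on udp/1701 without `ipsec match-ipsec`.
SAMPLE_CONFIG = """
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 protocol udp
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 destination port 1701
set firewall name WAN_LOCAL rule 70 protocol udp
"""

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")
# (protocol, destination port) pairs this page intends to accept on WAN_LOCAL.
ALLOWED = {("udp", "500"), ("esp", None), ("udp", "4500"), ("udp", "1701")}

def parse_rules(text):
    """Group `set firewall name <chain> rule <n> <key...> <value>` lines by rule."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, num, rest = m.groups()
        # Multi-word keys ('destination port') join; last token is the value (descriptions on this page are one word).
        *key, value = rest.split()
        rules[(chain, int(num))][" ".join(key)] = value
    return dict(rules)

def audit_wan_local(rules):
    """Return findings for WAN_LOCAL accept rules that widen the intended policy."""
    findings = []
    for (chain, num), attrs in sorted(rules.items()):
        if chain != "WAN_LOCAL" or attrs.get("action") != "accept":
            continue
        proto, port = attrs.get("protocol"), attrs.get("destination port")
        if (proto, port) not in ALLOWED:
            findings.append(f"rule {num}: accepts {proto}/{port}, not in intended set")
        # Raw L2TP must only be accepted when it arrives inside the IPsec tunnel.
        if port == "1701" and attrs.get("ipsec") != "match-ipsec":
            findings.append(f"rule {num}: udp/1701 accepted without 'ipsec match-ipsec'")
    return findings
```

Feed it the output of `show configuration commands` from the router to compare the live ruleset against the set above.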

Services

  • DHCP Server
    • Static MAC/IP Mapping
      brimNAS          192.168.1.4
      BrimblecomAP     192.168.1.5
      BrimDownstairsAP 192.168.1.6
      hoobs            192.168.1.7
    • Details
      • Range Start 192.168.1.100
      • Range Stop 192.168.1.255
      • Router 192.168.1.1
      • DNS
        • 192.168.1.1 to use ISPs
        • 192.168.1.2 if using PiHole
        • 8.8.8.8 / 8.8.4.4 (or others) if hardcoding
  • DNS
    • Cache Size 150
    • Interface switch0
    • Dynamic DNS (new)
      • Interface: eth0.201
      • Service: easydns
      • Hostname: brimble.com
      • Login: mdbrim
      • Password: “easydns token”
      • Protocol: easydns
      • Server: BLANK!
    • Dynamic DNS (old)
      • Interface: eth0
      • Service: noip
      • Hostname: brimble.com
      • Login: mdbrim
      • Password: “noip password”
      • Protocol: noip
      • Note: if more are needed (they shouldn't be), choose Custom as the service and name them noip2, noip3, etc.

Other Settings

Hardware offload

User setup

  • Use “Users” button to change username / password

PoE Passthrough

  • Use “Actions/PoE” button on eth4 line on “Dashboard”
    • PoE: Passthrough
    • Save
equipment/fw4c_opnsense.1700516339.txt.gz · Last modified: by dirk