OPNsense Beginner to Professional E-Book

OPNsense Beginner to Professional

Protect networks and build next-generation firewalls easily with OPNsense

Julio Cesar Bueno de Camargo

BIRMINGHAM—MUMBAI

OPNsense Beginner to Professional

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Arun Nadar

Content Development Editor: Nihar Kapadia

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Hemangini Bari

Production Designer: Prashant Ghare

Marketing Coordinator: Hemangi Lotlikar

First published: June 2022

Production reference: 1180522

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80181-687-8

www.packt.com

To the memory of my father, Nivaldo B. de Camargo, my life's sensei. To my wife, who always encourages and supports me with her unconditional love and dedication, and our daughter, Maria Catarina, our little angel! To all friends (especially the Cloudfence team!) and family who supported me during this journey! To God, for keeping me standing to face life's challenges.

– Julio Cesar B. de Camargo

Contributors

About the author

Julio Cesar Bueno de Camargo is a cybersecurity professional with 15+ years of experience working with open source software. He started with Conectiva Linux and later became the official instructor helping dozens of students. As an aviation enthusiast and airplane pilot, he strives to bring all the aviation best practices to his professional routine.

Julio started working with OPNsense in 2016, contributing to the project with code, official forum moderation, articles, a Udemy course, and promotions in Brazil and Europe. He founded CloudFence in 2018, a cybersecurity start-up and a Luso-Brazilian-managed security services firm with an open source DNA. As its CTO, Julio aims to spread open source security as a service to companies from different parts of the world.

First, I want to thank my wife, the love of my life, Maria Eugenia, she always makes me believe! To our baby, Maria Catarina, daddy loves you! Also, I want to thank tech reviewers Franz Fabian and Nicolas Goralski ... and all the Packt team! To the OPNsense community that maintains this fantastic open source security project! To my teammates at Cloudfence. Last but not least, my friends and family were essential in motivating me to write this book!

About the reviewers

Fabian Franz BSc is a senior software developer (mainly working in the Jakarta EE / Spring and JavaScript environment nowadays) who has a strong security background. He was a pupil at HTL Dornbirn when his team won the Austrian Cyber Security Challenge national final. He continued studying for a bachelor's degree in Sichere Informationssysteme (secure information systems) at the University of Applied Sciences Upper Austria – Campus Hagenberg.

While Fabian was studying at the university, at some point, he read an article about a new firewall appliance on the internet. He was interested and started contributing quite quickly. Since then, he has written a few OPNsense plugins (such as the os-nginx plugin, covered in this book).

I have to thank all my teachers, who always taught me more than needed, which helped me to learn more to become an expert in specific areas. I also have to thank all those developers of open source software / free software out there whose software I use daily and which makes a firewall distribution such as OPNsense or a Linux distribution possible. A special thanks also to Ad and Franco for all the help I got when I learned how OPNsense works.

Nicolas Goralski is a Linux system engineer with over 24 years of experience in various companies.

Nicolas has a global vision of IT architectures to better understand business projects and propose the best economic and technical approach to achieve customer satisfaction.

Motivated by the leitmotiv Keep It Simple, Stupid (KISS) and what can be automated must be automated, Nicolas uses open source technology as much as he can to fulfill his duty.

To my wife, Isabelle, who has believed in me for years and who supports me, I love you.

To my kids, who try to understand what I do, and the fact that I'm not always playing on my computer.

To my family and friends, thank you for everything you have given me.

To Packt Publishing, thank you for giving me the opportunity to review this book.

To all the network packets that I've blocked, it's not personal, it's business.

Table of Contents

Preface

Section 1: Initial Configuration

Chapter 1: An OPNsense Overview

About the OPNsense project

Project history

A new project with a lot of improvements on old code

Rock-solid FreeBSD – HardenedBSD

FreeBSD

Why OPNsense?

My personal experience

Features and common deployments

Core features

Common deployments

Where to get help?

Some facts

Summary

Chapter 2: Installing OPNsense

Technical requirements

Versions and requirements

Versioning

Hardware

Downloading and installing OPNsense

Configuring VirtualBox to install OPNsense

Mounting the OPNsense ISO file

Installing OPNsense

Unmounting the ISO installation file

Setting up a LAN network

Configuring network interfaces

Updating firmware

Checking for system updates in WebGUI

Checking system updates using the CLI

Installing plugins

Advanced – Accessing the CLI through SSH

FreeBSD packages

PKG basic operations

Summary

Chapter 3: Configuring an OPNsense Network

Technical requirements

Hardware considerations

FreeBSD NIC names

The ifconfig command

Basic network configuration

WebGUI – network interface configuration

Assigning network interfaces

Overview of the network interface

Types of interfaces

Bridge

GIF

GRE

LAGG

Loopback

VLAN

VXLAN

Proposed exercise – creating another type of network interface

Exploring virtual IPs

IP alias

CARP

Proxy ARP

Proposed exercise – creating a virtual IP address

Network diagnostics and troubleshooting

True story – how to use ARP Table diagnostics

Common issue – local network hosts can't open websites

Summary

Chapter 4: System Configuration

Technical requirements

Managing users and groups

Creating users and groups

External authentication

Certificates – a brief introduction

General settings

The administration page

The General page

About OPNsense logging

Advanced settings

Cryptography settings

Configuration backup

Summary

Section 2: Securing the Network

Chapter 5: Firewall

Technical requirements

Understanding firewalling concepts

A stateful firewall

The Packet Filter

Firewall aliases

Importing and exporting aliases

The firewall rules

The rule processing order

Rule actions

Firewall settings

Diagnostics and troubleshooting

Troubleshooting

Summary

Chapter 6: Network Address Translation (NAT)

Technical requirements

NAT concepts

Port forwarding

Caveats

Creating a port forwarding rule

Outbound NAT

NAT outbound modes

Adding an outbound NAT rule

One-to-one NAT

Adding a one-to-one NAT rule

Summary

Chapter 7: Traffic Shaping

Technical requirements

Introduction to traffic shaping

dummynet and ipfw – a brief introduction

Possible scenarios

Controlling hosts' and users' bandwidth usage

Protocol prioritization

Creating rules

Monitoring

Summary

Chapter 8: Virtual Private Networking

Technical requirements

OPNsense core VPN types

IPSec

OpenVPN

IPsec versus OpenVPN

Site-to-site deployments using IPsec

Phase 1 configuration

Phase 2 configuration

IPSec BINAT

IPSec diagnostics

VPN deployments using OpenVPN

Site-to-site deployment

Remote user deployment

OpenVPN diagnostics

OpenVPN is connected but the traffic is not reaching the tunnel's destinations

OpenVPN client is not connecting to the server/a site-to-site tunnel doesn't become up

A single user cannot connect

Summary

Chapter 9: Multi-WAN – Failover and Load Balancing

Technical requirements

Failover and load balancing

Failover

Creating gateway groups

Policy-based routing

Creating a firewall rule to enable the failover configuration

Load balance

Troubleshooting

Summary

Chapter 10: Reporting

Technical requirements

System health graphs

RRDtool and health graphs

Understanding Netflow and how to use it

Configuring Netflow in OPNsense

Exploring real-time traffic

Troubleshooting common problems in the network using Netflow and graphs

Summary

Section 3: Going beyond the Firewall

Chapter 11: Deploying DHCP in OPNsense

Technical requirements

DHCP concepts

DHCP server

DHCP relay

Diagnostics

Summary

Chapter 12: DNS Services

Technical requirements

Core DNS services

Default DNS resolvers on OPNsense

DNS plugins

DDNS

Troubleshooting

Making a DNS lookup using the CLI

Summary

Chapter 13: Web Proxy

Technical requirements

Web proxy fundamentals

The explicit method

The transparent method

Why use a web proxy?

OPNsense web proxy core features

Basic configuration

Custom error pages

Configuring a web proxy with the explicit method

Testing the web proxy

Transparent web proxy configuration

Additional web proxy configurations

Web filtering

Web filtering practice

Web filtering – final thoughts

Reading logs and troubleshooting

Log files

Web proxy service issues

Summary

Chapter 14: Captive Portal

Technical requirements

Captive Portal concepts

OPNsense Captive Portal implementation

Setting up a guest network

Testing the configuration

Using voucher authentication

Web proxy integration

Common issues

HTTPS page redirection while using the Captive Portal

Summary

Chapter 15: Network Intrusion (Detection and Prevention) Systems

Technical requirements

IDS and IPS definition

Suricata and Netmap

Rulesets

Configuration

Testing

SSL fingerprint

Troubleshooting

Summary

Chapter 16: Next-Generation Firewall with Zenarmor

Technical requirements

Layer7 application control with Zenarmor

Choosing a Zenarmor edition

Hardware requirements

Paid subscriptions

Installing and setting up the Zenarmor plugin

Summary

Chapter 17: Firewall High Availability

Technical requirements

High availability concepts

Active-active and active-passive modes

CARP – how it works

The preempt behavior

Configuring high availability

Proposed scenario

Testing the HA configuration

Caveats

Summary

Chapter 18: Website Protection with OPNsense

Technical requirements

Publishing websites to the world

About the NGINX plugin

NGINX

Installing and configuring the NGINX plugin

Adding WAF rules

Troubleshooting

Testing for configuration issues

Logs reading

Summary

Chapter 19: Command-Line Interface

Technical requirements

Directory structure

Managing the backend daemons

Useful system commands

Advanced customization

Customizing the XML configuration file

Filtering log files

Filtering logs

Summary

Chapter 20: API – Application Programming Interface

Technical requirements

Concepts

Setting up API keys

API calls

GET method example

POST method example

Summary

Other Books You May Enjoy

Section 1: Initial Configuration

In this part, we will explore OPNsense's characteristics and features, install and configure it, take a look at some networking concepts, configuration, troubleshooting, and see how to configure and manage the system.

This part of the book comprises the following chapters:

Chapter 1: An OPNsense Overview

This chapter will introduce you to the OPNsense project, tell you about its history, license, and fork motivations, and where you can find help if you need it. Before installing and configuring your own OPNsense installation, it is essential to learn about some concepts and how the OPNsense project was started. We will also learn about FreeBSD, and its fork, HardenedBSD, exploring OPNsense features and the typical deployments scenarios that we can use it.

In this chapter, we're going to cover the following main topics:

About the OPNsense project

To introduce you to the OPNsense project, I'll first need to tell a bit of my story and how I fell in love with it.

Project history

To tell the OPNsense story, we need to go back to 2003, when the initial release of m0n0wall was released. The main goal of this project was to have FreeBSD-based firewall software with an easy-to-use web interface (based on PHP) that worked on embedded PCs and old hardware with a good performance but that was just focused on Layer 3 and Layer 4 firewalling. m0n0wall was a good achievement. Still, picky network and security admins were claiming for other features such as web proxying, intrusion detection and prevention systems, and some other features that commercial firewalls were delivering as a default Unified Threat Management Solution (UTM). So, in 2004 a new project began, a m0n0wall fork, with its first public released in 2006. The fork's name? pfSense, and, as the name suggests, it used Packet Filter (PF) as a firewall-based system instead of the ipfilter (another FreeBSD packet filter)of its predecessor. For a long time, pfSense was a unique open source firewall solution, with a big active community and constant improvements. Many network and security administrators that only accepted Linux-based firewalls (yes, I was one of them too!) started to migrate to this FreeBSD-based firewall. These two projects coexisted until 2015, when m0n0wall was discontinued. There were signs of discontent back then; part of the pfSense community was not happy with some things such as changes in licenses and the direction the project was heading in.

Back in 2014, a brave group of developers decided to fork from pfSense and m0n0wall and started the OPNsense project. The first official release was in January 2015, inheriting a lot of code from its predecessors. Still, with a very ambitious plan to change how a lot of things were being done, OPNsense quickly rose as a pfSense alternative and received an important recommendation from the m0n0wall founder, Manuel Kasper, encouraging users from his project to migrate to OPNsense. It was the start of one of the best open source firewall projects.

A new project with a lot of improvements on old code

The following are some of the key features that OPNsense came with:

Talking about versions, we need to introduce you to the flavor available:

If you don't have any reason to choose LibreSSL, I'll advise you to pick the default one, OpenSSL. We will talk more about versions and installation media in the next chapter.

Talking about improvements, we must speak of the project architecture, starting with the frontend, the Phalcon PHP framework. This framework is used to implement webGUI and its APIs (another considerable improvement compared with its predecessors). It will do the work to render and control all that you can see and do using your web browser to manage your OPNsense.

The OPNsense framework also contains a backend, which is a Python-based service, also known as configd. This backend service will be in charge of controlling services, generating daemons and service config files from Jinja2 templates, and applying these configurations to an operating system.

With this architecture, OPNsense has a significant advantage – a secure way to manage and apply configurations to an operating system without executing root commands directly from the PHP web interface (as pfSense did, for example), reducing the risk of a flaw in webGUI compromising the whole firewall system.

So, now that we know how OPNsense evolved and its benefits, let's take a look at the operating system that serves as the base to this incredible firewall platform – FreeBSD's fork, HardenedBSD. It's essential to understand how the whole system and its components work to become a good OPNsense administrator. Let's go!

Rock-solid FreeBSD – HardenedBSD

Before exploring OPNsense, let's look at its kernel: the almighty FreeBSD, the operating system that has the power to serve!

FreeBSD

First, FreeBSD isn't Linux! If you are a long-time FreeBSD user, don't be mad with me, as you probably have heard this statement before! If not and you thought that FreeBSD and Linux were the same, no problem! That is a common mistake people make. Let's first find out what FreeBSD is in a short introduction.

FreeBSD is a free and open source operating system. It is a Unix-like system but different from Linux; it is a complete operating system, including the kernel, drivers, and other user utilities and applications. Linux only includes the kernel and drivers, and everything else is built as the distribution or just distro. The FreeBSD project has an outstanding security reputation, and it has a dedicated team taking care of this at the code level. This has built a well-known reputation for a very secure operating system!

If you have never installed FreeBSD before, you must be thinking that you will use it for the first time on OPNsense, right? Not necessarily! You have probably used FreeBSD a lot already. Don't believe me? One of the strong points of the FreeBSD project is its licensing model, which is considered permissive. Add to that the system liability, robust security, and good hardware support and you have a lot of reasons to choose FreeBSD as your new product base operating system. Many companies have – Apple's macOS, iOS, and other OSes are based on FreeBSD code, Sony PlayStations 3 and 4 use it, and many network appliances make use of it too! If you have an iPhone, that also runs a FreeBSD-based operating system!

Now that we are introduced to OPNsense's operating system, let's explore why we should consider it for our network firewall.

Why OPNsense?

To give a short answer – because it is the best genuinely open source firewall project currently available!

Not satisfied with this answer? Fair enough! Let's go to the long one!

My personal experience

Back in 2009, I was a pfSense user and enthusiast when I decided to move from Linux-based firewalls to FreeBSD. Back then, I created a managed firewall service for small and medium businesses using Linux firewall distros. At that time, I was using IPCop and SmoothWall Express, two Linux-based distros. I started this project with IPCop, but I decided to move to Smoothwall Express later, from which IPCop was forked. Both were good options to run in an embedded firewall appliance with limited resources. As a long-time Linux user, I was very comfortable using something based on this operating system. I am from a time when we built firewalls using ipchains and, later, iptables scripts, without any GUI help. I know – I'm getting old! Changes were happening and the service grew, with customers demanding bigger firewall appliances with high availability capability. At this point, Linux had a problem; there was no good support for this feature, so I needed to go back to the drawing board.

From research, I have found two possible alternatives – OpenBSD and FreeBSD. The first one was a well-known security-focused operating system with a strong reputation, which looked like a great option to run as a firewall solution. However, there were some hardware compatibility limitations and a lack of a GUI to manage it. It was a crucial need that customers were asking for. I couldn't find any firewall GUI option available back then, and developing a new one as a one-person development team was not a suitable option. It was time to look at the FreeBSD choices.

By doing a quick Google search, I found a good option – m0n0wall. So, I downloaded it and started the tests! It impressed me! It was a light operating system with a good WebGUI running on a solid operating system. But at the very beginning, I found a problem – reading the official documentation, specifically on the topic of what m0n0wall is not, I discovered that it wasn't a proxy server, an Intrusion Detection System (IDS), or an Intrusion Prevention System (IPS), and losing these features was not an option! So, it was back to square one!

Googling again, I found a m0n0wall fork – a project called pfSense. It looked like a promising one, with everything I needed to implement at that time – WebGUI, high availability, and some plugins such as Squid/SquidGuard for proxying and web filtering, Snort for IDS/IPS, pf as the packet filter. Bingo! I had found what I was looking for! My first impression when testing on the PC engine-based hardware was disappointing! The performance was too low compared with the Linux options and even with m0n0wall. There were too many features for a hardware platform with few resources. Another problem to solve was that even the more powerful hardware I was testing on used a compact flash disk as mass storage, and enabling a service such as Squid for proxying and web filtering with a lot of disk writing meant that the Compact Flash (CF) card got damaged very quickly. But there was another option – installing the NanoBSD flavor of pfSense made things easier for the embedded hardware to run more smoothly, and with some coding, I was able to bypass the CF card limitations. So, I ran this solution as a firewall to many customers until 2015. That was the year I became a little bit frustrated with how the project was being driven; a lot of ideas were popping into my head, but the project community was not the same anymore. It was time for a fresh start. I even talked with some project contributors about starting a new fork, but the idea was not accepted by most of them. It was time to go back to Google to look for a good open source firewall project.

On one of these rainy days, when your creativity is low and you have no intention to code or think of a new solution, I decided to google for some open source firewall alternatives, and the results surprised me! I found something, a project called OPNsense, and it was a pfSense fork! At that moment, the sun shined on my keyboard, and I thought, that's it!! The more I read about the project history, the more convinced I became that I had found the perfect solution backing!

So, I started the tests, and it was fascinating! It was pretty easy to convert pfSense's XML configuration file to OPNsense, so my first labs were based on production systems, and the results were very satisfying. It was time to migrate the first customers to this new firewall platform. However, it had a limitation – web filtering. We had developed a custom SquidGuard plugin for pfSense, but it wasn't easy to convert it, as the webGUI was different. Fortunately, our first customers didn't need this feature. The first migration to OPNsense was a success! So, it was decided that OPNsense was the new option for our firewall appliances! Later, I developed a SquidGuard-based plugin for OPNsense, and we were able to migrate all the customers. Since then, I have moved from this company to a new one, CloudFence, and we have decided to support the OPNsense project as much as possible.

Some of the key features that led me to dive into the OPNsense project were: genuine open source motivations with the freedom that an actual open-sourced project must have – an MVC-based webGUI without direct root access to the operating system (except for legacy components), IDS and IPS with netmap support, excellent available plugins, two-factor authentication for VPN, and cloud backups, to mention just a few! The list is increasing with each new version; later, we will see each feature in detail, so don't worry about it for now!

Okay, so this book isn't a novel, but I had to tell my personal history with OPNsense because choosing an open source project as a contributor and user isn't like buying a product. It is about personal life decisions; it's about what you want to support and are passionate about, and that project was right for me. I tried to help it! This is a little bit of my personal story with OPNsense; I hope it can inspire you somehow! The whole story might need an entire book, and it isn't the purpose of this one to tell stories but rather to improve your OPNsense skills, so let's move on to OPNsense's features!

Features and common deployments

Let's dive into OPNsense's core features and the most common scenarios to deploy it.

Core features

What are the core features? The OPNsense core features all come with the default OPNsense installation, without any additional plugins.

The core features are as follows:

Important Note

Dynamic DNS is a plugin installed by default on OPNsense.

Captive portal: Talking about guest networks and controlling users to join a network, this also applies to the captive portal in OPNsense. This feature can be used with the web proxy to authorize users to use the internet and has widespread usage in hotels, airports, shopping centers, and so on.

Here are some of the other great OPNsense features:

There are many other features that can be added in OPNsense through plugins, and we will see in detail each core function and some plugins later in this book.

Note

You can obtain a full list of features at https://opnsense.org/about/features//.

Common deployments

OPNsense is very powerful and versatile and can be used in many ways. I'll try to cover the most common deployments, as follows:

There are other possible deployments, such as a web application firewall, a next-generation firewall, an advanced network router, a DNS filtering appliance, and Software Defined WAN (SD-WAN). It's not possible to cover all the possibilities in one book, but we will explore the most common ones in the following chapters.

Where to get help?

Have you had trouble or don't know how to use a feature? Didn't understand what the official documentation says? Take it easy! We are a big and strong community, and someone in it will try to help you for sure!

Some facts

While selling OPNsense-based firewall solutions in comparison to commercial firewall closed-source solutions, customers commonly ask us a question such as, "Okay! It seems that this open source solution you are offering in your service can do anything that other closed source commercials listed in the 'some magic geometrical guide' (which I will not mention the name of here) solution can do, but what about support? When we need support or an urgent security fix, who are we going to call?" Our answer? "Not the Ghostbusters!"

Okay, just kidding – but let me tell you about some of the myths that the closed source firewall vendors teach customers about open source support and how to answer them!

So, after this introduction, let's see where else we can find help:

This brings us to the end of the chapter, which has provided an overview of OPNsense.

Summary

In this chapter, you were introduced to OPNsense, its project history, versions, and the improvements made by pfSense and m0n0wall. I also shared a little bit of my history with you and why I decided to use it, with some examples. We learned about FreeBSD and what it is and is not, and about its hardened fork, HardenedBSD. We explored the OPNsense core features and typical deployments, with some examples of how you can deploy them in your network environment. Finally, we dived into support options and how to use each of them. Now that we know how OPNsense works, we can find help if needed, which versions are available, and the most common scenarios to deploy it. We will now move on to the following chapters, which will help you better understand some of the concepts discussed in this chapter more practically. In the next chapter, we will see how to install OPNsense and explore some of its features!

Chapter 2: Installing OPNsense

This chapter will be more hands-on than the first one. We will see how to install OPNsense on VirtualBox, update it, install plugins, access it from Secure Shell (SSH) and a command-line interface (CLI), and explore FreeBSD packages.

In this chapter, we will cover the following topics:

Technical requirements

You will need VirtualBox, VMware, Parallels, Qemu, or another hypervisor installed and basic knowledge of a virtual machine installation to follow the instructions in this chapter. You also will need an SSH client installed on your host machine.

Versions and requirements

To start to talk about the installation process, we first need to know more about the OPNsense versions. First of all, it is important to know that in this book, we'll focus on the Community edition. The OPNsense Business edition has some advantages for those who want to be more selective in the upgrade path, as the official documentation defines it.

Versioning

As I briefly mentioned in the first chapter, the OPNsense versioning is very simple to understand. At the time of writing this chapter, the current version is 22.1, but what does it mean?

The first part, before the dot, is the Year of the version release: 2022.

The second part, after the dot, is the Month: January (1).

In the Community edition, the versions are always released in January (1) and July (7) every year. So, for example, the next version will be in January 2022: 22.1.

But what about the Business edition? Well, the first version released this year was the 22.4 version. The next one, according to Deciso, will be in October: 22.10.

In this way, it's easy and predictable to know and plan when you will need to upgrade your OPNsense firewall. While managing firewalls, it is important to have a plan to apply security fixes without compromising network availability.

As we discussed in the last chapter, this is the firmware flavor we have:

As I mentioned in the last chapter, if you don't have any special reason to choose LibreSSL, maybe it's better to pick the default one, OpenSSL, which we'll use in this book.

Hardware

OPNsense will install on most modern x86-based hardware, but it is important to understand some concepts before installing your future firewall. We will explore the minimum requirements to install it, how to choose a good network card, and how to choose the right install image depending on the kind of disk you want to use.

Architecture

Since version 20.1, i386, also known as Intel 32 - bit architecture, was dropped, the only currently supported architecture is x86-64 or amd64 while choosing on the Download page.

Disk

If you are installing on a disk or media with limited write cycles, such as SD or CF memory cards, then it's better to choose the nano image. OPNsense will write a lot of logs on disk and it isn't a good idea to use media with limited write cycles, as it will very quickly damage disk media that wasn't designed for that. So, the nano image will by default mount the /var and /tmp directories to a RAM disk. The same can be done with other images, such as DVD, VGA, or Serial. Let's talk about them here: