OPNsense - Xs4all with separate VLAN
 - on bare metal

Configuration of an OPNsense router / firewall for ISP Xs4all (former KPN subsidiary).
This document is based on various sources on the internet (see appendix).

1. Initial login and general setup

On the laptop, open your web browser and navigate to the graphical user interface (GUI) of OPNsense; the default IP address is 192.168.1.1. OPNsense uses a self-signed certificate, so the browser will warn you about a potentially unsafe site. Follow the procedure to allow the site anyway.

Login

Once the site is loaded, you will be presented with the welcome screen and can log in. The username is root and the default password is opnsense. Once access is granted, the initial system wizard for the general setup will start.

Please note:
We will only address the settings we are going to change; all others will keep their default values.

Initial configuration wizard

After this initial login, the configuration wizard will be started. Click Next to continue.

General Information

The first screen will ask for the hostname, the domain, which language you want to use and the primary and secondary DNS server.

For the language selection, we suggest leaving it at the default, English, at least until you are more familiar with OPNsense, since most of the support on the internet and the documentation is in English.

Domain

If you like, you can change the default hostname "OPNsense" to whatever you like, as long as it is compliant (see this intro for details).

The FQDN of the domain must match the location of the router in your network. If you have a registered domain name, you will probably want to use a subdomain of that registered domain, e.g. home.mydomain.com, especially if you plan on hosting your own DNS servers or web sites.

If you don't own a registered domain, you could just use any fake domain, like lan.home to avoid potential conflicts. In any case, do not use local as is often suggested, because it is a reserved domain name.

DNS servers

For the DNS servers, you could fill in the IP addresses that you have written down earlier. But for now leave them at the default (none), which means we will use OPNsense's built-in Unbound DNS server, with fallback to the ISP's DNS servers.

Also make sure that the option Enable Resolver is checked.

When done, click Next to proceed.

Time Server Information

For the time server information, we just set the Timezone to the one that reflects our location.

When done, click Next to proceed.

Configure WAN Interface

The configuration of the WAN interface depends on the type of connection your ISP offers. For Xs4all this will be a PPPoE connection.

IPv4 Configuration type

 ➀ Select PPPoE for the IPv4 Configuration Type.

User info

Here we fill in the username and password, as we have discussed in the introduction.

 ➁ Enter FB7590@xs4all.nl for the PPPoE Username.

 ➂ Enter 7590 for the PPPoE Password.

RFC1918 and Bogon addresses

Both options are enabled by default. They block traffic arriving on the WAN interface from private (RFC 1918) and bogon source addresses. Normally, it should not be necessary to change these settings.

When done, click Next to proceed.

Configure LAN Interface

Here we will set the LAN interface's IPv4 address. Usually it is left at the default 192.168.1.1 but you might want to reconsider this. We have opted for a different, random IP address in the 172.16.0.0/12 range.

 ➃ Enter 172.18.25.1 for the LAN IP Address.

 ➄ Enter 24 for the Subnet Mask (using 255 nodes).

When done, click Next to proceed.

Set Root Password

You can set the root password now or later, but at the latest once everything is up and running. You probably don't want your "handy" family members tinkering with it.

When done, click Next to proceed.
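
The wizard values chosen above (hostname, domain, LAN address and root password) can be sanity-checked before they are typed in. The following is an added example, not part of the original guide or of OPNsense; the function name check_wizard_values and the sample passphrase are hypothetical, and the check is IPv4 only.

```python
import ipaddress
import re

# RFC 1918 private ranges; the guide picks its LAN out of 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Factory-default LAN as stated in the guide (192.168.1.1 with a /24 mask).
DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")
# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_wizard_values(hostname, domain, lan_ip, prefix_len, root_password):
    """Return a list of findings for the planned wizard input (empty = OK)."""
    findings = []
    if not LABEL.fullmatch(hostname):
        findings.append("hostname is not a valid DNS label")
    labels = domain.rstrip(".").split(".")
    if not all(LABEL.fullmatch(lab) for lab in labels):
        findings.append("domain contains an invalid label")
    if labels[-1].lower() == "local":
        findings.append("domain ends in .local, which is reserved")
    iface = ipaddress.IPv4Interface(f"{lan_ip}/{prefix_len}")
    net = iface.network
    if not any(net.subnet_of(private) for private in RFC1918):
        findings.append("LAN network is not inside an RFC 1918 range")
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append("LAN IP is the network or broadcast address")
    if net.overlaps(DEFAULT_LAN):
        findings.append("LAN overlaps the factory-default 192.168.1.0/24")
    if root_password == "opnsense":
        findings.append("root password is still the factory default")
    return findings


if __name__ == "__main__":
    # Values from this guide; the passphrase is a constructed sample.
    for finding in check_wizard_values("OPNsense", "lan.home",
                                       "172.18.25.1", 24,
                                       "constructed-Passphrase-1"):
        print("finding:", finding)
```
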

Reload

You are now asked to reload the configuration, to apply the changes you have made. Click the Reload button.

Continue with the configuration

If you have opted to change the router's IP address, your connection will now be lost and you will need to reconnect to it on the new IP address. This will again throw a security warning.

Accept the risk warning once more for our router, which is now hosted on its new IP address, after which you can log in to start with the configuration of OPNsense.

20250217-02
