Go to OPNsense downloads, select the nano image, copy the link. Download and convert the image:
wget https://mirror.ams1.nl.leaseweb.net/opnsense/releases/25.1/OPNsense-25.1-nano-amd64.img.bz2
bzip2 -d OPNsense-25.1-nano-amd64.img.bz2
qemu-img convert -f raw -O qcow2 OPNsense-25.1-nano-amd64.img opnsense.qcow2
qemu-img resize opnsense.qcow2 8G # you may choose another disk size, 8G is the minimum
mv opnsense.qcow2 /var/lib/libvirt/images/virt-install \
--name opnsense \
--os-variant freebsd14.0 \
--vcpus=2,sockets=1,cores=2,threads=1 \
--memory 4096 \
--disk path=/var/lib/libvirt/images/opnsense.qcow2 \
--network bridge=br0 \
--host-device=pci_0000_00_1f_6 \
--network type=direct,source=eth1 \
--graphics none \
--console pty,target_type=serial \
--import \
--autostart- Use
virt-install --os-variant listto see available values for--os-variant, pick FreeBSD (either matching or latest available version) - Use
--network bridge=br0to attach a bridge (useful for when you want the host to also have access to an interface, e.g. LAN)- Bridge must already exist when creating the VM
- Use
--host-device=pci_0000_00_1f_6to attach a NIC using PCI passthrough- Use
virsh nodedev-list --treeto see available device identifiers
- Use
- Use
--network type=direct,source=eth1to attach a NIC using macvtap. Can be useful if:- your host does not support PCI passthrough
- OPNsense does not support the NIC
- you want to power manage the NIC on the host
- use a single NIC for multiple VMs without a bridge
- A macvtap interface does not support VLANs. If you need VLANs on the interface (e.g. VLAN 7 on WAN for Deutsche Telekom), create a tagged interface on the host (e.g.
eth1.7) and attach the virtual interface to that instead. For managing multiple VLANs, create and attach multiple tagged interfaces, or use a VLAN-aware bridge.
The new VM's console will automatically be attached. Press Ctrl + ] to detach when you're done. Use virsh console opnsense to re-attach the console manually