Step 1:

Step 2: Build the firewall instance and a Windows instance for initial bastion host access

  • Create a single instance for OPNsense with 2 cores, 4 GB RAM and a 40 GB HDD (an SSD is not required for the firewall; see the OPNsense hardware recommendations at https://docs.opnsense.org/manual/hardware.html)
  • Add a CD-ROM drive to the instance and set its image to the OPNsense ISO previously uploaded to IONOS.  Mark the CD-ROM drive as the boot device by checking the box.
  • Reserve a public IP address within your IONOS account: https://docs.ionos.com/dcd/administration/ip-addresses#ip-manager
  • Click the plus sign on the firewall instance, then click and drag to the Internet connection to create the WAN link
  • Click the plus sign on the instance again and drag to the internal server instance to create the LAN link
  • Click on the instance and then click the Network tab on the right side
  • For NIC0, click the arrow next to “Primary IPv4”, select the previously reserved IP address from the list, then scroll down and uncheck the DHCP box
  • Scroll down in the network section to NIC1 and uncheck the box next to DHCP
  • //////////////// windows build here
  • Provision the changes
  • Once provisioning is complete, right-click on the firewall instance and select Console

Step 3: OPNsense basic configuration

  • In the console, wait for OPNsense to boot from the ISO; you should then have a login prompt.  Log in with user installer and password opnsense
  • Accept the defaults and select the first disk
  • On the final screen change the root password, then select “Apply the configuration and exit the installer”
  • In DCD select the firewall instance, right-click on the CD-ROM and select “Detach CDROM drive”
  • Select the hard drive and change the OS type on the right side from Unknown to Linux
  • Click “Provision Now”; you will be prompted to acknowledge that this will reboot the server.  Acknowledge and wait for the reboot.
  • Right-click on the firewall instance and open the console
  • Wait for the instance to boot and log in with user root and the password set during installation
  • Select option 1 “Assign interfaces”
    • Answer N to configuring VLANs
    • Enter vtnet0 for the WAN interface and press Enter
    • Enter vtnet1 for the LAN interface and press Enter
    • Do not enter anything for the optional interface; press Enter
    • Answer y to the “wish to proceed” question
  • Select option 2 “Set interface IP address”
    • Select option 1 - LAN
    • Answer N to configuring the IPv4 address via DHCP
    • Enter a private IPv4 address for the LAN interface (10.10.10.x/24 or 192.168.10.x/24 are reasonable choices); this guide uses 10.8.32.1
    • Enter 24 for the subnet mask (255.255.255.0)
    • Leave the IPv4 upstream gateway address blank (the LAN side has no upstream gateway)
    • Enter n for an IPv6 address on the LAN interface
    • Enter n for DHCP6
    • Leave the IPv6 address blank
    • Enter y to enable the DHCP server on LAN
    • Enter the desired DHCP range, e.g. 10.8.32.100 to 10.8.32.200
    • Enter n when asked to change the GUI from HTTPS to HTTP (keep HTTPS)
    • Enter n for the remaining questions about regenerating the self-signed certificate
  • Select option 2 “Set interface IP address” again
    • Select option 2 - WAN
    • Enter n for configuring via DHCP
    • Enter the IONOS reserved IP (the one assigned to NIC0 in the instance configuration), e.g. 157.97.105.37
    • Enter 24 for the subnet mask
    • Enter the WAN upstream gateway: the first three octets of your reserved IP with .1 as the final octet, e.g. 157.97.105.1
    • Enter n for using the gateway as a name server
    • Enter 1.1.1.1 (Cloudflare's DNS resolver) as the name server
    • Enter n for DHCP6
    • Leave the WAN IPv6 address blank
    • Enter N for the remaining GUI and certificate questions
  • Select option 7 “Ping Host”
    • Enter 1.1.1.1 as the address to ping
    • Verify 3 packets transmitted and 3 packets received.  If the packets time out, reboot the firewall instance from DCD and repeat the ping.

Step 4: OPNsense GUI setup

  • In IONOS DCD select the previously created “Bastion server”, then select Network on the right side and note its IPv4 address
  • On your local machine open the Remote Desktop client (Start → Run → mstsc → Enter)
  • Enter the IP address noted above and press Enter
  • Log in with username administrator and the password set when the bastion instance was created
  • In the initial Server Manager dashboard click on “Local Server” in the left nav
  • On the right-hand side, find “IE Enhanced Security Configuration” and click “On” next to it
  • In the next screen set both options to Off and click OK
  • Open Internet Explorer and download your preferred browser (the bastion is the administrative entry point to the LAN, so consider turning IE Enhanced Security Configuration back on once the browser is installed)
  • In the new browser, go to the LAN interface IP address of the firewall, e.g. https://10.8.32.1, and accept the certificate warning for the self-signed certificate
  • Log in as root with the password set earlier
  • Click Next on the guided setup prompt in the dashboard
  • Make DNS changes if desired, or click Next
  • Change the NTP server if desired, set the timezone as desired, then click Next
  • Leave the previously set WAN configuration (IP address, gateway, etc.) as is and click Next
  • Make changes or click Next on the LAN configuration
  • Change the password, or click Next to keep the current root password, then click Reload

Step 5: NAT configuration

  • In the OPNsense GUI go to Firewall → NAT → Outbound.  Select “Manual outbound NAT rule generation”, click Save, then click Apply changes
  • In the rules section, click the plus sign to add a NAT rule
  • On the next page, to apply a single outbound NAT rule for every device on the LAN segment, change only the following
    • Set “Source address” to LAN net
    • Set “Translation/target” to WAN address
    • Click Save
    • Click “Apply Changes” in the upper right corner
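As an added check covering both the console configuration in Step 3 and the outbound NAT rule in Step 5 (an example script written for this guide, not OPNsense code or part of the original notes), the following POSIX shell script can be run from the OPNsense console, option 8 “Shell”. It assumes the interface names and addresses used above (vtnet0 as WAN with 157.97.105.37 and gateway 157.97.105.1, vtnet1 as LAN with 10.8.32.1/24) and the FreeBSD tools present on OPNsense (ifconfig, netstat, pfctl, ping, drill). The NAT check matches only the interface and source network of the pfctl rule, not the translation target, since pfctl may render that part differently depending on how the rule was saved.

```shell
#!/bin/sh
# Post-configuration check for Step 3 (interfaces, default route, DNS) and
# Step 5 (outbound NAT). Added example for this guide, not OPNsense code.
# Usage from the OPNsense console, option 8 "Shell":   sh check-fw.sh run
# The values below are the ones used in this guide (assumptions); change them
# to match your own IONOS reservation and LAN range.
WAN_IF="vtnet0";        LAN_IF="vtnet1"
WAN_IP="157.97.105.37"; WAN_GW="157.97.105.1"
LAN_IP="10.8.32.1";     LAN_NET="10.8.32.0/24"

# Escape the dots of an address so it matches literally inside a regex.
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Exit 0 when the "ifconfig <if>" output on stdin carries inet address $1.
iface_has_addr() { grep -Eq "^[[:space:]]*inet $(re_ip "$1") "; }

# Exit 0 when the "netstat -rn" output on stdin has a default route via $1.
default_route_via() {
    awk -v gw="$1" '$1 == "default" && $2 == gw { ok = 1 } END { exit !ok }'
}

# Exit 0 when the "pfctl -sn" output on stdin has an outbound NAT rule on
# interface $1 for source network $2 (what Step 5 should have produced).
# Only interface and source are matched; pfctl may print the translation
# target differently depending on how the rule was saved.
nat_rule_present() { grep -Eq "^nat on $1 .*from $(re_ip "$2") "; }

# Print ok/FAIL for a check; $1 = description, $2 = exit status of the check.
report() {
    if [ "$2" -eq 0 ]; then echo "ok    $1"; else echo "FAIL  $1"; rc=1; fi
}

main() {
    rc=0
    ifconfig "$WAN_IF" | iface_has_addr "$WAN_IP"
    report "WAN $WAN_IF has address $WAN_IP" $?
    ifconfig "$LAN_IF" | iface_has_addr "$LAN_IP"
    report "LAN $LAN_IF has address $LAN_IP" $?
    netstat -rn -f inet | default_route_via "$WAN_GW"
    report "default route via $WAN_GW" $?
    pfctl -sn | nat_rule_present "$WAN_IF" "$LAN_NET"
    report "outbound NAT for $LAN_NET on $WAN_IF" $?
    ping -c 3 -t 10 1.1.1.1 >/dev/null 2>&1
    report "ping 1.1.1.1 (3 packets)" $?
    drill @1.1.1.1 opnsense.org A >/dev/null 2>&1
    report "DNS lookup through 1.1.1.1" $?
    return "$rc"
}

# Touch the live system only when asked, so the functions can also be run
# against captured command output.
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```

Run it as `sh check-fw.sh run`; without the argument it only defines the check functions. A FAIL on the NAT line right after Step 5 usually means the rule was saved but “Apply Changes” was not clicked, and a FAIL on the default route or ping line points back to the WAN gateway entered in Step 3.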

Step 6: HAProxy setup

  • Log in to the firewall and go to System → Routes → Configuration and add a 0.0.0.0/0 route via the WAN gateway
  • Go to System → Firmware → Status and check for updates
  • Apply the updates
  • Once the firewall has rebooted, go to System → Firmware → Plugins and install the os-haproxy plugin

Set up the HAProxy rules:

  • Log in to the web GUI and go to Services → HAProxy → Settings
  • Select the Real Servers tab and click the plus sign at the lower right
  • For the IP address, enter the IP address of webserver1
  • Go to Health Monitors and click the plus sign at the lower right
  • Add a health check for HTTP on port 80
  • Go to Virtual Services → Backend Pools and click the plus sign at the lower right
  • Add the real server and the health monitor, and change persistence to None
  • Add a public service (the frontend) that listens on the WAN address and uses the backend pool.  OPNsense blocks inbound connections on WAN by default, so also add a WAN firewall rule that allows traffic to the public service port, and apply the HAProxy changes.
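As an added check for the HAProxy setup above (an example script written for this guide, not part of the os-haproxy plugin or the original notes), the following POSIX shell script verifies from the OPNsense shell that the generated configuration parses, that the health monitor reports the real server UP, and that the public service answers. It assumes the plugin's configuration path /usr/local/etc/haproxy.conf and stats socket /var/run/haproxy.socket, a backend pool named web_pool containing webserver1, and a public service on the WAN address 157.97.105.37, port 80; verify those on your own installation. The CSV it parses is the standard HAProxy “show stat” format, in which field 18 is the server status.

```shell
#!/bin/sh
# Check the HAProxy setup from Step 6. Added example for this guide, not part
# of the os-haproxy plugin. Run from the OPNsense console, option 8 "Shell":
#     sh check-haproxy.sh run
# Assumptions (change to match your setup): the plugin writes its config to
# /usr/local/etc/haproxy.conf and opens the stats socket at
# /var/run/haproxy.socket; the backend pool is named "web_pool" and the public
# service listens on the WAN address, port 80.
HAPROXY_CONF="/usr/local/etc/haproxy.conf"
HAPROXY_SOCK="/var/run/haproxy.socket"
BACKEND="web_pool"
PUBLIC_URL="http://157.97.105.37/"

# Read HAProxy "show stat" CSV from stdin and print "server=STATUS" for each
# real server in backend $1 (field 18 of the CSV is the status column).
backend_server_status() {
    awk -F, -v be="$1" '
        /^#/ { next }
        $1 == be && $2 != "BACKEND" && $2 != "FRONTEND" { print $2 "=" $18 }'
}

# Exit 0 only when backend $1 has at least one real server and all are UP.
# A server still transitioning ("UP 1/3") or marked DOWN counts as not ready.
backend_all_up() {
    backend_server_status "$1" |
        awk '{ n++; if ($0 !~ /=UP$/) bad++ } END { exit (n == 0 || bad > 0) }'
}

# Exit 0 for an HTTP status that shows the public service is serving (2xx/3xx).
http_ok() { case "$1" in 2[0-9][0-9]|3[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

# Print ok/FAIL for a check; $1 = description, $2 = exit status of the check.
report() {
    if [ "$2" -eq 0 ]; then echo "ok    $1"; else echo "FAIL  $1"; rc=1; fi
}

main() {
    rc=0
    haproxy -c -f "$HAPROXY_CONF" >/dev/null 2>&1
    report "$HAPROXY_CONF passes the haproxy syntax check" $?
    echo "show stat" | nc -U "$HAPROXY_SOCK" | backend_all_up "$BACKEND"
    report "every real server in $BACKEND is UP per the health monitor" $?
    http_ok "$(curl -s -m 5 -o /dev/null -w '%{http_code}' "$PUBLIC_URL")"
    report "public service answers at $PUBLIC_URL" $?
    return "$rc"
}

# Touch the live system only when asked, so the parsing functions can also be
# run against captured "show stat" output.
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```

The curl line runs on the firewall itself, so it confirms the public service is bound and forwarding but not the WAN firewall rule; repeat the same curl from a host outside IONOS to confirm the rule. A backend that reports DOWN while webserver1 is reachable from the LAN usually means the health check port or path does not match what the web server actually serves.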

OPNsense forum discussion on a load-balancing implementation with HAProxy: https://forum.opnsense.org/index.php?topic=16484.0

GitHub: https://github.com/opnsense
