OPNsense: Installation, Configuration, and Usage
OPNsense is an open-source, FreeBSD-based firewall and routing platform forked from pfSense in 2015. It combines enterprise-grade security features — stateful packet inspection, intrusion detection, VPN, traffic shaping, and high availability — with a clean, modern web interface and a weekly release cadence that keeps it ahead of most commercial alternatives.
OPNsense runs on commodity hardware, virtual machines, and cloud instances, making it equally at home as a home lab gateway, a branch office firewall, or a data centre perimeter device.
OPNsense vs pfSense vs Commercial Firewalls
| Feature | OPNsense | pfSense CE | Fortinet / Palo Alto |
|---|---|---|---|
| License | BSD-2 open source | Apache 2.0 | Proprietary |
| Release cadence | Weekly | Irregular | Subscription |
| UI framework | MVC / Bootstrap | Legacy PHP | Proprietary |
| IDS/IPS engine | Suricata (inline) | Snort / Suricata | Built-in |
| HAProxy / load balancer | HAProxy plugin | HAProxy plugin | Built-in |
| Netflow / logging | Elastic, Syslog, Netflow | Limited | Full SIEM |
| 2FA support | TOTP, RADIUS, LDAP | RADIUS, LDAP | Full |
| API | Full REST API | Partial | Full |
| Community support | Active forums + GitHub | Active forums | Vendor support |
| Cost | Free (business subscriptions available) | Free | Expensive |
Architecture Overview
OPNsense is built on HardenedBSD (a security-hardened FreeBSD fork) and uses a layered architecture:
```
┌──────────────────────────────────────────────────────┐
│              Web GUI (HTTPS / port 443)              │
│             MVC Framework — Phalcon PHP              │
├──────────────────────────────────────────────────────┤
│                       configd                        │
│       (configuration daemon — applies changes)       │
├──────────────┬──────────────┬────────────────────────┤
│ pf (packet   │ Unbound DNS  │ Suricata IDS/IPS       │
│ filter)      │ resolver     │                        │
├──────────────┼──────────────┼────────────────────────┤
│ DHCP         │ OpenVPN /    │ HAProxy / Nginx        │
│ (Kea/ISC)    │ WireGuard    │ (plugins)              │
├──────────────────────────────────────────────────────┤
│                  HardenedBSD Kernel                  │
│        (pf firewall, VLAN, LAGG, CARP, IPsec)        │
└──────────────────────────────────────────────────────┘
```
Key subsystems:
- pf — the BSD packet filter; handles stateful firewall rules, NAT, traffic shaping
- Unbound — recursive, validating DNS resolver with DNSSEC
- Suricata — inline IDS/IPS engine (can drop malicious traffic, not just alert)
- configd — the configuration daemon that translates GUI/API changes into system configuration files
- CARP — Common Address Redundancy Protocol for high-availability failover pairs
System Requirements
Minimum
| Component | Requirement |
|---|---|
| CPU | 64-bit (amd64) — Intel or AMD |
| RAM | 1 GB (4 GB recommended for IDS/IPS) |
| Storage | 8 GB (SSD strongly recommended) |
| Network | 2 NICs minimum (WAN + LAN) |
Recommended for Production
| Component | Recommendation |
|---|---|
| CPU | 4+ cores (AES-NI for VPN acceleration) |
| RAM | 8–16 GB (more for Suricata + logging) |
| Storage | 32+ GB SSD |
| Network | Intel or Realtek NICs (avoid Broadcom for BSDs) |
Important: Enable AES-NI in BIOS/UEFI before installing. OPNsense requires it and will warn prominently if it is absent. AES-NI dramatically accelerates IPsec and OpenVPN encryption.
Installation
Download
Visit opnsense.org/download and select:
- Architecture: amd64 (x86-64)
- Image type: dvd (ISO for bare metal/VM install) or nano (pre-installed image for flash/SD)
- Mirror: choose one geographically close to you
Verify the SHA256 checksum before writing:
```
sha256sum OPNsense-24.7-dvd-amd64.iso
# Compare with the checksum published on the download page
```
Write to USB (Linux)
```
sudo dd if=OPNsense-24.7-dvd-amd64.iso of=/dev/sdX bs=4M status=progress
# Replace /dev/sdX with your USB device — verify with lsblk first
```
Installation Steps
- Boot from the USB/ISO.
- Log in as installer / password opnsense.
- Select Install (UFS) for single disk or Install (ZFS) for RAID/mirror setups (ZFS recommended for production).
- Choose the target disk.
- Select a swap partition size (4 GB is sufficient for most deployments).
- Wait for installation to complete and remove the installation media.
- Reboot.
First Boot — Console Assignment
On first boot, OPNsense presents a console menu. Before accessing the GUI, assign interfaces:
```
Select option 1: Assign interfaces
Do you want to configure LAGGs now? n
Do you want to configure VLANs now? n (configure later via GUI)
Enter WAN interface name: em0 (your internet-facing NIC)
Enter LAN interface name: em1 (your internal NIC)
Enter Optional interface: <Enter> (none for now)
```
OPNsense assigns the LAN interface 192.168.1.1/24 by default. Connect a computer to the LAN port and browse to https://192.168.1.1.
Default credentials: username root, password opnsense. Change the password immediately after first login.
Web Interface Orientation
The GUI is organised into a top navigation bar with six main menus:
| Menu | Purpose |
|---|---|
| Lobby | Dashboard, changelog, firmware updates |
| System | General settings, certificates, users, high availability |
| Interfaces | WAN, LAN, VLANs, interface groups |
| Firewall | Rules, NAT, aliases, traffic shaper, schedules |
| Services | DHCP, DNS, NTP, Unbound, dynamic DNS |
| VPN | OpenVPN, WireGuard, IPsec, L2TP |
| Reporting | Health, traffic graphs, Netflow |
| Plugins | Installable extensions (HAProxy, Suricata, Zeek…) |
Initial System Configuration
General Settings
System → Settings → General:
- Hostname: set a meaningful name (e.g. fw01)
- Domain: your internal domain (e.g. lan.example.com)
- DNS Servers: leave blank to use Unbound (recommended), or set upstream resolvers
- Timezone: set to your local timezone for accurate log timestamps
Change the Root Password
System → Access → Users → click the root user → set a strong password.
Enable Two-Factor Authentication (TOTP)
System → Access → Users → edit your admin user → enable OTP seed → scan the QR code with an authenticator app (Google Authenticator, Authy).
Then enforce 2FA under System → Settings → Administration → Authentication → require MFA for GUI login.
Interface Configuration
WAN Interface
Interfaces → WAN:
- IPv4 Configuration Type: DHCP (most ISPs), PPPoE (DSL/fibre with authentication), or Static
- IPv6 Configuration Type: DHCP6, SLAAC, or Static
- Block private networks: ✓ (enabled — drops RFC 1918 addresses arriving on WAN)
- Block bogon networks: ✓ (enabled — drops unallocated/reserved IP space)
For PPPoE (DSL):
```
Username: your-isp-username@isp.example.com
Password: your-isp-password
```
LAN Interface
Interfaces → LAN:
- IPv4 Configuration Type: Static
- IPv4 Address: 192.168.1.1/24 (or your preferred subnet)
Assign Additional Interfaces
Interfaces → Assignments → select the physical NIC from the dropdown → click + → configure via the new interface menu item.
VLANs
VLANs let a single physical NIC carry multiple isolated networks — essential for separating IoT devices, a DMZ, a guest WiFi network, and your trusted LAN.
Create VLANs
Interfaces → Other Types → VLAN → +:
| Field | Value |
|---|---|
| Parent interface | em1 (the LAN physical NIC) |
| VLAN tag | 10 |
| Description | VLAN10_TRUSTED |
Repeat for each VLAN (e.g. tag 20 for IoT, tag 30 for DMZ, tag 40 for guest).
Assign and Configure VLAN Interfaces
Interfaces → Assignments → select each new VLAN interface and assign it. Then configure each one:
- Enable: ✓
- IPv4 Type: Static
- IPv4 Address: 10.10.10.1/24 (gateway for that VLAN)
DHCP for Each VLAN
Services → DHCPv4 → select the VLAN interface:
- Enable: ✓
- Range: 10.10.10.100–10.10.10.200
- DNS: 10.10.10.1 (point to OPNsense Unbound)
- Gateway: 10.10.10.1
VLAN-Aware Switch Configuration
OPNsense handles the tagging; the downstream managed switch must be configured to trunk the tagged VLANs on the port connected to OPNsense and access-mode the ports connected to end devices.
Firewall Rules
OPNsense processes firewall rules per interface, in order from top to bottom, with the first match winning. Rules on the LAN interface govern traffic originating from the LAN. Rules on WAN govern inbound traffic from the internet.
Rule Anatomy
Each rule has:
| Field | Description |
|---|---|
| Action | Pass / Block / Reject |
| Interface | Which interface the rule applies to |
| Direction | In (ingress) / Out (egress) — almost always In |
| Protocol | TCP, UDP, ICMP, any, etc. |
| Source | IP, network, alias, or interface subnet |
| Destination | IP, network, alias, or interface subnet |
| Destination port | Single port, range, or alias |
| Log | Log matching traffic to syslog |
| Description | Human-readable note |
Default Rule Behaviour
OPNsense ships with:
- LAN → any: a default allow-all rule (permits all LAN traffic outbound)
- WAN: no inbound rules (all unsolicited inbound traffic is blocked)
Creating Rules
Firewall → Rules → LAN → +:
```
# Allow LAN to access the internet (already exists by default)
Action: Pass
Interface: LAN
Protocol: any
Source: LAN net
Destination: any
Description: Default LAN to any
```
```
# Block IoT VLAN from reaching trusted LAN
Action: Block
Interface: VLAN20_IOT
Protocol: any
Source: VLAN20_IOT net
Destination: VLAN10_TRUSTED net
Description: Block IoT to Trusted LAN
```
```
# Allow only HTTPS from DMZ to internet
Action: Pass
Interface: VLAN30_DMZ
Protocol: TCP
Source: VLAN30_DMZ net
Destination: any
Dest Port: 443
Description: DMZ HTTPS outbound only
```
Aliases
Aliases are named groups of IPs, networks, or ports — they make rules readable and maintainable:
Firewall → Aliases → +:
```
Name: RFC1918_PRIVATE
Type: Network
Content: 10.0.0.0/8
         172.16.0.0/12
         192.168.0.0/16
```
```
Name: WEB_PORTS
Type: Port
Content: 80
         443
```
Use aliases in rules instead of raw IPs — one alias update propagates to every rule that references it.
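Because rules are evaluated top to bottom with the first match winning, the order of the IoT block rule relative to any broader allow rule on the same interface decides whether it ever fires. The following Python model, added here as an illustration and not code from OPNsense or this article, evaluates sample flows against the rules above with alias expansion, applies the implicit default deny when nothing matches, and flags rules that are fully shadowed by an earlier rule. The "<interface> net" subnets, the "Allow IoT outbound" rule and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Aliases from the section above plus assumed "<interface> net" subnets (constructed).
ALIASES = {
    "RFC1918_PRIVATE": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "WEB_PORTS": [80, 443],
}
NETS = {
    "LAN net": ["192.168.1.0/24"],
    "VLAN10_TRUSTED net": ["10.10.10.0/24"],
    "VLAN20_IOT net": ["10.10.20.0/24"],
    "VLAN30_DMZ net": ["10.10.30.0/24"],
}


@dataclass
class Rule:
    action: str              # pass | block | reject
    interface: str           # a rule only sees traffic entering this interface
    proto: str = "any"       # any | tcp | udp | icmp
    src: str = "any"         # "any", "<iface> net", an alias name, or a CIDR
    dst: str = "any"
    dport: object = "any"    # "any", a port number, or a port alias name
    description: str = ""


def _networks(spec):
    """Expand a source/destination field into ip_network objects."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    items = NETS.get(spec) or ALIASES.get(spec) or [spec]
    return [ipaddress.ip_network(i, strict=False) for i in items]


def _ports(spec):
    """Expand a destination-port field into a set of ints, or None for 'any'."""
    if spec == "any":
        return None
    return set(ALIASES[spec]) if spec in ALIASES else {int(spec)}


def matches(rule, pkt):
    if rule.interface != pkt["iface"] or rule.proto not in ("any", pkt["proto"]):
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if not any(src in n for n in _networks(rule.src)):
        return False
    if not any(dst in n for n in _networks(rule.dst)):
        return False
    ports = _ports(rule.dport)
    return ports is None or pkt.get("dport") in ports


def evaluate(rules, pkt):
    """First match wins; with no match, pf's implicit policy is to block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny"


def _subsumes(outer, inner):
    return all(any(i.subnet_of(o) for o in outer if o.version == i.version) for i in inner)


def shadows(earlier, later):
    """True if every packet 'later' could match is already caught by 'earlier'."""
    if earlier.interface != later.interface or earlier.proto not in ("any", later.proto):
        return False
    if not _subsumes(_networks(earlier.src), _networks(later.src)):
        return False
    if not _subsumes(_networks(earlier.dst), _networks(later.dst)):
        return False
    ep, lp = _ports(earlier.dport), _ports(later.dport)
    return ep is None or (lp is not None and lp <= ep)


def shadowed_rules(rules):
    """Descriptions of rules that can never be the first match (dead rules)."""
    return [r.description for j, r in enumerate(rules) if any(shadows(e, r) for e in rules[:j])]


# Rules from the article; ALLOW_IOT_OUT is a constructed allow rule that makes ordering matter.
BLOCK_IOT_TO_TRUSTED = Rule("block", "VLAN20_IOT", "any", "VLAN20_IOT net",
                            "VLAN10_TRUSTED net", "any", "Block IoT to Trusted LAN")
ALLOW_IOT_OUT = Rule("pass", "VLAN20_IOT", "any", "VLAN20_IOT net", "any", "any", "Allow IoT outbound")
DMZ_HTTPS_ONLY = Rule("pass", "VLAN30_DMZ", "tcp", "VLAN30_DMZ net", "any", 443, "DMZ HTTPS outbound only")
LAN_DEFAULT = Rule("pass", "LAN", "any", "LAN net", "any", "any", "Default LAN to any")
RULES_CORRECT = [LAN_DEFAULT, BLOCK_IOT_TO_TRUSTED, ALLOW_IOT_OUT, DMZ_HTTPS_ONLY]
RULES_SHADOWED = [LAN_DEFAULT, ALLOW_IOT_OUT, BLOCK_IOT_TO_TRUSTED, DMZ_HTTPS_ONLY]

# Constructed sample flows.
IOT_TO_TRUSTED = {"iface": "VLAN20_IOT", "proto": "tcp", "src": "10.10.20.5", "dst": "10.10.10.7", "dport": 22}
DMZ_HTTPS = {"iface": "VLAN30_DMZ", "proto": "tcp", "src": "10.10.30.9", "dst": "93.184.216.34", "dport": 443}
DMZ_HTTP = dict(DMZ_HTTPS, dport=80)
WAN_INBOUND = {"iface": "WAN", "proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.2", "dport": 443}

if __name__ == "__main__":
    print("correct order  :", evaluate(RULES_CORRECT, IOT_TO_TRUSTED))
    print("block below allow:", evaluate(RULES_SHADOWED, IOT_TO_TRUSTED), shadowed_rules(RULES_SHADOWED))
    print("DMZ 443 / 80 / WAN in:", evaluate(RULES_CORRECT, DMZ_HTTPS),
          evaluate(RULES_CORRECT, DMZ_HTTP), evaluate(RULES_CORRECT, WAN_INBOUND))
```

The shadow check is static (it compares the match criteria, not observed traffic), so a rule it reports as dead is dead regardless of what the network sends; that is the check worth running whenever an allow rule is inserted above an existing block.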
Floating Rules
Firewall → Rules → Floating rules apply across all interfaces simultaneously — useful for global policies like blocking a known-bad IP list or enforcing QoS marks regardless of which interface traffic enters on.
NAT (Network Address Translation)
Outbound NAT
By default, OPNsense uses Automatic outbound NAT — it translates all private source IPs to the WAN IP when traffic exits the WAN interface. This is correct for most setups.
To switch to manual (for multiple WAN IPs or policy-based NAT):
Firewall → NAT → Outbound → select Manual → add rules:
```
Interface: WAN
Source: 192.168.1.0/24
Translation: Interface address
Description: LAN to WAN NAT
```
Port Forwarding (Inbound NAT)
To publish an internal service to the internet:
Firewall → NAT → Port Forward → +:
```
Interface: WAN
Protocol: TCP
Destination: WAN address
Dest port range: 443 to 443
Redirect target: 192.168.1.50 (internal server)
Redirect port: 443
Description: HTTPS to web server
```
OPNsense automatically creates an associated firewall rule — check Filter rule association to review it.
DHCP Server
Services → DHCPv4 → LAN:
- Enable: ✓
- Range: 192.168.1.100–192.168.1.200
- DNS: 192.168.1.1
- Gateway: 192.168.1.1
- NTP: 192.168.1.1
Static DHCP Leases (MAC Reservations)
Services → DHCPv4 → LAN → scroll to DHCP Static Mappings → +:
```
MAC: aa:bb:cc:dd:ee:ff
IP address: 192.168.1.50
Hostname: web-server
Description: Web server static lease
```
DNS — Unbound Resolver
OPNsense uses Unbound as a recursive, validating DNS resolver — it queries root servers directly rather than forwarding to an upstream resolver, which improves privacy and eliminates a dependency on your ISP’s DNS.
Services → Unbound DNS → General:
- Enable: ✓
- DNSSEC: ✓ (validates DNS responses)
- DHCP Registration: ✓ (automatically registers DHCP hostnames in DNS)
- Local Zone Type: static (prevents internal names leaking to the internet)
DNS over TLS (DoT)
To forward queries to an upstream resolver over an encrypted channel:
Services → Unbound DNS → DNS over TLS → +:
```
Server: 1.1.1.1
Port: 853
Verify CN: cloudflare-dns.com
```
Host Overrides
Services → Unbound DNS → Host Overrides → + for split-horizon DNS (internal name resolves differently inside vs outside):
```
Host: web
Domain: example.com
IP: 192.168.1.50
```
VPN
WireGuard (Recommended for Modern Deployments)
WireGuard is faster and simpler than OpenVPN, using modern cryptography (ChaCha20, Curve25519).
VPN → WireGuard → Local → +:
```
Name: wg0
Listen port: 51820
Generate keys (click the generate button)
```
VPN → WireGuard → Peers → + for each client:
```
Name: laptop
Public key: <client's public key>
Allowed IPs: 10.20.0.2/32
Endpoint address: (leave blank for road warrior)
```
Enable the WireGuard instance and add a firewall rule on the WireGuard interface to permit traffic.
OpenVPN (Road Warrior — Remote Access)
VPN → OpenVPN → Servers → +:
```
Server mode: Remote Access (SSL/TLS + User Auth)
Protocol: UDP
Port: 1194
Tunnel network: 10.8.0.0/24
Local network: 192.168.1.0/24
Auth algorithm: SHA256
Encryption: AES-256-GCM
```
Use System → Trust → Certificates to generate a CA and server certificate first. The VPN → OpenVPN → Client Export plugin generates ready-to-import .ovpn profiles for Windows, macOS, Linux, and mobile clients.
IPsec (Site-to-Site)
VPN → IPsec → Tunnel Settings → +:
Phase 1 (IKE):
```
Remote gateway: 203.0.113.1 (remote peer WAN IP)
Authentication: Mutual PSK
Pre-shared key: <strong-random-key>
Encryption: AES-256
Hash: SHA-256
DH Group: 14 (2048-bit)
```
Phase 2 (ESP):
```
Local network: 192.168.1.0/24
Remote network: 10.0.0.0/24
Encryption: AES-256-GCM
```
Add a firewall rule on the IPsec interface to permit traffic from the remote subnet.
Intrusion Detection and Prevention (IDS/IPS)
OPNsense uses Suricata in inline mode — traffic passes through Suricata before reaching pf, so malicious packets can be dropped (IPS), not just logged (IDS).
Enable IDS/IPS
Services → Intrusion Detection → Administration:
- Enabled: ✓
- IPS mode: ✓ (enable to drop, not just alert)
- Interfaces: select WAN (and any other untrusted interfaces)
- Pattern matcher: Hyperscan (fastest) or Aho-Corasick
Download Rulesets
Services → Intrusion Detection → Download:
| Ruleset | Description |
|---|---|
| ET Open | Emerging Threats — free, updated daily |
| ET Pro | Emerging Threats Pro — paid, more rules |
| Abuse.ch | SSL/TLS certificate blocklist, Feodo botnet C2 |
| OISF | Suricata-specific traffic rules |
Enable and schedule automatic updates: Services → Intrusion Detection → Schedule.
Custom Rules
Services → Intrusion Detection → User defined:
```
# Drop traffic to a known C2 server
drop ip any any -> 198.51.100.1 any (msg:"Known C2 traffic"; sid:9000001; rev:1;)
# Alert on SSH brute force
alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; \
    flags:S; threshold:type both,track by_src,count 5,seconds 60; \
    sid:9000002; rev:1;)
```
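A custom rule with a missing or duplicated sid is silently skipped or overrides another rule when Suricata loads the ruleset, so it is worth linting user-defined rules before pasting them in. The script below is an added example (not part of OPNsense or this article): it rejoins backslash-continued lines, parses the header and options of each rule, and reports missing sid/rev, sids below the range conventionally reserved for local rules (1,000,000 and up, an assumption encoded as LOCAL_SID_MIN), and duplicate sids. The BAD_RULES sample is constructed to trigger two of those checks.

```python
import re

# The two rules from the section above (verbatim).
SAMPLE_RULES = r"""
# Drop traffic to a known C2 server
drop ip any any -> 198.51.100.1 any (msg:"Known C2 traffic"; sid:9000001; rev:1;)
# Alert on SSH brute force
alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; \
    flags:S; threshold:type both,track by_src,count 5,seconds 60; \
    sid:9000002; rev:1;)
"""

# Constructed: the same rules plus a duplicate sid and a rule with no sid at all.
BAD_RULES = SAMPLE_RULES + r"""
alert tcp any any -> $HOME_NET 3389 (msg:"RDP from outside"; sid:9000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"no sid here"; rev:1;)
"""

LOCAL_SID_MIN = 1_000_000  # assumption: lower sids are reserved for vendor/community rulesets

HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)


def join_continuations(text):
    """Rejoin backslash-continued lines; drop blank lines and '#' comments."""
    logical, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        logical.append((buf + s).strip())
        buf = ""
    return logical


def parse_rule(line):
    """Return header fields plus an options dict, or None if the header is malformed.
    Options are split on ';' (Suricata requires a literal ';' inside msg to be escaped)."""
    m = HEADER.match(line)
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {**m.groupdict(), "opts": opts}


def check_rules(text):
    """Return a list of human-readable problems; an empty list means the rules look sane."""
    problems, seen = [], {}
    for n, line in enumerate(join_continuations(text), 1):
        rule = parse_rule(line)
        if rule is None:
            problems.append(f"rule {n}: cannot parse header or options")
            continue
        sid = rule["opts"].get("sid")
        if sid is None or not sid.isdigit():
            problems.append(f"rule {n}: missing sid")
            continue
        if "rev" not in rule["opts"]:
            problems.append(f"rule {n}: missing rev")
        if int(sid) < LOCAL_SID_MIN:
            problems.append(f"rule {n}: sid {sid} is below the local range ({LOCAL_SID_MIN})")
        if sid in seen:
            problems.append(f"rule {n}: sid {sid} duplicates rule {seen[sid]}")
        else:
            seen[sid] = n
    return problems


if __name__ == "__main__":
    print("page rules:", check_rules(SAMPLE_RULES) or "OK")
    for p in check_rules(BAD_RULES):
        print("bad rules:", p)
```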
Traffic Shaping (QoS)
Firewall → Traffic Shaper → Queues:
OPNsense supports HFSC (Hierarchical Fair Service Curve) and PRIQ (Priority Queuing) schedulers.
Simple Bandwidth Limit Example
Firewall → Traffic Shaper → Pipes:
```
Name: WAN_UP_10MBPS
Bandwidth: 10 Mbps
```
Firewall → Traffic Shaper → Queues:
```
Name: VOIP_PRIORITY
Pipe: WAN_UP_10MBPS
Weight: 100
```
Firewall → Traffic Shaper → Rules:
```
Interface: WAN
Protocol: UDP
Source port: 5060 (SIP)
Target: VOIP_PRIORITY
Description: Prioritise VoIP
```
High Availability (CARP)
OPNsense supports active/passive HA using CARP (Common Address Redundancy Protocol) — two firewalls share virtual IP addresses; if the primary fails, the secondary takes over within seconds.
Prerequisites
- Two identical OPNsense systems
- A dedicated sync/heartbeat interface (cross-cable or dedicated VLAN)
- Matching interface names on both nodes
Configuration (Primary Node)
System → High Availability → Settings:
```
Synchronise states: ✓
Synchronise interface: em2 (dedicated sync NIC)
Synchronise peer IP: 10.254.254.2 (secondary's sync IP)
Remote system username: root
Remote system password: <secondary root password>
Services to sync: Firewall rules, NAT, DHCP, certificates
```
Interfaces → Virtual IPs → + (CARP VIP):
```
Type: CARP
Interface: WAN
Address: 203.0.113.10/30 (shared WAN VIP)
Password: <shared CARP password>
VHID: 1
```
```
Type: CARP
Interface: LAN
Address: 192.168.1.1/24 (shared LAN gateway VIP)
Password: <shared CARP password>
VHID: 2
```
The secondary node mirrors the primary’s configuration via xmlrpc sync. Clients use the CARP VIPs as their gateway — these float between nodes automatically.
HAProxy — Load Balancing and Reverse Proxy
Install the HAProxy plugin: System → Firmware → Plugins → search haproxy → install os-haproxy.
Services → HAProxy → Real Servers → +:
```
Name: web01
Address: 192.168.1.51
Port: 443
```
Services → HAProxy → Backend Pools → +:
```
Name: web_backend
Mode: HTTP
Servers: web01, web02
Balance: roundrobin
Health check: HTTP GET /health
```
Services → HAProxy → Frontend → +:
```
Name: https_frontend
Listen addr: WAN address
Port: 443
SSL offload: ✓
Certificate: <select Let's Encrypt cert>
Backend: web_backend
```
Let’s Encrypt Certificates
Install the ACME plugin: System → Firmware → Plugins → os-acme-client.
Services → ACME Client → Accounts → create a Let’s Encrypt account.
Services → ACME Client → Certificates → +:
```
Common name: example.com
Alt names: www.example.com
Validation: HTTP-01 (requires port 80 accessible) or DNS-01
```
Certificates auto-renew and can be referenced in HAProxy, OpenVPN, and the GUI.
Monitoring and Logging
Dashboard Widgets
The default dashboard includes widgets for interface traffic, gateway status, firewall state table, CPU/memory, and services. Add or rearrange via the + widget button.
Firewall Logs
Firewall → Log Files → Live View — real-time stream of firewall decisions with colour-coded pass/block. Filter by interface, source IP, destination, or protocol.
```
# Useful filters in Live View:
dst_port:443         # All HTTPS traffic
src:192.168.1.50     # Traffic from one host
action:block         # Only blocked traffic
```
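The same filters can be applied offline to the raw firewall log, which is what you need when triaging after the fact or shipping logs to a SIEM. The parser below is an added example, not code from OPNsense or this article. It assumes the pf filterlog CSV layout (rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, then source/destination ports for TCP and UDP); the six log lines are constructed samples in that layout, not captured output.

```python
import re
from collections import Counter

# Constructed sample lines in filterlog's CSV layout (addresses from documentation ranges).
SAMPLE_LOG = """\
Jun  1 12:00:01 fw01 filterlog[301]: 5,,,0,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51234,443,0,S,1,,65535,,mss
Jun  1 12:00:02 fw01 filterlog[301]: 71,,,0,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,40000,443,0,S,2,,65535,,mss
Jun  1 12:00:03 fw01 filterlog[301]: 71,,,0,em1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.50,192.168.1.1,50001,53,58
Jun  1 12:00:04 fw01 filterlog[301]: 5,,,0,em0,match,block,in,4,0x0,,55,0,0,none,6,tcp,40,198.51.100.77,198.51.100.2,4444,22,0,S,3,,1024,,
Jun  1 12:00:05 fw01 filterlog[301]: 5,,,0,em0,match,block,in,6,0x00,0,64,udp,17,28,2001:db8::5,2001:db8::1,5353,5353,8
Jun  1 12:00:06 fw01 filterlog[301]: 5,,,0,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51235,22,0,S,4,,65535,,mss
"""

PAYLOAD = re.compile(r"filterlog(?:\[\d+\])?:?\s+(\d+,.*)$")


def parse_filterlog(line):
    """Turn one syslog line into a dict with the fields Live View filters on."""
    m = PAYLOAD.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    ev = {"rule": f[0], "iface": f[4], "reason": f[5], "action": f[6], "dir": f[7], "ipver": f[8]}
    if ev["ipver"] == "4":
        # tos, ecn, ttl, id, offset, flags, proto-num, proto-name, length, src, dst
        ev["proto"], ev["src"], ev["dst"], rest = f[16], f[18], f[19], f[20:]
    elif ev["ipver"] == "6":
        # class, flow label, hop limit, proto-name, proto-num, length, src, dst (assumed order)
        ev["proto"], ev["src"], ev["dst"], rest = f[12], f[15], f[16], f[17:]
    else:
        return ev
    if ev["proto"] in ("tcp", "udp") and len(rest) >= 2:
        ev["src_port"], ev["dst_port"] = int(rest[0]), int(rest[1])
    return ev


def load(text):
    events = (parse_filterlog(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def select(events, **criteria):
    """Filter the way Live View does: every given field must match (compared as strings)."""
    return [e for e in events if all(str(e.get(k)) == str(v) for k, v in criteria.items())]


def top_blocked_sources(events, n=5):
    """Most frequent source addresses among blocked events: the first thing to look at on WAN."""
    return Counter(e["src"] for e in select(events, action="block")).most_common(n)


EVENTS = load(SAMPLE_LOG)

if __name__ == "__main__":
    print("HTTPS     :", len(select(EVENTS, dst_port=443)))
    print("from host :", len(select(EVENTS, src="192.168.1.50")))
    print("blocked   :", len(select(EVENTS, action="block")))
    print("top blocked sources:", top_blocked_sources(EVENTS))
```

Filters compose: select(EVENTS, iface="em0", action="block", dst_port=22) is the equivalent of stacking three Live View filters, and the same function works unchanged over a day's worth of /var/log/filter output.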
System Logs
System → Log Files — subsystem logs (DNS, DHCP, VPN, authentication, NTP).
Netflow / Traffic Analysis
Install Softflowd: System → Firmware → Plugins → os-softflowd.
Configure it to export Netflow v9 data to a collector (ntopng, Elastic/Kibana, Grafana + GoFlow2).
SNMP
Services → SNMP — export interface counters and system metrics to a monitoring platform (Zabbix, Prometheus via SNMP exporter, LibreNMS).
Firmware Updates
OPNsense releases updates every week (minor) and every six months (major — January and July).
System → Firmware → Updates:
- Check for updates — shows available version
- Update — downloads and installs; requires reboot
Best practice: take a configuration backup before every major update.
```
System → Configuration → Backups → Download configuration
```
For HA pairs, update the secondary node first, verify it is healthy, then update the primary (which triggers a CARP failover to the secondary during the update window).
Backup and Restore
Export Configuration
System → Configuration → Backups → Download configuration XML.
The XML file contains all settings — firewall rules, NAT, VPN, certificates, DHCP leases. Store it securely (it contains pre-shared keys and hashed passwords).
Automate Backups
System → Configuration → Backups → Google Drive / Nextcloud — configure automatic cloud backup after each change.
Alternatively, use the REST API:
```
curl -u 'root:password' -k \
  https://192.168.1.1/api/core/backup/download/this \
  -o opnsense-backup-$(date +%Y%m%d).xml
# -k skips certificate verification; drop it once the GUI has a trusted certificate
```
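A scheduled backup script should also check that what came back is actually a configuration file (an expired session or a captive login page returns HTML with HTTP 200) and write it with restrictive permissions, since the XML carries pre-shared keys and password hashes. The script below is an added example, not OPNsense's own tooling; it assumes an API key/secret pair created under System → Access → Users is sent as HTTP basic-auth credentials, uses the download endpoint from the curl command above, and SAMPLE_BACKUP is a constructed stand-in for a real configuration.

```python
import base64
import datetime
import os
import urllib.request
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for a real backup (a real one is far larger).
SAMPLE_BACKUP = b'<?xml version="1.0"?><opnsense><system><hostname>fw01</hostname></system></opnsense>'


def build_request(base_url, api_key, api_secret):
    """Build the download request; key/secret as basic-auth user/password (assumption)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return urllib.request.Request(f"{base_url}/api/core/backup/download/this",
                                  headers={"Authorization": f"Basic {token}"})


def validate_backup(payload):
    """True only if the payload parses as XML whose root element is <opnsense>."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return False
    return root.tag == "opnsense"


def backup_filename(when):
    return f"opnsense-backup-{when:%Y%m%d}.xml"


def write_private(path, data):
    """Create the file with mode 0600 from the start, so secrets are never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return oct(os.stat(path).st_mode & 0o777)


def fetch_backup(base_url, api_key, api_secret, directory="."):
    """Download, validate and store today's backup; raises instead of saving junk."""
    with urllib.request.urlopen(build_request(base_url, api_key, api_secret), timeout=30) as resp:
        data = resp.read()
    if not validate_backup(data):
        raise ValueError("response is not an OPNsense configuration XML")
    path = os.path.join(directory, backup_filename(datetime.date.today()))
    write_private(path, data)
    return path


def demo():
    """Exercise the helpers on the constructed sample without any network access."""
    import tempfile
    req = build_request("https://192.168.1.1", "key", "secret")
    path = os.path.join(tempfile.mkdtemp(), backup_filename(datetime.date(2024, 7, 1)))
    return {
        "auth_header": req.get_header("Authorization"),
        "valid": validate_backup(SAMPLE_BACKUP),
        "rejects_html": validate_backup(b"<html><body>login</body></html>"),
        "filename": os.path.basename(path),
        "mode": write_private(path, SAMPLE_BACKUP),
    }


if __name__ == "__main__":
    print(demo())
    # Real run (hypothetical values):
    # print(fetch_backup("https://192.168.1.1", "<api key>", "<api secret>", "/var/backups"))
```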
Restore
System → Configuration → Backups → Upload configuration → reboot when prompted.
Useful CLI Commands
Access the shell via System → Shell in the GUI or SSH (System → Settings → Administration → enable SSH).
```
# Show interface status
ifconfig
# Show routing table
netstat -rn
# Show firewall state table
pfctl -ss | head -50
# Show pf rules
pfctl -sr
# Flush all firewall states
pfctl -F states
# Reload firewall rules
pfctl -f /tmp/rules.debug
# Show CARP status
ifconfig | grep carp
# Test DNS resolution via Unbound
dig @127.0.0.1 example.com
# Show active VPN tunnels (IPsec)
ipsec statusall
# Show WireGuard peers
wg show
# OPNsense config tool (runs GUI-equivalent actions)
configctl interface reconfigure
configctl filter reload
configctl dns reconfigure
```
Common Issues and Solutions
| Problem | Cause | Solution |
|---|---|---|
| Cannot access GUI after install | Assigned wrong interfaces | Console menu → Option 1: re-assign interfaces |
| WAN shows as down | PPPoE credentials wrong / DHCP not leasing | Check ISP credentials; verify MAC address if ISP locks by MAC |
| LAN clients have no internet | Missing outbound NAT rule | Firewall → NAT → Outbound → verify automatic NAT covers LAN subnet |
| IPsec tunnel up but no traffic | Missing firewall rule on IPsec interface | Add pass rule on IPsec interface for remote subnet |
| Suricata dropping legitimate traffic | Rule false positive | Add the source IP to the Pass List in Intrusion Detection settings |
| CARP secondary not syncing | Firewall blocking xmlrpc on sync interface | Allow TCP 443 between primary and secondary on sync interface |
| High CPU on Suricata | Too many rules or high traffic | Disable unused rulesets; enable Hyperscan pattern matcher |
| Let’s Encrypt renewal fails | Port 80 not forwarded | Create a port forward for TCP 80 to OPNsense LAN IP during renewal |
Quick Reference
```
Default LAN IP:       192.168.1.1
Default credentials:  root / opnsense
GUI:                  https://192.168.1.1
SSH:                  disabled by default (enable in System → Settings → Administration)

Key menus:
  Interfaces → Assignments           Assign NICs
  Interfaces → Other Types → VLAN    Create VLANs
  Firewall → Rules                   Firewall rules (per interface, first match wins)
  Firewall → NAT → Port Forward      Inbound port forwarding
  Firewall → Aliases                 Named IP/port groups
  Services → DHCPv4                  DHCP server per interface
  Services → Unbound DNS             Recursive DNS resolver
  VPN → WireGuard                    Modern VPN (recommended)
  VPN → OpenVPN                      SSL/TLS VPN
  VPN → IPsec                        Site-to-site VPN
  Services → Intrusion Detection     Suricata IDS/IPS
  System → Firmware                  Updates and plugins
  System → Configuration             Backup and restore

Useful plugins:
  os-haproxy        Load balancer / reverse proxy
  os-acme-client    Let's Encrypt certificates
  os-wireguard      WireGuard VPN
  os-softflowd      Netflow exporter
  os-zeek           Network security monitor
  os-siproxd        SIP proxy for VoIP behind NAT
  os-freeradius     RADIUS server for 802.1X / VPN auth
```
Conclusion
OPNsense delivers enterprise firewall capabilities on commodity hardware with a weekly security release cadence that keeps it current with emerging threats. The combination of pf’s stateful inspection, Suricata’s inline IPS, Unbound’s validating DNS resolver, and flexible VPN options (WireGuard, OpenVPN, IPsec) makes it a complete network security platform rather than just a firewall.
For home labs it replaces a consumer router with something you can actually understand and control. For small and medium businesses it replaces costly commercial appliances. And for those building more complex environments, CARP high availability, HAProxy load balancing, and the REST API make it a serious production platform.
The natural progression from here is exploring OPNsense’s REST API for infrastructure-as-code deployments, Zenarmor (formerly Sensei) for deep-packet inspection and application-layer filtering, and OPNcentral for managing multiple OPNsense instances from a single pane of glass.
Additional Resources
- OPNsense Official Documentation
- OPNsense Download
- OPNsense GitHub
- OPNsense Forum
- Suricata Rule Writing Guide
- WireGuard Protocol
- CARP Protocol (FreeBSD)
- HAProxy Documentation