OPNsense Firewall Configuration

This page details my OPNsense firewall setup, used for advanced traffic management, VPN, DNS filtering, and monitoring in my home lab. Sensitive data is redacted for privacy while still providing insight into my secure architecture.

System Overview

Firewall Rules

Rules are defined per interface: WAN, LAN, VLANs. Highlights include:

Aliases and schedules simplify rule management and enforce policies like screen time for certain devices.

Step-by-Step Instructions

STEP 1: Configure Default WAN “Deny All”

  1. Go to Firewall > Rules > WAN.
  2. Delete any "allow all" default rule (if it exists).
  3. Confirm there is a default "block all" rule at the bottom (gray background). This will drop unsolicited inbound traffic.
  4. Result: WAN blocks all unsolicited inbound unless explicitly allowed (e.g., for port forwards).

STEP 2: Create Aliases for Devices & Services

  1. Go to Firewall > Aliases > IP.
  2. Click + Add.
  3. Fill in:
    • Name: IOT_DEVICES
    • Type: Host(s)
    • Content: Add IPs or hostnames (e.g., 192.168.10.10, 192.168.10.11)
    • Description: "IoT devices group"
  4. Repeat for other groups like GUEST_DEVICES, WORK_DEVICES, etc.
  5. Create aliases for services like DNS, HTTPS, VPN:
    • Name: DNS_SERVICES
    • Type: Port(s)
    • Content: 53 (DNS)
    • Description: "DNS services"
  6. Result: Aliases simplify rule management by grouping devices/services.

STEP 3: Configure LAN & VLAN Rules (Allow List Approach)

  1. Go to Firewall > Rules > [Your VLAN Interface] (e.g., VLAN_IOT).
  2. Fill in:
    • Action: Pass
    • Interface: VLAN_IOT
    • Source: IOT_DEVICES (or any if not using aliases yet)
    • Destination: any
    • Destination Port: DNS (alias)
    • Protocol: TCP/UDP
    • Description: "Allow DNS for IOT"
  3. Add a rule for HTTPS:
    • Action: Pass
    • Interface: VLAN_IOT
    • Source: IOT_DEVICES
    • Destination: any
    • Destination Port: HTTPS (alias)
    • Protocol: TCP
    • Description: "Allow HTTPS for IOT"
  4. Add rule to allow access to specific VLANs (Granular Inter-VLAN):
    • Source: IOT_DEVICES
    • Destination: WORK_DEVICES (or just VLAN20 subnet)
    • Protocol: any
    • Description: "Allow IOT access to Work VLAN Devices"
  5. Tip: Only create access rules where required. Avoid wide-open any-to-any rules between VLANs.

STEP 4: Enforce Rules by Time (Schedules like “Screen Time”)

  1. Go to Firewall > Schedules.
  2. Click + Add.
  3. Set a name like SCREEN_TIME_KIDS.
  4. Click in the time grid to select allowed hours (e.g., weekdays 4–7 PM).
  5. Go to Firewall > Rules > VLAN_KIDS.
  6. In the rule, scroll down to Schedule and select SCREEN_TIME_KIDS.
  7. Below that, make sure "State Type" is set to sloppy state or none, so that connections opened during the allowed window do not linger as established states once the schedule blocks them.
  8. Add a "Block all" rule without a schedule below the scheduled "pass" rule.
  9. Result: This blocks internet access outside allowed times.

STEP 5: Apply, Test & Monitor

  1. Click "Apply changes" at the top of the rule list after adding or editing rules; rules do not take effect until applied.
  2. Use Firewall > Diagnostics > States Dump to clear existing states while testing (especially with schedules), since already-established connections are not re-evaluated against new rules until their state is gone.
  3. Monitor live traffic via:
    • Firewall > Log Files > Live View
    • Firewall > Rules > [Your VLAN Interface] to see rule hits
    • Filter by source IP to test if access is working/blocked as expected.
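The following is an added example, not part of this page's configuration or OPNsense's own code: a small Python model of the first-match, default-block rule evaluation that Steps 1 to 4 build up (per-interface rules, host/port aliases, a weekday 4–7 PM schedule), useful for sanity-checking the intended policy before clicking Apply. The alias contents and device IPs are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed aliases mirroring the ones created in Step 2 (sample values, not real hosts).
HOST_ALIASES = {
    "IOT_DEVICES": {"192.168.10.10", "192.168.10.11"},
    "KIDS_DEVICES": {"192.168.30.20"},
}
PORT_ALIASES = {"DNS_SERVICES": {53}, "HTTPS": {443}}
# SCREEN_TIME_KIDS: weekdays (Mon=0 .. Fri=4), hours 16:00-18:59.
SCHEDULES = {"SCREEN_TIME_KIDS": (range(0, 5), range(16, 19))}

@dataclass
class Rule:
    iface: str
    action: str          # "pass" or "block"
    src: str = "any"     # host alias name or "any"
    dport: str = "any"   # port alias name or "any"
    proto: str = "any"   # "TCP", "UDP", "TCP/UDP" or "any"
    schedule: str = ""   # schedule name; empty means always active

def schedule_active(name: str, when: datetime) -> bool:
    days, hours = SCHEDULES[name]
    return when.weekday() in days and when.hour in hours

def rule_matches(rule: Rule, iface: str, src_ip: str, dport: int, proto: str, when: datetime) -> bool:
    if rule.iface != iface:
        return False
    if rule.src != "any" and src_ip not in HOST_ALIASES[rule.src]:
        return False
    if rule.dport != "any" and dport not in PORT_ALIASES[rule.dport]:
        return False
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.schedule and not schedule_active(rule.schedule, when):
        return False
    return True

def evaluate(rules: list, iface: str, src_ip: str, dport: int, proto: str, when: datetime) -> str:
    """First matching rule on the interface wins; no match falls to the implicit default block."""
    for rule in rules:
        if rule_matches(rule, iface, src_ip, dport, proto, when):
            return rule.action
    return "block"

# The allow-list from Steps 3 and 4: IoT gets DNS and HTTPS only; kids get everything on schedule.
RULES = [
    Rule("VLAN_IOT", "pass", "IOT_DEVICES", "DNS_SERVICES", "TCP/UDP"),
    Rule("VLAN_IOT", "pass", "IOT_DEVICES", "HTTPS", "TCP"),
    Rule("VLAN_KIDS", "pass", "KIDS_DEVICES", "any", "any", schedule="SCREEN_TIME_KIDS"),
    Rule("VLAN_KIDS", "block"),  # unscheduled "Block all" beneath the scheduled pass rule
]
```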

DNS & DHCP

VPN Configuration

Monitoring & Reporting

Security Enhancements

Backup & Restore