OPNsense Firewall Configuration

This page details my OPNsense firewall setup, used for advanced traffic management, VPN, DNS filtering, and monitoring in my home lab. Sensitive data is redacted for privacy while still providing insight into my secure architecture.

System Overview

Firewall Rules

Rules are defined per interface (WAN, LAN, VLANs). Highlights:

Step-by-Step Instructions

STEP 1: Harden WAN (Implicit Deny)

  1. Go to Interfaces > [WAN] and enable:
    • Block private networks
    • Block bogon networks
  2. Go to Firewall > Rules > WAN and ensure you have no broad “allow all” rules.
  3. Remember: OPNsense has an implicit block at the end of every ruleset (gray line). You only add explicit WAN “pass” rules when you need inbound access (usually created automatically by NAT Port Forwards).
  4. Result: Unsolicited inbound is blocked by default; only explicit services are reachable.

STEP 2: Create Aliases (Devices, Subnets, Ports)

  1. Go to Firewall > Aliases.
  2. Device groups (Type: Host(s) or Network(s)):
    • IOT_DEVICES: 192.168.10.10, 192.168.10.11
    • WORK_SUBNET: 192.168.20.0/24
    • RFC1918_NETWORKS: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  3. Service/port groups (Type: Port(s)):
    • DNS_PORTS: 53
    • WEB_PORTS: 80, 443
    • NTP_PORT: 123
  4. Tip: Use descriptive names & descriptions—aliases keep rules simple and reusable.

STEP 3: Per-VLAN Allow-List Rules (Example: VLAN_IOT)

  1. Go to Firewall > Rules > VLAN_IOT. Rules are processed top-down; anything unmatched is blocked by the implicit deny.
  2. If you run DNS on the firewall (Unbound/AdGuard):
    • Pass Source: IOT_DEVICES → Destination: This Firewall → Port: DNS_PORTS → Proto: TCP/UDP → Desc: “IOT → Firewall DNS”
  3. Allow web to the Internet:
    • Pass Source: IOT_DEVICES → Destination: !RFC1918_NETWORKS (not private) → Port: WEB_PORTS → Proto: TCP → Desc: “IOT → Internet Web”
  4. (Optional) Allow NTP to the firewall:
    • Pass Source: IOT_DEVICES → Destination: This Firewall → Port: NTP_PORT → Desc: “IOT → Firewall NTP”
  5. Block inter-VLAN by default (place below the passes above):
    • Block Source: IOT_DEVICES → Destination: RFC1918_NETWORKS → Proto: Any → Desc: “IOT block to local subnets” (log this)
  6. (Only if required) Add narrow exceptions above the block:
    • Pass Source: IOT_DEVICES → Destination: WORK_SUBNET → Port: 443 → Desc: “IOT to Work API (HTTPS only)”
  7. Notes:
    • Avoid “any → any”. Keep destinations to This Firewall, !RFC1918_NETWORKS, or specific subnets/hosts.
    • DHCP is handled by the DHCP service, not a pass rule (you generally do not add a special firewall rule for it on interface tabs).

STEP 4: Schedules (e.g., “Screen Time”)

  1. Create a schedule in Firewall > Schedules (e.g., SCREEN_TIME_KIDS).
  2. On VLAN_KIDS, add a Pass rule for Internet access and set Schedule = SCREEN_TIME_KIDS.
  3. Add a Block rule below it (no schedule) to deny outside the allowed hours.
  4. Set the scheduled pass rule's State Type to None so sessions do not linger after cutoff.

STEP 5: Apply, Test & Monitor

  1. Click Apply Changes after edits.
  2. When testing schedules or rule changes, clear old sessions: Firewall > Diagnostics > States > Reset States.
  3. Use:
    • Firewall > Log Files > Live View (filter by source IP; enable logging on key rules)
    • Rule counters under Firewall > Rules > [Interface] to verify hits

DNS & DHCP

Step-by-Step Instructions

STEP 1: Enable & Harden Unbound

  1. Go to Services > Unbound DNS > General and check Enable Unbound.
  2. Set Network Interfaces to your LAN/VLANs (avoid All if you want tighter scope). Set Outgoing Network Interfaces to WAN.
  3. Enable:
    • DNSSEC Support
    • QNAME Minimization
    • Prefetch Support (optional performance)
    • Harden DNSSEC Data (if available)
    • Register DHCP leases and Register DHCP static mappings
  4. (Optional) Access Lists: Services > Unbound DNS > Access Lists → ensure each LAN/VLAN subnet is Allow.
  5. Click Save and Apply.

STEP 2: Upstream Resolvers (Standard or Encrypted)

  1. Go to System > Settings > General and set upstream DNS servers (prefer hostnames). Uncheck “Allow DNS server list to be overridden by DHCP/PPP on WAN”.
  2. (Optional) Encrypted DNS:
    • DoT/Custom forwarders: Use Unbound Domain Overrides / Custom Options to forward to resolvers on port 853 with TLS, or run a local filtering resolver (e.g., AdGuard Home) and forward Unbound to it.
  3. Keep the firewall itself using 127.0.0.1 for name resolution so services benefit from Unbound cache.

STEP 3: Internal DNS – Host & Domain Overrides

  1. Go to Services > Unbound DNS > Overrides.
  2. Host Overrides (A/AAAA):
    • Example: vaultwarden.home → 192.168.20.15
    • Add aliases (CNAME) if you serve the same host by multiple names.
  3. Domain Overrides:
    • Forward a specific domain to an internal DNS server (e.g., an AD DNS) for split-brain or lab domains.
  4. Save & Apply, then test lookups under Diagnostics > DNS Lookup.

STEP 4: DHCPv4 Scopes per VLAN

  1. For each interface, go to Services > DHCPv4 > [Interface] and check Enable DHCP Server.
  2. Configure:
    • Range: e.g., 192.168.10.50 – 192.168.10.200
    • Gateway (Router): Firewall IP on that VLAN (e.g., 192.168.10.1)
    • DNS Servers: The firewall interface IP (e.g., 192.168.10.1) so clients use Unbound
    • NTP Server: Firewall IP (if you run NTP) or a trusted public NTP
    • Domain Name: e.g., home or lan
    • Default Lease Time / Max Lease Time: e.g., 3600 / 86400
  3. Static Mappings:
    • Add by MAC → fixed IP + hostname for key devices (servers, NAS, APs).
    • Check Create ARP Table Static Entry (or equivalent) to reduce IP spoofing.
  4. Save & Apply for each VLAN scope.

STEP 5: Prevent DNS Bypass (Clients hardcoding 8.8.8.8, etc.)

  1. Strict block approach (per VLAN, place near top of rules):
    • Block Source: VLAN_SUBNET → Destination: !This Firewall → Port: 53 (TCP/UDP) → Desc: “Block external DNS” (log)
    • (Optional) repeat for 853/TCP (DoT) → “Block external DoT”
  2. Redirect approach (NAT Port Forward, useful for captive/guest):
    • Firewall > NAT > Port Forward:
      • Interface: VLAN
      • Proto: TCP/UDP
      • Src: VLAN_SUBNET
      • Dst: any, Dst Port: 53 → Redirect target IP: This Firewall, Port: 53
  3. Ensure Unbound is listening on that interface (Step 1) so redirected DNS resolves.
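The following is an added example (not OPNsense code and not the page's own configuration) that simulates how OPNsense walks the VLAN_IOT allow-list from STEP 3 of the Firewall Rules section together with the “Block external DNS” rule above: top-down, first match wins, implicit deny at the end. Alias contents and rule order are taken from the page; FIREWALL_IP, the VLAN_SUBNET alias contents and UDP for the NTP rule are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (not on the page): the firewall's address on
# VLAN_IOT and the VLAN_SUBNET alias used by the anti-bypass rule.
FIREWALL_IP = "192.168.10.1"
ALIASES = {
    "IOT_DEVICES": ["192.168.10.10", "192.168.10.11"],
    "WORK_SUBNET": ["192.168.20.0/24"],
    "RFC1918_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VLAN_SUBNET": ["192.168.10.0/24"],
    "This Firewall": [FIREWALL_IP],
    "DNS_PORTS": [53],
    "WEB_PORTS": [80, 443],
    "NTP_PORT": [123],
}

def addr_matches(spec, ip):
    """spec is an alias name, optionally prefixed with '!' (OPNsense 'invert')."""
    negate = spec.startswith("!")
    entries = ALIASES[spec.lstrip("!")]
    hit = any(ip_address(ip) in ip_network(e, strict=False) for e in entries)
    return hit != negate

def port_matches(spec, port):
    """spec is 'any', a port alias name, or a literal port number."""
    if spec == "any":
        return True
    return port in ALIASES[spec] if isinstance(spec, str) else port == spec

# Ruleset order as on the page: (action, source, destination, port, protocols, desc).
# protocols=None means 'any'. Anti-bypass block near the top, narrow passes, the
# single Work API exception, then the catch-all block to local subnets.
VLAN_IOT_RULES = [
    ("block", "VLAN_SUBNET", "!This Firewall", "DNS_PORTS", ("tcp", "udp"), "Block external DNS"),
    ("pass", "IOT_DEVICES", "This Firewall", "DNS_PORTS", ("tcp", "udp"), "IOT -> Firewall DNS"),
    ("pass", "IOT_DEVICES", "!RFC1918_NETWORKS", "WEB_PORTS", ("tcp",), "IOT -> Internet Web"),
    ("pass", "IOT_DEVICES", "This Firewall", "NTP_PORT", ("udp",), "IOT -> Firewall NTP"),
    ("pass", "IOT_DEVICES", "WORK_SUBNET", 443, ("tcp",), "IOT to Work API (HTTPS only)"),
    ("block", "IOT_DEVICES", "RFC1918_NETWORKS", "any", None, "IOT block to local subnets"),
]

def evaluate(rules, src, dst, port, proto="tcp"):
    """First matching rule wins; no match means the implicit deny at the end."""
    for action, s, d, p, protos, desc in rules:
        if protos is not None and proto not in protos:
            continue
        if addr_matches(s, src) and addr_matches(d, dst) and port_matches(p, port):
            return action, desc
    return "block", "implicit deny"

# The same rules with the local-subnet block moved to the top: the misordering
# the page warns against, which would also swallow DNS to the firewall itself.
MISORDERED = [VLAN_IOT_RULES[-1]] + VLAN_IOT_RULES[:-1]

if __name__ == "__main__":
    checks = [
        ("192.168.10.10", "192.168.10.1", 53, "udp"),    # local DNS: pass
        ("192.168.10.10", "8.8.8.8", 53, "udp"),         # hardcoded public DNS: blocked
        ("192.168.10.10", "1.1.1.1", 443, "tcp"),        # web to Internet: pass
        ("192.168.10.10", "192.168.20.15", 443, "tcp"),  # Work API exception: pass
        ("192.168.10.10", "192.168.20.15", 80, "tcp"),   # other inter-VLAN: blocked
        ("192.168.10.50", "1.1.1.1", 443, "tcp"),        # not in IOT_DEVICES: implicit deny
    ]
    for c in checks:
        print(c, "->", evaluate(VLAN_IOT_RULES, *c))
    print("misordered local DNS ->", evaluate(MISORDERED, "192.168.10.10", "192.168.10.1", 53, "udp"))
```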

STEP 6: (Optional) DHCPv6 & RA

  1. If you use IPv6, configure Services > DHCPv6 per VLAN and Services > Router Advertisements to the desired mode (Managed/Assisted/Stateless).
  2. Point IPv6 DNS to the firewall's IPv6 address on that VLAN; mirror the anti-bypass strategy for ports 53 and 853.

STEP 7: Apply, Test & Troubleshoot

  1. Apply Changes after edits, and restart Unbound if prompted.
  2. DNS tests:
    • Diagnostics > DNS Lookup to test A/AAAA lookups and overrides
    • Services > Unbound DNS > Log File for query logs/errors
  3. DHCP tests:
    • Services > DHCPv4 > Leases: confirm clients receive the correct scope and options
    • Release/renew on client; check that DNS = firewall IP
  4. If changing schedules or anti-bypass rules, clear states for the testing host under Firewall > Diagnostics > States.

Notes & Tips

  • Keep Unbound as the single source of truth: DHCP registers hostnames; Unbound answers locally and forwards upstream for everything else.
  • Prefer hostnames for upstream resolvers; avoid mixing many public DNS IPs across multiple places.
  • If you run a local filtering resolver (e.g., AdGuard Home), point Unbound upstream to it or vice versa; avoid circular forwarding.

VPN Configuration

Step-by-Step Instructions

STEP 1: Install and Enable WireGuard

  1. Go to System > Firmware > Plugins. Install os-wireguard if not already present.
  2. Go to VPN > WireGuard > General. Check Enable WireGuard. Click Save.

STEP 2: Create the WireGuard Local Instance

  1. Go to VPN > WireGuard > Local and click Add.
  2. Set:
    • Name: VPN_Server
    • Listen Port: 51820
    • Interface Keys: click Generate to create public and private keys
    • Tunnel Address: 10.14.0.1/24
    • Peers: leave empty for now
  3. Click Save. Then click Apply at the top.

STEP 3: Assign the WireGuard Interface

  1. Go to Interfaces > Assignments. Add the new WireGuard interface that appears as wg0.
  2. Click the new interface name and configure:
    • Enable: checked
    • Description: WG_VPN
    • IPv4 Configuration Type: None
  3. Click Save and then Apply Changes.

STEP 4: Create Peers and Keys

  1. On the client device, generate a WireGuard keypair. Keep the private key on the client. Copy the public key for use below.
  2. Back on OPNsense, go to VPN > WireGuard > Peers and click Add.
  3. Set:
    • Name: laptop_andrew or phone_andrew
    • Public Key: paste the client public key
    • Allowed IPs: 10.14.0.10/32 for a unique client address
    • Endpoint: leave empty for roaming clients
    • Persistent Keepalive: 25
  4. Click Save. Repeat for additional clients with unique 10.14.0.x addresses.
  5. Go to VPN > WireGuard > Local, edit VPN_Server, and attach the created peers. Click Save and Apply.

STEP 5: Firewall Rules and NAT

  1. Interface rules: Go to Firewall > Rules > WG_VPN and add:
    • Pass Source WG_VPN net to Destination This Firewall on port 53 if using local DNS
    • Pass Source WG_VPN net to Destination any on ports 80 and 443 or as required
    • Block Source WG_VPN net to Destination RFC1918 networks if you want Internet only
    • Place any narrow inter VLAN allows above the RFC1918 block if needed
  2. Outbound NAT: Go to Firewall > NAT > Outbound.
    • If using Automatic mode, OPNsense will typically create NAT for WG_VPN automatically.
    • If using Hybrid or Manual, add a rule to translate Source 10.14.0.0/24 to WAN address for Internet egress.

STEP 6: Client Config Examples

  1. Full tunnel: route all traffic through the VPN.
    • On the client, set AllowedIPs to 0.0.0.0/0 and ::/0.
    • Set DNS to the firewall interface IP for the target LAN or to 10.14.0.1 if Unbound listens on WireGuard.
  2. Split tunnel: route only internal networks.
    • On the client, set AllowedIPs to your internal subnets such as 192.168.10.0/24, 192.168.20.0/24 and the client's own 10.14.0.10/32.
    • Leave public Internet to break out locally.
  3. DNS choices:
    • If Unbound runs on the firewall, point clients to 10.14.0.1 or to the appropriate LAN interface IP.
    • Block external DNS from WG_VPN if you want to enforce your resolver.

STEP 7: Mobile Onboarding and QR Codes

  1. For iOS or Android, create a peer with a static 10.14.0.x. Export a config snippet or a QR code from your password manager or admin notes.
  2. Client fields:
    • Address: 10.14.0.11/32
    • DNS: 10.14.0.1
    • PrivateKey: generated on device
    • Peer PublicKey: the server public key
    • Endpoint: your WAN FQDN and port 51820
    • AllowedIPs: per your split or full tunnel choice

STEP 8: Optional Site to Site

  1. Create a peer for the remote firewall and set AllowedIPs to that site's LAN subnets.
  2. On both sides, add static routes if needed or ensure WireGuard interface is in the routing table.
  3. Allow inter site traffic in each firewall ruleset with narrow ports or hosts.

STEP 9: Apply, Test and Troubleshoot

  1. Click Apply in WireGuard pages and Apply Changes in Interfaces or Firewall after edits.
  2. Connectivity checks:
    • VPN > WireGuard > Status to verify handshakes and latest handshake time
    • Firewall > Log Files > Live View filter by client IP to confirm passes or blocks
    • Diagnostics > Ping from the firewall to the client address and to LAN hosts
  3. Performance and reliability:
    • If on cellular or CGNAT, keep Persistent Keepalive at 25 seconds.
    • If you see fragmentation, set client MTU to 1280 or 1320 and test again.

Notes and Tips

  • Create an alias per VPN role such as WG_ADMIN, WG_FAMILY. Use these in WG_VPN rules to keep policy readable.
  • Prefer FQDN on the client endpoint so home WAN IP changes do not break the tunnel.
  • Combine with your DNS bypass prevention so VPN clients cannot sidestep internal DNS policy.

Monitoring & Reporting

Step-by-Step Instructions

STEP 1: Health Graphs and RRD

  1. Go to Reporting > Health. Confirm graphs populate for System, Interfaces, and Firewall metrics.
  2. Go to System > Settings > Miscellaneous. In the RRD section, ensure data collection is enabled. Keep default storage unless you have space limits.
  3. Use the time range selector to view historical trends. Export graphs as needed for documentation.

STEP 2: Traffic Insight and Flow Collection

  1. Go to Reporting > NetFlow.
  2. Check Enable. Select your inside interfaces for Capture such as LAN and VLANs. Avoid enabling on WAN unless required.
  3. Set Aggregation to the default unless you have a specific reporting need. Higher aggregation reduces storage cost.
  4. Leave Exporters empty for local Insight. If you send flows to an external collector, add the target host and port.
  5. Click Apply. Verify under Reporting > Traffic that Top Talkers and Top Applications populate.

STEP 3: Live Firewall Logs and Rule Counters

  1. Go to Firewall > Log Files > Live View. Filter by source IP or interface to follow specific hosts.
  2. On critical rules, enable logging so passes and blocks appear. Edit the rule and check Log.
  3. Go to Firewall > Rules > [Interface]. Watch the hit counters. Use these to confirm that the intended rules are matching first.
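An added example (not from the page or OPNsense) that turns the Live View habit above into a repeatable check: it parses firewall log records into fields, counts blocked packets per rule label as a log-side counterpart to the rule hit counters, and flags sources repeatedly hitting the external DNS/DoT blocks from the anti-bypass rules. The log lines are constructed; the comma-separated field order is assumed from the filterlog CSV layout OPNsense writes, so verify it against an export of your own log before relying on the indexes.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample records in the filterlog CSV layout (the part after the
# "filterlog[pid]:" syslog prefix). Assumed field order: rule-number, sub-rule,
# anchor, rule label, interface, reason, action, direction, ip-version, then for
# IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst, and
# for TCP/UDP: src-port, dst-port, ... Check against your own Live View export.
SAMPLE_LOG = """\
71,,,a1b2c3,vlan0.10,match,block,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.10.10,8.8.8.8,50001,53,40
71,,,a1b2c3,vlan0.10,match,block,in,4,0x0,,64,1002,0,DF,17,udp,60,192.168.10.10,8.8.8.8,50002,53,40
71,,,a1b2c3,vlan0.10,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.10.10,1.1.1.1,50003,853,0,S
72,,,d4e5f6,vlan0.10,match,pass,in,4,0x0,,64,1004,0,DF,17,udp,60,192.168.10.11,192.168.10.1,50004,53,40
73,,,b7c8d9,vlan0.10,match,block,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.10.11,192.168.20.15,50005,445,0,S
"""

DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS, as in the anti-bypass rules

def parse_filterlog(text):
    """Yield one dict per IPv4 TCP/UDP record; other record types are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 22 or row[8] != "4" or row[16] not in ("tcp", "udp"):
            continue
        yield {
            "label": row[3], "iface": row[4], "action": row[6], "dir": row[7],
            "proto": row[16], "src": row[18], "dst": row[19],
            "sport": int(row[20]), "dport": int(row[21]),
        }

def blocks_by_label(text):
    """Blocked packets per rule label: log-side counterpart of the rule hit counters."""
    return Counter(r["label"] for r in parse_filterlog(text) if r["action"] == "block")

def dns_bypass_attempts(text, firewall_ip):
    """Count blocked DNS/DoT packets per source that were aimed anywhere but the firewall."""
    hits = Counter()
    for r in parse_filterlog(text):
        if r["action"] == "block" and r["dport"] in DNS_PORTS and r["dst"] != firewall_ip:
            hits[r["src"]] += 1
    return hits

def noisy_sources(text, firewall_ip, threshold=3):
    """Sources at or above the threshold: candidates for a hardcoded resolver."""
    return sorted(s for s, n in dns_bypass_attempts(text, firewall_ip).items() if n >= threshold)

if __name__ == "__main__":
    print("blocks per rule label:", dict(blocks_by_label(SAMPLE_LOG)))
    print("DNS bypass attempts:", dict(dns_bypass_attempts(SAMPLE_LOG, "192.168.10.1")))
    print("sources to review:", noisy_sources(SAMPLE_LOG, "192.168.10.1"))
```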

STEP 4: System Logs and Retention

  1. Go to System > Settings > Logging. Set retention that fits your disk capacity and compliance needs.
  2. Separate application logs that grow quickly. If you run IDS or VPN with verbose logs, consider shorter retention for those facilities.
  3. Use System > Log Files to inspect General, DHCP, DNS, VPN, and IPS logs as needed.

STEP 5: Remote Logging to SIEM or Syslog

  1. Go to System > Settings > Logging and find the Remote Logging section.
  2. Add your remote collector: set Transport, Server, and Port. Choose facilities to send such as firewall, DHCP, DNS, VPN, IDS.
  3. Apply and confirm on the collector side that events are received. Consider TLS if your collector supports it.

STEP 6: Monit Service Checks and Alerts

  1. Go to Services > Monit > Settings. Check Enable.
  2. Go to Services > Monit > Service Tests. Add tests for process status, ping, and network link.
  3. Go to Services > Monit > Services. Create checks for:
    • Unbound process: restart on failure
    • WireGuard process if used
    • Interface link state on key uplinks
    • Disk space thresholds
  4. Go to System > Settings > Notifications. Configure SMTP or other channels so Monit can alert you.

STEP 7: IDS and Security Visibility

  1. If using Suricata, go to Services > Intrusion Detection. Confirm it is enabled and in the desired mode.
  2. Use the Alerts tab for signatures that trigger. Suppress noisy signatures only after review.
  3. If forwarding logs to a SIEM, include Suricata EVE JSON for deeper analysis.

STEP 8: Dashboard Widgets

  1. Go to the main dashboard. Click Unlock then Plus to add widgets.
  2. Add: Traffic Graphs, Interface Statistics, System Information, Gateways, Firewall Logs, and WireGuard status if available.
  3. Arrange widgets to surface CPU spikes, link issues, and blocked traffic quickly.

STEP 9: Apply, Test, and Troubleshoot

  1. After enabling new collectors or Monit checks, click Apply on their pages.
  2. Generate traffic from a test host. Verify visibility in Live View, Health graphs, and Traffic Insight.
  3. If data is missing, check interface selection in NetFlow, logging flags on rules, and retention settings.
  4. Use Diagnostics > Activity and Diagnostics > Services to confirm daemons are running.

Notes and Tips

  • Enable logging only where it is useful. Excessive logging can fill disks quickly.
  • Use role based dashboards. Create a view for security focus and another for operations focus.
  • Baseline normal bandwidth by VLAN. Investigate deviations in Top Talkers and Top Applications.
  • Back up Monit settings and remote logging configuration along with your main config export.

Security Enhancements

Step-by-Step Instructions

STEP 1: Enable Anti Spoofing and Replay Protection

  1. Go to Interfaces > Settings.
  2. Check Enable Spoof Checking to ensure packets are valid for their interface.
  3. Go to Firewall > Settings > Advanced. Enable “Disable Firewall Scrub” only if you need performance testing. Otherwise leave scrub active for fragment protection.
  4. Check Stateful connection tracking with syncookies and IPsec anti replay if you use VPN tunnels.

STEP 2: Intrusion Detection and Prevention

  1. Go to Services > Intrusion Detection.
  2. Check Enabled. Select the inside interfaces you want to protect such as LAN and VLANs.
  3. Set IPS Mode to Enabled so packets are blocked inline.
  4. Choose rule sets. Download and enable Emerging Threats Open or your subscribed rules.
  5. Apply. Then view Alerts tab to see matches. Suppress or disable noisy signatures that are safe to ignore.

STEP 3: Harden the Web UI

  1. Go to System > Settings > Administration.
  2. Set Listen Interfaces to LAN only or a dedicated management VLAN. Avoid exposing the Web UI on WAN.
  3. Enable HTTPS only. Upload a valid certificate if available. Otherwise use the self signed certificate.
  4. Force TLS version 1.2 or higher. Disable weak ciphers.
  5. Go to System > Access > Users. Enable Two Factor Authentication under the user settings and configure the TOTP server under System > Access > Servers.

STEP 4: GeoIP and Reputation Blocking

  1. Go to Firewall > Aliases > GeoIP. Download the MaxMind database under System > Firmware > Settings if not already present.
  2. Create aliases for blocked regions. Example: Block_China, Block_Russia.
  3. Use these aliases in WAN rules. Example: Block any inbound from Block_China before port forwards are matched.
  4. (Optional) Install plugins for reputation feeds and create aliases tied to known bad IP lists.

STEP 5: Secure Remote Access

  1. Never allow SSH or HTTPS on WAN unless absolutely required.
  2. If needed, restrict by source alias of trusted IPs only. Add a port knock or port change if exposure is temporary.
  3. Prefer VPN such as WireGuard or OpenVPN for admin access.

STEP 6: Logging and Alerting for Security

  1. Enable logging on critical firewall rules such as blocks for RFC1918 on WAN and GeoIP rules.
  2. Send logs to a SIEM or syslog collector for long term analysis.
  3. Configure Monit alerts for failed services such as Unbound and Intrusion Detection.

STEP 7: Apply and Test

  1. Click Apply on Intrusion Detection and on any Firewall or Interface settings you change.
  2. Use Shields Up or Nmap from an external host to confirm that only intended ports are open.
  3. Review Intrusion Detection alerts for blocked attacks and confirm no false positives are breaking traffic.
  4. Verify 2FA login to the Web UI before disabling other login methods.

Notes and Tips

  • Use strict aliasing and never rely on any to any rules in security zones.
  • Consider enabling DNS blacklists in Unbound or with a filtering resolver for ad and malware blocking.
  • Keep plugins and rule sets updated. Outdated signatures reduce IDS effectiveness.
  • Audit your rule base quarterly to remove exceptions no longer needed.

Backup & Restore

Step-by-Step Instructions

STEP 1: Manual Configuration Backup

  1. Go to System > Configuration > Backups.
  2. Click Download Configuration. Check Encrypt this configuration file and enter a strong password.
  3. Save the file to secure storage such as an encrypted drive or password manager file vault.
  4. Verify the SHA256 checksum of the downloaded file if you need to prove integrity later.

STEP 2: Automated Backups

  1. Go to System > Configuration > Backups.
  2. Enable Periodic Local Backup. Choose a schedule such as daily or weekly.
  3. Set the maximum number of backups to retain to avoid filling the disk.
  4. (Optional) Enable Nextcloud or Google Drive if you use cloud backup plugins. Enter credentials and confirm backups upload successfully.

STEP 3: Pre-Update Snapshots

  1. Before a major upgrade, go to System > Firmware > Status.
  2. Click Backup Now to create a restore point before the update.
  3. If you use ZFS, take a system snapshot. Roll back if an update causes issues.
  4. Keep the backup exported offline in case the upgrade fails and you need to reinstall.

STEP 4: Restore Configuration

  1. Go to System > Configuration > Backups and choose Restore.
  2. Upload the encrypted configuration file. Enter the decryption password if required.
  3. Click Restore. The firewall will reload with the imported configuration.
  4. Test critical services such as DHCP, DNS, and VPN after restore to confirm all services come back correctly.

STEP 5: Remote Backup Integration

  1. If you want offsite protection, configure a secure method:
    • Cloud storage with encryption (Nextcloud, Google Drive plugin)
    • Remote rsync to a trusted host
    • Manual export to encrypted media stored offsite
  2. Confirm permissions are strict. Limit which accounts can access backups.

STEP 6: Test Restore Regularly

  1. Schedule quarterly or biannual restore tests on a lab firewall or virtual machine.
  2. Import the latest backup and confirm DHCP leases, DNS overrides, firewall rules, and VPN settings apply correctly.
  3. Document restore procedures so they are usable during an emergency.

STEP 7: Apply and Monitor

  1. After enabling automated backups or remote sync, click Apply on the settings page.
  2. Check the backup log for success or errors. Go to System > Log Files > General if troubleshooting.
  3. Verify remote targets receive new backups on schedule.

Notes and Tips

  • Always encrypt exported backups before saving outside the firewall.
  • Keep at least one offline copy that cannot be overwritten by malware.
  • After major configuration changes such as adding VLANs or VPN peers, generate a new manual backup immediately.
  • Label backups with date and firewall name if you manage multiple environments.