Scripts · May 6, 2026 · 3 min read

OPNsense — Open Source Firewall and Routing Platform

A FreeBSD-based open-source firewall and routing platform with a modern web UI, plugin ecosystem, and enterprise features like intrusion detection, VPN, and traffic shaping.

Introduction

OPNsense is a FreeBSD-based firewall and routing platform forked from pfSense in 2015. It provides a polished web interface, weekly security updates, and a plugin system covering intrusion detection, VPN, DNS filtering, and traffic shaping — suitable for home labs through enterprise edge deployments.

What OPNsense Does

  • Performs stateful packet filtering with NAT, port forwarding, and floating rules
  • Runs Suricata-based intrusion detection and prevention (IDS/IPS) with ET and Abuse.ch rulesets
  • Provides VPN connectivity via WireGuard, OpenVPN, and IPsec with GUI configuration
  • Shapes and prioritizes traffic using CoDel, FQ-CoDel, and HFSC queuing disciplines
  • Manages DNS with Unbound resolver, DHCP, and optional DNS-over-TLS/HTTPS forwarding

Architecture Overview

OPNsense runs on HardenedBSD (a security-focused FreeBSD fork) with pf as its packet filter. The web UI is built with PHP (Phalcon MVC framework) and communicates with the backend via a configd service that applies configuration changes to system daemons. Plugins extend functionality through the OPNsense package repository. The configuration is stored as a single XML file, making backup and version control straightforward.
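A single-file backup also carries the firewall's secrets (account password hashes, certificate private keys), so it should be redacted before it goes into version control. The following is an added example, not OPNsense project code: the tag names in `SENSITIVE_TAGS` and the embedded sample are assumptions constructed for illustration and should be adjusted against your own backup.

```python
import xml.etree.ElementTree as ET

# Assumed names of secret-bearing elements; extend after reviewing your backup.
SENSITIVE_TAGS = {"password", "prv", "secret", "pre-shared-key", "privatekey"}
PLACEHOLDER = "REDACTED"

# Constructed sample, not a real OPNsense backup.
SAMPLE = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
    <user>
      <name>root</name>
      <password>$2y$10$constructedhashvalue</password>
    </user>
  </system>
  <cert>
    <descr>Web GUI</descr>
    <crt>Q09OU1RSVUNURUQ=</crt>
    <prv>Q09OU1RSVUNURUQtS0VZ</prv>
  </cert>
  <filter>
    <rule><type>pass</type><interface>lan</interface></rule>
  </filter>
</opnsense>"""

def redact(xml_text, sensitive=SENSITIVE_TAGS):
    """Return (redacted_xml, paths_of_redacted_elements)."""
    root = ET.fromstring(xml_text)
    hits = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag.lower() in sensitive and (elem.text or "").strip():
            elem.text = PLACEHOLDER      # drop the value, keep the structure
            hits.append(here)
        for child in elem:
            walk(child, here)
    walk(root, "")
    return ET.tostring(root, encoding="unicode"), hits

def leftover_secrets(xml_text, sensitive=SENSITIVE_TAGS):
    """Tags of sensitive elements that still hold a value (pre-commit gate)."""
    root = ET.fromstring(xml_text)
    return [e.tag for e in root.iter() if e.tag.lower() in sensitive
            and (e.text or "").strip() not in ("", PLACEHOLDER)]

if __name__ == "__main__":
    cleaned, paths = redact(SAMPLE)
    print("redacted:", paths)
    print("still present:", leftover_secrets(cleaned))
```

Keep the unredacted backup in encrypted storage for restores; the redacted copy is for diffing and review only.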

Self-Hosting & Configuration

  • Install from ISO on bare metal (x86-64) or in a VM with at least two network interfaces
  • Complete initial setup via the web wizard: WAN, LAN, DNS, and admin password
  • Configure firewall rules, NAT, and aliases through the Rules section
  • Enable IDS/IPS under Services > Intrusion Detection with one-click ruleset downloads
  • Install plugins (WireGuard, HAProxy, CrowdSec, etc.) from System > Firmware > Plugins

Key Features

  • Weekly security updates and a transparent release process with changelogs
  • Plugin ecosystem with 80+ packages including HAProxy, FRR routing, CrowdSec, and Telegraf
  • Configuration backup and restore from a single XML file
  • Multi-WAN failover and load balancing with gateway groups
  • API access for automation via REST endpoints with key-based authentication

Comparison with Similar Tools

  • pfSense — The project OPNsense forked from; similar features but less frequent updates and a more restrictive license
  • VyOS — Linux-based network OS with CLI-first configuration; no web UI in the free edition
  • MikroTik RouterOS — Proprietary router OS with powerful features; not open source
  • IPFire — Linux-based firewall; simpler feature set, Pakfire package manager
  • Untangle — Commercial firewall with limited free tier; more appliance-focused

FAQ

Q: What hardware does OPNsense support? A: Any x86-64 system with at least 2 GB RAM and two NICs. Popular choices include Protectli, Netgate, and Minisforum mini PCs.

Q: Can OPNsense replace a commercial firewall? A: Yes. It supports enterprise features like HA (CARP), multi-WAN, IDS/IPS, and centralized logging via syslog or Elasticsearch.

Q: How does OPNsense differ from pfSense? A: OPNsense has a more modern UI, weekly security updates, a broader plugin ecosystem, and uses HardenedBSD with ASLR and other mitigations.

Q: Does it support VLANs? A: Yes. Configure 802.1Q VLANs under Interfaces > Other Types > VLAN and assign them to firewall zones.
