Running OPNsense as a Home Firewall

My experience moving from Smoothwall and consumer routers to OPNsense, with notes on hardware and features.

OPNsense: Enterprise Firewall for Everyone

After years of running various firewall solutions—starting with Smoothwall back in the day, then consumer routers, and eventually landing on OPNsense—I've finally found a setup that just works.

1. It's a Real Firewall

Unlike consumer routers masquerading as security devices, OPNsense is built from the ground up as a proper firewall. Based on FreeBSD, it brings decades of battle-tested networking code to your home or business.

2. Hardware Flexibility

Run it on anything x86 with a couple of NICs:

  • Repurposed desktop or workstation
  • Protectli Vault or similar mini PCs
  • Whatever you have lying around

My setup is a ConnectX-4 LX I picked up cheap on eBay, paired with a Brocade 7150-48ZP switch (2.5GbE ports, 10Gbps SFP+, and PoE). I'm also using Intel X550 and Mellanox enterprise-grade NICs throughout the setup.

One thing I've noticed with these enterprise NICs: on my symmetric fiber connection, the larger buffers seem to make latency noticeably more stable. Throughput is the same as consumer NICs—gigabit is gigabit—but the consistency is better. Whether it's the buffer sizes or just better packet handling, subjectively it feels smoother.

3. Core Features

VPN:

  • WireGuard (fast, modern)
  • OpenVPN (compatible with everything)
  • IPsec (for site-to-site)

IDS/IPS:

  • Suricata built-in
  • Block threats in real-time
  • Regular rule updates

Traffic Shaping:

  • Smart Queue Management (SQM)
  • Prioritize video calls over downloads
  • Does what it's supposed to

4. The Dashboard Tells You Everything

Real-time visibility into:

  • Which devices are using bandwidth
  • Active connections
  • Firewall hits
  • System resources
  • VPN status

No more wondering why Netflix is buffering - you can see exactly what's happening.

5. DNS Control

Built-in Unbound DNS with:

  • DNS over TLS (DoT)
  • Ad blocking
  • Split DNS for local services
  • DNSSEC validation

6. Plugin Ecosystem

Available plugins include:

  • HAProxy for reverse proxy
  • Let's Encrypt for automatic SSL
  • FreeRADIUS for enterprise WiFi
  • Ntopng for deep packet inspection

7. Updates That Don't Break Things

OPNsense updates regularly but conservatively. I've never had an update break my network. The rollback option is there if you need it.

Real-World Setup

My OPNsense handles:

  • 3 VLANs (IoT, trusted, guest)
  • WireGuard VPN for remote access
  • Suricata IDS monitoring all traffic
  • DNS filtering for the entire network
  • Multiple WiFi networks via VLANs

Uptime: 127 days (only down for hardware maintenance)

OPNsense vs Alternatives

  • vs pfSense: Cleaner UI, more frequent updates, similar feature set
  • vs Untangle: Fully free, no license tiers
  • vs Ubiquiti Dream Machine: Full control, no cloud dependencies
  • vs Consumer Router: Different league entirely

The Bottom Line

OPNsense gives you enterprise-grade networking without the enterprise price tag. There's a learning curve, but the Reddit and forum communities are helpful.

Coming from Smoothwall years ago, then through various consumer routers, OPNsense feels like the spiritual successor to those early Linux firewall distros—but with modern features and active development. If you need more control than a consumer router provides, it's worth checking out.
