OPNsense is a powerful firewall software package that can take your local area network (LAN) from zero to hero, replacing ISP-provided hardware with a custom device you have full control over. One advantage of replacing your ISP router with an OPNsense-powered firewall is the unlocking of many advanced features, many of which are often omitted from ISP router firmware. Here are some OPNsense features you're likely not using that could massively improve your home network, some involving a single setting change.
5 Virtual Private Network
And not just for accessing certain sites
You've likely heard of a VPN. It gives you an encrypted tunnel between your device and a remote server, and only from there does your traffic go on to Facebook, YouTube, your favorite streaming platform, or some random website. SSL/TLS certificates and HTTPS are a must-have for securing the link to each site, but they won't stop anyone on the path (your ISP included) from seeing which sites you connect to and when. That's where a virtual private network comes into play, and it's incredibly useful.
I understand it can prove troublesome having to set up and connect to your VPN provider on every device, which is where OPNsense can make a difference by handling the VPN connection itself. Instead of adding the VPN client link on each device, you can leave it to OPNsense to handle credentials, handshakes, and everything else the VPN requires for a private link to be established. And this protects every device on the network, even those only connecting temporarily.
Additionally, through the use of rules and the like, OPNsense can even use the VPN for specific IP addresses, which means you can choose whether you wish for certain hardware to be covered by the VPN or to connect externally as usual. Don't want to have the VPN running for your gaming PC to avoid lag and higher latency? Add it to the pool of IP addresses that aren't covered by the VPN, and you're good to go!
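The per-device routing described above comes down to a rule table: each rule matches a source address and names the gateway (tunnel or plain WAN) its traffic leaves through. The following is an added example that models that decision; it is not OPNsense code and it does not read an OPNsense configuration. The gateway names, subnet and the rule table are constructed, and rule evaluation is modelled as first-match, the way OPNsense rules behave with the default "quick" flag. It also shows the two checks worth making when you set this up: a VPN-only host must be blocked rather than silently routed out the WAN when the tunnel is down, and a host no rule matches (a new VLAN, say) is not protected at all.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy-routing rule: traffic from `source` leaves via `gateway`."""
    source: ipaddress.IPv4Network
    gateway: str  # "VPN_GW" or "WAN_GW" (constructed gateway names)


# Constructed rule table, evaluated top-down with first match winning
# (the behaviour of OPNsense rules with the default "quick" flag set).
RULES = [
    # The gaming PC is exempted from the tunnel to keep latency low.
    Rule(ipaddress.ip_network("192.168.1.50/32"), "WAN_GW"),
    # Everything else on the LAN subnet is sent through the VPN.
    Rule(ipaddress.ip_network("192.168.1.0/24"), "VPN_GW"),
]


def select_gateway(src_ip, rules=RULES, vpn_up=True):
    """Return the gateway a packet from src_ip would use, or None if it is dropped.

    When the tunnel is down, a host that matched a VPN rule is blocked rather than
    silently falling back to the WAN; that is the "kill switch" behaviour you want.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.source:
            if rule.gateway == "VPN_GW" and not vpn_up:
                return None
            return rule.gateway
    # No rule matched: the default route applies, i.e. the plain WAN.
    return "WAN_GW"


def uncovered_hosts(hosts, rules=RULES):
    """List hosts that would leave via the WAN without any rule deciding so.

    Useful as a sanity check after adding a new subnet or VLAN: a device that is
    not matched by any rule is not protected by the VPN, even if you assumed it was.
    """
    leaks = []
    for h in hosts:
        ip = ipaddress.ip_address(h)
        if not any(ip in r.source for r in rules):
            leaks.append(h)
    return leaks


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.1.20", "192.168.2.10"):
        print(host, "->", select_gateway(host))
    print("not covered by any rule:", uncovered_hosts(["192.168.1.20", "192.168.2.10"]))
```

The order of the two rules matters: swapping them would send the gaming PC through the tunnel too, because the /24 rule would match it first.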
4 Traffic shaping (QoS)
Setting priorities for improved bandwidth
Traffic shaping is the process of prioritizing traffic traveling through your LAN. Should you have more than one device connected to the network and actively using bandwidth, such as one PC playing an MMORPG and a mobile device streaming YouTube videos, you may wish to prioritize one over the other to ensure maximum performance for specific hardware and tasks. For the absolute best online in-game experience, you'll want to consider some traffic shaping.
Also known as Smart Queue Management (among other names) on routers not running OPNsense, traffic shaping lets you configure pipes with bandwidth limits and queues that share them. Traffic is assigned to a queue and moves through its pipe according to a carefully planned scheduling system. Think of it much like the line for an amusement ride: most traffic moves through the normal queue, while traffic with priority uses the faster lane.
Every packet sent through your network will be handled eventually and in due course, but those with higher priority status will be processed slightly quicker.
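To make the "everyone gets served, priority gets served faster" point concrete, here is an added example that simulates a pipe with a fixed byte budget shared by two weighted queues. It is not OPNsense's shaper and does not reproduce its exact algorithm; it uses deficit round robin, a common weighted scheduler, and the queue names, packet sizes and weights are constructed. With both queues busy the weights decide the split, and when the game queue goes idle the stream queue takes the whole pipe, which is the behaviour you want from a shaper rather than a hard cap.

```python
from collections import deque


def run_pipe(pipe_bytes, backlog, weights, quantum=1500):
    """Simulate one scheduling interval of a pipe with a fixed byte budget.

    backlog: {queue_name: list of packet sizes in bytes waiting to be sent}
    weights: {queue_name: integer weight; higher means a larger share}
    Returns {queue_name: bytes sent in this interval}.

    Scheduling is deficit round robin: each round, every non-empty queue is
    credited quantum * weight bytes and may send packets while its credit lasts.
    """
    queues = {name: deque(pkts) for name, pkts in backlog.items()}
    deficit = {name: 0 for name in queues}
    sent = {name: 0 for name in queues}
    remaining = pipe_bytes
    while True:
        heads = [q[0] for q in queues.values() if q]
        if not heads or remaining < min(heads):
            break  # nothing left to send, or no packet fits in what is left of the pipe
        for name, q in queues.items():
            if not q:
                deficit[name] = 0  # an idle queue does not bank credit
                continue
            deficit[name] += quantum * weights[name]
            while q and q[0] <= deficit[name] and q[0] <= remaining:
                pkt = q.popleft()
                deficit[name] -= pkt
                remaining -= pkt
                sent[name] += pkt
    return sent


def demo():
    """Both queues busy versus only the streaming queue busy (constructed numbers)."""
    pipe = 20 * 1500  # the pipe carries 20 full-size packets per interval
    weights = {"game": 4, "stream": 1}  # roughly an 80/20 split when both compete
    both = run_pipe(pipe, {"game": [1500] * 30, "stream": [1500] * 30}, weights)
    alone = run_pipe(pipe, {"game": [], "stream": [1500] * 30}, weights)
    return both, alone


if __name__ == "__main__":
    both, alone = demo()
    print("both busy:", both)    # game gets 24000 bytes, stream 6000
    print("game idle:", alone)   # stream gets all 30000 bytes
```

Note that the stream queue still gets its share in the contended case; only the ratio changes. A queue that could be starved entirely would be a limiter, not shaping.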
3 DNS (and DDNS)
Cache the web and external access
Why on earth would you want to run your own DNS using OPNsense? That's a good question! While your ISP's DNS will be proficient enough to handle the load placed upon it, it is also a convenient point for your ISP to block access to content, serve advertisements, and track you. The domain name system is a fairly simple concept: it translates the domain names you want to visit into IP addresses, and resolvers cache those answers. When you load xda-developers.com in your browser, your ISP's DNS looks up the IP and returns it, serving it straight from cache on repeat visits.
This exists because it would be almost impossible for everyone to remember all the different IP addresses for everything they wish to visit on a daily basis. That's why we created domain names: to make addresses human-readable. Your PC and other devices don't care about domains; all they need is the IP. This is also why changes to a domain's IP address can take a while to take effect: resolvers may keep serving the old answer from cache until its time-to-live (TTL) expires.
By taking full control of your own DNS, you will be able to manage the client, the DNS, and everything else on your LAN, completely cutting out the middleman. Doing so will allow you to enjoy a more private connection, quicker DNS resolution, improved flexibility, and be more resilient to external issues. Although extremely rare, your ISP could encounter a problem with its own DNS servers, which would affect those wanting to connect to new domains in their browser.
2 AdGuard
Block all the trackers
This may be cheating slightly since AdGuard isn't part of OPNsense, but it's more a point about the versatility of the firewall firmware, thanks to its expansive collection of community-made plugins. AdGuard is one of my favorites, essentially turning your OPNsense installation into a Pi-hole, just without the additional hardware. Are you tired of dealing with intrusive advertisements, tracking, and other nefarious actions of big tech companies? AdGuard can help clean up your network.
It's difficult to put into words just how useful these solutions are for any LAN. Using the Internet as it was originally intended is fantastic. A VPN can help slightly by masking your connection between locations, but AdGuard takes this to an entirely new level. As well as filtering out advertisements and blocking trackers, here are some other things the plugin can help you set up on your OPNsense firewall:
- Support for encrypted upstream servers using DNS-over-HTTPS, DNS-over-TLS, or DNSCrypt.
- Parental controls.
- Can force Safe Search on search engines used by your browsers.
- Per-client configuration.
- Access controls.
- Blocks phishing and malware domains.
If I had to choose just one recommendation from this list, it would be AdGuard.
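The DNS section above explains why cached answers linger until their TTL runs out, and the AdGuard section describes a resolver that answers blocked domains with a sinkhole address instead of the real one. Both behaviours fit in one small resolver, so here is an added example that does that; it is not AdGuard, Unbound or any OPNsense component, and the upstream records, TTLs and blocklist are constructed. The clock is injectable so the TTL expiry can be shown without waiting.

```python
import time


class FakeClock:
    """Adjustable clock so TTL expiry can be demonstrated without waiting."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed upstream answers: name -> (IPv4, TTL in seconds). Not real records.
UPSTREAM = {
    "xda-developers.com.": ("203.0.113.10", 300),
    "ads.tracker-example.net.": ("198.51.100.7", 60),
    "www.example.org.": ("192.0.2.1", 3600),
}
# Constructed blocklist: a listed domain blocks itself and every subdomain.
BLOCKLIST = {"tracker-example.net."}


def normalize(name):
    """Lower-case and make fully qualified, so cache and blocklist keys match."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


class FilteringResolver:
    """Caching resolver with a sinkhole blocklist, in the Pi-hole/AdGuard style."""

    def __init__(self, upstream, blocklist, clock=time.monotonic):
        self.upstream = upstream
        self.blocklist = {normalize(d) for d in blocklist}
        self.clock = clock
        self.cache = {}  # name -> (answer, expires_at)
        self.stats = {"hits": 0, "misses": 0, "blocked": 0}

    def is_blocked(self, name):
        # "ads.tracker-example.net." -> ["ads", "tracker-example", "net", ""];
        # test every suffix so subdomains of a listed domain are caught too.
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels) - 1))

    def resolve(self, name):
        """Return the IPv4 answer, "0.0.0.0" for blocked names, or None if unknown."""
        name = normalize(name)
        if self.is_blocked(name):
            self.stats["blocked"] += 1
            return "0.0.0.0"  # sinkhole answer; the client connects nowhere
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            self.stats["hits"] += 1
            return cached[0]
        self.stats["misses"] += 1
        record = self.upstream.get(name)
        if record is None:
            return None  # NXDOMAIN; negative answers are not cached in this toy
        answer, ttl = record
        self.cache[name] = (answer, now + ttl)
        return answer


if __name__ == "__main__":
    clock = FakeClock()
    r = FilteringResolver(dict(UPSTREAM), BLOCKLIST, clock)
    print(r.resolve("xda-developers.com"))        # fetched from upstream
    r.upstream["xda-developers.com."] = ("203.0.113.99", 300)  # the site moves
    print(r.resolve("xda-developers.com"))        # still the old answer: cached
    clock.advance(301)
    print(r.resolve("xda-developers.com"))        # TTL expired, new answer
    print(r.resolve("ads.tracker-example.net"))   # blocked by suffix match
    print(r.stats)
```

The suffix match is what makes a short blocklist effective: listing tracker-example.net covers every host under it, while a lookalike such as nottracker-example.net is not affected.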
1 Logging tools
Ntopng, sFlow, and more
OPNsense is becoming increasingly popular as more businesses, enthusiasts, and general consumers look at new networking solutions. If you're new to OPNsense and have yet to fully explore the web admin interface, you may not know about the robust and extensive logging OPNsense carries out. Everything is tracked on the LAN, including local system performance of the OPNsense hardware itself, alongside network traffic, applications (VPNs, DDNS, etc.), and security events.
Once you start using these tools within OPNsense, you can track traffic flow and patterns, network payload, and client-server communications. There are also some great community plugins that can extend this functionality and monitor security features.
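Flow data of the kind ntopng or an sFlow collector gives you is only useful once you ask questions of it. The following is an added example that does two simple ones over a handful of constructed flow records: who the top talkers are by bytes, and which source had its blocked connections spread over many distinct destination ports, a pattern worth a look because it often means a device is probing the network. The record layout, addresses and byte counts are constructed for the example and are not OPNsense or sFlow output.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection, as a flow exporter or firewall log would record it."""
    src: str
    dst: str
    dport: int
    proto: str
    byte_count: int
    action: str  # "pass" or "block"


# Constructed sample flows; not real OPNsense or sFlow output.
FLOWS = [
    Flow("192.168.1.20", "203.0.113.10", 443, "tcp", 2_400_000, "pass"),
    Flow("192.168.1.50", "198.51.100.5", 27015, "udp", 900_000, "pass"),
    Flow("192.168.1.20", "203.0.113.10", 443, "tcp", 1_100_000, "pass"),
    Flow("192.168.1.77", "192.168.1.1", 22, "tcp", 120, "block"),
    Flow("192.168.1.77", "192.168.1.1", 23, "tcp", 120, "block"),
    Flow("192.168.1.77", "192.168.1.1", 80, "tcp", 120, "block"),
    Flow("192.168.1.77", "192.168.1.1", 8080, "tcp", 120, "block"),
    Flow("192.168.1.77", "192.168.1.1", 3389, "tcp", 120, "block"),
    Flow("192.168.1.30", "192.168.1.1", 53, "udp", 80, "pass"),
]


def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent, as (source, bytes) pairs."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.byte_count
    return totals.most_common(n)


def port_sweep_sources(flows, min_ports=5):
    """Sources whose blocked connections touched at least min_ports distinct ports.

    Many blocked attempts to one target across many ports is the classic signature
    of a scan; a legitimate client retrying one service would hit a single port.
    """
    ports = defaultdict(set)
    for f in flows:
        if f.action == "block":
            ports[f.src].add(f.dport)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS, 2))
    print("possible port sweeps from:", port_sweep_sources(FLOWS))
```

Thresholds like `min_ports` need tuning to your LAN; the point is that the firewall already records everything needed to answer these questions, and a few lines turn the record into a signal.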
OPNsense is incredibly versatile
It's not simply firewall software. Although at its core OPNsense does everything your ISP router can do, it's versatile enough to become your DNS server, ad blocker, VPN client, traffic shaper, and more. A fresh installation of OPNsense will already protect you from most threats, but there are a few easy ways to enhance your experience further.
