Congratulations! You've just installed one of the best firewall solutions out there. OPNsense is a robust platform for securing and managing your local area network (LAN), with features comparable to (and going beyond) those of your existing ISP or aftermarket router. From shaping traffic to overriding DNS lookups with local rules through Unbound, you can completely change your network makeup with a few small tweaks within the OPNsense web UI. If there's one thing that OPNsense struggles with, it's its learning curve for beginners.
The web UI can be daunting at first, but here are some ways you can improve your OPNsense installation with a few quick changes.
Traffic shaping
Improve your bufferbloat
You'd be forgiven if you've never heard of traffic shaping or bufferbloat. These aren't terms frequently positioned at the center of router and OPNsense dashboards, but they can prove useful if your connection has some issues that affect ping and latency. It can be quite the problem, and there's a good chance you didn't even know your network was suffering from it. Experienced unforeseen lag in a video call or some heightened latency while playing online games? It could be due to bufferbloat, which is excessive buffering in network devices like routers and modems, making the network feel sluggish.
It's what makes you suddenly shout, "I have gigabit fiber! How am I suffering from lag?" What's worse is that speed tests won't pick up on bufferbloat, though thankfully there are tools that can be used to score your connection. And because it's often caused by your router, the issue can be present on multiple clients at once, making it quite the experience for everyone involved. OPNsense can reduce bufferbloat, and all it takes is activating Smart Queue Management (SQM). That's all there is to it. The software should then optimize network traffic and reduce bufferbloat.
Realize the potential of Unbound
It's one powerful tool for your LAN
If there's one feature I love using within OPNsense, it would have to be Unbound. This is a powerful domain name service (DNS) tool that's fully integrated into OPNsense. With Unbound activated and configured, you can set up host overrides that point custom domain names at local services. This is vital for my homelab, where each public-facing self-hosted service gets its own subdomain. From Jellyfin to Immich, having Unbound manage the overrides allows everyone to use friendly names instead of IP addresses.
Then there's the fact that it can handle DNS over TLS (DoT) for more secure and private connections. If you're tired of being bombarded by advertising and tracked everywhere, Unbound can even help filter out known domains using publicly available blocklists. This is a fantastic way to provide network-wide protection against more intrusive advertising strategies that would typically have to be configured locally per device. Don't leave Unbound as a simple resolver.
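The three Unbound features above (host overrides, a hosts-format blocklist turned into NXDOMAIN zones, and DNS over TLS forwarding) boil down to a handful of unbound.conf directives. The script below is an added example, not OPNsense's own code: OPNsense writes equivalent config itself from the web UI, and this only shows what that config contains. All hostnames, addresses and the upstream resolver are constructed samples.

```python
"""Generate Unbound config snippets for host overrides, a blocklist and DoT forwarding.
Added example, not OPNsense's own code; every name and address below is a constructed sample."""
import ipaddress

# Constructed sample: (hostname, IP) pairs as you would enter them as Unbound host overrides.
OVERRIDES = [("jellyfin.home.example", "10.0.10.20"),
             ("immich.home.example", "10.0.10.21")]

# Constructed sample of a hosts-format blocklist (comments and a localhost line included).
BLOCKLIST = """# sample blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example   # trailing comment
127.0.0.1 localhost
"""

def host_override_lines(overrides):
    """One local-data record per override, plus a matching PTR so reverse lookups work."""
    lines = []
    for name, ip in overrides:
        addr = ipaddress.ip_address(ip)            # rejects malformed addresses early
        rr = "AAAA" if addr.version == 6 else "A"
        lines.append(f'local-data: "{name}. IN {rr} {ip}"')
        lines.append(f'local-data-ptr: "{ip} {name}."')
    return lines

def blocklist_zones(text):
    """Turn hosts-format blocklist entries into always_nxdomain local-zones, skipping localhost."""
    zones = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[1] in ("localhost", "localhost.localdomain"):
            continue
        zones.append(f'local-zone: "{parts[1]}." always_nxdomain')
    return zones

def dot_forward_zone(upstreams):
    """forward-zone sending all queries to the upstreams over TLS (port 853, with auth name)."""
    lines = ["forward-zone:", '    name: "."', "    forward-tls-upstream: yes"]
    lines += [f"    forward-addr: {ip}@853#{auth_name}" for ip, auth_name in upstreams]
    return lines

def render(overrides, blocklist, upstreams):
    """Assemble a complete snippet: server clause first, then the forward-zone clause."""
    server = ["    " + l for l in host_override_lines(overrides) + blocklist_zones(blocklist)]
    return "\n".join(["server:"] + server + dot_forward_zone(upstreams)) + "\n"

if __name__ == "__main__":
    # 192.0.2.53 / dns.example is a placeholder upstream, not a real resolver.
    print(render(OVERRIDES, BLOCKLIST, [("192.0.2.53", "dns.example")]))
```

The `#authname` suffix makes Unbound verify the upstream's certificate against that name, which also needs `tls-cert-bundle` pointing at a CA bundle in the server clause.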
Secure guest access
Captive portals aren't just for hotels
If you've used public Wi-Fi networks before, you'll know what captive portals are. They're small web pages that allow clients to log in and connect to the LAN, being provided internet access in exchange for a room number or email address (and sometimes payment details). You can create captive portals at home with OPNsense with very little effort. It's a good way to ensure that the people on your guest network are actually your guests and not someone outside the property gaining access.
OPNsense provides the means to offer voucher-based access and RADIUS authentication. It can even be used alongside per-guest bandwidth limits, so you don't encounter the situation of someone getting a little too carried away with some downloads. But the best part is how easy these portals are to customize and make truly your own. By editing HTML and other files, it's possible to create an enticing login page that fits in with the home and wider LAN.
Keep unwanted guests out
It takes a few minutes
It's one thing to create a guest network using VLANs, a captive portal, and clever firewall rules, but it's a whole different beast to keep unwanted parties from gaining access to your LAN. That's where Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS, respectively) come into play. It's easy to activate (make sure you do, as it's disabled by default), but it needs a little more configuration than simply hitting the enable button. For example, IPS mode is recommended for inline blocking instead of simple alerts.
Specific rule sets should be chosen, which could be anything from ET Pro to abuse.ch, depending on which you prefer for the home network. But most importantly, time should be spent fine-tuning false positives with policies to avoid OPNsense being a little too trigger-happy with this protection. There's really no reason not to configure IPS or IDS with OPNsense. It's why we move from ISP-provided hardware to such a solution ... for more control.
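Fine-tuning false positives starts with knowing which signatures fire most and against how many hosts. The script below is an added example, not OPNsense's own code: it ranks Suricata (the engine behind OPNsense's intrusion detection) alert events by signature and emits a per-source suppression entry in Suricata's threshold.config syntax for a rule you have judged to be noise. The EVE JSON lines, signature IDs and names are constructed samples, not a real capture.

```python
"""Rank Suricata alerts by signature to find false-positive tuning candidates.
Added example, not OPNsense's own code; EVE_LINES are constructed samples in EVE JSON shape."""
import json
from collections import defaultdict

EVE_LINES = [  # constructed sample log lines, not a real capture; SIDs in the local-rule range
    '{"event_type":"alert","src_ip":"10.0.10.5","alert":{"signature_id":9000001,"signature":"LOCAL sample rule A"}}',
    '{"event_type":"alert","src_ip":"10.0.10.6","alert":{"signature_id":9000001,"signature":"LOCAL sample rule A"}}',
    '{"event_type":"alert","src_ip":"10.0.10.5","alert":{"signature_id":9000001,"signature":"LOCAL sample rule A"}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","alert":{"signature_id":9000002,"signature":"LOCAL sample rule B"}}',
    '{"event_type":"flow","src_ip":"10.0.10.5"}',   # not an alert: ignored
    'garbage line',                                 # malformed: ignored
]

def parse_alerts(lines):
    """Yield (sid, signature, src_ip) for well-formed alert events only."""
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") != "alert" or "alert" not in ev:
            continue
        a = ev["alert"]
        yield a["signature_id"], a["signature"], ev.get("src_ip")

def rank_signatures(lines):
    """Return [(sid, signature, hit_count, distinct_sources)] sorted by hits, descending."""
    hits, sources, names = defaultdict(int), defaultdict(set), {}
    for sid, sig, src in parse_alerts(lines):
        hits[sid] += 1
        sources[sid].add(src)
        names[sid] = sig
    return sorted(((sid, names[sid], hits[sid], len(sources[sid])) for sid in hits),
                  key=lambda r: (-r[2], r[0]))

def suppress_line(sid, src_ip, gen_id=1):
    """threshold.config entry that silences one signature for one source host only,
    which is narrower (and safer) than disabling the rule for the whole network."""
    return f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {src_ip}"

if __name__ == "__main__":
    for sid, sig, n, hosts in rank_signatures(EVE_LINES):
        print(f"{sid:>8} {n:>3} hits {hosts:>2} sources  {sig}")
    print(suppress_line(9000001, "10.0.10.5"))
```

A signature with many hits spread across many internal hosts is the usual sign of a rule that does not fit the home network, and it deserves a look before anything is suppressed.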
Get the most from OPNsense
OPNsense is a powerful tool in securing your home network and opening up access to those who visit, and it keeps everything segmented for maximum performance. It's an invaluable piece of my home LAN puzzle and is used extensively to manage VLANs, reverse proxies, traffic shaping, intrusion protection, network firewall, monitoring, and more. All it takes is some time and a little reading on the official documentation to configure all the necessary settings.
Much of it is enabled by default, but going a little further can take your OPNsense install from good to great.