I pulled the plug on my ISP-supplied all-in-one router earlier this year, replacing it with an OPNsense firewall and router running on the Ugreen DXP4800 Plus NAS. While it was certainly a network overhaul with a deep learning curve, the benefits were immediately apparent. It's faster (from a network management point of view), more reliable, and gives me far more control when it comes to my home network.

As for why I did it, there are a few reasons. I'll walk through my thought process, the pitfalls that I hit along the way, and what services I can effortlessly deploy as a part of my network stack that I couldn't before I made the switch.

What was wrong with my ISP router?

It was very barebones

First and foremost, let's be clear: ISP-provided routers are convenient. They're fantastic, but they're designed for one thing: ease of deployment at scale. That convenience comes with compromises, and those compromises simply didn't cut it anymore as I scaled my home lab. With that said, I used it for more than three years, and only recently did I need the capabilities of a more powerful networking platform.

With an ISP router, one of the biggest compromises is the limited configuration options that are available to you. While ISP routers differ by provider and equipment manufacturer, it's almost unheard of for all of the power-user tools to be there. Previously, I had a Vodafone Gigabox, which, here in Ireland, is the bane of any home networking enthusiast's existence. There's no WPA3, it lacks features such as bridge mode, and it's widely regarded as unstable. While I didn't mind using mine as a bridge of sorts to my mesh network (and disabled the SSID entirely), I totally understand why people were frustrated with it. Even something as simple as a split SSID requires calling up Vodafone and specifically requesting that they set it for you.

On top of that, more advanced features like dynamic DNS, VLANs, advanced firewall rules, and traffic shaping were completely missing. The DHCP wasn't all that customizable, and in the entire time that I had it, there were no firmware updates to be seen. I'm not saying that there were exploits or vulnerabilities present, but not a single update in several years would make anyone a tad skeptical. My new ISP sent me a FritzBox 7530 a couple of months ago, which is a big step up in terms of features and security updates, though I already had my OPNsense deployment at this stage.

With all of these issues, I eventually reached a point where I wanted granular control and a way to combine my network-related services with the core of my network itself. I wanted things like a secure VPN endpoint into my home, traffic inspection for threats using IDS/IPS, and dynamic DNS to keep my domains pointed at my current IP address when it changes. The ISP router no longer cut it.

Why OPNsense?

The best for my needs

OPNsense is an open-source firewall/router distribution based on FreeBSD and designed for clarity and extensibility. I installed both pfSense and OPNsense before settling on the latter, for a few reasons.

For starters, it has a modern UI and active development. It looks great, receives frequent updates (but not so frequent that it's annoying), and it's easy to navigate and set up. I threw myself into the deep end when I installed it, and I had everything set up and working in a couple of hours. It has a ton of features that allow you to build your network exactly the way you want it, but in a way that doesn't get in the way. If you don't use a feature, it's not "bloat" taking up space on your screen, but it's also not a million clicks away when you do want it.

For example, the firewall controls are immense. You can do basically anything with it; you control your NAT, your VLANs, your DHCP and DNS, and there are lots of plugins that you can use if you want. The beauty of these plugins is that they're specifically built for OPNsense and maintained either by Deciso or community developers. You don't have to use any of them if you don't want to, and the vanilla, out-of-the-box version of OPNsense has everything you need. The documentation, while it can be lacking in some instances, is pretty good, and chances are, any problem you experience has already been answered on the official forums.

As for why I didn't stay with pfSense, I tried it just to get a feel for it, but the issues surrounding the company and its practices put me off entirely.

The hardware I used, my deployment, and my network design

It's really simple


I had been trying for a while to figure out what to do with the Ugreen DXP4800 Plus NAS that I had been using on my network. I used it as storage, of course, but I knew that I could do even more with it than just use it as a basic machine to store files, run Docker, and tinker with UGOS. I had already been playing around with Proxmox, and I knew that Proxmox and OPNsense play nicely when it comes to PPPoE, and given that it's one of the few machines I have with dual NICs, it just made sense to turn it into an OPNsense machine with a lot of storage.

Those two NICs are a 2.5 GbE Intel I226V and a 10 GbE Aquantia AQC113. The Irish FTTH networking infrastructure only goes to 2Gbps currently, so I use the Intel NIC to connect to my Optical Network Terminal (ONT), and the Aquantia NIC goes to my switch. FreeBSD support for the Aquantia is currently lacking, though there is a feature request for it. This would have been a problem for a native (bare-metal) deployment, which is why Proxmox was the right fit. Using a Proxmox virtual network adapter, the OPNsense VM can use the NIC while Proxmox handles the hardware interaction.

The network switch that I'm using is the 2.5 GbE YuanLey 6-port managed switch. I've written about this switch before, and people have been understandably skeptical of these so-called "no-name" network switches, both from a hardware standpoint and a security one. I've been monitoring it since I purchased it, and I'm happy to report that I've seen no outbound requests made from it at all. In terms of hardware, I've had no issues: no connectivity problems, overheating issues, or anything else to suggest that this switch could pose a risk to your network security or your home. With that said, I'm not saying that you shouldn't have concerns, and it's always important to be careful about the devices you allow into your network. That switch provides network access to my PC, home server, and wireless access point.

Wireless access is provided by the TP-Link XE75 mesh network, of which I have two individual nodes. The combination of the network switch, the DXP4800 Plus, and a single mesh node idles at just under 50W of power. The DXP4800 Plus packs a Pentium Gold 8505 CPU, and I upgraded the RAM from the included 8GB DDR5 to 32GB. I also added a 1TB NVMe drive for storage, as it only comes with a 128GB boot drive.

Features I can't get from my ISP router

Network security is so much easier

As already mentioned, there are plenty of features that I couldn't get through my ISP router, but obviously, some ISPs might supply some of these features on their routers. Your mileage may vary, and while it's a substantial upgrade for me, it may not be for you. With that said, I now have the following:

  • VLANs and network segmentation: I can split the network into LAN (trusted) and IoT, each with its own VLAN and DHCP scope, made possible through the managed switch. I haven't configured this yet, but it's something I'm looking forward to deploying.
  • Firewall rules: On OPNsense, the firewall is set to default deny all traffic, and you allow the traffic that you need. It's not uncommon to essentially override this by allowing all traffic and then blocking what you don't want, but it's different for everyone. I have an alias that contains a table of IPs for my IoT devices, and I only allow them to connect to my Home Assistant instance and block everything else.
  • DNS and DHCP: I'm currently in the process of moving my DNS to OPNsense using Unbound, and forwarding queries through a DNS-over-HTTPS pipeline to improve privacy and caching.
    • I can also set DNS servers for individual devices in the DHCP, which I do for some devices.
  • VPN: I set up Tailscale with OPNsense enabled as an exit node, so that I can easily VPN to my home and access all of my local services. Tailscale's underlying WireGuard transport is lightweight and can reach near-native speeds if the CPU supports it. I also deployed an interface that exclusively connects to a VPN provider, and I can force certain devices to use it.
  • IDS/IPS: I use ZenArmor and CrowdSec for intrusion detection and prevention. This proactively protects my network, and I can see requests that are blocked by ZenArmor. With CrowdSec, I occasionally see port scanning attacks being blocked, and an instance of a SYN flood (DoS) being blocked, too.
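To make the firewall-rules point above concrete, here is an added example (not from the article, and not OPNsense's own code) that models how a default-deny rule set with an IoT alias behaves, and why rule order matters when you instead allow everything and carve out blocks. The subnet, the Home Assistant address and its port 8123, and the alias name are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed alias table (assumed): the IoT devices live in 192.168.20.0/24.
ALIASES = {"IoT_Devices": [ip_network("192.168.20.0/24")]}

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # alias name, CIDR/host, or "any"
    dst: str
    dport: Optional[int] = None # None matches any destination port
    quick: bool = True          # OPNsense GUI rules are "quick": first match wins

def _matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    nets = ALIASES[spec] if spec in ALIASES else [ip_network(spec)]
    return any(ip_address(addr) in n for n in nets)

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """Walk the rules top to bottom. A quick rule ends evaluation on match; a
    non-quick match only sets the running verdict (pf last-match semantics).
    A flow no rule matches falls through to the implicit default deny."""
    verdict = "block"
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.dport in (None, dport):
            verdict = r.action
            if r.quick:
                break
    return verdict

HOME_ASSISTANT = "192.168.10.5"  # assumed address of the Home Assistant host

# Policy from the article: IoT may talk to Home Assistant and nothing else.
IOT_POLICY = [Rule("pass", "IoT_Devices", HOME_ASSISTANT, 8123)]

# The other common pattern: allow everything, then block what you don't want.
# With quick rules the block must sit above the catch-all pass, or it never fires.
PERMISSIVE_POLICY = [
    Rule("block", "IoT_Devices", "192.168.10.0/24"),  # keep IoT off the trusted LAN
    Rule("pass", "any", "any"),
]

if __name__ == "__main__":
    for flow in [("192.168.20.7", HOME_ASSISTANT, 8123),
                 ("192.168.20.7", "192.168.10.9", 445),
                 ("192.168.20.7", "1.1.1.1", 53)]:
        print(flow, "->", evaluate(IOT_POLICY, *flow))
```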

All of these are incredibly useful features, and I'm so happy that for my networking-related services, I can encapsulate them all in one place. When my network goes down, I don't need these features anyway, so it's not as if I need to worry about my OPNsense instance going down, taking Tailscale with it, and then not being able to use it as an exit node. If OPNsense is down, I have bigger issues, and the exit node wouldn't work, no matter what device on my network provided it.

On top of that, my dynamic DNS operates via Caddy in OPNsense. It has a great UI to add domains, access controls, and forwarding rules, so it's a nice quality of life upgrade to my reverse proxy setup, too.

Is it worth replacing your ISP router with OPNsense?

For me, without question

Not everyone needs OPNsense or its many features, but if you want control, privacy, and capabilities beyond basic NAT and Wi‑Fi, it's worth considering. I won't pretend it's not overkill for a lot of people, and if you only want internet for your phone, laptop, and consoles, it's probably not worth the hassle. There's a lot to learn, and people often understate how hard it can be to know where to start. There's nothing wrong with being happy with your ISP router: zero maintenance is a valuable convenience.

I couldn't go back to an ISP router. I'd miss the control, the security, and the privacy OPNsense gives me. It's one of the best home‑networking upgrades I've made and pushed me further down the rabbit hole of self‑hosted software and networking tweaks. If you want to improve your network and reclaim control, it's absolutely worth it... provided you have the hardware.