OPNsense: turning a PC into a serious firewall
Most people’s home network looks like this: an ISP-provided modem-router combo, everything on one flat network, and “security” that amounts to a Wi-Fi password. It works well enough until it doesn’t — until a compromised IoT gadget can reach your NAS, or you want to isolate a guest network without buying a separate router, or you realize your ISP box has firmware from 2019 that nobody is updating.
The alternative is putting real firewall software between your internet connection and everything else. OPNsense is one of the best ways to do that, and it runs on hardware you can buy for under a hundred dollars.
What OPNsense actually is
OPNsense is an open-source firewall and router platform built on FreeBSD. It started as a fork of pfSense in 2015, with a stated commitment to more frequent releases, a cleaner codebase, and a modern web UI. Today it handles everything a network needs at the edge: NAT, stateful packet inspection, DHCP, DNS, VLAN routing, VPN endpoints, traffic shaping, intrusion detection, and more.
The web interface is genuinely good — not “good for open source,” just good. It’s organized, it has sensible defaults, and most things you want to do are discoverable without reading documentation first.
Underneath the UI is pf, the packet filter that has been OpenBSD’s and FreeBSD’s firewall engine for over two decades. It is battle-tested, performant, and well understood. OPNsense adds a configuration layer, a plugin ecosystem, and a predictable release cadence on top of it.
The problem a proper firewall solves
Think of your network as a building. Your ISP router is a lobby door — it keeps the outside out, mostly. But inside, every room can reach every other room, and anyone who makes it through the front door can wander freely.
A proper firewall lets you divide the building into zones with controlled doorways between them. Smart TVs and thermostats go in one zone. Work laptops go in another. Your server infrastructure goes in a third. The firewall decides which zones can talk to each other and in what direction, and it logs when something unexpected tries to cross.
This is called network segmentation, and it is the difference between a flat home network and something approaching how enterprise networks are designed. When one device is compromised — and eventually one will be — segmentation limits how far an attacker can move.
OPNsense handles this through VLAN support. A VLAN (Virtual LAN) is a logical network that shares physical cables with other VLANs but is isolated at the switch level. You can have a dozen separate networks running over the same hardware, each with its own rules about who can reach whom. OPNsense acts as the router between them, enforcing those rules.
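To make the zone model concrete, here is a small Python simulation of the policy semantics a segmented OPNsense network enforces between VLANs: rules evaluated top-down with first match winning, an implicit default block for anything unmatched, and stateful handling so that replies to an allowed flow pass even when the reverse direction is blocked. This is an added example, not code from the post or from OPNsense (which compiles its UI rules into pf); the zone names, subnets, ports and flows are constructed for illustration.

```python
"""
Added example, not part of the original post: a toy model of zone-to-zone
firewall policy.  Zones, subnets and sample flows are constructed; OPNsense
itself turns its UI rules into pf rules, this only shows the semantics
(first match, default deny, stateful replies) those rules have.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed zones: one VLAN per trust level.
ZONES = {
    "lan": ipaddress.ip_network("10.0.10.0/24"),      # laptops, phones
    "iot": ipaddress.ip_network("10.0.20.0/24"),      # TVs, thermostats
    "servers": ipaddress.ip_network("10.0.30.0/24"),  # NAS, hypervisors
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the lab is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    dst_port: Optional[int]  # None means any port


# Constructed policy, evaluated top-down, first match wins.
# Anything that matches no rule hits the implicit default block.
POLICY = [
    Rule("pass", "lan", "any", None),          # trusted clients may go anywhere
    Rule("pass", "iot", "internet", None),     # gadgets may reach the internet...
    Rule("block", "iot", "any", None),         # ...but nothing else internal
    Rule("pass", "servers", "internet", 443),  # servers may fetch updates
]


class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.states = set()  # (src, sport, dst, dport) of flows already allowed

    def evaluate(self, src, sport, dst, dport) -> str:
        # Stateful: a reply to an allowed flow passes without its own rule,
        # even if the reverse direction would be blocked.
        if (dst, dport, src, sport) in self.states:
            return "pass (state)"
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.policy:
            if r.src_zone not in ("any", sz):
                continue
            if r.dst_zone not in ("any", dz):
                continue
            if r.dst_port is not None and r.dst_port != dport:
                continue
            if r.action == "pass":
                self.states.add((src, sport, dst, dport))
            return r.action
        return "block (default)"


def demo() -> dict:
    """Run a handful of constructed flows through the policy."""
    fw = Firewall(POLICY)
    return {
        "laptop->nas": fw.evaluate("10.0.10.5", 50000, "10.0.30.10", 445),
        "tv->nas": fw.evaluate("10.0.20.7", 50001, "10.0.30.10", 445),
        "tv->internet": fw.evaluate("10.0.20.7", 50002, "198.51.100.20", 443),
        "nas->laptop (reply)": fw.evaluate("10.0.30.10", 445, "10.0.10.5", 50000),
        "nas->tv": fw.evaluate("10.0.30.10", 445, "10.0.20.7", 50001),
        "internet->nas": fw.evaluate("203.0.113.9", 40000, "10.0.30.10", 22),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22} {verdict}")
```

The interesting lines are the last three: the NAS can answer the laptop only because the laptop's flow created state, the NAS cannot initiate anything toward the TV, and nothing from the internet reaches the servers unless a rule says so. That is the "controlled doorways" idea expressed as rule order plus a default block.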
The commercial equivalent
The features OPNsense provides out of the box are what you’d pay for in a Fortinet FortiGate, a Cisco Meraki MX, or a SonicWall appliance. These are not bad products — they are used in enterprise environments for good reasons, including dedicated support contracts and a single vendor to call when something breaks.
They are also expensive. Entry-level Fortinet and SonicWall appliances for a small business run into the hundreds of dollars for hardware alone, plus annual subscription fees for threat intelligence, deep packet inspection signatures, and support. A mid-tier Meraki MX carries annual licensing that costs more than most home lab servers.
For a homelab, you don’t need a support contract. You are the support team. And the features that cost thousands of dollars in a managed appliance are available in OPNsense for the price of a mini PC and your time.
The self-hosted options worth considering
If you go looking for open-source firewall software, you’ll find a few serious contenders:
pfSense (Netgate) is OPNsense’s sibling — they share a common ancestor (m0n0wall) and many architectural similarities. pfSense has a larger install base and more third-party documentation, which helps when you’re learning. The community edition is free; the commercial variant (pfSense Plus) is tied to Netgate hardware. Netgate’s 2021 relicensing of the pfSense source code was what drove many operators toward OPNsense.
VyOS is a network operating system rather than a firewall appliance — it’s more at home in data center routing roles, and its configuration is done via a CLI that will feel familiar if you’ve used Juniper or Cisco gear. It’s powerful and flexible, but it has a steeper learning curve and a smaller plugin ecosystem than OPNsense for home use cases.
OpenWrt is optimized for embedded hardware — routers with 256 MB of RAM and no hardware acceleration. It’s excellent for flashing onto a consumer router to extend its life or add features. For a homelab where you have real hardware available, OpenWrt doesn’t have the same feature surface as OPNsense for firewall rules, VPN management, and intrusion detection.
OPNsense hits the sweet spot for homelab use: a polished UI, active development with a regular release cadence, a plugin ecosystem that includes Suricata for IDS/IPS, WireGuard and OpenVPN integrations, and enough community documentation to get unstuck when you inevitably get stuck. It also ships with sensible defaults that are easy to harden further, rather than defaults that require you to understand the full system before you can make them safe.
How it runs in this lab
The setup here runs OPNsense as a virtual machine pair — a primary and a secondary — rather than on dedicated hardware. This is an intentional tradeoff worth explaining.
The alternative is a physical appliance: a small x86 box or mini PC running OPNsense on bare metal, completely independent of the virtualization cluster. That approach eliminates one dependency (the hypervisor) but adds hardware cost and a separate box to manage. For most failure scenarios — a single host going down, a VM needing a restart — a pair of VMs on separate physical hosts with CARP failover handles it better than a single bare-metal box would. The only scenario where bare metal clearly wins is if both hypervisor nodes go down simultaneously, which is rare and usually means everything else is also down.
CARP (Common Address Redundancy Protocol) is OPNsense’s high-availability mechanism. One instance acts as primary and holds the network’s gateway address. The secondary monitors the primary, and if it stops responding, the secondary claims the gateway address and traffic resumes — in well under a second. Clients on the network never see the failover. Their default gateway just starts answering from a different physical host.
The configuration sync between nodes is handled by OPNsense’s built-in HA sync feature, which pushes changes from the primary to the secondary automatically. You configure the primary, and the secondary follows.
This lab’s OPNsense installation handles:
- Edge firewalling — all traffic from the internet enters through OPNsense. Rules decide what comes in and what gets blocked by default (everything, unless explicitly allowed).
- NAT — translating private addresses behind a single public IP, which is how most home internet connections work.
- VLAN routing — multiple network segments, each isolated from the others, with controlled routing between them for services that need cross-segment access.
- DHCP — handing out addresses on each network segment via Kea (the modern DHCP server that replaced ISC DHCP in OPNsense’s recent versions).
- Dynamic DNS — keeping a public DNS record updated as the ISP address changes, via a Cloudflare integration.
- Tailscale — OPNsense acts as a subnet router and exit node for the Tailscale overlay network, making the whole lab reachable remotely without punching holes in the firewall.
The Suricata IDS/IPS plugin is installed and ready. It monitors traffic for known threat signatures and can block malicious flows inline. It’s CPU-intensive at scale, which is one reason the secondary node was provisioned with extra cores — so the primary can be upgraded to match when needed.
One detail worth noting: OPNsense’s own backup mechanism stores configuration history on the device itself. For a production setup, you want a copy of that configuration somewhere off-box — an external backup destination, a USB stick in the rack, or both. If the VM hosting OPNsense is destroyed and the configuration is gone with it, rebuilding from scratch against live infrastructure is a frustrating experience. A labeled USB stick with the installer and a fresh config export is cheap insurance.
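A copy of the configuration is only insurance if it is intact when you need it. The following added example (not from the post or from OPNsense) takes an export that has already been copied off-box, checks that it is well-formed XML with the expected root and a few essential sections, and keeps a rotated set of dated copies. Assumptions: the export is the file OPNsense keeps at /conf/config.xml, its root element is <opnsense>, and a hostname lives under system/hostname; how the file gets to this machine (scp, the backup API, a USB stick) is left out, and the sample export embedded below is constructed.

```python
"""
Added example, not part of the original post: validate and rotate off-box
copies of an OPNsense configuration export.  Assumes the export is the XML
file OPNsense stores as /conf/config.xml with an <opnsense> root element
(these are assumptions, not confirmed by the post).  SAMPLE_EXPORT is a
constructed stand-in for a real export.
"""
import datetime
import pathlib
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample export: just enough structure to exercise the checks.
SAMPLE_EXPORT = b"""<?xml version="1.0"?>
<opnsense>
  <system><hostname>fw01</hostname><domain>lab.example</domain></system>
  <interfaces><wan><if>vtnet0</if></wan><lan><if>vtnet1</if></lan></interfaces>
</opnsense>
"""


def validate_export(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the export looks usable."""
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A copy that was cut short (full USB stick, interrupted scp) fails here.
        return [f"not well-formed XML ({exc}); likely a truncated copy"]
    if root.tag != "opnsense":
        problems.append(f"unexpected root element <{root.tag}>")
    for path in ("system/hostname", "interfaces"):
        if root.find(path) is None:
            problems.append(f"missing <{path}>")
    return problems


def store_export(data: bytes, dest: pathlib.Path, keep: int = 10,
                 when: Optional[datetime.datetime] = None) -> pathlib.Path:
    """Write the export as a dated file under dest and prune to the newest `keep`."""
    problems = validate_export(data)
    if problems:
        raise ValueError("refusing to store export: " + "; ".join(problems))
    dest.mkdir(parents=True, exist_ok=True)
    when = when or datetime.datetime.now(datetime.timezone.utc)
    target = dest / f"config-{when:%Y%m%dT%H%M%SZ}.xml"
    target.write_bytes(data)
    # Names sort chronologically, so the oldest copies are at the front.
    for old in sorted(dest.glob("config-*.xml"))[:-keep]:
        old.unlink()
    return target


def rotate_demo(copies: int = 12, keep: int = 10) -> int:
    """Store `copies` dated exports into a temp dir; return how many survive."""
    dest = pathlib.Path(tempfile.mkdtemp())
    base = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    for i in range(copies):
        store_export(SAMPLE_EXPORT, dest, keep=keep,
                     when=base + datetime.timedelta(seconds=i))
    return len(list(dest.glob("config-*.xml")))


if __name__ == "__main__":
    print("sample export problems:", validate_export(SAMPLE_EXPORT))
    print("truncated export problems:", validate_export(SAMPLE_EXPORT[:-20]))
    print("copies kept after rotation:", rotate_demo())
```

Run it from a cron job or a post-export hook wherever the copies land; the point of refusing to store a broken export is that you find out the copy failed on a quiet evening, not during a rebuild.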
Who should run this
OPNsense makes sense if you:
- Have more than a handful of devices and want to stop treating them all as equally trusted
- Are running services you want to expose externally and need fine-grained control over what traffic reaches them
- Want to learn how networks actually work — there is no better teacher than having to configure the rules yourself
- Have a spare PC or mini PC sitting around (any x86 machine with two network interfaces can run it)
It’s probably overkill if you:
- Have a simple setup with no servers, no IoT devices, and no interest in network topology
- Can accomplish what you need with a consumer router’s firewall rules and a guest SSID
- Are not ready to be the person who troubleshoots it when something breaks
The learning curve is real. The first time you misconfigure a firewall rule and lose access to the UI from behind it, you will learn something you will not forget. Plan for that. Give yourself a Saturday, have a backup access method ready, and treat the first few hours as an exercise in understanding what you’re building rather than a race to make it work.
The honest tradeoff
Running your own firewall means you are responsible for keeping it updated, responding to security advisories, and debugging outages. OPNsense’s development team is active, and the platform receives regular updates. But applying those updates, testing that nothing broke, and maintaining the configuration over time — that’s on you.
For some people, that’s a feature. Understanding how your network works, having visibility into what’s actually flowing across it, being able to lock down a misbehaving device in sixty seconds rather than logging into a cloud portal and hoping the setting exists — that’s satisfying in a way that a black-box appliance never is.
For others, it’s a burden. If your goal is a network that requires no maintenance and never asks anything of you, OPNsense is probably not the answer.
If your goal is a network that behaves exactly the way you configured it, and you want to understand why, it’s one of the best tools available at any price point.
Next up: how VLAN segmentation actually works in practice, and why your smart TV should never be on the same network as your file server.