OPNsense on FreeBSD: Firewall Distribution Review
OPNsense is a FreeBSD-based firewall and routing platform forked from pfSense in 2015 by Deciso, a Dutch network security company. It shares the same m0n0wall/pfSense heritage but has diverged significantly in architecture, update philosophy, and feature set. This review covers the current state of OPNsense, its plugin system, IDS/IPS integration, VPN capabilities, REST API, and the practical differences from pfSense that matter for deployment decisions.
What OPNsense Is
OPNsense is a complete operating system image built on FreeBSD (the 25.1 release runs on FreeBSD 14.2). Like pfSense, it takes over the entire machine and provides firewall, routing, and network services through a web interface.
Core characteristics:
- Based on FreeBSD; HardenedBSD was the base for several years before 22.1 moved back to stock FreeBSD, which now ships ASLR and PIE itself
- MVC-based web GUI using the Phalcon PHP framework
- Stateful packet filtering via pf
- Full REST API for automation
- Patch releases every one to two weeks, two major releases per year (x.1 in January, x.7 in July)
- Plugin system with over 80 available plugins
- BSD 2-Clause license
The hardening history is worth noting. OPNsense was based on HardenedBSD for several years, which gave it address space layout randomization (ASLR), position-independent executables (PIE), and related exploit mitigations before stock FreeBSD had them. Since 22.1 OPNsense builds on FreeBSD directly; FreeBSD 13 and later enable ASLR for 64-bit binaries and build the base system as PIE by default, so the mitigations remain (the sysctl kern.elf64.aslr.enable reports 1 on a current install). This does not make OPNsense invulnerable, but it raises the bar for exploitation.
Hardware Requirements
OPNsense is released for x86-64 (amd64) only; there is no official ARM64 release, so ARM boards are limited to unofficial builds.
Minimum Hardware
- 64-bit CPU (AMD64)
- 2 GB RAM
- 8 GB SSD/eMMC (120 GB recommended for IDS rulesets and logging)
- 2 network interfaces
Recommended for Production
- Multi-core CPU with AES-NI
- 8 GB RAM (16 GB if running Suricata with full rulesets plus Zenarmor)
- 120+ GB SSD
- Intel NICs (igb, ix, ixl)
```sh
# Check hardware from the OPNsense shell
sysctl hw.model hw.ncpu hw.physmem
# Confirm AES-NI is present (needed for fast VPN crypto)
grep -m1 -o AESNI /var/run/dmesg.boot
# List NICs; the driver name (igb0, ix0, ...) is on the line before the class
pciconf -lv | grep -B3 -A1 'class *= *network'
```
Hardware compatibility mirrors FreeBSD. Intel NICs are preferred. Realtek NICs function but may drop packets under sustained high throughput. Deciso sells official OPNsense appliances (DEC series) with guaranteed compatibility.
Installation
Download the OPNsense image (DVD, VGA, serial, or nano), decompress it, write it to a USB drive, and boot.
```sh
# Write the image to a USB drive from a FreeBSD workstation
# Images are distributed bzip2-compressed; confirm /dev/da0 is the USB stick with `geom disk list` first
bunzip2 OPNsense-25.1-vga-amd64.img.bz2
dd if=OPNsense-25.1-vga-amd64.img of=/dev/da0 bs=4m status=progress
```
The image boots into a live system; log in as installer with password opnsense to start the text-based installer. Select the target disk, choose UFS or ZFS, and let it install. After the reboot, the first login to the web interface is at https://192.168.1.1 with credentials root / opnsense. The GUI uses a self-signed certificate at this point, so expect a browser warning until you install your own.
Post-Install Checklist
- Change the root password
- Run the update check: System > Firmware > Status
- Assign interfaces (WAN, LAN, optional)
- Configure WAN connectivity
- Set DNS servers or enable Unbound DNS
- Review default firewall rules
```sh
# Check the OPNsense version from the shell
opnsense-version -v
```
The Web Interface
The OPNsense GUI is built on the Phalcon PHP MVC framework, and it shows. The interface is cleaner and more responsive than pfSense's. Navigation uses a left sidebar with collapsible categories: Lobby, Interfaces, Firewall, Services, VPN, Reporting, System.
Strengths:
- Modern MVC architecture with clean separation of logic and presentation
- Responsive design that works on tablets and phones
- Built-in dark mode
- Inline help with links to documentation
- Search bar for finding settings quickly
- Configuration history with rollback capability
Weaknesses:
- Some advanced settings require navigating deep into submenus
- Less community documentation than pfSense (though improving)
- Occasional UI inconsistencies between core and plugin interfaces
The dashboard is widget-based. You can add system health, interface statistics, traffic graphs, gateway status, IDS alerts, and service status. Widgets are draggable and resizable.
Plugin System
OPNsense uses a proper plugin architecture rather than a curated package list. Plugins are managed under System > Firmware > Plugins.
Notable Plugins
| Plugin | Purpose |
|--------|---------|
| os-intrusion-detection-content-et-pro | ET Pro ruleset subscription for the core Suricata IDS (Suricata itself is not a plugin) |
| os-ddclient | Dynamic DNS client |
| os-haproxy | Layer 7 reverse proxy and load balancer |
| os-nginx | NGINX reverse proxy with WAF (NAXSI) |
| os-crowdsec | CrowdSec collaborative IPS |
| os-telegraf | Metrics export to InfluxDB/Grafana |
| os-theme-cicada | Alternative dark theme |
| os-zabbix-agent | Zabbix monitoring integration |
| os-acme-client | Let's Encrypt certificate automation |
| os-frr | FRRouting for BGP, OSPF, and dynamic routing |
| os-sunnyvalley | Adds the Zenarmor (formerly Sensei) vendor repository; the Zenarmor next-gen firewall package installs from there |
Installing a Plugin
From the GUI: System > Firmware > Plugins. Find the plugin, click the install icon. From the shell:
```sh
# Install a plugin from the shell (os-acme-client as an example)
pkg install os-acme-client
# Resync the installed plugin list with the configuration backend
configctl firmware resync
```
The plugin ecosystem is more open than pfSense's package system. Third-party developers can create and distribute plugins. This results in a wider selection but occasionally less polish than pfSense's curated approach.
IDS/IPS with Suricata
Suricata is deeply integrated into OPNsense. It is not a bolt-on package but a core component with dedicated GUI pages and tight firewall integration.
Configuration
Navigate to Services > Intrusion Detection. Enable the service and configure:
- Interfaces: Select which interfaces to monitor (typically WAN and LAN)
- Pattern Matcher: Hyperscan (fastest, needs an SSSE3-capable x86 CPU) or Aho-Corasick (the default)
- Rulesets: Enable rule sources (ET Open and the abuse.ch feeds are free; ET Pro and Snort VRT need a subscription plus the matching os-intrusion-detection-content-* plugin)
- Mode: IDS (alert only) or IPS (alert and block). IPS mode puts the interface into netmap so Suricata sits inline, which requires a netmap-capable NIC driver and hardware offloading (LRO/TSO) disabled on that interface; verify both before enabling it on a production WAN
```sh
# Check Suricata status
service suricata status
# Pretty-print the most recent EVE records (one JSON object per line; --json-lines needs Python 3.8+)
tail -n 20 /var/log/suricata/eve.json | python3 -m json.tool --json-lines
# Follow only alert events as they arrive
tail -f /var/log/suricata/eve.json | grep --line-buffered '"event_type":"alert"'
```
Rule Management
OPNsense provides per-rule control. You can enable, disable, or modify the action (alert, drop, reject) for individual rules. Rule categories can be bulk-enabled or disabled.
```sh
# Count loaded rules (suricatasc talks to the running instance over its unix socket)
suricatasc -c ruleset-stats | python3 -m json.tool
```
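Per-rule tuning is only useful if you know which signatures are firing and from where. The following is an added example (not OPNsense or Suricata project code) that reads the newline-delimited EVE records Suricata writes to /var/log/suricata/eve.json and summarises alerts per signature and top source, skipping non-alert events and the partial last line that a file still being written can contain. The records below are constructed, not captured from a real system; the field names (event_type, src_ip, alert.signature_id, alert.severity, alert.action) are Suricata's standard EVE alert fields.

```python
"""Triage Suricata EVE JSON alerts by signature and source (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample: three alert records, one flow record, one corrupt line.
SAMPLE_EVE = """\
{"timestamp":"2025-03-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-03-01T10:00:05.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.1","proto":"UDP"}
{"timestamp":"2025-03-01T10:01:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-03-01T10:02:00.000000+0000","event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2025-03-01T10:03:00.000000+0000","event_type":"al
"""


def parse_eve(text):
    """Yield alert records only; other event types and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may end in a half-written record while Suricata is logging
        if rec.get("event_type") == "alert":
            yield rec


def summarize(alerts, max_severity=2):
    """Count alerts per signature and per source IP, keeping severity <= max_severity (1 is highest)."""
    by_sig = Counter()
    by_src = defaultdict(Counter)
    blocked = Counter()
    for rec in alerts:
        alert = rec["alert"]
        if alert.get("severity", 3) > max_severity:
            continue
        key = (alert["signature_id"], alert["signature"])
        by_sig[key] += 1
        by_src[key][rec["src_ip"]] += 1
        if alert.get("action") == "blocked":
            blocked[key] += 1
    return by_sig, by_src, blocked


def report(text, max_severity=2):
    """One line per signature, noisiest first, with the top source for that signature."""
    by_sig, by_src, blocked = summarize(parse_eve(text), max_severity)
    lines = []
    for (sid, name), count in by_sig.most_common():
        top_src, top_count = by_src[(sid, name)].most_common(1)[0]
        lines.append(f"sid {sid:>8} x{count:<3} blocked={blocked[(sid, name)]} "
                     f"top_src={top_src} ({top_count})  {name}")
    return lines


if __name__ == "__main__":
    import sys
    # Usage on the firewall: python3 eve_triage.py /var/log/suricata/eve.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    print("\n".join(report(data)))
```

A signature that dominates the list with a single internal source is usually a candidate for a rule disable or a narrower alias rather than a policy change; a blocked count on a low-severity signature is worth a second look before leaving it in drop.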
Performance Impact
Running Suricata in IPS mode on all interfaces reduces throughput. On a 4-core Intel Atom C3558:
- Without Suricata: ~2.5 Gbps routing
- Suricata IDS mode: ~1.5 Gbps
- Suricata IPS mode: ~800 Mbps to 1.2 Gbps (depends on ruleset size)
For multi-gigabit deployments, use Hyperscan pattern matching and a CPU with sufficient cores. 8+ cores are recommended for 10G with full IPS.
VPN Capabilities
OPNsense supports OpenVPN, IPsec (strongSwan), and WireGuard.
OpenVPN
Configuration is under VPN > OpenVPN. Since 23.1 the Instances page is the preferred way to define servers and clients; the legacy Servers and Clients pages remain available. OPNsense provides wizard-based setup for both server and client configurations. Certificate management is integrated under System > Trust > Certificates.
Features include:
- TLS (certificate) and static key modes
- Two-factor authentication with TOTP through the built-in "Local + Timebased One Time Password" authentication server (System > Access > Servers); no plugin is needed
- Client Specific Overrides (CSO) for per-client addresses, routes, and pushed options
- Status monitoring under VPN > OpenVPN > Connection Status
```sh
# Check running OpenVPN instances and their listening sockets
ps aux | grep '[o]penvpn'
sockstat -4l | grep openvpn
```
IPsec
IPsec uses strongSwan and supports IKEv1, IKEv2, and MOBIKE. Configuration is under VPN > IPsec.
- Site-to-site with PSK or certificate authentication
- Road warrior / mobile client support with IKEv2 EAP
- Multiple child SAs (Phase 2 entries) per connection
- VTI (route-based) and policy-based modes
```sh
# View active IPsec SAs and loaded connections (OPNsense drives strongSwan via swanctl since 23.1)
swanctl --list-sas
swanctl --list-conns
```
WireGuard
WireGuard has been part of the core system since OPNsense 24.1 (it was the os-wireguard plugin before that) and uses the FreeBSD kernel implementation (if_wg), so there is nothing to install.
Configuration is under VPN > WireGuard. The interface provides:
- Server and client (peer) configuration
- Endpoint management with keepalive settings
- Integration with OPNsense firewall rules via WireGuard interface assignment
- Key generation in the GUI
```sh
# Verify the kernel module is loaded and the interface is up
kldstat | grep if_wg
wg show
ifconfig wg0
```
WireGuard on OPNsense is performant. On modern hardware with kernel-level WireGuard, expect near-line-rate throughput on gigabit and 3-5 Gbps on 10G.
The REST API
The REST API is one of OPNsense's strongest differentiators from pfSense. Everything built on the MVC framework, which is most of the GUI today, is also accessible via the API; the remaining legacy pages are not, and the project converts them over time. The official documentation lists each module's endpoints.
API Authentication
API keys are generated per user under System > Access > Users (edit the user, then the API keys section). Each key pair (key + secret) is sent as HTTP Basic credentials. The secret is only available in the file downloaded when the key is created, and the key carries the user's privileges, so create a dedicated low-privilege user for automation instead of issuing keys for root.
```sh
# List firewall aliases via the API
# -k disables certificate verification; outside a lab, pass the CA that signed the GUI cert with --cacert instead
curl -k -u "API_KEY:API_SECRET" \
  https://192.168.1.1/api/firewall/alias/searchItem
```
Common API Operations
```sh
# Get system status
curl -k -u "API_KEY:API_SECRET" \
  https://192.168.1.1/api/core/system/status

# Add a firewall alias entry (JSON bodies must be declared with Content-Type)
curl -k -u "API_KEY:API_SECRET" -X POST \
  -H 'Content-Type: application/json' \
  -d '{"alias":{"name":"blocklist","type":"host","content":"10.0.0.5"}}' \
  https://192.168.1.1/api/firewall/alias/addItem

# Apply the pending alias changes
curl -k -u "API_KEY:API_SECRET" -X POST \
  https://192.168.1.1/api/firewall/alias/reconfigure

# Download a configuration backup (it contains password hashes and keys; protect the file)
curl -k -u "API_KEY:API_SECRET" \
  https://192.168.1.1/api/core/backup/download/this -o config-backup.xml
```
The API enables Infrastructure-as-Code workflows. You can manage OPNsense with Ansible (using the community collection), Terraform (via API provider), or custom scripts. This is a significant advantage for organizations managing multiple firewalls.
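A script that wraps the two-step write-then-reconfigure flow above is the building block for those automation workflows. The following is an added example, not OPNsense project code or the Ansible/Terraform integrations mentioned: a small client that sends Basic auth and a JSON Content-Type, verifies the firewall's certificate against a CA file instead of disabling verification, and checks the controller's answers. The {"result": "saved", "uuid": ...} / {"result": "failed", "validations": {...}} and {"status": "ok"} response shapes are what the firewall/alias controller returns; the firewall address, key, secret, UUID and the fake transport are constructed so the code runs offline.

```python
"""Minimal OPNsense REST API client with TLS verification (added example)."""
import base64
import json
import ssl
import urllib.request


class ApiError(Exception):
    """Transport error, non-200 response, or a request the firewall rejected."""


def https_transport(cafile):
    """Transport that verifies the GUI certificate against cafile (the alternative to curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(url, method, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, resp.read()

    return send


def fake_transport(url, method, headers, body):
    """Constructed stand-in for a firewall so the example runs offline.
    It answers like the alias controller: saved/failed with validations for
    addItem, status ok for reconfigure, and rejects undeclared JSON bodies."""
    if headers.get("Content-Type") != "application/json":
        return 400, b"expected a JSON body"
    payload = json.loads(body) if body else {}
    if url.endswith("/api/firewall/alias/addItem"):
        name = payload.get("alias", {}).get("name", "")
        if not name or not name.replace("_", "").isalnum():
            return 200, json.dumps({"result": "failed", "validations": {
                "alias.name": "Only letters, digits and underscores are allowed"}}).encode()
        # Placeholder UUID; a real firewall returns the new item's UUID
        return 200, json.dumps({"result": "saved",
                                "uuid": "00000000-0000-4000-8000-000000000001"}).encode()
    if url.endswith("/api/firewall/alias/reconfigure"):
        return 200, json.dumps({"status": "ok"}).encode()
    return 404, b"not found"


class OpnsenseApi:
    def __init__(self, base_url, key, secret, transport):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json",  # required for JSON request bodies
                        "Accept": "application/json"}
        self.transport = transport

    def call(self, module, controller, command, payload=None):
        """GET when there is no payload, POST with a JSON body otherwise."""
        url = f"{self.base_url}/api/{module}/{controller}/{command}"
        body = None if payload is None else json.dumps(payload).encode()
        method = "GET" if payload is None else "POST"
        status, raw = self.transport(url, method, self.headers, body)
        if status != 200:
            raise ApiError(f"HTTP {status} from {url}: {raw[:200]!r}")
        return json.loads(raw)

    def add_alias_entry(self, name, address, description=""):
        """Create a host alias, then apply it; validation failures are raised with details."""
        saved = self.call("firewall", "alias", "addItem", {"alias": {
            "name": name, "type": "host", "content": address, "description": description}})
        if saved.get("result") != "saved":
            raise ApiError(f"alias not saved: {saved.get('validations', saved)}")
        applied = self.call("firewall", "alias", "reconfigure", {})  # nothing is live until this step
        if applied.get("status") != "ok":
            raise ApiError(f"reconfigure failed: {applied}")
        return saved["uuid"]


if __name__ == "__main__":
    api = OpnsenseApi("https://192.0.2.1", "API_KEY", "API_SECRET", fake_transport)
    print("saved alias", api.add_alias_entry("blocklist", "10.0.0.5", "added via API"))
    # Against a real firewall: OpnsenseApi(url, key, secret, https_transport("fw-ca.pem"))
```

Keeping the transport separate makes the client testable without a firewall and keeps the certificate policy in one place; a CI job that manages dozens of nodes should never carry a blanket "ignore TLS" flag, because the key and secret travel in every request.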
High Availability
OPNsense supports CARP-based high availability with state synchronization, similar to pfSense.
Requirements:
- Two OPNsense installations with identical interface configurations
- Dedicated sync interface between nodes
- CARP virtual IPs on each interface
- Configuration synchronization enabled
```sh
# Check CARP status on each node
ifconfig | grep carp
sysctl net.inet.carp.allow
# A non-zero demotion counter means this node has stepped down (e.g. a failed interface or pfsync problem)
sysctl net.inet.carp.demotion
```
Configuration synchronization uses XMLRPC, the same mechanism pfSense inherited from m0n0wall, and runs in one direction only: from the primary to the backup. Enable it and choose which sections to sync under System > High Availability > Settings, then trigger a sync and compare service state on both nodes under System > High Availability > Status. Firewall state itself is replicated separately by pfsync over the dedicated sync interface.
Reporting and Monitoring
OPNsense includes built-in reporting that is more comprehensive than pfSense CE's.
- Insight: NetFlow/IPFIX-based traffic analysis with per-host breakdowns
- Health: RRD graphs for CPU, memory, disk, and interface traffic
- Firewall Log: Real-time log viewer with filtering
- IDS Alerts: Suricata alert dashboard with drill-down
For external monitoring, use the Telegraf plugin to export metrics to InfluxDB and visualize in Grafana.
```sh
# Install the Telegraf plugin
pkg install os-telegraf
```
Backup and Restore
Configuration is stored in XML format, similar to pfSense.
```sh
# Back up the configuration from the shell (the file holds password hashes and keys; store it accordingly)
cp /conf/config.xml /tmp/config-backup-$(date +%Y%m%d).xml
```
From the GUI: System > Configuration > Backups. OPNsense provides:
- Manual download of configuration XML
- Automatic local backups with configurable retention
- Google Drive backup integration
- Nextcloud backup integration
- Configuration diff viewer showing changes between backups
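Because the whole firewall lives in one XML file, the "review default firewall rules" step from the post-install checklist can be scripted against a backup rather than clicked through. The following is an added example, not OPNsense project code: it parses the legacy <filter><rule> entries (type, interface, source and destination with <any>, <network>, <port>, and <descr>) and flags pass rules on WAN that expose management ports or allow everything. The sample document is constructed and trimmed to those elements; the management port list and the interface name wan are assumptions to adjust per deployment.

```python
"""Audit firewall rules in an OPNsense config.xml backup (added example)."""
import xml.etree.ElementTree as ET

MGMT_PORTS = {"22", "80", "443"}  # SSH and the web GUI; assumption, adjust as needed

# Constructed, trimmed config.xml: only the elements the audit looks at are present.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>GUI from anywhere (temporary)</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any>1</any></source><destination><any>1</any></destination>
    </rule>
    <rule>
      <disabled>1</disabled>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any>1</any></source><destination><any>1</any></destination>
      <descr>old allow-all, disabled</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><any>1</any></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><address>203.0.113.0/24</address></source><destination><any>1</any></destination>
      <descr>Block known-bad range</descr>
    </rule>
  </filter>
</opnsense>
"""


def _text(node, path):
    """Text of a child element, or None when the element or its text is missing."""
    if node is None:
        return None
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else None


def _is_any(endpoint):
    """True for <source>/<destination> blocks that contain <any>."""
    return endpoint is not None and endpoint.find("any") is not None


def audit_rules(xml_text):
    """Return (interface, description, finding) tuples for active rules that need attention."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.findall("./filter/rule"):
        if _text(rule, "disabled") == "1":
            continue  # disabled rules are never loaded into pf
        iface = _text(rule, "interface") or "?"
        descr = _text(rule, "descr") or "(no description)"
        src, dst = rule.find("source"), rule.find("destination")
        if _text(rule, "type") == "pass" and iface == "wan" and _is_any(src):
            if _is_any(dst):
                findings.append((iface, descr, "pass any->any on WAN"))
            elif _text(dst, "network") == "(self)" and (_text(dst, "port") or "") in MGMT_PORTS:
                findings.append((iface, descr,
                                 f"management port {_text(dst, 'port')} open to the Internet"))
        if _text(rule, "descr") is None:
            findings.append((iface, descr, "rule has no description"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_rules.py config-backup.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for iface, descr, why in audit_rules(text):
        print(f"[{iface}] {why}: {descr}")
```

Run it against each automatic backup and diff the output over time; a new finding between two backups is exactly the kind of change the GUI's diff viewer shows, but in a form a CI job can fail on.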
OPNsense vs pfSense
| Aspect | OPNsense | pfSense CE |
|--------|----------|-----------|
| Update Frequency | Patch releases every one to two weeks; two major releases per year (x.1 in January, x.7 in July) | Less frequent |
| Security Hardening | FreeBSD 14 base with ASLR and PIE on by default; HardenedBSD base in releases before 22.1 | Stock FreeBSD |
| API | Full REST API covering all MVC components | No built-in REST API in CE (XMLRPC serves HA sync only; third-party API packages exist) |
| IDS/IPS | Suricata (core) | Snort or Suricata (package) |
| GUI | Phalcon MVC, dark mode built in | Bootstrap-based PHP GUI, dark theme available (pfSense-dark) |
| WireGuard | Core since 24.1 (kernel module); plugin before that | Package (kernel module) |
| Plugin Count | 80+ | ~30 packages |
| DNS/IP Blocking | Unbound DNS blocklists built in, GeoIP and URL-table aliases for IP lists; no single pfBlockerNG-style package | pfBlockerNG |
| Commercial | Business Edition (Deciso) | pfSense Plus (Netgate) |
| Documentation | Good, improving | Extensive, mature |
Choose OPNsense if you need API automation, prefer frequent updates, or want Suricata as a first-class citizen. Choose pfSense if you depend on pfBlockerNG, need the larger community knowledge base, or have existing pfSense infrastructure. See the pfSense review for the other perspective.
Common Issues
Plugin Conflicts After Upgrade
Major version upgrades occasionally break plugin compatibility. Always check release notes before upgrading. Disable non-essential plugins before a major upgrade and re-enable afterward.
```sh
# List installed plugins (all plugin packages are named os-*)
pkg info | grep '^os-'
```
Suricata High CPU Usage
If Suricata consumes excessive CPU, reduce the number of enabled rulesets or switch to Hyperscan pattern matching. Also verify you are not running in IPS mode on interfaces that do not require it.
API Authentication Failures
Ensure the user that owns the API key has the right privileges. Each API endpoint is protected by the same privilege as the GUI page it belongs to, and privileges are assigned through group membership, so check the user's groups under System > Access > Groups and add the page privileges the endpoints need. A key for a user without the privilege gets an authorization error even though the key and secret are correct.
Frequently Asked Questions
Is OPNsense free?
Yes. OPNsense is free and open-source under the BSD 2-Clause license. The Business Edition adds commercial support and some additional features (e.g., centralized management), but the community edition is fully functional.
Can I migrate from pfSense to OPNsense?
Partially. OPNsense can import a pfSense config.xml at install time, but the two configuration formats have diverged since the fork, so only the settings that still share a layout are picked up. Back up your pfSense config.xml, install OPNsense, import during initial setup, and then review every section; expect to rebuild anything that depends on pfSense packages (pfBlockerNG, Snort) by hand.
Does OPNsense support VLANs?
Yes. VLAN configuration is under Interfaces > Other Types > VLAN. Each VLAN creates a virtual interface that can be assigned and configured independently.
Can I run OPNsense in a VM?
Yes. OPNsense runs on VMware ESXi, Proxmox/KVM, bhyve, and Hyper-V. Use virtio NICs for best performance on KVM/bhyve and VMXNET3 on VMware (e1000 works but is slower). If IPS mode or throughput is a concern, disable hardware offloading on the virtual NICs under Interfaces > Settings.
How does Zenarmor (formerly Sensei) work?
Zenarmor is a deep packet inspection plugin that adds application-level visibility and filtering. It identifies applications (Netflix, YouTube, BitTorrent, etc.) and allows policy-based blocking. The free tier provides basic features; paid tiers add reporting and policy options.
Does OPNsense support multi-WAN?
Yes. Configure multiple WAN gateways under System > Gateways and set up gateway groups for failover or load balancing. Policy-based routing allows directing specific traffic to specific WANs.
How often should I update OPNsense?
OPNsense publishes weekly security and bug-fix updates. Apply these promptly. Major releases (e.g., 25.1 to 25.7) should be tested on a non-production system first if possible.
Can I use OPNsense for BGP routing?
Yes. Install the os-frr plugin for FRRouting. It supports BGP, OSPF, OSPFv3, RIP, and BFD. Configuration is available through the GUI and the FRR shell (vtysh).
```sh
# Enter the FRR CLI
vtysh
# ...or run one command without an interactive session
vtysh -c 'show bgp summary'
```
Is OPNsense suitable for enterprise deployments?
Yes. The Business Edition includes centralized management (OPNcentral) for managing multiple firewalls from a single pane. The REST API enables integration with enterprise automation tools. Deciso provides commercial support contracts.
What logging backends does OPNsense support?
OPNsense can send logs via syslog to any remote collector. The Telegraf plugin supports InfluxDB, Elasticsearch, and other backends. Suricata's eve.json output can be ingested by ELK, Splunk, or Graylog.