I was recently assigned a laptop to use for work so I wanted to create a new VLAN only for my work laptop to keep it segregated from my own network. On my OPNsense box, I have extra unused interfaces. I decided to take the opportunity to utilize one of those extra interfaces instead of adding yet another VLAN to my main LAN interface. There are two ways I could utilize the unused interface: use the physical interface with no VLAN tagging or assign a VLAN to the physical interface.
WireGuard is a modern designed VPN that uses the latest cryptography for stronger security, is very lightweight, and is relatively easy to set up (mostly). I say ‘mostly’ because I found setting up WireGuard in OPNsense to be more difficult than I anticipated. The basic setup of the WireGuard VPN itself was not overly difficult, but I did struggle with getting everything working together in the same way that I had my OpenVPN configured.
Have you wanted to take a look at OPNsense without installing it to a dedicated machine and/or deploying it as your primary home router/firewall? The easiest way to evaluate OPNsense without installing it on separate hardware is to virtualize it. I wrote about running OPNsense in VirtualBox. Now that I run Proxmox on my server instead of Ubuntu (I still use Ubuntu for many of my LXCs/VMs on Proxmox), I wanted to run OPNsense on Proxmox so I may use when writing content for this site.
Sunny Valley Networks is a company that has partnered with Deciso, the creators of OPNsense, to create a plugin called Sensei which adds deep packet inspection and more to OPNsense. These features add greater visibility into your network. Sensei also has built-in cloud threat intelligence that can be used to block web/application traffic and to prevent known malware attacks. For users who wish to have a low cost option yet have advanced network monitoring and protection, OPNsense with Sensei is a great option to consider.
When I first set up my home network using my OPNsense router and was learning firewall rules, I took the approach of allowing only the Unbound DNS service on OPNsense to be accessed and blocking access to all other DNS servers. This simplistic approach works well enough since any rogue access to external DNS servers are simply blocked. Only the DNS resolver on the local network is allowed (unless the DNS requests are encrypted, of course – see note below).