20250429 push notes

projects/OPNsense/STANDARDS/Feature-Capability.md

@@ -0,0 +1,113 @@
+# OPNsense Feature Capability Overview (Industry Use)
+
+This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.
+
+---
+
+## ✅ Stable / Industry-Proven Core Features
+
+These features are well-supported, reliable, and commonly used in production deployments.
+
+### 🔧 Core Networking & Routing
+- VLANs (tagged, untagged)
+- Static and dynamic routing (OSPF, BGP via FRR plugin)
+- Multi-WAN with load balancing / failover
+- NAT (1:1, port forward, outbound NAT)
+- DHCP/DHCPv6 Server & Relay
+- DNS Resolver (Unbound) with DoT, conditional forwarding
+- NTP Server
+
+### 🔐 Firewall & Security
+- Stateful firewall with alias system
+- Schedule-based rules
+- GeoIP blocking
+- Packet logging and rule hit counters
+
+### 👥 Authentication
+- Local user DB
+- LDAP / Active Directory (GPO support)
+- Two-Factor Authentication (TOTP)
+- Captive Portal with LDAP/RADIUS integration
+
+### 🌍 VPN Services
+- OpenVPN (with client export)
+- IPsec (strongSwan)
+- WireGuard (kernel module; fast & stable)
+
+### 🔐 SSL Certificates
+- ACME/Let's Encrypt support
+- DNS-01, HTTP-01
+- Auto-renewal + deploy to services
+
+### 💾 Backup & Management
+- Local and remote encrypted backup
+- OPNcentral for multi-firewall config, update, backup
+- High Availability (CARP-based)
+
+---
+
+## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
+
+These features are usable but require testing or tuning to ensure stability.
+
+### 🛡️ Intrusion Detection / Prevention
+- Suricata (IDS/IPS)
+  - Can impact performance on low-RAM systems (≥8GB recommended)
+  - Inline mode works but may be unstable with certain NICs
+  - Regular ruleset updates supported
+
+### 🌐 Web Filtering / Proxy
+- Squid Proxy + ICAP/ClamAV
+  - SSL inspection fragile; requires CA deployment to clients
+  - Transparent mode unstable on some NICs
+  - Basic caching stable; filtering can be unreliable
+  - ICAP antivirus adds CPU load
+
+### 🔄 Dynamic DNS
+- DDNS client with broad provider support
+- Stable and scriptable
+
+### ☁️ Remote Backups
+- Supported to Google Drive, Git, Nextcloud (via plugin/scripting)
+- Manual testing of restore process recommended
+
+---
+
+## ❌ Experimental / Immature Features
+
+Avoid these for now in production or industrial deployments.
+
+### 📬 Mail Gateway / Relay
+- Basic Postfix relay plugin
+- No spam filtering or advanced mail security
+- Not recommended for secure mail handling
+
+### 🌐 Web Application Firewall (WAF)
+- Nginx WAF plugin exists
+- No full ModSecurity/OWASP integration
+- Better to isolate on a dedicated reverse proxy
+
+### 📦 OPNProxy Plugin
+- Adds fine-grained Squid-based user/group URL access control
+- Inherits Squid’s instability
+- Use with caution or for testing only
+
+---
+
+## Summary Table
+
+| **Feature**                    | **Production Readiness** | **Notes**                                                   |
+|-------------------------------|---------------------------|-------------------------------------------------------------|
+| Core firewall, routing        | ✅ Yes                    | Fully stable                                                |
+| VPN (OpenVPN, WireGuard)      | ✅ Yes                    | Strong support and maturity                                 |
+| Suricata                      | ⚠️ With caution           | Test on hardware; monitor CPU/RAM                           |
+| Web Proxy / Filtering         | ❌ Avoid or isolate        | Only basic use; SSL filtering often unstable                |
+| Antivirus (clamav)            | ⚠️ Optional               | High CPU use; best supplemented by endpoint AV              |
+| DNS & DHCP                    | ✅ Yes                    | Mature and reliable                                         |
+| Mail Relay                    | ❌ No                      | Lacks required filtering and logging for industrial use     |
+| WAF (nginx)                   | ❌ No                      | Too limited for meaningful protection                       |
+| DDNS, Backups, Certs          | ✅ Yes                    | Useful and stable                                           |
+
+---
+
+_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._