# OPNsense Feature Capability Overview (Industry Use)

This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.

---

## ✅ Stable / Industry-Proven Core Features

These features are well-supported, reliable, and commonly used in production deployments.

### 🔧 Core Networking & Routing

- VLANs (tagged, untagged)
- Static and dynamic routing (OSPF, BGP via FRR plugin)
- Multi-WAN with load balancing / failover
- NAT (1:1, port forward, outbound NAT)
- DHCP/DHCPv6 Server & Relay
- DNS Resolver (Unbound) with DoT, conditional forwarding
- NTP Server

### 🔐 Firewall & Security

- Stateful firewall with alias system
- Schedule-based rules
- GeoIP blocking
- Packet logging and rule hit counters

### 👥 Authentication

- Local user DB
- LDAP / Active Directory (GPO support)
- Two-Factor Authentication (TOTP)
- Captive Portal with LDAP/RADIUS integration

### 🌍 VPN Services

- OpenVPN (with client export)
- IPsec (strongSwan)
- WireGuard (kernel module; fast & stable)

### 🔐 SSL Certificates

- ACME/Let's Encrypt support
- DNS-01, HTTP-01
- Auto-renewal + deploy to services

### 💾 Backup & Management

- Local and remote encrypted backup
- OPNcentral for multi-firewall config, update, backup
- High Availability (CARP-based)

---

## ⚠️ Moderately Reliable / Needs Case-by-Case Testing

These features are usable but require testing or tuning to ensure stability.

### 🛡️ Intrusion Detection / Prevention

- Suricata (IDS/IPS)
  - Can impact performance on low-RAM systems (≥8GB recommended)
  - Inline mode works but may be unstable with certain NICs
  - Regular ruleset updates supported

### 🌐 Web Filtering / Proxy

- Squid Proxy + ICAP/ClamAV
  - SSL inspection fragile; requires CA deployment to clients
  - Transparent mode unstable on some NICs
  - Basic caching stable; filtering can be unreliable
  - ICAP antivirus adds CPU load

### 🔄 Dynamic DNS

- DDNS client with broad provider support
- Stable and scriptable

### ☁️ Remote Backups

- Supported to Google Drive, Git, Nextcloud (via plugin/scripting)
- Manual testing of restore process recommended

---

## ❌ Experimental / Immature Features

Avoid these for now in production or industrial deployments.

### 📬 Mail Gateway / Relay

- Basic Postfix relay plugin
- No spam filtering or advanced mail security
- Not recommended for secure mail handling

### 🌐 Web Application Firewall (WAF)

- Nginx WAF plugin exists
- No full ModSecurity/OWASP integration
- Better to isolate on a dedicated reverse proxy

### 📦 OPNProxy Plugin

- Adds fine-grained Squid-based user/group URL access control
- Inherits Squid's instability
- Use with caution or for testing only

---

## Summary Table

| **Feature** | **Production Readiness** | **Notes** |
|---|---|---|
| Core firewall, routing | ✅ Yes | Fully stable |
| VPN (OpenVPN, WireGuard) | ✅ Yes | Strong support and maturity |
| Suricata | ⚠️ With caution | Test on hardware; monitor CPU/RAM |
| Web Proxy / Filtering | ❌ Avoid or isolate | Only basic use; SSL filtering often unstable |
| Antivirus (ClamAV) | ⚠️ Optional | High CPU use; best supplemented by endpoint AV |
| DNS & DHCP | ✅ Yes | Mature and reliable |
| Mail Relay | ❌ No | Lacks required filtering and logging for industrial use |
| WAF (nginx) | ❌ No | Too limited for meaningful protection |
| DDNS, Backups, Certs | ✅ Yes | Useful and stable |

---

_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._