# OPNsense Recommended Plugins & Features (Industrial / Office Use)

This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level.

---

## 🔍 Monitoring & Logging

### ✅ Telegraf Plugin

- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring.
- **Integration:** Grafana, InfluxDB, Prometheus.
- **Notes:** Lightweight and reliable.

### ✅ Netflow / Insight (built-in)

- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage.
- **Use Case:** Bandwidth monitoring and anomaly detection.
- **Notes:** Data can be archived for audit purposes.

### ✅ Zabbix Agent

- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments.
- **Notes:** Trusted in enterprise and industrial networks.

---

## 🔐 Access Control & Identity

### ⚠️ FreeRADIUS Plugin

- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal.
- **Notes:** Complex to configure; powerful in the right hands.

### ✅ TOTP / 2FA for Web GUI

- **Purpose:** Adds two-factor authentication for admin access.
- **Notes:** Uses Google Authenticator or similar apps.

---

## 🛠️ Configuration & Deployment

### ✅ Shellcmd Plugin

- **Purpose:** Runs custom shell scripts/commands at boot or service start.
- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes.
- **Notes:** Excellent for hotfixes or automation in production.

### ✅ Smart Plugin (S.M.A.R.T. Monitoring)

- **Purpose:** Monitors local disk health if the firewall is installed on an SSD/HDD.
- **Notes:** Essential for long-term reliability.

---

## 🧱 Firewall Enhancements

### ⚠️ GeoIP Aliases

- **Purpose:** Block/allow traffic by country.
- **Notes:** Requires MaxMind license (free with registration).

### ✅ Policy-Based Routing

- **Purpose:** Custom WAN selection per VLAN/service/source.
- **Notes:** Use for traffic shaping, failover, or VoIP priority.

---

## 📡 Edge / Optional Features

### ✅ NTP Daemon

- **Purpose:** Acts as internal time server for LAN devices.
- **Use Case:** Environments without external NTP access.
- **Notes:** Stable and lightweight.

### ✅ mDNS Repeater

- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint).
- **Use Case:** Offices with Apple devices or smart printers.
- **Notes:** Requires proper VLAN firewall rules.

---

## ✅ Recommended Baseline Set for Industrial Use

| **Category**      | **Feature**           | **Plugin**        | **Trust Level** |
|-------------------|-----------------------|-------------------|-----------------|
| Monitoring        | Telegraf, Netflow     | `telegraf`        | ✅ Stable       |
| Logging/NMS       | Zabbix Agent          | `os-zabbix-agent` | ✅ Stable       |
| Automation        | Boot Scripting        | `shellcmd`        | ✅ Stable       |
| Identity/VPN      | FreeRADIUS (optional) | `freeradius`      | ⚠️ Moderate     |
| Access Security   | TOTP 2FA              | Built-in          | ✅ Stable       |
| Routing Control   | Policy Routing        | Built-in          | ✅ Stable       |
| Geo Restrictions  | GeoIP Aliases         | MaxMind required  | ⚠️ Moderate     |
| Time Sync         | NTP Server            | Built-in          | ✅ Stable       |
| Edge VLAN Utility | mDNS Repeater         | `mdns-repeater`   | ✅ Stable       |

---

_This list is curated for environments that require high uptime and low maintenance, and it avoids fragile or poorly maintained features like Squid or Zenarmor._