notes/projects/OPNsense/STANDARDS/Feature-Capability.md
2025-04-29 16:29:52 +02:00

# OPNsense Feature Capability Overview (Industry Use)
This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.
---
## ✅ Stable / Industry-Proven Core Features
These features are well-supported, reliable, and commonly used in production deployments.
### 🔧 Core Networking & Routing
- VLANs (tagged, untagged)
- Static and dynamic routing (OSPF, BGP via FRR plugin)
- Multi-WAN with load balancing / failover
- NAT (1:1, port forward, outbound NAT)
- DHCP/DHCPv6 Server & Relay
- DNS Resolver (Unbound) with DoT, conditional forwarding
- NTP Server
### 🔐 Firewall & Security
- Stateful firewall with alias system
- Schedule-based rules
- GeoIP blocking
- Packet logging and rule hit counters
### 👥 Authentication
- Local user DB
- LDAP / Active Directory (with group synchronization into local groups)
- Two-Factor Authentication (TOTP)
- Captive Portal with LDAP/RADIUS integration
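The TOTP item above is the one that trips people up in practice, because OPNsense takes the one-time token and the password in a single password field. The following is an added example (not code from OPNsense or from this note): an RFC 6238 verifier plus the credential split an OPNsense-style TOTP login applies. Assumptions, labelled as such: OPNsense expects `<6-digit token><password>` by default and `<password><6-digit token>` when "reverse token order" is enabled; the seed is the RFC 6238 test secret, the drift window and the sample password are constructed for this example.

```python
"""Added example (not OPNsense code): RFC 6238 TOTP verification and the
combined token+password field used by OPNsense-style TOTP logins.
Assumptions: token first by default, token last with "reverse token
order"; the seed is the RFC 6238 test secret; window and sample password
are constructed values."""
import base64
import hashlib
import hmac
import struct

DIGITS = 6   # OPNsense issues 6-digit tokens
STEP = 30    # seconds per TOTP time step
# RFC 6238 test secret ("12345678901234567890") in the base32 form a seed
# field would carry; constructed value for this example.
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed, tolerating missing padding and lower case."""
    padded = seed_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step)


def verify_token(secret: bytes, token: str, at: int, window: int = 1) -> bool:
    """Accept the token for the current step and +/- `window` steps of
    clock drift; each candidate is compared in constant time."""
    if len(token) != DIGITS or not token.isdigit():
        return False
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), token)
        for drift in range(-window, window + 1)
    )


def split_credential(submitted: str, reverse_order: bool = False):
    """Split the combined password-field value into (token, password).
    Assumed OPNsense convention: token first unless reverse_order."""
    if len(submitted) <= DIGITS:
        return None, None
    if reverse_order:
        return submitted[-DIGITS:], submitted[:-DIGITS]
    return submitted[:DIGITS], submitted[DIGITS:]


def check_combined(secret: bytes, submitted: str, at: int,
                   reverse_order: bool = False, window: int = 1):
    """Return the password part if the token is valid, else None. The
    caller then checks that password against the local DB or LDAP."""
    token, password = split_credential(submitted, reverse_order)
    if token is None or not verify_token(secret, token, at, window):
        return None
    return password


if __name__ == "__main__":
    secret = decode_seed(SEED_B32)
    print(totp(secret, 59))                                    # 287082
    print(check_combined(secret, "287082hunter2", 59))          # hunter2
    print(check_combined(secret, "hunter2287082", 59, True))    # hunter2
```

The window of one step each way is the usual compromise between clock skew on the firewall (keep NTP working, see the Core Networking list) and replay exposure; a token that fails is rejected before the password ever reaches LDAP, which is the behaviour you want when the directory is rate-limiting failed binds.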
### 🌍 VPN Services
- OpenVPN (with client export)
- IPsec (strongSwan)
- WireGuard (kernel module; fast & stable)
### 🔐 SSL Certificates
- ACME/Let's Encrypt support
- DNS-01, HTTP-01
- Auto-renewal + deploy to services
### 💾 Backup & Management
- Local and remote encrypted backup
- OPNcentral (Business Edition) for multi-firewall config, update, backup
- High Availability (CARP-based)
---
## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
These features are usable but require testing or tuning to ensure stability.
### 🛡️ Intrusion Detection / Prevention
- Suricata (IDS/IPS)
- Can impact performance on low-RAM systems (≥8GB recommended)
- Inline (IPS) mode works but may be unstable with certain NICs; it relies on netmap, so the NIC driver's netmap support decides
- Regular ruleset updates supported
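The "test on hardware" advice above needs something measurable. The following is an added example, not part of OPNsense or Suricata: a health check over Suricata's `eve.json` that reads the periodic `stats` events to compute the kernel packet-drop ratio (the usual symptom of an undersized box) and summarises `alert` events by severity and signature. Assumptions, labelled as such: the documented eve.json layout (`stats.capture.kernel_packets` / `kernel_drops`, `alert.severity`, `alert.signature`); the capture counter names can differ per capture method, so adapt them if your build names them differently. All log lines are constructed.

```python
"""Added example (not OPNsense or Suricata code): eve.json health check.
Assumes the documented eve.json keys stats.capture.kernel_packets,
stats.capture.kernel_drops, alert.severity and alert.signature; the
sample lines are constructed."""
import json
from collections import Counter

# Constructed sample: two cumulative stats snapshots, four alerts and a
# line truncated by log rotation (must be skipped, not crash the check).
SAMPLE_EVE = """
{"timestamp":"2025-04-29T16:00:00.000000+0200","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":100000,"kernel_drops":100}}}
{"timestamp":"2025-04-29T16:00:05.000000+0200","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2025-04-29T16:00:06.000000+0200","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}
{"timestamp":"2025-04-29T16:00:07.000000+0200","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}
{"timestamp":"2025-04-29T16:01:00.000000+0200","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":250000,"kernel_drops":12500}}}
{"timestamp":"2025-04-29T16:01:01.000000+0200","event_type":"alert","src_ip":"203.0.11
"""


def parse_eve(lines):
    """Yield parsed events; skip blank and truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def drop_ratio(events):
    """(packets, drops, ratio) from the last stats event. Suricata's
    capture counters are cumulative since start, so the last snapshot
    carries the lifetime totals. Returns None if no stats event exists."""
    last = None
    for ev in events:
        if ev.get("event_type") == "stats":
            last = ev
    if last is None:
        return None
    capture = last.get("stats", {}).get("capture", {})
    packets = int(capture.get("kernel_packets", 0))
    drops = int(capture.get("kernel_drops", 0))
    return packets, drops, (drops / packets if packets else 0.0)


def alert_summary(events):
    """Count alerts by severity (1 is highest) and by signature."""
    by_severity = Counter()
    by_signature = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        by_severity[alert.get("severity", 0)] += 1
        by_signature[alert.get("signature", "unknown")] += 1
    return by_severity, by_signature


def health_report(lines, max_drop_ratio=0.01, top=3):
    """Drop-ratio verdict plus an alert digest for one eve.json slice.
    max_drop_ratio is a constructed threshold; tune it to the link."""
    events = list(parse_eve(lines))
    stats = drop_ratio(events)
    by_severity, by_signature = alert_summary(events)
    ratio = stats[2] if stats else 0.0
    return {
        "events": len(events),
        "kernel_packets": stats[0] if stats else 0,
        "kernel_drops": stats[1] if stats else 0,
        "drop_ratio": ratio,
        "drops_ok": stats is not None and ratio <= max_drop_ratio,
        "alerts_by_severity": dict(by_severity),
        "top_signatures": by_signature.most_common(top),
    }


if __name__ == "__main__":
    print(json.dumps(health_report(SAMPLE_EVE.splitlines()), indent=2))
```

A rising drop ratio between two runs is the signal that the box is out of CPU or the NIC queue is too shallow; in IDS mode that only means missed detections, in inline IPS mode it can mean stalled traffic, which is why the note above asks for a hardware test before enabling inline.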
### 🌐 Web Filtering / Proxy
- Squid Proxy + ICAP/ClamAV
- SSL inspection is fragile; it requires deploying the proxy CA to every client and breaks certificate-pinned or mutual-TLS applications
- Transparent mode unstable on some NICs
- Basic caching stable; filtering can be unreliable
- ICAP antivirus adds CPU load
### 🔄 Dynamic DNS
- DDNS client with broad provider support
- Stable and scriptable
### ☁️ Remote Backups
- Supported to Google Drive, Git and Nextcloud (built into System > Configuration > Backups)
- Test the restore on a spare box; keep remote copies encrypted, since config.xml carries user password hashes, IPsec PSKs and other credentials
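Before a config.xml leaves the box for Google Drive, Git or Nextcloud, it is worth a two-second check that it is either encrypted or at least restorable. The following is an added example, not OPNsense code: it tells an encrypted export from a plaintext one, verifies that the sections a restore needs are present, and lists the elements holding credentials in the clear. Assumptions, labelled as such: the root element is `<opnsense>`; the set of secret-bearing tag names and the `---- BEGIN config.xml ----` banner of an encrypted export are taken from memory of the format, so adjust them to what your own exports show. Both sample files are constructed.

```python
"""Added example (not OPNsense code): pre-upload / pre-restore check for
an OPNsense config.xml backup. Assumed: <opnsense> root, the secret tag
names below, and the encrypted-export banner; samples are constructed."""
import xml.etree.ElementTree as ET

REQUIRED_SECTIONS = ("system", "interfaces", "filter")
# Tag names whose text is a credential in legacy/plugin config (assumed list).
SECRET_TAGS = {"password", "pre-shared-key", "psk", "privkey", "privatekey",
               "shared_key", "secret", "sharedsecret", "bcrypt-hash"}
ENCRYPTED_BANNER = "---- BEGIN config.xml ----"   # assumed export banner

SAMPLE_PLAINTEXT = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
    <user><name>root</name><password>$2y$10$constructedhashvalue</password></user>
  </system>
  <interfaces>
    <wan><if>vtnet0</if></wan>
    <lan><if>vtnet1</if><ipaddr>192.0.2.1</ipaddr></lan>
  </interfaces>
  <filter><rule><type>pass</type><interface>lan</interface></rule></filter>
  <ipsec><phase1><pre-shared-key>constructed-psk</pre-shared-key></phase1></ipsec>
</opnsense>
"""

SAMPLE_ENCRYPTED = ENCRYPTED_BANNER + """
Version: constructed
Cipher: AES-256-CBC

U2FsdGVkX1/constructedciphertext==
---- END config.xml ----
"""


def _walk(elem, path, found):
    """Collect paths of non-empty secret-bearing elements in document order."""
    for child in elem:
        child_path = f"{path}/{child.tag}"
        if child.tag.lower() in SECRET_TAGS and (child.text or "").strip():
            found.append(child_path)
        _walk(child, child_path, found)


def inspect_backup(text: str) -> dict:
    """Classify a backup as encrypted, plaintext or unparseable and report
    missing required sections and clear-text credential locations."""
    report = {"kind": "unparseable",
              "missing": list(REQUIRED_SECTIONS), "secrets": []}
    stripped = text.lstrip()
    if stripped.startswith(ENCRYPTED_BANNER):
        report["kind"] = "encrypted"
        report["missing"] = []   # cannot inspect without the passphrase
        return report
    try:
        root = ET.fromstring(stripped)
    except ET.ParseError:
        return report
    if root.tag != "opnsense":
        return report
    present = {child.tag for child in root}
    report["kind"] = "plaintext"
    report["missing"] = [s for s in REQUIRED_SECTIONS if s not in present]
    secrets = []
    _walk(root, root.tag, secrets)
    report["secrets"] = secrets
    return report


def safe_to_upload(report: dict) -> bool:
    """Encrypted exports may leave the box; plaintext only if credential-free."""
    return report["kind"] == "encrypted" or (
        report["kind"] == "plaintext" and not report["secrets"])


def restorable(report: dict) -> bool:
    """A plaintext export must carry every section a restore needs."""
    return report["kind"] == "encrypted" or (
        report["kind"] == "plaintext" and not report["missing"])


if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT),
                         ("encrypted", SAMPLE_ENCRYPTED)):
        rep = inspect_backup(sample)
        print(name, rep, "upload:", safe_to_upload(rep),
              "restore:", restorable(rep))
```

Run it in the job that pushes backups off-box and fail the job when `safe_to_upload` is false; the restore drill itself still has to be done by hand on a spare unit, which no script replaces.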
---
## ❌ Experimental / Immature Features
Avoid these for now in production or industrial deployments.
### 📬 Mail Gateway / Relay
- Basic Postfix relay plugin
- No spam filtering or other mail security in the relay plugin itself
- Not recommended for secure mail handling
### 🌐 Web Application Firewall (WAF)
- The Nginx plugin ships a basic WAF (NAXSI rules)
- No ModSecurity / OWASP Core Rule Set integration
- Better to isolate on a dedicated reverse proxy
### 📦 OPNProxy Plugin (Business Edition)
- Adds fine-grained Squid-based user/group URL access control
- Inherits Squid's instability
- Use with caution or for testing only
---
## Summary Table
| **Feature**                     | **Production Readiness** | **Notes**                                                              |
|---------------------------------|--------------------------|------------------------------------------------------------------------|
| Core firewall, routing          | ✅ Yes                   | Fully stable                                                           |
| VPN (OpenVPN, IPsec, WireGuard) | ✅ Yes                   | Strong support and maturity                                            |
| Suricata                        | ⚠️ With caution          | Test on the target hardware; monitor CPU/RAM                           |
| Web Proxy / Filtering           | ❌ Avoid or isolate      | Basic caching only; SSL inspection often unstable; OPNProxy experimental |
| Antivirus (ClamAV via ICAP)     | ⚠️ Optional              | High CPU use; best supplemented by endpoint AV                         |
| DNS & DHCP                      | ✅ Yes                   | Mature and reliable                                                    |
| Mail Relay                      | ❌ No                    | Lacks the filtering and logging required for industrial use            |
| WAF (nginx)                     | ❌ No                    | Too limited for meaningful protection                                  |
| DDNS, Backups, Certs            | ✅ Yes                   | Useful and stable                                                      |
---
_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._