# OPNsense Recommended Plugins & Features (Industrial / Office Use)

This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level.

---

## 🔍 Monitoring & Logging

### ✅ Telegraf Plugin
- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring.
- **Integration:** Grafana, InfluxDB, Prometheus.
- **Notes:** Lightweight and reliable.

### ✅ Netflow / Insight (built-in)
- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage.
- **Use Case:** Bandwidth monitoring and anomaly detection.
- **Notes:** Data can be archived for audit purposes.

### ✅ Zabbix Agent
- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments.
- **Notes:** Trusted in enterprise and industrial networks.

---

## 🔐 Access Control & Identity

### ⚠️ FreeRADIUS Plugin
- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal.
- **Notes:** Complex to configure; powerful in the right hands.

### ✅ TOTP / 2FA for Web GUI
- **Purpose:** Adds two-factor authentication for admin access.
- **Notes:** Uses Google Authenticator or similar apps.

---

## 🛠️ Configuration & Deployment

### ✅ Shellcmd Plugin
- **Purpose:** Runs custom shell scripts/commands at boot or service start.
- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes.
- **Notes:** Excellent for hotfixes or automation in production.

### ✅ Smart Plugin (S.M.A.R.T. Monitoring)
- **Purpose:** Monitors local disk health if the firewall is installed on an SSD/HDD.
- **Notes:** Essential for long-term reliability.

---

## 🧱 Firewall Enhancements

### ⚠️ GeoIP Aliases
- **Purpose:** Block/allow traffic by country.
- **Notes:** Requires MaxMind license (free with registration).

### ✅ Policy-Based Routing
- **Purpose:** Custom WAN selection per VLAN/service/source.
- **Notes:** Use for traffic shaping, failover, or VoIP priority.

---

## 📡 Edge / Optional Features

### ✅ NTP Daemon
- **Purpose:** Acts as internal time server for LAN devices.
- **Use Case:** Environments without external NTP access.
- **Notes:** Stable and lightweight.

### ✅ mDNS Repeater
- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint).
- **Use Case:** Offices with Apple devices or smart printers.
- **Notes:** Requires proper VLAN firewall rules.

---

## ✅ Recommended Baseline Set for Industrial Use

| **Category** | **Feature** | **Plugin** | **Trust Level** |
|--------------------|------------------------|-------------------|-----------------|
| Monitoring | Telegraf, Netflow | `telegraf` | ✅ Stable |
| Logging/NMS | Zabbix Agent | `os-zabbix-agent` | ✅ Stable |
| Automation | Boot Scripting | `shellcmd` | ✅ Stable |
| Identity/VPN | FreeRADIUS (optional) | `freeradius` | ⚠️ Moderate |
| Access Security | TOTP 2FA | Built-in | ✅ Stable |
| Routing Control | Policy Routing | Built-in | ✅ Stable |
| Geo Restrictions | GeoIP Aliases | MaxMind required | ⚠️ Moderate |
| Time Sync | NTP Server | Built-in | ✅ Stable |
| Edge VLAN Utility | mDNS Repeater | `mdns-repeater` | ✅ Stable |

---

_This list is curated for environments that require high uptime and low maintenance and that avoid fragile or poorly maintained features such as Squid or Zenarmor._