# OPNsense Feature Capability Overview (Industry Use)
This document lists the capabilities of the OPNsense firewall system, categorized by their real-world stability and trustworthiness in professional or industrial environments.
## ✅ Stable / Industry-Proven Core Features
These features are well-supported, reliable, and commonly used in production deployments.
### 🔧 Core Networking & Routing
- VLANs (tagged, untagged)
- Static and dynamic routing (OSPF, BGP via FRR plugin)
- Multi-WAN with load balancing / failover
- NAT (1:1, port forward, outbound NAT)
- DHCP/DHCPv6 Server & Relay
- DNS Resolver (Unbound) with DoT and conditional forwarding
- NTP Server
### 🔐 Firewall & Security
- Stateful firewall with alias system
- Schedule-based rules
- GeoIP blocking
- Packet logging and rule hit counters
### 👥 Authentication
- Local user DB
- LDAP / Active Directory (GPO support)
- Two-Factor Authentication (TOTP)
- Captive Portal with LDAP/RADIUS integration
### 🌍 VPN Services
- OpenVPN (with client export)
- IPsec (strongSwan)
- WireGuard (kernel module; fast & stable)
### 🔐 SSL Certificates
- ACME/Let's Encrypt support
- DNS-01 and HTTP-01 challenges
- Auto-renewal and deployment of renewed certificates to services
### 💾 Backup & Management
- Local and remote encrypted backup
- OPNcentral for multi-firewall configuration, updates and backups
- High Availability (CARP-based)
## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
These features are usable but require testing or tuning to ensure stability.
### 🛡️ Intrusion Detection / Prevention
- Suricata (IDS/IPS)
- Can impact performance on low-RAM systems (≥8 GB recommended)
- Inline mode works but may be unstable with certain NICs
- Regular ruleset updates supported
### 🌐 Web Filtering / Proxy
- Squid Proxy + ICAP/ClamAV
- SSL inspection is fragile and requires deploying the inspection CA to every client
- Transparent mode unstable on some NICs
- Basic caching stable; filtering can be unreliable
- ICAP antivirus adds CPU load
### 🔄 Dynamic DNS
- DDNS client with broad provider support
- Stable and scriptable
### ☁️ Remote Backups
- Supported targets: Google Drive, Git, Nextcloud (via plugin/scripting)
- Manual testing of restore process recommended
## ❌ Experimental / Immature Features
Avoid these for now in production or industrial deployments.
### 📬 Mail Gateway / Relay
- Basic Postfix relay plugin
- No spam filtering or advanced mail security
- Not recommended for secure mail handling
### 🌐 Web Application Firewall (WAF)
- Nginx WAF plugin exists
- No full ModSecurity/OWASP integration
- Better to isolate on a dedicated reverse proxy
### 📦 OPNProxy Plugin
- Adds fine-grained Squid-based user/group URL access control
- Inherits Squid’s instability
- Use with caution or for testing only
## Summary Table
| Feature | Production Readiness | Notes |
|---|---|---|
| Core firewall, routing | ✅ Yes | Fully stable |
| VPN (OpenVPN, WireGuard) | ✅ Yes | Strong support and maturity |
| Suricata | ⚠️ With caution | Test on hardware; monitor CPU/RAM |
| Web Proxy / Filtering | ❌ Avoid or isolate | Only basic use; SSL filtering often unstable |
| Antivirus (ClamAV) | ⚠️ Optional | High CPU use; best supplemented by endpoint AV |
| DNS & DHCP | ✅ Yes | Mature and reliable |
| Mail Relay | ❌ No | Lacks required filtering and logging for industrial use |
| WAF (nginx) | ❌ No | Too limited for meaningful protection |
| DDNS, Backups, Certs | ✅ Yes | Useful and stable |
This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings.