You installed OPNsense. The WAN is up, traffic is flowing, and you feel good. Then you realize the firewall logs show only raw IPs, your kids hit gambling sites from the family VLAN, and the admin panel is still reachable on port 443 from anywhere. Time to fix all three.
This post covers the four tasks that should happen right after a fresh OPNsense deployment:
- Block a specific website using aliases and firewall rules
- Resolve LAN IP addresses to hostnames in firewall logs
- Apply category-based DNS blocking (gambling, malware, torrents)
- Harden OPNsense itself against misconfiguration and unauthorized access
This post is a follow-up to OPNsense on Proxmox: Build a Dedicated Home Firewall on a MiniPC N100. The steps here assume OPNsense is already installed and has a working WAN and LAN setup.
Environment: OPNsense 26.1.2, Unbound DNS Resolver, single LAN subnet 10.10.1.0/24.
1. Block a Specific Website
There are two approaches. Use Option 1 (Firewall Alias) for blocking specific sites — it works and is the most direct. Use Option 2 (DNS override) as a complementary layer or when you want a lightweight block without a firewall rule.
Option 1 — Block via Firewall Alias (Recommended)
Step 1 — Create the Alias
Navigate to Firewall → Aliases → click +:
| Field | Value |
|---|---|
| Name | BLOCK_REDDIT |
| Type | Host(s) |
| Description | Block Reddit on LAN |
In the Content field, add all domains the site depends on — the main domain alone is not enough for CDN-backed sites:
```
reddit.com
www.reddit.com
old.reddit.com
redd.it
redditstatic.com
redditmedia.com
```
Click Save → Apply changes.
Including asset/CDN domains (redditstatic.com, redditmedia.com) is what makes this work. Blocking only reddit.com leaves the CDN endpoints open and the site partially loads. For other sites, open DevTools → Network tab and identify which domains the page calls.
[Firewall → Aliases showing BLOCK_REDDIT with all domains listed]
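The DevTools step above is tedious to do by eye for a page that makes hundreds of requests. The script below is an added example (not code from the original post): it reads a HAR export of the Network tab ("Save all as HAR" in the browser), collects the distinct hostnames, groups them by registrable domain and prints them in the shape the alias Content field expects. The HAR content is a constructed stand-in, the two-label domain heuristic is deliberately simple, and the `exclude` set is this example's own way of keeping shared third-party hosts out of the alias.

```python
"""Extract the hostnames a page depends on from a DevTools HAR export.

Added example, not code from the original post. It assumes you saved the
Network tab with "Save all as HAR" and want the distinct hosts laid out as
Firewall -> Aliases content. SAMPLE_HAR is a constructed stand-in for that file.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: only the fields this script reads from a real HAR.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.reddit.com/"}},
        {"request": {"url": "https://www.redditstatic.com/desktop2x/js/main.js"}},
        {"request": {"url": "https://preview.redd.it/abc.jpg?width=640"}},
        {"request": {"url": "https://styles.redditmedia.com/t5_2qh1i/styles.css"}},
        {"request": {"url": "https://www.reddit.com/api/v1/me"}},
        {"request": {"url": "https://fonts.gstatic.com/s/font.woff2"}},
    ]}
})


def hosts_from_har(har_text: str) -> set:
    """Return the distinct hostnames requested in a HAR document."""
    hosts = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Heuristic only: wrong for multi-label public suffixes such as co.uk,
    so review the result before pasting it into an alias.
    """
    return ".".join(host.split(".")[-2:])


def group_by_domain(hosts) -> dict:
    """Group hostnames under their registrable domain, sorted for review."""
    groups = defaultdict(list)
    for host in hosts:
        groups[registrable_domain(host)].append(host)
    return {dom: sorted(names) for dom, names in sorted(groups.items())}


def alias_content(hosts, exclude=frozenset()) -> list:
    """Alias lines: each registrable domain, then the hosts seen under it.

    Domains in `exclude` are dropped so shared third-party hosts (fonts,
    analytics) do not end up blocked for every site that uses them.
    """
    lines = []
    for dom, names in group_by_domain(hosts).items():
        if dom in exclude:
            continue
        lines.append(dom)
        lines.extend(name for name in names if name != dom)
    return lines


if __name__ == "__main__":
    # Leave the shared font CDN alone; blocking it would break unrelated sites.
    for line in alias_content(hosts_from_har(SAMPLE_HAR), exclude={"gstatic.com"}):
        print(line)
```

Run it against a real HAR by replacing `SAMPLE_HAR` with the file contents; anything that is not the site's own domain (fonts, analytics, a payment provider) belongs in `exclude`, otherwise the alias will break other sites that load the same hosts.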
Step 2 — Create the Block Rule
Navigate to Firewall → Rules → LAN → click +:
| Field | Value |
|---|---|
| Action | Block |
| Interface | LAN |
| Direction | in |
| TCP/IP Version | IPv4+IPv6 |
| Protocol | any |
| Source | LAN net |
| Destination | BLOCK_REDDIT (alias) |
| Description | Block Reddit from LAN |
Move this rule above your default allow rules — OPNsense evaluates rules top-down and stops at the first match.
Click Save → Apply changes.
This approach relies on DNS resolution to populate the alias IPs. OPNsense refreshes alias IPs on its own schedule. For most sites this is reliable, but a client that has already cached an IP before the rule was added may still connect until that cache expires (typically under 5 minutes for most sites).
2. Resolve LAN IPs to Hostnames in Firewall Logs
By default, OPNsense firewall logs show raw IPs like 10.10.1.21. You want them to display as gitlab or gitlab.home.lab. This matters when you’re triaging traffic at 2 AM.
The solution is Unbound Host Overrides — static DNS entries that map your LAN IPs to friendly names. Once set, the firewall log display picks up the names automatically.
Step 1 — Add Host Overrides in Unbound
Navigate to Services → Unbound DNS → Overrides → Host Overrides → click + for each LAN host:
| Host | Domain | Type | IP | Description |
|---|---|---|---|---|
| gitlab | home.lab | A | 10.10.1.21 | GitLab server |
| proxmox | home.lab | A | 10.10.1.10 | Proxmox hypervisor |
| grafana | home.lab | A | 10.10.1.30 | Grafana monitoring |
| nas | home.lab | A | 10.10.1.50 | NAS storage |
Click Save after each entry, then Apply once all are added.
Step 2 — Enable Reverse DNS in Unbound
To have OPNsense resolve 10.10.1.21 → gitlab.home.lab, you also need PTR records. Unbound can generate these automatically.
Navigate to Services → Unbound DNS → General:
- Enable Register DHCP leases — adds PTR records for DHCP clients
- Enable Register DHCP static mappings — adds PTR records for static DHCP entries
Click Save → Apply.
[Firewall → Live Log showing gitlab.home.lab in the source column instead of 10.10.1.21]
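To make clear what the two GUI steps above actually produce, here is an added example (not code from the original post or from OPNsense) that renders the Host Overrides table in Unbound's own configuration syntax: a `local-data:` line for the A record and a `local-data-ptr:` line for the PTR record, which is the reverse entry the firewall log needs to turn 10.10.1.21 into gitlab.home.lab. It also answers forward and reverse queries from the same table so the in-addr.arpa naming is visible. `HOSTS` is constructed from the table above; the function names are this example's own.

```python
"""Render the Host Overrides table as Unbound local-data statements.

Added example, not code from the original post or from OPNsense. It shows
the forward A record and the PTR record in Unbound's own configuration
syntax (local-data and local-data-ptr), and answers forward and reverse
queries from the same table so you can see what the nslookup checks rely on.
HOSTS is constructed from the table above.
"""
import ipaddress
from typing import Optional

# Constructed: the four entries from the Host Overrides table.
HOSTS = [
    ("gitlab", "home.lab", "10.10.1.21"),
    ("proxmox", "home.lab", "10.10.1.10"),
    ("grafana", "home.lab", "10.10.1.30"),
    ("nas", "home.lab", "10.10.1.50"),
]


def reverse_name(ip: str) -> str:
    """PTR owner name of an address, e.g. 10.10.1.21 -> 21.1.10.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def unbound_local_data(hosts) -> list:
    """One local-data line for the A record and one local-data-ptr for the PTR."""
    lines = []
    for host, domain, ip in hosts:
        ipaddress.ip_address(ip)  # fail early on a typo in the table
        fqdn = f"{host}.{domain}"
        lines.append(f'local-data: "{fqdn}. IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


def lookup(hosts, query: str) -> Optional[str]:
    """Answer a forward (name) or reverse (IP or in-addr.arpa name) query.

    Returns the IP for a known name, the FQDN for a known address, None otherwise.
    """
    q = query.lower().rstrip(".")
    for host, domain, ip in hosts:
        fqdn = f"{host}.{domain}"
        if q == fqdn:
            return ip
        if q in (ip, reverse_name(ip)):
            return fqdn
    return None


if __name__ == "__main__":
    print("\n".join(unbound_local_data(HOSTS)))
    print(lookup(HOSTS, "gitlab.home.lab"), lookup(HOSTS, "10.10.1.21"))
```

If a hostname shows up in the firewall log while its neighbours still appear as raw IPs, the missing piece is almost always the PTR side: the forward override exists but nothing answers the in-addr.arpa query for that address.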
Step 3 — Verify Resolution
From any LAN host, confirm the name resolves:
```sh
nslookup gitlab.home.lab 10.10.1.1
# Expected: 10.10.1.21
nslookup 10.10.1.21 10.10.1.1
# Expected: gitlab.home.lab (reverse lookup)
```
You can also set 10.10.1.1 as the DNS server in your DHCP settings so all LAN clients query Unbound directly, picking up these local names automatically.
3. Category-Based DNS Blocking with DNSBL
Blocking individual sites by hand does not scale. For gambling, malware, tracking, and torrent sites you want feed-based blocking — thousands of domains updated automatically. OPNsense includes a built-in DNSBL (DNS Block List) feature in Unbound.
How It Works
Step 1 — Enable DNSBL in Unbound
Navigate to Services → Unbound DNS → Blocklist:
- Check Enable
- Set Type to `Unbound` (native mode, no extra packages)
Step 2 — Add Block List Feeds
In the same Blocklist tab, scroll to URLs and add the feeds you want. These are well-maintained, free lists:
| Category | Feed URL |
|---|---|
| Ads & Tracking | https://adaway.org/hosts.txt |
| Malware | https://malware-filter.pages.dev/malware-filter-hosts.txt |
| Gambling | https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/gambling.txt |
| Torrent sites | https://raw.githubusercontent.com/nickspaargaren/pihole-google/master/categories/torrent.txt |
| Adult content | https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/porn.txt |
A more curated starting point is the Hagezi DNS Blocklists. The multi.hosts list combines ads, tracking, and malware. Start there and add categories as needed.
Add each URL, then click Save → Apply.
Step 3 — Configure the Sinkhole Response
In the Blocklist settings, set Block action to one of:
- Return NXDOMAIN — simplest, client sees “domain not found”
- Return NODATA — similar to NXDOMAIN, some clients handle it better
- Redirect to sinkhole — return `0.0.0.0` or a custom block page IP
Return NXDOMAIN works for most homelabs.
Step 4 — Force Update the Lists
After saving, click Force Update to download the feeds immediately. OPNsense will schedule automatic refreshes from that point.
[Unbound DNS → Blocklist tab showing list URLs, enabled status, and the total blocked domain count after the first update]
Verify Blocking Works
```sh
nslookup gambling-site.com 10.10.1.1
# Expected: NXDOMAIN or 0.0.0.0
nslookup google.com 10.10.1.1
# Expected: resolves normally
```
Allowlisting Exceptions
If a legitimate domain gets caught by a blocklist:
Navigate to Services → Unbound DNS → Blocklist → Allowlist → click +:
| Field | Value |
|---|---|
| Domain | legitimate-site.com |
| Type | Domain |
This permanently whitelists the domain regardless of which list blocks it.
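The feeds in Step 2, the block action in Step 3 and the allowlist above fit together in a small amount of logic. The following is an added example (not code from the original post, Unbound or OPNsense) that parses a feed in the hosts.txt layout those URLs share, matches a queried name against the list including parent domains, lets an allowlist entry win over every feed, and returns what the client would see under each block action. `SAMPLE_FEED` is a constructed excerpt, and treating an allow entry as covering its subdomains is this example's own policy rather than a documented OPNsense behaviour.

```python
"""Apply a hosts-format DNS blocklist with an allowlist, the way a DNSBL does.

Added example, not code from the original post, Unbound or OPNsense. It parses
the hosts.txt layout the feeds above share (one "0.0.0.0 domain" or
"127.0.0.1 domain" entry per line), applies an allowlist entry of Type=Domain,
and returns the answer a client would see under each block action from Step 3.
SAMPLE_FEED is a constructed excerpt; real feeds use the same layout.
"""
import ipaddress

# Constructed excerpt in hosts-file format.
SAMPLE_FEED = """\
# Title: constructed gambling/ads feed
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 gambling-site.com
0.0.0.0 ads.tracker.example
0.0.0.0 cdn.legitimate-site.com   # trailing comments are common
"""

# Loopback names every hosts file carries; they are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}


def parse_hosts_feed(text: str) -> set:
    """Extract the blocked domains from a hosts-format feed."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # first column must be an address
        except ValueError:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


BLOCKED = parse_hosts_feed(SAMPLE_FEED)


def _matches(query: str, names: set) -> bool:
    """True if the name or any parent domain of it is in `names`."""
    labels = query.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def is_blocked(query: str, blocked: set, allow: set = frozenset()) -> bool:
    """Allowlist wins over every feed, and both match whole subtrees.

    Treating an allow entry as covering its subdomains is this example's
    policy; check the behaviour of your OPNsense version before relying on it.
    """
    if _matches(query, allow):
        return False
    return _matches(query, blocked)


def answer(query: str, blocked: set, allow: set = frozenset(), action: str = "nxdomain"):
    """Reply for a blocked name under the chosen block action; None when not blocked."""
    if not is_blocked(query, blocked, allow):
        return None  # would be resolved normally
    responses = {"nxdomain": "NXDOMAIN", "nodata": "NODATA", "sinkhole": "0.0.0.0"}
    if action not in responses:
        raise ValueError(f"unknown block action: {action}")
    return responses[action]


if __name__ == "__main__":
    for name in ("gambling-site.com", "www.gambling-site.com", "google.com"):
        print(name, "->", answer(name, BLOCKED) or "resolves normally")
```

Two things this makes visible: a feed line for `cdn.legitimate-site.com` is exactly the kind of entry that breaks a site you rely on, and an allowlist entry for the parent domain is what clears it; and the feed parser has to ignore the loopback boilerplate that every hosts file begins with, or `localhost` ends up on the blocklist.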
4. Hardening OPNsense Itself
The firewall protects your network — but who protects the firewall? These are the steps I run on every fresh OPNsense install before it handles real traffic.
4.1 Restrict Admin Interface Access
By default, the web GUI listens on all interfaces. Lock it down to LAN only and move it off port 443.
Navigate to System → Settings → Administration:
| Setting | Recommended Value |
|---|---|
| Protocol | HTTPS |
| SSL Certificate | Your own cert or self-signed |
| TCP port | 8443 (or any non-standard port) |
| Listen Interfaces | LAN only (uncheck WAN) |
| HTTP Redirect | Enable (redirect 80 → HTTPS) |
| Anti-lockout rule | Keep enabled during setup |
Click Save.
After saving, the GUI moves to the new port. Reconnect at https://10.10.1.1:8443. If you lose access, the anti-lockout rule lets you recover from the console.
4.2 Harden SSH Access
If you use SSH for remote access or automation:
Navigate to System → Settings → Administration → Secure Shell:
- Enable SSH only if you actually use it
- Set Login Group to `admins` only
- Set SSH Authentication Method to `Public Key Only`
- Change the port from `22` to something less common (e.g. `2222`)
Add your public key under System → Access → Users → your user → Authorized keys.
```sh
ssh -p 2222 -i ~/.ssh/id_ed25519 admin@10.10.1.1
```
Disable password authentication entirely once key access is confirmed.
4.3 Enable Automatic Updates
Navigate to System → Firmware → Settings:
- Set Release type to `Production`
- Enable Automatic updates
- Set schedule to weekly (e.g. Sunday 03:00)
OPNsense will download and stage updates. For critical security patches, enable Auto-reboot after update during off-hours.
4.4 Disable Unused Services
Every enabled service is an attack surface. Disable what you do not use.
Navigate to System → Settings → Administration:
| Service | Disable if… |
|---|---|
| SSH | You manage OPNsense only via GUI |
| Console menu | Physical access is not a concern |
| mDNS repeater | You do not need Bonjour/Avahi across VLANs |
Navigate to VPN and disable any VPN services (OpenVPN, WireGuard, IPsec) not in active use.
Navigate to Services and stop/disable services not relevant to your setup (e.g. Dyndns, Proxy, Stunnel).
4.5 Enable Intrusion Detection (Suricata)
If you expose any service to the internet — a VPN, a port forward to a home server — Suricata adds a critical layer of protection.
Navigate to Services → Intrusion Detection → Administration:
- Enable IDS on WAN interface
- Download Emerging Threats Open rulesets
- Start in IDS (alert-only) mode first, graduate to IPS after observing traffic for a week
Full IDS/IPS setup, rule tuning, and safe attack simulation are covered in detail in OPNsense Intrusion Detection: Detecting and Simulating Real-World Attacks.
4.6 Check the Firewall Ruleset for Loose Rules
Navigate to Firewall → Rules → inspect each interface.
Common mistakes after initial setup:
- Any-to-any allow rule on LAN — left over from the default install. Replace it with explicit rules for each permitted destination
- WAN rules allowing inbound on broad port ranges — each open port should have a documented reason
- No outbound rules — add source-based rules so IoT devices can only reach the internet, not your LAN servers
4.7 Verify the Backup Configuration
Navigate to System → Configuration → Backups → Download configuration.
Store the config XML somewhere safe (a password manager, encrypted USB, or your NAS). After any major change, re-download it.
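The backup you just downloaded is also the easiest place to check sections 4.1, 4.2 and 4.6 in one pass. Below is an added example (not code from the original post or from the OPNsense project) that reads a config.xml and reports the loose settings this section warns about: GUI still on 443 or listening on WAN, SSH with password authentication or on port 22, and any-to-any pass rules on LAN. The element paths it reads (`system/webgui`, `system/ssh`, `filter/rule` with `source/any` and `destination/any`) are my assumptions about the backup layout, so verify them against your own file before trusting a clean result; `SAMPLE_CONFIG` is a constructed, minimal backup and not a real one.

```python
"""Audit an OPNsense config.xml backup for the loose settings in section 4.

Added example, not code from the original post or from the OPNsense project.
The element paths (system/webgui, system/ssh, filter/rule) are assumptions
about the backup layout: verify them against your own config.xml. The
default values assumed when an element is absent (GUI 443, SSH 22) are
assumptions too. SAMPLE_CONFIG is a constructed, minimal backup.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<?xml version="1.0"?>
<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
      <interfaces>lan,wan</interfaces>
    </webgui>
    <ssh>
      <enabled>enabled</enabled>
      <port>22</port>
      <passwordauth>1</passwordauth>
    </ssh>
  </system>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><any>1</any></source>
      <destination><any>1</any></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><address>BLOCK_REDDIT</address></destination>
      <descr>Block Reddit from LAN</descr>
    </rule>
  </filter>
</opnsense>
"""


def text(node, path, default=""):
    """Text of a child element, or `default` when the node or child is absent."""
    child = node.find(path) if node is not None else None
    return (child.text or "").strip() if child is not None else default


def audit_config(xml_text: str) -> list:
    """Return one finding per loose setting; an empty list means nothing found."""
    root = ET.fromstring(xml_text)
    findings = []

    webgui = root.find("system/webgui")
    if text(webgui, "protocol").lower() != "https":
        findings.append("webgui: protocol is not HTTPS")
    if text(webgui, "port", "443") in ("", "443"):
        findings.append("webgui: still on port 443; move it to a non-standard port")
    listen = {i.strip().lower() for i in text(webgui, "interfaces").split(",") if i.strip()}
    if not listen or "wan" in listen:  # empty list assumed to mean all interfaces
        findings.append("webgui: reachable on WAN (or all interfaces); restrict to LAN")

    ssh = root.find("system/ssh")
    if text(ssh, "enabled") == "enabled":
        if text(ssh, "passwordauth") == "1":
            findings.append("ssh: password authentication enabled; use public keys only")
        if text(ssh, "port", "22") in ("", "22"):
            findings.append("ssh: still on port 22")

    for rule in root.iterfind("filter/rule"):
        if text(rule, "type") != "pass" or text(rule, "interface") != "lan":
            continue
        any_src = rule.find("source/any") is not None
        any_dst = rule.find("destination/any") is not None
        if any_src and any_dst and rule.find("protocol") is None:
            descr = text(rule, "descr") or "no description"
            findings.append(f"filter: any-to-any pass rule on LAN ({descr})")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Point it at the real file with `audit_config(open("config.xml").read())`. The config XML holds secrets (hashed credentials, VPN keys), so run this where the backup already lives rather than copying the file around, and keep the backup encrypted wherever it is stored.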
End State: What You Now Have
After completing this guide, your OPNsense install does the following:
- Specific sites blocked via Firewall Alias rules (all CDN/asset domains included)
- Optional DNS layer block via Unbound host overrides for deeper coverage
- LAN hosts show as hostnames in firewall logs
- Category blocklists (gambling, malware, torrents) applied via DNSBL
- Admin interface locked to LAN, on a non-standard port
- SSH using keys only, password auth disabled
- Automatic firmware updates scheduled
- Suricata watching WAN traffic
What to Do Next
If you have not set up monitoring yet, the Grafana + Prometheus homelab stack pairs well with OPNsense — you can export firewall and Suricata metrics and build dashboards that surface blocked domains, top talkers, and alert trends over time.
For IDS deep-dive — rule tuning, IPS mode, and simulating attacks safely — continue to the OPNsense Intrusion Detection Guide.
Have a question or a different blocklist you swear by? Drop it in the comments.