OPNsense protects your network. But out of the box, the admin GUI listens on every interface including WAN, SSH accepts passwords, and the default firewall ruleset has loose allow-all rules left over from the install wizard. The firewall itself needs hardening.
These are the seven steps I run on every fresh OPNsense install before it handles real traffic.
Follow-up to OPNsense on Proxmox: Build a Dedicated Home Firewall. For blocking websites and DNS control, see OPNsense: Block Websites and Force DNS Through Your Firewall.
Environment: OPNsense 26.1.2, single LAN subnet 10.10.1.0/24, OPNsense LAN IP 10.10.1.3.
1. Restrict the Admin Interface to LAN Only
By default, the web GUI listens on all interfaces — including WAN. Anyone who can reach your WAN IP can attempt to log in.
Navigate to System → Settings → Administration:
| Setting | Recommended Value |
|---|---|
| Protocol | HTTPS |
| SSL Certificate | Your own cert or self-signed |
| TCP port | 8443 (or any non-standard port) |
| Listen Interfaces | LAN only (uncheck WAN and any others) |
| HTTP Redirect | Enable (redirect port 80 → HTTPS) |
| Anti-lockout rule | Keep enabled during setup |
Click Save.
After saving, the GUI moves to the new port. Reconnect at https://10.10.1.3:8443. If you lose access, the anti-lockout rule lets you recover from the Proxmox console.
2. Harden SSH Access
Navigate to System → Settings → Administration → Secure Shell:
- Enable SSH only if you actually use it — disable it otherwise
- Set Login Group to `admins` only
- Set SSH Authentication Method to Public Key Only
- Change the port from `22` to something non-standard (e.g. `2222`)
Add your public key under System → Access → Users → your user → Authorized keys.
```bash
ssh -p 2222 -i ~/.ssh/id_ed25519 root@10.10.1.3
```
Once key access is confirmed, disable password authentication entirely.
If you only manage OPNsense via the web GUI, leave SSH disabled. Every open service is an additional attack surface.
3. Enable Automatic Firmware Updates
Navigate to System → Firmware → Settings:
- Set Release type to `Production`
- Enable Automatic updates
- Set the update schedule to weekly (e.g. Sunday at 03:00)
OPNsense downloads and stages updates. For critical security patches, also enable Auto-reboot after update to apply them during off-hours automatically.
4. Disable Unused Services
Every enabled service is an attack surface. Navigate to System → Settings → Administration and disable what you don’t use:
| Service | Disable if… |
|---|---|
| SSH | You manage OPNsense only via the web GUI |
| Console menu | Physical access to the machine is restricted |
| mDNS repeater | You don’t need Bonjour/Avahi across VLANs |
Also check:
- VPN — disable OpenVPN, WireGuard, and IPsec if none are in active use
- Services — stop/disable `Dyndns`, `Proxy`, `Stunnel`, and anything else not relevant to your setup
5. Audit the Firewall Ruleset
The install wizard creates permissive rules that are fine for getting started but should be tightened before going live.
Navigate to Firewall → Rules and inspect each interface.
Common issues to look for:
| Problem | Fix |
|---|---|
| Any-to-any allow rule on LAN — leftover from install defaults | Replace with explicit rules per permitted destination |
| WAN rules allowing inbound on broad port ranges | Each open port needs a documented reason and should be as specific as possible |
| No outbound NAT rules | Add source-based rules so IoT devices can reach the internet but not your LAN servers |
A good baseline: LAN clients get an explicit allow rule for HTTP/HTTPS outbound. IoT devices on a separate VLAN get internet-only (block LAN destinations). Everything else is blocked by default.
6. Enable Intrusion Detection (Suricata)
If you expose any service to the internet — a VPN endpoint, a port forward to a home server — Suricata adds a critical detection layer. It watches traffic for known attack signatures and can drop malicious packets before they reach your services.
Navigate to Services → Intrusion Detection → Administration:
- Enable IDS on the WAN interface
- Download Emerging Threats Open rulesets
- Start in IDS mode (alert-only) for a week to observe traffic without blocking, then graduate to IPS mode
Full IDS/IPS setup, rule tuning, and safe attack simulation are covered in OPNsense Intrusion Detection: Detecting and Simulating Real-World Attacks.
7. Back Up the Configuration
Navigate to System → Configuration → Backups → Download configuration.
Store the config XML somewhere safe — a password manager, an encrypted USB, or your NAS. Re-download it after any major change. If OPNsense ever needs to be rebuilt, this file restores everything in minutes.
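The downloaded backup is also a convenient way to re-check steps 1, 2 and 5 offline. As an added example (not part of the original post), the following Python script audits a config.xml export for a GUI exposed on WAN, SSH with password auth or still on port 22, and any-to-any pass rules on LAN. The element paths it reads (system/webgui, system/ssh, filter/rule) are assumptions based on OPNsense's config.xml layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not a real export); element paths are
# assumptions based on OPNsense's config.xml layout, so check your own export.
SAMPLE_CONFIG = """<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol><interfaces>lan</interfaces>
    </webgui>
    <ssh>
      <enabled>enabled</enabled>
      <port>22</port><passwordauth>1</passwordauth>
    </ssh>
  </system>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><any>1</any></source><destination><any>1</any></destination>
    </rule>
  </filter>
</opnsense>
"""

def text(node, path, default=""):
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default

def audit(config_xml):
    """Return hardening findings (steps 1, 2 and 5) for a config.xml string."""
    root = ET.fromstring(config_xml)
    findings = []
    # Step 1: GUI must be HTTPS and must not listen on WAN (empty = all).
    if text(root, "system/webgui/protocol") != "https":
        findings.append("webgui: protocol is not https")
    listen = text(root, "system/webgui/interfaces")
    if not listen or "wan" in listen.split(","):
        findings.append("webgui: listening on WAN or all interfaces")
    # Step 2: if SSH is enabled it must be key-only and off port 22.
    if text(root, "system/ssh/enabled") == "enabled":
        if text(root, "system/ssh/passwordauth") == "1":
            findings.append("ssh: password authentication still enabled")
        if text(root, "system/ssh/port", "22") == "22":
            findings.append("ssh: still on default port 22")
    # Step 5: flag pass rules on LAN with source any and destination any.
    for rule in root.findall("filter/rule"):
        if (text(rule, "type") == "pass" and text(rule, "interface") == "lan"
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None):
            findings.append("filter: any-to-any allow rule on LAN")
    return findings
```

Point it at a real export with `audit(open("config.xml").read())` and re-run it after each change; an empty list means the three checks pass.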
End State
After completing this guide:
- Web GUI locked to LAN, on a non-standard port
- SSH key-only, password auth disabled (or SSH disabled entirely)
- Firmware updates scheduled weekly
- Unused services disabled
- Firewall ruleset audited and tightened
- Suricata watching WAN traffic
What to Do Next
For visibility into what OPNsense and Suricata are alerting on over time, the Grafana + Prometheus homelab stack exports firewall and IDS metrics into dashboards — top blocked domains, alert trends, and traffic by host.
For IDS deep-dive — rule tuning, IPS mode, and safely simulating attacks — continue to the OPNsense Intrusion Detection Guide.