Setting Up OPNsense as a Private DNS Server with Intrusion Detection in a Proxmox VM

Transform your network security with a dedicated DNS server and real-time threat detection

Introduction

Are you concerned about your internet privacy? Tired of ads tracking your every move? Want to protect your network from malware and intrusions? In this comprehensive guide, I'll show you how to deploy OPNsense in Proxmox as a powerful DNS server with built-in intrusion detection.

This setup gives you enterprise-grade security without replacing your existing router. You'll get:

Private DNS - No logging by ISPs or third-party DNS providers
DNSSEC validation - Protection against DNS spoofing
Ad and malware blocking at the DNS level
Real-time threat detection with Suricata IDS
Multi-network support - Serve multiple VLANs or subnets

Best of all: Your existing UniFi (or other) router stays as your main gateway. OPNsense simply handles DNS and security monitoring.

Network Topology

Internet
    ↓
Main Router/Gateway (YOUR_GATEWAY_IP)
    ↓
OPNsense VM (YOUR_OPNSENSE_IP) - DNS & IDS
    ↓
LAN Devices

Example with common home network:

Internet
    ↓
Main Router (192.168.1.1)
    ↓
OPNsense VM (192.168.1.53) - DNS & IDS
    ↓
LAN Devices (192.168.1.x)

Key concept: OPNsense sits on your LAN as a specialized server, not as your main firewall/router.

Before You Begin: Know Your Network

You'll need to know these details about YOUR network:

Your network range (examples):
- 192.168.1.0/24 (common home network)
- 192.168.0.0/24 (another common range)
- 10.0.1.0/24 (common for prosumer routers)
- 10.0.0.0/24 (UniFi default)
Your gateway/router IP (examples):
- 192.168.1.1
- 192.168.0.1
- 10.0.1.1
- 10.0.0.1
A free IP for OPNsense - Pick any unused IP in your range:
- Example: If your network is 192.168.1.0/24, pick something like 192.168.1.53
- Common DNS-themed choices: .53 (DNS port number), .10, .254

Throughout this guide:

YOUR_GATEWAY_IP = Your router's IP address
YOUR_OPNSENSE_IP = The IP you chose for OPNsense
YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)

Write these down before starting!

Prerequisites

Before starting, ensure you have:

Proxmox server with adequate resources
Main router/gateway handling routing and DHCP (UniFi, pfSense, consumer router, etc.)
Network information (listed above)
VM Resources:
- 16GB RAM (minimum 4GB, but IDS needs more)
- 2-4 CPU cores
- 50GB storage
- 2 virtual network interfaces

Time required: 1-2 hours

Part 1: Proxmox VM Setup

Step 1: Create the OPNsense VM

In Proxmox Web Interface:

Click Create VM (top right)
General:
- VM ID: (your choice)
- Name: OPNsense-DNS
OS:
- Use OPNsense ISO image
System:
- Default settings OK
Disks:
- Size: 50GB
- Storage: Your preferred datastore
CPU:
- Cores: 2-4
- Type: host
Memory:
- RAM: 16384 MB (16GB)
- Minimum: 1024
- Ballooning: Enabled
Network:
- Bridge: vmbr0 (or your main bridge)
- Model: Intel E1000 ⚠️ IMPORTANT!
- Firewall: Unchecked
Add second network interface:
- Hardware → Add → Network Device
- Bridge: vmbr0 (same bridge as first)
- Model: Intel E1000 ⚠️ IMPORTANT!
- Firewall: Unchecked
Click Finish

Why Intel E1000 Network Adapters?

This is critical for proper operation!

VirtIO vs E1000:

VirtIO (paravirtualized) - Faster performance, but can have compatibility issues with OPNsense
Intel E1000 - Proven compatibility and stability with OPNsense/FreeBSD

In my testing:

VirtIO caused intermittent network drops
Interfaces would show as "up" but not pass traffic correctly
E1000 worked flawlessly from the start

Recommendation: Always use Intel E1000 for OPNsense VMs unless you have specific reasons and experience to use VirtIO.

Both network interfaces must:

Use the same bridge (usually vmbr0)
Use E1000 model
Have firewall unchecked (we'll control firewall in OPNsense)

Step 2: Install OPNsense

Start the VM
Follow the OPNsense installation wizard
Use default settings
Reboot when complete

Part 2: Initial OPNsense Configuration

Step 3: Configure Network Interfaces

After reboot, you'll see the console menu.

Select Option 1 - Assign Interfaces

Answer the prompts:

Should VLANs be set up now? → Type n and press Enter
Should LAGGs be set up now? → Type n and press Enter
Enter WAN interface name: → Type em1 and press Enter
Enter LAN interface name: → Type em0 and press Enter
Enter Optional interface 1 name: → Just press Enter (leave blank)
Do you want to proceed? → Type y and press Enter

Why WAN + LAN? Even though we're not using traditional WAN routing, having both interfaces gives us clean separation: LAN receives DNS queries, WAN sends them out to the internet.

Note: em0 and em1 are the FreeBSD interface names for Intel E1000 adapters. They'll always be named this way.

Step 4: Configure LAN IP Address

Select Option 2 - Set interface IP address

Select interface: Type 2 (for LAN) and press Enter
Configure IPv4 address LAN interface via DHCP? → Type n and press Enter
Enter the new LAN IPv4 address: → Type YOUR_OPNSENSE_IP
- Example: If your network is 192.168.1.x, you might use 192.168.1.53
- Press Enter
Enter the new LAN IPv4 subnet bit count: → Type 24 (most common) and press Enter
- 24 = 255.255.255.0 subnet mask
- For most home/office networks, use 24
For a WAN, enter the new LAN IPv4 upstream gateway address: → Just press Enter (leave blank)
Configure IPv6 address LAN interface via DHCP6? → Type n and press Enter
Enter the new LAN IPv6 address: → Just press Enter (skip IPv6)
Do you want to enable the DHCP server on LAN? → Type n and press Enter
- Critical: We do NOT want OPNsense handling DHCP. Your main router does that.
Do you want to revert to HTTP as the web GUI protocol? → Type n and press Enter
Enter the new LAN IPv4 upstream DNS server address: → Type 1.1.1.1 and press Enter
Enter another LAN IPv4 upstream DNS server address: → Type 8.8.8.8 and press Enter
Enter another LAN IPv4 upstream DNS server address: → Just press Enter (done)

Note: These DNS servers (1.1.1.1 and 8.8.8.8) are only for OPNsense's own use (system updates, etc.). Your clients will use Unbound on OPNsense for DNS.

Step 5: Configure Default Gateway

OPNsense needs to know how to reach the internet.

Select Option 8 - Shell

You'll see a command prompt. Type these commands (replacing with YOUR gateway IP):

# Set your router as the default gateway
# Replace YOUR_GATEWAY_IP with your actual router IP
route add default YOUR_GATEWAY_IP

# Example: route add default 192.168.1.1

# Make it permanent across reboots
echo 'defaultrouter="YOUR_GATEWAY_IP"' >> /etc/rc.conf.local

# Example: echo 'defaultrouter="192.168.1.1"' >> /etc/rc.conf.local

# Test connectivity to internet
ping -c 4 8.8.8.8

You should see ping replies. If not, check:

Your gateway IP is correct
The Proxmox network bridge is connected to your LAN
Your router is operational

Test DNS resolution:

ping -c 4 google.com

If both tests work, you're ready to continue!

Step 6: Update OPNsense

Before proceeding, update the system:

opnsense-update -f

This will take 5-15 minutes. Let it complete fully. You may see some warnings about socket buffers - these are harmless.

After completion, the system may need to reboot. If prompted, reboot.

Part 3: Web Interface Configuration

Step 7: Access the Web GUI

From another computer on your network:

Open a web browser
Navigate to: https://YOUR_OPNSENSE_IP
- Example: https://192.168.1.53
You'll see a security warning (self-signed certificate) - accept it
Login:
- Username: root
- Password: opnsense

Setup Wizard will appear - Skip it!

Click Skip or close the wizard
We'll configure manually for better control

Step 8: Configure System Gateway

System → Gateways → Configuration

Click Add (+ icon, top right):

Name: MAIN_GW (or whatever makes sense to you)
Interface: LAN
Address Family: IPv4
IP Address: YOUR_GATEWAY_IP
- Example: 192.168.1.1
Far Gateway: Leave unchecked
Disable Gateway Monitoring: ✅ Check this
- (Prevents unnecessary monitoring traffic)
Leave other settings as default

Click Save

Click Apply changes (top right)

This tells OPNsense where to send all internet-bound traffic.

Step 9: System DNS Settings

System → Settings → General

Scroll to DNS Servers section:

Primary DNS Server: 1.1.1.1
Secondary DNS Server: 8.8.8.8
Allow DNS server list to be overridden by DHCP/PPP on WAN: ✅ Check this

Scroll down further:

Prefer to use IPv4 even if IPv6 is available: ✅ Check this
- (Prevents IPv6-related issues)

Click Save (bottom of page)

Part 4: Unbound DNS Configuration

This is where the magic happens - configuring your private DNS resolver.

Step 10: Enable Unbound DNS

Services → Unbound DNS → General

Basic Settings:

Enable Unbound: ✅ Check this
Listen Port: 53 (default DNS port - don't change)
Network Interfaces: Select LAN from the dropdown
- This is where DNS queries come IN
Outgoing Network Interfaces: Select WAN from the dropdown
- This is where DNS queries go OUT to root servers

Advanced Settings (scroll down):

DNSSEC: ✅ Check this
- Provides cryptographic validation of DNS responses
DNSSEC Validation: Yes (should be selected)
DNS Query Forwarding: ❌ Leave UNCHECKED
- Very important! Unchecked means recursive DNS (we query root servers directly)
- Checked would forward to upstream DNS (not what we want)

Other settings:

Register ISC DHCP4 Leases: Leave unchecked (we're not running DHCP)
Register DHCP Static Mappings: Leave unchecked

Click Save (bottom of page)

Step 11: Configure Access Control Lists

Access lists determine which networks can use your DNS server.

Services → Unbound DNS → Access Lists

You'll likely see an empty list. Let's add your network(s).

Click + Add (top left):

For your primary network:

Access List Name: Allow_Primary_Network
Action: Allow
Networks: YOUR_NETWORK
- Examples:
  - 192.168.1.0/24 (192.168.1.0 - 192.168.1.255)
  - 192.168.0.0/24 (192.168.0.0 - 192.168.0.255)
  - 10.0.1.0/24 (10.0.1.0 - 10.0.1.255)
  - 10.0.0.0/24 (10.0.0.0 - 10.0.0.255)

Click Save

If you have additional networks (VLANs, guest network, etc.), add them too:

Click + Add again:

Access List Name: Allow_Guest_Network (or appropriate name)
Action: Allow
Networks: YOUR_SECOND_NETWORK
- Example: 192.168.2.0/24 (guest network)

Click Save

After adding all networks, click Apply (top right, orange button)

Without access control entries, clients won't be able to query your DNS server!

Tip: If you're unsure of your network range, check your router's DHCP settings or run ipconfig /all (Windows) or ip addr (Linux) on a client device.

Step 12: Verify DHCP is Disabled

Services → DHCPv4 → [LAN]

Make absolutely sure:

Enable DHCP server on LAN interface: ❌ UNCHECKED

If it's checked, uncheck it and click Save.

Your main router handles DHCP, not OPNsense.

Part 5: Firewall Rules

Firewall rules control what traffic can flow where. We need to allow DNS queries and ping for testing.

Step 13: LAN Firewall Rules

Firewall → Rules → LAN

You'll see some default rules. We need to add specific rules for DNS.

Add DNS Rule - Click + Add (top left):

Action: Pass ✅
Quick: Leave checked
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: TCP/UDP
- Important: Select TCP/UDP from dropdown, not just one
Source / Invert: Leave unchecked
Source: Select LAN net from dropdown
Source Port Range: any to any
Destination / Invert: Leave unchecked
Destination: Select This Firewall from dropdown
Destination Port Range: From (other) → type 53, To (other) → type 53
- Or select DNS from the dropdown if available
Description: Allow DNS queries from LAN

Click Save

Add ICMP (Ping) Rule - Click + Add:

Action: Pass ✅
Interface: LAN
TCP/IP Version: IPv4
Protocol: ICMP
ICMP Type: Leave as any
Source: LAN net
Destination: This Firewall
Description: Allow ICMP from LAN

Click Save

If you have multiple networks, add similar rules for each:

For each additional network:

DNS Rule:

Same settings as above, but:
Source: Select Single host or Network
Source Network: Type YOUR_SECOND_NETWORK
- Example: 192.168.2.0/24
Description: Allow DNS from guest network (or appropriate name)

ICMP Rule:

Same settings as above, but:
Source: Select Single host or Network
Source Network: Type YOUR_SECOND_NETWORK
Description: Allow ICMP from guest network

After adding all rules, click Apply Changes (top right)

Step 14: WAN Firewall Rule

This allows OPNsense to query DNS servers on the internet.

Firewall → Rules → WAN

Click + Add:

Action: Pass ✅
Interface: WAN
Direction: out
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: Select This Firewall from dropdown
Source Port: any to any
Destination: any
Destination Port: DNS (53) or custom 53
Description: Allow DNS queries to internet

Click Save

Click Apply Changes

Part 6: Testing DNS Functionality

Let's verify everything is working before moving to intrusion detection.

Step 15: Test DNS from OPNsense

Go back to console (Proxmox → Console)

Select Option 8 - Shell

# Test DNS resolution on localhost
drill google.com @127.0.0.1

# Test DNS on LAN interface
drill google.com @YOUR_OPNSENSE_IP

# Example: drill google.com @192.168.1.53

# Both should return IP addresses for google.com

If you see IP addresses, DNS is working on OPNsense!

Step 16: Test from a Client Device

From your Windows/Mac/Linux computer:

Windows (Command Prompt):

nslookup google.com YOUR_OPNSENSE_IP

Example: nslookup google.com 192.168.1.53

Mac/Linux (Terminal):

nslookup google.com YOUR_OPNSENSE_IP

Example: nslookup google.com 192.168.1.53

You should see:

Server: YOUR_OPNSENSE_IP
Name: google.com
Address: (IP addresses)

If this works, your DNS server is operational! ✅

If it fails:

Check firewall rules are enabled
Verify the client can ping YOUR_OPNSENSE_IP
Check access lists include the client's network
Review firewall logs: Firewall → Log Files → Live View

Step 17: Configure Your Router's DHCP

Now we tell all clients to use OPNsense for DNS.

The exact steps vary by router. Here are examples:

UniFi Controller:

Settings → Networks → [Your Network Name]

DHCP Name Server: Change from Auto to Manual
DNS Server 1: YOUR_OPNSENSE_IP (e.g., 192.168.1.53)
DNS Server 2: 1.1.1.1 (backup)
Click Apply Changes

Consumer Router (Web Interface):

Look for LAN Settings, DHCP Settings, or Network Settings
Find DNS Server or Primary/Secondary DNS
Set Primary DNS: YOUR_OPNSENSE_IP
Set Secondary DNS: 1.1.1.1
Save/Apply

pfSense/OPNsense Main Router:

Services → DHCP Server
Scroll to DNS Servers
Set servers to YOUR_OPNSENSE_IP and 1.1.1.1
Save

Repeat for each network/VLAN you want to use OPNsense DNS.

Renew DHCP on client devices:

Windows:
```
ipconfig /releaseipconfig /renew
```
Mac: Turn WiFi off, wait 5 seconds, turn WiFi on
Linux:
```
sudo dhclient -r && sudo dhclient
```

Verify clients are using OPNsense:

# Windows
ipconfig /all
# Look for "DNS Servers" - should show YOUR_OPNSENSE_IP

# Mac/Linux
cat /etc/resolv.conf
# Should show: nameserver YOUR_OPNSENSE_IP

Test general internet connectivity:

Browse to any website
It should load normally
DNS queries are now going through your private server!

Part 7: Optional - DNS Blocklists

Want to block ads and malware at the DNS level? Enable blocklists!

Step 18: Enable Ad and Malware Blocking

Services → Unbound DNS → Blocklists

Enable these recommended lists:

✅ Steven Black's hosts - Ads + malware
✅ Malware Domain List - Known malware domains
✅ URLhaus - Malware distribution sites
✅ EasyList - Popular ad blocking list (if available)

Click Save

Click Apply

Test ad blocking:

nslookup doubleclick.net YOUR_OPNSENSE_IP
# Should return 0.0.0.0 or be blocked

Ads will now be blocked network-wide for all devices!

Part 8: Intrusion Detection System (Suricata)

Now for the advanced part - real-time threat detection. This is where we catch malware, exploits, and malicious traffic.

Step 19: Verify Suricata is Available

Good news: Modern OPNsense includes Suricata IDS by default. No plugin installation needed!

Verify it's available:

Go to Services in the menu
You should see Intrusion Detection
Click on it - you'll see tabs: Administration, Download, Rules, Policy, etc.

If you don't see it, you may need to install the plugin:

System → Firmware → Plugins
Find os-suricata and install it

Step 20: Download Threat Intelligence (CRITICAL FIRST STEP!)

IMPORTANT: You must select and download your blocklists BEFORE configuring policies!

Services → Intrusion Detection → Download

You'll see a long list of available rulesets. Here's what to enable for comprehensive protection:

Abuse.ch Feeds (Enable ALL 5):

✅ abuse.ch/Feodo Tracker - Banking trojans and botnets
✅ abuse.ch/SSL Fingerprint Blacklist - Malicious SSL certificates
✅ abuse.ch/SSL IP Blacklist - IPs using malicious SSL
✅ abuse.ch/ThreatFox - Current indicators of compromise
✅ abuse.ch/URLhaus - Malware distribution URLs

ET Open Rules (Select these core security rules):

✅ ET open/emerging-malware - Malware detection
✅ ET open/emerging-phishing - Phishing sites
✅ ET open/emerging-shellcode - Exploit attempts
✅ ET open/emerging-worm - Worm activity
✅ ET open/emerging-scan - Port scans
✅ ET open/emerging-web_client - Browser exploits
✅ ET open/threatview_CS_c2 - Command & control servers
✅ ET open/emerging-exploit (if available)

What NOT to enable (to avoid false positives and performance issues):

❌ emerging-info (too noisy)
❌ emerging-icmp_info (flags normal traffic)
❌ emerging-imap, pop3, smtp (unless you run mail servers)
❌ emerging-dos (your router handles this)
❌ All the OPNsense-App-detect rules (add overhead)

After selecting your rulesets:

Click Download & Update Rules (bottom of page)

Wait 5-10 minutes. The page will show progress. This downloads thousands of threat signatures.

Do not proceed until download completes!

Step 21: Configure Suricata Basic Settings

Services → Intrusion Detection → Administration

General Settings:

Enable IDS/IPS: ✅ Check this box
IPS mode: ❌ Leave UNCHECKED for now
- Unchecked = Alert mode (monitoring only)
- Checked = Block mode (will actively block threats)
- Start with alerts only until you're confident
Promiscuous mode: ✅ Check this
- Allows Suricata to see all network traffic
Pattern matcher: Select Hyperscan from dropdown
- Fastest pattern matching engine

Interfaces:

✅ LAN - Check this box
✅ WAN - Check this box

Both interfaces should be monitored.

Leave other settings as default for now.

Click Save (bottom of page)

Don't click Apply yet - we need to fix the configuration file first!

Step 22: Fix Interface Configuration in YAML (CRITICAL!)

This is the most important step! The Suricata configuration file defaults to wrong interface names and will not work without manual correction.

Why this is necessary:

OPNsense generates a default config using eth0 (Linux naming)
But FreeBSD (which OPNsense runs on) uses em0, em1 for Intel E1000 adapters
Without this fix, Suricata will start but see ZERO traffic

From console (Option 8 - Shell):

First, create required directories:

# Create log directory
mkdir -p /var/log/suricata
chmod 755 /var/log/suricata

# Create runtime directory
mkdir -p /var/run/suricata
chmod 755 /var/run/suricata

# Verify they exist
ls -la /var/log/suricata/
ls -la /var/run/suricata/

Now check the Suricata configuration:

# View the af-packet section (network interface config)
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

You will almost certainly see:

af-packet:
  - interface: eth0

This is WRONG! Your interfaces are em0 (LAN) and em1 (WAN), not eth0.

We must edit the configuration file:

# Open the config file in editor
ee /usr/local/etc/suricata/suricata.yaml

Use arrow keys to scroll down. Find this section:

af-packet:
  - interface: eth0
    threads: auto

Delete the entire af-packet section and replace with:

af-packet:
  - interface: em0
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
  - interface: em1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

Critical details:

em0 = LAN interface (these are the FreeBSD names for Intel E1000 adapters)
em1 = WAN interface
Different cluster-id for each interface (98 and 99)
Both must be present for traffic inspection

While you're in the file, scroll down and find the vars: section (about 20-30 lines down):

Look for:

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Modify HOME_NET to match YOUR ACTUAL networks:

Examples:

If you have single network (192.168.1.0/24):

  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

If you have multiple networks:

  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Replace with YOUR network ranges:

192.168.1.0/24 (common home network)
192.168.0.0/24 (another common range)
10.0.1.0/24 (prosumer routers)
10.0.0.0/24 (UniFi default)

This tells Suricata which IPs are "yours" vs "external threats."

Save the file:

Press Ctrl+C
You'll see options at the bottom
Select "a - save file"
Press Enter to confirm filename
The editor will close

Verify your changes:

# Check interfaces
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

# Should now show em0 and em1, not eth0

# Check HOME_NET
cat /usr/local/etc/suricata/suricata.yaml | grep -A 5 "address-groups:"

# Should show YOUR networks

Step 23: Create Policy with Selected Rulesets (CRITICAL!)

This step activates your downloaded rules! Without this, rules are downloaded but disabled.

Services → Intrusion Detection → Policy

You'll likely see an empty page. That's normal.

Click + Add (top left):

Policy Configuration:

Enabled: ✅ Check this
Priority: 1 (or leave default)
Action: alert
- This makes rules generate alerts (not block yet)

Rulesets - THIS IS THE KEY:

You'll see a list of all the rulesets you downloaded. You MUST select EVERY ruleset you want active!

Scroll through and check:

✅ abuse.ch/Feodo Tracker
✅ abuse.ch/SSL Fingerprint Blacklist
✅ abuse.ch/SSL IP Blacklist
✅ abuse.ch/ThreatFox
✅ abuse.ch/URLhaus
✅ ET open/emerging-malware
✅ ET open/emerging-phishing
✅ ET open/emerging-shellcode
✅ ET open/emerging-worm
✅ ET open/emerging-scan
✅ ET open/emerging-web_client
✅ ET open/threatview_CS_c2
✅ ET open/emerging-exploit (if you downloaded it)

Select ALL the rulesets you downloaded in Step 20.

Click Save (bottom of page)

Why is this so important?

Downloaded rules start in "disabled" state
Creating a policy and selecting rulesets enables them
Without this, Suricata runs but catches nothing!

Step 24: Start Suricata

Now we're ready to start the IDS!

Go back to: Services → Intrusion Detection → Administration

Click Apply (top right, orange button)

Wait 30-60 seconds for Suricata to fully initialize.

Verify from console:

# Check if service is running
service suricata status

# Should show: "suricata is running as pid XXXX"

Check the logs:

# List log files
ls -la /var/log/suricata/

# Should see files like:
# - suricata_20251007.log
# - stats.log
# - eve.json

# Read the main log
tail -100 /var/log/suricata/suricata_*.log

Look for this at the end:

Threads created -> W: 4 FM: 1 FR: 1  Engine started

If you see "Engine started" - Suricata is operational! ✅

You may see warnings about "flowbit checked but not set" - these are harmless. They just mean some rules reference other rules you didn't enable.

Step 25: Test Intrusion Detection

Time for the moment of truth!

CRITICAL: You MUST test from a CLIENT device, NOT from OPNsense itself!

Suricata cannot inspect traffic originating from the OPNsense box. You need to test from a computer on your network.

From your Windows/Mac/Linux computer:

Windows (Command Prompt or PowerShell):

curl http://testmynids.org/uid/index.html

Mac/Linux (Terminal):

curl http://testmynids.org/uid/index.html

Or simply open a web browser and go to:

http://testmynids.org/uid/index.html

You should see:

uid=0(root) gid=0(root) groups=0(root)

This is a harmless test that triggers IDS rules.

Step 26: Check for Alerts

In OPNsense Web GUI:

Services → Intrusion Detection → Alerts

You should see an alert entry like:

Alert: "GPL ATTACK_RESPONSE id check returned root"
Source IP: Your client's IP (e.g., 192.168.1.100)
Destination IP: testmynids.org IP
Timestamp: Just now
Classification: Potentially Bad Traffic

If you see this alert: 🎉 SUCCESS! Your IDS is working perfectly!

Part 9: Troubleshooting IDS

No alerts appearing after running the test? Here's how to debug:

Problem: Interface Configuration

# Verify interfaces are correct in config
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

# MUST show em0 and em1, NOT eth0

If it still shows eth0, go back to Step 22 and fix it.

Problem: HOME_NET Not Set

# Check HOME_NET includes your networks
cat /usr/local/etc/suricata/suricata.yaml | grep -A 5 "address-groups:"

# Should show YOUR actual IP ranges

If it shows generic ranges (192.168.0.0/16, etc.), edit and specify your exact networks.

Problem: Policy Not Created

Services → Intrusion Detection → Policy

Should show at least one policy entry
With all your selected rulesets listed
If empty, go back to Step 23

Problem: Rules Not Downloaded

Services → Intrusion Detection → Download

Should show dates next to enabled rulesets
If showing errors, click Download & Update Rules again

Problem: Suricata Not Running

# Check service
service suricata status

# If stopped, check logs for errors
tail -100 /var/log/suricata/suricata_*.log | grep -i error

# Common error: "Cannot find interface em0"
# Solution: Edit YAML file (Step 22)

# Restart service
service suricata restart
sleep 10
service suricata status

Problem: Tested from OPNsense Itself

You cannot test from OPNsense! Suricata can only inspect traffic passing THROUGH the box, not originating FROM it.

Solution: Test from any client device on your network.

Problem: Client Can't Reach Test Site

# From client, test basic connectivity
ping YOUR_OPNSENSE_IP
nslookup testmynids.org
curl http://testmynids.org/uid/index.html

If DNS or connectivity fails, fix those first before troubleshooting IDS.

Part 10: Optional Enhancements

Email Alerts

Want to get notified of threats via email?

System → Settings → Notifications

For Gmail (easiest option):

Enable 2-Factor Authentication on your Gmail account
Create an App Password:
- Go to: https://myaccount.google.com/security
- Click "App passwords"
- Generate password for "Mail" / "Other"
- Copy the 16-character password
Configure in OPNsense:
- Enabled: ✅ Check
- From email: youremail@gmail.com
- Notification recipient: youremail@gmail.com
- SMTP Host: smtp.gmail.com
- SMTP Port: 587
- Secure SMTP Connection: STARTTLS
- SMTP Username: youremail@gmail.com
- SMTP Password: [Your 16-char app password]
Click Save
Click Test - you should receive an email within 1-2 minutes

For IDS alerts:

Services → Intrusion Detection → Administration
Look for alert settings
Configure to send alerts above certain severity

Enable IPS Mode (Blocking)

After running in Alert mode for 1-2 weeks with NO false positives:

Services → Intrusion Detection → Administration

IPS mode: ✅ Check this box

Click Save

Click Apply

Now Suricata will actively BLOCK detected threats instead of just alerting!

Warning: Start with Alert mode. IPS mode can block legitimate traffic if rules are too aggressive. Monitor alerts for at least a week before enabling blocking.

DNS over TLS (DoT)

Want encrypted DNS queries to upstream servers?

Services → Unbound DNS → General

Enable: DNS over TLS
Configure upstream: Cloudflare, Quad9, or other DoT providers

This encrypts your outbound DNS queries for maximum privacy.

Part 11: Monitoring and Maintenance

Daily Monitoring

Dashboard (Lobby):

Add widgets for System, Interfaces, Firewall
Quick health check at a glance

Services → Intrusion Detection → Alerts:

Check daily for threats
Investigate any critical alerts
Look for patterns or repeated attacks

Firewall → Log Files:

Review blocked connections
Look for scan attempts
Monitor unusual traffic patterns

Weekly Tasks

Review IDS alerts:

Services → Intrusion Detection → Alerts
Sort by severity
Investigate high-priority alerts
Note repeat offenders (IPs, countries)

Check system resources:

System → Activity
Monitor CPU, RAM, disk usage
Ensure Suricata isn't overloading the system
If CPU > 80% sustained, consider reducing rulesets

Verify DNS is functioning:

Test from various devices
Check query logs: Services → Unbound DNS → Query Log
Ensure no DNS-related errors

Monthly Maintenance

Update OPNsense:

System → Firmware → Updates
Check for updates
Read release notes
Apply updates (usually safe, but backup first)

Update Threat Rules:

Services → Intrusion Detection → Download
Click Download & Update Rules
Verify update completes successfully

Backup Configuration:

System → Configuration → Backups
Download configuration
Store safely (encrypted USB, cloud storage)
Keep 3 recent backups

Review logs:

Check for recurring issues
Look for performance problems
Identify false positives

Test DNS functionality:

From multiple devices
From multiple networks (if applicable)
Verify ad blocking is working

Conclusion

Congratulations! You've built an enterprise-grade DNS and security monitoring system. Here's what you accomplished:

✅ Private DNS Server

No tracking by ISPs or third-party DNS providers
DNSSEC validation protects against DNS spoofing
Recursive DNS queries for maximum privacy

✅ Multi-Network Support

Serve multiple VLANs or subnets
Centralized DNS for entire network
Easy management from one interface

✅ Ad and Malware Blocking

DNS-level blocking (all devices protected)
No per-device configuration needed
Blocks ads, trackers, and malware domains

✅ Real-Time Threat Detection

Suricata IDS monitoring 24/7
Multiple threat intelligence feeds
Alerts on exploits, malware, C&C traffic

✅ Comprehensive Logging

See all DNS queries
Monitor security events
Track network activity

Your network is now significantly more secure and private!

What's Next?

Explore Additional Features:

Custom DNS overrides for local services
Split DNS for internal domains
Conditional forwarding
Additional blocklists
GeoIP blocking

Fine-Tune Security:

Review IDS alerts weekly
Adjust rules based on your environment
Enable IPS mode after confidence builds
Add custom Suricata rules

Expand Monitoring:

Add Grafana for visualization
Set up syslog forwarding
Configure detailed alerting
Integrate with SIEM tools

Key Takeaways

What Made This Work:

Intel E1000 network adapters - Critical for compatibility with OPNsense/FreeBSD
Correct interface configuration - The YAML file MUST use your actual interfaces (em0/em1), not default (eth0)
HOME_NET configuration - Suricata must know which IPs are yours vs. external
Policy creation - Downloaded rules are disabled by default; you MUST create a policy and select rulesets to activate them
Multi-network support - Access lists and firewall rules for each network segment
Testing methodology - Test from CLIENT devices, not from OPNsense itself

Final Thoughts

This setup provides security and privacy that most consumer routers can't match. You're now:

Private: No one logs your DNS queries
Secure: Threats detected in real-time
Informed: Complete visibility into network activity
Protected: Multiple layers of defense

The time investment pays off with peace of mind and network control.

Questions? Issues? Leave a comment below and I'll help troubleshoot!

Found this helpful? Share with others looking to improve their network security!

Quick Reference Card

Replace these with YOUR values:

YOUR_GATEWAY_IP = Your router's IP (e.g., 192.168.1.1)
YOUR_OPNSENSE_IP = IP you chose for OPNsense (e.g., 192.168.1.53)
YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)

Common Network Ranges:

192.168.1.0/24 (192.168.1.1-254)
192.168.0.0/24 (192.168.0.1-254)
10.0.1.0/24 (10.0.1.1-254)
10.0.0.0/24 (10.0.0.1-254)

Key Commands:

# DNS testing
drill google.com @YOUR_OPNSENSE_IP

# Suricata status
service suricata status

# View alerts
tail -50 /var/log/suricata/suricata_*.log

# Restart services
service unbound restart
service suricata restart

Key Config Files:

Suricata: /usr/local/etc/suricata/suricata.yaml
Unbound: Auto-generated by web GUI

Important URLs:

Web GUI: https://YOUR_OPNSENSE_IP
Test IDS: http://testmynids.org/uid/index.html

Critical Ports:

53 = DNS (don't change)
443 = HTTPS web interface
22 = SSH (if enabled)

Good luck with your deployment! 🚀🔒

Created & Maintained by Pacific Northwest Computers

Pacific NW Computers

www.linktr.ee/pnwcomputers

www.pacificnwcomputers.com

📞 Pacific Northwest Computers offers remote and onsite support across:
Vancouver WA, Battle Ground WA, Camas WA, Washougal WA, Longview WA, Kelso WA, and Portland OR

Wednesday, October 8, 2025

Setting Up OPNsense as a Private DNS Server with Intrusion Detection (ProxMoxVE)

Setting Up OPNsense as a Private DNS Server with Intrusion Detection in a Proxmox VM

Introduction

Network Topology

Before You Begin: Know Your Network

Prerequisites

Part 1: Proxmox VM Setup

Step 1: Create the OPNsense VM

Why Intel E1000 Network Adapters?

Step 2: Install OPNsense

Part 2: Initial OPNsense Configuration

Step 3: Configure Network Interfaces

Step 4: Configure LAN IP Address

Step 5: Configure Default Gateway

Step 6: Update OPNsense

Part 3: Web Interface Configuration

Step 7: Access the Web GUI

Step 8: Configure System Gateway

Step 9: System DNS Settings

Part 4: Unbound DNS Configuration

Step 10: Enable Unbound DNS

Step 11: Configure Access Control Lists

Step 12: Verify DHCP is Disabled

Part 5: Firewall Rules

Step 13: LAN Firewall Rules

Step 14: WAN Firewall Rule

Part 6: Testing DNS Functionality

Step 15: Test DNS from OPNsense

Step 16: Test from a Client Device

Step 17: Configure Your Router's DHCP

Part 7: Optional - DNS Blocklists

Step 18: Enable Ad and Malware Blocking

Part 8: Intrusion Detection System (Suricata)

Step 19: Verify Suricata is Available

Step 20: Download Threat Intelligence (CRITICAL FIRST STEP!)

Step 21: Configure Suricata Basic Settings

Step 22: Fix Interface Configuration in YAML (CRITICAL!)

Step 23: Create Policy with Selected Rulesets (CRITICAL!)

Step 24: Start Suricata

Step 25: Test Intrusion Detection

Step 26: Check for Alerts

Part 9: Troubleshooting IDS

Problem: Interface Configuration

Problem: HOME_NET Not Set

Problem: Policy Not Created

Problem: Rules Not Downloaded

Problem: Suricata Not Running

Problem: Tested from OPNsense Itself

Problem: Client Can't Reach Test Site

Part 10: Optional Enhancements

Email Alerts

Enable IPS Mode (Blocking)

DNS over TLS (DoT)

Part 11: Monitoring and Maintenance

Daily Monitoring

Weekly Tasks

Monthly Maintenance

Conclusion

What's Next?

Key Takeaways

Final Thoughts

Quick Reference Card

Good luck with your deployment! 🚀🔒

Created & Maintained by Pacific Northwest Computers

No comments:

Post a Comment