Wednesday, October 8, 2025

Setting Up OPNsense as a Private DNS Server with Intrusion Detection (ProxMoxVE)



Setting Up OPNsense as a Private DNS Server with Intrusion Detection in a Proxmox VM

Transform your network security with a dedicated DNS server and real-time threat detection


Introduction

Are you concerned about your internet privacy? Tired of ads tracking your every move? Want to protect your network from malware and intrusions? In this comprehensive guide, I'll show you how to deploy OPNsense in Proxmox as a powerful DNS server with built-in intrusion detection.

This setup gives you enterprise-grade security without replacing your existing router. You'll get:

  • Private DNS - No logging by ISPs or third-party DNS providers
  • DNSSEC validation - Protection against DNS spoofing
  • Ad and malware blocking at the DNS level
  • Real-time threat detection with Suricata IDS
  • Multi-network support - Serve multiple VLANs or subnets

Best of all: Your existing UniFi (or other) router stays as your main gateway. OPNsense simply handles DNS and security monitoring.


Network Topology

Internet
    ↓
Main Router/Gateway (YOUR_GATEWAY_IP)
    ↓
OPNsense VM (YOUR_OPNSENSE_IP) - DNS & IDS
    ↓
LAN Devices

Example with common home network:

Internet
    ↓
Main Router (192.168.1.1)
    ↓
OPNsense VM (192.168.1.53) - DNS & IDS
    ↓
LAN Devices (192.168.1.x)

Key concept: OPNsense sits on your LAN as a specialized server, not as your main firewall/router.


Before You Begin: Know Your Network

You'll need to know these details about YOUR network:

  1. Your network range (examples):

    • 192.168.1.0/24 (common home network)
    • 192.168.0.0/24 (another common range)
    • 10.0.1.0/24 (common for prosumer routers)
    • 10.0.0.0/24 (UniFi default)
  2. Your gateway/router IP (examples):

    • 192.168.1.1
    • 192.168.0.1
    • 10.0.1.1
    • 10.0.0.1
  3. A free IP for OPNsense - Pick any unused IP in your range:

    • Example: If your network is 192.168.1.0/24, pick something like 192.168.1.53
    • Common DNS-themed choices: .53 (DNS port number), .10, .254

Throughout this guide:

  • YOUR_GATEWAY_IP = Your router's IP address
  • YOUR_OPNSENSE_IP = The IP you chose for OPNsense
  • YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)

Write these down before starting!


Prerequisites

Before starting, ensure you have:

  • Proxmox server with adequate resources
  • Main router/gateway handling routing and DHCP (UniFi, pfSense, consumer router, etc.)
  • Network information (listed above)
  • VM Resources:
    • 16GB RAM (minimum 4GB, but IDS needs more)
    • 2-4 CPU cores
    • 50GB storage
    • 2 virtual network interfaces

Time required: 1-2 hours


Part 1: Proxmox VM Setup

Step 1: Create the OPNsense VM

In Proxmox Web Interface:

  1. Click Create VM (top right)

  2. General:

    • VM ID: (your choice)
    • Name: OPNsense-DNS
  3. OS:

    • Use OPNsense ISO image
  4. System:

    • Default settings OK
  5. Disks:

    • Size: 50GB
    • Storage: Your preferred datastore
  6. CPU:

    • Cores: 2-4
    • Type: host
  7. Memory:

    • RAM: 16384 MB (16GB)
    • Minimum: 1024
    • Ballooning: Enabled
  8. Network:

    • Bridge: vmbr0 (or your main bridge)
    • Model: Intel E1000 ⚠️ IMPORTANT!
    • Firewall: Unchecked
  9. Add second network interface:

    • Hardware → Add → Network Device
    • Bridge: vmbr0 (same bridge as first)
    • Model: Intel E1000 ⚠️ IMPORTANT!
    • Firewall: Unchecked
  10. Click Finish


Why Intel E1000 Network Adapters?

This is critical for proper operation!

VirtIO vs E1000:

  • VirtIO (paravirtualized) - Faster performance, but can have compatibility issues with OPNsense
  • Intel E1000 - Proven compatibility and stability with OPNsense/FreeBSD

In my testing:

  • VirtIO caused intermittent network drops
  • Interfaces would show as "up" but not pass traffic correctly
  • E1000 worked flawlessly from the start

Recommendation: Always use Intel E1000 for OPNsense VMs unless you have specific reasons and experience to use VirtIO.

Both network interfaces must:

  • Use the same bridge (usually vmbr0)
  • Use E1000 model
  • Have firewall unchecked (we'll control firewall in OPNsense)

Step 2: Install OPNsense

  1. Start the VM
  2. Follow the OPNsense installation wizard
  3. Use default settings
  4. Reboot when complete

Part 2: Initial OPNsense Configuration

Step 3: Configure Network Interfaces

After reboot, you'll see the console menu.

Select Option 1 - Assign Interfaces

Answer the prompts:

  1. Should VLANs be set up now? → Type n and press Enter
  2. Should LAGGs be set up now? → Type n and press Enter
  3. Enter WAN interface name: → Type em1 and press Enter
  4. Enter LAN interface name: → Type em0 and press Enter
  5. Enter Optional interface 1 name: → Just press Enter (leave blank)
  6. Do you want to proceed? → Type y and press Enter

Why WAN + LAN? Even though we're not using traditional WAN routing, having both interfaces gives us clean separation: LAN receives DNS queries, WAN sends them out to the internet.

Note: em0 and em1 are the FreeBSD interface names for Intel E1000 adapters. They'll always be named this way.


Step 4: Configure LAN IP Address

Select Option 2 - Set interface IP address

  1. Select interface: Type 2 (for LAN) and press Enter

  2. Configure IPv4 address LAN interface via DHCP? → Type n and press Enter

  3. Enter the new LAN IPv4 address: → Type YOUR_OPNSENSE_IP

    • Example: If your network is 192.168.1.x, you might use 192.168.1.53
    • Press Enter
  4. Enter the new LAN IPv4 subnet bit count: → Type 24 (most common) and press Enter

    • 24 = 255.255.255.0 subnet mask
    • For most home/office networks, use 24
  5. For a WAN, enter the new LAN IPv4 upstream gateway address: → Just press Enter (leave blank)

  6. Configure IPv6 address LAN interface via DHCP6? → Type n and press Enter

  7. Enter the new LAN IPv6 address: → Just press Enter (skip IPv6)

  8. Do you want to enable the DHCP server on LAN? → Type n and press Enter

    • Critical: We do NOT want OPNsense handling DHCP. Your main router does that.
  9. Do you want to revert to HTTP as the web GUI protocol? → Type n and press Enter

  10. Enter the new LAN IPv4 upstream DNS server address: → Type 1.1.1.1 and press Enter

  11. Enter another LAN IPv4 upstream DNS server address: → Type 8.8.8.8 and press Enter

  12. Enter another LAN IPv4 upstream DNS server address: → Just press Enter (done)

Note: These DNS servers (1.1.1.1 and 8.8.8.8) are only for OPNsense's own use (system updates, etc.). Your clients will use Unbound on OPNsense for DNS.


Step 5: Configure Default Gateway

OPNsense needs to know how to reach the internet.

Select Option 8 - Shell

You'll see a command prompt. Type these commands (replacing with YOUR gateway IP):

# Set your router as the default gateway
# Replace YOUR_GATEWAY_IP with your actual router IP
route add default YOUR_GATEWAY_IP

# Example: route add default 192.168.1.1

# Make it permanent across reboots
echo 'defaultrouter="YOUR_GATEWAY_IP"' >> /etc/rc.conf.local

# Example: echo 'defaultrouter="192.168.1.1"' >> /etc/rc.conf.local

# Test connectivity to internet
ping -c 4 8.8.8.8

You should see ping replies. If not, check:

  • Your gateway IP is correct
  • The Proxmox network bridge is connected to your LAN
  • Your router is operational

Test DNS resolution:

ping -c 4 google.com

If both tests work, you're ready to continue!


Step 6: Update OPNsense

Before proceeding, update the system:

opnsense-update -f

This will take 5-15 minutes. Let it complete fully. You may see some warnings about socket buffers - these are harmless.

After completion, the system may need to reboot. If prompted, reboot.


Part 3: Web Interface Configuration

Step 7: Access the Web GUI

From another computer on your network:

  1. Open a web browser
  2. Navigate to: https://YOUR_OPNSENSE_IP
    • Example: https://192.168.1.53
  3. You'll see a security warning (self-signed certificate) - accept it
  4. Login:
    • Username: root
    • Password: opnsense

Setup Wizard will appear - Skip it!

  • Click Skip or close the wizard
  • We'll configure manually for better control

Step 8: Configure System Gateway

System → Gateways → Configuration

Click Add (+ icon, top right):

  • Name: MAIN_GW (or whatever makes sense to you)
  • Interface: LAN
  • Address Family: IPv4
  • IP Address: YOUR_GATEWAY_IP
    • Example: 192.168.1.1
  • Far Gateway: Leave unchecked
  • Disable Gateway Monitoring: ✅ Check this
    • (Prevents unnecessary monitoring traffic)
  • Leave other settings as default

Click Save

Click Apply changes (top right)

This tells OPNsense where to send all internet-bound traffic.


Step 9: System DNS Settings

System → Settings → General

Scroll to DNS Servers section:

  • Primary DNS Server: 1.1.1.1
  • Secondary DNS Server: 8.8.8.8
  • Allow DNS server list to be overridden by DHCP/PPP on WAN: ✅ Check this

Scroll down further:

  • Prefer to use IPv4 even if IPv6 is available: ✅ Check this
    • (Prevents IPv6-related issues)

Click Save (bottom of page)


Part 4: Unbound DNS Configuration

This is where the magic happens - configuring your private DNS resolver.

Step 10: Enable Unbound DNS

Services → Unbound DNS → General

Basic Settings:

  • Enable Unbound: ✅ Check this
  • Listen Port: 53 (default DNS port - don't change)
  • Network Interfaces: Select LAN from the dropdown
    • This is where DNS queries come IN
  • Outgoing Network Interfaces: Select WAN from the dropdown
    • This is where DNS queries go OUT to root servers

Advanced Settings (scroll down):

  • DNSSEC: ✅ Check this
    • Provides cryptographic validation of DNS responses
  • DNSSEC Validation: Yes (should be selected)
  • DNS Query Forwarding: Leave UNCHECKED
    • Very important! Unchecked means recursive DNS (we query root servers directly)
    • Checked would forward to upstream DNS (not what we want)

Other settings:

  • Register ISC DHCP4 Leases: Leave unchecked (we're not running DHCP)
  • Register DHCP Static Mappings: Leave unchecked

Click Save (bottom of page)


Step 11: Configure Access Control Lists

Access lists determine which networks can use your DNS server.

Services → Unbound DNS → Access Lists

You'll likely see an empty list. Let's add your network(s).

Click + Add (top left):

For your primary network:

  • Access List Name: Allow_Primary_Network
  • Action: Allow
  • Networks: YOUR_NETWORK
    • Examples:
      • 192.168.1.0/24 (192.168.1.0 - 192.168.1.255)
      • 192.168.0.0/24 (192.168.0.0 - 192.168.0.255)
      • 10.0.1.0/24 (10.0.1.0 - 10.0.1.255)
      • 10.0.0.0/24 (10.0.0.0 - 10.0.0.255)

Click Save

If you have additional networks (VLANs, guest network, etc.), add them too:

Click + Add again:

  • Access List Name: Allow_Guest_Network (or appropriate name)
  • Action: Allow
  • Networks: YOUR_SECOND_NETWORK
    • Example: 192.168.2.0/24 (guest network)

Click Save

After adding all networks, click Apply (top right, orange button)

Without access control entries, clients won't be able to query your DNS server!

Tip: If you're unsure of your network range, check your router's DHCP settings or run ipconfig /all (Windows) or ip addr (Linux) on a client device.
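Two small helpers for this step, added here as an example (they are not part of OPNsense and not the author's code): the first turns a client address plus prefix length into the network value the access list form expects (so you enter 192.168.1.0/24, not 192.168.1.53/24), and the second answers the question Step 16's troubleshooting list raises, "does the access list actually cover this client?". They use only POSIX sh arithmetic, so they run unchanged on the OPNsense shell.

```shell
#!/bin/sh
# Helpers for the Unbound access list: compute the network a host belongs to,
# and test whether a client falls inside the networks you allowed.
# Added example, not OPNsense code; POSIX sh only, no external tools.

# cidr_network IP BITS -> prints the network in CIDR form, e.g.
#   cidr_network 192.168.1.53 24  ->  192.168.1.0/24
cidr_network() {
  ip=$1
  bits=$2
  oldifs=$IFS
  IFS=.
  set -- $ip            # split the dotted quad into $1..$4
  IFS=$oldifs
  [ $# -eq 4 ] || { echo "bad address: $ip" >&2; return 1; }
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 ))  $(( net & 255 )) "$bits"
}

# ip_in_cidr IP NETWORK/BITS -> exit status 0 if IP lies inside the network
ip_in_cidr() {
  cidr=$2
  [ "$(cidr_network "$1" "${cidr#*/}")" = "$(cidr_network "${cidr%/*}" "${cidr#*/}")" ]
}

# acl_allows IP "NET/BITS NET/BITS ..." -> 0 if any listed network contains IP.
# Run this with the networks from your access list entries before blaming
# firewall rules when a client's lookup fails.
acl_allows() {
  client=$1
  for net in $2; do
    if ip_in_cidr "$client" "$net"; then
      echo "$client allowed by $net"
      return 0
    fi
  done
  echo "$client matches no access list entry" >&2
  return 1
}

# Usage on the console (assumed client and access list values):
#   cidr_network 192.168.1.53 24
#   acl_allows 192.168.2.20 "192.168.1.0/24 192.168.2.0/24"
```

The same network strings you get from cidr_network are what you later paste into HOME_NET in Step 22, so it is worth computing them once and keeping them with the values you wrote down in "Before You Begin".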


Step 12: Verify DHCP is Disabled

Services → DHCPv4 → [LAN]

Make absolutely sure:

  • Enable DHCP server on LAN interface: UNCHECKED

If it's checked, uncheck it and click Save.

Your main router handles DHCP, not OPNsense.


Part 5: Firewall Rules

Firewall rules control what traffic can flow where. We need to allow DNS queries and ping for testing.

Step 13: LAN Firewall Rules

Firewall → Rules → LAN

You'll see some default rules. We need to add specific rules for DNS.

Add DNS Rule - Click + Add (top left):

  • Action: Pass
  • Quick: Leave checked
  • Interface: LAN
  • Direction: in
  • TCP/IP Version: IPv4
  • Protocol: TCP/UDP
    • Important: Select TCP/UDP from dropdown, not just one
  • Source / Invert: Leave unchecked
  • Source: Select LAN net from dropdown
  • Source Port Range: any to any
  • Destination / Invert: Leave unchecked
  • Destination: Select This Firewall from dropdown
  • Destination Port Range: From (other) → type 53, To (other) → type 53
    • Or select DNS from the dropdown if available
  • Description: Allow DNS queries from LAN

Click Save

Add ICMP (Ping) Rule - Click + Add:

  • Action: Pass
  • Interface: LAN
  • TCP/IP Version: IPv4
  • Protocol: ICMP
  • ICMP Type: Leave as any
  • Source: LAN net
  • Destination: This Firewall
  • Description: Allow ICMP from LAN

Click Save

If you have multiple networks, add similar rules for each:

For each additional network:

DNS Rule:

  • Same settings as above, but:
  • Source: Select Single host or Network
  • Source Network: Type YOUR_SECOND_NETWORK
    • Example: 192.168.2.0/24
  • Description: Allow DNS from guest network (or appropriate name)

ICMP Rule:

  • Same settings as above, but:
  • Source: Select Single host or Network
  • Source Network: Type YOUR_SECOND_NETWORK
  • Description: Allow ICMP from guest network

After adding all rules, click Apply Changes (top right)


Step 14: WAN Firewall Rule

This allows OPNsense to query DNS servers on the internet.

Firewall → Rules → WAN

Click + Add:

  • Action: Pass
  • Interface: WAN
  • Direction: out
  • TCP/IP Version: IPv4
  • Protocol: TCP/UDP
  • Source: Select This Firewall from dropdown
  • Source Port: any to any
  • Destination: any
  • Destination Port: DNS (53) or custom 53
  • Description: Allow DNS queries to internet

Click Save

Click Apply Changes


Part 6: Testing DNS Functionality

Let's verify everything is working before moving to intrusion detection.

Step 15: Test DNS from OPNsense

Go back to console (Proxmox → Console)

Select Option 8 - Shell

# Test DNS resolution on localhost
drill google.com @127.0.0.1

# Test DNS on LAN interface
drill google.com @YOUR_OPNSENSE_IP

# Example: drill google.com @192.168.1.53

# Both should return IP addresses for google.com

If you see IP addresses, DNS is working on OPNsense!


Step 16: Test from a Client Device

From your Windows/Mac/Linux computer:

Windows (Command Prompt):

nslookup google.com YOUR_OPNSENSE_IP

Example: nslookup google.com 192.168.1.53

Mac/Linux (Terminal):

nslookup google.com YOUR_OPNSENSE_IP

Example: nslookup google.com 192.168.1.53

You should see:

  • Server: YOUR_OPNSENSE_IP
  • Name: google.com
  • Address: (IP addresses)

If this works, your DNS server is operational!

If it fails:

  • Check firewall rules are enabled
  • Verify the client can ping YOUR_OPNSENSE_IP
  • Check access lists include the client's network
  • Review firewall logs: Firewall → Log Files → Live View

Step 17: Configure Your Router's DHCP

Now we tell all clients to use OPNsense for DNS.

The exact steps vary by router. Here are examples:

UniFi Controller:

Settings → Networks → [Your Network Name]

  • DHCP Name Server: Change from Auto to Manual
  • DNS Server 1: YOUR_OPNSENSE_IP (e.g., 192.168.1.53)
  • DNS Server 2: 1.1.1.1 (backup)
  • Click Apply Changes

Consumer Router (Web Interface):

  • Look for LAN Settings, DHCP Settings, or Network Settings
  • Find DNS Server or Primary/Secondary DNS
  • Set Primary DNS: YOUR_OPNSENSE_IP
  • Set Secondary DNS: 1.1.1.1
  • Save/Apply

pfSense/OPNsense Main Router:

  • Services → DHCP Server
  • Scroll to DNS Servers
  • Set servers to YOUR_OPNSENSE_IP and 1.1.1.1
  • Save

Repeat for each network/VLAN you want to use OPNsense DNS.


Renew DHCP on client devices:

  • Windows:
    ipconfig /release
    ipconfig /renew
  • Mac: Turn WiFi off, wait 5 seconds, turn WiFi on
  • Linux:
    sudo dhclient -r && sudo dhclient

Verify clients are using OPNsense:

# Windows
ipconfig /all
# Look for "DNS Servers" - should show YOUR_OPNSENSE_IP

# Mac/Linux
cat /etc/resolv.conf
# Should show: nameserver YOUR_OPNSENSE_IP

Test general internet connectivity:

  • Browse to any website
  • It should load normally
  • DNS queries are now going through your private server!

Part 7: Optional - DNS Blocklists

Want to block ads and malware at the DNS level? Enable blocklists!

Step 18: Enable Ad and Malware Blocking

Services → Unbound DNS → Blocklists

Enable these recommended lists:

  • Steven Black's hosts - Ads + malware
  • Malware Domain List - Known malware domains
  • URLhaus - Malware distribution sites
  • EasyList - Popular ad blocking list (if available)

Click Save

Click Apply

Test ad blocking:

nslookup doubleclick.net YOUR_OPNSENSE_IP
# Should return 0.0.0.0 or be blocked

Ads will now be blocked network-wide for all devices!


Part 8: Intrusion Detection System (Suricata)

Now for the advanced part - real-time threat detection. This is where we catch malware, exploits, and malicious traffic.

Step 19: Verify Suricata is Available

Good news: Modern OPNsense includes Suricata IDS by default. No plugin installation needed!

Verify it's available:

  • Go to Services in the menu
  • You should see Intrusion Detection
  • Click on it - you'll see tabs: Administration, Download, Rules, Policy, etc.

If you don't see it, you may need to install the plugin:

  • System → Firmware → Plugins
  • Find os-suricata and install it

Step 20: Download Threat Intelligence (CRITICAL FIRST STEP!)

IMPORTANT: You must select and download your blocklists BEFORE configuring policies!

Services → Intrusion Detection → Download

You'll see a long list of available rulesets. Here's what to enable for comprehensive protection:

Abuse.ch Feeds (Enable ALL 5):

  • abuse.ch/Feodo Tracker - Banking trojans and botnets
  • abuse.ch/SSL Fingerprint Blacklist - Malicious SSL certificates
  • abuse.ch/SSL IP Blacklist - IPs using malicious SSL
  • abuse.ch/ThreatFox - Current indicators of compromise
  • abuse.ch/URLhaus - Malware distribution URLs

ET Open Rules (Select these core security rules):

  • ET open/emerging-malware - Malware detection
  • ET open/emerging-phishing - Phishing sites
  • ET open/emerging-shellcode - Exploit attempts
  • ET open/emerging-worm - Worm activity
  • ET open/emerging-scan - Port scans
  • ET open/emerging-web_client - Browser exploits
  • ET open/threatview_CS_c2 - Command & control servers
  • ET open/emerging-exploit (if available)

What NOT to enable (to avoid false positives and performance issues):

  • ❌ emerging-info (too noisy)
  • ❌ emerging-icmp_info (flags normal traffic)
  • ❌ emerging-imap, pop3, smtp (unless you run mail servers)
  • ❌ emerging-dos (your router handles this)
  • ❌ All the OPNsense-App-detect rules (add overhead)

After selecting your rulesets:

Click Download & Update Rules (bottom of page)

Wait 5-10 minutes. The page will show progress. This downloads thousands of threat signatures.

Do not proceed until download completes!


Step 21: Configure Suricata Basic Settings

Services → Intrusion Detection → Administration

General Settings:

  • Enable IDS/IPS: Check this box

  • IPS mode: Leave UNCHECKED for now

    • Unchecked = Alert mode (monitoring only)
    • Checked = Block mode (will actively block threats)
    • Start with alerts only until you're confident
  • Promiscuous mode: Check this

    • Allows Suricata to see all network traffic
  • Pattern matcher: Select Hyperscan from dropdown

    • Fastest pattern matching engine

Interfaces:

  • LAN - Check this box
  • WAN - Check this box

Both interfaces should be monitored.

Leave other settings as default for now.

Click Save (bottom of page)

Don't click Apply yet - we need to fix the configuration file first!


Step 22: Fix Interface Configuration in YAML (CRITICAL!)

This is the most important step! The Suricata configuration file defaults to wrong interface names and will not work without manual correction.

Why this is necessary:

  • OPNsense generates a default config using eth0 (Linux naming)
  • But FreeBSD (which OPNsense runs on) uses em0, em1 for Intel E1000 adapters
  • Without this fix, Suricata will start but see ZERO traffic

From console (Option 8 - Shell):

First, create required directories:

# Create log directory
mkdir -p /var/log/suricata
chmod 755 /var/log/suricata

# Create runtime directory
mkdir -p /var/run/suricata
chmod 755 /var/run/suricata

# Verify they exist
ls -la /var/log/suricata/
ls -la /var/run/suricata/

Now check the Suricata configuration:

# View the af-packet section (network interface config)
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

You will almost certainly see:

af-packet:
  - interface: eth0

This is WRONG! Your interfaces are em0 (LAN) and em1 (WAN), not eth0.

We must edit the configuration file:

# Open the config file in editor
ee /usr/local/etc/suricata/suricata.yaml

Use arrow keys to scroll down. Find this section:

af-packet:
  - interface: eth0
    threads: auto

Delete the entire af-packet section and replace with:

af-packet:
  - interface: em0
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
  - interface: em1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

Critical details:

  • em0 = LAN interface (these are the FreeBSD names for Intel E1000 adapters)
  • em1 = WAN interface
  • Different cluster-id for each interface (98 and 99)
  • Both must be present for traffic inspection

While you're in the file, scroll down and find the vars: section (about 20-30 lines down):

Look for:

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Modify HOME_NET to match YOUR ACTUAL networks:

Examples:

If you have single network (192.168.1.0/24):

  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

If you have multiple networks:

  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Replace with YOUR network ranges:

  • 192.168.1.0/24 (common home network)
  • 192.168.0.0/24 (another common range)
  • 10.0.1.0/24 (prosumer routers)
  • 10.0.0.0/24 (UniFi default)

This tells Suricata which IPs are "yours" vs "external threats."

Save the file:

  • Press Ctrl+C
  • You'll see options at the bottom
  • Select "a - save file"
  • Press Enter to confirm filename
  • The editor will close

Verify your changes:

# Check interfaces
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

# Should now show em0 and em1, not eth0

# Check HOME_NET
cat /usr/local/etc/suricata/suricata.yaml | grep -A 5 "address-groups:"

# Should show YOUR networks

Step 23: Create Policy with Selected Rulesets (CRITICAL!)

This step activates your downloaded rules! Without this, rules are downloaded but disabled.

Services → Intrusion Detection → Policy

You'll likely see an empty page. That's normal.

Click + Add (top left):

Policy Configuration:

  • Enabled: ✅ Check this
  • Priority: 1 (or leave default)
  • Action: alert
    • This makes rules generate alerts (not block yet)

Rulesets - THIS IS THE KEY:

You'll see a list of all the rulesets you downloaded. You MUST select EVERY ruleset you want active!

Scroll through and check:

  • ✅ abuse.ch/Feodo Tracker
  • ✅ abuse.ch/SSL Fingerprint Blacklist
  • ✅ abuse.ch/SSL IP Blacklist
  • ✅ abuse.ch/ThreatFox
  • ✅ abuse.ch/URLhaus
  • ✅ ET open/emerging-malware
  • ✅ ET open/emerging-phishing
  • ✅ ET open/emerging-shellcode
  • ✅ ET open/emerging-worm
  • ✅ ET open/emerging-scan
  • ✅ ET open/emerging-web_client
  • ✅ ET open/threatview_CS_c2
  • ✅ ET open/emerging-exploit (if you downloaded it)

Select ALL the rulesets you downloaded in Step 20.

Click Save (bottom of page)

Why is this so important?

  • Downloaded rules start in "disabled" state
  • Creating a policy and selecting rulesets enables them
  • Without this, Suricata runs but catches nothing!

Step 24: Start Suricata

Now we're ready to start the IDS!

Go back to: Services → Intrusion Detection → Administration

Click Apply (top right, orange button)

Wait 30-60 seconds for Suricata to fully initialize.

Verify from console:

# Check if service is running
service suricata status

# Should show: "suricata is running as pid XXXX"

Check the logs:

# List log files
ls -la /var/log/suricata/

# Should see files like:
# - suricata_20251007.log
# - stats.log
# - eve.json

# Read the main log
tail -100 /var/log/suricata/suricata_*.log

Look for this at the end:

Threads created -> W: 4 FM: 1 FR: 1  Engine started

If you see "Engine started" - Suricata is operational!

You may see warnings about "flowbit checked but not set" - these are harmless. They just mean some rules reference other rules you didn't enable.


Step 25: Test Intrusion Detection

Time for the moment of truth!

CRITICAL: You MUST test from a CLIENT device, NOT from OPNsense itself!

Suricata cannot inspect traffic originating from the OPNsense box. You need to test from a computer on your network.

From your Windows/Mac/Linux computer:

Windows (Command Prompt or PowerShell):

curl http://testmynids.org/uid/index.html

Mac/Linux (Terminal):

curl http://testmynids.org/uid/index.html

Or simply open a web browser and go to:

http://testmynids.org/uid/index.html

You should see:

uid=0(root) gid=0(root) groups=0(root)

This is a harmless test that triggers IDS rules.


Step 26: Check for Alerts

In OPNsense Web GUI:

Services → Intrusion Detection → Alerts

You should see an alert entry like:

  • Alert: "GPL ATTACK_RESPONSE id check returned root"
  • Source IP: Your client's IP (e.g., 192.168.1.100)
  • Destination IP: testmynids.org IP
  • Timestamp: Just now
  • Classification: Potentially Bad Traffic

If you see this alert: 🎉 SUCCESS! Your IDS is working perfectly!
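The Alerts page is the easy way to look, but once Suricata is running you will also want a quick way to triage eve.json (the file listed in Step 24) from the console: which signatures fire most, which internal hosts trigger them, and which alerts are severe enough to look at first. The script below is an added example, not OPNsense code or the author's. It relies on Suricata writing one JSON object per line and uses sed/awk only, since jq is not assumed to be installed; the four event records written by write_sample_eve are constructed for the demonstration (the second signature name is made up, the first is the one this step expects).

```shell
#!/bin/sh
# Console-side triage of Suricata's eve.json without jq.
# Added example, not OPNsense code. Sample records below are constructed.

write_sample_eve() {
  cat > "$1" <<'EOF'
{"timestamp":"2025-10-07T18:02:11.000000-0700","event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-10-07T18:02:12.000000-0700","event_type":"flow","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2025-10-07T18:05:40.000000-0700","event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-10-07T18:09:03.000000-0700","event_type":"alert","src_ip":"192.168.1.42","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature":"EXAMPLE INFO constructed sample signature","category":"Misc activity","severity":3}}
EOF
}

# json_str KEY  (stdin: one eve line) -> value of the "KEY":"..." pair.
# Good enough for Suricata's flat single-line records; not a JSON parser.
json_str() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Number of alert records; flow, dns and stats records are ignored.
alert_count() {
  grep -c '"event_type":"alert"' "$1"
}

# count_alert_field FILE KEY -> "<count> <value>" lines, most frequent first.
count_alert_field() {
  sed -n "/\"event_type\":\"alert\"/ s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Which rules fire most, and which internal hosts trigger them.
alerts_by_signature() { count_alert_field "$1" signature; }
alerts_by_source()    { count_alert_field "$1" src_ip; }

# severe_alerts FILE MAXSEV -> "timestamp src_ip signature" for alerts whose
# severity is MAXSEV or lower (1 is the most severe in ET rules).
severe_alerts() {
  grep '"event_type":"alert"' "$1" | while IFS= read -r line; do
    sev=$(printf '%s\n' "$line" | sed -n 's/.*"severity":\([0-9]*\).*/\1/p')
    [ -n "$sev" ] && [ "$sev" -le "$2" ] || continue
    printf '%s %s %s\n' \
      "$(printf '%s\n' "$line" | json_str timestamp)" \
      "$(printf '%s\n' "$line" | json_str src_ip)" \
      "$(printf '%s\n' "$line" | json_str signature)"
  done
}

# Usage on OPNsense (path from Step 24):
#   alerts_by_signature /var/log/suricata/eve.json | head
#   alerts_by_source    /var/log/suricata/eve.json | head
#   severe_alerts       /var/log/suricata/eve.json 2
```

After the testmynids.org check, alerts_by_signature should list "GPL ATTACK_RESPONSE id check returned root" and alerts_by_source should show the client you tested from; if both are empty while the GUI shows nothing either, work through Part 9 below.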


Part 9: Troubleshooting IDS

No alerts appearing after running the test? Here's how to debug:

Problem: Interface Configuration

# Verify interfaces are correct in config
cat /usr/local/etc/suricata/suricata.yaml | grep -A 20 "af-packet:"

# MUST show em0 and em1, NOT eth0

If it still shows eth0, go back to Step 22 and fix it.

Problem: HOME_NET Not Set

# Check HOME_NET includes your networks
cat /usr/local/etc/suricata/suricata.yaml | grep -A 5 "address-groups:"

# Should show YOUR actual IP ranges

If it shows generic ranges (192.168.0.0/16, etc.), edit and specify your exact networks.
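The interface and HOME_NET checks above are the same two greps from Step 22, and the fix is the same edit, so here they are as one script: an added example, not OPNsense code or the author's. check_suricata_cfg fails with a reason when the af-packet block still names eth0 or HOME_NET is still the generic default; fix_suricata_cfg rewrites the af-packet block exactly as Step 22 specifies (em0/em1, cluster-id 98/99) and sets HOME_NET to the networks you pass, keeping a .bak copy. The config written by write_sample_yaml is constructed to reproduce the wrong defaults described in Step 22; the real file is /usr/local/etc/suricata/suricata.yaml.

```shell
#!/bin/sh
# Check (and optionally rewrite) the two suricata.yaml settings from Step 22:
# af-packet interface names and HOME_NET. Added example, not OPNsense code.

# Constructed sample reproducing the wrong defaults described in Step 22.
write_sample_yaml() {
  cat > "$1" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0
    threads: auto

logging:
  default-log-level: notice
EOF
}

# Print the interface names under af-packet:, one per line. The block ends at
# the first line that is not indented (the next top-level key).
afpacket_interfaces() {
  awk '
    /^af-packet:/ { inblock = 1; next }
    inblock && /^[^ \t#]/ { inblock = 0 }
    inblock && /^[ \t]*-[ \t]*interface:/ { sub(/.*interface:[ \t]*/, ""); print }
  ' "$1"
}

# Print the quoted HOME_NET list, e.g. [192.168.1.0/24]
home_net() {
  awk -F'"' '/^[ \t]*HOME_NET:/ { print $2; exit }' "$1"
}

# Exit 0 when the interfaces are FreeBSD names and HOME_NET is not the generic
# default; otherwise print the reason and exit 1.
check_suricata_cfg() {
  ifaces=$(afpacket_interfaces "$1")
  case "$ifaces" in
    "")     echo "FAIL: no interface under af-packet"; return 1 ;;
    *eth0*) echo "FAIL: af-packet still lists eth0 (Linux name)"; return 1 ;;
  esac
  hn=$(home_net "$1")
  if [ "$hn" = '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]' ]; then
    echo "FAIL: HOME_NET is still the generic default"; return 1
  fi
  echo "OK: interfaces=$(printf '%s' "$ifaces" | tr '\n' ' ') HOME_NET=$hn"
}

# Replace the af-packet block with the em0/em1 block from Step 22 and set
# HOME_NET to the comma-separated networks in $2. Original kept as FILE.bak.
fix_suricata_cfg() {
  cp "$1" "$1.bak"
  awk -v nets="$2" '
    /^af-packet:/ {
      print "af-packet:"
      n = split("em0 em1", ifs, " ")
      for (i = 1; i <= n; i++) {
        print "  - interface: " ifs[i]
        print "    threads: auto"
        print "    cluster-id: " (97 + i)      # 98 for em0, 99 for em1
        print "    cluster-type: cluster_flow"
        print "    defrag: yes"
        print "    use-mmap: yes"
        print "    tpacket-v3: yes"
      }
      skip = 1; next
    }
    skip && /^[^ \t#]/ { skip = 0; print "" }   # next top-level key ends old block
    skip { next }
    /^[ \t]*HOME_NET:/ { print "    HOME_NET: \"[" nets "]\""; next }
    { print }
  ' "$1.bak" > "$1"
}

# Usage on OPNsense (your own networks go in the second argument):
#   check_suricata_cfg /usr/local/etc/suricata/suricata.yaml \
#     || fix_suricata_cfg /usr/local/etc/suricata/suricata.yaml "192.168.1.0/24"
```

Run check_suricata_cfg again after every Apply in the Intrusion Detection pages; if the file ever reverts to eth0 or the default HOME_NET, you know the GUI regenerated it and the edit has to be repeated before Suricata will see traffic.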

Problem: Policy Not Created

Services → Intrusion Detection → Policy

  • Should show at least one policy entry
  • With all your selected rulesets listed
  • If empty, go back to Step 23

Problem: Rules Not Downloaded

Services → Intrusion Detection → Download

  • Should show dates next to enabled rulesets
  • If showing errors, click Download & Update Rules again

Problem: Suricata Not Running

# Check service
service suricata status

# If stopped, check logs for errors
tail -100 /var/log/suricata/suricata_*.log | grep -i error

# Common error: "Cannot find interface em0"
# Solution: Edit YAML file (Step 22)

# Restart service
service suricata restart
sleep 10
service suricata status

Problem: Tested from OPNsense Itself

You cannot test from OPNsense! Suricata can only inspect traffic passing THROUGH the box, not originating FROM it.

Solution: Test from any client device on your network.

Problem: Client Can't Reach Test Site

# From client, test basic connectivity
ping YOUR_OPNSENSE_IP
nslookup testmynids.org
curl http://testmynids.org/uid/index.html

If DNS or connectivity fails, fix those first before troubleshooting IDS.


Part 10: Optional Enhancements

Email Alerts

Want to get notified of threats via email?

System → Settings → Notifications

For Gmail (easiest option):

  1. Enable 2-Factor Authentication on your Gmail account

  2. Create an App Password:

    • Go to: https://myaccount.google.com/security
    • Click "App passwords"
    • Generate password for "Mail" / "Other"
    • Copy the 16-character password
  3. Configure in OPNsense:

    • Enabled: ✅ Check
    • From email: youremail@gmail.com
    • Notification recipient: youremail@gmail.com
    • SMTP Host: smtp.gmail.com
    • SMTP Port: 587
    • Secure SMTP Connection: STARTTLS
    • SMTP Username: youremail@gmail.com
    • SMTP Password: [Your 16-char app password]
  4. Click Save

  5. Click Test - you should receive an email within 1-2 minutes

For IDS alerts:

  • Services → Intrusion Detection → Administration
  • Look for alert settings
  • Configure to send alerts above certain severity

Enable IPS Mode (Blocking)

After running in Alert mode for 1-2 weeks with NO false positives:

Services → Intrusion Detection → Administration

  • IPS mode: Check this box

Click Save

Click Apply

Now Suricata will actively BLOCK detected threats instead of just alerting!

Warning: Start with Alert mode. IPS mode can block legitimate traffic if rules are too aggressive. Monitor alerts for at least a week before enabling blocking.


DNS over TLS (DoT)

Want encrypted DNS queries to upstream servers?

Services → Unbound DNS → General

  • Enable: DNS over TLS
  • Configure upstream: Cloudflare, Quad9, or other DoT providers

This encrypts your outbound DNS queries for maximum privacy.


Part 11: Monitoring and Maintenance

Daily Monitoring

Dashboard (Lobby):

  • Add widgets for System, Interfaces, Firewall
  • Quick health check at a glance

Services → Intrusion Detection → Alerts:

  • Check daily for threats
  • Investigate any critical alerts
  • Look for patterns or repeated attacks

Firewall → Log Files:

  • Review blocked connections
  • Look for scan attempts
  • Monitor unusual traffic patterns

Weekly Tasks

Review IDS alerts:

  • Services → Intrusion Detection → Alerts
  • Sort by severity
  • Investigate high-priority alerts
  • Note repeat offenders (IPs, countries)

Check system resources:

  • System → Activity
  • Monitor CPU, RAM, disk usage
  • Ensure Suricata isn't overloading the system
  • If CPU > 80% sustained, consider reducing rulesets

Verify DNS is functioning:

  • Test from various devices
  • Check query logs: Services → Unbound DNS → Query Log
  • Ensure no DNS-related errors

Monthly Maintenance

Update OPNsense:

  • System → Firmware → Updates
  • Check for updates
  • Read release notes
  • Apply updates (usually safe, but backup first)

Update Threat Rules:

  • Services → Intrusion Detection → Download
  • Click Download & Update Rules
  • Verify update completes successfully

Backup Configuration:

  • System → Configuration → Backups
  • Download configuration
  • Store safely (encrypted USB, cloud storage)
  • Keep 3 recent backups

Review logs:

  • Check for recurring issues
  • Look for performance problems
  • Identify false positives

Test DNS functionality:

  • From multiple devices
  • From multiple networks (if applicable)
  • Verify ad blocking is working

Conclusion

Congratulations! You've built an enterprise-grade DNS and security monitoring system. Here's what you accomplished:

Private DNS Server

  • No tracking by ISPs or third-party DNS providers
  • DNSSEC validation protects against DNS spoofing
  • Recursive DNS queries for maximum privacy

Multi-Network Support

  • Serve multiple VLANs or subnets
  • Centralized DNS for entire network
  • Easy management from one interface

Ad and Malware Blocking

  • DNS-level blocking (all devices protected)
  • No per-device configuration needed
  • Blocks ads, trackers, and malware domains

Real-Time Threat Detection

  • Suricata IDS monitoring 24/7
  • Multiple threat intelligence feeds
  • Alerts on exploits, malware, C&C traffic

Comprehensive Logging

  • See all DNS queries
  • Monitor security events
  • Track network activity

Your network is now significantly more secure and private!


What's Next?

Explore Additional Features:

  • Custom DNS overrides for local services
  • Split DNS for internal domains
  • Conditional forwarding
  • Additional blocklists
  • GeoIP blocking

Fine-Tune Security:

  • Review IDS alerts weekly
  • Adjust rules based on your environment
  • Enable IPS mode after confidence builds
  • Add custom Suricata rules

Expand Monitoring:

  • Add Grafana for visualization
  • Set up syslog forwarding
  • Configure detailed alerting
  • Integrate with SIEM tools

Key Takeaways

What Made This Work:

  1. Intel E1000 network adapters - Critical for compatibility with OPNsense/FreeBSD

  2. Correct interface configuration - The YAML file MUST use your actual interfaces (em0/em1), not default (eth0)

  3. HOME_NET configuration - Suricata must know which IPs are yours vs. external

  4. Policy creation - Downloaded rules are disabled by default; you MUST create a policy and select rulesets to activate them

  5. Multi-network support - Access lists and firewall rules for each network segment

  6. Testing methodology - Test from CLIENT devices, not from OPNsense itself


Final Thoughts

This setup provides security and privacy that most consumer routers can't match. You're now:

  • Private: No one logs your DNS queries
  • Secure: Threats detected in real-time
  • Informed: Complete visibility into network activity
  • Protected: Multiple layers of defense

The time investment pays off with peace of mind and network control.

Questions? Issues? Leave a comment below and I'll help troubleshoot!

Found this helpful? Share with others looking to improve their network security!


Quick Reference Card

Replace these with YOUR values:

  • YOUR_GATEWAY_IP = Your router's IP (e.g., 192.168.1.1)
  • YOUR_OPNSENSE_IP = IP you chose for OPNsense (e.g., 192.168.1.53)
  • YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)

Common Network Ranges:

  • 192.168.1.0/24 (192.168.1.1-254)
  • 192.168.0.0/24 (192.168.0.1-254)
  • 10.0.1.0/24 (10.0.1.1-254)
  • 10.0.0.0/24 (10.0.0.1-254)

Key Commands:

# DNS testing
drill google.com @YOUR_OPNSENSE_IP

# Suricata status
service suricata status

# View alerts
tail -50 /var/log/suricata/suricata_*.log

# Restart services
service unbound restart
service suricata restart

Key Config Files:

  • Suricata: /usr/local/etc/suricata/suricata.yaml
  • Unbound: Auto-generated by web GUI

Important URLs:

  • Web GUI: https://YOUR_OPNSENSE_IP
  • Test IDS: http://testmynids.org/uid/index.html

Critical Ports:

  • 53 = DNS (don't change)
  • 443 = HTTPS web interface
  • 22 = SSH (if enabled)


Good luck with your deployment! 🚀🔒




Created & Maintained by Pacific Northwest Computers


