Setting Up OPNsense as a Private DNS Server with Intrusion Detection in a Proxmox VM
Transform your network security with a dedicated DNS server and real-time threat detection
Introduction
Are you concerned about your internet privacy? Tired of ads tracking your every move? Want to protect your network from malware and intrusions? In this comprehensive guide, I'll show you how to deploy OPNsense in Proxmox as a powerful DNS server with built-in intrusion detection.
This setup gives you enterprise-grade security without replacing your existing router. You'll get:
- Private DNS - No logging by ISPs or third-party DNS providers
- DNSSEC validation - Protection against DNS spoofing
- Ad and malware blocking at the DNS level
- Real-time threat detection with Suricata IDS
- Multi-network support - Serve multiple VLANs or subnets
Best of all: Your existing UniFi (or other) router stays as your main gateway. OPNsense simply handles DNS and security monitoring.
Network Topology
Internet
↓
Main Router/Gateway (YOUR_GATEWAY_IP)
↓
OPNsense VM (YOUR_OPNSENSE_IP) - DNS & IDS
↓
LAN Devices
Example with common home network:
Internet
↓
Main Router (192.168.1.1)
↓
OPNsense VM (192.168.1.53) - DNS & IDS
↓
LAN Devices (192.168.1.x)
Key concept: OPNsense sits on your LAN as a specialized server, not as your main firewall/router.
Before You Begin: Know Your Network
You'll need to know these details about YOUR network:
- Your network range (examples):
  - 192.168.1.0/24 (common home network)
  - 192.168.0.0/24 (another common range)
  - 10.0.1.0/24 (common for prosumer routers)
  - 10.0.0.0/24 (UniFi default)
- Your gateway/router IP (examples):
  - 192.168.1.1
  - 192.168.0.1
  - 10.0.1.1
  - 10.0.0.1
- A free IP for OPNsense - Pick any unused IP in your range:
  - Example: If your network is 192.168.1.0/24, pick something like 192.168.1.53
  - Common DNS-themed choices: .53 (DNS port number), .10, .254
Throughout this guide:
- YOUR_GATEWAY_IP = Your router's IP address
- YOUR_OPNSENSE_IP = The IP you chose for OPNsense
- YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)
Write these down before starting!
Prerequisites
Before starting, ensure you have:
- Proxmox server with adequate resources
- Main router/gateway handling routing and DHCP (UniFi, pfSense, consumer router, etc.)
- Network information (listed above)
- VM Resources:
- 16GB RAM (minimum 4GB, but IDS needs more)
- 2-4 CPU cores
- 50GB storage
- 2 virtual network interfaces
Time required: 1-2 hours
Part 1: Proxmox VM Setup
Step 1: Create the OPNsense VM
In Proxmox Web Interface:
- Click Create VM (top right)
- General:
  - VM ID: (your choice)
  - Name: OPNsense-DNS
- OS:
  - Use OPNsense ISO image
- System:
  - Default settings OK
- Disks:
  - Size: 50GB
  - Storage: Your preferred datastore
- CPU:
  - Cores: 2-4
  - Type: host
- Memory:
  - RAM: 16384 MB (16GB)
  - Minimum: 1024
  - Ballooning: Enabled
- Network:
  - Bridge: vmbr0 (or your main bridge)
  - Model: Intel E1000 ⚠️ IMPORTANT!
  - Firewall: Unchecked
- Add second network interface:
  - Hardware → Add → Network Device
  - Bridge: vmbr0 (same bridge as first)
  - Model: Intel E1000 ⚠️ IMPORTANT!
  - Firewall: Unchecked
- Click Finish
Why Intel E1000 Network Adapters?
This is critical for proper operation!
VirtIO vs E1000:
- VirtIO (paravirtualized) - Faster performance, but can have compatibility issues with OPNsense
- Intel E1000 - Proven compatibility and stability with OPNsense/FreeBSD
In my testing:
- VirtIO caused intermittent network drops
- Interfaces would show as "up" but not pass traffic correctly
- E1000 worked flawlessly from the start
Recommendation: Always use Intel E1000 for OPNsense VMs unless you have specific reasons and experience to use VirtIO.
Both network interfaces must:
- Use the same bridge (usually vmbr0)
- Use E1000 model
- Have firewall unchecked (we'll control firewall in OPNsense)
Step 2: Install OPNsense
- Start the VM
- Follow the OPNsense installation wizard
- Use default settings
- Reboot when complete
Part 2: Initial OPNsense Configuration
Step 3: Configure Network Interfaces
After reboot, you'll see the console menu.
Select Option 1 - Assign Interfaces
Answer the prompts:
- Should VLANs be set up now? → Type n and press Enter
- Should LAGGs be set up now? → Type n and press Enter
- Enter WAN interface name: → Type em1 and press Enter
- Enter LAN interface name: → Type em0 and press Enter
- Enter Optional interface 1 name: → Just press Enter (leave blank)
- Do you want to proceed? → Type y and press Enter
Why WAN + LAN? Even though we're not using traditional WAN routing, having both interfaces gives us clean separation: LAN receives DNS queries, WAN sends them out to the internet.
Note: em0 and em1 are the FreeBSD interface names for Intel E1000 adapters. They'll always be named this way.
Step 4: Configure LAN IP Address
Select Option 2 - Set interface IP address
- Select interface: Type 2 (for LAN) and press Enter
- Configure IPv4 address LAN interface via DHCP? → Type n and press Enter
- Enter the new LAN IPv4 address: → Type YOUR_OPNSENSE_IP and press Enter
  - Example: If your network is 192.168.1.x, you might use 192.168.1.53
- Enter the new LAN IPv4 subnet bit count: → Type 24 (most common) and press Enter
  - 24 = 255.255.255.0 subnet mask
  - For most home/office networks, use 24
- For a WAN, enter the new LAN IPv4 upstream gateway address: → Just press Enter (leave blank)
- Configure IPv6 address LAN interface via DHCP6? → Type n and press Enter
- Enter the new LAN IPv6 address: → Just press Enter (skip IPv6)
- Do you want to enable the DHCP server on LAN? → Type n and press Enter
  - Critical: We do NOT want OPNsense handling DHCP. Your main router does that.
- Do you want to revert to HTTP as the web GUI protocol? → Type n and press Enter
- Enter the new LAN IPv4 upstream DNS server address: → Type 1.1.1.1 and press Enter
- Enter another LAN IPv4 upstream DNS server address: → Type 8.8.8.8 and press Enter
- Enter another LAN IPv4 upstream DNS server address: → Just press Enter (done)
Note: These DNS servers (1.1.1.1 and 8.8.8.8) are only for OPNsense's own use (system updates, etc.). Your clients will use Unbound on OPNsense for DNS.
Step 5: Configure Default Gateway
OPNsense needs to know how to reach the internet.
Select Option 8 - Shell
You'll see a command prompt. Type these commands (replacing with YOUR gateway IP):
# Set your router as the default gateway
# Replace YOUR_GATEWAY_IP with your actual router IP
route add default YOUR_GATEWAY_IP
# Example: route add default 192.168.1.1
# Make it permanent across reboots
echo 'defaultrouter="YOUR_GATEWAY_IP"' >> /etc/rc.conf.local
# Example: echo 'defaultrouter="192.168.1.1"' >> /etc/rc.conf.local
# Test connectivity to internet
ping -c 4 8.8.8.8
You should see ping replies. If not, check:
- Your gateway IP is correct
- The Proxmox network bridge is connected to your LAN
- Your router is operational
Test DNS resolution:
ping -c 4 google.com
If both tests work, you're ready to continue!
Step 6: Update OPNsense
Before proceeding, update the system:
opnsense-update -f
This will take 5-15 minutes. Let it complete fully. You may see some warnings about socket buffers - these are harmless.
After completion, the system may need to reboot. If prompted, reboot.
Part 3: Web Interface Configuration
Step 7: Access the Web GUI
From another computer on your network:
- Open a web browser
- Navigate to: https://YOUR_OPNSENSE_IP
  - Example: https://192.168.1.53
- You'll see a security warning (self-signed certificate) - accept it
- Login:
  - Username: root
  - Password: opnsense
  - These are the factory defaults; change the root password under System → Access → Users as soon as you're logged in
Setup Wizard will appear - Skip it!
- Click Skip or close the wizard
- We'll configure manually for better control
Step 8: Configure System Gateway
System → Gateways → Configuration
Click Add (+ icon, top right):
- Name: MAIN_GW (or whatever makes sense to you)
- Interface: LAN
- Address Family: IPv4
- IP Address: YOUR_GATEWAY_IP
  - Example: 192.168.1.1
- Far Gateway: Leave unchecked
- Disable Gateway Monitoring: ✅ Check this
  - (Prevents unnecessary monitoring traffic)
- Leave other settings as default
Click Save
Click Apply changes (top right)
This tells OPNsense where to send all internet-bound traffic.
Step 9: System DNS Settings
System → Settings → General
Scroll to DNS Servers section:
- Primary DNS Server: 1.1.1.1
- Secondary DNS Server: 8.8.8.8
- Allow DNS server list to be overridden by DHCP/PPP on WAN: ✅ Check this
Scroll down further:
- Prefer to use IPv4 even if IPv6 is available: ✅ Check this
- (Prevents IPv6-related issues)
Click Save (bottom of page)
Part 4: Unbound DNS Configuration
This is where the magic happens - configuring your private DNS resolver.
Step 10: Enable Unbound DNS
Services → Unbound DNS → General
Basic Settings:
- Enable Unbound: ✅ Check this
- Listen Port: 53 (default DNS port - don't change)
- Network Interfaces: Select LAN from the dropdown
  - This is where DNS queries come IN
- Outgoing Network Interfaces: Select WAN from the dropdown
  - This is where DNS queries go OUT to root servers
Advanced Settings (scroll down):
- DNSSEC: ✅ Check this
  - Provides cryptographic validation of DNS responses
- DNSSEC Validation: Yes (should be selected)
- DNS Query Forwarding: ❌ Leave UNCHECKED
  - Very important! Unchecked means recursive DNS (we query root servers directly)
  - Checked would forward to upstream DNS (not what we want)
Other settings:
- Register ISC DHCP4 Leases: Leave unchecked (we're not running DHCP)
- Register DHCP Static Mappings: Leave unchecked
Click Save (bottom of page)
Step 11: Configure Access Control Lists
Access lists determine which networks can use your DNS server.
Services → Unbound DNS → Access Lists
You'll likely see an empty list. Let's add your network(s).
Click + Add (top left):
For your primary network:
- Access List Name: Allow_Primary_Network
- Action: Allow
- Networks: YOUR_NETWORK
  - Examples:
    - 192.168.1.0/24 (192.168.1.0 - 192.168.1.255)
    - 192.168.0.0/24 (192.168.0.0 - 192.168.0.255)
    - 10.0.1.0/24 (10.0.1.0 - 10.0.1.255)
    - 10.0.0.0/24 (10.0.0.0 - 10.0.0.255)
Click Save
If you have additional networks (VLANs, guest network, etc.), add them too:
Click + Add again:
- Access List Name: Allow_Guest_Network (or appropriate name)
- Action: Allow
- Networks: YOUR_SECOND_NETWORK
  - Example: 192.168.2.0/24 (guest network)
Click Save
After adding all networks, click Apply (top right, orange button)
Without access control entries, clients won't be able to query your DNS server!
Tip: If you're unsure of your network range, check your router's DHCP settings or run ipconfig /all (Windows) or ip addr (Linux) on a client device.
Step 12: Verify DHCP is Disabled
Services → DHCPv4 → [LAN]
Make absolutely sure:
- Enable DHCP server on LAN interface: ❌ UNCHECKED
If it's checked, uncheck it and click Save.
Your main router handles DHCP, not OPNsense.
Part 5: Firewall Rules
Firewall rules control what traffic can flow where. We need to allow DNS queries and ping for testing.
Step 13: LAN Firewall Rules
Firewall → Rules → LAN
You'll see some default rules. We need to add specific rules for DNS.
Add DNS Rule - Click + Add (top left):
- Action: Pass ✅
- Quick: Leave checked
- Interface: LAN
- Direction: in
- TCP/IP Version: IPv4
- Protocol: TCP/UDP
  - Important: Select TCP/UDP from dropdown, not just one
- Source / Invert: Leave unchecked
- Source: Select LAN net from dropdown
- Source Port Range: any to any
- Destination / Invert: Leave unchecked
- Destination: Select This Firewall from dropdown
- Destination Port Range: From (other) → type 53, To (other) → type 53
  - Or select DNS from the dropdown if available
- Description: Allow DNS queries from LAN
Click Save
Add ICMP (Ping) Rule - Click + Add:
- Action: Pass ✅
- Interface: LAN
- TCP/IP Version: IPv4
- Protocol: ICMP
- ICMP Type: Leave as any
- Source: LAN net
- Destination: This Firewall
- Description: Allow ICMP from LAN
Click Save
If you have multiple networks, add similar rules for each:
For each additional network:
DNS Rule:
- Same settings as above, but:
  - Source: Select Single host or Network
  - Source Network: Type YOUR_SECOND_NETWORK
    - Example: 192.168.2.0/24
  - Description: Allow DNS from guest network (or appropriate name)
ICMP Rule:
- Same settings as above, but:
  - Source: Select Single host or Network
  - Source Network: Type YOUR_SECOND_NETWORK
  - Description: Allow ICMP from guest network
After adding all rules, click Apply Changes (top right)
Step 14: WAN Firewall Rule
This allows OPNsense to query DNS servers on the internet.
Firewall → Rules → WAN
Click + Add:
- Action: Pass ✅
- Interface: WAN
- Direction: out
- TCP/IP Version: IPv4
- Protocol: TCP/UDP
- Source: Select This Firewall from dropdown
- Source Port: any to any
- Destination: any
- Destination Port: DNS (53) or custom 53
- Description: Allow DNS queries to internet
Click Save
Click Apply Changes
Part 6: Testing DNS Functionality
Let's verify everything is working before moving to intrusion detection.
Step 15: Test DNS from OPNsense
Go back to console (Proxmox → Console)
Select Option 8 - Shell
# Test DNS resolution on localhost
drill google.com @127.0.0.1
# Test DNS on LAN interface
drill google.com @YOUR_OPNSENSE_IP
# Example: drill google.com @192.168.1.53
# Both should return IP addresses for google.com
If you see IP addresses, DNS is working on OPNsense!
Step 16: Test from a Client Device
From your Windows/Mac/Linux computer:
Windows (Command Prompt):
nslookup google.com YOUR_OPNSENSE_IP
Example: nslookup google.com 192.168.1.53
Mac/Linux (Terminal):
nslookup google.com YOUR_OPNSENSE_IP
Example: nslookup google.com 192.168.1.53
You should see:
- Server: YOUR_OPNSENSE_IP
- Name: google.com
- Address: (IP addresses)
If this works, your DNS server is operational! ✅
If it fails:
- Check firewall rules are enabled
- Verify the client can ping YOUR_OPNSENSE_IP
- Check access lists include the client's network
- Review firewall logs: Firewall → Log Files → Live View
Step 17: Configure Your Router's DHCP
Now we tell all clients to use OPNsense for DNS.
The exact steps vary by router. Here are examples:
UniFi Controller:
Settings → Networks → [Your Network Name]
- DHCP Name Server: Change from Auto to Manual
- DNS Server 1: YOUR_OPNSENSE_IP (e.g., 192.168.1.53)
- DNS Server 2: 1.1.1.1 (backup)
- Click Apply Changes
Consumer Router (Web Interface):
- Look for LAN Settings, DHCP Settings, or Network Settings
- Find DNS Server or Primary/Secondary DNS
- Set Primary DNS: YOUR_OPNSENSE_IP
- Set Secondary DNS: 1.1.1.1
- Save/Apply
pfSense/OPNsense Main Router:
- Services → DHCP Server
- Scroll to DNS Servers
- Set servers to YOUR_OPNSENSE_IP and 1.1.1.1
- Save
Repeat for each network/VLAN you want to use OPNsense DNS.
Note: clients are free to send queries to the secondary DNS server at any time, not only when OPNsense is unreachable, so anything resolved through 1.1.1.1 bypasses your blocklists and query log. If that matters to you, hand out OPNsense alone or a second resolver you also control.
Renew DHCP on client devices:
- Windows: ipconfig /release, then ipconfig /renew
- Mac: Turn WiFi off, wait 5 seconds, turn WiFi on
- Linux: sudo dhclient -r && sudo dhclient
Verify clients are using OPNsense:
# Windows
ipconfig /all
# Look for "DNS Servers" - should show YOUR_OPNSENSE_IP
# Mac/Linux
cat /etc/resolv.conf
# Should show: nameserver YOUR_OPNSENSE_IP
Test general internet connectivity:
- Browse to any website
- It should load normally
- DNS queries are now going through your private server!
Part 7: Optional - DNS Blocklists
Want to block ads and malware at the DNS level? Enable blocklists!
Step 18: Enable Ad and Malware Blocking
Services → Unbound DNS → Blocklists
Enable these recommended lists:
- ✅ Steven Black's hosts - Ads + malware
- ✅ Malware Domain List - Known malware domains
- ✅ URLhaus - Malware distribution sites
- ✅ EasyList - Popular ad blocking list (if available)
Click Save
Click Apply
Test ad blocking:
nslookup doubleclick.net YOUR_OPNSENSE_IP
# Should return 0.0.0.0 or be blocked
Ads will now be blocked network-wide for all devices!
Part 8: Intrusion Detection System (Suricata)
Now for the advanced part - real-time threat detection. This is where we catch malware, exploits, and malicious traffic.
Step 19: Verify Suricata is Available
Good news: Modern OPNsense includes Suricata IDS by default. No plugin installation needed!
Verify it's available:
- Go to Services in the menu
- You should see Intrusion Detection
- Click on it - you'll see tabs: Administration, Download, Rules, Policy, etc.
If you don't see it, you may need to install the plugin:
- System → Firmware → Plugins
- Find os-suricata and install it
Step 20: Download Threat Intelligence (CRITICAL FIRST STEP!)
IMPORTANT: You must select and download your blocklists BEFORE configuring policies!
Services → Intrusion Detection → Download
You'll see a long list of available rulesets. Here's what to enable for comprehensive protection:
Abuse.ch Feeds (Enable ALL 5):
- ✅ abuse.ch/Feodo Tracker - Banking trojans and botnets
- ✅ abuse.ch/SSL Fingerprint Blacklist - Malicious SSL certificates
- ✅ abuse.ch/SSL IP Blacklist - IPs using malicious SSL
- ✅ abuse.ch/ThreatFox - Current indicators of compromise
- ✅ abuse.ch/URLhaus - Malware distribution URLs
ET Open Rules (Select these core security rules):
- ✅ ET open/emerging-malware - Malware detection
- ✅ ET open/emerging-phishing - Phishing sites
- ✅ ET open/emerging-shellcode - Exploit attempts
- ✅ ET open/emerging-worm - Worm activity
- ✅ ET open/emerging-scan - Port scans
- ✅ ET open/emerging-web_client - Browser exploits
- ✅ ET open/threatview_CS_c2 - Command & control servers
- ✅ ET open/emerging-exploit (if available)
What NOT to enable (to avoid false positives and performance issues):
- ❌ emerging-info (too noisy)
- ❌ emerging-icmp_info (flags normal traffic)
- ❌ emerging-imap, pop3, smtp (unless you run mail servers)
- ❌ emerging-dos (your router handles this)
- ❌ All the OPNsense-App-detect rules (add overhead)
After selecting your rulesets:
Click Download & Update Rules (bottom of page)
Wait 5-10 minutes. The page will show progress. This downloads thousands of threat signatures.
Do not proceed until download completes!
Step 21: Configure Suricata Basic Settings
Services → Intrusion Detection → Administration
General Settings:
- Enable IDS/IPS: ✅ Check this box
- IPS mode: ❌ Leave UNCHECKED for now
  - Unchecked = Alert mode (monitoring only)
  - Checked = Block mode (will actively block threats)
  - Start with alerts only until you're confident
- Promiscuous mode: ✅ Check this
  - Allows Suricata to see all network traffic
- Pattern matcher: Select Hyperscan from dropdown
  - Fastest pattern matching engine
Interfaces:
- ✅ LAN - Check this box
- ✅ WAN - Check this box
Both interfaces should be monitored.
Leave other settings as default for now.
Click Save (bottom of page)
Don't click Apply yet - we need to fix the configuration file first!
Step 22: Fix Interface Configuration in YAML (CRITICAL!)
This is the most important step! The Suricata configuration file defaults to wrong interface names and will not work without manual correction.
Why this is necessary:
- OPNsense generates a default config using eth0 (Linux naming)
- But FreeBSD (which OPNsense runs on) uses em0, em1 for Intel E1000 adapters
- Without this fix, Suricata will start but see ZERO traffic
From console (Option 8 - Shell):
First, create required directories:
# Create log directory
mkdir -p /var/log/suricata
chmod 755 /var/log/suricata
# Create runtime directory
mkdir -p /var/run/suricata
chmod 755 /var/run/suricata
# Verify they exist
ls -la /var/log/suricata/
ls -la /var/run/suricata/
Now check the Suricata configuration:
# View the af-packet section (network interface config)
grep -A 20 "af-packet:" /usr/local/etc/suricata/suricata.yaml
You will almost certainly see:
af-packet:
  - interface: eth0
This is WRONG! Your interfaces are em0 (LAN) and em1 (WAN), not eth0.
We must edit the configuration file:
# Open the config file in editor
ee /usr/local/etc/suricata/suricata.yaml
Use arrow keys to scroll down. Find this section:
af-packet:
  - interface: eth0
    threads: auto
Delete the entire af-packet section and replace with:
af-packet:
  - interface: em0
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
  - interface: em1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
Critical details:
- em0 = LAN interface (these are the FreeBSD names for Intel E1000 adapters)
- em1 = WAN interface
- Different cluster-id for each interface (98 and 99)
- Both must be present for traffic inspection
While you're in the file, scroll down and find the vars: section (about 20-30 lines down). Look for:
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
Modify HOME_NET to match YOUR ACTUAL networks:
Examples:
If you have a single network (192.168.1.0/24):
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
If you have multiple networks:
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
Replace with YOUR network ranges:
- 192.168.1.0/24 (common home network)
- 192.168.0.0/24 (another common range)
- 10.0.1.0/24 (prosumer routers)
- 10.0.0.0/24 (UniFi default)
This tells Suricata which IPs are "yours" vs "external threats."
Save the file:
- Press Ctrl+C
- You'll see options at the bottom
- Select "a - save file"
- Press Enter to confirm filename
- The editor will close
Verify your changes:
# Check interfaces
grep -A 20 "af-packet:" /usr/local/etc/suricata/suricata.yaml
# Should now show em0 and em1, not eth0
# Check HOME_NET
grep -A 5 "address-groups:" /usr/local/etc/suricata/suricata.yaml
# Should show YOUR networks
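As an added check that is not part of the original guide, the following Python script parses the af-packet interface list and HOME_NET out of a suricata.yaml as plain text (so it needs nothing beyond the standard library and runs on the OPNsense box's own python3 or on a workstation) and flags the eth0 default and the generic HOME_NET ranges this step tells you to replace. The two embedded configs are constructed samples of the before and after states; the file path is the one this guide uses.

```python
#!/usr/bin/env python3
"""Check af-packet interfaces and HOME_NET in a suricata.yaml (added example
for this guide, not OPNsense's own tooling). Plain-text parsing on purpose:
needs nothing beyond the standard library.
Usage: python3 check_suricata_yaml.py [/usr/local/etc/suricata/suricata.yaml]
"""
import re
import sys

SURICATA_YAML = "/usr/local/etc/suricata/suricata.yaml"
# The catch-all ranges Step 22 tells you to replace with your real networks.
GENERIC_HOME_NET = {"192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"}

# Constructed sample: the default the guide says you will find (eth0).
DEFAULT_CFG = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0
    threads: auto

outputs:
"""

# Constructed sample: the same file after Step 22 for a 192.168.1.0/24 LAN.
FIXED_CFG = """\
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: em0
    threads: auto
    cluster-id: 98
  - interface: em1
    threads: auto
    cluster-id: 99
"""


def parse_af_packet(yaml_text):
    """Return [{'interface': name, 'cluster-id': int or None}, ...] from the
    top-level af-packet section, which ends at the next top-level key."""
    entries, in_section = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^af-packet:\s*$", line):
            in_section = True
            continue
        if not in_section:
            continue
        if re.match(r"^\S", line):      # next top-level key: section is over
            break
        m = re.match(r"^\s*-\s*interface:\s*(\S+)", line)
        if m:
            entries.append({"interface": m.group(1), "cluster-id": None})
            continue
        m = re.match(r"^\s*cluster-id:\s*(\d+)", line)
        if m and entries:
            entries[-1]["cluster-id"] = int(m.group(1))
    return entries


def parse_home_net(yaml_text):
    """Return the networks listed in HOME_NET: "[a,b,...]" (empty if absent)."""
    m = re.search(r'HOME_NET:\s*"?\[([^\]]*)\]"?', yaml_text)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []


def check_config(yaml_text, expected_ifaces=("em0", "em1")):
    """Return a list of problems; an empty list means the file matches Step 22."""
    findings = []
    entries = parse_af_packet(yaml_text)
    ifaces = [e["interface"] for e in entries]
    for want in expected_ifaces:
        if want not in ifaces:
            findings.append(f"af-packet: interface {want} is missing")
    for got in ifaces:
        if got not in expected_ifaces:
            findings.append(f"af-packet: unexpected interface {got} (Linux-style default?)")
    ids = [e["cluster-id"] for e in entries if e["cluster-id"] is not None]
    if len(ids) != len(set(ids)):
        findings.append("af-packet: each interface needs its own cluster-id")
    nets = parse_home_net(yaml_text)
    if not nets:
        findings.append("vars: HOME_NET not found")
    elif GENERIC_HOME_NET & set(nets):
        findings.append("vars: HOME_NET still contains the generic default ranges")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else SURICATA_YAML
    with open(path) as fh:
        problems = check_config(fh.read())
    for p in problems:
        print("PROBLEM:", p)
    print("OK: interfaces and HOME_NET look right" if not problems
          else f"{len(problems)} problem(s) found; redo Step 22")
    sys.exit(1 if problems else 0)
```

Run it after saving the file and again after Step 24, since a clean result here and "Engine started" in the log together confirm the interfaces Suricata is actually listening on.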
Step 23: Create Policy with Selected Rulesets (CRITICAL!)
This step activates your downloaded rules! Without this, rules are downloaded but disabled.
Services → Intrusion Detection → Policy
You'll likely see an empty page. That's normal.
Click + Add (top left):
Policy Configuration:
- Enabled: ✅ Check this
- Priority: 1 (or leave default)
- Action: alert
  - This makes rules generate alerts (not block yet)
Rulesets - THIS IS THE KEY:
You'll see a list of all the rulesets you downloaded. You MUST select EVERY ruleset you want active!
Scroll through and check:
- ✅ abuse.ch/Feodo Tracker
- ✅ abuse.ch/SSL Fingerprint Blacklist
- ✅ abuse.ch/SSL IP Blacklist
- ✅ abuse.ch/ThreatFox
- ✅ abuse.ch/URLhaus
- ✅ ET open/emerging-malware
- ✅ ET open/emerging-phishing
- ✅ ET open/emerging-shellcode
- ✅ ET open/emerging-worm
- ✅ ET open/emerging-scan
- ✅ ET open/emerging-web_client
- ✅ ET open/threatview_CS_c2
- ✅ ET open/emerging-exploit (if you downloaded it)
Select ALL the rulesets you downloaded in Step 20.
Click Save (bottom of page)
Why is this so important?
- Downloaded rules start in "disabled" state
- Creating a policy and selecting rulesets enables them
- Without this, Suricata runs but catches nothing!
Step 24: Start Suricata
Now we're ready to start the IDS!
Go back to: Services → Intrusion Detection → Administration
Click Apply (top right, orange button)
Wait 30-60 seconds for Suricata to fully initialize.
Verify from console:
# Check if service is running
service suricata status
# Should show: "suricata is running as pid XXXX"
Check the logs:
# List log files
ls -la /var/log/suricata/
# Should see files like:
# - suricata_20251007.log
# - stats.log
# - eve.json
# Read the main log
tail -100 /var/log/suricata/suricata_*.log
Look for this at the end:
Threads created -> W: 4 FM: 1 FR: 1 Engine started
If you see "Engine started" - Suricata is operational! ✅
You may see warnings about "flowbit checked but not set" - these are harmless. They just mean some rules reference other rules you didn't enable.
Step 25: Test Intrusion Detection
Time for the moment of truth!
CRITICAL: You MUST test from a CLIENT device, NOT from OPNsense itself!
Suricata cannot inspect traffic originating from the OPNsense box. You need to test from a computer on your network.
From your Windows/Mac/Linux computer:
Windows (Command Prompt or PowerShell):
curl http://testmynids.org/uid/index.html
Mac/Linux (Terminal):
curl http://testmynids.org/uid/index.html
Or simply open a web browser and go to:
http://testmynids.org/uid/index.html
You should see:
uid=0(root) gid=0(root) groups=0(root)
This is a harmless test that triggers IDS rules.
Step 26: Check for Alerts
In OPNsense Web GUI:
Services → Intrusion Detection → Alerts
You should see an alert entry like:
- Alert: "GPL ATTACK_RESPONSE id check returned root"
- Source IP: Your client's IP (e.g., 192.168.1.100)
- Destination IP: testmynids.org IP
- Timestamp: Just now
- Classification: Potentially Bad Traffic
If you see this alert: 🎉 SUCCESS! Your IDS is working perfectly!
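Once alerts are flowing, the GUI view above is fine for one test hit, but for the daily and weekly review in Part 11 it helps to summarize eve.json (listed in Step 24) by signature and by LAN host. The script below is an added example written for this guide, not OPNsense tooling; it reads eve.json line by line, keeps only alert events, tolerates a half-written last line, and uses the same HOME_NET ranges you set in Step 22 to decide which side of each alert is your host. The embedded eve.json lines are constructed samples using documentation IP ranges.

```python
#!/usr/bin/env python3
"""Summarize Suricata alerts from eve.json: which signatures fired, which LAN
hosts were involved, and which alerts are severity 1 (added example for this
guide, not OPNsense tooling).
Usage: python3 eve_alerts.py /var/log/suricata/eve.json 192.168.1.0/24 [more nets]
"""
import ipaddress
import json
import sys
from collections import Counter

# Constructed sample eve.json lines: two alerts from one client (the testmynids
# check from Step 25), a non-alert flow event, an inbound severity-1 alert with
# a made-up signature, and a truncated line such as you get when reading the
# file while Suricata is still writing it.
SAMPLE_EVE = """\
{"timestamp":"2025-10-07T10:15:01.000000-0700","event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-10-07T10:15:02.000000-0700","event_type":"flow","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2025-10-07T10:16:30.000000-0700","event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-10-07T10:20:00.000000-0700","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.101","proto":"TCP","alert":{"signature_id":9000001,"signature":"SAMPLE inbound high-severity alert (constructed)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2025-10-07T10:21:00.000000-0700","event_type":"al
"""


def load_alerts(lines):
    """Keep only event_type == "alert" records; skip other event types and
    lines that are not complete JSON."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        alerts.append({"ts": ev.get("timestamp"), "src": ev.get("src_ip"),
                       "dst": ev.get("dest_ip"), "sid": a.get("signature_id"),
                       "sig": a.get("signature"), "sev": a.get("severity")})
    return alerts


def summarize(alerts, home_nets):
    """Count alerts per signature and per LAN host (the side of the alert that
    is inside HOME_NET). In Suricata, severity 1 is the most serious."""
    nets = [ipaddress.ip_network(n) for n in home_nets]

    def is_home(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:      # missing or malformed address
            return False

    by_host = Counter()
    for a in alerts:
        if is_home(a["src"]):
            by_host[a["src"]] += 1
        elif is_home(a["dst"]):
            by_host[a["dst"]] += 1
    return {
        "total": len(alerts),
        "by_signature": Counter(a["sig"] for a in alerts),
        "by_host": by_host,
        "high_severity": [a for a in alerts if a["sev"] == 1],
    }


def report(summary):
    print(f"{summary['total']} alerts")
    print("Top signatures:")
    for sig, n in summary["by_signature"].most_common(10):
        print(f"  {n:4d}  {sig}")
    print("LAN hosts involved (repeat offenders first):")
    for host, n in summary["by_host"].most_common():
        print(f"  {n:4d}  {host}")
    for a in summary["high_severity"]:
        print(f"SEVERITY 1: {a['ts']} {a['src']} -> {a['dst']} sid={a['sid']} {a['sig']}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: eve_alerts.py EVE_JSON HOME_NET [HOME_NET ...]")
    with open(sys.argv[1]) as fh:
        report(summarize(load_alerts(fh), sys.argv[2:]))
```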
Part 9: Troubleshooting IDS
No alerts appearing after running the test? Here's how to debug:
Problem: Interface Configuration
# Verify interfaces are correct in config
grep -A 20 "af-packet:" /usr/local/etc/suricata/suricata.yaml
# MUST show em0 and em1, NOT eth0
If it still shows eth0, go back to Step 22 and fix it.
Problem: HOME_NET Not Set
# Check HOME_NET includes your networks
grep -A 5 "address-groups:" /usr/local/etc/suricata/suricata.yaml
# Should show YOUR actual IP ranges
If it shows generic ranges (192.168.0.0/16, etc.), edit and specify your exact networks.
Problem: Policy Not Created
Services → Intrusion Detection → Policy
- Should show at least one policy entry
- With all your selected rulesets listed
- If empty, go back to Step 23
Problem: Rules Not Downloaded
Services → Intrusion Detection → Download
- Should show dates next to enabled rulesets
- If showing errors, click Download & Update Rules again
Problem: Suricata Not Running
# Check service
service suricata status
# If stopped, check logs for errors
tail -100 /var/log/suricata/suricata_*.log | grep -i error
# Common error: "Cannot find interface em0"
# Solution: Edit YAML file (Step 22)
# Restart service
service suricata restart
sleep 10
service suricata status
Problem: Tested from OPNsense Itself
You cannot test from OPNsense! Suricata can only inspect traffic passing THROUGH the box, not originating FROM it.
Solution: Test from any client device on your network.
Problem: Client Can't Reach Test Site
# From client, test basic connectivity
ping YOUR_OPNSENSE_IP
nslookup testmynids.org
curl http://testmynids.org/uid/index.html
If DNS or connectivity fails, fix those first before troubleshooting IDS.
Part 10: Optional Enhancements
Email Alerts
Want to get notified of threats via email?
System → Settings → Notifications
For Gmail (easiest option):
- Enable 2-Factor Authentication on your Gmail account
- Create an App Password:
  - Go to: https://myaccount.google.com/security
  - Click "App passwords"
  - Generate password for "Mail" / "Other"
  - Copy the 16-character password
- Configure in OPNsense:
  - Enabled: ✅ Check
  - From email: youremail@gmail.com
  - Notification recipient: youremail@gmail.com
  - SMTP Host: smtp.gmail.com
  - SMTP Port: 587
  - Secure SMTP Connection: STARTTLS
  - SMTP Username: youremail@gmail.com
  - SMTP Password: [Your 16-char app password]
- Click Save
- Click Test - you should receive an email within 1-2 minutes
For IDS alerts:
- Services → Intrusion Detection → Administration
- Look for alert settings
- Configure to send alerts above certain severity
Enable IPS Mode (Blocking)
After running in Alert mode for 1-2 weeks with NO false positives:
Services → Intrusion Detection → Administration
- IPS mode: ✅ Check this box
Click Save
Click Apply
Now Suricata will actively BLOCK detected threats instead of just alerting!
Warning: Start with Alert mode. IPS mode can block legitimate traffic if rules are too aggressive. Monitor alerts for at least a week before enabling blocking.
DNS over TLS (DoT)
Want encrypted DNS queries to upstream servers?
Services → Unbound DNS → General
- Enable: DNS over TLS
- Configure upstream: Cloudflare, Quad9, or other DoT providers
This encrypts your outbound DNS queries for maximum privacy.
Part 11: Monitoring and Maintenance
Daily Monitoring
Dashboard (Lobby):
- Add widgets for System, Interfaces, Firewall
- Quick health check at a glance
Services → Intrusion Detection → Alerts:
- Check daily for threats
- Investigate any critical alerts
- Look for patterns or repeated attacks
Firewall → Log Files:
- Review blocked connections
- Look for scan attempts
- Monitor unusual traffic patterns
Weekly Tasks
Review IDS alerts:
- Services → Intrusion Detection → Alerts
- Sort by severity
- Investigate high-priority alerts
- Note repeat offenders (IPs, countries)
Check system resources:
- System → Activity
- Monitor CPU, RAM, disk usage
- Ensure Suricata isn't overloading the system
- If CPU > 80% sustained, consider reducing rulesets
Verify DNS is functioning:
- Test from various devices
- Check query logs: Services → Unbound DNS → Query Log
- Ensure no DNS-related errors
Monthly Maintenance
Update OPNsense:
- System → Firmware → Updates
- Check for updates
- Read release notes
- Apply updates (usually safe, but backup first)
Update Threat Rules:
- Services → Intrusion Detection → Download
- Click Download & Update Rules
- Verify update completes successfully
Backup Configuration:
- System → Configuration → Backups
- Download configuration
- Store safely (encrypted USB, cloud storage)
- Keep 3 recent backups
Review logs:
- Check for recurring issues
- Look for performance problems
- Identify false positives
Test DNS functionality:
- From multiple devices
- From multiple networks (if applicable)
- Verify ad blocking is working
Conclusion
Congratulations! You've built an enterprise-grade DNS and security monitoring system. Here's what you accomplished:
✅ Private DNS Server
- No tracking by ISPs or third-party DNS providers
- DNSSEC validation protects against DNS spoofing
- Recursive DNS queries for maximum privacy
✅ Multi-Network Support
- Serve multiple VLANs or subnets
- Centralized DNS for entire network
- Easy management from one interface
✅ Ad and Malware Blocking
- DNS-level blocking (all devices protected)
- No per-device configuration needed
- Blocks ads, trackers, and malware domains
✅ Real-Time Threat Detection
- Suricata IDS monitoring 24/7
- Multiple threat intelligence feeds
- Alerts on exploits, malware, C&C traffic
✅ Comprehensive Logging
- See all DNS queries
- Monitor security events
- Track network activity
Your network is now significantly more secure and private!
What's Next?
Explore Additional Features:
- Custom DNS overrides for local services
- Split DNS for internal domains
- Conditional forwarding
- Additional blocklists
- GeoIP blocking
Fine-Tune Security:
- Review IDS alerts weekly
- Adjust rules based on your environment
- Enable IPS mode after confidence builds
- Add custom Suricata rules
Expand Monitoring:
- Add Grafana for visualization
- Set up syslog forwarding
- Configure detailed alerting
- Integrate with SIEM tools
Key Takeaways
What Made This Work:
- Intel E1000 network adapters - Critical for compatibility with OPNsense/FreeBSD
- Correct interface configuration - The YAML file MUST use your actual interfaces (em0/em1), not default (eth0)
- HOME_NET configuration - Suricata must know which IPs are yours vs. external
- Policy creation - Downloaded rules are disabled by default; you MUST create a policy and select rulesets to activate them
- Multi-network support - Access lists and firewall rules for each network segment
- Testing methodology - Test from CLIENT devices, not from OPNsense itself
Final Thoughts
This setup provides security and privacy that most consumer routers can't match. You're now:
- Private: No one logs your DNS queries
- Secure: Threats detected in real-time
- Informed: Complete visibility into network activity
- Protected: Multiple layers of defense
The time investment pays off with peace of mind and network control.
Questions? Issues? Leave a comment below and I'll help troubleshoot!
Found this helpful? Share with others looking to improve their network security!
Quick Reference Card
Replace these with YOUR values:
- YOUR_GATEWAY_IP = Your router's IP (e.g., 192.168.1.1)
- YOUR_OPNSENSE_IP = IP you chose for OPNsense (e.g., 192.168.1.53)
- YOUR_NETWORK = Your network range (e.g., 192.168.1.0/24)
Common Network Ranges:
- 192.168.1.0/24 (192.168.1.1-254)
- 192.168.0.0/24 (192.168.0.1-254)
- 10.0.1.0/24 (10.0.1.1-254)
- 10.0.0.0/24 (10.0.0.1-254)
Key Commands:
# DNS testing
drill google.com @YOUR_OPNSENSE_IP
# Suricata status
service suricata status
# View recent engine log lines (the alerts themselves are written to eve.json)
tail -50 /var/log/suricata/suricata_*.log
# Restart services
service unbound restart
service suricata restart
Key Config Files:
- Suricata: /usr/local/etc/suricata/suricata.yaml
- Unbound: Auto-generated by web GUI
Important URLs:
- Web GUI: https://YOUR_OPNSENSE_IP
- Test IDS: http://testmynids.org/uid/index.html
Critical Ports:
- 53 = DNS (don't change)
- 443 = HTTPS web interface
- 22 = SSH (if enabled)
Good luck with your deployment! 🚀🔒
Created & Maintained by Pacific Northwest Computers
Vancouver WA, Battle Ground WA, Camas WA, Washougal WA, Longview WA, Kelso WA, and Portland OR