Serious Discussion How much is your Security Budget?

[Captain Awesome]

Kaspersky 6 USD for 1 year
K7 Ultimate 30 USD 1 time paid for lifetime (good deal)
Total 36 USD with lifetime K7 lic.

 

[Victor M]

Currently, my first line of defense is OPNsense, configured with numerous list-based rules. I'm also using CrowdSec, ZenArmor (IDS/IPS), and the built-in IDS/IPS engine

Have you ever used pfsense? If so, how does it compare with OPNsense? What do you like about OPNsense?

 

[Kaffee4Eck]

Have you ever used pfsense? If so, how does it compare with OPNsense? What do you like about OPNsense?

I also gave pfSense a try, but eventually settled on OPNsense. Simply put, it offers a more modern GUI/WebUI and faster feature upgrades and updates. I wouldn’t necessarily call it “bleeding edge,” but you do get access to newer systems, services, packages, and extensions a bit earlier.

I also find the OPNsense community to be larger and more active compared to pfSense. That said, the differences between the two are relatively minor. In the end, I just felt more comfortable and better supported with OPNsense.

I also used Sophos UTM for a while, but after all the licensing changes and other shifts around 2014–2016, I moved away from it fairly quickly.

 

[Victor M]

@Kaffee4Eck . Do you think OPNsense protects your network more? Why?

 

[Jonny Quest]

@bazang thanks for the parathesis clarification, it can make a little more sense to those who used to read the "old version".

Security is not software (and configurations). It is a process (that requires knowledge and disciplined habits).

 

[Kaffee4Eck]

@Kaffee4Eck . Do you think OPNsense protects your network more? Why?

Absolutely, I do believe that OPNsense provides significantly more protection for my network — and here’s why:

---

1. Full Visibility & Control​

With OPNsense, I have deep insight into every packet, every connection, and every device — not just logs, but real-time flow inspection, application-level analysis (with ZenArmor), and custom rule enforcement down to specific VLANs and user groups.


Unlike most commercial routers or all-in-one solutions, OPNsense allows me to build an environment based on the principles of Zero Trust, not just basic firewalling.

---

2. True Network Segmentation​

I use VLANs to isolate:

• Work devices
• IoT
• Guest devices
• Malware testing labs
  ... each with individual firewall rules, DNS control, and security policies.

Compromising one device ≠ compromising my network. That’s a fundamental layer of protection commercial routers rarely offer in a meaningful way.

---

​

3. IDS/IPS with Active Threat Blocking​

By running Suricata in inline mode, OPNsense actively blocks:

• Exploits
• Botnet traffic
• Known malicious payloads and scans
  I feed it with custom rulesets and global threat intelligence feeds (e.g., ThreatFox, ET Pro, AbuseIPDB), and can fine-tune it to my environment.

---

4. DNS Security & Privacy​

Combining Unbound DNS resolver with AdGuard Home gives me complete DNS filtering, blocking malicious domains, ads, telemetry — with DNSSEC, DNS-over-TLS/DoH, and per-client filtering.


No third-party DNS provider is involved unless I explicitly allow it — privacy stays within my infrastructure.

---

5. Enterprise-Grade Layer 7 Filtering (with ZenArmor)​

Using ZenArmor, I have access to:

• Application-aware firewalling
• Country blocking
• Bandwidth-aware policies
• Content filtering
  ... all with reporting and real-time stats.

This is beyond what even most SMB firewalls offer, let alone consumer devices.

---

​

6. Transparency, Open Source, and No Vendor Lock-in​

OPNsense is fully open source, and I can audit, tweak, or extend every part of the system. No cloud dependencies. No silent data collection. No forced firmware updates.


That’s real control, and with it comes real trust.

---

​

Conclusion​

OPNsense protects my network more than any closed consumer or SMB router ever could — not because of a brand, but because it gives me:

• Full control
• Granular enforcement
• Modern threat protection
• Auditable privacy
• True segmentation
• And the freedom to evolve with my needs

It's not plug-and-play — it's powerful by design. And that's exactly what I want.

 

[Victor M]

@Kaffee4Eck What managed switch do you use? I am looking for one.

 

[Kaffee4Eck]

@Kaffee4Eck What managed switch do you use? I am looking for one.

At the moment, I'm not using anything particularly expensive or high-end—just three Zyxel XGS1210-12 switches.

 

[Victor M]

Zyxel XGS1210-12

That model doesn't have 802.1Q ?

 

[Victor M]

just three Zyxel XGS1210-12 switches.

If they don't support 802.1Q then your VLAN tags will be stripped away. Unless of course if you use Port based VLAN on your router.

 

[Kaffee4Eck]

That model doesn't have 802.1Q ?

They support VLAN Tags.

 

[Victor M]

Thanks, that clarifies that. The specifications page doesn't mention it.

 

[Naturia]

I’m actually trying to understand something related to 802.1Q tagging.
If a switch strips the tag or doesn’t support full tagging, what does that mean in practice for segmentation?
I’m reading mixed things about how devices handle tagged vs untagged frames on access/trunk ports, so I’m a bit confused about what actually happens on the wire.
If someone has a simple explanation, I’d appreciate it.

802.1Q Trunking Explained | CCNA 200-301

802.1Q Trunking allows VLANs to span across multiple switches. Learn how this tagging protocol works and why it’s essential for inter-switch communication.

pingmynetwork.com