Advanced Security Kaffee4Ecks OPNsense Config xD

Last updated
Jan 1, 2025
How it's used?
For work or educational use
Operating system
Windows 11
Other operating system
Arch Linux | MacOS
On-device encryption
N/A
Log-in security
    • Basic account password (insecure)
Security updates
Check for updates and Notify
Update channels
Allow stable updates only
User Access Control
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Fritzbox (as DSL / Fiber Modem)
Real-time security
Service / ToolFunctionality
ESET Smart Security (Hardened)Signature and behavior-based protection, sample submission disabled, firewall enabled
Firewall security
Other - Next-generation Firewall (NGFW)
About custom security
Service / ToolFunctionality
ESET Smart Security (Hardened)Signature and behavior-based protection, sample submission disabled, firewall enabled
AdGuard Home + Unbound DNSLocal DNS filtering combined with privacy-focused DNS (DNSSEC, DNS-over-TLS/DoH optional)
SearXNG (Docker Instance)Private, self-hosted meta search engine – anonymous, no telemetry, no tracking
TailScaleVLAN-isolated remote access with ACLs and detailed audit logging
Sample Testing VLANIsolated network segment with virtual machines for malware, phishing, and exploit simulations
IP / DNS Blocklists (Threat Feeds)Includes ThreatFox, AbuseIPDB, FireHOL, MalwareDomains, AdGuard lists, and custom feeds
Periodic malware scanners
Nothing right now
Malware sample testing
I do participate in malware testing. See details about my testing environment below.
Environment for malware testing
Virtualization Environment: Malware test VMs are deployed in dedicated, air-gapped VLANs to ensure complete network isolation.
Browser(s) and extensions
Brave / Firefox: Bitwarden, AdGuard Assistant, Imagus
Secure DNS
AdGuard Home + Unbound DNS
Desktop VPN
ProtonVPN
Password manager
Bitwarden / Vaultwarden
File and Photo backup
Nextcloud
Immich
UrBackup
Macrium Reflect
Subscriptions
    • None
System recovery
Macrium Reflect Backups on Home Server + External Server
UrBackup Home Server + External Server
Risk factors
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Downloading software and files from unknown / untrusted / shady sites
    • Gaming
    • Gaming with third-party mods
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Coding and development
    • Downloading malware samples
Computer specs

🖥️ Workstation


ComponentSpecification
CPUIntel Core i9-14900K (planned upgrade: AMD Ryzen 9 9950X3D)
GPUNVIDIA RTX 3080 Ti (planned upgrade: AMD RX 9070 XT)
RAM128 GB DDR4
Storage4 × 2 TB Samsung 990 Pro (NVMe) 1 × 4 TB Transcend SSD

🖴 Server (Storage & Docker)


ComponentSpecification
CPUIntel Core i5-14500K
GPUIntegrated GPU (iGPU 😄)
RAM128 GB DDR4
Storage16 × 16 TB Toshiba MG08ATA (HDDs) 2 × 2 TB Samsung 970 Evo (NVMe) 2 × 2 TB WD RED NVMe SSDs

🌐 Firewall – OPNsense Appliance


ComponentSpecification
CPUIntel Core i5 (11th Gen)
GPUIntegrated GPU (iGPU)
RAM32 GB DDR4
Storage2 × 1 TB Samsung 980 Pro (redundant setup 😄)
What I'm looking for?

Looking for maximum feedback.

Kaffee4Eck

Kaffee4Eck

Level 2
Thread author
Verified
Dec 6, 2015
51
99
65
Germany

🧱 Core System & Endpoint Setup

Firewall

  • OPNsense (current stable version) with full VLAN segmentation

Endpoints

Device TypeUsage
WindowsGaming – hardened ESET Smart Security Premium
Arch LinuxDevelopment & system administration
Mac Mini M1Productivity & software testing

🧪 Virtualization Environment

  • Malware testing VMs are hosted in dedicated, air-gapped VLANs, fully isolated from production networks for safe phishing/malware/exploit simulations.

🔐 Firewall Components & Protection Layers

ComponentDescription
ZenArmor (NGFW)Layer-7 policy enforcement, app detection, activated per VLAN
Suricata IDS/IPS (inline)Real-time traffic analysis using Emerging Threats and custom local rules
GeoIP FilteringBlocks all incoming traffic from outside the EU, VLAN-specific
Firewall Aliases & SegmentationFine-grained control over traffic for workstations, IoT, guest devices, test labs, etc.

🧠 Extended Security Services & Features

Service / ToolFunctionality
ESET Smart Security (hardened)Signature + behavior-based protection, sample submission disabled, local firewall active
AdGuard Home + Unbound DNSLocal DNS filtering with privacy-focused DNS (DNSSEC, DoT/DoH optional)
SearXNG (Docker)Private, self-hosted meta search engine – fully anonymous, no telemetry or tracking
TailScaleVLAN-isolated remote access with ACLs and audit logging
Sample Testing VLANMalware/phishing/exploit simulation VMs in a fully isolated network segment
Threat Feeds / IP & DNS BlocklistsIncludes ThreatFox, AbuseIPDB, FireHOL, MalwareDomains, AdGuard lists, and custom feeds

🖥️ Operating Systems & Per-System Security Strategy

SystemMeasures
Windows (Gaming)Hardened ESET, SmartScreen disabled, telemetry reduced
Arch LinuxAppArmor, hardened kernel, firewalld, DNS via DNS-over-HTTPS (DoH)
macOS (M1 Mini)Local firewall, DNS via Unbound, no iCloud, tracker blocking active

🔐 Network Security Goals

  • Maximum segmentation & visibility – each device only sees what it’s supposed to
  • No third-party cloud analysis (e.g., Microsoft Defender Cloud, Google DNS)
  • Isolated, real-world malware testing environment with minimal risk to the rest of the network
  • Zero Trust DNS & application enforcement

Protection Focus

  • Phishing / Malware / Command & Control (C2) communications
  • Telemetry & tracking prevention (both DNS- and IP-based)
  • Ransomware & exploit protection (behavioral + signature-based)
 
  • Like
Reactions: Gandalf_The_Grey, Zero Knowledge, oldschool and 2 others

You may also like...