Building an Enterprise Network with OPNsense: A Complete Stack Overview

On my BOTUM infrastructure, I replaced a commercial firewall with an OPNsense VM on Proxmox. Result: enterprise-grade security, fully under control, for under $300 in hardware. Here's the complete architecture — and the detailed guides for each component.


Posts in This Series

  1. Post 1 — Install OPNsense in Proxmox: Complete Step-by-Step Guide
  2. Post 2 — Zero Trust VLANs: Isolating IoT, Work, Guest and DMZ (coming soon)
  3. Post 3 — WireGuard VPN: Site-to-site + Remote Workers (coming soon)
  4. Post 4 — WiFi by VLAN: APs and Segmented SSIDs (coming soon)
  5. Post 5 — CrowdSec + fail2ban: Collaborative IDS/IPS (coming soon)
  6. Post 6 — SD-WAN with Automatic LTE Failover (coming soon)
  7. Article 6 — NAC with FreeRADIUS & 802.1X: Network Access Control
  8. Article 7 — Suricata IDS/IPS: Intrusion Detection and Deep Packet Inspection
  9. Article 8 — AdGuard Home + DNS over HTTPS: DNS Filtering and Privacy
  10. Article 9 — OPNsense Monitoring with Grafana and InfluxDB: Real-Time Dashboards
  11. Article 10 — CARP & High Availability: Active/Passive OPNsense Pair
  12. Article 11 — Lightweight SIEM with Wazuh: Centralize and Correlate All Stack Logs
  13. Article 12 — Ansible as Code for OPNsense: Deploy and Version Your Infrastructure in One Command
  14. Article 13 — Automated OPNsense Config Backup
  15. Article 14 — Let's Encrypt Certificates with ACME on OPNsense
  16. Article 15 — NetFlow + ntopng: Network Traffic Analysis

OPNsense VM in Proxmox

Why OPNsense Over pfSense?

Stack Architecture

Proxmox (bare-metal hypervisor)
└── OPNsense VM (firewall + router)
    ├── WireGuard  → Site-to-site VPN + remote workers
    ├── WiFi       → APs + SSID per VLAN (IoT/Work/Guest)
    ├── SD-WAN     → Automatic LTE failover
    ├── VLANs      → IoT / Management / Production / DMZ
    ├── Zero Trust → Inter-VLAN rules
    ├── CrowdSec   → Collaborative IDS/IPS
    └── fail2ban   → SSH protection

Component Overview

VLANs — Zero Trust Segmentation

Zero Trust VLAN Architecture

WireGuard — VPN

Natively integrated since OPNsense 21.7. Site-to-site + remote access. Latency < 5ms.

WireGuard VPN

CrowdSec — Collaborative IDS/IPS

~300 new blocking decisions per day on my BOTUM infrastructure. Automatically.

CrowdSec IDS

Where to Start?

Install OPNsense in Proxmox — Complete Guide

🚀 Going Further with BOTUM

This guide covers the basics. In production, every environment has its own specifics. The BOTUM teams support organizations in deploying, fine-tuning and securing their infrastructure. If you have a project in mind, let's talk about it.
