| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| OpnSense - App Protection | App Inspection | true | 2026-02-23T21:52:43.630Z | | markdown | 2026-02-23T21:50:37.324Z |
Zenarmor (NGFW)
- Service: Zenarmor Next-Generation Firewall
- Plugin: os-sunnyvalley
- Tier: Free Edition
- Host: OPNsense firewall
Overview
Zenarmor adds application-layer awareness and web filtering to OPNsense that the base firewall does not provide. Where Suricata inspects packet content for known threat signatures, Zenarmor identifies what application or service is generating traffic and can block or allow based on that — regardless of port.
| Feature | Free Tier | Paid Tier |
|---|---|---|
| Layer-7 app identification | ✓ | ✓ |
| Web category filtering | Default policy only | Custom policies |
| Malware/phishing blocking | ✓ | ✓ |
| Real-time network analytics | ✓ | ✓ |
| Device tracking & alerts | ✗ | ✓ |
| Multiple policies | ✗ | ✓ |
| TLS inspection | ✗ | ✓ |
The free tier is useful primarily for visibility (seeing what applications are running on your network) and basic threat blocking (malware, phishing, PUP domains). The analytics dashboard alone makes it worthwhile.
✓ Zenarmor and Suricata can run simultaneously. They operate at different layers and do not conflict. Zenarmor handles application identity; Suricata handles content signatures.
⚠ MongoDB deprecation note: As of September 2025, MongoDB is being deprecated as the Zenarmor database backend. Use SQLite when prompted during setup — it is the supported path going forward.
Installation
Step 1 — Install the Plugin
- Go to System → Firmware → Plugins
- Search for os-sunnyvalley
- Click the + install button
- Wait for installation to complete
- Refresh the browser — a new Zenarmor menu item will appear in the sidebar
Step 2 — Initial Setup Wizard
Navigate to Zenarmor → Dashboard — this launches the setup wizard on first run.
Deployment Mode: Select Routed Mode (L3) for standard OPNsense setups. This is correct for your configuration.
Database: Select SQLite — do not select MongoDB (deprecated September 2025).
Interface: Select ATT (opt1) as the primary interface. Add WAN (igc0) while dual-WAN is still active.
⚠ Zenarmor should be applied to the LAN-facing side of the firewall for internal traffic inspection, or the WAN-facing side for inbound threat blocking. For your setup, applying it to both ATT and LAN gives the most coverage.
Cloud Connectivity: Leave enabled — Zenarmor uses cloud-based category lookups for web filtering. If you want fully offline operation, this can be disabled but web filtering accuracy degrades significantly.
Click Complete to finish the wizard.
Configuration
Step 3 — Security Policy
Navigate to Zenarmor → Security
Enable the following threat categories in the default policy:
| Category | Action | Notes |
|---|---|---|
| Malware | Block | Domains known to serve malware |
| Phishing | Block | Credential harvesting sites |
| Botnet | Block | C2 communication |
| PUP/Adware | Block | Potentially unwanted programs |
| SPAM Sources | Block | Known spam infrastructure |
| Parked Domains | Block | Often used for malicious redirects |
Leave the following as Alert initially (review before blocking):
- Anonymizers / Proxies — may block legitimate VPN services
- Peer-to-peer — may affect legitimate use cases
Step 4 — Application Control
Navigate to Zenarmor → Policies → Application Control
The free tier allows one default policy. Useful applications to consider blocking or monitoring:
| Application Category | Recommendation | Reason |
|---|---|---|
| Cryptocurrency mining | Block | Resource theft if unauthorized |
| Remote access tools (unknown) | Alert | Unexpected remote tools are a red flag |
| Tor | Alert | Monitor — may be legitimate or evasion |
| Anonymous proxies | Block | Bypass attempts |
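The Block/Alert split in Steps 3 and 4 is easier to reason about as data: a category that is set to Block wins over one set to Alert, and the Alert categories are the ones this page says to review before promoting. The following Python is an added example, not part of this page or of Zenarmor; the event records are constructed in the script (they do not follow Zenarmor's real log format), and the `decide` and `review_alerts` helpers are assumptions made for illustration. It shows how the recommended policy resolves a connection that matches several categories, and builds the per-host summary an admin would want when deciding whether Anonymizers, Peer-to-peer or Tor can safely be moved from Alert to Block.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Threat and application categories from Steps 3 and 4 of this page, with the recommended action.
# "alert" entries are the ones the page says to review before blocking.
POLICY: Dict[str, str] = {
    "Malware": "block",
    "Phishing": "block",
    "Botnet": "block",
    "PUP/Adware": "block",
    "SPAM Sources": "block",
    "Parked Domains": "block",
    "Anonymizers / Proxies": "alert",
    "Peer-to-peer": "alert",
    "Cryptocurrency mining": "block",
    "Remote access tools (unknown)": "alert",
    "Tor": "alert",
    "Anonymous proxies": "block",
}

# Strongest action wins when one connection matches several categories.
PRECEDENCE = {"block": 2, "alert": 1, "allow": 0}


def decide(categories: Iterable[str]) -> str:
    """Resolve the action for a connection that matched zero or more categories."""
    action = "allow"
    for cat in categories:
        candidate = POLICY.get(cat, "allow")  # unknown categories fall through to allow
        if PRECEDENCE[candidate] > PRECEDENCE[action]:
            action = candidate
    return action


# Constructed Zenarmor-style events for the example (not real logs, not Zenarmor's schema).
EVENTS: List[dict] = [
    {"src": "10.0.1.21", "dst": "vpn-gw.example", "categories": ["Anonymizers / Proxies"]},
    {"src": "10.0.1.21", "dst": "tracker.example", "categories": ["Peer-to-peer"]},
    {"src": "10.0.1.33", "dst": "tracker.example", "categories": ["Peer-to-peer"]},
    {"src": "10.0.1.33", "dst": "bad.example", "categories": ["Malware", "Anonymizers / Proxies"]},
    {"src": "10.0.1.40", "dst": "cdn.example", "categories": []},
]


def review_alerts(events: Iterable[dict]) -> Dict[str, dict]:
    """Summarise alert-only traffic per category: which hosts, which destinations, how many events.

    Connections that also hit a Block category are excluded; they were blocked, not alerted,
    so they tell you nothing about whether the Alert category is safe to promote.
    """
    summary = defaultdict(lambda: {"hosts": set(), "destinations": set(), "events": 0})
    for event in events:
        if decide(event["categories"]) != "alert":
            continue
        for cat in event["categories"]:
            if POLICY.get(cat) == "alert":
                entry = summary[cat]
                entry["hosts"].add(event["src"])
                entry["destinations"].add(event["dst"])
                entry["events"] += 1
    # Sorted lists make the report stable and easy to diff between review rounds.
    return {
        cat: {
            "hosts": sorted(entry["hosts"]),
            "destinations": sorted(entry["destinations"]),
            "events": entry["events"],
        }
        for cat, entry in summary.items()
    }


if __name__ == "__main__":
    for cat, entry in review_alerts(EVENTS).items():
        print(f"{cat}: {entry['events']} alert(s) from {entry['hosts']} to {entry['destinations']}")
```

In the constructed data the Peer-to-peer alerts come from two hosts but a single destination, while the anonymizer alerts come from one host to a VPN gateway; that is the kind of shape that tells you whether a Block rule would hit a known legitimate use or a genuine bypass attempt.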
Step 5 — Web Filtering
Navigate to Zenarmor → Policies → Web Controls
In the free tier, the default policy controls all web filtering. Recommended categories to block:
| Category | Action |
|---|---|
| Malware sites | Block |
| Phishing | Block |
| Hacking / exploit sites | Block |
| Illegal content | Block |
Enable Safe Search enforcement if desired — forces Google, Bing, and YouTube into safe search mode network-wide.
Dashboard & Analytics
Navigate to Zenarmor → Dashboard
The dashboard provides real-time visibility into:
- Top talkers — which internal hosts generate the most traffic
- Top applications — what services are being used
- Blocked threats — real-time feed of blocked requests
- Bandwidth usage — per-host and per-application
This is the primary value of the free tier — even without advanced policy control, the visibility into what is running on your network is significant.
Navigate to Zenarmor → Reports for historical analysis and trend data.
Performance Notes
Zenarmor uses deep packet inspection which adds some CPU overhead. On modern hardware (anything with i226-V NICs) this is negligible at home lab traffic volumes. Monitor CPU usage in Zenarmor → Dashboard → System after enabling.
If performance degrades, you can limit Zenarmor to specific interfaces rather than all interfaces.
Known Limitations (Free Tier)
- Only one web filtering policy — all devices get the same rules
- No per-device or per-group policies
- No TLS/SSL inspection — encrypted traffic is identified by SNI only
- No device inventory or unknown device alerts
- Web category database is cloud-dependent
Related Documentation
- OPNsense Firewall — parent firewall documentation
- Suricata IDS/IPS — complementary content inspection layer
- CrowdSec — IP reputation layer