Post

Home Lab 1 E3

Posted Updated
By
7 min read
Home Lab 1 E3

OPNsense NGFW with Zenarmor

If you’re running an OPNsense firewall, you already have a powerful open-source security platform. But what if you want to take it to the next level with Next-Generation Firewall (NGFW) capabilities like deep application inspection, advanced web filtering, and robust threat protection? Enter Zenarmor!

This guide will introduce you to Zenarmor, explain why it’s a fantastic addition to OPNsense, explore its features and plans, and walk you through the essential steps to install, use, and monitor it in your own lab or home network.

What is Zenarmor?

Zenarmor (from Sunny Valley Networks) is a powerful, lightweight, and easy-to-use NGFW plugin that seamlessly integrates with OPNsense (and other platforms). At its core, Zenarmor performs Deep Packet Inspection (DPI), allowing it to analyze network traffic at Layer 7 (the application layer). This means it can see beyond just IP addresses and ports, understanding the actual applications and protocols being used on your network.

Think of it as upgrading your firewall from a basic security guard checking IDs at the door to an intelligent security system that understands who is doing what, where they are going, and whether their activities are safe or allowed.

Why Use Zenarmor? The Benefits

Traditional firewalls are great for basic filtering, but modern networks face more sophisticated threats and require more granular control. Zenarmor bridges this gap by offering:

  1. Enhanced Security: Goes beyond IP/port blocking to identify and block advanced threats, malware, botnets, and phishing attempts based on real-time cloud-based threat intelligence.
  2. Application Control: See exactly which applications (e.g., Facebook, Netflix, BitTorrent, specific games) are being used on your network and create policies to block or allow them, regardless of the port they try to use.
  3. Advanced Web Filtering: Block access to undesirable website categories (e.g., adult, gambling, malware distribution sites, social media) with extensive categorization and policy options.
  4. User-Centric Policies (Paid Feature): Create different rules for different users or groups on your network, allowing for highly granular control (e.g., kids have stricter filtering than adults).
  5. Rich Reporting & Analytics: Gain deep insights into your network traffic with comprehensive reports on application usage, web activity, security threats, and bandwidth consumption.
  6. Ease of Use: Features a modern, user-friendly web interface (often cloud-managed) that simplifies complex NGFW policy creation.

Zenarmor Features & Plans: What to Expect

Zenarmor offers a range of features, typically scaling with different subscription plans. While you should always check the official Sunny Valley Networks website for the latest details, here’s a general overview:

  • Free Edition: Often includes:
    • Basic Application Control (a good number of app signatures).
    • Basic Web Filtering (e.g., based on security categories).
    • Community-driven threat intelligence.
    • Rich reporting and live session visibility.
    • This is an excellent way to get started and experience the core functionality.
  • Paid Editions (e.g., Home, SOHO, Business): These unlock more advanced capabilities:
    • Advanced Threat Intelligence: Access to commercial, real-time threat feeds for more comprehensive security.
    • Full Web Filtering Categorization: Access to a much larger and more detailed web category database.
    • Enhanced Application Control: More application signatures and finer control.
    • User Identification & User-Based Policies: Integrate with OPNsense local users, Active Directory, or other authentication methods to apply rules per user/group.
    • TLS Inspection (with caveats): The ability to inspect encrypted HTTPS traffic. This is a powerful feature for security but requires careful setup (deploying a local CA certificate to client devices) and has privacy implications.
    • Centralized Cloud Management: Manage multiple Zenarmor instances from a single cloud portal.
    • More extensive reporting and data retention.

The free tier is very generous and provides a fantastic way to explore Zenarmor’s power.

Getting Started: Installing, Using, and Monitoring Zenarmor on OPNsense

Here are the “final steps” to get Zenarmor up and running, assuming your OPNsense firewall has a stable internet connection and your client machines (like Kali) are correctly configured to use it as their gateway and DNS.

Prerequisite: Disable Other Conflicting IPS/IDS

If you have previously installed and enabled another Intrusion Prevention System (IPS) like Suricata, it’s crucial to disable it before running Zenarmor. Running two systems that perform deep packet inspection simultaneously can cause resource conflicts and packet handling issues.

  1. In OPNsense, navigate to Services -> Intrusion Detection -> Administration.
  2. On the Settings tab, UNCHECK the main Enabled checkbox for the Intrusion Detection System.
  3. Click Apply at the top to stop and disable Suricata.

Step 1: Install the Zenarmor Plugin

  1. In the OPNsense GUI, navigate to System -> Firmware -> Plugins.
  2. In the search box (you might need to click “Check for updates” first if the list is empty or old), type os-sunnyvally.
  3. You should see the os-sunnyvally plugin. Click the + (Install) icon next to it.
  4. Confirm the installation and wait for it to complete. A page refresh or even a firewall reboot might be recommended by the system after installation.

Step 2: Initial Zenarmor Setup Wizard

Once installed (and after a reboot if prompted), you should find “Zenarmor” in the main OPNsense navigation menu.

  1. Access Zenarmor: Click on the Zenarmor menu item. This will usually launch an initial setup wizard or take you to a dashboard with a “Get Started” prompt.
  2. Deployment Mode:
    • You’ll be asked to choose a deployment mode. For most OPNsense setups, “Routed mode with L3 Netmap support” is the recommended high-performance option.
    • (Remember our earlier troubleshooting? Using virtio-net adapters for your OPNsense VM in VirtualBox is highly recommended for best performance and stability with Netmap-based engines like Zenarmor).
  3. Interface Selection:
    • Choose the network interface(s) Zenarmor should monitor and protect. At a minimum, select your LAN interface (e.g., vtnet1 or em1). You can also select your WAN interface for visibility into egress traffic, but starting with LAN is common.
  4. Database Backend & Reporting:
    • Zenarmor needs a database for its rich reporting features. You’ll typically have options for:
      • Local Elasticsearch: Powerful but can be resource-intensive (RAM/CPU) on your OPNsense box.
      • Cloud-Based Reporting: This is often the easiest for beginners and less resource-intensive on your firewall. You’ll need to sign up for a free Sunny Valley Networks account to use their cloud portal.
    • Follow the prompts based on your choice.
  5. Account Registration: If you opt for cloud reporting or to activate any license (even the Free one), you’ll need to register for an account with Sunny Valley Networks and link your instance.
  6. Complete the Wizard: Follow any remaining prompts. Zenarmor will configure its packet engine and start analyzing traffic.

Step 3: Your First Policy - Basic Protection

After the wizard, you’ll access the Zenarmor dashboard (either embedded in OPNsense or via the Sunny Valley Cloud Portal).

  1. Find Policies: Navigate to the “Policies” section. There’s usually a “Default” policy created for the interface(s) you selected (e.g., your LAN).
  2. Edit the Default Policy:
    • Essential Security: Go to the “Security” or “Threat Protection” section within the policy. Enable basic protections like:
      • Malware and Virus Blocking
      • Phishing Protection
      • Blocking known Botnet Command & Control servers
    • Application Control: Go to “App Controls.” Try blocking a common application category (e.g., “P2P/File Sharing” like BitTorrent) or a specific application (e.g., “TikTok”).
    • Web Filtering: Go to “Web Controls.” Try blocking a common web category (e.g., “Gambling,” “Adult,” or “Social Networking”).
  3. Save your policy changes.

Step 4: Using and Monitoring Zenarmor

Now it’s time to see it in action!

  1. Test from a Client Machine (e.g., your Kali VM):
    • Try to access a website in a category you blocked. Zenarmor should present a block page.
    • Try to use an application you blocked. It should fail to connect or function.
    • Visit a few allowed websites and use some allowed applications.
  2. Explore Zenarmor’s Interface:
    • Live Sessions: Look for a “Live Sessions,” “Connections,” or “Activity” view. This shows real-time network connections, the applications Zenarmor identifies, and any actions it takes (allow/block).
    • Reports: This is where Zenarmor truly shines. Explore the various reports:
      • Top Applications
      • Top Web Categories
      • Blocked Threats
      • Blocked Web Requests/Applications
      • Bandwidth Usage by application/user.
    • These reports give you incredible insight into what’s happening on your network.

Conclusion

Zenarmor transforms your OPNsense firewall into a powerful Next-Generation Firewall, offering deep packet inspection, application control, advanced web filtering, and robust threat protection. While the initial setup might involve a few steps, the user-friendly interface and rich reporting make it a valuable tool for both home users and businesses.

Start with the free tier to explore its capabilities, and as your needs grow, you can consider their paid plans for even more advanced features. Happy (and secure) networking!

To get in touch with me or for general discussion please visit ZeroDayMindset Discussion

Project, Home-Lab-1
writing project cybersecurity
This post is licensed under CC BY 4.0 by the author.