Author: Rico Wu
Environment: OPNsense 25.x + Zenarmor + Suricata
Use case: Enterprise internet access control & application-layer filtering
## 1. What Is Layer-7 Control?
Traditional firewalls operate mainly at Layer-3 and Layer-4, controlling traffic based on IP addresses, ports, and protocols.
While effective for basic routing and NAT, they can't tell what the traffic actually is.
That's where Layer-7 (L7) application-layer control comes in.
By inspecting packets deeply (DPI: Deep Packet Inspection), an L7 firewall can identify and control specific applications or services, such as:
- YouTube, Netflix, TikTok
- Facebook, Instagram, LINE, WhatsApp
- VPNs and proxy tunnels
- P2P, torrent, or gaming traffic
In modern enterprise environments, this capability is essential for bandwidth management, security, and policy enforcement.
## 2. OPNsense and L7: How It Works
OPNsense is based on FreeBSD + pf, and the pf firewall engine natively supports only L3/L4.
However, OPNsense provides full L7 capability through add-on modules that integrate DPI engines and application databases.
### Available L7 Solutions in OPNsense
| Module | Function | L7 Capabilities | Notes |
|---|---|---|---|
| Zenarmor (formerly Sensei) | Deep Packet Inspection, App & Web control | ✅ Full DPI with categorized application database | GUI-based, easy policy setup |
| Suricata IDS/IPS | Signature-based packet inspection | ✅ Detects and blocks based on protocol signatures | Ideal for security enforcement |
| Squid Proxy | HTTP/HTTPS proxy & filtering | ⚠️ Limited to web traffic (port 80/443) | Suitable for URL or domain control |
Together, these modules give OPNsense visibility and enforcement at the application layer, similar to commercial next-gen firewalls (NGFW).
## 3. Zenarmor: Visual, Policy-Driven L7 Control
Zenarmor is the most user-friendly and powerful L7 add-on for OPNsense.
It acts as a DPI engine that classifies and controls traffic across more than 3000 applications.
### Key Features
- Application-based control (YouTube, Telegram, Steam, etc.)
- Category-based blocking (Streaming, Social Networking, VPN/Proxy, etc.)
- Real-time dashboards and reports
- User & device activity tracking
- Bandwidth usage analytics
- Cloud or on-premise policy sync
### Installation
- Go to System → Firmware → Plugins
- Search for and install `os-zenarmor`
- After installation, open the Zenarmor Dashboard
- Follow the wizard to select:
  - Protection mode (Routed or Passive)
  - Interface (LAN, VLAN, or OPT1)
  - Policy (Allow / Block categories)
### Example Policy: Block Social Media & VPN
- In Zenarmor → Policies → Application Control
- Under Category, enable:
  - Social Networking → Block
  - VPN & Proxy Services → Block
- Save and apply.
Result:
All traffic matching these applications will be dropped, regardless of port or IP.
## 4. Suricata IDS/IPS: Security-Focused L7 Detection
Suricata, included natively in OPNsense, provides a different angle: security detection and prevention.
- Detects malicious or suspicious traffic using rule sets (Emerging Threats, Proofpoint, etc.)
- Identifies applications and protocols (OpenVPN, WireGuard, BitTorrent)
- Can run in IPS mode to actively block packets
### Recommended Settings
- Enable IDS and IPS mode under Services → Intrusion Detection → Settings
- Choose rule sets: ET Open or ET Pro for enterprise environments
- Add categories like: policy-social, policy-vpn, malware, p2p
- Apply and monitor under Intrusion Detection → Alerts
Suricata complements Zenarmor: the former focuses on security signatures, the latter on application visibility.
## 5. HTTPS and SNI Challenges
Most modern apps use HTTPS/TLS encryption, making deep inspection harder.
However, both Zenarmor and Suricata can still recognize many applications from the SNI (Server Name Indication) sent in the TLS ClientHello and from other connection metadata, without decrypting the session. Where TLS Encrypted Client Hello (ECH) is in use, the SNI is no longer sent in cleartext, so this kind of classification is not available for those connections.
If you need URL-level filtering, you can still use Squid Proxy with SSL Bump, but be aware that:
- It requires client-side CA installation.
- It may reduce performance.
For most enterprises, SNI-based L7 inspection is already sufficient for compliance and productivity control.
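As an added example (not code from the original post, Zenarmor or Suricata), the following Python pulls the SNI host name out of a TLS ClientHello and matches it against a small category table, which is the metadata-based classification that sections 4 and 5 describe; the domains, category names and suffix-matching rule are assumptions made for the demo.

```python
# Added example (not from the original post): pull the SNI host name out of a TLS
# ClientHello and map it to a policy category, as SNI-based L7 classification does.
import struct

CATEGORIES = {  # constructed demo table; suffix matching is an assumption
    "Social Networking": ("facebook.com", "instagram.com"),
    "VPN & Proxy Services": ("nordvpn.com", "expressvpn.com"),
}

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) len(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 9 + 2 + 32                          # skip client version + random
        pos += 1 + record[pos]                    # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                    # compression methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                     # server_name extension
                # payload: list_len(2) name_type(1) name_len(2) host name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                          # truncated record or no extensions block
    return None

def classify(hostname):
    """Map a host name to a policy category; None means no policy matched."""
    for category, suffixes in CATEGORIES.items():
        if hostname and any(hostname == s or hostname.endswith("." + s) for s in suffixes):
            return category
    return None

def build_client_hello(hostname: str) -> bytes:
    """Build a constructed, minimal ClientHello record carrying one SNI."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A production engine additionally has to reassemble fragmented records and cope with hosts that send no SNI at all; this parser simply returns None for anything it cannot interpret, which is the case a policy should treat as "unclassified" rather than "allowed".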
## 6. Recommended Deployment Architecture
Best practice: combine Zenarmor and Suricata for visibility + protection.
```text
[ Internet ]
     |
   (WAN)
[ OPNsense ]
 ├── Zenarmor (L7 application control)
 ├── Suricata (IDS/IPS, threat detection)
 └── LAN/VLAN segments (192.168.x.x)
```
This dual setup delivers:
- Application-aware firewalling
- Behavior-based intrusion prevention
- Real-time analytics and bandwidth monitoring
## 7. Summary
| Goal | Recommended Tool | Description |
|---|---|---|
| App-based blocking | Zenarmor | Full L7 control, intuitive GUI |
| Threat detection | Suricata | Security-oriented DPI |
| URL filtering | Squid Proxy | HTTP/HTTPS content filter |
| Combined setup | Zenarmor + Suricata | Ideal for enterprise use |
## 8. Conclusion
Layer-7 control turns OPNsense from a simple router into a next-generation firewall platform.
With Zenarmor and Suricata working together, IT teams can:
- Identify what's consuming bandwidth
- Block unwanted or risky applications
- Enforce productivity policies
- Detect malicious traffic in real time
This makes OPNsense not only open-source and cost-effective, but also a true enterprise-class security gateway.