Nuface Blog
Deep Packet Power: Enabling Layer-7 Traffic Control on OPNsense

Posted on 2025-11-06 by Rico

Author: Rico Wu
Environment: OPNsense 25.x + Zenarmor + Suricata
Use case: Enterprise internet access control & application-layer filtering


🧱 1. What Is Layer-7 Control?

Traditional firewalls operate mainly at Layer 3 and Layer 4, controlling traffic by IP address, port and protocol.
That is effective for basic routing and NAT, but it cannot tell what the traffic actually is.

That’s where Layer-7 (L7) application-layer control comes in.
By inspecting packets deeply (DPI: Deep Packet Inspection), an L7 firewall can identify and control specific applications or services, such as:

  • 🎬 YouTube, Netflix, TikTok
  • 💬 Facebook, Instagram, LINE, WhatsApp
  • 🔒 VPNs and proxy tunnels
  • ⚙️ P2P, torrent, or gaming traffic

In modern enterprise environments, this capability is essential for bandwidth management, security, and policy enforcement.


βš™οΈ 2. OPNsense and L7 β€” How It Works

OPNsense is based on FreeBSD + pf, and the pf firewall engine natively supports only L3/L4.
However, OPNsense provides full L7 capability through add-on modules that integrate DPI engines and application databases.

🔧 Available L7 Solutions in OPNsense

| Module | Function | L7 Capabilities | Notes |
|---|---|---|---|
| Zenarmor (formerly Sensei) | Deep Packet Inspection, App & Web control | ✅ Full DPI with categorized application database | GUI-based, easy policy setup |
| Suricata IDS/IPS | Signature-based packet inspection | ✅ Detects and blocks based on protocol signatures | Ideal for security enforcement |
| Squid Proxy | HTTP/HTTPS proxy & filtering | ⚠️ Limited to web traffic (port 80/443) | Suitable for URL or domain control |

Together, these modules give OPNsense visibility and enforcement at the application layer, similar to commercial next-gen firewalls (NGFW).


🧩 3. Zenarmor: Visual, Policy-Driven L7 Control

Zenarmor is the most user-friendly and powerful L7 add-on for OPNsense.
It acts as a DPI engine that classifies and controls traffic across more than 3000 applications.

🧠 Key Features

  • Application-based control (YouTube, Telegram, Steam, etc.)
  • Category-based blocking (Streaming, Social Networking, VPN/Proxy, etc.)
  • Real-time dashboards and reports
  • User & device activity tracking
  • Bandwidth usage analytics
  • Cloud or on-premise policy sync

βš™οΈ Installation

  1. Go to System → Firmware → Plugins
  2. Search and install: os-zenarmor
  3. After installation → Open Zenarmor Dashboard
  4. Follow the wizard to select:
    • Protection mode (Routed or Passive)
    • Interface (LAN, VLAN, or OPT1)
    • Policy (Allow / Block categories)

✅ Example Policy: Block Social Media & VPN

  1. In Zenarmor → Policies → Application Control
  2. Under Category, enable:
    • Social Networking → Block
    • VPN & Proxy Services → Block
  3. Save and apply.

Result:
All traffic matching these applications will be dropped, regardless of port or IP.


🔒 4. Suricata IDS/IPS: Security-Focused L7 Detection

Suricata, included natively in OPNsense, provides a different angle: security detection and prevention.

  • Detects malicious or suspicious traffic using rule sets (Emerging Threats, Proofpoint, etc.)
  • Identifies applications and protocols (OpenVPN, WireGuard, BitTorrent)
  • Can run in IPS mode to actively block packets

💡 Recommended Settings

  1. Enable: Services → Intrusion Detection → Settings → Enable IDS & IPS mode
  2. Choose rule sets:
    • ET-open or ET-pro for enterprise environments
  3. Add categories like: policy-social, policy-vpn, malware, p2p
  4. Apply and monitor under: Intrusion Detection → Alerts

Suricata complements Zenarmor: the former focuses on security signatures, the latter on application visibility.
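The alert view in step 4 is where you confirm that the chosen categories actually fire and, more importantly, whether Suricata blocked what it saw or only logged it. As an added example (not part of this post and not Suricata's own tooling), the Python below reads EVE JSON lines, the format Suricata writes to eve.json, keeps only alert events, counts them per signature and per source host, and flags severity-1 alerts whose action was "allowed", which is what you see while the engine is still in IDS rather than IPS mode. The log lines are constructed for the example using Suricata's real field names but invented addresses, signatures and signature IDs.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (real Suricata field names, invented values).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-11-06T10:00:01.000000+0800","event_type":"alert","src_ip":"192.168.10.21","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":2000001,"signature":"EXAMPLE POLICY Social Media TLS SNI","category":"Potential Corporate Privacy Violation","severity":2}}',
    '{"timestamp":"2025-11-06T10:00:02.000000+0800","event_type":"flow","src_ip":"192.168.10.22","dest_ip":"203.0.113.11","proto":"TCP"}',
    '{"timestamp":"2025-11-06T10:00:03.000000+0800","event_type":"alert","src_ip":"192.168.10.21","dest_ip":"198.51.100.5","dest_port":1194,"proto":"UDP","alert":{"action":"blocked","signature_id":2000002,"signature":"EXAMPLE POLICY OpenVPN Tunnel","category":"Potential Corporate Privacy Violation","severity":2}}',
    '{"timestamp":"2025-11-06T10:00:04.000000+0800","event_type":"alert","src_ip":"192.168.10.30","dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2000003,"signature":"EXAMPLE MALWARE Known C2 Beacon","category":"A Network Trojan was detected","severity":1}}',
    'this line is not json and should be skipped',
]


def parse_alerts(lines):
    """Yield only well-formed alert events; skip other event types and unparsable lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert" and isinstance(ev.get("alert"), dict):
            yield ev


def summarize(lines):
    """Count alerts per signature and per source host, and collect severity-1
    alerts that were merely 'allowed' (IDS mode) instead of 'blocked' (IPS mode)."""
    per_sig = Counter()
    per_src = Counter()
    unblocked_high = []
    for ev in parse_alerts(lines):
        a = ev["alert"]
        per_sig[(a.get("signature_id"), a.get("signature"))] += 1
        per_src[ev.get("src_ip")] += 1
        if a.get("severity") == 1 and a.get("action") != "blocked":
            unblocked_high.append((ev.get("src_ip"), ev.get("dest_ip"), a.get("signature")))
    return {"per_signature": per_sig, "per_source": per_src, "unblocked_high": unblocked_high}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVE_LINES)
    for (sid, sig), n in report["per_signature"].most_common():
        print(f"{n:4d}  sid={sid}  {sig}")
    for src, n in report["per_source"].most_common():
        print(f"{n:4d} alerts from {src}")
    for src, dst, sig in report["unblocked_high"]:
        print(f"NOT BLOCKED (IDS only?): {src} -> {dst}  {sig}")
```

Point it at a real file with `summarize(open("/var/log/suricata/eve.json"))` on the firewall; the per-source counter is the quickest way to spot one workstation generating most of the policy hits, and a non-empty `unblocked_high` list is a sign that IPS mode is not actually enforcing on that interface.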


🌐 5. HTTPS and SNI Challenges

Most modern apps use HTTPS/TLS encryption, which makes deep inspection harder.
However, both Zenarmor and Suricata can still recognize applications from the SNI (Server Name Indication) and other unencrypted metadata, without intercepting the TLS session.

If you need URL-level filtering, you can still use Squid Proxy with SSL Bump, but be aware that:

  • It requires installing the proxy's CA certificate on every client.
  • It may reduce performance.

For most enterprises, SNI-based L7 inspection is already sufficient for compliance and productivity control.
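To make concrete what "recognize applications using SNI" means, and how the category policy from section 3 sits on top of it, here is an added Python example that is not code from this post, from Zenarmor or from Suricata. The server name travels in cleartext inside the TLS ClientHello, so a DPI engine can read it, map it to an application category and apply a block/allow decision without decrypting anything. The ClientHello builder, the tiny category table and the blocked-category set are all constructed for the example; a real engine ships a far larger database.

```python
import struct

# Constructed stand-in for a DPI engine's application/category database.
APP_CATEGORIES = {
    "facebook.com": "Social Networking",
    "instagram.com": "Social Networking",
    "youtube.com": "Streaming",
    "netflix.com": "Streaming",
    "nordvpn.com": "VPN & Proxy Services",
}

# The policy from the post's example: block these two categories.
BLOCKED_CATEGORIES = {"Social Networking", "VPN & Proxy Services"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension
    (test input only, so the parser can be exercised offline)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros in the constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if the record
    is not a ClientHello, carries no SNI, or is truncated. Nothing is decrypted:
    only the plaintext handshake header is read."""
    try:
        if record[0] != 0x16:                      # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                           # handshake header, version, random
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len
        if pos + 2 > len(hs):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            if etype == 0x0000:                    # server_name extension
                list_len = struct.unpack("!H", edata[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    name_type = edata[q]
                    nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                    name = edata[q + 3:q + 3 + nlen]
                    q += 3 + nlen
                    if name_type == 0 and len(name) == nlen:
                        return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


def classify(sni):
    """Map an SNI to a category by longest-suffix match; None if unknown."""
    if sni is None:
        return None
    labels = sni.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATEGORIES:
            return APP_CATEGORIES[candidate]
    return None


def decide(record: bytes) -> str:
    """'block' if the ClientHello's SNI falls in a blocked category, else 'allow'."""
    return "block" if classify(extract_sni(record)) in BLOCKED_CATEGORIES else "allow"


if __name__ == "__main__":
    for name in ("www.facebook.com", "api.github.com", "nordvpn.com"):
        print(name, "->", classify(extract_sni(build_client_hello(name))), decide(build_client_hello(name)))
```

The caveat a practitioner should keep in mind follows directly from the code: `extract_sni` only ever sees the plaintext ClientHello, so a client that omits SNI or uses TLS 1.3 Encrypted Client Hello reaches `classify` as unknown. The example lets unknown traffic through purely to keep the demonstration short; a production policy has to decide that case deliberately, which is the gap Squid with SSL Bump closes at the cost described above.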


🧠 6. Recommended Deployment Architecture

Best practice: combine Zenarmor and Suricata for visibility + protection.

[ Internet ]
     |
   (WAN)
[ OPNsense ]
     ├── Zenarmor (L7 application control)
     ├── Suricata (IDS/IPS, threat detection)
     └── LAN/VLAN segments (192.168.x.x)

This dual setup delivers:

  • Application-aware firewalling
  • Behavior-based intrusion prevention
  • Real-time analytics and bandwidth monitoring

🚀 7. Summary

| Goal | Recommended Tool | Description |
|---|---|---|
| App-based blocking | Zenarmor | Full L7 control, intuitive GUI |
| Threat detection | Suricata | Security-oriented DPI |
| URL filtering | Squid Proxy | HTTP/HTTPS content filter |
| Combined setup | Zenarmor + Suricata | Ideal for enterprise use |

✅ 8. Conclusion

Layer-7 control turns OPNsense from a simple router into a next-generation firewall platform.
With Zenarmor and Suricata working together, IT teams can:

  • Identify what’s consuming bandwidth
  • Block unwanted or risky applications
  • Enforce productivity policies
  • Detect malicious traffic in real time

This makes OPNsense not only open-source and cost-effective, but a true enterprise-class security gateway.
