Turn OPNsense into a complete security operations platform.
OPNsense is powerful. SecureEdge makes it operational.
A modern security workspace for firewall control, VPN visibility, threat detection, DNS protection, and safer network changes. Featuring real-time VPN / proxy / Tor detection that catches rotating residential proxies every 10 seconds — a capability no other firewall at this price point offers.
OPNsense is extremely capable, but daily operations can become time-consuming: rule order, DNS blocklists, Suricata rules, GeoIP aliases, VPN policies, CrowdSec services, NAT reloads, packet captures, and troubleshooting are scattered across different screens.
5NinesNet SecureEdge brings those workflows into one modern control panel.
"A custom network security management layer for OPNsense."
SecureEdge simplifies daily firewall operations, DNS security, IDS/IPS rule management, VPN administration, GeoIP policy enforcement, CrowdSec protection, and troubleshooting workflows through a modern web interface. Built on a device-based routing architecture, the portal scales from a single firewall to multi-location MSP deployments without rearchitecting.
Site-to-Site IPsec is the backbone of every multi-cloud and multi-site network — and the OPNsense native UI makes setting one up an afternoon of cross-referencing vendor docs and second-guessing IKE proposals. SecureEdge replaces all of it with a 6-step wizard, 5 cloud presets researched against vendor documentation, and a 4-LED dashboard borrowed from Palo Alto Networks so you know exactly which phase failed when something doesn't come up.
When a tunnel goes down at 3am, "is it phase 1 or phase 2?" is the question that costs you an hour. SecureEdge surfaces both — plus the tunnel interface state and live traffic — as four color-coded LEDs on every tunnel card. Same convention Palo Alto Networks ships in PAN-OS, now on top of OPNsense.
OPNsense's native IPsec UI shows tunnel status as a single boolean (connected / not connected). Diagnosing why something isn't coming up means SSH-ing in and reading swanctl --list-sas output. SecureEdge surfaces all four states inline.
Cloud presets configured against vendor docs. Phase 1/2 proposals, lifetimes, and routing mode are pre-set — you only edit if you need something custom.
AWS only supports route-based (VTI) tunnels, so the wizard configures tunnel_type=vti automatically. Configure the AWS Customer Gateway with the same PSK. BGP over VTI for dynamic routing.
Building an IPsec tunnel to AWS isn't hard — it's just full of gotchas. Wrong DH group on Azure? Tunnel won't establish. Forgot AWS only supports VTI? Stuck for an hour. SecureEdge ships with five presets where every gotcha is already pre-solved:
Cloud presets researched against vendor documentation as of April 2026. New cloud providers (Oracle, Alibaba, OCI) added on customer request as part of the SecureEdge engagement.
An animated hub-and-spoke SVG with your firewall at the center and every IPsec peer arranged around it. Each spoke shows live link state and active traffic. Hover any peer for IKE proposals, lifetimes, and last-renegotiation time — without leaving the page.
Built for the moment a CTO walks over and asks "what's connected to where?" — point at the screen, done. No PDF diagrams to maintain, no Visio file going stale.
Live event stream of every IKE phase 1/2 negotiation, child SA rekey, and DPD timeout. Filter by tunnel, severity, or time window. The same data swanctl --log shows — just searchable.
Configurable ICMP/TCP keepalive across the tunnel — catches "tunnel says UP, traffic doesn't flow" cases that vanilla IPsec misses. Auto-restart on monitor failure.
Per-tunnel uptime tracking with rolling 30-day SLA visibility. Goes red below 99.9%. Exportable as CSV for compliance reports.
Delete a tunnel and the wizard removes the connection, child SAs, PSK, firewall rules, and routes — all at once. Or just toggle disabled to test without losing config.
Rotate the pre-shared key on schedule or on-demand. Wizard handles the rekey window so the tunnel doesn't drop more than the configured DPD timeout.
Supports both routed (VTI, required for AWS/Azure/GCP) and policy-based (the OPNsense default) tunnels. The wizard sets the mode correctly per cloud provider's requirement.
Stripped of marketing language, here are the five security operations problems that drive buyers to SecureEdge. If any of these sound like your OPNsense deployment, we should talk.
"Users bypass geo-restrictions and DLP controls with ExpressVPN. Our GeoIP rules are useless because their exit IPs rotate every 3 minutes. Signature-based IP reputation never catches them."
DynVPN scans live pf states every 10 seconds against a 17M+ record VPN/proxy/Tor threat database. Kills active sessions on detection — not just new connections. The only firewall under $30K/year that does this.
"I pushed a firewall rule at 11pm and locked myself out of the OPNsense UI. Had to drive to the office for console access. Second time this year."
Juniper-style commit-confirm for OPNsense. Apply any rule with a 1–30 minute auto-revert timer. Lose your connection? The rule unwinds itself. No console drive, no 2am pain.
"A user says 'this domain should work' and I have 10 blocklists stacked. I don't know which list blocked it, or even if it's really blocked — Unbound just silently returns 0.0.0.0."
Query-level DNS visibility with blocklist attribution. Test any domain, see exactly which list matched, and get real answers for your users — not guesses.
"I want to block TikTok and known-malicious TLS SNI on my network, but writing app-layer Suricata rules by hand and testing them without breaking production is a weekend project."
Visual Suricata rule builder with DNS/TLS/HTTP app-layer presets. Build, preview, and deploy custom rules in minutes. Alert-only mode lets you test safely before enforcement.
"OPNsense upgraded overnight. Now DNS blocklists aren't updating, GeoIP aliases are stale, and my Suricata config got reset. I only noticed because a user complained about ads coming back."
Continuous Integration Health monitoring — 7 checks across SSH keys, DNSBL hooks, Unbound paths, cron jobs, and Suricata config. One "Repair All" button puts everything back. Drift caught in minutes, not weeks.
Create, edit, enable, disable, reorder, and review firewall rules from a cleaner interface designed for real operators. SecureEdge adds plain-English structure, rule position awareness, logging visibility, and safer change control.
Manage IDS/IPS mode, alert feeds, rulesets, custom rules, protocol-based blocking, DNS/TLS/HTTP inspection, and signature search — without manually editing rule files or SSHing into the box at 2am.
Protect users from ads, trackers, malware, phishing, adult content, gambling, VPN bypass, and DNS-over-HTTPS bypass using curated blocklists and guided testing. Every blocked query is explained, not silently dropped.
Create inbound block, allow, or alert policies by country using MaxMind GeoLite2, high-risk region presets, OFAC-style presets, and IP reputation feeds. Aliases and WAN rules are created automatically — you just pick the policy.
Install and manage CrowdSec directly from the portal. The agent detects attacks; the firewall bouncer blocks malicious IPs using pf tables with minimal performance impact. Console enrollment, API key registration, and decisions-table visibility — all one-click.
This is the letting-people-in side of VPN (separate from the DynVPN detection engine above, which keeps unwanted VPN traffic out). Create VPN users, download .ovpn profiles, manage sessions, integrate LDAP/TOTP, and build firewall policies around VPN user groups — the workflow that usually takes 8 OPNsense screens now takes one.
SecureEdge continuously validates the OPNsense integration: SSH keys, DNSBL hooks, Unbound paths, Dynamic VPN cron jobs, GeoIP rebuild jobs, Suricata config, and DNSBL update jobs. When something drifts, a single "Repair All" button puts it back.
OPNsense is excellent at the fundamentals — packet filtering, NAT, routing, VPN. But there are operational capabilities that don't ship in any open-source firewall distribution, and that enterprise vendors gate behind subscriptions. SecureEdge adds them as standard.
Juniper-style "commit confirmed" for OPNsense. Apply a rule change with a 1–30 minute auto-revert timer. Lock yourself out? The rule unwinds itself. Nobody dispatches to site.
Color-coded rule positions (#1 red, #2 amber, #3 yellow) with a "first match wins" banner. Catches the classic mistake where a catch-all block any rule silently hides everything below it.
Build DNS-tunnel detection, TLS SNI blocks, and HTTP URI filters without writing raw Suricata syntax. App-layer protocol detection catches traffic on any port, not just defaults.
Agent install, console enrollment, firewall bouncer registration, and API key provisioning — all in one workflow. What's normally a multi-hour setup guide becomes one button.
Continuous validation of SSH keys, DNSBL hooks, Unbound paths, cron jobs, and Suricata config. When an OPNsense upgrade drifts the integration, "Repair All" puts every hook back in one click.
"You can get each of these features individually by bolting together plugins, SSH scripts, and cron jobs — or by paying enterprise vendors five figures a year. SecureEdge gives you all six as standard, on top of the OPNsense you already trust."
Good firewall operations aren't about having every setting enabled — they're about a handful of habits that prevent the common mistakes. SecureEdge is designed around these six principles so they happen automatically, not by accident.
Every new IDS/IPS ruleset, GeoIP block, or DynVPN policy starts in alert-only. Watch what it would have blocked for 24–48 hours before enforcing. Catches every false positive before it breaks production.
Firewall rules are processed top-down, first-match-wins. SecureEdge shows rule position in color (#1 red, #2 amber, #3 yellow) and warns when a catch-all rule silently hides everything below it. No more "why isn't my new rule working?"
DNS filtering blocks malicious domains before the connection is ever attempted — cheaper than firewall rules, simpler than IDS. Start with curated blocklists (malware, phishing, ads), then layer firewall and IDS on top.
GeoIP is powerful but blunt. Block based on business need (no customers in Region X? Safe to block) — not out of paranoia. The inverse-match misconfiguration (thinking you're allowing US traffic when you're actually blocking non-US) is the #1 GeoIP mistake. SecureEdge prevents it.
VPN users accumulate over time — contractor left 8 months ago, account never disabled, firewall still trusts them. Run a quarterly review of active users, last-seen dates, and group membership. SecureEdge surfaces stale accounts automatically.
When something breaks, the first question is "what changed?" SecureEdge pairs commit-confirm (auto-revert bad rules) with a Git-backed change history — so you can trace every firewall change to a user, timestamp, and reason. Compliance audits become a 5-minute export.
"Security isn't about having every feature enabled. It's about the habits that prevent the mistakes."
— SECUREEDGE DESIGN PRINCIPLE
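The first-match-wins principle above can be checked mechanically: a rule is dead if an earlier rule already matches every packet it could match. The following is an added illustration, not SecureEdge or OPNsense code; the rule dictionary layout, the function names, and the sample ruleset are assumptions constructed for this example, and it handles IPv4 only.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample ruleset (hypothetical format), evaluated top-down, first match wins.
RULES = [
    {"action": "pass",  "proto": "tcp", "src": "any", "dst": "10.0.0.10/32", "port": 443},
    {"action": "block", "proto": "any", "src": "any", "dst": "any", "port": None},  # catch-all
    {"action": "pass",  "proto": "tcp", "src": "any", "dst": "10.0.0.20/32", "port": 22},
    {"action": "block", "proto": "udp", "src": "192.168.1.0/24", "dst": "any", "port": 53},
]

def _net(value):
    # "any" is treated as the whole IPv4 space (IPv4-only simplification).
    return ANY if value == "any" else ipaddress.ip_network(value)

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    return (
        _net(later["src"]).subnet_of(_net(earlier["src"]))
        and _net(later["dst"]).subnet_of(_net(earlier["dst"]))
        and earlier["proto"] in ("any", later["proto"])
        and earlier["port"] in (None, later["port"])
    )

def find_shadowed(rules):
    """Return (later_pos, earlier_pos, conflict) for each rule that can never match.

    Positions are 1-based. `conflict` is True when the hidden rule's action
    differs from the rule hiding it, which is the case worth an operator warning.
    """
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                conflict = rules[j]["action"] != later["action"]
                findings.append((i + 1, j + 1, conflict))
                break  # the first covering rule is the one that wins
    return findings

if __name__ == "__main__":
    for later, earlier, conflict in find_shadowed(RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"rule #{later} is hidden by rule #{earlier} ({kind})")
```

Rule #3 in the sample is the classic case: a pass rule placed below a catch-all block never takes effect, while rule #4 is merely redundant.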
Real firewall and security workflows inside the SecureEdge interface — grouped by how you actually use them: starting with the overview, drilling into controls, adding protection, and troubleshooting when things go sideways.
Every deployment opens to a Control Panel showing firewall health, active IDS rules, DNS filtering state, NAT status, VPN user count, and integration health — all auto-refreshing. No setup screens to hunt through.
Full CRUD firewall rules with drag-reorder, live hit counts from pfctl, and the Juniper-style commit-confirm timer that auto-reverts if you lock yourself out. NAT and aliases on the same surface — no more tab-hopping.
All active protections in one surface: DNS blocklists, Suricata IDS/IPS, MaxMind GeoIP, CrowdSec community defense, and the DynVPN engine — each with its own live metrics, all on a single screen you can screenshot for a compliance auditor.
Guided packet tracer workflows instead of wrestling with raw tcpdump. Correlated logs across firewall/DNS/IDS on one timeline. Integration health panel that catches OPNsense upgrade drift before you notice it broke something. One "Repair All" button when it does.
⊛ Stylized previews shown above. Request a walkthrough to see the live product.
SecureEdge works across the same three environments where OPNsense itself shines — but removes the operational tax that usually scales with firewall complexity.
Clean DNS filtering for family safety, GeoIP blocking on WAN, daily config backups, VPN access from anywhere. Set up once, auto-heal on OPNsense upgrades.
Ad blocking, phishing protection, employee VPN with MFA, CrowdSec community defense, TLS SNI policies for productivity apps — without a dedicated security hire.
One portal, many firewalls. Device-based routing scales to dozens of client OPNsense boxes. Standardized rules, audit logs, customer-isolated views, and handoff documentation.
PCI-adjacent network segmentation, guest Wi-Fi isolation, PoS egress whitelisting, automated GeoIP blocking for payment terminals. Compliance evidence in one dashboard.
DNS-based content filtering that's explainable to parents and boards. Safe-search enforcement, gambling/adult blocking, and clear "why was this blocked?" reports.
IoT device isolation, smart-home egress control, VPN-only access to sensitive services, Tor exit blocking, and CrowdSec community defense on residential connections.
SecureEdge is a service-backed product. You're not downloading a free tool and fighting it at 2am — you're engaging an engineer to deploy, tune, and maintain your firewall stack end-to-end.
For homelab, rental property, or small office firewall setup — when you want the benefits of OPNsense without the weekend-long learning curve.
For small businesses or advanced home networks — when firewall operations need to actually run themselves while you focus on your business.
For MSPs and operators with multiple clients or locations — when firewall management becomes a service you deliver, and you need ongoing review, policy updates, and standardized deployment patterns.
Hardware is not included. SecureEdge runs on your existing OPNsense appliance (bare-metal, Proxmox VM, or supported cloud instance). If you need a new box, we'll spec one with you — typical SMB appliance runs $400–$900.
5NinesNet SecureEdge does not replace OPNsense — it makes OPNsense easier to operate, safer to manage, and more useful for real-world security workflows.
— THE 5NINESNET DESIGN PRINCIPLE
CCIE network architect with 20+ years across enterprise design, operations, and security. Spent that time building, breaking, and rebuilding networks at the layer where vendor marketing meets pf state tables — and got opinionated about what actually matters when something's on fire at 3 AM.
5NinesNet is the home for the work that came out of that — managed network infrastructure that doesn't require a six-figure contract and a year-long deployment to actually use. SecureEdge is part of it: a control plane for OPNsense-based deployments built on the principle that if you can't reproduce it from a clean install in 30 minutes, you don't actually own it.
When you engage 5NinesNet, you're not buying a license — you're buying a relationship with the person who wrote the code.
Let 5NinesNet design, deploy, and automate your OPNsense security stack. We'll start with a 30-minute scoping call, review your current setup, and send you a fixed-price package recommendation within 48 hours.
Or email hello@5ninesnet.com directly · typical response within 24 hours