PORT 18083 🌐 Multi-WAN Manager
Bond multiple internet links with 4 modes: failover, round-robin, weighted, and policy-route. Supports DHCP, Static, PPPoE, LTE, 5G, and Starlink. Automatic health checks run every 30s, with failover within seconds.
Verified: dual-ISP weighted bond delivering 150 Mbps total down on test bench
PORT 18084 🔀 NAT Manager
Port forwarding, 1:1 NAT, outbound NAT, NPT (IPv6), and Virtual IPs. Built-in port-forward reachability tester. NAT-reflection for hairpin scenarios.
Use cases: expose internal web/mail server, mask outbound traffic, IPv6 prefix translation
PORT 18087 🌍 Web Filter
Category-based URL filtering (32+ categories), SafeSearch enforcement, and per-user/per-group policies. SSL Bumping for HTTPS inspection with proper CA distribution.
Block list size: 4M+ domains; supports Arabic-language allow-/block-lists
PORT 18099 🔍 DNS Filter
RPZ-based DNS sinkhole. Blocks malware, phishing, ads, and adult content at the DNS layer - the fastest tier of defense. DoH/DoT support for encrypted upstream.
Latency overhead: <2ms with local cache
PORT 18088 📊 QoS Controller
HFSC/CBQ shaper with 7 ready-made templates: VoIP-priority, Video, Office, Hotel, Café, Manufacturing, Hospital. Per-VLAN, per-device, or per-app rate-limiting.
Hardware offload via Intel I350 multi-queue when available
PORT 18098 🔐 VPN Service
WireGuard (modern, fast), OpenVPN (compatible), IPsec (enterprise). Per-user policy routing, MFA-protected client portals, and SSO integration.
Throughput: ~2 Gbps WireGuard on a single x3250 M5 core
PORT 18102 ⚔️ DDoS Protection
SYN-cookies, rate-limiting per source, geofencing, and behavioral anomaly detection. Auto-blackhole at the edge before traffic reaches the firewall stack.
Mitigates volumetric (L3/4) up to NIC line rate, application-layer (L7) up to 10K rps
PORT 18096 🛡️ WAF Service
OWASP ModSecurity-compatible Coraza WAF with CRS rules. Bot-mitigation, JSON-schema validation, GraphQL inspection, and per-API rate-limit policies.
CRS 4.0 rules ship pre-installed; custom rules via Web UI
PORT 18081 🚪 Port Manager
Inventory and lifecycle for the 16 physical ports. Tag roles (WAN/LAN/DMZ/Mgmt), monitor link state, and push interface configs to the OPNsense kernel.
Auto-discovers I350-T4 and X710-DA2 PCIe cards on first boot
PORT 18097 📡 Port Checker
External port scanner - verifies your published services from the public internet side. Confirms NAT rules really work end-to-end.
Scans from regional probes to validate global reachability