OPNsense Edge Firewall

OPNsense 26.1 deployed on a Dell Optiplex 5040 SFF as the sole edge device: routing, DHCP, DNS filtering, VLAN segmentation, wildcard TLS, IDS on WAN, and a DMZ-isolated Cloudflare Tunnel for public ingress — no raw management ports on the internet.

Tags: OPNsense 26.1, VLAN Segmentation, AdGuard Home, Suricata IDS, ACME / TLS, Cloudflare DoT

[Architecture diagram: OPNsense edge firewall]

What I Built

  • Deployed OPNsense 26.1 on a Dell Optiplex 5040 SFF as the dedicated edge router and firewall.
  • Segmented the network into LAN and a Public DMZ VLAN for Cloudflare Tunnel isolation.
  • Replaced the default Unbound DNS resolver with AdGuard Home (OPNsense plugin) with Cloudflare DoT upstream for encrypted, filtered DNS.
  • Deployed Suricata IDS on the WAN interface in netmap mode for intrusion detection.
  • Automated wildcard TLS certificate issuance for *.masternazz.com using ACME with Cloudflare DNS-01 challenge.
  • Placed Cloudflare Tunnel connector in the DMZ VLAN so public HTTPS ingress never touches the LAN directly.

Skills Demonstrated

  • Network segmentation and VLAN design
  • Firewall rule logic and change tracking
  • DNS filtering and encrypted upstream resolvers
  • Intrusion detection system configuration
  • Automated TLS certificate management (ACME / DNS-01)
  • Public/private service boundary decision-making

DNS

AdGuard + Encrypted Upstream

Replaced Unbound with AdGuard Home for network-wide DNS filtering with ad and malware blocking. Upstream queries go over Cloudflare DNS-over-TLS so ISP-level DNS snooping is eliminated.

Ingress

DMZ-Isolated Public Access

Cloudflare Tunnel connector runs in a dedicated Public DMZ VLAN, isolated from the LAN. Public HTTPS traffic routes through Cloudflare → tunnel → reverse proxy without exposing internal addressing or management ports.
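A small policy check for the DMZ-isolation design described above, added here as an illustrative example and not the project's own configuration. It models first-match firewall evaluation over constructed rules, subnets and ports (the real site's addressing is not on this page) and shows how dragging the tunnel's egress pass rule above the DMZ-to-LAN block silently breaks the isolation while every rule is still present.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing; the real site's subnets are not on the page.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.90.0/24")
FW_DMZ = ip_network("192.168.90.1/32")  # firewall's DMZ-side address (DNS listener)
ANY = ip_network("0.0.0.0/0")
@dataclass(frozen=True)
class Rule:
    iface: str                # interface the packet arrives on
    action: str               # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"        # "tcp", "udp" or "any"
    dport: int | None = None  # None matches any destination port

# Intended policy: DMZ hosts may resolve DNS on the firewall and reach the internet on
# tcp/443 (tunnel egress); anything else leaving the DMZ drops. WAN has no pass rules.
SEGMENTED = [
    Rule("dmz", "pass",  DMZ, FW_DMZ, "udp", 53),
    Rule("dmz", "block", DMZ, LAN),
    Rule("dmz", "block", DMZ, FW_DMZ),
    Rule("dmz", "pass",  DMZ, ANY, "tcp", 443),
    Rule("lan", "pass",  LAN, ANY),
]
# Same five rules, but the broad egress pass was dragged above the two blocks.
MISORDERED = [SEGMENTED[0], SEGMENTED[3], SEGMENTED[1], SEGMENTED[2], SEGMENTED[4]]

def evaluate(rules, iface, src, dst, proto, dport) -> str:
    """First matching rule wins; implicit default deny if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.iface == iface and s in r.src and d in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "block"
def isolation_holds(rules) -> dict[str, bool]:
    """Invariants the DMZ design relies on; a False value marks a violated one."""
    dmz_host, lan_host, fw, edge = "192.168.90.20", "192.168.10.50", "192.168.90.1", "203.0.113.10"
    return {
        "dmz_cannot_reach_lan_ssh":   evaluate(rules, "dmz", dmz_host, lan_host, "tcp", 22) == "block",
        "dmz_cannot_reach_lan_https": evaluate(rules, "dmz", dmz_host, lan_host, "tcp", 443) == "block",
        "dmz_cannot_reach_fw_gui":    evaluate(rules, "dmz", dmz_host, fw, "tcp", 443) == "block",
        "dmz_dns_via_firewall":       evaluate(rules, "dmz", dmz_host, fw, "udp", 53) == "pass",
        "dmz_tunnel_egress_443":      evaluate(rules, "dmz", dmz_host, edge, "tcp", 443) == "pass",
        "wan_blocks_mgmt_https":      evaluate(rules, "wan", "198.51.100.7", "203.0.113.1", "tcp", 443) == "block",
    }
```

Running `isolation_holds` against both lists shows the misordered set still blocks DMZ-to-LAN SSH but lets the DMZ reach LAN hosts and the firewall GUI on 443, which is exactly the path the tunnel placement is meant to prevent.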

IDS

Suricata on WAN

Suricata runs in netmap mode on the WAN interface for wire-rate intrusion detection. Alerts feed into Wazuh for centralized analysis and correlation with host-level events.

What This Shows Employers

I built and operate a real edge firewall — not a lab simulation. I know how traffic flows from WAN to service, why VLAN isolation matters for tunnel placement, and how to keep management surfaces off the internet. The IDS, DNS filtering, and automated cert pipeline are all production habits, not checkboxes.

Get In Touch

Open to Junior Network Administrator, SOC Analyst, NOC, MSP, Help Desk, IT Support, and Cybersecurity Internship opportunities.

Email: NazeemDickey@gmail.com | Boynton Beach, FL