SecureNet

OPNsense on Protectli hardware with Intel ME disabled via HAP bit. 8 isolated networks, Suricata IDS/IPS, Unbound DNS filtering, DNS over TLS, Monit monitoring, self-hosted blocklists. Every config on Forgejo.

200,000+ Threat Signatures*
1 million+ Blocked Domains*
8 Isolated Networks

*Updated nightly while you sleep. Your security stays current automatically.

What Is SecureNet?

A complete OPNsense deployment on Protectli Vault hardware: 8 isolated networks, Suricata IDS/IPS with ~200K signatures, Unbound DNS with self-hosted blocklists covering 1M+ domains, DNS over TLS, Monit monitoring, and pre-configured WireGuard integration for SafeNet VPN. Coreboot firmware with Intel ME neutralized via the HAP bit. Everything preloaded by Protectli engineers from OSS-authored configurations before it ships.

Plug it in and baseline security is already active. The 25-minute onboarding call customizes it for your ISP, your home, and your device inventory.

[Image] OPNsense Dashboard: Your network security at a glance

Network Architecture

SecureNet implements 8 separate networks: 3 physical (full access) and 5 virtual VLANs (restricted). Each network isolates devices by trust level and use case.

The 8 Networks

LAN1 (Admin/Home)

192.168.1.0/24

Primary trusted devices with full access. Your computers, phones, tablets. Can access firewall GUI and all other networks.

LAN2 (Backup)

192.168.2.0/24

Hardware failover network. If Port 1 fails, plug into Port 4. Internet restored in 30 seconds.

IoT VLAN

192.168.20.0/24

Security cameras, doorbells, motion sensors. Internet-only access: can't reach your computers or NAS if compromised.

Smart VLAN

192.168.30.0/24

Smart TVs, Sonos speakers, robot vacuums. Isolated from internal networks: TV spyware can't access your work laptop.

Guest VLAN

192.168.40.0/24

Visitor WiFi. Zero internal visibility: guests can't see other guests, can't discover internal services, can't reach firewall GUI.

Kids VLAN

192.168.50.0/24

Children's devices with DNS filtering. Blocks adult content, gambling, drugs. Network isolation + content filtering.

SafeNet VLAN

10.60.60.0/24

WiFi VPN tunnel. All traffic routes through a SafeNet server. For privacy-focused browsing.

SafeNet Port

10.70.70.0/24

Wired VPN on Port 3. Plug in ethernet devices that need VPN: home office setup, devices without VPN clients.

IP Addressing Strategy

SecureNet uses deliberate IP patterns so the routing path is visible at a glance:

IP Pattern | Meaning | Routing
192.168.x.x | Standard networks | Direct to ISP (untunneled)
10.x.x.x | SafeNet networks | Through WireGuard tunnel

Port Assignments & VLAN Trunking

Port | Interface | Purpose
Port 1 (Left) | LAN + VLAN Trunk | Tagged 802.1Q trunk to WiFi AP: LAN1 untagged, IoT/Smart/Guest/Kids/SafeNet tagged
Port 2 | WAN | Internet gateway (connects to ISP modem)
Port 3 | SafeNet Port | Wired VPN for ethernet devices (untagged, tunneled)
Port 4 (Right) | LAN2 Backup | Hardware failover if Port 1 fails (untagged, no VLANs)

Firewall Rules & VLAN Isolation

OPNsense runs on FreeBSD's pf packet filter. Every restricted VLAN uses an identical 3-rule pattern applied as interface rules (processed after floating rules in OPNsense's rule order).

The 3-Rule Isolation Pattern

# Rule 1: Allow devices on same VLAN to communicate
Pass: VLAN net → VLAN net (AirPlay, Chromecast, local gaming)

# Rule 2: Block ALL internal networks
Block: VLAN net → RFC1918 (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)

# Rule 3: Allow internet access
Pass: VLAN net → * (only public IPs remain after Rule 2)

A device on the IoT VLAN can reach the internet and talk to other IoT devices, but it cannot reach your computers, your NAS, your admin network, or any other VLAN. Period. Order matters: OPNsense interface rules are first-match ("quick" by default), and the RFC1918 alias in Rule 2 also covers the VLAN's own subnet, so Rule 1 must sit above Rule 2 and Rule 3 below it.

Attack Scenarios Prevented

  • Compromised IoT Camera: Attacker gains camera shell, scans for NAS. All blocked. Attack stops at the camera.
  • Malicious Guest: Guest with hacking tools scans 192.168.1.0/24. Sees nothing. Zero visibility into internal network.
  • Smart TV Spyware: Pre-installed TV spyware tries to find SMB shares. Blocked. Work documents stay safe.

Simplified Rule Management: The RFC1918 alias covers all private address space in a single entry. Isolation rules reference this alias, so adding a new VLAN doesn't require updating every existing rule set.
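To make the first-match ordering concrete, here is a small evaluator of the 3-rule pattern, added as an illustration (it is not part of the SecureNet configuration) using Python's ipaddress module; the hosts it tests (a camera at 192.168.20.15, a NAS at 192.168.1.50, a SafeNet client at 10.60.60.7, a public address 203.0.113.10) are constructed.

```python
import ipaddress
from typing import NamedTuple

# The RFC1918 alias from the page: all private address space in a single entry.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


class Rule(NamedTuple):
    action: str    # "pass" or "block"
    src: list      # networks the source address must belong to
    dst: list      # networks the destination address must belong to
    comment: str


def isolation_rules(vlan_net: str) -> list:
    """The page's 3-rule pattern for one restricted VLAN, in evaluation order."""
    vlan = [ipaddress.ip_network(vlan_net)]
    return [
        Rule("pass", vlan, vlan, "Rule 1: same-VLAN traffic (AirPlay, Chromecast, local gaming)"),
        Rule("block", vlan, RFC1918, "Rule 2: block all internal networks"),
        Rule("pass", vlan, ANY, "Rule 3: internet access (only public IPs remain)"),
    ]


def evaluate(rules, src_ip: str, dst_ip: str) -> tuple:
    """First-match evaluation, as OPNsense interface rules (quick by default) behave.
    Returns (action, comment); if nothing matches, pf's implicit default deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(src in n for n in r.src) and any(dst in n for n in r.dst):
            return r.action, r.comment
    return "block", "default deny (no rule matched)"


if __name__ == "__main__":
    # Constructed hosts: a camera on the IoT VLAN, a NAS on LAN1, a SafeNet client, a public IP.
    iot = isolation_rules("192.168.20.0/24")
    for dst in ("192.168.20.40", "192.168.1.50", "10.60.60.7", "203.0.113.10"):
        print(f"camera -> {dst}: {evaluate(iot, '192.168.20.15', dst)}")
    # Swapping Rules 2 and 3 silently exposes the NAS: the internet rule matches everything first.
    swapped = [iot[0], iot[2], iot[1]]
    print("with rules 2/3 swapped, NAS:", evaluate(swapped, "192.168.20.15", "192.168.1.50"))
```

Running it shows the NAS and the SafeNet client blocked and the public address passed; with Rules 2 and 3 swapped the NAS becomes reachable, which is the mistake the fixed ordering prevents.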

Suricata IDS/IPS

Suricata is the first layer of our two-layer packet inspection architecture. It sits on the WAN interface, inspecting all internet traffic before it reaches your internal networks.

Configuration

Parameter | Value
Interface | WAN (perimeter defense)
Mode | IPS: blocking, not just alerting
Pattern Matcher | Hyperscan (Intel's open-source high-performance regex library, near-wire-speed matching)
Total Signatures | ~200K active rules*
Updates | Nightly automatic (2 AM CST cron)
Rule Tuning | Known false-positive SIDs disabled after Security Performance Lab (SPL) validation

Ruleset Breakdown (Updates Nightly)*

Rulesets selected to maximize home network protection without false positives:

Source | Signatures | What It Catches
Abuse.ch ThreatFox | 147,379+ | Active campaign indicators of compromise (IOCs)
Abuse.ch URLhaus | 28,451+ | Malicious URLs, phishing, exploit kits
Abuse.ch SSL Fingerprint | 9,192+ | Malicious SSL/TLS certificates
ET emerging-malware | 17,797+ | Trojans, ransomware, spyware
ET emerging-phishing | 2,800+ | Credential theft, fake login pages
ET emerging-exploit | 1,676+ | CVE exploits, buffer overflows, RCE
ET emerging-scan | 285+ | Port scanning, reconnaissance
Feodo Tracker + others | ~125+ | Botnet C&C, worms, DoS, current events

*Signature counts update nightly as new threats are discovered and old ones expire.

Performance with Full Security Stack (Lab Validated)

All performance numbers validated in our Security Performance Lab with real traffic patterns:

Hardware | Throughput | Packet Loss | Added Latency
Protectli V1410 | ~1.2 Gbps | 0% | <5 ms
Protectli VP2430 | ~1.7 Gbps | 0% | <5 ms

DNS Filtering & Ad Blocking

Unbound DNS runs locally on your SecureNet firewall, resolving queries faster than remote servers while blocking malicious domains and ads before any connection is made. DNSSEC validation is enabled for all upstream responses.

Self-Hosted Blocklists

We aggregate multiple trusted sources into a single, deduplicated blocklist hosted on our own infrastructure at oss-blocklist.net. Refresh runs nightly at 2 AM CST so your security updates while you sleep.

Why Self-Hosted? We control uptime (not dependent on third-party hosting). Dead feeds get replaced transparently. Customer firewalls always receive updated lists. Format is guaranteed consistent.

DNS Blocklist Sources (1 million+ domains)*

Source | Focus
Hagezi Pro++ | Aggressive malware, tracking, and ads (~800K domains)
OISD Big | Balanced coverage with low false positives
Steven Black Unified | Conservative malware and adware
1Hosts Pro | Malware, tracking, and suspicious domains
OSS Community | Customer-reported malicious domains and ads

IP Blocklist Sources (~45,000 IPs)*

Source | Focus
Spamhaus DROP | Hijacked networks, criminal operations
DShield Top 20 | Active attackers from real-world data
Hagezi TIF | C2 servers, malware hosting
OSS Community | Customer-reported malicious IPs

*Counts update nightly as sources refresh and community reports are added.

Community-Driven Protection

See an ad that slipped through? Find a malicious site we missed? Report it and we'll add it to the OSS Community list. Your feedback improves protection for everyone.

You report a threat or ad → We verify and add to OSS list → All customers protected

Whitelist Process

If a legitimate site gets blocked (false positive):

  1. You report it to OSS
  2. We verify the domain is safe
  3. We add it to our whitelist
  4. Next nightly refresh fixes it. No action required on your end.
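The aggregate, deduplicate, whitelist, publish pipeline described above, as an added example written for this page rather than OSS's own tooling: it merges hosts-style and domain-per-line feeds, applies the whitelist (sparing subdomains too), and emits Unbound local-zone entries. The feed contents and the whitelist are constructed samples.

```python
import re

# Two feed formats the sources above use: hosts-file style ("0.0.0.0 domain") and one domain per line.
_HOST_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def parse_feed(text: str) -> set:
    """Extract lowercase domains from a feed in either format; comments and junk lines are dropped."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        m = _HOST_LINE.match(line)
        name = m.group(1) if m else line
        if name not in ("localhost", "localhost.localdomain") and _DOMAIN.match(name):
            domains.add(name)
    return domains


def is_whitelisted(domain: str, whitelist: set) -> bool:
    """A whitelisted domain also spares its subdomains (an always_nxdomain zone would swallow them otherwise)."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in whitelist for i in range(len(parts) - 1))


def aggregate(feeds, whitelist: set) -> list:
    """Merge, deduplicate, and apply the whitelist; sorted output keeps nightly diffs readable."""
    merged = set()
    for feed in feeds:
        merged |= parse_feed(feed)
    return sorted(d for d in merged if not is_whitelisted(d, whitelist))


def unbound_zones(domains) -> str:
    """Render Unbound local-zone lines; always_nxdomain answers NXDOMAIN for the name and everything below it."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


# Constructed sample feeds and whitelist (not real list contents).
FEED_HOSTS = """# hosts-style feed
0.0.0.0 ads.tracker.example
0.0.0.0 malware.example.net  # flagged in this constructed sample
127.0.0.1 localhost
"""
FEED_DOMAINS = "tracker.example\nads.tracker.example\ncdn.legit.example\n"
WHITELIST = {"legit.example"}  # reported as a false positive; cdn.legit.example is spared too

if __name__ == "__main__":
    print(unbound_zones(aggregate([FEED_HOSTS, FEED_DOMAINS], WHITELIST)), end="")
```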

Two-Layer Protection

DNS filtering and IP blocking work together to catch threats that slip through one layer:

Threat Scenario | DNS Layer | IP Layer
New domain + new IP | Misses | Misses
New domain + known bad IP | Misses | Blocked
Known bad domain + new IP | Blocked | Misses
Known bad domain + known bad IP | Blocked | Blocked

DNS over TLS

All DNS queries from your network are encrypted before leaving your home, so your ISP cannot see which domains you're looking up.

Configuration

Setting | Value | Why
Primary | Quad9 (9.9.9.9:853) | Non-profit, Swiss jurisdiction, no query logging
Backup | Cloudflare (1.1.1.1:853) | Fastest public DNS, KPMG-audited privacy
Encryption | TLS 1.3 | Latest standard

What Your ISP Sees

Without DNS over TLS

ISP sees every domain you query: netflix.com, bankofamerica.com, webmd.com...

They can build a complete profile of your browsing habits, sell it to advertisers, or comply with requests without your knowledge.

With SecureNet DoT

ISP sees: encrypted connection to 9.9.9.9:853

They know you're making DNS queries. They cannot see what domains you're querying.

Why Not Google DNS? SecureNet prioritizes DNS providers whose incentives align with user privacy. Quad9 is a non-profit with no logging. Cloudflare has audited privacy practices and no advertising business. Google's core business is advertising.

Hardware Monitoring (Monit)

Monit watches your firewall hardware 24/7 and sends email alerts before problems become crises.

What's Monitored

  • Port 1 NIC Status: Intel i226 NICs can fail. Monit detects link-down and alerts you. A 1-hour delay prevents false positives from brief outages.
  • CPU Usage: Alert at 95%+. Could indicate a DDoS attack, malware, or IDS overload.
  • Memory Usage: Alert at 90%+. Detects memory leaks or SYN flood attacks.
  • Disk Space: Alert at 90%+. Log growth can fill disks over time.
  • Unbound DNS: If DNS crashes, Monit automatically restarts it and alerts you. Self-healing: fixed before you notice.

Port 1 Failover Procedure

If Port 1 NIC fails (you receive Monit alert):

1. Unplug power from vault
2. Move ethernet cable from Port 1 → Port 4
3. Plug power back in
4. Wait 2 minutes for boot
5. Internet restored

# Note: VLANs won't work on Port 4. Only main network.
# Contact OSS for warranty replacement

Zenarmor Application Firewall

Zenarmor is the second layer of our two-layer packet inspection architecture. While Suricata inspects traffic at the WAN perimeter, Zenarmor monitors LAN traffic and identifies applications regardless of encryption.

[Image] Zenarmor Dashboard: Application visibility and control

What Zenarmor Catches That Suricata Can't

Scenario | Suricata (WAN) | Zenarmor (LAN)
Compromised device scanning internal network | Can't see (internal traffic) | Detects abnormal scanning
HTTPS malware from legitimate CDN | Sees valid HTTPS, passes | Detects behavioral anomaly
Bandwidth abuse (torrenting) | Sees encrypted traffic | Identifies BitTorrent application
Policy violations (TikTok on Kids VLAN) | Can't distinguish apps | Identifies and can block application

Free vs Paid Tiers

Free Tier (Included)

  • Application visibility
  • Device identification
  • Real-time traffic analysis
  • Dashboard & reporting
  • DPI / TLS fingerprinting

Home Tier ($10/month)

  • Everything in Free
  • 3 custom blocking policies
  • Application blocking
  • Web category filtering
  • Time-based controls
  • Safe search enforcement

Support Boundaries

OSS provides: Installation, configuration, and brief dashboard tutorial during onboarding.

Zenarmor provides: Ongoing support, feature training, policy creation help, troubleshooting.

WireGuard VPN Integration

SecureNet includes pre-configured WireGuard integration for SafeNet VPN subscribers. Traffic from SafeNet networks routes through our servers automatically via policy-based routing.

Tunnel Configuration

Parameter | Value
Protocol | WireGuard
MTU | 1420 (standard)
Persistent Keepalive | 25 seconds
AllowedIPs (default) | 0.0.0.0/0 (full tunnel)
AllowedIPs (Apple split tunnel) | 0.0.0.0/0 except 17.0.0.0/8 (APNS)

Policy-Based Routing

Network | Routing
Home, IoT, Smart, Guest, Kids | Direct to ISP (no VPN)
SafeNet VLAN (10.60.60.0/24) | Through WireGuard tunnel
SafeNet Port (10.70.70.0/24) | Through WireGuard tunnel

Apple Split Tunnel: Households with Apple devices get a customized AllowedIPs config that excludes Apple's 17.0.0.0/8 block. This preserves APNS (Apple Push Notification Service) delivery for iMessage, FaceTime, and app notifications while still tunneling all other traffic.
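WireGuard has no "except" keyword, so the Apple split tunnel above has to be expressed as the set of prefixes left after removing 17.0.0.0/8. The following added example (not the SecureNet-generated config itself) computes that list with Python's ipaddress module and checks which addresses end up in the tunnel; the sample addresses are constructed.

```python
import ipaddress


def split_tunnel_allowed_ips(exclusions, full="0.0.0.0/0"):
    """Return the sorted, minimal CIDR list covering `full` minus every network in `exclusions`.
    WireGuard can only exclude a block by listing the prefixes that remain; traffic to the
    excluded block then falls back to the normal (non-tunnel) route."""
    remaining = [ipaddress.ip_network(full)]
    for ex in exclusions:
        excluded = ipaddress.ip_network(ex)
        kept = []
        for net in remaining:
            if excluded.subnet_of(net):
                kept.extend(net.address_exclude(excluded))  # carve the hole out of this prefix
            elif not net.subnet_of(excluded):
                kept.append(net)                              # prefix untouched by the exclusion
        remaining = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def allowed_ips_line(exclusions):
    """Render the [Peer] AllowedIPs line for a WireGuard config file."""
    return "AllowedIPs = " + ", ".join(split_tunnel_allowed_ips(exclusions))


def via_tunnel(allowed_ips, ip):
    """True if `ip` is covered by the AllowedIPs list, i.e. WireGuard routes it into the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips)


if __name__ == "__main__":
    # The page's Apple split tunnel: everything except 17.0.0.0/8 (APNS).
    print(allowed_ips_line(["17.0.0.0/8"]))
    apple = split_tunnel_allowed_ips(["17.0.0.0/8"])
    for sample in ("1.1.1.1", "17.57.144.1"):  # constructed sample addresses
        print(sample, "-> tunnel" if via_tunnel(apple, sample) else "-> direct to ISP")
```

The exclusion expands to eight prefixes (0.0.0.0/4 through 128.0.0.0/1), which is why the split-tunnel AllowedIPs line is much longer than the full-tunnel one.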

Connect to SafeNet WiFi when you want private browsing. Connect to your regular network for everything else. No apps to install, no settings to change. It's automatic.

Learn More: SafeNet VPN is covered in detail on the SafeNet page.

Coreboot & Intel ME Disabled

Protectli Vaults ship with Protectli's coreboot firmware and Intel ME disabled via the HAP bit. This is the single most important firmware-level differentiator on this page, and no other home firewall vendor can legitimately claim it.

What Is Intel ME?

Intel's Management Engine is a secondary CPU embedded in nearly every Intel processor shipped since 2008. It runs its own closed-source firmware, has its own network stack, operates below the operating system, and cannot be inspected, audited, or disabled by standard means. It has full access to system memory, network interfaces, and storage. It runs whether your computer appears to be on or off.

Intel ME has had multiple documented critical vulnerabilities over the years, including remote code execution bugs discovered by researchers long after the affected hardware shipped. Because the ME runs below the OS, OS-level security tools can't see it and can't protect against it.

Intel ME runs on nearly every consumer firewall on the market. Firewalla Gold Plus. Netgate 2100. Ubiquiti UDM. Any Intel-based mini PC running pfSense or OPNsense without coreboot+HAP modifications. The ME is running. You cannot turn it off through standard firmware settings. Your firewall has a second, unauditable computer inside it with network access.

Protectli Vaults are the only home firewall appliances on the market that ship with Intel ME neutralized via HAP.

How Protectli Disables It: HAP Bit

The HAP (High Assurance Platform) bit is a configuration flag originally created for US government High Assurance Platform program customers. Setting HAP=1 causes the Intel ME to halt its firmware execution immediately after the bring-up phase. The ME is still present on the die (it's physically integrated into the chipset and can't be removed), but it stops running code after boot. No network stack. No listening services. No persistent execution.

Protectli ships all Vaults with coreboot firmware that sets HAP=1 and additionally cleans the ME firmware region to minimize the attack surface during the brief pre-HAP bring-up phase. This is the most thorough ME neutralization method publicly available and is used in production by security-focused organizations that require high-assurance hardware.

The Full Open Stack

Layer | Component | Open Source?
Hidden management CPU | Intel ME (disabled via HAP) | Neutralized
Firmware | Coreboot | Yes
Operating System | OPNsense (FreeBSD) | Yes
Configuration | SecureNet Configuration | Yes (Forgejo)
VPN Protocol | WireGuard | Yes

From chipset through VPN tunnel, every configurable component is publicly reviewable and independently auditable. The one component we can't open-source (Intel ME's physical presence on the die) is the one we neutralize.

For the skeptical: You can verify Intel ME is disabled on a Protectli Vault yourself. Tools like intelmetool and me_cleaner can inspect ME status post-boot. Protectli's coreboot source is publicly available.

WiFi Access Point

OSS offers an optional enterprise-grade Omada EAP720 wireless access point, professionally configured in Stand Alone mode: no cloud dependency, no subscriptions, full VLAN support.

Specifications

Feature | Value
WiFi Standard | WiFi 7 (802.11be) with MLO
2.4GHz Speed | Up to 344 Mbps
5GHz Speed | Up to 2,882 Mbps
SSIDs | 6 per band (one per VLAN)
VLAN Support | Full 802.1Q tagging
Coverage | ~1,500 sq ft per AP
Management | Stand Alone (local web interface)

Expansion: Homes over 1,500 sq ft can add additional Omada EAP720 access points. Wired backhaul recommended for best performance.

What's Included

Hardware (Purchased From Protectli)

  • Protectli Vault (V1410 or VP2430): Fanless firewall appliance with coreboot firmware, Intel ME disabled, 2-year hardware warranty
  • SecureNet Pre-Installed: Configuration loaded by Protectli engineers before ship. Plug in and baseline security is active.
  • Optional Omada EAP720 Wireless Access Point: WiFi 7 with full VLAN support, professionally configured. Not required if you already have a capable access point.

Services (OSS)

  • Onboarding Consultation: Customize SecureNet for your ISP, home, and device inventory
  • ZFS Snapshot + Encrypted Backup: Known-good restore point after onboarding
  • Network Documentation: Diagram, failover procedures, restore instructions

Optional Subscriptions

  • SafeNet VPN: Private browsing through OSS-operated WireGuard servers. Includes full support.
  • Zenarmor Home: Application blocking, parental controls. $10/month via Zenarmor.

No subscriptions required. The firewall provides complete security functionality without SafeNet or Zenarmor. These are optional enhancements, not requirements.

Is SecureNet Right for You?

Honest about who SecureNet is, and isn't, designed for.

Good Fit

  • ✓ Want professional security without learning networking
  • ✓ Value owning hardware with no mandatory subscriptions
  • ✓ Won't tinker with the configuration
  • ✓ ISP modem supports bridge mode
  • ✓ Want transparency: able to verify every claim

Not a Good Fit

  • ✗ Want to learn and experiment with OPNsense
  • ✗ Need 24/7 phone support
  • ✗ ISP won't allow bridge mode
  • ✗ Plan to heavily customize the configuration
  • ✗ Want a learning platform, not a finished product

Want to DIY? Our configurations are published on Forgejo. OPNsense is free and open source. You can absolutely replicate this yourself, but expect 20-30 hours for a first-time build if you already understand the stack, plus 4-6 hours/month ongoing maintenance to keep rulesets tuned and blocklists healthy. SecureNet is for people who want the result without the project.

Configuration Transparency

Everything is published. Verify every claim we make.

What's Public

  • SecureNet configurations: Forgejo
  • SafeNet server configurations: Forgejo
  • Security Performance Lab methodology and raw CSV data: Forgejo
  • AI Whitepaper: 50-page technical reference
  • DNS blocklist sources and aggregation methodology
  • Suricata ruleset selection rationale and tuning notes

What's NOT Public

  • Private keys (SSH, WireGuard)
  • Customer-specific passwords
  • That's it.

Ready to Secure Your Network?

Schedule a free 10-minute introduction call. We'll verify ISP compatibility, answer questions, and make sure SecureNet is right for you.