After exporting 593 days worth of traffic logs from my OPNsense homelab firewall, I developed a Python script to process the CSV data into JSON. Which I then visualized using D3.js and JavaScript.
seen from United States
seen from Netherlands
seen from Slovenia
seen from Australia
seen from Yemen
seen from United States

seen from Portugal
seen from China
seen from China
seen from United States

seen from Slovenia

seen from Slovenia

seen from United States
seen from United States
seen from United States
seen from Russia

seen from Slovenia

seen from United States
seen from United States
seen from Slovenia
After exporting 593 days worth of traffic logs from my OPNsense homelab firewall, I developed a Python script to process the CSV data into JSON. Which I then visualized using D3.js and JavaScript.

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch • No registration required • HD streaming
A JavaScript visualization featuring 75 days of activity on my home LAN.
alright open source tech types, what would you use for OS on your edge device? opnsense? openwrt? something else?
I was leaning toward opnsense, but the lil NUC I got could get wifi added on, and it's tempting to get better coverage, but looks like my options are super limited for FreeBSD compatible M.2 cards?
Hyppönen's Law: "If it's smart, it's vulnerable"
Netztrennung im Smart Home – warum sie heute unverzichtbar ist
Im modernen Haushalt hängen oft dutzende IoT-Geräte im WLAN: Kühlschränke, Lampen, Steckdosen, Kameras. Praktisch – aber sicherheitstechnisch meist schwach. Deshalb lohnt sich eine klare Trennung der Netzwerke, um zu verhindern, dass ein kompromittiertes IoT-Gerät Zugriff auf private PCs, Smartphones oder NAS bekommt.
VLANs & Segmentierung – einfach mehr Sicherheit
Mit VLANs lässt sich das Heimnetz logisch aufteilen, zum Beispiel in:
Home (private Geräte)
IoT (smarte Geräte)
Guest (Besucher)
OPNsense oder OpenWrt machen diese Segmentierung unkompliziert. Über Firewall-Regeln lässt sich festlegen, wer nur ins Internet darf, wer intern kommunizieren darf und wer komplett isoliert bleibt.
OpenWrt & mehrere SSIDs
Mit OpenWrt lassen sich mehrere WLAN-SSIDs definieren, die jeweils einem eigenen VLAN zugeordnet sind. Damit bleiben IoT-, Gäste- und Privatgeräte sauber getrennt – auch wenn alle über dieselben Access Points laufen.
802.11r – wenn mehrere Access Points im Spiel sind
In Haushalten mit mehreren Access Points erleichtert 802.11r (fast BSS transition) das Roaming zwischen APs. Es ermöglicht, dass Clients ihre Verbindung schneller an Nachbar-APs übergeben, ohne erneut vollständige Authentifizierung durchlaufen zu müssen. Das sorgt für stabile Verbindungen, selbst wenn jede SSID in verschiedene VLANs segmentiert bleibt.
VPN und DMZ – das Sahnehäubchen
Wer Dienste von außen erreichbar macht (z. B. Home Assistant, Kameras oder Server), sollte diese in einer DMZ isolieren – also einem getrennten Netzwerkbereich, der selbst bei Angriffen keinen Zugriff auf das interne Heimnetz gewährt.
Und für Privatkunden gilt: Ich empfehle grundsätzlich, niemals direkt Ports ins Internet zu öffnen, sondern ausschließlich über VPN auf das Heimnetz zuzugreifen. WireGuard bietet hier eine extrem sichere, schnelle und mobilfreundliche Lösung – ideal für Smartphones, Tablets oder Laptops. So bleibt der Fernzugriff nicht nur komfortabel, sondern auch maximal geschützt.
If It's Smart, It's Vulnerable : Hyppönen, Mikko: Amazon.de: Bücher
Intrusion Monitoring mit Graylog
Ein modernes Smart Home braucht mehr als eine Firewall. Ein intelligentes IDS/IPS auf Basis von OPNsense mit Suricata und Graylog überwacht sämtliche Zugriffe auf Web-Services und analysiert nicht nur was passiert, sondern auch die Intention hinter den Requests.
Suricata erkennt verdächtige Muster direkt auf Netzwerkebene, während Graylog die Ereignisse zentral sammelt, korreliert und visualisiert – inklusive Angreifer-Standorte, Honeypot-Auswertung und Echtzeit-Alerts bei bösartigem Verhalten. So werden Logs zu einem aktiven, transparenten Sicherheitssystem.

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
Free to watch • No registration required • HD streaming
Whimsical Systems Podcast #1
“When you finally get tired of your ISP router, one of the most-recommended replacements is making your own with a custom OPNsense firewall. This puts the power back in your hands, limits what your ISP can do to your connection, and gives you plenty of protection and features you’ve been missing all this time. But one of the awesome things about OPNsense isn’t just that it’s a powerful router, but that you can make it even better by installing other services as plugins.”
OPNsense is a fork of PFsense, with a more modern UI, more regular updates, and slightly lighter resource requirements.
The plugins listed are all very useful, but it is worth also just making some comments about some of them here, as I’ve been using a few of them myself after having considered alternatives:
Zenarmor can be used for free, but it will then lack the device tracking and alerting for unknown devices, as well as the more advanced rules management and additional profiles. For me, the device identification and management was quite key. Zenarmor is ideal for protecting the LAN side of the firewall by inspecting every network packet, and blocking/altering regarding known and emerging threats. It is similar to the free ntopng plugin, but ntopng really only analyses and inspects, and does no blocking. If you are interested in buying the Zenarmor subscription, my referral code SVNCDQ4TQW294 will get you 10% off your first payment (month or year).
OPNsense does have a built-in IDS/IPS system, but the issue really is you have to configure the rules to be downloaded, and then set them to alert/block, and it is a rather cumbersome process.
CrowdSec is ideal for blocking threats from outside your WAN, also compared to known threats. The free version is usually good enough for most people, and it adjusts the blocking rules of OPNsense.
Tailscale is a remote access tool that is based on WireGuard. For me, its big advantage can be that it is easier to configure end devices for access, and it will work well with dynamic IP addresses. Although Tailscale is a commercial product, the free version will do what most home users require.
The linked article mentions os-git-backup plugin for backing up config changes, but I am using the Nextcloud plugin to back up automatically to my own Nextcloud.
It is really worth exploring the OPNsense plugins as they can provide some really rich extra functionality. Just bear in mind everything may not work, e.g. the SMART drive plugin does not work with my Protectli eMMC drive.
See https://www.xda-developers.com/opnsense-plugins-that-make-my-home-network-a-joy-to-use
OPNManager is a streamlined, user-friendly application designed to simplify the management of OPNsense firewalls. Built with Tauri and SvelteKit, this cross-platform app provides an intuitive interface for users who need a more simplified alternative to the standard OPNsense web interface.
It is not an official OPNsense mobile app but will use the OPNsense API to allow a user to view and manage some basic dashboard functionality.
The dev is trying to get enough testers together (see on the r/opnsense Subreddit) and then the app can appear as a beta testing app on Android’s app store.
But if you look at the GitHub site you will see an Android APK release, as well as Linux releases including an AppImage so far.
See https://github.com/Red-Swingline/OPNManager