OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: BigFreddy on February 10, 2026, 08:49:19 AM

Title: Detections and blocking of malicious IPs \ Domains (Detailed Post)
Post by: BigFreddy on February 10, 2026, 08:49:19 AM
Hi,

I'm looking to see what are the options to detect and block malicious IPs and Domains that made inbound \ outbound connections per individual device on the network. This is to establish if a device was compromised in some way and to detect and block malicious connection(s) taking place. When it comes to features, what I would like to see is:


I'm thinking about buying an external hard drive that I would connect via USB port to store logs, so storage is not a problem. However, my hardware is relatively weak with 4 CPU cores and 8GB of DDR4 RAM. I'm looking for something more automated where I set it up and it just works, or I can occasionally do maintenance on it to review blocked domains and IPs. My initial plan was to just monitor if a malicious connection took place, but automatically blocking it would make things much easier. I'm looking for a solution that is aimed at home usage. I don't mind paying a small monthly fee if the solution does what I need with all the required features and a very up-to-date data feed; however, I would prefer something free.

Any suggestions on how I can go about it, and what are my options?
Title: Re: Detections and blocking of malicious IPs \ Domains (Detailed Post)
Post by: nero355 on February 10, 2026, 03:23:46 PM
There are plenty of options:

- ZenArmor
- Suricata
- Pi-Hole

The first two are full IDS/IPS solutions and the last one is a DNS blocklist based system which you can combine with this: https://forum.opnsense.org/index.php?topic=9245.0

I would say install a VM for each and have a look around in their webGUI :)
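One way to get the per-device view the original poster asks for out of Suricata (the second option above), as an added example that is not from this thread or from the Suricata/OPNsense projects: a small reader for Suricata's EVE JSON log that keeps only `alert` events, decides for each one which LAN device was involved and whether the connection was inbound or outbound, and groups alerts per device. The LAN range, the log path and the sample records are all assumptions for the sake of the example; the EVE field names (`event_type`, `src_ip`, `dest_ip`, `alert.signature`, `alert.severity`) are the real ones.

```python
"""Summarise Suricata EVE JSON alerts per LAN device.

Added example, not code from the forum thread or from the Suricata/OPNsense
projects. On OPNsense the EVE log lives under /var/log/suricata/ by default;
the file is not read here, the sample records below are constructed instead.
Assumption: the home network is 192.168.1.0/24.
"""
import ipaddress
import json
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range

# Constructed sample EVE lines (not real alerts or real signatures). Field
# names follow Suricata's EVE "alert" event schema. Severity 1 is the most
# severe in Suricata's priority scheme.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2026-02-10T08:50:01.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.20", "dest_ip": "203.0.113.7", "dest_port": 443,
                "alert": {"signature": "CONSTRUCTED MALWARE Beacon", "severity": 1}}),
    json.dumps({"timestamp": "2026-02-10T08:50:02.000000+0000", "event_type": "flow",
                "src_ip": "192.168.1.20", "dest_ip": "203.0.113.7", "dest_port": 443}),
    json.dumps({"timestamp": "2026-02-10T08:51:00.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.9", "dest_ip": "192.168.1.30", "dest_port": 22,
                "alert": {"signature": "CONSTRUCTED SCAN Port Sweep", "severity": 2}}),
    json.dumps({"timestamp": "2026-02-10T08:52:00.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.20", "dest_ip": "203.0.113.99", "dest_port": 53,
                "alert": {"signature": "CONSTRUCTED DNS Sinkhole Query", "severity": 2}}),
    "this line is not JSON and must be skipped",
    json.dumps({"timestamp": "2026-02-10T08:53:00.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.20", "dest_ip": "192.168.1.30", "dest_port": 445,
                "alert": {"signature": "CONSTRUCTED internal-only event", "severity": 3}}),
])


def parse_eve(text):
    """Yield only 'alert' events from EVE JSON lines; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def classify(rec, lan=LAN):
    """Return (device, direction, peer) for an alert.

    Returns None when both or neither endpoint is inside the LAN, because
    such an alert cannot be pinned to one device and one external peer."""
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dest_ip"])
    if src in lan and dst not in lan:
        return str(src), "outbound", str(dst)
    if dst in lan and src not in lan:
        return str(dst), "inbound", str(src)
    return None


def summarise(text, lan=LAN):
    """Map each LAN device to a list of (direction, peer, signature, severity)."""
    per_device = defaultdict(list)
    for rec in parse_eve(text):
        classified = classify(rec, lan)
        if classified is None:
            continue
        device, direction, peer = classified
        alert = rec.get("alert", {})
        per_device[device].append(
            (direction, peer, alert.get("signature", "?"), alert.get("severity", 3))
        )
    return dict(per_device)


def worst_severity(summary):
    """Device -> lowest severity number seen (1 = most severe), for triage ordering."""
    return {dev: min(sev for _, _, _, sev in alerts) for dev, alerts in summary.items()}


if __name__ == "__main__":
    summary = summarise(SAMPLE_EVE)
    worst = worst_severity(summary)
    for dev in sorted(summary, key=lambda d: worst[d]):
        print(f"{dev}  worst severity {worst[dev]}")
        for direction, peer, sig, sev in summary[dev]:
            print(f"  {direction:8} {peer:15} sev={sev} {sig}")
```

The same grouping is what you would want before deciding to block anything automatically: a device with repeated severity-1 outbound alerts to the same peer is a different situation from a single inbound scan alert, and the per-device list makes that distinction visible in a review pass.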
Title: Re: Detections and blocking of malicious IPs \ Domains (Detailed Post)
Post by: BigFreddy on February 12, 2026, 09:03:52 PM
Quote from: nero355 on February 10, 2026, 03:23:46 PM
There are plenty of options:

- ZenArmor
- Suricata
- Pi-Hole

The first two are full IDS/IPS solutions and the last one is a DNS blocklist based system which you can combine with this: https://forum.opnsense.org/index.php?topic=9245.0

I would say install a VM for each and have a look around in their webGUI :)

I took a look at the link you provided, but the guide is broken as the images are not available anymore. So, to use Pi-Hole, I need to make additional changes within OPNsense, while with the first two solutions (Zenarmor and Suricata) I don't need to make many adjustments when it comes to DNS within OPNsense?
Title: Re: Detections and blocking of malicious IPs \ Domains (Detailed Post)
Post by: nero355 on February 12, 2026, 10:38:22 PM
Quote from: BigFreddy on February 12, 2026, 09:03:52 PM
I took a look at the link you provided, but the guide is broken as the images are not available anymore.
I am guessing you are in a country that blocked IMGur.com, since the first post of the thread contains images hosted there and they work just fine here?!

Quote
So, to use Pi-Hole, I need to make additional changes within OPNsense, while with the first two solutions (Zenarmor and Suricata) I don't need to make many adjustments when it comes to DNS within OPNsense?
If you need to ask me that question, I would suggest taking some time to read a lot, and I do mean A LOT, about all three and how they work, because neither ZenArmor nor Suricata is a so-called "Turn it on and forget about it!" solution and you really need to know what you are doing!! ;)