- Scenario Overview
- STEP 1 - Deploy OPNsense Firewall Router (Bare Metal / Virtual Machine)
- STEP 2 - OPNsense Configuration Essentials
- STEP 3 - Unbound DNS Configuration (In OPNsense)
- STEP 4 - Docker Host Preparation (AdGuard Home or Pi-hole)
- STEP 5 - Deploy DNS Sinkhole (Pick One)
- STEP 6 - Ansible Infrastructure-as-Code & Backups
- STEP 7 - Confirm Final Integration
#Scenario Overview
- Purpose: Construct a resilient, robust homelab infrastructure to cover firewall, routing, DHCP, DNS resolution and ad-blocking using proven open-source tools.
- Components Integrated:
- OPNsense — Firewall, Router, DHCP, DNS rebinding protection
- Unbound (integrated within OPNsense) — Local recursive DNS resolver (self-hosted DNS queries)
- AdGuard Home OR Pi-hole (in Docker) — DNS sinkhole (ad-blocking, tracker blocking, DNS-over-HTTPS capability)
- Docker — Lightweight and flexible service encapsulation
- Ansible — Automated infrastructure deployment, backups, and recovery.
#STEP 1 - Deploy OPNsense Firewall Router (Bare Metal / Virtual Machine)
#Installation
Download installer from official source:
- Official Image: https://opnsense.org/download/
- Recommendation: latest stable ISO version, amd64 architecture
Install OPNsense on dedicated hardware or virtualization hypervisor (recommended hypervisors: Proxmox, VMware ESXi, XCP-ng).
#Network Interfaces
- Assign at least two interfaces:
  - WAN → ISP modem (public facing)
  - LAN → Switch (internal network, client-facing)
Adjust default interface settings to match your network.
#STEP 2 - OPNsense Configuration Essentials
Login: https://<opnsense-ip> (after Step 2 this is https://192.168.10.1)
(Web GUI default user: root, password: opnsense; change the default password at first login)
#LAN Interface Configuration
Example addressing scheme:
- LAN Network: 192.168.10.0/24
- OPNsense LAN IP: 192.168.10.1
Configure at:
- Interfaces → LAN: static IPv4, CIDR 192.168.10.1/24
#DHCP Server Setup
- In Services → DHCPv4 → LAN:
  - Enable DHCPv4 server
  - Range: 192.168.10.100 - 192.168.10.200
  - Gateway: 192.168.10.1
  - DNS Server: will be assigned later (the AdGuard Home or Pi-hole host from Step 5, 192.168.10.5)
#Firewall Basic Rules (default recommended rules):
- LAN interface → allow LAN to Any via IPv4 (default outbound rule provided by OPNsense)
- WAN interface → default deny incoming, allow responses from LAN initiated traffic (default)
#STEP 3 - Unbound DNS Configuration (In OPNsense)
Location: Services → Unbound DNS
- Enable Unbound service (check)
- DNSSEC Validation (check)
- Listen interfaces (check both): LAN and Localhost only, so the resolver is never reachable from WAN
- Access Lists: Allowed networks (“192.168.10.0/24”); this range also covers the sinkhole host at 192.168.10.5, which forwards its queries to Unbound
- Advanced settings (recommended):
  - Enable DNS rebinding protection (check) under System → Settings → Administration → DNS settings (“Enable DNS Rebinding Checks”).
#STEP 4 - Docker Host Preparation (AdGuard Home or Pi-hole)
Deploy on a dedicated physical server or VM, e.g., Ubuntu Server 22.04 LTS.
#Set static IP on Docker host (example):
Configure static IP:
Apply and reboot:
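The static-address configuration below is an added example, not the page's original file (which was not preserved). It is a netplan file for Ubuntu Server, saved as /etc/netplan/01-static.yaml; it assumes the Docker host's NIC is named enp0s3 (check with `ip link` and adjust) and uses the addressing scheme from Step 2.

```yaml
# /etc/netplan/01-static.yaml  (added example; adjust the interface name)
# The host points at Unbound on OPNsense for its own resolution, not at the
# sinkhole container it will later run, so the host still resolves names while
# the container is down or being rebuilt.
network:
  version: 2
  ethernets:
    enp0s3:                    # assumption: NIC name, verify with `ip link`
      dhcp4: false
      addresses:
        - 192.168.10.5/24      # Docker host / future DNS sinkhole address
      routes:
        - to: default
          via: 192.168.10.1    # OPNsense LAN IP
      nameservers:
        addresses:
          - 192.168.10.1       # Unbound on OPNsense
```

Restrict the file to root (`sudo chmod 600 /etc/netplan/01-static.yaml`, newer netplan releases warn about world-readable files), apply with `sudo netplan apply`, reboot as the page says, and confirm with `ip -br addr` that 192.168.10.5/24 is bound. Note that Ubuntu's systemd-resolved keeps a stub listener on 127.0.0.53:53; the sinkhole in Step 5 should bind port 53 on 192.168.10.5 specifically rather than on 0.0.0.0 to avoid that conflict.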
#Installing Docker (Ubuntu Example):
Install Docker Engine and the Docker Compose plugin from Docker's official apt repository (https://docs.docker.com/engine/install/ubuntu/), so that the `docker compose` subcommand used in Step 5 is available.
#STEP 5 - Deploy DNS Sinkhole (Pick One)
#OPTION A) AdGuard Home via Docker
Create directories:
Launch AdGuard Home via Docker Compose:
Deploy:
Web login to AdGuard Home at http://192.168.10.5:3000 (first-run setup wizard).
After completing setup, set the DNS server in the OPNsense DHCPv4 configuration (Services → DHCPv4 → LAN) to 192.168.10.5.
#OPTION B) Pi-hole via Docker
Create directories:
Docker Compose YAML (~/docker/pihole/docker-compose.yml):
Start Pi-hole:
Access WebGUI at http://192.168.10.5/admin
Set DHCP DNS IP to 192.168.10.5 in the OPNsense DHCP server.
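The Compose file below is an added example covering both Option A and Option B; it is not the page's original file for either tool. It assumes the host address 192.168.10.5 and the Unbound upstream 192.168.10.1 from the earlier steps, the directory ~/docker/dns-sinkhole (create it plus the adguard/ and pihole/ data subdirectories first), and the environment variable names of the current Pi-hole image (the older v5 image used WEBPASSWORD and PIHOLE_DNS_ instead; check the image README for your tag).

```yaml
# ~/docker/dns-sinkhole/docker-compose.yml  (added example)
# Both services sit behind Compose profiles, so nothing starts until one is chosen:
#   docker compose --profile adguard up -d     (Option A)
#   docker compose --profile pihole  up -d     (Option B)
# Ports are bound to the host's LAN address, not 0.0.0.0, so the container does
# not collide with systemd-resolved's stub listener on 127.0.0.53:53.
services:
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    profiles: ["adguard"]
    ports:
      - "192.168.10.5:53:53/tcp"
      - "192.168.10.5:53:53/udp"
      - "192.168.10.5:3000:3000/tcp"   # first-run setup wizard
      - "192.168.10.5:80:80/tcp"       # admin web UI after setup
    volumes:
      - ./adguard/work:/opt/adguardhome/work
      - ./adguard/conf:/opt/adguardhome/conf
    # AdGuard Home takes its upstream from the wizard / Settings -> DNS settings:
    # enter 192.168.10.1 (Unbound) there, and nothing else, so every lookup is
    # resolved recursively on your own firewall rather than by a public resolver.

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    profiles: ["pihole"]
    ports:
      - "192.168.10.5:53:53/tcp"
      - "192.168.10.5:53:53/udp"
      - "192.168.10.5:80:80/tcp"
    environment:
      TZ: "Etc/UTC"                                  # placeholder, set your zone
      # assumption: current-image variable names (v5 used WEBPASSWORD / PIHOLE_DNS_)
      FTLCONF_webserver_api_password: "CHANGE-ME-before-first-start"
      FTLCONF_dns_upstreams: "192.168.10.1"          # forward only to Unbound
      FTLCONF_dns_listeningMode: "all"               # answer on the bridged interface
    volumes:
      - ./pihole/etc-pihole:/etc/pihole
      - ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
```

Whichever profile you start, the only upstream is Unbound, which is why Step 3's access list must include the sinkhole's address; the WAN default-deny rule from Step 2 keeps port 53 and the admin UI off the internet, and the admin password placeholder must be replaced before the first `up`.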
#STEP 6 - Ansible Infrastructure-as-Code & Backups
Install Ansible (on local PC, Linux):
Project Directory structure:
inventory.yml:
site.yml:
roles/docker_host/tasks/main.yml:
roles/opnsense_backup/tasks/main.yml (ex. OPNsense backup):
Run Ansible Playbook (periodically):
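The two files below are an added example of the inventory and playbook layout described above; they are not the page's own playbooks, which were not preserved. Assumptions: SSH user `ubuntu` on the Docker host, the Compose stack living in /home/ubuntu/docker/dns-sinkhole with its file tracked in the project under files/docker-compose.yml, an OPNsense API key/secret (System → Access → Users) stored in an ansible-vault encrypted vault.yml, and the backup download endpoint /api/core/backup/download/this of the OPNsense core backup API (verify the path against your release; older releases needed the os-api-backup plugin). The roles directories from the page are folded into inline tasks here to keep the example short.

```yaml
# inventory.yml  (added example)
all:
  children:
    docker_hosts:
      hosts:
        dns-sinkhole:
          ansible_host: 192.168.10.5
          ansible_user: ubuntu
    firewalls:
      hosts:
        opnsense:
          ansible_host: 192.168.10.1
---
# site.yml  (added example; tasks shown inline instead of under roles/)
- name: Docker host - reconcile and back up the DNS sinkhole stack
  hosts: docker_hosts
  become: true
  vars:
    stack_dir: /home/ubuntu/docker/dns-sinkhole     # assumption
    sinkhole_profile: adguard                        # or: pihole
    backup_stamp: "{{ lookup('pipe', 'date +%Y%m%d') }}"
  tasks:
    - name: Ensure the stack directory exists
      ansible.builtin.file:
        path: "{{ stack_dir }}"
        state: directory
        mode: "0750"

    - name: Install the version-controlled compose file
      ansible.builtin.copy:
        src: files/docker-compose.yml
        dest: "{{ stack_dir }}/docker-compose.yml"
        mode: "0640"

    - name: Start (or reconcile) the selected sinkhole
      ansible.builtin.command:
        cmd: "docker compose --profile {{ sinkhole_profile }} up -d"
        chdir: "{{ stack_dir }}"
      changed_when: false

    - name: Archive the sinkhole's persistent data (blocklists, settings, query log)
      community.general.archive:
        path: "{{ stack_dir }}"
        dest: "/var/backups/dns-sinkhole-{{ backup_stamp }}.tgz"
        format: gz
        mode: "0600"

    - name: Pull the archive back to the controller
      ansible.builtin.fetch:
        src: "/var/backups/dns-sinkhole-{{ backup_stamp }}.tgz"
        dest: backups/
        flat: true

- name: OPNsense - export the running configuration over the API
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault.yml            # defines opnsense_api_key / opnsense_api_secret (vault-encrypted)
  vars:
    opnsense_host: "{{ hostvars['opnsense'].ansible_host }}"
    backup_stamp: "{{ lookup('pipe', 'date +%Y%m%d') }}"
  tasks:
    - name: Ensure the local backup directory exists
      ansible.builtin.file:
        path: backups
        state: directory
        mode: "0700"

    - name: Download config.xml via the backup API (endpoint path is an assumption)
      ansible.builtin.uri:
        url: "https://{{ opnsense_host }}/api/core/backup/download/this"
        method: GET
        url_username: "{{ opnsense_api_key }}"
        url_password: "{{ opnsense_api_secret }}"
        force_basic_auth: true
        validate_certs: true   # false only while the GUI still uses its self-signed cert
        dest: "backups/opnsense-config-{{ backup_stamp }}.xml"
        status_code: 200
      no_log: true             # keep the API credentials out of the run output
```

Run it with `ansible-playbook -i inventory.yml site.yml --ask-vault-pass` (or a vault password file) from the project directory; the `community.general` collection is needed for the archive task. Both the OPNsense config.xml and the sinkhole archive contain secrets (API users, admin password hashes), so the backups/ directory belongs in a private, encrypted location rather than a public git remote.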
#STEP 7 - Confirm Final Integration
Clients → DHCP DNS server (192.168.10.5) → AdGuard or Pi-hole → Unbound (OPNsense at 192.168.10.1) → Internet DNS root servers
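The playbook below is an added example, not part of the original page, that checks each hop of the chain above from inside the LAN. It runs on the Docker host (so queries originate where a client's would) and assumes `dig` is installed there (package dnsutils on Ubuntu), that ietf.org remains a DNSSEC-signed zone, that dnssec-failed.org remains a deliberately broken one, and that you have added a test domain of your own to the sinkhole's blocklist and put it in blocked_test_domain.

```yaml
# verify-dns.yml  (added example)
- name: Verify the resolution chain sinkhole -> Unbound -> root servers
  hosts: docker_hosts
  gather_facts: false
  vars:
    sinkhole_ip: 192.168.10.5
    unbound_ip: 192.168.10.1
    signed_test_domain: ietf.org                 # any DNSSEC-signed zone
    bogus_test_domain: dnssec-failed.org         # intentionally broken signatures
    blocked_test_domain: "CHANGE-ME.example"     # placeholder: a domain on your blocklist
  tasks:
    - name: Unbound answers directly and sets the AD (authenticated data) flag
      ansible.builtin.command: "dig @{{ unbound_ip }} +dnssec {{ signed_test_domain }} A"
      register: unbound_ok
      changed_when: false

    - name: Unbound refuses a zone whose DNSSEC chain is broken
      ansible.builtin.command: "dig @{{ unbound_ip }} {{ bogus_test_domain }} A"
      register: unbound_bogus
      changed_when: false
      failed_when: false

    - name: Sinkhole resolves a normal domain through Unbound
      ansible.builtin.command: "dig @{{ sinkhole_ip }} +short {{ signed_test_domain }} A"
      register: sinkhole_ok
      changed_when: false

    - name: Sinkhole blocks a listed domain
      ansible.builtin.command: "dig @{{ sinkhole_ip }} +short {{ blocked_test_domain }} A"
      register: sinkhole_blocked
      changed_when: false

    - name: Evaluate the results
      ansible.builtin.assert:
        that:
          - "'flags: qr rd ra ad' in unbound_ok.stdout"      # DNSSEC validation active
          - "'status: SERVFAIL' in unbound_bogus.stdout"     # bogus data is not served
          - sinkhole_ok.stdout | length > 0                  # forwarding to Unbound works
          - sinkhole_blocked.stdout in ['0.0.0.0', '']       # null-IP or NXDOMAIN block
        fail_msg: >-
          DNS chain is not wired as expected; check the DHCP DNS entry, the
          sinkhole's upstream setting and the Unbound access list.
```

Run `ansible-playbook -i inventory.yml verify-dns.yml`; if the first assertion fails while the others pass, DNSSEC validation in Step 3 is off, and if the last one returns a real address, the sinkhole is answering but the blocklist has not loaded yet. Clients on the LAN should afterwards show 192.168.10.5 as their only DNS server in their lease.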
Backup strategy — Fully automated via Ansible, consistently reproducible.
Homelab complete and optimized!