DNS-based filters have been the standard tool for years to block unwanted applications inside the corporate network. But with DNS-over-HTTPS (DoH), DNS-over-TLS and more and more apps shipping their own resolvers or hard-coded IP pools, classic blocklists are losing their bite. An employee who wants TikTok installs a WireGuard tunnel on their personal phone in two minutes — and the DNS block on the Pi-hole never sees a thing.
This is exactly where Zenarmor steps in: a Layer 7 security plugin for OPNsense that identifies applications by their traffic behaviour — independent of DNS, port or TLS SNI. In this article we show what that looks like in practice, which licence makes sense for SMBs and what kind of performance you should expect on a symmetric Gigabit line.
Why classic filters fail today
Three effects make life hard for DNS- and port-based blocking:
- DNS-over-HTTPS is on by default in Chrome, Edge and Firefox. Queries go to Cloudflare, Google or NextDNS — the local resolver sees nothing.
- App-internal resolvers: TikTok, WhatsApp and many games bring hard-coded resolvers or bootstrap IPs.
- VPN tunnels as bypass: WireGuard on port 443/UDP looks like normal HTTPS traffic to a traditional firewall.
Zenarmor solves this by classifying packets not by domain or port but by application fingerprints — packet sizes, timing, TLS handshake patterns and flow behaviour. That way TikTok can still be detected even if the user has built a tunnel to a Hetzner server, because the characteristic shape of the TikTok stream remains visible.
Installation on OPNsense 25.7
Setup on a current OPNsense 25.7 takes only a few minutes:
# SSH into OPNsense
pkg install os-sensei
# Then in the web UI:
# System -> Firmware -> Plugins -> enable os-sensei
# Afterwards under "Zenarmor" launch the Initial Setup Wizard
During the wizard you select the interfaces to monitor (typically LAN, plus VLANs for guest, IoT and staff) and define a storage location and retention for reporting data. We recommend a dedicated ZFS dataset on SSD with at least 50 GB for an SMB with 50 clients and 90 days of log retention.
Licence tiers: Free, Home and Business
Zenarmor ships in four editions. In practice only three are relevant for SMBs:
| Edition | App detection | Reporting | Cloud threat intel | Price (2026) |
|---|---|---|---|---|
| Free | around 300 apps | 24 h | no | 0 EUR |
| Home | around 1,500 apps | 7 days | limited | around 30 EUR/year |
| SOHO | around 4,500 apps | 90 days | yes | around 290 EUR/year |
| Business | around 4,500 apps | unlimited | yes, with SLA | from around 720 EUR/year |
The Free edition is fine for a first evaluation, but as soon as you want to productively block TikTok, Instagram Reels or specific generative AI tools, you need SOHO or Business. Only there do you get the fingerprints for the popular social media and AI platforms.
Whitelist mode versus blocklist mode
Zenarmor supports two fundamental policy models:
Blocklist mode (default): Everything is allowed except the listed categories. Practical for environments where staff should browse relatively freely, but categories such as “Social Networking”, “Adult Content” or “Anonymizer” are blocked. Low maintenance, acceptable risk.
Whitelist mode: Nothing is allowed except explicitly permitted applications. Useful for highly sensitive subnets — for example a production VLAN that may only talk to the MES and a handful of update servers. Very restrictive, high initial effort, but extremely resilient against shadow IT.
In typical SMB setups we combine both approaches: staff VLAN in blocklist mode, IoT and server VLANs strictly in whitelist mode. Zenarmor cleanly separates this per policy.
Concrete example: blocking social media despite DoH and VPN
A typical scenario from our projects: management wants social media blocked during working hours, but the Wi-Fi for staff phones shares the SSID with the company laptops (a bad practice we regularly fix during OPNsense consulting).
Configuration:
- Policy “Staff LAN”
- Enable Application Control
- Category “Social Networking” -> Block
- Category “Anonymizer & Proxy” -> Block (covers Tor and some consumer VPNs)
- Application “WireGuard” and “OpenVPN” -> Allow only for the source IP of the corporate VPN server, otherwise Block
- Enable TLS fingerprinting
Test result: even if an employee uses a private cloud VPN provider on port 443/TCP, Zenarmor recognises the WireGuard- or OpenVPN-typical handshake pattern and blocks tunnel setup. The user only sees that “the connection doesn’t come up” — without a classic block banner in the browser.
Reporting and dashboard
The Zenarmor dashboard is one of the big advantages over pure Suricata or ntopng setups. You see per host, user (with AD integration), application and category:
- Top apps by bytes and sessions
- Blocked hits per policy
- History of individual endpoints (forensic view)
- Threat events from cloud threat intel
- Bandwidth heatmap per hour
Important for GDPR compliance: you can disable or pseudonymise user tracking and have logs auto-deleted after X days. In SMB projects we usually configure 30 days of detailed logs and 12 months of aggregated statistics.
Performance on a 1 Gbit symmetric line
The most common practical question: “Will this slow down my internet?” Our measurements on standard hardware — a 4-core Intel N305 with 16 GB RAM and 2.5G NICs — on a 1 Gbit symmetric line:
| Configuration | Throughput (iperf3) | CPU load |
|---|---|---|
| OPNsense bare, no IDS | 940 Mbit/s | 12 % |
| OPNsense + Suricata IPS | 680 Mbit/s | 55 % |
| OPNsense + Zenarmor (Free) | 920 Mbit/s | 22 % |
| OPNsense + Zenarmor (SOHO, all features) | 880 Mbit/s | 38 % |
| OPNsense + Zenarmor + Suricata in parallel | 620 Mbit/s | 71 % |
Zenarmor alone barely slows things down — the big jump comes when you also run Suricata signatures. For most SMBs we recommend Zenarmor as the L7 layer and Suricata only selectively for CVE protection on exposed servers, instead of enabling both across the board.
Conclusion and recommendation
Zenarmor closes the gap that DNS filters and classic firewall rules leave behind through DoH, app-internal resolvers and private VPN tunnels. The SOHO licence is available at a fraction of the cost of commercial NGFW subscriptions and provides reporting that even non-technical management understands. The key is a clean policy architecture — blocking everything wholesale only causes friction, while a well-thought-out mix of whitelist and blocklist mode brings calm to the network.
DATAZONE supports you in choosing the right licence, building the policy structure and integrating Zenarmor into existing Active Directory and backup landscapes. We look after OPNsense deployments from single-site setups to multi-site environments with central reporting. Reach out via our contact page — we provide a realistic assessment for your network and, on request, handle the full implementation.
More on these topics:
More articles
Linux Server Hardening: 15-Minute Checklist
Ten concrete hardening steps for a freshly installed Debian, Ubuntu or Rocky Linux server — SSH, updates, firewall, auditing, sudo, limits, services, NTP, logging, kernel sysctl. With commands, doable in a quarter of an hour.
Backup Encryption: Key Management Done Right
Encrypted backups are useless if key management is sloppy. Symmetric vs. asymmetric, vault options, rotation, recovery scenarios and the tool-level practice for PBS, Restic and TrueNAS.
OPNsense 26.7 Release: What's Coming
OPNsense 26.7 is due: what to expect from the traditional July major release — HardenedBSD/FreeBSD update, plugin refresh, GUI improvements. An honest look at the public roadmap.