OPNsense Rule & Alias Recipe Generator
Pick a goal — isolate an IoT VLAN, guest-WiFi internet-only, force all DNS to Pi-hole, WireGuard road-warrior, block a country, a safe port-forward — fill a few names and subnets, and get an ordered, copy-pasteable OPNsense rule plan in the exact UI terms, with the reason for every line and an inline lint.
1. Pick a goal
2. Fill the details
—
3. Your rule plan
Aliases to create first
Firewall ▸ Aliases. Create these before the rules so you can reference them by name.
Ordered rule plan
Create in this order. Each row shows where in the OPNsense UI, the rule, and why it exists.
How to read this & honest caveats
OPNsense applies floating rules (those with quick) before per-interface rules,
and within an interface it is first-match-wins, top to bottom. NAT is evaluated
before the filter, which is why a port-forward's matching firewall rule references the
internal IP and port, not the external one. The plan above is ordered so a naive top-to-bottom
paste behaves correctly; the inline lint flags the three mistakes that break these recipes most often:
an any → any allow that shadows everything below it, a NAT port-forward with no associated pass
rule, and floating-vs-interface ordering.
OPNsense is stateful: a pass rule automatically permits the return traffic, so these recipes
deliberately do not add separate "reply" rules — adding them is a common source of confusion. The
WireGuard recipe explicitly includes the interface-assignment step because without it the
Firewall ▸ Rules ▸ <wg> tab does not exist at all.
Recipes, parameters and lint conditions live in src/data/opnsense-recipes.json
(model v1.0.0). This produces a plan to apply by hand on a current OPNsense release — it is
not a config import and does not know your existing ruleset. Always review every rule before
Apply, and test from the affected VLAN, not just from LAN.