How to run software (e.g. docker) on box with OPNSense installed?

Hello all, I just registered here to ask the question below (which is beyond the scope of YouTube comments…; see the last paragraph below). I got interested in pfSense (and ended up using OPNSense due to i226-v compatibility/support issues) after following the Lawrence Systems channel on YouTube for a while, which really helped me get started with more advanced network hardware/setup.

Up until recently I ran my network on a dumb TP-Link router + QNAP NAS. Now my setup looks as follows: FTTH connection through a fibre modem going into an AliExpress box natively (not in a VM) running OPNSense; behind that a Netgear managed switch, a QNAP NAS (running Pi-hole), a Wi-Fi AP and some home IoT devices (e.g. heating).

The question is: OPNSense does 80% of what I need, but all the additional gimmicks like Bitwarden, a Linux box and other software are, from what I gather from community posts and tutorials, most of the time best run from a Docker container or a separate install. The FreeBSD underbelly of OPNSense has limited repositories available and I don’t want to break things. What’s the best setup to run additional software on the same hardware as the OPNSense firewall? Is there a best practice or recommended setup for working with containers alongside OPNSense?

While I love to tinker with my network, I’m trying to get a somewhat future-proof setup with limited maintenance needs (other than security updates) once set up and configured.

Thanks for the input and the support in advance.
Best practice is not to run other services and software on the firewall. I would recommend running a separate box behind the firewall in order to run these services. If it is just for personal use, this doesn’t have to be high-end server hardware.

If you absolutely have to run everything on a single box, you could install a hypervisor like Proxmox or XCP-ng on it and install OPNSense and the other services in separate VMs. But that complicates things, and if there is a problem with the box, or if you have to reboot it, the internet connection for your entire network will be gone / get disrupted. I’m not a big fan of this solution.

Why don’t you use the QNAP to host your applications in a VM or container?

Thank you both for the comments. I agree with your statement that running additional applications on the firewall is a security snafu.

I have Container Station on the QNAP, where I’m already running Pi-hole. So it’s not an issue to run further apps there, but so far the QNAP’s crippled Linux has made it very difficult to get many containers to run properly.