How to run software (e.g. docker) on box with OPNSense installed?

Hello all, I just registered here to ask the below question (being beyond the scope of YouTube comments…; last paragraph below) but got interested in pfsense (and ended up using OPNSense due to i226-v compatibility/support issues) after following the Lawrence Systems channel on YouTube for a while, which really helped me to start with the more advanced network hardware/setup.

Up until recently I ran my network on a dumb TP-Link router + QNAP NAS. Now my setup looks as follows: FTTH connection through a fibre modem going into an AliExpress box natively (not VM) running OPNSense, behind that a Netgear managed switch, a QNAP NAS (running Pi-hole), Wifi AP and some home IoT devices (e.g. heating).

The question is: OPNSense does 80% of what I need, but all the additional gimmicks like Bitwarden, a Linux box and other software are, from what I gather from community posts and tutorials, most of the time best run from a docker container or a separate install. The FreeBSD underbelly of OPNSense has limited repositories available and I don’t want to break things. What’s the best setup to run additional software on the same hardware as the OPNSense firewall? Is there a best practice or recommended setup for working with containers alongside OPNSense?

While I love to tinker with my network, I’m trying to get a somewhat future proof setup with limited maintenance need (other than security updates) once set up and configured.

Thanks for the input and the support in advance.

Michael

Hi @MPH

Best practice is not to run other services and software on the firewall. I would recommend running a separate box behind the firewall in order to run these services. If it is just for personal use, this doesn’t have to be high-end server hardware.

If you absolutely have to run everything on a single box, you could install a hypervisor like Proxmox or XCP-NG on it and install OPNSense and the other services in separate VMs. But that complicates things, and if there is a problem with the box, or if you have to reboot it, the internet connection on your entire network will be gone / get disrupted. I’m not a big fan of this solution.

Why don’t you use the QNAP to host your applications in a VM or container?

Thank you both for the comments. I agree with your statement that running additional applications on the firewall is a security snafu.

I have Container Station on the QNAP, where I’m already running Pi-hole. So it’s not an issue to run further apps there, but so far the QNAP’s crippled Linux has made it very difficult to get many containers to run properly.