diff --git a/OPNSENSE_RECOMMENDATION.md b/OPNSENSE_RECOMMENDATION.md new file mode 100644 index 0000000..4ae0361 --- /dev/null +++ b/OPNSENSE_RECOMMENDATION.md 
@@ -0,0 +1,256 @@ +# OPNsense vs OpenWRT: The Superior Choice + +## 🎯 Bottom Line Recommendation + +**Buy a Protectli VP2420 ($400-450) and run OPNsense with Zenarmor** + +Your current hardware (Archer AX72 Pro) becomes a dedicated WiFi Access Point. + +## Why OPNsense Wins for Your Household + +### What You Get vs What You Can't Get + +| Feature | OpenWRT on Archer | OPNsense + Dedicated HW | +|---------|-------------------|-------------------------| +| **Application Control** | ❌ Can't distinguish apps | ✅ Block TikTok, allow Khan Academy | +| **Traffic Visibility** | Basic bandwidth totals | **Full Deep Packet Inspection** | +| **Parental Controls** | All-or-nothing blocking | **Per-app time quotas & schedules** | +| **Reporting** | Manual log analysis | **Automated daily email reports** | +| **Content Filtering** | DNS only | **DPI + DNS + TLS inspection** | +| **Cost (5 years)** | $0 | $695 ($400 HW + $295 Zenarmor) | + +## The Game-Changing Difference + +### OpenWRT Says: +``` +"Bella used 2GB today" +``` + +### OPNsense with Zenarmor Says: +``` +Bella used 2GB today: + - 1.2GB YouTube (700MB educational, 500MB entertainment) + - 500MB TikTok (EXCEEDED QUOTA at 5:43 PM - BLOCKED) + - 200MB Discord + - 100MB Khan Academy + +Peak usage: 3-5 PM +Violations: + - Attempted adult site at 4:32 PM (BLOCKED) + - Bypassed SafeSearch at 6:15 PM (BLOCKED) + - 3rd violation this week (parent alert sent) +``` + +**That's the difference!** + +## Real-World Example: School Night Gaming + +### Problem: "Bella is gaming too much during school hours" + +#### OpenWRT Solution: +- Block ALL internet during school hours +- OR manually identify gaming server IPs and block those +- **Problem:** Can't distinguish homework from gaming +- **Result:** Blocks everything or nothing + +#### OPNsense + Zenarmor Solution: +```yaml +Policy: Bella (14yo) - School Days + +7 AM - 3 PM (School Hours): + ✅ Allow: Educational sites (Khan Academy, school portal) + ✅ Allow: Research (Wikipedia, 
Google for homework) + ❌ Block: Gaming (Fortnite, Roblox, Minecraft, web games) + ❌ Block: Social Media (TikTok, Instagram, Snapchat) + ❌ Block: Streaming (YouTube, Netflix, Disney+) + +3 PM - 9 PM (After School): + ✅ Allow: YouTube Educational (2 hours max) + ⏱️ Limit: Gaming (1 hour max) + ⏱️ Limit: TikTok (30 minutes max) + 🔒 Force: SafeSearch on all searches + +9 PM - 7 AM (Bedtime): + ❌ Block: Everything except emergency sites + +Always: + ❌ Block: Adult content, Gambling, Violence + 📧 Alert: Parent on violations + 📊 Log: All blocked attempts +``` + +**OpenWRT CANNOT do this!** + +## Recommended Hardware: Protectli VP2420 + +### Specs ($400-450): +- **CPU:** Intel Celeron J6412 (4 cores, 2.0 GHz) +- **RAM:** 8GB DDR4 (upgradeable to 32GB) +- **Storage:** 256GB M.2 SSD +- **Network:** 4x Intel 2.5GbE +- **Power:** 6-10W (silent, fanless) + +### Performance: +- ✅ 1 Gbps with Zenarmor Deep Packet Inspection +- ✅ Runs Suricata IDS/IPS simultaneously +- ✅ Months of detailed logs +- ✅ Room for future features + +### vs Archer AX72 Pro (for reference): +- CPU: 880 MHz MIPS ❌ +- RAM: 512MB ❌ +- Storage: 128MB flash ❌ +- **Cannot run Zenarmor** ❌ +- **Cannot do DPI** ❌ + +## Cost Justification + +### 5-Year Total: +- **OPNsense:** $400 + ($59/year × 5) = **$695 total** ($11.58/month) +- **Commercial Service (Qustodio):** $138/year × 5 = **$690** +- **OpenWRT:** $0 (but basic features only) + +**OPNsense gives you MORE than commercial services for the SAME price!** + +Plus you get: +- Professional firewall +- Network security (IDS/IPS) +- Traffic analysis +- Router redundancy +- Future upgrade path + +## What Zenarmor Gives You + +### 1. Live Session Monitoring +See RIGHT NOW what each person is doing: +- "Bella is watching YouTube (Educational) - 2.5 Mbps" +- "Xander is on Discord voice chat - 500 Kbps" +- "William is downloading from Steam - 45 Mbps" + +### 2. 
Application-Level Blocking +- "Block TikTok for Bella" +- "Block Fortnite during school hours" +- "Block all social media 9 PM - 7 AM" +- Works even if they use VPNs or proxies! + +### 3. Time Quotas Per App +- "2 hours of YouTube per day" +- "1 hour of gaming per day" +- "30 minutes of TikTok per day" +- Automatic blocking when exceeded + +### 4. Safe Search Enforcement +- Google: Forced Safe Search +- YouTube: Restricted Mode +- Bing: Strict filtering +- **Cannot be disabled by kids** + +### 5. Category-Based Filtering +- Block: Adult Content, Gambling, Violence (always) +- Limit: Social Media (time-based) +- Limit: Streaming (bandwidth-based) +- Allow: Educational (always) + +### 6. Professional Reporting +Automated daily email: +``` +Daily Report - December 21, 2025 + +BELLA (14yo): + Usage: 2.1 GB + Top Apps: YouTube (1.2GB), Discord (400MB), TikTok (200MB) + Violations: 3 (attempted adult site, SafeSearch bypass, quota exceeded) + Time Online: 4.5 hours + +XANDER (15yo): + Usage: 3.4 GB + ... +``` + +## Home Assistant Integration + +### OPNsense has OFFICIAL integration: +```yaml +# Via HACS - auto-creates entities: +device_tracker.opnsense_bella_iphone # Presence +sensor.opnsense_bella_bandwidth # Usage +switch.opnsense_firewall_bella_block # Control +sensor.opnsense_bella_violations # Alerts + +# Plus Zenarmor API: +sensor.bella_youtube_time_today # Per-app usage +sensor.bella_policy_violations # Violation count +``` + +### OpenWRT requires manual SSH commands: +```yaml +shell_command: + block_device: "ssh root@router 'iptables...'" + +sensor: + - platform: command_line + command: "ssh root@router 'nlbwmon...'" +``` + +## Setup Timeline + +### OPNsense Path (1 week total): +**Day 1:** Order Protectli VP2420 +**Days 2-7:** Read docs, watch tutorials +**Day 8:** Install OPNsense (2 hours) +**Day 9:** Setup HA + Zenarmor (3 hours) +**Day 10:** Configure policies (4 hours) +**Days 11-14:** Test & optimize + +**Result:** Enterprise system for years! 
+ +### OpenWRT Path (2 weeks): +**Week 1:** Flash, setup, configure +**Week 2:** HA integration, testing + +**Result:** Better than stock, but limited. + +## Decision Factors + +### Choose OPNsense If: +- ✅ You want to know WHAT apps kids use +- ✅ You need different rules per child +- ✅ You want professional reports +- ✅ You have 3 kids with 22 devices +- ✅ You're willing to invest $400 +- ✅ You want it to "just work" + +### Choose OpenWRT If: +- ✅ $0 budget is critical +- ✅ Basic blocking is sufficient +- ✅ You enjoy tinkering +- ✅ You don't need app-level visibility + +## Final Verdict + +For a household with **3 children (14, 15, 17)** and **22 devices**, **OPNsense on dedicated hardware is the clear winner**. + +The $400 investment gives you: +- 🏆 Enterprise-grade parental controls +- 🔒 Professional network security +- 📊 Complete visibility +- 🚀 Room to grow +- 😌 Peace of mind + +**It's worth it.** + +## Next Steps + +1. **Order:** Protectli VP2420 from Protectli.com or Amazon +2. **Read:** Full OPNsense setup guide (see DOCS_INDEX.md) +3. **Install:** OPNsense (30 minutes) +4. **Configure:** Zenarmor policies (few hours) +5. **Enjoy:** Professional parental controls! + +--- + +**For complete technical details, see the full OPNSENSE_VS_OPENWRT_COMPARISON.md file (822 lines) in your outputs directory.** + +--- + +*This summary captures the key decision points. Your specific needs (3 kids, 22 devices, age-appropriate controls) make OPNsense the obvious choice.*
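
Review bot: The "Works even if they use VPNs or proxies!" bullet under "### 2. Application-Level Blocking" is an absolute claim that nothing else in the file supports, and the "DPI + DNS + TLS inspection" cell in the comparison table gives no prerequisites. Suggest qualifying the bullet by saying what the policy does with tunnelled traffic, and adding a short note on what TLS inspection requires on each of the 22 devices before it is listed as a feature. Two internal inconsistencies also need reconciling. "### OPNsense Path (1 week total)" lists steps through "Days 11-14", the same two weeks as the OpenWRT path, and "Install OPNsense (2 hours)" under Day 8 disagrees with "Install: OPNsense (30 minutes)" in Next Steps. In the Home Assistant section, the heading "OPNsense has OFFICIAL integration" is followed by "# Via HACS", which is the community store for custom integrations, so drop "OFFICIAL" or name the integration being referred to. Finally, the file commits the children's first names and ages alongside sample violation reports; consider placeholders such as "Child A (14yo)" if this repository is shared.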