# OPNsense vs OpenWRT: The Superior Choice

## 🎯 Bottom Line Recommendation

**Buy a Protectli VP2420 ($400-450) and run OPNsense with Zenarmor**

Your current hardware (Archer AX72 Pro) becomes a dedicated WiFi Access Point.

## Why OPNsense Wins for Your Household

### What You Get vs What You Can't Get

| Feature | OpenWRT on Archer | OPNsense + Dedicated HW |
|---------|-------------------|-------------------------|
| **Application Control** | ❌ Can't distinguish apps | ✅ Block TikTok, allow Khan Academy |
| **Traffic Visibility** | Basic bandwidth totals | **Full Deep Packet Inspection** |
| **Parental Controls** | All-or-nothing blocking | **Per-app time quotas & schedules** |
| **Reporting** | Manual log analysis | **Automated daily email reports** |
| **Content Filtering** | DNS only | **DPI + DNS + TLS inspection** |
| **Cost (5 years)** | $0 | $695 ($400 HW + $295 Zenarmor) |

## The Game-Changing Difference

### OpenWRT Says:

```
"Bella used 2GB today"
```

### OPNsense with Zenarmor Says:

```
Bella used 2GB today:
- 1.2GB YouTube (700MB educational, 500MB entertainment)
- 500MB TikTok (EXCEEDED QUOTA at 5:43 PM - BLOCKED)
- 200MB Discord
- 100MB Khan Academy

Peak usage: 3-5 PM

Violations:
- Attempted adult site at 4:32 PM (BLOCKED)
- Bypassed SafeSearch at 6:15 PM (BLOCKED)
- 3rd violation this week (parent alert sent)
```

**That's the difference!**

## Real-World Example: School Night Gaming

### Problem: "Bella is gaming too much during school hours"

#### OpenWRT Solution:

- Block ALL internet during school hours
- OR manually identify gaming server IPs and block those
- **Problem:** Can't distinguish homework from gaming
- **Result:** Blocks everything or nothing

#### OPNsense + Zenarmor Solution:

```yaml
Policy: Bella (14yo) - School Days

7 AM - 3 PM (School Hours):
  ✅ Allow: Educational sites (Khan Academy, school portal)
  ✅ Allow: Research (Wikipedia, Google for homework)
  ❌ Block: Gaming (Fortnite, Roblox, Minecraft, web games)
  ❌ Block: Social Media (TikTok, Instagram, Snapchat)
  ❌ Block: Streaming (YouTube, Netflix, Disney+)

3 PM - 9 PM (After School):
  ✅ Allow: YouTube Educational (2 hours max)
  ⏱️ Limit: Gaming (1 hour max)
  ⏱️ Limit: TikTok (30 minutes max)
  🔒 Force: SafeSearch on all searches

9 PM - 7 AM (Bedtime):
  ❌ Block: Everything except emergency sites

Always:
  ❌ Block: Adult content, Gambling, Violence
  📧 Alert: Parent on violations
  📊 Log: All blocked attempts
```

**OpenWRT CANNOT do this!**

## Recommended Hardware: Protectli VP2420

### Specs ($400-450):

- **CPU:** Intel Celeron J6412 (4 cores, 2.0 GHz)
- **RAM:** 8GB DDR4 (upgradeable to 32GB)
- **Storage:** 256GB M.2 SSD
- **Network:** 4x Intel 2.5GbE
- **Power:** 6-10W (silent, fanless)

### Performance:

- ✅ 1 Gbps with Zenarmor Deep Packet Inspection
- ✅ Runs Suricata IDS/IPS simultaneously
- ✅ Months of detailed logs
- ✅ Room for future features

### vs Archer AX72 Pro (for reference):

- CPU: 880 MHz MIPS ❌
- RAM: 512MB ❌
- Storage: 128MB flash ❌
- **Cannot run Zenarmor** ❌
- **Cannot do DPI** ❌

## Cost Justification

### 5-Year Total:

- **OPNsense:** $400 + ($59/year × 5) = **$695 total** ($11.58/month)
- **Commercial Service (Qustodio):** $138/year × 5 = **$690**
- **OpenWRT:** $0 (but basic features only)

**OPNsense gives you MORE than commercial services for the SAME price!**

Plus you get:

- Professional firewall
- Network security (IDS/IPS)
- Traffic analysis
- Router redundancy
- Future upgrade path

## What Zenarmor Gives You

### 1. Live Session Monitoring

See RIGHT NOW what each person is doing:

- "Bella is watching YouTube (Educational) - 2.5 Mbps"
- "Xander is on Discord voice chat - 500 Kbps"
- "William is downloading from Steam - 45 Mbps"

### 2. Application-Level Blocking

- "Block TikTok for Bella"
- "Block Fortnite during school hours"
- "Block all social media 9 PM - 7 AM"
- Works even if they use VPNs or proxies!

### 3. Time Quotas Per App

- "2 hours of YouTube per day"
- "1 hour of gaming per day"
- "30 minutes of TikTok per day"
- Automatic blocking when exceeded

### 4. Safe Search Enforcement

- Google: Forced Safe Search
- YouTube: Restricted Mode
- Bing: Strict filtering
- **Cannot be disabled by kids**

### 5. Category-Based Filtering

- Block: Adult Content, Gambling, Violence (always)
- Limit: Social Media (time-based)
- Limit: Streaming (bandwidth-based)
- Allow: Educational (always)

### 6. Professional Reporting

Automated daily email:

```
Daily Report - December 21, 2025

BELLA (14yo):
  Usage: 2.1 GB
  Top Apps: YouTube (1.2GB), Discord (400MB), TikTok (200MB)
  Violations: 3 (attempted adult site, SafeSearch bypass, quota exceeded)
  Time Online: 4.5 hours

XANDER (15yo):
  Usage: 3.4 GB
  ...
```

## Home Assistant Integration

### OPNsense has OFFICIAL integration:

```yaml
# Via HACS - auto-creates entities:
device_tracker.opnsense_bella_iphone    # Presence
sensor.opnsense_bella_bandwidth         # Usage
switch.opnsense_firewall_bella_block    # Control
sensor.opnsense_bella_violations        # Alerts

# Plus Zenarmor API:
sensor.bella_youtube_time_today         # Per-app usage
sensor.bella_policy_violations          # Violation count
```

### OpenWRT requires manual SSH commands:

```yaml
shell_command:
  block_device: "ssh root@router 'iptables...'"

sensor:
  - platform: command_line
    command: "ssh root@router 'nlbwmon...'"
```

## Setup Timeline

### OPNsense Path (1 week total):

- **Day 1:** Order Protectli VP2420
- **Days 2-7:** Read docs, watch tutorials
- **Day 8:** Install OPNsense (2 hours)
- **Day 9:** Setup HA + Zenarmor (3 hours)
- **Day 10:** Configure policies (4 hours)
- **Days 11-14:** Test & optimize

**Result:** Enterprise system for years!

### OpenWRT Path (2 weeks):

- **Week 1:** Flash, setup, configure
- **Week 2:** HA integration, testing

**Result:** Better than stock, but limited.

## Decision Factors

### Choose OPNsense If:

- ✅ You want to know WHAT apps kids use
- ✅ You need different rules per child
- ✅ You want professional reports
- ✅ You have 3 kids with 22 devices
- ✅ You're willing to invest $400
- ✅ You want it to "just work"

### Choose OpenWRT If:

- ✅ $0 budget is critical
- ✅ Basic blocking is sufficient
- ✅ You enjoy tinkering
- ✅ You don't need app-level visibility

## Final Verdict

For a household with **3 children (14, 15, 17)** and **22 devices**, **OPNsense on dedicated hardware is the clear winner**.

The $400 investment gives you:

- 🏆 Enterprise-grade parental controls
- 🔒 Professional network security
- 📊 Complete visibility
- 🚀 Room to grow
- 😌 Peace of mind

**It's worth it.**

## Next Steps

1. **Order:** Protectli VP2420 from Protectli.com or Amazon
2. **Read:** Full OPNsense setup guide (see DOCS_INDEX.md)
3. **Install:** OPNsense (30 minutes)
4. **Configure:** Zenarmor policies (few hours)
5. **Enjoy:** Professional parental controls!

---

**For complete technical details, see the full OPNSENSE_VS_OPENWRT_COMPARISON.md file (822 lines) in your outputs directory.**

---

*This summary captures the key decision points. Your specific needs (3 kids, 22 devices, age-appropriate controls) make OPNsense the obvious choice.*
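
The school-day policy for Bella shown earlier, modeled as a small decision function to make its evaluation order explicit (an added example, not Zenarmor's configuration format or engine). The category names, the default-deny rule for anything a window does not list, and the per-day usage counter are assumptions; weekday selection is omitted and the flow is assumed to be already classified.

```python
from datetime import time

# Constructed model of the page's "Bella - School Days" policy.
# Not Zenarmor's config format or API; category names are hypothetical.
ALWAYS_BLOCK = {"adult", "gambling", "violence"}

# Each window: (start, end, {category: daily quota in minutes, or None for no quota}).
# Assumption: a category that a window does not list is blocked (default deny).
WINDOWS = [
    (time(7), time(15), {"educational": None, "research": None}),
    (time(15), time(21), {"youtube_educational": 120, "gaming": 60, "tiktok": 30}),
    (time(21), time(7), {"emergency": None}),  # bedtime window wraps past midnight
]


def in_window(now, start, end):
    """True if now is in [start, end); supports windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def decide(category, now, used_minutes):
    """Return (verdict, reason) for one flow already classified into a category.

    used_minutes maps category -> minutes consumed so far today.
    """
    # "Always" rules are checked first so no time window can override them.
    if category in ALWAYS_BLOCK:
        return ("block", "always-blocked category")
    for start, end, rules in WINDOWS:
        if not in_window(now, start, end):
            continue
        if category not in rules:
            return ("block", "not allowed in this window")
        quota = rules[category]
        if quota is not None and used_minutes.get(category, 0) >= quota:
            return ("block", "daily quota exceeded")
        return ("allow", "within policy")
    # Fail closed if the windows ever stop covering the full day.
    return ("block", "no matching window")


if __name__ == "__main__":
    print(decide("tiktok", time(17, 43), {"tiktok": 30}))
    print(decide("emergency", time(2, 0), {}))
```

Every verdict depends on the category label handed to `decide`, so the policy is only as accurate as the traffic classification that runs before it.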