Boost OPNsense Firewall Security with Q-Feeds Threat Intelligence

By Sam Sheridan - 21st January, 2026

If you’re running OPNsense at home or in a small business, you can get a meaningful security upgrade by adding threat intelligence, the kind that helps your firewall recognise known-bad IPs and domains and block them early. In this guide, we’ll walk through using Q-Feeds (now with an official OPNsense integration) to harden your firewall in a practical, low-noise way.

A video walkthrough accompanies this guide and will be linked here once it is available. The full written steps and commands are provided below.

What you’ll do in this post

  • Install the Q-Feeds connector plugin in OPNsense

  • Add your API key and enable the feeds

  • Block outbound connections to known malicious infrastructure (LAN → Internet)

  • Optionally block inbound traffic from known malicious sources (WAN → you)

  • Verify hits in the firewall logs


Why Q-Feeds (and why threat intel in your firewall)?

A lot of people rely on massive, uncurated blocklists. The problem: they often include dead IPs, mis-categorised hosts, and threats that haven’t been relevant in years—creating noise, bloat, and sometimes unnecessary blocking.

Q-Feeds positions itself differently:

  • Fewer, higher-quality indicators of compromise (IOCs)

  • Cleaner data → fewer false positives

  • Focus on active, real-world threats

  • Aggregates intelligence from thousands of curated sources

  • Update frequency depends on subscription level (more on that below)

The benefit is simple: you get threat intel you can actually use in rules without drowning in junk.


Requirements before you start

To use Q-Feeds with OPNsense, you’ll need:

  • An OPNsense firewall with access to install plugins

  • A Q-Feeds account (free or paid subscription)

  • A Q-Feeds API key

Q-Feeds requires a subscription (free or paid). You’ll generate an API key in your Q-Feeds account and paste it into OPNsense.


Step 1: Install the Q-Feeds plugin in OPNsense

  1. In OPNsense, go to:
    System → Firmware → Plugins

  2. Search for: os-q-feeds

  3. Click Install

  4. If prompted that your installation is out of date, run:
    System → Firmware → Updates → “Check for updates”, then retry the plugin install.

  5. Refresh the UI if needed.

After installation, you should see the Q-Feeds menu under Security (wording may vary slightly by version), such as:
Security → Q-Feeds Connect


Step 2: Add your API key and enable the feed integration

  1. Go to: Security → Q-Feeds Connect

  2. Paste in your API key

  3. Select/enable the feed options you want

DNS blocklist integration (recommended if you run Unbound)

In the Q-Feeds settings you may see an option like:

  • Use domain feeds in Unbound DNS block list

Enable it if you’re using Unbound and want domain-based blocking at the DNS layer.

Then confirm your Unbound blocklist is enabled:

  1. Go to: Services → Unbound DNS → Blocklist

  2. Enable the blocklist feature

  3. Apply changes

This ensures domain feeds actually take effect through Unbound.


Step 3: Firewall rules — the practical way to use Q-Feeds

Q-Feeds integrates into OPNsense so you can reference its data in rules (typically via aliases created/updated by the plugin). The two most common—and most useful—approaches are:

Option A (Most common): Block outbound connections from your LAN

This prevents devices on your network from reaching known malicious infrastructure.

  1. Go to: Firewall → Rules → LAN

  2. Add a new rule at or near the top, above any broader allow rules, so it is evaluated before them:

    • Action: Block

    • Protocol: IPv4+IPv6 (or start with IPv4 if that’s your environment)

    • Source: LAN net (or “any” if you prefer)

    • Destination: the Q-Feeds alias/list (malicious IPs/domains provided by Q-Feeds)

    • Log: Enable logging (strongly recommended while validating)

  3. Save + Apply

What this does: If something inside your LAN tries to “call out” to known-bad IPs/domains, it gets blocked.


Option B (Optional): Block inbound traffic from known bad sources on WAN

This is especially useful if you expose services to the internet (VPN, web apps, mail, etc.).

  1. Go to: Firewall → Rules → WAN

  2. Add a new rule:

    • Action: Block

    • Protocol: IPv4+IPv6

    • Source: the Q-Feeds alias/list (malicious IPs)

    • Destination: WAN address (or specific exposed service targets)

    • Log: Enable

  3. Save + Apply

What this does: Stops traffic coming from known malicious infrastructure from reaching your WAN-facing services.


Step 4: Confirm it’s working (logs)

To validate blocks:

  • Go to Log Files → Live View (or Firewall logs depending on your UI)

  • Look for hits on your Q-Feeds block rules

If you’re behind CGNAT or don’t expose services publicly, you may see fewer (or zero) inbound hits on WAN rules—that’s normal.
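To go beyond eyeballing Live View, the sketch below tallies block hits per internal host from filter log entries, so you can see which LAN device keeps calling out. It is an added example, not code from Q-Feeds or OPNsense; the CSV field layout, the interface name `igb1`, the rule identifier and the sample lines are all assumptions or constructed values to check against your own firewall.

```python
from collections import Counter

# Assumed pf filterlog CSV layout (verify against your OPNsense version).
GENERAL = "rulenr,subrulenr,anchorname,rid,interface,reason,action,dir,ipversion".split(",")
IPV4 = GENERAL + "tos,ecn,ttl,id,offset,ipflags,protonum,protoname,length,src,dst".split(",")
IPV6 = GENERAL + "class,flow,hoplimit,protoname,protonum,length,src,dst".split(",")

def parse_filterlog(line):
    """Return a dict for one filterlog entry, or None if it cannot be parsed."""
    payload = line.rsplit("] ", 1)[-1].strip()  # drop a syslog prefix if present
    values = payload.split(",")
    if len(values) < len(GENERAL):
        return None
    names = {"4": IPV4, "6": IPV6}.get(values[GENERAL.index("ipversion")])
    if names is None or len(values) < len(names):
        return None
    rec = dict(zip(names, values))
    rest = values[len(names):]  # protocol-specific tail
    if rec["protoname"] in ("tcp", "udp") and len(rest) >= 2:
        rec["srcport"], rec["dstport"] = rest[0], rest[1]
    return rec

def hits_by_host(lines, rule_id, interface):
    """Count blocked packets per (source, destination, dest port) for one rule."""
    hits = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if (rec and rec["action"] == "block" and rec["rid"] == rule_id
                and rec["interface"] == interface):
            hits[(rec["src"], rec["dst"], rec.get("dstport", "-"))] += 1
    return hits

# Placeholder rule identifier; use the one shown for your Q-Feeds block rule.
QFEEDS_LAN_RULE = "00000000000000000000000000000001"
R = QFEEDS_LAN_RULE
# Constructed sample entries (documentation address ranges, not real indicators).
SAMPLE = [
    f"85,,,{R},igb1,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51514,443,0,S,1000,,64240,,mss",
    f'<134>1 2026-01-21T10:00:01+00:00 fw filterlog 1 - [meta sequenceId="2"] '
    f"85,,,{R},igb1,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51515,443,0,S,1001,,64240,,mss",
    f"85,,,{R},igb1,match,block,in,4,0x0,,64,4321,0,none,17,udp,72,192.168.1.77,198.51.100.7,40000,53,52",
    "90,,,ffffffffffffffffffffffffffffffff,igb1,match,pass,in,4,0x0,,64,1111,0,DF,6,tcp,60,192.168.1.50,192.0.2.20,51600,443,0,S,1002,,64240,,mss",
    f"85,,,{R},igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:1::50,2001:db8:ffff::1,51700,443,0,S,1003,,64800,,mss",
]

if __name__ == "__main__":
    for (src, dst, port), n in hits_by_host(SAMPLE, R, "igb1").most_common():
        print(f"{n:>4}  {src} -> {dst}:{port}")
```

A host that appears repeatedly in this tally is the one to investigate first, whether it turns out to be an infection or a false positive in the feed.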


Subscription levels (as discussed in the video)

Pricing and update frequency were described like this:

  • Free: data delayed by 7 days

  • Q-Feeds Plus: delayed by 4 hours

  • Q-Feeds Premium: updates as often as every 20 minutes

  • Example annual pricing mentioned: €99 and €249 (yearly)

Always double-check current pricing on Q-Feeds, but the key takeaway is: update freshness improves as you move up tiers.


Recommended rollout (to avoid surprises)

If you want this to be smooth and low-risk:

  1. Start with LAN outbound blocking first (highest value for most networks)

  2. Enable logging, watch for hits and false positives

  3. If you host services, add WAN inbound blocking

  4. Keep rules specific and avoid stacking huge unrelated lists—Q-Feeds works best as a curated signal


Wrap-up: A fast security win for OPNsense

With the official Q-Feeds plugin, you can add curated threat intelligence to OPNsense in minutes:

  • Install the plugin

  • Add your API key

  • Enable Unbound DNS blocking (optional but powerful)

  • Add simple LAN/WAN rules referencing Q-Feeds indicators

  • Verify in logs
