Firewall

Network security begins at the perimeter but ends only with the last service in the system.
I plan and operate firewall and VPN structures that reliably separate internal and external systems while still enabling secure access.

To do this, I rely on open, traceable technologies such as OPNsense, WireGuard, and Ansible-managed rule sets—customizable, documented, and maintainable over the long term.

Firefighter dragon Comeli in front of a firewall wall – symbol of network security.

Architecture & Segmentation

I design network architectures that integrate security and transparency right from the start.

The goal is to clearly separate zones and services without unnecessarily complicating operations.

  • DMZ, management, and internal network separation
  • VLAN design and routing rules (L3 segmentation)
  • NAT, port forwarding, and load balancing
  • Integration of physical and virtual firewall components

Firewall platforms & technologies

I prefer to work with OPNsense—a FreeBSD-based, open-source firewall solution—as well as Linux-based components for specific scenarios.

This creates a transparent, modular security architecture with modern features.

  • OPNsense with IDS/IPS (Suricata) and geo-blocking
  • WireGuard for site-to-site and remote VPNs
  • Failover cluster with CARP and synchronized rule sets
  • OpenVPN or IPsec for legacy environments
  • Automated rule management with Ansible

Site networking & VPN

I connect distributed sites, servers, or data centers securely and efficiently using open-source VPN technologies.

I focus on simple administration, modern cryptography, and reproducible configuration.

  • WireGuard for high-performance, encrypted tunnel connections
  • OPNsense gateway redundancy (CARP + policy routing)
  • Dynamic DNS & multi-WAN failover
  • Integration into centralized authentication (LDAP/Kerberos)

You can find specific training courses and current topics in the Comelio GmbH training catalog.
Available in-house at your company, as a webinar, or as an open training course—designed to meet different requirements.

Frequently asked questions about Firewall

In this FAQ, you will find the topics that come up most frequently in consultations and training sessions. Each answer is kept brief and refers to further content where necessary. Can’t find your question? Feel free to contact me.

Comeli dragon leans against a ‘FAQ’ sign and answers questions about Firewall.

WireGuard: lean, fast, ideal for site-to-site and remote access with low overhead. IPsec: standards-compliant, good for heterogeneous environments (cloud/hardware gateways). OpenVPN: proven for legacy and client ecosystems. The decision depends on the remote sites involved, performance and MTU requirements, and operating costs.
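As an added example (not code from the original page, and not from the WireGuard or OPNsense projects), the following generator builds the configuration for the WireGuard site-to-site case mentioned above and in the "Site networking & VPN" list: one hub and several branch spokes. The topology (site names, `example.com` endpoint, 10.200.0.0/24 tunnel subnet, LAN ranges) is constructed, and the key values are `<PLACEHOLDER>` strings to be replaced with the output of `wg genkey` / `wg pubkey`. The security-relevant detail it demonstrates is that `AllowedIPs` is WireGuard's cryptokey routing table: a peer may only send from the prefixes listed for it, so each spoke gets exactly its own /32 and its own LAN, and overlapping LANs are rejected before any config is emitted.

```python
"""Generate WireGuard hub-and-spoke (site-to-site) configurations.

Added example, not part of the original page and not code from the
WireGuard or OPNsense projects. Assumptions: each site is a small dict
(constructed sample topology below); key values are "<PLACEHOLDER>"
strings to be replaced with the output of `wg genkey` / `wg pubkey`.
"""
import ipaddress

WG_PORT = 51820
MTU = 1420  # 1500 minus WireGuard's worst-case (IPv6 underlay) overhead of 80 bytes

# Constructed sample topology: one hub, two branch spokes (not real sites).
HUB = {
    "name": "hq", "endpoint": "hq-vpn.example.com", "tunnel_ip": "10.200.0.1/24",
    "lans": ["192.168.10.0/24"],
    "private_key": "<HQ_PRIVATE_KEY>", "public_key": "<HQ_PUBLIC_KEY>",
}
SPOKES = [
    {"name": "branch-1", "tunnel_ip": "10.200.0.2/24", "lans": ["192.168.20.0/24"],
     "private_key": "<B1_PRIVATE_KEY>", "public_key": "<B1_PUBLIC_KEY>", "behind_nat": True},
    {"name": "branch-2", "tunnel_ip": "10.200.0.3/24", "lans": ["192.168.30.0/24"],
     "private_key": "<B2_PRIVATE_KEY>", "public_key": "<B2_PUBLIC_KEY>", "behind_nat": False},
]


def _host(tunnel_ip):
    """'10.200.0.2/24' -> '10.200.0.2/32': a peer may only source its own tunnel address."""
    return f"{ipaddress.ip_interface(tunnel_ip).ip}/32"


def _tunnel_net(tunnel_ip):
    return str(ipaddress.ip_interface(tunnel_ip).network)


def validate(hub, spokes):
    """AllowedIPs double as WireGuard's cryptokey routing table: each prefix may belong
    to exactly one peer, and a peer may only send packets from those prefixes.
    Overlapping LANs between sites would make that routing ambiguous, so reject them."""
    seen = []
    for site in (hub, *spokes):
        for lan in site["lans"]:
            net = ipaddress.ip_network(lan)
            for owner, other in seen:
                if net.overlaps(other):
                    raise ValueError(f"{site['name']} LAN {net} overlaps {owner} LAN {other}")
            seen.append((site["name"], net))


def _peer(name, public_key, allowed, endpoint=None, keepalive=False):
    lines = ["[Peer]", f"# {name}", f"PublicKey = {public_key}",
             f"AllowedIPs = {', '.join(allowed)}"]
    if endpoint:
        lines.append(f"Endpoint = {endpoint}:{WG_PORT}")
    if keepalive:  # only the NAT'd side needs to keep the mapping alive
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines)


def hub_config(hub, spokes):
    """Hub listens on a fixed port; it needs no Endpoint for its spokes because it
    learns their current address from the first handshake (roaming)."""
    validate(hub, spokes)
    iface = "\n".join(["[Interface]", f"# {hub['name']} (hub)", f"Address = {hub['tunnel_ip']}",
                       f"ListenPort = {WG_PORT}", f"PrivateKey = {hub['private_key']}",
                       f"MTU = {MTU}"])
    peers = [_peer(s["name"], s["public_key"], [_host(s["tunnel_ip"]), *s["lans"]])
             for s in spokes]
    return iface + "\n\n" + "\n\n".join(peers) + "\n"


def spoke_config(hub, spokes, spoke):
    """A spoke has one peer (the hub). Its AllowedIPs cover the tunnel subnet, the hub LAN
    and every other spoke's LAN, so spoke-to-spoke traffic is routed through the hub."""
    validate(hub, spokes)
    iface = ["[Interface]", f"# {spoke['name']} (spoke)", f"Address = {spoke['tunnel_ip']}",
             f"PrivateKey = {spoke['private_key']}", f"MTU = {MTU}"]
    if not spoke["behind_nat"]:
        iface.insert(3, f"ListenPort = {WG_PORT}")
    remote_lans = [lan for s in spokes if s is not spoke for lan in s["lans"]]
    allowed = [_tunnel_net(hub["tunnel_ip"]), *hub["lans"], *remote_lans]
    peer = _peer(hub["name"], hub["public_key"], allowed,
                 endpoint=hub["endpoint"], keepalive=spoke["behind_nat"])
    return "\n".join(iface) + "\n\n" + peer + "\n"


if __name__ == "__main__":
    print(hub_config(HUB, SPOKES))
    for s in SPOKES:
        print(spoke_config(HUB, SPOKES, s))
```

Each generated file is a plain `wg-quick`-style configuration; on OPNsense the same values map onto the WireGuard instance and peer settings. The MTU of 1420 is the conservative default that survives an IPv6 underlay; a pure IPv4 path could use 1440, which is the kind of performance/MTU decision the answer above refers to.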

OPNsense cluster with CARP (virtual IPs), pfsync for state sync, and policy routing per WAN. Clearly define health checks, sticky connections, and outbound NAT; test failover/failback with runbooks to prevent sessions (VPN/HTTP) from breaking.

Start as IDS (alert-only), curate feeds, define reputation/geo lists and bypass networks, then gradually add IPS inline (drop). Forward EVE JSON events to a SIEM (e.g., Loki/Elastic) for correlation, keep rules under version control, and schedule regular tuning sprints.
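The alert-only phase described above produces the data for deciding which signatures are safe to switch to drop. As an added example (not code from the original page, nor from the Suricata or OPNsense projects), the script below reads Suricata's EVE JSON line format, skips non-alert and malformed records, summarizes hits per signature, and sorts signatures into three buckets: drop candidates (severe, repeated, never sourced from a bypass network), tuning candidates (noise that only ever fires from bypass hosts), and watch (not enough evidence yet). The sample EVE lines, the signature IDs in the local-rule range, the signature names, and the bypass network are all constructed; the field names are Suricata's standard alert fields.

```python
"""Triage Suricata EVE JSON alerts collected during the IDS (alert-only) phase.

Added example, not part of the original page and not code from the
Suricata or OPNsense projects. Assumptions: EVE is one JSON object per
line; alert records carry event_type, src_ip, dest_ip and an "alert"
object with signature_id, signature, severity and action. The sample
lines, signature IDs/names and the bypass network are constructed.
"""
import ipaddress
import json

# Constructed EVE sample (not real traffic). Severity 1 is the most severe.
# Includes one non-alert event and one malformed line to show they are skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.20","alert":{"signature_id":9000001,"signature":"CONSTRUCTED webapp exploit attempt","severity":1,"action":"allowed"}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.50.5","dest_ip":"192.0.2.20","alert":{"signature_id":9000002,"signature":"CONSTRUCTED scripted HTTP client","severity":3,"action":"allowed"}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.50.5","dest_ip":"192.0.2.20"}
this line is not JSON
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.21","alert":{"signature_id":9000001,"signature":"CONSTRUCTED webapp exploit attempt","severity":1,"action":"allowed"}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.50.7","dest_ip":"192.0.2.20","alert":{"signature_id":9000002,"signature":"CONSTRUCTED scripted HTTP client","severity":3,"action":"allowed"}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.50.8","dest_ip":"192.0.2.22","alert":{"signature_id":9000002,"signature":"CONSTRUCTED scripted HTTP client","severity":3,"action":"allowed"}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.0.2.20","alert":{"signature_id":9000003,"signature":"CONSTRUCTED database port probe","severity":2,"action":"allowed"}}
"""

# Bypass networks (constructed): monitoring/backup hosts that must never be dropped
# inline. Alerts sourced from them are tuning candidates, not drop candidates.
BYPASS_NETWORKS = [ipaddress.ip_network("10.0.50.0/24")]


def in_bypass(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BYPASS_NETWORKS)


def parse_alerts(text):
    """Yield alert records; skip other event types and malformed lines instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            yield rec


def summarize(alerts):
    """Per signature ID: hit count, distinct sources, severity, hits from bypass networks."""
    summary = {}
    for rec in alerts:
        a = rec["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a["signature"], "severity": a["severity"],
            "hits": 0, "sources": set(), "bypass_hits": 0})
        entry["hits"] += 1
        entry["sources"].add(rec["src_ip"])
        if in_bypass(rec["src_ip"]):
            entry["bypass_hits"] += 1
    return summary


def classify(summary, min_hits=2, drop_max_severity=1):
    """drop: severe, repeated, and never sourced from a bypass network.
    tune: fired only from bypass hosts, so it needs a suppress/threshold, not a drop.
    watch: everything else stays alert-only until more evidence accumulates."""
    buckets = {"drop": [], "tune": [], "watch": []}
    for sid, e in sorted(summary.items()):
        if e["bypass_hits"] == e["hits"]:
            buckets["tune"].append(sid)
        elif e["severity"] <= drop_max_severity and e["hits"] >= min_hits:
            buckets["drop"].append(sid)
        else:
            buckets["watch"].append(sid)
    return buckets


def triage(text):
    return classify(summarize(parse_alerts(text)))


if __name__ == "__main__":
    for bucket, sids in triage(SAMPLE_EVE).items():
        print(bucket, sids)
```

The thresholds (`min_hits`, `drop_max_severity`) are the knobs for each tuning sprint; the point of the bucket split is that a drop decision is only ever taken on signatures that never touched a bypass network, which is exactly what keeps inline mode from breaking monitoring or backup traffic.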