One of the cornerstones of any home lab is a capable firewall: it's where you learn the ins and outs of traffic control, packet inspection, and the other building blocks of network security. There are plenty of options, but pfSense and its fork OPNsense come up most often, partly because they're free to use and partly because there is a wealth of documentation to guide you through initial setup and any complex scenarios you might want to build.

Plus, you can spin up a custom firewall in no time on any old PC hardware you have sitting around, making it an affordable way to learn advanced networking skills. With the sheer number of options and configurations afforded by custom firewall software, it can be tricky to know where to start. Whatever else you plan to use your firewall for, setting up the following first will give you a solid foundation to build on.

6 Ensure restricted admin access

You don't need access from outside your network; that's what VPNs are for

Once you've changed the default password to something long and unique, and preferably created a separate admin account so the well-known admin username isn't the one you log in with, the next step is two-factor authentication (2FA). OPNsense has TOTP built in as an authentication server type, and pfSense supports it through the FreeRADIUS package. That's the bare minimum for restricting admin access to your firewall; there are a few more things to set up for tighter control.

Country blocking is a reasonable start because a large share of opportunistic scanning and brute-force traffic originates from a small set of countries. It isn't a security boundary: anyone determined will come through a VPN or a rented server in a country you allow, so treat geo-blocking as a way to cut log noise and raise the attacker's cost, not as protection on its own. It also matters mostly for services you actually expose, since the default WAN policy on pfSense and OPNsense already drops unsolicited inbound traffic. On pfSense, the free and open-source pfBlockerNG package handles GeoIP blocking and adds DNS-based blocklists for advertising and malicious domains. OPNsense doesn't run pfBlockerNG, but it has GeoIP aliases built in (fed from the MaxMind GeoLite2 database, which needs a free license key) and blocklists through the Unbound DNS service.

The last admin restriction is SSH. Neither pfSense nor OPNsense exposes SSH (or the web UI) on the WAN by default; the default WAN ruleset drops unsolicited inbound traffic, and that is how it should stay. Never add a WAN rule that passes traffic to the firewall's own management ports, and if you don't use SSH day to day, disable the service entirely (pfSense: System > Advanced > Admin Access; OPNsense: System > Settings > Administration). Changing the port number only slows a scanner down for a moment. If you want to keep SSH for learning or for recovery, set it to key-based authentication only and disable password logins so brute forcing is a non-issue. For admin access from outside, connect through a properly configured VPN, WireGuard being the usual choice on both platforms, so your admin device behaves as if it were on the home lab network.

πŸ‘ WireGuard close-up shot
4 reasons you need to use WireGuard instead of OpenVPN for connecting to your home lab remotely

If you have a home lab and want to connect to it remotely, WireGuard is much better than OpenVPN.

5 Restrict internal network access

Only trusted computers should be able to log in to the firewall

Not every machine on your home lab network needs to reach the firewall's management interface. Ideally you'd have a single device authorized to connect, allowed by a firewall rule that matches its IP address and the management ports only, with its IP pinned to its MAC address through a static DHCP lease so the rule keeps matching. You still need admin credentials and 2FA to log in to the web UI. You could even keep this device powered off unless it's needed to configure the firewall, and it's better not to give it WAN access, to limit its exposure.

That's not always possible or practical, especially in a home lab with limited resources. But limiting the number of computers that can reach the firewall's admin pages is good security practice, and for a home lab an IP-based allow rule on the management interface is usually enough. Just remember that a MAC address is trivially spoofed and is only visible to the firewall on a directly attached segment, so MAC restrictions are a convenience for keeping addresses stable, not a control to rely on.

While you're limiting the IPs, computers, and users that can log in to the firewall to make changes, it's also a good plan to enable notifications for changes. Both platforms can send them by email, and pfSense can also post to Pushover, Telegram, and Slack. Beyond operational reminders such as expiring certificates, notifications are an important part of hardening the firewall.

Notifications give you a record of planned changes, which is handy when something goes wrong after one of them. More importantly, they surface unauthorized changes as they happen, so an intrusion that touches the firewall can be dealt with while it's still in progress rather than discovered weeks later. Once these configurations move to a production environment, the same audit trail helps with the reporting and breach-notification obligations that come with security incidents.
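One way to get the same change record without trusting only the firewall's own alerting, as an added example that is not part of pfSense or OPNsense: pull the config.xml backup on a schedule, diff it against the last known-good copy, and alert on anything that touches users or rules. The two snapshots below are constructed for the example, and the script assumes only an XML document shaped like config.xml; the alert prefixes are an assumed policy, not a platform setting.

```python
"""Diff two pfSense/OPNsense-style config.xml snapshots and report what changed.

Added example, not code shipped with pfSense or OPNsense. It assumes only that a
backup is an XML document shaped like config.xml; repeated children (users, rules)
are told apart by position. Run it from cron against the last known-good backup.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed snapshots, not from a real firewall. The second adds a user and
# widens a management rule from one admin host to any source.
BEFORE = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <user><name>labadmin</name><scope>user</scope><priv>page-all</priv></user>
  </system>
  <filter>
    <rule><type>pass</type><interface>mgmt</interface>
      <source><address>10.10.10.5</address></source>
      <destination><network>mgmtip</network><port>443</port></destination></rule>
  </filter>
</pfsense>"""

AFTER = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <user><name>labadmin</name><scope>user</scope><priv>page-all</priv></user>
    <user><name>backdoor</name><scope>user</scope><priv>page-all</priv></user>
  </system>
  <filter>
    <rule><type>pass</type><interface>mgmt</interface>
      <source><any/></source>
      <destination><network>mgmtip</network><port>443</port></destination></rule>
  </filter>
</pfsense>"""

# Paths whose changes should page you rather than just be logged (assumed policy).
ALERT_PREFIXES = ("/pfsense/system[1]/user", "/pfsense/filter[1]/rule")


def flatten(xml_text):
    """Map every leaf to a positional path, e.g. '/pfsense/system[1]/user[2]/name[1]'."""
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(el, path):
        children = list(el)
        if not children:
            leaves[path] = (el.text or "").strip()  # an empty tag such as <any/> becomes ''
            return
        seen = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    walk(root, f"/{root.tag}")
    return leaves


def diff_config(old_xml, new_xml):
    """Return sorted (kind, path, old_value, new_value) tuples."""
    old, new = flatten(old_xml), flatten(new_xml)
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("added", path, None, new[path]))
        elif path not in new:
            changes.append(("removed", path, old[path], None))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes


def severity(change):
    """'ALERT' for user or rule changes, 'info' for everything else."""
    return "ALERT" if change[1].startswith(ALERT_PREFIXES) else "info"


def fingerprint(xml_text):
    """Stable hash of the flattened config; equal hashes mean nothing to report."""
    h = hashlib.sha256()
    for path, value in sorted(flatten(xml_text).items()):
        h.update(f"{path}={value}\n".encode())
    return h.hexdigest()


if __name__ == "__main__":
    if fingerprint(BEFORE) == fingerprint(AFTER):
        print("no change")
    for change in diff_config(BEFORE, AFTER):
        kind, path, old, new = change
        print(f"[{severity(change)}] {kind:7} {path}: {old!r} -> {new!r}")
```

Comparing the fingerprint first keeps the cron job cheap on quiet days; the positional paths mean a rule that moves in the list shows up as a change, which is what you want, since rule order is part of the policy.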

4 Stay on top of updates

Your home lab doesn't need unnecessary bugs as features

Keeping any electronic device updated is important for security, and doubly so for the device that's supposed to protect the others. Whether you're running pfSense or OPNsense, the developers periodically issue updates to fix bugs and critical vulnerabilities. It's worth remembering that, unlike consumer routers, neither firewall will update without an admin's confirmation: logging in to the dashboard triggers a check against the update servers, but it still takes a manual click to start the upgrade. We don't advise a cron job to automate this; if anything goes wrong, your firewall, and with it your internet access, is down until you notice. Take a configuration backup (or a VM snapshot if the firewall is virtualized) before you click.

But it's not just the operating system you need to keep up to date. Installed packages have their own update cadence, so check System > Package Manager on pfSense or System > Firmware > Plugins on OPNsense every so often. You can use the web UI for either task, or the console if you prefer. Before committing, read the release notes and review the list of packages the update check says it will touch; that small step can be the difference between a smooth upgrade and your home lab going out of commission.

3 Back up your config

Starting from scratch is never a good plan

Accidents happen, and in the home lab you can't just paint over them as happy little trees, like Bob Ross taught us. Whether it's a bad configuration change, a hardware failure, or a natural disaster, your home lab firewall will eventually run into trouble. Without preparation that means starting from scratch, but if you've been tracking system changes, keeping documentation, and periodically backing up your pfSense or OPNsense installation, recovery won't be too painful.

The backup can be the full configuration in XML form, or a single configuration area exported on its own, which makes a targeted restore quicker. Backups can include or exclude installed packages and their data, depending on whether you want full recovery or an easy way to troubleshoot a misbehaving package, and there are options to include SSH host keys and extra data such as DHCP leases, and to encrypt the backup with a password. Take the encryption option seriously and store backups off the firewall: config.xml contains password hashes, VPN pre-shared keys, and the private keys of every certificate the firewall holds, so a leaked backup is as bad as a compromised firewall.

πŸ‘ A Proxmox home lab setup
5 things you should back up in your home lab

You're going to break things, here's how you get back on track.

2 Use a dedicated management VLAN

Plus use the console port for management wherever possible

One of the first things you should set up in your home lab network is a dedicated VLAN for management devices, with explicit firewall rules that allow it to reach the admin interfaces and nothing else. The default anti-lockout rule on pfSense and OPNsense only protects access from the LAN interface, so give the management VLAN its own allow rule before you remove management access from LAN. This VLAN will only connect to the admin pages of your firewall and other networking gear and will not contain any other devices. It's a vital part of disaster recovery, as it ensures you can log in to the relevant management pages regardless of the state the rest of your network is in.

But if you have a hardware firewall running pfSense or OPNsense, you probably also have a serial console port (or a keyboard and monitor on a repurposed PC). That can be invaluable when recovering from a failed configuration change or update, as the web UI may be unreachable; the console menu lets you reassign interfaces, set an interface IP, reset the web UI password, or restore a recent configuration without doing a full restore.

πŸ‘ A Lenovo Z51-70 placed next to a server PC
5 essential firewall rules every home lab should have

Before you start playing with services and tools, here's what you should set up first.

1 Shorter rulesets are better

Fewer rules to debug and organize make for a friendlier home lab firewall

It's tempting to pile on firewall rules when learning, tweaking things to specific situations or hardware configurations. But the downside to that specificity is that it makes troubleshooting more difficult. Having a shorter ruleset is far more manageable, easier to optimize, and less prone to errors. A default deny strategy helps you keep things shorter, by permitting only the bare minimum of required traffic for your home lab.

While you're pruning your firewall rules, remember that pfSense and OPNsense evaluate the rules on an interface top to bottom and the first match wins, so pay careful attention to the four types of rules you don't want:

  • Redundant rules
  • Outdated rules
  • Conflicting rules
  • Out-of-order rules

Sometimes a longer ruleset is unavoidable, but you can reduce the complexity by grouping similar rules (separators in pfSense, categories in OPNsense) and by using aliases for hosts, networks, and ports, which narrows the area to investigate if things go wrong.
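As an added example (not pfSense or OPNsense code), the script below reads the rules from a pfSense-style config.xml backup and flags the ones a first-match engine makes dead: exact duplicates and shadowed rules with the same action (redundant), and shadowed rules with the opposite action (conflicting, which is the same thing as out of order). The XML layout is simplified, and the interface names, addresses and descriptions are constructed for the example; outdated rules aren't flagged because nothing in a rule says it is no longer needed.

```python
"""Lint a pfSense-style ruleset for redundant, conflicting and out-of-order rules.

Added example, not code from pfSense or OPNsense. It assumes a simplified config.xml
layout: <filter><rule>...</rule></filter>, each rule with <type>, <interface>,
<protocol>, and <source>/<destination> holding <any/>, <network> or <address> plus
an optional <port>. Rules on an interface are evaluated top to bottom, first match wins.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ruleset, not from a real firewall.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Allow all LAN out</descr></rule>
  <rule><type>block</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source>
    <destination><address>10.10.10.0/24</address><port>443</port></destination>
    <descr>Block LAN to management VLAN web UI</descr></rule>
  <rule><type>pass</type><interface>mgmt</interface><protocol>tcp</protocol>
    <source><address>10.10.10.5</address></source>
    <destination><network>mgmtip</network><port>443</port></destination>
    <descr>Admin workstation to firewall UI</descr></rule>
  <rule><type>pass</type><interface>mgmt</interface><protocol>tcp</protocol>
    <source><address>10.10.10.5</address></source>
    <destination><network>mgmtip</network><port>443</port></destination>
    <descr>Admin workstation to firewall UI (forgotten copy)</descr></rule>
  <rule><type>pass</type><interface>mgmt</interface><protocol>tcp</protocol>
    <source><address>10.10.10.0/24</address></source>
    <destination><network>mgmtip</network><port>443</port></destination>
    <descr>Whole management VLAN to firewall UI</descr></rule>
</filter></pfsense>"""


def _endpoint(el):
    """(host, port) for a <source>/<destination> element; 'any' is the wildcard."""
    if el is None or el.find("any") is not None:
        host = "any"
    else:
        node = el.find("network") if el.find("network") is not None else el.find("address")
        host = (node.text or "any").strip() if node is not None else "any"
    port = el.findtext("port", "any") if el is not None else "any"
    return host, (port or "any").strip()


def parse_rules(xml_text):
    """Flatten each <rule> into a dict; missing <protocol> means any, as in pfSense."""
    rules = []
    for i, r in enumerate(ET.fromstring(xml_text).iter("rule")):
        src, dst = _endpoint(r.find("source")), _endpoint(r.find("destination"))
        rules.append({
            "index": i, "action": r.findtext("type", "pass"),
            "interface": r.findtext("interface", ""), "protocol": r.findtext("protocol", "any"),
            "src": src[0], "src_port": src[1], "dst": dst[0], "dst_port": dst[1],
            "descr": r.findtext("descr", ""),
        })
    return rules


def _host_covers(a, b):
    """a matches every host b matches: wildcard, identical alias, or CIDR containment."""
    if a == "any" or a == b:
        return True
    try:
        return ipaddress.ip_network(a, strict=False).supernet_of(ipaddress.ip_network(b, strict=False))
    except (ValueError, TypeError):
        return False  # aliases and interface names only match themselves


def _port_range(p):
    if p == "any":
        return 0, 65535
    lo, _, hi = p.partition("-")  # '443' or '8000-8100'
    return int(lo), int(hi or lo)


def _port_covers(a, b):
    alo, ahi = _port_range(a)
    blo, bhi = _port_range(b)
    return alo <= blo and bhi <= ahi


def _covers(a, b):
    """True if rule a would match every packet rule b would match."""
    proto_ok = a["protocol"] in ("any", b["protocol"]) or (
        a["protocol"] == "tcp/udp" and b["protocol"] in ("tcp", "udp"))
    return (a["interface"] == b["interface"] and proto_ok
            and _host_covers(a["src"], b["src"]) and _port_covers(a["src_port"], b["src_port"])
            and _host_covers(a["dst"], b["dst"]) and _port_covers(a["dst_port"], b["dst_port"]))


def lint_rules(rules):
    """(kind, shadowing_index, dead_index) for each rule an earlier rule makes unreachable.

    Same action: redundant. Opposite action: conflicting, i.e. the later, more specific
    rule is out of order and never fires. Outdated rules need a human and aren't flagged.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "conflicting/out-of-order"
                findings.append((kind, earlier["index"], later["index"]))
                break  # one shadowing rule is enough to make 'later' dead
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for kind, shadow, dead in lint_rules(rules):
        print(f"{kind}: rule {dead} '{rules[dead]['descr']}' never fires, "
              f"shadowed by rule {shadow} '{rules[shadow]['descr']}'")
```

On the sample, the broad "Allow all LAN out" rule sits above the block for the management subnet, so the block is dead until the two swap places, and the two identical admin-workstation rules are flagged as redundant. The last rule, which is broader than the one above it, is correctly left alone: a narrow rule above a wide one is fine, a wide rule above a narrow one is the problem.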

Whether you choose pfSense, OPNsense, or another custom firewall software package, the current best practices are the same

While hardware firewalls and the software you use to build them differ in their advanced feature sets, the core setup and best practices apply across the board. That's even more true for pfSense and OPNsense: OPNsense was forked from pfSense in 2014, both run on FreeBSD with the pf packet filter, and most guides translate easily between them. Best practices in cybersecurity keep evolving with the technology and the threat landscape, but these tips come from current home lab enthusiasts and security professionals and cover setup steps that are unlikely to change much as time goes on.