Building your own pfSense router is one of the best upgrades you can make to your home networking setup. It opens up a world of power and customization that's normally locked away in expensive, off-the-shelf routers. But getting pfSense up and running can be a daunting task, and there's lots to learn as you go. Some quick research beforehand, as well as a basic understanding of what your router does and how it works, can help you avoid sinking time and frustration into any of the common pitfalls.

We'll be focusing on pfSense here, but this advice is generally applicable whether you're using OPNsense, OpenWRT, or another platform. So here, in no particular order, are five mistakes to avoid when building your first custom router.

5 Not using a CPU with AES-NI support

This one is important, especially if you're planning on using an older CPU for your pfSense router. AES-NI (Intel Advanced Encryption Standard New Instructions) is a set of dedicated CPU instructions that dramatically speeds up AES encryption and decryption by running the cipher's rounds in hardware instead of in general-purpose software code. This is especially important if you're running a VPN with multiple users, with anywhere from a 2-3 to 10x increase in encryption performance depending on your use case. This allows you to reduce your CPU load, in turn reducing energy usage and allowing your router to handle higher bandwidth connections. There are also potentially some security benefits here (though they're slight): because the cipher no longer relies on software lookup tables, AES-NI helps mitigate the risk of cache-timing side-channel attacks against software AES implementations, and it makes running the stronger AES modes practical without a performance penalty.

4 Using double NAT

This is a classic mistake. NAT (Network Address Translation) lets your router share a single external IP address among many internal devices, which use addresses in a private IP space (for example, addresses like 192.168.0.1). This technology allows multiple devices on your network to connect externally through a single IP, helping with the problem of IPv4 exhaustion. Now you might be tempted to set up pfSense inside your existing home network, whether just to experiment, try it out, or just to get started. But here be dragons. By setting up pfSense inside your network, you're likely configuring its upstream WAN as your own existing router, and creating a second NAT behind it, leaving you with two stacked implementations of NAT on your network.

This can cause problems, and while it might work in some cases, some services might be sporadically broken - especially applications that require inbound connections like VPNs, games, or remote access services. It is possible to run a network like this, but you'll be adding latency, making troubleshooting difficult, and potentially breaking some services (including things that run on UPnP).

To avoid doing this, you can try configuring your ISP router in 'bridge' mode if it's supported. This allows your ISP router to act as a modem only, disabling its routing/NAT capabilities and leaving them up to your pfSense router. Alternatively, if you've got a separate modem, connect your pfSense box directly to the modem.
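A quick way to confirm whether you are behind a second NAT is to compare the WAN address and gateway shown on the pfSense dashboard with the address the internet sees for you. The check below is an added example, not code from pfSense or from this article; the three inputs are values you read off the dashboard and a "what is my IP" lookup, and the sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges: a WAN address in one of these means another router
# upstream is already translating addresses (the double-NAT case).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def address_kind(addr: str) -> str:
    """Classify an IPv4 address as rfc1918, cgnat, public or other."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "other"
    return "public"


def diagnose_wan(wan_addr: str, wan_gateway: str, seen_from_internet: str) -> dict:
    """Decide how many layers of NAT sit in front of pfSense and what to do about it.
    wan_addr / wan_gateway come from the pfSense dashboard; seen_from_internet is
    the address reported by an external 'what is my IP' service."""
    kind = address_kind(wan_addr)
    result = {"wan_kind": kind, "double_nat": False, "carrier_nat": False, "advice": ""}
    if kind == "rfc1918":
        # pfSense's WAN sits on someone else's LAN: the ISP router is a second NAT.
        result["double_nat"] = True
        result["advice"] = (f"WAN {wan_addr} is private; gateway {wan_gateway} is another router "
                            "doing NAT. Put the ISP device in bridge mode or connect to the modem.")
    elif kind == "cgnat" or wan_addr != seen_from_internet:
        # The ISP translates upstream of you; bridge mode on your own gear cannot fix that.
        result["carrier_nat"] = True
        result["advice"] = ("The ISP translates your traffic (CGNAT); inbound services need a "
                            "public IP from the ISP or IPv6.")
    else:
        result["advice"] = "WAN holds the public address: pfSense is the only NAT."
    return result
```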

3 Running too many services out of the gate

We've all been guilty of this one, myself included. When you get a fancy new bit of technology to play with, you want to push its limits immediately by installing loads of packages, tools, and things to fiddle with. But in this case, we'd suggest you resist (or at least get some experimenting out of the way, then reset your router before using it day to day). There are lots of very powerful tools available for pfSense, which can do everything from intrusion detection to network monitoring, and often these come with performance considerations. Whether these tools slow down your router out of the gate, need specific performance tuning, or simply hog resources away from more important things (like routing!), it's best to move slowly and incrementally.

We'd suggest getting a basic and stable setup running on your router, effectively matching the configuration of your previous router as far as possible. From there, work incrementally and make regular backups of your configuration, adding services and features to your router as you see fit.

2 Not backing up your configuration


One of the best things about pfSense is that it makes it easy to back up and restore your network configuration. This is common in anything even remotely enterprise-targeted, as there are plenty of options to configure and no one wants to be doing that by hand. However, backup and restoration are lacking in many consumer routers.

We'd recommend you make full use of this functionality, and make regular backups of your configuration. The downside of the power pfSense puts in your hands is that it is very much possible to completely break your configuration, and it can be a complete pain to have to set up everything from scratch again. It's easy to export and import your configuration via the GUI.

1 Misconfiguring your router's security


This is a catch-all for something that you should pay close attention to when setting up your router. One of the big benefits of pfSense over most consumer routers is that it'll receive regular security updates, and is a well-hardened, regularly tested open-source product (as opposed to the closed-off black-box software most consumer routers ship with). That said, if you misconfigure your security, all that is undone. Some classic mistakes include:

  • Exposing your router's web portal over WAN, making it accessible anywhere
  • Not serving the web portal over HTTPS with a proper TLS certificate
  • Not changing the default web UI password
  • Configuring your VPN with weak or even broken encryption settings

pfSense generally makes this easy with a lot of sensible defaults, guidance during the setup process, and sane guardrails to stop you from going too far over the edge. The important thing is to ensure that your WAN is configured correctly and to follow good practices for your security.
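Since the configuration backups from the previous section are plain XML, you can audit them for the mistakes listed above before you restore or commit to a setup. The script below is an added example, not pfSense code or anything from this article; the element names and nesting are a simplified sketch of pfSense's config.xml layout and are an assumption here, and the sample backup is constructed to contain each mistake.

```python
import xml.etree.ElementTree as ET

# Constructed backup; element names and nesting are an assumed simplification
# of pfSense's config.xml, not copied from a real export.
SAMPLE_BACKUP = """<pfsense>
  <system><webgui><protocol>http</protocol><port>80</port></webgui></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><any/><port>80</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><any/><port>443</port></destination></rule>
  </filter>
  <openvpn><openvpn-server>
    <data_ciphers>BF-CBC,AES-256-GCM</data_ciphers><digest>SHA1</digest>
  </openvpn-server></openvpn>
</pfsense>"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def audit_backup(xml_text: str) -> list:
    """Return a list of misconfigurations found in a config backup."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Web portal without HTTPS.
    proto = root.findtext("system/webgui/protocol", default="https")
    gui_port = root.findtext("system/webgui/port") or ("443" if proto == "https" else "80")
    if proto != "https":
        findings.append("web GUI served over plain HTTP; switch to HTTPS with a proper certificate")
    # 2. A WAN pass rule that reaches the GUI port (any port, or the GUI port, on any
    #    destination or on the WAN address itself).
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        hits_self = rule.find("destination/any") is not None or \
            rule.findtext("destination/network") == "wanip"
        if hits_self and (rule.findtext("destination/port") or gui_port) == gui_port:
            findings.append(f"WAN pass rule exposes the web GUI (port {gui_port}) to the internet")
    # 3. OpenVPN servers negotiating weak ciphers or digests.
    for srv in root.iterfind("openvpn/openvpn-server"):
        ciphers = {c.strip().upper() for c in (srv.findtext("data_ciphers") or "").split(",")}
        if ciphers & WEAK_CIPHERS:
            findings.append(f"OpenVPN server allows weak cipher(s): {sorted(ciphers & WEAK_CIPHERS)}")
        if (srv.findtext("digest") or "").upper() in WEAK_DIGESTS:
            findings.append(f"OpenVPN server uses weak digest {srv.findtext('digest')}")
    return findings
```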

pfSense leaves the power with you

pfSense is a fantastic tool that puts control of your router into your own hands, but there can be pitfalls (both in hardware and software). That said, you'll have no problems if you follow some sensible defaults, make use of the wide array of documentation online, and approach setting up your router with a desire to learn along the way. Once you're all set up and running, you'll have an incredibly feature-rich, enterprise-grade router/firewall at your disposal without breaking the bank for high-end consumer routers.