When you're planning out the network for your home lab, a customizable firewall is key to keeping your home lab (and your home network) safe and secure. Once you've decided if you're going to make your own firewall or go with a prebuilt hardware firewall, and before you get to more advanced rules, there are a few essential firewall rules to set up. These are core to your home lab network, and make it so that you can always reach your firewall appliance to change rules should something go wrong. And let's face it, this is a home lab, and everything that can go wrong, will go wrong.

5 Drop outbound traffic by default

What happens in the home lab stays in the home lab

The more control you have over your home lab, the better, and that includes any traffic going through the WAN interface to your home network or to the wider internet. The default should be to drop outgoing traffic on both IPv4 and IPv6 so that nothing escapes unless you've permitted it to. You can separate IPv4 and IPv6 into two rules, as I do, if you prefer that for readability, or you can combine the two into one rule.

While we're creating overarching rules, you can also make the same rules for incoming traffic. Setting both IPv4 and IPv6 to block any incoming packets unless explicitly allowed with more advanced rules means you know what's happening on your home lab network at all times. It also narrows down the number of ports you have to investigate if something does go wrong, saving you valuable time.

4 Set up a management VLAN

This is essential for you to always be able to reach your firewall

While you'll be doing most of your home lab experimentation in VLANs, there is one specific VLAN to set up that never gets touched past the initial setup stages. That's a dedicated Management VLAN, which is used only for connecting to the management interfaces of your networking appliances.

This has several benefits in practice, with the most important in a home lab scenario being that it lets you reach the management interface of your devices even if something goes wrong with one (or all) of the other VLANs and you're unable to connect from them. Adding some routing rules between the management VLAN and trusted VLANs means you can dial in from any of those, with some solid firewall rules to limit this to trusted IPs only.

This also means that the management interfaces aren't accessible to an attacker who finds their way onto one of your other VLANs because they're not in the same area of the network. The interfaces often have terrible security, and you want a firewall between them and the rest of your networks.

3 Set up an anti-lockout rule

You're going to be messing around with ports and blocking, and you don't want to get caught out

One of the trickiest parts I've found when managing my home lab is getting back into my core appliances, like firewalls, after a DHCP change I've made has gone wrong. Even when you have physical access to the hardware, it's not always simple to log in and revert changes, but if you set up an Anti-Lockout rule before you start messing around with other DNS-related functions, it makes things so much easier for you when it does go wrong. What you want to set up are the following options:

  • Enable SSH to port 22
  • Enable traffic to port 443
  • Enable ICMP ping

These could be individual settings, or you could bundle them into an alias called ADMIN_PORTS, and then you only have to call the alias in future setup steps. Now, while you could set this on every VLAN or even on the connection from your home network, it's easiest to add these rules to the management VLAN we already set up. That VLAN is only used for managing network appliances, is never touched when playing around with home lab experiments, and should be easily accessible to fix any misconfigured VLANs that we've broken in the normal course of our home lab learning.

2 Segregate with VLANs so your home network is safe

You don't want your home lab to take over your other networks

Depending on how elaborate your home lab setup is, you might be running it on hardware connected to your home network. Even if you're not, it's still valuable to use VLANs to segregate devices into their own networks. One VLAN could be servers or storage, one could be IoT devices to play with, one could be locked down for poking at malware or reverse engineering things you wouldn't want to let loose on a normal network.

It's all about reducing the risk profiles for whatever experiments your home lab is doing. External devices like security cameras should absolutely be on their own VLAN, to limit access to the rest of your network if someone gets access to them outside. And you could go further with a VLAN for VPN traffic, one for guests to use, one for things like Google Home or Alexa devices that need to talk to each other while connecting to the internet, or any other ways to segment your home lab and home networks that make sense to your configuration. The point is that VLANs can only talk to each other through the firewall, and then only if you specifically allow them to.

1 Set up GeoIP blocking

Your network will be safer if you limit the countries that can connect to it

One of the most useful rules you can enable on advanced firewalls, like OPNsense or pfSense, is GeoIP, which lets you block any incoming traffic from geographical areas you set. This easily limits the number of bad actors you have to deal with, while still keeping connectivity from the countries that your cloud storage might be hosted in, or the servers for voice assistants.

Again, you'll want to set this block for traffic going into or out of your firewall, because being able to stop malware from phoning home is always a good idea, even if you can't guarantee it won't make it into your home lab. And you can even reverse this if you're a security researcher, setting up honeypots and using GeoIP to block selective countries to let known bad actors access your network to study what they do.
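Here are all five rules written out as a single hand-written pf.conf, added as an illustration and not taken from the article or from OPNsense/pfSense (both of which generate their pf rules from what you enter in the web UI, so you would normally never type this). Interface names, VLAN numbers, addresses, the trusted admin hosts and the GeoIP list path are all assumptions.

```pf
# Added example: the five home lab rules as a pf ruleset.
# Every interface name, address and path below is an assumption.
wan     = "em0"
mgmt    = "vlan10"   # 4: management VLAN, touched only during initial setup
lan     = "vlan20"   # trusted home network
servers = "vlan30"   # lab servers and storage
iot     = "vlan40"   # IoT toys: internet only
malware = "vlan50"   # malware / reverse-engineering lab: fully isolated

admin_ports = "{ 22, 443 }"                         # 3: the ADMIN_PORTS alias
table <trusted_admins> { 10.10.10.10, 10.20.0.10 }  # hosts allowed to manage the firewall
table <internal_nets>  { 10.0.0.0/8 }               # every VLAN lives inside 10/8
table <geo_block> persist file "/usr/local/etc/pf/geo_block.txt"  # 1: one CIDR per line

set block-policy drop
set skip on lo0

# 5: drop everything in both directions, IPv4 and IPv6, unless a later rule passes it
#    (IPv6 also needs ICMPv6 neighbor discovery passed; left out here for brevity)
block in  log all
block out log all

# 1: GeoIP block before anything else, inbound and outbound (stops phoning home too)
block in  quick log on $wan from <geo_block>
block out quick log on $wan to   <geo_block>

# 3 + 4: anti-lockout: only trusted hosts, on the management VLAN or the home LAN,
#        may reach the firewall's admin ports and ping it
pass in quick on $mgmt proto tcp  from <trusted_admins> to ($mgmt) port $admin_ports keep state
pass in quick on $mgmt proto icmp from <trusted_admins> to ($mgmt) icmp-type echoreq
pass in quick on $lan  proto tcp  from <trusted_admins> to $mgmt:network port $admin_ports keep state

# 2: VLANs only talk through the firewall, and only as explicitly allowed
pass in on $lan from $lan:network to $servers:network keep state             # home -> servers
pass in on { $lan, $servers } from <internal_nets> to ! <internal_nets> keep state  # -> internet
block in quick on $iot from $iot:network to <internal_nets>                  # IoT never internal
pass  in on $iot from $iot:network to any keep state                         # IoT -> internet only
block in quick on $malware all                                               # nothing leaves the lab

# let the permitted flows actually leave via WAN (NAT and DHCP/DNS service rules omitted)
pass out on $wan from <internal_nets> to ! <internal_nets> keep state
```

Because pf is stateful, the replies to every `pass in ... keep state` flow are allowed back automatically, so the default `block out` never strands an established session.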

Your home lab adventures are much easier with some sane firewall rules in place first

It might be tempting to dive into advanced configurations in your home lab and spin up a bunch of services from the start, but it's much better to take a methodical approach and get some basic ground rules established first. With these firewall and networking rules in place, you stand a better chance of keeping your home lab secure, and of being able to fix issues without having to wipe it and start from scratch.