Have you ever looked at your ISP-provided router and thought, "I wonder what it would be like to build my own firewall?" That's precisely what went through my mind last year when I finally made the switch from an ISP router to my own DIY networking solution. Although no beginner when it comes to building custom firewalls, having built a few pfSense units in the past, I never attempted it at home because I never had the need. Even with network-attached storage (NAS) and a powerful PC at the ready, I still didn't feel the need to make the switch.

That was until I started to self-host much more than Plex and some movies and shows. Even at that point, we still relied heavily on streaming services. The same went for storage with cloud subscriptions and the rest. We were spending a lot each month to keep ourselves entertained and all our data safe. Once I started firing up Proxmox containers and virtual machines, having self-hosted services from home allowed us to cut costs and take full control of our data, but I required something slightly more potent than a standard ISP router.

This is why I finally made the switch to OPNsense and built myself a firewall with nothing more than a USB drive for the OS installer, a $100 passively-cooled Intel-powered mini PC, a RAM kit, a spare NVMe SSD, and 10 minutes of my time.

Why OPNsense was the perfect fit

Secure, lightweight, and easy to use

OPNsense is a fork of pfSense and is my go-to for all things networking, thanks to its polished web interface, emphasis on openness, and a frequent release schedule. I've used the software extensively over the last year or so after switching from pfSense, and the process of setting up your own firewall is incredibly easy. Solutions such as pfSense and OPNsense start protecting your network as soon as they're installed. Even in their default configuration, they're still acting as your primary line of defence.

With OPNsense, I was able to configure virtual local area networks (VLANs), dynamic DNS (DDNS) to help make it easier to access all my self-hosted services from the outside world, traffic shaping, and VPN support for the entire LAN. That last part is game-changing: loading up the VPN on the firewall itself provides full blanket coverage across the entire LAN, and it can then be used in conjunction with rules to exclude specific clients and send their traffic outside the VPN.

Another handy feature was Unbound, which is pre-loaded on OPNsense. This handy caching DNS resolver supports the use of block lists, which negates the need to run a dedicated system for Pi-hole or AdGuard and ensures I don't need to run anything on Proxmox. This helps with redundancy since the firewall will never be taken offline. Simply load up a list and you're good to go. But the real reason that OPNsense made sense for this project is its resource requirements. Even a cheap $100 mini PC can run it without issues.
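What a DNS block list amounts to at the resolver level, as an added example that is not from the original article and is not OPNsense's own code: the sketch below parses a hosts-format list and renders plain `unbound.conf` `local-zone` directives that answer NXDOMAIN for each name and its subdomains. The sample list is constructed; OPNsense manages its own lists through the web interface.

```python
import re
from ipaddress import ip_address

# Constructed sample in the common "hosts" block list format (not a real feed).
SAMPLE_LIST = """\
# comment line
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net  # inline comment
0.0.0.0 ADS.example.com
0.0.0.0 localhost
0.0.0.0 bad_host..example
telemetry.example.org
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

def _is_ip(token):
    try:
        ip_address(token)
        return True
    except ValueError:
        return False

def parse_blocklist(text):
    """Return sorted unique domains from 'IP name...' or bare-domain lines."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        names = fields[1:] if _is_ip(fields[0]) else fields[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name in _SKIP or "." not in name or len(name) > 253:
                continue  # never sinkhole local names; drop malformed entries
            if all(_LABEL.match(label) for label in name.split(".")):
                domains.add(name)
    return sorted(domains)

def to_unbound(domains):
    """One local-zone per domain; always_nxdomain also covers its subdomains."""
    return [f'local-zone: "{d}." always_nxdomain' for d in domains]

if __name__ == "__main__":
    print("\n".join(to_unbound(parse_blocklist(SAMPLE_LIST))))
```

Rejecting malformed names and local hostnames before they reach the resolver matters because community lists are untrusted input and a bad entry can otherwise break local name resolution.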

That's when the search for a decent system started.

Finding the perfect cheap mini PC

It's easier than you think

There's a plethora of choices when it comes to choosing a mini PC for running a firewall firmware such as pfSense or OPNsense. There are a few things to bear in mind when shopping around. The first is the processor. While OPNsense and all your network traffic won't be terribly demanding for a system to handle, it's when you start getting real busy with data transfers and running plugins on the OPNsense installation that the CPU can come under fire.

Then there's the fact that this thing will be running 24/7, so it needs to have low power consumption, not make too much noise when under load, offer a few network interface ports, and rock an x86 architecture to ensure compatibility with OPNsense’s FreeBSD base. That's when I stumbled onto a sea of mini PCs for around $100 or so. These affordable boxes are compact, have very few ports, and are designed as mini firewalls rather than computers, though you could install Linux or Windows and use one as such.

I opted for one of the branded systems, which is likely a white-label product shared by a few companies, but it offered many of the things I required. First, we had an Intel N3700 CPU with four cores capable of bursting to 2.4 GHz with a TDP of just 6 watts. It supports a maximum of 8 GB of DDR3L RAM, which is perfect for an application such as this where one doesn't wish for system power draw to be too high. 8 GB is also more than enough for running OPNsense.

On the front are four 2.5 GbE Intel networking ports, one reserved for the WAN link to our fiber box. It may sound obvious, but make sure you get a device with more than one LAN port, or else you'll quickly run into trouble. SSD and RAM weren't included with the mini PC, but that's fine, as I had a module from an old NAS that would work well, and a simple low-capacity mSATA SSD did the trick. Once everything was installed and the system powered on, installing OPNsense took a few minutes.

The difference was immediate

Building your own firewall is worthwhile

Although many wouldn't place fun and networking in the same sentence, I find it incredible to tinker around with everything on the LAN. With OPNsense installed, it was possible to quickly configure the virtual private network (VPN) to connect to our provider and load up network-wide protection. I configured outbound NAT, created a few rules to isolate IoT devices on their own VLAN, and enabled DNS filtering to block known malicious domains using Unbound.
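A way to sanity-check IoT VLAN isolation rules before relying on them, as an added example that is not from the original article: a small first-match rule model (how OPNsense evaluates interface rules with its default "quick" setting) run against probe flows. The addressing plan, rule set and probes are all constructed assumptions, and the tuple format is not OPNsense's configuration format.

```python
from ipaddress import ip_address, ip_network

# Rules on the IoT interface, top to bottom: (action, proto, destination, port).
# Constructed plan: the firewall is 192.168.30.1 on the IoT VLAN.
GOOD_RULES = [
    ("pass",  "udp", "192.168.30.1/32", 53),    # DNS to Unbound on the firewall
    ("block", "any", "192.168.30.1/32", None),  # nothing else on the firewall (GUI, SSH)
    ("block", "any", "10.0.0.0/8", None),       # all private ranges, i.e. other VLANs
    ("block", "any", "172.16.0.0/12", None),
    ("block", "any", "192.168.0.0/16", None),
    ("pass",  "any", "0.0.0.0/0", None),        # everything left is the internet
]
# Same rules with the broad pass moved to the top: every block below it is dead.
BAD_RULES = [GOOD_RULES[-1]] + GOOD_RULES[:-1]

def decide(rules, proto, dst, port):
    """First matching rule wins; no match falls through to default deny."""
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if ip_address(dst) not in ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "block"

# Constructed probe flows from an IoT client and the verdict isolation requires.
EXPECTED = [
    ("udp", "192.168.30.1", 53, "pass"),      # resolver on the firewall
    ("tcp", "192.168.30.1", 443, "block"),    # firewall web GUI
    ("tcp", "192.168.10.20", 445, "block"),   # NAS on the trusted LAN
    ("tcp", "10.8.0.5", 22, "block"),         # host on another private range
    ("tcp", "203.0.113.10", 443, "pass"),     # internet host (documentation range)
]

def isolation_gaps(rules):
    """Return probe flows whose verdict differs from what isolation requires."""
    return [(p, d, port) for p, d, port, want in EXPECTED
            if decide(rules, p, d, port) != want]

if __name__ == "__main__":
    print("good:", isolation_gaps(GOOD_RULES))
    print("bad: ", isolation_gaps(BAD_RULES))
```

The misordered set shows the common failure: a single allow-all rule above the block rules lets IoT devices reach the firewall's management interface and the trusted LAN even though the block rules are still present.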

From there, I was only limited by imagination. DDNS through a domain provider was simple enough to allow me to use reverse proxies and access services such as Jellyfin and Immich from outside the home without needing to update apps with a new external IP address. OPNsense even has its own Intrusion Detection System (IDS). Although disabled by default, it's worth enabling the ET Open ruleset, which detects suspicious traffic patterns and blocks potential attacks.

Considering this was a $100 mini PC, the results are impressive. CPU loads are usually fairly low. Temperatures barely surpass 50 degrees Celsius, and everything runs smoothly. We're able to hit maximum throughput with our current ISP plan, and we've had zero network-related downtime that wasn't either planned or due to human error. Although this system is effectively designed for running a firewall, it was still surprising to see how well it performs at such a reasonable price.

It's likely not something you've thought long and hard about, but building your own firewall with OPNsense can transform your network with the deployment of advanced features. Creating and using VLANs alone will help segment your network and keep everything protected within its respective groupings. If you're serious about launching a home lab and adding Internet of Things products to your household, I can't recommend this process enough. The best part is you don't need to spend much either.