This past weekend, I finally took the plunge and deployed a new home network using pfSense. The purpose of this post is to share my experience, lessons learned, and perhaps inspire others to tackle a home networking project. Additionally, others might look at my setup and hone it, critique it, or modify it, thereby making it better for the next person. I would also like to share helpful resources that made the project possible. For context, I am not a network engineer, just a person who tinkers and ingests content.
Project Goals
- Network segmentation using VLANs/subnetting
- Self-managed devices/services
- Moderate Costs
Equipment
- CWWK Mini PC Intel N Series 4-core N100 - Barebones Kit - $239
- G.Skill Memory DDR5 (16GB) - $47.99
- EnGenius Fit Wireless Access Point (EWS356-FIT) - $69.99
- NETGEAR 5 Port PoE Gigabit Ethernet Plus Switch (GS305EP) - $69.99
- M.2 drive I had lying around
Once I assembled the CWWK Mini PC (which was very easy), I installed pfSense. The installation was lightning quick, taking under five minutes. I connected my PC through the switch to pfSense and accessed the web GUI. I used a ton of guides, mostly by Tom from Lawrence Systems. Tom and Wendell are responsible for creating some of the best content out there; the most useful guides I used for the project are listed below. Using the guides, I ended up completing the following, keeping in mind that I am no expert: you can do this!
- Configured VLANs (Primary, IoT, Guest Wireless, Services)
- Set up firewall rules to prevent the aforementioned networks from talking to each other
- Installed and configured PFBlocker
- Configured the ACME package for automatic certificate renewal
- Configured HAProxy and put the web GUIs for my switch and WAP behind it. This let me use a valid SSL certificate and eliminate browser errors when managing my devices
- Installed ntopng to examine and monitor network traffic
The following resources made all of this possible. Wendell's videos nudged me to check out EnGenius and inspired me to tackle some home projects.
- pfSense Setup - https://youtu.be/fsdm5uc_LsU?si=xnVZnPbQki-9_AUn
- Firewall Rules - https://youtu.be/bjr0rm93uVA?si=ocqQUji8U5O3E3Kn
- PFBlocker - https://youtu.be/oNo77CMoxUM?si=ciik96ba708O69ZQ
- HAProxy - https://youtu.be/bU85dgHSb2E?si=qYScniPSBsuSY21X
- ntopng - https://youtu.be/P8oxTUoF2Nw?si=35a3ql6qdtdji00P
Lessons Learned
- Firewall rules to block traffic need to be applied on the interface where that traffic enters the firewall. I made the mistake of placing a rule on the primary network to "block traffic from the IoT Network to the Primary Network". I spent hours troubleshooting, trying to figure out why traffic could still flow from one network to another. The rule worked like a charm when I attached it to the IoT network instead, because that is the interface the IoT traffic arrives on.
- Cheap equipment can be unreliable and may require reboots. In the early part of the project, I trunked a port on the little Netgear switch. The trunk did not work. I assumed I had made a mistake and tried various permutations/ports to get the trunk to work. I reverted to the original trunk configuration, went to bed, and hoped to wake up with it working. The next day, it still did not work. After rebooting the switch, everything flowed correctly. A similar occurrence happened with the EnGenius WAP. I configured one of my wireless networks, and it just would not work. After waiting an hour with no success, I rebooted the device, and it worked like a charm.
- DNS and attention to detail are important. I chased an HAProxy issue for two hours. The issue turned out to be a typo I made in DNS on the pfSense side.
- The Mini PC I bought is probably overkill for what I am doing. The resource usage is extremely low, even with multiple services running. I have a 1 Gbps Comcast connection.
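To make the first lesson concrete, here is an added example (not from the original post, and not pfSense's own code) that models how pfSense interface rules are evaluated: a packet is checked only against the rules bound to the interface it enters on, first match wins, and unmatched traffic is dropped. The subnets, interface names and rule sets are constructed for the example. It reproduces the mistake described above (a block rule on the Primary/LAN tab that can never see IoT-originated traffic) beside the working placement on the IoT tab, and includes a small check that flags rules whose source network cannot arrive on the interface they are bound to. Floating rules and state tracking are deliberately left out of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed subnets for this example; interface name -> directly attached network.
NETS = {
    "LAN": ip_network("10.0.10.0/24"),   # "Primary" network
    "IOT": ip_network("10.0.20.0/24"),   # IoT network
}
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    interface: str        # rule tab it lives on: evaluated only for traffic entering here
    action: str           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Packet:
    ingress: str          # interface the packet arrives on
    src: str
    dst: str


def evaluate(rules: list[Rule], pkt: Packet, default: str = "block") -> str:
    """Simplified pfSense model: consult only rules bound to the ingress interface,
    first matching rule wins (GUI rules are 'quick'), default deny otherwise."""
    for rule in rules:
        if rule.interface != pkt.ingress:
            continue  # rules on other tabs never see this packet
        if ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst:
            return rule.action
    return default


def misplaced_rules(rules: list[Rule]) -> list[Rule]:
    """Flag rules whose source network is a different local subnet than the one
    attached to the interface they are bound to: such a rule can never match."""
    flagged = []
    for rule in rules:
        attached = NETS.get(rule.interface)
        if attached is None or rule.src == ANY:
            continue
        if rule.src in NETS.values() and rule.src != attached:
            flagged.append(rule)
    return flagged


# The mistake: block rule placed on the Primary (LAN) tab.
WRONG = [
    Rule("LAN", "block", NETS["IOT"], NETS["LAN"]),  # IoT traffic never enters on LAN
    Rule("LAN", "pass", NETS["LAN"], ANY),
    Rule("IOT", "pass", NETS["IOT"], ANY),           # the usual "allow IoT out" rule
]

# The fix: block rule placed on the IoT tab, above the allow-out rule.
RIGHT = [
    Rule("LAN", "pass", NETS["LAN"], ANY),
    Rule("IOT", "block", NETS["IOT"], NETS["LAN"]),  # evaluated where IoT traffic enters
    Rule("IOT", "pass", NETS["IOT"], ANY),
]

IOT_TO_LAN = Packet("IOT", "10.0.20.50", "10.0.10.10")
IOT_TO_INTERNET = Packet("IOT", "10.0.20.50", "203.0.113.7")


if __name__ == "__main__":
    print("wrong placement, IoT -> LAN:", evaluate(WRONG, IOT_TO_LAN))      # pass
    print("right placement, IoT -> LAN:", evaluate(RIGHT, IOT_TO_LAN))      # block
    print("right placement, IoT -> Internet:", evaluate(RIGHT, IOT_TO_INTERNET))
    for r in misplaced_rules(WRONG):
        print("rule on", r.interface, "has source", r.src, "and can never match")
```

Running it shows the IoT-to-LAN packet passing under the first rule set and being blocked under the second, while IoT-to-Internet traffic is still allowed; the `misplaced_rules` check catches the LAN-tab rule before any hours of troubleshooting.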
If anyone reads this and would like a detailed guide on what I did, I would be glad to share. Thanks to all the people out there who share knowledge, post guides, and make great content for the rest of us. I am super happy with my new network.