Easy to follow Small Secure (dual-stack) Network Firewall

Version 0.16 (?) - work in progress

To add:

  • add more IPv6 rules to improve IPv6 network compatibility, like ICMPv6 Router Solicitation / Advertisement, Neighbor Solicitation / Advertisement, FQDN query / reply, Multicast listener, Node information Request / Reply, Who Are You Request / Reply
  • screenshots from the firewall rules tab as examples (after adding the IPv6 ICMP rules)


So you want an easy guide for a secure network for home or for a (very) small business? Want to read some accompanying rants, or just simply ignore walls-of-text not related to the actual guide? You’re in luck. I did this post, inspired by other wiki entries from members of the forum, specifically:

I’ll try to keep it short, but still explain some stuff on the way using the blur / spoiler tag. The reason behind this post is that I can’t seem to find an easy to follow guide for creating a secure network for home or small businesses with not too many restrictions to link to people who need it, so I decided to make my own.

(Potential) Physical Diagram


sorry for the small res

This network will have the ISP modem / router preferably in switch mode / ONT mode / media converter mode, to avoid double NAT, the main firewall, a managed switch, 2 WiFi access points, a PC, a laptop and a smart lightbulb. There’s also a file server / NAS running Samba just as an example for special rules you have to make in the firewall. Add however many devices you want on your network in the limits you have (maximum WiFi connections, maximum switch ports etc.).

(Potential) Network Diagram


I will be configuring a network with 3 subnets + a WAN connection. The reasoning behind this would be, first of all that’s what I have; second of all, that’s the number of ports (4) most USFF devices come with, so you should make use of all your resources; and third, you should definitely, at the very least have a trusted wired LAN (which could also be the management LAN), a second subnet for WLAN (wireless devices) which can be hacked into, especially if you are using old wireless access points or old routers with no firmware updates and old standards like WPA2 (upgrade to something which supports WPA3), and a third network for untrusted devices, which can be IoT devices (wired or wireless), in which you ought to be using a separate wireless access point for if you can’t have them wired, albeit wired is highly recommended. Again, at the very least a trusted wired network, a slightly trusted network (usually for WiFi) and an untrusted network. The firewall rules will vary depending on how much you trust your WiFi network and how confident you are in WiFi security (which, from my knowledge, you shouldn’t be).

  • An internet connection (or a connection to an adjacent public or private network)
  • A router / firewall device with 4 Ethernet (or SFP/+) ports. This can be an old x86 / x86_64 PC with a 4 port Ethernet Adapter, an USFF router / device (like PLL’s Protectli FW4B J3610 box or an ARM / RISC-V / POWER equivalent device that can run the OS of your choice.
  • Cables to connect everything (duh)

Add whatever hardware / however many ports you need for your own setup.

I only recommend running FOSS firewalls / routers, so that would be pfSense, OPNsense or a DIY solution using *BSD (pf, preferably OpenBSD) or Linux. FreeBSD has a faster network stack and more hardware support, at the cost of a little more complexity. pfSense is based on it because of that (and a few other reasons). OPNsense is a fork of pfSense and uses HardenedBSD, which is a fork of FreeBSD. If you fancy DIY solutions and minimalism, for home use and even for a small to medium-sized business, OpenBSD is fine. You should go FreeBSD (DIY) or pfSense / OPNsense if you predict the business (or home network, I won’t judge if you got lots of devices and services running at home) will grow too big. IMO, that would be over 100 concurrent devices and / or services or over 300 users for 10 services (so 3000+ connections). But a network this big is beyond the scope of this wiki.

If you like DIY and want Linux, personally I’d go with Alpine, due to its reduced size, hardening and the ability to run from RAM).

Personally I wouldn’t go with *WRT or Tomatoes due to the fact that they usually run on hardware with a built-in not-really manageable switch, so you basically only have 1 (internal) port that you can set VLANs on and which will be applied to all the switch ports from your router (if it even has more than 1 LAN port). You can if you want, but I wouldn’t recommend.

  • A managed switch (highly recommended) or multiple unmanaged switches
  • A wireless Access Point or an old router

The old router can be put in bridge / AP mode and be used for wireless only. Here, I definitely recommend you use a *WRT or Tomato firmware for features and (security) updates. But these things are optional and you can definitely have a network with just the main router and 3 devices connected to it (aside from the main Internet connection), with no potential for adding new devices unless you get a switch or wireless AP.

I will do this guide with pfSense, because that’s what I have. I would have done OpenBSD, but I hate distro-hopping in general (unless it’s really necessary) even when I love a certain OS over another, so I use whatever I have.

Aside from the prerequisites, you need a monitor + keyboard + / - mouse and a separate device you can use to remote / serial console into the firewall / router and / or switch for configurations, preferably a desktop PC or laptop with an Ethernet or SFP/+ port. Additionally, you might need a USB to Serial converter + a Serial to Console cable if your managed switch doesn’t come with a built-in USB management port (most newer switches have a USB Mini-B port near the console port). I won’t get into how to connect to your firewall or switch via serial console.



First prep

First, go to the BIOS / UEFI and check if your device has a “Last State” or “Always On / Power On” feature. This is going to be a firewall, so it’s expected to run 24/7 and should not need any user input to go back online. If it doesn’t, but your device support Wake-on-LAN (WOL), you can set up a device in your network, like a *Pi and make it check its own last state / uptime and the availability of your firewall and set it up to power-on the router. In abscence of that, you can still configure something like a *Pi to use the physical Power button to power on your firewall. This is beyond the scope of this wiki. Following that, install an OS.

Initial port configuration

After you have installed the OS of your choice (again, using pfSense here) on your firewall box, configure the ports as follows (I will start with 0, because that’s what you get in most *nix OS, like igb0, re0, eth0, enpXs0 etc.):

  • Port 0 = WAN
    Depending on what you’re connecting to, you have to either set a static IP address, get an IP address via DHCP, or set a PPPoE connection. This can be skipped for now and configured in just a moment via the web GUI.
  • Port 1 = LAN (trusted network)
  • Port 2 = WLAN (slightly trusted network)
  • Port 3 = UNTRUSTED (untrusted network)

For each network you have to set an IP address on the port and a subnet. These must be different for each port. You should also not give the whole subnet for use by the DHCP server, keep between 30 to 60 IP addresses reserved for static mapping, like the first or last IPs from the subnet. For example, if your LAN subnet is, give to the firewall port 1 and give the DHCP either the IPs from to, or the IPs from to Keep the rest of the IPs either for static IP address configurations on servers, or static DHCP mappings to MAC Addresses. Do this for all the subnets your create, it may save you some hassle later. Do not enable VLANs on the ports, as the switch ports will be set to Mode Access. You can set VLANs on any one port if you need more subnets in the future and use Mode Trunk on the switch, but this goes beyond the scope of this wiki.

Once created, temporarily connect an end-user device to your router, if using Ethernet, preferably using a crossover cable, however most modern devices support auto-negotiation and won’t care if it’s a straight or crossover cable; if using SFP/+, either connect a device that also has a SFP/+ port, or first use a switch in its default configuration and connect your end-device to the switch.

pfSense General Setup

Under general setup, set up a few DNS servers you trust for DNS resolution inside your network. Under DNS Resolution Behavior select the default behavior “Use local DNS, fall back to remote DNS servers” UNLESS you plan on using a separate DNS server inside your network, like a Pi-Hole, in which case you use “local DNS, ignore remote DNS.” That goes beyond the scope of this wiki. Further down, set your timezone and a NTP server (I just use the pfsense pool). We will make use of the default NTP server option in pfSense in just a little.

Firewall Rules

Now go to Firewall → Rules. If you don’t want IPv6, ignore WAN and go to LAN. The order of the rules matters a lot, so be careful about the order.


If you’re not using a dark theme or an extension for dark CSS, you’re a terrible person.

If you want IPv6, you will want to permit your firewall to communicate with a DHCPv6 server, so you have to add in WAN:

  • Pass: IPv6 UDP ; Source Any ; Port 547 ; Destination This Firewall (Self) ; Port 546

Port 547 is used by DHCPv6 servers and port 546 is used by DHCPv6 clients.


Add to the end (append) the following:

  • Block: IPv4+6 TCP/UDP ; Source Lan Net ; Port * ; Invert Match Destination This Firewall (Self) ; Port 53 (DNS)
  • Block: IPv4+6 TCP/UDP ; Source Lan Net ; Port * ; Invert Match Destination This Firewall (Self) ; Port 853 (DNS over TLS)
  • Block: IPv4+6 TCP/UDP ; Source Lan Net ; Port * ; Invert Match Destination This Firewall (Self) ; Port 123 (NTP)

#These are rules to block DNS, DNS over TLS and NTP to anything other than the Firewall. This is what Invert Match is for. To replicate this without Invert Match, you have to first add a rule to pass these 3 ports to the firewall, then block these 3 ports to anywhere else, so we halvened the rules! You have a DNS and NTP server on your network, there is absolutely 0 reasons to use outside services for this on your end-user devices. Note that you need to configure at least NTP on each of your end-user devices manually, as the DNS will be configured by the DHCP server on your devices if you use DHCP and not manual static IP.

I was thinking while posting this, I will have to upload new pics after I add the IPv6 rules, so things will change, so this will be the only example of rules from pfSense for now. Not to complicated, right? Oh, just realized I didn’t save the rule to block port 123 on the Internet on my trusted LAN. That should go before the Pass IPv4 rule, as mentioned.

Make sure the “Default allow Lan (and ipv6) to any rule” are moved to the bottom otherwise it will allow DNS, DoT and NTP to ourside your network, since they’re the first rules to apply. If you want your LAN (your wired connection) to also be a management network, give it a rule (append / add at the end) to allow it to go anywhere, for the sake and simplicity, like so, then delete the default 2 separate rules:
Pass: IPv4+6 * ; Source LAN Net ; Port * ; Destination * ; Port *

If you don’t want it to communicate with wireless devices and untrusted devices, you can add 2 rules before the Management (allow any) rule to Block Destination WLAN and UNTRUSTED. There are legitimate reasons for wanting to have completely separate networks, however, this is outside the scope of this wiki.

I recommend leaving the LAN as-is for now. Only connect devices you really trust to this network. For example, that could be your main desktop, a *Pi running Pi-Hole, a NAS and a virtualization server.


Go to Firewall → Rules → WLAN. Disable or delete any default rules. Here, add:

  • Pass: IPv4+6 TCP/UDP ; Source WLAN Net ; Port * ; Destination This Firewall (Self) ; Port 53 (DNS)
  • Pass: IPv4+6 TCP/UDP ; Source WLAN Net ; Port * ; Destination This Firewall (Self) ; Port 853 (DNS over TLS)
  • Pass: IPv4+6 TCP/UDP ; Source WLAN Net ; Port * ; Destination This Firewall (Self) ; Port 123 (NTP)
  • Block: IPv4+6 * ; Source WLAN Net ; Port * ; Destination This Firewall (Self) ; Port *
    #Other than DNS, DoT and NTP, you should not allow any WiFi device from accessing the firewall management interface(s). Adapt this to your preferences, but it is not recommended. At the very least, set up a static DHCP mapping and only allow an individual device to access the management, but again, not recommended.
  • Pass: IPv4+6 TCP/UDP ; Source WLAN Net ; Port * ; Destination Single Host or Alias 192.168.x.x ; Port 445 (MS DS)
    #This rule is an example of WiFi devices being allowed to access a single IP address from the LAN, only on port 445, which is the secure SMB port.
  • Block: IPv4+6 * ; Source WLAN Net; Port * ; Destination LAN Net ; Port *
    #This is a rule to block WiFi devices from accessing any device from the LAN. It is highly recommended you do so.
  • Block: IPv4+6 * ; Source WLAN Net; Port * ; Destination UNTRUSTED Net ; Port *
    #This rule may be optional. If you have things like a WiFi RGB Light Bulb or smart light switches on your UNTRUSTED subnet and want to use a program on your phone to control them, then you should either disable / delete this rule, or more recommended, find the port(s) used by the program to control the devices and allow the WLAN Net to the UNTRUSTED Net on said protocols and ports (usually most of the stuff is controlled via TCP and HTTP commands, but YMMV). Even more recommended is that you have something like a tablet that you only use to control these devices (like a remote control / central control hub) and connect the tablet to the UNTRUSTED network, instead of installing junk programs on your phone and allowing traffic to a network which is supposed to be more locked-down and where there are potentially lots of untrusted IoT devices.
  • Pass: IPv4+6 * ; Source WLAN Net; Port * ; Destination * ; Port *
    #This rule, at this point (with these exact order of rules), acts as an “allow all traffic to the Internet.” You can modify this rule to be more restrictive and only allow HTTP(S) and maybe SMTP(S) and IMAP(S) ports, instead of allowing Destination Ports Any, requiring 2 to 6 additional rules. Assuming you will connect your phone and probably your laptop to this network, if you don’t have other security requirement or threat model, you should leave this as is.


Go to Firewall → Rules → UNTRUSTED.

This is probably the longest list to block. Depending on your threat model, you may want to severly lock-down this network. In my configuration, I only allowed DNS, DoT and NTP to the Firewall (Self), blocked everything else to Firewall, blocked any to LAN Net except ICMP Echo Reply (ping replies), blocked any to WLAN Net and only allowed port 80 and 443 to the Internet for OS updates. Depending on what Internet-of-Spyware you add there, you may want to make an additional subnet (and thus, add an Ethernet port on your firewall, or use VLANs on one port) just for “very-slightly-trusted-devices” which you should allow access on the Internet on port 80 and 443. On my network, the UNTRUSTED OPT acts as a DMZ, albeit no service is exposed on the Internet there (just a remote backup NAS for security cameras footage from another far location, which connects to that site using Wireguard). This was initially supposed to act similar to a DMZ and host services here which would be available on the Internet, but never got around to that. The rules I set were as follows:

  • Pass: IPv4+6 TCP/UDP ; Source UNTRUSTED Net ; Port * ; Destination This Firewall (Self) ; Port 53 (DNS)
  • Pass: IPv4+6 TCP/UDP ; Source UNTRUSTED Net ; Port * ; Destination This Firewall (Self) ; Port 853 (DNS over TLS)
  • Pass: IPv4+6 TCP/UDP ; Source UNTRUSTED Net ; Port * ; Destination This Firewall (Self) ; Port 123 (NTP)
  • Block: IPv4+6 * ; Source UNTRUSTED Net ; Port * ; Destination This Firewall (Self) ; Port *
  • Pass: IPv4+6 ICMP Echo Reply: Source UNTRUSTED Net ; Port * ; Destination LAN Net ; Port *
  • Block: IPv4+6 * ; Source UNTRUSTED Net ; Port * ; Destination LAN Net ; Port *
  • Block: IPv4+6 * ; Source UNTRUSTED Net ; Port * ; Destination WLAN Net ; Port *
  • Allow: IPv4+6 TCP ; Source UNTRUSTED Net ; Port * ; Destination * ; Port 80 (HTTP)
  • Allow: IPv4+6 TCP ; Source UNTRUSTED Net ; Port * ; Destination * ; Port 443 (HTTPS)

Here you can add additional rules, like for example, allow 1 device or all subnet to connect to a remote VPN port. I am not using any IoT devices on this subnet, as mentioned, there is just one VM running here that only needs access to the local NTP and DNS server (firewall), HTTP and HTTPS access on the internet for OS updates (it’s a Linux VM) and access on my Wireguard port on the VPN on the internet, which I did not add to this list, as it is highly specific.

Again, add and remove rules to your liking.

Enabling IPv6 (dual-stack)

Important! IPv6 may break some functionalities in your current IPv4 network, because IPv6 is the preferred layer3 stack. Also, stateful firewalls like pf or iptables are causing issues for IPv6 that NAT used to cause for IPv4, so don’t assume IPv6 is the be-all end-all solution to some network applications’ issues. You could allow all traffic to go unfiltered to a host, but that’s not recommended.

Also, of high importance: pfSense and probably OPNsense too have some hiden rules enabled by default to prevent users from killing their IPv6 traffic. I will go through the rules and adding rules manually for IPv6, but keep in mind those may already exist. You can check them using “pfctl -s rules” in the terminal or in the WebGUI → Diagnostics → Command Prompt.

To enable IPv6, go to System → Advanced → Networking tab → check “Allow IPv6” box. Save and Apply configurations.

Go to Interfaces → WAN and under IPv6 Configuration Type select “DHCP6”. Under the same page, go to DHCP6 Client Configuration and select “DHCPv6 Prefix Delegation Size” = 60.

That means that you will be requesting a /60 network. By default this is set to /64. Prefix Delegation is the IPv6 option through which you ask for a bigger network segment. So a /64 is a single network, a /63 could be split into 2x /64 networks, a /62 into 4x /64, a /61 into 8x /64 etc.

So with a /60 Delegation Prefix you will be able to make 16x /64 networks. Reminder that a single /64 IPv6 network is a lot bigger than the whole IPv4 Internet as a whole. Also, there have been reports that some ISPs will only give you the number of Prefix Delegation originally set. Not sure about that, but do keep in mind. Also, the biggest network segment ISPs usually give is a /48, with most of them only offering a /56 at most (again, YMMV). A /60 should be plenty even for the most advanced home network and maybe even for a medium-sized business network in one location (of course, a medium-sized business can outgrow 16 subnets by aggressively splitting networks between departments, which they should).

You may need to check “Send IPv6 prefix hint” (I have) and maybe check “Do not wait for RA” (I have not, it worked without checking it). Depends on your ISP. Save and Apply Configurations. You may need to reboot the router, mine didn’t work until I did so.
Another important note about IPv6 is that an interface has more than 1 IP address assigned to it, usually 2.

These are the Link-Local address, which is used to only communicate only on the local network / broadcast domain and the Global Addressing IP address (i.e. the address that is reachable from the Internet). The concept of link-local address is similar to the in IPv4, however, using both the auto-assigned IP and another addressable IP address in IPv4 caused conflict, but in IPv6, this link-local address is a neccessity. The link-local address always starts with fe80.

Also note that in IPv6 there is no concept of broadcast, only multicast. Every IPv6 capable device on the local network (link-local) subscribes to the address “ff02::01” which is the “All nodes on link-local” multicast address. All routers also subscribe to the address “ff02::2,” which is the “All routers” multicast address. “ff01::1” if used for “All nodes on local node.” Similar multicast addresses exist for other services, such as DHCP, NTP, MLD, OSPF etc.

If everything went correctly, you should be presented on the dashboard with both an IPv4 and IPv6 address on the WAN. Alternatively, you can check Status → Interfaces → WAN and see both an IPv6 Link Local and IPv6 Address. If you don’t see the IPv6 Address, again, reboot your firewall either through SSH, or through Diagnostic → Reboot. To check if IPv6 works on your firewall, go to Diagnostics → Ping and ping google.com using IPv6.

Now go to Interfaces → LAN and set “IPv6 Configuration Ttype” = “Track Interface,” then at Track IPv6 Interface select “IPv6 Interface” = “WAN” and “IPv6 Prefix ID” = anything from 0 to f (default is 0).

Save, then go an do the same to WLAN and UNTRUSTED, with the only difference being the IPv6 Prefix ID (you can’t have the same prefix on multiple subnets). Then Save and Apply Changes.

Following that, go to Services → DHCPv6 Server and RA → LAN and go to DHCPv6 Server and enable it. Set “Prefix Delegation Size” = 64 and make sure “Provide DNS servers to DHCPv6 clients” is checked. You can set “Domain name” and “Domain name search” to local or whatever domain or subdomain you own. Save and go to Router Advertisement. I prefer the “Router Mode” = “Managed,” you can keep it as “Assisted” if some devices on your network (Android phones usually reported) can’t get a stateful DHCPv6 IP address and can only use SLAAC with DHCPv6.

Router Mode has flags for different Router Advertisement messages. Managed is just like classic DHCPv4, Router Only only presents the router, Unmanaged lets clients know of the router and lets them use SLAAC, assisted is presentic both Managed and SLAAC flags, usually SLAAC is ignored, unless the device is really dumb and really wants SLAAC, while Statelss DHCP is an option to allow SLAAC address config and present the router (like Unmanaged), but also adds other services, like DNS and NTP which are taken from the DHCP server (so basically DHCP configuration for everything except the IP address).

Save and apply changes.

Managed switch

Every switch OEM have different OS running on them and thus, different tools, commands and terms. I will mostly use the Cisco nomenclature, because that’s what I learned. At home I’m using a rather old HP ProCurve switch. For good op-sec, you shouldn’t divulge any device and / or software / firmware and its version you are running, because that gives attackers enough information to exploit potential vulnerabilities, but I guess do as I say, not as I do, as I have posted on this forum my hardware before, but I’m always running the latest version of everything, so I have at least some trust in my network against script-kiddies, but not against glow-boys and their backdoors side gates.

Once you are inside your switch’s configuration mode, select the ports you want to connect to your router and put them in different VLANs. I prefer having the ports in Access Mode, since I don’t use VLANs on the router ports themselves. For example, put port 1 (LAN) in VLAN 4, port 2 (WLAN) in VLAN 5 and port 3 (UNTRUSTED) in VLAN 6. The VLAN numbers don’t matter, just make sure you remember which one is associated with which network, as you will need to configure others ports that you connect to the end-devices using the same VLANs, depending on their roles. It is highly recommended not to use sequential VLAN numbers and to avoid using the VLAN numbers in this wiki. These are just example to make it easy to understand.

  • Set a strong password for your administrative account
  • Don’t enable services you won’t use and don’t enable Telnet. If you need remote access, use SSH.
  • Set the switch ports you will use for your router and end-devices and put them in Access Mode (e.g. ports 1 to 7, 1 to 3 being used by the firewall)
  • Enable Port Security and set a limited number of MAC Addresses on each switch port, preferably just 1 if it will be just 1 device on it. If you will run VMs, you should set it to the maximum number of VMs you will run behind that port, unless you will be doing NAT. The same goes for WLAN and UNTRUSTED, only allow the maximum number of MAC Addresses you know you will have on each port (for example, on WLAN if you only have a phone, a laptop and a tablet, allow 4 MAC Addresses to account for the Wireless AP which is connected to e.g. port 4)
  • Enable DHCP Snooping on all ports except the ones that will be connected to your router, e.g. 4 to 24 if you have a 24 port managed switch (more correctly said, set the router ports as trusted by DHCP Snooping, e.g. port 1 to 3 and leave 4 to 24 as untrusted)
  • Enable Dynamic ARP Inspection
  • Enable IP Source Guard
  • Enable PortFast on all ports (unless you use VLANs on your firewall ports)
  • Enable BPDU Guard
  • Set the native VLAN to something you don’t use (like VLAN 89)
  • Do not use VLAN 1 for anything
  • Disable all unused switch ports (so 8 to 24) and put them in a different VLAN you are not using (like VLAN 74)
  • Disable trunking auto-negotiation
  • Optionally, but highly recommended is to add a description on each port (e.g. Port 1 = pfSense LAN, Port 2 = pfSense WLAN, Port 4 = WiFi AP etc.)

At the size of this network, you shouldn’t need Spanning Tree Protocol or other advanced Layer 2 features, so enable all the aggressive security measured mentioned above or their equivalent from different OEMs.

Unmanaged switches

Not much to say other than connecting them to your firewall’s ports and only adding devices to them based on the network you want them to be in. Additionally, you can label them to make it easier to remember which is connected to which network.

WiFi Access Points

Go into your AP configuration, set a static IP address or take its MAC Address and put it in your DHCP server, configure your wireless settings, like WPA2 password, band etc. Not much to say here.

Old routers

If you want to use old routers in AP or bridge mode, go into its web configuration, set an unused static IP address from the network configured on the firewall, disable its DHCP server, configure your wireless settings like WPA2 password, band etc., enable AP or bridge mode, then plug the router into the switch or directly in your firewall’s port using the old router’s LAN port, not WAN port. Depending on the device you are using, the web GUI may or may not be available anymore after enabling AP mode.

Connecting everything up

Since everything is configured now, you can disconnect your end-device from your router and connect everything up as you have configured, e.g.:
  • fw port 0 → ISP device (modem, router, ONT)
  • fw port 1 → switch port 1 (VLAN 4)
  • fw port 2 → switch port 2 (VLAN 5)
    Note: you can plug the Wireless AP directly to firewall port 2 if you don’t intend to have additional wired devices plugged to this network. One such use-case for an additional wired device would be having a jump server, which is allowed in the firewall to access certain areas of your other networks. I personally had such a setup, albeit connected to my old router’s switch / LAN port which I used as a jump server to my LAN when my laptop was connected to a VPN which redirected all my traffic, so I had to use local network hackery to access my local resources.
  • fw port 3 → switch port 3 (VLAN 6)
  • wireless AP → switch port 4 (VLAN 5)
  • trusted desktop PC → switch port 5 (VLAN 4)
  • NAS → switch port 6 (VLAN 4)
  • very shady looking IoT device or aditional WiFi AP for untrusted wireless networking → switch port 7 (VLAN 6)

I’ve been writing at this for almost 7 hours straight, I need a dang break!


It’s a lot to take on. Take your time.


Need 3 more :heart: on OP to get a badge. Any donators?

Also, added some pics yesterday. Still need to do the IPv6 stuff, which I haven’t yet implemented even on my network.


Fantastic write up. When I have some time I think this is what I need to get started. I will have to learn how to utilize my domain name (I think I can use this for security? Recursive dns with pi-hole?)… I also have to utilize wifi to connect part of my network, so I think I’ll need to use a Cisco managed switch before the AP.

I also started nginx on another pc for testing as I have no idea what to do with it. Think it applies to above for recursive dns, maybe https for home net?.. I’m kind of at a loss. I have wayyyy more reading to do.

Sadly, I have listed all my hardware so there goes that opsec item lol.

This is only a half developed post… I have much more to add once I attempt to figure things out myself first and I have time. Wife took today of work worrying about house sale… But I hope to have some time to mess around today with it.

nginx is a web server that can be used as a reverse proxy. No idea how it related to recursive DNS. Looking through PLL’s guide, it appears nginx is only used for the DNS over TLS HTTPS part, meaning: instead of using unencrypted UDP packets to query a DNS server about a DNS record, you are using TCP packets encrypted with TLS (https) to query a web server about a DNS record. I think this is quite the endeavor, I’ll probably try it in the future, but I don’t have much against forwarder DNS (the default configurations on home routers, where you forward the query to a DNS cacher, like Google, Cloudflare or most commonly ISP DNS).

Telling people the brands and software used isn’t necessarily bad opsec. It becomes bad opsec when you tell every piece of software you are using, so it’s preferable you say none. As for brands, just “Cisco” tells us nothing. Just don’t mention model and especially not firmware. And keep your software up to date.

1 Like

If I understand your guide correctly, This is what my network should look like for a simple version.

I rely on the wifi AP to relay information via its mesh network because I do not have wires in this house, and I think I will have to in the apartment.

Would I just need one wire to the AP? and would the AP relay VLAN tags?

I believe I will also need to design IP’s and Subnets to help keep things organized. I have been reading up on that but the math for whatever reason does not make sense to me. I haven’t had a chance to read the chapter on it front to back, so maybe I am missing something.

Nope, you just bridged the LAN with SEMI-TRUSTED with UNTRUSTED on the WiFi AP. Consumer routers / APs don’t know what vLAN is, so you will need 2 different APs for each vLAN (2 because I prefer LAN not be wireless, so 1 AP for UNTRUSTED and 1 AP for SEMI-TRUSTED). You only connect SEMI-TRUSTED to the WiFi AP. And yeah, they go in a LAN port, after you disable DHCP on the WiFi router (or if they have a dedicated “AP mode”).

Depending on your setup, you may not need the UNTRUSTED network to be wireless. Do you have smart light bulbs and other Internet-of-Junk devices? :slight_smile:

1 Like

Sadly yes I do. I also have wireless solar cameras. I was hoping to find a way to cut those off from the internet/and keep them on the LAN only unless its passed securely. Then also some alexa devices (I know I know), figured there has to be a way to secure their traffic as well. I also have a subscription to a VPN (PIA) I should be able to utilize as well.

That might be possible because I forgot I had a linksys mesh system as well I can put alexa and cameras on.

Now is it possible to have subnets for each vlan? IE (have a IP range for trusted, Semi, and un trusted?)? Or is that redundant or less secure?

1 Like

The only way is for each vLAN to have its own subnet. The router’s job is to route traffic between subnets, which are on different vLANs.
e.g. trusted =
untrusted =
semi-trusted =

1 Like

Very nice, that makes sense. I’ll have to try that.

1 Like

I forgot to mention that every port needs to be in Mode Access. If you make a server that you want to have access / bridge connections to VMs from both LAN and UNTRUSTED, only set that server’s port (on the switch) in Trunk and allow the 2 vLANs only.

1 Like

So, for testing… What would be the best way for me to run a setup like this?
Or should I go for a physical connection to the LAN port on the Protectili? I know you said you have used cisco switches, have you ever had a problem with the updates saying the Firmware Image was too large?

Or is this not possible because I already have a router “up stream” (not sure if thats the right term) of the firewall?

Would it be easiest to set the “Default Gateway” on the asusrock edge PC to the IP of the LAN on the firewall? or handle it with the switch and connect port 2 to port 3 someway?

Know I’m kinda lost here…

No, but I’ve read that if you have enough storage and RAM available, you should rename the newer image to something that goes alphabetically before the old image (like from “ios-123.bin” to “aios-123.bin”), as Cisco apparently loads things in alphabetical order.

The current map makes the network between the Asus router and the Protectli available on the switch. If don’t you intend to connect other wired devices or VMs to the main Asus network, or more than wired 2 devices, then I suggest you plug the LAN from Asus directly to the WAN from Protectli to save some switch ports. But if you want to make it available to say, Proxmox, then keep this configuration.

You’ll have:

  • port 8 mode access in vLAN Asus → Asus LAN port
  • port 1 mode access in vLAN Asus → Protectli WAN port
  • port 2 mode trunk with vLANs LAN, semi-trusted and untrusted → Protectli LAN port
  • port 3 mode trunk with vLANs LAN, semi-trusted, untrusted and Asus (so that you can make the pseudo-DMZ available to Proxmox VMs, it could we worth it for testing some stuff or just pure learning) → Proxmox

I personally used all 4 ports from my firewall to the switch and had the switch ports in mode access, but that’s because I have a 48 port switch (and about 20 of them occupied). But there’s nothing wrong with using vLANs, just that the stuff behind will be limited to 1Gbps total, instead of 1Gbps per subnet. This is ok if you want to save switch ports (to connect other devices).

Also, the attached image doesn’t have labels, but I guess it should be obvious that the Arris port should go to the Asus WAN port.

1 Like

Really a great write-up on this for someone who really has no experience with networking and firewall rules this helps clarify A LOT.

I do apologize for some of the stupid questions as this really did answer alot once I made it to the section I had a question on (I tended to get ahead of myself/and already have a hard time keeping a train of thought).

To anyone else attempting this I highly recommend reading it through at least once if not twice in it’s entirety (including blurred out points at least on the second read) before you implement or follow the guide. A lot is explained as you go when it’s needed and not before. I assure you the answer to your question is probably there somewhere.


I really should have checked these forums first, as I got super frustrated with setting up my IPv6 stack. I’m not sure if the tutorial would have helped though, since I’m doing everything on a basic Void Linux install. I ended up going with dnsmasq and dhcpcd for getting and assigning IP addresses. I wrote a tutorial myself, in case anyone is trying to do this with a custom Linux router:

1 Like

Love that you’re using Void. Anyway, I’ll have to check your ipv6 rules, but this project is currently on-hold for now, because I don’t have access to my router at this point in time (and probably won’t for a while). But I will come back to it.

The problem with my tutorial is that it’s split into two parts: the first is the basics, which I should have taken care of, doing the ipv6 rules recommended by the RFCs, and the second part for more advanced users, where I want to block certain traffic (like ICMP v6 echo requests / replies, that are apparently recommended to be allowed). I have waited to write the second part along with the first one, which was a little dumb on my part.

Thank you for your write-up tough, I really appreciate contributions!

1 Like

I tried to enable DHCPv6 and router advertisement on my internal network, and I set the interfaces to “monitor WAN” in pfSense and somehow I managed to get myself locked out of my network. Somehow, pfSense is so ridiculous that if IPv6 is not working properly, neither is IPv4. How in the world?..

Anyway, the project is still on-hold, I’ll probably have to do a virtual network at some point and continue this project. It’s been a royal PITA, but I don’t like letting things unfinished.

1 Like

SOOOO… now that I have a better understanding and I’m not completely illiterate to the terminology I was able to follow this guide very easily.

I originally didnt have the WAN rules and was able to set those up no problem.

Thanks again for such an amazing guide for the lay person my friend.


This is still incomplete and I’m ashamed of it, but I don’t have the infrastructure to finish it at this point in time. REEEEEEEE

1 Like