Copyright XDA Developers

Having built and deployed a few firewalls before launching one at home, I'd like to think I know a thing or two about getting it right. Thankfully, if you're choosing between OPNsense and pfSense, it's difficult to get it wrong: even as a default installation, both are fairly secure and will do a stellar job at keeping unwanted parties from gaining access to your local area network (LAN). But there are still some things I wish I had been told when I built my first firewall.

Don't lock yourself out
It happens to the best of us

Configuring a firewall using OPNsense can lead to a world of pain if this happens to be your first foray into custom networking hardware. Firstly, the default IP of the firewall will likely clash with your existing router, which usually has an address of 192.168.1.1. That's the gateway, which OPNsense (or other similar firmware) will become. That's an initial headache that could catch unsuspecting victims, but it is what one should expect when building their own firewall.

Back up often, and I mean back up everything often: PCs, phones, NAS, servers, and even your firewall. Everything should have configuration file copies, as well as backups of stored data, to ensure you don't lose a single bit and can minimize downtime with a few clicks and keystrokes. Don't worry if you manage to break something and lock yourself out of the firewall. We've all been there and either had to load a recent backup or quickly reset/reinstall everything.

VLANs are your best friends
Use them wisely

When working with Internet of Things (IoT) hardware such as thermostats, smart plugs, light bulbs, and much more, you may notice some of them calling home. That's when they're designed and developed to communicate with some company-owned server somewhere. Splitting your smart home devices into their own VLAN is a good idea to avoid this and make your entire LAN more secure, since these devices can have unpatched vulnerabilities.
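As an added example (not code from the article or from OPNsense), the following script audits simplified firewall log records for the two concerns above: it inventories which devices in the isolated VLANs are calling home, and it flags any flow from those VLANs into another internal segment, which the segmentation rules should make impossible. The record layout and the VLAN subnets are constructed assumptions.

```python
# Added example (not from the article or OPNsense): audit cross-VLAN flows from
# simplified firewall log records. The record layout is a constructed
# simplification of a filter log, and the VLAN subnets are assumptions.
import ipaddress
from collections import defaultdict
SEGMENTS = {  # assumed VLAN layout: segment name -> subnet
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "IOT": ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
    "CAMERAS": ipaddress.ip_network("192.168.40.0/24"),
}
ISOLATED = {"IOT", "GUEST", "CAMERAS"}  # internet only, never another segment

# Constructed sample records, one new flow per line: "action src dst dport".
SAMPLE_LOG = """\
pass 192.168.20.15 203.0.113.10 443
pass 192.168.20.16 198.51.100.7 8883
block 192.168.20.16 192.168.10.20 445
pass 192.168.40.7 192.168.10.50 554
block 192.168.30.22 192.168.10.1 443
pass 192.168.10.20 192.168.20.15 80
"""

def segment_of(ip):
    """Name the VLAN an address belongs to, or EXTERNAL if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "EXTERNAL")

def parse(log_text):
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [(action, src, dst, int(port)) for action, src, dst, port in rows]

def audit(records):
    """Return (calls_home, leaks, probes) for flows leaving isolated segments.
    calls_home: src -> {(dst, dport)} reaching the internet (who calls home).
    leaks:  passed flows into another internal segment: a gap in the rules.
    probes: blocked flows into another segment: the rules held, but worth a look."""
    calls_home, leaks, probes = defaultdict(set), [], []
    for action, src, dst, dport in records:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg not in ISOLATED or dst_seg == src_seg:
            continue
        if dst_seg == "EXTERNAL":
            if action == "pass":
                calls_home[src].add((dst, dport))
        elif action == "pass":
            leaks.append((src_seg, src, dst_seg, dst, dport))
        else:
            probes.append((src_seg, src, dst_seg, dst, dport))
    return dict(calls_home), leaks, probes
```

Run `audit(parse(SAMPLE_LOG))`: the camera reaching a LAN host on 554 shows up as a leak, while the IoT and guest attempts on 445 and 443 appear as blocked probes.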
A VLAN keeps them separate from the rest of the network. It's no good spending countless hours perfecting your LAN only to see it come crashing down with an infection of some sort, thanks to your "smart" doorbell having a backdoor vulnerability. Keep everything patched and use VLANs to segment the network and keep specific clients separated, such as guest devices, servers, IP cameras, and more.

Your choice of NIC matters
Not all are built the same

OPNsense and similar firmware can be a little finicky when it comes to network interface cards (NICs). Realtek NICs are notoriously difficult to get working, so it's often recommended to stick to Intel hardware when possible. Also, avoid USB NICs at all costs. Try to purchase a system with enough Ethernet ports to avoid having to resort to LAN adapters. If I were to recommend one to look out for on your hunt, it would be the Intel i350. NICs are vital for your firewall since they are responsible for handling all the traffic that flows through the LAN. You don't want to be dropping packets or stalling under heavier loads, especially when making the move to fiber connections.

Don't experiment with a live firewall
Create a second test bench

Once your firewall is operational, it should really stay that way. OPNsense is much more than a basic interceptor with a few rules to allow or deny traffic. The software handles DHCP, DNS, and much more, acting as the foundation of your home network. By experimenting with OPNsense (or some other firewall), you run the risk of breaking something or preventing others from reliably using the LAN or connecting to the outside world. Unless you have a support ticket system self-hosted on a NAS somewhere to deal with the sudden influx of requests from family members, I strongly advise you to try any changes and update deployments in a dev environment before making them to your live one.
Spin OPNsense up as a virtual instance within Proxmox, or even use a cheap and affordable single-board computer (SBC) to provide the means to have a little play around.

Keep it simple
Think of the rest of the family

I recommend exploring the firewall to see what else you can activate and configure to make your networking life much easier, but it's easy to go overboard with functionality. First, get used to all the basics, such as rules, traffic monitoring, DNS, setting up a VPN, and even configuring Unbound to block tracking. There are some truly fantastic plugins available for OPNsense, but many of the versatile features that will create the ultimate LAN come preinstalled. And remember: someone else may have to log into the firewall to fix or change something. Would you want to be on the phone for two hours walking a family member through the process of achieving something in your convoluted setup? I thought not. Keep it simple. Start with the basics and slowly add to your LAN as needed. That's the important part: make sure it's something you (and your LAN) require.

OPNsense is the way to go
It's the best firewall firmware around

If you're struggling to pick the right router, firewall, or firmware, I'd say go with OPNsense. It's community-backed, completely open, and has served me well enough. All you need is a small mini PC, something with Intel LAN ports and a low-power CPU. It will happily chug along and handle all your network loads. My own firewall is entirely passive, operating at around 50 degrees Celsius, which isn't too bad when you consider it has a 5 Gb trunk link to the wider LAN and we've got a lot running internally. The one thing I would recommend with OPNsense is to avoid running the firewall as an access point (AP). It's possible, but you'll end up with spotty wireless performance, even with a beefy system running the firmware. The primary cause is the underlying FreeBSD OS, which is notoriously bad with modern Wi-Fi NICs.
It's also a firewall first and foremost, and it's best to keep advanced features, such as wireless networking, on dedicated hardware like an AP.

Building your own firewall is a great hobby

As a first step toward deploying and managing your own expansive network, creating a custom firewall to replace an existing ISP-provided router can provide numerous benefits. You'll have access to more advanced features that simply weren't possible with that hardware. Some ISP routers may not even allow for guest networks, let alone configuring virtual LANs (VLANs) and demilitarized zones (DMZs). Creating your own firewall teaches you more about networking and is great for getting more from your LAN.