You can better protect your home network, your sensitive data and your online activities by separating your home network into sub-networks (subnets).

A typical home network is a single flat network: one network that accepts connections (wired or wireless) from all computers, mobile devices, peripherals and Internet-enabled devices such as Internet of Things (IoT) gadgets.

Figure 1: Typical home network

Risks of a single home network?

If any one device is compromised or infected with malware, the attacker may be able to spread the malware to, or compromise, your other devices.

The attacker may also be able to sniff and eavesdrop on your network traffic to steal critical personal information (e.g. login credentials).

Attacks do not necessarily start at your most important devices. In fact, they usually start with the devices that have the weakest security protection. Once attackers get a foothold on one device, they can work their way to your other devices within the same network.

Your devices could be infected in several ways:

Internet of Things (IoT)

More and more devices, appliances and innovative gadgets are Internet connected. But not all of them are created equal. Some have very weak security protection, or none at all.

These devices can pose a high risk to your network.

However, they will only grow in popularity. Incorporating IoT into your home network is just a matter of time, if it has not already started. Therefore, it is best to restructure your home network to accommodate them.

Devices that lack firmware updates

Peripheral devices like printers, or simple network devices like hubs and switches, usually receive few firmware updates from the manufacturer. If these devices have vulnerabilities, an attacker could take advantage of them to gain access.

Devices that have outdated firmware

From time to time, vulnerabilities are found in a particular device (e.g. a router), and the manufacturer may provide firmware updates to fix them.

However, if the device firmware is not kept up to date in a timely fashion, these devices can become the attack target.

Wi-Fi hacking

Wi-Fi access is becoming a must-have for every home network. Because of its wireless nature, an attacker does not need to be inside your home to perform an attack.

Mobile devices joining untrusted networks

It is typical to use public networks for Internet access when we are on the go. But these open public hotspots also carry the risk of getting your cell phone or laptop infected.

And when you bring an infected mobile device home, attackers now have a foothold in your network.

Phishing or malicious websites

And of course, if we are not careful about our Internet activities, our computers can be infected by malware through phishing or by visiting malicious websites.

Multiple users / family members

Your home network is most likely shared with family members, kids, relatives, friends and guests. For some of them you simply have no control over their devices, and it is hard to know whether those devices are infected. This also poses a security risk to your home network.

Separate home network into multiple subnets

You can minimize these risks by dividing your single network into multiple sub-networks.

Typically, devices in one subnet do not have access to another subnet. Therefore, the damage from a compromised device is limited to its own subnet: it cannot spread to, or access, devices on other subnets.

By carefully grouping and dividing your devices into different subnets, you can best protect your important data and online activities (e.g. online banking).

Figure 2: Home network with subnets

The above network diagram is an example of a home network using subnets.

  • subnet 1: This is the most important sub-network to protect. Devices and computers here store your most important data and perform your most important online activities. Any potentially risky activity should be avoided in this sub-network.
  • subnet 2: Wired devices or computers where you may perform riskier activities like browsing unknown websites or checking emails with links and attachments. Any malware infection or malicious website attack is contained within this sub-network and does not affect subnet 1.
  • subnet 3: Peripheral devices like printers that don’t get firmware updates or have outdated firmware. These devices typically don’t need Internet access. Therefore, devices in this sub-network can be restricted to NO network access to eliminate their exposure.
  • subnet 4: Similar to subnet 2 but dedicated to gaming devices/consoles.
  • subnet 5: Mobile devices that may also connect to untrusted networks (e.g. public open Wi-Fi hotspots).
  • subnet 6: A sub-network dedicated to IoT devices, giving them Internet access but NOT access to your other devices.
  • subnet 7: A guest sub-network for your friends and visitors. Like subnet 6, they only need Internet access.

How to implement subnets?

It can be overwhelming to restructure the whole home network all at once, but we can do it step by step.

Create physical subnets using pfSense firewall

The very first step is to incorporate a feature-packed network firewall as the cornerstone for setting up subnets in the home network.

A firewall requires a minimum of 2 network interfaces: 1 for connecting to the WAN and 1 for connecting to the LAN (internal home network). Each extra network interface lets the firewall create an additional physical sub-network. Therefore, a firewall with 3 network interfaces allows you to create 2 physical subnets.

Figure 3: 2 subnets using pfSense firewall

pfSense firewall is recommended.

pfSense (Community Edition) is a free, open source firewall used by many. You can purchase Netgate’s official pre-configured pfSense appliances.

Or you can download the latest stable version at pfsense.org and install it on compatible hardware (e.g. a mini PC).

Recommended hardware

  • Multi-core CPU at 2.0GHz+
  • 4GB+ RAM
  • 10GB+ hard drive space
  • 3 or more Intel PCI-e NICs
  • for future compatibility (pfSense v2.5+), the CPU requires AES-NI encryption support

For a good mini PC, check out the Qotom Q330G4 with 4 NICs. This allows you to set up 3 physical subnets. I have been using an older Qotom mini PC running pfSense firewall for a couple of years without problems.

Subnet access control

With pfSense firewall rules, you have the flexibility to define how devices within a subnet can access other resources, for example:

  • access only devices within the same subnet.
  • Internet access only.
  • access to devices on a different subnet.
  • a combination of the above rules.

As shown in figure 3, with the appropriate firewall rules defined, we can limit devices in subnet 2 to Internet access only, with no access to any devices in subnet 1.

And for devices (the secure desktop) in subnet 1, we can allow access to devices in subnet 2 so that print jobs can be sent to the printer in subnet 2.

Installing pfSense

Follow the guide to install pfSense from a USB flash drive to complete the initial installation and setup.

A typical pfSense installation uses 2 network interfaces: one for Internet access (the WAN interface) and one for the local network (the LAN interface).

The default access control for the LAN interface is full access. That is, devices on the LAN interface have Internet access and can access devices in all subnets that you may create later. So you can use this LAN interface as subnet 1.

Configure subnet 2 using 3rd network interface

Once you have successfully installed pfSense with 1 WAN and 1 LAN, use the pfSense web GUI and follow the steps below to set up the third network interface as subnet 2 with Internet access ONLY.

Step 1: create the 3rd interface

  1. go to Interfaces > Assignments
  2. at Available network ports, an available (unassigned) NIC should be selected automatically
  3. click Add

A new interface with the default name ‘OPT1’ will be created.

Step 2: Enable new interface and assign a private static IPv4 address

  • Click on OPT1 to configure the interface
  1. check the Enable interface checkbox
  2. select Static IPv4 for IPv4 Configuration Type
  3. Go to section Static IPv4 Configuration, enter 192.168.99.1/24 for IPv4 address. This will be the IP address of the firewall, which serves as the gateway for this subnet
  4. click Save, then Apply Changes

Step 3: Setup DHCP server for OPT1 to automatically assign IP addresses to devices

  1. go to Services > DHCP Server > OPT1
  2. check the Enable DHCP server on OPT1 interface checkbox
  3. for Range, specify a range of IP addresses that can be used for automatic assignment (e.g. from 192.168.99.201 to 192.168.99.254)
  4. click Save near end of the page.

Step 4: Setup firewall rules to allow Internet access only

Other than the LAN interface automatically created by the pfSense installation, all new interfaces created manually have no access to anything by default.

Before defining the actual firewall rules, we will first create an IP alias that represents all private IP addresses (used by all private subnets).

  1. go to Firewall > Aliases > IP
  2. click Add
  3. enter ‘Private_IPv4s’ as the Name
  4. select Network(s) as Type
  5. add following 3 networks:
    • enter 192.168.0.0 / 16
    • click Add Network and enter 10.0.0.0 / 8
    • click Add Network and enter 172.16.0.0 / 12
  6. click Save then Apply Changes

Now let’s create a firewall rule to allow Internet access:

Firewall rule: allow Internet access

  1. go to Firewall > Rules > OPT1
  2. click Add button
  3. for Address Family, select IPv4+IPv6
  4. for Protocol, select Any
  5. for Source, select OPT1 net
  6. for Destination,
    • check Invert match checkbox
    • select Single host or alias
    • then type ‘Private_IPv4s’ as the Destination Address
  7. for Description, enter ‘allow Internet access’
  8. click Save, then Apply Changes

Now you can use this OPT1 interface for subnet 2 with access to the Internet. However, its devices won’t be able to access subnet 1.
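To make the effect of the rules in Step 4 and in the Subnet access control section concrete, here is an added example (not pfSense code or configuration) that models how pfSense evaluates rules: on the interface where traffic enters the firewall, first match wins, and anything unmatched is denied. The OPT1 network and the Private_IPv4s alias are taken from the steps above; the LAN address range and the printer address are assumptions.

```python
"""Per-interface rule evaluation for the two-subnet layout in this post.

Added example, not pfSense code. It models pfSense's behaviour: rules are
applied on the interface where traffic ENTERS the firewall, the first
matching rule wins, and unmatched traffic is dropped. The LAN range and the
printer address are assumptions; OPT1 and the alias come from the steps above.
"""
import ipaddress
from dataclasses import dataclass

# Step 4 alias: every RFC 1918 private range.
PRIVATE_IPV4S = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Interface networks. OPT1 is from Step 2; the LAN range is assumed.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),    # assumed
    "OPT1": ipaddress.ip_network("192.168.99.0/24"),  # Step 2
}


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: list                 # source networks (empty list = any)
    dst: list                 # destination networks (empty list = any)
    dst_invert: bool = False  # pfSense "Invert match" on the destination
    description: str = ""

    def matches(self, src_ip, dst_ip):
        if self.src and not any(src_ip in n for n in self.src):
            return False
        if self.dst:
            in_dst = any(dst_ip in n for n in self.dst)
            # With Invert match the rule applies only when dst is NOT listed.
            if in_dst == self.dst_invert:
                return False
        return True


# Rules per ingress interface, in the order pfSense would evaluate them.
RULES = {
    # pfSense installs a default "allow LAN to any" rule on LAN.
    "LAN": [Rule("pass", [NETS["LAN"]], [],
                 description="Default allow LAN to any")],
    # Step 4: OPT1 net may reach anything that is NOT a private address.
    "OPT1": [Rule("pass", [NETS["OPT1"]], PRIVATE_IPV4S, dst_invert=True,
                  description="allow Internet access")],
}


def ingress_interface(src_ip):
    """The interface a packet arrives on, judged by its source network."""
    for name, net in NETS.items():
        if src_ip in net:
            return name
    return None


def evaluate(src, dst):
    """Return (action, reason) for a NEW connection from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(src_ip)
    if iface is None:
        return "block", "source not on any known interface"
    for rule in RULES[iface]:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.description
    return "block", "default deny on " + iface


if __name__ == "__main__":
    for src, dst, what in [
        ("192.168.99.10", "8.8.8.8", "OPT1 device to the Internet"),
        ("192.168.99.10", "192.168.1.20", "OPT1 device to a subnet 1 desktop"),
        ("192.168.1.20", "192.168.99.50", "subnet 1 desktop to the printer on OPT1 (assumed)"),
    ]:
        print(f"{what}: {evaluate(src, dst)}")
```

Note that only the first packet of a connection is evaluated this way; replies travel back through the firewall's state table. That is why the print job from subnet 1 to the printer needs a rule on the LAN interface only, and a rule placed on OPT1 would never see it.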

Notes about double NATs

The pfSense firewall also serves as a router. When you have 2 routers (the ISP router and pfSense) in a network, that creates double NAT.

To put it simply, it works completely fine for general Internet use like browsing, email, cell phones and most gaming.

However, it may cause problems when a service you use requires port forwarding. If you don’t need port forwarding, you probably won’t run into any issues.

Port forwarding

Approach 1: If you do need port forwarding, the easiest approach is to configure port forwarding on both the ISP router and the pfSense firewall.

Approach 2: configure the ISP router to use a DMZ address pointing to the pfSense firewall. With this approach, you only need to configure port forwarding at the pfSense firewall.

Approach 3: Use more advanced techniques (out of scope for this post), including bridging the ISP router or replacing the ISP router completely by connecting the Internet connection directly to the pfSense firewall. However, take the following into consideration, especially when this is your first time setting up a pfSense firewall:

  • it requires more in-depth networking knowledge.
  • it most likely requires the ISP’s technical support to reset the connection. This can be frustrating and time consuming when you have to do it back and forth multiple times.
  • some functionality could be lost if the service provider also offers TV/phone service through the ISP-provided router.
  • the ISP may refuse technical support if you encounter difficulties, until you switch back to their original router.
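To show why double NAT breaks port forwarding and what approaches 1 and 2 above each require, here is an added example (not pfSense code) that follows an unsolicited packet from the Internet through both NAT hops. All addresses are constructed: the pfSense WAN address and the internal server are assumptions, and the model covers only address translation, not the WAN firewall rule pfSense also needs for forwarded traffic.

```python
"""Double NAT port forwarding: ISP router in front of pfSense.

Added example, not pfSense code. Addresses are constructed (RFC 1918 ranges);
only address translation is modelled, not firewall rules.
"""

PFSENSE_WAN = "192.168.0.2"   # pfSense WAN address on the ISP router's LAN (assumed)
SERVER = "192.168.1.10"       # internal host behind pfSense (assumed)


def isp_router(dst_port, forwards, dmz_host=None):
    """First NAT hop. forwards maps external port -> (inside ip, inside port).
    A DMZ host receives every port that has no explicit forward.
    Returns None when the router has nowhere to send unsolicited traffic."""
    if dst_port in forwards:
        return forwards[dst_port]
    if dmz_host is not None:
        return (dmz_host, dst_port)
    return None


def pfsense(dst_ip, dst_port, forwards):
    """Second NAT hop. Only traffic addressed to the pfSense WAN address is
    considered; forwards maps WAN port -> (LAN ip, LAN port)."""
    if dst_ip != PFSENSE_WAN:
        return None
    return forwards.get(dst_port)


def inbound_destination(dst_port, isp_forwards, pf_forwards, isp_dmz=None):
    """Follow an unsolicited Internet packet through both NAT hops and return
    the (ip, port) it finally reaches, or None if it is dropped on the way."""
    hop1 = isp_router(dst_port, isp_forwards, isp_dmz)
    if hop1 is None:
        return None
    ip, port = hop1
    return pfsense(ip, port, pf_forwards)


def approach_1(port):
    """Approach 1: the same forward configured on both routers."""
    return inbound_destination(port,
                               isp_forwards={port: (PFSENSE_WAN, port)},
                               pf_forwards={port: (SERVER, port)})


def approach_2(port):
    """Approach 2: ISP router DMZ points at pfSense; only pfSense forwards."""
    return inbound_destination(port,
                               isp_forwards={},
                               pf_forwards={port: (SERVER, port)},
                               isp_dmz=PFSENSE_WAN)


def pfsense_only(port):
    """The common mistake: forwarding on pfSense alone. The ISP router has no
    forward and no DMZ, so the packet never reaches pfSense."""
    return inbound_destination(port, isp_forwards={},
                               pf_forwards={port: (SERVER, port)})


if __name__ == "__main__":
    print("approach 1:", approach_1(443))
    print("approach 2:", approach_2(443))
    print("pfSense only:", pfsense_only(443))
```

With approach 2 the ISP router hands every unsolicited port to pfSense, so pfSense becomes the only thing filtering inbound traffic; a port that pfSense does not forward is still dropped there, as the last assertion below checks.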

pfSense is a great, powerful firewall. Once you have it set up as part of your network, there are other awesome features you can use to improve your network.

NEXT > Part 2: Setup more subnets using VLAN

This Post Has 79 Comments

  1. HI Alan, found your article is very informative and easy to follow. I have started doing the steps already. Keep the good work. cheers, Yasa

    1. Great! I am glad that it is useful and thanks for your feedback. Alan

  2. Hi Alan,

    the setup i need to main is with the following HW.
    ISP router
    PFsense FW loaded on a old laptop ( 1 on board NIC, 2 USB NICs )
    cisco 3560/ 8 port

    this is the HW i have with me.

    Any advice of how best I can secure/facilitate my network. i would like to have 3 subnets,
    kids
    guests and for myself ( my PC )

    any help is much appreciated

    regards
    Yasa

    1. Your pfSense with 3 NICs allows you to set up 2 local subnets (1 NIC [WAN] connects to the ISP router, 1 NIC for kids, 1 NIC for yourself).
      You can use the ISP router’s switch ports for guests (or ISP router’s wi-fi in isolation mode if available). Your guest connections would be outside your local subnets (blocked by pfSense).

      This seems like the most simple setup for the HW you have.

      1. Hello Alan
        Following your advice I got a Qotom unit i7 with 4 Intel NICs. My requirement is I want one NIC connected to a Wi-Fi access point to provide Internet to all devices and one NIC running OpenVPN connected to another access point, since I need sometimes to connect to the VPN network wirelessly to access sites and make VoIP calls, since they are blocked by my ISP.

        1. Hi Akil, wouldn’t running vpn for all networks be better? so that all traffic is encrypted and more secure.
          When using openvpn on pfSense, a typical setup will usually update routing table & gateway for all networks to go through vpn.

        2. Can you not run the same setup with a pfsense box with just TWO NICs (one WAN and one LAN) and have the VLANs as some sort of virtual (vs. physical) subnets, provided you have a managed switch too? what would be involved in that? At the end of the day a NIC can handle any number of subnets…

      2. Hi Alan,

        Thank you so much for this brilliant idea !
        I’ve been struggling for weeks trying to figure out an easy way to set up a Wifi guest network that would not communicate with my local network.
        I have now plugged in a Wifi access point to my ISP bridged router, and it works flawlessly !

        1. You are welcome. Glad that this helps. Cheers Alan

  3. Hi Alan. Thanks for your article.
    A couple of questions for you.

    -I didn’t understand what is for and how exactly “invert match” in Destination works

    -Which software did you use to draw the (network) pictures in the article above.
    Thanks again
    Luke

    1. “invert match” means ‘not’. In the post, it is used on a destination that is a private address. The rule will then only apply to destinations that are NOT private addresses (i.e. other subnets).
      As a result, traffic is allowed when target machine is in the Internet (with public ip addresses) but is blocked when trying to access machine on another subnet (with private ip address).

      draw.io is used for network diagrams.

      cheers. Alan

  4. Hi Alan, novice user…in the section where you set the Destination to Invert match – Single host or alias then entering Private_IPv4s. How did you get pfSense to accept that? It is not working for me because it is asking for Destination IP address. I am stuck at this section and cannot move on. Please advise

    1. Hi josh, Make sure you have created the alias (Private_IPv4s) as described at the beginning of step 4. Then you should be able to use it to create firewall rules. Also double check for any typos.

      1. Thanks Alan. It is working.
        Based on your setup, Subnet 1 has internet access and subnet 2 does not have internet access. If I want to allow subnet 2 and the sub-interface/VLANs to have internet access. Do I create rules for only Opt1 or do I need to create rules for all of the VLANs as well?

        1. You are welcome. Each VLAN should be treated as a separate subnet. So you should create rules for each VLAN based on your security requirements.

  5. How come subnet 2 on vlan 99 does not have internet access? Rules were created for subnet 2, when OPT1 was setup. Am I wrong about that rule?

    1. You should have Internet access if setup correctly. There’s a few things you can do to troubleshoot.
      1. run command ipconfig (windows or ifconfig for others) at your computer to ensure you have correct ip address (should be 192.168.99.x). If not, check pfSense config and make sure DHCP is configured correctly for OPT1
      2. run command ping 192.168.99.1 (pfSense) at your computer. You should be able to ping 192.168.99.1 successfully. If not, make sure you have firewall rule setup at OPT1 to allow OPT1-net devices to communicate with each other
      3. at pfSense, go to Diagnostics > Ping, use 8.8.8.8 as hostname, OPT1 as Source address. This is to test Internet access for interface OPT1. If failed, make sure you have firewall rule setup at OPT1 to allow Internet access.

      If all 3 tests are successful, you should be able to access Internet.

  6. Thanks, Alan. It is working.

    1. You are welcome.

  7. Alan, I am trying to block Downloads by Extension in Pfsense ex:(.exe.,mp3.,mp4,etc) using v2.4.4. I not sure how to do that. Do you have anything like that to post?

    1. Check out SquidGuard package. It enables content filtering. You can install it to pfSense at System > Package Manager.

      1. I installed the squidguard package and filtered to block extension file through regular expression. It does not seem to work for me.
        Expressions:(.*\/.*\.(exe|mp4|mp3|flv|avi|zip))

        What am I missing? Does this configuration not work for pfsense version 2.4.4?

        1. I tested using your expression and it works just fine with pfsense 2.4.4.
          Make sure you click Apply at General settings of SquidGuard and clear cache of browser when testing.

          It’s easy to setup to work with http.
          However, if you want it to also work for https, you need to do SSL/TLS MITM interception. To do that, you need to create CA and install it as trusted to all client devices.
          It’s more complicated to setup and maintain. Plus the fact that it breaks the SSL/TLS connection, not sure if it’s worth doing.

          For HTTPS, it’s much easier to setup to block domain names instead of file extensions.

          1. Alan, I installed both Squid and SquidGuard. Is that what you did to get it to block file extension or just using SquidGuard?

            I installed Squid to setup the proxy server and installed SquidGuard to filter.

          2. Yes. For Squid, enabled ‘Transparent HTTP Proxy’. ‘Real Time’ tab can confirm Squid is processing HTTP requests
            At SquidGuard

            • created rule to block URLs using expressions at Target categories
            • At Common ACL’s Target Rules list, select deny for rule just created and allow for Default access [all]
            • click Apply at General settings

            Clear browser’s cache and test.
            This works for me.

          3. I do not know what I am missing here. It is not working for me.

            Transparent HTTP Proxy
            Enable transparent mode to forward all requests for destination port 80 to the proxy server.

            @SquidGuard
            created rule name and enter regular expression rule (.*\/.*\.(exe|mp4|mp3|flv|avi|zip))
            follow the same steps as you did and it is not blocking any down file set in the url expression.

            restarting from the beginning to make sure that I am not missing anything.

          4. Not sure what went wrong but try to make 1 thing work at a time. see following troubleshooting steps:
            1. check Squid real time log to ensure http requests are proxied
            2. ensure SquidGuard is enabled
            3. enable SquidGuard log (at General settings, Common ACL & rules). check log to see any requests showed up blocked
            4. make sure URL request is HTTP, and not HTTPS
            5. try to block a domain instead of expression to see if SquidGuard works at all. Good sign if this works
            6. try use a simple expression like: .*\.com (This blocks all .com domains, e.g. http://anyname.com)
            7. if all failed, try uninstall and reinstall them again.

  8. Hi Alan,

    That’s great information, would love to see if you can add guide for VPN run from pfSense on selected VLAN (would like to run some devices on VPN)

    1. Thanks. I have a post about setting up PIA VPN with pfSense.
      It’s site-to-site VPN connection.
      To exclude a VLAN from using the VPN, simply specify the gateway to use original WAN connection (instead of Default) at the VLAN’s firewall rules

  9. Hi Alan,
    Thank you for the great guide. It is very helpful and things worked just fine when I followed yours steps.

    I would like to install Pfblocker on my pfsense but I only want it to filter ads on a specific VLAN and also on another one physical subnet. Is this possible? I assume that the way to make this work is to play with firewall rules which I am not that familiar with. Can you please help me with those rules? Below is high level of my setup

    ISP —igb0(WAN)——>Pfsense —–igb1——>LAN1 ( secure)
    |
    |———–igb2 (LAN2) and VLAN 30—-> Switch —–> Wireless Access Point on LAN2 (SSID1)
    | |
    | |———–VLAN 30 on igb2 (SSID2)
    | |
    | |———–VLAN 40 on igb2 (SSID3)
    |
    |———–igb3 (LAN3) —-> Gaming Consoles

    I would like to filter ads on VLAN 30 but NOT VLAN 40. Also I want to filter ads on LAN3.

    Thanks

    1. Sorry my drawing got mixed up after I submitted my reply.
      igb1, igb2 and igb3 are physical NIC on the Pfsense.
      igb2 goes to a VLAN aware switch (unifi switch)
      igb3 goes to a gaming console

      igb2 (LAN2) which includes VLAN 30 and VLAN 40 go to the switch which has a wireless access point connected to it
      the wireless access point broadcasts three SSIDs:
      SSID1: on LAN2
      SSID2: VLAN 30
      SSID3: VLAN 40

      1. Hi Troy,

        Each VLAN is treated as an interface (subnet).
        when you run the Pfblocker setup wizard after installing it, you can select which outbound firewall interfaces to block at IP Component Configuration screen.
        Select only the interfaces that you want blocking would do.

        cheers Alan

        1. Hi Alan,

          Thanks for replying back to me.

          I have two questions:

          1. I installed pfblocker and checked the interfaces I want to block ads on during the setup wizard but I am still seeing clients showing in pfblocker Reports that are connected to the interface that I did not select in the setup wizard.

          2. I am using DNSBL and I have my own blacklist that I added successfully but I am still seeing clients being blocked from an interface that I did not select.

          Is there an option or a setting that I should check in order to enable blocking ONLY on a specific interface or VLAN?

          Thanks again

          1. In addition to firewall rules, pfBlocker also uses DNS resolver to block domains.
            For interfaces that allow ads, the simplest way is to use a different DNS (e.g. Google’s DNS 8.8.8.8)

            So configure the DHCP server for these interfaces to use DNS 8.8.8.8 when assigning IP-addresses to devices.

  10. Alan, can zone based policies be configured on pfsense? if so, how do you go about setting up the rules for each zone?

    1. Hi Josh, pfSense is interface/subnet based, not zone based.

  11. HI Alan
    Great posts from everyone…
    Question, this might be a silly question. Can you use squidguard without installing squid?

    1. Hi Josh, Squidguard requires Squid.

  12. Hi Alan,
    Nicely explained setup here. I was under the impression I could achieve this goal of creating a separate/private network using an additional router and have that be assigned on a different subnet, however when I ping a device on my main ISP router on subnet 1, I am able to successfully ping from a device on my 2nd router/private network on subnet 2. Any ideas how I would make it private so that pings fail between these 2 different subnets – this way I feel it is private and separate. Thanks in advance

    1. If I understand your setup correctly, your additional router’s WAN port is connected to your ISP router which is subnet 1.
      For subnet 2 to access Internet, traffic must goes through WAN port, via subnet 1 to ISP router and then to the Internet.
      Therefore, subnet 1 in this setup cannot be separated from subnet 2.

      To have separate networks, you need to create subnet 3 at your additional router (that means you need 3 network ports). Then setup firewall rules for both subnet 2 & subnet 3 to only have Internet connections.
      This way, your subnet 2 & subnet 3 will be separated.

      Alan

  13. My ISP dhcp address on the wan side is 85.x.x.x, this then translates to a 192.168.0.1 on the router for use on the lan.So would i need to change this 192.168.0.1 to a total different IP (not in the above config) and then use this as my outside WAN interface, as the 85.x.x.x changes?

    1. Got it working !!

  14. Thanks for the reply Alan. Yes my additional/2nd router’s WAN port is connected to the ISP router. I wanted the ping to fail when pinging from a device on router 2 to a device on ISP router – however it succeeds. I actually reversed the test and the ping test failed when pinging from a device on ISP router to a device on the 2nd router. At this stage, I’ve achieved my goal on the “wrong” router! lol. I need the 2nd/additional router to host the private network, not the ISP router.
    I have partially understood your reply but kindly need some clarity please;
    – I don’t understand the principle of creating subnet 3? how does this help? To access internet, wouldn’t subnet 3 also require traffic to go through WAN port via subnet 1 to ISP?
    – is a Firewall (with the appropriate rules) a requirement to be able to separate the network i.e. no Firewall = no private network? Whilst I see great security benefits of having a Firewall in this instance, I did not think it was an absolute requirement to be able to create/separate a private network.
    – I read up online and several resources give me the impression that a private network can be created using 2 routers (as I have now) but amending the subnet masks. Do you have any thoughts on this idea?

    A slight deviation to the above, but I’ve looked through my 2nd router’s manual and it provides a “Guest network”. This is an Asus N66U. It seems that I could achieve my goal by allowing “un-trusted” users to connect to the guest network (as opposed to configuring Routers and/or a firewall).

    The goal is to have a private network which if infected with a virus does not affect my main network. Additionally to prevent access to sensitive/private files as alluded in your article. Thanks in advance for any guidance. Ty

    1. I picture your setup like this:

      Internet — ISP Router — Subnet 1 — Router 2 — Subnet 2

      As you can see, for devices at subnet 2 to access the Internet, it must pass through subnet 1. Therefore, subnet 1 has to allow traffic from subnet 2 and cannot be a separate private network.
      In order to have several private networks, your options are:

      Internet -- ISP Router -- Subnet 1
                             -- Subnet 2
      
      or
      
      Internet -- ISP Router -- Subnet 1 -- Router 2 -- Subnet 2
                                                     -- Subnet 3
      

      (in this case, subnet 2 & 3 are private, subnet 1 is not private)

      It also depends on the routers you have if they can support the said capabilities.

  15. Hi Alan, would you recommend or how to configure putting a Cisco router behind pfSense? what would the configuration look like on both devices?

    1. For home use, you don’t really need a Cisco router to run behind pfSense.
      But if you have an extra Cisco router lying around, you can always use it as part of your homelab.

  16. Hey Alan, thank you so much for writing all of this out. It has been extremely helpful. One question that I haven’t found a specific answer to:

    I have a mac mini I use as a home file server and a plex server. Devices across a couple VLANs will need access. Which VLAN should I put that on, following your model/which rules would I put in place to make it available both home and remotely? Thanks again!

    1. Assuming data wouldn’t require strong protection, you can consider putting your mac mini at printer vlan where other vlans have access to.
      Then setup firewall rules for each vlan that you want to allow access to the printer vlan.
      For accessing remotely, you can setup openvpn server at pfSense and configure firewall rule for openvpn interface to access printer vlan.

      cheers Alan

  17. Alan, I have a HTPC setup using a Windows 7 PC (for Windows Media Center program [WMC], EPG program guide, and recorded programs), a SiliconDust 2 channel TV tuner, and a main tv/monitor for viewing recorded or live broadcast and internet tv, e.g., Netflix. Of course there is a router and a modem for internet service (not cable tv programming). Other computers are on the home LAN but are not used for tv viewing, just internet.

    With the vulnerabilities Win 7 has, which are likely to grow in the future, I’d like to separate the Win 7 PC with its WMC program and harddrive from the rest of the home lan. But I’d like to continue to use its TV as our main and only TV connected to Win 7 and its WMC program. Is this an achievable outcome if I become familiar with the pfSense firewall system?

    1. Based on your description, your HTPC & TV/Monitor will reside on 1 subnet (separated). Your other computers will reside on another subnet (home LAN).
      You can achieve this using pfSense firewall with 3 network ports (1 port for HTPC subnet, 1 port for home LAN and 1 port for ISP router)

      Alan

  18. RE: My 3 Subnet Plan
    IoT Only – wired and wireless (Wife and Kids devices who are less careful with security)
    Internet and LAN access for some devices only – wired and wireless (My devices)
    PoE devices (IP cameras wired for both power and data; AND RING cameras that’ll be powered over CAT5e and data through 2.4Ghz Wi-Fi Access Point).

    RE: Physical Subnet vs VLANs
    I have a Qotom i5, 8GB w/ 4 LAN ports and am new to networking. What’s the easiest path to get setup? Only use 2 ports (WAN, LAN, leave the other 2 unused) and create multiple VLANs for the LAN? Or use 3 physical sub-nets for the LAN? Is there a performance hit of going physical vs VLAN subnets? How does Intrusion Protection and other security/encryption features impact all of the above?

    RE: Unmanaged or Managed Switches? Brands?
    Is it recommended to have a dedicated physical switches for Outdoor (sheltered 8.5 to 9 ft above the ground) PoE cameras, In-door PoE cameras and in-door Wi-Fi Access Points, and switch for everything else in the house? What’s recommended for all of the above, Unmanaged? Managed? Brand? I’m seeing Unifi switches recommended for ease of use, but at the same time, I see people complaining it’s a forever beta product?

    1. The easiest path is to use all 4 ports, creating 3 physical subnets so you can skip all the VLANs setup. The drawback is that you need separate WiFi access point for each subnet.
      VLAN traffic adds a small tag in the packet so it would increase processing time for sure but in general there won’t be significant performance hit so I wouldn’t worry about it.

      Unmanaged switches do not support VLANs, so a managed switch is needed if you would use VLANs, or to give you the flexibility to configure VLANs in the future.
      If your outdoor switch location could be exposed to environmental (temperature, humidity, etc.) variation or physical access by outsiders, it would be better to have a dedicated switch for outdoors.

      I typically research devices based on functionality and review Amazon ratings/reviews to determine best device for my needs.
      I don’t have any Unifi switch but own a Unifi Pro Access Point for WiFi VLAN support.
      I did have a little hiccup working with its required software to configure the access point. But once configured successfully, it's working and serving me well for my WiFi connections.

  19. Hey Alan –

    You are a godsend. Appreciate the walkthrough

    1. Thanks. Great that it helps.

  20. Hi Alan, can I create a similar configuration and skip the pfSense firewall… i.e. FIOS ONT —> gigabit wired router that supports VLANs —> L2 switch and create the VLANs from there —–> wireless AP or wireless router in AP mode.

    1. That would do if all you need is VLAN support.

  21. Many thanks Alan! Very clear steps. Following the steps, I set up two subnets on Qotom mini PC smoothly.

    LAN: 192.168.29.1/24
    OPT1: 192.168.99.1/24

    I have a further question. How do I allow computers in LAN to access computers in OPT1? In the OPT1 interface firewall rules, I already have a pass rule set up from LAN to OPT1. Do I also need to set up a route for it?

    1. The firewall rules should be set at the LAN interface, not the OPT1 interface, for devices in LAN to access devices in OPT1.

      cheers Alan

      1. Hi, I have a similar issue … 6 port mini PC, 1 WAN, 5 LAN ports. (Figure 2: Home network with subnets)
        I was able to create 2 bridges (opt5, opt6), opt5=Subnet1(Lan+opt1+opt2) 192.168.100.0/24, opt6=Subnet2(opt3+opt4) 192.168.200.0/24. Following your instructions, it's looking beautiful.
        Thanks Alan!!!!
        Need someone's help!!
        Printer and NAS in Subnet2, not able to access from Subnet1. Firewall Rule opt5(Subnet1), interface: Subnet1
        Address: v4+v6, Protocol: any, Source: Subnet1 net, Destination: Subnet2

  22. Hey Alan,
    I am in over my head with trying to revamp my network all at once, but circumstances are the driving force. My setup was: Edge Router X (Main & Firewall) with Netgear WNDR330 (DD-WRT) as my wireless AP on port 1 of the Edge Router X. Port 2 went to D-Link 16-Port Gigabit Switch (DGS-1016A) and everything was wired from it. All wireless of course went thru the DD-WRT AP.
    The Edge router keeps dropping the Admin password and I am replacing it with a Netgate SG-2100 BASE pfSense+ Security Gateway. I had added a UniFi_AP-Pro_AP to replace the DD-WRT AP, but it has also started dropping wireless clients and will not accept my Access Key to add items back in (my iPhone and my wife's Macbook Air (which are the main items), her iPhone and the Alexa are connected and work fine). So I am replacing the UniFi_AP-Pro_AP with a NETGEAR Wireless AP (WAX610PA) – WiFi 6 Dual-Band AX1800. I also picked up a NETGEAR 8-Port Gigabit Ethernet Unmanaged PoE Switch (GS308P), to go with my D-Link 16-Port Gigabit Switch (DGS-1016A) which is in place. After reading this "Protect home network using subnets with pfSense" and ordering the new items, I am looking at setting up VLANs to segregate things as you suggest.
    I have been reading the guide on setting up firewall rules in pfSense but am not grasping it, as I have never worked with these; (sheltered) my firewall was created and handled by my supervisor (due to my working remotely and security requirements). Now that I have fully retired I no longer have that support and am trying to set up and run my little network for my family (Daughter and many Adult grandkids + Great Grandkids) to allow remote access to my media-center.

    I realize I am asking a lot here and do not expect you to become my support service, but I could really use some help and step-by-step guidance on setting up the pfSense firewall and OpenVPN.
    Or if you can point me to somewhere that I can get more layman step-by-step guidance. I would really appreciate it.
    • The guidance in your post (s)
    • Part 1: Create initial subnets using pfSense firewall
    • Part 2: Setup more subnets using VLANs
    • Part 3: Setup Wi-Fi subnets using VLANs
    is exceptionally informative and I will be using them to set up the VLANs I am looking at.
    Thank you for these and for your assistance.
    Butch

    1. Your Netgate SG-2100 has 4 network ports that would allow you to experiment and test out config.
      I would suggest using 1/2 ports to set up your network using pfSense for regular use (without VLANs). Then use the remaining ports to test out the VLAN setup discussed in the posts.
      Once the VLANs are working, you can then switch your devices over.
      pfSense governs network traffic based on which interface the traffic is coming in from.
      So if traffic arrives at pfSense from the LAN interface, you define rules at the LAN interface.

      Cheers, Alan

  23. I followed your instructions, except that I changed the aliases for 172 from 12 to 16, and 192 from 16 to 24. There's an issue though. When I change my computer's ethernet connection from a switch on 10.0.0.0/27 to another switch connected to the OPT port — hooked in as a subnet 10.0.0.32/27 — I get the correct IP from the DHCP, but it gives my computer a DNS IP of the "router" IP: it configures my computer with a .34 IP and the 2nd subnet's .33 address for DNS, which won't resolve internet hosts. I have to manually configure my computer to use my ISP DNS. It will work then, but I would like for it to use unbound's caching server and pick up resolution as it does on the LAN int @ .1 sub 1.

    Any fixes for this to try? I'm looking too.

    1. By default, pfSense's DHCP will use pfSense's IP address as the DNS IP. You can enable the DNS forwarder or resolver and then pfSense should be able to resolve Internet hosts.
      If you want to use ISP DNS instead, you can configure pfSense’s DHCP to pass your ISP DNS when assigning IP addresses.

  24. hi Alan:

    I found your article about home networks very helpful. Thanks a lot.

    I just started to look into more information about home network security. I have a QNAP NAS with my life record in it and I'm lucky I didn't get hit by Qlocker. Your article provides a very good example plan to keep my NAS safe at home.

  25. Dear Alan,
    By far the most comprehensive guide I have found yet.

    One thing I can’t figure is:

    If your pfSense is at 192.168.1.1 then what are:
    192.168.0.0
    10.0.0.0
    172.16.0.0

    I’d like to understand what this is because actually (before setting up the VLANs), my pfSense is at 10.0.0.1 and connected directly in to the ISP modem.

    Thanks

    1. These are private network IDs. All IP addresses within these network IDs are used in local networks that use NAT (Network Address Translation).
      IP addresses on the Internet are called public IP addresses.
      Private IP addresses can only be used in local networks and are not routable through the Internet.

      1. Thanks. While my comment was awaiting moderation, I found those Private IP ranges on Wikipedia. RFC 1918

  26. Dear Alan

    Most comprehensive guide I found. Thank you!!!

    If I refer to figure 3, my most secure computer that would go in subnet 1 is my TrueNAS server.
    In this server, I have:
    – NAS
    – a VM running a music server (dbPoweramp Asset)
    – a Jail running a video server (Emby)

    Each of these three has its own IP over a single ethernet NIC.
    The server has another NIC that is not in use at the moment.

    The server is downstairs and fed by a single CAT6 going through an unmanaged switch from which there are:
    – TrueNAS server
    – 2 cameras
    – a wifi access point set in the garage 20m away from the locker room.

    The greatest security concern must be the AP.

    Unless fishing another CAT6 cable downstairs, how would you put this to safety other than replacing the unmanaged switch with a smart one?

    Thanks

    Nicolas

    1. Here is a picture of my actual setup.

      I have only one subnet as the smart switch was received earlier this box.
      The semi transparent boxes show devices in the same physical location.

      Any suggestion on granularity would be appreciated.
      https://imgur.com/nyAK0Xh

      1. Hi Nicolas,

        According to your setup, I would say the best way is to replace your unmanaged switch with a smart switch.

        Alan

    2. The goal is to separate your TrueNAS from other devices.
      Therefore, your cameras and Wi-Fi access point should be on different VLANs or different subnet.
      In addition to what you have mentioned, you can also use a Wi-Fi extender or mesh so your AP can connect directly to your pfSense.

      1. Thanks again

  27. I truly wanted to type a small comment in order to express gratitude to you for all of the splendid tips you are showing here. My time intensive internet search has at the end of the day been paid with reliable facts and strategies to exchange with my close friends. I'd express that many of us site visitors actually are undeniably lucky to be in a fabulous site with many special individuals with very helpful solutions. I feel somewhat lucky to have discovered your entire web site and look forward to so many more amazing moments reading here. Thank you again for everything.

  28. This is an amazing guide. The only unclear thing for me as someone new to networking is when we get to Step 4/creating the firewall alias. I've got two questions:

    1) Assuming that the entry 192.168.0.0 / 16 represents subnet 2 (OPT1), and that the entry 172.16.0.0 / 12 represents subnet 1 (LAN), then what is the purpose of the entry 10.0.0.0 / 8?
    2) I was expecting the network entries to have 3 octets specified (i.e. 192.168.99.0). Can you explain why the entries only have the last 2 octets as 0?

    Thank you.

    1. These are all the private IP address ranges available that you can use to define your subnets.
      Typical use, like you said, uses 3 octets as the network ID.
      So, using 192.168.0.0/16 as an example, you can define a subnet 192.168.1.0/24 (valid IPs from 192.168.1.1 – 192.168.1.254).
      Similarly, you can define another subnet 192.168.2.0/24, 192.168.3.0/24 and so on.
      All these example subnets fall within 192.168.0.0/16 which is considered as private IP addresses.

      The 3 different private IP address ranges give you options to define your subnets. You don't need to use them all.
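The alias questions in comments 25 and 28 and the "rules go on the ingress interface" point from comments 21 and 22 can be tried out with this added Python example, which is not code from the post or its author. The rule table is a constructed assumption modelled on the block-private-networks, allow-Internet pattern; the subnets are the ones quoted in the comments, and 203.0.113.10 is a documentation address standing in for an Internet host.

```python
import ipaddress

# The three alias entries discussed in comment 28: the RFC 1918 private ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

def is_private(cidr):
    """True if the whole subnet falls inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETWORKS)

def usable_hosts(cidr):
    """(first host, last host, count) with network and broadcast excluded."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)

# Constructed rule table keyed by the ingress interface (assumption: first
# match wins, as for pfSense interface rules; unmatched traffic is denied).
# OPT1 (subnet 2) may reach the Internet but not the private subnets;
# LAN (subnet 1) may reach anything, including OPT1.
RULES = {
    "OPT1": [("block", PRIVATE_NETWORKS), ("pass", [ANY])],
    "LAN": [("pass", [ANY])],
}

def evaluate(ingress_iface, dst_ip):
    """Action the rules on the ingress interface would take for dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    for action, targets in RULES.get(ingress_iface, []):
        if any(dst in t for t in targets):
            return action
    return "block"  # implicit default deny when nothing matches

if __name__ == "__main__":
    # 192.168.29.0/24 and 10.0.0.32/27 are subnets quoted in the comments;
    # 172.32.0.0/16 lies just past the end of 172.16.0.0/12.
    for cidr in ("192.168.29.0/24", "10.0.0.32/27", "172.32.0.0/16"):
        label = "private" if is_private(cidr) else "NOT private"
        print(cidr, label, usable_hosts(cidr))
    print("OPT1 -> 192.168.29.5:", evaluate("OPT1", "192.168.29.5"))    # block
    print("OPT1 -> 203.0.113.10:", evaluate("OPT1", "203.0.113.10"))    # pass
    print("LAN  -> 192.168.99.10:", evaluate("LAN", "192.168.99.10"))   # pass
```

Note that a pass rule placed on OPT1 does nothing for traffic that enters pfSense on LAN; only the rules of the interface the packet arrives on are consulted.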

  29. Hi Alan

    You just saved me a lot of time, thank you!

    I'm setting up a pfSense router with 100+ VLANs, each having their own 10.0.X.0/24 subnet, so this is going to be very helpful in simplifying the firewall rules for each interface.

  30. Hi Alan. Thank you for writing this. As someone new to pfSense I find your guide most informative.

    I’m running pfSense in an old desktop with 1 WAN and 1 LAN.

    Can you please confirm whether I am to apply the steps in the section “Configure subnet 2 using 3rd network interface” to the LAN interface?

    1. You can skip subnet 2 as your device only has 2 ports.
      Subnet 2 can be configured if you have a 3rd network interface card.
