You can better protect your home network, your sensitive data & activities by separating your home network into sub-networks (subnets).

A typical home network is a single, simple network that allows connections (wired or wireless) from all computers, mobile devices, peripheral devices and Internet-enabled devices such as Internet of Things (IoT) devices.

Figure 1: Typical home network

Risks of a single home network?

If any one device is compromised or infected with malware, the attacker may be able to spread malware or compromise your other devices.

The attacker may also be able to sniff and eavesdrop on your network traffic to steal your critical personal information (e.g. login credentials).

Attacks do not necessarily start at your most important devices. In fact, they usually start with the devices that have the weakest security protection. Once attackers get a foothold on one device, they can work their way to your other devices within the same network.

Your devices could be infected in several ways:

Internet of Things (IoT)

More and more devices, appliances and innovative things are Internet connected. But not all of them are created equal. Some could have very weak security protection or even no security protection.

These devices could be of high risk to your network.

However, they will only grow in popularity. Incorporating IoT into your home network is just a matter of time, if it has not already started. Therefore, it’s best to restructure your home network to accommodate them.

Devices that lack firmware updates

Peripheral devices like printers, or simple network devices like hubs or switches, usually don’t receive many firmware updates from the manufacturer. If these devices have vulnerabilities, an attacker could take advantage of them to gain access.

Devices that have outdated firmware

From time to time, vulnerabilities are found in a particular device (e.g. a router) and the manufacturer may provide firmware updates to fix them.

However, if a device’s firmware is not kept up to date in a timely fashion, the device could become an attack target.

Wi-Fi hacking

Wi-Fi access is becoming a must-have for every home network. Because of its wireless nature, an attacker does not need to be inside your home to attack it.

Mobile devices joining untrusted networks

It’s typical to use public networks for Internet access when we are on the go. But these open public hotspots also carry the risk of getting your cell phone or laptop infected.

And when you bring your infected mobile device home, attackers now have a foothold in your network.

Phishing or malicious websites

And of course, if we are not careful about our Internet activities, our computers can be infected by malware through phishing or accessing some malicious websites.

Multiple users / family members

Your home network is most likely used by your family members, kids, relatives, friends and guests. For some you simply don’t have control over their devices. And it’s hard to know if their devices are infected or not. This would also pose a security risk to your home network.

Separate home network into multiple subnets

You can minimize these risks by dividing your single network into multiple sub-networks.

Typically, devices in one subnet do not have access to another subnet. Therefore, the risk from a compromised device is limited to a single subnet: it cannot spread to or access devices on other subnets.

By carefully grouping and dividing your devices into different subnets, you can best protect your important data and online activities (e.g. online banking).

Figure 2: Home network with subnets

The above network diagram is an example of a home network using subnets.

  • subnet 1: This is the most important sub-network to protect. Devices and computers here are used to store your most important data and perform your most important online activities. Any potentially risky activities should be avoided in this sub-network.
  • subnet 2: Wired devices or computers where you may perform more risky activities like browsing unknown websites, checking emails with links and attachments. Any malware infection or malicious website attacks will be restrained within this sub-network and would not affect subnet 1.
  • subnet 3: Peripheral devices like printers that don’t get firmware updates or have outdated firmware. These devices typically don’t need Internet access. Therefore, devices in this sub-network can be restricted to NO network access to eliminate their exposure.
  • subnet 4: Similar to subnet 2 but is dedicated for gaming devices/consoles.
  • subnet 5: Mobile devices that may be used to connect to other untrusted networks (e.g. public open Wi-Fi hotspots).
  • subnet 6: A sub-network dedicated for IoT to provide them Internet access but NOT access to your other devices.
  • subnet 7: A guest sub-network for your friends and visitors. Similar to subnet 6, they only need Internet access.

How to implement subnets?

It could be overwhelming to restructure the whole home network all at once. But we can do it step by step.

Create physical subnets using pfSense firewall

The very first step is to incorporate a feature-packed network firewall as the cornerstone of setting up subnets for the home network.

A firewall requires a minimum of 2 network interfaces: 1 for connecting to the WAN and 1 for connecting to the LAN (internal home network). Each extra network interface allows the firewall to create an additional physical sub-network. Therefore, a firewall with 3 network interfaces allows you to create 2 physical subnets.

Figure 3: 2 subnets using pfSense firewall

pfSense firewall is recommended.

pfSense (Community Edition) is a free, open source firewall used by many. You can purchase NetGate’s official pre-configured pfSense appliances.

Or you can download the latest stable version at and install it to a compatible hardware device (e.g. mini pc).

Recommended hardware

  • Multiple cores CPU at 2.0GHz+
  • 4GB+ RAM
  • 10GB+ Hard drive space
  • 3 or more Intel PCI-e NICs
  • for future compatibility (pfSense v2.5+), CPU requires AES-NI encryption support

For a good mini PC, check out the Qotom Q330G4 with 4 NICs. This would allow you to set up 3 physical subnets. I have been using an older version of the Qotom mini PC, running the pfSense firewall, for a couple of years without problems.

Subnet access control

With pfSense firewall rules, you have the flexibility of defining how devices within a subnet can access other resources, for example:

  • access only devices within the same subnet.
  • Internet access only.
  • access devices on a different subnet.
  • combination of the above rules.

As shown in figure 3, with the appropriate firewall rules defined, we can limit devices in subnet 2 to Internet access, with no access to any devices in subnet 1.

And for devices (secure desktop) in subnet 1, we can allow them access to devices in subnet 2 so that print jobs can be sent to the printer in subnet 2.

Installing pfSense

Follow the guide to install pfSense using a USB flash drive to complete the initial installation and setup.

A typical pfSense installation uses 2 network interfaces, one for Internet access (WAN interface), one for local network (LAN interface).

The default access control for the LAN interface is full access. That is, devices on the LAN interface have Internet access and can access devices in all subnets that you may create later. So you can use this LAN interface as subnet 1.

Configure subnet 2 using 3rd network interface

Once you have successfully installed pfSense with 1 WAN and 1 LAN interface, use the pfSense web GUI and follow the steps below to set up the third network interface as subnet 2 with Internet access ONLY.

Step 1: create the 3rd interface

  1. go to Interfaces > Assignments
  2. at Available network ports, an available (unassigned) NIC should be selected automatically
  3. click Add

A new interface with the default name ‘OPT1’ is created.

Step 2: Enable new interface and assign a private static IPv4 address

  • Click on OPT1 to configure the interface
  1. check the Enable interface checkbox
  2. select Static IPv4 for IPv4 Configuration Type
  3. Go to section Static IPv4 Configuration, enter for IPv4 address. This would be the IP address for this firewall to serve as the gateway for this subnet
  4. click Save, then Apply Changes

Step 3: Setup DHCP server for OPT1 to automatically assign IP addresses to devices

  1. go to Services > DHCP Server > OPT1
  2. check the Enable DHCP server on OPT1 interface checkbox
  3. for Range, specify a range of IP addresses that can be used for automatic assignment (e.g. from to
  4. click Save near the end of the page.

Step 4: Setup firewall rules to allow Internet access only

Other than the LAN interface automatically created by pfSense installation, all new interfaces created manually will have no access to anything by default.

Before defining the actual firewall rules, we will first create an IP alias to represent all the private IP addresses (used by all private subnets).

  1. go to Firewall > Aliases > IP
  2. click Add
  3. enter ‘Private_IPv4s’ as Name
  4. select Network(s) as Type
  5. add following 3 networks:
    • enter / 16
    • click Add Network and enter / 8
    • click Add Network and enter / 12
  6. click Save then Apply Changes

Now let’s create firewall rules (we will create 2 rules):

First rule: devices within the same subnet can communicate with each other

  1. go to Firewall > Rules > OPT1
  2. click Add button to create 1st rule (allow access to other devices within the same subnet)
  3. for Address Family, select IPv4+IPv6
  4. for Protocol, select Any
  5. for both Source and Destination, select OPT1 net
  6. for Description, enter ‘allow access within subnet’
  7. click Save

Second rule: allow Internet access

  1. click Add button again to create 2nd rule (allow Internet access)
  2. for Address Family, select IPv4+IPv6
  3. for Protocol, select Any
  4. for Source, select OPT1 net
  5. for Destination,
    • check Invert match checkbox
    • select Single host or alias
    • then type ‘Private_IPv4s’ as the Destination Address
  6. for Description, enter ‘allow Internet access’
  7. click Save, then Apply Changes

Now you can use this OPT1 interface for subnet 2. With these 2 rules, devices within subnet 2 can communicate with each other and access Internet. However, they won’t be able to access subnet 1.
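
The two OPT1 rules above, modelled as an added example (not code from the original post or from pfSense): a first-match evaluator showing how the inverted ‘Private_IPv4s’ destination separates Internet traffic from other local subnets. It assumes the alias holds the three RFC 1918 ranges and uses constructed IPv4 addresses (192.168.20.0/24 for subnet 2, 192.168.1.0/24 for subnet 1, 192.168.0.1 for the ISP router).

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the alias holds the three RFC 1918 private ranges.
PRIVATE_IPV4S = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# Constructed addressing (not from the article).
OPT1_NET = ipaddress.ip_network("192.168.20.0/24")   # subnet 2

@dataclass
class PassRule:
    description: str
    source: list
    destination: list
    invert_dst: bool = False      # the "Invert match" checkbox

    def matches(self, src, dst):
        in_src = any(src in net for net in self.source)
        in_dst = any(dst in net for net in self.destination)
        return in_src and (in_dst != self.invert_dst)

# The two rules from Step 4, in the order they appear on the OPT1 tab.
OPT1_RULES = [
    PassRule("allow access within subnet", [OPT1_NET], [OPT1_NET]),
    PassRule("allow Internet access", [OPT1_NET], PRIVATE_IPV4S, invert_dst=True),
]

def evaluate(rules, src, dst):
    """First matching pass rule wins; no match means the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.description
    return "default deny"

if __name__ == "__main__":
    client = "192.168.20.50"      # constructed device on subnet 2
    flows = {
        "printer on subnet 2": "192.168.20.60",
        "firewall's OPT1 gateway address": "192.168.20.1",
        "secure desktop on subnet 1": "192.168.1.10",
        "ISP router LAN (double NAT)": "192.168.0.1",
        "public web server": "203.0.113.10",
    }
    for label, dst in flows.items():
        print(f"{label:34} {dst:15} -> {evaluate(OPT1_RULES, client, dst)}")
```

Two things the output makes visible: the first rule also matches the firewall's own OPT1 address, because ‘OPT1 net’ covers the whole interface subnet, and in a double NAT setup the ISP router's LAN address is a private destination, so subnet 2 devices cannot reach it directly even though their Internet traffic passes through it.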


Notes about double NATs

pfSense firewall also serves as a router. When you have 2 routers (ISP router and pfSense) in a network, that creates double NATs.

Simply put, it works completely fine for general Internet use like browsing, emails, cell phones & most gaming.

However, it may cause problems when some services you use require port forwarding. If you don’t need port forwarding, you probably won’t find any issues.

Port forwarding

Approach 1: If you do need port forwarding, the easiest approach is to configure port forwarding on both ISP Router and pfSense firewall.

Approach 2: Configure the ISP router to use a DMZ address that points to the pfSense firewall. For this approach, you only need to configure port forwarding at the pfSense firewall.

Approach 3: Use some more advanced techniques (out of scope for this post), including bridging the ISP router or replacing the ISP router completely by connecting the Internet connection directly to the pfSense firewall. However, take the following into consideration, especially when this is your first time setting up a pfSense firewall:

  • require more in-depth knowledge in networking.
  • most likely require involvement of technical support from the ISP provider to reset the connection. This could be frustrating and time consuming when you have to do it back and forth multiple times.
  • some functionalities could be lost if the service provider also offers TV/Phone service through the ISP provided router.
  • the ISP provider may refuse technical support if you encounter difficulties, until you switch back to their original ISP provided router.

pfSense is a great, powerful firewall. Once you have it set up as part of your network, there are other awesome features you can use to improve your network.

NEXT > Part 2: Setup more subnets using VLAN

This Post Has 8 Comments

  1. Hi Alan, found your article very informative and easy to follow. I have started doing the steps already. Keep up the good work. Cheers, Yasa

    1. Great! I am glad that it is useful and thanks for your feedback. Alan

  2. Hi Alan,

    The setup I need to main is with the following HW.
    ISP router
    pfSense FW loaded on an old laptop (1 on-board NIC, 2 USB NICs)
    Cisco 3560 / 8 port

    This is the HW I have with me.

    Any advice on how best I can secure/facilitate my network? I would like to have 3 subnets,
    guests and for myself (my PC).

    Any help is much appreciated.


    1. Your pfSense with 3 NICs allows you to set up 2 local subnets (1 NIC [WAN] connects to ISP router, 1 NIC for kids, 1 NIC for yourself).
      You can use the ISP router’s switch ports for guests (or ISP router’s wi-fi in isolation mode if available). Your guest connections would be outside your local subnets (blocked by pfSense).

      This seems like the most simple setup for the HW you have.

      1. Hello Alan
        Following your advice I got a Qotom unit (i7) with 4 Intel NICs. My requirement is that I want one NIC connected to a Wi-Fi access point to provide Internet to all devices, and one NIC running OpenVPN connected to another access point, since I sometimes need to connect to the VPN network wirelessly to access sites and make VoIP calls, since they are blocked by my ISP.

        1. Hi Akil, wouldn’t running VPN for all networks be better? So that all traffic is encrypted and more secure.
          When using OpenVPN on pfSense, a typical setup will usually update the routing table & gateway for all networks to go through the VPN.

  3. Hi Alan. Thanks for your article.
    A couple of questions for you.

    - I didn’t understand what “invert match” in Destination is for and how exactly it works.

    - Which software did you use to draw the (network) pictures in the article above?
    Thanks again

    1. “invert match” means ‘not’. In the post, it is used on a destination that is a private address. The rule will then only apply to a destination that is NOT a private address (i.e. other subnets).
      As a result, traffic is allowed when target machine is in the Internet (with public ip addresses) but is blocked when trying to access machine on another subnet (with private ip address). is used for network diagrams.

      cheers. Alan
