You can better protect your home network, your sensitive data & activities by separating your home network into sub-networks (subnets).

A typical home network is a single flat network: one network that accepts connections (wired or wireless) from all of your computers, mobile devices, peripheral devices and Internet enabled devices such as Internet of Things (IoT) devices.

Figure 1: Typical home network

Risks of a single home network?

If any one device is compromised or infected with malware, the attacker may be able to spread malware or compromise your other devices.

The attacker may also be able to sniff and eavesdrop on your network traffic to steal critical personal information (e.g. login credentials).

Attacks do not necessarily start at your most important devices. In fact, they usually start with the devices that have the weakest security protection. Once the attacker has a foothold on one device, they can work their way to your other devices within the same network.

Your devices could be infected in several ways:

Internet of Things (IoT)

More and more devices, appliances and innovative things are Internet connected. But not all of them are created equal. Some could have very weak security protection or even no security protection.

These devices could be of high risk to your network.

However, they will only grow in popularity. Adding IoT devices to your home network is just a matter of time, if it has not already started. Therefore, it’s best to restructure your home network to accommodate them.

Devices that lack firmware updates

Peripheral devices like printers, or simple network devices like hubs and switches, usually don’t receive many firmware updates from the manufacturer. If these devices have vulnerabilities, an attacker could take advantage of them to gain access to the devices.

Devices that have outdated firmware

From time to time, vulnerabilities are found in a particular device (e.g. a router) and the manufacturer may provide firmware updates to fix them.

However, if the firmware of these devices is not kept up to date in a timely fashion, they could become an attack target.

Wi-Fi hacking

Wi-Fi access is becoming a must have for every home network. Because of its wireless nature, an attacker does not need to be inside your home to perform their attacks.

Mobile devices joining untrusted networks

It’s typical that we use public networks for Internet access when we are on the go. But these open public hotspots also carry the risk of getting your cell phone or laptop infected.

And when you bring your infected mobile device home, attackers now have a foothold in your network.

Phishing or malicious websites

And of course, if we are not careful about our Internet activities, our computers can be infected by malware through phishing or accessing some malicious websites.

Multiple users / family members

Your home network is most likely used by your family members, kids, relatives, friends and guests. For some of them you simply don’t have control over their devices, and it’s hard to know whether their devices are infected or not. This also poses a security risk to your home network.

Separate home network into multiple subnets

You can minimize these risks by dividing your single network into multiple sub-networks.

Typically, devices in one subnet do not have access to another subnet. Therefore, the damage from a compromised device is limited to a single subnet, and the compromise cannot spread to, or access, devices on other subnets.

By carefully grouping and dividing your devices into different subnets, you can best protect your important data and online activities (e.g. online banking).

Figure 2: Home network with subnets

The above network diagram is an example of a home network using subnets.

  • subnet 1: This is the most important sub-network to protect. Devices and computers here are used to store your most important data and perform your most important online activities. Any potential risky activities should be avoided in this sub-network.
  • subnet 2: Wired devices or computers where you may perform more risky activities like browsing unknown websites, checking emails with links and attachments. Any malware infection or malicious website attacks will be restrained within this sub-network and would not affect subnet 1.
  • subnet 3: Peripheral devices like printers that don’t get firmware updates or have outdated firmware. These devices typically don’t need Internet access. Therefore, devices in this sub-network can be restricted to NO network access to eliminate their exposure.
  • subnet 4: Similar to subnet 2 but is dedicated for gaming devices/consoles.
  • subnet 5: Mobile devices that may also be used to connect to other untrusted networks (e.g. public open Wi-Fi hotspots).
  • subnet 6: A sub-network dedicated for IoT to provide them Internet access but NOT access to your other devices.
  • subnet 7: A guest sub-network for your friends and visitors. Similar to subnet 6, they only need Internet access.

How to implement subnets?

It could be overwhelming to restructure the whole home network all at once. But we can do it step by step.

Create physical subnets using pfSense firewall

The very first step is to incorporate a feature packed network firewall as the cornerstone of setting up subnets for the home network.

A firewall requires a minimum of 2 network interfaces: 1 for connecting to the WAN and 1 for connecting to the LAN (internal home network). Each extra network interface allows the firewall to create an additional physical sub-network. Therefore, a firewall with 3 network interfaces allows you to create 2 physical subnets.

Figure 3: 2 subnets using pfSense firewall

pfSense firewall is recommended.

pfSense (Community Edition) is a free, open source firewall used by many. You can purchase NetGate’s official pre-configured pfSense appliances.

Or you can download the latest stable version at pfsense.org and install it to a compatible hardware device (e.g. mini pc).

Recommended hardware

  • Multi-core CPU at 2.0GHz+
  • 4GB+ RAM
  • 10GB+ hard drive space
  • 3 or more Intel PCI-e NICs
  • for future compatibility (pfSense v2.5+), the CPU must support AES-NI encryption

For a good mini PC, check out the Qotom Q330G4 with 4 NICs. This would allow you to set up 3 physical subnets. I have been using an older version of the Qotom mini PC, running pfSense firewall, for a couple of years without problems.

Subnet access control

With pfSense firewall rules, you have the flexibility of defining how devices within a subnet can access other resources, for example:

  • access only devices within the same subnet.
  • Internet access only.
  • access devices on a different subnet.
  • combination of the above rules.

As shown in figure 3, with the appropriate firewall rules defined, we can limit devices in subnet 2 to Internet access only, with no access to any devices in subnet 1.

And for devices (the secure desktop) in subnet 1, we can allow access to devices in subnet 2 so that print jobs can be sent to the printer in subnet 2.

Installing pfSense

Follow the guide to install pfSense using a USB flash drive to complete the initial installation and setup.

A typical pfSense installation uses 2 network interfaces: one for Internet access (the WAN interface) and one for the local network (the LAN interface).

The default access control for the LAN interface is full access. That is, devices on the LAN interface have Internet access and can access devices in all subnets that you may create later. So you can use this LAN interface as subnet 1.

Configure subnet 2 using 3rd network interface

Once you have successfully installed pfSense with 1 WAN and 1 LAN interface, use the pfSense web GUI and follow the steps below to set up the third network interface as subnet 2 with Internet access ONLY.

Step 1: create the 3rd interface

  1. go to Interfaces > Assignments
  2. at Available network ports, an available (unassigned) NIC should be selected automatically
  3. click Add

A new interface, named ‘OPT1’ by default, will be created.

Step 2: Enable new interface and assign a private static IPv4 address

  1. click on OPT1 to configure the interface
  2. check the Enable interface checkbox
  3. select Static IPv4 for IPv4 Configuration Type
  4. go to the Static IPv4 Configuration section and enter 192.168.99.1/24 for IPv4 address. This will be the firewall’s IP address on this subnet, which serves as the gateway for the subnet’s devices
  5. click Save, then Apply Changes

Step 3: Set up the DHCP server for OPT1 to automatically assign IP addresses to devices

  1. go to Services > DHCP Server > OPT1
  2. check the Enable DHCP server on OPT1 interface checkbox
  3. for Range, specify a range of IP addresses that can be used for automatic assignment (e.g. from 192.168.99.201 to 192.168.99.254)
  4. click Save near the end of the page.

Step 4: Set up firewall rules to allow Internet access only

Other than the LAN interface automatically created by pfSense installation, all new interfaces created manually will have no access to anything by default.

Before defining the actual firewall rules, we will first create an IP alias to represent all the private IP addresses (used by all private subnets).

  1. go to Firewall > Aliases > IP
  2. click Add
  3. enter ‘Private_IPv4s’ as Name
  4. select Network(s) as Type
  5. add following 3 networks:
    • enter 192.168.0.0 / 16
    • click Add Network and enter 10.0.0.0 / 8
    • click Add Network and enter 172.16.0.0 / 12
  6. click Save then Apply Changes

Now let’s create firewall rules (we will create 2 rules):

First rule: devices within the same subnet can communicate with each other

  1. go to Firewall > Rules > OPT1
  2. click Add button to create 1st rule (allow access to other devices within the same subnet)
  3. for Address Family, select IPv4+IPv6
  4. for Protocol, select Any
  5. for both Source and Destination, select OPT1 net
  6. for Description, enter ‘allow access within subnet’
  7. click Save

Second rule: allow Internet access

  1. click Add button again to create 2nd rule (allow Internet access)
  2. for Address Family, select IPv4+IPv6
  3. for Protocol, select Any
  4. for Source, select OPT1 net
  5. for Destination,
    • check Invert match checkbox
    • select Single host or alias
    • then type ‘Private_IPv4s’ as the Destination Address
  6. for Description, enter ‘allow Internet access’
  7. click Save, then Apply Changes

Now you can use this OPT1 interface for subnet 2. With these 2 rules, devices within subnet 2 can communicate with each other and access Internet. However, they won’t be able to access subnet 1.
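To make the effect of the two rules (and of the Invert match on the Private_IPv4s alias) concrete, here is an added example that models the rule evaluation in Python; it is not pfSense code and not part of the original post. It assumes 192.168.1.0/24 as the LAN (subnet 1) address and uses a hypothetical interface ‘OPT2’ with no rules to show the default deny.

```python
import ipaddress

# Constructed model of the OPT1 ruleset from step 4 (not pfSense code):
# pfSense evaluates the rules of the interface a packet arrives on,
# top to bottom, first match wins; with no matching rule the packet
# is blocked (implicit default deny). Reply traffic is handled by
# state tracking, so only the initiating direction is modelled here.

# The 'Private_IPv4s' alias created in step 4
PRIVATE_IPV4S = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Interface networks: OPT1 as configured in step 2; the LAN network
# (subnet 1) is an assumed example value.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.99.0/24"),
}


def in_alias(addr):
    """True if addr falls inside any network of the Private_IPv4s alias."""
    return any(addr in net for net in PRIVATE_IPV4S)


# Rules per interface: (source predicate, destination predicate, description)
RULES = {
    # The rule pfSense creates automatically for LAN: allow everything.
    "LAN": [
        (lambda s: s in NETS["LAN"], lambda d: True, "Default allow LAN to any"),
    ],
    "OPT1": [
        # First rule: source and destination both 'OPT1 net'
        (lambda s: s in NETS["OPT1"], lambda d: d in NETS["OPT1"],
         "allow access within subnet"),
        # Second rule: destination = Private_IPv4s with 'Invert match',
        # i.e. the destination must NOT be a private address.
        (lambda s: s in NETS["OPT1"], lambda d: not in_alias(d),
         "allow Internet access"),
    ],
}


def evaluate(iface, src, dst):
    """Decide what pfSense does with a new connection entering on iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_ok, dst_ok, desc in RULES.get(iface, []):
        if src_ok(src) and dst_ok(dst):
            return ("pass", desc)
    return ("block", "implicit default deny")


if __name__ == "__main__":
    # Constructed sample flows
    for iface, src, dst in [
        ("OPT1", "192.168.99.10", "192.168.99.20"),  # same subnet
        ("OPT1", "192.168.99.10", "8.8.8.8"),        # Internet
        ("OPT1", "192.168.99.10", "192.168.1.5"),    # subnet 1: blocked
        ("OPT1", "192.168.99.10", "172.32.0.1"),     # public, outside 172.16/12
        ("LAN", "192.168.1.5", "192.168.99.10"),     # print job from subnet 1
        ("OPT2", "10.0.5.5", "8.8.8.8"),             # hypothetical iface, no rules
    ]:
        print(iface, src, "->", dst, evaluate(iface, src, dst))
```

Note that 172.32.0.1 passes because the alias entry 172.16.0.0/12 covers only 172.16.0.0 through 172.31.255.255, which is exactly the private range; addresses just outside it are public.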


Notes about double NATs

pfSense firewall also serves as a router. When you have 2 routers (the ISP router and pfSense) in a network, that creates double NAT.

To put it simply, it works completely fine for general Internet use like browsing, email, cell phones and most gaming.

However, it may cause problems when a service you use requires port forwarding. If you don’t need port forwarding, you probably won’t find any issues.

Port forwarding

Approach 1: If you do need port forwarding, the easiest approach is to configure port forwarding on both ISP Router and pfSense firewall.

Approach 2: Configure the ISP router to use a DMZ address pointing to the pfSense firewall. With this approach, you only need to configure port forwarding at the pfSense firewall.

Approach 3: Use more advanced techniques (out of scope for this post), including bridging the ISP router, or replacing the ISP router completely by connecting the Internet connection directly to the pfSense firewall. However, take the following into consideration, especially when this is your first time setting up a pfSense firewall:

  • it requires more in-depth networking knowledge.
  • it most likely requires involvement of the ISP’s technical support to reset the connection. This can be frustrating and time consuming when you have to go back and forth multiple times.
  • some functionality could be lost if the service provider also offers TV/phone service through the ISP provided router.
  • the ISP may refuse technical support if you encounter difficulties, until you switch back to their original ISP provided router.

pfSense is a great, powerful firewall. Once you have it set up as part of your network, there are other awesome features you can use to improve your network.

NEXT > Part 2: Setup more subnets using VLAN

This Post Has 33 Comments

  1. Hi Alan, found your article is very informative and easy to follow. I have started doing the steps already. Keep the good work. cheers, Yasa

    1. Great! I am glad that it is useful and thanks for your feedback. Alan

  2. Hi Alan,

    the setup i need to main is with the following HW.
    ISP router
    PFsense FW loaded on an old laptop ( 1 on board NIC, 2 USB NICs )
    cisco 3560/ 8 port

    this is the HW i have with me.

    Any advice of how best I can secure/facilitate my network. i would like to have 3 subnets,
    kids
    guests and for myself ( my PC )

    any help is much appreciated

    regards
    Yasa

    1. Your pfSense with 3 NICs allows you to set up 2 local subnets (1 NIC [WAN] connects to ISP router, 1 NIC for kids, 1 NIC for yourself).
      You can use the ISP router’s switch ports for guests (or ISP router’s wi-fi in isolation mode if available). Your guest connections would be outside your local subnets (blocked by pfSense).

      This seems like the most simple setup for the HW you have.

      1. Hello Alan
        Following your advice I got a Qotom unit i7 with 4 Intel NICs. My requirement is I want one NIC connected to a wifi access point to provide internet to all devices and one NIC running OpenVPN connected to another access point, since I need sometimes to connect to the VPN network wirelessly to access sites and make VoIP calls since blocked by my ISP

        1. Hi Akil, wouldn’t running vpn for all networks be better? so that all traffic is encrypted and more secure.
          When using openvpn on pfSense, a typical setup will usually update routing table & gateway for all networks to go through vpn.

      2. Hi Alan,

        Thank you so much for this brilliant idea !
        I’ve been struggling for weeks trying to figure out an easy way to set up a Wifi guest network that would not communicate with my local network.
        I have now plugged in a Wifi access point to my ISP bridged router, and it works flawlessly !

        1. You are welcome. Glad that this helps. Cheers Alan

  3. Hi Alan. Thanks for your article.
    A couple of questions for you.

    -I didn’t understand what is for and how exactly “invert match” in Destination works

    -Which software did you use to draw the (network) pictures in the article above.
    Thanks again
    Luke

    1. “invert match” means ‘not’. In the post, it is used on a destination that is a private address. The rule will then only apply to destinations that are NOT private addresses (i.e. other subnets).
      As a result, traffic is allowed when target machine is in the Internet (with public ip addresses) but is blocked when trying to access machine on another subnet (with private ip address).

      draw.io is used for network diagrams.

      cheers. Alan

  4. Hi Alan, novice user…in the section where you set the Destination to Invert match – Single host or alias than entering Prviate_IPv4s. how did you get pfsense to accept that. It is not working for me because it is asking for Destination IP address. I am stuck at this section and cannot move on. Please advised

    1. Hi josh, Make sure you have created the alias (Private_IPv4s) as described at the beginning of step 4. Then you should be able to use it to create firewall rules. Also double check for any typos.

      1. Thanks Alan. It is working.
        Based on your setup, Subnet 1 has internet access and subnet 2 does not have internet access. If I want to allow subnet 2 and the sub-interface/VLANs to have internet access. Do I create rules for only Opt1 or do I need to create rules for all of the VLANs as well?

        1. You are welcome. Each VLAN should be treated as a separate subnet. So you should create rules for each VLAN based on your security requirements.

  5. How come subnet 2 on vlan 99 does not have internet access? Rules were created for subnet 2, when OPT1 was setup. Am I wrong about that rule?

    1. You should have Internet access if setup correctly. There’s a few things you can do to troubleshoot.
      1. run command ipconfig (windows or ifconfig for others) at your computer to ensure you have correct ip address (should be 192.168.99.x). If not, check pfSense config and make sure DHCP is configured correctly for OPT1
      2. run command ping 192.168.99.1 (pfSense) at your computer. You should be able to ping 192.168.99.1 successfully. If not, make sure you have firewall rule setup at OPT1 to allow OPT1-net devices to communicate with each other
      3. at pfSense, go to Diagnostics > Ping, use 8.8.8.8 as hostname, OPT1 as Source address. This is to test Internet access for interface OPT1. If failed, make sure you have firewall rule setup at OPT1 to allow Internet access.

      If all 3 tests are successful, you should be able to access Internet.

  6. Thanks, Alan. It is working.

    1. You are welcome.

  7. Alan, I am trying to block Downloads by Extension in Pfsense ex:(.exe.,mp3.,mp4,etc) using v2.4.4. I am not sure how to do that. Do you have anything like that to post?

    1. Check out SquidGuard package. It enables content filtering. You can install it to pfSense at System > Package Manager.

      1. I installed the squidguard package and filtered to block extension file through regular expression. It does not seem to work for me.
        Expressions:(.*\/.*\.(exe|mp4|mp3|flv|avi|zip))

        What am I missing? Does this configuration not work for pfsense version 2.4.4?

        1. I tested using your expression and it works just fine with pfsense 2.4.4.
          Make sure you click Apply at General settings of SquidGuard and clear cache of browser when testing.

          It’s easy to setup to work with http.
          However, if you want it to also work for https, you need to do SSL/TLS MITM interception. To do that, you need to create CA and install it as trusted to all client devices.
          It’s more complicated to setup and maintain. Plus the fact that it breaks the SSL/TLS connection, not sure if it’s worth doing.

          For HTTPS, it’s much easier to setup to block domain names instead of file extensions.

          1. Alan, I installed both Squid and SquidGuard. Is that what you did to get it to block file extension or just using SquidGuard?

            I installed Squid to setup the proxy server and installed SquidGuard to filter.

          2. Yes. For Squid, enabled ‘Transparent HTTP Proxy’. ‘Real Time’ tab can confirm Squid is processing HTTP requests
            At SquidGuard

            • created rule to block URLs using expressions at Target categories
            • At Common ACL’s Target Rules list, select deny for rule just created and allow for Default access [all]
            • click Apply at General settings

            Clear browser’s cache and test.
            This works for me.

          3. I do not know what I am missing here. It is not working for me.

            Transparent HTTP Proxy
            Enable transparent mode to forward all requests for destination port 80 to the proxy server.

            @SquidGuard
            created rule name and enter regular expression rule (.*\/.*\.(exe|mp4|mp3|flv|avi|zip))
            follow the same steps as you did and it is not blocking any down file set in the url expression.

            restarting from the beginning to make sure that I am not missing anything.

          4. Not sure what went wrong but try to make 1 thing work at a time. see following troubleshooting steps:
            1. check Squid real time log to ensure http requests are proxied
            2. ensure SquidGuard is enabled
            3. enable SquidGuard log (at General settings, Common ACL & rules). check log to see any requests showed up blocked
            4. make sure URL request is HTTP, and not HTTPS
            5. try to block a domain instead of expression to see if SquidGuard works at all. Good sign if this works
            6. try use a simple expression like: .*\.com (This blocks all .com domains, e.g. http://anyname.com)
            7. if all failed, try uninstall and reinstall them again.

  8. Hi Alan,

    That’s great information, would love to see if you can add guide for VPN run from pfSense on selected VLAN (would like to run some devices on VPN)

    1. Thanks. I have a post about setting up PIA VPN with pfSense.
      It’s site-to-site VPN connection.
      To exclude a VLAN from using the VPN, simply specify the gateway to use original WAN connection (instead of Default) at the VLAN’s firewall rules

  9. Hi Alan,
    Thank you for the great guide. It is very helpful and things worked just fine when I followed yours steps.

    I would like to install Pfblocker on my pfsense but I only want it to filter ads on a specific VLAN and also on another one physical subnet. Is this possible? I assume that the way to make this work is to play with firewall rules which I am not that familiar with. Can you please help me with those rules? Below is high level of my setup

    ISP —igb0(WAN)——>Pfsense —–igb1——>LAN1 ( secure)
    |
    |———–igb2 (LAN2) and VLAN 30—-> Switch —–> Wireless Access Point on LAN2 (SSID1)
    | |
    | |———–VLAN 30 on igb2 (SSID2)
    | |
    | |———–VLAN 40 on igb2 (SSID3)
    |
    |———–igb3 (LAN3) —-> Gaming Consoles

    I would like to filter ads on VLAN 30 but NOT VLAN 40. Also I want to filter ads on LAN3.

    Thanks

    1. Sorry my drawing got mixed up after I submitted my reply.
      igb1, igb2 and igb3 are physical NIC on the Pfsense.
      igb2 goes to a VLAN aware switch (unifi switch)
      igb3 goes to a gaming console

      igb2 (LAN2) which includes VLAN 30 and VLAN 40 go to the switch which has a wireless access point connected to it
      the wireless access point broadcasts three SSIDs:
      SSID1: on LAN2
      SSID2: VLAN 30
      SSID3: VLAN 40

      1. Hi Troy,

        Each VLAN is treated as an interface (subnet).
        when you run the Pfblocker setup wizard after installing it, you can select which outbound firewall interfaces to block at IP Component Configuration screen.
        Select only the interfaces that you want blocking would do.

        cheers Alan

        1. Hi Alan,

          Thanks for replying back to me.

          I have two questions:

          1. I installed pfblocker and checked the interfaces I want to block ads on during the setup wizard but I am still seeing clients showing in pfblocker Reports that are connected to the interface that I did not select in the setup wizard.

          2. I am using DNSBL and I have my own blacklist that I added successfully but I am still seeing clients being blocked from an interface that I did not select.

          Is there an option or a setting that I should check in order to enable blocking ONLY on a specific interface or VLAN?

          Thanks again

          1. In addition to firewall rules, pfBlocker also uses DNS resolver to block domains.
            For interfaces that allow ads, the simplest way is to use a different DNS (e.g. google’s DNS 8.8.8.8)

            So configure the DHCP server for these interfaces to use DNS 8.8.8.8 when assigning IP-addresses to devices.
