Let’s Have Some Fun Securing Our Home Network With pfSense

Robert

As I alluded to in a previous blog post, I’ve been beefing up my home network security as it’s become apparent we are now living in the midst of a cyber war.

I use a VPN and have for many years now, but I have had all kinds of problems with running the VPN connection on all of my devices. The iOS support for VPN connections is especially terrible. So I decided to instead get a firewall device to sit between my network and the internet. I configured a Protectli device with pfSense, a FreeBSD-based open source OS for firewalls.

Diagram of my network configuration.

pfSense is configured with a VPN connection that “tunnels” my network traffic to another server somewhere on the other side of the internet. This is important because it prevents my ISP from reading my network traffic. To the ISP, any traffic coming from the pfSense firewall looks like static — it is indistinguishable from noise. In effect, this allows all the devices attached to my network to appear with the same phony IP address (that of the VPN server).

Hiding your IP address is a good idea if you care about privacy. Ad tech companies, including the big hitters like Google, Facebook, and Twitter, use your IP address (or a hash of it) to identify you online. Using your IP address, a company like Facebook can connect your activity across browser sessions, devices, and so on. Additionally, your ISP knows your IP address and can, if compelled by a court order or DMCA request, hand over your name and identification in association with your IP address.

In short, here’s what you’ll need for this setup:

  • A physical firewall device that can run pfSense (I recommend Protectli) [about $300]
  • A USB thumb drive, which we’ll use to install pfSense [$10 or less]
  • A speedy WiFi router that is separate from your ISP’s modem (if your router and modem are already separate devices, you can probably use that router, but my instructions here assume your ISP’s WiFi device cannot be trusted) [about $100]

This isn’t a home security panacea. Next, I’ll need to configure my own DNS to avoid DNS leaks. I may try to get DoH set up, but I’m not sure if pfSense supports encrypted DNS yet. Once I have that set up, I’ll also be able to block all advertising inside my network, as a nice bonus!

Finally, my eventual goal is to have this network function as a sort of “home lab” setup. I want to be able to VPN into my firewall from anywhere on the internet, effectively allowing me to establish a secure connection for file sharing between friends and family. My pfSense adventure is just beginning! 🙂
