Homelab Project
Network Security
pfSense · VLANs · VPN · IDS/IPS

pfSense Network Security Gateway

Bare‑metal firewall and routing platform securing a segmented homelab environment with VLANs, VPN access, intrusion detection/prevention, and centralized monitoring.

Role: Design, deployment, and operations · Bare‑metal firewall · Self‑hosted services

Overview

I deployed pfSense as the primary firewall and router for my homelab to gain deeper control over network segmentation, security policies, and traffic visibility. Running pfSense on bare metal keeps the security perimeter independent from my Proxmox virtualization stack.

Network features
  • Multi‑VLAN segmentation (LAN, IoT, DMZ, lab)
  • WireGuard VPN server for remote access
  • Snort IDS for threat detection (currently alert‑only; inline IPS blocking is a planned improvement)
  • Pi‑hole DNS ad and tracker blocking

Architecture and design decisions

  • Bare‑metal deployment: Dedicated mini PC; the onboard NIC faces the WAN and a USB NIC carries the 802.1Q VLAN trunk to the switch.
  • VLAN segmentation: Separate LAN, IoT, DMZ, and lab networks.
  • Pi‑hole integration: DNS filtering and telemetry reduction.
  • NetAlertX monitoring: Device and service visibility across VLANs.
  • WireGuard VPN: Secure remote access.
  • Snort IDS/IPS: Real‑time threat detection and alerting.

Security controls and policies

  • Default‑deny posture between VLANs.
  • VPN‑first remote access using WireGuard.
  • DNS control via Pi‑hole.
  • Traffic logging for audit and troubleshooting.
  • IDS visibility through Snort.
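The default‑deny and rule‑ordering controls above, modelled as an added example in Python (this is not the author's pfSense configuration). It evaluates new connections first‑match per ingress VLAN, the way pfSense's `quick` rules do, and renders the same policy in pf syntax so the ordering can be read directly. The subnets, the Pi‑hole address, the WireGuard tunnel network and the rule set itself are assumptions.

```python
"""Inter-VLAN policy model for a pfSense gateway like the one described above.

Added example, not the author's configuration.  pfSense writes every GUI rule
with `quick`, so pf evaluates them first-match per ingress interface and the
implicit default is deny.  Subnets, Pi-hole address and rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed addressing: one /24 per VLAN plus the WireGuard tunnel network.
NETS = {
    "LAN": ip_network("10.0.10.0/24"),
    "IOT": ip_network("10.0.20.0/24"),
    "DMZ": ip_network("10.0.30.0/24"),
    "LAB": ip_network("10.0.40.0/24"),
    "WG": ip_network("10.0.99.0/24"),  # WireGuard peers land here
}
PIHOLE = ip_address("10.0.10.53")  # assumed Pi-hole address, on LAN

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: Optional[str]  # "tcp", "udp", or None for any
    dst: str              # a NETS key, "PIHOLE", "PRIVATE" (all of NETS) or "any"
    dport: Optional[int]  # destination port, None for any
    note: str

# Rules per ingress VLAN, top to bottom; the order is the whole point.  Same-VLAN
# traffic is switched locally and never reaches pf, but the LAN->Pi-hole pass is
# still kept ahead of the DNS block so the order stays right if Pi-hole moves.
# DMZ rules are omitted here; they have the same shape as LAB.
POLICY = {
    "LAN": [
        Rule("pass", None, "PIHOLE", 53, "resolve via Pi-hole"),
        Rule("block", None, "any", 53, "no DNS to anything else"),
        Rule("pass", None, "IOT", None, "LAN may manage IoT devices"),
        Rule("pass", None, "LAB", None, "LAN may reach lab services"),
        Rule("block", None, "PRIVATE", None, "other internal networks denied"),
        Rule("pass", None, "any", None, "internet"),
    ],
    "IOT": [
        Rule("pass", "udp", "PIHOLE", 53, "IoT resolves via Pi-hole"),
        Rule("block", None, "any", 53, "no hard-coded resolver bypass"),
        Rule("block", None, "PRIVATE", None, "IoT never initiates to other VLANs"),
        Rule("pass", None, "any", None, "internet only"),
    ],
    "LAB": [
        Rule("pass", "udp", "PIHOLE", 53, "lab resolves via Pi-hole"),
        Rule("block", None, "PRIVATE", None, "lab boxes are untrusted"),
        Rule("pass", None, "any", None, "internet"),
    ],
    "WG": [  # no catch-all: implicit deny covers IoT, DMZ and internet egress
        Rule("pass", None, "LAN", None, "remote admin reaches LAN"),
        Rule("pass", None, "LAB", None, "remote admin reaches lab"),
    ],
}

def ingress_of(src) -> str:
    """Name the VLAN (pf ingress interface) that owns a source address."""
    for name, net in NETS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on any known network")

def matches(rule: Rule, dst, proto: str, dport: int) -> bool:
    if rule.proto and rule.proto != proto:
        return False
    if rule.dport and rule.dport != dport:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "PIHOLE":
        return dst == PIHOLE
    if rule.dst == "PRIVATE":
        return any(dst in net for net in NETS.values())
    return dst in NETS[rule.dst]

def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First match wins, as pf does with `quick`; no match means default deny."""
    d, iface = ip_address(dst), ingress_of(ip_address(src))
    for rule in POLICY.get(iface, []):
        if matches(rule, d, proto, dport):
            return rule.action, rule.note
    return "block", f"default deny on {iface}"

def render_pf() -> str:
    """Emit the same policy in pf syntax so the ordering can be read directly."""
    lines = [f'{n.lower()}_net = "{net}"' for n, net in NETS.items()]
    lines.append("table <private> { " + ", ".join(map(str, NETS.values())) + " }")
    for iface, rules in POLICY.items():
        i = iface.lower()
        for r in rules:
            proto = f" proto {r.proto}" if r.proto else ""
            port = f" port {r.dport}" if r.dport else ""
            dst = {"any": "any", "PIHOLE": str(PIHOLE), "PRIVATE": "<private>"}
            dst = dst.get(r.dst, f"${r.dst.lower()}_net")
            lines.append(f"{r.action} in quick on ${i}{proto} from ${i}_net to {dst}{port}  # {r.note}")
    lines.append("block in log all  # default-deny floor")
    return "\n".join(lines)
```

Two orderings carry the whole posture: the Pi‑hole pass must sit above the port‑53 block, and the block to internal networks must sit above the internet pass, otherwise the catch‑all silently permits inter‑VLAN traffic. On pfSense these rules are authored in the GUI; the pf text is only a readable equivalent, not something to load with pfctl on a pfSense box, where it would be overwritten on the next filter reload.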

Challenges and resolutions

  • USB NIC stability: Resolved by replacing the adapter with one whose chipset has a stable FreeBSD driver.
  • VLAN tagging issues: Fixed by correcting the switch port configuration (tagged trunk toward pfSense, untagged access ports for devices).
  • Snort false positives: Trimmed the enabled rule categories and added suppression entries for recurring benign alerts.
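The suppression step, as an added example in Python (not the project's own tooling): it parses Snort 2 alert_fast lines into (gid, sid, source) counts and emits threshold.conf `suppress` entries only for recurring alerts from hosts already known to be benign, so the same SID stays live for every other source. The alert lines, SIDs and the NetAlertX scanner address are constructed assumptions.

```python
"""Turn recurring Snort alerts into suppress entries, keeping unknowns visible.

Added example, not the project's own tooling.  The alert lines below are
constructed in Snort 2's alert_fast format; SIDs, messages and hosts are
illustrative.  Output uses the threshold.conf `suppress` syntax, which is what
pfSense's Snort package also stores in its per-interface suppression lists.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# gid:sid:rev, message, protocol, source and destination from one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample: the NetAlertX scanner (assumed 10.0.10.40) trips the SSH
# scan rule during discovery, a lab host trips the same rule while actually
# scanning, and one alert appears only once.
SAMPLE_ALERTS = """\
01/15-08:01:12.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.10.40:51000 -> 10.0.20.5:22
01/15-08:01:13.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.10.40:51001 -> 10.0.20.6:22
01/15-08:01:14.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.10.40:51002 -> 10.0.20.7:22
01/15-08:04:20.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.40.10:43000 -> 10.0.10.5:22
01/15-08:04:21.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.40.10:43001 -> 10.0.10.6:22
01/15-08:04:22.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.40.10:43002 -> 10.0.10.7:22
01/15-08:06:00.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.30.8:80 -> 10.0.10.20:50112
"""

# Hosts whose recurring alerts may be suppressed by source (assumed values).
KNOWN_BENIGN = {"10.0.10.40"}  # NetAlertX scanner

def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Parse alert_fast lines; anything the pattern does not match is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def count_by_sid_src(alerts: List[Dict[str, str]]) -> Counter:
    """How often each signature fired from each source address."""
    return Counter((a["gid"], a["sid"], a["src"]) for a in alerts)

def triage(alerts: List[Dict[str, str]], known_benign=KNOWN_BENIGN,
           min_count: int = 3) -> Tuple[List[str], List[str]]:
    """Split recurring (gid, sid, src) triples into suppress entries and items
    that still need a human.  Suppression is keyed to the source address, never
    the SID alone, so the rule keeps firing for any other host."""
    suppress, review = [], []
    for (gid, sid, src), n in sorted(count_by_sid_src(alerts).items()):
        if n < min_count:
            continue  # one-offs are not noise; leave them in the alert queue
        if src in known_benign:
            suppress.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            review.append(f"{n}x [{gid}:{sid}] from {src}: not in known-benign list, keep alerting")
    return suppress, review
```

Keying the suppression to the source rather than disabling the SID is what keeps the lab host's scan visible while the monitoring host's discovery sweep goes quiet. The emitted lines go into the interface's Suppression list in the pfSense Snort package, or into threshold.conf on a stock Snort 2 install; anything in the review list is a decision for the operator, not the script.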

Security impact

  • All remote access routed through encrypted VPN.
  • IoT and lab devices isolated from main LAN.
  • Traffic monitored per VLAN.
  • Least‑privilege firewall rules.

Skills practiced

  • VLAN design and segmentation
  • Firewall rule creation and ordering
  • WireGuard VPN configuration
  • Snort IDS/IPS tuning
  • DNS/DHCP integration
  • Traffic analysis and troubleshooting

Next improvements

  • Enable Snort IPS mode
  • Expand VLANs for production vs. lab workloads
  • Enhance NetAlertX monitoring
  • Explore pfSense backup/HA options