Introduction
Odds are you have some kind of high-speed internet connection at your residence. Whether it's cable, fiber, or something in between, most households today rely on a single device provided by the ISP that handles both modem and wireless routing functions. But things didn’t start out that way.
I remember getting my first cable modem in the late 1990s. This was before wireless networking was common in homes, so your computer connected directly to the modem using a wired Ethernet cable. If you had a second device that required internet access, you could often request an additional IP address from your provider and connect both through a basic Ethernet switch. Consumer routers weren’t widely available yet, and most setups had no concept of internal network security. (In terms of security, you were often downloading the free ZoneAlarm to help out, as the built-in Windows firewall wasn’t up to par yet.)
Back then, the idea of running a dedicated firewall at home was virtually unheard of. That sort of thing was reserved for businesses. Encryption wasn’t widespread either. SSL was limited to things like logging into webmail or banking sites. Obtaining and installing SSL certificates for most web pages or sites was costly, and hosting provider limitations sometimes made it impossible to install one at all. The vast majority of online traffic was sent in plaintext.
Eventually, wireless routers became common, and people began placing them inside their homes to share the connection across multiple devices. Over time, ISPs started bundling everything into a single gateway unit to simplify installations and offer upsell opportunities. These all-in-one devices now dominate the consumer market, often combining modem, router, and Wi-Fi access point in one box.
But what if your needs go beyond the basics? What if you want more control, better performance, or tighter security? I’ll walk through the approach I use today and some of the benefits that come with it.
Proposed Setup
To clarify the various setups and options, here are some illustrations. Early on, we had the aforementioned direct connection (before the days of wireless routers).
While the standard was finalized in 1999, 802.11b WiFi devices didn’t really hit the market until 2000. It was a matter of purchasing a router and then adapters or devices that supported WiFi natively.
Over time, this setup evolved. Your ISP could charge a surcharge leasing these devices to you, so exciting-sounding “all in one” devices became the norm to be offered during signup and installation.
While the proposed (recommended) setup is a little more complex, it offers the most flexibility and power.
Another benefit of managing your own network setup is freedom from being locked into a single technology standard. With an all-in-one device provided by your ISP, you're limited to whatever wireless protocol it supports at the time. For example, if your gateway includes Wi-Fi 6, upgrading to Wi-Fi 7 (and in 2028, WiFi 8) means relying on your ISP to offer newer hardware. There's no guarantee they'll make that available promptly, and when they do, the cost is likely to be passed on to you through higher rental fees or upgrade charges. By keeping your router separate, you can adopt new standards on your own schedule without waiting or paying extra.
My particular setup focuses on using a dedicated hardware device, such as the small form-factor boxes made by Protectli, which are available through retailers like Amazon. I pair that with the community edition of pfSense, which offers a strong mix of performance, flexibility, and control for users who want more say over their network.
This approach works well for me, but I wouldn’t claim it’s the best fit for everyone. Other hardware options are available, including devices from Netgate (the official pfSense hardware provider), Qotom, and a variety of fanless mini-PCs. On the software side, alternatives include OPNsense, IPFire, or even a general-purpose Linux system configured with tools like nftables or Firewalld. The key idea is that once you move beyond the standard ISP gateway, you gain access to a wide range of customizable options.
Real-World Uses
Let’s take a look at some of the possibilities. I’ll start by highlighting the features I personally use with my pfSense setup. The community edition of pfSense typically receives a major base update once a year, but many of its individual features, provided through optional packages, can be installed and updated as needed.
Setting these up requires a modest level of technical understanding. That said, if you’ve found your way to this Substack and you already have an idea of the feature you want to implement, you can probably figure it out. I won’t go into full technical depth for each item, but I’ll provide a clear overview of what’s available and why I use it.
LAN IP Address Control
When using a standard all-in-one gateway or even a typical consumer router, you may find limited control over how LAN IP addresses are assigned. Some models allow basic customization, but many lock you into predefined settings or restrict how much you can fine-tune your network. With pfSense, you get full control over your internal address structure. The best approach is somewhat subjective, and others may prefer different strategies, so decide based on your own needs.
Most consumer routers default to an internal subnet of 192.168.1.0/24, meaning all devices on your network will receive addresses like 192.168.1.x. Changing this default can provide benefits. For instance, certain devices (for example, ISP-provided equipment) may try to use the 192.168.1.x range for their own administrative access. This can cause confusion or small conflicts when troubleshooting. Picking a different subnet helps avoid these overlaps and makes it easier to keep track of which device is doing what.
There is also a small security advantage. Some older exploits relied on users clicking links that appeared to point to internal addresses but were actually redirecting to external domains. If someone sees a link like 192.168.1.1.myroutermanagement.net, they might click it without realizing it is part of a malicious domain. By using a less common subnet, such as 192.168.8.0/23 or 192.168.16.0/23, you may reduce the chance that such tricks work. You also gain a larger pool of usable IP addresses, which can be helpful in homes with many connected devices.
pfSense also lets you define a specific address pool for DHCP (Dynamic Host Configuration Protocol). If a device does not have a static assignment, it can be given a dynamic IP from this limited pool. By narrowing this range, you create a natural barrier against rogue devices that might try to join your network if your Wi-Fi password is compromised. Fewer open slots mean fewer chances for unauthorized access.
Finally, controlling your LAN addressing scheme sets the stage for future optimizations. You might want to group streaming devices into one range, smart home gear into another, and reserve a block for gaming systems. This makes it much easier to apply firewall rules, prioritize traffic, or simply keep your network organized as it grows.
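The addressing plan described above, as an added example that is not part of the original post: it takes the post's 192.168.8.0/23 suggestion, splits it into named ranges with a deliberately small DHCP pool (the boundaries are assumptions), and checks that nothing overlaps the ISP gateway's 192.168.1.0/24 range or the VPN client pool used later in the post.

```python
import ipaddress

# Constructed plan following the post's suggestion of a less common /23 subnet.
# The range boundaries and the external networks are assumptions for illustration.
LAN = ipaddress.ip_network("192.168.8.0/23")
ISP_GATEWAY_ADMIN = ipaddress.ip_network("192.168.1.0/24")   # range ISP gear often claims
VPN_POOL = ipaddress.ip_network("10.0.8.0/24")               # OpenVPN client pool from the post

# Named ranges inside the LAN as (first, last), inclusive. The DHCP pool is kept
# deliberately small so unknown devices have few slots to land in.
PLAN = {
    "infrastructure": ("192.168.8.1",   "192.168.8.15"),
    "streaming":      ("192.168.8.16",  "192.168.8.47"),
    "smart_home":     ("192.168.8.48",  "192.168.8.111"),
    "gaming":         ("192.168.8.112", "192.168.8.127"),
    "dhcp_pool":      ("192.168.9.200", "192.168.9.219"),
}

def _bounds(first, last):
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return a, b

def validate_plan(lan, plan):
    """Return a list of problems: ranges outside the subnet, use of the network or
    broadcast address, or ranges that overlap each other. An empty list means OK."""
    errors, seen = [], []
    for name, (first, last) in plan.items():
        a, b = _bounds(first, last)
        if a not in lan or b not in lan:
            errors.append(f"{name}: {first}-{last} lies outside {lan}")
        if a == lan.network_address or b == lan.broadcast_address:
            errors.append(f"{name}: uses the network or broadcast address")
        for other, oa, ob in seen:
            if a <= ob and oa <= b:          # inclusive interval overlap test
                errors.append(f"{name} overlaps {other}")
        seen.append((name, a, b))
    return errors

def dhcp_slots(plan):
    """Number of addresses the DHCP pool can hand out to unrecognised devices."""
    a, b = _bounds(*plan["dhcp_pool"])
    return int(b) - int(a) + 1

def usable_hosts(lan):
    """Host addresses available in the subnet (network and broadcast excluded)."""
    return lan.num_addresses - 2

def external_overlaps(lan, *others):
    """Networks outside the LAN (ISP gateway admin range, VPN pool) that collide with it."""
    return [str(n) for n in others if lan.overlaps(n)]

def classify(ip, plan):
    """Which planned range an address falls in, handy when reading pfTop or firewall logs."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in plan.items():
        a, b = _bounds(first, last)
        if a <= addr <= b:
            return name
    return "unassigned"
```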
A Clarification on Topology
In my setup, I needed to make a few adjustments on the gateway device provided by my fiber internet provider. Specifically, I accessed its admin interface and navigated to a section labeled something like Firewall > IP Passthrough. There, I entered the WAN MAC address of my pfSense box. This setting tells the gateway to pass the public IP address directly to my pfSense device, effectively putting it in control of network routing and firewall duties. I also disabled Wi-Fi on the gateway entirely.
These changes serve two important purposes. First, turning off Wi-Fi on the gateway prevents it from interfering with my own mesh Wi-Fi 7 system, which handles wireless coverage much more effectively. Leaving the gateway’s Wi-Fi on could create unnecessary noise or overlap, and it might remain an open access point that I forget to secure or monitor. Second, enabling IP passthrough allows pfSense to operate as a true edge firewall, managing traffic directly without needing to route through another layer of NAT or filtering on the ISP gateway.
Technically, you could run pfSense behind the gateway’s built-in firewall, but that creates a double NAT situation. While it can work, it often introduces complications with port forwarding, remote access, and some gaming or VoIP services. Using IP passthrough keeps the routing cleaner, simplifies troubleshooting, and puts full control into your hands.
Additionally, since you’ll be using a separate Wi-Fi router to provide wireless access in your home, you may need to put it into what’s commonly called Access Point mode (or Bridge Mode). This disables the router’s own NAT (Network Address Translation), DHCP, and firewall features so it no longer performs routing duties. Instead, it simply bridges wireless devices to your main network managed by the dedicated firewall. This avoids double NAT issues and ensures all devices are on the same subnet, with your firewall retaining full control over traffic flow and IP assignments. Most modern routers include this option in their settings, though it might be labeled something other than “bridge mode” or “AP mode” depending on the manufacturer.
Setting up DHCP
When setting up DHCP assignments, especially for mobile devices and modern laptops that use Wi-Fi, one important step is to disable MAC address randomization for your home network. Most devices today include a setting that lets you toggle this per Wi-Fi connection. It is a great privacy feature when you are out in public, since it helps prevent tracking between networks. However, on your home network, it can interfere with your ability to manage devices consistently, particularly when assigning static IP addresses or applying firewall rules.
Your device might warn you that disabling MAC randomization reduces security, and that is a fair warning. There are pros and cons. I am not going to turn this into a MAC address deep dive, but my personal rule is simple: keep randomization on at the coffee shop, and turn it off for my home network. This gives me the control I need without sacrificing privacy where it matters most. You may come to a different conclusion, and that is fine.
Once MAC randomization is turned off, I let the device connect to Wi-Fi and receive a dynamic address from the DHCP pool I previously defined. Then, in the pfSense admin interface, I locate that lease in the DHCP status list. There’s a plus sign next to each active lease that allows you to create a static DHCP mapping based on that entry. I click that, assign a recognizable name to the device, and choose an IP address from the planned static range within my subnet.
The device will continue using the dynamic address until the lease expires or it reconnects. After that, it will receive the new static address going forward. This method keeps things organized, avoids address conflicts, and gives me full control over what devices are where on my network.
The Firewall
By default, pfSense takes a practical and balanced approach to firewall rules. Outbound traffic from your internal devices is allowed without restriction. This ensures that everyday activities like web browsing, streaming, or downloading updates work without issue. The idea is that your internal devices are trusted and not trying to make unwanted outbound connections. If something on your network is behaving suspiciously, that is a separate issue to investigate, but at least you will not be troubleshooting why a specific device cannot reach a particular website or service.
Incoming traffic from the WAN side is blocked by default. Unless you specifically create a rule to allow it, outside requests are denied. This acts as a first line of defense against unsolicited scans, probes, and intrusion attempts. When a device on your network initiates a connection to an external server, the return traffic is allowed as part of that session. No extra rule is needed to support responses from legitimate outbound requests.
In my case, I have created a few custom rules that suit my home network. For example, I have some older devices that I trust on my internal network but want to prevent from talking to the internet altogether. This is useful for hardware that previously relied on a cloud service that is now discontinued (and not receiving firmware updates), such as a NAS or a security camera. These devices still function well for local use, and there is no reason for them to communicate outside the network.
I also have a rule that allows OpenVPN traffic, which I will cover in a later section. This is one of the key advantages of using pfSense. It gives you full control over how traffic flows through your network, both internally and externally.
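The rule set described above, modelled as an added example (this is not pfSense code, and the device addresses and alias names are constructed): rules are evaluated top-down with first match winning, as in the pfSense GUI, aliases group the cloud-orphaned devices, anything arriving on WAN without a matching rule is dropped, and replies to an allowed outbound connection pass by state. NAT and port-level state matching are simplified away.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed example: addresses and aliases are illustrative, not the author's.
WAN_IP = "203.0.113.10"            # documentation-range stand-in for the public IP
ALIASES = {
    "LAN_net":    ["192.168.8.0/23"],
    "Legacy_IoT": ["192.168.8.60", "192.168.8.61"],   # old NAS and camera
    "RFC1918":    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("lan" or "wan")
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # alias name, CIDR or "any"; a "!" prefix negates
    dst: str
    dport: Optional[int]   # None = any port
    descr: str

# Same order as in the pfSense GUI: first match wins.
RULES = [
    Rule("wan", "pass",  "udp", "any",        "WAN_address", 1194, "Allow OpenVPN"),
    Rule("lan", "block", "any", "Legacy_IoT", "!RFC1918",    None, "Cloud-orphaned devices: LAN only"),
    Rule("lan", "pass",  "any", "LAN_net",    "any",         None, "Default allow LAN to any"),
]

def _expand(token):
    """Resolve an alias name, CIDR or literal address into a list of networks."""
    if token == "WAN_address":
        return [ipaddress.ip_network(WAN_IP)]
    entries = ALIASES.get(token, [token])
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _addr_matches(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = _expand(spec.lstrip("!"))
    ip = ipaddress.ip_address(addr)
    hit = any(ip in n for n in nets)
    return not hit if negate else hit

def rule_matches(rule, pkt):
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (proto, src, dst, dport) of connections already passed

    def evaluate(self, pkt):
        """Return (action, reason). Reply traffic for an existing state passes without a rule."""
        for proto, src, dst, _dport in self.states:
            if pkt.proto == proto and pkt.src == dst and pkt.dst == src:
                return "pass", "existing state"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
                return rule.action, rule.descr
        return "block", "default deny"   # nothing matched: dropped, as on WAN by default
```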
pfSense includes a built-in tool called pfTop, which allows you to monitor real-time network traffic. It gives you a live view of connections passing through your firewall, showing which devices are talking, how much data is moving, and where it is going. You can access pfTop through the web interface or through the command line by enabling SSH access on the LAN side. The SSH version updates more smoothly and offers a faster view into active traffic flows.
Much of what you see in pfTop will be routine background activity. Smart home devices may be communicating with each other, music apps might be streaming, operating systems could be checking for updates, or voice assistants like Alexa might be standing by for commands. It is normal for modern homes to generate a steady stream of this kind of traffic. Phones, tablets, laptops, and streaming devices all run multiple services at once, many of which reach out to the internet without any user interaction.
Occasionally, you might notice something that seems unusual. A device could be making repeated connections to a specific port or IP address. This does not always indicate a problem, but it may be worth a closer look. pfSense makes it easy to respond. You can block the device from reaching that address, prevent it from accessing the internet altogether, or create a temporary rule to isolate the traffic and see what stops working. This gives you a flexible and low-risk way to investigate what is happening on your network.
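The "repeated connections to one address" check described above, as an added example that is not from the post or from pfSense: it parses rows in the column layout pftop prints (the sample rows and devices are constructed), flags a device that has opened many separate connections to one external endpoint, lists the heaviest talkers for the slow-connection case, and phrases the narrow block rule the post suggests as a first response.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout pftop prints
# (PR DIR SRC DEST STATE AGE EXP PKTS BYTES); the devices and addresses are made up.
SAMPLE = """\
tcp Out 192.168.8.60:49152 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:05 23:59:55 12 1840
tcp Out 192.168.8.60:49153 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:09 23:59:51 12 1840
tcp Out 192.168.8.60:49154 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:14 23:59:46 12 1840
tcp Out 192.168.8.60:49155 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:18 23:59:42 12 1840
tcp Out 192.168.8.60:49156 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:23 23:59:37 12 1840
tcp Out 192.168.8.60:49157 203.0.113.77:8443 ESTABLISHED:ESTABLISHED 00:00:27 23:59:33 12 1840
tcp Out 192.168.8.10:51001 198.51.100.20:443 ESTABLISHED:ESTABLISHED 00:01:02 23:58:58 300 412000
tcp Out 192.168.8.10:51002 198.51.100.21:443 ESTABLISHED:ESTABLISHED 00:00:40 23:59:20 80 96000
udp Out 192.168.8.33:5353 224.0.0.251:5353 NO_TRAFFIC:SINGLE 00:00:30 00:00:30 4 512
udp Out 192.168.8.33:51234 192.168.8.1:53 MULTIPLE:MULTIPLE 00:00:02 00:00:58 2 180
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    """Private or multicast destinations are routine LAN chatter, not internet traffic."""
    ip = ipaddress.ip_address(host)
    return ip.is_multicast or any(ip in n for n in RFC1918)

def parse_pftop(text):
    """Turn pftop-style rows into dicts; header or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, direction, src, dst, state, _age, _exp, pkts, nbytes = parts[:9]
        shost, sport = src.rsplit(":", 1)
        dhost, dport = dst.rsplit(":", 1)
        rows.append({"proto": proto, "dir": direction, "src": shost, "sport": int(sport),
                     "dst": dhost, "dport": int(dport), "state": state,
                     "pkts": int(pkts), "bytes": int(nbytes)})
    return rows

def repeated_destinations(rows, threshold=5):
    """Outbound (src, dst, dport, proto) tuples with at least `threshold` distinct
    source ports, i.e. one device opening many separate connections to one endpoint
    outside the LAN. Returns (src, dst, dport, proto, count) sorted by count."""
    ports = defaultdict(set)
    for r in rows:
        if r["dir"] != "Out" or is_internal(r["dst"]):
            continue
        ports[(r["src"], r["dst"], r["dport"], r["proto"])].add(r["sport"])
    hits = [k + (len(v),) for k, v in ports.items() if len(v) >= threshold]
    return sorted(hits, key=lambda h: -h[-1])

def top_talkers(rows):
    """Bytes per source address, largest first, for the 'why is it suddenly slow' case."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

def suggested_rule(finding):
    """Phrase the narrow, reversible block rule to try first while watching what breaks."""
    src, dst, dport, proto, _count = finding
    return f"block {proto} from {src} to {dst} port {dport} on LAN (temporary, observe impact)"
```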
Dynamic DNS
Dynamic DNS (DDNS) is a valuable feature in pfSense, especially if your internet service provider does not assign you a static (or semi-static) public IP address. In my setup, I use a non-essential domain that points to a dynamic DNS provider such as ZoneEdit. I specifically use a third-level domain, which adds a layer of obfuscation by requiring anyone attempting an exploit to know the exact subdomain in use. pfSense includes built-in support for many DDNS providers, making it easy to keep your DNS records up to date without manual intervention.
Once configured, pfSense will monitor your WAN IP address and automatically log into your chosen DDNS provider to update the associated record when your IP changes. This is particularly helpful if your ISP changes your address periodically, even if not often. Without this feature, remote access services such as OpenVPN would break unless you manually updated your DNS settings each time your IP changed.
Using a consistent DNS name tied to your current IP makes it much easier to connect back to your network. Whether you are using a mobile OpenVPN client or accessing your home server remotely, you can simply point the connection to a hostname that always reflects your current WAN IP. This is a cleaner and more stable solution than relying on hardcoded IPs that might change without warning.
OpenVPN
Setting up OpenVPN on pfSense is one of the most useful features for anyone who wants secure remote access to their home network. Whether your goal is to protect yourself on public Wi-Fi, access files and systems while traveling, or avoid paying for a third-party VPN just to encrypt your traffic, hosting your own VPN is a powerful and practical solution.
To begin, you will need to go through pfSense’s certificate setup process. This involves creating a certificate authority (CA), generating a server certificate, and issuing individual client certificates. These are used for secure authentication and encryption. Once that is complete, you can install the OpenVPN Client Export package within pfSense. This makes it easy to generate client configuration files or bundles that can be imported into VPN apps on your devices.
For mobile devices, you will need a trustworthy OpenVPN client. On iOS, the official OpenVPN Connect app from OpenVPN Technologies is the best option and supports profile import directly from your device. For Android, both OpenVPN Connect and OpenVPN for Android by Arne Schwabe are solid choices. The latter offers additional customization if you need it. Be sure to download from the official app stores to avoid tampered or fake versions.
You will also need to adjust your firewall settings in pfSense to allow traffic to the OpenVPN server. This usually involves opening UDP port 1194 on the WAN interface, although you can choose a different port if desired. In addition, pfSense requires you to define a virtual IP address pool for VPN clients. This pool should be outside your main LAN subnet. For example, if your LAN uses 192.168.8.0/24, you might use 10.0.8.0/24 for VPN clients. This separation simplifies routing and lets you apply specific rules or monitoring for VPN users. Additionally, pay careful attention to the setting that redirects client traffic through the VPN; it is off by default. In my case, I opted for IPv4 traffic to get routed exclusively via the VPN when connected. (I recommend turning both IPv4 and IPv6 on, and then disabling IPv6 if you experience problems. In some cases your home gateway or ISP configuration may not be set up properly for IPv6.)
One of the strengths of OpenVPN is its support for a wide range of encryption algorithms. The most common and recommended cipher today is AES-256-GCM. This provides strong encryption and includes built-in authentication, making it more efficient than older modes like AES-256-CBC with separate HMAC. If your hardware supports AES-NI (most modern devices do), you can run AES-256-GCM with minimal performance impact. You will also need to choose a certificate type. RSA with 2048-bit keys is secure and sufficient for most users, but 4096-bit RSA is available if you want additional strength and do not mind the performance trade-off. Enabling a static TLS key for additional handshake authentication is also recommended, as it blocks unauthorized connection attempts before encryption negotiation even begins.
It is worth mentioning that while OpenVPN is widely trusted and highly configurable, it is not the newest protocol on the block. Some users prefer WireGuard for its speed and simplicity. However, OpenVPN remains more flexible, more transparent in terms of logging and configuration, and better supported across a wider range of platforms, especially in a project like pfSense.
The benefits of self-hosted OpenVPN are clear. It adds a strong layer of encryption when you are on public Wi-Fi, preventing eavesdropping or data theft. It allows you to access your home devices and services securely while away. And if your main goal is simply to protect your connection without bypassing geo-restrictions, it can save you money compared to a paid VPN service. Once set up, OpenVPN on pfSense provides peace of mind and complete control over your secure remote access.
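An added audit of the server settings the OpenVPN section calls out (the GCM cipher rather than CBC plus HMAC, a static TLS key, a client pool outside the LAN, traffic redirected through the tunnel, UDP transport). This is not pfSense's own validation: pfSense builds its configuration from the GUI, so the two configs below are constructed in OpenVPN's directive syntax purely to show a weak setting beside its corrected form.

```python
import ipaddress

# LAN subnet used in the post's example; the VPN pool must not overlap it.
LAN = ipaddress.ip_network("192.168.8.0/24")

# Constructed server configs in OpenVPN's own directive syntax (not pfSense output).
WEAK = """\
port 1194
proto udp
dev tun
server 192.168.8.0 255.255.255.0
cipher AES-256-CBC
"""

HARDENED = """\
port 1194
proto udp
dev tun
server 10.0.8.0 255.255.255.0
push "redirect-gateway def1"
data-ciphers AES-256-GCM
tls-crypt ta.key
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

def parse_openvpn(text):
    """Map directive -> argument list. 'push' may repeat, so it is kept as a list of lists."""
    conf = {"push": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "push":
            conf["push"].append([a.strip('"') for a in args])
        else:
            conf[key] = args
    return conf

def audit_server(text, lan=LAN):
    """Return findings for the settings the post calls out; an empty list means none."""
    conf = parse_openvpn(text)
    findings = []
    # 1. Authenticated encryption (GCM) rather than CBC with a separate HMAC.
    raw = conf.get("data-ciphers") or conf.get("cipher") or []
    ciphers = [c.upper() for arg in raw for c in arg.split(":")]
    if not ciphers:
        findings.append("no data-channel cipher configured")
    elif any(c not in AEAD_CIPHERS for c in ciphers):
        findings.append(f"non-AEAD cipher allowed: {ciphers}")
    # 2. Static TLS key so unauthenticated handshakes are dropped before negotiation.
    if "tls-crypt" not in conf and "tls-auth" not in conf:
        findings.append("no static TLS key (tls-auth/tls-crypt)")
    # 3. Client pool outside the LAN subnet.
    if "server" in conf and len(conf["server"]) >= 2:
        pool = ipaddress.ip_network(f"{conf['server'][0]}/{conf['server'][1]}", strict=False)
        if pool.overlaps(lan):
            findings.append(f"VPN pool {pool} overlaps LAN {lan}")
    else:
        findings.append("no 'server' pool defined")
    # 4. Full tunnel: client traffic routed through the VPN (off by default).
    if not any(p and p[0] == "redirect-gateway" for p in conf["push"]):
        findings.append("redirect-gateway not pushed; client traffic stays on the local network")
    # 5. Transport the post uses.
    if conf.get("proto", ["udp"])[0] != "udp":
        findings.append("proto is not udp")
    return findings
```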
Other Features Worth Knowing About
pfSense includes a multitude of features beyond what I’ve covered in this article. The list below highlights just a handful of them. I personally haven’t implemented all of these in my own setup, but I can easily see where they would be valuable depending on your network needs or specific use cases. Whether you're managing a small office or just experimenting with advanced tools at home, some of these may be worth exploring.
Built-In Diagnostics and Tools
pfSense includes a variety of built-in utilities that can help you quickly diagnose and understand what is happening on your network. These tools are accessible directly from the web interface and are based on standard open source command line utilities, which means they behave exactly as expected for those familiar with Linux or BSD environments.
Basic tools like Ping and Traceroute are available under the Diagnostics menu. These are helpful for checking connectivity to a device or seeing how traffic is being routed. While many consumer routers offer similar tools, pfSense gives you a more reliable and transparent implementation based on proven utilities.
One especially useful inclusion is nmap, a network scanning tool that can identify open ports and running services on devices across your network. I often use this when I forget which port a security camera or other device is using for its admin interface. Instead of manually guessing or resetting the device, I can scan its IP address and get a quick answer.
As mentioned earlier, pfTop is another powerful utility included with pfSense. It provides a real-time view of network traffic, allowing you to see which devices are using the most bandwidth and which connections are active. If your connection suddenly slows down, pfTop is often the first place to look. It’s just one more example of how pfSense offers tools typically found only in enterprise-grade gear, made accessible to home and small office users.
Wake-on-LAN (WoL)
Wake-on-LAN might not seem like a standout feature at first glance, but it can be surprisingly useful in the right context. In my case, I have a NAS backup system that spends most of its time in hibernation. For a long time, I was manually pulling and reinserting the power cable every time I needed it, not realizing that the device actually supported WoL. Once I enabled it, pfSense gave me a simple way to wake the system on-demand without relying on command-line tools or third-party utilities.
You might have other devices on your network that behave the same way, staying inactive until they receive a WoL packet. pfSense includes a built-in interface to send these packets with just a few clicks. If you have a lot of automation running in your home, this feature is worth exploring. It gives you more control over when devices are powered on, helps conserve energy, and can simplify remote access to systems that do not need to stay on all the time.
Captive Portal
I have not used the Captive Portal feature in pfSense personally, but I can see where it would be useful—especially in a small commercial setting like a coffee shop, waiting room, or co-working space. Captive Portal allows you to create a network login page that users must interact with before gaining access to the internet. This might include accepting terms of service, entering a password, or even using a voucher or login credentials you provide.
The feature is highly customizable and can be tailored to display your branding, legal disclaimers, or access rules. You can set time limits, bandwidth restrictions, and even control how many devices a user can connect under the same login.
Of course, using Captive Portal in a commercial or guest-facing environment means thinking about your network layout carefully. You would not want to allow guest traffic to mix with your internal business systems. Creating a separate VLAN or isolated Wi-Fi network for guests is strongly recommended. pfSense can help manage that segmentation as well, but you will need to plan your topology and firewall rules accordingly to ensure both usability and security.
Even More Ideas
As I was wrapping up this post, I asked ChatGPT for other ideas and features I might have overlooked. The result was a great reminder that pfSense is capable of far more than most users will ever need. What follows is just a limited subset of additional tools and capabilities that are built in or available through optional packages. I have not explored every one of these personally, but many are worth a closer look depending on how you use your network.
One powerful add-on is pfBlockerNG, which allows you to block entire countries or IP ranges with just a few clicks. Whether you're trying to reduce unwanted login attempts, cut down on junk traffic, or tighten your exposure footprint, this can be an effective layer of protection. You can filter by geographic region, known bad actors, or even advertising and tracking domains.
Firewall aliases are another underrated feature. These let you group together devices, IP addresses, or networks into a single label. You can then apply rules to that alias instead of creating separate rules for each item. It is a huge time-saver if you regularly tweak access policies or want to quickly block a whole category of devices with one change.
For households, pfSense also includes features that can help with security and safeguarding, especially for families. You can create scheduled access limitations to restrict internet access by device or group. This could be used to pause access during homework hours, block access overnight, or simply give certain devices a more limited window of connectivity.
Another useful feature is the ability to assign custom DNS entries right within pfSense. If you want to refer to devices on your network with easy names like nas.home or printer.local, you can do that without running a separate DNS server. It is a small touch that makes managing your environment more convenient.
Finally, pfSense gives you precise control over routing traffic through a VPN. You might want only certain devices, like your Roku or a torrent box, to use a third-party VPN service such as NordVPN or Mullvad. pfSense can selectively route traffic from those devices through the VPN while keeping everything else on your regular WAN connection. This gives you flexibility without requiring VPN apps on every device.
There are many other features beyond this list, but even just exploring a few of them can open the door to new possibilities for how you manage and secure your network.
Conclusion
You can probably see that pfSense offers an impressive level of control and capability, especially for something that runs on free, open-source software. Whether your focus is network visibility, better security, or simply organizing and managing your home or small office environment more effectively, pfSense provides tools that are usually found in much more expensive solutions.
In my setup, I use the free pfSense Community Edition alongside a small dedicated device from a vendor like Protectli. Hardware in this category typically ranges from $249 to $349 USD, depending on specs such as RAM, storage, and the number of network ports. That may seem higher than the cost of a basic consumer router, but when compared to premium consumer firewall appliances, the value becomes clear. Many of those retail models start around $300 and can reach $500 or more, especially when they include features like VPN support, malware filtering, and advanced traffic shaping.
What really sets pfSense apart is the flexibility. There are no recurring license fees, no limitations on features based on your subscription tier, and no reliance on proprietary firmware updates. You are in control of your system and can add or remove functionality as your needs evolve.
For anyone who wants a deeper understanding of their network, more secure access to their devices, or the satisfaction of managing things on their own terms, pfSense is a strong choice. It rewards curiosity and offers long-term reliability without locking you into a specific ecosystem.