Optimal Home Network/Home office configuration…maximize security and privacy?



  • I am looking to get some feedback on how best to configure my pfsense/netgate sg2440 to make my network as secure and private as I can.

    I have managed to get the following working:
    3 VLANs (office, wife's devices and IoT)
    The VLANs' parent interface is the default LAN
    The VLANs all have separate SSIDs with Unifi-Pro
    Default LAN interface not being used except for VLAN trunk
    I have a sg2440 (4 interfaces-WAN, LAN, pfSense GUI, extra)
    Snort on the separate VLANs
    Rules for each interface (see attached for general VLAN rule structure)
    PIA vpn connection

    My specific questions are:
    I am not hosting email nor a website…is there any benefit to a DMZ?

    Should I be using the default LAN as stated above or would I be better off using one of the extra interfaces, creating a new interface and adding the VLANs parent interface to it?

    Getting my Unifi Pro's controller to connect? It's currently plugged into my LAN interface. Should the VLAN parent interface have any rules for Unifi Pro to stay updated (call home)? I believe the Unifi Pro controller will not work over a VLAN?

    Value of adding OpenDNS IPs vs default pfsense? I believe OpenDNS has malware and phishing protection

    I have struggled to get pfBlocker to work...I have a separate post in the pfBlocker section about network configuration but wanted to provide context to my overall network strategy.

    Using a switch vs a separate interface directly to the VLAN capable Unifi pro? I have available ports on my netgate sg2440

    Any feedback would be greatly appreciated...



  • I'd always say no to a DMZ. There is really no reason to ever have one unless you are running a honey pot or having networking issues that port forwarding cannot handle. It's always more secure to use the port forwarding method as you are restricting everything except for those ports allowed.

    Honestly for LANs, it really doesn't matter what you use. If they get past your firewall, they will figure out the LAN subnet easily enough. Some might disagree with that statement but I work as a network engineer. I can't tell you how many times I was able to sniff out a network once getting past the firewall in about 3 minutes. HOWEVER, I would change up the differences between all my interfaces. For example, I use 192.168.1.x for my production LAN PCs, but my servers use a 10.10.10.x subnet, instead of keeping the 192.168.x.x scheme. I changed it for the servers because if someone gets access to one LAN, they may stop their port scans thinking they obtained access and only do damage to the one LAN instead of both. But that is just my two cents on it.

    UniFi's are awesome. I've only used the software manager/controller, not a physical one. But if you want to be able to access LAN devices from the wifi, you can plug the UniFi into the main production subnet and then just enable "guest" on the WAP to have the guest network separated from the LAN. If you do not need access to devices on the LAN, why not simply plug it into another optional interface and be done with it? There is no real reason for a switch unless you need more WAPs with VLANing and PoE etc… I believe the controller will work over the VLAN. Just in pfSense you need to make a specific rule entry to allow your production subnet to talk to that specific WAP IP address on the other subnet.

    As for DNS, there is really not much to it, other than which DNS provides more stable/fastest connections for your IP-to-name resolutions compared to your current ISP DNS. What I did was run namebench on my workstation. It took about 30 minutes, but it checks UltraDNS, OpenDNS, Google DNS and your ISP's DNS and compares them. For me OpenDNS was 200% faster than my ISP's, so I changed my pfSense to use OpenDNS instead. Your results may vary so make sure to run the tool.

    http://code.google.com/p/namebench/

    I would also recommend that if you do change your DNS servers, you do it under System > General Setup and not under Services > DNS Forwarder. Anything in System > General Setup takes priority over the Services area.

    Sorry, I can't be much help on pfBlocker. I don't use it so have no experience with it.

    Hope that helps,


  • Rebel Alliance Global Moderator

    "I Am not hosting email nor a website…is their any benefit to a DMZ? "

    Let's be clear what we are defining as a DMZ. A DMZ is really nothing more than a firewalled segment. So in that sense, let's say you allow unsolicited inbound traffic to something. I for one host an NTP server for the NTP pool. This server sits in what I call my DMZ; all that really means is this network segment has no other access to my other segments. So even if the machine was compromised it would only have access to other stuff in the DMZ segment.

    Even if you don't forward any unsolicited traffic from the Internet, you might want a "DMZ" or firewalled segment that cannot talk to your other networks, but your networks can talk to it. You might use such a segment for, say, your IoT devices. So just in case they do something you don't want them to do, they are firewalled off from your other networks.
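    The "firewalled segment" described in this post can be written down as a small first-match ruleset. The following is an added example, not code from the thread or from pfSense: a Python model of pfSense-style per-interface rule evaluation with a state table. The VLAN names, subnets and addresses (LAN 192.168.1.0/24, IoT 192.168.3.0/24, firewall address 192.168.3.1 on the IoT side) are constructed. It shows two things the post implies but does not spell out: a "block IoT to private ranges" rule also blocks the IoT devices from the firewall's own DNS/NTP, so a pass rule for the firewall address must sit above it; and because the firewall is stateful, the IoT device's replies to a connection opened from LAN pass without any rule on the IoT interface. The state model is deliberately simplified (no protocol field, no expiry).

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment plan (assumption, not the poster's configuration): the IoT
# VLAN is the "firewalled segment"; LAN may reach it, it may not reach LAN.
SEGMENTS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "IOT": ipaddress.ip_network("192.168.3.0/24"),
}
IOT_GATEWAY = "192.168.3.1/32"   # firewall's own address on the IoT VLAN (constructed)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    iface: str    # interface the packet arrives on; pfSense evaluates rules per interface
    action: str   # "pass" or "block"
    src: str      # "any", "<IFACE>net" or a CIDR
    dst: str      # "any", "rfc1918", "<IFACE>net" or a CIDR
    label: str


# Order matters: the first matching rule on the ingress interface wins.
RULES = [
    Rule("IOT", "pass",  "IOTnet", IOT_GATEWAY, "IoT to firewall (DNS/NTP served by pfSense)"),
    Rule("IOT", "block", "IOTnet", "rfc1918",   "IoT may not initiate to any private segment"),
    Rule("IOT", "pass",  "IOTnet", "any",       "IoT to Internet"),
    Rule("LAN", "pass",  "LANnet", "any",       "LAN may reach anything, IoT included"),
]


def addr_matches(spec, ip):
    """Match an address against a rule's src/dst specification."""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ip in net for net in RFC1918)
    if spec.endswith("net") and spec[:-3] in SEGMENTS:
        return ip in SEGMENTS[spec[:-3]]
    return ip in ipaddress.ip_network(spec)


def ingress_iface(ip):
    """Interface a packet from ip enters on, derived from the segment it belongs to."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "WAN"


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, sport, dst, dport) of flows a pass rule admitted

    def evaluate(self, src, sport, dst, dport):
        """Return (action, reason) for a packet; 'pass' on a new flow records state."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Stateful shortcut: a reply to an admitted flow passes without consulting rules.
        if (dst_ip, dport, src_ip, sport) in self.states:
            return "pass", "existing state"
        iface = ingress_iface(src_ip)
        for r in self.rules:
            if r.iface == iface and addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip):
                if r.action == "pass":
                    self.states.add((src_ip, sport, dst_ip, dport))
                return r.action, r.label
        return "block", "default deny"   # nothing matched: the implicit deny


def demo():
    """Constructed traffic: a LAN PC (.1.10), a NAS (.1.50), a smart TV on IoT (.3.20)."""
    fw = Firewall(RULES)
    return {
        "lan_to_tv":   fw.evaluate("192.168.1.10", 40000, "192.168.3.20", 8080),
        "tv_reply":    fw.evaluate("192.168.3.20", 8080,  "192.168.1.10", 40000),
        "tv_to_nas":   fw.evaluate("192.168.3.20", 40001, "192.168.1.50", 445),
        "tv_to_dns":   fw.evaluate("192.168.3.20", 40002, "192.168.3.1",  53),
        "tv_to_cloud": fw.evaluate("192.168.3.20", 40003, "203.0.113.9",  443),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:12s} {action:5s} ({why})")
```

    Reordering the first two IoT rules is the usual way this setup goes wrong: with the block rule first, `tv_to_dns` is denied and the IoT devices silently lose name resolution while still reaching the Internet by IP.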



  • I thank you both kindly for your thoughts.

    Very helpful…more work to do.

    Thanks again :)



  • @johnpoz:

    "I Am not hosting email nor a website…is their any benefit to a DMZ? "

    Let's be clear what we are defining as a DMZ. A DMZ is really nothing more than a firewalled segment. So in that sense, let's say you allow unsolicited inbound traffic to something. I for one host an NTP server for the NTP pool. This server sits in what I call my DMZ; all that really means is this network segment has no other access to my other segments. So even if the machine was compromised it would only have access to other stuff in the DMZ segment.

    Even if you don't forward any unsolicited traffic from the Internet, you might want a "DMZ" or firewalled segment that cannot talk to your other networks, but your networks can talk to it. You might use such a segment for, say, your IoT devices. So just in case they do something you don't want them to do, they are firewalled off from your other networks.

    Well, as you mentioned, there are a few meanings of DMZ.

    In my example, a DMZ is a zone that allows ALL inbound traffic to come in. This is where honey pots and other things are useful. It can redirect attacks on your network to places you have them go specifically, because all traffic is allowed and it's easy to get to.

    It's also often used for troubleshooting; for example, those with NAT issues on a PlayStation would create a DMZ and allow all traffic to it as a troubleshooting method, or simply leave it in that state for a full NAT connection.

    While I know that is one example of what a DMZ is, it is not the only one; different vendors have different definitions of what a DMZ is. For example, I believe SonicWall considers a DMZ to be what I mentioned above. However, WatchGuard defines it as simply a segmented zone. So basically another subnet could be your "DMZ": if you simply call a segmented zone (aka another subnet) your DMZ, then it is a DMZ…

    Honestly, to avoid all this, I simply live by the rule of no DMZs ever. There is really no point in doing it unless you are troubleshooting something network-wise or baiting attackers (however, subnetting is another story).

    So depending on your definition, it can mean two different things. To avoid confusion I simply just say (using another subnet) instead of (using a DMZ).

    Here is a thread on PFSense forums with someone asking the difference between the two. Most pretty much follow my first definition of the word.

    https://forum.pfsense.org/index.php?topic=97636.0



  • A belated thank you!



  • I would personally set up a DMZ if I had servers that need a permanent Internet connection,
    or IoT devices that are sniffing my network and then snitching everything home to the vendor's server.

    It could also be a nice place for smart TVs, game consoles and/or internet radios or many IoT
    devices; for sure that can also be done with an extra multimedia VLAN, so nothing
    wrong with it if they are all not disturbing the rest of the LAN.

    I would divide the entire local area network into several VLANs, and this by using a small switch,
    either Layer 3 or Layer 2, as needed and/or wished. Cisco SG220/SG250 or SG350 series are
    here one of the best you can get your hands on; they start with 10-port and end with
    48-port models, as you need. This is based on my own opinion and nature and surely
    not a must. If you need a switch you may also get the benefit from that: if your entire
    network load is too high, based on whatever, the switch is saturated, and if this were all
    connected to your firewall directly this one would be freezing!

    I would set up:
    pfSense 192.168.1.0/24
    VLAN1 - management VLAN - 192.168.1.0/24
    VLAN10 - IoT devices - 192.168.3.0/24
    VLAN20 - private wired devices - 192.168.4.0/24
    VLAN30 - office - 192.168.0.5/24
    VLAN40 - WiFi guest - 192.168.6.0/24
    VLAN50 - WiFi private - 192.168.7.0/24
    VLAN60 - children (each) - 192.168.8.0/24
    etc…

    wired devices over OpenLDAP on a small MinnowTurBot or Raspberry PI 3.0 with Debian Linux or TurnKey Linux
    wireless devices (guests) over the Captive Portal w/ voucher system
    wireless devices (private) over FreeRadius Server 3.0 w/ certificates
    OpenDNS account if children are in that household, and then matching to their age

    pfBlockerNG & DNSBL + TLD might also be nice to use, but a Squid proxy with user auth. might be
    better together with SquidGuard & SARG to get knowledge of who is surfing where! (Children)