
pfSense Basics for Home Networks

What Is pfSense

pfSense is a FreeBSD-based firewall and router distribution. It takes commodity PC hardware - sometimes literal junk-drawer PCs - and turns them into network appliances that rival enterprise equipment costing thousands of dollars. The web interface handles all configuration, so you do not need to touch the command line unless you want to.

At its core, pfSense is a packet filter with a web GUI. But the package ecosystem extends it into a full network security platform: intrusion detection, DNS filtering, VPN, traffic shaping, DHCP, and more. For a home network, pfSense replaces your router's firewall functions entirely. Your consumer router becomes just a WiFi access point.

Hardware Requirements

pfSense needs surprisingly little hardware. For a typical home network (under 500 Mbps), the minimum is a dual-core 64-bit CPU, 4 GB of RAM, a small SSD (32 GB is more than enough), and two network interfaces (one for WAN, one for LAN).

Old desktop PCs work well. An Intel NUC or similar mini PC with an added USB Ethernet adapter is a compact option. For dedicated hardware, Netgate (the company behind pfSense) sells appliances starting around $200 that are purpose-built and fanless.

The critical requirement is two network interfaces. Onboard Ethernet covers one. A PCIe or USB Ethernet adapter handles the second. Intel-chipset NICs are the most compatible, but most Realtek adapters work too.

For gigabit throughput with Suricata (intrusion detection) running, plan for a quad-core CPU and 8 GB of RAM. Without IDS, a ten-year-old desktop handles gigabit routing without breaking a sweat.

Installation Walkthrough

Installation follows a standard process. Download the installer ISO from the pfSense website, write it to a USB drive using Rufus or Etcher, boot from USB, and follow the text-based installer. The entire process takes about ten minutes.

The installer asks three important questions: which disk to install on (it will erase it), which interface is WAN (connects to your modem), and which is LAN (connects to your switch or access point). If you get the interfaces backward, you can swap them on first boot - you just reassign them through the console menu.

After installation, connect a computer to the LAN port and navigate to 192.168.1.1 in a browser. The setup wizard walks through basic configuration: hostname, DNS servers, WAN type (usually DHCP if your modem handles PPPoE), LAN subnet, and admin password.

graph TD
    subgraph "Installation Steps"
        A[Download pfSense ISO] --> B[Write to USB Drive]
        B --> C[Boot Target Hardware from USB]
        C --> D[Run Text-Based Installer]
        D --> E[Select Disk and Interfaces]
        E --> F[Reboot into pfSense]
    end
    subgraph "Initial Configuration"
        F --> G[Connect PC to LAN Port]
        G --> H[Browse to 192.168.1.1]
        H --> I[Setup Wizard - DNS/WAN/LAN]
        I --> J[Set Admin Password]
        J --> K[System Ready]
    end

pfSense installation and initial setup - from ISO download to running system in under 20 minutes

WAN and LAN Interface Setup

The WAN interface connects to your modem or ISP handoff. In most home setups, this uses DHCP - your modem assigns pfSense a public IP address (or a CGNAT address). If your ISP requires PPPoE authentication, pfSense supports that natively.

The LAN interface connects to your internal network. By default, pfSense assigns itself 192.168.1.1 on LAN and runs a DHCP server handing out addresses in the 192.168.1.100-199 range. You can change both the subnet and the DHCP range to avoid conflicts with other equipment.

If you add more network interfaces (for a dedicated IoT network, a guest network, or a DMZ), each one gets its own interface assignment, its own subnet, and its own firewall rules. This is where pfSense starts to shine - true network segmentation that consumer routers cannot do.

Understanding Default Rules

pfSense ships with two default rule sets that form a sane starting point.

WAN rules: Block everything. No inbound traffic from the internet reaches your network unless you explicitly create a rule allowing it. The default WAN set also blocks traffic arriving from RFC 1918 private addresses and from bogon networks.

LAN rules: Allow everything. Any device on your LAN can send traffic anywhere - to the internet, to other interfaces, everywhere. The LAN set also carries an anti-lockout rule that ensures you can always reach the web interface. This is permissive by design (to avoid breaking things on first boot), but you should tighten it over time.

The firewall evaluates rules top-to-bottom, first match wins. If a packet matches rule number 3, rules 4 through 50 are never checked. Order matters. Put specific allow rules above general deny rules.

graph TD
    subgraph "WAN Rules - Default"
        W1[Block RFC 1918 Private Addresses] --> W2[Block Bogon Networks]
        W2 --> W3[Block All Other Inbound]
    end
    subgraph "LAN Rules - Default"
        L1[Anti-Lockout Rule - Allow GUI Access] --> L2[Allow All IPv4 to Any]
        L2 --> L3[Allow All IPv6 to Any]
    end
    subgraph "Recommended LAN Tightening"
        R1[Allow DNS to pfSense Only] --> R2[Allow HTTP/HTTPS to Any]
        R2 --> R3[Allow Specific Services]
        R3 --> R4[Block All Other Traffic]
    end
    L2 -.->|Should Evolve To| R1

Default pfSense rules vs recommended tightened configuration - moving from allow-all to explicit-allow

Creating Firewall Rules

Firewall rules in pfSense have several components: action (pass, block, or reject), interface (which network the rule applies to), protocol (TCP, UDP, ICMP, or any), source (where traffic comes from), destination (where traffic goes), and destination port.

A practical example: to allow your LAN devices to browse the web but nothing else, you would create two rules on the LAN interface. First, allow TCP from LAN net to any destination on ports 80 and 443. Second, allow UDP from LAN net to your DNS server on port 53. Then a final rule: block everything else. Anything not matching the first two rules hits the block rule and gets dropped.

pfSense also supports aliases - named groups of IPs, ports, or networks. Instead of creating separate rules for each service, you can create an alias called "Allowed_Ports" containing 80, 443, 993, and 587, then reference that alias in a single rule. When you need to add a port, update the alias instead of editing rules.

VLAN Support for IoT Segmentation

VLANs (Virtual LANs) let you create separate networks on a single physical interface. pfSense supports 802.1Q VLAN tagging natively. Combined with a managed switch that also supports VLANs, you can create isolated network segments without additional hardware.

A common home setup uses three VLANs: Trusted (VLAN 10, 192.168.10.0/24) for computers and phones, IoT (VLAN 20, 192.168.20.0/24) for cameras, smart speakers, and automation devices, and Guest (VLAN 30, 192.168.30.0/24) for visitors.

Firewall rules between VLANs control the traffic flow. IoT devices can reach the internet but cannot initiate connections to the Trusted network. Guest devices can reach the internet but nothing else. Trusted devices can reach everything. This means a compromised smart bulb cannot pivot to attack your desktop.
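To make "first match wins", alias expansion and the inter-VLAN policy concrete, here is an added Python simulation of how pfSense evaluates the tightened LAN rule set from the earlier example and the IoT VLAN policy. This is illustrative code written for this article, not pfSense's own packet filter; the interface names LAN and IOT, the alias contents, the gateway addresses and the sample packets are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed aliases in the spirit of the text's "Allowed_Ports" (example values only).
ALIASES = {
    "Allowed_Ports": {80, 443, 993, 587},
    "Trusted_net": ["192.168.10.0/24"],
    "IoT_net": ["192.168.20.0/24"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def rule(action, iface, proto, src, dst, dport="any"):
    """One GUI-style rule: action, interface, protocol, source, destination, dest port."""
    return dict(action=action, iface=iface, proto=proto, src=src, dst=dst, dport=dport)

def nets(spec):
    """'any', an alias name, or a literal address/CIDR -> list of ip_network objects."""
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(n) for n in ALIASES.get(spec, [spec])]

def matches(r, pkt):
    if r["iface"] != pkt["iface"] or r["proto"] not in ("any", pkt["proto"]):
        return False
    src_ok = any(ip_address(pkt["src"]) in n for n in nets(r["src"]))
    # A leading "!" inverts the destination match, like pfSense's "Invert match" checkbox.
    dst_in = any(ip_address(pkt["dst"]) in n for n in nets(r["dst"].lstrip("!")))
    dst_ok = dst_in != r["dst"].startswith("!")
    ports = ALIASES.get(r["dport"], r["dport"]) if isinstance(r["dport"], str) else r["dport"]
    port_ok = ports == "any" or pkt["dport"] in ports
    return src_ok and dst_ok and port_ok

def evaluate(rules, pkt):
    """Top-to-bottom, first match wins; when nothing matches the result is block."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "block"

# Tightened LAN (Trusted VLAN 10) set: DNS to pfSense only, web via the alias, block the rest.
LAN_RULES = [
    rule("pass", "LAN", "udp", "Trusted_net", "192.168.10.1", {53}),
    rule("pass", "LAN", "tcp", "Trusted_net", "any", "Allowed_Ports"),
    rule("block", "LAN", "any", "any", "any"),
]
# IoT VLAN 20: DNS to its gateway, never initiate to Trusted, otherwise internet (non-RFC1918) only.
IOT_RULES = [
    rule("pass", "IOT", "udp", "IoT_net", "192.168.20.1", {53}),
    rule("block", "IOT", "any", "IoT_net", "Trusted_net"),
    rule("pass", "IOT", "any", "IoT_net", "!RFC1918"),
]
```

Reversing LAN_RULES so the block-all rule sits on top blocks every packet, which is the ordering mistake the text warns about.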

Essential Packages

pfSense has a package manager with add-ons that extend its capabilities significantly.

Suricata is a network intrusion detection and prevention system (IDS/IPS). It inspects traffic against rule sets containing known attack signatures. Running on the WAN interface, it can detect (and optionally block) exploit attempts, malware communications, and policy violations. The Emerging Threats rule set is free and updated regularly.

pfBlockerNG combines DNS-based ad blocking (similar to Pi-hole) with IP-based threat intelligence. It can block entire IP ranges associated with known malicious activity, and it resolves DNS queries for ad and malware domains to a blackhole address. Running pfBlockerNG on pfSense means you do not need a separate Pi-hole device.

WireGuard or OpenVPN packages let you create VPN tunnels for secure remote access to your home network. Instead of port-forwarding RDP or SSH, you VPN in and access everything securely.

OPNsense as an Alternative

OPNsense forked from pfSense in 2015. It runs on the same FreeBSD base and offers similar capabilities. The main differences are the web interface (OPNsense uses a more modern design), the update cadence (OPNsense releases more frequently), and some package availability differences.

If you are starting fresh and have no existing preference, try both. OPNsense has a slightly gentler learning curve due to its interface design. pfSense has a larger community and more third-party documentation. Both will serve a home network extremely well.

Is It Worth the Effort

The learning curve is real. Budget a weekend for initial setup and a few weeks of occasional tweaking to get rules dialed in. You will break something - a device that cannot reach the internet because your rules are too strict, a VLAN that is not quite routing correctly, a package that needs tuning.

But the result is a home network with visibility and control that consumer routers cannot provide. You will see every connection, control what goes where, detect intrusion attempts, and block malicious domains. Combined with wireless monitoring from tools like the BLEShark Nano (which covers the WiFi and BLE environment that pfSense cannot see), you have a genuinely layered defense.

For anyone serious about home network security, pfSense or OPNsense is the single highest-impact upgrade you can make.
