
Setting Up a Home Firewall

What Your Router Already Does

Every consumer router sold in the last fifteen years has a firewall built in. Most people never touch it. The default settings block unsolicited inbound connections from the internet, which handles the most common attack vector: someone on the internet trying to connect directly to a device on your local network.

The problem is that "default" does not mean "optimal." Router manufacturers prioritize ease of use over security. Features like UPnP are enabled by default on most routers, and the firewall rules are intentionally permissive to reduce support calls. Understanding what your router's firewall actually does - and what it does not do - is the first step toward a properly defended home network.

SPI and NAT Explained

Your router uses two mechanisms that together form its firewall: Stateful Packet Inspection (SPI) and Network Address Translation (NAT).

NAT is technically not a security feature. It exists because IPv4 addresses are scarce, so your router shares one public IP address among all devices on your network. Each device gets a private IP address (typically 192.168.x.x), and the router translates between the two. A side effect of NAT is that inbound connections from the internet cannot reach your internal devices unless the router has a specific rule telling it where to forward that traffic.

SPI adds actual firewall logic on top of NAT. It tracks the state of each connection - which internal device initiated it, which external server responded, and whether the packets arriving match an existing conversation. If a packet arrives that does not match any tracked connection, SPI drops it. This prevents a range of attacks where an attacker sends crafted packets hoping to slip through a stateless filter.

graph TD
    subgraph "Internet"
        EXT[External Server]
        ATK[Attacker]
    end
    subgraph "Router Firewall"
        NAT[NAT Translation Table]
        SPI[Stateful Packet Inspection]
        FW_RULES[Firewall Rules]
    end
    subgraph "Home Network - 192.168.x.x"
        PC[Desktop PC]
        PHONE[Smartphone]
        IOT[IoT Devices]
    end
    PC -->|Outbound Request| NAT
    NAT -->|Translated Packet| EXT
    EXT -->|Response - Matches State| SPI
    SPI -->|Valid State - Forward| NAT
    NAT -->|Deliver to PC| PC
    ATK -->|Unsolicited Packet| SPI
    SPI -->|No Matching State - DROP| FW_RULES

How SPI and NAT work together - outbound traffic creates state entries, inbound responses are matched, unsolicited traffic is dropped
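The behaviour in the diagram above, as an added example that is not code from the original article: a toy Python model of a router's NAT state table and its SPI forward-or-drop decision, including one static port forward (the SSH-to-a-Pi case the article discusses later). All addresses, ports and the forward rule are constructed for the demo.

```python
# Toy model of a consumer router's NAT plus SPI firewall (added example, not
# from the original article). All addresses and ports are constructed.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # constructed WAN address (TEST-NET-3)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class RouterFirewall:
    def __init__(self, port_forwards=None):
        # Static port forwards: public port -> (internal ip, internal port).
        self.port_forwards = dict(port_forwards or {})
        self.state = {}  # (public port, remote ip, remote port, proto) -> (lan ip, lan port)
        self.next_public_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: allocate a public port and record the connection state."""
        public_port = self.next_public_port
        self.next_public_port += 1
        self.state[(public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """WAN -> LAN: deliver only if the packet matches tracked state or a
        static forward; anything else has no matching state and is dropped."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        target = self.state.get(key) or self.port_forwards.get(pkt.dst_port)
        if target is None:
            return "DROP", None
        lan_ip, lan_port = target
        return "FORWARD", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)

def demo():
    # SSH to a Raspberry Pi forwarded on port 22, as in the article's example.
    fw = RouterFirewall(port_forwards={22: ("192.168.1.50", 22)})
    # 1. Desktop opens HTTPS to an external server: this creates a state entry.
    out = fw.outbound(Packet("192.168.1.10", 51234, "198.51.100.5", 443))
    # 2. The server's reply matches that entry and is translated back to the desktop.
    reply = fw.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port))
    # 3. An unsolicited packet to an unforwarded port matches nothing: dropped.
    unsolicited = fw.inbound(Packet("192.0.2.66", 55555, PUBLIC_IP, 3389))
    # 4. The SSH forward is a permanent hole: the same stranger reaches the Pi.
    ssh = fw.inbound(Packet("192.0.2.66", 55556, PUBLIC_IP, 22))
    return reply, unsolicited, ssh
```

Step 4 is the point the port-forwarding section makes: a forward removes the "no matching state" check for that port, so whatever listens on the Pi is the only thing left between the internet and your LAN.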

Inbound vs Outbound Rules

Firewall rules come in two flavors: inbound and outbound.

Inbound rules control what traffic from the internet can reach your network. On consumer routers, the default is to block everything inbound unless it matches an existing connection that one of your devices started. This is the right default. You should not change it unless you have a specific reason (like running a server).

Outbound rules control what traffic your devices can send to the internet. On nearly every consumer router, the default is to allow everything outbound. This is the wrong default for security, but changing it on consumer hardware is usually not possible. Outbound filtering matters because compromised devices on your network - malware-infected PCs, hijacked IoT cameras - need to communicate with their command-and-control servers. If your firewall blocked outbound connections to unknown ports or suspicious destinations, it could limit the damage.

Outbound filtering is one of the main reasons to consider dedicated firewall hardware. Consumer routers simply do not offer the granularity needed. A dedicated firewall like pfSense or OPNsense lets you create rules like "IoT devices can only reach the internet on ports 80 and 443" or "block all outbound DNS except to my chosen DNS server."
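An added example (not pfSense's or OPNsense's own code) of the outbound policy described above, written as a first-match rule evaluator in Python in the top-to-bottom style those firewalls use. The subnets, resolver address and sample flows are constructed; the consumer-default ruleset is included so the two verdicts can be compared side by side.

```python
# First-match outbound policy in the style of a pfSense/OPNsense ruleset
# (added example, not the projects' own code). Subnets, hosts and rules are constructed.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # trusted desktops and phones
IOT = ipaddress.ip_network("192.168.20.0/24")     # cameras, TVs, plugs
RESOLVER = ipaddress.ip_address("192.168.1.1")    # the one DNS server IoT may use
ANY_SRC = ipaddress.ip_network("0.0.0.0/0")

# Rule = (action, source network, protocol or "any", destination host or "any", ports or "any").
# Rules are evaluated top to bottom and the first match wins; no match means deny.
RESTRICTED_OUTBOUND = [
    ("allow", IOT, "udp", RESOLVER, {53}),       # DNS only to the chosen resolver
    ("deny",  IOT, "any", "any", {53, 853}),     # block every other DNS and DoT destination
    ("allow", IOT, "tcp", "any", {80, 443}),     # IoT may reach the web, nothing else
    ("deny",  IOT, "any", "any", "any"),
    ("allow", LAN, "any", "any", "any"),         # trusted LAN keeps full outbound access
]

# What a consumer router ships with: everything outbound is allowed.
CONSUMER_DEFAULT = [("allow", ANY_SRC, "any", "any", "any")]


def evaluate(rules, src_ip, proto, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one outbound flow under the given ruleset."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, net, r_proto, r_dst, r_ports in rules:
        if src not in net:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_dst != "any" and r_dst != dst:
            continue
        if r_ports != "any" and dst_port not in r_ports:
            continue
        return action
    return "deny"  # implicit default deny at the end of the ruleset


def compare(src_ip, proto, dst_ip, dst_port):
    """Verdict under the consumer default next to the restricted policy."""
    return (evaluate(CONSUMER_DEFAULT, src_ip, proto, dst_ip, dst_port),
            evaluate(RESTRICTED_OUTBOUND, src_ip, proto, dst_ip, dst_port))
```

Under the restricted policy an IoT camera can still load a web page but cannot reach an arbitrary port on an unknown host or use a third-party DNS server, while the consumer default allows all three.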

Port Forwarding Risks

Port forwarding is how you punch deliberate holes in your firewall. When you forward a port, you tell the router: "any traffic arriving on this port should be sent to this specific internal device." This is necessary for running game servers, self-hosted services, or remote access tools.

Each port forward is a permanent hole in your firewall. The security of that hole depends entirely on the software listening on the other end. If you forward port 22 for SSH access to a Raspberry Pi, anyone on the internet can attempt to log in. If that Pi has a weak password or an unpatched SSH vulnerability, your network is compromised.

Common port forwarding mistakes include forwarding port 80 or 443 to a NAS with a web interface that has known vulnerabilities, forwarding port 3389 (Remote Desktop) directly to a Windows PC, and leaving port forwards active for services that are no longer running.

Audit your port forwards quarterly. Most routers list active forwards under a "Port Forwarding" or "Virtual Servers" section. Remove any forward you cannot explain.

UPnP - The Silent Door Opener

Universal Plug and Play (UPnP) allows devices on your network to automatically create port forwards without your knowledge or approval. A gaming console uses UPnP to open ports for multiplayer. A smart TV uses it to receive incoming streams. The intent is convenience.

The security problem is severe. Any device on your network - including compromised ones - can use UPnP to open a port forward to itself. Malware regularly exploits UPnP to open backdoors through the firewall. The user never sees a prompt, never approves the change, and often never knows the port was opened.

Disable UPnP on your router. The setting is typically under "Advanced" or "NAT" settings. Some devices will complain about "strict NAT" afterward (particularly gaming consoles). For those specific devices, create manual port forwards instead. Manual forwards are controlled and auditable. UPnP forwards are neither.

graph LR
    subgraph "Your Network"
        CONSOLE[Game Console]
        MALWARE[Infected IoT Device]
        CAMERA[IP Camera]
    end
    subgraph "Router"
        UPNP[UPnP Service]
        FW[Firewall Rules]
        PORT_TABLE[Port Forward Table]
    end
    subgraph "Internet"
        GAME_SRV[Game Server]
        C2[Command and Control Server]
    end
    CONSOLE -->|UPnP Request - Open Port 3074| UPNP
    MALWARE -->|UPnP Request - Open Port 4444| UPNP
    UPNP -->|Auto-creates Forward| PORT_TABLE
    PORT_TABLE -->|Bypasses| FW
    C2 -->|Connects Through Open Port| MALWARE
    GAME_SRV -->|Connects Through Open Port| CONSOLE

UPnP lets any device open firewall ports automatically - including compromised devices creating backdoors

DMZ Misconceptions

The "DMZ" setting on consumer routers is one of the most misunderstood features. In enterprise networking, a DMZ (Demilitarized Zone) is a separate network segment that sits between the internet and the internal network. Servers that need public access go in the DMZ, protected by firewall rules on both sides.

On a consumer router, "DMZ" means something completely different. It forwards ALL inbound traffic to one device. Every port. Every protocol. The device receives the full force of the internet with zero filtering. It is the nuclear option of port forwarding.

People enable DMZ when they cannot figure out which specific ports to forward. This is a terrible solution. Instead of opening the one or two ports a service needs, DMZ opens all 65,535 of them. Never use the DMZ setting on a consumer router unless you fully understand the consequences and the target device has its own robust firewall.

When to Upgrade Hardware

Consumer routers have real limitations. Their firewall rules are basic (inbound allow/deny, no outbound filtering), their logging is minimal (if it exists at all), and their firmware updates are infrequent. When you need more, dedicated firewall hardware is the answer.

pfSense runs on any x86 hardware with two network interfaces. An old desktop with an added PCIe network card works. Dedicated appliances from Netgate start around $200. pfSense gives you full inbound and outbound filtering, VLAN support, VPN, intrusion detection (via Suricata), DNS filtering (via pfBlockerNG), and detailed logging.

OPNsense is a fork of pfSense with a more modern interface and a slightly different package ecosystem. The capabilities are similar. Either one transforms your home network from "default consumer" to "properly defended."

Consider upgrading when you need outbound filtering, VLAN segmentation, VPN for remote access, IDS/IPS, or simply better visibility into what your network is doing.

graph TD
    subgraph "Consumer Router"
        CR_IN[Inbound Filtering - Basic]
        CR_OUT[Outbound Filtering - None]
        CR_LOG[Logging - Minimal]
        CR_VLAN[VLANs - None]
        CR_IDS[IDS/IPS - None]
    end
    subgraph "Dedicated Firewall - pfSense/OPNsense"
        DF_IN[Inbound Filtering - Granular]
        DF_OUT[Outbound Filtering - Full Control]
        DF_LOG[Logging - Detailed with Export]
        DF_VLAN[VLANs - Full Support]
        DF_IDS[IDS/IPS - Suricata Integration]
        DF_DNS[DNS Filtering - pfBlockerNG]
        DF_VPN[VPN - WireGuard/OpenVPN]
    end
    CR_IN -.->|Upgrade Path| DF_IN
    CR_OUT -.->|Upgrade Path| DF_OUT

Consumer routers vs dedicated firewall hardware - the gap in capability is significant

What Firewalls Do Not Protect Against

A firewall controls network traffic. It does not control what users do, what software runs on devices, or what happens on wireless networks.

Phishing bypasses your firewall completely. The user initiates the connection by clicking a link, so the firewall sees it as legitimate outbound traffic followed by a legitimate inbound response. The phishing page is served over HTTPS on port 443 - the same port every legitimate website uses.

Malware on trusted devices communicates outbound, which consumer firewalls allow unconditionally. Even with outbound filtering on a dedicated firewall, modern malware uses HTTPS to blend with normal traffic. Without TLS inspection (which has its own complications), you cannot distinguish malware callbacks from normal web browsing.

WiFi attacks operate below the firewall layer entirely. Deauthentication attacks, evil twin access points, and WPA handshake captures all happen on the wireless medium before any traffic reaches the router's firewall logic. A firewall cannot protect against an attacker who is attacking the wireless protocol itself.

A firewall is one layer of defense. It needs to work alongside endpoint protection, DNS filtering, network segmentation, and wireless security monitoring.

Verifying Your Firewall With BLEShark Nano

The BLEShark Nano is useful here in a complementary role. While it cannot test your firewall rules directly (that requires tools like nmap from the WAN side), it fills the gap your firewall leaves open: wireless security.

Use the Nano's WiFi scanner to check for unauthorized access points on or near your network. A rogue AP connected to your LAN behind the firewall gives an attacker direct access to your internal network, completely bypassing every firewall rule you have configured. The Nano can also detect deauthentication attacks targeting your wireless clients - another threat class that firewalls are blind to.

Think of it this way: your firewall guards the front door (the internet connection). The BLEShark Nano watches the windows (the wireless environment). Both need attention.
