pfSense Firewall Configuration

Around March this year I started watching a few tech channels on YouTube. I came across a YouTuber called NetworkChuck who did a tutorial on setting up pfSense on a mini PC called a Protectli. pfSense is open-source firewall/router software used in home, small-business, and enterprise settings. It can be run virtually or on a hardware appliance. I took the hardware route, purchased a Protectli box through Amazon, and installed pfSense from a flash drive.

Protectli Box on Amazon

Out of the box pfSense denies all inbound WAN traffic, allows all LAN traffic, and has no open ports, so the starting posture is reasonably secure: nothing is exposed through the firewall. My next goal was to learn about VLANs and network segmentation. I purchased a TP-Link TL-SG108E 8-port managed switch to allow for VLANs. The switch is managed through a web GUI, where I added three VLANs on specific ports for IoT devices, my work tablet, and my household's personal desktop PCs. Once the switch was aware of the VLANs, I added interfaces in pfSense to recognize these VLAN tags.

TP-Link Switch on Amazon

Once both devices were aware of the VLANs and an interface existed for each, I only had to create the firewall rules and enable the DHCP server. I based the IP address scheme on the VLAN tag, for example 10.27.40.1 for VLAN tag 40. On every interface except the IoT network I limited the number of addresses handed out via DHCP to the number of devices on that interface, so no other device plugged into that segment could obtain a lease. The example attached below shows only one IP address available in my DHCP range, since only my tablet uses it.

When planning my firewall rules I wanted to make sure the networks could not communicate with one another, with the exception of my desktop PCs, which I allowed through for management and security purposes. For example, on my work network I added block rules for the LAN net and the IoT net to isolate that device from the others. I attached a screenshot of this setup for reference below.
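The address scheme, the right-sized DHCP pools, and the per-VLAN block rules described above can be modelled in a few lines. The following is an added example, not code or configuration from this post or from pfSense: it derives each VLAN's /24 from its tag, computes a DHCP range no larger than the device count, and evaluates a first-match rule list per interface with a default deny, the way pfSense processes rules on traffic entering an interface. All subnets, VLAN tags other than 40, device counts and the "desktops may reach everything" rule are constructed assumptions; the post only names VLAN 40 and the block rules on the work network.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed network plan (example values, not the post's actual config).
# Each VLAN tag N maps to 10.27.N.0/24 with the gateway at .1, as the post describes.
# "lan" is pfSense's default LAN interface; its subnet here is a placeholder.
NETWORKS = {
    "lan":      ipaddress.ip_network("10.27.1.0/24"),
    "work":     ipaddress.ip_network("10.27.40.0/24"),   # VLAN 40, one tablet
    "iot":      ipaddress.ip_network("10.27.50.0/24"),   # VLAN 50 (constructed tag)
    "desktops": ipaddress.ip_network("10.27.60.0/24"),   # VLAN 60 (constructed tag)
}


def subnet_for_tag(tag: int) -> ipaddress.IPv4Network:
    """Derive the /24 for a VLAN tag using the post's 10.27.<tag>.0 scheme."""
    if not 1 <= tag <= 254:
        raise ValueError("tag must fit in the third octet")
    return ipaddress.ip_network(f"10.27.{tag}.0/24")


def dhcp_range(tag: int, device_count: int, first_host: int = 10) -> tuple[str, str]:
    """Size the DHCP pool to exactly the number of known devices.

    The pool starts at .first_host so the gateway (.1) and a few static
    addresses stay outside it.  Note this is housekeeping, not access control:
    a device can still configure a static address in the subnet, so the
    firewall rules below are what actually enforce isolation.
    """
    net = subnet_for_tag(tag)
    if device_count < 1 or first_host + device_count - 1 > 254:
        raise ValueError("pool does not fit in the subnet")
    start = net.network_address + first_host
    end = start + (device_count - 1)
    return str(start), str(end)


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    dst: str      # a key of NETWORKS, or "any"


# Per-interface rule lists, evaluated top-down, first match wins (pfSense
# semantics).  An interface's rules apply to traffic entering pfSense from
# that interface, so the source is always that interface's own subnet.
RULES = {
    "lan":      [Rule("block", "work"), Rule("block", "iot"),
                 Rule("block", "desktops"), Rule("pass", "any")],
    "work":     [Rule("block", "lan"), Rule("block", "iot"),
                 Rule("block", "desktops"), Rule("pass", "any")],
    "iot":      [Rule("block", "lan"), Rule("block", "work"),
                 Rule("block", "desktops"), Rule("pass", "any")],
    "desktops": [Rule("pass", "any")],   # management network may reach everything
}


def interface_of(ip: str) -> str | None:
    """Return the interface whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str) -> str:
    """Decide pass/block for a *new* connection from src_ip to dst_ip.

    An unknown source interface or an exhausted rule list yields "block",
    matching pfSense's default deny.  Reply packets of an allowed session are
    not modelled here; pfSense is stateful and permits them automatically.
    """
    iface = interface_of(src_ip)
    if iface is None:
        return "block"
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES[iface]:
        if rule.dst == "any" or dst in NETWORKS[rule.dst]:
            return rule.action
    return "block"


if __name__ == "__main__":
    print("VLAN 40 pool:", dhcp_range(40, 1))          # one tablet -> one address
    print("work -> iot :", evaluate("10.27.40.10", "10.27.50.7"))
    print("desktop -> iot:", evaluate("10.27.60.10", "10.27.50.7"))
```

Because the work tablet has a single-address pool and block rules ahead of its pass-any rule, it can reach the internet but not the LAN, IoT or desktop segments, while the desktop network's lone pass rule lets it manage everything. In the real firewall the same ordering matters: a pass-any rule placed above the block rules would silently defeat the segmentation.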

Overall, this project gave me an understanding of DHCP, traffic flow, firewall rules, VLANs, and network segmentation. It was my first real networking project, but it is not the full scope of my knowledge: I have since gone further, setting up a VPN server, a privacy VPN, web filtering, and other projects. As time allows, I will add these projects to my website.
