Intro

For this project, it’s essential to have a highly configurable firewall and gateway that supports advanced networking features. Specifically, the lab requires:

  • VLAN support for network segmentation

  • Advanced routing and NAT rules

  • Internal DNS resolution

  • Traffic filtering and monitoring capabilities

There are many firewalls that meet these criteria, including OPNsense, VyOS, and enterprise-grade hardware solutions. However, I’m most familiar with pfSense, a mature and feature-rich open-source firewall built on FreeBSD. It offers a robust web interface, extensive community support, and deep configuration options.

That said, as I continue to build out my homelab environment, I plan to experiment with alternative solutions in controlled scenarios. This project begins with pfSense, but it’s part of a broader effort to explore and compare tools in real-world setups.


Hardware Considerations

When selecting hardware for a firewall, it’s important to balance external bandwidth needs (your ISP connection) with internal throughput (the traffic between devices on your network).

In my case:

  • My expected internet connection is 400 Mbps down, which is a common mid-range residential speed

  • However, my internal network will use Gigabit Ethernet (1000 Mbps) hardware, allowing much faster communication between devices within the lab

This means that while external downloads are limited to 400 Mbps, internal operations like file transfers, backups, and logging between VMs or hosts can run at full gigabit speed — independent of the internet.

A note on terminology (often a source of confusion):

  • Gigabit (Gb) and Megabit (Mb) measure network bandwidth

  • Gigabyte (GB) and Megabyte (MB) measure file sizes or storage

  • 1 byte = 8 bits, so a 1000 Mbps link tops out at about 125 MB per second, and a little less in practice once Ethernet, IP and TCP headers take their share

This distinction explains why an internet connection sold as “400 Mbps” will never download files at “400 megabytes per second”: the ceiling is about 50 MB/s. It is a difference in units, not a slow connection.


Core Network Hardware

To support this lab’s needs for VLANs, routing, and internal traffic analysis, I’ve selected the following core hardware:

  • Router: Protectli Vault FW4B-0-8-120
    An affordable, compact mini PC purpose-built for firewall deployments.

    • Equipped with 4 Intel NICs, RJ45 console port, USB 3.0, and HDMI output

    • Ideal for running pfSense, with enough horsepower to handle IDS/IPS workloads, VLAN routing, and VPN throughput

  • Switch: TP-Link TL-SG1024DE (24-Port Gigabit Easy Smart Switch)
    A budget-friendly, VLAN-capable switch with a good port count.

    • Supports 802.1Q VLAN tagging, port mirroring (useful for feeding a sensor or packet capture box), and basic per-port traffic statistics

    • Layer 2 only, with no routing and no ACLs: every packet that crosses a VLAN boundary has to travel up the trunk to pfSense, which is exactly where the firewall rules live. That is sufficient for homelab segmentation and testing

These choices balance cost, capability, and power efficiency, all three of which matter for infrastructure that runs around the clock at home. They also happen to be hardware I already had on hand from previous lab iterations.


Integrating the Switch with pfSense

Although the TP-Link TL-SG1024DE is not a fully managed Layer 3 switch, it supports 802.1Q VLAN tagging, which is essential for network segmentation in this lab. Later in the project, pfSense will be configured with multiple VLAN interfaces, and this switch will relay that segmentation across physical ports.

The switch’s configuration will be kept intentionally minimal: one trunk port toward pfSense that carries every VLAN tagged, and access ports that each deliver a single VLAN untagged to the host plugged into them, so that the segmentation defined on pfSense is enforced all the way down to the physical port. This strikes a balance between practical homelab capability and the kind of structured isolation seen in production networks.

VLAN creation and tagging will be covered in the next post where pfSense interface assignments and switch configuration are aligned.
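Most VLAN "leaks" in a setup like this come from a port that is untagged in two VLANs, a PVID that does not match the port's membership, or a VLAN that exists on the switch but has no pfSense interface (and therefore no gateway and no firewall policy). The script below is an added example written for this post, not pfSense or TP-Link code, that checks a switch port plan against the list of VLAN interfaces pfSense will have. The VLAN IDs, port names and the igb1.X interface names in the sample are hypothetical and stand in for the real plan that the next post will define.

```python
"""Check that an 802.1Q switch port plan matches the VLANs pfSense will route.

Added example for this post, not pfSense or TP-Link code. It encodes the rules
an Easy Smart style switch follows: every port has exactly one PVID, a port is
an untagged member of at most one VLAN, and the PVID must be a VLAN the port
belongs to. The port facing pfSense (the trunk) must carry, tagged, every VLAN
pfSense has an interface for, and must be untagged in the native LAN VLAN that
the parent interface (igb1) serves. A VLAN used on the switch with no pfSense
interface has no gateway or firewall policy, so it is reported too.
"""
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    name: str
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def members(self) -> set:
        return self.untagged | self.tagged


def check_vlan_plan(pfsense_vlans: dict, native_vlan: int,
                    ports: dict, trunk_port: str) -> list:
    """Return findings as strings; an empty list means the plan is consistent.

    pfsense_vlans maps 802.1Q VLAN ID -> pfSense VLAN interface (e.g. igb1.10).
    native_vlan is the untagged VLAN the parent interface itself serves.
    """
    findings = []
    for name, port in ports.items():
        if len(port.untagged) > 1:
            findings.append(f"{name}: untagged member of more than one VLAN {sorted(port.untagged)}")
        if port.untagged & port.tagged:
            findings.append(f"{name}: VLAN both tagged and untagged {sorted(port.untagged & port.tagged)}")
        if port.pvid not in port.members():
            findings.append(f"{name}: PVID {port.pvid} is not a VLAN this port belongs to")
    trunk = ports[trunk_port]
    if trunk.pvid != native_vlan or native_vlan not in trunk.untagged:
        findings.append(f"{trunk_port}: trunk must be untagged in native VLAN {native_vlan} with PVID {native_vlan}")
    for vid, iface in sorted(pfsense_vlans.items()):
        if vid not in trunk.tagged:
            findings.append(f"{trunk_port}: pfSense VLAN {vid} ({iface}) is not tagged on the trunk")
    routed = set(pfsense_vlans) | {native_vlan}
    in_use = set().union(*(p.members() for p in ports.values()))
    for vid in sorted(in_use - routed):
        findings.append(f"VLAN {vid} is configured on the switch but pfSense has no interface for it")
    return findings


# Constructed sample plan with hypothetical VLAN IDs and port roles, not the post's final design.
SAMPLE_VLANS = {10: "igb1.10", 20: "igb1.20", 30: "igb1.30"}
SAMPLE_PORTS = {
    "port1": SwitchPort("port1", pvid=1, untagged={1}, tagged={10, 20}),   # trunk to pfSense igb1; VLAN 30 forgotten
    "port2": SwitchPort("port2", pvid=10, untagged={10}),                  # access port in VLAN 10
    "port3": SwitchPort("port3", pvid=20, untagged={20}),                  # access port in VLAN 20
    "port4": SwitchPort("port4", pvid=30, untagged={10, 30}),              # mistake: untagged in two VLANs
    "port5": SwitchPort("port5", pvid=40, untagged={40}),                  # mistake: VLAN 40 has no pfSense interface
}


def sample_findings() -> list:
    """Run the check over the constructed sample plan (three deliberate mistakes)."""
    return check_vlan_plan(SAMPLE_VLANS, native_vlan=1, ports=SAMPLE_PORTS, trunk_port="port1")


if __name__ == "__main__":
    for line in sample_findings() or ["plan is consistent"]:
        print(line)
```

Run it once with the real port table typed in from the switch's 802.1Q VLAN page before plugging hosts into the access ports; the three mistakes in the sample are the ones that most often turn a "segmented" lab into one flat network.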


Home vs. Industry: What’s Different?

While this project aims to replicate many aspects of a production network, it’s important to understand where a residential homelab environment differs from a true enterprise deployment:

Area              Homelab Setup                                Industrial Network
Hardware          Low-power appliances (Protectli, TP-Link)    Enterprise-grade appliances (Cisco, Juniper, Fortinet)
Switching         Basic VLAN support, limited QoS/ACLs         Full Layer 3 switching, redundant paths, PoE, QoS
Power & Cooling   Standard power supply, minimal cooling       UPS-backed redundant power, climate control
Uptime/SLAs       Occasional reboots/upgrades acceptable       High availability, failover, 24/7 reliability
Scale             < 10 devices or VMs                          100s–1000s of clients, racks of gear

Despite these limitations, a homelab can closely approximate the structure and workflows of a production network. With the right VLAN configuration, firewall policies, and service layering, the lab will replicate key architectural and security concepts used in professional environments.

By designing with modularity, segmentation, and observability in mind, this project builds meaningful, real-world experience — even if the equipment is scaled down.


pfSense Installation Summary

With hardware selected and goals defined, I installed pfSense CE on the Protectli Vault using the standard USB memstick installer. The setup process involved:

  • Writing the pfSense memstick image to a USB drive (the memstick installer ships as a .img, not an ISO)
  • Booting the Vault with a keyboard and HDMI display attached
  • Installing to the internal SSD and assigning interfaces from the console menu

Initial layout:

  • igb0 → WAN (modem)
  • igb1 → LAN (trunk port on the TL-SG1024DE)

After setting a static LAN IP, I accessed the web UI to:

  • Run the setup wizard
  • Configure admin credentials and hostname
  • Verify WAN/LAN routing
  • Set custom DNS servers (I currently prefer Google’s 8.8.8.8 and 8.8.4.4)

One caveat on that last step: the servers entered under System > General Setup are used by the firewall itself, and by the built-in DNS Resolver (Unbound) only when forwarding mode is enabled. In its default configuration Unbound resolves recursively from the root servers and ignores that list, and the “DNS Server Override” option, checked by default, lets servers handed out by the WAN’s DHCP replace it. Internal DNS resolution for the lab, with host overrides per VLAN, is a separate piece of configuration.

With connectivity verified, the firewall was ready for advanced configuration: VLANs, firewall rules, IDS, and DNS overrides.

In the next post, I’ll walk through configuring VLAN interfaces on pfSense and aligning the switch port assignments to match.