If you’re into home labbing and networking, building your own router with software like OPNsense or pfSense might sound like a lot of fun, but to be honest, it’s not for everyone. Not only do you need slightly more specialist hardware, but there’s a lot of work that goes into maintaining your network, too; significantly more than if you had just stuck with your ISP’s router.
With that said, the benefits can be worth it, and it can be incredibly rewarding to set up and configure. If you’re looking to weigh up the differences between OPNsense and pfSense, we’ll touch on that a little bit here too, but this article is more about whether you should set up a custom router platform in general. This is a decision that shouldn’t be taken lightly.
Using OPNsense or pfSense is a commitment
Poorly implemented security is worse than no security
Your ISP’s router, or even just a regular off-the-shelf router from the likes of TP-Link, is preconfigured to protect your network from the wider internet. It’ll have its own firewall, it’ll have basic features to improve security that are easily configured, and for the most part, you simply don’t need to worry about things working. These devices are designed for everyone, including those who may not be particularly adept when it comes to technology, so their simplicity, married with effectiveness, tends to be their selling point.
When you commit to your own router and firewall platform, however, none of that is provided. I’ve built my own OPNsense router and firewall on my home network, which manages all my connections to my ISP over PPPoE. It manages my DHCP for allocating IP addresses to devices on my network, my port forwards, and my network protections in the form of a firewall, Intrusion Detection Systems (IDS), and Intrusion Protection Systems (IPS). The latter two are implemented using CrowdSec and ZenArmor. With ZenArmor, I can see inbound and outbound connections, filtering traffic based on rules relating to malware protection and targeted attacks.
By default, on most networks, OPNsense will allow all outbound traffic, and it’s up to you to figure out the traffic you want to block and allow. There are plenty of resources out there to get you started, and I set up a blocking rule with FireHOL’s IP list immediately. This is a list of IP addresses that are associated with malware, spam, and network attacks. It’s pretty easy to set up and configure, but it’s merely scratching the surface of network security. If you need to use a VLAN (which some ISPs require), then OPNsense will block everything by default, which means you’ll need to create rules to allow traffic instead.
That’s the problem when it comes to running your own router, though, as you’re now the one in charge of security and connections. Even though your ISP’s router may not use things like the FireHOL IP list to protect you online, you know that it’s giving you some protection, and that everything will just work. When you misconfigure something on your network, it’s your responsibility, and the power that you wield to block everything can also be used to accidentally allow traffic that you didn’t intend to… and may even give would-be attackers more access to your home network than your ISP router would ever have. Plus, it’s possible to lock yourself out of your own router, which is a headache in itself to try and solve in some situations.
That’s not to scare you off of configuring your own network, though. It’s just the reality of it, and poorly implemented security can be worse than having no security at all, as you’ll think you’re protected when you’re not. If your ISP router was the kind to never get updates or security patches, then you’ll almost always be safer on your own OPNsense or pfSense platform, but you still need to keep on top of your firewall rules, your IDS/IPS, and system updates. Otherwise, you’re kind of missing the point of why you’d do it in the first place, and you’re leaving yourself at risk.
You might need to buy new hardware
And maybe even some software
To run your own OPNsense or pfSense network, too, you’ll likely need to make some investments. You’ll need a machine that has multiple Network Interface Cards, or NICs, so that one can connect to your ISP and one can connect to your network switch. You’ll also need to be careful of the brand of the NICs, with Intel NICs being some of the highest quality you can get. Realtek NICs, for example, suffer from instability issues, which could see your network stop working for reasons that aren’t immediately apparent. I’m using the Ugreen DXP4800 Plus with Proxmox installed on it for my OPNsense platform, and that NAS has an Intel I226-V 2.5GbE and an Aquantia AQC113 10GbE. The Aquantia NIC does not have any FreeBSD drivers, which is why I have to run OPNsense through Proxmox. Plus, for gigabit PPPoE connections, it can be better to virtualize OPNsense instead of running it on bare metal.
However, even if you have a NAS with the NICs required to make this work, best practice dictates that you do very little else on the host that handles your network. All of those home lab experiments that crash your server or even just require a reboot? Those become significantly more detrimental when the server that crashes is also handling your connectivity, so whatever device you install OPNsense or pfSense on, you should be content with letting it sit there more or less untouched. I have a basic iSCSI share from the drives that are still in the Ugreen NAS, but that’s it. I wouldn’t deploy any additional software on it.
What that means is that if you have a home lab, don’t go and buy an extra PCI NIC just to set up your own router and firewall. It’s best to have a dedicated piece of hardware that you can use for connectivity, and that way, you’ll never have to look at it or change anything software-wise once it’s up and running. That’ll run its own cost, but depending on the software that you want to protect your network, you may need to prepare to cough up some additional expenses, too. ZenArmor, for example, is great for network security, but it’ll incur a monthly subscription, whereas Suricata is free, with the pro version also available for free if you opt in to telemetry. Sadly, it doesn’t work on a WAN interface with PPPoE connections, and my log was completely empty for two days before I realized it.
Being honest, it’s possible to run a secure network without making investments on the software side of things, but spending money can sometimes make it easier. If you can run Suricata and CrowdSec, both free options, you’re already in a really good position. Pair it up with Unbound DNS, a DNS server that runs inside of OPNsense, and you’re good to go in order to protect yourself against the vast majority of threats online. I’m just in the unfortunate position of using PPPoE to connect to my ISP, which isn’t always supported by typical IDS/IPS solutions.
Related
5 reasons Proxmox is better than Harvester for your home lab
Not everyone needs a production-grade virtualization platform
Should you commit to building your own router?
It doesn’t hurt to try
If you’ve read this article and come away from it thinking “that sounds fun!” then you’re the prime candidate to deploy this kind of system. If, however, it sounds like a lot of work, and you’re apprehensive about managing your own security, it’s completely understandable. You take on a lot of responsibility, and while both OPNsense and the many plugins available aim to make it as easy as possible, the truth is it won’t ever be as easy as using an off-the-shelf router or even just the one from your ISP. You’ll miss out on some incredible features that way, but at least you’ll save yourself the headache.
For me, deploying OPNsense was as much about security as it was about having fun and learning something new. I really enjoyed setting it up, and having control of my entire network is super interesting. With ZenArmor, I can log all of the traffic, and I can even generate reports and statistics if I want to. As a data nerd, I get pretty excited by those possibilities. Plus, you can combine Unbound in OPNsense with Pi-hole for blocking content across the web.
If you have the hardware available to you to try and pull off an OPNsense or pfSense setup, you can always try it out and go back to your old router if it doesn’t work for you. There’s no need to commit to it, and it doesn’t have to be a permanent changeover. With a network switch too, you simply plug your LAN port from your OPNsense/pfSense device into it, and then you can use the switch to share that connection to other devices. I have my main home lab server, my PC, and my mesh network plugged into my switch, and everything just works. I didn’t have to do anything on any of my other devices, as my only wireless access that I used was the mesh network anyway.
I loved setting up OPNsense, and the power I have over my network is just really… fun. I’m super careful with it, but I love trying out new plugins and optimizing things further. Even when it comes to IP leasing from my ISP, I used to have five minutes of downtime around midnight, as my ISP router took a couple of minutes to realize it no longer had internet access and needed to request a new IP. Now, it happens in under a minute. It’s the little things, but if you’re the kind of person that loves playing around with configurations and collecting data, it’s definitely worth it.
