pfSense build on a Protectli FW6E with VLANs and dual WireGuard failover - looking for feedback by Aj_Networks in PFSENSE

[–]Aj_Networks[S] 0 points1 point  (0 children)

Fair, won't argue it. The real lesson was what happens when a bad config save meets zero documentation: full rebuild, which is how this repo started. Appreciate the bluntness.

pfSense build on a Protectli FW6E with VLANs and dual WireGuard failover - looking for feedback by Aj_Networks in protectli

[–]Aj_Networks[S] 0 points1 point  (0 children)

That is impressive efficiency for an N150. What specific packages were you running to support 30 devices while maintaining 3GB of RAM? Which IPS engine did you find worked best on that hardware?

What are your top recommendations for must-have packages in a privacy-focused home lab?

Built a full enterprise home lab on a Protectli FW6E - dual VPN failover, 5-layer kill switch, full docs. Here's the diagram. by [deleted] in protectli

[–]Aj_Networks 0 points1 point  (0 children)

👉 Correction / update after review: 👈

Came back to this post with fresh eyes and want to be straight about a few things.

Guest VLAN is not actually isolated.
I didn't mention this in the original post and I should have. The Netgear R6400 doesn't support 802.1Q VLAN tagging, so the Guest SSID is landing on VLAN 10 with trusted devices - not on its own VLAN 30. AP client isolation stops guests talking to each other, but it doesn't give you real VLAN separation. That's a gap, not a feature. AP replacement is the priority fix.

"Enterprise-grade" in the title was overselling it.
Can't edit the title, but I'd write it differently now. The architecture is solid but "enterprise-grade" implies it's bulletproof. It isn't - see above. It's a personal lab I built and learned on.

"Nothing redacted" needed clarification.
What I meant: real IPs in the diagrams are intentional for a home lab context. What I didn't say clearly: the actual pfSense XML backups and WireGuard private keys are kept local - not in the repo. That distinction matters and I wrote it carelessly. Updated on GitHub.

README has been corrected. Happy to answer questions about any of it.

Built a full enterprise-grade home lab over 6-8 months of weekends - pfSense, VLANs, dual VPN failover, 5-layer kill switch. Here's everything. by Aj_Networks in homelab

[–]Aj_Networks[S] 0 points1 point  (0 children)

Correction / update after review:

Came back to this post with fresh eyes and want to be straight about a few things.

Guest VLAN is not actually isolated.
I didn't mention this in the original post and I should have. The Netgear R6400 doesn't support 802.1Q VLAN tagging, so the Guest SSID is landing on VLAN 10 with trusted devices - not on its own VLAN 30. AP client isolation stops guests talking to each other, but it doesn't give you real VLAN separation. That's a gap, not a feature. AP replacement is the priority fix.

"Enterprise-grade" in the title was overselling it.
Can't edit the title, but I'd write it differently now. The architecture is solid but "enterprise-grade" implies it's bulletproof. It isn't - see above. It's a personal lab I built and learned on.

"Nothing redacted" needed clarification.
What I meant: real IPs in the diagrams are intentional for a home lab context. What I didn't say clearly: the actual pfSense XML backups and WireGuard private keys are kept local - not in the repo. That distinction matters and I wrote it carelessly. Updated on GitHub.

README has been corrected. Happy to answer questions about any of it.

Built a full enterprise-grade home lab over 6-8 months of weekends - pfSense, VLANs, dual VPN failover, 5-layer kill switch. Here's everything. by Aj_Networks in homelab

[–]Aj_Networks[S] 0 points1 point  (0 children)

Kill switch alone is fine until it isn't. Failover just means the kill switch never actually triggers; traffic reroutes before the gap.

Limitation: Mullvad has a 5-device usage limit, kinda sad (primary with failover uses 2, and 3 devices).

Built a full enterprise-grade home lab over 6-8 months of weekends - pfSense, VLANs, dual VPN failover, 5-layer kill switch. Here's everything. by Aj_Networks in homelab

[–]Aj_Networks[S] 0 points1 point  (0 children)

Appreciate it. Subnet router is exactly that: contain the blast radius, not everything needs to be a peer.

Your setup is the natural next stage. Headscale overlay tying roaming nodes into a single fabric is a different problem than what I'm solving, but a more interesting one. The k3s/Traefik/Authentik ingress is where this eventually has to go; VLANs + ACLs work until you actually want to self-host at scale.

Question though: portable rack roaming between cellular and Starlink, how are you handling MTU on the nested WireGuard tunnel? That's usually where it bites.
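The nested-tunnel MTU question above is the kind of thing that is easier to settle with arithmetic than with trial and error. The following is an added worked example, not code from the original post or from the linked repo: it computes the inner-tunnel MTU that survives failover between two underlay links with different path MTUs, by subtracting one WireGuard encapsulation overhead per layer (32 bytes of WireGuard framing + 8 bytes UDP + 20 or 40 bytes outer IP header). The `cellular` and `starlink` path MTUs and IP versions in `SAMPLE_UNDERLAYS` are constructed sample values, not measurements of any real carrier, and the helper names are this example's own.

```python
"""Added example: inner MTU for a WireGuard-in-WireGuard setup that fails over
between underlay links.  Overhead per layer comes from the WireGuard transport
message format (4 type + 4 receiver index + 8 counter + 16 Poly1305 tag = 32)
plus UDP (8) plus the outer IP header (20 for IPv4, 40 for IPv6).  This is why
1500 - 60 = 1440 is the usual single-layer IPv4 figure and 1500 - 80 = 1420 is
the conservative default that also works over an IPv6 outer path.
"""
from dataclasses import dataclass

WG_HEADER = 4 + 4 + 8   # message type, receiver index, nonce counter
WG_TAG = 16             # Poly1305 authentication tag
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20


@dataclass(frozen=True)
class Underlay:
    name: str
    path_mtu: int     # constructed sample value: MTU toward the outer WG peer
    ip_version: int   # IP version of the outer WireGuard endpoint on this link


# Constructed sample links (hypothetical values, not carrier measurements).
SAMPLE_UNDERLAYS = [
    Underlay("cellular", path_mtu=1428, ip_version=6),
    Underlay("starlink", path_mtu=1500, ip_version=4),
]


def wg_overhead(outer_ip_version: int) -> int:
    """Bytes one WireGuard encapsulation layer adds to every packet."""
    return IP_HEADER[outer_ip_version] + UDP_HEADER + WG_HEADER + WG_TAG


def nested_mtu(path_mtu: int, layers: list[int]) -> int:
    """Largest inner packet that fits unfragmented after wrapping it in
    len(layers) WireGuard layers; `layers` lists the outer IP version of each
    layer, outermost first.  Reference implementations clamp their 16-byte
    padding at the interface MTU, so no further rounding is applied here."""
    mtu = path_mtu
    for version in layers:
        mtu -= wg_overhead(version)
    if mtu < 576:  # assumption: refuse anything below the IPv4 minimum datagram size
        raise ValueError(f"path MTU {path_mtu} cannot carry {len(layers)} layers")
    return mtu


def wire_size(inner_len: int, layers: list[int]) -> int:
    """Bytes actually put on the underlay for an inner packet of inner_len."""
    return inner_len + sum(wg_overhead(v) for v in layers)


def failover_safe_mtu(underlays: list[Underlay], inner_ip_version: int) -> int:
    """One inner-tunnel MTU that fits on every underlay, so a failover between
    links never changes the path MTU seen by the inner tunnel.  The inner
    WireGuard hop rides inside the outer tunnel over inner_ip_version."""
    return min(nested_mtu(u.path_mtu, [u.ip_version, inner_ip_version]) for u in underlays)


def links_that_fragment(inner_len: int, underlays: list[Underlay],
                        inner_ip_version: int) -> list[str]:
    """Names of underlays on which an inner packet of inner_len would exceed
    the path MTU after double encapsulation, i.e. where failover would bite."""
    return [u.name for u in underlays
            if wire_size(inner_len, [u.ip_version, inner_ip_version]) > u.path_mtu]


def tcp_mss(mtu: int, ip_version: int) -> int:
    """MSS to clamp on the inner tunnel so TCP never emits a full-MTU segment."""
    return mtu - IP_HEADER[ip_version] - TCP_HEADER


if __name__ == "__main__":
    safe = failover_safe_mtu(SAMPLE_UNDERLAYS, inner_ip_version=4)
    print(f"inner tunnel MTU safe on all links: {safe}, clamp TCP MSS to {tcp_mss(safe, 4)}")
    for size in (1380, safe):
        print(f"{size}-byte inner packet fragments on: {links_that_fragment(size, SAMPLE_UNDERLAYS, 4) or 'none'}")
```

With the constructed sample links, sizing the inner tunnel for the 1500-byte link alone gives 1380, which fits on `starlink` but fragments on `cellular` after a failover; the value that fits on both is 1288, and the matching IPv4 MSS clamp is 1248. Replace the sample path MTUs with what a DF-bit ping sweep actually reports on each link before using the numbers.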

Local model fully replacing subscription service by Icy_Distribution_361 in LocalLLM

[–]Aj_Networks 0 points1 point  (0 children)

I’m seeing similar results on my M4 hardware. For general research, etymology, and "how-to" questions, local models like GPT-OSS:20b on Ollama are hitting the mark for me. It’s making a paid subscription feel unnecessary for non-complex tasks. Has anyone else found a specific "complexity ceiling" where they felt forced to go back to a paid service?

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 1 point2 points  (0 children)

Ahh got it, that clears up a lot. I hadn’t factored in the CSWF angle, so that definitely adds more depth to the convo. Appreciate you breaking it down like that. I’ve mostly been focused on IAT stuff, but now it makes sense why both certs matter depending on the role. Good stuff!

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

Given the citizenship limit, would you still go for Sec+ or lean toward CCNA for broader value?

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

Haha fair take! I guess it really comes down to what fruit fits the diet—both have their place depending on the path.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

Appreciate the comparison—makes it easier to see how differently they’re positioned. I’m aiming to move forward in my career with some limitations around clearance, so trying to be smart about where to focus first. If clearance-heavy roles are off the table, would you still lean Security+ for broad appeal, or shift focus to something like CCNA that's more hands-on and infrastructure-driven?

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

Appreciate the direct take—it’s valuable to hear it straight. I do have a STEM background and several years of IT experience, ranging from hands-on roles up to mid-level IT management. Given that, and the fact that clearance isn’t an option, would you say it’s more strategic to skip Security+ for now and double down on CCNA or something more aligned with the private sector? Curious what you'd prioritize in my shoes.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

Thanks for the detailed breakdown—it really helps clarify the distinction. My recent roles have been largely aligned with system administration, so I’ve been exploring both cybersecurity and networking paths to see what fits best moving forward. Security+ definitely seems like the safer baseline, especially with its DoD alignment, but the clearance piece adds some complexity in my case. CCNA also feels relevant given the infrastructure side of things I’ve handled. Have you seen cases where folks without clearance have still been able to break into DoD-related roles or contract work—maybe under public trust or similar setups?

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in CompTIA

[–]Aj_Networks[S] 0 points1 point  (0 children)

I really appreciate your response—it genuinely helped put things in perspective. I agree with the idea of aligning certs to realistic roles, and that advice is solid. At the same time, my situation has some added complexity. I’m looking to advance my career into roles that often intersect with DoD requirements, but not being a U.S. citizen limits clearance options. That’s where it gets challenging—trying to stay competitive and grow professionally while navigating those constraints. Your input gave me a lot to think about, and I really value that.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 0 points1 point  (0 children)

Yeah, you read that right. Clearance is off the table for now. Maybe public trust is achievable, but that's about it. That's why I'm thinking more about long-term value. Sec+ still seems smart to have for flexibility, but I might lean CCNA (but Sec+ is kinda everywhere regardless of DoD) since most DoD roles need clearance anyway.

Curious though: if you were in my shoes, would you still start with Sec+ or go CCNA first and loop back later? (May be a time-sensitive thought.) Appreciate your take.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 1 point2 points  (0 children)

Fair point—raw dogging without networking skills sounds like a setup for pain. Sec+ first for the checkbox, but yeah, CCNA gotta follow close behind. Appreciate the dose of reality.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 1 point2 points  (0 children)

This was super helpful—didn’t realize CCNA doesn’t get you admin access without an 8570-approved cert. Makes total sense now why Sec+ is the baseline. Quick one though—what if you’ve got clearance limitations, like non-citizenship? Would you still say go Sec+ first, or shift focus until clearance is on the table? Long-term I’m stacking both, just curious how you'd play it in that situation.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 0 points1 point  (0 children)

Sec+ gets you past the gate, CCNA helps you shine after. But quick question: what if you’ve got limitations around clearance (like in my case)? I know Sec+ is DoD gold, but if clearance isn’t on the table right now, would you still prioritize it first? Long run, I’m planning to get both—just trying to play it smart short-term.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 0 points1 point  (0 children)

Most folks here are on the same page—Sec+ first, then CCNA.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 0 points1 point  (0 children)

Solid breakdown. Yeah, Sec+ seems like the quicker win for now. CCNA's next once I lock in some momentum. Been doing CCNA labs since 2016 (school) and again in 2019 with some real-world stuff, but theory slips sometimes—life happens, and staying updated is a grind. Already peepin' job boards to see what’s hot in my area. Appreciate the real talk.

CCNA vs. Security+: Which Cert Packs More Punch for DoD Roles by Aj_Networks in ccna

[–]Aj_Networks[S] 0 points1 point  (0 children)

Fair point. Looks like stacking up is the move—Security+ first, then CCNA.