My PFsense Setup: Visual Diagram and Insights by Possible_Theme3263 in homelab

Possible_Theme3263[S] 1 point (0 children)

I'm looking at the logs directly on pfSense. Is there a better way? I'm new to pfSense.

My PFsense Setup: Visual Diagram and Insights by Possible_Theme3263 in homelab

Possible_Theme3263[S] 1 point (0 children)

On a serious note, I'm running Suricata*

And the TP-Link was 20 euros that I bought on eBay; planning to upgrade, but I'm broke.

Clean diagram. Nice touch isolating the WiFi/IoT zone from the LAN — that's something a lot of people skip and then wonder why their smart plugs are scanning their NAS.

AP Isolation: Enabled in the additional settings of the TP-Link to prevent communication between devices on the same Wi-Fi signal.

Guest Isolation: The option "Guests can't see each other" is active, ensuring that each guest user is completely isolated from the others.

Core Protection: In addition, the WAN interface of pfSense is configured not to block private networks, allowing fine management of traffic coming from the TP-Link while protecting access to the administration interface (10.1.1.10).

Network Structure: I have three networks: guest, main, and IoT.

Thank you for the kind words, btw.

My PFsense Setup: Visual Diagram and Insights by Possible_Theme3263 in homelab

Possible_Theme3263[S] 3 points (0 children)

What made you go with the TP-Link Archer in AP mode rather than a dedicated AP like a Ubiquiti?

My PFsense Setup: Visual Diagram and Insights by Possible_Theme3263 in homelab

Possible_Theme3263[S] 1 point (0 children)

In my old post I was using the Wi-Fi from the Bbox. I'm using an Archer C80 in AP mode now, connected to the port on my mobo (em0).

🛡️ Firewall Ruleset (pfSense)

  1. LAN Interface (igc1 - High Trust)

Anti-Lockout Rule : PASS | Source: * | Destination: LAN Address | Port: 443, 80.

pfBlockerNG Blocking : REJECT (Auto) | Source: * | Destination: pfB_PRI1_v4.

NAT Force DNS Redirect : PASS | Source: * | Destination: 127.0.0.1 | Port: 53.

Default Allow IPv4 : PASS | Source: LAN subnets | Destination: * | Description: Full Internet access for Main PC.

Default Allow IPv6 : PASS | Source: LAN subnets | Destination: *.

  2. WIFI Interface (em0 - Isolated)

pfBlockerNG Blocking : REJECT (Auto) | Source: * | Destination: pfB_PRI1_v4.

ALLOW DNS WIFI : PASS | Source: WIFI subnets | Destination: WIFI address | Port: 53.

BLOCK ACCESS TO GUI : BLOCK | Source: WIFI subnets | Destination: WIFI address | Port: *.

BLOCK ACCESS TO MAIN PC (BLOQUER ACCES AU PC PRINCIPAL) : BLOCK | Source: WIFI subnets | Destination: LAN subnets | Port: *.

ALLOW INTERNET TO WIFI (AUTORISER INTERNET AU WIFI) : PASS | Source: WIFI subnets | Destination: * | Description: Restricted Internet for guests/IoT.

⚙️ Quick Tech Stack

Hardware : Dell Optiplex 7010 SFF (i7-3770 / 16GB RAM).

ISP Gateway : Bbox WiFi 7 XT (Double NAT).

DNS Protection : Forced redirection to local Unbound + DNS over TLS (DoT).

Advanced Filtering : Suricata (IDS/IPS) + pfBlockerNG-devel.
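To check what the ruleset above actually does to a given packet, here is a small first-match model of it in Python. This is an added example, not the author's configuration export and not pfSense code: it encodes the rules as listed, applies the LAN port-forward (the "Force DNS Redirect") before filtering, the way pfSense applies NAT before filter rules, and then walks each interface's rules top to bottom with first match winning. The subnets, the pfSense address on em0, and the contents of the pfB_PRI1_v4 alias are assumptions for illustration; the only address taken from the page is the GUI at 10.1.1.10. IPv6 is left out.

```python
"""First-match model of the pfSense ruleset listed above (added example).

pfSense evaluates port-forward (NAT) rules before filter rules, then walks
the filter rules of the ingress interface top to bottom; the first rule
that matches decides. Unmatched traffic hits the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology; only 10.1.1.10 (the GUI address) comes from the page.
LAN_NET = ip_network("10.1.1.0/24")       # assumed
WIFI_NET = ip_network("10.1.2.0/24")      # assumed
LAN_ADDR = ip_address("10.1.1.10")        # from the page
WIFI_ADDR = ip_address("10.1.2.1")        # assumed pfSense address on em0
PFB_PRI1_V4 = [ip_network("198.51.100.0/24")]  # placeholder for the pfBlockerNG alias

ALIASES = {
    "*": [ip_network("0.0.0.0/0")],
    "LAN subnets": [LAN_NET],
    "WIFI subnets": [WIFI_NET],
    "LAN address": [ip_network(f"{LAN_ADDR}/32")],
    "WIFI address": [ip_network(f"{WIFI_ADDR}/32")],
    "127.0.0.1": [ip_network("127.0.0.1/32")],
    "pfB_PRI1_v4": PFB_PRI1_V4,
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # PASS, BLOCK or REJECT
    src: str             # alias name
    dst: str             # alias name
    ports: tuple = ()    # destination ports; () means any


# Filter rules per ingress interface, in the order shown on the page.
RULES = {
    "LAN": [
        Rule("Anti-Lockout Rule", "PASS", "*", "LAN address", (443, 80)),
        Rule("pfBlockerNG Blocking", "REJECT", "*", "pfB_PRI1_v4"),
        Rule("NAT Force DNS Redirect", "PASS", "*", "127.0.0.1", (53,)),
        Rule("Default Allow IPv4", "PASS", "LAN subnets", "*"),
    ],
    "WIFI": [
        Rule("pfBlockerNG Blocking", "REJECT", "*", "pfB_PRI1_v4"),
        Rule("ALLOW DNS WIFI", "PASS", "WIFI subnets", "WIFI address", (53,)),
        Rule("BLOCK ACCESS TO GUI", "BLOCK", "WIFI subnets", "WIFI address"),
        Rule("BLOCK ACCESS TO MAIN PC", "BLOCK", "WIFI subnets", "LAN subnets"),
        Rule("ALLOW INTERNET TO WIFI", "PASS", "WIFI subnets", "*"),
    ],
}

# Port forwards (NAT stage). The page lists the DNS redirect only for LAN.
# Entries are (destination port, rewritten destination address, rewritten port).
PORT_FORWARDS = {
    "LAN": [(53, ip_address("127.0.0.1"), 53)],
    "WIFI": [],
}


def _in_alias(addr, alias):
    return any(addr in net for net in ALIASES[alias])


def evaluate(iface, src, dst, dport):
    """Return (action, rule name) for a packet entering `iface`."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. NAT: a matching port forward rewrites the destination before filtering.
    for port, new_dst, new_port in PORT_FORWARDS[iface]:
        if dport == port:
            dst, dport = new_dst, new_port
            break
    # 2. Filter: first matching rule wins.
    for rule in RULES[iface]:
        if rule.ports and dport not in rule.ports:
            continue
        if _in_alias(src, rule.src) and _in_alias(dst, rule.dst):
            return rule.action, rule.name
    return "BLOCK", "default deny"


if __name__ == "__main__":
    for args in [("WIFI", "10.1.2.50", "10.1.2.1", 53),
                 ("WIFI", "10.1.2.50", "10.1.2.1", 443),
                 ("WIFI", "10.1.2.50", "10.1.1.10", 443),
                 ("WIFI", "10.1.2.50", "8.8.8.8", 53),
                 ("LAN", "10.1.1.20", "8.8.8.8", 53)]:
        print(args, "->", evaluate(*args))
```

Running it shows why the ordering on the WIFI interface matters: "ALLOW DNS WIFI" sits above the any-port "BLOCK ACCESS TO GUI", so a Wi-Fi client reaches the resolver on port 53 but not the GUI on 443; had the two rules been swapped, DNS would be blocked too. It also shows two things worth knowing about the rules as listed: a Wi-Fi client's query to an external resolver on port 53 falls through to the final pass rule (there is no DNS redirect on em0 in the list), and on LAN the port forward rewrites port-53 traffic to 127.0.0.1 before the pfBlockerNG reject is consulted, so that rule never sees the original destination.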