Excalibur's Sheath

Building a Secure Home Network with OPNSense

Aug 17, 2025 By: Jordan McGilvray
Tags: opnsense, home-network, dns, firewall, vlan, wireguard, jellyfin, network-security

In this project post, we pause our regular series on designing resilient homelabs (Designing Resilient Homelab: Redundancy & Availability) to provide honest, hands-on documentation of setting up a home network using OPNSense. The focus is on establishing a stable, functional flat network with DNS filtering and a separate Work LAN before moving on to VLAN segmentation or more advanced configurations.

While we normally provide screenshots, this article relies on detailed textual instructions, sample commands, and diagrams. The goal is to give readers clear, reproducible steps to set up a secure network foundation without relying on visual cues.

This post also emphasizes lessons learned from repeated testing, troubleshooting, and rollback of configurations that didn’t work, providing insight into real-world network setup challenges.

Finally, we document the hardware and topology used in this lab, which serves as a reference for readers planning similar home or small office networks.


Hardware Overview

Fiber Media Converter / PoE: Ubiquiti GP-J240-030G (wall-mounted, converts fiber to Ethernet and powers the fiber interface)

OPNSense Router: Dell Inspiron 620

  • 8 GB RAM, i5 3.00 GHz, 128 GB SSD

Access Points & Extenders:

  • Linksys 1200AC (OpenWRT, AP mode)
  • Wi-Fi Access Point downstream (connected via Powerline)

Switches:

  • Dell 24 Port PowerConnect 2724 (Managed, 1Gb)
  • 3Com Baseline 2928-P PWR Plus (Managed, PoE, 1Gb)

Other Devices:

  • 2 Netgear Powerline 1000 PL1000 v2 adapters (~8 years old, single Ethernet port each)
  • HP LaserJet Pro MFP M26NW
  • Jellyfin server (HP Compaq 6200 Microtower, 8 GB RAM, 30 GB boot SSD, 4 TB drives x2 for media)
  • Dell Small Form Factor PC for TV access (8 GB RAM, 200 GB HD)
  • Main PC (AMD FX-6300 6-core, 8 GB RAM, 32 GB OS SSD + 422 GB home partition)

Network Topology

                       Internet (Fiber Line)
                                │
                                ▼
               Ubiquiti GP-J240-030G (Fiber Media Converter / PoE)
                                │
                                ▼
         ┌──────────────────────── OPNSense Router ───────────────────────┐
         │  Dell Inspiron 620, i5 @ 3GHz, 8GB RAM, 128GB SSD              │
         │                                                                │
         │  bce0 = WAN   │   bce1 = Home LAN   │   re0 = Work LAN          │
         └───────────────┴─────────────────────┴──────────────────────────┘
                                 │                   │
                                 │                   │
                                 ▼                   ▼
                  Dell PowerConnect 2724       Dedicated Work LAN
                         (24-Port)                  (Isolated)
                                 │
    ┌────────────────────────────┼─────────────────────────────┐
    │                            │                             │
Linksys 1200AC (AP)    Dell Optiplex 2020 SFF          Netgear Powerline 1000
 (Home Wi-Fi)             (Media/TV PC)                     (PL1000 v2)
    │                                                         │
    ▼                                                         ▼
Linksys RTE-6500 (Wi-Fi Extender)                  3Com 24-Port PoE Switch
                                                    ┌──────────────┬───────────────┬──────────────┐
                                                    │              │               │              │
                                         HP LaserJet Pro    Jellyfin Server     Main PC     Secondary Wi-Fi AP
                                         MFP M26NW          HP Compaq 6200      Custom AMD   (Access Point)
                                                            (8GB RAM, SSD+HDD)  FX-6300

OPNSense Installation and Initial Configuration

  • Installed OPNSense 25.7 from the vga image, written to a flash drive with dd; earlier attempts with the 22.1 and 25.x DVD ISOs failed to boot on this hardware.
  • Set LAN IP to 192.168.20.1/24 via root console menu.
  • DHCP range: 192.168.20.100–192.168.20.242 under Services > DHCP Server.
  • DNS servers set to Cloudflare’s filtered servers: 1.1.1.3 and 1.0.0.3.
  • Performed all system upgrades via root console to ensure stability.
  • Restored OPNSense configuration to a known good baseline that precedes the IPv6 tunnel attempt, since the HE tunnel is blocked by the ISP and cannot be used right now.

DNS over TLS Setup

  • Enabled Unbound DNS under Services > Unbound DNS > General.
  • Added the upstream DNS-over-TLS servers under Services > Unbound DNS > DNS over TLS: Cloudflare and CleanBrowsing, both on their adult-content and malware filtering endpoints. Each entry needs the server's TLS hostname (Verify CN) alongside its address and port 853; without it Unbound encrypts the session but does not authenticate the upstream, so a resolver hijack on the path would go unnoticed.
  • Adjusted Dnsmasq port to 1053 in Services > Dnsmasq DNS & DHCP > General to avoid port conflicts with Unbound.
  • Browser indicators are not a reliable check. Firefox may switch on its own DNS-over-HTTPS and bypass Unbound entirely, and Chrome's Secure DNS status describes Chrome's own upstream, not the router's forwarders. Confirm DoT at the firewall instead, for example with a packet capture on the WAN interface (Interfaces > Diagnostics > Packet Capture) that shows traffic to the upstreams on port 853 and none on port 53.

Adding Blocklists for DNS Filtering

Whitelisting Microsoft and Mojang Domains

  • To maintain functionality for Minecraft and school email, whitelisted the following domains via DNS-over-TLS overrides:

  • microsoft.com
  • live.com
  • office.com
  • office365.com
  • windows.net
  • xboxlive.com
  • xbox.com
  • xboxservices.com
  • microsoftonline.com
  • mojang.com
  • minecraft.net
  • account.microsoft.com
  • msftauth.net
  • akamaitechnologies.com
  • edgesuite.net
  • cdn.office.net
  • sfbassets.com
  • clientconfig.microsoftonline-p.net

These entries are forwarded to 1.1.1.1@853 with TLS hostname cloudflare-dns.com, Cloudflare's unfiltered resolver, so queries for them bypass the filtered upstreams that handle everything else. Two things to keep in mind: a per-domain forward covers the zone and every name beneath it, so account.microsoft.com is already covered by microsoft.com, while cdn.office.net and clientconfig.microsoftonline-p.net are separate zones and do need their own entries; and akamaitechnologies.com and edgesuite.net are Akamai's generic CDN domains, shared by many unrelated customers, so forwarding them unfiltered exempts far more than Microsoft traffic.

Finding this list was very hard. I wasn't able to find an actual list in one place with all the domains I'd need to whitelist. Then I had to break down what I did find, remove duplicates, determine which subdomains would already be captured by the main domain being on the list, and remove a couple that would open the door to things other than Microsoft.
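The clean-up described above (dedupe, then drop every entry already covered by a parent on the list) is mechanical, so here it is as an added Python example. This is not code from the original post; it models how Unbound's per-domain forwarding matches names (a zone covers itself and every name beneath it, and the longest matching zone wins) and runs that model over the whitelist exactly as published above. The "unfiltered"/"filtered" labels are assumptions standing in for the 1.1.1.1@853 forward and the filtered default upstreams.

```python
"""Collapse a per-domain DNS forward (whitelist) list to its minimal form.

Added example, not code from the original post.  A per-domain forward in
Unbound (a forward-zone) matches the zone name and every name beneath it,
so an entry whose parent is also listed is redundant, and a hostname is
routed by the longest matching zone.
"""


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def covers(zone: str, name: str) -> bool:
    """True if a forward-zone for `zone` would match `name` (equal or a subdomain).

    The leading dot matters: 'office.com' must not match 'evil-office.com'.
    """
    zone, name = normalize(zone), normalize(name)
    return name == zone or name.endswith("." + zone)


def redundant_entries(domains) -> dict:
    """Map each entry already covered by another entry to its shortest covering zone."""
    uniq = {normalize(d) for d in domains if d.strip()}
    out = {}
    for d in sorted(uniq):
        parents = sorted((z for z in uniq if z != d and covers(z, d)), key=len)
        if parents:
            out[d] = parents[0]
    return out


def minimal_domain_set(domains) -> list:
    """Sorted list with duplicates and covered subdomains removed."""
    redundant = redundant_entries(domains)
    return sorted({normalize(d) for d in domains if d.strip()} - set(redundant))


def resolver_for(name: str, forwards: dict, default: str = "filtered") -> str:
    """Label of the upstream a query for `name` reaches: longest matching zone wins."""
    best = None
    for zone, label in forwards.items():
        if covers(zone, name) and (best is None or len(normalize(zone)) > len(best[0])):
            best = (normalize(zone), label)
    return best[1] if best else default


# The whitelist exactly as published in this post.
WHITELIST = [
    "microsoft.com", "live.com", "office.com", "office365.com", "windows.net",
    "xboxlive.com", "xbox.com", "xboxservices.com", "microsoftonline.com",
    "mojang.com", "minecraft.net", "account.microsoft.com", "msftauth.net",
    "akamaitechnologies.com", "edgesuite.net", "cdn.office.net", "sfbassets.com",
    "clientconfig.microsoftonline-p.net",
]

# Assumed labels: every whitelisted zone goes to the unfiltered resolver
# (1.1.1.1@853 in the post); anything else falls through to the filtered defaults.
FORWARDS = {zone: "unfiltered" for zone in WHITELIST}

if __name__ == "__main__":
    print("redundant:", redundant_entries(WHITELIST))
    print("minimal:", minimal_domain_set(WHITELIST))
    for host in ("login.live.com", "cdn.office.net", "evil-office.com", "example.com"):
        print(f"{host:20} -> {resolver_for(host, FORWARDS)}")
```

Running it against the published list reports a single redundant entry (account.microsoft.com, covered by microsoft.com) and leaves 17 zones; it also shows why cdn.office.net has to stay, since office.com does not cover it.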

DHCP Static Mappings and IP Plan

IP Allocation Plan:

  • 192.168.20.1–9: Firewall, switches, APs
  • 192.168.20.10–19: PCs & laptops
  • 192.168.20.20–29: Servers
  • 192.168.20.30–39: Phones & tablets
  • 192.168.20.40–49: Printers, smart watches, etc.

  • Configured static DHCP mappings under Services > Dnsmasq DNS & DHCP > Hosts tab.
  • Lease time set to 0 for permanent mapping.

Work LAN Setup (192.168.30.0/24)

  • Interface re0 added in OPNSense as Work LAN, static IP: 192.168.30.1/24.
  • DHCP range: 192.168.30.100–192.168.30.102.
  • Configured firewall rules:
    Action  Protocol  Source    Destination    Port  Description
    Block   IPv4 *    work net  LAN net        *     Block access to main LAN (192.168.20.0/24)
    Block   IPv4 TCP  work net  This Firewall  443   Block access to firewall GUI (HTTPS)
    Block   IPv4 TCP  work net  This Firewall  80    Block access to firewall GUI (HTTP)
    Pass    IPv4 *    work net  *              *     Allow internet access, including VPS traffic
  • Blocks placed above allow rule to enforce isolation.
  • Verified Work PC gets DHCP IP and cannot access LAN or firewall GUI.

LAN Firewall Rules

  Action  Protocol  Source   Src Port  Destination  Dst Port  Description
  Pass    IPv4 *    LAN net  *         *            *         Default allow LAN to any rule
  Pass    IPv6 *    LAN net  *         *            *         Default allow LAN IPv6 to any rule
  • Default allow rules maintain internet access for all LAN devices.
  • Work network intentionally excluded from DNS block for external server access.

WAN Firewall Rules

  Action  Protocol        Source   Destination  Port  Description
  Block   IPv4+6 TCP/UDP  LAN net  Any          53    Block all out-of-LAN DNS requests on port 53
  • With this block in place, LAN clients can no longer reach outside resolvers on port 53 and must use Unbound on 192.168.20.1, which forwards over TLS. It does not stop a client that speaks DNS-over-TLS (853) or DNS-over-HTTPS (443) to an outside resolver directly, such as Firefox with its own DoH enabled.
  • Placement caveat: OPNsense interface rules match traffic entering that interface (Direction "in" by default), so a rule on the WAN tab with source LAN net only takes effect if its Direction is set to "out"; otherwise the LAN tab's default allow passes port 53 to any destination. The usual placement is on the LAN tab above the default allow, with "This Firewall" excluded from the destination so clients can still query Unbound. Check from a LAN client: 'dig @1.1.1.1 example.com' should time out and 'dig @192.168.20.1 example.com' should answer.
  • Work network remains free to use any DNS needed; the Work PC uses non-filtered DNS servers.
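To make the rule-ordering point concrete, here is an added Python model of how OPNsense evaluates interface rules (top-down, first match wins, implicit default deny). It is not the author's configuration and not a substitute for reading the live ruleset with 'pfctl -sr' on the firewall; it reproduces the Work LAN table above and two variants of the LAN DNS block, and the sample addresses (a Work PC at 192.168.30.100, a LAN PC at 192.168.20.10, the Jellyfin host at 192.168.20.20, and 203.0.113.10 as an internet host) are constructed for the checks.

```python
"""First-match simulation of OPNsense interface rules (pf 'quick' rules).

Added example, not from the original post: it models the Work LAN and
LAN rule sets described above to check the stated policy, and shows why
a port 53 block on the LAN tab must sit above the default allow and exempt
the firewall's own resolver.  Sample traffic addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "tcp", "udp" or "tcp/udp"
    src: str               # CIDR or "any"
    dst: str               # CIDR, "any", or "!CIDR" (invert match)
    port: Optional[int]    # destination port, None means any
    desc: str


WORK_NET = "192.168.30.0/24"
LAN_NET = "192.168.20.0/24"
WORK_GW = "192.168.30.1/32"   # "This Firewall" as seen from the Work LAN
LAN_GW = "192.168.20.1/32"    # "This Firewall" as seen from the LAN


def _net_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _net_match(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _proto_match(spec: str, proto: str) -> bool:
    return spec == "any" or proto in spec.split("/")


def evaluate(rules, src, dst, proto, port):
    """Top-down first match, as OPNsense evaluates 'quick' rules; implicit default deny."""
    for r in rules:
        if (_proto_match(r.proto, proto) and _net_match(r.src, src)
                and _net_match(r.dst, dst) and (r.port is None or r.port == port)):
            return r.action, r.desc
    return "block", "implicit default deny"


# Work LAN tab, in the order given in the post: blocks first, then the catch-all pass.
WORK_RULES = [
    Rule("block", "any", WORK_NET, LAN_NET, None, "Block access to main LAN"),
    Rule("block", "tcp", WORK_NET, WORK_GW, 443, "Block firewall GUI HTTPS"),
    Rule("block", "tcp", WORK_NET, WORK_GW, 80, "Block firewall GUI HTTP"),
    Rule("pass", "any", WORK_NET, "any", None, "Allow internet access"),
]

# LAN tab variant 1: a port 53 block placed below the default allow never fires.
LAN_RULES_BLOCK_BELOW_ALLOW = [
    Rule("pass", "any", LAN_NET, "any", None, "Default allow LAN to any"),
    Rule("block", "tcp/udp", LAN_NET, "any", 53, "Block external DNS (never reached)"),
]

# LAN tab variant 2: block above the allow, exempting the firewall so Unbound stays reachable.
LAN_RULES_BLOCK_ABOVE_ALLOW = [
    Rule("block", "tcp/udp", LAN_NET, "!" + LAN_GW, 53, "Block DNS to anything but Unbound"),
    Rule("pass", "any", LAN_NET, "any", None, "Default allow LAN to any"),
]


def work_lan_checks() -> dict:
    """Policy checks for the Work LAN table: returns {check: action}."""
    return {
        "work_to_lan_host": evaluate(WORK_RULES, "192.168.30.100", "192.168.20.20", "tcp", 8096)[0],
        "work_to_gui_https": evaluate(WORK_RULES, "192.168.30.100", "192.168.30.1", "tcp", 443)[0],
        "work_to_gui_http": evaluate(WORK_RULES, "192.168.30.100", "192.168.30.1", "tcp", 80)[0],
        "work_to_internet": evaluate(WORK_RULES, "192.168.30.100", "203.0.113.10", "tcp", 443)[0],
        "work_to_any_dns": evaluate(WORK_RULES, "192.168.30.100", "8.8.8.8", "udp", 53)[0],
    }


def lan_dns_checks(rules) -> dict:
    """Does a LAN client still reach Unbound, and is outside port 53 really blocked?"""
    return {
        "to_unbound": evaluate(rules, "192.168.20.10", "192.168.20.1", "udp", 53)[0],
        "to_external_53": evaluate(rules, "192.168.20.10", "8.8.8.8", "udp", 53)[0],
        "to_external_853": evaluate(rules, "192.168.20.10", "1.1.1.3", "tcp", 853)[0],
    }


if __name__ == "__main__":
    print("work lan:", work_lan_checks())
    print("block below allow:", lan_dns_checks(LAN_RULES_BLOCK_BELOW_ALLOW))
    print("block above allow:", lan_dns_checks(LAN_RULES_BLOCK_ABOVE_ALLOW))
```

The Work LAN checks come out as the post describes (LAN hosts and the GUI blocked, internet and any outside DNS allowed). The two LAN variants show the ordering lesson: with the block below the allow, outside port 53 still passes; with the block above the allow and the firewall exempted, Unbound stays reachable while outside port 53 is denied. In both variants direct DoT on port 853 still passes, which is the bypass the prose above warns about.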

Backup and NTP

  • Installed Nextcloud Backup plugin, retained 3 versions. Backup verified successfully.
  • Added regional NTP servers, set preferred, and restarted NTP service.

Dynamic DNS & VPN Preparation

  • DDNS: jumpgate.excalibursheath.com → DuckDNS, with DYNU backup domain.
  • DNS-over-TLS added for DuckDNS due to occasional DNS issues.
  • WireGuard VPN tested but caused outages; configuration rolled back.
  • The OPNSense configuration was then rolled back to the known good baseline from before the IPv6 tunnel attempt (the HE tunnel is blocked by the ISP; see the installation notes above).

Lessons Learned

  1. Start with a stable baseline.
    • Restore OPNSense to a known good configuration before adding complex features.
  2. VLANs are iterative.
    • Flat networks are easier to stabilize before segmentation.
  3. DNS-over-TLS nuances.
    • Dnsmasq port conflicts can block Unbound; browsers may misrepresent DoT status.
  4. Backup is critical.
    • Nextcloud backups allow quick recovery and multiple configuration versions.
  5. VPNs and tunnels can break connectivity.
    • WireGuard and HE tunnels may require ISP or VPS workarounds.
  6. Hardware topology matters.
    • PoE, Ethernet-over-Power, AP modes, and switch layout all impact configuration.
  7. Incremental testing saves time.
    • Verify DHCP, static mappings, DNS, and internet connectivity before adding advanced features.
The network now has a stable foundation: DHCP, static IPs, DNS filtering, firewall rules, and a Work LAN functioning correctly. Future VLAN segmentation, VPN, and IPv6 features can be added with confidence.

Remaining Steps and Project Status

Completed

  • Stable OPNSense installation with LAN IP, DHCP, and known good baseline configuration.
  • DNS-over-TLS setup with Unbound, Dnsmasq port adjustments, and verified blocklists.
  • Blocklists and domain whitelisting applied for Microsoft and Mojang services.
  • Static DHCP mappings configured for key devices.
  • Work LAN isolation with proper firewall rules ensuring separation from the main LAN and firewall GUI.
  • Backups and NTP configuration verified.
  • Dynamic DNS setup for remote access via DuckDNS and DYNU backup domain.

Up Next

  • VLAN Segmentation: Plan and implement VLANs 10 (Management), 20 (Main LAN), 30 (Work), 40 (Servers), 50 (IoT), and 60 (Guest Wi-Fi). This includes interface assignments, switch port configurations, and firewall rules to control inter-VLAN traffic. Establishing VLANs first will provide a more controlled environment for future services.

  • WireGuard VPN from OPNSense: Once VLANs are implemented and stable, revisit VPN setup. This ensures VPN traffic can be properly segmented and managed without risking disruption to the flat network. Initial attempts caused outages, so careful incremental testing will be required.

  • Optional Advanced Features: QoS, advanced routing, and monitoring can be considered after VLANs and VPN are functioning. These remain lower priority for a home/office lab but can be added incrementally as needed.

Likely Not in the Cards

  • HE IPv6 tunnel: Attempts to configure the Hurricane Electric IPv6 tunnel were unsuccessful due to ISP restrictions (blocking IP protocol 41, the 6in4 encapsulation the tunnel relies on). This will not be possible without a workaround such as an external VPS or different ISP support.

Project Completion Assessment

The network setup is functionally complete for a flat network with secure DNS, device isolation, and a separate Work LAN. The foundation is solid for incremental improvements like VLAN segmentation, further firewall hardening, and monitoring. Certain advanced features (IPv6 tunnel, OPNSense VPN) are deferred due to technical limitations or risk of instability, but the current setup provides reliable internet access, DNS filtering, and device isolation for both home and work needs.

Final Thoughts

Setting up a reliable home/office network requires patience, careful planning, and a willingness to learn from mistakes. Throughout this project, multiple attempts—ranging from OPNSense reinstalls to failed IPv6 tunnels and initial VPN tests—highlighted the importance of maintaining known good baselines. Each rollback and retry reinforced key lessons about DNS configuration, firewall rules, and interface management.

Documenting every step, including both successes and failures, provides a reference for future changes and helps prevent repeating the same issues. Incremental testing, whether adding new devices, configuring blocklists, or isolating traffic on the Work LAN, ensures that problems are detected early and mitigated quickly.

With the current flat network and isolated Work LAN fully operational, the foundation is solid. This approach minimizes downtime and misconfiguration while providing flexibility to expand the network with VLAN segmentation, additional security measures, and VPN functionality when ready.

Incremental, cautious configuration ensures a functional, secure, and manageable network while keeping room for future growth.