Advanced Firewall Setup for Network Protection

Difficulty: Advanced | Estimated time: 1-2 hours

Advanced guide to using firewalls for granular network protection including hardware firewalls, pfSense, and software firewall configuration.

Prerequisites:

  • Strong technical background recommended
  • Understanding of networking concepts
  • Dedicated hardware (for pfSense/OPNsense) or existing router
  • Time for learning and configuration

Firewall-Based Protection Overview

Firewalls provide the most granular and powerful network-level control available. While consumer routers offer basic parental controls, dedicated firewall solutions (hardware or software) enable advanced filtering, deep packet inspection, network segmentation, and protection that is extremely difficult to bypass when configured properly.

Advanced Level: This guide is for technically proficient users. Most families should start with simpler solutions like DNS filtering and router parental controls before considering firewall-based approaches.

🔥 Types of Firewalls

Hardware Firewalls

Examples: a dedicated firewall appliance such as Firewalla, or a Protectli box running pfSense

  • Separate physical device between modem and network
  • Most powerful and reliable
  • Can't be bypassed from client devices
  • Requires investment ($100-500+)

Best for: Tech-savvy families wanting maximum control

Software Firewalls (pfSense/OPNsense)

Free, open-source router/firewall OS

  • Install on old computer or dedicated hardware
  • Extremely powerful and flexible
  • Steep learning curve
  • Active community support

Best for: Technical users, home lab enthusiasts, ultimate control

Router-Based Firewalls

Built into existing router

  • Basic firewall features included
  • No additional hardware needed
  • Limited compared to dedicated solutions
  • Covered in our Router Configuration Guide

Best for: Most families (start here)

Host-Based Firewalls

Windows Defender, macOS Firewall, etc.

  • Runs on individual devices
  • Protects that device only
  • Can be disabled by user
  • Good as secondary layer

Best for: Additional device-level protection

🛠️ pfSense/OPNsense Setup Overview

Note: This is a high-level overview. Full pfSense setup requires multiple hours and technical knowledge. Consult official pfSense documentation for complete instructions.

Hardware Requirements

  • Dedicated computer (can be old PC or mini PC)
  • Minimum: 2 network ports (WAN and LAN)
  • 2GB+ RAM recommended
  • 8GB+ storage

Basic Setup Steps

  1. Download pfSense or OPNsense ISO
  2. Create bootable USB installer
  3. Install on dedicated hardware
  4. Configure WAN (internet) and LAN (network) interfaces
  5. Access web interface (typically 192.168.1.1)
  6. Complete setup wizard
  7. Update to latest version

Key Configuration for Parental Controls

1. DNS Filtering

  • System → General Setup → DNS Servers
  • Add filtering DNS (CleanBrowsing, OpenDNS, etc.)
  • Enable DNS Resolver or DNS Forwarder
  • Force all clients to use the firewall's DNS (prevents bypass via hard-coded resolvers on a device)

2. Firewall Rules by Device/Network

  • Create firewall rules per IP or subnet
  • Block specific ports (e.g., VPN ports to prevent bypassing)
  • Allow/deny specific websites or services
  • Schedule rules (time-based blocking)

3. Suricata/Snort (IDS/IPS)

  • Install Suricata package
  • Enable threat detection
  • Block malicious traffic automatically
  • Monitor for concerning patterns

4. pfBlockerNG

  • Powerful blocking package
  • Subscribe to threat feeds and blocklists
  • Block ads, trackers, malware, adult content
  • Custom whitelist/blacklist management

5. Squid Proxy + SquidGuard

  • Web proxy with content filtering
  • Category-based filtering (adult, social media, gaming, etc.)
  • URL blacklists and whitelists
  • HTTPS filtering (requires SSL/TLS interception, i.e. installing the firewall's CA certificate on every filtered device)

6. Captive Portal

  • Require authentication before internet access
  • Different access policies per user
  • Time-based vouchers
  • Usage monitoring

🏷️ Network Segmentation Strategy

VLAN Setup for Family Networks

VLAN 1: Admin Network

  • Parent devices, servers, NAS
  • Full internet access
  • No filtering
  • Management access to firewall

VLAN 10: Kids Network

  • Children's devices
  • Strict DNS filtering
  • Blocked VPN ports
  • Time-based access rules
  • No access to other VLANs

VLAN 20: IoT/Smart Devices

  • Smart TVs, gaming consoles, IoT devices
  • Medium filtering
  • Isolated from other networks
  • Limited bandwidth

VLAN 99: Guest Network

  • Visitor devices
  • Internet-only access
  • No LAN access
  • Bandwidth limits

Benefits:

  • Different rules for different networks
  • Enhanced security through isolation
  • Easier monitoring and management
  • Children can't access parent devices

🚫 Advanced Bypass Prevention

Blocking VPN and Proxy Services

  • Block common VPN ports (UDP 500, 4500 and 1194; TCP 1723; TCP 443 only selectively, since it is also ordinary HTTPS)
  • Use pfBlockerNG to block known VPN/proxy IPs
  • Deep packet inspection (DPI) to detect VPN traffic
  • Block DNS-over-HTTPS (DoH) servers to prevent DNS bypass

Caution: Blocking VPNs may interfere with legitimate uses (work VPNs, privacy tools). Use targeted blocking for the children's network only.

Preventing DNS Bypass

  1. Create a firewall rule that blocks all outbound traffic to port 53 (DNS) except to the firewall itself
  2. Force all clients to use firewall's DNS resolver
  3. Block DNS-over-HTTPS (DoH) domains (cloudflare-dns.com, dns.google, etc.)
  4. Block DNS-over-TLS (DoT) port 853
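The kids-VLAN policy from the segmentation section, the VPN-port blocking above and the four DNS-bypass steps, written out as one pf ruleset. This is an added example, not from the original guide or from the pfSense project: pfSense generates its own rules from the web GUI (hand edits to pf.conf are overwritten), so read it as the logic behind the GUI settings or as a ruleset for a plain FreeBSD/OpenBSD pf box. Assumed names: WAN interface em0, kids VLAN interface vlan10 with subnet 192.168.10.0/24 and firewall address 192.168.10.1, and a constructed table of DoH resolver addresses.

```pf
# Macros (assumed names; adjust to your interfaces and addressing)
wan_if   = "em0"
kids_if  = "vlan10"
kids_net = "192.168.10.0/24"
kids_gw  = "192.168.10.1"        # firewall's address on the kids VLAN; runs the DNS resolver
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
vpn_udp  = "{ 500, 4500, 1194 }"  # IKE, IPsec NAT-T, OpenVPN
vpn_tcp  = "{ 1723 }"             # PPTP

# Constructed sample of public DoH resolver addresses; in pfSense this would be a
# pfBlockerNG or URL-table alias that is refreshed automatically.
table <doh_resolvers> { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9 }

# Translation rules come before filter rules in pf.
# Outbound NAT for the kids VLAN.
nat on $wan_if from $kids_net to any -> ($wan_if)

# Steps 1 and 2 of "Preventing DNS Bypass": any plain DNS query from the kids VLAN
# that is not already aimed at the firewall is rewritten to the firewall's own
# resolver, so a hard-coded resolver on a device is overridden rather than merely blocked.
rdr on $kids_if inet proto { tcp, udp } from $kids_net to ! $kids_gw port 53 -> $kids_gw port 53

# Default deny, logged, on every interface.
block log all

# Let the firewall answer DNS on the kids VLAN (this also matches the redirected queries).
pass in quick on $kids_if proto { tcp, udp } from $kids_net to $kids_gw port 53

# Step 4: DNS-over-TLS on 853.  Step 3: known DoH resolvers on every port, which covers 443.
block in log quick on $kids_if proto { tcp, udp } from $kids_net to any port 853
block in log quick on $kids_if from $kids_net to <doh_resolvers>

# "Blocking VPN and Proxy Services", applied to this VLAN only; TCP 443 is left open
# because blocking it would also break ordinary HTTPS.
block in log quick on $kids_if proto udp from $kids_net to any port $vpn_udp
block in log quick on $kids_if proto tcp from $kids_net to any port $vpn_tcp

# Segmentation: no path from the kids VLAN to the admin, IoT or guest networks.
block in log quick on $kids_if from $kids_net to $rfc1918

# Everything else from the kids VLAN may reach the internet; replies are allowed by state.
pass in quick on $kids_if from $kids_net to any keep state
pass out quick on $wan_if keep state
```

Rule order matters: pf applies the rdr rule before the filter rules, so a query to 8.8.8.8:53 is rewritten to 192.168.10.1:53 and then matched by the pass rule for the resolver. The quick rules stop evaluation at the first match, so every block must sit above the final pass rule.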

MAC Address Filtering

  • Create whitelist of known devices
  • Block unknown MAC addresses
  • Prevents unauthorized devices from connecting
  • Note: MAC addresses can be spoofed (not foolproof)

⚖️ Pros & Cons

✅ Advantages

  • Most powerful and comprehensive protection
  • Extremely difficult to bypass when configured properly
  • Granular control per device/network
  • Deep packet inspection
  • Network segmentation for security
  • Free software options (pfSense/OPNsense)
  • Detailed logging and monitoring
  • Can block VPNs and proxies
  • Professional-grade solution

❌ Limitations

  • Very steep learning curve
  • Time-intensive setup and maintenance
  • Requires dedicated hardware or powerful router
  • Can break legitimate services if misconfigured
  • Overkill for most families
  • Requires ongoing management
  • Family members may resist "enterprise" controls
  • Single point of failure (if firewall fails)

🎯 Should You Use a Firewall?

✅ Good Fit If You:

  • Have strong networking knowledge
  • Enjoy tinkering with technology
  • Need maximum control and security
  • Have tech-savvy children who bypass simpler controls
  • Want to learn advanced networking
  • Need network segmentation for security
  • Have time for setup and maintenance

❌ Not Recommended If You:

  • Are not technically inclined
  • Want a quick, simple solution
  • Don't have spare hardware
  • Have young children (simpler solutions work fine)
  • Don't want to maintain a complex system
  • Need vendor support
  • Want a plug-and-play solution

Recommendation: Start with simpler solutions (DNS filtering + device controls + router parental controls). Only move to firewall-based solutions if you have the technical ability and a specific need for advanced features.