Don’t Trust Your ISP Router
Your ISP-provided gateway is a black box. You have no visibility into traffic flows, limited control over DNS, and often outdated firmware. Replacing it with a dedicated pfSense or OPNsense box is the first step in taking back control.
Network Segmentation (VLANs)
The “flat network” is a security nightmare. If your IoT fridge gets compromised, your NAS shouldn’t be accessible on the same subnet.
Our Recommended Segments:
- LAN (Trusted): For your workstations and servers.
- IoT (Untrusted): For smart bulbs, cameras, and appliances. No internet access unless strictly necessary.
- Guest: Isolated internet access only.
- Management: For accessing switch/router interfaces.
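To make the four-segment policy concrete, here is an added example (not code from the original post, and not pfSense’s own rule engine) that models pfSense’s per-interface, first-match, default-deny evaluation in Python and probes the isolation guarantees the segments are supposed to give. The subnets, the NTP-only IoT exception and the probe addresses are all constructed values for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subnets for the four segments (example values, not from any real deployment).
SEGMENTS = {
    "LAN":   ip_network("10.0.10.0/24"),
    "IOT":   ip_network("10.0.20.0/24"),
    "GUEST": ip_network("10.0.30.0/24"),
    "MGMT":  ip_network("10.0.99.0/24"),
}
# Anything in these ranges counts as internal; anything else is treated as the internet.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One rule on the interface where the packet enters the firewall. pfSense evaluates
    rules inbound on each interface, first match wins, with an implicit deny at the end."""
    iface: str                  # segment whose interface the packet arrives on
    action: str                 # "pass" or "block"
    dst: str                    # segment name, "any", "rfc1918" or "internet"
    dport: Optional[int] = None  # None means any destination port


def segment_of(ip) -> Optional[str]:
    """Name of the segment an address belongs to, or None for non-local addresses."""
    addr = ip_address(ip) if isinstance(ip, str) else ip
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def _dst_matches(rule_dst: str, dst_ip) -> bool:
    if rule_dst == "any":
        return True
    internal = any(dst_ip in n for n in RFC1918)
    if rule_dst == "rfc1918":
        return internal
    if rule_dst == "internet":
        return not internal
    return dst_ip in SEGMENTS[rule_dst]


# The policy for the four segments, in evaluation order per interface.
RULES = [
    # LAN (trusted): may reach everything, including the management segment.
    Rule("LAN", "pass", "any"),
    # IoT (untrusted): no lateral movement; NTP is the one "strictly necessary" internet exception here.
    Rule("IOT", "block", "rfc1918"),
    Rule("IOT", "pass", "internet", dport=123),
    Rule("IOT", "block", "any"),
    # Guest: isolated internet access only.
    Rule("GUEST", "block", "rfc1918"),
    Rule("GUEST", "pass", "internet"),
    # Management: devices here never initiate connections anywhere.
    Rule("MGMT", "block", "any"),
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Decision ('pass' or 'block') for a new connection from src to dst:dport under RULES."""
    s, d = ip_address(src), ip_address(dst)
    iface = segment_of(s)
    if iface is None:
        return "block"          # not from one of our segments: nothing to evaluate
    for r in RULES:
        if r.iface != iface:
            continue
        if not _dst_matches(r.dst, d):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action         # first match wins
    return "block"              # implicit default deny


# Invariants the segmentation must guarantee, as (src, dst, port, expected) probes.
PROBES = [
    ("10.0.20.5", "10.0.10.50",  445, "block"),  # IoT fridge -> NAS on the LAN
    ("10.0.20.5", "10.0.99.1",    22, "block"),  # IoT -> management
    ("10.0.20.5", "203.0.113.9", 443, "block"),  # IoT -> arbitrary internet
    ("10.0.20.5", "203.0.113.9", 123, "pass"),   # IoT -> NTP on the internet
    ("10.0.30.7", "10.0.10.50",  445, "block"),  # Guest -> LAN
    ("10.0.30.7", "203.0.113.9", 443, "pass"),   # Guest -> internet
    ("10.0.10.5", "10.0.99.1",   443, "pass"),   # Workstation -> switch web UI
    ("10.0.99.5", "10.0.10.5",    22, "block"),  # Management device -> LAN
]


def check_policy():
    """Return probes whose decision differs from the expected one; empty means the policy holds."""
    return [(s, d, p, exp, evaluate(s, d, p))
            for s, d, p, exp in PROBES if evaluate(s, d, p) != exp]


if __name__ == "__main__":
    violations = check_policy()
    for v in violations:
        print("VIOLATION", v)
    print("policy OK" if not violations else "policy has violations")
```

Two caveats when carrying this over to a real pfSense box: the model only covers traffic between segments, so the IoT and Guest interfaces also need rules that stop them reaching the firewall’s own addresses (the GUI and SSH) while still allowing DHCP and DNS, and because evaluation is first-match, a broad “pass any” placed above the block rules silently defeats the isolation, which is exactly what probes like these are meant to catch.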
Inspection vs. Throughput
Running Snort or Suricata for IDPS (Intrusion Detection/Prevention) is great, but be aware of the hardware limits. Deep Packet Inspection (DPI) kills throughput. If you have Gigabit fiber, ensure your router’s CPU supports AES-NI and has high single-thread performance.
DNS & Ad Blocking
We pair pfSense with pfBlockerNG. It’s not just an ad blocker; it’s a powerful IP reputation filter. We automatically block inbound traffic from high-risk countries where we have no clients.
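The mechanism behind that inbound filter is an alias table built from feeds (country prefixes, reputation lists) that a WAN block rule matches against. The following added example (not pfBlockerNG’s code, and not from the original post) shows the shape of it in Python: prefixes from each feed are collapsed into a lookup table, a constructed sample of inbound WAN attempts is classified against it, and the outcomes are counted. The feed names and CIDR ranges are constructed example values, not real feed data:

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed feeds (example values, not real pfBlockerNG lists): feed name -> prefixes it
# publishes. A GeoIP country feed and a reputation feed, each with deliberate overlap.
FEEDS = {
    "geoip_country_X": ["198.51.100.0/24", "198.51.100.128/25"],
    "reputation_feed": ["203.0.113.0/26", "203.0.113.64/26"],
}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def build_table(feeds):
    """Collapse each feed's prefixes (duplicates and adjacent blocks merge, as an alias table
    would) and return (network, feed) pairs ordered most-specific first."""
    table = []
    for feed, cidrs in feeds.items():
        for net in collapse_addresses(ip_network(c) for c in cidrs):
            table.append((net, feed))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Name of the first feed listing ip, or None if it is not on any list."""
    addr = ip_address(ip)
    for net, feed in table:
        if addr in net:
            return feed
    return None


def classify_inbound(table, attempts):
    """Decide each inbound WAN attempt: 'block:<feed>' when the source is listed, 'pass'
    otherwise. Private sources are skipped because they cannot be genuine WAN ingress."""
    decisions = {}
    for src, dport in attempts:
        if any(ip_address(src) in n for n in RFC1918):
            continue
        feed = lookup(table, src)
        decisions[(src, dport)] = f"block:{feed}" if feed else "pass"
    return decisions


def summarize(decisions):
    """Count decisions per outcome, the figure a dashboard widget would show."""
    counts = {}
    for outcome in decisions.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample of inbound attempts seen on the WAN interface: (source IP, destination port).
SAMPLE_ATTEMPTS = [
    ("198.51.100.200", 22),
    ("198.51.100.7", 22),
    ("203.0.113.100", 3389),
    ("203.0.113.200", 443),
    ("192.0.2.10", 22),
    ("192.168.1.5", 80),   # private source: not WAN ingress, ignored
]

if __name__ == "__main__":
    table = build_table(FEEDS)
    decisions = classify_inbound(table, SAMPLE_ATTEMPTS)
    for key, outcome in decisions.items():
        print(key, outcome)
    print(summarize(decisions))
```

“pass” here only means the source is not on a list; the WAN ruleset still denies unsolicited inbound traffic by default, so country and reputation blocking reduces log noise and cuts off the bulk of scanning, it does not replace that default.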