Good Rep for Future Home Network
I spent some time recently setting up a little OPNsense lab on a mini PC I bought myself as an early Christmas present. It was mostly as a dry run for the network I eventually want to build at home. The whole point was to get my hands dirty and see the OS and tools I’d use in my future core gateway.
The hardware side was straightforward. I flashed OPNsense the old-fashioned way: jumped into the BIOS, booted from a USB stick, and installed from the live image. For the initial OPNsense setup, I kept things intentionally loose. Since this was just a test, the IP scheme didn’t really matter. I left most settings at their defaults, changed the root password, and set both WAN and LAN to use DHCP. The whole lab sat behind my dad’s existing router, so everything was double-NATed. That is not ideal, but for a learning setup it was totally fine.
Once it was up and reachable, I logged into the web UI and started poking at the services I care about most. First up was Unbound DNS. Unbound is cool to me because it has the potential to replace a Pi-hole setup while also making sure DNS queries aren’t being messed with. I enabled the service so the gateway could handle DNS for the network, then turned on DNSSEC and DNS over TLS. The idea here was simple: make sure DNS lookups are validated and encrypted by default. After that, I enabled DNS blocklists using the feeds that come with OPNsense. The effect was immediate and kind of satisfying: after restarting the service I tested it on news and recipe sites and it worked great!
Next I set up time syncing. This part is easy to overlook, but it matters more than people think. I remember during my time as an RTO that SINCGARS would just totally break for clients if they were off by more than a few seconds in either direction from the master time. I enabled NTP so all clients would pull time from the firewall, then pointed the firewall at external time servers like Cloudflare and Google. Having everything agree on what time it is makes logs, troubleshooting, and future services way less painful.
After that, I moved on to firewall rules. I pulled in IP blocklists from Spamhaus and abuse.ch and set them up as aliases. Those aliases were then used in firewall rules to block known bad IPs right at the gateway. I also locked down DNS and NTP pretty hard, because I wanted to make sure that IoT devices in my home network would play nice and not circumvent the DNS and NTP servers handed out over DHCP. LAN devices were only allowed to use DNS and NTP through the firewall itself, on ports 53, 853, and 123. Anything else trying to talk on those ports got shut down. Rule ordering mattered here, and this was good practice for thinking through how traffic actually flows instead of just clicking checkboxes.
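To make the "rule ordering mattered" point concrete, here is an added example (my own illustration, not OPNsense code or anything from the original post) that models the DNS/NTP lockdown as an ordered, first-match rule set and shows what happens when the pass and block rules are swapped. The addresses and the blocklist range are constructed placeholders; the post does not give its real IP scheme.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses are constructed placeholders; the post does not give its real scheme.
LAN_NET = ip_network("192.168.1.0/24")
FW_SELF = ip_network("192.168.1.1/32")       # the gateway's own LAN address
BLOCKLIST = [ip_network("203.0.113.0/24")]   # stand-in for the Spamhaus/abuse.ch alias
ANY = "any"

@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    src: object            # ip_network or ANY
    dst: object            # list of ip_network, or ANY
    dports: object = ANY   # set of destination ports, or ANY

    def matches(self, src, dst, dport) -> bool:
        if self.src != ANY and src not in self.src:
            return False
        if self.dst != ANY and not any(dst in net for net in self.dst):
            return False
        return self.dports == ANY or dport in self.dports

# Order mirrors the post: blocklist first, then the DNS/NTP lockdown, then a
# general allow-out. OPNsense interface rules are "quick" by default, so the
# first match wins and a misplaced block silently shadows the pass below it.
LOCKDOWN = [
    Rule("drop-known-bad", "block", LAN_NET, BLOCKLIST),
    Rule("dns-ntp-via-fw", "pass", LAN_NET, [FW_SELF], {53, 853, 123}),
    Rule("no-other-dns-ntp", "block", LAN_NET, ANY, {53, 853, 123}),
    Rule("lan-out", "pass", LAN_NET, ANY),
]

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule (default deny if none match)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return "block"

def evaluate_swapped(src: str, dst: str, dport: int) -> str:
    """Same rules with the DNS/NTP pass and block swapped: the pass is never reached."""
    swapped = [LOCKDOWN[0], LOCKDOWN[2], LOCKDOWN[1], LOCKDOWN[3]]
    return evaluate(swapped, src, dst, dport)

if __name__ == "__main__":
    for dst, port in [("192.168.1.1", 53), ("8.8.8.8", 53), ("203.0.113.9", 443)]:
        print(f"192.168.1.50 -> {dst}:{port}: {evaluate(LOCKDOWN, '192.168.1.50', dst, port)}")
```

A client with a hard-coded public resolver (the 8.8.8.8:53 case) is blocked while the same query to the gateway passes, which is exactly the behaviour the lockdown is meant to enforce.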
By the end of it, I had a small but fairly locked-down network core. Nothing fancy, but nothing sloppy either. Overall, it was great practice. I got real hands-on experience doing an install from scratch and setting up the basics. Next I want to start experimenting with IDS and IPS tools to catch more advanced behavior that DNS blocklists and IP reputation lists will never see.