this post was submitted on 01 Jul 2026
37 points (97.4% liked)


Hiya, looking for a firewall for my homelab, mostly to experiment but also for an added layer of security. There are just two of us in this household with a few laptops, phones and my servers, so nothing much. Therefore I'm looking for something affordable and not "overkill".

Anyone got any recommendations for this? Also, how do you run your OPNsense/pfSense instance?

Appreciate any tips!

[–] MuttMutt@lemmy.world 12 points 1 day ago (1 children)

Both OPNsense and pfSense have FreeBSD as a base. That means you really want to avoid Realtek NICs.

I'm running OPNsense on a Supermicro X10SLL-F with a Xeon E3-1226 v3, 16GB of RAM, and an Intel X520 10G NIC, with the OS installed on a mirrored pair of 240GB Intel D3-S4510s. I underprovisioned the drives by about 50GB to lower write amplification and allow the drive controller scratch pad space for garbage collection even if the drive fills up with logs and snapshots. This is simply done with:

zfs set quota=190G zroot

I have the following services (beyond the routing and firewall) running:

ACME Client - Let's Encrypt certificates

Caddy - to expose my home services for access via reverse proxy

Chrony - network time server

CrowdSec - running all free rules

Intrusion Detection (also known as Suricata) - just under 193K rules

Kea DHCP for IPv4, providing IP addresses for 5 VLANs

Monit

Ntopng with Redis as the database

NUT

Router Advertisements for IPv6 for 3 VLANs

SMART - for drive testing, but it basically consumes no resources

Unbound DNS with abuse.ch, Steven Black, and Hagezi Multi Pro++ blocklists.

Firewall has 79 rules, NAT has 8 destination entries, IPv6 is provided by Route64 over WireGuard, and remote management access is done via a WireGuard tunnel. VLANs are Management, Trusted, Smarthome, Cameras, and a Guest network which is WiFi only. The Smarthome and Cameras VLANs do not have internet access, except for my HomeAssistant server.

I'm using a Quanta LB6M for my fiber backbone which is 10G with a LAG connection to a Dell PowerConnect 5548 and 5548P gigabit network stack.

I'm utilizing approximately 62% of RAM (which begins to have issues once you get over 80% used) and a load average that generally sits at 0.30 unless the GUI is open. Swap is 0.

I have a 1Gbps fiber internet connection through a Calix 803G and a cellular backup via a Netgear LM1200 that is controlled by OPNsense when 20% or greater packet loss is detected.

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

net.link.ether.inet.max_age = 540

This is because by default FreeBSD sets a 20 minute ARP maximum age, while many ONTs set a 9 minute maximum age.

If you plan to use Intrusion Detection the required RAM will balloon quickly, and the Unbound DNS blocklists live in RAM as well. You can easily get a similar setup to mine on eBay for 200 or less; old server boards or workstation boards with IPMI are great to have if something acts up and the router is living in a closet without a monitor. The old server boards IMHO are also super stable, and they are designed to run for years without being shut down.
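The ARP ageing tip in the comment above is easy to forget after a reinstall or a config restore, so here is an added example (not code from the thread or from OPNsense) that checks the tunable against an ONT lifetime and prints the commands to lower it. The 1200 s stock value and the 540 s target are taken from the comment; the sample sysctl output lines are constructed, and the env var ONT_ARP_AGE and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare FreeBSD's ARP cache lifetime with the ONT's, as described
# in MuttMutt's comment. Not part of the thread; ONT_ARP_AGE is a name chosen here.

# Constructed sample lines in the format `sysctl net.link.ether.inet.max_age`
# prints on FreeBSD: stock 20 minutes, and after the 9 minute fix.
SAMPLE_STOCK="net.link.ether.inet.max_age: 1200"
SAMPLE_TUNED="net.link.ether.inet.max_age: 540"

# Print the integer from one line of sysctl output; print nothing if it is
# some other OID, so callers can tell "unset" from "zero".
arp_max_age() {
    printf '%s\n' "$1" |
        sed -n 's/^net\.link\.ether\.inet\.max_age: *\([0-9][0-9]*\).*/\1/p'
}

# Succeed when the router's ARP lifetime (seconds) is no longer than the ONT's.
# The comment's fix matches the router to a 9 minute ONT, so anything longer
# than the ONT value is flagged.
arp_age_ok() {
    router_age=$1
    ont_age=$2
    [ -n "$router_age" ] && [ "$router_age" -le "$ont_age" ]
}

# Print the live change and a persistent line for plain FreeBSD's /etc/sysctl.conf.
# On OPNsense, set the same tunable under System > Settings > Tunables instead,
# because the firewall regenerates its own config files; do not edit those by hand.
arp_age_fix_cmds() {
    ont_age=$1
    printf 'sysctl net.link.ether.inet.max_age=%s\n' "$ont_age"
    printf 'echo "net.link.ether.inet.max_age=%s" >> /etc/sysctl.conf\n' "$ont_age"
}

# Check the running host when sysctl knows the OID (FreeBSD); otherwise fall back
# to the constructed stock sample so the script still demonstrates the check.
check_host() {
    ont_age=$1
    line=$(sysctl net.link.ether.inet.max_age 2>/dev/null || printf '%s\n' "$SAMPLE_STOCK")
    age=$(arp_max_age "$line")
    if arp_age_ok "$age" "$ont_age"; then
        printf 'OK: ARP max_age %s s <= ONT %s s\n' "$age" "$ont_age"
    else
        printf 'WARN: ARP max_age %s s > ONT %s s; apply:\n' "${age:-unknown}" "$ont_age"
        arp_age_fix_cmds "$ont_age"
    fi
}

check_host "${ONT_ARP_AGE:-540}"
```

Run it on the firewall with ONT_ARP_AGE set to whatever your ONT's ARP timeout is (540 for the 9 minute case in the comment); on a non-FreeBSD box it just exercises the logic against the sample line.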

[–] Monument@piefed.world 2 points 1 day ago

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

net.link.ether.inet.max_age = 540

Oooooh.