
How to Set Up a Firewall in Your Homelab

A homelab without a firewall is an open door. Learn how to protect your network with OPNsense, pfSense, or Linux UFW — plus VLAN segmentation and DMZ setup.

1. Why You Need a Homelab Firewall

Your home router has a firewall — but it's designed to protect one network from the outside world. Once a device is inside your network, it typically has full access to every other device. This is the threat model a homelab firewall addresses.

A proper homelab firewall lets you segment your network — keeping your homelab services isolated from your family's laptops and phones. It also gives you fine-grained control over what traffic is allowed, and provides logging so you know what's happening on your network.

2. Homelab Firewall Options Compared

There are three main approaches, depending on your complexity tolerance:

UFW (Uncomplicated Firewall) — Simplest

Built into Ubuntu/Debian as a front end to the kernel's packet filter. Perfect for single-server homelabs: it protects that one host, not the network around it. Blocks unwanted inbound traffic with a handful of commands. No web UI, but that's a feature: a smaller attack surface.

OPNsense / pfSense — Full Network Firewall

Runs as a VM or on a dedicated machine and becomes the router between your network segments. Full-featured firewall with web UI, IDS/IPS (Suricata), VPN, captive portal, and traffic shaping. Both are FreeBSD-based; OPNsense (forked from pfSense in 2015) has the more modern interface and faster release cadence, while pfSense has the larger community.

VLAN + Managed Switch — Network Segmentation Without a Firewall VM

If you have a managed switch (e.g., TP-Link, Netgear, or MikroTik), you can create VLANs to separate traffic without running a dedicated firewall VM. Be clear about what a VLAN on its own gives you: devices in different VLANs cannot reach each other at all, and a VLAN your router knows nothing about has no gateway and therefore no internet. The moment something routes between VLANs (a layer-3 switch, a multi-VLAN router), that device must also filter, or the isolation is gone. Works well for simple hard isolation; for controlled access between segments you still need a firewall.

3. UFW — Simple Linux Firewall (Recommended Starting Point)

UFW is pre-installed on Ubuntu. It provides everything you need for a single-server homelab without the complexity of a full firewall distribution.

Step 1: Allow SSH (critical!)

Always allow SSH before enabling the firewall, or you'll lock yourself out. If sshd listens on a non-default port, allow that port instead of 22.

sudo ufw allow 22/tcp comment "SSH - do not lock yourself out"

Step 2: Set default policies

Block all incoming traffic by default. Allow all outgoing.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 3: Allow your services

Allow specific ports for services you're running. Example for a web server and Pi-hole (Pi-hole also answers large responses on 53/tcp, so allow that as well if you run it):

sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"
sudo ufw allow 53/udp comment "Pi-hole DNS"

Step 4: Enable the firewall

Confirm the SSH rule is staged, then enable. Note that ufw status only reports "inactive" until the firewall is enabled; ufw show added lists the rules you have queued up.

sudo ufw show added
sudo ufw enable

Step 5: Check the status

View active rules at any time.

sudo ufw status numbered
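The five steps above as one script, added here as an example (it is not code from the article). It reads the port sshd actually listens on from sshd_config and refuses to enable the firewall unless an allow rule for that port is staged, which is the lockout check the steps describe. It assumes Ubuntu/Debian with ufw and OpenSSH installed and that the services are those from Step 3.

```shell
#!/usr/bin/env bash
# Added example (not from the article): the five UFW steps as one script that
# refuses to enable the firewall until the port sshd really listens on is staged
# as an allow rule. Assumes Ubuntu/Debian with ufw and OpenSSH installed.
set -eu

# Port sshd listens on, taken from the first uncommented "Port" directive in
# sshd_config; falls back to 22 (sshd's own default) when there is none.
ssh_port_from_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" 2>/dev/null \
           | awk '{print $2}' | head -n 1) || true
    echo "${port:-22}"
}

# True when the text of `ufw show added` ($1) contains an inbound allow for $2/tcp.
ssh_rule_staged() {
    printf '%s\n' "$1" | grep -qE "^ufw allow $2/tcp"
}

apply_ufw() {
    port=$(ssh_port_from_config)

    # Step 1: SSH first, so enabling the firewall cannot cut this session off.
    sudo ufw allow "${port}/tcp" comment "SSH - do not lock yourself out"

    # Step 2: default-deny inbound, allow outbound.
    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    # Step 3: the services this host runs (Pi-hole answers on 53/tcp as well).
    sudo ufw allow 80/tcp  comment "HTTP"
    sudo ufw allow 443/tcp comment "HTTPS"
    sudo ufw allow 53/udp  comment "Pi-hole DNS"
    sudo ufw allow 53/tcp  comment "Pi-hole DNS (TCP)"

    # Step 4: verify the SSH rule is really staged before enabling. At this point
    # `ufw status` only says "inactive"; `ufw show added` lists the queued rules.
    if ! ssh_rule_staged "$(sudo ufw show added)" "$port"; then
        echo "refusing to enable ufw: no allow rule for SSH port ${port}" >&2
        return 1
    fi
    sudo ufw --force enable   # --force skips the "may disrupt ssh" prompt

    # Step 5: show the numbered rule list.
    sudo ufw status numbered
}

# Only act when invoked with --apply, so the helpers can be sourced and checked.
if [ "${1:-}" = "--apply" ]; then
    apply_ufw
fi
```

Run it as `bash ufw-setup.sh --apply` on the server. If you change the SSH port later, re-run Step 1 for the new port before restarting sshd, for the same reason the script checks the rule before enabling.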

4. VLAN Segmentation in a Homelab

VLANs (Virtual LANs) let you split one physical network into multiple logical networks. Traffic cannot cross from one VLAN to another except through a router, and when that router is your firewall, every inter-VLAN packet is subject to its rules. This is the single most impactful security improvement you can make.

Common homelab VLAN setup:

VLAN 10 — Management

Network devices, switches, IPMI/iDRAC, and your hypervisor. Only accessible from your admin machine. No internet access needed.

VLAN 20 — Main LAN (Family)

Laptops, phones, TVs, and guest devices. Standard internet access, no access to homelab services.

VLAN 30 — Homelab Services

Your servers, NAS, Home Assistant, and Pi-hole. Only the management VLAN (or VPN clients) may initiate connections into this segment, with two deliberate exceptions: every VLAN needs to reach Pi-hole on port 53 for DNS, and Home Assistant needs to initiate connections into the IoT VLAN (never the other way round).

VLAN 40 — IoT / Smart Home

Smart cameras, sensors, and smart speakers. Internet access allowed, but isolated from main LAN and homelab.

VLAN 50 — DMZ (Optional)

Public-facing services like a reverse proxy, VPN server, or web hosting. Has internet access but is isolated from everything else.

5. DMZ Setup for Public-Facing Services

A DMZ (DeMilitarized Zone) is a separate network segment for anything the internet can reach: the firewall forwards inbound connections to it and treats it as untrusted from the inside. Services you want accessible from outside (a reverse proxy, a personal website, a VPN server) go here.

The key principle: services in the DMZ can reach the internet but cannot initiate connections into your internal network. The only exceptions are flows you allow explicitly, such as the reverse proxy talking to one backend port, and each such rule should name the source, the destination and the port. Even if a DMZ service is compromised, the attacker gets that one hole and nothing more: not your NAS, your main computers, or your homelab infrastructure.

Port forwarding to DMZ

Forward only the necessary ports (80, 443, and your VPN port) from your router to the DMZ IP. Never port forward directly to an internal LAN IP, and never use a consumer router's "DMZ host" feature, which forwards every port to one machine.

Reverse proxy in DMZ

Put Nginx Proxy Manager or Traefik in the DMZ. It terminates TLS and forwards clean requests to services in your internal homelab VLAN, over a firewall rule that allows exactly that proxy-to-backend connection and nothing else.

Fail2ban on public services

Install Fail2ban on the host of any service exposed to the internet (for a reverse proxy, point it at the proxy's access log). It reads the service's log and temporarily bans source IPs that keep failing to log in. It slows brute force down; it is no substitute for strong credentials or multi-factor authentication.
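The VLAN policy from section 4 and the DMZ rules from this section, written out as an nftables ruleset for a Linux router. This is an added example, not configuration from the article or from OPNsense/pfSense (on those, the same rules are entered in the web UI). It assumes 802.1Q sub-interfaces vlan10 to vlan50 on trunk eth0, a WAN interface named wan0, 10.0.<vlan>.0/24 addressing, and placeholder addresses for the Pi-hole (10.0.30.53), the DMZ reverse proxy (10.0.50.10) and its single backend (10.0.30.10 port 8443).

```shell
#!/usr/bin/env bash
# Added example, not from the article: an nftables ruleset enforcing the five-VLAN
# policy (section 4) and the DMZ rules (section 5) on a Linux router.
# Assumptions: 802.1Q sub-interfaces vlan10..vlan50 on trunk eth0, WAN interface
# wan0, 10.0.<vlan>.0/24 addressing, and placeholder addresses for the Pi-hole
# (10.0.30.53), the DMZ reverse proxy (10.0.50.10) and its backend (10.0.30.10:8443).
set -eu

TRUNK="${TRUNK:-eth0}"
WAN="${WAN:-wan0}"

# One 802.1Q sub-interface per VLAN, with the router as .1 in each subnet.
create_vlan_interfaces() {
    for id in 10 20 30 40 50; do
        ip link add link "$TRUNK" name "vlan${id}" type vlan id "$id"
        ip addr add "10.0.${id}.1/24" dev "vlan${id}"
        ip link set "vlan${id}" up
    done
}

# Print the ruleset so it can be reviewed (--render) before it is loaded (--apply).
# "flush ruleset" discards every existing table, including ones other software
# (e.g. Docker) added; drop that line if that is not what you want.
render_policy() {
cat <<EOF
flush ruleset
table inet homelab {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # VLAN 10 (management) may initiate connections to every segment.
        iifname "vlan10" accept

        # Family (20), homelab (30), IoT (40) and DMZ (50) may reach the internet...
        iifname { "vlan20", "vlan30", "vlan40", "vlan50" } oifname "$WAN" accept

        # ...and nothing else, apart from these deliberate, narrowly scoped holes:
        # every VLAN may query the Pi-hole in VLAN 30, on port 53 only,
        iifname { "vlan20", "vlan40", "vlan50" } oifname "vlan30" ip daddr 10.0.30.53 udp dport 53 accept
        iifname { "vlan20", "vlan40", "vlan50" } oifname "vlan30" ip daddr 10.0.30.53 tcp dport 53 accept
        # VLAN 30 (where Home Assistant lives) may initiate into the IoT VLAN, never the reverse,
        iifname "vlan30" oifname "vlan40" accept
        # and the DMZ reverse proxy may reach exactly one backend port in VLAN 30.
        iifname "vlan50" oifname "vlan30" ip saddr 10.0.50.10 ip daddr 10.0.30.10 tcp dport 8443 accept

        # Everything the policy drops is logged (rate-limited) so the rules can be tuned.
        limit rate 10/minute log prefix "inter-vlan drop: "
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        # Port-forward only 80/443, and only into the DMZ proxy. Add the VPN port
        # here only if the VPN server lives in the DMZ rather than on the firewall.
        iifname "$WAN" tcp dport { 80, 443 } dnat ip to 10.0.50.10
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}

case "${1:-}" in
    --render) render_policy ;;
    --apply)
        sysctl -w net.ipv4.ip_forward=1
        create_vlan_interfaces
        render_policy | nft -f -
        ;;
esac
```

Read the forward chain top to bottom: the default is drop, return traffic for established connections is accepted first, and every accept after that names the source VLAN, the destination VLAN and, for the holes, the exact address and port. The log rule at the end is where you look when something legitimate stops working after segmentation.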

6. Network Hardening Checklist

Apply these practices regardless of which firewall approach you use:

Disable UPnP on your router

UPnP lets devices punch holes in your firewall automatically. Disable it — if a homelab service needs a port, forward it manually.

Change default router login credentials

Default admin passwords on routers are a common entry point. Change them on day one.

Use strong Wi-Fi passwords + WPA3

Your Wi-Fi is the gateway to your network. Use a strong, unique password and WPA3 encryption if your devices support it.

Set up IDS with Suricata (OPNsense/pfSense)

An intrusion detection system such as Suricata inspects traffic crossing the firewall against signature rulesets and alerts you to suspicious patterns; in IPS mode it also blocks them. It cannot see inside TLS, so expect it to catch scans, known-bad destinations and plaintext protocols rather than everything.

Enable logging and review it

All firewall logs should go to a central log server (e.g., Grafana + Loki) or at minimum to a log file you check monthly.

Use VPN, not port forwarding

Instead of exposing services directly to the internet, access them via a WireGuard VPN. Only expose the VPN port (51820/UDP by default). WireGuard does not reply to packets that fail its authentication, so the open port is invisible to scanners.
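A WireGuard setup for this "VPN, not port forwarding" rule (and for the FAQ question below about remote access), added here as an example; it is not configuration from the article. It generates the server config for the firewall and a per-client config in which AllowedIPs restricts the tunnel to the homelab VLAN. Assumptions: the placeholder public endpoint vpn.example.org, tunnel subnet 10.0.99.0/24, the homelab VLAN 10.0.30.0/24 as the only network routed over the tunnel, root privileges and wireguard-tools installed when --apply is used, and a firewall rule that allows forwarding from wg0 into the homelab VLAN.

```shell
#!/usr/bin/env bash
# Added example, not from the article: render the WireGuard server config for the
# firewall and a per-client config, so that UDP 51820 is the only exposed port.
# Assumptions: placeholder endpoint vpn.example.org, tunnel subnet 10.0.99.0/24,
# homelab VLAN 10.0.30.0/24 routed over the tunnel, wireguard-tools for --apply.
set -eu

ENDPOINT="${ENDPOINT:-vpn.example.org:51820}"   # placeholder public endpoint
TUNNEL_NET="10.0.99"                             # assumed tunnel subnet (/24)
ROUTED_NET="10.0.30.0/24"                        # homelab VLAN reachable over VPN

# Server side: listens on 51820; each peer is pinned to its own /32, so one
# client cannot send traffic using another client's tunnel address.
# Usage: render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBKEY...
render_server_conf() {
    local server_key="$1"; shift
    printf '[Interface]\nAddress = %s.1/24\nListenPort = 51820\nPrivateKey = %s\n' \
        "$TUNNEL_NET" "$server_key"
    local idx=2
    for peer_pub in "$@"; do
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%d/32\n' "$peer_pub" "$TUNNEL_NET" "$idx"
        idx=$((idx + 1))
    done
}

# Client side: AllowedIPs limits what enters the tunnel to the homelab VLAN and
# the server's tunnel address (split tunnel); the keepalive holds the NAT mapping
# open for clients behind CGNAT or on mobile networks.
# Usage: render_peer_conf CLIENT_PRIVATE_KEY SERVER_PUBKEY CLIENT_INDEX
render_peer_conf() {
    local client_key="$1" server_pub="$2" idx="$3"
    printf '[Interface]\nAddress = %s.%d/32\nPrivateKey = %s\n\n' "$TUNNEL_NET" "$idx" "$client_key"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s, %s.1/32\nPersistentKeepalive = 25\n' \
        "$server_pub" "$ENDPOINT" "$ROUTED_NET" "$TUNNEL_NET"
}

# Generate keys on the firewall (run as root), write both configs, open the one
# port, and start the tunnel. The firewall must also permit forwarding from
# wg0 into the homelab VLAN and have net.ipv4.ip_forward enabled.
apply() {
    umask 077    # key material must not be world-readable
    srv_priv=$(wg genkey); srv_pub=$(printf '%s' "$srv_priv" | wg pubkey)
    cli_priv=$(wg genkey); cli_pub=$(printf '%s' "$cli_priv" | wg pubkey)
    render_server_conf "$srv_priv" "$cli_pub" > /etc/wireguard/wg0.conf
    render_peer_conf "$cli_priv" "$srv_pub" 2 > ./laptop.conf   # import this on the client
    ufw allow 51820/udp comment "WireGuard"                      # the only exposed port
    systemctl enable --now wg-quick@wg0
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Keep the client's AllowedIPs narrow: 0.0.0.0/0 would route all of the client's traffic through your home connection, which is rarely what you want for a homelab and widens what a stolen phone can reach.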

Frequently Asked Questions

Do I need a dedicated firewall machine for my homelab?

Not necessarily. For a simple single-server homelab, UFW on your Ubuntu Server is sufficient. A dedicated firewall VM (OPNsense/pfSense) becomes worthwhile when you want network-wide VLAN segmentation, IDS/IPS, or more than one server.

What is the difference between a firewall and a VLAN?

A firewall controls which traffic is allowed between network segments based on rules. A VLAN creates separate network segments. Together they provide both isolation (VLAN) and control (firewall). You typically need both.

Should I use OPNsense or pfSense?

OPNsense is generally recommended for new homelabs — it has a more modern UI, faster development cycle, and cleaner default configuration. pfSense has a larger community and more third-party documentation. For most homelab use cases, they're equivalent in capability.

What is a honeypot in a homelab?

A honeypot is a decoy service or server designed to attract attackers and detect intrusion attempts. T-Pot is a platform that bundles many honeypots (Cowrie for SSH/Telnet, Dionaea and others) with dashboards; running it, or a single low-interaction honeypot, in your DMZ can give you early warning of probing or attacks targeting your network. Treat the honeypot as already compromised: isolate it from everything else and only collect its logs.

How do I access my homelab from outside without opening ports?

Tailscale or WireGuard. Tailscale creates an encrypted mesh VPN with zero port forwarding — install it on your homelab server and your laptop/phone, and you can access your entire network from anywhere. WireGuard requires one open port (UDP 51820).

Take It Further: Virtualization

Run your firewall as a VM alongside other services on the same hardware with Proxmox.

Proxmox Setup Guide →