Best Homelab Router Setup (2025): Stop Letting Your ISP Kill Your Stack

Your ISP router is a security nightmare waiting to happen. Here's how to build a real router that protects your media server stack instead of exposing it.

I learned about UPnP the hard way.

Came home one day to find my Plex server had been accessed from IP addresses in three different countries. My “smart” ISP router had helpfully port-forwarded my entire media stack to the internet, no permission needed, no notification sent. Any device on my network could punch holes in my firewall whenever it wanted.

That Netgear router I’d been running for two years? Turns out UPnP was enabled by default. And enabled means “any device can open any port.” My smart TV had decided it needed incoming connections. My Roku wanted to be “discoverable.” And my network had zero defense against any of it.

I spent that weekend learning about VLANs, firewall rules, and why consumer routers are designed for convenience, not security.

This is Part 2 of building a proper media server stack. In Part 1, we talked about why you need three boxes. This is the deep dive on Box 1: the router that keeps everything safe, fast, and under your control.

💭 TL;DR
Your ISP router can't do VLANs, logging, or real security. A proper router box ($150-$800) running OPNsense or pfSense gives you network segmentation, intrusion detection, full traffic visibility, and actual control. Budget build: $200 total. Expected setup time: one weekend to get working, 2-3 weekends to get secure. The payoff: you'll finally know what's happening on your network instead of hoping for the best.

What Actually Happened When I Switched

I ran consumer routers for years. Netgear, Asus, TP-Link, the usual suspects. They worked fine until they didn’t. Then I spent a Saturday building a dedicated router box with OPNsense.

Before (ISP Router):

Visibility: None. I could see connected devices and… that’s it. No idea what traffic was flowing, who was talking to whom, or what ports were open.

Security: A checkbox labeled “firewall enabled.” That was the extent of it. No logs. No alerts. No actual control over what was allowed.

Performance: 4K streaming while downloading? The router would randomly decide to prioritize the wrong thing. Or just give up entirely and need a reboot.

Segmentation: Everything on 192.168.1.x. My Jellyfin server could see my IoT lightbulbs. My download containers could access my NAS. My kids’ tablets were on the same network as my backup server. Zero isolation.

Updates: Whenever Netgear felt like it. Sometimes they’d change settings without telling me. Once an update re-enabled WPS without asking. Cool.

After (OPNsense Box):

Visibility: I can see every connection, every blocked attempt, every DNS query. I know exactly what my network is doing at any moment. Grafana dashboard shows real-time traffic by VLAN, by device, by service.

Security: Five VLANs with explicit allow rules between them. IDS/IPS (Suricata) catching and blocking sketchy traffic. I see attempted breaches weekly that my old router never even noticed. Logs show me exactly what happened and when.

Performance: QoS rules mean my Jellyfin streams never stutter, even when torrents are maxing out my connection. Traffic shaping actually works instead of being a placebo checkbox.

Segmentation:

  • 10.0.1.x: Trusted devices (my laptop, phone, work machines)
  • 10.0.2.x: Media stack (Jellyfin, Sonarr, Radarr, etc.)
  • 10.0.3.x: IoT garbage (cameras, lights, smart switches)
  • 10.0.4.x: Guest WiFi (isolated from everything)
  • 10.0.5.x: Management (router, switch, NAS admin interfaces)

My smart lightbulbs literally cannot see my NAS. Even if they wanted to, the firewall says no.

Updates: When I decide. I test in a VM first. Nothing changes without my approval.

The difference isn’t subtle. It’s night and day. I went from hoping my network was secure to knowing it is.

Why Your Current Router is Failing You

Let’s talk about what your consumer router actually can’t do, even if the box claims it can.

The Lies Consumer Routers Tell

“Advanced Security Features!”
Translation: We scan for the most obvious malware signatures from 2015. Maybe. If the moon is in the right phase.

Real security means IDS/IPS with updated rulesets, traffic analysis, and actual logging. Your $120 Asus router isn’t doing that. It doesn’t have the CPU, the RAM, or the software architecture.

“Parental Controls!”
Translation: We’ll block some websites based on categories we chose. Good luck customizing it or seeing what actually got blocked.

Real control means VLANs, per-device firewall rules, traffic shaping, and schedules you actually define. Not some app-based checkbox system that stops working when the company shuts down their cloud service.

“QoS for Gaming!”
Translation: We’ll… try to prioritize some packets? Maybe? It mostly just adds latency.

Real QoS means you define exactly what traffic gets priority, set bandwidth limits per device or service, and actually see the results in your traffic graphs.

“Gigabit Router!”
Translation: The ports are gigabit. The actual routing performance? Let’s not talk about that.

My old Netgear claimed gigabit speeds. It topped out at about 600Mbps with any features enabled. OPNsense on a $200 box? Full gigabit with IDS/IPS, multiple VLANs, and VPN running simultaneously.

The Single Point of Failure Problem

Here’s the architecture of your typical consumer router:

  • Router
  • Firewall
  • WiFi access point
  • Switch
  • DHCP server
  • DNS server
  • Sometimes a VPN server
  • Maybe a USB file server for good measure

All in one box. When any piece fails, everything fails. When you need to reboot for a firmware update, everything goes down. When the WiFi starts acting weird, you can’t isolate that problem without taking down your entire network.

This is terrible design.

A proper network has separate components:

  • Router box: Routing, firewall, DHCP, DNS
  • Switch: Distributes wired connections, handles VLANs
  • Access point: Just WiFi, nothing else

When the AP needs a reboot? Your wired devices keep working. Switch dies? Anything plugged straight into the router still has a path out, and you know exactly which box to replace (if the AP hangs off the switch, WiFi goes with it, which is why the topology matters). Router goes down for maintenance? Okay, that’s a problem, but at least you can troubleshoot it independently.

What You’re Actually Exposing

Without proper network segmentation, here’s what can go wrong:

Scenario 1: IoT device compromise
A cheap IP camera with firmware nobody updates gets compromised (they are a favourite botnet target). Without segmentation, the attacker is on the same flat network as your NAS, your Plex server, your computers, everything. With an IoT VLAN and a firewall rule that blocks it from the other VLANs, they’re trapped in the IoT sandbox with no route to anything that matters. The VLAN alone only separates broadcast domains; it is the rule on the router that does the isolating.

Scenario 2: UPnP hole-punching
Your smart TV asks the router to forward port 8080. With UPnP enabled (and it usually is by default on consumer gear), the router just opens that port to the internet. No asking, no notification. The IGD AddPortMapping request also names the internal host the port should go to, and plenty of consumer routers don’t check that it matches the device asking, so a mapping can land on a different machine, maybe the one where your Sonarr instance lives. Congrats, it’s now public. With a real firewall? OPNsense doesn’t even ship UPnP (it’s an optional plugin you would have to install), and nothing opens ports without your explicit approval.
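Before you rip out the old router, it is worth seeing what UPnP has already opened. The script below is an added example written for this edit (it is not from the original post and not part of OPNsense): using only the Python standard library it discovers an InternetGatewayDevice on the LAN over SSDP, reads the device description to find the WANIPConnection control URL, and walks GetGenericPortMappingEntry from index 0 until the router returns a SOAP fault (UPnP error 713, index past the end of the table). It assumes the router implements the standard IGD profile; the addresses in the comments are illustrative.

```python
#!/usr/bin/env python3
"""List the port mappings a UPnP IGD router currently holds (added example, not OPNsense code).

SSDP multicast discovery, then the WANIPConnection GetGenericPortMappingEntry action,
walking index 0..N until the router answers with a SOAP fault (error 713).
Run from any LAN host. A router with UPnP disabled (OPNsense default) answers nothing.
"""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
MAPPING_FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol",
                  "NewInternalPort", "NewInternalClient", "NewEnabled",
                  "NewPortMappingDescription", "NewLeaseDuration")


def discover(timeout=2.0):
    """Return the LOCATION URLs of IGD devices that answer an SSDP M-SEARCH."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: {IGD_ST}\r\n\r\n").encode()
    locations = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            while True:
                data, _ = s.recvfrom(4096)
                m = re.search(rb"(?im)^location:\s*(\S+)", data)
                if m:
                    locations.add(m.group(1).decode())
        except socket.timeout:
            pass
    return sorted(locations)


def control_url(location, description_xml):
    """Find the WANIPConnection controlURL inside a device description document."""
    root = ET.fromstring(description_xml)
    for service in root.iter():
        if not service.tag.endswith("service"):
            continue
        stype = ctl = None
        for child in service:
            if child.tag.endswith("serviceType"):
                stype = (child.text or "").strip()
            elif child.tag.endswith("controlURL"):
                ctl = (child.text or "").strip()
        if stype == WANIP and ctl:
            return urljoin(location, ctl)     # controlURL is usually relative
    return None


def parse_mapping(soap_response):
    """Turn a GetGenericPortMappingEntry response body into a dict, or None if it is not one."""
    root = ET.fromstring(soap_response)
    found = {}
    for el in root.iter():
        name = el.tag.split("}")[-1]          # strip any namespace
        if name in MAPPING_FIELDS:
            found[name] = (el.text or "").strip()
    return found if "NewExternalPort" in found else None


def soap_call(url, index):
    """POST one GetGenericPortMappingEntry request; raises HTTPError on a SOAP fault."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    return urllib.request.urlopen(req, timeout=5).read()


def list_mappings(location):
    """Walk every mapping the router exposes; stop at the first fault (end of table)."""
    desc = urllib.request.urlopen(location, timeout=5).read()
    url = control_url(location, desc)
    if url is None:
        return []
    mappings = []
    for index in range(1000):                 # safety cap
        try:
            m = parse_mapping(soap_call(url, index))
        except urllib.error.HTTPError:        # HTTP 500 + UPnPError 713: index past the end
            break
        if m is None:
            break
        mappings.append(m)
    return mappings


if __name__ == "__main__":
    for loc in discover():
        print("IGD at", loc)
        for m in list_mappings(loc):
            print(f"  {m.get('NewProtocol')}/{m.get('NewExternalPort')} -> "
                  f"{m.get('NewInternalClient')}:{m.get('NewInternalPort')} "
                  f"({m.get('NewPortMappingDescription')})")
```

Every line it prints is a hole in your perimeter that some device asked for on its own. Run it again after the switch to OPNsense: with no UPnP plugin installed, discovery comes back empty.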

Scenario 3: Compromised download client
You download something sketchy (hey, it happens). Your qBittorrent or SABnzbd container gets compromised. Without network segmentation, that’s a direct path to your storage, your personal files, everything. With proper VLANs and firewall rules? The download container can only talk to specific services and can’t touch your personal data at all.

Scenario 4: Firmware backdoor
Your router manufacturer (or your ISP if they provided the router) pushes a firmware update with a backdoor. Or a security researcher finds one that’s been there for years. Without the source and without control over when updates land, you’re at their mercy. With OPNsense or pfSense CE? The code is open for anyone to audit, and nothing changes on the box until you apply the update yourself.

You’re not being paranoid. You’re being realistic. Every one of these scenarios has happened to real people running consumer routers.

The Features That Actually Matter

Here’s what a real router gives you, with concrete examples of why each matters.

1. VLAN Support (Network Segmentation)

What it means: You can create multiple virtual networks that can’t talk to each other unless you explicitly allow it.

Why it matters: Isolation is the foundation of security. If one thing gets compromised, it can’t spread.

Real example from my network:

My media stack runs in VLAN 2 (10.0.2.x). Firewall rules allow:

  • Outbound internet access for downloading and metadata
  • Inbound connections from VLAN 1 (trusted devices) for streaming
  • Connections to the NAS’s NFS exports (the exports themselves are read/write for the media share and read-only for everything else; that part is enforced by the NAS export options, not by the firewall)

Everything else? Denied by default. My Sonarr container can’t scan my personal files. My download client can’t touch my backup server. If a container gets compromised, the blast radius is contained.

2. Intrusion Detection/Prevention (IDS/IPS)

What it means: Your router inspects every packet and looks for known attack patterns, malware signatures, and suspicious behavior.

Why it matters: You’ll catch attacks before they succeed.

Real example:

I run Suricata on OPNsense with the Emerging Threats ruleset. Every week I see blocked attempts:

  • Port scans from random IPs testing my exposed ports
  • Attempts to exploit vulnerabilities in services I’m not even running
  • Malware callback attempts from IoT devices (looking at you, cheap cameras)
  • DNS tunneling attempts (usually from work laptops that shouldn’t be doing that)

My old router? Never saw any of it. This traffic was happening the whole time; I just had no idea.

3. Real Firewall Rules + Full Logging

What it means: You define exactly what’s allowed and what’s blocked. And you can see every decision the firewall makes.

Why it matters: “Default allow” is how networks get owned. “Default deny with explicit allows” is how they stay secure.

Real example:

My media VLAN firewall rules:

  1. Allow: VLAN 2 → Internet (ports 80, 443) for app updates and metadata
  2. Allow: VLAN 2 → VLAN 2 (internal service communication)
  3. Allow: VLAN 1 → VLAN 2 (ports 8096, 7878, 8989, etc.) for accessing services
  4. Allow: VLAN 2 → NAS (ports 2049, 111) for NFS
  5. Deny: Everything else (log it)

Two details that trip people up. Rules live on the tab of the interface the traffic enters, so rule 3 goes on the VLAN 1 tab while the rest go on the VLAN 2 tab. And traffic between two hosts in the same VLAN is switched, never routed, so the router never sees it: rule 2 really only covers traffic to the router’s own VLAN 2 address (DNS, DHCP), and rule 4 only does anything if the NAS sits in a different VLAN than the clients.

When something breaks, I check the logs and see exactly what’s being denied. Add a rule if it’s legitimate. Investigate if it’s not.

4. Local DNS + DHCP Control

What it means: Your router handles name resolution and IP assignments. You decide what resolves to what.

Why it matters: Static IPs for all your services, custom DNS entries, and full control over what your devices can reach. (home.arpa is the suffix reserved for exactly this by RFC 8375; a made-up suffix like .home works in practice but isn’t reserved for private use.)

Real example:

Instead of remembering that Jellyfin is at 10.0.2.15:8096, I just go to jellyfin.home. All my services have friendly names:

  • jellyfin.home
  • sonarr.home
  • radarr.home
  • proxmox.home

Static DHCP means each device always gets the same IP. My NAS is always 10.0.2.10. My compute box is always 10.0.2.20. Services can rely on these addresses. No more “why did everything break after a reboot” because IPs shuffled.

Plus I can use DNS to block ads, tracking, and telemetry at the network level. Every device benefits without needing per-device configuration.

5. Traffic Shaping + QoS

What it means: You can prioritize certain traffic over others and set bandwidth limits per device or service.

Why it matters: Your Jellyfin stream shouldn’t stutter because someone started downloading a 50GB Linux ISO.

Real example:

My QoS setup:

  • Priority 1: Real-time (VoIP, video calls) - always goes first
  • Priority 2: Streaming (Jellyfin, YouTube) - high priority
  • Priority 3: Interactive (web browsing, SSH) - normal priority
  • Priority 4: Bulk (downloads, backups) - low priority, capped at 80% of total bandwidth

Downloads can max out the connection during the day when nobody’s streaming. But the moment someone starts watching something, those downloads automatically throttle back. No buffering, no stuttering, no manual intervention needed.

6. VPN Server (Optional but Useful)

What it means: You can VPN into your home network from anywhere.

Why it matters: Access your media server, manage your stack, transfer files, all securely, without exposing services to the internet. The only thing listening on the WAN is a single UDP port, and WireGuard doesn’t answer packets that fail authentication, so a port scan sees nothing there.

Real example:

I run WireGuard on my OPNsense box. When I’m traveling, I VPN in and access everything as if I’m home. No ports forwarded. No reverse proxy exposed. No cloud dependencies. Just a secure tunnel to my LAN.

Added bonus: I can route my phone’s traffic through my home network when I’m on sketchy public WiFi. My network-level ad blocking follows me everywhere.

Is This Over My Head?

Short answer: No, but it’s not plug-and-play either.

The honest timeline:

  • Initial OPNsense install: 1-2 hours (mostly waiting for downloads and reboots)
  • Basic firewall rules: 2-3 hours (and lots of Googling “why can’t I access the internet”)
  • VLAN setup: 3-4 hours (this is where you’ll get stuck)
  • IDS/IPS configuration: 1-2 hours (mostly just enabling Suricata and picking rulesets)
  • Fine-tuning and testing: Ongoing (you’ll tweak rules for months)

Total to “basically working”: One weekend
Total to “actually secure”: 2-3 weekends of tweaking

Skills You’ll Learn (Whether You Want To Or Not)

How networks actually work
Subnet masks will finally make sense. You’ll understand why 10.0.1.0/24 means something specific. You’ll learn the difference between a gateway and a DNS server. This knowledge is weirdly empowering.

How to read firewall logs
At first they’re gibberish. After a while, you’ll scan them quickly and know exactly what’s normal vs. suspicious. You’ll start to recognize patterns and understand your network’s behavior.

Why NAT is both brilliant and annoying
You’ll curse NAT when port forwarding refuses to work. You’ll love NAT when you realize it’s hiding your entire network behind one public IP. You’ll understand both perspectives.

How to troubleshoot “why can’t X talk to Y”
Is it a firewall rule? A routing issue? A DNS problem? A VLAN misconfiguration? You’ll develop a mental checklist and work through it methodically. This is the most valuable skill you’ll gain.

The Learning Curve is Worth It

I’m not going to lie: your first VLAN setup will fail. You’ll lock yourself out of the router interface at least once. You’ll create a firewall rule that blocks something you didn’t mean to block and spend 20 minutes figuring out why nothing works.

This is normal. This is the path. Everyone who runs a proper router has been there.

But here’s the thing: once it clicks, it really clicks. You’ll wonder how you ever trusted consumer gear. You’ll start seeing network problems everywhere and know exactly how to fix them. You’ll become the person your friends ask when their network is acting weird.

Your Router Hardware Options

Let’s talk actual hardware. Three tiers, specific recommendations, real prices.

Budget Build (~$200 Total)

Router Box: $80-120

  • Used Dell Wyse 5070 Extended ($80-100 on eBay)
    • J5005 quad-core CPU (plenty for gigabit + IDS/IPS)
    • 8GB RAM
    • 64GB SSD (way more than you need for OPNsense)
    • Low power draw (~10W idle)
  • Intel I350-T2 dual-port NIC ($40 on eBay)
    • One port to your modem, one to your switch
    • Intel NICs are rock-solid with BSD

Switch: $40-60

  • TP-Link TL-SG108E 8-port managed switch ($40)
    • Supports 802.1Q VLANs
    • Web-managed (no CLI needed)
    • Fanless and quiet
    • Good enough for most home setups

Access Point: $60-80

  • TP-Link EAP225 ($60-70)
    • WiFi 5, plenty fast for home use
    • VLAN support for multiple SSIDs
    • PoE powered (needs injector or PoE switch)
    • Centrally managed with free Omada controller software

Total: ~$200

What this handles:

  • Gigabit routing with IDS/IPS enabled
  • 5-6 VLANs without breaking a sweat
  • 20-30 devices total
  • Basic VPN (WireGuard or OpenVPN)

What it struggles with:

  • Multi-gig (2.5GbE or 10GbE) speeds
  • Heavy VPN traffic (you’ll max around 400-500Mbps)
  • Large IDS/IPS rulesets (throughput drops as the rule count grows)

Who this is for: 95% of home users with gigabit internet or slower. This is where I started. It works great.

Balanced Build (~$500 Total)

Router Box: $250-350

  • Fanless Intel N100 or i3-N305 mini PC sold as a firewall appliance ($250-300; the Minisforum MS-01 often gets suggested here, but it is a 12th/13th-gen Core i5/i9 box with 10GbE SFP+ that costs closer to the Beast-tier router budget)
    • N100 or i3-N305 (much faster than the J5005, still low power)
    • 16GB RAM
    • Two to four 2.5GbE ports built-in (Intel i225/i226, no NIC card needed)
    • M.2 SSD slot
  • Or: HP/Dell/Lenovo SFF PC ($150 used) + Intel X710 dual-port 10GbE NIC ($200)

Switch: $120-180

  • TP-Link TL-SG2008P 8-port PoE+ managed switch ($120)
    • 802.1Q VLAN support
    • 4 PoE+ ports for access points
    • Gigabit copper only, no SFP/SFP+ uplinks; if you want a 10GbE uplink later, pick a model that has them
  • Or: Netgear GS308E + separate PoE injector (~$100 total)

Access Point: $100-150

  • UniFi U6 Lite ($100)
    • WiFi 6
    • Clean interface, good performance
    • Supports multiple VLANs/SSIDs
    • PoE powered

Total: ~$500

What this handles:

  • Multi-gig on the router itself (2.5GbE ports); the switch and AP listed above are 1GbE, so you need a 2.5GbE switch before anything downstream of the router sees it
  • Heavy IDS/IPS with lots of rules
  • VPN at line speed (WireGuard easily hits 1Gbps+)
  • 50+ devices without slowdown
  • Room to grow

What it struggles with:

  • Full 10GbE routing (need beefier hardware)
  • Extremely complex rule sets (hundreds of rules)

Who this is for: Enthusiasts with 1-2.5Gbps internet, larger homes, people planning to expand their stack significantly.

Beast Build (~$1000 Total)

Router Box: $500-700

  • Custom SFF build:
    • Intel i5-12400 or AMD Ryzen 5 5600G ($150-180)
    • 32GB RAM ($60-80)
    • 256GB NVMe SSD ($30)
    • Mini-ITX motherboard with dual 2.5GbE ($150-200)
    • Add-on Intel X710 dual 10GbE NIC ($200)
    • SFF case + PSU ($100)
  • Or: Used enterprise gear like HP ProDesk 600 G4 ($200) + X710 NIC ($200)

Switch: $300-400

  • MikroTik CRS309-1G-8S+IN ($300)
    • 8x 10GbE SFP+ ports
    • VLAN support
    • Quiet enough for home use
  • Or: UniFi Switch Pro 24 PoE ($400)
    • 16x 1GbE PoE+, 8x 1GbE PoE++ (the copper ports are all gigabit)
    • 2x 10GbE SFP+
    • Pretty interface, good management

Access Point: $150-200

  • UniFi U6 Enterprise ($200)
    • WiFi 6E
    • 2.5GbE uplink
    • Excellent range and performance
  • Or: 2x UniFi U6 Pro ($150 each) for multi-AP coverage

Total: ~$1000+

What this handles:

  • 10GbE routing at line speed
  • Extremely complex firewall rules (hundreds of rules, no performance hit)
  • Multiple simultaneous VPN connections at gigabit+ speeds
  • IDS/IPS with every ruleset enabled
  • 100+ devices
  • Future-proof for years

Who this is for: People with multi-gig fiber (2.5-10Gbps), large homes, complex networks, or those who just want to build it once and not think about it for 5-7 years.

OPNsense vs pfSense: Which Should You Choose?

The two big players in open-source routing are OPNsense and pfSense. Both are based on FreeBSD. Both are excellent. Here’s how to decide.

The Quick Decision Tree

Choose OPNsense if:

  • You’re new to this and want a cleaner, more modern interface
  • You want Suricata (IDS/IPS) built-in and easy to enable
  • You prefer a project with a more open development model
  • You value frequent updates and new features

Choose pfSense if:

  • You want the most mature, battle-tested platform
  • You prioritize stability over bleeding-edge features
  • You need specific packages that only pfSense has
  • You want the largest community for troubleshooting help

My Recommendation

Start with OPNsense.

I ran pfSense for years. It’s great. But when I switched to OPNsense about two years ago, I was immediately happier. The interface is cleaner. Setting up VLANs is more intuitive. IDS/IPS configuration is straightforward instead of confusing.

pfSense isn’t badβ€”OPNsense is just friendlier for newcomers while being just as powerful for experts.

That said: Either one is infinitely better than a consumer router. You can’t make a wrong choice here. Pick one, learn it, and you’ll be happy.

Feature Comparison

Feature          | pfSense                                              | OPNsense                                          | Winner
-----------------|------------------------------------------------------|---------------------------------------------------|---------
Interface        | Functional but dated                                 | Modern, clean                                     | OPNsense
IDS/IPS          | Requires packages (Suricata/Snort)                   | Built-in Suricata                                 | OPNsense
Updates          | Major CE versions roughly yearly                     | Two releases a year plus frequent point updates   | Tie
VPN support      | OpenVPN, IPsec, WireGuard (via package)              | OpenVPN, IPsec, WireGuard (built-in)              | OPNsense
Community        | Huge, very mature                                    | Growing, very active                              | pfSense
Documentation    | Extensive                                            | Good, improving                                   | pfSense
Plugins/Packages | More available                                       | Fewer, but growing                                | pfSense
Open source      | CE yes; pfSense Plus is Netgate’s closed-source edition | Yes, community-driven (sponsored by Deciso)    | OPNsense

Your First 48 Hours with OPNsense

Here’s what to expect and how to avoid the common pitfalls.

Day 1: Basic Setup

Hour 0-1: Installation

  1. Download OPNsense ISO
  2. Flash to USB drive (use Rufus or balenaEtcher)
  3. Boot your router box from USB
  4. Install to internal drive (takes 10-15 minutes)
  5. Reboot, remove USB

Hour 1-2: Initial Configuration

  1. Connect WAN port to your modem
  2. Connect LAN port to your computer (or to a switch connected to your computer)
  3. Access web interface at 192.168.1.1
  4. Run through setup wizard:
    • Set admin password (WRITE THIS DOWN)
    • Configure WAN (usually DHCP from your ISP)
    • Set LAN subnet (I use 10.0.1.0/24)
    • Set timezone
  5. Update to latest version (System → Firmware → Updates)

Hour 2-4: Getting Internet Working

  1. Test that you can reach the internet from a device on LAN
  2. Configure upstream DNS servers (System → Settings → General)
    • I use Cloudflare: 1.1.1.1, 1.0.0.1
    • Or Quad9: 9.9.9.9, 149.112.112.112
  3. Check the DNS resolver is on (Services → Unbound DNS → General; it is enabled by default). Out of the box Unbound resolves recursively from the root servers and does not use the servers you just entered (those are for the firewall itself). If you want clients to go through Cloudflare or Quad9, enable forwarding under Services → Unbound DNS → Query Forwarding, or DNS over TLS on the tab next to it.
  4. Test DNS resolution

At this point, you should have working internet through your new router. Congrats! You’ve replaced your ISP router.

Day 2: VLANs and Segmentation

Hour 4-6: Creating Your First VLAN

Start with an IoT VLANβ€”it’s low-risk and high-reward.

  1. Create VLAN on your switch (varies by model, check manual)

    • VLAN ID: 3
    • Tagged on uplink port to router
    • Untagged on ports where IoT devices connect
  2. Create VLAN interface on OPNsense:

    • Interfaces → Other Types → VLAN
    • Parent: the physical LAN NIC (the port that goes to your switch)
    • VLAN tag: 3
    • Description: IoT
  3. Assign the interface:

    • Interfaces → Assignments
    • Assign new interface, name it “IoT”
  4. Configure the interface:

    • Interfaces → IoT
    • Enable: checked
    • IPv4 Configuration: Static
    • IPv4 address: 10.0.3.1/24
  5. Enable DHCP for the VLAN:

    • Services → DHCPv4 → IoT
    • Enable: checked
    • Range: 10.0.3.100 to 10.0.3.250
  6. Create firewall rules (order matters: rules are matched top to bottom, first match wins):

    • Firewall → Rules → IoT
    • Allow rule: IoT net → IoT address (the router’s own 10.0.3.1), port 53, so devices can only use your DNS
    • Block rule: IoT net → RFC1918 (make an alias holding 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
    • Allow rule: IoT net → any, ports 80, 443 (add others such as 123 for NTP as devices turn out to need them)
    • Keep the block rule above the allow-any rule. If the allow comes first, it matches traffic to your other VLANs on those ports and the block never fires.
  7. Test: Connect an IoT device to a switch port in VLAN 3, verify it gets an IP in 10.0.3.x range, can reach internet, cannot reach devices in other VLANs.

Hour 6-8: Understanding Firewall Rules

OPNsense (and pfSense) evaluate rules on the interface where the traffic enters (the IoT tab governs packets coming from IoT devices), top-to-bottom, first-match-wins.

Common beginner mistakes:

  • Forgetting the implicit deny: If traffic doesn’t match any allow rule, it’s blocked. You don’t need explicit deny rules at the end (but they help with logging).
  • Wrong rule order: Specific rules go first, general rules go last. “Allow X to Y” should come before “Allow X to any,” and a block for your private ranges has to sit above any “allow to any” rule or it never matches anything.
  • Forgetting to apply changes: After editing rules, click “Apply Changes” or nothing happens.
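To make the ordering point concrete, here is an added example written for this edit (it is not from the original post and not OPNsense code): a small Python model of first-match-wins evaluation on one interface, run over the IoT rule list in the order the walkthrough gives it and in the corrected order, against a few flows from a camera. The addresses are the ones in this post’s plan (IoT 10.0.3.0/24, router 10.0.3.1, NAS 10.0.2.10); the two public IPs are placeholders.

```python
#!/usr/bin/env python3
"""First-match-wins rule evaluation on one firewall interface (added example, not OPNsense code).

The same IoT rule list in the walkthrough's order and in the corrected order,
checked against flows from a camera at 10.0.3.50. Addresses follow this post's
plan; the public IPs are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_NET = [ip_network("10.0.3.0/24")]
ROUTER = [ip_network("10.0.3.1/32")]
ANY = None                                   # destination wildcard


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    src: Sequence                            # networks the source must be in
    dst: Optional[Sequence]                  # networks the destination must be in, None = any
    ports: Optional[Sequence]                # destination ports, None = any
    comment: str = ""

    def matches(self, src, dst, port):
        in_src = any(ip_address(src) in n for n in self.src)
        in_dst = self.dst is None or any(ip_address(dst) in n for n in self.dst)
        in_port = self.ports is None or port in self.ports
        return in_src and in_dst and in_port


def evaluate(rules, src, dst, port):
    """Return (action, comment) of the first matching rule, or the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule.comment
    return "block", "implicit default deny"


# Order as written in the walkthrough: allow-to-any first, block-RFC1918 second.
# The allow matches first, so the block never fires for ports 80, 443 and 53.
AS_WRITTEN = [
    Rule("pass", IOT_NET, ANY, (80, 443, 53), "IoT -> any 80/443/53"),
    Rule("block", IOT_NET, RFC1918, None, "IoT -> RFC1918"),
]

# Corrected order: DNS only to the router, block private ranges, then let the rest out.
CORRECTED = [
    Rule("pass", IOT_NET, ROUTER, (53,), "IoT -> router DNS"),
    Rule("block", IOT_NET, RFC1918, None, "IoT -> RFC1918"),
    Rule("pass", IOT_NET, ANY, (80, 443, 123), "IoT -> internet"),
]

# Constructed flows from a camera at 10.0.3.50 and what the policy intends for each.
FLOWS = {
    ("10.0.3.50", "10.0.2.10", 443): "block",     # camera -> NAS web UI
    ("10.0.3.50", "10.0.2.10", 2049): "block",    # camera -> NAS NFS
    ("10.0.3.50", "10.0.3.1", 53): "pass",        # camera -> router DNS
    ("10.0.3.50", "8.8.8.8", 53): "block",        # camera -> outside DNS, bypassing your filtering
    ("10.0.3.50", "93.184.216.34", 443): "pass",  # camera -> its cloud service
}


def audit(rules):
    """Return the flows whose outcome differs from the intent (empty list = the rules do what you think)."""
    wrong = []
    for (src, dst, port), want in FLOWS.items():
        got, why = evaluate(rules, src, dst, port)
        if got != want:
            wrong.append((src, dst, port, want, got, why))
    return wrong


if __name__ == "__main__":
    for name, rules in (("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        wrong = audit(rules)
        print(f"{name}: {len(wrong)} flow(s) with the wrong outcome")
        for row in wrong:
            print("  ", row)
```

With the walkthrough’s order the camera reaches the NAS web UI on 443 and any outside DNS server, both passed by the allow-any rule before the block is ever consulted. The corrected list also shows why the DNS allow has to come first: the router’s own 10.0.3.1 is inside 10.0.0.0/8, so the RFC1918 block would otherwise swallow it.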

Common Problems and Fixes

Problem: Can’t access the internet after installing OPNsense

  • Check: Is WAN interface getting an IP from your modem? (Interfaces → Overview)
  • Check: Is default gateway set correctly? (System → Gateways → Single)
  • Check: Are DNS servers configured? (System → Settings → General)
  • Try: Reboot your modem (some ISPs lock to MAC address, need a reboot to see new router)

Problem: Devices can get internet but can’t access other VLANs

  • Check: Do you have allow rules between VLANs? (Firewall → Rules)
  • Check: Is gateway set on each VLAN interface? (Should auto-populate but worth verifying)
  • Try: Add temporary “allow all” rule to destination VLAN to test if it’s a firewall issue

Problem: Locked yourself out of the web interface

  • Solution: Connect directly to the LAN port, go to 192.168.1.1 (or whatever your LAN IP is)
  • Console: Plug in a keyboard and monitor (or use the serial console). The menu lets you fix the LAN IP (option 2), reset the root password (option 3) or reset to factory defaults (option 4). From a shell (option 8), `pfctl -d` disables the packet filter so you can get back in and remove the rule that locked you out; `pfctl -e` turns it back on.
  • Last resort: Reinstall from the USB installer and restore a saved config backup

Problem: VLANs not working at all

  • Check: Is VLAN tagging configured on your switch?
  • Check: Did you assign the VLAN interface in OPNsense? (Interfaces → Assignments)
  • Check: Is DHCP enabled for the VLAN? (Services → DHCPv4)
  • Try: Connect a device directly to router with VLAN tag configured on device (eliminates switch as variable)

Week 2-4: Advanced Features

Once your VLANs are working and you’re comfortable with firewall rules:

Add IDS/IPS (Week 2):

  • Services → Intrusion Detection → Administration
  • Enable IDS on the physical parent interface (IPS mode does not work on VLAN sub-interfaces, so pick the NIC that carries them) and make sure hardware offloading is disabled under Interfaces → Settings
  • Download rulesets (Emerging Threats Open is free and excellent)
  • Run in IDS mode for a week first, then switch to IPS mode (blocks, not just detects) once you have weeded out the false positives that would otherwise cut off legitimate traffic
  • Review alerts daily for first week

Set up traffic shaping (Week 3):

  • Firewall → Shaper → Settings
  • Create traffic priorities (real-time, streaming, bulk)
  • Create rules to match traffic to priorities
  • Test: Start a big download, then stream somethingβ€”stream shouldn’t buffer

Add AdGuard Home or Pi-hole (Week 4):

  • Run in a container on your compute box
  • Point OPNsense DNS to it (Services → Unbound DNS → forward to AdGuard)
  • Enjoy network-wide ad blocking

Configure VPN (Week 4+):

  • VPN → WireGuard → add new instance
  • Generate keys, set up peer
  • Create firewall rules for VPN interface
  • Install WireGuard client on phone/laptop
  • Test remote access

The Investment Breakdown

Let’s talk about what you’re really spending and what you’re protecting.

Initial Investment by Tier

Budget: $200 (router $120 + switch $40 + AP $60)
Balanced: $500 (router $300 + switch $120 + AP $100)
Beast: $1000+ (router $700 + switch $300 + AP $200)

What You’re Protecting

Your media library: If you’ve got 10TB+ of carefully curated media, that’s thousands of hours of acquisition/organization. What’s that worth to you?

Your personal data: Photos, documents, backups, passwords. Invaluable.

Your time: Cleaning up after a breach takes 40+ hours. At $50/hour (modest estimate), that’s $2000 in lost time.

Your sanity: Not wondering “is my network secure” is worth something.

What You’re Preventing

Ransomware attacks: Average cost for individuals: $4,100 (ransom + recovery)

Data breaches: Credit monitoring: $20/month forever = $240/year

IoT botnets: Your devices mining crypto for someone else (electricity cost + ISP complaints)

ISP throttling: When they see torrenting and streaming, they throttle. A VPN out to a provider (a separate thing from the WireGuard server above, which is for getting in) hides what the traffic is, though not how much of it there is, and traffic shaping keeps the bulk transfers from crowding out everything else.

The Power Bill Reality Check

Budget build: ~15W idle, ~25W under load
Balanced build: ~20W idle, ~35W under load
Beast build: ~40W idle, ~80W under load

At $0.12/kWh running 24/7:

  • Budget: $1.50-2.50/month
  • Balanced: $2.00-3.50/month
  • Beast: $4.00-8.00/month

Even the beast build costs less than a single streaming service. And it’s protecting thousands of dollars worth of hardware, data, and time.

Your Growth Path

You don’t need to implement everything on day one. Here’s a realistic progression:

Phase 1: Get It Working (Week 1)

  • Install OPNsense
  • Get basic internet routing working
  • Set up DHCP and DNS
  • Create static assignments for your core devices (NAS, compute box)
  • Test everything works

Goal: Replace your ISP router with something you control.

Phase 2: Add Segmentation (Week 2-3)

  • Create your first VLAN (IoT is easiest)
  • Configure switch for VLAN tagging
  • Set up firewall rules between VLANs
  • Move IoT devices to their isolated network
  • Test that isolation actually works (IoT can’t see other VLANs)

Goal: Separate trusted devices from untrusted ones.

Phase 3: Increase Security (Week 4-5)

  • Enable IDS/IPS (Suricata)
  • Download and enable threat rulesets
  • Review alerts and tune rules
  • Set up logging to see what’s being blocked
  • Maybe add a second VLAN (media stack or guest WiFi)

Goal: Start actually detecting and blocking threats.

Phase 4: Optimize Performance (Week 6-8)

  • Set up traffic shaping and QoS
  • Test streaming vs downloads
  • Fine-tune bandwidth priorities
  • Add monitoring (Grafana dashboard)
  • Optimize DNS resolution

Goal: Make sure important traffic always gets through.

Phase 5: Advanced Features (Month 3+)

  • Add VPN for remote access
  • Set up network-wide ad blocking
  • Configure advanced firewall rules
  • Add automated backups of router config
  • Maybe experiment with multi-WAN or failover

Goal: Add convenience features now that the foundation is solid.

Common Mistakes (And How to Avoid Them)

I’ve made all of these. Learn from my pain.

Mistake #1: Over-complicating on Day One

What I did: Tried to set up 6 VLANs, IDS/IPS, VPN, and traffic shaping all in one weekend.

What happened: Nothing worked. I couldn’t tell which piece was broken because I’d changed everything at once. Spent two days troubleshooting before giving up and starting over.

The fix: Do one thing at a time. Get basic routing working, then add VLANs one by one, then add IDS/IPS, then other features. Each step should work before moving to the next.

Mistake #2: Not Documenting Your Setup

What I did: Created complex firewall rules and VLAN configurations without writing anything down.

What happened: Three months later, I couldn’t remember why certain rules existed or what some VLANs were for. Broke things trying to “clean up” what I thought was unnecessary.

The fix: Keep a simple text file or wiki page documenting:

  • What each VLAN is for
  • What firewall rules do (and why they exist)
  • Static IP assignments
  • Any non-standard configurations

Future you will thank present you.

Mistake #3: Forgetting to Test Firewall Rules

What I did: Created rules that I thought blocked IoT from accessing my LAN. Never actually tested them.

What happened: Months later, realized the rules weren’t working as intended. My “secure” network wasn’t actually isolated.

The fix: After creating block rules, actually test them. Try to access a blocked resource from the restricted VLAN. Make sure it’s actually denied. Don’t assume your rules workβ€”verify them.
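An added example for this step, and for the “test that isolation actually works” item in the growth path (written for this edit, not taken from the post or from OPNsense): a small Python probe you run from a host plugged into the restricted VLAN. It classifies each TCP connect as open, closed (an RST came back, so the packet reached the host or the firewall is set to reject rather than drop) or filtered (no answer at all, which is what OPNsense’s default drop looks like), and reports every target whose result differs from what the policy intends. The target list is constructed from the addresses this post uses; adjust it to your own plan.

```python
#!/usr/bin/env python3
"""Probe VLAN isolation from inside the restricted VLAN (added example, not OPNsense code).

Run on a laptop plugged into an IoT switch port. "filtered" is what a drop rule
looks like; "closed" (RST) means the packet reached the host or hit a reject rule,
so it is not proof of isolation and is reported as a mismatch. Addresses follow
this post's plan (IoT 10.0.3.0/24, media 10.0.2.0/24, management 10.0.5.0/24).
"""
import socket
import sys

# Constructed expectations for a host in the IoT VLAN.
EXPECTATIONS = [
    ("10.0.2.10", 2049, "filtered"),   # NAS NFS: must not be reachable from IoT
    ("10.0.2.10", 445, "filtered"),    # NAS SMB
    ("10.0.2.15", 8096, "filtered"),   # Jellyfin
    ("10.0.5.1", 443, "filtered"),     # management VLAN gateway
    ("10.0.3.1", 53, "open"),          # the router's DNS is the one internal thing IoT may reach
]


def probe(host, port, timeout=3.0):
    """Classify one TCP connect: open (SYN/ACK), closed (RST), filtered (no reply / ICMP unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # socket.timeout / TimeoutError, "no route to host", etc.
        return "filtered"


def verify(expectations, probe=probe):
    """Return every (host, port, expected, observed) row whose result differs from the policy."""
    mismatches = []
    for host, port, want in expectations:
        got = probe(host, port)
        if got != want:
            mismatches.append((host, port, want, got))
    return mismatches


if __name__ == "__main__":
    bad = verify(EXPECTATIONS)
    for host, port, want, got in bad:
        print(f"FAIL {host}:{port} expected {want}, observed {got}")
    print(f"{len(EXPECTATIONS) - len(bad)}/{len(EXPECTATIONS)} targets behave as intended")
    sys.exit(1 if bad else 0)
```

A timeout also happens when the target is simply off, so confirm each target answers from the trusted VLAN before trusting a “filtered” result from the IoT side. Each dropped connection waits the full timeout, which is the point: silence is the only answer a properly blocked packet should get.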

Mistake #4: Not Setting Up Config Backups

What I did: Spent weeks perfecting my OPNsense configuration. Never backed it up.

What happened: Hardware failure killed my router. Had to rebuild everything from memory. Took two days and I forgot half the tweaks I’d made.

The fix: System β†’ Configuration β†’ Backups. Download your config regularly. Store it somewhere safe (not just on the router). Set up automatic backups to your NAS if possible.

Mistake #5: Using Default Passwords and Weak Security

What I did: Left some of the default settings in place. Used a simple password because “it’s just my home network.”

What happened: Realized during a security audit that my web interface was theoretically accessible from WAN (due to a misconfiguration). If I’d been using a weak password, that would’ve been bad.

The fix:

  • Change default passwords immediately
  • Disable web interface access from WAN (unless you really need it)
  • Use strong, unique passwords
  • Consider setting up 2FA for web interface access
  • Regularly review what’s exposed and what’s not

Mistake #6: Ignoring IDS/IPS Alerts

What I did: Enabled Suricata, saw it was blocking things, figured “cool, it’s working” and ignored the actual alerts.

What happened: Missed that one of my IoT cameras was constantly trying to phone home to suspicious Chinese IPs. It was probably in a botnet. I only caught it months later when reviewing old logs.

The fix: Review IDS/IPS alerts at least weekly for the first few months; you'll learn what's normal for your network versus what's suspicious. Tune out the noise (false positives on your own streaming and download traffic) rather than ignoring the whole feed. The pattern that catches a compromised IoT device is simple: one internal host hitting the same external address over and over on a schedule. Set up notifications for severity-1 alerts and for repeat offenders. This is your early warning system, so actually use it.
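The repeat-offender check is easy to automate over Suricata's EVE JSON log. The script below is an added example, not from the original post: it reads alert records, keeps only internal-to-external ones, and reports (source, destination, signature) triples that recur. The sample log lines are constructed, the signature names are made up, and the external addresses use documentation ranges (198.51.100.0/24, 203.0.113.0/24); on OPNsense the real file is /var/log/suricata/eve.json.

```python
"""Triage Suricata EVE JSON alerts for the "camera phoning home" pattern:
one internal host repeatedly alerting against the same external destination.

Added example, not from the original post. Sample lines are constructed;
signature names are invented; external IPs are documentation ranges.
"""
import ipaddress
import json
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an IoT camera (10.0.3.21) beaconing to one host every
# 15 minutes, a non-alert flow record, an inbound scan against the WAN
# address, and a single low-severity alert from a trusted-VLAN laptop.
SAMPLE_EVE = """\
{"timestamp":"2025-01-12T03:10:01.000000+0000","event_type":"alert","src_ip":"10.0.3.21","dest_ip":"203.0.113.5","dest_port":8080,"proto":"TCP","alert":{"signature":"SAMPLE IoT Botnet CnC Checkin","severity":1,"action":"blocked"}}
{"timestamp":"2025-01-12T03:10:02.000000+0000","event_type":"flow","src_ip":"10.0.1.20","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}
{"timestamp":"2025-01-12T03:25:01.000000+0000","event_type":"alert","src_ip":"10.0.3.21","dest_ip":"203.0.113.5","dest_port":8080,"proto":"TCP","alert":{"signature":"SAMPLE IoT Botnet CnC Checkin","severity":1,"action":"blocked"}}
{"timestamp":"2025-01-12T03:40:01.000000+0000","event_type":"alert","src_ip":"10.0.3.21","dest_ip":"203.0.113.5","dest_port":8080,"proto":"TCP","alert":{"signature":"SAMPLE IoT Botnet CnC Checkin","severity":1,"action":"blocked"}}
{"timestamp":"2025-01-12T03:41:15.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"198.51.100.200","dest_port":22,"proto":"TCP","alert":{"signature":"SAMPLE SSH Scan","severity":2,"action":"allowed"}}
{"timestamp":"2025-01-12T03:55:01.000000+0000","event_type":"alert","src_ip":"10.0.3.21","dest_ip":"203.0.113.5","dest_port":8080,"proto":"TCP","alert":{"signature":"SAMPLE IoT Botnet CnC Checkin","severity":1,"action":"blocked"}}
{"timestamp":"2025-01-12T04:02:44.000000+0000","event_type":"alert","src_ip":"10.0.1.20","dest_ip":"203.0.113.40","dest_port":443,"proto":"TCP","alert":{"signature":"SAMPLE TLS Handshake Anomaly","severity":3,"action":"allowed"}}
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alerts(text: str) -> list:
    """Keep only event_type == "alert" records. Flow/dns/etc. records and
    unparsable lines (a truncated last line is common) are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def phone_home_report(alerts: list, min_hits: int = 3) -> list:
    """Count outbound (internal -> external) alerts per (src, dst, signature).
    Returns (src, dst, signature, hits, worst_severity) tuples with
    hits >= min_hits, most frequent first, then most severe (1 is highest)."""
    hits = Counter()
    worst = {}
    for a in alerts:
        src, dst = a["src_ip"], a["dest_ip"]
        if not (is_internal(src) and not is_internal(dst)):
            continue  # inbound scans belong to a different triage queue
        key = (src, dst, a["alert"]["signature"])
        hits[key] += 1
        worst[key] = min(worst.get(key, 9), a["alert"].get("severity", 9))
    rows = [(k[0], k[1], k[2], n, worst[k]) for k, n in hits.items() if n >= min_hits]
    rows.sort(key=lambda r: (-r[3], r[4]))
    return rows


if __name__ == "__main__":
    for src, dst, sig, n, sev in phone_home_report(parse_alerts(SAMPLE_EVE)):
        print(f"{src} -> {dst}: {n} hits, severity {sev}, {sig}")
```

With the sample input only the camera shows up; the laptop's single alert is below the threshold and the inbound scan is filtered out as a different problem. Lower min_hits when you first start reviewing, then raise it once you know your baseline.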

Integration with Your Three-Box Stack

Let’s talk about how this router fits into the overall architecture from Part 1.

Boot Order Matters

Remember from Part 1: Router → Storage → Compute.

Why router comes first:

  • Everything depends on networking
  • DHCP needs to be running before other devices boot
  • DNS needs to be available for name resolution
  • Without routing, storage and compute can’t communicate

How to ensure this:

  • Set the router to power on automatically after an outage (the "Restore on AC Power Loss" option in most BIOS/UEFI setups)
  • Delay the storage box so it comes up after the router: some boards have a boot delay setting, otherwise stagger the outlets on a UPS or managed PDU
  • Delay the compute box further, so its VMs and containers find storage already mounted
  • Make the services tolerant of order too: mount NFS shares with the _netdev option and let them retry instead of failing once at boot
  • This gives you a clean, reliable startup every time, including after the power flickers while you're away

Network Topology

Here’s how the boxes connect:

[Modem] → [Router/Firewall] → [Managed Switch]
                                     ├→ [NAS] (VLAN 2: Media)
                                     ├→ [Compute Box] (VLAN 2: Media)
                                     ├→ [Access Point] (Multiple VLANs)
                                     └→ [Other Devices] (Various VLANs)

Why this works:

  • The router handles all inter-VLAN routing and security; it is the only place traffic crosses between VLANs
  • The switch carries every VLAN to the router over one tagged trunk port and puts each device's access port in the right VLAN
  • Each device lives in the appropriate VLAN and cannot change that itself
  • The access point broadcasts one SSID per VLAN and carries them all over a tagged uplink to the switch

VLAN Strategy for Media Stack

Here’s how I segment my network:

VLAN 1 (10.0.1.x): Trusted Devices

  • My laptop, phone, work computers
  • Full access to everything (by firewall rule)
  • This is where admins live

VLAN 2 (10.0.2.x): Media Stack

  • NAS
  • Proxmox compute box
  • All LXCs running media services
  • Can access internet for downloads/metadata
  • Can be accessed from VLAN 1 for management and streaming
  • Cannot access VLAN 1 devices (one-way trust)

VLAN 3 (10.0.3.x): IoT

  • Cameras, smart lights, thermostats, etc.
  • Can access internet only
  • Cannot access any other VLAN
  • Quarantined from everything important

VLAN 4 (10.0.4.x): Guest WiFi

  • Friends, family, visitors
  • Internet access only
  • No access to any internal resources
  • Bandwidth limited (so guests don’t kill your connection)

VLAN 5 (10.0.5.x): Management

  • Router admin interface
  • Switch admin interface
  • NAS admin interface
  • Proxmox web interface
  • Only accessible from VLAN 1 (trusted devices)
  • Extra layer of protection for critical interfaces

One caveat on the numbering: VLAN 1 is the default (native) VLAN on almost every switch, so any port you forget to configure lands in it. If that is your trusted network, a stray patch cable becomes a trusted device. Many people leave VLAN 1 empty for exactly that reason and give the trusted network another ID; if you keep this scheme, disable unused switch ports or park them in a dead-end VLAN.

Firewall Rules for Media Stack

Here are the actual rules that make this work. Two things about how OPNsense (and pfSense) evaluate rules shape the layout below: rules apply on the interface where the packet enters, they are checked top to bottom, and the first match wins; anything that matches nothing is dropped by the implicit default deny. So the order is specific allows first, then the RFC1918 block, then the broad "to the internet" allow. An allow-to-any rule placed above the block matches private destinations too and quietly undoes the segmentation.

VLAN 2 (Media Stack) interface rules, in order:

  1. Allow Media → DNS

    • Source: VLAN 2 net
    • Destination: Router IP (the VLAN 2 gateway, 10.0.2.1)
    • Port: 53 (TCP and UDP)
    • Why: DNS resolution
  2. Allow Media → NAS (NFS)

    • Source: VLAN 2 net
    • Destination: NAS IP (10.0.2.10)
    • Ports: 2049 (NFSv4; NFSv3 also needs 111 plus the mountd and lock manager ports)
    • Why: Mount media shares
  3. Allow Media → Media

    • Source: VLAN 2 net
    • Destination: VLAN 2 net
    • Ports: Any
    • Why: Services need to talk to each other (Sonarr → Transmission, etc.)
  4. Block Media → RFC1918

    • Source: VLAN 2 net
    • Destination: an alias holding the three private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
    • Ports: Any
    • Action: Reject (clients get an immediate "connection refused" instead of hanging; use Block if you prefer silent drops)
    • Why: Media stack shouldn't access other VLANs except as explicitly allowed above
  5. Allow Media → Internet (HTTP/HTTPS)

    • Source: VLAN 2 net
    • Destination: Any, or better, "not RFC1918" (the same alias with the match inverted), so the rule stays safe even if someone later drags it above the block
    • Ports: 80, 443
    • Why: Downloading media, fetching metadata, app updates. A BitTorrent client also needs outbound connections to peers on arbitrary ports, so either add a "to not-RFC1918, any port" rule for the download box or route that client through a VPN interface.

VLAN 1 (Trusted) interface rule:

  6. Allow Trusted → Media (Services)

    • Source: VLAN 1 net
    • Destination: VLAN 2 net
    • Ports: 8096 (Jellyfin), 7878 (Radarr), 8989 (Sonarr), 9091 (Transmission), etc.
    • Why: Access media services from trusted devices. Because the firewall is stateful, the replies come back without any rule on the VLAN 2 side.

One caveat: rules 2 and 3 describe traffic between hosts on the same VLAN. That traffic is switched and never reaches the router, so the firewall neither filters nor logs it. They only do anything if the NAS or a service later moves to its own segment, which is fine, but don't expect to see those flows in the logs.

This setup means:

  • Media stack can download and update
  • You can stream from trusted devices
  • Media services can communicate with each other
  • Media stack cannot reach your personal devices, the IoT network or the management VLAN
  • Inter-VLAN traffic is logged for auditing, provided you tick "Log packets" on the rules you care about (the block rule at minimum)
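To see the ordering trap concretely, here is a small first-match evaluator, added as an example and not part of the original post. It models one interface the way OPNsense does (top to bottom, first match decides, unmatched traffic hits the default deny) and runs the media rules in two orders: the allow-to-any internet rule above the RFC1918 block, and the block above an internet rule restricted to non-private destinations. Addresses follow the post's 10.0.x.0/24 scheme; 198.51.100.8 stands in for an internet host (documentation range).

```python
"""First-match evaluation of the VLAN 2 (Media) rule set, showing why the
position of an "allow to any" rule relative to the RFC1918 block matters.

Added example, not from the original post. Models one OPNsense interface:
rules are checked top to bottom for packets entering it, the first match
decides, and unmatched packets fall to the implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MEDIA_NET = ipaddress.ip_network("10.0.2.0/24")
ROUTER_VLAN2 = ipaddress.ip_network("10.0.2.1/32")   # assumed gateway address
NAS = ipaddress.ip_network("10.0.2.10/32")           # NAS IP from the post


@dataclass
class Rule:
    name: str
    action: str                         # "pass", "block" or "reject"
    src: ipaddress.IPv4Network
    dst: Optional[list] = None          # list of networks; None means any
    dst_invert: bool = False            # match when dst is NOT in the list
    ports: Optional[set] = None         # destination ports; None means any

    def matches(self, src_ip, dst_ip, port) -> bool:
        if src_ip not in self.src:
            return False
        if self.dst is not None:
            in_dst = any(dst_ip in n for n in self.dst)
            if in_dst == self.dst_invert:   # inverted: match only if NOT in list
                return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """Action of the first matching rule, or "deny" for the default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r.action
    return "deny"


def rules_as_written():
    """The trap: the allow-to-any internet rule sits above the RFC1918 block."""
    return [
        Rule("Media -> Internet", "pass", MEDIA_NET, None, ports={80, 443}),
        Rule("Media -> DNS", "pass", MEDIA_NET, [ROUTER_VLAN2], ports={53}),
        Rule("Media -> NAS NFS", "pass", MEDIA_NET, [NAS], ports={2049, 111}),
        Rule("Media -> Media", "pass", MEDIA_NET, [MEDIA_NET]),
        Rule("Block Media -> RFC1918", "reject", MEDIA_NET, RFC1918),
    ]


def rules_corrected():
    """Same rules, block above the internet allow, and the internet allow
    itself restricted to non-private destinations (belt and braces)."""
    return [
        Rule("Media -> DNS", "pass", MEDIA_NET, [ROUTER_VLAN2], ports={53}),
        Rule("Media -> NAS NFS", "pass", MEDIA_NET, [NAS], ports={2049, 111}),
        Rule("Media -> Media", "pass", MEDIA_NET, [MEDIA_NET]),
        Rule("Block Media -> RFC1918", "reject", MEDIA_NET, RFC1918),
        Rule("Media -> Internet", "pass", MEDIA_NET, RFC1918, dst_invert=True,
             ports={80, 443}),
    ]


if __name__ == "__main__":
    cases = [("10.0.2.50", "10.0.1.20", 443),     # media host -> trusted laptop
             ("10.0.2.50", "10.0.3.7", 80),       # media host -> IoT camera
             ("10.0.2.50", "198.51.100.8", 443),  # media host -> internet
             ("10.0.2.50", "10.0.2.1", 53)]       # media host -> router DNS
    for src, dst, port in cases:
        a = evaluate(rules_as_written(), src, dst, port)
        c = evaluate(rules_corrected(), src, dst, port)
        print(f"{src} -> {dst}:{port:<4} as written: {a:7} corrected: {c}")
```

The first two cases pass with the rules as written (the media box can reach a trusted laptop or an IoT camera on 443 or 80) and are rejected once the block is above the internet rule; internet and DNS behave the same in both orders. Note that outbound SSH from the media VLAN is "deny" in both, which is the default deny doing its job, and why a torrent client needs its own rule.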

When to Ask for Help

You will get stuck. This is normal. Here’s where to find help:

Official Resources:

Community Resources:

  • r/OPNsenseFirewall - Active subreddit, good for troubleshooting
  • r/homelab - General homelab discussion, lots of router talk
  • r/selfhosted - Media server specific advice
  • Lawrence Systems YouTube - Excellent OPNsense tutorials
  • ServeTheHome Forums - Enterprise perspective, good for hardware advice

When posting for help, include:

  • What you’re trying to do
  • What you’ve already tried
  • Relevant logs (System β†’ Log Files)
  • Firewall rules (screenshots okay)
  • Network topology diagram (even if it’s hand-drawn)

What NOT to do:

  • Post your public IP address
  • Share your actual internal IPs if they’re management interfaces
  • Get defensive when people point out security issues
  • Ignore advice to check the basics (yes, really check that the cable is plugged in)

What About Managed Routers?

“Can’t I just buy a UniFi Dream Machine and call it done?”

You can. And for some people, it’s the right choice.

UniFi Dream Machine (UDM) Pros:

  • Integrated router, switch, access point, controller
  • Pretty interface
  • Easy VLAN setup
  • Good enough IDS/IPS
  • Single pane of glass management

UDM Cons:

  • Expensive ($379+ for UDM Pro)
  • Locked into UniFi ecosystem
  • Less flexible than OPNsense/pfSense
  • Firmware updates sometimes break things
  • Limited VPN options (WireGuard only recently added)
  • Can’t run custom packages or scripts

My take: If you want maximum control and learning, build your own with OPNsense. If you want “good enough” with less hassle, get a UDM. Both are infinitely better than ISP routers.

I run OPNsense because I like tinkering and full control. If I just wanted it to work with minimal maintenance, I’d probably go UDM.

The Bottom Line

Your ISP router is a single point of failure with no visibility, no real security, and no control. It’s a liability dressed up as convenience.

A proper router box running OPNsense or pfSense gives you:

  • Network segmentation (VLANs) to contain breaches
  • Real intrusion detection to catch attacks
  • Full traffic visibility to know what’s happening
  • Actual control over your network instead of hoping for the best
  • The foundation for a media server stack that doesn’t fall apart

Is it more work? Yes, initially.
Is it worth it? Absolutely.

You’re building a media empire worth thousands of dollars and countless hours. Protecting it with a $120 ISP router is like putting a $20 padlock on a bank vault: the protection doesn’t match the value of what’s behind it.

What’s Next

You’ve got your router sorted. Your network is segmented. You can see what’s happening. You have actual security instead of security theater.

But all that beautiful network infrastructure needs somewhere to send data.

In Part 3, we build the vault: A proper NAS that won’t lose your data when (not if) drives fail. We’ll cover:

  • ZFS vs SnapRAID vs Unraid (and which to actually use)
  • Which drives to buy (and which to avoid)
  • Budget builds using shucked drives
  • Dream builds with enterprise hardware
  • How to avoid the “I lost everything” disaster stories

Your media needs a home that’s actually safe. Let’s build it.

Read Part 3: Your Storage Deserves Its Own Box →


Quick Reference: OPNsense Command Cheat Sheet

Reboot router:

System → Power → Reboot

Apply firewall rule changes:

Firewall → Rules → Apply Changes (button at top)

Check what’s blocked:

Firewall → Log Files → Live View

See active connections:

Firewall → Diagnostics → States Dump

Test if device can reach another device:

Interfaces → Diagnostics → Ping

See DHCP leases:

Services → DHCPv4 → Leases

Check IDS/IPS alerts:

Services → Intrusion Detection → Alerts

Backup config:

System → Configuration → Backups → Download

Glossary

VLAN (Virtual LAN): Network segmentation that creates multiple isolated networks on the same physical infrastructure.

IDS/IPS: Intrusion Detection System / Intrusion Prevention System. Monitors traffic for known attack patterns and optionally blocks them.

NAT (Network Address Translation): How your router translates private internal IPs (10.0.x.x) to your single public IP for internet access.

DHCP: Dynamic Host Configuration Protocol. How devices automatically get IP addresses when they join your network.

DNS: Domain Name System. Translates names (google.com) to IP addresses (142.250.80.46).

QoS (Quality of Service): Traffic prioritization to ensure important traffic (streaming) gets bandwidth over less important traffic (downloads).

Subnet Mask: Defines how many IP addresses are in your network. /24 means 256 addresses (10.0.1.0 through 10.0.1.255).

Gateway: The router that connects your local network to the internet. Usually the .1 address (10.0.1.1).

RFC1918: The private IP address ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) that aren’t routable on the public internet.

Stateful Firewall: A firewall that tracks connections and understands the difference between a response to an outbound connection vs. an uninvited inbound connection.


© 2024 - 2025 DiyMediaServer