Excalibur's Sheath

Configuring Wireless Networks and Firewalls for Your Homelab

Jun 2, 2025 By: Jordan McGilvray
Tags: homelab, networking, wireless, firewall, security

Homelab: From Zero to Hero!: Part 5 of 5

In our last guide, we tackled how to configure IPv4 and IPv6, set up Network Address Translation (NAT), and ensure your homelab devices could communicate both internally and with the internet. If you missed it, check it out here: Networking: Setting Up IPv4, IPv6 & NAT in Your Homelab.

Earlier in the series, we compared enterprise and consumer-grade hardware — a key decision that can shape how your homelab grows over time. Whether you’re repurposing old gear or building out a serious stack, you can revisit that discussion here: Choosing Between Professional vs Consumer Hardware.

This time, we’re moving into practical network design. We’ll sketch out a basic segmented homelab layout with dedicated zones like Guest, IoT, and Experimental networks, and look at how VLANs and additional interfaces come into play. We’ll also cover choosing firewall software, WiFi security protocols, access point placement, and introduce the idea of static DHCP mappings. By the end, you’ll have a clearer idea of how to structure a secure and flexible home network, whether you’re using OPNsense, pfSense, or something more advanced.

Wireless Bands and Frequency Behavior

WiFi operates on different frequency bands, each with its own trade-offs:

  • 2.4GHz: Greater range and wall penetration; slower and more congested.
  • 5GHz: Faster and less interference; reduced range and penetration.
  • 6GHz (WiFi 6E): Highest throughput and lowest congestion; shortest range and limited support.

Use dual-band or tri-band access points where possible. Favor 5GHz for general devices, and reserve 2.4GHz for IoT and older hardware.

Choosing WiFi Channels

Use a WiFi scanner (e.g. WiFi Analyzer for Android, or iw dev wlan0 scan on Linux; the older iwlist scan also works) to find the least crowded channel.

  • 2.4GHz: Only three 20 MHz channels fit without overlapping, so stick to channels 1, 6, or 11 and keep the channel width at 20 MHz; a 40 MHz channel on 2.4GHz occupies most of the band and worsens interference for you and your neighbours.
  • 5GHz: Channels are wider and non-overlapping, but DFS channels (52–64 and 100–144 in most regulatory domains) share spectrum with radar. The AP must vacate the channel when it detects radar, so clients on those channels may see interruptions.
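The channel choice above can be scripted instead of eyeballed. The following is an added example for this guide, not code from the original post: it parses the plain-text output of iw dev wlan0 scan (BSS header, then indented freq:, signal: and SSID: lines), scores each of channels 1, 6 and 11 by how many neighbouring 2.4GHz networks overlap it, and flags 5GHz neighbours sitting on DFS channels. The overlap and signal weights are our own heuristic, and the scan text embedded at the bottom is constructed, not a real capture.

```python
"""Pick the least-congested 2.4 GHz channel from `iw dev wlan0 scan` output.

Added example for this guide, not code from the original post. Run
`sudo iw dev wlan0 scan > scan.txt` and pass the file as the first argument;
without an argument it scores the constructed sample below.
"""
import sys

# Channels that require DFS (radar detection) in the US and EU regulatory domains.
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))


def freq_to_channel(freq_mhz):
    """Map a centre frequency in MHz to its channel number."""
    if freq_mhz == 2484:            # channel 14, Japan only
        return 14
    if 2412 <= freq_mhz <= 2472:    # 2.4 GHz band
        return (freq_mhz - 2407) // 5
    if 5000 < freq_mhz < 5950:      # 5 GHz band
        return (freq_mhz - 5000) // 5
    if freq_mhz >= 5950:            # 6 GHz band (WiFi 6E): channel 1 = 5955 MHz
        return (freq_mhz - 5950) // 5
    raise ValueError(f"unknown frequency {freq_mhz}")


def parse_iw_scan(text):
    """Parse `iw dev <if> scan` output into a list of BSS dicts."""
    networks = []
    current = None
    for line in text.splitlines():
        if line.startswith("BSS "):
            # "BSS aa:bb:cc:dd:ee:ff(on wlan0)" -> keep the address only
            current = {"bssid": line.split()[1].split("(")[0], "ssid": ""}
            networks.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("freq:"):
            # newer iw prints "freq: 2412.0", older prints "freq: 2412"
            current["freq"] = int(float(stripped.split()[1]))
            current["channel"] = freq_to_channel(current["freq"])
        elif stripped.startswith("signal:"):
            current["signal"] = float(stripped.split()[1])   # dBm
        elif stripped.startswith("SSID:"):
            current["ssid"] = stripped[len("SSID:"):].strip()
    return [n for n in networks if "channel" in n]


def channel_load(networks, channel):
    """Weighted count of 2.4 GHz networks whose 20 MHz signal overlaps `channel`.

    Two 20 MHz channels overlap when they are fewer than 5 channel numbers apart;
    the overlap shrinks linearly with distance. Strong neighbours (above -67 dBm)
    count fully, weak ones count half, since a faint AP costs far less airtime.
    (Heuristic weights chosen for this example.)
    """
    load = 0.0
    for n in networks:
        if n["channel"] > 14:       # skip 5/6 GHz networks
            continue
        distance = abs(n["channel"] - channel)
        overlap = max(0.0, 1.0 - distance / 5.0)
        weight = 1.0 if n["signal"] > -67.0 else 0.5
        load += overlap * weight
    return load


def recommend_2g(networks, candidates=(1, 6, 11)):
    """Return (best channel, {channel: load}) over the non-overlapping candidates."""
    loads = {c: channel_load(networks, c) for c in candidates}
    best = min(candidates, key=lambda c: (loads[c], c))
    return best, loads


def is_dfs(channel):
    return channel in DFS_CHANNELS


# Constructed sample in the format `iw dev wlan0 scan` prints (not a real capture).
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
\tfreq: 2412
\tsignal: -40.00 dBm
\tSSID: Neighbour-Strong-ch1
BSS aa:bb:cc:00:00:02(on wlan0)
\tfreq: 2417.0
\tsignal: -72.00 dBm
\tSSID: Neighbour-Weak-ch2
BSS aa:bb:cc:00:00:03(on wlan0)
\tfreq: 2437
\tsignal: -55.00 dBm
\tSSID: Neighbour-ch6
BSS aa:bb:cc:00:00:04(on wlan0)
\tfreq: 2462
\tsignal: -80.00 dBm
\tSSID: Neighbour-Faint-ch11
BSS aa:bb:cc:00:00:05(on wlan0)
\tfreq: 5500
\tsignal: -60.00 dBm
\tSSID: Neighbour-5G-DFS
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    nets = parse_iw_scan(text)
    best, loads = recommend_2g(nets)
    for ch, load in loads.items():
        print(f"channel {ch:2d}: load {load:.2f}")
    print(f"recommended 2.4 GHz channel: {best}")
    for n in nets:
        if n["channel"] > 14 and is_dfs(n["channel"]):
            print(f"note: {n['ssid']!r} sits on DFS channel {n['channel']}")
```

On the sample, channel 1 carries a strong co-channel neighbour plus a weak one on channel 2, channel 6 carries one strong neighbour, and channel 11 only a faint one, so channel 11 wins. Re-run the scan at different times of day before committing, since neighbours' APs come and go.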

WiFi Security Protocols

Avoid obsolete protocols such as WEP and the original WPA (TKIP); both have practical attacks. Use:

  • WPA2-PSK with AES/CCMP: The current baseline for home networks. The pairwise key is derived from the shared passphrase, and a captured 4-way handshake can be attacked offline, so the passphrase must be long and random.
  • WPA3-SAE: Replaces the PSK handshake with SAE, a password-authenticated key exchange, so a captured exchange gives an attacker nothing to crack offline. It also makes Protected Management Frames mandatory, which blocks deauthentication spoofing. Device support is still limited.
  • WPA2/WPA3 Mixed (transitional) Mode: Use with caution. WPA2 clients on the same SSID still perform the crackable PSK handshake with the same passphrase, so the network is only as strong as WPA2 for those clients and for anyone capturing their traffic.

On enterprise-grade setups, you may encounter:

  • WPA2-Enterprise / WPA3-Enterprise: Authenticates each user or device against a RADIUS server instead of a shared passphrase; common in corporate networks.
  • 802.1X / EAP: The mechanism the Enterprise modes use. EAP methods such as PEAP (username and password) or EAP-TLS (client certificates) give every user their own credential that can be revoked individually, which a shared PSK cannot do.
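The pitfalls in the two lists above show up as a handful of settings in an access point's hostapd configuration (what OpenWrt and most Linux-based APs run). The following is an added example for this guide, not code from the original post or from the hostapd project: a small linter that parses a hostapd.conf and reports legacy WPA, TKIP, transitional mode without Protected Management Frames, a WPA3-only network that does not require PMF, and short passphrases. The two configs embedded at the bottom are constructed, one weak and one hardened; the 12-character passphrase floor is our own choice (hostapd itself accepts 8 to 63).

```python
"""Lint a hostapd.conf for the WiFi security pitfalls discussed above.

Added example, not code from the original post or from hostapd. Findings are
(code, message) pairs; an empty list means nothing was flagged.
"""

MIN_PASSPHRASE = 12   # assumption: our own floor; hostapd accepts 8-63 characters


def parse_hostapd(text):
    """Parse key=value lines, ignoring blanks and # comments (hostapd's format)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd(text):
    """Return a list of (code, message) findings for one hostapd configuration."""
    conf = parse_hostapd(text)
    findings = []

    has_wep = any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append(("WEP", "WEP keys configured; WEP is trivially broken"))

    wpa = int(conf.get("wpa", "0"))       # bit 0 = legacy WPA, bit 1 = WPA2/RSN
    if wpa == 0:
        if not has_wep:
            findings.append(("OPEN", "no wpa= setting: this is an open network"))
        return findings
    if wpa & 1:
        findings.append(("WPA1", "wpa bit 0 set: legacy WPA (TKIP era) enabled; use wpa=2"))

    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("TKIP", "TKIP pairwise cipher allowed; use CCMP only"))

    mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd's default is WPA-PSK
    has_psk = any(m.startswith("WPA-PSK") for m in mgmt)
    has_sae = "SAE" in mgmt
    pmf = int(conf.get("ieee80211w", "0"))   # 0 = disabled, 1 = optional, 2 = required

    if has_psk and has_sae and pmf < 1:
        findings.append(("MIXED_NO_PMF",
                         "WPA2/WPA3 transitional mode without PMF (set ieee80211w=1); "
                         "WPA2 clients still use the crackable PSK handshake, so keep the passphrase strong"))
    if has_sae and not has_psk and pmf != 2:
        findings.append(("SAE_NO_PMF", "WPA3-SAE-only network should require PMF (ieee80211w=2)"))

    if has_psk and "wpa_psk" not in conf and len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(("SHORT_PASSPHRASE",
                         f"PSK passphrase shorter than {MIN_PASSPHRASE} characters is cheap to crack offline"))
    return findings


WEAK_CONF = """\
# constructed example of a weak transitional setup (not a real config)
interface=wlan0
ssid=HomeLab-Legacy
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=homelab1
"""

HARDENED_CONF = """\
# constructed example of a WPA3-only 5 GHz network (not a real config)
interface=wlan0
ssid=HomeLab-5G
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
sae_password=correct-horse-battery-staple-2025
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = lint_hostapd(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

The weak config is flagged four times (legacy WPA, TKIP, transitional mode without PMF, short passphrase); the hardened one passes. A transitional network that sets wpa=2, CCMP only, ieee80211w=1 and a long passphrase also passes the lint, which matches the advice above: mixed mode is acceptable when you need it, as long as you understand the WPA2 side still depends on the passphrase.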

Access Point Configuration: Same SSID vs. Different SSIDs vs. Mesh

When using multiple access points, you have three options:

  • Same SSID on all APs: Devices can roam between APs, but behavior varies by client. Works best with the same security settings and channels spaced to avoid interference.
  • Different SSIDs per AP or band: Allows manual selection and testing, but requires user or admin intervention for optimal connections.
  • Mesh WiFi systems: APs cooperate to optimize handoffs and coverage automatically. Useful in large homes, but less flexible and often closed-source.

Choose based on your needs:

  • For control and transparency: manually configured APs with separate channels.
  • For convenience: mesh or controller-based solutions (e.g. UniFi, Omada).

Home Network Topology: Segmentation and Security

A segmented network offers better security and flexibility. Here’s an example layout:

                      [ Internet ]
                            |
                      [ Modem / ONT ]
                            |
                       [ Firewall ]
                         /   |   \
                        /    |    \
             [Main LAN] [IoT VLAN] [Experimental NIC]
                |          |             |
          [Switch]    [Managed Switch]   [Lab Switch]
            |             |                 |
    [Access Point]  [Access Point]     [Test Devices]
         |               |
   Home Devices      IoT Devices
                      (Cameras, Thermostats)
                     [Guest WiFi SSID]
                        (Isolated)

What’s a VLAN?

A VLAN (Virtual LAN) is a logical network segment carried over shared physical switches: each frame is tagged with a VLAN ID (IEEE 802.1Q) and a managed switch keeps the tagged traffic of each VLAN apart, so you get isolation without needing separate physical switches. The firewall gets a VLAN sub-interface on its LAN port for each segment and becomes the only path between them. Two caveats: a VLAN only separates broadcast domains, so it is your firewall rules between the VLAN interfaces that actually stop the cameras and smart plugs on your IoT VLAN from reaching the main network; and unmanaged switches, cheap access points and some consumer routers silently drop or ignore tags, so every device on the trunk path must understand 802.1Q.

Flashing Consumer Routers with Open Firmware

If your router supports it, replacing vendor firmware with open-source alternatives can unlock additional features:

  • OpenWRT – Advanced routing, firewall, QoS, and VLAN control.
  • DD-WRT – Good for basic customization; broader hardware support.
  • FreshTomato – Best for Broadcom-based routers.

Be sure to:

  • Check hardware compatibility.
  • Back up your current config.
  • Follow instructions carefully — flashing incorrectly can brick your device.

Firewall Platforms Overview

Platform     Based On       GUI      Suitable For          Notes
OPNsense     FreeBSD        Modern   Home/SOHO/Pro         Strong community; frequent updates
pfSense      FreeBSD        Mature   SOHO/Enterprise       Long history; Netgate hardware supported
IPFire       Linux          Basic    Lightweight setups    Good for older hardware
Proxmox VE   Debian Linux   Web UI   Virtualization host   Not a firewall, but can run the others as VMs

Note: This guide is written from experience with OPNsense in small homelab deployments.

Hardware for pfSense and OPNsense

Both pfSense and OPNsense run well on small-form-factor devices like:

  • Protectli Vault / Qotom boxes – Fanless, 2–6 NICs, x86.
  • Old desktop PCs – Require at least 2 NICs; a second PCIe NIC is cheap.
  • Virtual machines – Under Proxmox, VMware ESXi, or another hypervisor. Give the firewall VM a dedicated physical NIC (or PCI passthrough) for WAN so untrusted traffic never shares a bridge with other guests, and remember that the firewall is then only as trustworthy as the host it runs on.

Minimum Requirements:

  • Dual-core CPU
  • 2GB RAM (4GB+ recommended)
  • At least 2 NICs (1 WAN, 1 LAN)

DHCP Static Mappings

DHCP assigns IP addresses dynamically, but you may want certain devices to always get the same IP — especially servers, printers, or monitoring tools.

Set up DHCP static mappings to:

  • Avoid IP conflicts.
  • Make port forwarding or firewall rules more predictable.
  • Simplify service discovery.

This is configured in your DHCP server (e.g. OPNsense → Services → DHCPv4 → [interface] → DHCP Static Mappings). Two caveats: the mapped address must lie outside the interface's dynamic pool (OPNsense and pfSense reject mappings inside it), and a mapping matches on MAC address, so a client that uses MAC randomization (phones and laptops often do this per SSID) will not receive its mapped address unless randomization is turned off for your network.
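The checks a DHCP server applies when you save a static mapping are worth running yourself before a bulk import, whichever server you use. The following is an added example for this guide, not code from the original post, OPNsense or dnsmasq: it validates a list of mappings against a subnet and dynamic pool (address outside the pool, inside the subnet, no duplicate MACs or addresses) and prints the equivalent dnsmasq dhcp-host= lines, the DHCP server OpenWrt ships with. The subnet, pool and mappings are constructed for the example.

```python
"""Check DHCP static mappings for conflicts, then emit dnsmasq syntax.

Added example, not code from the original post, OPNsense or dnsmasq.
Subnet, pool and mappings below are constructed, not a real network.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.10.0/24")
POOL_START = ipaddress.ip_address("192.168.10.100")
POOL_END = ipaddress.ip_address("192.168.10.199")

# (hostname, MAC, requested fixed address); constructed, not a real network
MAPPINGS = [
    ("nas",     "aa:bb:cc:00:00:01", "192.168.10.10"),
    ("printer", "aa:bb:cc:00:00:02", "192.168.10.150"),   # inside the dynamic pool
    ("cam-1",   "aa:bb:cc:00:00:03", "192.168.10.10"),    # duplicates the NAS address
    ("switch",  "AA-BB-CC-00-00-01", "192.168.10.2"),     # duplicates the NAS MAC
    ("laptop",  "aa:bb:cc:00:00:05", "192.168.11.20"),    # wrong subnet
]


def normalise_mac(mac):
    """Lower-case, colon-separated MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"malformed MAC {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_mappings(mappings, subnet=SUBNET, pool_start=POOL_START, pool_end=POOL_END):
    """Return a list of (hostname, problem) pairs; an empty list means the set is consistent."""
    problems = []
    seen_macs, seen_ips = {}, {}
    for host, mac, ip in mappings:
        mac = normalise_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append((host, f"{ip} is outside {subnet}"))
        elif pool_start <= addr <= pool_end:
            problems.append((host, f"{ip} lies inside the dynamic pool {pool_start}-{pool_end}"))
        if mac in seen_macs:
            problems.append((host, f"MAC {mac} already mapped to {seen_macs[mac]}"))
        if addr in seen_ips:
            problems.append((host, f"address {ip} already mapped to {seen_ips[addr]}"))
        seen_macs.setdefault(mac, host)
        seen_ips.setdefault(addr, host)
    return problems


def to_dnsmasq(mappings):
    """dnsmasq 'dhcp-host=<mac>,<ip>,<hostname>' lines, one per mapping."""
    return [f"dhcp-host={normalise_mac(mac)},{ip},{host}" for host, mac, ip in mappings]


if __name__ == "__main__":
    issues = validate_mappings(MAPPINGS)
    for host, problem in issues:
        print(f"{host}: {problem}")
    if issues:
        print(f"{len(issues)} problem(s); fix them before writing the config")
    else:
        print("\n".join(to_dnsmasq(MAPPINGS)))
```

Of the five constructed mappings only the NAS is clean; the other four each trip one check. Keeping the dynamic pool to a sub-range (here .100 to .199) is what leaves room for static addresses at the low and high ends of the subnet.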

Basic Firewall Rules for a Home Network

Most firewall platforms ship with a default “allow all outbound” rule on the LAN. While convenient, it means a compromised device can reach any host on the internet on any port. Here is a minimal, more restrictive starting point:

Rule                             Interface   Action   Description
Allow DNS (UDP and TCP 53)       LAN         Allow    Resolve domain names (TCP is needed for large responses and DNSSEC)
Allow HTTP/HTTPS (TCP 80, 443)   LAN         Allow    Basic web traffic
Block private sources            WAN         Block    Drop inbound packets with an RFC1918 source address, which are spoofed or misrouted (OPNsense offers this as “Block private networks” on the interface)
Default deny                     All         Deny     Drop everything else (OPNsense and pfSense already do this implicitly; writing it down makes the intent visible)

Rules apply on the interface where traffic enters the firewall and are evaluated top-down, first match wins. This rule set:

  • Blocks all unsolicited inbound traffic on WAN, since no port forwards exist yet.
  • Allows only essential outbound traffic from the main LAN.
  • Gives the IoT and Guest segments no allow rules, so nothing there can reach the main LAN, but nothing there can reach the internet either until you add rules for them. When you do, restrict the destination to non-RFC1918 addresses (in OPNsense, an alias for the three private ranges with “invert” ticked); a rule that allows HTTPS to “any” from the IoT interface would also let those devices reach web interfaces on your main LAN.

Do not copy this blindly. Your network may require other ports (e.g. NTP for clock sync, mail, VPN, or gaming). DHCP on the LAN keeps working because both OPNsense and pfSense add an automatic rule for it on every interface where their DHCP server is enabled.
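Before clicking rules into a GUI it helps to check on paper which flows the segmentation actually permits. The following is an added example for this guide, not code from the original post, OPNsense or pf: it models how OPNsense and pfSense apply rules (on the interface where a packet enters, top-down, first match wins, implicit block when nothing matches), encodes the table above plus IoT and Guest rules whose destination is restricted to non-RFC1918 addresses, and evaluates a set of flows against it. The zones, subnets, firewall addresses and flows are constructed for the example; “rfc1918” stands for the alias you would define in the GUI for the three private ranges.

```python
"""Evaluate a zone-based rule set like the one in the table above.

Added example, not code from the original post, OPNsense or pf. Zones, subnets
and flows are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    iface: str                    # interface the packet arrives on: wan, lan, iot, guest
    action: str                   # "pass" or "block"
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches any destination port
    src: str = "any"              # "any", "rfc1918", "!rfc1918" or a CIDR
    dst: str = "any"
    desc: str = ""


def _match_addr(spec, addr):
    """Match an address against an "any" / alias / !alias / CIDR specification."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "rfc1918":
        hit = any(addr in net for net in RFC1918)
    else:
        hit = addr in ipaddress.ip_network(name, strict=False)
    return hit != negate


def evaluate(rules, iface, src, dst, proto, dport):
    """Return (action, description) of the first matching rule, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _match_addr(r.src, s) and _match_addr(r.dst, d):
            return r.action, r.desc
    return "block", "implicit default deny"


RULES = [
    # WAN: nothing inbound is allowed; additionally drop spoofed private sources explicitly
    Rule("wan", "block", src="rfc1918", desc="block private source addresses on WAN"),
    # LAN: the minimal outbound set from the table (dst any, so LAN can also manage IoT devices)
    Rule("lan", "pass", "udp", 53, desc="LAN DNS"),
    Rule("lan", "pass", "tcp", 53, desc="LAN DNS over TCP"),
    Rule("lan", "pass", "tcp", 80, desc="LAN HTTP"),
    Rule("lan", "pass", "tcp", 443, desc="LAN HTTPS"),
    # IoT: resolver on the firewall's own IoT address, then nothing else private, then internet only
    Rule("iot", "pass", "udp", 53, dst="192.168.20.1/32", desc="IoT DNS via firewall"),
    Rule("iot", "block", dst="rfc1918", desc="IoT may not reach any private network"),
    Rule("iot", "pass", "udp", 123, dst="!rfc1918", desc="IoT NTP"),
    Rule("iot", "pass", "tcp", 443, dst="!rfc1918", desc="IoT HTTPS"),
    # Guest: same shape as IoT
    Rule("guest", "pass", "udp", 53, dst="192.168.30.1/32", desc="guest DNS via firewall"),
    Rule("guest", "block", dst="rfc1918", desc="guest is isolated from every local segment"),
    Rule("guest", "pass", "tcp", 80, dst="!rfc1918", desc="guest HTTP"),
    Rule("guest", "pass", "tcp", 443, dst="!rfc1918", desc="guest HTTPS"),
]

# Constructed flows: (interface, src, dst, proto, dport, intended action)
FLOWS = [
    ("lan",   "192.168.10.5",  "1.1.1.1",       "tcp", 443, "pass"),
    ("lan",   "192.168.10.5",  "192.168.20.10", "tcp", 443, "pass"),   # LAN -> camera web UI
    ("iot",   "192.168.20.10", "192.168.10.5",  "tcp", 22,  "block"),  # IoT -> LAN: lateral move
    ("iot",   "192.168.20.10", "192.168.20.1",  "udp", 53,  "pass"),
    ("iot",   "192.168.20.10", "93.184.216.34", "tcp", 443, "pass"),
    ("iot",   "192.168.20.10", "93.184.216.34", "tcp", 25,  "block"),  # no rule: implicit deny
    ("guest", "192.168.30.7",  "192.168.20.10", "tcp", 80,  "block"),
    ("wan",   "10.1.2.3",      "192.168.10.5",  "tcp", 445, "block"),  # private source on WAN
    ("wan",   "203.0.113.7",   "192.168.10.5",  "tcp", 445, "block"),  # nothing open inbound
]


def check_flows(rules=RULES, flows=FLOWS):
    """Evaluate every flow; return the flows whose result differs from the intended action."""
    mismatches = []
    for iface, src, dst, proto, dport, expected in flows:
        action, desc = evaluate(rules, iface, src, dst, proto, dport)
        print(f"{iface:5s} {src:>14s} -> {dst:<14s} {proto}/{dport:<4d} {action:5s} ({desc})")
        if action != expected:
            mismatches.append((iface, src, dst, proto, dport, expected, action))
    return mismatches


if __name__ == "__main__":
    bad = check_flows()
    print("all flows behave as intended" if not bad else f"unexpected results: {bad}")
```

The explicit “block rfc1918” rule on the IoT and Guest interfaces is redundant with the “!rfc1918” destinations that follow it, and that is deliberate: if someone later adds an “allow HTTPS to any” rule below it, the block still catches the private destinations. Swap the order of those two rules and the lateral-movement flow in FLOWS starts passing, which is exactly the mistake a first-match evaluator makes visible.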

Summary

Securing a home network is more than just strong passwords. With proper segmentation, up-to-date firmware, strong encryption, and open-source firewall tools, you can build a network that’s both robust and flexible — whether you’re supporting a homelab or just trying to keep IoT gadgets in their place.

Future guides will expand on VLAN configuration, advanced firewall rule management, and monitoring tools.
