A simple private home network
view this post on our onion site
15 min read

A simple private home network

Build a simple private home network with off the shelf open source hardware and software.
A simple private home network

I didn't know shit about computer networking. In fact, I spent years living in a cabin in the woods without electricity. But now that I am back on the grid, I wanted to set up a private home network to use that would give me as much control as I could understand. This is intended as a basic guide to get started for the absolutely clueless like myself.

I have come to see just how important a private home network is and how complicated it can seem.  Through all my searching only a hand full of blogs helped describe how to set up a network in simple common language. Most guides assume you know what networking words mean already. There is plenty to networking that I still have no idea how to do. I hope that this helps to show that it is possible for a complete noob to set up a private home network. Not everyone is a super secret shaddow coder. Some of us are just farmers trying to maintain a little privacy.

First off lets talk about hardware. Hardware refers to the physical device and software refers to the programs running on them. Typically an all in one device from the internet service provider (ISP) is the complete network.  This device serves multiple functions in one and gives very little control over the network.  It serves as a modem, a router, and a WiFi router.  Get separate hardware for each of those functions. That will give more control over what is going on and allow the separation of those functions.

For the modem I chose the Arris Surfboard SBV3202 because it is strictly a modem. It receives and sends information. It has a coax cable in and an ethernet cable out. It does not have built in wifi or do much anything else.

SBV3202 SURFboard® DOCSIS® 3.0 Cable Modem for Xfinity Internet & VOIP
The SBV3202 delivers two lines of Voice over IP (VoIP), ultra-high speed internet access, and multiple battery pack options (sold separately) to support telephony service during power outages. It provides Xfinity subscribers the speed and performance they need to keep their home network performing a…

Next is the firewall router which is a dedicated computer that runs firewall software like pfsense or opnsense. Use an desktop like a Dell, buy specialized hardware like a netgate router or go the route I chose which was to buy a Protectli Vault 4 port firewall router with an additional wifi card. Opnsense was selected at the time of purchase to be pre installed.

FW4B - 4 Port Intel® J3160 - Protectli EU
Intel Celeron® J3160 Quad Core at 1.6 GHz (Burst to 2.24 GHz) 4 Intel® Gigabit Ethernet NIC ports AES-NI support 25% smaller than the original Vault at only 115mm × 108mm × 39mm Fanless and Silent Included Universal Power Supply, VESA mount kit, Serial Console Cable, Quick Start Guide

Here is a link to install Opnsense yourself. https://homenetworkguy.com/how-to/install-and-configure-opnsense/

Then get a dedicated wifi router to connect home devices. Having a separate wifi router allows the creation of multiple networks and isolate devices from eachother.  I chose the GliNet Flint wifi router.

GL-AX1800 / Flint
An Ultra-fast Wi-Fi 6 VPN Encrypted Router that runs on OpenWrt operating system, offering fast, secure and reliable network connection.

Set up a desktop computer preferably running linux as a network admin terminal. I set up a Raspeberry Pi 4g B plus a 1TB SSD from an old DIY Ronin Dojo Node Kit I had. I installed Ubuntu on it and connected a monitor, mouse, and a keyboard for it to function as a desktop terminal to manage the network on.

Buy a Raspberry Pi 4 Model B – Raspberry Pi
Your tiny, dual-display, desktop computer…and robot brains, smart home hub, media centre, networked AI core, factory controller, and much more.

I chose Ronin Dojo Tanto as my dedicated Bitcoin node. It is a sleek piece of metal with a brilliant plug and play design meant to compliment your Samourai Wallet stack. I have been absolutely blown away by the quality, the support and the community around this hardware.

Tanto - RoninDojo
As a Samourai Wallet user with your own Bitcoin node, running RoninOS ensures the best and smooth experience. Now RoninDojo Tanto equips you with the recommended hardware setup, stylish premium case and pre-installed RoninOS on a microSD card. You can get everything up and running in no time. Privac…

I also have a dedicated Thinkpad laptop running linux for Sparrow Wallet, Whirlpool and accessing the Tanto Tor address for web GUI. Here is a link to a Thinkpad that has libreboot installed, eliminating a range of potential backdoors. Many thinkpad options are available.

Minifree Ltd – GNU+Linux laptops with coreboot, osboot or libreboot preinstalled

That is pretty much the gear you need to set up a basic private network. You will want to have quality ethernet cables and a surge protector power strip. Now lets put this together.

Coax cable from wall connects to Arris surfboard sbv3202 modem.

Ethernet cable connects to Arris surfboard sbv3202 modem.

Plug the other end of that ethernet cable into the Protectli Vault WAN port.

Connect a different ethernet cable into the Protectli Vault LAN port.

Plug the other end of that cable into Raspberry Pi desktop LAN port.

Connect monitor, keyboard and mouse to Raspberry Pi.

Plug in Arris surfboard.

Plug in and push the power button on the Protectli Vault.

Plug in and start Raspberry Pi.

Connections are made automatically.  LAN should automatically use DHCP to connect the internet to your desktop. Open browser and navigate to which is the default ip address for the Protectli Vault.

IP addresses are formated with four sets of numbers and periods.  The backslash at the end of a ip address will define the set of sub ip addresses that the network will use for each of your devices. The ip addresses are used to identify and route information to that device.

Click through the warnings until you are on the Opnsense general user interface (GUI) and login with root as user and the default password for your device. Run the start up configuration wizard.

You will be able to change the LAN IP address and set the TCP port at this time. That would change the LAN IP from the default. The TCP port is the internal port used to access the Opnsense GUI. I changed the TCP port number so as to be able to later create a firewall rule to block access to that port from other networks. You can also set your custom DNS server at this time. More on this later.

The Opnsense gui is very simple to use once a workflow process is understood. The lobby tab takes you to a dashboard where you can see all the gateways, interfaces, and services that are running.

The system tab will take you to general settings, the setup wizard, firmware updates, admins, access and more.

Under general settings you can setup custom DNS servers on the router. Under administration you can set your own TCP Port & enable SSH.

In the initial setup and configuration take a moment to map out on a piece of paper what you would like your various networks to be, what you would like the ip addresses to be for those networks, and what networks you would like to have accessable or blocked.  This will help you set up once and not have to disconnect your devices and reset ip addresses and firewalls later on as you may change your mind.

Opnsense will have automatically created a gateway.  A gateway is a single WAN interface that allows DHCP.  I understand that to mean that it enables your devices to be given ip addresses automatically.  There are automatic firewalls created for this WAN interface. No adjustments are necessary but can certainly be customized later. Opnsense will also automatically create a LAN interface and some automatic firewalls. This allows for access to the Opnsense web GUI to create more interfaces for more networks, set firewall rules and more.

Think of each "interface" is a unique LAN network with its own ip address range. A new network is created by each interface. That network can either then be isolated or not.  This allows for the isolation of a bitcoin laptop from the network a TV is on for example. This provides a more secure way to interact with the internet and prevents malicious things from traveling across the entire network. Interfaces is where the work flow begins.

Click on the interfaces tab. Click on assignments to create a new interface. The assignments tab associates a new interface with a physical port on the router. Once assigned it will be listed with the other interfaces in the interface tab.

Click on interface tab. CLick on the new Opt1 interface. Click to enable the interface. Click to prevent from removal. Here you can name the interface, choose static IPv4 configuration and enter your static ip address. For example the first LAN was The next interface could be if desired. Click save.

Now go to the Services tab. Click on DHCP IPv4. There are all the interfaces. Click on the new Opt1 interface. Click enable DHCP on the interface and add the ip address range for the interface. This means what set of ip addresses will be given to devices that connect to that network. Create a range that leaves some addresses outside of the range to use for static DHCP mapping later. Static DHCP mapping means selecting a specific IP address for a specific device to receive based on its unique MAC ID. That can be done via Leases or on the bottom of the services interface tab by clicking the plus button. Click save.

Now that DHCP is enabled on the new interface through services and has a defined the ip address range, set the firewall rules for this new interface.

Click on the firewall tab. In order to make creating firewall rules much easier use the alias option. Click on the alias tab. Click on the plus button to create a new alias. Create an alias for hosts, ip addresses, networks, interfaces and more.  

This makes it so the specific information like an ip address only needs to be input once and then is available to refer to the alias any time in the future as new firewall rules are added.  The first alias to create is a "Private Network" alias that contains This will be the first alias we use to create internet access on the interface and block all the other networks.  

Note: By using it covers all sub ip addresses of the 192.168.x.x/24 used on the network making it easy to block all future network ips without having to create new fire wall rule for that ip change later. I think that is correct but may need some further investigation.

Click on rules under the firewall tab. Click on the new interface just created. Now create two simple rules.  The first is to allow DNS on the interface. The second is to allow access to the internet but also block the other private networks from the interface. These two rules let the entire internet in except the other interface networks.

Create a new rule by clicking on the plus button. To allow DNS set the firewall rule action to pass, quick to on, interface to the same new interface, direction is in, TCP to IPv4, protocol is TCP/UDP, source to the Opt1 net, destination Opt1 address, destination port range to DNS on both from and to ports, then hit save.

Now create the second firewall rule.  This firewall makes use of both the alias and the destination invert option.  This firewall option basically says allow everything to pass but this alias containing private network ip addresses.

Click on the rules under the firewall tab. Click on the same interface Opt1. Click on the plus button to add a firewall rule. Set the action to pass, quick to on, interface is the same Opt1 interface, direction is in, TCP to IPv4, protocol TCP/UDP, source to Opt1 net, destination invert box is checked, destination is alias "Private Network", click save.

Two new firewall rules for the interface will appear. Now make sure that the first DNS firewall rule is above the second allow internet rule with the alias. Firewall rules are followed top to bottom.  The DNS needs to be above the rule that blocks private networks.

Now run an ethernet cable from the Protectli Vault port assigned to the new interface to the GliNet Flint wifi router WAN port. Plug in the device and allow it to turn on and connect.

Plug an ethernet cable from the first LAN port on the back of the FLint into the laptop. Navigate to the default ip address for the GliNet Flint router in a browser.

Here is the Flint web GUI. Set up an admin password to access the GUI.  In the Flint GUI you can set the ip address for the Flint, ip address range for the main and guest networks, create wifi passwords for each network, see all the clients connected to the router, block clients, turn on or off networks, upgrade firmware and more.  

Flint comes with four wifi networks and four ports. The 5g and 2.4 main wifi networks each have a guest network.  Only the main networks can access the GUI which is a great default setting. By connecting all of your TV, ioT and guests to the guest networks they will not be able to access the wifi GUI at all. Under more settings a custom DNS server can be set to run on the router so all your traffic is prevented from DNS leaks. Under Applications turn on Adgaurd with one click, blocking tracking and ads to all the devices connected to the router.

Use the VPN tab to setup a VPN to run on the router and cover all the devices connected to it. Wiregaurd can be used as a client or server and Mullvad is able to be used as VPN.  Click VPN, wiregaurd client, select Mullvad, click now set up, input a valid Mullvad account number and click next. Name the profile and click the add button. Now be patient as it configures. Refresh the page if necessary. Now choose the configuration and click connect. Now the IP address and data should be showing received and sent. That is it. Now all the connected devices to the Flint are running on a Mullvad VPN.

I set up my Wifi networks to isolate groups of devices from eachother. Network one is just my daily phone. Network two is a guest network with two TVs and a tablet. Network three is my work computer and printer. Network four is a guest network for friends and family to access.  This way only my phone and laptop can access the web GUI of the flint.  Each network is isolated by a unique password an ip address range. All the traffic runs through Mullvad VPN and Adguard plus the firewall rules on the Protectli Vault interface the Flint is connected to.

The reason I did not set the Flint WiFi router on the original LAN interface is that I did not want devices connected to the WiFi to be able to access the Opnsense GUI via This is why I am running a stand alone Raspberry Pi as a network terminal on the primary LAN with single access to the Opnsense GUI. This does require setting up SSH into the GLiNet router if I wish to access it from the terminal. But it is easy enough to just connect to the GliNet GUI on my phone that I don't really bother. Besides it further isolates access to the entire network from one point of access.  

Only the Raspberry Pi is connected to the original LAN.  That way all other devices on other network interfaces can be blocked from accessing the Opnsense GUI.  By isolating the Flint on a separate interface I am able to block the interface with the most devices from accessing the TCP port with a firewall rule.

For each new interface create a firewall rule that is set to block, quick is on, direction is in, protocol is TCP, source is any, destination is "this firewall", destination port is set to the unique TCP port chosen under the general settings. Place this firewall rule above the allow internet rule and below allow DNS rule created earlier. Now only LAN interface can access the TCP Port.

Now to create another interface follow the same work flow: assigning an interface a physical port, enable the new interface, set ip address, enable DHCP under services, set ip address ranges, create firewall rules to allow DNS, firewall rules to allow internet and firewall rules to block private networks or ports to isolate the network.

The work flow is interface, services, firewall for each new isolated network. Once all the interfaces are assigned, VLAN can be added which is another topic.

I created an interface for my bitcoin node to run on all alone. I also then set up the stand alone wifi interface directly available on the protectli vault for my dedicated bitcoin thinkpad running sparrow wallet, whirlpool, and serves as my GUI access to the tor address of my Ronin Dojo Tanto node. I also connect my pixel phone with Samourai Wallet to this isolated WiFi network on the Protectli Vault.

This way I do not have my bitcoin laptop or phone connecting to WiFi via a router that also runs all my other home traffic.  Only my bitcoin laptop and phone connect to the unique wifi router interface directly off the Protectli Vault.  

To review, I have the following privacy networks isolated from eachother:

ISP -->

Arris Surfboard SBV3202 modem -->

Protectli Vault firewall router -->

LAN network --> Raspberry Pi as network desktop terminal, with Opnsense GUI access

Interface Opt1 --> GliNet Flint WiFi Router -->

WiFi Network 1 --> daily phone, with GliNet GUI access

WiFi Network 2 Guest --> TV, Tablet

WiFi Network 3 --> Work Laptop, Printer

WiFi Network 4 Guest --> Guests

Interface Opt2 --> Tanto bitcoin node

Interface Opt3 Protectli Vault WiFi  --> Bitcoin laptop and phone

I can connect to my bitcoin node from my laptop via Tor. The programs running on the laptop also run over Tor.  

Setting up the wiregaurd VPN on the Protectli Vault is a comprehensive project that requires another blog post simply dedicated to that.

My objectives with this project was to find open source hardware and software to create a privacy focused home network.  I wanted to be able to create separate interfaces, isolate networks, block access to the router, use custom DNS servers, run VPNs on the router level, separate wifi routers and networks, have ad blocking and tracking on the router level.  By taking these steps I am increasing my privacy and the security of the devices running on my home network. I believe these are the very basic steps that can be taken to create a basic private home network. Below are links to guides I found helpful in the process.


OPNSense Firewall Rules Explained
00:00 - Intro00:31 - Resources used in this video01:28 - Rule action types02:25 - Add private IP ranges alias03:26 - LAN rules management13:02 - Quick firewall “tick-box”15:35 - Rules direction16:35 - Rule cloning18:00 - WAN rules management20:27 - Additional tips22:48 - Outro PayPal Dona…
Bitcoin Home Mining Network Privacy
A privacy-focused guide on building a secure home network with a pfSense firewall. How to setup dedicated home networks to separate your family’s WiFi web browsing from your Bitcoin mining traffic. How to configure a VPN with WireGuard and how to send all your internet traffic through Mullvad VPN tu…
Found this post helpful? Consider sending the author a tip