Managing a homelab is a rewarding journey, but as soon as you start hosting services or connecting dozens of "smart" devices, your attack surface grows exponentially. At JDB-NET, security isn't just a checkbox; it's a daily practice.
Here is how I've hardened my environment using OPNsense and a "trust-nothing" approach to networking. 🛡️
Why OPNsense?
When building a custom firewall, the big question is usually "pfSense or OPNsense?" While both are incredible, I've moved JDB-NET over to OPNsense for three main reasons:
OPNsense offers a modern, responsive, and logical GUI. When you're deep in firewall rules at 1 AM, clarity matters.
OPNsense has a predictable and frequent update cycle, ensuring that the core OS and plugins (like WireGuard) stay patched against the latest vulnerabilities.
The project is truly open-source with a fantastic community that prioritises modern features like built-in Two-Factor Authentication (2FA) and easy-to-use plugins.
The Art of Segmentation: My VLAN Strategy
A "flat" network is a playground for lateral movement. If a single smart plug is compromised, an attacker can see every other device on your network. To prevent this, I split JDB-NET into five distinct VLANs:
| VLAN Name | Purpose | Trust Level |
|---|---|---|
| Servers | Internal trusted servers | High (Internal Only) |
| IoT | Home Assistant, smart bulbs, sensors, etc. | Low (Restricted) |
| Devices | My "daily drivers" - Phone, Tablet, Laptop, PC | Medium |
| Guest | Visitors who just need a Wi-Fi connection | Zero (Internet only) |
| DMZ | Public-facing services (Web servers, reverse proxies) | Low (isolated) |
5 Security Basics I Use Daily
Management Hardening (MFA is Mandatory)
The keys to the kingdom live in the OPNsense dashboard. I never leave the default "root" user active for web access. Instead:
I created a dedicated admin user.
TOTP 2FA is enabled for the web GUI. 🔑
Access to the management interface is restricted to a single management IP on the Devices VLAN.
Duo MFA for SSH
Security shouldn't stop at the firewall GUI. For any server in my Servers or DMZ VLANs, password authentication is disabled in favour of SSH keys. However, I take it a step further by integrating Duo Security. Even with a private key, a login attempt triggers a push notification to my phone. If I didn't click "Approve," nobody is getting in. It's worth noting that Duo is free for up to 10 users. For a homelab, this makes perfect sense.
IoT Isolation: The "One-Way" Street
My IoT VLAN is where my Home Assistant devices live. These devices are notorious for being insecure. My firewall rules allow my Devices to talk to the IoT network (so I can control my lights), but the IoT network is strictly blocked from initiating any connection back to my trusted servers or my PC.
The "Public" DMZ Buffer
The DMZ is for the stuff I want to be accessible from the outside world. Even though these are my own servers, I treat them as "not necessarily untrusted, but potentially exposed." By placing them in a DMZ, I can ensure that if a public-facing service is ever exploited, the attacker is trapped in that VLAN and cannot "reach back" into my internal Servers or Devices networks.
Geoblocking via OPNsense
I don't expect much legitimate traffic from countries I don't reside in. Using OPNsense's GeoIP aliases, I block entire regions from even attempting to hit my DMZ or VPN ports. It significantly cuts down on the "noise" in my logs and prevents low-hanging-fruit attacks from automated bots across the globe. 🌍🚫
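To make the inter-VLAN policy from the table and the rules above concrete, here is an added example (not OPNsense code, and not part of the original post) that models the intended rule set as a top-down, first-match table and evaluates sample flows against it. The subnets, firewall address and management host are constructed placeholders; anything not explicitly passed falls through to the default block, which is the "trust-nothing" starting point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed addressing for the five VLANs in the post (hypothetical; use your own plan).
VLANS = {name: ipaddress.ip_network(net) for name, net in {
    "Servers": "10.10.10.0/24", "IoT": "10.10.20.0/24", "Devices": "10.10.30.0/24",
    "Guest": "10.10.40.0/24", "DMZ": "10.10.50.0/24"}.items()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = "10.10.30.1/32"    # hypothetical OPNsense address on the Devices VLAN
MGMT_HOST = "10.10.30.10/32"  # hypothetical admin workstation allowed to reach the GUI

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # VLAN name, "any", "internal", "internet", or a CIDR
    dst: str
    dport: Optional[int] = None  # None matches any destination port

def in_zone(ip: str, zone: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if zone == "any":
        return True
    if zone in ("internal", "internet"):
        private = any(addr in n for n in RFC1918)
        return private if zone == "internal" else not private
    if zone in VLANS:
        return addr in VLANS[zone]
    return addr in ipaddress.ip_network(zone, strict=False)

# Top-down, first-match policy (OPNsense "quick" rules). Only NEW connections are evaluated;
# replies ride on connection state, which is what makes Devices -> IoT a one-way street.
POLICY = [
    Rule("pass",  MGMT_HOST, FIREWALL, 443),  # GUI only from the single management IP
    Rule("block", "any",     FIREWALL, 443),  # every other source is denied the GUI
    Rule("pass",  "Devices", "IoT"),          # I can control my lights...
    Rule("block", "IoT",     "internal"),     # ...but IoT never initiates inward
    Rule("block", "Guest",   "internal"),     # guests: internet only
    Rule("pass",  "Guest",   "internet"),
    Rule("block", "DMZ",     "Servers"),      # an exploited public service cannot reach back
    Rule("block", "DMZ",     "Devices"),
    Rule("pass",  "Devices", "Servers"),
    Rule("pass",  "Devices", "internet"),
]

def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, index of the matching rule); no match hits the implicit default block."""
    for i, rule in enumerate(POLICY):
        if in_zone(src, rule.src) and in_zone(dst, rule.dst) and rule.dport in (None, dport):
            return rule.action, i
    return "block", None
```

The post does not say whether IoT or DMZ hosts get outbound internet, so the model leaves those at the default block; add explicit pass rules below the block rules if your devices need it.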
Conclusion
Hardening your homelab isn't about building an impenetrable fortress; it's about making it too much of a headache for anyone (or anything) to break in. By using OPNsense, Duo MFA, and a solid VLAN structure, you gain visibility and control over exactly what is happening.