A privacy-focused guide on building a secure home network with a pfSense firewall, explaining how to set up dedicated home networks to separate your family's WiFi web browsing from your Bitcoin mining traffic; how to configure a VPN with WireGuard; and how to send all your internet traffic through Mullvad VPN tunnels with automatic load balancing to switch between tunnels during times of high latency; as well as how to configure an ad blocker at the firewall level.
Every Bitcoin home miner is going to need a home network. Building a secure and private network to mine from is an essential part of maintaining a permissionless operation. By following this guide, you will see how to build a robust and customizable home mining network that features the following benefits and more:
- Virtual private network (VPN) tunneling to secure and encrypt your internet traffic
- Enhanced privacy from the prying eyes of your internet service provider (ISP)
- Mitigation of the potential risk of IP address logging from your mining pool
- Configuration of a pfSense firewall
- Creation of sequestered home networks to keep your ASICs separate from your guest WiFi network, etc.
- Setup of a mesh WiFi network access point
- Configuration of an ad-blocker at the firewall level.
Undertaking this task started for me when my wife and I decided to sell our house in the city and move to the country. I had visions of setting up new mining infrastructure from scratch and I wanted to take this opportunity to build the ultimate home network that I always wanted — a home network that prevented my ISP from seeing my data and where it was going, a home network that isolated my ASICs from other network connected devices, a home network that wasn't constantly tracking me and selling my browsing information to advertisers.
This is when I started taking a close look at a blog post on the subject from k3tan. In their pfSense article, k3tan laid out many of the attributes of a home network that I wanted to build for myself and pointed to several additional resources that made me think I could do this myself if I really tried.
I had zero networking experience prior to jumping into this and although there are a lot of steps, it really is very easy to use free and open-source tools to start making leaps and bounds in guarding your privacy.
I reached out to k3tan and they were supportive of my efforts and helped me get through some obstacles that I ran into — I really appreciate this and want to say thank you, k3tan.
Altogether, for this guide I spent $360 to build my home network: $160 on a network card and $200 on a mesh WiFi kit (which, honestly, could have been done with a $40 router but YOLO!).
Some limitations you should be aware of: I literally had zero networking experience prior to this guide. It is very possible that I made some unforeseen mistake. I highly recommend that you use this as a guide but also incorporate your own research and due diligence into your own home network setup. VPNs are a great tool in guarding your privacy but they are not a silver bullet. There are several other ways that you can leak data and diminish your privacy. The good news is that it is easy to start taking steps in developing good, privacy-focused best practices.
Let's get right to it and get your home mining network set up in a way that makes your family happy and keeps your ASICs secure and private.
Building A pfSense Firewall From An Old Desktop Computer
In 10 steps below, I will show you how I used an old desktop computer to build a pfSense firewall and how I configured my home network.
There is also a detailed guide put together by pfSense which you can find here to go over any details or options that I do not cover in this guide. You can also purchase a Netgate device with pfSense already installed and good to go out of the box.
Step One: How To Install The New Network Card
First, you will need an old desktop computer. I used a Dell Optiplex 9020 Small Form Factor (SFF). This is a powerful piece of hardware for a firewall; it features an Intel i7-4790 3.6GHz CPU, 16 GB of RAM and a 250 GB hard drive.
By default, this computer only has one RJ45 Ethernet port. However, if this is going to serve as a firewall, it will need at least two Ethernet ports. To achieve this, I purchased an Intel i350 network card which comes equipped with four Ethernet ports. The i350 network card is designed to be used in the four-lane PCIe slot on the desktop's motherboard.
For this SFF chassis, I had to swap out the full-height metal bracket on the network card for the included low-profile bracket. Then simply open the chassis and flip open the external clamp covering the empty PCIe slots. With a screwdriver, you can remove the blank metal bracket insert in front of the four-lane PCIe slot and insert the network card. Then, close the clamp and put the chassis side-cover back on.
Once installed, it is important to note which Ethernet port is for the wide area network (WAN) and which ports are for the local area network (LAN). WAN is what faces out to the wide open public internet and LAN is what faces in to your local home network.
Once installed, you can set your desktop computer to the side for now. You will want to use your network-connected computer to download and verify the pfSense image and flash it to a USB drive.
Step Two: How To Download And Verify The pfSense Image File And Flash It To A USB Drive
First, navigate to this pfSense download page and, once there:
- Select the "AMD64" architecture
- Then "USB Memstick installer"
- Then "VGA" console
- Then select whichever mirror is closest to your geographic location, such as demonstrated in the screenshot below, and click on "Download"
Next, you can calculate the SHA-256 checksum on the compressed file you downloaded and verify it against the checksum displayed on the pfSense download page.
I like to use a freeware hex editor called HxD for calculating checksums. Just open the file you are interested in, navigate to "Tools" then "Checksums" and select "SHA256" from the menu. If the hash values don't match, do not use the downloaded file.
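As an added example (not part of the original guide, which does this check with HxD), the same verification can be scripted. The script below hashes the downloaded file in chunks, normalises the published value so that either the bare hash from the download page or a "HASH  filename" line from a .sha256 file can be pasted in, and compares the two. The tiny sample file it builds is constructed for the demonstration and is not a real pfSense image.

```python
"""SHA-256 verification of a downloaded installer image.

Added example, not from the original guide. Hashes the file in chunks (installer
images are large), accepts the published checksum either as a bare hash or as a
"HASH  filename" line, and compares case-insensitively.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not need to fit in RAM


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of the file at `path`, computed incrementally."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize_published(text: str) -> str:
    """Accept a bare hash or the 'HASH  filename' line of a .sha256 file."""
    parts = text.strip().split()
    hex_part = parts[0].lower() if parts else ""
    if len(hex_part) != 64 or any(c not in "0123456789abcdef" for c in hex_part):
        raise ValueError("published value is not a 64-hex-digit SHA-256")
    return hex_part


def verify_sha256(path: str, published: str) -> bool:
    """True only if the file's SHA-256 equals the published value."""
    expected = normalize_published(published)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed sample: a stand-in file whose SHA-256 is a known test vector."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file for the demo; the name only mimics an image download.
        sample = os.path.join(tmp, "pfSense-sample.img.gz")
        with open(sample, "wb") as fh:
            fh.write(b"abc")  # SHA-256("abc") is the standard test vector below
        good = ("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
                "  pfSense-sample.img.gz\n")
        # Last hex digit altered: simulates a corrupted or tampered download.
        bad = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ae"
        return verify_sha256(sample, good), verify_sha256(sample, bad)


if __name__ == "__main__":
    ok, tampered = demo()
    print("matches published checksum:", ok)
    print("matches altered checksum:  ", tampered)
```

To use it on a real download, call `verify_sha256("pfSense-...-amd64.img.gz", "<value copied from the download page>")` and only flash the file if it returns `True`.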
The easiest way I have found to flash an image file to a USB drive is to use a program called balenaEtcher.
Once installed, launch the application, click on "Flash from file," then navigate to the folder where you have the compressed pfSense image file.
Next, select your blank USB drive and then click on "Flash." BalenaEtcher will begin the flashing process and automatically decompress the pfSense image file. This process will take a few minutes.
After the flashing is complete, you should get a green check mark indicating that everything checks out. If you get an error from balenaEtcher, you may need to try flashing to a different USB drive.
Now you can safely eject the flashed USB drive from your computer and you are ready to flash the other desktop computer.
Step Three: How To Flash The Desktop And Install pfSense
Connect a keyboard, monitor, power cable and the flashed USB drive to your desktop computer that you installed the network card in. The monitor needs to be connected via VGA connections — DisplayPort connections won't work in my experience. Do not connect the Ethernet cables yet.
Once everything is connected, power on your desktop. Some computers will automatically detect that there is a bootable USB drive inserted and they will ask you which drive you want to boot from. In my case, the computer just defaulted to booting from the "C:\" drive and launched Windows automatically. If this happens to you, shut down the computer, then hold down "F12" on the keyboard and turn it back on. This will launch the BIOS, where you can tell the computer which drive you want to boot from.
For example, here is my BIOS environment where I was able to select the SanDisk USB drive that I had flashed the pfSense image to. After selecting this option, a script will run briefly and then the pfSense installer will launch:
First, accept the terms and conditions. Then select "Install pfSense," then choose the keymap appropriate for you. If you speak English and live in the U.S., you will probably just want to use the default.
Next, I just chose the "Auto ZettaByte File System" (ZFS) option because I'm using a hardware platform that is way over spec'd for a home firewall. The ZFS option has more features and is more reliable than the Unix File System (UFS) option, but ZFS can be more memory hungry, which I'm not really concerned with given that I have 16 GB of RAM in this desktop.
Then, you will have some partitioning and redundancy options, which I just kept as simple as possible, e.g., no redundancy and the default configuration options. Then, select "Install."
Next, you will be asked which drive you want to install pfSense onto. The only options I had were the computer's hard drive and the USB drive; obviously I don't want to install pfSense on the USB drive, so I chose the computer's hard drive. If you do this, make sure any data you want to save is copied to an external drive first, because it will erase your existing hard drive. The installer will warn you that this operation will destroy all existing data on the hard drive, which is what I wanted because I'm dedicating this machine to be my firewall and don't need Windows on it anymore. After confirming this choice, a few scripts will run and the flashing process will take a couple of minutes.
Then, you will see a couple of confirmations that the pfSense installation was successful. A prompt will ask you if you want to manually make any final modifications, which I did not. Then, it will ask you if you want to reboot; select yes. Remove the USB drive immediately, before the reboot kicks back on, because otherwise it will drop you at the beginning of the installation wizard again. You should wind up at the main terminal menu once the reboot is finished.
Now you are ready to connect your new firewall to your home network.
Step Four: How To Connect The pfSense In A Home Network
The following steps will all be completed on the keyboard and monitor connected to your new firewall:
- First, power off your ISP-provided router, power off your modem and disconnect the Ethernet cables from your modem and router.
- Next, power on your new firewall and let pfSense load. Then, power on your modem and wait for it to link to the internet.
- In the pfSense menu, select option one, "Assign Interfaces." It will ask you if you want to set up VLANs now, enter "n" for no. Then it will ask you to enter the WAN interface name, enter "a" for auto-detect.
- Connect an Ethernet cable from your modem output to your new firewall network card interface. Remember, the port on the far-right side if the RJ45 release tabs are facing up is your WAN port, or the far-left side if the RJ45 release tabs are facing down.
- Once connected, hit “enter.” It should detect link-up on interface port igb0. If it is igb3, then switch the Ethernet cable to the opposite side and try again.
- Then it will ask you to enter the LAN interface name, enter "a" for auto-detect. Connect an Ethernet cable from the next available port on the new firewall network card to your Ethernet switch or other access point. Keep in mind that if you intend on running a Virtual Local Area Network (VLAN), you will need to use a managed switch.
- Once connected, hit enter. It should detect link-up on interface port igb1.
- Then, hit enter again for "nothing" as no other network connections are configured at this time.
- Then it will inform you that the interfaces will be assigned as follows: WAN = igb0 and LAN = igb1.
- Enter "y" for yes and pfSense will write the configuration and bring you back to the main menu with your WAN IPv4 and IPv6 addresses displayed on top.
Just to illustrate an example signal path configuration, you could do a setup like this:
At this point, you should be able to enter "192.168.1.1" into your web browser on your regular desktop and launch the pfSense web interface. It is a self-signed certificate, so accept the risk when prompted and continue. The login credentials are admin/pfsense.
You can now disconnect the keyboard and monitor from your new firewall. The rest of the steps will be completed through the web interface on your regular desktop.
Step Five: How To Configure The pfSense Basic Settings
In this step, you will see how to configure basic settings: running the setup wizard, changing the web interface's TCP port, enabling Secure Shell (SSH) and enabling hairpinning. The vast majority of the information presented here and in step six below came from watching this Tom Lawrence video on pfSense — I highly recommend watching this video, it is lengthy but packed full of valuable information and has way more details than I present in this guide.
First, click on the red warning dialog at the top of the page to change the password used to log into your new firewall. Personally, I recommend high-entropy, single-use passwords with an accompanying password manager. Then, log out and log back in to test your changes.
Once logged back in, open the "Setup Wizard" from the "System" tab:
Then, the wizard will walk you through nine basic steps to get your new pfSense firewall configured.
Click "Next" on the first step.
Then, on the second step, you can configure the hostname, domain and primary/secondary DNS servers. You can leave "Hostname" and "Domain" as their defaults or set them to whatever you want. I chose "100.64.0.3" for the primary DNS server for getting out to the internet and unchecked the "Override DNS" box to avoid having DHCP override the DNS servers. I'll go over why I used "100.64.0.3" in step 10 of this guide.
Then, you can set your timezone in step three:
On the fourth step, you can select "DHCP" for the WAN interface and leave all of the other fields at their defaults. If you want to spoof your MAC address, you can do so in this step. For the last two fields, ensure the "Block RFC1918 Private Networks" box and the "Block bogon networks" box are checked; this will automatically add the appropriate rules to your firewall.
In step five, you can change your firewall's IP address. Most home local networks will use either 192.168.0.1 or 192.168.1.1 to access the router or firewall. The reason you may want to change this to a non-default local IP address is that if you are on someone else's network and try to VPN back into your home network, both ends may be using the same address range, and the system won't know whether you are trying to connect to the local or the remote address. For example, I changed my local IP address to "192.168.69.1."
In step six, you can set your admin password. I was a little confused to see this step inserted here since I had changed the admin password at the beginning, so I just used my same high-entropy password from before, assuming it was asking for the same password that will be used to log into the router.
Then, in step seven, you can click the "Reload" button. As this is reloading, unplug the power cable from your switch. Since the router local IP address was changed to "192.168.69.1" (or whatever you chose), all the devices on the network will now have their IP addresses updated to that IP range.
So, if you have PuTTY or other SSH sessions configured to your Raspberry Pi node for example, you will now need to update those connection configurations. Unplugging the power from the switch and plugging it back in after the router is rebooted helps get all your devices reassigned.
To figure out the IP addresses for the devices on your local network, you can navigate to the "Status" tab and select "DHCP Leases" to see everything listed out:
After the reload in step seven, the wizard just skipped over steps eight and nine, so I'm not sure what happens in those steps, but we will move on and address things as necessary.
A couple of other basic settings worth noting are found under "System>Advanced>Admin Access." Here, I updated the TCP port to "10443" because I run some services that will access the same default ports like 80 or 443 and I want to minimize congestion.
Also, I enabled SSH. Then, you can choose how SSH is secured: with a password, with keys only, or with either. Upon saving, give the interface a minute to update to the new port. You may need to reload the page using the local IP address and the new port, e.g., "192.168.69.1:10443." Make sure to save your changes at the bottom of the page.
The last basic setting I'll cover here is hairpinning (pfSense calls it NAT reflection). Suppose you have opened a port on your public IP address to a security camera system. With hairpinning enabled, that same public address also works from inside your network: when you are at home on your LAN and open the camera system from your mobile phone, you don't have to manually change where it connects to, because the firewall sees that the public address maps to a local host and loops the connection back around.
- Under the “System” tab, navigate to "Advanced>Firewall & NAT"
- Scroll down to the "Network Address Translator" section
- From the "NAT Reflection Mode" drop-down menu, select "Pure NAT"
- Click "Save" at the bottom of the page and "Apply Changes" at the top of the page
That is it for the basic settings. The good news is that pfSense is rather secure in its default installation, so there is not a whole lot you need to change to have a great basic foundation. Generally, the position of the pfSense developers is that if there is a more secure way to roll out pfSense, then they will just make that the default setting.
One other thing to note is that by default, pfSense enables WAN IPv6 network address translation (NAT) mapping. I chose to disable this, so I'm not opening up an IPv6 gateway to the wide-open internet.
You can do this by going to "Interfaces>Assignments" and then clicking on the "WAN" hyperlink on the first assignment. This will open up the configuration page, then just make sure that the "IPv6 Configuration Type" is set to "None." Then save and apply those changes.
Then you can navigate to "Firewall>NAT" and scroll down to the "WAN" interface with an IPv6 source and delete it.
Step Six: How To Configure The pfSense Advanced Settings
In this section I will go over some advanced features that you may be interested in for your home network. Here, you will see how to set up separate networks from your pfSense router so that, for example, guests can access the wide-open internet from a WiFi access point in your home but they cannot access your ASICs from that network.
If you used the i350 network card like I did, then you have four Ethernet ports available, and if you used a Dell Optiplex like I did, then you also have a fifth Ethernet port on the motherboard. This means that I have five interfaces I can configure, four of which can be secondary local networks.
What I am going to do here is keep my work desktop and my dedicated Bitcoin desktop on one network (LANwork). Then, I will configure a secondary LAN that my home's WiFi access point will be on (LANhome). This way, I can keep traffic from my family's web browsing totally separate from my work and Bitcoin-related activities.
Then, I will set up another LAN which will be dedicated for my ASICs (LANminers), separate from the other two networks. Finally I'll create a test network (LANtest) which I will use to integrate new ASICs and ensure there is no malicious firmware on them before exposing my other ASICs to them. You could also add a security camera network on one of the interfaces, the possibilities are endless.
If you navigate to the "Interfaces" tab, then "Interface Assignments," you will see all of your available network card RJ45 ports. They should be labeled "igb0," "igb1," "igb2," etc. Now, simply add the one you are interested in by selecting it from the drop-down menu and clicking on the green "Add" box.
Then, click on the hyperlink on the left-hand side of the interface you just added to open up the "General Configuration" page for that interface.
- Click the "Enable Interface" box
- Then, change the "Description" to something that helps identify its function, like "LANhome," for example
- Then, set the "IPv4 Configuration" type to "Static IPv4" and assign a new IP range. I used "192.168.69.1/24" for my first LAN so for this one, I will use the next sequential IP range, "192.168.70.1/24."
You can leave all of the other settings on their defaults, click "Save" at the bottom of the page and then "Apply Changes" at the top of the page.
Now, you need to set up some firewall rules for this new LAN. Navigate to the "Firewall" tab, then "Rules." Click on your newly-added network, "LANhome," for example. Then, click on the green box with the up arrow and the word "Add."
On the next page:
- Make sure the "Action" is set to "Pass"
- The "Interface" is set to "LANhome" (or whatever your secondary LAN is called)
- Be sure to set the "Protocol" to "Any" otherwise this network will restrict the type of traffic that can be passed on it
- Next, you can add a short note to help indicate what this rule is for, such as "Allow All Traffic"
- Then all other settings can remain in their defaults and click "Save" at the bottom of the page and "Apply Changes" at the top of the page
Before you can test your new network, you need to have an IP address set up on it:
- Navigate to "Services," then "DHCP Server"
- Then click on the tab for your new LAN
- Click on the "Enable" box and then add your IP address range in the two "Range" boxes. For example, I used the range from "192.168.70.1 to 192.168.70.254." Then, click on "Save" at the bottom of the page and "Apply Changes" at the top of the page.
Now you can test your new network by physically connecting a computer to the corresponding RJ45 port on the network card and then try to access the internet. If everything worked, then you should be able to browse the wide-open web.
However, you may notice that if you are on your secondary LAN and you try to log into your firewall, you will be able to do so using the "192.168.70.1" IP address. Personally, I only want my firewall accessible from my "LANwork" network. I do not want my wife and kids or guests to be able to log into the firewall from their designated "LANhome" network. Even though I have a high-entropy password to get into the firewall, I am still going to configure the other LANs so that they cannot talk to the router.
One concern I have, which this kind of configuration helps alleviate, is plugging an ASIC with malicious firmware into my network. With the LANs sequestered, I can keep such a device isolated and prevent it from affecting my other devices and information. That is why one of the LANs I am setting up is called "LANtest": it is dedicated to keeping new ASICs totally isolated so I can test them in safety, without allowing a potential attack on my other ASICs or the other devices on my home's networks.
To set up a rule so that port 10443 cannot be accessed from your other LAN networks, navigate to "Firewall>Rules" and then select the tab for your corresponding network of interest. Click on the green box with the up arrow and word "Add" in it.
- Make sure "Action" is set to "Block"
- Then, under the "Destination" section, set the "Destination" to "This Firewall (self)" and then the "Destination Port Range" to "10443" using the "Custom" boxes for the "From" and "To" fields
- You can add a description to help you remember what this rule is for. Then click on "Save" at the bottom of the page and then "Apply Changes" at the top of the page.
Having a high-entropy password to log into the router and locking down the port is a great start, but you can further sequester your LAN networks and ensure that devices on one network cannot get onto any of the other networks at all by setting up an alias for your primary LAN.
Navigate to "Firewall>Aliases," then under the "IP" tab click on the "Add" button.
- Then, I named this alias "SequesteredNetworks0"
- I entered a description to remind me of its function
- Since I will be adding a firewall rule to my "LANhome" network referencing this alias, I added the other LANs to the "Network" list. This way, "LANhome" cannot talk to "LANwork," "LANminers" or "LANtest."
- Click on "Save" at the bottom of the page and then "Apply Changes" at the top of the page
Now I can add additional aliases that will be referenced in firewall rules on the other LANs to prevent "LANminers" from talking to "LANwork," "LANhome," and "LANtest" — so on and so forth until all my networks are sequestered in a way that only my firewall can see what is connected on the other networks.
With the alias created, a new firewall rule can be applied referencing this alias on the secondary LAN.
- Navigate to "Firewall>Rules," select the LAN you want to apply the rule to, e.g., "LANhome"
- Then for "Action" set it to "Block." For "Protocol" set it to "Any."
- For "Destination" set it to "Single host or alias"
- Then enter your alias name
- Click on "Save" at the bottom of the page and then "Apply Changes" at the top of the page.
Once I created the aliases and set the firewall rules, I was then able to connect my laptop to each network card RJ45 interface port and attempt to ping each of the other networks. I could get out to the wide-open internet from each LAN but I was not able to communicate with any of the other LANs or the firewall. Now I know any devices on any of my LANs will not have access to devices on any of my other LANs. Only from my primary "LANwork" network am I able to see what is connected on all of the other LANs.
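The ping test above checks the result, but it helps to see why the rules behave that way. pfSense evaluates the rules on an interface tab top-down and the first matching rule wins, with an implicit default block when nothing matches. The guide adds each new rule with the up-arrow "Add" button, which places it at the top of the tab, so the two "Block" rules end up above the earlier "Allow All Traffic" rule. The model below (an added example, not part of the original guide or pfSense itself) replays that evaluation for a LANhome client with the guide's 192.168.69.0/24 (LANwork) and 192.168.70.0/24 (LANhome) ranges; the LANminers and LANtest subnets are assumed, following the same sequential convention. It also shows what happens if the pass rule were first instead.

```python
"""First-match model of the per-interface rules built in this section.

Added example, not from the original guide. Models pfSense interface-tab
semantics: top-down, first match wins, implicit block if nothing matches.
"This Firewall (self)" matches every address the firewall holds, i.e. the
gateway address on each LAN.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnet plan: LANwork and LANhome are from the guide; LANminers and LANtest are assumed.
LANS = {
    "LANwork":   ip_network("192.168.69.0/24"),
    "LANhome":   ip_network("192.168.70.0/24"),
    "LANminers": ip_network("192.168.71.0/24"),  # assumed
    "LANtest":   ip_network("192.168.72.0/24"),  # assumed
}
# Every firewall-owned address (the .1 gateway of each LAN) for "This Firewall (self)".
FIREWALL_SELF = {str(net[1]) for net in LANS.values()}

# The "SequesteredNetworks0" alias as built for LANhome: all the other LANs.
SEQUESTERED_FROM_LANHOME = [net for name, net in LANS.items() if name != "LANhome"]


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    proto: str = "any"                   # "any", "tcp", "udp", "icmp"
    dst: object = "any"                  # "any", "self", or a list of ip_network
    dst_ports: Optional[tuple] = None    # (from, to) or None for any port
    description: str = ""

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst == "self":
            if dst_ip not in FIREWALL_SELF:
                return False
        elif self.dst != "any":
            addr = ip_address(dst_ip)
            if not any(addr in net for net in self.dst):
                return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if not lo <= port <= hi:
                return False
        return True


def evaluate(rules: list, dst_ip: str, proto: str = "tcp", port: int = 443) -> str:
    """Top-down, first match wins; no match means the implicit default block."""
    for rule in rules:
        if rule.matches(dst_ip, proto, port):
            return rule.action
    return "block"


# LANhome tab in the order the up-arrow "Add" button leaves it: newest rule on top.
LANHOME_RULES = [
    Rule("block", "tcp", "self", (10443, 10443), "No web GUI from LANhome"),
    Rule("block", "any", SEQUESTERED_FROM_LANHOME, None, "Block SequesteredNetworks0"),
    Rule("pass", "any", "any", None, "Allow All Traffic"),
]

# Same rules with the pass rule first: the block rules are never reached.
LANHOME_RULES_MISORDERED = [LANHOME_RULES[2], LANHOME_RULES[0], LANHOME_RULES[1]]


def lanhome_reachability(rules=LANHOME_RULES) -> dict:
    """What a LANhome client can reach under a given rule order."""
    return {
        "internet":             evaluate(rules, "1.1.1.1", "tcp", 443),
        "own_gateway_dns":      evaluate(rules, "192.168.70.1", "udp", 53),
        "firewall_gui_own_lan": evaluate(rules, "192.168.70.1", "tcp", 10443),
        "firewall_gui_lanwork": evaluate(rules, "192.168.69.1", "tcp", 10443),
        "lanwork_host_ping":    evaluate(rules, "192.168.69.50", "icmp", 0),
        "lanminers_host_web":   evaluate(rules, "192.168.71.20", "tcp", 80),
    }


if __name__ == "__main__":
    for label, rules in (("correct order", LANHOME_RULES),
                         ("pass rule first", LANHOME_RULES_MISORDERED)):
        print(label)
        for target, verdict in lanhome_reachability(rules).items():
            print(f"  {target:22s} {verdict}")
```

With the rules in the guide's order, a LANhome client reaches the internet and its own gateway on ordinary ports, but is blocked from port 10443 on any firewall address and from every host in the other LANs; with the pass rule on top, every one of those verdicts becomes "pass", which is the mistake to check for when a rule is added with the down-arrow "Add" button instead.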
That takes care of the advanced features that I wanted to share with you. You should now have some firewall rules set up and multiple networks sequestered. Next, we'll get into setting up a WiFi access point on one of the secondary LANs.
Step Seven: How To Set Up And Configure A WiFi Access Point
In this section I'll show you how I configured my home's mesh WiFi using the secondary "LANhome" network. The key point to keep in mind here is that I made this a dedicated LAN specifically for a WiFi access point for my family and guests to link to, without giving them access to my pfSense firewall or any other LANs. But they still have unrestricted access to the wide-open web. I will add a VPN tunnel for this LAN later in this guide.
To ensure that I was providing adequate WiFi signal to the entire house, I decided to go with a NetGear Nighthawk AX1800 kit.
Inside this kit is a WiFi router and a repeater satellite. The basic idea is that the WiFi router gets connected to the pfSense firewall directly with an Ethernet cable on the igb2 "LANhome" port. Then, the WiFi router broadcasts the signal to the repeater satellite in another area of the house. Like this, I can increase the WiFi signal coverage to a wider area.
To accomplish this I simply followed these steps:
- 1. Plug the WiFi router into the pfSense firewall on port igb2 "LANhome" using an Ethernet cable to the port labeled "Internet" on the back of the WiFi router.
- 2. Plug a laptop into the port labeled "Ethernet" on the back of the WiFi router with an Ethernet cable.
- 3. Plug the WiFi router into power using the supplied power adapter.
- 4. Wait for the light to turn solid blue on the front of the WiFi router.
- 5. Open a web browser on the laptop and type in the IP address for the WiFi router. I found the IP address next to the "MR60" device in my pfSense dashboard under "Status>DHCP Leases."
- 6. Immediately, I was prompted to change the password. Again, I used a high-entropy, random password with an accompanying password manager. I don't want my family or guests to be able to access this WiFi access point's administrative settings, so placing a strong password here is recommended. You may also be prompted to update the firmware, which will result in a reboot.
- 7. Then, you can log back in with your new admin password and change the default network name to whatever you want and add a WiFi password to access the WiFi network; this is the password shared with family and guests so this one I made pretty easy to remember and share. Even if a nefarious actor cracks the password and gains access to the WiFi network, it is totally sequestered from everything else and the WiFi router itself has a high-entropy password.
- 8. Then, navigate to "Advanced>Wireless AP" and enable "AP Mode." "AP" stands for access point. Then, apply the changes.
- 9. The router will reboot again. At this point, the local IP address will be updated, this change can be monitored in the "DHCP Leases" status page. Now, the laptop can be unplugged from the WiFi router and the WiFi router can be logged into from the same machine as the pfSense interface is running.
- 10. Once logged in again, click on "Add Device" and you will be prompted to set the satellite repeater in place and connect it to power. Then follow the prompts on the interface to sync the satellite.