How to build a custom router and firewall with Opnsense in your Homelab

A complete guide to deploying a production-grade firewall with remote management
Introduction
Navigating the world of home networking can be a "plug-and-play" experience, until you decide to build a professional-grade lab. When I set out to install OPNsense on an Intel N150 fanless mini-PC, I ran into the classic "locked out" scenarios, interface mismatches, and the DNS rebind protection blocking my own domain.
Here is the definitive guide on how I moved from a broken installer to a fully headless, domain-accessible firewall that I can manage from anywhere in the world.
The Hardware Architecture
Component Specifications:
Device: Intel N150 (4 Cores, 4 Threads)
Port ETH0 (igc0): LAN (Connected to Mac Studio)
Port ETH1 (igc1): WAN (Connected to Home ISP Router)
LAN address: 10.0.1.1/16 (network 10.0.0.0/16)
Management: TinyPilot Voyager KVM (headless control)
I Spent 3 Days Locked Out of My Own Firewall — The OPNsense Guide That Would Have Saved Me
You know that feeling when you buy new hardware and think "I'll have this running in an hour"?
Yeah. Three days later I was still locked out of my OPNsense box, toggling cables like some kind of network rain dance, wondering why I didn't just buy a pre-configured Ubiquiti.
The Intel N150 mini-PC sat there silently judging me (it's fanless, so literally silent). Two ethernet ports. One job. Somehow I managed to hit every possible failure mode.
The interface detection trap. The Live mode trap. The IP conflict with my home router. DNS rebind protection blocking my own domain. The "Block private networks" checkbox that exists specifically to ruin your day.
I hit them all. Here's what I wish someone had told me.
The Hardware
Nothing exotic:
Device: Intel N150 — 4 cores, fanless, silent
Port 1 (igc0): LAN, connected to my Mac Studio
Port 2 (igc1): WAN, connected to home ISP router
Network: 10.0.0.0/16, firewall at 10.0.1.1
Backup plan: TinyPilot Voyager KVM for console access when (not if) I lock myself out
```
┌─────────────────┐        ┌─────────────────┐
│  Home Router    │  WAN   │  OPNsense N150  │
│  192.168.1.xxx  │───────▶│  WAN: igc1      │
└─────────────────┘        │  LAN: igc0      │
                           └────────┬────────┘
                                    │ LAN
                           ┌────────▼────────┐
                           │   Mac Studio    │
                           │  10.0.1.xxx/16  │
                           └─────────────────┘
```
The Failures (Learn From Mine)
Failure 1: The Live Mode Trap
OPNsense boots into Live mode by default. Everything works. You configure interfaces, set IPs, enable DHCP. Reboot. Gone. All of it.
Because Live mode runs from the install media and persists nothing. You have to actually run the installer.
What to do: Let the live system boot, then log in at the console as installer with password opnsense. That launches the installer; actually install to the SSD and boot from it.
This seems obvious in retrospect. Cost me an entire evening.
Failure 2: The Cable Timing Bug
Here's a weird one. The console's "Assign interfaces" step can auto-detect which port is WAN and which is LAN by watching for a link coming up. If both cables are already plugged in, nothing changes while it watches, so it has nothing to go on: sometimes the WAN assignment lands on igc0 instead of igc1, sometimes neither port gets assigned.
What to do:
Only plug in WAN cable first
Assign WAN to igc1
Then plug in LAN cable
Assign LAN to igc0
Now reboot
Three fresh installations before I figured this out.
Failure 3: IP Conflict
OPNsense defaults LAN to 192.168.1.1/24. My home router is also 192.168.1.1/24, and it hands OPNsense's WAN a 192.168.1.x lease, so WAN and LAN ended up in the same subnet. The firewall can't tell which side a 192.168.1.x packet belongs to, and the web UI is unreachable.
What to do: From the console, select Option 2 (Set interface IP address), pick LAN, and change it to 10.0.1.1/16 (network 10.0.0.0/16), or any range that doesn't overlap your home network.
Failure 4: Wi-Fi Management Blocked
I wanted to manage the firewall from anywhere in my house without being physically cabled to it. But my Wi-Fi hangs off the ISP router, so that traffic arrives on OPNsense's WAN interface, and OPNsense drops unsolicited inbound WAN traffic by default.
What to do:
Interfaces → WAN — Uncheck "Block private networks"
Your home router gives OPNsense a private 192.168.x.x address, so every Wi-Fi client is a "private network" source as far as that checkbox is concerned, and it drops them before your rules are even evaluated.
Firewall → Rules → WAN — Add a rule:
- Pass TCP to WAN address on port 443, with the source set to your home router's subnet (192.168.1.0/24) rather than "any"
System → Settings → Administration — Set Listen Interfaces to "All"
Caveat: this is only acceptable because the WAN here is a private segment behind the ISP router. If that router ever forwards port 443, or the box is moved to sit directly on the internet, this is the management UI exposed to the world; in that case leave "Block private networks" checked, drop the WAN 443 rule, and reach the UI over WireGuard instead.
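Added example (mine, not from the article): a few POSIX shell helpers that turn Failure 3 and Failure 4 into a check you can run before touching the console. Given the LAN address you intend to set and the lease the ISP router gives the WAN, it reports whether the two overlap (the 192.168.1.1 clash), prints the real network address of the LAN (10.0.1.1/16 lives in 10.0.0.0/16, not 10.0.1.0/16), and derives the upstream subnet to use as the source of the WAN 443 rule instead of "any". The WAN lease 192.168.1.37/24 is assumed; everything else uses the article's addresses.

```shell
#!/bin/sh
# Added example, not from the original article. Pure POSIX sh, no network access.
# Assumption: the ISP router leased 192.168.1.37/24 to the OPNsense WAN port.

# Dotted IPv4 -> 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted IPv4.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of "addr/prefix", e.g. 10.0.1.1/16 -> 10.0.0.0/16.
network_of() {
  addr=${1%/*}; prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  echo "$(int2ip $(( $(ip2int "$addr") & mask )))/$prefix"
}

# Exit 0 if two CIDRs overlap: the larger network (shorter prefix) contains the
# other address when both are reduced to the shorter prefix.
cidrs_overlap() {
  p1=${1#*/}; p2=${2#*/}
  if [ "$p1" -le "$p2" ]; then short=$1; long=$2; else short=$2; long=$1; fi
  [ "$(network_of "$short")" = "$(network_of "${long%/*}/${short#*/}")" ]
}

# Failure 3 + Failure 4 in one check: can this LAN address live behind this WAN
# lease, and what source should the WAN management rule carry?
plan_check() {
  lan=$1; wan=$2
  if cidrs_overlap "$lan" "$wan"; then
    echo "CONFLICT: LAN $lan overlaps WAN $wan (pick another LAN range)"
    return 1
  fi
  echo "OK: LAN network $(network_of "$lan"), WAN mgmt rule source $(network_of "$wan")"
}

plan_check 192.168.1.1/24 192.168.1.37/24 || true   # the default that caused the lockout
plan_check 10.0.1.1/16   192.168.1.37/24            # the working layout
```

The second line of output is the pair you want on the firewall: 10.0.0.0/16 as the LAN network in any rule or Ansible task, and 192.168.1.0/24 as the source of the WAN 443 pass rule.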
Failure 5: DNS Rebind Attack Protection
I set up firewall.homelab.com to point to my OPNsense WAN IP. Loaded it in my browser. Blocked.
OPNsense's web UI checks the HTTP Host header of every request against the firewall's own hostname and addresses and rejects a name it doesn't recognise. That is what defeats a DNS rebinding attack (a malicious page pointing its own hostname at your firewall's private IP so the victim's browser can reach it), and it also defeats a legitimate name you never told the firewall about. Great security. Annoying for homelabs.
What to do: Add the name under System → Settings → Administration → Alternate Hostnames. Disabling the DNS rebind check entirely also works, but it removes the protection for every hostname rather than just allowing yours, so prefer the alternate hostname.
The Working Configuration
After all the failures, here's what actually works.
LAN Rules (igc0 / 10.0.0.0/16)
| Priority | Action | Source | Destination | Why |
|---|---|---|---|---|
| 10 | Pass | LAN net | Any | Internet access |
| 20 | Pass | LAN net | 10.0.1.1:443 | Local management |
| 30-60 | Pass | DC subnets | DC subnets | Inter-datacenter traffic |
| 999 | Block | Any | Any | Default deny |
WAN Rules (igc1)
| Priority | Action | Protocol | Port | Why |
|---|---|---|---|---|
| 10 | Pass | TCP | 443 | Wi-Fi management (source: home router subnet 192.168.1.0/24) |
| 20 | Pass | UDP | 51820 | WireGuard VPN |
| 999 | Block | Any | - | Default deny |
NAT Outbound
Hybrid mode. OPNsense keeps generating the automatic masquerade rules for the internal networks it knows about, and you can add manual rules alongside them if you ever need to.
WireGuard Remote Access
I travel to Nigeria regularly. Needed a way to access my homelab from anywhere.
Install: System → Firmware → Plugins → os-wireguard (on recent OPNsense releases WireGuard ships in the base system under VPN → WireGuard and no plugin is needed)
Server config:
Enable WireGuard
Listen Port: 51820
Tunnel Address: 10.0.100.1/24
DNS: 10.0.1.1
Client peer:
Name: Nigeria_Laptop
Public Key: (from client device)
Allowed IPs: 10.0.100.2/32
Don't forget: a WAN rule passing UDP 51820 to "WAN address"; a port forward of UDP 51820 from the ISP router to OPNsense's WAN address, since that router is still in front of the firewall; and a pass rule on the WireGuard interface itself, because without one tunnel traffic never reaches the LAN.
Now I can hit my homelab from 5,000 miles away through an encrypted tunnel.
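Added example (mine, not from the article): the laptop side of the peer above, which the article leaves out. Note the direction of "Allowed IPs": on OPNsense, 10.0.100.2/32 is the address this peer may send from; on the laptop, AllowedIPs is the set of destinations that go into the tunnel, so it must list the homelab LAN (10.0.0.0/16) and the tunnel subnet, not the laptop's own /32. The script emits a wg-quick config and checks that before you travel. The keys and the home.example.net endpoint are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the client config for
# the Nigeria_Laptop peer and checks its AllowedIPs. Keys and endpoint are
# placeholders: the endpoint is the ISP router's public name, which must forward
# UDP 51820 to the OPNsense WAN address.
SERVER_PUBKEY='<OPNsense instance public key>'
CLIENT_PRIVKEY='<laptop private key, generated on the laptop>'
ENDPOINT='home.example.net:51820'   # assumed DDNS name, not from the article

# Emit a wg-quick configuration. $1 = this peer's tunnel address,
# $2 = comma-separated AllowedIPs (destinations routed into the tunnel).
wg_client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $1
DNS = 10.0.1.1

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $ENDPOINT
AllowedIPs = $2
PersistentKeepalive = 25
EOF
}

# Verify the config routes both the homelab LAN and the tunnel subnet.
# Prints OK, or a diagnosis of the classic copy-paste mistake (exit 1).
check_allowed_ips() {
  allowed=$(printf '%s\n' "$1" | sed -n 's/^AllowedIPs *= *//p')
  missing=
  for net in 10.0.100.0/24 10.0.0.0/16; do
    case ",$(echo "$allowed" | tr -d ' ')," in
      *",$net,"*) ;;
      *) missing="$missing $net" ;;
    esac
  done
  if [ -z "$missing" ]; then
    echo "OK: AllowedIPs = $allowed"
    return 0
  fi
  echo "MISSING:$missing (AllowedIPs '$allowed' is the server-side peer entry, not the client's routes)"
  return 1
}

good=$(wg_client_conf 10.0.100.2/32 "10.0.100.0/24, 10.0.0.0/16")
bad=$(wg_client_conf 10.0.100.2/32 "10.0.100.2/32")   # OPNsense's peer entry copied to the laptop
check_allowed_ips "$good"
check_allowed_ips "$bad" || true
printf '%s\n' "$good"
```

Keep AllowedIPs to the homelab ranges (a split tunnel) unless you deliberately want all of the laptop's traffic to exit through the house, in which case use 0.0.0.0/0 and accept the latency.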
Ansible Automation
Once it was working manually, I immediately codified everything. If this N150 dies, I'm not spending another three days on it.
```yaml
- name: Deploy Core Rules
  hosts: opnsense
  tasks:
    # LAN network is 10.0.0.0/16 (the firewall itself is 10.0.1.1).
    - name: LAN to Internet
      oxlorg.opnsense.rule:
        description: LAN_to_Internet
        interface: igc0
        protocol: any
        source_net: 10.0.0.0/16
        action: pass
        sequence: 10

    # Management from the home Wi-Fi, which arrives on the WAN port.
    # Source is left open here to match the GUI setup; tighten it to the
    # home router's subnet with source_net: 192.168.1.0/24 when you can.
    - name: Wi-Fi Management
      oxlorg.opnsense.rule:
        description: WiFi_Mgmt
        interface: igc1
        protocol: tcp
        destination_port: 443
        action: pass
        sequence: 10
```
Using the oxlorg.opnsense Ansible collection. The full playbook covers everything — interfaces, DHCP, DNS, WireGuard, static reservations.
One command rebuild:
ansible-playbook -i inventory.yml playbooks/99_full_rebuild.yml --ask-vault-pass
Sanity Checklist
Before you call it done:
[ ] WAN Interface: "Block private networks" is UNCHECKED (acceptable only while the WAN sits behind the ISP router on a private segment)
[ ] WAN Rules: Port 443 management rule exists, source limited to the home router's subnet
[ ] WAN Rules: Port 51820 WireGuard rule, and the ISP router forwards UDP 51820 to the WAN address (if using)
[ ] WireGuard interface: pass rule so tunnel traffic can reach the LAN (if using)
[ ] Admin Settings: alternate hostname set (or DNS rebind checks disabled, the weaker option)
[ ] Admin Settings: Listen Interfaces = All
[ ] Unbound DNS: Domain override configured
[ ] NAT Outbound: Hybrid mode, networks masqueraded
Troubleshooting
Can't reach 10.0.1.1? Mac Ethernet set to DHCP? Cable in igc0?
Wi-Fi management broken? "Block private networks" still checked. Or WAN rule missing.
Domain doesn't resolve? DNS Rebind protection. Disable it or add alternate hostname.
WireGuard won't connect? Port 51820 not open on WAN, or not forwarded by the ISP router. Handshake fine but nothing reachable? No pass rule on the WireGuard interface, or the client's AllowedIPs doesn't include 10.0.0.0/16.
Inter-subnet traffic blocked? Your LAN rules have wrong source/destination subnets.
The Result
Four ways to access my firewall now:
| Location | How |
|---|---|
| At desk | https://10.0.1.1 (Ethernet) |
| Home Wi-Fi | https://192.168.1.x (WAN IP) |
| Nigeria | https://10.0.1.1 (WireGuard) |
| Anywhere with DNS for it | https://firewall.homelab.com (the name resolves to the private WAN address, so this works from the home network or over the tunnel) |
Silent fanless box sits in the corner. Accessible from anywhere. Fully automated rebuild if needed.
Worth the three days? Probably. Would I do it again? With this guide, it takes about 45 minutes.
Resources
This is part of my homelab series. Next up: Proxmox clustering, Kubernetes on bare metal, and eventually some low-latency trading infrastructure.
Hit me up in the comments if you're stuck. I've probably made your exact mistake.



