My Network Has No Firewall Right Now. Here's Why That's Temporary.

1,250 Square Meters. 30+ Devices. No Logic.

WHERE IT STARTED

The property has around 1,250 square meters — house, offices, storage, and a store. At any given time there are 20+ active devices on the network. On busy days that number climbs to 30. TVs, phones, tablets, PCs, POS systems, security cameras, and everything in between.

The original setup was a collection of repeaters with no logic behind them. Each one doing its own thing, creating its own network, fighting with everything else. The result: devices losing connection constantly, having to manually switch WiFi every time you moved across the property, IP conflicts between wired and wireless devices, and zero visibility into what was actually happening on the network.

This wasn't a simple home network anymore. It hadn't been for a long time. It needed a proper solution.


The Decision: Skip the Easy Option.

WHY OPNSENSE

The ISP router does what ISP routers do — basic connectivity, no real control. For a network this size with this many different types of devices and use cases, that wasn't enough. I needed something more robust.

I chose OPNsense. And I'll be honest — it's more complex than it looks. The learning curve is real. But what it gave me in return was worth every hour spent figuring it out.


What OPNsense Actually Did.

THE SETUP

The first step was identifying every device on the network. Every single one. Then came DHCP static mappings — each device gets the same IP every time, no exceptions. That alone solved half the problems.

Then came the rules:

  • Safer DNS — blocked adult content at the network level, for every device
  • Kids schedule — no internet after 9:30pm, automatically, no arguments
  • Employee limits — messaging works, voice calls don't. This one was a delight.
  • Guest bandwidth — visitors get a connection, but not a comfortable one
  • Moonlight priority — clean, uninterrupted path for game streaming
  • Office file sharing — local network visibility between the right machines
  • Odoo access — business software reachable only by the right people

Everything was working exactly as it should. The network was finally under control — device by device, rule by rule. And most importantly: one place to see everything that was connected.
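The rules above are all keyed off the same thing: the static mapping tells the firewall which device is asking, and a rule then decides by group, domain and time of day. As an added illustration (not OPNsense's code and not the post's own configuration), here is that decision logic as a small Python policy function. The device groups, the blocklist domains and the 07:00 end of the kids' window are constructed assumptions; in OPNsense the same effect comes from DHCP static mappings, an Unbound blocklist and a schedule attached to a firewall rule.

```python
"""Added illustration of per-device policy: group lookup by MAC, a DNS
blocklist with label-aligned matching, and a cutoff window that crosses
midnight. Sample data is constructed; OPNsense implements the real thing."""
from dataclasses import dataclass
from datetime import time

# Constructed static mappings: MAC -> (hostname, group).
STATIC_MAP = {
    "aa:bb:cc:00:00:01": ("kid-tablet", "kids"),
    "aa:bb:cc:00:00:02": ("pos-terminal", "business"),
    "aa:bb:cc:00:00:03": ("staff-phone", "employees"),
    "aa:bb:cc:00:00:04": ("guest-laptop", "guests"),
}

# Constructed blocklist (placeholder names standing in for an adult-content list).
BLOCKED_DOMAINS = {"adult.example", "casino.example"}

# Kids cutoff: no internet from 21:30 until 07:00 (the 07:00 end is an assumption).
KIDS_CUTOFF = ("21:30", "07:00")


def parse_hhmm(hhmm: str) -> time:
    hour, minute = hhmm.split(":")
    return time(int(hour), int(minute))


def domain_blocked(qname: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """Label-aligned suffix match: blocks 'x.adult.example', not 'notadult.example'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def in_window(hhmm: str, window=KIDS_CUTOFF) -> bool:
    """True if the time lies in [start, end); handles windows that cross midnight."""
    now, start, end = parse_hhmm(hhmm), parse_hhmm(window[0]), parse_hhmm(window[1])
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def lookup_group(mac: str) -> str:
    """Unknown MACs fall into the guest group: least privilege by default."""
    return STATIC_MAP.get(mac.lower(), ("unknown", "guests"))[1]


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(mac: str, qname: str, hhmm: str) -> Decision:
    """Content filter applies to everyone; the schedule only to the kids group."""
    group = lookup_group(mac)
    if domain_blocked(qname):
        return Decision(False, "dns-blocklist")
    if group == "kids" and in_window(hhmm):
        return Decision(False, "kids-schedule")
    return Decision(True, f"allow:{group}")


if __name__ == "__main__":
    samples = [
        ("aa:bb:cc:00:00:01", "homework.example", "20:00"),
        ("aa:bb:cc:00:00:01", "homework.example", "22:00"),
        ("aa:bb:cc:00:00:03", "adult.example", "12:00"),
        ("ff:ff:ff:ff:ff:ff", "notadult.example", "12:00"),
    ]
    for mac, q, t in samples:
        d = decide(mac, q, t)
        print(f"{mac} {q:18} {t} -> {'ALLOW' if d.allowed else 'BLOCK'} ({d.reason})")
```

The two edge cases worth noticing are the ones that silently break home-grown filters: a plain substring match on `adult.example` would also block `notadult.example` and miss nothing, while a naive `start <= now <= end` comparison never fires for a window that starts at night and ends the next morning.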


Until It Wasn't.

THE FAILURE

The Intel NUC running OPNsense was a 2014 model. A solid machine for its time — but running 24/7 as a firewall took its toll. It started shutting down every 15 minutes. No warning, no gradual degradation. Just off.

That was the end of OPNsense — at least for now.

As an immediate fix, I handed control back to the ISP router. The APs are still in bridge mode, which solved the roaming problem. But everything else fell apart — IP management, rules, filters, visibility. All gone.

And that last one — visibility — is what I feel most right now. Look at what I'm working with:


Each AP sees only the devices connected to it. The Tenda shows its 4. The TP-Link shows its clients. Nobody sees the full picture. There's no single place where I can look and know exactly what's on my network — who's connected, what IP they have, how much bandwidth they're using. That visibility is gone.

With OPNsense, I had one dashboard. Every device. Every IP. Every connection. Now I have three separate AP panels that each tell part of the story — and no way to see the whole thing at once.
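Until the firewall is back, the per-AP panels can still be stitched into one view by hand. As an added example (not from the post, and not an OPNsense or AP-vendor tool), the script below merges each AP's client list with the old static-mapping inventory and reports exactly the things the post misses: what is online and where, devices that were never mapped, mapped devices that are missing, two devices holding the same IP, and devices the ISP router handed a different address than the static mapping intended. The inventory and the three AP exports are constructed sample data in a simple `mac ip hostname` text form; real AP exports are CSV or JSON and would need their own parser.

```python
"""Added example: one combined view built from per-AP client lists plus the
DHCP static-mapping inventory. All data below is constructed sample input."""
from collections import defaultdict

# Constructed inventory: the static mappings that used to live in OPNsense.
INVENTORY = """
aa:bb:cc:00:00:01 192.168.1.20 kid-tablet
aa:bb:cc:00:00:02 192.168.1.30 pos-terminal
aa:bb:cc:00:00:03 192.168.1.31 staff-phone
aa:bb:cc:00:00:05 192.168.1.40 office-pc
aa:bb:cc:00:00:06 192.168.1.50 printer
"""

# Constructed per-AP client lists: what each AP panel shows on its own.
AP_EXPORTS = {
    "tenda": """
aa:bb:cc:00:00:01 192.168.1.20 kid-tablet
aa:bb:cc:00:00:03 192.168.1.31 staff-phone
""",
    "tplink-1": """
aa:bb:cc:00:00:02 192.168.1.30 pos-terminal
de:ad:be:ef:00:01 192.168.1.31 unknown-android
""",
    "tplink-2": """
aa:bb:cc:00:00:05 192.168.1.45 office-pc
""",
}


def parse_clients(text):
    """Yield (mac, ip, hostname) from 'mac ip hostname' lines; blank lines skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0].lower(), parts[1], parts[2]


def build_view(inventory_text, ap_exports):
    """Merge all AP exports against the inventory and flag the gaps."""
    inv = {mac: (ip, host) for mac, ip, host in parse_clients(inventory_text)}
    seen = {}                      # mac -> (ap, ip, hostname), last AP wins
    ip_owners = defaultdict(set)   # ip -> set of MACs claiming it
    for ap, text in ap_exports.items():
        for mac, ip, host in parse_clients(text):
            seen[mac] = (ap, ip, host)
            ip_owners[ip].add(mac)
    return {
        "online": dict(seen),
        "unknown": sorted(mac for mac in seen if mac not in inv),
        "offline": sorted(mac for mac in inv if mac not in seen),
        "ip_conflicts": {ip: sorted(macs) for ip, macs in ip_owners.items() if len(macs) > 1},
        # Online and mapped, but holding an IP other than the static mapping's.
        "drifted": sorted(mac for mac in seen if mac in inv and seen[mac][1] != inv[mac][0]),
    }


def format_report(view):
    lines = ["ONLINE"]
    for mac, (ap, ip, host) in sorted(view["online"].items()):
        lines.append(f"  {mac}  {ip:15} {host:16} via {ap}")
    lines.append("UNKNOWN (not in static mapping): " + ", ".join(view["unknown"]))
    lines.append("OFFLINE (mapped, not seen):      " + ", ".join(view["offline"]))
    for ip, macs in view["ip_conflicts"].items():
        lines.append(f"IP CONFLICT {ip}: " + " / ".join(macs))
    lines.append("DRIFTED from static IP:          " + ", ".join(view["drifted"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_view(INVENTORY, AP_EXPORTS)))
```

The unknown-device and IP-conflict checks are the ones that matter most without a firewall: an unmapped MAC is the first sign of something on the network that should not be there, and a duplicated IP is exactly the wired-versus-wireless conflict that the static mappings had eliminated.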

The part that bothers me most isn't just the technical side — it's the practical impact on the people using the network every day.

My kids now have unrestricted access to content that wasn't appropriate before. The 9:30pm cutoff is gone. There's no schedule, no filter, no DNS blocking adult content at the network level. That's not a minor inconvenience — that's something I want fixed as a priority.

The employees have full internet access during work hours. They can connect to anything, stream anything, use bandwidth freely while they're supposed to be working. It's not that I want to block them completely — it's that I want to make entertainment uncomfortable enough that work stays the priority. Right now that control doesn't exist.

Going from full network control to no network control is a specific kind of frustration. Especially when you know exactly what you're missing — and exactly who it's affecting.


This Isn't About Control. It's About Peace of Mind.

THE REAL REASON

I don't want to sound like someone who controls everything. That's not the point. The point is that having clear rules in place gives you peace — and removes daily decisions that shouldn't need to be made manually every day.

Right now one of my kids' devices has no internet connection at all. That was the safest option available to me without the firewall. It's not elegant. It's not the solution I want. It's what I have until OPNsense comes back online.

Another one of my kids is starting secondary school. That means a school-assigned laptop coming into the house — locked down by the school, but with limited filtering. The school controls what they can control. What happens on my network is my responsibility. I need to be able to create real controls before that device arrives, not after.

When I get ISP bridge mode, I'm also changing the SSID to something different and hidden. No ambiguity about where to connect. One network, known only to the people who should know it.

This kind of setup isn't pretty or elegant. It's only justified while it works. But the alternative is spending thousands of dollars on managed network equipment controlled by someone else — or handing your network over to a cloud service that makes the rules for you. That level of control is exactly what I'm not willing to give up.


The Plan to Bring It Back.

WHAT'S NEXT

The NUC isn't dead yet. The next step is replacing the thermal paste — 10-year-old paste on a machine that ran 24/7 is a likely culprit. I'm planning a stress test after the repaste to see if the hardware is salvageable. If it is, it goes back into service. If it isn't, it gets replaced.

The longer-term plan: move OPNsense to the Optiplex 780 — more thermal headroom, more reliable hardware for continuous operation. The ISP has already confirmed they'll switch to bridge mode on their end when I'm ready. When that happens, OPNsense sits between the ISP modem and everything else, running the whole property the way it should be run.

  • Thermal paste replacement + stress test on the NUC — upcoming post
  • OPNsense back online on the Optiplex 780 — upcoming post
  • ISP bridge mode — full network control returns
  • Rules back in place — kids schedule, employee limits, Moonlight priority, everything
  • One dashboard. Every device. Full visibility.

The firewall is coming back. It's just temporary.


Questions about the setup or OPNsense? Drop them below.


This post contains Amazon affiliate links. If you purchase through them, I may earn a small commission at no extra cost to you. Every product listed here is something I personally own and use daily.


RELATED POSTS

  • 100 Meters. One Network. How I Built a DIY Mesh With What I Had — Post #005
  • Moonlight Looks Easy. The Network Isn't. — Post #003
