# Why a Dedicated Firewall Appliance
The first iteration of this homelab ran on a consumer travel router (a GL.iNet Beryl AX flashed with OpenWrt). It worked, but VLAN support, rule management, and visibility were all compromises. Rebuilding the lab meant moving the gateway to something built for the job.
A Protectli Vault running pfSense gives the lab enterprise-grade firewall features, first-class VLAN handling, proper rule ordering and state tracking, and a clean path to add packages like Suricata, pfBlockerNG, and Tailscale down the road.
# Hardware
The Protectli Vault is the firewall appliance: fanless, multiple Intel NICs, low power draw, designed to run pfSense 24/7.
A NETGEAR GS308EP managed switch sits behind the firewall and handles VLAN tagging plus port mirroring to a Raspberry Pi running Suricata and Zeek.
A Dell laptop runs Proxmox VE and serves as the virtualization host for pfSense (optional VM install), the ELK Stack SIEM, and lab VMs like Kali Linux and vulnerable targets.
# Network Plan Before Touching Hardware
The biggest lesson from the v1 build was that upfront planning beats refactoring. Before installing pfSense I documented the VLAN layout, IP schemes, and trust boundaries so the firewall rules would have something concrete to enforce.
| Network | VLAN | Subnet | Purpose |
|---|---|---|---|
| Management | 10 | 192.168.10.0/24 | Firewall, Proxmox, monitoring |
| User | 20 | 192.168.20.0/24 | Client access |
| Lab | 30 | 192.168.30.0/24 | VMs, vulnerable apps, pen testing |
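
The plan above can be checked as data before any hardware is configured. The Python sketch below is an added example, not part of the original build. The function names and the default-deny inter-VLAN policy in `ALLOWED` are assumptions, since the page does not spell out the trust rules.

```python
import ipaddress

# Plan from the table above: zone -> (VLAN ID, subnet).
PLAN = {
    "Management": (10, "192.168.10.0/24"),
    "User": (20, "192.168.20.0/24"),
    "Lab": (30, "192.168.30.0/24"),
}

# ASSUMPTION (not stated on the page): inter-VLAN traffic is default deny and
# only these source -> destination zone pairs are allowed.
ALLOWED = {("Management", "User"), ("Management", "Lab")}


def validate_plan(plan):
    """Return a list of problems: bad or duplicate VLAN IDs, bad or overlapping subnets."""
    problems, seen_ids, nets = [], {}, []
    for name, (vid, cidr) in plan.items():
        if not 1 <= vid <= 4094:  # usable 802.1Q VLAN ID range
            problems.append(f"{name}: VLAN ID {vid} outside 1-4094")
        if vid in seen_ids:
            problems.append(f"{name}: VLAN ID {vid} already used by {seen_ids[vid]}")
        seen_ids.setdefault(vid, name)
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        nets.append((name, net))
    return problems


def zone_of(addr, plan=PLAN):
    """Map an IP address to its zone name, or None if outside every planned subnet."""
    ip = ipaddress.ip_address(addr)
    for name, (_, cidr) in plan.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


def flow_allowed(src, dst):
    """Decide a flow under the assumed policy; addresses outside the plan are denied."""
    s, d = zone_of(src), zone_of(dst)
    # Same-zone traffic is switched at layer 2 and never reaches the firewall.
    return s is not None and d is not None and (s == d or (s, d) in ALLOWED)
```
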
# pfSense Install & Initial Configuration
The full install walkthrough (boot media, console setup, WAN/LAN interface assignment, admin password, and the first web UI pass) is covered in detail in the Medium article. Work in progress.
# What's Next in the Series
Future posts cover VLAN enforcement on pfSense and the NETGEAR switch, the Raspberry Pi IDS sensor running Suricata and Zeek, ELK Stack as the SIEM, and Kali-vs-lab exercises that drive alerts end to end.