Networking isn't my strong suit, so this might be a stupid question. But what exactly is a hardware firewall? Is it the same thing as my Internet facing router blocking incoming packets which haven't been requested from "inside the home" network?
this post was submitted on 31 Jan 2026
294 points (99.7% liked)
Selfhosted
60093 readers
773 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam.
-
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
-
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, your post is exempt from this rule as long as you continue to engage in comments.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
A hardware firewall generally indicates a standalone appliance that is dedicated to being a firewall. Not to be confused with a software firewall as you would see with UFW, or Windows Defender. Modern routers do possess some of the same tenets of a hardware firewall, but a dedicated hardware firewall usually gives a broader range of defenses such as IDS/IPS, filtering, etc.
I have a dedicated hardware firewall in the form of pFsense. The 'black box' in OP's picture is the hardware firewall.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| AP | WiFi Access Point |
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| IoT | Internet of Things for device controllers |
4 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.
[Thread #47 for this comm, first seen 31st Jan 2026, 16:30] [FAQ] [Full list] [Contact] [Source code]
Doing the lords work! π«Ά
Good for you. I use OpenWrt on a decent router yet it's so flexible. I can create multiple VLANs with different firewall rules, multiple APs, Ad and IP blocking etc.
Honestly I can't imagine going back to a shitty ISP router ever.
Even the wrong non-isp routers are ridiculous compared to OpenWrt capable ones. You're telling me I'm paying a huge premium to get a cutting edge Nighthawk, and then they shove a subscription service in my face to use any of these features? Let alone the security implications of having all your traffic routed through proprietary software. No thank you.
I don't think we are the target audience for those, though, as weird as that sounds. More likely intended to be sold to less tech savvy people who are willing to pay for the convenience of some company handling their security.
I always get my isp outers as pass through so network is controlled by my entry. I have never bothered doing much with it but it's nice to have the option.
I used to use a ddwrt firmware for years but eventually my hardware could never keep up with my net speeds and manufacture firmware was faster. Trying an Omada network now seems alright but haven't added their wifi.
That looks exactly like the box I grabbed. Are you running your opnsense on the bare metal, or are you virtualizing it? My only regret for mine was not picking up more ram.
Iβm running on bare metal. I have a physical homelab behind. Canβt you add ram?
I could, if it wasnβt so damn expensive for 32gb
I can't imagine why you need 32gb for opnsense. I can run it on a single core and 1gb, unless I literally want every DNS blacklist loaded in which case 4gb
Iβm running a proxmox instance on mine, with opnsense in a vm and plex, Jellyfin pihole and my omada controller on lxc. 16gb is just enough for everything, but I like to future proof and buffer things, so it makes me a bit nervous utilizing 12 of that 16 gb and only leaving 4gb for proxmox.
In some places you can still get 32GB DDR4 for a kidney if youβre lucky.
OP, you may want to look into ntopng. I think opnsense has a ntopng plugin. I find it very useful for traffic analysis.
Will have a look, thanks!
Share some pictures and stats of you could. Do u see many probes?
You want pictures and stats of what?
Cats, if you have them, dogs if not.
Nice.
Running different SSIDs too?
I put all my IoT stuff on a dedicated 2.4-only network, VLANd it to the (pfsense) firewall which allows the VLAN trunk to be split into separate logical NICs that I apply different policies to, like no access to the internet, etc...
At the moment I only have one WiFi instance, not planning to separate yet but it could be a future upgrade since I have a few IoT devices.
What do you think of Keenetic? Security-wise, do you trust it?
I just got it, itβs only being used as an access point so canβt really say about all their features.
The reason I ask is that Keenetic has substantial ties with Russia. And there is a big chance the firmware development is still done in Russia.
I have crowdsec running on opnsense to block attacks
Crowdsec is a pretty good package. It does blocking, but is geared more to being an IDS. Opnsense supports Suricata which is a more aggressive, and all encompassing IDS/IPS. I don't think opnsense supports it's cousin Snort.
I considered suricata but for now I think crowdsec works well enough, Iβll see later if I think suricata could be more useful
Cool, cool. I was just throwing it out there if you hadn't considered it. It's quite a powerful package.
Why crowdsec?
Personal preference, itβs what Iβve been using since I started my homelab and I think it works well enough.