
Home Network Security

Configure Unifi firewall rules, set up Pi-hole for DNS filtering, deploy IDS/IPS, and monitor traffic across your home network.

Your home network is the foundation of everything you self-host. If the network is compromised, every service behind it is exposed. This guide covers practical steps to secure your home network — from gateway configuration to DNS filtering to intrusion detection.

1. Gateway Hardening

Your router or gateway is the perimeter. Whether you use Unifi, pfSense, OPNsense, or even an ISP router, these fundamentals apply.

  • Change default credentials — the first thing any attacker tries. Use a strong, unique password for the admin interface and store it in your password manager.
  • Disable remote management — if your router has a "remote access" or "cloud management" option, disable it unless you specifically need it.
  • Disable UPnP — Universal Plug and Play lets devices punch holes in your firewall automatically. Turn it off and create port forwards manually.
  • Update firmware — check for updates monthly. Subscribe to your vendor's security advisory mailing list.
  • Disable WPS — Wi-Fi Protected Setup has known vulnerabilities. Use WPA3 if your devices support it, WPA2-AES minimum.

2. DNS Filtering with Pi-hole

DNS filtering blocks malicious domains, ad trackers, and telemetry at the network level — before the traffic even reaches your devices.

Deploy Pi-hole with Docker

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    ports:
      - "53:53/tcp"    # DNS for the LAN
      - "53:53/udp"
      - "8053:80/tcp"  # admin web UI, reachable on host port 8053
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: '${PIHOLE_PASSWORD}'  # read from .env; never commit it
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped

Recommended blocklists

  • Steven Black's unified list — combines multiple sources: ads, malware, fakenews, gambling.
  • OISD (full) — one of the most comprehensive and well-maintained blocklists.
  • Phishing Army — specifically targets phishing domains, updated frequently.
  • Regex filters — block patterns like .*telemetry.*, .*tracking.*, and .*analytics.* for broad coverage.

Point your DHCP server to use Pi-hole as the primary DNS. For devices that hardcode DNS (Google Home, Chromecast), create a firewall rule to redirect port 53 traffic to Pi-hole.

3. Unifi Firewall Rules

If you run Unifi, the firewall is powerful but the defaults are wide open. Here is a practical rule set for a segmented home network.

Rule                      | Source       | Destination    | Action
--------------------------|--------------|----------------|-------
Block IoT to LAN          | IoT VLAN     | Trusted VLAN   | Drop
Block IoT to Servers      | IoT VLAN     | Server VLAN    | Drop
Allow IoT to DNS          | IoT VLAN     | Pi-hole IP :53 | Allow
Block Guest to all        | Guest VLAN   | All private    | Drop
Allow Trusted to Servers  | Trusted VLAN | Server VLAN    | Allow
Block Servers to Trusted  | Server VLAN  | Trusted VLAN   | Drop

Place allow rules above deny rules. Unifi processes rules top-to-bottom and stops at the first match. Use "Established and Related" rules at the top to allow return traffic without opening new connections.
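
As an added illustration (not part of the original guide), the evaluator below walks the rule table above top to bottom and stops at the first match, the way Unifi does. The VLAN subnets and the Pi-hole address 192.168.20.53 (hosted in the Server VLAN) are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: one /24 per VLAN, Pi-hole hosted in the Server VLAN.
VLANS = {
    "Trusted VLAN": ip_network("192.168.10.0/24"),
    "Server VLAN": ip_network("192.168.20.0/24"),
    "IoT VLAN": ip_network("192.168.30.0/24"),
    "Guest VLAN": ip_network("192.168.40.0/24"),
}
PIHOLE = ip_address("192.168.20.53")  # assumed Pi-hole address

# The guide's rule table, in the order it is printed.
RULES_AS_LISTED = [
    ("Block IoT to LAN", "IoT VLAN", "Trusted VLAN", "Drop"),
    ("Block IoT to Servers", "IoT VLAN", "Server VLAN", "Drop"),
    ("Allow IoT to DNS", "IoT VLAN", "Pi-hole IP :53", "Allow"),
    ("Block Guest to all", "Guest VLAN", "All private", "Drop"),
    ("Allow Trusted to Servers", "Trusted VLAN", "Server VLAN", "Allow"),
    ("Block Servers to Trusted", "Server VLAN", "Trusted VLAN", "Drop"),
]

def _matches(selector, addr, port):
    """Selectors are VLAN names, 'All private', or 'Pi-hole IP :53'."""
    if selector == "All private":
        return any(addr in net for net in VLANS.values())
    if selector == "Pi-hole IP :53":
        return addr == PIHOLE and port == 53
    return addr in VLANS[selector]

def evaluate(rules, src, dst, dport, established=False):
    """Walk the list top to bottom and stop at the first match, as Unifi does.
    Return (action, rule name); unmatched inter-VLAN traffic is allowed by default."""
    if established:  # an 'Established and Related' rule at the top lets replies through
        return "Allow", "Established and Related"
    s, d = ip_address(src), ip_address(dst)
    for name, src_sel, dst_sel, action in rules:
        if _matches(src_sel, s, None) and _matches(dst_sel, d, dport):
            return action, name
    return "Allow", "default"

def allow_rules_first(rules):
    """Move every Allow rule above every Drop rule, keeping relative order."""
    return [r for r in rules if r[3] == "Allow"] + [r for r in rules if r[3] == "Drop"]

if __name__ == "__main__":
    query = ("192.168.30.15", "192.168.20.53", 53)  # IoT device asking Pi-hole
    print(evaluate(RULES_AS_LISTED, *query))                     # ('Drop', 'Block IoT to Servers')
    print(evaluate(allow_rules_first(RULES_AS_LISTED), *query))  # ('Allow', 'Allow IoT to DNS')
```

In the order the table lists them, an IoT device's DNS query to Pi-hole is dropped by "Block IoT to Servers" before "Allow IoT to DNS" is ever reached; with the allow rules moved up, only port 53 to Pi-hole gets through and everything else to the Server VLAN is still dropped.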

4. Intrusion Detection (IDS/IPS)

An IDS watches your traffic for known attack patterns and alerts you. An IPS goes further and blocks the traffic automatically.

  • Unifi Threat Management — built into UDM/UDR/USG. Enable it at level 3 (Medium) to start. Level 5 is aggressive and may cause false positives.
  • Suricata — if you run pfSense or OPNsense, Suricata is the go-to IDS/IPS engine. Use the ET Open ruleset for free community rules.
  • CrowdSec — a collaborative IDS that shares threat intelligence across its community. Install it on your reverse proxy or Docker host.

CrowdSec quick setup

# Install CrowdSec
curl -s https://install.crowdsec.net | sudo bash
sudo apt install crowdsec

# Install the firewall bouncer (blocks bad IPs)
sudo apt install crowdsec-firewall-bouncer-iptables

# Check decisions (blocked IPs)
sudo cscli decisions list

5. Wi-Fi Security

Your wireless network is the easiest entry point for an attacker who is physically nearby.

  • WPA3 or WPA2-AES — never use WPA/TKIP or WEP. If your devices do not support WPA3, use WPA2-AES (CCMP) only.
  • Separate SSIDs per VLAN — create a distinct SSID for IoT, Guest, and Trusted. Tag each SSID to its VLAN.
  • Strong passphrases — 20+ characters. Use a passphrase like correct-horse-battery-staple (a random one of your own; that well-known example is in every wordlist) — easy to type, hard to crack.
  • Disable SSID broadcast (optional) — hiding your SSID does not provide real security, but it removes your network from casual scan lists.
  • Client isolation — enable on Guest and IoT SSIDs so devices on the same SSID cannot see each other.
  • 802.1X / RADIUS (advanced) — for enterprise-grade Wi-Fi auth using individual certificates or credentials per device.

6. Traffic Monitoring

You cannot secure what you cannot see. Monitor your network traffic to catch anomalies early.

  • ntopng — real-time traffic analysis with a web UI. Shows bandwidth per host, protocol breakdown, and suspicious flows.
  • Unifi Traffic Stats — built into the Unifi controller. Good for a quick overview but lacks depth for forensics.
  • NetFlow/sFlow — configure your switch to export flow data to a collector. Analyse with ntopng or Grafana + Elasticsearch.
  • Alerts — set up alerts for: new devices on your network, unusual outbound connections (especially from IoT), large data transfers at odd hours, and DNS queries to known malicious domains.
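
As an added example (not part of the original guide), here are three of those alerts run over constructed dnsmasq-style Pi-hole query-log lines and a constructed DHCP lease table. The IoT subnet, the blocklist stand-in, the expected vendor domains and the device inventory are all assumptions you would replace with your own.

```python
import re
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.30.0/24")                              # constructed
MALICIOUS = {"login-verify-example.test", "update-cdn-example.test"}  # stand-in for a blocklist
IOT_EXPECTED = (".vendor-example.test", ".ntp-example.test")          # what IoT may legitimately resolve
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}               # your device inventory

# dnsmasq-style query line as written by Pi-hole: "query[A] <domain> from <client>"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

# Constructed sample log and DHCP leases (mac, ip, hostname).
SAMPLE_LOG = """\
Mar  3 02:14:01 dnsmasq[812]: query[A] api.vendor-example.test from 192.168.30.15
Mar  3 02:14:02 dnsmasq[812]: query[A] login-verify-example.test from 192.168.10.7
Mar  3 02:14:05 dnsmasq[812]: query[AAAA] files.share-example.test from 192.168.30.22
Mar  3 09:30:10 dnsmasq[812]: reply mail.example.test is 203.0.113.10
"""
SAMPLE_LEASES = [("aa:bb:cc:00:00:01", "192.168.30.15", "thermostat"),
                 ("de:ad:be:ef:00:99", "192.168.30.40", "unknown-android")]

def dns_alerts(log_text):
    """Return (kind, client, domain) for blocklist hits from any client, and for
    IoT clients resolving anything outside their expected vendor domains."""
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:  # reply/forwarded/cached lines carry no new client request
            continue
        _qtype, domain, client = m.groups()
        if domain in MALICIOUS:
            alerts.append(("malicious-domain", client, domain))
        elif ip_address(client) in IOT_VLAN and not domain.endswith(IOT_EXPECTED):
            alerts.append(("iot-unexpected-domain", client, domain))
    return alerts

def new_device_alerts(leases):
    """Alert on any DHCP lease whose MAC is not in the inventory."""
    return [(mac, ip, host) for mac, ip, host in leases if mac not in KNOWN_MACS]

if __name__ == "__main__":
    for alert in dns_alerts(SAMPLE_LOG) + new_device_alerts(SAMPLE_LEASES):
        print(alert)
```

Feed it your real /var/log/pihole.log and DHCP lease export on a schedule, and the IoT allowlist is the part that needs tuning: every device's legitimate domains should be a short, stable set, so anything new from that VLAN is worth a look.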

Next step: Your network is locked down — now make sure you can recover from the worst case. Read the Backup & Disaster Recovery guide.