Router Firmware Guides

Router firmware such as pfSense and OpenWRT is crucial for privacy; I think we all should at least have a router running either OpenWRT or pfSense, because your ISP can see everything you do on Wi-Fi. Any compatible router will do for a start, but I recommend looking into stronger options down the road.

pfSense is an excellent choice for improving both network security and privacy. I believe everyone should have a physical firewall, since it significantly strengthens your Wi-Fi protection. I have also noticed that my network has become much faster: I use ProtonVPN with Secure Core, and my download speeds still reach over 300 MB/s.

Keep in mind that the quality of your hardware greatly affects your speed. Also, your VPN setup should not block anything if you want to use a custom DNS. Before you begin, make sure that your router/firewall is compatible with pfSense.

Flashing pfSense

  • First, go to the download page (if you pick the wrong image, it won’t work).
  • Make sure to select “pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz.”
  • Download the “.gz” file and decompress it; if you can’t decompress it, use 7-Zip.
  • After that, get balenaEtcher.
  • Open balenaEtcher and select “Flash from file,” then choose the .img file.
  • Select the target USB drive.
  • Click “Flash” to write the image.
  • Wait until it’s done, then remove the USB drive.

Initial Setup

Gather a keyboard, a display cable, a power cable, and a power brick (either USB-A or USB-C). First, connect the firewall to any screen. Next, attach the keyboard. After that, plug the firewall into a power source; it should power on. If it fails to boot into pfSense, move the USB drive to a different port and try again.

  • First, insert the USB drive into the firewall.
  • Then, press the power button.
  • After that, keep pressing F11 as it starts up.

You should now be at the installation screen. Press Enter to begin the installation, then accept all default options; you may need to press Enter several times. On the “ZFS Configuration” screen, select the device’s drive, which will appear as “SSD” or “ada.” Use the arrow keys to navigate and the space bar to select the correct drive. Press Enter to continue and choose “Yes” to confirm. If prompted to open a shell, select “No,” then choose “Reboot” when complete. Finally, shut down the device and remove all peripherals from the firewall, including the USB drive, keyboard, and screen.

Now, we’re going to log in to our firewall using our pfSense credentials.

pfSense Port Activation

  • First, navigate to Interfaces > Assignments and add any pending ports, then click on Save.

  • Next, go to Interfaces > OPT1 and select Enable interface. Change the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.2.1. Change /32 to /24, then click Save and Apply Changes.

  • Proceed to Firewall > Rules and click on OPT1. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

  • Now, navigate to Services > DHCP Server. Click on OPT1 and enable Enable DHCP Server on the OPT1 interface. Enter the range as From: 192.168.2.10 To: 192.168.2.250. Click Save and Apply Changes.

Enable OPT2
  • Next, go to Interfaces > OPT2 and select Enable interface. Set the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.3.1. Change /32 to /24, then click Save and Apply Changes.

  • Proceed to Firewall > Rules and click on OPT2. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and set the Gateway to Wan_DHCP…. Click Save and Apply Changes.

  • After that, go back to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.3.10 To: 192.168.3.250. Click Save and Apply Changes.

Enable OPT3
  • Next, go to Interfaces > OPT3 and select Enable interface. Change the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.4.1. Change /32 to /24, click Save, then Apply Changes.
More OPT2
  • Now, navigate to Firewall > Rules and click on OPT2. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

  • Then, go to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.4.10 To: 192.168.4.250. Click Save and Apply Changes.

Enable OPT4
  • Proceed to Interfaces > OPT4 and select Enable interface. Set the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.5.1. Change /32 to /24, click Save, then Apply Changes.
More OPT2
  • Next, navigate to Firewall > Rules and click on OPT2. Click on Add (up arrow) and set the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

  • Finally, go to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.5.10 To: 192.168.5.250. Click Save and Apply Changes.
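
Because the same addressing pattern is repeated for every port, it is worth checking that the plan is internally consistent before typing the values into the DHCP Server pages. The Python script below is an added example, not part of this guide or of pfSense; it encodes the guide's OPT1 to OPT4 values (192.168.N.1/24 with a pool of .10 to .250) and flags a DHCP range that does not lie inside its interface's subnet (the usual slip when copying steps from one port to the next), an interface address inside the pool, a /32 mask left unchanged, or two interfaces whose subnets overlap, including the default LAN on 192.168.1.0/24.

```python
import ipaddress

# Constructed plan mirroring the guide's per-port addressing for OPT1..OPT4:
# interface address 192.168.N.1/24 and a DHCP pool from .10 to .250.
GUIDE_PLAN = {
    "OPT1": {"address": "192.168.2.1/24", "dhcp_from": "192.168.2.10", "dhcp_to": "192.168.2.250"},
    "OPT2": {"address": "192.168.3.1/24", "dhcp_from": "192.168.3.10", "dhcp_to": "192.168.3.250"},
    "OPT3": {"address": "192.168.4.1/24", "dhcp_from": "192.168.4.10", "dhcp_to": "192.168.4.250"},
    "OPT4": {"address": "192.168.5.1/24", "dhcp_from": "192.168.5.10", "dhcp_to": "192.168.5.250"},
}

# pfSense's default LAN subnet, which the guide's later NAT steps refer to.
LAN_NETWORK = "192.168.1.0/24"


def check_plan(plan, lan_network=LAN_NETWORK):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    seen = {"LAN": ipaddress.ip_network(lan_network)}
    for name, cfg in plan.items():
        iface = ipaddress.ip_interface(cfg["address"])
        net = iface.network
        if net.prefixlen == 32:
            # The GUI defaults a new static address to /32; the guide says to change it to /24.
            problems.append(f"{name}: mask is /32, so no other host can share the subnet")
        elif iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address, not a host")
        lo = ipaddress.ip_address(cfg["dhcp_from"])
        hi = ipaddress.ip_address(cfg["dhcp_to"])
        if lo > hi:
            problems.append(f"{name}: DHCP range start {lo} is after end {hi}")
        elif lo not in net or hi not in net:
            # The pool was typed against the wrong interface (it belongs to another subnet).
            problems.append(f"{name}: DHCP range {lo}-{hi} lies outside {net}")
        elif lo <= iface.ip <= hi:
            problems.append(f"{name}: interface address {iface.ip} sits inside the DHCP pool")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen[name] = net
    return problems


if __name__ == "__main__":
    for line in check_plan(GUIDE_PLAN) or ["plan is consistent"]:
        print(line)
```

Run it as-is to confirm the guide's values pass, or edit GUIDE_PLAN to match what you actually entered; any line it prints names the interface whose page needs another look.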

pfSense Configuration

Go to System > Package Manager > Available Packages.

Enable WireGuard

Search for WireGuard, click Install next to it, and then confirm the installation. Wait for the installation process to finish.

Next, navigate to VPN > WireGuard and click the +Add Tunnel button. Set the Description to ProtonTunnel and the Listen Port to 51820.

Copy the PrivateKey data from the Proton file you downloaded and paste it into the Interface Keys field. Click on the Public Key field to generate the public key automatically. Press Save Tunnel, then select Peers from the top menu.

Click the +Add Peer button. Set the Tunnel to your previously created ProtonTunnel. Apply a Description of ProtonPeer. Disable the Dynamic Endpoint option.

Enter the endpoint address and port from your downloaded file. Set the Keep Alive value to 25. Copy the PublicKey data from the Proton file and paste it into the Public Key field. Set Allowed IPs to 0.0.0.0 and change 128 to 0.24. Click Save Peer, then click Settings in the upper menu.

Enable WireGuard and click Save, then Apply Changes. Go to Status in the upper menu and verify that the connection shows as green Up.
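
The Proton file referred to above is a standard WireGuard client configuration: an [Interface] section holding the PrivateKey and Address, and a [Peer] section holding the server's PublicKey, Endpoint, AllowedIPs and PersistentKeepalive. The Python script below is an added example, not code from this guide, from Proton or from pfSense: it parses such a file, checks that both keys are well-formed 32-byte base64 values (the most common reason a tunnel never shows green Up is a key pasted with a missing character), and lays the values out against the pfSense fields filled in above (tunnel, peer, and the 10.2.0.2 interface address). The sample configuration, its keys and its endpoint 203.0.113.10 are constructed placeholders.

```python
import base64
import ipaddress

# Placeholder keys: the right length and alphabet for a WireGuard key, but not real keys.
PLACEHOLDER_PRIVATE_KEY = "A" * 43 + "="
PLACEHOLDER_PUBLIC_KEY = "B" * 42 + "A="

# Constructed sample in the layout of a WireGuard client config such as the Proton download.
SAMPLE_CONF = f"""\
[Interface]
# Key for pfsense-proton
PrivateKey = {PLACEHOLDER_PRIVATE_KEY}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# VPN server
PublicKey = {PLACEHOLDER_PUBLIC_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def parse_wireguard_conf(text):
    """Parse WireGuard's INI-like format into {"Interface": {...}, "Peers": [{...}, ...]}."""
    result = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments start with '#'; keys never contain it
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = result["Interface"]
            elif section == "peer":
                current = {}
                result["Peers"].append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return result


def is_wireguard_key(value):
    """A WireGuard key is 32 bytes, base64-encoded as 44 characters ending in '='."""
    if len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def pfsense_fields(conf, tunnel="ProtonTunnel", peer_desc="ProtonPeer", listen_port=51820):
    """Map a parsed client config onto the pfSense WireGuard GUI fields used in the guide."""
    iface = conf["Interface"]
    if len(conf["Peers"]) != 1:
        raise ValueError("expected exactly one [Peer] section")
    peer = conf["Peers"][0]
    if not is_wireguard_key(iface.get("PrivateKey", "")):
        raise ValueError("Interface PrivateKey is not a valid 32-byte base64 key")
    if not is_wireguard_key(peer.get("PublicKey", "")):
        raise ValueError("Peer PublicKey is not a valid 32-byte base64 key")
    host, _, port = peer["Endpoint"].rpartition(":")
    allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
    return {
        "tunnel": {"Description": tunnel, "Listen Port": listen_port,
                   "Interface Keys": iface["PrivateKey"]},
        "peer": {"Tunnel": tunnel, "Description": peer_desc, "Dynamic Endpoint": False,
                 "Endpoint": host, "Endpoint Port": int(port),
                 "Keep Alive": int(peer.get("PersistentKeepalive", 25)),
                 "Public Key": peer["PublicKey"],
                 "Allowed IPs": [str(n) for n in allowed]},
        # Address for the VPN interface (10.2.0.2 in the guide's setup).
        "interface_address": iface["Address"],
        # True when AllowedIPs covers everything, i.e. the peer is a full-tunnel default route.
        "full_tunnel": any(n.prefixlen == 0 for n in allowed),
    }


if __name__ == "__main__":
    for section, values in pfsense_fields(parse_wireguard_conf(SAMPLE_CONF)).items():
        print(section, values)
```

Point it at the real downloaded file (read it into `parse_wireguard_conf`) and the printed peer block is what goes into the +Add Peer form; `full_tunnel` should be True, otherwise only part of your traffic will use the tunnel.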

VPN Interface

Select Interfaces and then Assignments. Click Add next to tun_wg0 at the bottom, then click Save. Select the new entry, such as OPT5. Enable the interface and set the Description to ProtonInterface.

Change the IPv4 Configuration Type to Static IPv4 and enter 10.2.0.2 in the IPv4 Address field, then click Save and Apply Changes.

VPN Gateway

Navigate to System > Routing and click Add. Set the Interface to ProtonInterface, change the name to ProtonGateway, and set the Gateway to 10.2.0.1. Disable Gateway Monitoring Action and select Kill states using this gateway….

Click on Display Advanced and check Use non-local gateway. Click Save and Apply Changes.

Now, go to Interfaces > ProtonInterface, change the IPv4 Upstream Gateway to ProtonGateway, enable Block private networks and loopback addresses, and enable Block Bogon Networks. Click Save and then Apply Changes.

Navigate to System > Advanced > Miscellaneous. Set State Killing on Gateway Failure to Kill states for all gateways…, and enable the option to Skip rules when gateway is down. Click Save.

Apply VPN

To apply the VPN to LAN, go to Firewall > NAT > Outbound. Choose Manual Outbound NAT rule generation, then click Save and Apply Changes.

Select the checkbox next to every entry whose interface is ProtonInterface and delete them.

Next, click the pencil icon next to the entry labeled similarly to Auto created rule LAN to WAN with the IP address 192.168.1.0/24. Change the interface to ProtonInterface and click Save.

Then, click the pencil icon next to the entry labeled similarly to Auto created rule for ISAKMP – LAN to WAN with the same IP address 192.168.1.0/24. Update the interface to ProtonInterface and click Save, followed by Apply Changes.

Now, navigate to Firewall > Rules > LAN.

Then click the pencil icon (edit) next to the Default allow LAN to any rule. Choose the Display Advanced option located at the bottom. Change the gateway to ProtonGateway and click Save.

Lastly, click the disable icon next to the Default allow LAN IPv6 to any rule, then click Apply Changes.

pfSense & VPN

Running the VPN on your router is one of the most important configuration steps you can take for your network: it hides your searches from your ISP and your true IP address from the websites you visit.

Navigate to Firewall > Rules > OPT1.

Click the pencil icon to edit the rule. If necessary, click the Display Advanced button. Change the Gateway to ProtonGateway, then click Save and Apply Changes.

Next, go to Firewall > NAT > Outbound. Click the pencil icon (edit) next to the entry labeled similarly to Auto created rule – OPT1 to WAN. Change the Interface option from WAN to ProtonInterface, set the Address Family to IPv4, then click Save.

Click the pencil icon (edit) next to the entry labeled similarly to Auto created rule for ISAKMP – OPT1 to WAN whose Source is the address range of the port you are configuring. Change the Interface option from WAN to ProtonInterface. Click Save and then Apply Changes.

You can repeat these steps for every port: if you have four ports, replace OPT1 with OPT2; if you have six, also do OPT3 and OPT4.

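What the Apply VPN and pfSense & VPN steps achieve, for LAN and then for each OPT port, is that every enabled pass rule routes through ProtonGateway, the IPv6 pass rule is disabled, and every outbound NAT entry for a local subnet sits on ProtonInterface rather than WAN; a single rule or NAT entry left on WAN lets that port's traffic bypass the VPN. pfSense keeps all of this in config.xml (exported from Diagnostics > Backup & Restore), so the result can be audited rather than eyeballed. The Python script below is an added example, not part of this guide or of pfSense; its XML excerpt is constructed and only approximates the layout pfSense writes, and `opt5` is assumed to be the interface id pfSense gave tun_wg0 (OPT5 in the guide). The sample deliberately leaves OPT1 on WAN, the state before this section's steps are carried out, so the audit reports two findings.

```python
import xml.etree.ElementTree as ET

VPN_GATEWAY = "ProtonGateway"
VPN_INTERFACE = "opt5"  # assumed id of the ProtonInterface assignment (OPT5 in the guide)
# Interfaces whose traffic must leave through the VPN, and their subnets (guide values).
AUDITED_INTERFACES = {"lan", "opt1", "opt2", "opt3", "opt4"}
LOCAL_SUBNETS = {"192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
                 "192.168.4.0/24", "192.168.5.0/24"}

# Constructed excerpt approximating pfSense's config.xml (filter rules + manual outbound NAT).
# LAN has already been moved to the VPN; OPT1 is deliberately still on WAN.
SAMPLE_CONFIG_XML = """\
<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <gateway>ProtonGateway</gateway><descr>Default allow LAN to any rule</descr>
    </rule>
    <rule>
      <disabled></disabled>
      <type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
      <descr>Default allow LAN IPv6 to any rule</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <gateway>WAN_DHCP</gateway><descr>OPT1 to any</descr>
    </rule>
  </filter>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <interface>opt5</interface><source><network>192.168.1.0/24</network></source>
        <descr>Auto created rule - LAN to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface><source><network>192.168.2.0/24</network></source>
        <descr>Auto created rule - OPT1 to WAN</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""


def audit_filter_rules(root):
    """Every enabled pass rule on an audited interface must use the VPN gateway; IPv6 must be off."""
    findings = []
    for rule in root.iterfind("./filter/rule"):
        iface = rule.findtext("interface", "")
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue  # disabled rules and block/reject rules cannot leak traffic
        if iface not in AUDITED_INTERFACES:
            continue
        descr = rule.findtext("descr", "(no description)")
        if rule.findtext("ipprotocol") == "inet6":
            findings.append(f"{iface}: IPv6 pass rule '{descr}' is enabled; it would bypass the VPN")
        elif rule.findtext("gateway", "") != VPN_GATEWAY:
            findings.append(f"{iface}: pass rule '{descr}' does not use gateway {VPN_GATEWAY}")
    return findings


def audit_outbound_nat(root):
    """Manual mode must be on, and local subnets must be translated on the VPN interface, not WAN."""
    findings = []
    if root.findtext("./nat/outbound/mode") != "advanced":
        findings.append("outbound NAT is not in manual (advanced) mode")
    for rule in root.iterfind("./nat/outbound/rule"):
        network = rule.findtext("./source/network", "")
        iface = rule.findtext("interface", "")
        if network in LOCAL_SUBNETS and iface != VPN_INTERFACE:
            findings.append(f"outbound NAT for {network} is on '{iface}', not {VPN_INTERFACE}")
    return findings


def audit_config(xml_text):
    """Run both audits on a config.xml document and return the combined findings."""
    root = ET.fromstring(xml_text)
    return audit_filter_rules(root) + audit_outbound_nat(root)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG_XML) or ["no VPN bypass found"]:
        print(finding)
```

Run it against your exported config.xml after finishing each port; an empty result means every audited interface is pinned to the VPN at both the rule and the NAT layer.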
pfSense & DNS

Navigate to System > General Setup.

  • Add 45.90.28.0 as the first DNS server (replace the IP with your own).
  • Input nextdns.io as the first DNS hostname.
  • Select ProtonGateway.
  • Click on “Add DNS Server.”
  • Add 45.90.30.0 as the second DNS server (replace the IP with your own).
  • Input nextdns.io as the second DNS hostname.
  • Select ProtonGateway.
  • Disable DNS server override.
  • Change DNS Resolution Behavior to “Use local DNS (127.0.0.1), ignore remote DNS,” and click on Save.

Navigate to Services > DNS Resolver.

  • In Outgoing Network Interfaces, select ProtonInterface.
  • Enable “Strict Outgoing Network Interface Binding,” “DNSSEC,” “DNS Query Forwarding,” and “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.”
  • Click on “Save” and Apply Changes.

OpenWRT

OpenWRT is an exceptional open-source router firmware designed to give you complete control over your network. Unlike many commercial options, OpenWRT does not spy on you, allowing you to maintain your privacy without unwanted surveillance. With OpenWRT, users can enjoy custom configurations that enable tailored network settings, making it perfect for those looking to fine-tune their internet experience.

The security features built into OpenWRT are robust and designed to protect your network from potential threats. By using OpenWRT, you can implement advanced security measures such as firewall configurations and VPN support, ensuring that your network remains secure while allowing for customization according to your needs.

Moreover, the privacy features of OpenWRT are noteworthy. Because it is open-source, you have the ability to audit the code, ensuring that there are no hidden backdoors or tracking mechanisms. This transparency allows you to confidently maintain your data privacy. Additionally, one of the standout aspects of OpenWRT is the capability to install additional packages. This means you can enhance your router’s functionality with custom applications, parental controls, or advanced network monitoring tools.

OpenWRT allows you to take control of your home network. Its open-source nature ensures you are protected from spying while providing unrivaled customization options. Choosing OpenWRT means investing in a solution that respects your privacy and enhances your digital life.

Official Website

OpenWRT Setup Instructions

  1. Turn on the OpenWRT device.
  2. Connect an Ethernet cable from the router’s WAN port to a LAN port on your firewall. I prefer to connect it next to the WAN port. If you set up a VPN on one port, then use that port.
  3. Use a cable to connect the router to a computer.
  4. Open your browser and navigate to the default gateway (usually 192.168.1.1) to reach your router’s OpenWRT interface.
    • If the connection is successful, proceed to “Provide a new secure password” below.
    • If the connection is denied, press and hold the reset button for 15 seconds, allow the device to reboot completely, and try again.
    • If the connection still fails, access the pfSense portal in your browser, go to “Status” > “DHCP Leases,” and note the router’s IP address. Then, navigate to that IP address in your browser.
  5. Choose your preferred language and set a new secure password when prompted.
  6. Go to “System” > “Upgrade” and install any available updates.
  7. Allow the device to reboot completely and reconnect to it.
  8. Proceed to “System” > “Time Zone” and select your preferred option.
  9. Under “Wireless” > “2.4G WiFi,” click on “Modify.”
    • Rename the SSID to something more private.
    • Change the security password to a more secure option and click “Apply.”
  10. Repeat this process for the “5G WiFi” option to rename and secure it.
  11. If needed, disable “Wireless” > “2.4GHz” > “Guest WiFi.”
  12. If needed, disable “Wireless” > “5GHz” > “Guest WiFi.”
  13. Click on “Network” > “Network Mode” > “Access Point” > “Apply.”
  14. Reboot the router, reconnect, test the login, and ensure your VPN is active.
  15. Connect your Wi-Fi to either SSID on the router and confirm the connection.
Privacy & Security For All!