Lots of people are starting to get more serious about their online security, and I have a bit of experience setting up simple home solutions that give you at least some peace of mind on the attacks and "who's harvesting your data" front.

As a reminder, none of this makes you invulnerable to exploitation or totally safe. The best way to practice network security is to log off and unplug your router.

Hardware

There are two good options you have for hardware firewalls/DNS filters: pi-hole and opnsense / pfsense. Pi-hole is incredibly cheap and simple to set up. Once you have all the hardware, installing it takes about 10 minutes and you won't lose internet. Pfsense and its opnsense fork are a bit more involved, but still simple enough that anyone who knows how to install Linux can use them. You'll need a computer with at least 2 Ethernet ports, so keep that in mind.

Pi-hole

What it does

Pi-hole is an open source DNS filter that allows you to block unwanted connections and websites from phoning home or serving you data. At the user level, it blocks all ads, but it's better than a standard ad-blocker because it's network wide and never actually allows the connections to be made past the pi-hole.

Requirements

Pi-hole only requires a Raspberry Pi (any one of them) and an 8GB+ SD card. Total all-in cost is around $35 if you don't already have a pi. You can also just run it on an old laptop, or even in Docker or VirtualBox on your computer.

Set-up

Download the latest Raspbian image and write it to the SD card with a tool like Rufus on Windows or dd on Linux.

After you have a bootable SD card, open it in your file explorer or CLI of choice and add a file called "ssh" with no file extension to the root of the boot partition. This will allow you to remote into your pi once you have it plugged into your router. If you're going to connect the pi over wireless, you can add a "wpa_supplicant.conf" file with your Wi-Fi login info so it connects automatically.

Now that the pi is set up, connect it to your router either with an Ethernet cable or wirelessly. If you feel more comfortable setting it up with a GUI, that's fine, just do all the initial setup with the pi plugged into a monitor then plug it into the router last.

If you're using SSH to connect to your pi, open your router's main menu (usually by going to 192.168.1.1 or 192.168.0.1 in your browser). If you don't know your router's IP address, type "ipconfig" into a Windows command line or "ifconfig" in Linux. The IP address after "default gateway" is your router. On your router there should be a client list that will show all the connected devices. Look for your pi on there and remember/write down the IP address. Then open PowerShell or a terminal and type:

ssh pi@{pi-ipaddress}

This should give you a yes/no prompt asking you to accept the pi's SSH host key; type "yes" to connect. The default password for Raspbian is "raspberry". Once you're in, you want to set the pi's IP address to be static. This can be done by typing:

ifconfig eth0 {pi-ipaddress} netmask 255.255.255.0

Note that an address set with ifconfig only lasts until the next reboot; to make it permanent, either reserve the pi's address in your router's DHCP settings or put it in /etc/dhcpcd.conf on the pi.

I'd also recommend changing the password with the "passwd" command and updating everything to the latest version with:

apt-get update
apt-get upgrade

As a reminder, for a lot of actions in Linux, you need to type "sudo" before them. I won't include that in any of my example commands, because it's your responsibility to invoke that. Only use sudo if you're sure you want the command you're using to have admin privileges. It'll tell you if that's the case.

Once that's done, you're ready to install pi-hole.

Installation

In the pi terminal, you can quick install pi-hole with the command:

curl -sSL https://install.pi-hole.net | bash

Or if you want to do it manually, the GitHub repository has instructions.

This will start an automated setup script that installs everything you need. Write down the password it creates, or change the password to something you want by typing:

pihole -a -p

Once it's done, you should be able to type:

{pi-ipaddress}/admin

or

http://pi.hole/admin

into any browser to get to the admin console. Log in and configure your DNS settings under the "settings" tab. I use Cloudflare and OpenDNS as my upstream DNS providers, but that's up to you. From here you have a few options: either manually assigning the pi-hole as your DNS server on all your devices, or having your router's DHCP assign it. You can also set up the pi-hole to be your DHCP server if you want (this is a good option if you aren't attached to your router's DHCP server).

Router DHCP: Go to your router interface and find the DHCP options. There should be an option to set the default DNS servers. Put your pi-hole ip as the only DNS server and apply the changes. This step is different for every router, so I can't really help much. Just look up your router model number for a good idea on how to do this.

Pi-hole as DHCP: Disable DHCP in your router settings and enable it on the pi-hole. You might need to plug in the pi-hole address as the DHCP server somewhere on your router. Again, this is different with all routers.

Manual: On any devices you want to use pi-hole with, go to the network settings, find the DNS option and set it to your pi-hole's IP address.

Once this is done, you can refresh the admin console and you should start seeing queries being logged. Try power cycling your device if it doesn't show up. Sometimes you'll only see your router's IP address as the client if pi-hole isn't your DHCP server. The "conditional forwarding" option in the DNS settings can be a workaround for this problem.

Ad-lists

This part is entirely up to you. The default lists are pretty good at blocking ads, but for other stuff you might want to search around. This writeup on the pi-hole forums has some links to blocklists and upstream DNS servers you can use. To test that your pi-hole is working properly, you can go to a site like https://dnsleaktest.com/ to see that only the upstream DNS servers you assigned are being queried. Sites like https://canyoublockit.com/ are good for testing the ad and tracker blocking of your pi-hole. When you run it, keep your query log open in another tab and blacklist anything that gets forwarded from that site.
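If you'd rather not eyeball the query log in the browser, the same check can be done against /var/log/pihole.log on the pi. This is an added example, not part of the original post or of pi-hole itself; it assumes the dnsmasq-style line format pi-hole writes ("query[A] ... from", "forwarded ... to", "gravity blocked ..."), and the log lines, hosts and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/pihole.log lines (assumed dnsmasq-style
# format; all domains and addresses here are made up for the example).
SAMPLE_LOG = """\
Jun  3 20:01:10 dnsmasq[612]: query[A] canyoublockit.com from 192.168.1.50
Jun  3 20:01:10 dnsmasq[612]: forwarded canyoublockit.com to 1.1.1.1
Jun  3 20:01:10 dnsmasq[612]: reply canyoublockit.com is 203.0.113.10
Jun  3 20:01:11 dnsmasq[612]: query[A] ads.tracker-example.net from 192.168.1.50
Jun  3 20:01:11 dnsmasq[612]: gravity blocked ads.tracker-example.net is 0.0.0.0
Jun  3 20:01:12 dnsmasq[612]: query[A] cdn.metrics-example.com from 192.168.1.50
Jun  3 20:01:12 dnsmasq[612]: forwarded cdn.metrics-example.com to 208.67.222.222
Jun  3 20:01:13 dnsmasq[612]: query[A] beacon.stats-example.org from 192.168.1.51
Jun  3 20:01:13 dnsmasq[612]: forwarded beacon.stats-example.org to 198.51.100.53
Jun  3 20:01:14 dnsmasq[612]: query[A] pi.hole from 192.168.1.50
Jun  3 20:01:14 dnsmasq[612]: cached pi.hole is 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
BLOCKED_RE = re.compile(r"gravity blocked (\S+) is ")


def summarize(log_text, allowed_upstreams, test_site):
    """Summarize a pihole.log excerpt captured while a test page was loaded.

    Returns forwarded names other than the test site itself (blacklist
    candidates), names gravity already blocked, any upstream server that is
    not one you configured (a sign the upstream settings are off), and a
    per-client query count so you can see which device made the requests.
    """
    forwarded, blocked, stray_upstreams = set(), set(), set()
    per_client = Counter()
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            per_client[m.group(2)] += 1
        elif m := FORWARD_RE.search(line):
            domain, upstream = m.groups()
            if domain != test_site:
                forwarded.add(domain)
            if upstream not in allowed_upstreams:
                stray_upstreams.add(upstream)
        elif m := BLOCKED_RE.search(line):
            blocked.add(m.group(1))
    return {"forwarded": forwarded, "blocked": blocked,
            "stray_upstreams": stray_upstreams, "per_client": dict(per_client)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"1.1.1.1", "208.67.222.222"}, "canyoublockit.com"))
```

Run it against a copy of the real log taken right after loading the test page; every name under "forwarded" is one that got through and can be added to your blacklist.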

This turned out to be a pretty long write-up, so I'm going to do the opnsense/pfsense ones in a separate post. If anyone has any questions I'll try and answer to the best of my ability and if you see something wrong with my writeup, call me out and I'll edit it.

  • Bloodshot [he/him,any]
    ·
    4 years ago

    While useful, DNS blacklists don't really make your home network "more secure", as advertised.

    • invalidusernamelol [he/him]
      hexagon
      ·
      4 years ago

      I was planning on doing a second part on setting up an opnsense firewall, this was just the simpler one that I figured I'd get out of the way first. DNS filtering doesn't do much for security from direct attack, but it does significantly reduce the amount of tracking data that can be gathered on you.

      Pi-hole is window curtains and opnsense is the deadbolt.