Most home networks leak data relentlessly. Your ISP logs all DNS queries (every website you visit), intercepts unencrypted traffic, and sells this information to data brokers. Smart home devices (thermostats, doorbells, TVs) exfiltrate telemetry constantly. Mobile devices on your WiFi betray your location to advertising networks. Even encryption between your device and websites doesn’t prevent your ISP from seeing which sites you access.

Building a privacy-hardened home network requires layered controls: DNS filtering (blocking trackers before they load), VLAN segmentation (isolating untrusted devices), encrypted DNS (preventing ISP snooping), and a home VPN (encrypting all traffic). This guide covers the complete setup using open-source tools: Pi-hole (DNS filtering), pfSense or OPNsense (firewall), VLAN segmentation, and WireGuard (VPN).

Privacy Network Architecture Overview

Your hardened network will have:

                    ISP Modem
                        |
                   [Home Router]
                   (pfSense/OPNsense)
                   - Firewall rules
                   - VLAN enforcement
                   - Encrypted DNS
                   - WireGuard VPN
                        |
        ______________|______________
        |              |             |
    [Trusted]     [Untrusted]   [IoT Devices]
    VLAN10        VLAN20         VLAN30
    - Laptops     - Guest        - Thermostat
    - Phones      - Visitors     - Doorbell
    - Desktops                   - Smart TV
                                 - Alexa
    Can access    Can't access   Restricted to:
    all resources untrusted VMs   - NTP (time)
                 Can't see       - DNS (pi-hole)
                 Trusted VLAN    - Updates only

Architecture Decision: Hardware Requirements

Option A: Dedicated Router (Recommended for Most)

Hardware: Used enterprise router (Ubiquiti EdgeRouter X, Netgate SG-2100) or mini PC (Intel NUC, Raspberry Pi 4 with cooling)

Cost: $150–500 (used) or $300–800 (new)

Pros:

• Full control over all traffic
• Can run Pi-hole + pfSense together
• No conflicts with ISP router
• Better performance than ISP routers
• Warranty/support available for commercial hardware

Cons:

• Requires technical setup
• Moderate learning curve
• Need to manage two pieces of hardware (modem + router)

Option B: ISP Router with Pi-hole Only

Hardware: Keep ISP router + add Raspberry Pi 4 ($50)

Cost: $50–100 (if buying Pi-hole only)

Pros:

• Minimal setup, Pi-hole is simple
• Least disruptive to existing network
• Can run on Raspberry Pi (low power)

Cons:

• Can’t segment VLANs (ISP routers don’t support)
• Can’t enforce firewall rules between devices
• Limited privacy (DNS filtering only, not network segmentation)

Recommendation: Option an if you have technical skills. Option B if you want quick wins without major network redesign.

Component 1: Pi-hole (DNS Filtering & Blocking)

Pi-hole intercepts all DNS queries from your network and blocks trackers before they load. Instead of your ISP seeing “device queried www.google-analytics.com”, Pi-hole blocks that query locally.

Installation

Hardware: Raspberry Pi 4 (4GB RAM minimum), 8GB microSD card

Cost: ~$50

Setup Time: 30 minutes

Step 1: Download and Flash Operating System

# On your laptop, download Raspberry Pi Imager
# https://www.raspberrypi.com/software/

# Flash a 64-bit Raspberry Pi OS (Lite version—no GUI needed)
# Insert microSD card into imager
# Select: Raspberry Pi 4 → OS: Raspberry Pi OS (64-bit)
# Write and wait ~5 minutes

Step 2: Headless Setup (No Monitor Needed)

# Create empty file on microSD card's boot partition
# This enables SSH immediately
touch /Volumes/boot/ssh

# If you want WiFi instead of Ethernet:
# Create /Volumes/boot/wpa_supplicant.conf
cat > /Volumes/boot/wpa_supplicant.conf <<EOF
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="YOUR_SSID"
    psk="YOUR_PASSWORD"
}
EOF

Step 3: Install Pi-hole

# Boot Raspberry Pi with microSD card
# Find its IP on your router (usually 192.168.1.x)
# SSH into it

ssh pi@192.168.1.50

# Update system
sudo apt update && sudo apt upgrade -y

# Install Pi-hole (automated script)
curl -sSL https://install.pi-hole.net | bash

During installation, you’ll be prompted for:

• Installation destination (keep default)
• Admin interface password (set strong password)
• Upstream DNS servers (see below for recommendations)
• Database installation (yes, needed for query logging)

Step 4: Configure Upstream DNS

Pi-hole needs upstream DNS servers to query. Use privacy-respecting options:

Option 1: Quad9 (Recommended)

• Primary: 9.9.9.9
• Secondary: 149.112.112.112
• Blocks malware/phishing automatically
• Zero-logging, GDPR compliant

Option 2: Cloudflare (1.1.1.1)

• Primary: 1.1.1.1
• Secondary: 1.0.0.1
• Faster for most users
• Blocks CCPA opt-out selling

Option 3: Mullvad DNS

• 194.242.2.3
• Ultra-privacy focused
• Slower than Quad9/Cloudflare but strongest privacy

Configuration in Pi-hole web interface:

Web Admin → Settings → DNS → Upstream DNS Servers
Add:
- 9.9.9.9 (Quad9)
- 149.112.112.112 (Quad9 secondary)
Save and restart DNS resolver

Step 5: Configure DNS Over HTTPS (DoH)

By default, Pi-hole queries upstream DNS over unencrypted UDP. ISP can’t see what Pi-hole queries specifically, but can infer from traffic patterns.

Enable DNS over HTTPS to encrypt all upstream DNS traffic:

# SSH into Pi-hole
ssh pi@192.168.1.50

# Edit Pi-hole FTL (faster than light) config
sudo nano /etc/pihole/pihole-FTL.conf

# Add this line:
PRIVACYMODE=3
PRIVACYMODE.LEVELS.ZERO_IP=false

# Then edit dnsmasq config for DoH
sudo nano /etc/dnsmasq.d/cloudflare.conf

# Add (for Quad9 with DoH):
server=9.9.9.9
server=149.112.112.112

Verify configuration:

# Query Pi-hole's logs
pihole -q "query.log" | tail -20

# Should show upstream queries via HTTPS tunnel

Step 6: Point Your Router’s DHCP to Pi-hole

Now devices need to use Pi-hole as their DNS server. Two approaches:

Approach 1: DHCP Server on Router (Preferred)

In your router’s DHCP settings:

DHCP → DNS Servers
Primary: 192.168.1.50 (Pi-hole IP)
Secondary: 9.9.9.9 (fallback if Pi-hole down)

This ensures all devices automatically use Pi-hole.

Approach 2: Manual per Device

If router doesn’t support custom DHCP DNS:

• iPhone: Settings → WiFi → Network Info → DNS: Manual, add 192.168.1.50
• Windows: Settings → Network → Change adapter options → DNS: 192.168.1.50
• Mac: System Preferences → Network → Advanced → DNS: 192.168.1.50

Step 7: Add Blocklists to Pi-hole

Pi-hole ships with basic blocklists. For privacy, add aggressive blocklists:

Web Admin → Adlists → Add

Recommended blocklists:

# Privacy-focused blocklists
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
(Blocks Microsoft telemetry, Adobe tracking, etc.)

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
(Comprehensive ad/malware blocking)

https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
(Blocks smart TV data collection)

https://raw.githubusercontent.com/stopforumspam/stopforumspam/master/src/blacklist.csv
(Blocks spam/abuse)

https://v.firebog.net/hosts/static/w3kbl.txt
(Aggressive ad blocking)

Warning: Too many blocklists cause false positives (legitimate sites blocked). Start with 3–4, monitor your web traffic for a week, then add more.

Step 8: Check Pi-hole Dashboard

Access the web admin interface:

http://192.168.1.50/admin/
Login with password you set during installation

Dashboard shows:

• Queries blocked: How many tracker queries Pi-hole is blocking (expect 15–30% of all queries)
• Top blocked domains: Common trackers trying to load
• Top permitted domains: Sites that load normally
• Client activity: Which devices are querying what

Example healthy dashboard:

Total queries: 2,500
Blocked: 450 (18%)
Gravity list domains: 500,000

Top blocked domains:
- ads.google.com (143 blocks)
- tracker.doubleclick.net (89 blocks)
- facebook.com (76 blocks)

Component 2: pfSense or OPNsense (Firewall + VLAN Control)

Pi-hole handles DNS filtering. Now add network-level controls: firewall rules, VLAN segmentation, and encrypted DNS to WAN.

Hardware Selection

Option A: Netgate SG-2100 (Commercial, Recommended)

• Cost: $500
• Performance: Good for home networks
• Specs: 2-core ARM, 4GB RAM
• Support: Warranty + professional support available
• Pre-installed: pfSense
• Link: https://www.netgate.com/products/SG-2100

Option B: Used Netgate Box (Budget)

• Cost: $100–300 used (eBay, Reddit r/homelabsales)
• Example: SG-1100 ($150), APU2c4 ($200)
• Slightly older hardware but runs pfSense fine
• No warranty but 10x cheaper

Option C: Mini PC Running pfSense

• Cost: $300–600
• Example: Intel NUC with 8GB RAM
• Most flexible (can run other services)
• Requires software installation

For this guide, I’ll assume Netgate SG-2100 or equivalent pfSense box.

pfSense Initial Setup

Step 1: Physical Setup

ISP Modem → pfSense WAN Port
pfSense LAN Port → WiFi Access Point
              → Ethernet switches (for wired devices)

Step 2: Web Interface Setup

Connect to pfSense via Ethernet
Open browser: https://192.168.1.1
Default credentials: admin / pfsense

Change password immediately:
System → User Manager → admin → Edit → Set new password

Step 3: Configure WAN Interface

Interfaces → WAN
Set to DHCP (gets IP from ISP modem)
Save

Step 4: Configure LAN Interface

Interfaces → LAN
IPv4 Address: 192.168.1.1 (or your preferred subnet)
Subnet Mask: 255.255.255.0
Enable DHCP: Yes
DHCP Range: 192.168.1.10 to 192.168.1.254
Save

Setting Up VLANs (Network Segmentation)

VLANs separate devices so untrusted devices (guests, smart TVs) can’t access your computers.

Step 1: Create VLANs

Interfaces → Assignments → VLANs

VLAN 1: Trusted (192.168.1.0/24)
  - Computers, phones, NAS
VLAN 2: Guests (192.168.2.0/24)
  - Visitor WiFi, temporary access
VLAN 3: IoT (192.168.3.0/24)
  - Smart home devices (can't talk to other VLANs)

Step 2: Assign VLAN to Interfaces

Interfaces → OPT1 (for Guest VLAN)
Enable: Yes
IPv4 Address: 192.168.2.1
Subnet Mask: 255.255.255.0
Enable DHCP: Yes
DHCP Range: 192.168.2.10–254

Interfaces → OPT2 (for IoT VLAN)
Enable: Yes
IPv4 Address: 192.168.3.1
Subnet Mask: 255.255.255.0
Enable DHCP: Yes
DHCP Range: 192.168.3.10–254

Step 3: Create Firewall Rules Between VLANs

Firewall → Rules → LAN

Add Rule:
  Protocol: Any
  Source: LAN subnet (192.168.1.0/24)
  Destination: any
  Action: Pass (Trusted devices can talk to anyone)

Firewall → Rules → OPT1 (Guest VLAN)

Add Rule:
  Protocol: TCP/UDP
  Source: OPT1 (Guest)
  Destination: LAN (192.168.1.0/24)
  Action: Block (Guests can't see Trusted computers)

Add Rule:
  Protocol: TCP/UDP
  Source: OPT1
  Destination: OPT2 (IoT)
  Action: Block (Guests can't see IoT)

Add Rule:
  Protocol: Any
  Source: OPT1
  Destination: any (WAN)
  Action: Pass (Guests can access internet)

Firewall → Rules → OPT2 (IoT VLAN)

Add Rule:
  Protocol: UDP
  Source: OPT2
  Destination: Any
  Port: 123 (NTP, for time sync)
  Action: Pass (IoT can access time servers)

Add Rule:
  Protocol: TCP
  Source: OPT2
  Destination: Any
  Port: 80, 443 (HTTP/HTTPS)
  Action: Pass (IoT can update firmware)

Add Rule:
  Protocol: Any
  Source: OPT2
  Destination: LAN (192.168.1.0/24)
  Action: Block (IoT can't see Trusted devices)

Add Rule:
  Protocol: Any
  Source: OPT2
  Destination: OPT1
  Action: Block (IoT can't see Guests)

Enabling DNS Over HTTPS in pfSense

Configure pfSense to use DNS over HTTPS to your chosen upstream (so ISP can’t see which sites pfSense/Pi-hole queries):

This is advanced and requires DOH proxy setup—see WireGuard section below for simpler alternative.

Component 3: WireGuard Home VPN (Access Home Network Remotely + Encrypt Upstream)

WireGuard is a modern VPN protocol much faster and simpler than OpenVPN. Install it on pfSense to:

1. Access your home network remotely while encrypted
2. Encrypt all traffic destined to ISP (no ISP monitoring of your sites)

Step 1: Install WireGuard on pfSense

System → Package Manager → Available Packages

Search: WireGuard
Install

Step 2: Configure WireGuard Interface

VPN → WireGuard → Tunnels

Add Tunnel:
  Name: WireGuard
  Description: Home VPN
  Listen Port: 51820
  Interface Keys: Generate (auto)
  Enable: Yes
  Save

Copy Public Key (you'll need this for clients)

Step 3: Create WireGuard Peers (Clients)

Each device that connects to your VPN needs a peer entry:

VPN → WireGuard → Peers

Add Peer:
  Tunnel: WireGuard
  Endpoint Address: 10.0.0.2 (internal IP for this client)
  Allowed IPs: 10.0.0.2/32
  Generate Keypair: Yes
  Description: iPhone
  Enable: Yes

Add Peer:
  Tunnel: WireGuard
  Endpoint Address: 10.0.0.3
  Allowed IPs: 10.0.0.3/32
  Description: MacBook Pro

Export client configs:

VPN → WireGuard → Status

For each peer, click QR Code icon
Scan with phone or save config file for laptop

Step 4: Create Firewall Rules for WireGuard

Firewall → Rules → WireGuard (new interface)

Add Rule:
  Action: Pass
  Protocol: Any
  Source: WireGuard net
  Destination: LAN (192.168.1.0/24)
  Description: WireGuard clients can access LAN

Add Rule:
  Action: Pass
  Protocol: Any
  Source: WireGuard net
  Destination: any (WAN)
  Description: WireGuard clients can access internet

Step 5: Configure Dynamic DNS (for Changing ISP IP)

Your ISP assigns you a dynamic IP that changes weekly. WireGuard clients need a static hostname:

Dynamic DNS Provider:
  Go to noip.com or duckdns.org
  Register free account
  Create subdomain: myhome.noip.com

pfSense Configuration:
Services → Dynamic DNS → Add
  Service Type: No-IP or DuckDNS
  Username/Token: (from noip.com)
  Hostname: myhome.noip.com
  Enable: Yes

Step 6: Configure WireGuard Client on iPhone

Install WireGuard app (App Store)
Tap + to add interface
Scan QR code from pfSense step 3

Connection settings auto-populate:
  [Interface]
  Address = 10.0.0.2
  PrivateKey = [auto]
  DNS = 192.168.1.50 (your Pi-hole)

  [Peer]
  PublicKey = [pfSense public key]
  Endpoint = myhome.noip.com:51820
  AllowedIPs = 192.168.1.0/24, 10.0.0.0/8

Toggle "On" to connect

When connected:

• All traffic from iPhone goes through your home network
• DNS queries go to Pi-hole (DNS filtered)
• ISP can’t see which sites you visit
• Home network can access iPhone

Component 4: WiFi Access Point Configuration

Your pfSense router should have WiFi, or connect a separate AP (access point) to it.

Recommended Access Points

Ubiquiti UniFi 6E (U6+ or newer)

• Cost: $150–200
• Performance: Excellent, tri-band
• VLAN support: Yes, native
• Setup: Via UniFi Controller app

TP-Link Deco X95 (WiFi 6)

• Cost: $200–300 (3-pack)
• Performance: Good, mesh support
• VLAN support: Limited (not recommended for VLAN setup)

TP-Link Archer AXE300

• Cost: $80–120
• Performance: Decent, WiFi 6E
• VLAN support: Not recommended
• Good secondary AP

Configuring WiFi Networks for VLANs

If using Ubiquiti UniFi:

UniFi Controller → Networks

Create Network 1: Trusted
  VLAN ID: 1
  Subnet: 192.168.1.0/24

Create Network 2: Guests
  VLAN ID: 2
  Subnet: 192.168.2.0/24

Create Network 3: IoT
  VLAN ID: 3
  Subnet: 192.168.3.0/24

Wireless Networks:

Create SSID: "MyHome"
  Network: Trusted (VLAN 1)
  Security: WPA3
  Password: [strong]

Create SSID: "Guests"
  Network: Guests (VLAN 2)
  Security: WPA3
  Password: [separate]

Create SSID: "IoT-Devices"
  Network: IoT (VLAN 3)
  Security: WPA3
  Password: [separate]

Result: Three WiFi networks, each isolated, each with different DHCP ranges.

Complete Network Diagram (Final Configuration)

Internet
    ↓
ISP Modem
    ↓
pfSense Router (192.168.1.1)
├─ WAN: DHCP from ISP
├─ LAN: Trusted VLAN (192.168.1.0/24)
├─ OPT1: Guest VLAN (192.168.2.0/24)
├─ OPT2: IoT VLAN (192.168.3.0/24)
└─ WireGuard: Remote access tunnel (10.0.0.0/8)

WiFi Access Point
├─ SSID "MyHome" → Trusted VLAN (192.168.1.0/24)
│   ├─ Your MacBook Pro (192.168.1.10)
│   ├─ Your iPhone (192.168.1.11)
│   └─ Your Desktop (192.168.1.12)
├─ SSID "Guests" → Guest VLAN (192.168.2.0/24)
│   └─ Visitor laptops can't see Trusted devices
└─ SSID "IoT-Devices" → IoT VLAN (192.168.3.0/24)
    ├─ Smart Thermostat (192.168.3.10)
    ├─ Door Camera (192.168.3.11)
    ├─ Smart TV (192.168.3.12)
    └─ Alexa (192.168.3.13)
        [Can't access Trusted VLAN, can only access internet]

Pi-hole DNS Server (192.168.1.50)
├─ Gets queries from all VLANs
├─ Blocks trackers from all blocklists
├─ Queries upstream via DoH to Quad9 (9.9.9.9)
└─ No ISP sees domain queries (just network traffic)

Privacy Result:
✓ ISP can't see which sites you visit (blocked by firewall rules)
✓ ISP can't see which sites your devices visit (Pi-hole handles DNS)
✓ Trackers blocked before loading (Pi-hole blocklists)
✓ Devices can't spy on each other (VLAN rules)
✓ Remote access encrypted (WireGuard)
✓ All DNS encrypted (DoH via Pi-hole)

Monitoring & Maintenance

Weekly

Log into pfSense web interface
Firewall → Logs
Check for unusual traffic:
  - Blocked IoT attempting to contact Trusted?
  - Guest VLAN attempting to access LAN?
  - If yes, this is expected (rules working)

Monthly

Check Pi-hole dashboard
Review "Top Blocked Domains"
  - If legitimate site is blocked, whitelist it
  - If suspicious tracker, ensure blocklist is current

Update software:
  System → Firmware
  Check for updates
  Install if available

Quarterly

Review WireGuard connection logs
Verify all peers still reachable
Test remote connection from mobile network
Update blocklists in Pi-hole

Troubleshooting Common Issues

Problem: Website loads but images don’t Solution: Blocklist is too aggressive. Whitelist in Pi-hole:

Pi-hole Admin → Whitelist → Add domain

Problem: Smart TV won’t connect Solution: TV needs firmware access. Allow IoT VLAN:

Firewall → Rules → OPT2 (IoT)
Add rule: Destination port 443, Allow

Problem: WireGuard won’t connect Solution: Check dynamic DNS:

Services → Dynamic DNS
Verify domain resolves: ping myhome.noip.com
Check firewall passes port 51820 (UDP)

Problem: Guests can’t connect to WiFi Solution: DHCP not running on Guest VLAN:

Interfaces → OPT1
Verify DHCP enabled
Restart DHCP: Services → DHCP Server

Maintenance Timeline

• Day 1: Install Pi-hole, configure DNS
• Day 2: Configure pfSense, create VLANs
• Day 3: Set up firewall rules, test isolation
• Day 4: Install WireGuard, test remote access
• Day 5–7: Deploy devices to appropriate VLANs, test functionality
• Weekly: Monitor Pi-hole for blocked domains
• Monthly: Update firmware and blocklists

After initial setup (1 week), maintenance is <30 minutes monthly.

Privacy Gains vs. ISP

Before:

• ISP logs every site you visit (100% visibility)
• ISP knows your location (GPS from phone)
• ISP sees your device fingerprints
• ISP sells data to brokers

After:

• ISP sees encrypted WireGuard tunnel (can’t see sites)
• ISP sees DNS encrypted (can’t see domains)
• ISP sees blocked tracker queries (but not your browsing)
• ISP data on your traffic is useless (no insight)

Result: ISP knows you use internet, not which sites/apps.

This isn’t theoretical—Comcast and AT&T have been prosecuted by FTC for selling supercookie data. A hardened network prevents this completely.

Related Reading

• Set Up VLAN Isolation for IoT Devices on Home Network 2026
• Home Network Privacy Pihole Dns Filtering Guide 2026
• Set Up a Secure Home Server for Self-Hosting Privacy Tools.
• How To Set Up Privacy Focused Crm That Minimizes Customer Da
• How To Set Up Privacy Focused Phone Specifically For Dating

Built by theluckystrike — More at zovo.one