Building The "Ultimate" Router - [PFSense + Pi-hole + PIVPN]

I've been running a virtualized router using an old system called Smoothwall for seven years problem-free. I recently upgraded the whole thing to ProxMox, pfSense, and piHole and it has been fabulous. I've got in-house 2.5Gb over WiFi6 and a 12TB NAS. Even did a video on the server rebuild and install, just have to edit it all down - you and a few other channels were a great inspiration!!

When I was setting up my home lab/servers, I initially virtualized my router (also on Proxmox, on a "normal" x86 platform). Since I was still tinkering a fair amount with the whole (new) system, that meant that every time I did something physical, the internet went down as well. Having VLans and local routing as well means that even things that were still all on weren't reachable either. So I ended up swapping to a dedicated virtualized physical router similar to the one used in this build (Intel N5095 based, running network services only on a proxmox host dedicated to network), but quickly realized it was far more capable than what I needed. So I eventually swapped to a bare-metal, non-virtualized Zima Board (still x86, but more rapi-sized) for my router doing anything network related just via plugins. I'm now very happy with this very low power solution, and I can tinker with the main "lab" all I want without any service interruptions to stuff that isn't rebooted or shutdown.
Note that pfSense and OPNsense can do WireGuard and piHole-like DNS services natively (via Unbound or many other options), and virtualization or containerization isn't really needed.

I'd love to see a video on your full homelab. Setup, machines (truenas server, pf sense router, your and your wife's pcs) a full tour would be awesome! (Time to clean up that cable management lol). Also I just realized you composed your own theme. Very nicely done. Love it. Hope to see your music set up as well

thank you, watching hardware stuff always feel so interesting!

I really appreciate your honesty during commentary. Great vid!

Currently I'm using a traditional (albeit quite high-end) router but I'm using it mostly for its incredible wireless performance and as the network gateway. I've actually offloaded most of its functions onto a Raspberry Pi with the 64-bit Lite OS installed, such as DHCP, DNS, and PiHole and it has been working very well for me thus far. I would love to do this all in one complete solution one day though.

Every new video u make gets better and better and I know it means nothing but I'm so proud of you, and I'm so happy I got to see ur channel grow from the start

I love these builds. Super cool video and you get to turn a small pc into something incredibly useful for home use.

I've been running a Netgear Cable Modem / Router combo since 2015. It's performed okay but I think this video finally gave me the inspiration to go PFSense.

watching your videos and getting into nas and more technical of the technical stuff has me feeling the same way i have felt when i was just getting into pc's
at first i didnt know how it all worked or what the terminology all was but now a pc is the same as legos to me.
now i hope to learn everything about nas and whatnot and make my own nas with a pc someday with the help of your videos

I’m literally doing almost exactly this project right now, and have been really struggling to get my Realtek 8125B 2.5Gbe NICs working, I ended up getting them *kinda* working with PfSense 2.5.2 yesterday, but wasn’t super stoked on having to use older software. Luckily I’ve barely gotten through configuration before coming across this video, so I’m going to re-flash 2.6.0 and try out the package from the Reddit post you linked. Man, my RUclips recommendations are usually pretty good, but this? *Chef’s Kiss*.

That is a pretty nice router you got there,
Thanks for the good video!

Not sure if it's been mentioned below, but what if you connect the LXC containers to a virtual switch and an extra interface for pfsense to route the LXC traffic without passing through a physical switch. This would force traffic directed to the LXC containers through PFSense (like PiHole) but ultimately would eliminate PFsense from routing from one physical interface to another physical interface to virtual interface in the container

Never thought I'd get excited over a router
Subscribed lol

Nice job. For services like pihole and httpd I switched to Docker containers a while ago, it makes management and backups nice and easy.

Love this. I have been running same Seeed Odyssey for my router, but only for PFSense. This would be a fun modification... You got me thinking, but I already have an ESXi cluster in the house.

Thats is some clean hardware!

Love that video. I will be building my ultimate pfsense router soon

One thing you could do, although it’d be a bit more dependent on your router, but you could create a virtual bridge and attach it to proxmox and your pfsense VM, so proxmox would connect via pfsense, and all physical NICs would go to pfsense. Not necessarily a good idea, but an idea none the less

FAQ BELOW!!!
For 21 FREE meals with HelloFresh plus free shipping, use code HARDWAREHAVEN21 at bit.ly/3WdgdSU!
FAQ and Concerns:
- Why didn’t I use OPNSense?
I just don’t have much experience with it, but I will try it out later, maybe even before I set this up in my home!
- PFSense can do basically all of those things with other packages; why not do that?
Honestly, I wasn’t aware of all the packages available, especially the experimental ones. But I also like the flexibility of containers and VMs. I can easily swap to OPNSense later without having to set everything else up again if I want for example. Also, software preference is a thing. It doesn’t mean I think running everything bare metal is a bad idea. Quite the opposite!

thank you. i would like to follow in your footsteps to create a similar setup. i have been using cloudflare tunnels instead of setting up wireguard... but i totally used to run pi hole and pivpn on bare metal raspberry pis and it worked great. i would like to setup those services again as part of my proxmox

Nice! Been looking to build a box like this!

I love this channel. Thank u shareing your experince and Knowledge with us❤❤

All I would offer as a critique is that pfSense can run OpenVPN so there's no need to separately run piVPN. Having said that, I LOVE piVPN for it's ease of set up, and use of WireGuard for a client. Great system. pfSense and piHole are awesome, love them. Thanks for the video :)

I like it, i would like to make one my own too, and thank you for telling us about this, love your project.

So nice !

When setting up containers, i find it is good practice to always set up individual software on one container. Its easy for maintenance but its also easier to manage in general because you are not forgetting which container is what.

Is this better than a gaming router?

this is all so much for me but I can't wait to learn all this, I have a bunch of old laptops that I know they still have life in them just not as a traditional laptop! Maybe more so as a storage server, security camera service, and router!

ive personally tried opnsense first, then pfsense
i had some issues with opnsense (specifically the freeradius package was broken) but pfsense tends to work better. however pfsense is a bit less opensource than it claims to be

Love your videos sir!!

I have several Seeed Odyssey's. Surprised both onboard NICs work with the M.2 NIC card plugged in, the Odyssey X86's have a hardware bug that kills one on-board NIC when some PCIE devices are plugged into the M.2 port. That said I also have alot of Odroid H2/H3 boards as well. The Odroid's are similar to the Seeed Odyssey but have 2 2.5gb NICs onboard and Odroid makes a "net-card" that adds 4 more 2.5gb NICs for a total of 6. I've been using one as my router for about 2 years now without a hitch. They also have cases that don't require mods for the net-card

Good that i can learn from you and the people from the comments that tell about more eficient/alternative ways to do these things. Also have to wait for family to go out to tinker with the network lol

That looks interesting. I would love to try a similar build myself at some point. I think I would use Bind instead of PiHole for my DNS though 😄

12:29 You being lame is actually really smart. I did the same when I switched from a "real" router to a pfsense box.
I put the pfsense box behind the router and migrated things behind the pfsense box over time. Once everything was behind the pfsense box, it just needed a few WAN setting changes and then I pulled the "real" router from the front of the chain, switched the router to AP mode and put it behind the pfsense box for WiFi connectivity. Since I got my bearings and learned the pfsense settings while just a couple machines were behind the pfsense box, there was no real downtime ever involved.

I only understand the surface-level of the features that you discussed here, but I would love to build a router like this with a built-in VPN and PiHole. Would you recommend a beginner just stick to PFSense for those features if they don't feel the need to separate it onto a VM?

I just heard about using Pfsense & Pi hole recently and I want to emulate this project!!

hahaha I raised my eyebrow real hard when the QR for your wireguard access token popped up on the screen... very clever!

Hello, I am a network administrator and we use pfsense for some customers as a VM on VMware, and it is super stable and reliable. Honestly, it is more reliable than some of our SonicWall appliances. One customer has high uptime requirements, and the primary wan firewall has been up for about a year and no issues. (I know it needs a reboot. Again, high up time customer. Very specific case lol) but I highly recommend turning an old PC into a router if you want a fun project or your router shows inconsistencies or issues. You just need two ethernet ports, and add-in cards can be cheap. I do recommend Intel NICs if you are doing bare metal port forwarding. Non Intel cards can have issues on pfsense

I was wondering how to do you access your proxmox web interface from? Did you connect the proxmox lan bridge to the pfsense lan physically or virtually? Or are you accessing your proxmox web ui from your other router and on a different network?

Pretty neat router you got there! I recently just added a 2nd Wireguard VPN on my Pi5 as a backup for those public wi-fi areas that doesn't allow you to connect using the default 51820 port. I have it running on a docker container and everything is running great after a few tweaks. My main router is a Firewalla Gold Plus that is also a hardware firewall and has tons of features. It also has a built-in Wireguard/OPVN and ads & telemetry blocking features. I'm still curious to run Pi-Hole with Wireguard on my Pi5 though and I'm having a little trouble with that on my network. I was able to successfully run Pi-Hole on another docker container and even have it running on https complete with SSL certs using NGINX proxy manager but when I use it as my DNS on my Wireguard on my Pi5, there is no Internet. I see the traffic being blocked though by Pi-Hole and all the stats in the Dashboard are running. I think I need to forward the traffic correctly but time is limited and I'll try to troubleshoot that on another time. 😮‍💨

Great videos Colten!! what about using tailscale on an lxc as an exit node for tailscale and also allowing LAN??

Bro, wdym goofy? It's a work of art I love it!

I was running similar setup, but it was too much hassle to tinker with it and even my current Mikrotik AX3 is way easier to maintain while running Pihole and Unboud in the container direactly on it. I haven't noticed any performance diffrenece. Another advantage is decent wifi coverage which AX3 has. Power consumtion is also way lower.

Always nice to have more control over router and clans ect.
But setting up iptv from the ISP can be a pain to setup properly.
I noticed myself doing so. IGMP needs to be enabled or other protocols, depending on how your ISP handles iptv.
And you don't want to piss off others in the household. 😋
Going fiber is also a different challenge depending on compatible hardware.

Cool project box but you better have a backup one for when the main goes down.
For quite less that price, you can get a fully enclosed device with same cpu and 4 Ethernet ports, ready to go.

Can I request that you can provide links to get the adapter, the computer case component, and the NIC? It helps to buy the exact thing since you've done a proven proof-of-concept. Also, I want to thank you for showing us this awesome build.

Great vid! I've been watching a few of your videos and really enjoying your music as well(Town Groove is a bop!). Any plans on releasing any of these?

Thats super sweet quick question can i put my phone tu run okta an dpoint it to read different location

This is cool. I used XCP-ng when I virtualized my router because you don't need to passthrough the nics you just assign the lan and the wan ports to the vm xen routes the traffic from the physical to the virtual

Are there any throughput stats on this as a working router? So it can be compared to a Draytek router for example.

I have seen those dual 2.5g nics on Aliexpress before, as you know a 2.5g nic can operate at 5gb in full duplex mode if transferring files from machine to machine over the lan. With 2, that's 10gbs worth of bandwidth. Can the PCIE interface support that much speed?

do you need to have that specific seeed board with the RP2040 raspberry pi chip for this, or can you use older seeed model 4105 = ATSAMD21 chip?

Awesome video!
I quite liked the idea of being able to boot from the passthrough drive in case something happens to Proxmox. In fact, I was trying to replicate it, moving my currently virtualized OPNSense to a spare drive, and realised something...
If the EFI Disk lives in the LVM/ZFS Proxmox pool, would one still be able to boot from the OPNSense drive, bypassing Proxmox?

Same camp with the swap lol. Still running the old Unifi USG-3P even after I've started getting a pfsense box ready and have been doing some testing. It's currently been good and I have other Unifi gear, dynamic DNS and OpenVpn access server but I've considered switching to wireguard.

Brilliant

What connecters are you using on your bottom NIC. That thing lights up the whole LAN connector likes it is a Christmas tree, or is they just the angle of the camera?

What through put are you getting with this will it do gig-bite through put from isp to network

im after a 1 stop box that can connect to vdsl via pstn (here in Australia most of our net comes from vdsl) and would rather not have an extra modem. any suggestions on hardware to do it all?

Virtualizing these services, how does ram utilization work with Proxmox?

do you have any good links to the seeed box you were running and any of the other hardware?

I'll be waiting for the followup

Do you have a link to the sata cable? So I can try it on my ASRock mb

the dedicated ssd for pfsense is a great idea

Really cool

4:55 interesting use for pi-hole, PFSense (or at least OPNSense) actually comes with Unbound DNS which I use personally that supports what you mean, it is under DNS Overrides tab and you can do exactly what you described.

Cool idea, but pfsense has all of this without the need for other VMs.
Pi-hole - pfblocker package
PiVPN - openvpn or wireguard experimental packages
Reverse proxy - ha proxy package
Ddns - native Ddns function

The blackhole router. Cool shit broski!

This comment section is definitely full of alternatives but if you want a few more, a useful alternative to pihole is adguard home. Does basicslly the same thing but it supports service based and regex based blocking. Additionally you can use unbound, either built into pfsense or installed in a vm or container. It allows for recursive dns lookups so you dont need a middle man like cloudflare and it offers great caching and speed.

Why not using the wireguard that pfsense already have?

Your link to the Shure SMB7 is wrong in the description, takes people to their orders ;)

What about ventilation? Does it get hot? Over heat c/would be an issue. How is it running after 4mo.?

Great video. I play with such things quite a lot. Is there a reason why you used iommu pass through instead of just making network bridges to the network card ?

Would help to say the expected price point to build such system. What about using OPNsense instead as I heard that pfsense does not receive updates often?
I still have an old Apple AirPort Extreme router, which I haven’t use for years. Any chance I can hack into it by installing third party software replacing Apple’s software? Or better to build new hardware?

For just local DNS resolution you don’t need pihole. Pfsense has that built in. And it may actually be counterproductive not to use the pfsense one since you loose the automatic registration of dhcp client names in the dns namespace.

I think I may go this route, proxmox, pfsense, pi-hole, VPN, home assistant, NAS.
Sick of my current router dropping out

you are pro!

I just built my firewall out of an old recycled Lenovo system with an i7 4770, threw in 16gb of ram, a 128gn boot SSD and a 10gb SFP+ card. I shoved it all in a 2u chassis and it's pretty solid for the age of it.

Bit odd. What font is used in the chapter titles? Loving your work.

looks like i found my next project. cheers bro ill sub to that!

Hi, we have captive portal networking in our building with radius server and voucher system,
to access the internet each user have to purchase its own voucher,
In our area internet is very expressive so plz tell us how can we use a router to login in to this network using single voucher and using router as a bridge to connect other 5 smart phones, and please also tell us which router is suitable for this type of networking
Thanks

Built something similar here with a N5105 + 4 x 2.5 G eth ready made system with passive cooling. IMHO a quite solid base for a small network centric VM host. Where there specific reasons you opted for a more diy approach?

you can save more resources by using pfblocker on pfsense itself instead of pihole. Its the same with more features.

does this need an existing router to make pfsense make a 2nd router or pfsense is the router and doesnt need any existing ones? cuz i changed home and idont have router but i have a raspberry pi

This feels like a BUNCH of work that just isn't needed.
Pickup a Lenovo Tiny M720q, which has an optional PCIe slot where you can drop in a 2nd NIC (I have a 4x1Gb in mine)
Run the onboard NIC for the Hypervisor and pass through the entire PCIe NIC into the pfSense VM.
You ARE limited to 1 x NVMe M.2 drive for storage with this design however.
You can do a M720x instead which has Dual NVMe M.2 if you really want a dedicated pfSense drive.
If you do this, look into the 32GB Intel Optane M.2 drive. pfSense doesn't need much storage and these are wicked fast.
Anyway, no soldering, no weird adapters from Ali Express, and you can get up to 6 cores if you get the 8600/9600 or higher CPUs.

im new to all this but turning your pc into a router sounds amazing, and with you changing your router entirely, what do isp say about doing that?

Well, what about 10G network cards? Can you do that with an m.2 nvme?

You should look into Ansible in case you haven't used it before :)

I recently switched back to pfSense on bare metal because it is quite complicated to configure VLANs on a linux network bridge if you cant passthrough two dedicated nics.

It's possible to do it all on one nic using a managed switch (I have the unifi 5 port), you just have to use vlans. It's how I have my network setup right now, proxmox with OPNsense.

I’m confused, by the time you put all the hardware together it’s the same cost as a Protectli Vault 4 Port 🤷‍♂️ and the VPN and DNS filtering with PfSense native?

Question about the hardware.
I really like this and want to build it for my own network. I've tracked down all the hardware you used in the video, except I'm having a little trouble finding the M.2 to dual NIC card. The normal places I buy don't have anything like it, or it's $70+. I tried finding exactly what you bought on aliexpress and found something similar, but it has slightly different information on the page then what you showed in the video at 3:51 (price, rating, number of orders). Could you tell me what the company name was for the card you bought or even better just directly link it?
(sorry if you already linked it, I've double checked and didn't see it anywhere in the description, video, or comments.)
I've not used aliexpress before and am a bit worried I'm going to buy a bad product.

how did this entire project cost?

can you check what a typical power consumption is when idle/under heavy load?

Found this video not too longer ago, and thought I would assemble the components and try to build out the same "ultimate" router. I am only at the parts assembly stage, and I think my question is a simple one.
Anyone know the part number for the HDD/SSD power cable?

I have a single question for a more personal preference...can this be done with OpenWRT?

What would you recommend for a good AP to pair with this?

You should of cut the extra screw length popping out of the diy shield, just in case it doesn’t make ground somehow

Please make a dedicated video on setting up a home vpn

i need a refresher course on setting up proxmox with pci passthrough. i have this gpu i want to use that's just collecting dust