Linux Home Networking — Setup and Best Gear
Six years of running a Proxmox cluster, pfSense firewall, and fully automated Linux smart home in a Portland basement — distilled into one guide.
Why Linux Home Networking Is Different
Most home networking guides assume you want a simple plug-and-play setup. Consequently, they recommend consumer mesh systems, app-based routers, and cloud-dependent smart home devices. That approach works fine if simplicity is your only goal. However, if you care about local control, privacy, performance, or long-term reliability, consumer gear frequently falls short.
A Linux-based home network is fundamentally different. You control the routing, the DNS, the firewall rules, and the smart home automation logic. Furthermore, nothing depends on a third-party cloud service that can go offline, change its API, or get acquired and shut down. The tradeoff is complexity — but the payoff is a network that keeps working regardless of what any manufacturer decides to do.
This guide covers the complete setup I run in my Portland basement. Additionally, it includes the mistakes I made along the way and the gear I would buy differently if I were starting over today.
You do not need to implement everything in this guide at once. In fact, most people start with a better router and work outward from there. Each section stands alone — consequently you can apply just the parts that are relevant to where you are right now.
Step 1 — Choosing the Right Router
The router is the foundation of everything else. A bad router limits everything downstream — WiFi performance, VLAN capability, VPN speed, and DNS filtering all depend on what your router can handle. Furthermore, most ISP-provided routers are not capable of running a proper home network without significant compromises.
The Case for pfSense
After running consumer routers for years, I switched to pfSense on a Protectli Vault appliance in 2019. It was the single biggest improvement I made to my home network. pfSense gives you enterprise-grade firewall rules, proper VLAN support, a built-in VPN server, DNS resolver with local overrides, and detailed traffic logging. Moreover, it runs on commodity x86 hardware that you own outright — no subscription, no cloud dependency.
The main limitation is the learning curve. pfSense requires you to understand basic networking concepts like subnets, firewall rules, and NAT. Nevertheless, the Netgate documentation is excellent, and the community forums have answers to almost every question you will encounter during setup.
Consumer Router Alternatives
Not everyone wants to run pfSense. If you prefer a simpler setup, several consumer routers offer meaningful Linux-adjacent capabilities. For instance, Asus routers running Asuswrt-Merlin firmware give you VLAN support, a proper VPN client, and SSH access without the full complexity of pfSense. Similarly, GL.iNet travel routers run OpenWRT natively and consequently make excellent starting points for people new to router firmware.
pfSense on Protectli Vault
Full enterprise firewall on dedicated hardware. Runs pfSense, OPNsense, or any other x86 OS. Fanless, silent, and reliable for years of continuous operation.
Asus RT-AX86U with Merlin
Consumer router with Merlin firmware support. Gives you VLAN capability, WireGuard VPN, and SSH access without building a dedicated firewall appliance.
Step 2 — VLAN Segmentation
VLAN segmentation is the most important security improvement you can make to a home network. Without VLANs, every device on your network can communicate with every other device. As a result, a compromised smart bulb or cheap IP camera has potential access to your workstation, NAS, and everything else on the network.
The VLAN Structure I Use
After experimenting with different approaches, I settled on four primary VLANs. Each serves a distinct purpose and has specific firewall rules controlling what it can and cannot communicate with.
| VLAN | Devices | Internet | Access to Other VLANs |
|---|---|---|---|
| Trusted | Workstations, phones, laptops | Yes | Can reach server VLAN |
| Servers | Proxmox, NAS, Home Assistant | Restricted | Can reach trusted VLAN |
| IoT | Smart bulbs, plugs, cameras, thermostats | Yes — monitored | None — isolated completely |
| Guest | Visitor devices, temporary access | Yes | None |
Why IoT Isolation Matters
The IoT VLAN is the most important isolation in the entire network. Most smart home devices are consumer-grade products with minimal security. Furthermore, many of them run outdated Linux kernels with known vulnerabilities that manufacturers never patch. Consequently, isolating them onto a separate VLAN means a compromised smart plug cannot reach your NAS or your workstation regardless of what it tries to do.
Important note on local control
Complete IoT isolation blocks local control APIs on some devices. When setting up VLAN rules, allow traffic from your Home Assistant server to the IoT VLAN on specific ports. This preserves local control while maintaining isolation from your trusted devices.
Step 3 — WiFi Setup and Coverage
Consumer mesh systems handle WiFi reasonably well for most homes. However, if you are running VLANs, you need access points that support VLAN-tagged SSIDs — the ability to broadcast different WiFi networks that route to different VLANs. Moreover, not all consumer mesh systems support this correctly.
Why I Use Ubiquiti UniFi
After testing several enterprise-grade and prosumer WiFi systems, I settled on Ubiquiti UniFi access points managed through a self-hosted UniFi Network Controller. Each access point broadcasts four SSIDs — one for each VLAN — and traffic is tagged correctly at the access point and handed off to pfSense for routing. Furthermore, the UniFi controller gives me detailed client information, RF environment data, and historical usage graphs that consumer systems simply do not provide.
Alternatives Worth Considering
Ubiquiti is not the only option. For example, TP-Link’s Omada system offers similar VLAN-capable access points at a lower price point with a comparable self-hosted controller. Additionally, if you want to avoid a self-hosted controller entirely, several Asus access points in AiMesh mode support VLAN-tagged SSIDs when paired with a VLAN-capable router.
Step 4 — NAS and Local Storage
Local storage transforms a home network from a collection of cloud-dependent devices into something genuinely self-sufficient. With a NAS, you can run your own media server, photo backup, security camera recording, and file sharing — all without paying monthly subscription fees or trusting your data to a third party.
Synology vs QNAP
I have run both Synology and QNAP NAS units for extended periods. In my experience, Synology DSM is the more polished operating system for most users. The interface is intuitive, the package ecosystem is comprehensive, and updates are reliable. QNAP, by contrast, offers more raw Linux flexibility but requires more maintenance and has had a worse track record with security vulnerabilities in recent years.
For most people building a Linux home network, consequently, a Synology DS923+ or DS723+ is the right starting point. See the complete NAS buying guide for a full breakdown of current recommendations across all budgets.
Hard Drive Selection
NAS drives matter more than most buyers realize. Standard desktop drives are not designed for the always-on vibration environment of a multi-drive NAS enclosure. As a result, I exclusively use drives rated for NAS use — specifically WD Red Plus or Seagate IronWolf for most setups. Furthermore, for any data you cannot afford to lose, RAID is not a backup. It protects against drive failure but not against accidental deletion, ransomware, or NAS hardware failure.
Step 5 — Smart Home Integration
Home Assistant is the only smart home platform worth running if you care about local control and Linux compatibility. It runs locally on your own hardware, supports thousands of integrations without cloud dependency, and gives you complete control over automation logic. Moreover, when your internet goes down, your automations keep running.
Running Home Assistant on Proxmox
I run Home Assistant as a virtual machine on my Proxmox cluster rather than on dedicated hardware. This approach has several advantages. First, it simplifies backups — VM snapshots capture the entire Home Assistant state including configuration and history. Second, it allows resource allocation to be adjusted without replacing hardware. Third, it runs alongside other home server services on the same physical hardware.
Zigbee and Z-Wave
WiFi-based smart home devices work adequately but consume IP addresses and depend on your router staying healthy. Zigbee and Z-Wave devices, by contrast, form their own mesh networks and communicate directly with a coordinator plugged into your Home Assistant server. Consequently, they are more reliable for devices you genuinely depend on — light switches, door sensors, smoke detectors.
Zigbee2MQTT
Open source Zigbee integration that works with hundreds of devices and does not require any cloud connectivity. Runs as a Home Assistant add-on or standalone Docker container.
Z-Wave JS
The standard Z-Wave integration for Home Assistant. More reliable than Zigbee in RF-noisy environments and better suited for security devices like locks and sensors.
Step 6 — Network Security
A home network with a NAS, smart home devices, and remote access has a meaningful attack surface. However, securing it does not require enterprise-level complexity. Furthermore, most of the important security improvements are straightforward to implement once you have pfSense or a capable router in place.
DNS Filtering with Pi-hole
Running Pi-hole as your local DNS resolver blocks ads and tracking at the network level for every device on your network — including smart TVs, IoT devices, and phones that ignore browser-level ad blockers. I run Pi-hole as a Docker container on Proxmox with pfSense configured to use it as the upstream DNS resolver. Consequently, every DNS query on my network passes through Pi-hole before going to an upstream resolver.
Remote Access Without Port Forwarding
Port forwarding is a security risk. Instead of exposing services directly to the internet, I use WireGuard VPN running on pfSense to access my home network remotely. WireGuard is built into the Linux kernel as of version 5.6, which means it is available on virtually every Linux device you might want to connect from. Furthermore, the performance overhead is minimal compared to older VPN protocols like OpenVPN.
What to Do Right Now
If you are building a Linux home network for the first time, start with these three steps before anything else. First, replace your ISP router with something you control. Second, set up Pi-hole for DNS filtering. Third, put your IoT devices on a separate network segment. As a result, you will have a meaningfully more secure and controllable network than the majority of home setups — even before adding NAS storage or Home Assistant.
What I Would Buy Today
Based on six years of running this setup, here is the hardware I would recommend to someone building a Linux home network from scratch in 2026. Consequently, each recommendation reflects real testing rather than spec sheet comparison.
- Router / Firewall: Protectli Vault FW4B running pfSense — see the VPN router buying guide
- WiFi Access Points: Ubiquiti UniFi U6 Lite — excellent range, VLAN support, self-hosted controller
- Network Switch: Ubiquiti UniFi Switch Lite 16 PoE — powers access points and IP cameras over ethernet
- NAS: Synology DS923+ — see the full NAS buying guide for current recommendations
- Smart Home Hub: Home Assistant on Proxmox with SkyConnect USB Zigbee coordinator
- UPS: APC Back-UPS Pro 1500VA on the network rack — see UPS recommendations
- DNS Filtering: Pi-hole running as a Docker container on Proxmox
Browse the Full Review Categories
Every product category has its own detailed buying guide with real home lab testing behind every recommendation.