---
owner: gmikcon
status: active
last_reviewed: 2026-05-10
review_interval: 90d
confidence: high
source_of_truth: owner-confirmed-and-ssh-pfsense
---

# pfSense Router

Central router and firewall for the local network.

## Access

- Web UI: `https://192.168.1.1/`
- SSH: `ai_agent_ro@192.168.1.1:22`, read-only access for documentation agents.
- SSH authentication: owner-managed key.
- Secret values are not stored in this repository.

## Role

- Local network edge.
- Firewall and routing point for internal infrastructure.
- DHCP server for `home-lan` and `home-iot-lan`.
- Local DNS resolver through Unbound.
- Local NTP endpoint.
- Sits on the forwarding path between local infrastructure and services reachable through trusted network paths.

## Platform

- Hostname: `pfSense.home.arpa`.
- OS: pfSense CE `2.7.2`.
- Base system observed over SSH: FreeBSD `14.0-CURRENT`, amd64.

## Interfaces

| Interface | Description | Role | Address | MAC | Status |
| --- | --- | --- | --- | --- | --- |
| `re0` | `LANTECH` | `home-iot-lan` | `192.168.2.1/24` | `00:e0:4c:68:07:9f` | active, 1000baseT full-duplex |
| `re1` | none | unused | none | `00:e0:4c:68:39:03` | no carrier |
| `re2` | `LANMAIN` | `home-lan` | `192.168.1.1/24` | `00:e0:4c:68:35:ba` | active, 1000baseT full-duplex |
| `re3` | `WAN` | WAN uplink | `172.32.2.78/24` | `70:85:c2:24:ee:4b` | active, 1000baseT full-duplex |

Note: `172.32.2.0/24` lies outside RFC 1918 space (`172.16.0.0/12` ends at `172.31.255.255`), so the WAN subnet as recorded is publicly routable addressing and an RFC 1918 alias will not match it.

## Routing

Observed routes:

- Default route: `172.32.2.1` through `re3`.
- `192.168.1.0/24` is directly connected through `re2`.
- `192.168.2.0/24` is directly connected through `re0`.
- Host routes for `8.8.8.8` and `2.2.2.2` through `re3`, consistent with pfSense pinning the DNS servers configured for the WAN (both appear in the resolver configuration under Local Services) to the WAN gateway.

## Local Services

Observed listening services:

- SSH: `*:22`.
- Web UI through nginx: `*:80`, `*:443`.
- DHCPv4 through Kea: `192.168.1.1:67`, `192.168.2.1:67`.
- DNS resolver through Unbound: `*:53`.
- Unbound control: `127.0.0.1:953`.
- Syslog: UDP `*:514`.
- NTP: UDP `*:123`, including bindings on `192.168.1.1`, `192.168.2.1`, `172.32.2.78`, and `127.0.0.1`.

Services bound to `*` are present on the WAN address `172.32.2.78` as well as on the LAN addresses. Whether they are reachable from the WAN side is decided by the WAN rule set, which on a stock pfSense install passes no unsolicited inbound traffic; the rule set itself is not yet documented here.

System resolver (`/etc/resolv.conf`) as observed, nameservers in the order consulted; the loopback entry first means the router's own lookups go to the local Unbound before falling back to the two external servers:

- `127.0.0.1`
- `8.8.8.8`
- `2.2.2.2`
- Search domain: `home.arpa`

## Local Network Topology

The home network currently consists of two local networks served by one router with four Ethernet interfaces (the pfSense host described above).

Each local network runs from its router interface into a switch and is then distributed through the home. The access layer includes wired TVs, PCs, servers, and Wi-Fi access points.

### Home LAN

- Inventory id: `home-lan`.
- CIDR: `192.168.1.0/24`.
- Gateway: `192.168.1.1`.
- Router interface: `re2` / `LANMAIN`.
- Main Wi-Fi SSID: `home`.
- Wi-Fi mode: access points, not a separate routed Wi-Fi network.
- Access points: 2 nodes.
- Mesh mode: enabled for the main Wi-Fi nodes.

### Home IoT LAN

- Inventory id: `home-iot-lan`.
- CIDR: `192.168.2.0/24`.
- Gateway: `192.168.2.1`.
- Router interface: `re0` / `LANTECH`.
- Purpose: service network for smart-home and IoT devices.
- Wi-Fi mode: access points.
- Mesh mode: intentionally disabled.
- IoT Wi-Fi nodes:
  - `home_iot_0`
  - `home_iot_1`
  - `home_iot_2`

### Current And Planned Policy

Current policy:

- full access between `home-lan` and `home-iot-lan`;
- IoT internet access is currently allowed.

Possible future policy:

- isolate the two networks from each other;
- cut off the IoT network from the internet.

Any rule set that does this still has to let IoT hosts reach DHCP, DNS, and NTP on `192.168.2.1`, since the router provides those services to `home-iot-lan`.
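To make the planned policy concrete before it is written into pfSense, the following added example (not part of this page and not pfSense code) models the rule set for the `LANTECH` interface as an ordered, first-match list, which is how pfSense evaluates user rules on an interface tab, and checks constructed sample flows against it. It also flags rules that are shadowed by an earlier, broader rule, which is how a leftover "allow to any" rule silently voids an isolation policy. The addresses come from this page; the rule labels, sample flows, and the `192.168.2.50` and `192.168.1.20` hosts are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Addressing taken from the inventory above.
HOME_LAN = ip_network("192.168.1.0/24")
IOT_GW_HOST = ip_network("192.168.2.1/32")   # the router's LANTECH address
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    dst: tuple[IPv4Network, ...]    # matches if the destination is in any of these
    dports: frozenset[int] | None   # destination ports; None means any port
    label: str


@dataclass(frozen=True)
class Flow:
    src: str    # traffic entering the router on re0 (LANTECH)
    dst: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    dst = ip_address(flow.dst)
    if not any(dst in net for net in rule.dst):
        return False
    return rule.dports is None or flow.dport in rule.dports


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First match wins, as for pfSense user rules (which are 'quick');
    a flow matching nothing hits the interface's implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.label
    return "block", "implicit default deny"


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Labels of rules that can never fire because an earlier rule already
    matches every destination and port they cover."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            ports_covered = earlier.dports is None or (
                later.dports is not None and later.dports <= earlier.dports)
            nets_covered = all(any(n.subnet_of(e) for e in earlier.dst) for n in later.dst)
            if ports_covered and nets_covered:
                dead.append(later.label)
                break
    return dead


# Constructed rule set for the planned policy, as it would sit on the LANTECH
# tab: let IoT hosts use the router's DNS and NTP, then block home-lan and
# everything else. pfSense adds its own DHCP rules when the DHCP server is
# enabled on an interface, so DHCP is not modelled here.
PLANNED_IOT_RULES = [
    Rule("pass", (IOT_GW_HOST,), frozenset({53, 123}), "iot: DNS/NTP to gateway"),
    Rule("block", (HOME_LAN,), None, "iot: isolate from home-lan"),
    Rule("block", (ANY,), None, "iot: no internet"),
]

# The same rules with a stock "allow to any" rule still sitting on top:
# every rule below it is shadowed and the policy is silently void.
MISORDERED_IOT_RULES = [Rule("pass", (ANY,), None, "default allow to any")] + PLANNED_IOT_RULES

# Constructed sample flows from an IoT host (192.168.2.50 is an assumed address).
SAMPLE_FLOWS = {
    "dns to gateway": Flow("192.168.2.50", "192.168.2.1", 53),
    "ssh to gateway": Flow("192.168.2.50", "192.168.2.1", 22),
    "iot to home pc": Flow("192.168.2.50", "192.168.1.20", 445),
    "iot to internet": Flow("192.168.2.50", "8.8.8.8", 443),
}


def decisions(rules: list[Rule]) -> dict[str, str]:
    """Verdict per sample flow for a given rule order."""
    return {name: evaluate(rules, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, rules in (("planned", PLANNED_IOT_RULES), ("misordered", MISORDERED_IOT_RULES)):
        print(name, decisions(rules), "shadowed:", shadowed_rules(rules))
```

The planned order passes only DNS and NTP to the gateway and blocks the gateway's SSH and web UI, `home-lan`, and the internet; the misordered variant passes all four flows and reports all three policy rules as shadowed. Running the shadow check against the rule list before committing it is the cheap way to catch that mistake.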

## Dual-Homed Smart Home Server

The smart-home server is present in both networks:

- `192.168.1.101` on `home-lan`;
- `192.168.2.101` on `home-iot-lan`.

Traffic between the server's two interfaces never crosses pfSense, so if the two networks are later isolated at the firewall this host remains a path between them that the router cannot see or filter; it needs host-level controls of its own.

Further details still need to be documented: firewall rules, port forwards, VPN routes, DHCP static mappings, and DNS host overrides.
