At the root of my homelab mini datacenter is a hypervisor running on Windows Server Datacenter 2025.
My goal is to replicate an enterprise-style topology while considering a security-first approach. With that in mind, I used Hyper-V to create four virtual switches for my environment: External, Internal 1, Internal 2, and Private. Each switch represents a different network zone and subnet, with the intent to assign VMs to their appropriate zone based on their role.
This is how I envisioned and structured it:
- External — This switch represents the WAN. It handles traffic to and from the internet through my router. It’s an untrusted zone that allows for direct internet access.
- Internal Switch 1 — The LAN. This one allows traffic between my host and the VMs. My AD, file server, and Linux VMs will sit on this subnet.
- Internal Switch 2 — The DMZ. This is a semi-trusted zone for public-facing or externally reachable services. My web server VM and VPN will live here.
- Private Switch — This allows communication directly between VMs, excluding the host. My SQL Server VMs will be housed here.
Once the network structure was in place, I needed a firewall that could properly route traffic, handle VLANs, and manage VPN connections. That’s where pfSense comes in.
pfSense Plus is an open-source firewall built on FreeBSD, but calling it just a “firewall” doesn’t do it justice. It handles security, routing, and network services exceptionally well; it’s also great for VPN setup, monitoring, reporting, and automation. You can even extend it with packages for advanced functionality.
pfSense gives me enterprise-grade network control and management in an open-source package, so it checks all the boxes for what I want to accomplish in my homelab: isolate network segments, secure access through VPN, monitor and optimize bandwidth, simulate an enterprise firewall setup for certification prep, and automate configuration through scripting. It’s a key piece of building toward an infrastructure-as-code approach.
To get started, I downloaded pfSense from pfsense.org/download. The download requires a quick registration with Netgate, the team that supports pfSense. Once that was done, I pulled down the ISO file. Staying true to the automation mindset, I wrote a PowerShell script that builds out PF01, my VM for pfSense, and handles the installation automatically.
You can find that PowerShell script on my GitHub repository.
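The four-switch layout and the PF01 build described above could be scripted along these lines; this is an added sketch, not the script from the author's repository. The physical adapter name, file paths, VM sizing, and the choice to give PF01 a NIC in the WAN, LAN and DMZ zones only are assumptions.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added sketch, not the author's script. Names, paths and sizes are assumptions.
$ErrorActionPreference = 'Stop'

$UplinkNic    = 'Ethernet'                      # assumed physical adapter name
$IsoPath      = 'D:\ISO\pfsense-installer.iso'  # placeholder path to the downloaded ISO
$VhdPath      = 'D:\VMs\PF01\PF01.vhdx'         # placeholder disk location
$HostOnUplink = $true   # set $false only if the host has another management path

# Zone name -> Hyper-V switch type, following the layout in the post.
$Zones = [ordered]@{
    'External'   = 'External'   # WAN, untrusted
    'Internal 1' = 'Internal'   # LAN
    'Internal 2' = 'Internal'   # DMZ
    'Private'    = 'Private'    # VM-to-VM only, host excluded
}

foreach ($name in $Zones.Keys) {
    # Skip switches that already exist so the script can be re-run safely.
    if (Get-VMSwitch -Name $name -ErrorAction SilentlyContinue) { continue }
    if ($Zones[$name] -eq 'External') {
        New-VMSwitch -Name $name -NetAdapterName $UplinkNic `
                     -AllowManagementOS $HostOnUplink | Out-Null
    } else {
        New-VMSwitch -Name $name -SwitchType $Zones[$name] | Out-Null
    }
}

# Generation 2 VM; the first NIC lands on the WAN switch.
New-VM -Name 'PF01' -Generation 2 -MemoryStartupBytes 2GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 20GB -SwitchName 'External' | Out-Null
Set-VMProcessor -VMName 'PF01' -Count 2
# FreeBSD-based guests do not boot on Hyper-V Gen 2 with Secure Boot enabled.
Set-VMFirmware -VMName 'PF01' -EnableSecureBoot Off

# Assumed: one NIC each for LAN and DMZ so pfSense routes between the zones.
foreach ($name in 'Internal 1', 'Internal 2') {
    Add-VMNetworkAdapter -VMName 'PF01' -SwitchName $name -Name $name
}

# Attach the installer ISO and boot from it first.
$dvd = Add-VMDvdDrive -VMName 'PF01' -Path $IsoPath -Passthru
Set-VMFirmware -VMName 'PF01' -FirstBootDevice $dvd

# Audit: confirm which zone each adapter is attached to before first boot.
Get-VMNetworkAdapter -VMName 'PF01' | Select-Object Name, SwitchName, MacAddress
```

The MAC addresses from the final audit line are what let you match each Hyper-V adapter to the interface names pfSense shows during interface assignment.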
With pfSense now installed, the next step will be configuration: VLANs, routing rules, VPN setup, and monitoring. That’ll be the focus of the next post.