treeru.com

Running an office network on a consumer router works until it doesn’t. More connected devices tank the speeds, there’s no VLAN segmentation, and hosting a VPN server is out of the question. We installed OPNsense on an Intel N100 mini PC and built enterprise-grade networking for our small office — VLANs, granular firewall rules, WireGuard VPN, and real-time monitoring — all for under $250.

N100 TDP: 6W | VLAN Subnets: 3 | Routing Throughput: 940Mbps | Always-On: 24/7

1. Why Consumer Routers Fall Short

Consumer routers are optimized for a single purpose: connecting a household to the internet. The moment you run servers, need to isolate wireless devices from wired infrastructure, or require VPN access from outside, they hit a wall.

No VLAN Support

Servers, laptops, and IoT devices all share the same subnet. One compromised device threatens the entire network.

Limited Firewall Rules

Port forwarding is about all you get. Fine-grained traffic control and logging are impossible.

No VPN Server

Accessing internal servers remotely requires a separate device or third-party service.

No Monitoring

There is no way to see which device is consuming how much bandwidth.

Core Requirements for Office Networking

Network segmentation between servers and workstations, granular firewall control, VPN access, and traffic monitoring. Meeting all four on a single consumer router is practically impossible.

2. Hardware Selection — N100 Mini PC

We chose an Intel N100 mini PC as the platform for OPNsense. Dedicated firewall appliances exist, but mini PCs offer far better value and upgradeability for the price.

| Spec | Detail | Notes |
|---|---|---|
| CPU | Intel N100 (4-core, TDP 6W) | More than enough for routing |
| RAM | 8 GB DDR4 | OPNsense recommends 4 GB+ |
| Storage | 128 GB eMMC | Plenty of room for logs |
| NICs | 2.5 GbE x 2 ports | Separate WAN and LAN required |
| Power Draw | 8–12 W average | ~$1/month in electricity |
| Price | $110–$150 USD | Dual-NIC model |

NIC Count Is the Key Spec

The most important requirement when using a mini PC as a router is having at least two NIC ports. One port handles WAN (internet uplink) and the other serves LAN. If you use VLANs, a single LAN port paired with a managed switch is sufficient.

3. Installing and Configuring OPNsense

OPNsense is an open-source firewall OS built on FreeBSD. It started as a fork of pfSense but now has more active development and a noticeably cleaner UI.

Installation Steps

# 1. Download OPNsense ISO (official site)
# https://opnsense.org/download/

# 2. Create a bootable USB drive (Linux/macOS)
dd if=OPNsense-24.7-dvd-amd64.iso of=/dev/sdX bs=4M status=progress

# 3. Boot from USB and install
# Log in as "installer" (default password: opnsense)
# Select disk → choose ZFS or UFS filesystem → complete installation

# 4. Assign initial interfaces
# WAN: igc0 (connect internet uplink)
# LAN: igc1 (connect internal network)

# 5. Access the web interface
# Connect a PC to the LAN port, then open https://192.168.1.1
# Default credentials: root / opnsense
# ⚠️ Change the password immediately — never run with the default

Post-Install Checklist

  • Change admin password (System > Access > Users)
  • Set timezone (System > Settings > General)
  • Configure DNS servers: 1.1.1.1, 8.8.8.8 (System > Settings > General)
  • Check for firmware updates (System > Firmware > Status)
  • Change the web interface HTTPS port (e.g., 443 → 8443)

4. VLAN Segmentation

VLANs let you split a single physical network into logically isolated segments. By placing servers, wireless devices, and VPN clients on separate subnets, a problem in one zone stays contained — it doesn’t spill over to the others.

| VLAN | ID | Subnet | Purpose | DHCP Range |
|---|---|---|---|---|
| Servers | VLAN 10 | 10.x.10.0/24 | AI servers, NAS, backup servers | Static IP only |
| Wireless | VLAN 20 | 10.x.20.0/24 | Laptops, phones, tablets | .100 – .200 |
| VPN | VLAN 30 | 10.x.30.0/24 | WireGuard VPN clients | .10 – .50 |

Creating VLANs in OPNsense

# Create VLANs in the OPNsense web interface
# Interfaces > Other Types > VLAN

# VLAN 10 (Servers)
Parent Interface: igc1 (LAN)
VLAN Tag: 10
Description: SERVER_VLAN

# VLAN 20 (Wireless)
Parent Interface: igc1 (LAN)
VLAN Tag: 20
Description: WIRELESS_VLAN

# VLAN 30 (VPN)
Parent Interface: igc1 (LAN)
VLAN Tag: 30
Description: VPN_VLAN

# Assign each VLAN as an interface
# Interfaces > Assignments > click + to add
# Set a static IP on each interface (gateway address)

Real-World Impact of VLAN Segmentation

VLANs 10 and 20 are separate layer-2 segments, so devices on the server subnet (VLAN 10) cannot directly reach the wireless subnet (VLAN 20), and vice versa; traffic between them has to be routed through OPNsense. With firewall rules there allowing only the traffic you explicitly permit, malware on a Wi-Fi device cannot spread to your servers.

5. Firewall Rules and Bandwidth Control

Once VLANs are in place, you control inter-VLAN traffic with firewall rules. The principle is simple: deny everything by default, then allow only what’s needed.

Key Firewall Rules

| Source | Destination | Port | Action | Purpose |
|---|---|---|---|---|
| VLAN 20 (Wireless) | Internet | ANY | Allow | General internet access |
| VLAN 20 (Wireless) | VLAN 10 (Servers) | ANY | Block | Prevent direct server access |
| VLAN 30 (VPN) | VLAN 10 (Servers) | 22, 443 | Allow | SSH and HTTPS via VPN |
| VLAN 10 (Servers) | Internet | 80, 443 | Allow | OS updates and API calls |
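
An added example (not from the original article or from OPNsense itself): a small Python model of the four rules above with first-match evaluation and a default deny, which is how OPNsense evaluates interface rules by default. It assumes x = 0 in the 10.x subnets, models "Internet" as any non-RFC 1918 address, and shows what changes if "Internet" is instead entered as destination "any" while the rules stay in the table's order.

```python
import ipaddress

# Assumption: the page writes subnets as 10.x.N.0/24; x = 0 is chosen for illustration.
NETS = {
    "SERVERS": ipaddress.ip_network("10.0.10.0/24"),   # VLAN 10
    "WIRELESS": ipaddress.ip_network("10.0.20.0/24"),  # VLAN 20
    "VPN": ipaddress.ip_network("10.0.30.0/24"),       # VLAN 30
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dst_matches(spec, ip):
    """Match a destination spec: 'any', 'INTERNET' (non-private) or a VLAN name."""
    if spec == "any":
        return True
    if spec == "INTERNET":
        return not any(ip in net for net in RFC1918)
    return ip in NETS[spec]

# The page's rules in table order: (source, destination, ports, action).
# ports=None means ANY.
PAGE_RULES = [
    ("WIRELESS", "INTERNET", None, "allow"),
    ("WIRELESS", "SERVERS", None, "block"),
    ("VPN", "SERVERS", {22, 443}, "allow"),
    ("SERVERS", "INTERNET", {80, 443}, "allow"),
]

def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, ports, action in rules:
        if (s in NETS[rule_src] and dst_matches(rule_dst, d)
                and (ports is None or port in ports)):
            return action
    return "block"  # default deny

# Hypothetical misconfiguration: "Internet" entered as destination "any".
ANY_RULES = [(s, "any" if d == "INTERNET" else d, p, a) for s, d, p, a in PAGE_RULES]
# Same "any" rules with the wireless block rule moved above the allow rule.
FIXED_RULES = [ANY_RULES[1], ANY_RULES[0]] + ANY_RULES[2:]

if __name__ == "__main__":
    # Constructed sample flow: a Wi-Fi laptop trying SSH to a server.
    flow = ("10.0.20.50", "10.0.10.5", 22)
    for name, rules in (("page", PAGE_RULES), ("any", ANY_RULES), ("fixed", FIXED_RULES)):
        print(f"{name:5s} wireless -> server:22 = {evaluate(rules, *flow)}")
```

With destination "any", the wireless allow rule matches first and the block rule below it never fires; moving the block rule above it restores the isolation. The same substitution on the servers rule would also let servers open ports 80 and 443 toward the other VLANs.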

Bandwidth Control (Traffic Shaper)

OPNsense’s Traffic Shaper lets you cap bandwidth per VLAN. For example, limiting the wireless subnet to 500 Mbps download ensures that a large file transfer on Wi-Fi doesn’t starve server traffic.

# OPNsense Traffic Shaper configuration
# Firewall > Shaper > Pipes

# Pipe 1: Wireless subnet download limit
Bandwidth: 500 Mbps
Description: WIRELESS_DOWN_LIMIT

# Pipe 2: Wireless subnet upload limit
Bandwidth: 100 Mbps
Description: WIRELESS_UP_LIMIT

# Link queues to rules
# Firewall > Shaper > Rules — apply pipes to VLAN 20 traffic

6. Managed Switch Integration

To map VLANs onto physical switch ports, you need a managed switch. Unmanaged switches do not understand VLAN tags, so a managed model is non-negotiable.

| Port | Mode | VLAN | Connected Device |
|---|---|---|---|
| Port 1 | Trunk | 10, 20, 30 (Tagged) | OPNsense LAN port |
| Ports 2–4 | Access | 10 (Untagged) | Server A, Server B, NAS |
| Ports 5–6 | Access | 20 (Untagged) | Wireless APs |
| Ports 7–8 | Access | 20 (Untagged) | Workstation PCs |

Trunk vs Access Ports

A trunk port carries multiple VLAN tags simultaneously. The port connecting OPNsense to the switch must always be trunk. An access port carries a single VLAN and strips the tag — the connected device doesn’t need to be VLAN-aware.

7. Monitoring and Log Management

OPNsense’s built-in monitoring tools give you full visibility into your network without needing a separate monitoring server. The dashboard shows real-time traffic right out of the box.

Real-Time Traffic Graphs

Reporting > Traffic shows per-interface bandwidth in real time. Instantly see which VLAN is consuming how much.

Firewall Logs

Firewall > Log Files > Live View streams blocked and allowed traffic in real time. Monitor suspicious access attempts as they happen.

Intrusion Detection (IDS/IPS)

Install the Suricata plugin to add full intrusion detection and prevention. Uses the free ET Open ruleset.

System Health

The dashboard displays CPU, memory, and disk usage. With the N100 handling routing, CPU usage sits at 5–15%.

8. Consumer Router vs OPNsense

| Feature | Consumer Router | OPNsense + N100 |
|---|---|---|
| Price | $40–$120 | $110–$150 (mini PC) |
| VLANs | Not supported | Unlimited |
| Firewall Rules | Basic port forwarding | Granular rule engine |
| VPN Server | Limited (premium models only) | WireGuard, OpenVPN |
| Monitoring | Connected device list | Real-time traffic, IDS/IPS |
| Bandwidth Control | Basic QoS | Traffic Shaper |
| Power Draw | 5–10 W | 8–12 W |
| Wi-Fi | Built-in | Separate AP required |

Wi-Fi Needs a Separate AP

OPNsense has no Wi-Fi capability, so you’ll need a dedicated access point (AP) for wireless clients. You can repurpose your existing consumer router in AP mode at zero additional cost. Separating the router and AP roles actually improves stability — each device does one job well instead of two jobs poorly.

Summary

OPNsense Office Network Build Checklist

  • Get a dual-NIC (2+ port) mini PC — N100 at TDP 6W runs 24/7 with no issues
  • Install OPNsense, then set admin password, timezone, and DNS immediately
  • Create 3 VLANs — Servers (10), Wireless (20), VPN (30) on separate subnets
  • Configure firewall rules — default deny, selectively allow needed traffic
  • Connect a managed switch with trunk and access ports mapped to VLANs
  • Set per-VLAN bandwidth caps with Traffic Shaper
  • Regularly check the monitoring dashboard and firewall logs
  • Switch your old router to AP mode for Wi-Fi coverage

Switching from a consumer router to OPNsense costs about $110–$150 for the mini PC. Add a managed switch and the total still stays under $250 — for enterprise-grade network infrastructure. Once it’s up, you can flexibly handle future requirements like adding servers, setting up VPN access, or monitoring traffic. After building your network, verify actual throughput with an iperf3 speed test, and when managing multiple servers, set up SSH key authentication for secure access.

This article is based on an actual small office deployment. Network configurations vary by environment; IP addresses and port numbers shown are examples. OPNsense menu locations and settings may differ across versions. Non-commercial sharing of this content is welcome. For commercial use, please contact us.
