Zero-Trust in Plain Terms
Zero-trust means "never trust, always verify." No device — regardless of whether it's inside your network — is implicitly trusted. Every connection is authenticated, every request is authorized, and lateral movement between segments is blocked by default.
pfSense as Your Enforcement Point
pfSense (or its fork OPNsense) is a free, open-source firewall that handles routing, NAT, VLANs, and ACLs. It's the backbone of most self-hosted zero-trust setups because it gives you granular per-interface and per-VLAN rule control without a per-seat license.
Firewall Rule Baseline
The default posture should be deny-all with explicit allows. A workstation VLAN rule set might look like:
# pfSense evaluates the rules of the ingress interface top-down; the first match wins
# Allow workstations to reach DNS on VLAN 20 servers
pass in on VLAN30 proto udp from VLAN30:network to 10.0.20.10 port 53
# Allow workstations to reach file server on VLAN 20
pass in on VLAN30 proto tcp from VLAN30:network to 10.0.20.20 port 445
# Block all other traffic from workstations to internal address space.
# PRIVATE_NETS is an alias you define (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16);
# blocking "to !VLAN30:network" here would also swallow the internet rule below
block in on VLAN30 from VLAN30:network to <PRIVATE_NETS>
# Allow workstations to reach the internet
pass in on VLAN30 from VLAN30:network to any

Installing Suricata for IDS/IPS
Suricata runs as a pfSense package and inspects traffic in real time against community rulesets (ET Open, Snort VRT). Enable it on your WAN interface for inbound threat detection and on your internal interfaces to catch lateral movement. Run it in IDS mode (passive) first and switch to IPS mode (inline) only once you have tuned the ruleset, because inline mode turns every false positive into dropped traffic.
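The following is an added example, not code from the article, pfSense or Suricata, and it serves both the firewall baseline and the Suricata section. It parses the VLAN30 rule set into a first-match evaluator with pfSense's semantics (rules of the ingress interface, top-down, first match wins, implicit deny), then runs Suricata eve.json alert records from the internal interfaces through that evaluator, so an alert on a flow the baseline says should be blocked stands out as a rule gap or an enforcement failure. Assumptions: the workstation subnet 10.0.30.0/24, an alias named PRIVATE_NETS holding RFC 1918 space, and the eve.json records, which are constructed; the rule text is the article's, carried in both the block-to-!VLAN30:network form and the block-to-alias form so the difference shows up in the verdicts.

```python
"""Added example, not code from the article, pfSense or Suricata: parse the
VLAN30 rule set, evaluate flows the way pfSense does (rules of the ingress
interface, top-down, first match wins, implicit deny) and use the verdict to
triage Suricata eve.json alerts. Assumed: VLAN30 = 10.0.30.0/24 and an alias
named PRIVATE_NETS; every eve.json record below is constructed."""
import ipaddress
import json
import re
from collections import namedtuple

NETWORKS = {"VLAN20": ipaddress.ip_network("10.0.20.0/24"),  # servers (article)
            "VLAN30": ipaddress.ip_network("10.0.30.0/24")}  # workstations (assumed)
TABLES = {"PRIVATE_NETS": [ipaddress.ip_network(n) for n in  # pfSense alias -> pf table
                           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]}

# The block rule aimed at "!VLAN30:network" vs. aimed at private address space.
RULESET_NEGATED = """
pass in on VLAN30 proto udp from VLAN30:network to 10.0.20.10 port 53
pass in on VLAN30 proto tcp from VLAN30:network to 10.0.20.20 port 445
block in on VLAN30 from VLAN30:network to !VLAN30:network
pass in on VLAN30 from VLAN30:network to any
"""
RULESET_ALIAS = RULESET_NEGATED.replace("!VLAN30:network", "<PRIVATE_NETS>")

RULE_RE = re.compile(r"^(?P<action>pass|block) in(?: quick)? on (?P<iface>\S+)"
                     r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)"
                     r"(?: port (?P<port>\d+))?$")
# proto/src/dst None = any; src and dst are lists of networks; dst_negated covers '!'
Rule = namedtuple("Rule", "action iface proto src dst dst_negated port")

def _nets(token):
    """Resolve any / X:network / <table> / host; a leading '!' negates the match."""
    negated, token = token.startswith("!"), token.lstrip("!")
    if token == "any":
        return None, negated
    if token.endswith(":network"):
        return [NETWORKS[token[:-8]]], negated
    if token.startswith("<"):
        return TABLES[token.strip("<>")], negated
    return [ipaddress.ip_network(token)], negated     # bare host -> /32

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        (src, _), (dst, neg) = _nets(m["src"]), _nets(m["dst"])
        rules.append(Rule(m["action"], m["iface"], m["proto"], src, dst, neg,
                          int(m["port"]) if m["port"] else None))
    return rules

def matches(rule, proto, src, dst, port):
    hit = lambda ip, nets: any(ipaddress.ip_address(ip) in n for n in nets)
    if rule.proto and rule.proto != proto:
        return False
    if rule.src is not None and not hit(src, rule.src):
        return False
    if rule.dst is not None and hit(dst, rule.dst) == rule.dst_negated:
        return False
    return rule.port is None or rule.port == port

def decide(rules, iface, proto, src, dst, port):
    """First matching rule on the ingress interface wins; no match is a block."""
    for r in rules:
        if r.iface == iface and matches(r, proto, src, dst, port):
            return r.action
    return "block"

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETWORKS.items() if addr in net), None)

def triage(rules, eve_lines):
    """Keep alert events; tag each with its direction and the baseline's verdict."""
    out = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                                  # malformed line
        if ev.get("event_type") != "alert":
            continue                                  # flow, dns, tls ... records
        src_vlan, dst_vlan = vlan_of(ev["src_ip"]), vlan_of(ev["dest_ip"])
        direction = ("lateral" if src_vlan and dst_vlan and src_vlan != dst_vlan
                     else "outbound" if src_vlan else "inbound")
        verdict = "n/a"                               # WAN rules are not modelled
        if src_vlan:                                  # traffic entered on that VLAN
            verdict = decide(rules, src_vlan, ev["proto"].lower(), ev["src_ip"],
                             ev["dest_ip"], ev.get("dest_port"))
        out.append({"signature": ev["alert"]["signature"],
                    "direction": direction, "baseline": verdict})
    return out

SAMPLE_EVE = [  # constructed records in eve.json shape, not real Suricata output
    '{"event_type":"alert","src_ip":"10.0.30.15","dest_ip":"10.0.20.20","dest_port":445,"proto":"TCP","alert":{"signature":"DEMO SMB to file server","severity":3}}',
    '{"event_type":"alert","src_ip":"10.0.30.15","dest_ip":"10.0.20.30","dest_port":3389,"proto":"TCP","alert":{"signature":"DEMO RDP attempt","severity":2}}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.20.10","dest_port":53,"proto":"UDP","alert":{"signature":"DEMO DNS from WAN","severity":2}}',
    '{"event_type":"flow","src_ip":"10.0.30.15","dest_ip":"10.0.20.10","proto":"UDP"}',
    '{"event_type":"alert","src_ip":"10.0.30.15","dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","alert":{"signature":"DEMO outbound TLS to flagged host","severity":1}}',
    "not json",
]

if __name__ == "__main__":
    for hit in triage(parse_rules(RULESET_ALIAS), SAMPLE_EVE):
        print(hit, "<-- rule gap or bypass" if hit["baseline"] == "block" else "")
```

Run it directly to print the triage of the sample records. Calling decide() on the two rule sets shows the point of the alias: the !VLAN30:network form blocks the workstation-to-internet flow as well, while the alias form lets it through and still blocks the RDP attempt into VLAN 20. Flows from an interface with no rules (VLAN20 here) fall to the implicit deny.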
Certificate-Based Authentication for VPN
Pair pfSense's OpenVPN server with a local CA and client certificates. No username/password-only access: every remote device must present a valid cert issued by your CA. To revoke a compromised device, add its certificate to the CA's CRL; the OpenVPN server rejects it at its next handshake, and no firewall rule needs to change.
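As an added example, not code from the article or pfSense, here are the steps above done with the plain openssl CLI driven from Python: build a local CA, issue a client certificate, publish a CRL, revoke the certificate and re-check it the way the OpenVPN server would. The directory layout, the openssl configuration and the client name laptop-alice are constructed for the demo; pfSense's Certificate Manager performs the same steps behind its GUI.

```python
"""Added example (not code from the article or pfSense): a minimal local CA
for OpenVPN client certificates with CRL-based revocation, driven through the
openssl CLI. The directory layout, the openssl config and the client name
"laptop-alice" are constructed for the demo."""
import subprocess
import tempfile
from pathlib import Path

CA_CONF = """\
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = {dir}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
"""
# P-256 keys: fast to generate and supported by OpenVPN on both ends.
EC_KEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]

def _ssl(ca, *args):
    """Run one openssl command inside the CA directory; raise on failure."""
    subprocess.run(["openssl", *args], cwd=ca, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def make_ca(ca):
    """CA key, self-signed root and the bookkeeping files 'openssl ca' needs."""
    ca = Path(ca).resolve()
    (ca / "newcerts").mkdir(parents=True, exist_ok=True)
    (ca / "index.txt").write_text("")
    (ca / "serial").write_text("01\n")
    (ca / "crlnumber").write_text("01\n")
    (ca / "ca.cnf").write_text(CA_CONF.format(dir=ca))
    _ssl(ca, "req", "-x509", *EC_KEY, "-sha256", "-days", "3650",
         "-subj", "/CN=Demo VPN CA", "-config", "ca.cnf",
         "-addext", "basicConstraints=critical,CA:TRUE",
         "-addext", "keyUsage=critical,keyCertSign,cRLSign",
         "-keyout", "ca.key", "-out", "ca.crt")

def issue_client(ca, name):
    """Client key and CSR, signed by the CA; the cert is the VPN credential."""
    _ssl(ca, "req", "-new", *EC_KEY, "-subj", f"/CN={name}", "-config", "ca.cnf",
         "-keyout", f"{name}.key", "-out", f"{name}.csr")
    _ssl(ca, "ca", "-batch", "-notext", "-config", "ca.cnf",
         "-in", f"{name}.csr", "-out", f"{name}.crt")

def gen_crl(ca):
    """(Re)publish the CRL the OpenVPN server checks on every handshake."""
    _ssl(ca, "ca", "-gencrl", "-config", "ca.cnf", "-out", "crl.pem")

def revoke_client(ca, name):
    """Mark the cert revoked in the CA database and republish the CRL."""
    _ssl(ca, "ca", "-config", "ca.cnf", "-revoke", f"{name}.crt")
    gen_crl(ca)

def cert_is_valid(ca, name):
    """Chain plus CRL check: the decision the VPN server makes at connect time."""
    r = subprocess.run(["openssl", "verify", "-CAfile", "ca.crt", "-crl_check",
                        "-CRLfile", "crl.pem", f"{name}.crt"], cwd=ca,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def demo(name="laptop-alice"):
    """Issue, verify, revoke, verify again; return the observed outcomes."""
    ca = tempfile.mkdtemp(prefix="demo-ca-")
    make_ca(ca)
    issue_client(ca, name)
    gen_crl(ca)                       # an empty CRL must exist before the first check
    before = cert_is_valid(ca, name)
    revoke_client(ca, name)
    after = cert_is_valid(ca, name)
    index = (Path(ca) / "index.txt").read_text().splitlines()
    revoked = sum(line.startswith("R") for line in index)   # 'R' rows are revoked
    return {"before_revocation": before, "after_revocation": after,
            "revoked_entries": revoked}

if __name__ == "__main__":
    print(demo())   # expected: before True, after False, revoked_entries 1
```

Running the file prints the three observed outcomes. Whatever issues the CRL must republish it after each revocation, and the OpenVPN server must be pointed at the current CRL file; a stale CRL is the usual reason a revoked client can still connect.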
