BRIEF · 00702 · Operator · Digital · Network & Hardware · 16 min read · updated 2026-05-30

The Protectli Vault: Your Perimeter in a Box

Your router is your perimeter. A hard look at why a dedicated firewall appliance changes the threat model.

§ BRIEFING

TL;DR

The router your ISP shipped is a network bridge with a security badge taped on. A dedicated hardware firewall (Protectli is the canonical pick) changes the perimeter from "whatever the vendor configured" to "what you chose". This guide is the honest case for why that matters, how Protectli compares to the alternatives, which Vault model fits which household, and how the network topology changes around it.

What you'll come away with

  • A clear view of the threats a consumer router structurally cannot address.
  • A working definition of 'hardware firewall' that excludes the marketing-grade ones.
  • A model choice (VP2410 / VP2420 / VP4630 / VP6650) matched to your link speed and ambitions.
  • A trust position on AMI vs. coreboot you've actually thought through.
  • A deployment topology that demotes the ISP box without breaking your network.

Prerequisites

  • A home network you administer (router credentials, switch access).
  • A separate Wi-Fi access point, or willingness to buy one; the firewall is not your AP.
  • Comfort terminating ethernet and reading port-scan output.

Threat model

Opportunistic adversaries (mass scans, UPnP abuse, vendor-firmware CVEs) plus the lateral risk of compromised IoT inside your own LAN. Not state-level actors; not physical-access threats; not endpoint compromise. The perimeter is one layer of many; this guide makes that layer real.

The router your ISP shipped is a plastic box built to a margin. It speaks PPPoE or DHCP to the carrier, runs a busybox-grade Linux from 2019, hosts a Wi-Fi radio designed by the lowest bidder, and exposes a web UI written by someone who has since moved on. It is your perimeter. It is also, almost without exception, the weakest device on your network, and the only one that sees every packet you send.

The perimeter is where adversaries spend their cheapest effort: mass scans, default-credential sweeps, UPnP abuse, DNS hijacking, firmware CVEs that take eighteen months to patch because nobody at the carrier owns the update pipeline. None of this requires a sophisticated attacker. It requires a Tuesday.

A hardware firewall is the unglamorous answer. Not a feature toggle on a combo box, but a dedicated, fanless x86 appliance whose only job is inspecting packets, running software you chose, updated on a schedule you control. Protectli builds the canonical version of that appliance for households and small labs. This guide is the honest case for why it matters and how to pick the right one.

Your perimeter is a building you live behind. Stop letting the carrier own the front door.

By the end of this guide you will know exactly what a hardware firewall changes about your threat model, why Protectli is the default recommendation rather than "build your own 1U", which Vault model fits your link speed and ambitions, and how to slot it into your existing network without an outage. The actual firewall OS install (pfSense, end to end) is the next guide in this track.

§ 01

The threats your ISP router cannot address.

A consumer combo router is competent at three jobs: NAT, DHCP, and not catching fire. It is structurally incompetent at five others that matter:

§ CHECKLIST, What the ISP box cannot do for you

None of this is hypothetical. CISA, ENISA, and the NCSC have all published guidance over the past five years that amounts to the same sentence: assume the consumer router is the adversary's foothold, and architect around it.

§ 02

What a "hardware firewall" actually is.

The phrase gets abused. Every $90 router on Amazon claims a "hardware firewall" because it has an iptables rule. The meaningful definition is narrower:

  • A dedicated x86 (or occasionally ARM) appliance whose only job is packet inspection and routing.
  • No Wi-Fi radio. Wireless lives on a separate access point so the firewall doesn't have to play two roles badly.
  • Multiple physical NICs, typically four or six, so you can split WAN, LAN, IoT, and management onto isolated interfaces.
  • Enough CPU to run stateful inspection and an IDS/IPS without dropping line rate.
  • Open firmware and an OS you chose (pfSense, OPNsense, VyOS, OpenWRT on x86) rather than a vendor blob.

Everything else (UTM appliances from Fortinet, Sophos home edition, Ubiquiti's UDM) is some compromise on that list, usually trading openness for ease. None of those are wrong; none of them are what this guide is about.

§ 03

Why Protectli specifically.

You can build the same box yourself from a refurbished SFF Dell with an Intel quad-port NIC. Many people have. Protectli wins for the same reason the official Raspberry Pi PSU wins: it is the dull, supported, known-good version that lets you stop worrying about the hardware and start worrying about the configuration.

Option: Protectli Vault
  Strength: Fanless, Intel NICs across the line, coreboot option on most SKUs, 5-year warranty, ships with no OS
  Weakness: Pay a premium over DIY; some older Atom SKUs run hot under IDS load
  Honest verdict: Default pick; the one this guide assumes

Option: Netgate appliance (SG-1100 / 2100 / 4100)
  Strength: pfSense Plus included and supported by the vendor; tight integration
  Weakness: ARM on the small models limits package availability; locked to pfSense
  Honest verdict: Buy if you want a vendor throat to choke

Option: Used Dell SFF + Intel i350-T4
  Strength: Cheap, fast, lots of CPU headroom
  Weakness: Loud fan, idles ~30 W, no coreboot, lives in your closet
  Honest verdict: Great lab; mediocre living-room appliance

Option: Mikrotik / Ubiquiti EdgeRouter
  Strength: Inexpensive, line-rate routing
  Weakness: Vendor OS only; thin firewall feature set; recurring CVE history
  Honest verdict: A router, not a firewall; don't confuse the two
The Protectli premium is real. So is the time you save not debugging a NIC driver at 1 AM.

The specifics that matter, in order: Intel NICs (igc/igb/ix drivers are first-class in FreeBSD and Linux; Realtek is a long-running headache on BSD), coreboot availability on most current SKUs (which gives you an auditable boot chain and disables the Intel Management Engine on supported boards), passive cooling on every model up through the VP46xx line, and a 5-year warranty that the company actually honours.

§ 04

Picking the right Vault.

Buy for your WAN speed and your IDS ambitions, not for future-proofing. CPU is the limit on a firewall, and CPU goes out of date faster than RJ45 jacks.

  • VP2410, Intel J4125, 4× i225-V 1 GbE

    ≤ 1 Gbps WAN · no IDS · ~$330 barebones

    The entry box. Plenty for routing and firewalling a gigabit link. Will choke if you turn on Suricata with the full ET Open ruleset. Fine for most homes.

  • VP2420, Intel J6412 (Elkhart Lake), 4× i225-V 2.5 GbE

    1 Gbps WAN with IDS · 2.5 Gbps without · ~$430

    The current sweet spot. Faster cores than the VP2410, AES-NI, and 2.5 GbE ports that match modern carrier handoffs. This is the model most people should buy.

  • VP4630 / VP4650, Intel i3-N305 or i5-1235U, 6× i226-V 2.5 GbE

    2.5 Gbps WAN with IDS · 10 Gbps via SFP+ on VP6650 · ~$700+

    Six ports give you WAN + LAN + IoT + GUEST + MGMT + spare without a managed switch. Genuinely overkill for most homes; correct for labs and small offices.

  • VP6630 / VP6650, Intel i3-1315U / i5-1335U, 4× 2.5 GbE + 2× SFP+

    Multi-gig with 10 GbE uplink · serious lab use · ~$900+

    If your WAN is 5 Gbps or you're running this between segments at 10 Gbps internally. Otherwise unnecessary.

  • RAM: 8 GB DDR4 SO-DIMM (Crucial or Kingston)

    Memory · not included in barebones

    8 GB is comfortable for pfSense with Suricata + pfBlockerNG + a couple of VPN tunnels. 16 GB if you want headroom.

  • Storage: 120 GB SATA SSD or NVMe (VP46xx+)

    Boot + logs · not included in barebones

    Avoid 32 GB mSATA; it is too small for ZFS plus logs plus pfBlockerNG feeds. 120 GB is the floor; 250 GB is comfortable.

§ 05

Coreboot vs. AMI BIOS: the firmware-trust question.

Every current Vault ships with AMI BIOS by default and offers a Protectli-maintained coreboot image as a free download. The decision is not religious; it has tradeoffs.

Aspect: Boot chain
  AMI BIOS (stock): Closed binary, signed by AMI
  Coreboot: Open source, auditable, reproducible builds

Aspect: Intel ME state
  AMI BIOS (stock): Default, full ME firmware partition
  Coreboot: me_cleaner applied, ME reduced to the bootstrap minimum

Aspect: Secure Boot
  AMI BIOS (stock): Supported
  Coreboot: Not supported (FreeBSD/pfSense doesn't need it; some Linux installs care)

Aspect: Update process
  AMI BIOS (stock): Vendor utility, low risk
  Coreboot: Manual flashutil from a Linux USB; brick risk if you misuse it

Aspect: Practical security
  AMI BIOS (stock): Fine for most threat models
  Coreboot: Real gain if you don't trust the ME or want an auditable boot
Coreboot is the right choice if you'll do it carefully. Stock AMI is the right choice if you won't.

§ 06

Physical install: where the box lives.

  1. STEP 01

    Pick the location with airflow.

    Vaults are fanless and dissipate heat through the chassis. Do not stuff one into a closed media cabinet. A shelf with two inches of clearance on every side stays cool indefinitely. The chassis will get warm to the touch under load; that is the design, not a failure.

  2. STEP 02

    Cable the WAN and LAN; port assignment is convention, not physics.

    By convention port 1 is WAN, port 2 is LAN. pfSense and OPNsense both let you assign any physical port to any role during install, so labelling is for your sanity, not the OS's. Use a different colour cable for WAN; your future self will thank you.

  3. STEP 03

    Wire up console access before you need it.

    Every current Vault exposes a serial console: older models on a dedicated DB9, newer models (VP24xx and up) over the USB-C port on the front. Buy the right cable now. The day you lock yourself out of the web UI is not the day to order one from Amazon.

  4. STEP 04

    Put it on a UPS.

    A firewall that loses power mid-write to its config XML is a firewall that boots to defaults. Any 600 VA consumer UPS handles a Vault plus a switch and an AP for thirty minutes, long enough to ride out the brownouts that actually corrupt filesystems.

§ 07

What changes in your network topology.

The firewall replaces your ISP router as the edge device. The ISP box is demoted to "the modem", sometimes literally, by flipping it into bridge or passthrough mode; sometimes functionally, by leaving it in router mode but only using its modem half. Wi-Fi moves to a dedicated access point on the LAN side.

topology
Internet
   │
   ▼
┌──────────────────┐
│  ISP modem/ONT   │  ← bridge mode if it supports it
└────────┬─────────┘
         │  (single ethernet, public IP terminates here)
         ▼
┌──────────────────┐
│  Protectli Vault │  ← runs pfSense; the only public IP on your network
│  (firewall)      │     lives on this WAN interface
└────────┬─────────┘
         │  (LAN, trunked VLANs to the switch)
         ▼
┌──────────────────┐
│  Managed switch  │  ← splits VLANs to APs and wired drops
└──┬──────┬────────┘
   │      │
   ▼      ▼
 [AP]   [Wired devices]
 (TRUSTED / GUEST / IOT SSIDs → VLAN-tagged)
The target shape. Wi-Fi is a separate device, not a feature of the firewall.
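The isolation the diagram promises (IoT and guest segments reach the internet, never the trusted or management segments) is a property of rule ordering plus default deny, and it is worth checking as a table of flows before you reproduce it in a real rule editor. The following is an added example, not pfSense or OPNsense syntax and not configuration from this guide: a small first-match policy model in which the VLAN subnets, the segment names, and the rule set (including the IoT egress allow-list of DNS, NTP and HTTPS) are constructed for illustration.

```python
"""Model of the segmented topology above, evaluated as a first-match policy
with default deny.

Added example: this is not pfSense or OPNsense syntax and not configuration
from the guide. The VLAN subnets and the rule set are constructed so the
isolation the diagram promises (IoT and guest cannot reach trusted or
management) can be checked as a table of flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed VLAN plan for the four segments in the diagram.
SEGMENTS = {
    "TRUSTED": ip_network("10.0.10.0/24"),
    "IOT": ip_network("10.0.20.0/24"),
    "GUEST": ip_network("10.0.30.0/24"),
    "MGMT": ip_network("10.0.99.0/24"),  # firewall, switch and AP admin UIs
}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to; public space is INTERNET."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "PRIVATE_UNKNOWN" if any(addr in n for n in PRIVATE) else "INTERNET"


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src: str                          # segment name or "ANY"
    dst: str                          # segment name, "INTERNET" or "ANY"
    dports: Optional[FrozenSet[int]]  # None means any destination port
    note: str


# Ordered; the first rule that matches decides. Anything unmatched is dropped.
POLICY = [
    Rule("pass", "TRUSTED", "ANY", None, "trusted devices may reach everything"),
    Rule("block", "ANY", "MGMT", None, "management plane only from TRUSTED"),
    Rule("pass", "IOT", "INTERNET", frozenset({53, 123, 443}),
         "IoT egress allow-list: DNS, NTP, HTTPS"),
    Rule("pass", "GUEST", "INTERNET", None, "guests get the internet and nothing else"),
]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow that would cross the firewall."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if s == d and s in SEGMENTS:
        # Same VLAN: the switch forwards it and the firewall never sees it,
        # which is exactly why IoT devices belong in their own segment.
        return "pass", "intra-VLAN traffic does not traverse the firewall"
    for rule in POLICY:
        if rule.src not in ("ANY", s) or rule.dst not in ("ANY", d):
            continue
        if rule.dports is not None and dport not in rule.dports:
            continue
        return rule.action, rule.note
    return "block", "default deny"


def permitted(src_ip: str, dst_ip: str, dport: int) -> bool:
    return evaluate(src_ip, dst_ip, dport)[0] == "pass"


if __name__ == "__main__":
    # Constructed flows worth re-checking after every rule change.
    for flow in [("10.0.20.7", "10.0.10.5", 445), ("10.0.20.7", "203.0.113.10", 443),
                 ("10.0.30.4", "10.0.99.1", 443), ("10.0.10.5", "10.0.99.1", 443)]:
        print(flow, evaluate(*flow))
```

The order matters: the TRUSTED pass rule sits above the MGMT block so that admins can still reach the management plane, and the IoT rule names an explicit port set so that an unexpected egress (a camera phoning home on a non-standard port) falls through to the default deny rather than being silently allowed.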

§ 08

Operational discipline: what you commit to.

A firewall is not an appliance you forget. It is the most important managed system in your house. The discipline is light if you build the habit early.

§ CHECKLIST, The monthly firewall checklist

§ 09

Verification: confirm the perimeter holds.

§ CHECKLIST, End-of-install verification

from-cellular
# Replace 203.0.113.42 with your WAN IP
nmap -Pn -p- --min-rate 1000 203.0.113.42

# Expected output: 0 ports open, every port reported filtered (-Pn skips host
# discovery, so the scan runs even though the host never answers a ping).
# If anything is open that you didn't put there, find it before you sleep.
Run this from a phone on LTE/5G, not from your LAN.
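Reading a 65,535-port result by eye is error-prone, and "find it before you sleep" is easier when the scan is diffed against the list of services you meant to expose. As an added example (not part of this guide, and not an nmap feature), the script below parses nmap's grepable output (what `-oG -` prints) and reports any open port that is not on your allow-list, plus any allow-listed port the scan failed to see. Both scan transcripts are constructed for the example against the guide's documentation address 203.0.113.42; the allow-list entry for a WireGuard listener is likewise hypothetical.

```python
"""Triage an external scan of your own WAN address.

Added example; not part of the original guide and not an nmap feature. It
parses nmap's grepable output (-oG) and flags any open port that is not on
the allow-list of services you deliberately expose. Both transcripts below
are constructed for the example.
"""
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]            # (protocol, port)
Finding = Tuple[int, str, str, str]  # (port, state, proto, service)

# Services you knowingly expose on the WAN, e.g. {("udp", 51820)} for a
# WireGuard listener. Empty is the expected state for a home perimeter.
ALLOWED_PORTS: Set[PortKey] = set()

# Constructed: what a clean perimeter looks like (every port filtered).
CLEAN_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -p- --min-rate 1000 -oG - 203.0.113.42\n"
    "Host: 203.0.113.42 ()\tStatus: Up\n"
    "Host: 203.0.113.42 ()\tPorts: \tIgnored State: filtered (65535)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 131.02 seconds\n"
)

# Constructed: the same scan after a forgotten port-forward and an admin UI.
EXPOSED_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -p- --min-rate 1000 -oG - 203.0.113.42\n"
    "Host: 203.0.113.42 ()\tStatus: Up\n"
    "Host: 203.0.113.42 ()\tPorts: 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///, 51820/open|filtered/udp//wireguard///"
    "\tIgnored State: filtered (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 140.55 seconds\n"
)


def parse_grepable(text: str) -> Dict[str, List[Finding]]:
    """Return {host: [(port, state, proto, service), ...]} from -oG output.

    Grepable port entries are port/state/proto/owner/service/rpc/version;
    only the first five fields are used here.
    """
    results: Dict[str, List[Finding]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        cells = line.split("\t")
        host = cells[0].split()[1]
        findings = results.setdefault(host, [])
        fields = dict(c.split(":", 1) for c in cells[1:] if ":" in c)
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            port, state, proto, _owner, service = parts[:5]
            findings.append((int(port), state, proto, service))
    return results


def triage(text: str, allowed: Set[PortKey] = ALLOWED_PORTS) -> Tuple[List[PortKey], List[PortKey]]:
    """Compare observed open ports with the allow-list.

    Returns (unexpected, missing): ports open that you never intended to
    expose, and allow-listed ports the scan did not see (a VPN that went
    down, or a scan that never reached the WAN). 'open|filtered', the usual
    verdict for UDP, is counted as open because it deserves a look.
    """
    seen: Set[PortKey] = set()
    for findings in parse_grepable(text).values():
        for port, state, proto, _service in findings:
            if state.startswith("open"):
                seen.add((proto, port))
    return sorted(seen - allowed), sorted(allowed - seen)


if __name__ == "__main__":
    import sys
    unexpected, missing = triage(sys.stdin.read())
    for proto, port in unexpected:
        print(f"UNEXPECTED {proto}/{port} is open on the WAN")
    for proto, port in missing:
        print(f"MISSING {proto}/{port} was expected open but not seen")
    sys.exit(1 if unexpected else 0)
```

From the phone's tethered laptop (or a cheap VPS you control), pipe the scan straight in: `nmap -Pn -p- --min-rate 1000 -oG - 203.0.113.42 | python3 triage.py`. A non-zero exit means something is open that you did not put there.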

§ 10

What this hardware does NOT do.

✓ PROTECTS AGAINST

  • Lateral movement from compromised IoT into your trusted segments, assuming you actually configure VLANs.
  • Outbound command-and-control from infected endpoints, if you turn on egress rules and DNS block-lists.
  • ISP-firmware CVEs and vendor-side DNS tampering; the carrier box is no longer your perimeter.
  • Unsolicited inbound scans and exploit attempts: default-deny on WAN, no UPnP, no exposed admin.
  • A meaningful audit trail of what your network actually did; you finally have logs worth reading.

✗ DOES NOT

  • Protect endpoints that are already compromised; the firewall sees traffic, not malware on your laptop.
  • Defend against attacks at the Wi-Fi layer; that's the AP's job, not the firewall's.
  • Substitute for keeping your firewall OS patched. An out-of-date pfSense box IS the attack surface.
  • Stop you from misconfiguring a port-forward and exposing a service you forgot about.
  • Help with supply-chain attacks on the firewall hardware itself; coreboot mitigates, it does not eliminate.
  • Replace endpoint hardening, password hygiene, or a real backup story. The perimeter is one layer.

The Vault on your shelf is potential energy. The next guide is where it becomes kinetic.

§ REFERENCES

  [01] Protectli, official product line
  [02] Protectli, coreboot documentation
  [03] coreboot project
  [04] me_cleaner, Intel ME neutralisation
  [05] CISA, securing home networks
  [06] US-CERT, UPnP exposure advisory

Field notes for education. Private engagements: Greyshrine.