Home Lab with FortiGate 60D
I run a small home lab, and at the core of my network stands a FortiGate 60D—a firewall model released around 2013, making it over 10 years old today. This device hasn’t had any active Fortinet security subscriptions for several years, and I don’t plan to purchase them either. Despite that, the 60D still plays a vital role in securing and organizing my home environment. Its hardware may be outdated by enterprise standards, but its built-in capabilities are far from obsolete.
Here’s how I use the FortiGate 60D in my network without any licensed services:
- Firewall rules and network segmentation
- Geo-blocking to restrict access from unwanted countries
- Security profiles: IPS, Antivirus, and Application Control
- DNS Server Together with Pi-hole and AdGuard
- SSL VPN server for secure remote access
- Internal and external traffic routing
- Hosting self-hosted applications like Nextcloud, Immich, and WordPress
Main Functions I Use
Even though my FortiGate 60D hasn’t had active security subscriptions in years, I still take full advantage of the built-in features. These functions are more than enough to secure and manage a small home lab or advanced home network. Below are the key features I rely on daily.
Firewall Rules and Network Segmentation
At the core of any firewall is the ability to define access rules between network segments. I’ve configured the FortiGate to divide my home network into multiple zones—such as IoT devices, servers, test machines, and user devices. Each zone has its own set of firewall rules that limit what kind of traffic can flow in or out.
For example, my IoT devices cannot communicate with my NAS or management systems. Similarly, guest devices get internet access but have no visibility into the internal network. This segmentation greatly reduces risk in case one of the devices becomes compromised.
Geo-Blocking to Restrict Access from Unwanted Countries
To further harden my home network, I’ve implemented geo-blocking using FortiGate’s built-in capabilities. Even without a FortiGuard subscription, the firewall allows me to create policies that block or allow traffic based on geographic location.
For example, I only allow SSL VPN and management access from specific countries where I live or frequently travel. All other regions are denied by default. This drastically reduces the number of scanning attempts, brute-force logins, and other unwanted access from high-risk IP ranges.
Geo-blocking is also applied to public-facing services like my WordPress test environments, where I restrict access to only a few selected countries. This adds another layer of security on top of strong passwords, firewall rules, and segmentation.
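As an added example (not from the original post and not Fortinet code), this Python script audits a configuration backup against the two rules described above: no accept policy from the IoT segment to the servers, and inbound accept policies for published services limited to geography address objects. The sample config is constructed, and the names `wan1`, `vlan_iot`, `vlan_srv` and `geo-home` are assumptions; local-in and SSL VPN settings are outside what it checks.

```python
import shlex
# Constructed, abridged sample in FortiOS "show" syntax; all names are assumptions.
SAMPLE = '''config firewall address
    edit "geo-home"
        set type geography
        set country "DE"
    next
end
config firewall policy
    edit 2
        set srcintf "vlan_iot"
        set dstintf "vlan_srv"
        set action accept
    next
    edit 3
        set srcintf "wan1"
        set dstintf "vlan_srv"
        set srcaddr "geo-home"
        set action accept
    next
    edit 4
        set srcintf "wan1"
        set dstintf "vlan_srv"
        set srcaddr "all"
        set action accept
    next
end'''

def parse(text):  # flat parser -> {section: {entry: {key: [values]}}}
    out, section, entry = {}, None, None
    for kw, *args in filter(None, map(shlex.split, text.splitlines())):
        if kw == "config":
            section = out.setdefault(" ".join(args), {})
        elif kw == "edit":
            entry = section.setdefault(args[0], {})
        elif kw == "set":
            entry[args[0]] = args[1:]
    return out

def audit(text, wan="wan1", isolated="vlan_iot", protected="vlan_srv"):
    cfg, findings = parse(text), []
    geo = {n for n, a in cfg.get("firewall address", {}).items() if a.get("type") == ["geography"]}
    for pid, p in cfg.get("firewall policy", {}).items():  # no "set action" line means deny
        src, dst, addrs, act = (p.get(k, []) for k in ("srcintf", "dstintf", "srcaddr", "action"))
        if act == ["accept"] and isolated in src and protected in dst:
            findings.append((pid, "isolated zone can reach protected zone"))
        if act == ["accept"] and wan in src and not (addrs and set(addrs) <= geo):
            findings.append((pid, "inbound accept not limited to geography objects"))
    return findings
```

To check a real backup, pass the file's text and the interface names from your own configuration to `audit()`; nested `config` blocks inside an entry are not handled by this flat parser.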
Security Profiles (Without Active Subscription)
While the IPS, Antivirus, and Application Control profiles work best with active FortiGuard updates, the base definitions and logic still remain usable. I apply these profiles to certain internal policies, especially between the less trusted zones.
The IPS module helps detect basic intrusion patterns and web attacks, while Application Control restricts unauthorized or risky applications. Even with outdated signatures, the Antivirus module can catch known threats circulating inside the home network. Although it’s not as powerful as a fully licensed setup, these security profiles add a meaningful layer of defense.
If you want to learn more about configuring and optimizing these features on FortiGate, here are some useful articles from my blog:
- FortiGate Antivirus Configuration: Best Practices and Troubleshooting
- FortiGate IPS: Detect Web Attacks
- Protect a Self-Hosted Application from Brute-Force Attacks with FortiGate
- FortiGate DDoS Protection
DNS Server Together with Pi-hole and AdGuard
In my home lab, DNS resolution is handled through a combination of FortiGate’s built-in DNS features and two powerful tools: Pi-hole and AdGuard Home. I’ve configured the FortiGate as the main DNS forwarder on the network. All client DNS requests are forwarded from FortiGate to either Pi-hole or AdGuard, depending on the segment or specific need.
This layered approach gives me flexibility and visibility. Pi-hole is great for blocking ads and trackers across all devices, while AdGuard Home adds more fine-grained control and filtering features, including DNS rewrites and HTTPS blocking.
Having the FortiGate in front allows me to define access policies, log DNS traffic, and even segment DNS behavior per VLAN. This is especially useful for isolating IoT devices or testing different DNS filtering setups.
SSL VPN Server for Remote Access
One of the most useful features I rely on is the SSL VPN server built into the FortiGate 60D. It allows me to securely access my home network from anywhere in the world. Whether I’m traveling or working remotely, I can connect to internal resources such as my Nextcloud, WordPress development servers, or Immich media library with full encryption.
The setup doesn’t require any active license or FortiGuard subscription. I use the FortiClient VPN on both desktop and mobile devices to establish the connection. Once connected, I have access to my internal VLANs just as if I were physically at home.
The FortiGate also gives me full control over who can connect and what resources they can reach, thanks to user-based firewall policies and group restrictions.
Internal and External Traffic Routing
The FortiGate 60D also handles all routing tasks in my network. Whether it’s routing between VLANs or directing specific traffic via different gateways (for example, VPNs), the firewall provides full control.
Policy-based routing allows me to define traffic paths based on source, destination, or service. This helps when I want certain devices to use a different WAN connection or bypass DNS filtering for testing purposes. Despite its age, routing performance remains solid for typical home lab traffic.
Hosting Multiple Servers and Applications on My Network
Inside my home lab, I run several servers hosting different applications that I rely on daily. For example, I use Nextcloud for personal cloud storage and file synchronization across devices. It gives me control over my data without depending on third-party cloud providers.
Nextcloud – Personal Cloud Storage and Sync
Nextcloud serves as my private cloud platform for storing files, syncing data across devices, and sharing documents securely. It gives me full control over my data without relying on public cloud services, which is especially important for privacy.
Thanks to integration with my FortiGate firewall, I can control access tightly and protect Nextcloud from external threats. For deeper insights on Nextcloud in my network, check out these articles:
- Nextcloud Security Concept with FortiGate Firewall
- Nextcloud Manual Upgrade from 25.0 to 26.0
- Nextcloud Top 5 Apps
Immich – Photo and Video Backup Solution
I use Immich, an open-source application designed for organizing and backing up photos and videos securely within my home network. Immich simplifies media management and keeps my personal memories safe from cloud vulnerabilities.
By running Immich behind the FortiGate firewall, I ensure it remains accessible only to authorized users and protected against internet threats. Learn more about how I use Immich and manage it here:
- Immich Migration to New Server
- Organizing and Managing Photos with Immich
- Immich Resource Usage Monitoring for 4 Users
WordPress – Hosting Multiple Websites
I also host several WordPress websites on my home lab servers. These sites serve various purposes—from blogging to testing new configurations and plugins.
The FortiGate firewall helps me isolate these web servers on dedicated VLANs with specific firewall policies. This way, I protect my main network while still maintaining easy remote access for updates and maintenance via the SSL VPN.
Conclusion
Even though the FortiGate 60D is over a decade old and runs without any active security services, it still performs exceptionally well in a home lab setup. With smart configuration, it provides reliable segmentation, secure remote access, and decent inspection capabilities. It’s a reminder that older enterprise hardware can still serve a valuable role—especially when you know how to leverage its features.