
pfSense in this configuration?

ZeusXI

So I have my Modem then it goes to my home router. Is it a good idea to put a pfSense box behind the router, so its Modem > Router > pfSense? Or does this not make much sense? 

 

Reason why I am wondering about this method, is I do not want to mess with my families router settings, and I want have pfSense for my personal stuff like servers.


2 hours ago, ZeusXI said:

So I have my Modem then it goes to my home router. Is it a good idea to put a pfSense box behind the router, so its Modem > Router > pfSense? Or does this not make much sense? 

 

Reason why I am wondering about this method, is I do not want to mess with my families router settings, and I want have pfSense for my personal stuff like servers.

You can do this; it’ll just put the pfSense devices in double NAT, and you won’t be able to connect to pfSense or the devices from the normal home LAN unless you either enable port forwarding rules or allow access from WAN into pfSense. If you then ever plug pfSense into a modem directly, make sure you remember to change those settings back to default, because you’d be fully exposing everything to WAN.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


LIGISTX answered it well.

 

I would like to provide some ideas for your pfsense box:

 

Enable the NTP server and redirect any domains for "time" to the pfSense box IP address.  This will take away some device tracking and reduce server use for redundant time requests from every one of your devices.

 

Change the Unbound DNS resolver cache settings to keep DNS IP resolutions for 259,200 seconds (because by default, webservers online set it to 175 seconds, so the setting is also in seconds).

 

This is three full days, and will not only help reduce the delay between DNS resolution and connecting to a resolved IP address, but also reduces outbound network use and reduces the load on DNS servers, thus possibly reducing energy use, maybe.

 

Setting up a Pi-hole (not directly UNIX compatible, so an alternative is pfBlockerNG) in a Debian VM would not use many resources (less than 250MB of memory, and half that once booted into Debian at the command line with Pi-hole active), but I'm completely clueless how to run a virtual machine on pfSense, so if you are interested, I hope it's easy, or just use yet another device.

 

Here's why you may want to run Pi-hole; online tracking is completely off the rails:

 

https://pi-hole.net/blog/2017/02/22/what-really-happens-on-your-network-find-out-with-pi-hole/

 

Even large organizations are now recommending adblockers to prevent malware!

JRE #1914 Siddarth Kara

How bad is e-waste?  Listen to that Joe Rogan episode.

 

"Now you get what you want, but do you want more?
- Bob Marley, Rastaman Vibration album 1976

 

Windows 11 will just force business to "recycle" "obsolete" hardware.  Microsoft definitely isn't bothered by this at all, and seems to want hardware produced just a few years ago to be considered obsolete.  They have also not shown any interest, nor has any other company in a similar financial position, to help increase tech recycling whatsoever.  Windows 12 might be cloud-based and be a monthly or yearly fee.

 

Software suggestions


Just get f.lux [Link removed due to forum rules] so your screen isn't bright white at night, a golden orange in place of stark 6500K bluish white.

released in 2008 and still being improved.

 

Dark Reader addon for webpages.  Pick any color you want for both background and text (background and foreground page elements).  Enable the preview mode on desktop for the Firefox and Chrome addon by clicking the Dark Reader addon settings, choosing dev tools and clicking preview mode.

 

NoScript or EFF's privacy badger addons can block many scripts and websites that would load and track you, possibly halving page load time!

 

F-droid is a place to install open-source software for android, Antennapod, RethinkDNS, Fennec which is Firefox with about:config, lots of performance and other changes available, mozilla KB has a huge database of what most of the settings do.  Most software in the repository only requires Android 5 and 6!

 

I recommend firewall apps (block apps) and DNS filters (redirect all DNS requests on Android to your choice of DNS, even if overridden).  RethinkDNS is my pick, and I set it to use Pi-hole, installed inside Ubuntu/Debian, which is inside VirtualBox; until I go to a website, nothing at all connects to any other server.  I also use NextDNS.io to do the same when away from home Wi-Fi, or even on cellular!  I can even tether from cellular to any device sharing via Wi-Fi, and block anything with DNS set to NextDNS, regardless of whether the device allows changing DNS.  This style of network filtration is being overridden by software updates on some devices, forcing a backup DNS provider, such as Google DNS, when built-in DNS requests are not connecting.  Without a complete firewall setup, DNS redirection itself is no longer always effective.
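As an added example that is not code from this thread or from the pfSense project, the following Python script audits a pfSense config.xml backup for the two points raised above: LIGISTX's warning that WAN rules written for the "behind the family router" setup become real exposure the day pfSense is plugged straight into the modem, and E-waste's NTP/DNS redirect suggestion, together with the check a practitioner wants next to it, namely that DNS to anything other than the firewall is blocked so a client's hard-coded fallback resolver cannot bypass the redirect. The XML below is a constructed, abridged sample. The element layout it relies on (`<filter>/<rule>`, `<nat>/<rule>`, `<source><any/>`, the `(self)` destination keyword, `<not/>` for "invert match", `<disabled/>` for disabled rules) is assumed from pfSense's backup format and should be confirmed against your own export.

```python
"""Audit a pfSense config.xml backup (example, not pfSense code)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, abridged sample; a real export carries many more sections.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>10.10.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>22</port></destination>
      <target>10.10.0.5</target><local-port>22</local-port>
      <descr>SSH to homelab box from the family LAN</descr></rule>
    <rule><interface>lan</interface><protocol>udp</protocol><source><any/></source>
      <destination><any/><port>123</port></destination>
      <target>127.0.0.1</target><local-port>123</local-port>
      <descr>Redirect NTP to the firewall</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>WebGUI from the family LAN</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><address>192.168.1.0/24</address></source>
      <destination><network>(self)</network><port>22</port></destination>
      <descr>SSH to pfSense, restricted to the family LAN</descr></rule>
    <rule><type>block</type><interface>lan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><not/><network>(self)</network><port>53</port></destination>
      <descr>Block DNS to anything but the firewall</descr></rule>
  </filter>
</pfsense>
"""

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _enabled(rule):
    return rule.find("disabled") is None  # assumed: <disabled/> marks a disabled rule


def _source_scope(rule):
    """Classify a rule's <source> as 'any', 'private', 'public' or 'alias'."""
    src = rule.find("source")
    if src is None or src.find("any") is not None:
        return "any"
    if src.find("network") is not None:
        return "alias"  # interface keyword such as lan/wanip: scoped, not 'any'
    try:
        net = ipaddress.ip_network(src.findtext("address"), strict=False)
    except (TypeError, ValueError):
        return "alias"  # a named alias; cannot be judged offline
    if net.version == 4 and any(net.subnet_of(p) for p in PRIVATE):
        return "private"
    return "public"


def wan_exposure(root):
    """Enabled WAN pass rules and port forwards that admit any source: harmless
    while WAN is the family LAN, an open door once WAN is the modem."""
    found = []
    for rule in root.iterfind("./filter/rule"):
        if (_enabled(rule) and rule.findtext("interface") == "wan"
                and rule.findtext("type") == "pass" and _source_scope(rule) == "any"):
            found.append(("pass", rule.findtext("descr", "")))
    for rule in root.iterfind("./nat/rule"):
        if _enabled(rule) and rule.findtext("interface") == "wan" and _source_scope(rule) == "any":
            found.append(("port-forward", rule.findtext("descr", "")))
    return found


def lan_redirects(root):
    """Which LAN-side redirects (DNS 53, NTP 123) actually land on the firewall."""
    targets = {"127.0.0.1", root.findtext("./interfaces/lan/ipaddr")}
    hit = {"53": False, "123": False}
    for rule in root.iterfind("./nat/rule"):
        if not _enabled(rule) or rule.findtext("interface") != "lan":
            continue
        port = rule.findtext("destination/port")
        if port in hit and rule.findtext("target") in targets:
            hit[port] = True
    return hit


def dns_egress_blocked(root):
    """True if an enabled LAN block/reject rule covers port 53 to anything but
    the firewall, which is what defeats a client's hard-coded fallback resolver."""
    for rule in root.iterfind("./filter/rule"):
        dst = rule.find("destination")
        if (_enabled(rule) and rule.findtext("interface") == "lan"
                and rule.findtext("type") in ("block", "reject") and dst is not None
                and dst.find("not") is not None and dst.findtext("network") == "(self)"
                and dst.findtext("port") == "53"):
            return True
    return False


def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {"wan_exposure": wan_exposure(root),
            "lan_redirects": lan_redirects(root),
            "dns_egress_blocked": dns_egress_blocked(root)}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for kind, descr in result["wan_exposure"]:
        print(f"WAN {kind} rule with source 'any': {descr!r}")
    for port, ok in result["lan_redirects"].items():
        print(f"LAN redirect of port {port} to the firewall: {'yes' if ok else 'no'}")
    print("Other DNS egress blocked:", result["dns_egress_blocked"])
```

On the sample the script flags the WebGUI pass rule and the SSH port forward (both "any" source) while leaving the SSH-to-pfSense rule alone: a source restricted to the upstream private subnet stays inert once WAN carries a public address, and pfSense's "Block private networks" option on WAN would drop such traffic anyway. It also reports that NTP is redirected but DNS is not, and that other DNS egress is blocked, so clients pointed at a third-party resolver will fail rather than bypass the firewall until a port-53 redirect is added. The audit does not model rule order or "quick" semantics, and a port-53 block says nothing about DNS over TLS (853) or DNS over HTTPS (443), which need their own handling. On the cache suggestion above, note that a three-day minimum TTL means Unbound keeps answering with an address for three days after its owner changed it, which breaks failover and CDN rotation; most people who raise the minimum pick something far smaller.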


1 minute ago, E-waste said:

even large organizations are now recommending adblockers to prevent malware!

Are they using Pi-Hole or is there some other appliance they are using? Or just installing on each workstation? 

 

Breaking things 1 day at a time


No idea, but here is more information, from the forum tech news section, page 9.

 

https://linustechtips.com/topic/1480218-fbi-recomends-adblock/


4 hours ago, E-waste said:

Setting up a Pi-hole (not directly UNIX compatible, so an alternative is pfBlockerNG) in a Debian VM would not use many resources (less than 250MB of memory, and half that once booted into Debian at the command line with Pi-hole active), but I'm completely clueless how to run a virtual machine on pfSense, so if you are interested, I hope it's easy, or just use yet another device.

 

Here's why you may want to run Pi-hole; online tracking is completely off the rails:

 

https://pi-hole.net/blog/2017/02/22/what-really-happens-on-your-network-find-out-with-pi-hole/

 

Even large organizations are now recommending adblockers to prevent malware!

Personally, I have been using AdGuard over Pi-hole.


22 hours ago, TubsAlwaysWins said:

Are they using Pi-Hole or is there some other appliance they are using? Or just installing on each workstation? 

Enterprise firewalls have URL, DNS and Domain blocking features with category lists updated by the vendor so on your outbound internet access rule you just enable the feature set and choose 'advertising' category to block.

 

Each firewall vendor is slightly different but that's the generic steps.

 

Do note, however, that the advertising category doesn't typically block Google Ads or other "legitimate" advertising services, which have had malicious ads served through them before. You can block Google Ads etc.; it's just that on the enterprise side of things, trying not to break things, playing nice with legitimate services and maintaining relationships is the typical chosen path, unlike Pi-hole etc.


On 8/12/2023 at 9:40 AM, leadeater said:

Enterprise firewalls have URL, DNS and Domain blocking features with category lists updated by the vendor so on your outbound internet access rule you just enable the feature set and choose 'advertising' category to block.

 

Each firewall vendor is slightly different but that's the generic steps.

 

Do note, however, that the advertising category doesn't typically block Google Ads or other "legitimate" advertising services, which have had malicious ads served through them before. You can block Google Ads etc.; it's just that on the enterprise side of things, trying not to break things, playing nice with legitimate services and maintaining relationships is the typical chosen path, unlike Pi-hole etc.

Yeah, for sure. I work with a lot of Sophos XG firewalls; I just wasn't sure if we were talking on a scale larger than what I use. I don't see a lot of malicious ads, but I also have an adblocker installed.

I have seen malicious Google advertising links. An example is a user who searched "Home Depot" and clicked the first result (a Google ad) with a legitimate URL shown, which redirected to a malicious site. I don't know how Google is letting stuff like this through. I've seen it a few times too.


What do you hope to achieve with this setup? What is the end goal? 


On 8/11/2023 at 4:40 PM, ZeusXI said:

Personally, I have been using AdGuard over Pi-hole.

pfSense comes with Unbound DNS, I believe. Have you changed the caching settings, or redirected NTP requests locally back to pfSense?  Not only would that reduce outbound server equipment use, but it would also be far more accurate, especially combined with NTPd or chrony.  You can even set it to use your Ethernet hardware clock instead of the motherboard clock, for more accuracy and network timestamping, increasing accuracy even further!
