Default block policy (allow ntp and https). Automatically updated IP blacklists (hourly). Snort IDS. Blocking all unencrypted HTTP traffic. Using dnscrypt to ensure encrypted DNS requests. Email alerts for blacklisted IP communications and IDS. Alerts to ensure IDS and blacklist downloader running OK.
Can't think of anything else to add right now, other than separate VLAN for WiFi in case some faggot cracks my WPA2.
Having fun with false positives, marking them in snort. Got a few false IP alerts for torrenting; that was fun, I was worried I had a virus.
dnscrypt kinda sucks, i'd recommend cloudflare dns over tls with unbound instead, using tor for anonymity. also recommending adblocking via your dns cache. an ipsec/wireguard vpn and key-protected ssh. pflow for measuring some traffic statistics.
how's life without http? i've considered it but i imagine there's still plenty of sites that require it. maybe mitm-ing unencrypted http with some sort of automatic 302-redirect-to-https would be more convenient, if i knew how to set that up.
don't have screw holes for external propeller, rejected
Lucas Brooks
dnscrypt is abandonware anyway, i use opennic just so time warner can't hijack my typos
Dylan Nguyen
>dnscrypt kinda sucks, i'd recommend cloudflare dns over tls with unbound instead, using tor for anonymity.
Pretty sure dnscrypt-proxy uses TLS. I'd like to use cloudflare, however the current dnscrypt-proxy package is 1.9.9?, not 2.0.8, which cloudflare requires. Womp womp.
>also recommending adblocking via your dns cache.
Yeah, haven't done anything with adblocking yet. I guess that'd probably be the only way I could do it without reinventing the wheel.
>an ipsec/wireguard vpn and key-protected ssh.
Good point, would be nice to have for my phone to keep away the glowing niggers.
>pflow for measuring some traffic statistics.
Actually have a daily egress statistic email cronjob.
>how's life without http? i've considered it but i imagine there's still plenty of sites that require it. maybe mitm-ing unencrypted http with some sort of automatic 302-redirect-to-https would be more convenient, if i knew how to set that up.
Lil bit painful if you have to google for stuff and you click on a non-stackoverflow/serverfault link. Other than that, it's not bad.
I've actually set it up to redirect any port 80 and 8080 comms to my router's httpd to display a splash page.
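The default-block policy (only NTP and HTTPS out), the hourly-refreshed IP blacklist table and the port 80/8080 redirect to the router's own httpd described in this thread, written out as an added pf.conf example for an OpenBSD router. This is not the poster's own ruleset; the interface names em0/em1, the 192.168.1.0/24 LAN and the /etc/pf/blacklist.txt path are assumptions.

```conf
# /etc/pf.conf -- added example for an OpenBSD router, not the thread's config.
# Interface names, LAN prefix and the blacklist file path are assumptions.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

# Blacklisted addresses live in a file that an hourly cron job refreshes and
# reloads with:  pfctl -t blacklist -T replace -f /etc/pf/blacklist.txt
table <blacklist> persist file "/etc/pf/blacklist.txt"

set skip on lo
set block-policy drop

# Normalise fragments and hide the LAN behind the WAN address
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default policy: drop everything, logged on pflog0 for the alert mailer
block log all

# Blacklist hits are dropped before any pass rule creates state, on whichever
# interface first sees the packet (WAN for inbound, LAN for outbound attempts)
block drop in quick log from <blacklist> to any label "blacklist"
block drop in quick log from any to <blacklist> label "blacklist"

# Plain HTTP (80, 8080) from the LAN never leaves the router: it is redirected
# to the local httpd, listening on 127.0.0.1:80, which serves the splash page
pass in quick on $int_if inet proto tcp from $lan_net to any port { 80 8080 } \
    rdr-to 127.0.0.1 port 80

# Services the router offers the LAN: DNS (unbound), DHCP and key-only SSH
pass in on $int_if inet proto { tcp udp } from $lan_net to $int_if port 53
pass in on $int_if inet proto udp from any port 68 to any port 67
pass in on $int_if inet proto tcp from $lan_net to $int_if port 22

# The allowlist: LAN hosts may reach the Internet only for HTTPS and NTP
pass in on $int_if inet proto tcp from $lan_net to any port 443
pass in on $int_if inet proto udp from $lan_net to any port 123
pass out on $ext_if inet proto tcp to any port 443
pass out on $ext_if inet proto udp to any port 123

# The router itself: WAN DHCP lease, upstream DNS over TLS (853) or
# dnscrypt-proxy over 443, and outbound ping for an external reachability check
pass out on $ext_if inet proto udp from port 68 to any port 67
pass in on $ext_if inet proto udp from any port 67 to port 68
pass out on $ext_if inet proto { tcp udp } to any port { 443 853 }
pass out on $ext_if inet proto icmp icmp-type echoreq
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`. Because every block rule carries `log`, a cron job running `tcpdump -n -e -ttt -r /var/log/pflog` (or reading pflog0 live) can feed the blacklist and default-deny alert emails; `pfctl -s labels` gives a running hit count for the blacklist rules without parsing the log at all.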
Jason Lopez
>Pretty sure dnscrypt-proxy uses TLS. I'd like to use cloudflare, however current dnscrypt-proxy package is 1.9.9?, not 2.0.8, which cloudflare requires. Womp womp.
huh??? just use unbound with cloudflare as your forward-addr.
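The setup suggested in the two replies above (unbound forwarding to Cloudflare over DNS-over-TLS, with ad blocking answered straight from the cache) as an added example unbound.conf for the OpenBSD base unbound; it needs no dnscrypt-proxy at all, which sidesteps the package version problem. This is not any poster's config: the 192.168.1.1 router address, the 192.168.1.0/24 LAN and the placeholder blocked domains are assumptions.

```conf
# /var/unbound/etc/unbound.conf -- added example, not a poster's own config.
# The router's LAN address, the LAN prefix and the blocked names are assumptions.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    port: 53

    # Only the LAN and the router itself may query; everything else is refused
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    prefetch: yes

    # DNSSEC validation with the root trust anchor shipped in OpenBSD base
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 1

    # CA bundle used to verify the forwarder's TLS certificate (OpenBSD path)
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Ad/tracker blocking served from the cache: placeholder names here, in
    # practice generated from a block list into an included file
    local-zone: "ads.example." always_nxdomain
    local-zone: "tracker.example." always_nxdomain
    # include: "/var/unbound/etc/adblock.conf"

# Every query is forwarded to Cloudflare over TLS on port 853. The name after
# '#' is matched against the server certificate, so a resolver that merely
# answers on 853 at that address without the right certificate is rejected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check it with `unbound-checkconf` and then `rcctl enable unbound` and `rcctl restart unbound`. Since the forwarder is the only place queries leave the box, the pf ruleset only has to allow the router itself out on tcp/853; LAN clients still talk plain port 53 to the router, which is the flow described later in the thread.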
Jordan Gomez
I'm using unbound with dnscrypt-proxy to a privacy-oriented DNS in the Netherlands.
All DNS from my local network goes to port 53 in on the router. My router forwards those requests to the upstream resolver over 443 (via dnscrypt-proxy).
Nicholas Harris
Also had a bit of fun setting this up. Have an Eyoyo mini monitor (about 7 in?) with this on it 24/7 to monitor network health.
Scripted with tmux so I don't have to bullshit with making the panes manually each time. Yes I know it looks like shit.
Shit, I should add an external ping for network connectivity.
Also plan to set up security cameras, can monitor their health from here. Wonder if Nagios has a health dashboard like this in cli?
Asher Flores
>spyflare
Zachary Bennett
>Currently running OpenBSD (latest).
if you don't mind me asking, why? what would drive someone to use an operating system that has basically no software?
Wyatt Reed
nigga this is a router
Evan Price
running pfsense paravirtualized on my desktop right now, allowing pretty much everything outbound with upnp since it's not just me on the network
probably gonna install a couple more of these, one for a family member, maybe one for a small business
Samuel Peterson
this give me serial or give me death
very nice, thanks for the idea user
Brody Robinson
What cheap hardware do people recommend for a pfsense/OPNsense home solution?
William Gutierrez
>if you don't mind me asking, why? what would drive someone to use an operating system that has basically no software?
A router doesn't really need a shitload of software. The utilities included in the base openbsd install make it as good a choice as linux or freebsd as a router:
>pf (packet filter, firewall)
>route & ifconfig
>dhcpd/dhclient
>unbound (caching dns server)
>wpa_supplicant (which also supports access point mode with a compatible card)
>httpd/slowcgi
>openbgpd
>openntpd
>ipv6 autoconfig services
>ldpd for MPLS
>ike/ipsec
>tftpd
A large number of the service packages available for linux are available for openbsd and freebsd:
>apache/nginx
>squid
>bind9
>miniupnp
>asterisk
A shitbox old computer. Bonus points for USB3.0 on a small device so you can use a gigabit ethernet dongle, or an open PCI(-E) slot for a gigabit network card
Ryder Robinson
>literally spends his time searching for anything that resembles a BSD related thread just so he can come in and go "haha! no software!" whether that's true or not doesn't fucking matter for a router
Bentley Ortiz
I used to use pic related as a PFSense box until I started working for a UTM vendor. Now I use one of their boxes since it was free and is much faster.
Started organizing my home lab today, was thinking about slapping some new nics in one of my existing boxes but kind of want a dedicated piece of hardware for pfsense. Can anyone recommend me something under ~$150?
Bentley Ross
Mine had an M.2 SSD in it so under a minute.
Brandon Howard
80% of traffic reaching my wan is unknown/unwanted. the internet was a mistake.
Requests come in via #53 to my Pihole/DNSMasq, then forwarded to localhost:3200 to stubby that forwards via DNSoverTLS to 1.1.1.1.
DNSSEC is enabled the whole way up and down, works just fine. It's also super fast (Strayan), so that's nice too.
Levi Collins
some day i want to set up a dial-up server
getting internet anywhere that has a phone line would be neat
Benjamin Gonzalez
are the world's phone lines still networked enough for that?
Liam Scott
56k doesn't require analog phone lines, but the modem usually does; most of the back-end transport is IP or ATM. as long as your lines or phone system supports the V.90/92 codec, you're good
Jordan Cooper
Just set up pfSense on the APU4c4 board from PC-Engines. Seems to work great, now I'm just waiting for one more week until I get my fiber turned on. Shit's gon' be cash.
Apart from relegating appliances into their own VLAN without internet access, any other things I should do? I'll be using a second of these boards for running a NAS (FreeNAS). Setting up an internet-only VLAN for guest internet access?