Secure Your OPNsense Network with Zenarmor NGFW!

Science & Technology

I use OPNsense as my firewall of choice, and if you need an NGFW solution, or even just basic threat blocking (not DNS-based, but actually at the firewall), Zenarmor might be the solution for you!
Zenarmor Website:
www.zenarmor.com/
Zenarmor Free Trial:
dash.zenarmor.com/register/fr...
Support me on Ko-Fi if you enjoy my content and find it useful:
ko-fi.com/apalrd
Feel free to chat about my upcoming projects on Discord!
/ discord
Timestamps:
00:00 - Introduction
00:52 - NGFW
05:58 - Installation
09:05 - Devices
16:48 - Policies
24:22 - Blocking
28:34 - Analytics
32:55 - Rating

Comments: 79

  • @UnderEu · 6 months ago

    Can't wait for the IPv6-mostly OPNsense video - This is my primary goal for my new home network

  • @l0gic23 · 6 months ago

    Why may I ask? Serious question... I don't know what I don't know... I have not run out of IPs on my primary subnet... thx

  • @UnderEu · 6 months ago

    @@l0gic23 1. Because I’m an early enthusiast of the current protocol; 2. I want my network to be simple yet powerful, versatile and in line with what the Internet intended to be (no NATs, no design limitations - other than the project size itself - nor any shenanigans imposed to fix problems that existed on the Jurassic stack); and 3. To test my gear against the actual Internet standard and improve/fix it by providing feedback to the manufacturers or replacing them altogether with stuff manufacturers ACTUALLY care about.

  • @l0gic23 · 6 months ago

    @@UnderEu I better rewatch this channel's video on why IPv6 in the home/lab. Thanks!

  • @mithubopensourcelab482 · 6 months ago

    Everyone should hate TLS inspection. No point in breaking sites / application. You were right in identifying this. This applies even in work places as well.

  • @vaughnbay · 4 months ago

    Great Vid! Your graphics (while explaining) are helpful as well. Good job!

  • @TheUkeloser · 6 months ago

    I work on one particular brand of NGFW in my day job and while the TLS inspection stuff is impressive in what it can do, you're right that it does cause a lot of problems in practice.

  • @apalrdsadventures · 6 months ago

    A lot of modern apps distribute a trust list on their own (especially if they are containerized / some library is trying to be OS-agnostic), and as a developer it makes a ton of sense to be cert pinning to the CA that issues your certs, but it means it's a nightmare for users behind TLS inspectors.

  • @TheUkeloser · 6 months ago

    Exactly. Admins can install a trusted CA cert on the workstations and re-sign all their inspected traffic with a subordinate CA signed by the same root, so browsers "mostly" work (aside from HSTS sites), but standalone apps that just happen to use TCP 443 and TLS are harder.

  • @apalrdsadventures · 6 months ago

    The authors of TLS and related specs are very concerned with MITM / privacy attacks and don't care to reduce the level of security they provide to make TLS inspection easier. Sites *should* be deploying HSTS, apps using TLS *should* be validating their certs, asking them to do less so you can MITM their traffic isn't something they are interested in 'fixing'. The end result is the end users perpetually think IT has 'broken' something because the program tells them they are being attacked.

  • @nezu_cc · 6 months ago

    Nothing against you in particular, but I absolutely hate people who are trying to MITM TLS traffic. Thank god encrypted SNI is already on the horizon so you people can stop trying to filter the last clear text thing you have left.

  • @apalrdsadventures · 6 months ago

    eSNI (and its successor ECH) has some issues with key distribution. It's a great concept, but SNI is unencrypted for a reason. Unencrypted SNI (and ALPN) is a thing so the server can identify which certificate it should use (to properly deal with multi-tenant servers / CDNs / virtual hosts / ...). ECH needs to encrypt the ClientHello using the edge server's key, not the origin's key, so the client needs to know which CDN / server it's accessing and get the key for that server. CF's eSNI would publish their key (their one key, for all of CF) via DNS TXT records, which doesn't work if you aren't using a single CDN for all of your traffic, so it was rejected as a standard. The current ECH version relies on DNS HTTPS records, which are basically similar to an SRV. A single domain can have multiple HTTPS records, each of which points to an edge server, proto (HTTP 1.1/2/3), and the edge server's key. But they still aren't widely deployed and supported.
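
The HTTPS-record mechanism described in the reply above, as an added illustration that is not part of the original thread or of any project mentioned in it: a small encoder/decoder for the HTTPS RR RDATA wire format (RFC 9460: SvcPriority, TargetName, then SvcParams with the registered keys alpn=1, port=3, ipv4hint=4, ech=5) plus the client-side selection rule, which is what ties the ECH key to a specific edge server. The names (edge-a.example, edge-b.example, cdn.example), addresses and the ech byte strings are constructed placeholders, not real ECHConfigList values.

```python
import ipaddress
import struct

# SvcParamKey values registered by RFC 9460 (section 14.3)
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_ECH = 1, 3, 4, 5


def encode_name(name):
    """Uncompressed DNS wire-format name (HTTPS RR TargetName must not use compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(buf, pos):
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        labels.append(buf[pos:pos + n].decode())
        pos += n
    return ".".join(labels) + ".", pos


def build_https_rdata(priority, target, alpn=(), port=None, ipv4=(), ech=None):
    """Build HTTPS RR RDATA. priority 0 is AliasMode and carries no SvcParams.
    All values here are constructed samples; `ech` is an opaque placeholder blob."""
    params = []
    if priority > 0:
        if alpn:
            params.append((KEY_ALPN, b"".join(bytes([len(a)]) + a.encode() for a in alpn)))
        if port is not None:
            params.append((KEY_PORT, struct.pack("!H", port)))
        if ipv4:
            params.append((KEY_IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in ipv4)))
        if ech is not None:
            params.append((KEY_ECH, ech))
    params.sort()  # RFC 9460 requires SvcParamKeys in strictly increasing order
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return struct.pack("!H", priority) + encode_name(target) + body


def parse_https_rdata(rdata):
    """Decode one HTTPS record. Unknown keys are skipped; malformed ordering is rejected."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = decode_name(rdata, 2)
    rec = {"priority": priority, "target": target, "alpn": [],
           "port": None, "ipv4hint": [], "ech": None}
    if priority == 0:          # AliasMode: follow the target name, no parameters
        return rec
    last_key = -1
    while pos + 4 <= len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        val = rdata[pos:pos + length]
        pos += length
        if key <= last_key:
            raise ValueError("SvcParamKeys not strictly increasing")
        last_key = key
        if key == KEY_ALPN:
            p = 0
            while p < len(val):
                n = val[p]
                rec["alpn"].append(val[p + 1:p + 1 + n].decode())
                p += 1 + n
        elif key == KEY_PORT:
            rec["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_IPV4HINT:
            rec["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == KEY_ECH:
            rec["ech"] = val   # the ECHConfigList for *this* edge server
    return rec


def select_endpoint(records):
    """Client rule: lowest non-zero SvcPriority wins. The returned record's `ech`
    value is the only key that can encrypt the ClientHello for that endpoint."""
    service = [r for r in records if r["priority"] > 0]
    return min(service, key=lambda r: r["priority"]) if service else None


if __name__ == "__main__":
    rrset = [
        build_https_rdata(2, "edge-b.example.", alpn=["h2"], port=8443, ech=b"\x00\x00ECH-B"),
        build_https_rdata(1, "edge-a.example.", alpn=["h3", "h2"], ipv4=["192.0.2.10"], ech=b"\x00\x00ECH-A"),
    ]
    chosen = select_endpoint([parse_https_rdata(r) for r in rrset])
    print(chosen["target"], chosen["alpn"], chosen["ech"])
```

Each record carries its own `ech` parameter, so a domain fronted by two different edges publishes two records and the client picks the key that belongs to the edge it will actually connect to; that is the per-endpoint key distribution the reply contrasts with the single TXT-published key of the earlier eSNI draft.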

  • @Glasairmell · 5 months ago

    Thank you so much. I am a small Homelab and will not be using this like you even though it looks fantastic for larger institutions. Great professional presentation on this video.

  • @fabioh1590 · 1 month ago

    Great video, very detailed and super specific, thanks a lot mister.

  • @mithubopensourcelab482 · 6 months ago

    Excellent Video sir..... 10 out of 10

  • @bbekkaa365 · 5 months ago

    Unfortunately, the free version is very limited in functionality

  • @zyghom · 6 months ago

    I tried and did not feel any need for it at home, and the pricing is not OK either.

  • @Wingnut353 · 3 months ago

    Zenarmor is just way too expensive. I mean why would I spend $500+ on subscription services for a $500 Firewall... if this were like a $100 a year subscription we might spring for it.

  • @renehoehle · 2 days ago

    Absolutely. I use Sophos XGS on some customers and that is expensive, and I use an alternative. But that product is twice that price. So when you really want those features then I can use Sophos XGS. Otherwise I have to use OPNsense without those features.

  • @JasonsLabVideos · 6 months ago

    Good video sir ! Keep them coming !!

  • @chrisslaunwhite9097 · 6 months ago

    Okay, fine.... I'll subscribe. I like this content.

  • @El_Bartto · 5 months ago

    Thank you very much! Any tips on how to minimize the RAM used by Zenarmor?

  • @renehoehle · 2 days ago

    The problem is I've looked for that yesterday. I think it's nice, but in the end much more expensive than the high-end firewall solutions. So in my mid-business setup I have 120 devices. So I can't get the Small license, I have to pay 1.5 times for the license (2 firewalls). So I have $337 per month, that's too much. So in the end it's much more expensive than the Sophos XGS that I'm using at some customers. So for 3 years it's $12,150. So the problem is I don't need most of the features, but I have to use them because I have over 100 devices and then you have to use the Business.

  • @davidreddick3016 · 5 months ago

    Has someone tried the blocking of DNS over HTTPS with this? This seems to be a big unsolved issue in the industry, with more and more browsers and devices using it to hide from traditional DNS. Unlike DNS over TLS, it also uses the same port 433, so you can't even block it at a port level.

  • @daniyalhassan7706 · 6 months ago

    Great

  • @royalcanadianbearforce9841 · 6 months ago

    Is it possible to restrict ZenArmor to a specific VLAN? I ask because while I would be happy to use this for work devices, I can't help but agree that the TLS inspection could cause a lot more work than I'm ultimately willing to put into it if I had to deploy this across my entire home network. Thanks for the great content!

  • @apalrdsadventures · 6 months ago

    Zenarmor doesn't intercept TLS, it only looks at the unencrypted headers. But you choose as a global setting which interfaces to operate on, and beyond that you can choose which interfaces apply to a policy.

  • @royalcanadianbearforce9841 · 6 months ago

    Thank you very much for the quick reply! Looking forward to deploying this next week!

  • @irreel1 · 1 month ago

    Thank you for your videos, they are very interesting. However, I am very disappointed in this one because, as others mentioned, the free version is very limited. You suggest you can do almost the same as in your video without a subscription, but that is not the case. I will roll back OPNsense before Zenarmor. For the rest, keep up the good work!

  • @saifemran4528 · 4 months ago

    Great video! What physical host do you use for opnsense?

  • @apalrdsadventures · 4 months ago

    I use a Protectli FW4B at home

  • @jirayahatake · 4 months ago

    Could you make a video on how to do a basic OPNSense setup with a UDR? I basically only want to use the UDR as a wifi and protect controller

  • @bro2917 · 3 months ago

    I would also like to see a video on how to do this most efficiently!

  • @GrishTech · 6 months ago

    What are your thoughts on opnsense being behind on security updates? I know they have a beta with the new openssl, but still, historically looking, it's not the best in response.

  • @apalrdsadventures · 6 months ago

    It depends on the context. In general they are pushing security updates regularly, but large changes to the codebase take time, and OpenSSL continued 1.x security updates through the end of 2023 which OPNsense was including in their releases. AFAIK 24.1 will include OpenSSL 3.x.

  • @nickpetrovsky · 5 months ago

    Your t-shirt has the Cyrillic dog breed name Лайка :), which in Russian slang can also be the feminine of the internet "like". Thank you for the interesting video!

  • @apalrdsadventures · 5 months ago

    Neat! Лайка was the name of the first dog in space, hence the shirt.

  • @FourCorners-im3jg · 1 month ago

    Okay, unrelated question. What browser are you using in the video? It doesn't look familiar and I couldn't find anything like it.

  • @apalrdsadventures · 1 month ago

    Edge or Firefox

  • @thestreamreader · 6 months ago

    Is there a point in running this and CrowdSec at the same time?

  • @apalrdsadventures · 6 months ago

    They're both really different things and are used to protect different things. This is primarily focused on the destination of traffic (going out to the internet, from a client); CrowdSec is focused on incoming traffic to a server and sharing blocklists of simple attackers, similar to fail2ban on a larger scale.

  • @BGraves · 6 months ago

    So it relies on TLS headers to categorize encrypted traffic? How else? Btw, I think W11 has random MAC addresses as a built-in security feature that you can enable.

  • @apalrdsadventures · 6 months ago

    Apple-everything is both randomizing the MAC per-network and also no longer sending the hostname via DHCP, so tracking Apple devices is a challenge. They still respond to mDNS if queried, but don't immediately advertise it. Zenarmor has caused me to raise eyebrows at some traffic and then spend 10+ minutes identifying the unknown client, only for it to be a sus mobile game on a modern iPhone which is doing a good job at hiding its identity. But also, some things can be detected by their known protocol headers (i.e. VPNs), TLS has to send at least SNI and ALPN unencrypted (since the server needs to know the SNI to present the right cert), and more traditional IP-based ranges can also be used as well.
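
What "looking at the unencrypted headers" means in practice, as an added example that is not part of the original thread and is not Zenarmor's code: a parser for the one handshake message a TLS client sends in the clear, the ClientHello, that pulls out the server_name (RFC 6066) and ALPN (RFC 7301) extensions and feeds them to a simple category lookup. The builder exists only so the block has a constructed sample to run against (zero random bytes, one cipher suite, no real session); the category table and the `.example` host names are placeholders. The no-SNI path shows why a client that omits SNI (IP literal, or an ECH-protected hello) ends up as an "unknown client" of the kind described above.

```python
import struct

SNI_EXT = 0     # server_name extension, RFC 6066
ALPN_EXT = 16   # application_layer_protocol_negotiation, RFC 7301


def build_client_hello(server_name, alpn):
    """Build a minimal ClientHello record (constructed sample, not captured traffic).
    server_name=None omits SNI, as a client using an IP literal would; empty alpn omits ALPN."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        proto_list = struct.pack("!H", len(protos)) + protos
        extensions += struct.pack("!HH", ALPN_EXT, len(proto_list)) + proto_list
    body = (
        b"\x03\x03" + bytes(32)                # client_version + random (zeros in the sample)
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str|None, 'alpn': [str]} from a TLS record holding a ClientHello."""
    result = {"sni": None, "alpn": []}
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return result                                  # no extensions at all: nothing to classify
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                name_type, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == ALPN_EXT:
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p < list_end:
                n = data[p]
                result["alpn"].append(data[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
    return result


def classify(hello, categories):
    """Suffix-match the SNI against a category table; no SNI means no host-based category."""
    if hello["sni"] is None:
        return "unclassified (no SNI)"
    labels = hello["sni"].lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in categories:
            return categories[candidate]
    return "uncategorized"


if __name__ == "__main__":
    table = {"video.example": "streaming", "cdn.example": "cdn"}   # constructed placeholder table
    hello = parse_client_hello(build_client_hello("www.video.example", ["h2", "http/1.1"]))
    print(hello, classify(hello, table))
```

The point a defender should take from this is the limit it makes visible: everything the classifier has is the host name and the protocol list the client chose to send, so host-based policy is only as good as the SNI presence and the category table, and a connection without SNI can only fall back to the IP-range and protocol-fingerprint methods mentioned in the reply.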

  • @l0gic23 · 6 months ago

    @@apalrdsadventures did you take any next steps related to the sus games?

  • @mithubopensourcelab482 · 6 months ago

    With Zenarmor, OPNsense becomes an NGFW [as per Sunny Valley]. How does it compare with other NGFWs like Sophos / Fortigate?

  • @legendaryz_ch · 3 months ago

    More control, less user friendly. That's OPNsense. On Sophos you've got your beautiful insights and easy configuration, whereas OPNsense requires more expertise but has similar, if not better, results and is free.

  • @orno6621 · 3 months ago

    The support and hardware, and every vendor has its own Threat Intelligence platform. Plus enterprises are moving to ZTNA.

  • @renehoehle · 2 days ago

    With Sophos you don't need that, because those features are included in most high-end firewalls like Sophos XGS. And for Business it's really expensive, so twice the price of Sophos XGS.

  • @abdullahX001 · 5 months ago

    Pretty cool.. but I don't want to spend $10 on this for home use haha, maybe small business.

  • @coreyman00 · 4 months ago

    Can you use Devices on the free version? I don't see that tab.

  • @TheFuzzyAmerican · 5 months ago

    I like the video, but I did not get a tab for devices. I don't know what I missed here.

  • @Maxio_ · 5 months ago

    Yeah me too

  • @keviin1314 · 5 months ago

    You need the Home version for it (you can use the free 15-day trial).

  • @j_t_eklund · 6 months ago

    I still prefer NetBSD with its npf. Way more control for the user/admin.

  • @geobopeter · 3 months ago

    Are you telling me that OPNsense's IDP/IPS is "just" check marks if ZenArmor is not installed? And I will be better off keeping my well-administered VyOS with a PiHole running?

  • @apalrdsadventures · 3 months ago

    OPNsense's 'native' IDS/IPS solution uses Suricata. Zenarmor gives you curated feeds for a fee vs administering all of the feeds and rulesets manually for Suricata. Both options can be used (potentially at the same time, on different interfaces) in OPNsense.

  • @eschofield1 · 6 months ago

    Me again. How about a video / videos on CLAT addresses, 464XLAT & DHCP Option 108?

  • @apalrdsadventures · 6 months ago

    Doing the NAT64 / Option 108 on OPNsense (mostly v6-only + macos), Linux CLAT comes later.

  • @eschofield1 · 6 months ago

    @@apalrdsadventures Looking forward to it. 👍

  • @NetBandit70 · 6 months ago

    Suricata? Seeing as it's sort of built into OPNsense.

  • @apalrdsadventures · 6 months ago

    Suricata is a very manual solution to manage and curate block lists, and is very prone to false positives (and presumably also missing a lot of things, but you'll never know) if you don't put the work in to manage these block lists. That's largely what you get with a Zenarmor subscription: better feeds that they have curated and keep up to date.

  • @travisaugustine7264 · 3 months ago

    @@apalrdsadventures Not to mention Suricata is VERY CPU intensive, which can result in massive slowdowns.

  • @NetrunnerAT · 23 days ago

    Too expensive.

  • @nezu_cc · 6 months ago

    All of this is fun, but I just whip out shadowsocks and laugh at your firewall all day long.

  • @DanL57 · 3 months ago

    Don't whip it out in public or you will go to jail.

  • @it-linux-computers-geeky6651 · 2 months ago

    If you're looking for a free version, don't waste your time with this, as everything is locked behind a premium subscription, so it's practically useless unless you subscribe.

  • @linearburn8838 · 1 month ago

    @30:35 who else was expecting pornhub to be a top traffic driver
