Your Home Network is Exposed: Top 10 Ways to Protect it NOW!

Science and Technology

Secure your home network from intrusion with these 10 tips plus PFSense and OPNSense. For my book on life on the Spectrum: amzn.to/49sCbbJ
Follow me on Twitter/X: @davepl1968 / davepl1968
Follow me on Facebook at davepl for daily shenanigans!
Protectli Vault: protectli.com/vault-6-port/
Elite Mini Desktop PC: shop.azulle.com/products/byte...
Techno Tim PFSense Video: • How to Virtualize Your...
My favorite 6502 code: github.com/PlummersSoftwareLL...
Telegram requests in comments are from scammers, so don't respond to them.

Comments: 586

  • @Tora58
    2 months ago

    Please cover OPNSense

  • @jagdtigger
    2 months ago

    Avoid OPNSense, their security track record is far from stellar. Go for the original project they forked: pfsense. Less and slower updates but rock stable and on top of their security game.

  • @vveso
    2 months ago

    Also curious in seeing this setup. Have toyed with a PiHole in the past, but was too much of a bottleneck

  • @jagdtigger
    2 months ago

    Never knew Dave censors comments. (previous post disappeared.) Won't rewrite the whole thing, in short: go for pfsense instead of that fork. They (opnsense) were willing to stay on an EOL version of PHP which is a huge red-flag, and their past track record ain't any better AFAIK.

  • @Doesntcompute2k
    2 months ago

    @@jagdtigger Dave (likely) doesn't; KZread however....it watches every post for keywords and hides them. Found this out THW

  • @Doesntcompute2k
    2 months ago

    I would like to refer you over to the Garage: no, not this Garage, but KZread channel @Jims-Garage (Jim's Garage). He has coverage over OPNsense and other great topics. We all could do with a Dave treatment of OPNsense however.

  • @TechnoTim
    2 months ago

    Thanks for the mention Dave! Wow, he knows I exist!

  • @wojtek-33
    2 months ago

    You've made it!

  • @ianemptymindtank
    2 months ago

    Career goals, 1) Do cool stuff. 2) Get noticed by Dave Plummer 3) Speak at C3 Berlin about anything cool.

  • @ChrisTopher-wl6pd
    2 months ago

    Omg you’re like… so famous now! 🤪

  • @bru2al1tyusa82
    2 months ago

    I was excited to hear Dave give you a shoutout as well

  • @DavesGarage
    2 months ago

    Love your channel! I'm like the piano teacher who stays one chapter ahead of the students, except I watch Techno Tim to do it :-)

  • @JustinEmlay
    2 months ago

    You missed one. Create a Guest network but also create an IoT network. Put all the garbage devices like Echos and your fridge on that. Anything that uses a cloud service.

  • @theinsomniacmedic
    23 days ago

    Hey bro, I have a question - what advantage does this offer?

  • @JustinEmlay
    23 days ago

    @@theinsomniacmedic Separate networks are exactly that. They are separated from each other. I have my main network with all my PCs, NAS and TVs and what not. They all talk to each other. Then I have my IoT network with my fridge, microwave, thermostat, echos and what not. Those two networks cannot interact. In the event someone hacks into one of these cloud devices, I couldn't care less. My main network is isolated. I also have a guest network for guests. As you can imagine none of those guests have any access to my devices.

  • @theinsomniacmedic
    22 days ago

    @@JustinEmlay Nice I see now. Thanks a lot brother, much appreciated.

  • @JustinEmlay
    22 days ago

    @@theinsomniacmedic No problem at all!

  • @xLTxFire
    21 days ago

    That sounds like a great idea to me.

  • @robduncan2816
    1 month ago

    I work in IT for a decently sized company of around 13,000 users. Whenever I come across a tech oriented video, I get quite critical, as many do, I'm sure. I am far from claiming to be an expert in all things tech. I've seen some that claim to be, but none that are. In any case, I try to watch tech videos that I am learned about through the eyes of a person that has limited knowledge of anything IT related. Thus the critiquing begins... I must say your way of explaining terminology to the layperson is exceptional, your overall knowledge of the subject is the same. Top marks, sir, and thank you for the education. As previously alluded to, we all can't know everything and you've definitely shown me a thing or two on several occasions. Much appreciated.

  • @notaras1985
    1 month ago

    Bro literally invented the Task Manager. What are you rating and babbling about?

  • @anwalt693
    2 months ago

    Thank you sincerely for this video. It's comforting to have advice from you, as I know you're not trying to sell me something, and you don't have any axe to grind.

  • @DavesGarage
    2 months ago

    I'm mostly in this for the subs and likes :-)

  • @jason01095
    2 months ago

    Hi Dave, sure, would love to see your take on a deeper dive into pfsense/opnsense. Our home network setups are very similar (Ubiquiti implementation), minus the 5 gigabit part (1 gig fiber here). The performance impact is pretty dismal with the IDS/IPS enabled via Unifi. I appreciate that they offer it, but would prefer it externalized for performance, much like you described and have implemented. I had never heard of the Protectli Vault before, so this is very interesting to learn about. Thanks!

  • @ericdodson3630
    2 months ago

    I'm a full unifi household as well, and from what I've heard there should be a refresh of the UDM Pro/SE in the next couple years that will do up to 10GB with IDS\IPS, and to be honest it's time for a hardware refresh, with the new Unifi OS 3.X there are some really cool features and it's becoming more of a mature platform. Once Ubiquiti refreshes the UDM I'll definitely be replacing my UDM Pro even though I only have 1GB symmetrical fiber, I just want new hardware. Unifi is like a drug you can't wait for your next fix LOL

  • @_masteryoda
    2 months ago

    Yep. Opnsense is the router. Zenarmor scans all traffic. Country blocking is easy in Opnsense. Keep IOT on guest wi-fi.

  • @AnIdiotAboard_
    2 months ago

    I last tried pfSense and OPNsense many years ago, and beyond about 2 gbps they sucked eggs, as soon as you enable stateful inspection it just goes to hell, no matter how much CPU power you give it, it can't keep up with it, now I'll admit it was many years ago but nothing's really changed in the setup so I don't expect it to perform any better. All that said, for most home users at 1.5 / 2 Gbps it's fine, it really is, it might stutter from time to time (especially when doing hundreds of downloads) but it works fine

  • @Doesntcompute2k
    2 months ago

    @@ericdodson3630 But the one they sold/sells fails miserably at full speed ACL-based IPS. Even on 1Gbps. The Unifi hardware is woefully underpowered. It's a shame. Oh and their VLAN setup is uhmmm, thinking of a "good word," okay---"horrible." But then again, I have 40+ VLANs so I'm likely unique.

  • @Doesntcompute2k
    2 months ago

    @@AnIdiotAboard_ No issues now using it on 10Gbps and 40Gbps connections (OPNsense).

  • @DrTedEsq
    1 month ago

    I'm in the process of rebuilding my OPNSense router right now. Having you talk about how great it is has been fantastic background audio. One thing I think you overlooked, was DNS blacklisting. The Unbound config for OPNSense has lots of DNS blacklists to keep a lot of trackers, advertising networks, known botnets, etc all at bay - before they even get to the IPS or IDS. Thanks again for your videos. I've liked and subbed, as you've asked. Cheers!

  • @tonyscaminaci7959
    1 month ago

    @DrTedEsq great info just in the nick of time. I’m configuring Unbound in a bit, thanks!

  • @DrTedEsq
    1 month ago

    @@tonyscaminaci7959 In the early 2000's, I built a spam filter for the newspaper I worked for. By the time I left there, only 0.002% of emails sent were allowed through - and people still complained about too much spam. (thankfully, they were generally understanding when emails were blocked and had to be retrieved or resent) Much of those denials were through DNS blacklists. I can be a really blunt stick to what might be a delicate problem, but I think it's worth the potential trouble as whitelisting domains is super easy.
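
Added example (not part of any comment above, and not OPNsense's or Unbound's own code): the DNS blocklist-plus-whitelist approach discussed in this thread, as a Python script that compiles a hosts-style blocklist into Unbound `local-zone` rules. The sample lists are constructed, and the script assumes Unbound's behaviour of applying the most specific matching local-zone.

```python
import re

# One DNS label: 1-63 chars of letters/digits/hyphen/underscore, no edge hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

# Constructed sample input: hosts-format and plain-domain lines mixed.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 tracker.example
0.0.0.0 ads.tracker.example    # redundant, parent is already blocked
0.0.0.0 x.cdn.tracker.example
127.0.0.1 localhost
botnet-c2.example.net
not a domain!!
"""
SAMPLE_ALLOWLIST = "cdn.tracker.example\n"


def parse_list(text):
    """Return the set of valid domain names in a hosts-style or plain list."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].lower()          # drop trailing comments
        for field in line.split():
            name = field.rstrip(".")
            labels = name.split(".")
            if (len(labels) >= 2 and len(name) <= 253
                    and not labels[-1].isdigit()     # skips 0.0.0.0 / 127.0.0.1
                    and all(LABEL_RE.match(label) for label in labels)):
                domains.add(name)
    return domains


def parents(name):
    """Yield the parent domains of name, nearest first (a.b.c -> b.c, then c)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def decide(name, blocked, allowed):
    """Model longest-match lookup: the closest listed ancestor (or name) wins."""
    for candidate in (name, *parents(name)):
        if candidate in allowed:
            return "resolve"
        if candidate in blocked:
            return "nxdomain"
    return "resolve"


def compile_rules(blocked, allowed):
    """Return (block_zones, allow_zones) with entries that change nothing removed."""
    allowed = set(allowed)
    blocked = set(blocked) - allowed                 # explicit whitelist entry wins
    # Keep a blocked name only if its parent would otherwise let it resolve.
    block_zones = sorted(
        d for d in blocked
        if decide(next(parents(d), ""), blocked, allowed) == "resolve")
    # A whitelist entry only matters when its parent would be answered NXDOMAIN.
    allow_zones = sorted(
        a for a in allowed
        if decide(next(parents(a), ""), blocked, allowed) == "nxdomain")
    return block_zones, allow_zones


def emit_unbound(block_zones, allow_zones):
    """Render the zones as an Unbound config fragment."""
    lines = ["server:"]
    lines += [f'  local-zone: "{d}." always_nxdomain' for d in block_zones]
    lines += [f'  local-zone: "{a}." always_transparent' for a in allow_zones]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zones = compile_rules(parse_list(SAMPLE_BLOCKLIST), parse_list(SAMPLE_ALLOWLIST))
    print(emit_unbound(*zones), end="")
```

Whitelisting `cdn.tracker.example` still leaves `x.cdn.tracker.example` blocked, because the blocklist names it explicitly and the compiler keeps that rule rather than folding it into the parent.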

  • @paulantoine1696
    2 months ago

    The primary issue with ISP provided and most consumer routers is just how readily they are abandoned after maybe a year of security updates... this is my primary reason for leaving them in dumb mode wherever possible and having something of my own handling security.

  • @richardpetty9159
    2 months ago

    This is beyond the ability of most non-technical people but, were I to shop for a consumer router, I would definitely pick one that can run aftermarket firmware. In fact, last year I bought an unsupported name-brand router from Goodwill for $10 and put an aftermarket firmware on it and now it’s excellent.

  • @wadz668
    1 month ago

    I went with a Protectli router about 2 years ago and running PFSense on it. I have full control over my home network and it's so easy to configure. I have set up firewall aliases to route certain traffic over VPN and also to block all my TV's and other devices that only need LAN access from the internet. I would love a detailed walkthrough on some more protective settings so I look forward to a video covering that!

  • @ribcatcher
    2 months ago

    The thumbnail is gold

  • @mikkelbreiler8916
    2 months ago

    I must admit I did go back and admire the thumbnail before actually placing my like vote on your comment praising it..... I did not pay much attention to the thumbnail - when it comes to Dave's videos I know the quality is in the story not the thumbnail nor the production. Dave himself is the most of the value you'll ever get in one of his videos.

  • @gryff8400
    2 months ago

    It changed for me since first publication.... 🤷🏻‍♂️ The original was better...

  • @DavesGarage
    2 months ago

    Too many people complained about my bad photoshop work, which was kind of tongue-in-cheek bad, but not everyone got the joke!!

  • @TishSerg
    1 month ago

    I didn't see that thumbnail due to Dearrow...

  • @japanham5973
    2 months ago

    Timely.... I am right now in the process of installing a vault with OPNsense... As a newbie, I look forward to more content from you on this important topic. Thanks much.

  • @qdrive978
    1 month ago

    I love my vault running OPNSense

  • @Fr33dan
    2 months ago

    A good source for OPNSense machines are used workstations. Companies offload them in bulk and you can find them very cheap online. You may need to buy a dual NIC separately but I paid less for mine in total than some consumer boxes.

  • @garanceadrosehn9691
    1 month ago

    Those might come with a higher bill for electricity, though...

  • @MrKentaroMotoPI
    1 month ago

    @@garanceadrosehn9691 As long as the C-states are enabled, the machine will spend most of its time at low voltage and clockspeed. OEM workstations from Dell, HP, etc are very high quality hardware with good, quiet, cooling, error correcting RAM and conservative Xeon CPU's. Most will have a lot of mileage, often running 24/7, so replacing the fans and hard drives is a good idea.

  • @MrKentaroMotoPI
    1 month ago

    And these machines usually have vanilla hardware, Intel chipsets, NIC's, et al., so a Unix-type OS installation is low risk.

  • @Doesntcompute2k
    2 months ago

    I've said it before and I stand by it still: Your presentation format is one of the absolute best on KZread. Okay, best anywhere. You're to the point, knowledgeable, and to the point. I really enjoyed this video and I agree with the solution you chose: it's really the best with > 1Gbps Internet. And really, if someone at home "only" has 200Mbps, this solution is still so much better than a vendor's supplied "router." Also worth mentioning to people: Never use a vendor's router for WiFi--just not worth it. Put a firewall like you mentioned behind the vendor's router, then an access point(s) or even cheap WiFi 6e router behind the firewall and you're better off from a security POV.

  • @greggmacdonald9644
    2 months ago

    I wouldn't say "never", it depends on what they provide.. but if you want the latest WiFi 7 (and have devices that already support it), or you want > 1 Gbit on the local LAN ports, you'll probably have to provide your own, yeah, at least rn in early 2024.

  • @DavesGarage
    2 months ago

    Thanks for the kind words! Glad you found it useful!

  • @TheUAoB
    2 months ago

    @@greggmacdonald9644 Surely the main issue with ISP WIFI would be having to trust the ISP firewall, especially when the ISP maintains control of the "router" such as with combined "Cable Modem WiFi routers". You really want the AP behind a firewall you control.

  • @greggmacdonald9644
    2 months ago

    @@TheUAoB If you can't log into your ISP-Provided router and inspect or change settings within it, then sure! But I can log into the one my ISP provides and so did just that. Plus, you can always circumvent that PC-side anyway, using whatever DNS you'd like, and (if actually necessary), use a VPN to avoid ISP restrictions you can't get around locally. So, it's not an issue for many, I would think.

  • @dominiquegobeil5831
    2 months ago

    THEM: Can I connect to your wifi. ME: sure, what's your MAC address.

  • @DavesGarage
    2 months ago

    At which point someone, from memory, says "00-B0-D0-63-C2-26"

  • @retroretiree2086
    2 months ago

    @@DavesGarage 30 years ago that would've been me :)

  • @samuelhulme8347
    2 months ago

    Me a couple years ago: remembering my public ip - until we changed isp.

  • @jojo2234
    1 month ago

    On my job, when someone requests wifi access I had to ask for mac address for real, and moreover I had to block random MAC privacy stuff on some devices 😮

  • @seansingh4421
    1 month ago

    @@samuelhulme8347 You had a residential static IP? I thought that was an old wives tale

  • @NigelBassman
    2 months ago

    I’m living with a double-NAT config (but with the ISP WiFi disabled). Was installing a new mesh solution and called my fiber ISP to ask how to set their combo modem-router into bridge mode as there was no UI I could find to do that. They have been excellent in all things, but in this case the answer was “Certainly, that’s a business feature and we can enable it for an additional $2,600 per year…” 😮 Since I didn’t want or need the added bandwidth and support that came with that price I thanked them and successfully live with the system as is. My ISP regularly gives me 2.5x more bandwidth than I pay for, so I’ve seen no negative impacts.

  • @riteshdhawan8383
    2 months ago

    Are you based in US, which ISP is asking $2600 for bridge mode on their equipment?

  • @NigelBassman
    2 months ago

    @@riteshdhawan8383 I’m on an island in the US Pacific Northwest. It’s a small ISP that has great service (both internet and people) but a small local staff. So they have standardized their equipment configs and support. People who want to bridge their equipment are usually businesses (not retired software engineers like myself) with some special needs who also want 1 Gbps+ service. So if I wanted bridge mode I’d need to go to one of those plans. Since I’m paying for 100 Mbps and consistently getting 2.5x that I don’t want to upgrade. I get why they want to standardize support and keep costs lower for most of us. And since they consistently over deliver I see no reason to complain.

  • @drooplug
    2 months ago

    If in the US, I question if that is legal. I believe the consumers must be able to use their own equipment.

  • @DavesGarage
    2 months ago

    I'm not surprised... here we have arbitrary cutoffs, like if I want a static IP or the next speed tier up, that's commercial, an extra $3600 a year just for being designated as such.

  • @slowjocrow6451
    17 days ago

    What issues does double NAT cause?

  • @TeslaMaxwell
    2 months ago

    Great presentation of information. The addition of IPS/IDS is an absolute must given that it can be done subscription free nowadays. The other part I hope you touch upon one day is the proper setup of firewall rules and DNS shielding, both are heavily underrated topics.

  • @kenbyrd8457
    1 month ago

    Appreciate that you put into the video syllabus “T…g… requests in comments are from scammers, so don't respond to them.” I was *almost* *believing* that it WAS from you - especially the more intense second message that I received after having failed to respond to the first one.

  • @timhaines3877
    2 months ago

    This brings back memories from the early 2000s when I had a pooched-out Pentium II machine running Slackware with hand-written iptables and Snort scripts. I wonder if I have those scripts lying around somewhere...

  • @DavidLindes
    1 month ago

    Yeah, I'd be interested in more about deploying and configuring OPNSense. For me, probably more interested in a demo that gives me a flavor for more of the details of what's possible than a tutorial on how to do things, but something that's a little of each would be cool, too.

  • @CharlesinGA
    2 months ago

    Wow! what a mouthful. Guess I need to step up my security game. For years NAT worked well, but I guess those days are past. You make me feel like a street racer in a 32 Ford hot rod left in the dust by the guy in a new Corvette.

  • @TheChadXperience909
    2 months ago

    Anti-virus doesn't work on encrypted internet traffic. And, you'll probably never need an IDS/IPS, unless you're hosting services and have open ports in your firewall. NAT isn't a security measure. All you need is a simple firewall.

  • @MikeWescott
    1 month ago

    I'd love to see more coverage of pfSense and OPNSense

  • @ElegantSolutions
    1 month ago

    Nice presentation as usual, I currently use PFSense, but would look forward to your comparison video of OPNSense.

  • @paulmadsen51
    6 days ago

    Dave's Garage may very well be my favorite channel on YT!

  • @bruceallen6492
    1 month ago

    Great 100,000 foot level analysis! The drill down was great too! This gives me the picture I need to work from for my own home network.

  • @reidpinchback8850
    1 month ago

    Note that Netgear router/cable modem combos may not have the ability to update firmware if you buy your own, instead of getting it from the ISP. Only ISPs can update the firmware, and won't do so for a model you purchased even if it is identical to the model the ISP distributes to customers.

  • @Guishan_Lingyou
    2 months ago

    I am planning to get set up a home network with an OPNSense router soon, so I would be happy to see a video from you about setting it up.

  • @syn3rgi3
    2 months ago

    Keen to see an OPNSense tutorial. I really do wish Ubiquiti would release a UDM that supports IPS at higher line speeds

  • @sk3ffingtonai
    1 month ago

    👏👏 Thanks Dave! A future in-depth video about OPNSense would not only be closely watched and supported, it would be well appreciated.

  • @Pnutt0r
    2 months ago

    I'm new to your videos but liked what I saw, simple to understand and no rubbish in-between. I have recently started my journey into homelabs and have just bought a mini pc for my router with the plan of running opnsense so I would like to see your dive into it.

  • @belljoxer
    2 months ago

    Dave, thanks for a great video. Clear, concise and easy to follow. If you want to squeeze everything you can out of your speed test however consider dumping your RJ45 transceivers. Besides consuming more power, 10GBase-T links have about 2.6 microseconds of latency whereas DAC (Twinax) and optical fiber links have only 300 nanoseconds of latency.

  • @hbengineer
    2 months ago

    Hi Dave, YES, please do a walkthrough of OPNSense installation!!!!

  • @hell_nope
    2 months ago

    yup, Please do an OPNsense install and configure tutorial, i believe it will be helpful for a lot of people

  • @randallgreen4084
    2 months ago

    Keep the videos coming, love all the different subjects you've covered. Something to nerd out on.

  • @amcluesent
    2 months ago

    I'd add setup your router to use a filtering DNS such as Quad9 rather than your ISP's DNS and enable DNS over TLS.

  • @_masteryoda
    2 months ago

    Agreed on DoT

  • @Moonraker11
    2 months ago

    The UDM router he is using actually has DoH built-in now via a feature called DNS Shield.

  • @AQDuck
    1 month ago

    One of my old ISPs blocked us from accessing the admin panel completely, the wifi password was the same on all routers and obviously couldn't be changed. Fun times.

  • @survivor303
    2 months ago

    Pfsense, and secure any port of that device and then setup your vlans, then start firewall your connections (wans and lans). Remember enable ids, and monitor your connections too (perhaps make a nice dashboard with live data monitoring and attach display to your wall).. perhaps i make video about my network security :)

  • @vortex2598
    2 months ago

    Oh how I miss my wrt54g that crapped out on me recently. It was a beast with openwrt. It served well 🇺🇸

  • @ChrisLocke
    2 months ago

    Well done Dave! You presented a ton of material in a logical and comprehensive manner. Keep up the great work! 🎉

  • @20chocsaday
    2 months ago

    Why does Logical appeal to me...

  • @thatcreole9913
    2 months ago

    This was great. Would love a opnsense video!

  • @Retinalism
    1 month ago

    Dave, please occasionally include block diagrams to show the layout(s) you describe….?

  • @lukeskywalker8107
    1 month ago

    This is something I’ve been looking for comprehensive info on for a while. I’d love to see a deep dive into setting up a secure network.

  • @Thatdavemarsh
    2 months ago

    10:21 in addition to the bridge mode, a DMZ is another solution that might be available. My isp unit is declined to offer bridge, but will happily DMZ an IP range (into which I include my Meraki security appliance)

  • @tonyscaminaci7959
    2 months ago

    Thanks for verifying my choice of a Protectli Vault running OPNSense along with a UniFi 7 Pro AP. I’m experiencing some difficulty setting up OPNSense on the Vault to direct multiple network streams (LAN, IoT, cameras, Guest) to the single 2.5 GBs UniFi Ethernet port which runs the 2.5, 5, and 6 GHz wireless networks over the 3 separate radios. Confused to say the least so it would be great if you could do an in-depth setup of OPNSense on the Protectli Vault.

  • @tonyscaminaci7959
    2 months ago

    Thanks for removing that suspect link to a Telegram account. I knew it was fishy lol

  • @garrymcgaw4745
    1 month ago

    WOW! I'm in Australia on 5G WiFi and the best speed I've ever got was 320mb down and 15up and Ping was 16. After seeing your speeds I'm ropeable. Thanks Dave.

  • @Moonraker11
    2 months ago

    You just answered a question I've had for a while now with AT&T 5 Gbps fiber with IDS/IPS enabled on my UDM-SE. Waiting for that walk-through with your OPNsense config!

  • @scsirob
    2 months ago

    In my country we're blessed with the right to use our own modem/router. Fiber to the home bring us an RJ45 connector without anything in between. I use a pfSense firewall to keep the thugs out. Checking the firewall logs shows astounding number of connection attempts from places you didn't know existed.

  • @thomasslone1964
    1 month ago

    Really? I live in America where we have no freedom except that our corporate overlords allow us, so I have to use the ISP provided router which I'm charged 10usd a month for indefinitely and if I don't deliver it or ship it to them when it breaks or I need a new one they will charge me 200usd

  • @dan-nutu
    1 month ago

    Then go fight for your freedom in the Land of the Free :)

  • @Binxalot
    2 months ago

    Just fyi the firewalla brand firewalls automatically do this out of the box. They'll quarantine any new Network devices and you can setup custom filters to block Internet, filter sites, whitelist macs, etc. they're really great devices that are consumer friendly, with a great ui, and don't require a subscription.

  • @Maverick7r
    2 months ago

    Great advice and great video that a lot can learn from. Thanks for taking the time to make it!!

  • @IMBlakeley
    2 months ago

    I usually plump for Openwrt and Pihole, Openwrt will run on many off the shelf routers, SBC etc.

  • @rickorwig986
    2 months ago

    Excellent job in solving your bandwidth bottleneck by moving your IDS/IPS off of your UDM Pro! 👏 Great thinking outside the box. Unfortunately, like many in the US, I can only dream of those kinds of internet speeds let alone getting FTTH.

  • @DavesGarage
    2 months ago

    This is my first year with really good internet!

  • @cornstarch28
    2 months ago

    Love this video! Easy to digest and share with non-tech literate friends.

  • @CesarAugustoRL
    1 month ago

    I would like an episode on OPNSense. Great episode

  • @gotsane
    2 months ago

    I am literally unwrapping some new hardware right now to set up my new OPNSense router and vlan aware switch. Great timing on this video. I would love some more information on configuring OPNSense as the last time I really touched networking rules was in the early 2000s and things have changed a lot.

  • @richardpetty9159
    2 months ago

    …BUT you are smarter than you were 20-years ago and user interfaces have improved. You’ll do much better now.

  • @railsplitter99
    1 month ago

    Would most definitely appreciate a walk through of your OPNsense setup and how you configured between your ONT and SE

  • @thebear128
    2 months ago

    Thanks for another great video, Dave! I always find your videos super entertaining and educational.

  • @DavesGarage
    2 months ago

    Glad you like them!

  • @thebear128
    2 months ago

    @@DavesGarage I've been in IT for 20 years and I'm still learning new things from your videos. I love the format and how you present your topics.

  • @ericdodson3630
    2 months ago

    @@thebear128 same here. I've been working on computer since 1990 and doing IT professionally since 2005. I'm now 43 and love how much information I can learn from KZread channels. I loved TechTV/ZDTV back in the late 90's early 2000's and while that channel died a quick death at the hands of Comcast we now have infinitely more information about computers and these niche topics.

  • @thebear128
    2 months ago

    @@ericdodson3630 Me too! I remember coming home to catch the screensavers and call for help. I was really annoyed when they shortened the screensavers down to an hour from an hour and a half. It just started to go downhill from there. Thank goodness channels like Dave's are giving us that content now.

  • @CedroCron
    2 months ago

    I stream in 4K on a 50mb/10mb DSL connection. Having Gigabit today is far too much for most households. We have a lot of IOT devices, tablets, phones and multiple Smart TV's in the house all streaming and 0 issues. Unfortunately nothing else is available in our area but in a way who cares... $35/month for this DSL connection is PLENTY for the 4 of us. Even when we worked from home during the Pandemic. I do have it hooked up to a Netgate Router running PfSense. Works great!

  • @Brian-L
    1 month ago

    All good tips Dave! I'd love for you to go through opnsense IDS/IPS setup. I tried configuring and it cut my bandwidth by about 40-50%. I'm running a beefy enterprise class server with a hypervisor and the VM is definitely not resource constrained. I didn't know fully what I was doing and I probably had too many rulesets enabled. Couldn't be bothered to RTFM at the time. I tried to follow Tim and Lawrence's takes, but it wasn't sinking in. Maybe you'd be the key I need!

  • @cherriagana
    1 month ago

    Here in Belgium some ISP's have made their television streaming boxes reliant on their own router. Putting them in bridge mode is a nightmare to get your TV to work again so double natting is almost obligatory, for site-to-site VPN in my family I have set up an overlay VPN service :p

  • @artal03
    2 months ago

    Thanks for another video, Dave! I'd enjoy seeing you cover OPNSense configuration!

  • @tomv3999
    2 months ago

    While I don't claim I have a 100% secure home network, I do have one major thing in my favor: wired Ethernet in almost every room. I'm not a big fan of WiFi anymore. It is convenient, but probably the best vector for attack. So I'm wired 99% of the time.

  • @harvey66616
    1 month ago

    Not sure what you're saying here. Unless you have just turned wifi off, using a wired connection for most devices doesn't really change your attack surface much. It'd be pretty unusual for an attacker to go after the wifi link on a specific device. Instead, they will go after access to the network itself, at which point it won't matter which devices are on wifi and which are wired. Depending on how much access they manage to get, even having the devices on different VLANs might not help.

  • @ozonepat
    2 months ago

    Very good & valuable info. I wanted to add one piece of info: re:"you are probably stuck with whatever modem your ISP gave you." Don't just assume this. I am on fiber in the Seattle area, and I was able to call my ISP and ask for the ethernet jack on my ONT (Optical Network Terminal - the box on the outside of your house that the fiber connects to) to be enabled. 15 minutes and a ONT reboot later, I was able to plug my own router right in to the ONT. Your ISP might not publicize that this is possible - mine certainly didn't, and was not thrilled when I requested it be done - but it sometimes can be done. I had to work my way through a couple of levels of support first, but I have been up and running with my own router now for several years. It is worth asking about.

  • @riteshdhawan8383
    2 months ago

    Thanks for sharing Dave. All valid points. I commend you for placing that ProtectLi between ISP modem and Unifi Pro. The only aspect where UDM Pro falls short is when it comes to its firewall this is where pfSense \ OPENSense outshines, so kudos for doing that. IDS\IPS is a necessity. Its good that Unifi product line offers it as part of their equipment. I am suspecting you are using some kind of a Dedicated internet line from your ISP which I suspect is AT&T business. 0 Jitter, less than 2 digit ping times, and symmetrical inbound\outbound data, and 5 GBPS speed, are all hallmarks of a dedicated internet line.

  • @michealfinane4448
    @michealfinane4448 2 months ago

    Been using PFsense for years on a 5th gen I5 with 10G networking and IDS/IPS; much prefer it over OPNsense. If you're going to do an OPNsense video, consider PFsense as a comparison, just my 2 cents, but I would consider PFsense the big brother to OPNsense.

  • @mp3920
    @mp3920 2 months ago

    Concise and informative as usual, thank you!

  • @Glidedon
    @Glidedon 1 month ago

    Useful Dave, and I was able to understand all that, thank you!

  • @androbourne
    @androbourne 19 days ago

    Accurate, kept it simple and to the point. Good work.

  • @mattador1846
    @mattador1846 1 month ago

    Thank you Dave, great topic and would like to watch more content like this.

  • @WAGISDev
    @WAGISDev 2 months ago

    Good video. In my own situation, I have a layered configuration. My fiber connection goes into a pfsense firewall, which is the front door sitting before my DMZ assets. I then have a secondary firewall, a UXG-Pro. All my network traffic is split VLANs.

  • @rthefish
    @rthefish 2 months ago

    OPNsense, yes please.

  • @somefox949
    @somefox949 1 month ago

    Would love to see your take on configuring OPNsense! I think I would absolutely gain helpful insights! An overview of the firewall, interfaces, and VLANs would really help me out. I'm still looking for a good explanation of how interfaces and VLANs communicate with one another, explanation of the default configuration, and best practices. Thanks, Dave!

  • @noxcivis
    @noxcivis 1 month ago

    Great video! I must say that you should do audio books (as well as LOTS more KZread videos) because your vocal presentation is wonderful.

  • @sinisabanic7755
    @sinisabanic7755 2 months ago

    Great video Dave, thank you for all this great information.

  • @jfftck
    @jfftck 2 months ago

    T-Mobile 5G home internet has a very basic interface for configuring and doesn’t allow turning off the WiFi, even though I have a commercial grade WiFi. This means, I have an interfering signal that I can’t turn off. I sent a troubleshooting ticket explaining why it should allow more settings and have never heard back about this. I guess most people don’t understand or care enough to complain about this and make them upgrade the firmware and the user interface.

  • @James_Knott
    @James_Knott 2 months ago

    I run pfSense on a Qotom mini PC with i5 CPU, 4 GB RAM, 32 GB SSD & 4 1 GB Ethernet ports. My cable connection provides 1.5 Gb down, but I'm limited by my hardware to "only" 1 Gb. 🙂 I get IPv6 from my ISP, as well as IPv4 and have different /64 prefixes for my main LAN, guest WiFi, test LAN, connection to my Cisco router and OpenVPN. All this is easily handled by pfSense. My cable modem is in bridge mode.

  • @ErikS-

    @ErikS-

    28 days ago

    pfSense is evil. Pretending to be opensource, whilst they are NOT!

  • @rmrestivo
    @rmrestivo 2 months ago

    Perfect ... good refresher ... Thank you 👍

  • @michaelpetrarca5451
    @michaelpetrarca5451 2 months ago

    Hey Dave, you missed a legal fact about Cable Internet Providers, you can own and use your own Cable Modem. I have been using my own modem for over a decade and saving the cost of monthly modem rental from my cable provider. In my case I have a plain vanilla modem with no settings, Motorola MB8600, and that is plugged into my pfSense machine.

  • @riteshdhawan8383

    @riteshdhawan8383

    2 months ago

    It's good that your service provider offers you the ability to use your modem. When it comes to AT&T Fiber Consumer, it's next to impossible to bypass or get rid of their equipment. Whatever 3rd party equipment such consumers want to use, it stands behind ISP device.

  • @B-a_s-H

    @B-a_s-H

    2 months ago

    @riteshdhawan8383 Where I'm from it's required by law that the ISP makes it possible to use 3rd party equipment.

  • @v12alpine

    @v12alpine

    2 months ago

    @riteshdhawan8383 yep, ISPs have been able to get around a lot of long-standing regulations with the switchover to fiber. This is why they are adamant about removing all traces of copper when installing fiber.

  • @bizzfo
    @bizzfo 1 month ago

    Specs on the Dream Machine Pro’s say 3.5Gbps with IDS/IPS turned on.

  • @communalnoodle1356
    @communalnoodle1356 2 months ago

    I'd be keen on the OPNsense video.

  • @TheVideoNorm
    @TheVideoNorm 1 month ago

    Thanks, Dave!

  • @robersonorg
    @robersonorg 2 months ago

    Excellent overview. Thank you!

  • @kevinrtres
    @kevinrtres 1 month ago

    Thanks for the intro. Please do a vid on OPNSENSE, thanks!

  • @MotorsportsX
    @MotorsportsX 1 month ago

    There is no requirement to use the ISP modem. I replaced theirs with mine and stopped paying the rent. You just have to give them the configuration info so it'll work.

  • @DavesGarage

    @DavesGarage

    1 month ago

    Yes, I guess I should have said you must have a modem, but you can own your own, which I did too!

  • @LeverPhile

    @LeverPhile

    1 month ago

    Same here, and it paid for itself within about 18 months.

  • @penvzila
    @penvzila 14 days ago

    The first thing that you should do with your ISP provided router is throw it in a drawer. I've never had one that was remotely good enough. I can remember the old days where you had to fight them but now you can pretty much use your own router on any ISP.

  • @kenworks6068
    @kenworks6068 1 month ago

    Very Good, I learned a few more things today. As always, I need to login to my routers and make more tweaks.

  • @kenmorris2858
    @kenmorris2858 12 days ago

    Great video, many thanks from Nova Scotia...

  • @isaaclorencez5059
    @isaaclorencez5059 2 months ago

    Great video, Dave! And yes, a video on OPN Sense would be great!

  • @gavinskurrie
    @gavinskurrie 2 months ago

    Brilliant video! Thanks Dave! Subscribed! OPNsense video would be fantastic!

  • @Kenjiro5775
    @Kenjiro5775 2 months ago

    Home network security is NOT the weakest link. So far, two state DOTs and 15 corporations have allowed my personal data to be breached. Network security at home is the VERY last thing I am concerned about.

  • @RNMSC

    @RNMSC

    2 months ago

    While it may not be at the top of your to-do list, it probably should be up there. If you can show that you've been doing what you can to keep your information secure, and that you haven't been compromised, it's a lot easier to hold others accountable. Also keep in mind that there are a huge number of compromised systems where the people doing the compromising are not stealing your data, they are aggregating your bandwidth with other users for bot farms to do things like DDoS or using your cpu cycles for bitcoin mining. Having systems in place that know what the traffic for such activities (that you haven't authorized) looks like can help you if you're running into issues with your ISP over the amount of bandwidth you're using, or if for some reason your computers start acting 'slow' at times, or all the time. Again, doesn't have to be at the top of your to-do list, but if it's not there, at least be aware of what the risks are.

  • @_masteryoda

    @_masteryoda

    2 months ago

    You could never touch a computer in your life, and still have everything hacked. I still implement home network security, as it's fun and relatively easy. But yeah... we're not the weak link here... lazy, cheap, incompetent big corps are... even the credit reporting agencies have been hacked.

  • @smoothstuart7383

    @smoothstuart7383

    2 months ago

    Other companies have some data of yours; your home network may well contain 100% of your personal data, so maybe your priorities should be reversed.

  • @Kenjiro5775

    @Kenjiro5775

    2 months ago

    @smoothstuart7383 I'm as old as Dave and my first computer was an Atari 400. I have NEVER had a problem with any personal equipment. Did I mention TWO states notified me about my driver's license data being breached. By the way, the Washington State class action yielded me $60.34, which is how much WA decided identity theft is worth.

  • @Kenjiro5775

    @Kenjiro5775

    2 months ago

    @RNMSC My first computer was an Atari 400, what do you think my network experience level is?

  • @Merlyn4011
    @Merlyn4011 2 months ago

    Thx for fantastic content. Always informative and entertaining :)

  • @JonathanSwiftUK
    @JonathanSwiftUK 2 months ago

    I've been running pfsense Plus on a Beelink EQ12 mini pc with 2x Intel 2.5Gb NICs - worth mentioning that pfsense doesn't always play well with Realtek NICs, that are common on consumer PCs. Yes, I would be interested in seeing your setup, I use pfBlockerNG and ntopng, and the traffic monitor tots up my download and upload usage. Next step is IDS, like Snort, etc. plus Wazuh feeding into Graylog. I will be moving IoT devices to their own VLAN and preventing them accessing my other devices.

  • @DMNL2
    @DMNL2 6 days ago

    Use DMZ on provider router to forward all data to your second router (set fixed IP on provider router for the second router and set DMZ to that IP address). Then on your second router use "Access Control" and make an "Allow List" for both WiFi and Ethernet devices (create an allow list and put in all the MAC addresses of the devices that you want that can access your network). Now only devices that are listed in the "Allow List" can connect to your network; if a device wants to connect to your network that is not listed in the "Allow List" it's bye bye, you cannot come in 🙂 On most routers you can put in the MAC addresses for the devices that you want to have access to remote control your router, for better security. Always make sure you enable all the firewall options on your router, disable UPnP and use port forwarding for your listening applications on specific ports 🙂

  • @MikkoRantalainen
    @MikkoRantalainen 1 month ago

    Good tips, but I would have wanted to see additional guidance: "do not assume your local network is safe - always assume the attacker is already in your local network and do not use hardware that cannot protect itself in the network".

  • @marcelobrigato
    @marcelobrigato 2 months ago

    Hey hey!!! Looking forward to the OPNSense walkthrough with you... :)

  • @CarmineIannace
    @CarmineIannace 2 months ago

    Definitely cover the OPNSense setup. Your videos are excellent.

  • @KevinRavensberg
    @KevinRavensberg 2 months ago

    Subbed, nice tips for securing home networks ⚡️

  • @PCBcarlson
    @PCBcarlson 20 hours ago

    Great presentation - I'm changing IPS to fiber 6 and want to secure some assets but let IOT do its thing. Good ideas.

  • @raggarballe
    @raggarballe 2 months ago

    Here in Sweden where I live we have fiber directly to the house and we don't need to use the provider's modem/router. Which means I can directly connect my router/firewall to the fiber :)

  • @snorman1911

    @snorman1911

    2 months ago

    Everyone in the whole country has fiber to their house?

  • @TheBeardedLibertarian
    @TheBeardedLibertarian 1 month ago

    Love the tour of your house

  • @vicslive
    @vicslive 2 months ago

    Exactly in the same boat, have 1Gb now but could update to 5Gb, need to follow our lead, so looking forward to the OpnSense config video in the future to implement this Vault solution. Appreciated Dave.

  • @markward4532
    @markward4532 2 months ago

    Yes please, would like to see a deep dive into OPNSense
