I have been reading about and watching pfSense and OPNsense videos for one year. Time to pull the trigger.
Looking to have a rock-hard residential connection. Which setup tweaks do you recommend? Plug-ins?
Anyone have a sunnyvalley.cloud referral link?
Comments
Guess you had a look at the OPNsense docs already?
https://docs.opnsense.org/
Besides that, entirely depends on what you intend to do besides sticking in WAN and LAN somewhere.
Take a look at the dnscrypt-proxy plugin with @Brueggus dnscry.pt resolvers. Working great and he's running some of the few dnscrypt servers with actually working DNSSEC, no-logging and no-filtering flags.
Didn't take a closer look at Sensei so far, but I guess the privacy policy would turn me off - kinda laying in the nature of their product.
For pfSense you could look into the "snort" plugin. Depending on which rules you load, you might limit/block your outgoing connections as well, if you activate everything available. So your hard-rock residential connection would go both ways :-)
Requires a bit of tuning, so you can still access everything you want and block the opposite.
If you want, you can not only harden your WAN, but also your LAN interface, in case you have some sus IoT devices etc.
We don't know your specific HW / network setup... In case you don't have a dedicated firewall device with multiple network interfaces, for the start you can even virtualize it on any old PC (ideally with 2 NICs): install Proxmox, create at least 2 additional virtual bridges, connect them to your pfSense VM and configure the IPs. I assume you have an ISP router/firewall at home already. There you have to configure all the incoming connections you need to be forwarded to your pfSense VM, and all the filtering/firewalling/NATing/DHCP will be configured there.
Just try it out, you can't break anything. If you lose the connection, change the gateway IP on your clients back to your router, revert the firewall settings there... and nothing ever happened ;-)
Good luck
I love my pfSense boxes
IP geo blocking is one of the best features
https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide
Fuck this 24/7 internet spew of trivia and celebrity bullshit.
Well, you'd better use a good, accurate geo database for that.
Free NAT KVM | Free NAT LXC
An inaccurate GEO database is also OK. If you are really geofencing your website, then you don't really care that much about visitors, but care more about providing service to the customers you already have.
Somik.org - Server admins cheat codes
Inaccurate also means you have false positives, which means you're blocking out your existing customer base.
Free NAT KVM | Free NAT LXC
If you block your existing customer base, they can always contact you to unblock, so that's a no. You are only blocking a subset of your new customers.
Somik.org - Server admins cheat codes
If there is an option to overrule the database yes, otherwise no.
Free NAT KVM | Free NAT LXC
Oh ya! Because you are using an external blocklist database. However, I think most software has provisions for whitelisting IPs. I know the default firewalls do. Not so sure about the pfSense ones...
Somik.org - Server admins cheat codes
Speaking from experience of working in the NGFW (Next-Gen Firewall) industry for around 3 years, my semi-professional opinion: geolocation based on an IP database is basically useless in terms of increasing security. Attack vectors can come from any IP space from any part of any country. An attacker could use any number of ways to bypass these types of restrictions, from something as basic as just a VPN or proxy, to as high end as deploying C&C malware on victim machines. IP reputation databases and heuristic detection with an IPS suite, plus a repeated-offender dynamic blocklist such as CrowdSec or fail2ban, are going to be far more effective than blindly blocking IP spaces just because of the country they come from.
Cheap dedis are my drug, and I'm too far gone to turn back.
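The two ideas argued over above, an allowlist that overrules the geo database and a repeated-offender dynamic blocklist built from failed logins, shown side by side in one policy check. This is an added example, not code from any poster or from pfSense/OPNsense; the geo database, the allowlist, the country codes and the sshd-style log lines are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed geo database (CIDR -> country code); not a real feed.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "YY",
}
BLOCKED_COUNTRIES = {"XX"}
# Allowlist that overrules the geo database, i.e. the "whitelisting IPs"
# option discussed in the thread (constructed entry).
ALLOWLIST = {ipaddress.ip_network("203.0.113.10/32")}
FAIL_THRESHOLD = 3  # failures before an IP lands on the dynamic blocklist

# Constructed sshd-style log lines for the repeated-offender check.
SAMPLE_LOG = """\
Failed password for root from 198.51.100.7 port 51234 ssh2
Failed password for admin from 198.51.100.7 port 51235 ssh2
Failed password for root from 198.51.100.7 port 51236 ssh2
Failed password for root from 192.0.2.5 port 40000 ssh2
Accepted publickey for alice from 203.0.113.10 port 22222 ssh2
"""
FAIL_RE = re.compile(r"Failed password for \S+ from (\S+) port")

def country_of(ip):
    """Longest-match-free lookup is fine here: the constructed nets don't overlap."""
    for net, cc in GEO_DB.items():
        if ip in net:
            return cc
    return None

def repeat_offenders(log_text, threshold=FAIL_THRESHOLD):
    """Return the set of source IPs with >= threshold failed logins (fail2ban-style)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def decide(ip_str, offenders):
    """Policy order: explicit allowlist, then dynamic blocklist, then geo block."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in ALLOWLIST):
        return "allow"  # an allowlisted customer is never geo-blocked
    if ip_str in offenders:
        return "block"  # repeated failures beat any country-based decision
    if country_of(ip) in BLOCKED_COUNTRIES:
        return "block"
    return "allow"
```

Note that the geo decision only ever fires last: a known customer in a "blocked" country gets through via the allowlist, while a brute-forcer in an "allowed" country is still caught by the failure counter.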
Block everything & add back what you need selectively
If there were a way to do this (reasonably) easily, I would!