Your Home Network is Exposed: Top 10 Ways to Protect it NOW!

  • Published 27 Jan 2025

COMMENTS • 674

  • @TechnoTim
    @TechnoTim 10 months ago +300

    Thanks for the mention Dave! Wow, he knows I exist!

    • @ianemptymindtank
      @ianemptymindtank 10 months ago +13

      Career goals, 1) Do cool stuff. 2) Get noticed by Dave Plummer 3) Speak at C3 Berlin about anything cool.

    • @ChrisTopher-wl6pd
      @ChrisTopher-wl6pd 10 months ago +8

      Omg you’re like… so famous now! 🤪

    • @bru2al1tyusa82
      @bru2al1tyusa82 10 months ago +8

      I was excited to hear Dave give you a shoutout as well

    • @DavesGarage
      @DavesGarage 10 months ago +84

      Love your channel! I'm like the piano teacher who stays one chapter ahead of the students, except I watch Techno Tim to do it :-)

    • @Doesntcompute2k
      @Doesntcompute2k 10 months ago

      @@DavesGarage ❤

  • @JustinEmlay
    @JustinEmlay 10 months ago +101

    You missed one. Create a Guest network but also create an IoT network. Put all the garbage devices like Echos and your fridge on that. Anything that uses a cloud service.

    • @theinsomniacmedic
      @theinsomniacmedic 8 months ago

      Hey bro, I have a question - what advantage does this offer?

    • @JustinEmlay
      @JustinEmlay 8 months ago +31

      @@theinsomniacmedic Separate networks are exactly that. They are separated from each other. I have my main network with all my PCs, NAS and TVs and what not. They all talk to each other. Then I have my IoT network with my fridge, microwave, thermostat, echos and what not. Those two networks cannot interact. In the event someone hacks into one of these cloud devices, I couldn't care less. My main network is isolated. I also have a guest network for guests. As you can imagine none of those guests have any access to my devices.

    • @theinsomniacmedic
      @theinsomniacmedic 8 months ago +3

      @@JustinEmlay Nice I see now. Thanks a lot brother, much appreciated.

    • @JustinEmlay
      @JustinEmlay 8 months ago

      @@theinsomniacmedic No problem at all!

    • @xLTxFire
      @xLTxFire 8 months ago

      That sounds like a great idea to me.
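The LAN / IoT / guest separation the thread above describes, modelled as an added example that is not from the video or any commenter: a small stateful, first-match firewall policy evaluator. Trusted devices may open connections anywhere, IoT and guest devices may only open connections to the Internet, and replies flow back on connections the policy already admitted. Subnets, hosts and ports are constructed for illustration.

```python
"""Added example (not from the video or the comments): a minimal stateful,
first-match firewall model for LAN / IoT / guest segmentation.
All subnets, hosts and ports below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One /24 per segment; any address outside them is treated as WAN.
SEGMENTS = {
    "LAN":   ip_network("192.168.10.0/24"),   # PCs, NAS, TVs
    "IOT":   ip_network("192.168.20.0/24"),   # fridge, thermostat, speakers
    "GUEST": ip_network("192.168.30.0/24"),   # visitors' phones
}
# Block the whole private space, not just the LAN /24, so an IoT or guest
# device cannot reach the router's management address or a future VLAN either.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src: str      # segment name or "ANY"
    dst: str      # segment name, "ANY", or "PRIVATE" (any RFC 1918 address)
    action: str   # "pass" or "block"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.src not in ("ANY", segment_of(src_ip)):
            return False
        if self.dst == "ANY":
            return True
        if self.dst == "PRIVATE":
            return any(ip_address(dst_ip) in net for net in PRIVATE)
        return self.dst == segment_of(dst_ip)


# Evaluated top to bottom for NEW connections only; first match wins.
# Anything that matches nothing is blocked (default deny).
POLICY = [
    Rule("LAN",   "ANY",     "pass"),   # trusted devices may start anything
    Rule("IOT",   "PRIVATE", "block"),  # IoT may not initiate into any local segment
    Rule("IOT",   "WAN",     "pass"),   # ...but may talk to its cloud service
    Rule("GUEST", "PRIVATE", "block"),  # guests see nothing local
    Rule("GUEST", "WAN",     "pass"),
]


class Firewall:
    """Stateful evaluator: the policy decides who may OPEN a connection;
    reply packets of an established connection pass regardless of the policy."""

    def __init__(self, policy):
        self.policy = policy
        self.state = set()   # (src, sport, dst, dport) of admitted connections

    def packet(self, src: str, sport: int, dst: str, dport: int) -> str:
        if (src, sport, dst, dport) in self.state or (dst, dport, src, sport) in self.state:
            return "pass"           # part of an established flow, either direction
        for rule in self.policy:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.state.add((src, sport, dst, dport))
                return rule.action
        return "block"


def demo() -> dict:
    """Walk through the flows the comment describes and return the verdicts."""
    fw = Firewall(POLICY)
    pc, tv, cloud = "192.168.10.5", "192.168.20.7", "203.0.113.10"
    guest, router = "192.168.30.9", "192.168.10.1"
    return {
        "pc_to_tv":        fw.packet(pc, 50000, tv, 8008),    # LAN may cast to the TV
        "tv_reply_to_pc":  fw.packet(tv, 8008, pc, 50000),    # reply on that same flow
        "tv_to_pc_new":    fw.packet(tv, 40000, pc, 445),     # TV may not open a new one
        "tv_to_cloud":     fw.packet(tv, 40001, cloud, 443),
        "guest_to_router": fw.packet(guest, 40002, router, 443),
        "guest_to_cloud":  fw.packet(guest, 40003, cloud, 443),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:16} {verdict}")
```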

  • @Tora58
    @Tora58 10 months ago +438

    Please cover OPNSense

    • @jagdtigger
      @jagdtigger 10 months ago +1

      Avoid OPNSense, their security track record is far from stellar. Go for the original project they forked: pfsense. Less and slower updates but rock stable and on top of their security game.

    • @vveso
      @vveso 10 months ago +7

      Also curious in seeing this setup. Have toyed with a PiHole in the past, but was too much of a bottleneck

    • @jagdtigger
      @jagdtigger 10 months ago +13

      Never knew Dave censors comments. (previous post disappeared.)
      Won't rewrite the whole thing; in short: go for pfsense instead of that fork. They (opnsense) were willing to stay on an EOL version of PHP, which is a huge red flag, and their past track record ain't any better AFAIK.

    • @Doesntcompute2k
      @Doesntcompute2k 10 months ago

      @@jagdtigger Dave (likely) doesn't; UA-cam however... it watches every post for keywords and hides them. Found this out THW

    • @Doesntcompute2k
      @Doesntcompute2k 10 months ago

      I would like to refer you over to the Garage: no, not this Garage, but UA-cam channel @Jims-Garage (Jim's Garage). He has coverage over OPNsense and other great topics. We all could do with a Dave treatment of OPNsense however.

  • @anwalt693
    @anwalt693 10 months ago +79

    Thank you sincerely for this video. It's comforting to have advice from you, as I know you're not trying to sell me something, and you don't have any axe to grind.

    • @DavesGarage
      @DavesGarage 10 months ago +51

      I'm mostly in this for the subs and likes :-)

  • @Doesntcompute2k
    @Doesntcompute2k 10 months ago +24

    I've said it before and I stand by it still: Your presentation format is one of the absolute best on UA-cam. Okay, best anywhere. You're to the point, knowledgeable, and to the point. I really enjoyed this video and I agree with the solution you chose: it's really the best with > 1Gbps Internet. And really, if someone at home "only" has 200Mbps, this solution is still so much better than a vendor's supplied "router."
    Also worth mentioning to people: Never use a vendor's router for WiFi--just not worth it. Put a firewall like you mentioned behind the vendor's router, then an access point(s) or even a cheap WiFi 6e router behind the firewall and you're better off from a security POV.

    • @greggmacdonald9644
      @greggmacdonald9644 10 months ago +2

      I wouldn't say "never", it depends on what they provide.. but if you want the latest WiFi 7 (and have devices that already support it), or you want > 1 Gbit on the local LAN ports, you'll probably have to provide your own, yeah, at least rn in early 2024.

    • @DavesGarage
      @DavesGarage 10 months ago +1

      Thanks for the kind words! Glad you fit it useful!

    • @TheUAoB
      @TheUAoB 10 months ago +4

      @@greggmacdonald9644 Surely the main issue with ISP WiFi would be having to trust the ISP firewall, especially when the ISP maintains control of the "router" such as with combined "Cable Modem WiFi routers". You really want the AP behind a firewall you control.

    • @greggmacdonald9644
      @greggmacdonald9644 10 months ago +1

      @@TheUAoB If you can't log into your ISP-provided router and inspect or change settings within it, then sure! But I can log into the one my ISP provides and so did just that. Plus, you can always circumvent that PC-side anyway, using whatever DNS you'd like, and (if actually necessary), use a VPN to avoid ISP restrictions you can't get around locally. So, it's not an issue for many, I would think.

    • @mrj6642
      @mrj6642 7 months ago

      “Glad you “fit” it useful? -> R U AI?

  • @DrTedEsq
    @DrTedEsq 10 months ago +18

    I'm in the process of rebuilding my OPNSense router right now. Having you talk about how great it is has been fantastic background audio.
    One thing I think you overlooked, was DNS blacklisting. The Unbound config for OPNSense has lots of DNS blacklists to keep a lot of trackers, advertising networks, known botnets, etc all at bay - before they even get to the IPS or IDS.
    Thanks again for your videos. I've liked and subbed, as you've asked. Cheers!

    • @tonyscaminaci7959
      @tonyscaminaci7959 9 months ago +1

      @DrTedEsq great info just in the nick of time. I’m configuring Unbound in a bit, thanks!

    • @DrTedEsq
      @DrTedEsq 9 months ago

      @@tonyscaminaci7959 In the early 2000's, I built a spam filter for the newspaper I worked for. By the time I left there, only 0.002% of emails sent were allowed through - and people still complained about too much spam. (thankfully, they were generally understanding when emails were blocked and had to be retrieved or resent)
      Much of those denials were through DNS blacklists.
      I can be a really blunt stick to what might be a delicate problem, but I think it's worth the potential trouble as whitelisting domains is super easy.
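The DNS blacklisting mechanism discussed in this thread, as an added example that is not from OPNsense, Unbound or any commenter: a converter that turns a hosts-style blocklist feed into Unbound `local-zone` entries, prunes subdomains already covered by a blocked parent, and exempts an allow-listed name from a blocked parent zone with a more specific `transparent` zone (Unbound answers from the closest enclosing local-zone). The feed contents and domain names are constructed.

```python
"""Added example (not from OPNsense, Unbound or the comments): build Unbound
local-zone blocklist entries from a hosts-style feed, with an allow-list.
All domain names and the sample feed below are constructed."""
import re

# Constructed sample of a hosts-style feed, in the shape such lists are published.
BLOCKLIST = """\
# Sample feed
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
0.0.0.0 cdn.ads.example.com
||bad.example.org^
"""
ALLOW = {"cdn.ads.example.com"}   # a host we still need, under a blocked parent

HOST_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+([A-Za-z0-9.-]+)")
ABP_RE = re.compile(r"^\|\|([A-Za-z0-9.-]+)\^$")   # Adblock-style "||domain^"
SKIP = {"localhost", "localhost.localdomain", "0.0.0.0", "broadcasthost", "ip6-localhost"}


def parse_blocklist(text: str) -> set:
    """Extract blocked names; comments, blanks and loopback entries are ignored."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HOST_RE.match(line) or ABP_RE.match(line)
        if m and m.group(1).lower() not in SKIP:
            names.add(m.group(1).lower().rstrip("."))
    return names


def is_covered(name: str, zones: set) -> bool:
    """True if name itself or any parent domain is one of the zones."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in zones for i in range(len(parts)))


def prune_subdomains(names: set) -> set:
    """Drop names whose parent is already listed; the parent zone covers them."""
    return {n for n in names if not is_covered(".".join(n.split(".")[1:]), names)}


def render_unbound(blocked: set, allowed: set) -> str:
    """always_nxdomain blocks a name and everything under it. An allow-listed
    name under a blocked zone gets its own, more specific transparent zone,
    which Unbound prefers over the enclosing blocked one."""
    zones = prune_subdomains(blocked - allowed)
    lines = [f'local-zone: "{n}." always_nxdomain' for n in sorted(zones)]
    lines += [f'local-zone: "{n}." transparent'
              for n in sorted(allowed) if is_covered(n, zones)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound(parse_blocklist(BLOCKLIST), ALLOW), end="")
```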

  • @japanham5973
    @japanham5973 10 months ago +30

    Timely.... I am right now in the process of installing a vault with OPNsense... As a newbie, I look forward to more content from you on this important topic. Thanks much.

    • @qdrive978
      @qdrive978 9 months ago

      I love my vault running OPNSense

  • @reidpinchback8850
    @reidpinchback8850 10 months ago +5

    Note that Netgear router/cable modem combos may not have the ability to update firmware if you buy your own, instead of getting it from the ISP. Only ISPs can update the firmware, and won't do so for a model you purchased even if it is identical to the model the ISP distributes to customers.

  • @wadz668
    @wadz668 10 months ago +13

    I went with a Protectli router about 2 years ago and am running PFSense on it. I have full control over my home network and it's so easy to configure. I have set up firewall aliases to route certain traffic over VPN and also to block all my TVs and other devices that only need LAN access from the internet. I would love a detailed walkthrough on some more protective settings so I look forward to a video covering that!

  • @TeslaMaxwell
    @TeslaMaxwell 10 months ago +5

    Great presentation of information. The addition of IPS/IDS is an absolute must given that it can be done subscription free nowadays. The other part I hope you touch upon one day is the proper setup of firewall rules and DNS shielding, both are heavily underrated topics.

  • @jason01095
    @jason01095 10 months ago +119

    Hi Dave, sure, would love to see your take on a deeper dive into pfsense/opnsense. Our home network setups are very similar (Ubiquiti implementation), minus the 5 gigabit part (1 gig fiber here). The performance impact is pretty dismal with the IDS/IPS enabled via Unifi. I appreciate that they offer it, but would prefer it externalized for performance, much like you described and have implemented. I had never heard of the Protectli Vault before, so this is very interesting to learn about. Thanks!

    • @Techguyericd
      @Techguyericd 10 months ago +9

      I'm a full unifi household as well, and from what I've heard there should be a refresh of the UDM Pro/SE in the next couple years that will do up to 10GB with IDS\IPS, and to be honest it's time for a hardware refresh, with the new Unifi OS 3.X there are some really cool features and it's becoming more of a mature platform.
      Once Ubiquiti refreshes the UDM I'll definitely be replacing my UDM Pro even though I only have 1GB symmetrical fiber, I just want new hardware. Unifi is like a drug you can't wait for your next fix LOL

    • @_masteryoda
      @_masteryoda 10 months ago +6

      Yep. Opnsense is the router. Zenarmor scans all traffic. Country blocking is easy in Opnsense. Keep IOT on guest wi-fi.

    • @Doesntcompute2k
      @Doesntcompute2k 10 months ago +3

      @@Techguyericd But the one they sold/sells fails miserably at full speed ACL-based IPS. Even on 1Gbps. The Unifi hardware is woefully underpowered. It's a shame. Oh and their VLAN setup is uhmmm, thinking of a "good word," okay---"horrible." But then again, I have 40+ VLANs so I'm likely unique.

    • @Doesntcompute2k
      @Doesntcompute2k 10 months ago

      @AnIdiotAboard_ No issues now using it on 10Gbps and 40Gbps connections (OPNsense).

    • @MarkWebbPhotography
      @MarkWebbPhotography 10 months ago

      Check out Lawrence Systems for pfsense deep dives. Helped me set up my Netgate 4200

  • @Pnutt0r
    @Pnutt0r 10 months ago +6

    I'm new to your videos but liked what I saw, simple to understand and no rubbish in-between. I have recently started my journey into homelabs and have just bought a mini pc for my router with the plan of running opnsense so I would like to see your dive into it.

  • @ElegantSolutions
    @ElegantSolutions 10 months ago +4

    Nice presentation as usual, I currently use PFSense, but would look forward to your comparison video of OPNSense.

  • @paulantoine1696
    @paulantoine1696 10 months ago +17

    The primary issue with ISP provided and most consumer routers is just how readily they are abandoned after maybe a year of security updates... this is my primary reason for leaving them in dumb mode wherever possible and having something of my own handling security.

    • @richardpetty9159
      @richardpetty9159 10 months ago +6

      This is beyond the ability of most non-technical people but, were I to shop for a consumer router, I would definitely pick one that can run aftermarket firmware.
      In fact, last year I bought an unsupported name-brand router from Goodwill for $10 and put an aftermarket firmware on it and now it’s excellent.

    • @Willam_J
      @Willam_J 23 days ago

      I got burned by Amped Wireless, this way. My current house/property is rather large, so I needed four high power (600 mW) routers to cover it. (Three for the house, one for my shop building.) Since the routers and access points were only $10 apart, in price, I simply bought 4 routers and configured three of them as access points. Three months later, Amped Wireless discontinued support for these routers, with at least four unresolved CVEs pertaining to them. Obviously, they're not something that an update will fix, so they simply ended the support for these routers, and arbitrarily called them 'obsolete'. To make matters worse, these were some pretty expensive routers. Otherwise, I've been happy with these routers, but I'll never purchase another Amped Wireless product. I have different equipment, now, but keep a couple of the old routers on a segregated network, to cover some legacy IOT devices, which aren't compatible with 5.8GHz or WPA3. (Before anyone criticizes me for using high power routers, which could potentially affect nearby networks, I live in a very rural farming area, and my nearest neighbor is over a mile away. I only mention this, because people have called me out on it, in the past, claiming that I'm inconsiderate to my neighbors.)

    • @louish2037
      @louish2037 6 days ago

      @@richardpetty9159 Putting a router in bridge mode is actually pretty easy and it's something most people should know how to do

  • @randallgreen4084
    @randallgreen4084 10 months ago +9

    Keep the videos coming, love all the different subjects you've covered. Something to nerd out on.

  • @robduncan2816
    @robduncan2816 10 months ago +104

    I work in IT for a decently sized company of around 13,000 users. Whenever I come across a tech oriented video, I get quite critical, as many do, I'm sure. I am far from claiming to be an expert in all things tech. I've seen some that claim to be, but none that are. In any case, I try to watch tech videos that I am learned about through the eyes of a person that has limited knowledge of anything IT related. Thus the critiquing begins... I must say your way of explaining terminology to the layperson is exceptional, your overall knowledge of the subject is the same. Top marks, sir, and thank you for the education. As previously alluded to, we all can't know everything and you've definitely shown me a thing or two on several occasions. Much appreciated.

    • @notaras1985
      @notaras1985 9 months ago +9

      Bro literally invented the Task Manager. What are you rating and babbling about

    • @nils-erikolsson3539
      @nils-erikolsson3539 5 months ago +3

      @@notaras1985 Read what he wrote and understand what he said. And he used less l337 language, without "bro" in it.

  • @AlexG-rc3oq
    @AlexG-rc3oq 5 months ago +3

    You speak techie just casual enough for someone not familiar with the industry to at least get the gist of importance of such measures. The world (or at least my neighborhood) needs a raised awareness of security in a constantly expanding online world - especially since we are raising children. I find your quick, here is the information take it or leave it approach, to be refreshing and easily digested by others, even if they don't fully comprehend.
    I watch your videos often and today I subscribed. You earned at least that much.

  • @DavidLindes
    @DavidLindes 10 months ago +4

    Yeah, I'd be interested in more about deploying and configuring OPNSense. For me, probably more interested in a demo that gives me a flavor for more of the details of what's possible than a tutorial on how to do things, but something that's a little of each would be cool, too.

  • @belljoxer
    @belljoxer 10 months ago +2

    Dave, thanks for a great video. Clear, concise and easy to follow. If you want to squeeze everything you can out of your speed test however consider dumping your RJ45 transceivers. Besides consuming more power, 10GBase-T links have about 2.6 microseconds of latency whereas DAC (Twinax) and optical fiber links have only 300 nanoseconds of latency.

  • @Fr33dan
    @Fr33dan 10 months ago +14

    A good source for OPNSense machines are used workstations. Companies offload them in bulk and you can find them very cheap online. You may need to buy a dual NIC separately but I paid less for mine in total than some consumer boxes.

    • @garanceadrosehn9691
      @garanceadrosehn9691 9 months ago +1

      Those might come with a higher bill for electricity, though...

    • @MrKentaroMotoPI
      @MrKentaroMotoPI 9 months ago

      @@garanceadrosehn9691 As long as the C-states are enabled, the machine will spend most of its time at low voltage and clockspeed. OEM workstations from Dell, HP, etc. are very high quality hardware with good, quiet cooling, error correcting RAM and conservative Xeon CPUs. Most will have a lot of mileage, often running 24/7, so replacing the fans and hard drives is a good idea.

    • @MrKentaroMotoPI
      @MrKentaroMotoPI 9 months ago

      And these machines usually have vanilla hardware, Intel chipsets, NICs, et al., so a Unix-type OS installation is low risk.

  • @kenbyrd8457
    @kenbyrd8457 9 months ago +3

    Appreciate that you put into the video syllabus “T…g… requests in comments are from scammers, so don't respond to them.” I was *almost* *believing* that it WAS from you - especially the more intense second message that I received after having failed to respond to the first one.

  • @thebear128
    @thebear128 10 months ago +5

    Thanks for another great video, Dave! I always find your videos super entertaining and educational.

    • @DavesGarage
      @DavesGarage 10 months ago +3

      Glad you like them!

    • @thebear128
      @thebear128 10 months ago +1

      @@DavesGarage I've been in IT for 20 years and I'm still learning new things from your videos. I love the format and how you present your topics.

    • @Techguyericd
      @Techguyericd 10 months ago +2

      @@thebear128 Same here. I've been working on computers since 1990 and doing IT professionally since 2005. I'm now 43 and love how much information I can learn from UA-cam channels. I loved TechTV/ZDTV back in the late 90's/early 2000's and while that channel died a quick death at the hands of Comcast, we now have infinitely more information about computers and these niche topics.

    • @thebear128
      @thebear128 10 months ago

      @@Techguyericd Me too! I remember coming home to catch the screensavers and call for help. I was really annoyed when they shortened the screensavers down to an hour from an hour and a half. It just started to go downhill from there. Thank goodness channels like Dave's are giving us that content now.

  • @Guishan_Lingyou
    @Guishan_Lingyou 10 months ago +4

    I am planning to set up a home network with an OPNSense router soon, so I would be happy to see a video from you about setting it up.

  • @bruceallen6492
    @bruceallen6492 10 months ago +2

    Great 100,000 foot level analysis! The drill down was great too! This gives me the picture I need to work from for my own home network.

  • @airmailman1971
    @airmailman1971 19 days ago +1

    Dave, just so you know, I have to go into UA-cam Settings and set the speed to .5 (1/2) when I watch your videos. That, and watch the video several times... You're what I'll be when I grow up.

  • @Maverick7r
    @Maverick7r 10 months ago +6

    Great advice and great video that a lot can learn from. Thanks for taking the time to make it!!

  • @Thatdavemarsh
    @Thatdavemarsh 10 months ago +1

    10:21 In addition to bridge mode, a DMZ is another solution that might be available. My ISP unit declines to offer bridge, but will happily DMZ an IP range (into which I include my Meraki security appliance)

  • @MikeWescott
    @MikeWescott 10 months ago +4

    I'd love to see more coverage of pfSense and OPNSense

  • @NigelBassman
    @NigelBassman 10 months ago +11

    I’m living with a double-NAT config (but with the ISP WiFi disabled). Was installing a new mesh solution and called my fiber ISP to ask how to set their combo modem-router into bridge mode as there was no UI I could find to do that. They have been excellent in all things, but in this case the answer was “Certainly, that’s a business feature and we can enable it for an additional $2,600 per year…” 😮 Since I didn’t want or need the added bandwidth and support that came with that price I thanked them and successfully live with the system as is. My ISP regularly gives me 2.5x more bandwidth than I pay for, so I’ve seen no negative impacts.

    • @riteshdhawan8383
      @riteshdhawan8383 10 months ago +3

      Are you based in the US? Which ISP is asking $2600 for bridge mode on their equipment?

    • @NigelBassman
      @NigelBassman 10 months ago

      @@riteshdhawan8383 I’m on an island in the US Pacific Northwest. It’s a small ISP that has great service (both internet and people) but a small local staff. So they have standardized their equipment configs and support. People who want to bridge their equipment are usually businesses (not retired software engineers like myself) with some special needs who also want 1 Gbps+ service. So if I wanted bridge mode I’d need to go to one of those plans. Since I’m paying for 100 Mbps and consistently getting 2.5x that I don’t want to upgrade. I get why they want to standardize support and keep costs lower for most of us. And since they consistently over deliver I see no reason to complain.

    • @drooplug
      @drooplug 10 months ago +2

      If in the US, I question if that is legal. I believe the consumers must be able to use their own equipment.

    • @DavesGarage
      @DavesGarage 10 months ago +6

      I'm not surprised... here we have arbitrary cutoffs, like if I want a static IP or the next speed tier up, that's commercial, an extra $3600 a year just for being designated as such.

    • @slowjocrow6451
      @slowjocrow6451 8 months ago

      What issues does double NAT cause?

  • @lukeskywalker8107
    @lukeskywalker8107 10 months ago +1

    This is something I’ve been looking for comprehensive info on for a while. I’d love to see a deep dive into setting up a secure network.

  • @ribcatcher
    @ribcatcher 10 months ago +43

    The thumbnail is gold

    • @mikkelbreiler8916
      @mikkelbreiler8916 10 months ago +2

      I must admit I did go back and admire the thumbnail before actually placing my like vote on your comment praising it..... I did not pay much attention to the thumbnail - when it comes to Dave's videos I know the quality is in the story, not the thumbnail nor the production. Dave himself is the most of the value you'll ever get in one of his videos.

    • @gryff8400
      @gryff8400 10 months ago +1

      It changed for me since first publication.... 🤷🏻‍♂️ The original was better...

    • @DavesGarage
      @DavesGarage 10 months ago +8

      Too many people complained about my bad photoshop work, which was kind of tongue-in-cheek bad, but not everyone got the joke!!

    • @TishSerg
      @TishSerg 9 months ago +1

      I didn't see that thumbnail due to Dearrow...

  • @ChrisLocke
    @ChrisLocke 10 months ago +6

    Well done Dave! You presented a ton of material in a logical and comprehensive manner. Keep up the great work! 🎉

    • @20chocsaday
      @20chocsaday 10 months ago +1

      Why does Logical appeal to me...

  • @CharlesinGA
    @CharlesinGA 10 months ago +9

    Wow! What a mouthful. Guess I need to step up my security game. For years NAT worked well, but I guess those days are past. You make me feel like a street racer in a '32 Ford hot rod left in the dust by the guy in a new Corvette.

    • @TheChadXperience909
      @TheChadXperience909 10 months ago +2

      Anti-virus doesn't work on encrypted internet traffic. And, you'll probably never need an IDS/IPS, unless you're hosting services and have open ports in your firewall. NAT isn't a security measure. All you need is a simple firewall.

  • @ozonepat
    @ozonepat 10 months ago +1

    Very good & valuable info. I wanted to add one piece of info re: "you are probably stuck with whatever modem your ISP gave you." Don't just assume this. I am on fiber in the Seattle area, and I was able to call my ISP and ask for the ethernet jack on my ONT (Optical Network Terminal - the box on the outside of your house that the fiber connects to) to be enabled. 15 minutes and an ONT reboot later, I was able to plug my own router right into the ONT. Your ISP might not publicize that this is possible - mine certainly didn't, and was not thrilled when I requested it be done - but it sometimes can be done. I had to work my way through a couple of levels of support first, but I have been up and running with my own router now for several years. It is worth asking about.

  • @craigurciuoli6994
    @craigurciuoli6994 10 months ago +2

    Dave, thanks for the video. I use pfsense on a netgate device but I assume the concepts to configure are similar to OPNsense. So I would love a deep dive on configuring OPNsense.

  • @bizzfo
    @bizzfo 10 months ago +1

    Specs on the Dream Machine Pro say 3.5Gbps with IDS/IPS turned on.

  • @Brian-L
    @Brian-L 10 months ago +3

    All good tips Dave!
    I'd love for you to go through opnsense IDS/IPS setup. I tried configuring and it cut my bandwidth by about 40-50%. I'm running a beefy enterprise class server with a hypervisor and the VM is definitely not resource constrained. I didn't know fully what I was doing and I probably had too many rulesets enabled. Couldn't be bothered to RTFM at the time.
    I tried to follow Tim and Lawrence's takes, but it wasn't sinking in. Maybe you'd be the key I need!

  • @sk3ffingtonai
    @sk3ffingtonai 10 months ago +2

    👏👏 Thanks Dave! A future in-depth video about OPNSense would not only be closely watched and supported, it would be well appreciated.

  • @hell_nope
    @hell_nope 10 months ago +4

    Yup, please do an OPNsense install and configure tutorial, I believe it will be helpful for a lot of people

  • @MrSparkefrostie
    @MrSparkefrostie 10 months ago +1

    Though likely not a big difference, from what I can tell, you can set a static route to the second router after the ISP router, though it may be more complex and need making sure their IP ranges are different. I suspect there must be some benefit. Though the best is if your ISP uses PPPoE and allows you to connect your own router to the ONT and all you need is a username and password from the ISP

  • @timhaines3877
    @timhaines3877 10 months ago +5

    This brings back memories from the early 2000s when I had a pooched-out Pentium II machine running Slackware with hand-written iptables and Snort scripts. I wonder if I have those scripts lying around somewhere...

  • @cornstarch28
    @cornstarch28 10 months ago +2

    Love this video! Easy to digest and share with non-tech literate friends.

  • @Backdooryomomma
    @Backdooryomomma 2 months ago

    What an awesome video. Very informative and easy for even the least tech savvy among us to comprehend and utilize. Thank you for sharing your knowledge and being of service to people like my mom and sister. Our family is thankful for you.

  • @pedro_8240
    @pedro_8240 9 months ago +1

    5:30 Any ISP that isn't just scraping the bottom of the barrel will update the provided routers automatically through remote management, unless the router is so old that they, or the vendor, just aren't even providing security fixes anymore; in that case, just pester your ISP for a new router.
    10:10 you might be able to enable DMZ and point to the second router, that way you'll limit some of the inconveniences of double NATting.

  • @WAGISDev
    @WAGISDev 10 months ago +1

    Good video. In my own situation, I have a layered configuration. My fiber connection goes into a pfsense firewall, which is the front door sitting before my DMZ assets. I then have a secondary firewall, a UXG-Pro. All my network traffic is split into VLANs.

  • @MotorsportsX
    @MotorsportsX 10 months ago +2

    There is no requirement to use the ISP modem. I replaced theirs with mine and stopped paying the rent. You just have to give them the configuration info so it'll work.

    • @DavesGarage
      @DavesGarage 10 months ago +2

      Yes, I guess I should have said you must have a modem, but you can own your own, which I did too!

    • @LeverPhile
      @LeverPhile 10 months ago +1

      Same here, and it paid for itself within about 18 months.

  • @mp3920
    @mp3920 10 months ago +2

    Concise and informative as usual, thank you!

  • @Moonraker11
    @Moonraker11 10 months ago +3

    You just answered a question I've had for a while now with AT&T 5 Gbps fiber with IDS/IPS enabled on my UDM-SE. Waiting for that walk-through with your OPNsense config!

  • @That1Engineer
    @That1Engineer 3 months ago

    I've been racking my head on these concepts and you made them easy to approach and I'll be taking action on some of these items!! Thank you!

  • @gotsane
    @gotsane 10 months ago +3

    I am literally unwrapping some new hardware right now to set up my new OPNSense router and vlan aware switch. Great timing on this video. I would love some more information on configuring OPNSense as the last time I really touched networking rules was in the early 2000s and things have changed a lot.

    • @richardpetty9159
      @richardpetty9159 10 months ago +1

      …BUT you are smarter than you were 20-years ago and user interfaces have improved. You’ll do much better now.

  • @Duckly97
    @Duckly97 10 months ago +2

    One of my old ISPs blocked us from accessing the admin panel completely; the wifi password was the same on all routers and obviously couldn't be changed.
    Fun times.

  • @SpeZi-tr6gr
    @SpeZi-tr6gr 5 months ago +2

    If you're wondering: in case, unlike Dave, you're not a Ubiquiti fanboy, you can leave out the UDM Pro altogether and just go all the way with opnsense on Protectli or whatever hardware you choose to use. It also does a way better job in dealing with redundant WAN ports. I'm not hating Ubiquiti, I just learned to only use their wifi stuff the hard way :-D

  • @syn3rgi3
    @syn3rgi3 10 months ago +4

    Keen to see an OPNSense tutorial. I really do wish Ubiquiti would release a UDM that supports IPS at higher line speeds

  • @riteshdhawan8383
    @riteshdhawan8383 10 months ago +2

    Thanks for sharing Dave. All valid points. I commend you for placing that ProtectLi between the ISP modem and Unifi Pro. The only aspect where the UDM Pro falls short is when it comes to its firewall; this is where pfSense \ OPNsense outshines it, so kudos for doing that. IDS\IPS is a necessity. It's good that the Unifi product line offers it as part of their equipment. I am suspecting you are using some kind of a dedicated internet line from your ISP which I suspect is AT&T business. 0 jitter, less than 2 digit ping times, symmetrical inbound\outbound data, and 5 Gbps speed are all hallmarks of a dedicated internet line.

  • @tonyscaminaci7959
    @tonyscaminaci7959 10 months ago +2

    Thanks for verifying my choice of a Protectli Vault running OPNSense along with a UniFi 7 Pro AP. I'm experiencing some difficulty setting up OPNSense on the Vault to direct multiple network streams (LAN, IoT, cameras, Guest) to the single 2.5 Gbps UniFi Ethernet port which runs the 2.4, 5, and 6 GHz wireless networks over the 3 separate radios. Confused to say the least, so it would be great if you could do an in-depth setup of OPNSense on the Protectli Vault.

    • @tonyscaminaci7959
      @tonyscaminaci7959 10 months ago

      Thanks for removing that suspect link to a Telegram account. I knew it was fishy lol

  • @vortex2598
    @vortex2598 10 months ago +5

    Oh how I miss my WRT54G that crapped out on me recently. It was a beast with OpenWrt. It served well 🇺🇸

  • @mattador1846
    @mattador1846 10 months ago +1

    Thank you Dave, great topic and would like to watch more content like this.

  • @railsplitter99
    @railsplitter99 10 months ago +1

    Would most definitely appreciate a walkthrough of your OPNsense setup and how you configured it between your ONT and SE.

  • @ariella4063
    @ariella4063 7 months ago +1

    Another Great video, keep it coming, I would love to see a deep dive into Open PFS

  • @lesmoore4769
    @lesmoore4769 2 months ago

    I fully enjoy your videos. Perhaps because one of my highlights regarding computers was when starting using BBS

  • @yawser
    @yawser 20 days ago

    I love this video and the way you covered the subject. I’m diving into your channel now.

  • @Retinalism
    @Retinalism 10 months ago +2

    Dave, please occasionally include block diagrams to show the layout(s) you describe….?

  • @artal03
    @artal03 10 months ago +2

    Thanks for another video, Dave! I'd enjoy seeing you cover OPNSense configuration!

  • @cherriagana
    @cherriagana 10 months ago +1

    Here in Belgium some ISPs have made their television streaming boxes reliant on their own router.
    Putting them in bridge mode is a nightmare to get your TV working again, so double NAT is almost obligatory; for site-to-site VPN in my family I have set up an overlay VPN service :p

  • @thatcreole9913
    @thatcreole9913 10 months ago +5

    This was great. Would love a opnsense video!

  • @hbengineer
    @hbengineer 10 months ago +3

    Hi Dave, YES, please do a walkthrough of OPNSense installation!!!!

  • @kenworks6068
    @kenworks6068 10 months ago +1

    Very Good, I learned a few more things today. As always, I need to login to my routers and make more tweaks.

  • @jeff95050
    @jeff95050 10 months ago +1

    Absolutely valuable, educational and the perfect level of detail for me. It confirms and validates the issues and experiences I have had and presents the information in a very pleasant, comfortable and confident manner. Bravo! P.S: That part showing your 5 Gig fiber bandwidth was just showing off, but I liked it!

  • @michealfinane4448
    @michealfinane4448 10 months ago +2

    Been using pfSense for years on a 5th gen i5 with 10G networking and IDS/IPS; much prefer it over OPNsense. If you're going to do an OPNsense video, consider pfSense as a comparison. Just my 2 cents, but I would consider pfSense the big brother to OPNsense.

  • @richardh9071
    @richardh9071 6 months ago

    Great video! I've been doing this myself for years, though use a Sophos XG firewall rather than PFSense/OPNSense (and before that, used Sophos UTM, Astaro Security Gateway, and WinRoute Pro). Changing DNS settings to use OpenDNS provides an additional layer of protection too. MAC address filtering in a whitelist mode can provide some additional protection (though can be easily bypassed via MAC address spoofing), as can not broadcasting the SSID.

  • @alcorza3567
    @alcorza3567 10 months ago +2

    I'm keen to understand how you plumb an OPNsense box in between the modem and the UDM Pro.
    I have a UDM Pro but am keen to tinker with OPNsense, but am unsure what I lose on the UDM Pro, and how to access the OPNsense box if it's behind the UDM Pro.

  • @dominiquegobeil5831
    @dominiquegobeil5831 10 months ago +56

    THEM: Can I connect to your wifi? ME: Sure, what's your MAC address?

    • @DavesGarage
      @DavesGarage  10 months ago +56

      At which point someone, from memory, says "00-B0-D0-63-C2-26"

    • @retroretiree2086
      @retroretiree2086 10 months ago +16

      @@DavesGarage 30 years ago that would've been me :)

    • @samuelhulme8347
      @samuelhulme8347 10 months ago +4

      Me a couple of years ago: remembering my public IP - until we changed ISP.

    • @jojo2234
      @jojo2234 10 months ago +2

      At my job, when someone requests Wi-Fi access I have to ask for the MAC address for real, and moreover I have to block the random-MAC privacy stuff on some devices 😮

    • @seansingh4421
      @seansingh4421 10 months ago

      @@samuelhulme8347You had a residential static IP ? I thought that was an old wives tale

  • @Cesar33-pl
    @Cesar33-pl 9 months ago +1

    I would like an episode on OPNSense. Great episode

  • @marcelobrigato
    @marcelobrigato 10 months ago +2

    Hey hey!!! Looking forward to the OPNSense walkthrough with you... :)

  • @SassyToll
    @SassyToll 10 months ago +1

    Please cover OPN thanks Dave

  • @SteveJones172pilot
    @SteveJones172pilot 10 months ago +1

    Very cool.. I have used pfSense and OPNSense, but I never knew you could do a transparent bridge with IDS/IPS enabled.. I would like to see how this is configured.. Might be fun to try it again in combination with, or instead of my Unifi ERx

  • @graham2409
    @graham2409 10 months ago +1

    Good video, but have you considered the fact that your UDM is effectively just as vulnerable to remote admin access attacks as an old Linksys with remote admin enabled, since Unifi equipment is managed via cloud hosting from unifi? It's a security nightmare waiting to happen.

  • @vicslive
    @vicslive 10 months ago +1

    Exactly in the same boat; I have 1 Gb now but could upgrade to 5 Gb, so I need to follow your lead. Looking forward to the OPNsense config video in the future to implement this Vault solution. Appreciated, Dave.

  • @hquest
    @hquest 10 months ago

    A few notes to improve clarity on another great video.
    1:50 - Not really, with all US and foreign providers. Provided it is a compatible device for the technology they are offering - such as having a coax, DSL or fiber port with the correct transceiver unit - most ISPs will let you use yours.
    2:23 - A better, simpler way to explain it would be "a router moves packets across different network segments; a switch moves packets across different ports on the same network segment."
    6:28 - WPA3 is only available on more modern Wi-Fi 6 and newer equipment, and a select few Wi-Fi 5 devices. This wireless "version" can sometimes be found on the device label sticker, as a number inside the wireless icon. Alternatively, Windows Task Manager (thanks Dave!) will show you the connection type on the Performance > Wi-Fi tab. If you see 802.11ax, that's Wi-Fi 6/7. If you see 802.11ac, that's Wi-Fi 5. Anything else (802.11n/a/b/g) is older technology that should support only up to WPA2.

  • @Taras-Nabad
    @Taras-Nabad 10 months ago +1

    This was a great video. I also love UniFi. Not sure why they don't make a UDM Pro (SUPER) that has a bigger CPU. I know they have the UDM Pro SE but that is not much different.

  • @PhelanPKell
    @PhelanPKell 5 months ago

    Good vid. This time around there wasn't anything new to update my knowledge, but I keep watching vids because I'll never assume I know it all. :)

  • @rickorwig986
    @rickorwig986 10 months ago +1

    Excellent job in solving your bandwidth bottleneck by moving your IDS/IPS off of your UDM Pro! 👏 Great thinking outside the box. Unfortunately, like many in the US, I can only dream of those kinds of internet speeds let alone getting FTTH.

    • @DavesGarage
      @DavesGarage  10 months ago +1

      This is my first year with really good internet!

  • @LilaHikes
    @LilaHikes 5 months ago

    Been using the Protectli solution for my home for 3 years and it has been flawless. OPNSense is great. Like anything involved with network security, there is a learning curve, but it isn't too steep. It is also super easy to maintain. The best part, there are no moving parts. No PSU, CPU, or cooling fans to go bad. This sucker is 100% solid state.

  • @song-explorer
    @song-explorer 6 months ago

    Thank you for a great intro to home network security. I am familiar with all of the parts but not all of the particulars.

  • @noxcivis
    @noxcivis 10 months ago +1

    Great video ! I must say that you should do audio books (as well as LOTS more UA-cam videos) because your vocal presentation is wonderful.

  • @survivor303
    @survivor303 10 months ago +4

    pfSense: secure every port of that device, then set up your VLANs, then start firewalling your connections (WANs and LANs). Remember to enable IDS, and monitor your connections too (perhaps make a nice dashboard with live data monitoring and attach a display to your wall).. Perhaps I'll make a video about my network security :)

  • @TheCynysterMind
    @TheCynysterMind 10 months ago

    Very nice Dave. I have been doing most of your suggestions for years. But it is nice to get some confirmation.
    I have noticed that my ISP fiber device was not always honoring the DMZ zones I set up... and the conversation was well over the heads of the local technicians.
    I ended up with multiple port forwards from the ISP modem to my Nighthawk, then to my Synology for VPN access.
    The VPN on the Nighthawk is absolute crap.... The VPN on the Synology is much better but still nowhere near as good as pfSense.
    I agree with all your suggestions especially if you are building from scratch.
    The biggest advice I give friends and family.... never use the built in wireless from your ISP.
    Always get another device to stand between your ISP device and your home.

  • @CedroCron
    @CedroCron 10 months ago +1

    I stream in 4K on a 50mb/10mb DSL connection. Having Gigabit today is far too much for most households. We have a lot of IoT devices, tablets, phones and multiple Smart TVs in the house all streaming, and 0 issues. Unfortunately nothing else is available in our area, but in a way who cares... $35/month for this DSL connection is PLENTY for the 4 of us. Even when we worked from home during the Pandemic. I do have it hooked up to a Netgate router running pfSense. Works great!

  • @JonathanSwiftUK
    @JonathanSwiftUK 10 months ago +2

    I've been running pfSense Plus on a Beelink EQ12 mini PC with 2x Intel 2.5Gb NICs - worth mentioning that pfSense doesn't always play well with Realtek NICs, which are common on consumer PCs. Yes, I would be interested in seeing your setup. I use pfBlockerNG and ntopng, and the traffic monitor totals up my download and upload usage. Next step is IDS, like Snort, etc., plus Wazuh feeding into Graylog. I will be moving IoT devices to their own VLAN and preventing them from accessing my other devices.

  • @IMBlakeley
    @IMBlakeley 10 months ago +3

    I usually plump for OpenWrt and Pi-hole; OpenWrt will run on many off-the-shelf routers, SBCs etc.

  • @Glidedon
    @Glidedon 10 months ago +1

    Useful Dave, and I was able to understand all that, thank you !

  • @Sommyie
    @Sommyie 10 місяців тому +2

    Pro tip, ziply uses GPON and you can get a GPON to SFP+ converter and they support it for anything faster than 1gbps

  • @JJ-crypt
    @JJ-crypt 3 months ago

    I learn a lot from your videos. Thank you, Dave.

  • @heavyt5489
    @heavyt5489 9 months ago +1

    I run OpenWrt on x86 with Docker containers and cloudflared so as not to expose my IP address, and let them handle the blocking.

  • @lgf30022
    @lgf30022 10 months ago +1

    Dave, I would definitely vote for seeing an in-depth walkthrough of OPNsense. I had pfSense for several years but I feel I could not get the best config and monitoring. Now I have a UniFi UDM Pro and 5G fiber, so I would like to mirror your configuration.

  • @gavskuzz
    @gavskuzz 10 months ago +2

    Brilliant video! Thanks Dave! Subscribed! OPNsense video would be fantastic!

  • @TheVideoNorm
    @TheVideoNorm 10 months ago +2

    Thanks, Dave!

  • @jaybee9708
    @jaybee9708 10 months ago +1

    VERY interested in an OPNsense episode. Could skip basic setup--have done that a dozen times. But more info about system requirements, setting up, configuring and maintaining/checking logs on ClamAV and IDS/IPS would be very helpful. I'm also using OPNsense on a Protectli Vault--really love the horsepower it provides for SPI, VPN, IDS/IPS, etc. But I know it's not working to its full capability.
    Thanks so much, Dave. Love your channel. Your interests overlap mine to a great extent. Looking forward to your next posting whatever the subject.

  • @ccoder4953
    @ccoder4953 10 months ago +1

    I've run OPNsense as my router for some time. I run it as a VM (Proxmox host) on an old Dell rack-mount server (R210 II). Works great - wouldn't change, other than maybe a hardware upgrade if I upgrade my internet at some point. I also run Ubiquiti equipment, but just APs. The management server for the Ubiquiti stuff is just a Debian VM running on the same box as OPNsense. Also, for your VPN, you should think about doing WireGuard - state-of-the-art encryption with a very well done, clean-sheet design and very high quality code.
    Funny you should be talking about OPNSense now. Linus Tech Tips just did a video the other day talking about how they were switching their router to an OPNSense box too.

  • @amcluesent
    @amcluesent 10 months ago +8

    I'd add setup your router to use a filtering DNS such as Quad9 rather than your ISP's DNS and enable DNS over TLS.

    • @_masteryoda
      @_masteryoda 10 months ago +1

      Agreed on DoT

    • @Moonraker11
      @Moonraker11 10 months ago

      The UDM router he is using actually has DoH built-in now via a feature called DNS Shield.
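One way to apply the Quad9-plus-DoT tip above on a router whose resolver is unbound (the default resolver on OPNsense), as an added example that is not from the video or from the commenters: the LAN address, the CA bundle path and the second Quad9 address are assumptions, and the plain-UDP ISP forwarder is shown commented out beside the TLS replacement.

```conf
# Added example (not the video's or any commenter's configuration):
# unbound forwarding every query to Quad9 over DNS-over-TLS (port 853)
# instead of the ISP resolver over plain UDP port 53.
server:
    interface: 192.168.1.1              # router's LAN address (constructed value)
    access-control: 192.168.1.0/24 allow
    # CA bundle used to verify the upstream's certificate against the
    # authentication name below. /etc/ssl/cert.pem is the FreeBSD/OPNsense
    # location; on Debian-style Linux it is /etc/ssl/certs/ca-certificates.crt.
    tls-cert-bundle: /etc/ssl/cert.pem
    qname-minimisation: yes             # send upstream only the labels it needs
    harden-dnssec-stripped: yes         # reject answers with DNSSEC data removed
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    # Weak setting (before): ISP resolver, unencrypted, no filtering.
    # 203.0.113.53 is a documentation address standing in for the ISP's.
    # forward-addr: 203.0.113.53
    #
    # Corrected setting: Quad9 over TLS. The "#dns.quad9.net" suffix is the
    # name unbound checks in the server certificate, so a spoofed resolver
    # on the path fails the TLS handshake instead of answering queries.
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net   # Quad9 secondary (assumed)
```

After reloading unbound, a query such as `dig @192.168.1.1 example.com` should still resolve, while a packet capture on the WAN side shows only TCP/853 to Quad9 and no port-53 traffic to the ISP.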