Any usefulness for Skynet + pfsense/opnsense in transparent bridge mode?

pjd50

Regular Contributor
I assumed this question has been asked thousands of times before, but surprisingly despite different Google searches and forum thread searches, I couldn't find an answer.

On my home set-up, I have AdGuardHome running on my NAS. I then have my Merlin ASUS router pointing the NAS IP address for DNS (thus ad-blocking).
I also have SkyNet running on my Merlin ASUS router.

Is there any usefulness for adding a device running pfsense/opnsense (probably in transparent bridge mode, so that I wouldn't have to mess with my current configuration - see
and
I can't find a clear answer if there's any added benefit or if it's just added redundancy to my set-up. Thanks for any tips!
 
pfBlockerNG package in pfSense can replace both your DNS-blocker (AdGuard Home) and IP-blocker (Skynet). Suricata/Snort packages can replace AiProtection and can do true IPS/IDS with no 3rd party involvement. Squid package can do SSL proxy if you like. You have various options for QoS, you can intercept and redirect DNS queries (like DNS Director), default DNS server is Unbound (Entware + custom script in Asuswrt-Merlin), policy routing is available, VPNs, VLANs... I don't know what your Asus router is doing there. The more capable and configurable system is your pfSense. It can do everything around routing on one hardware device with better hardware than your Asus router.

Your Asus router was perhaps an existing device before your pfSense appliance. Its advantage is All-In-One router/switch/access point and more user friendly Web UI. You have to decide what you want and what you are more comfortable with - pfSense or Asuswrt-Merlin. You don't need both for a home setup.
 
Thanks, that’s helpful. So all those features are available in bridge mode, it seems. But curious if adding it to my existing system in bridge mode gives me any additional security?
 
But curious if adding it to my existing system in bridge mode gives me any additional security?

Unlikely. Most security issues originate from the LAN side. Most are user error related. Stacking firewalls won't help.

If you go with OPNsense you can run AdGuard Home on the same device, by the way. Guides how to do it available online. No pfBlockerNG for OPNsense though.
 
No pfBlockerNG for OPNsense though.
But you can replicate the DNS blocking through unbound Blocklists and Firewall Aliases for IP blocklists. Not as elegant, but still achievable.

pfBlockerNG Blocklists for OPNSense Firewall alias:
Code:
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://isc.sans.edu/block.txt
https://www.spamhaus.org/drop/drop.txt
https://talosintelligence.com/documents/ip-blacklist
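The firewall-alias approach above depends on feeding the firewall a clean list, and several of the quoted feeds use different comment styles (Spamhaus DROP uses `;`, abuse.ch and Emerging Threats use `#`). The script below is an added example written for this thread, not code from pfBlockerNG, OPNsense, or any poster: it merges feeds of that layout into one validated, collapsed CIDR list, and refuses entries that would block RFC 1918 space or `0.0.0.0/0`, which is the failure mode a corrupted or hijacked feed would cause. The sample feeds are constructed from documentation ranges, not real indicators.

```python
"""Merge IP blocklist feeds into one validated CIDR list for a firewall alias.

Added example, not from pfBlockerNG/OPNsense. Assumes plain-text feeds with
one IP or CIDR per line and '#' or ';' comments (the layout of the feeds
quoted above). Sample feeds are constructed, not real data.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# A feed must never be allowed to push these into a block table: a bad list
# containing 192.168.0.0/16 or 0.0.0.0/0 would cut the firewall off from its
# own LAN or from the whole internet.
NEVER_BLOCK: List[IPNet] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]


def parse_blocklist(text: str) -> Tuple[List[IPNet], List[str]]:
    """Parse one feed. Returns (networks, lines that were not a valid IP/CIDR)."""
    nets: List[IPNet] = []
    rejected: List[str] = []
    for raw in text.splitlines():                        # handles CRLF too
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]                          # ignore trailing columns
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return nets, rejected


def is_safe_to_block(net: IPNet) -> bool:
    """False for catch-all prefixes and anything touching local/private space."""
    if net.prefixlen == 0:
        return False
    return not any(net.version == local.version and net.overlaps(local)
                   for local in NEVER_BLOCK)


def build_alias(feeds: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Merge feeds into a sorted, de-duplicated, collapsed CIDR list.

    'dropped' records every unparsable or unsafe entry so a bad upstream feed
    is visible instead of silently applied.
    """
    v4: List[IPNet] = []
    v6: List[IPNet] = []
    dropped: List[str] = []
    for text in feeds:
        nets, rejected = parse_blocklist(text)
        dropped.extend(rejected)
        for net in nets:
            if not is_safe_to_block(net):
                dropped.append(str(net))
            elif net.version == 4:
                v4.append(net)
            else:
                v6.append(net)
    # collapse_addresses de-duplicates and absorbs subnets into supernets,
    # keeping the table small; it needs one address family per call.
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged], dropped


def render_alias_file(cidrs: List[str]) -> str:
    """One CIDR per line, the format a URL Table alias downloads."""
    return "\n".join(cidrs) + "\n"


# Constructed sample feeds (documentation ranges, not real indicators).
FEED_DROP = (
    "; constructed sample in the Spamhaus DROP layout\n"
    "192.0.2.0/24 ; SBL000001\n"
    "198.51.100.0/24 ; SBL000002\n"
)
FEED_ABUSECH = (
    "# constructed sample in the abuse.ch layout\n"
    "# DST IP\n"
    "192.0.2.10\n"
    "203.0.113.5\n"
    "192.0.2.10\n"           # duplicate line
)
FEED_MESSY = "\r\n".join([
    "198.51.100.128/25",     # subnet of a range already in FEED_DROP
    "203.0.113.0/25",
    "2001:db8::/32",
    "not-an-ip",             # corrupted line
    "192.168.1.0/24",        # would block the home LAN
    "0.0.0.0/0",             # would block everything
    "",
])

if __name__ == "__main__":
    cidrs, dropped = build_alias([FEED_DROP, FEED_ABUSECH, FEED_MESSY])
    print(render_alias_file(cidrs), end="")
    print("dropped:", dropped)
```

Run from cron, with the three sample feeds swapped for downloads of the URLs listed above, the rendered file can be served over HTTP on the LAN and pulled by a URL Table alias on its refresh interval; the `dropped` list is what to alert on, since a feed that suddenly starts rejecting entries is a feed you should stop trusting.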
 
Not as elegant, but still achievable.

Absolutely, more manual work with similar results. Not sure how blocklist auto-update is going to work, but perhaps it has a solution as well.

I believe @pjd50 doesn't need this complication and extra hardware expense. For home network AIO router is good enough. pfSense/OPNsense starting from zero will be hard. They become more user friendly over the years with scenario presets and better documentation, but can't beat consumer routers with on/off toggles and everything else already done by someone else. And no gaming and parental controls presets on a business oriented software. Whatever is needed has to be recreated manually.
 
Absolutely, more manual work with similar results. Not sure how blocklist auto-update is going to work, but perhaps it has a solution as well.

Yeah - does it make sense to maintain/manage these DNS blockers when we have things like IPv6, CDNs, and HTTPS/QUIC which bury ad-domains and cannot be blocked...

End-points are probably better - browser side...
 
Thanks everyone for the advice and input. I am happy with AdGuard Home running on my Synology. And SkyNet seems to be doing a decent job as well (I might as well take advantage of having a nice Merlin-capable router). OPNsense/pfSense might make sense if I wasn't in the Merlin ecosystem (I love the Router UI features for "Wake on LAN" and the VPN Client/VPN Director). I might get a mini-PC and do pfSense/OPNsense in the future (maybe when I finally upgrade my networking equipment!), but for now I don't think it will be super useful for me (especially if I'm running in transparent bridge mode). Maybe in the future I will want more VLAN control etc, and pfSense/OPNsense will give me much better control than ASUS/Merlin + Scripts.
 
If you want to play with Pfsense then you can just plug it into your ASUS router network. Turn off blocking private IP addresses and it should work. So, anything plugged into the LAN side on Pfsense will be firewalled using Pfsense. You could use this as a migration to Pfsense as you learn it. You slowly move devices over as you see fit.
I'm not sure how you want to handle wireless but you could learn Pfsense using wired clients.
 
If you want to play with Pfsense then you can just plug it into your ASUS router network. Turn off blocking private IP addresses and it should work. So, anything plugged into the LAN side on Pfsense will be firewalled using Pfsense. You could use this as a migration to Pfsense as you learn it. You slowly move devices over as you see fit.
I'm not sure how you want to handle wireless but you could learn Pfsense using wired clients.
Thanks, that's a good suggestion. I assume you mean in transparent bridge mode, right? Because my ASUS router is running as the DHCP server? I'm not sure if this is what is called a "Double NAT" if I let both of them be DHCP servers?
 
Thanks, that's a good suggestion. I assume you mean in transparent bridge mode, right? Because my ASUS router is running as the DHCP server? I'm not sure if this is what is called a "Double NAT" if I let both of them be DHCP servers?
No, Pfsense will assign DHCP. You are running 2 firewalls. They will be isolated networks. You need to assign an IP network not being used for the Pfsense LAN side. This is how I bring up new firewalls to test and maybe use.
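The setup described in the last two replies is pfSense's WAN port plugged into the ASUS LAN, with a second, separate network behind pfSense: two firewalls, two DHCP scopes, double NAT. The usual mistakes when bringing that up are reusing the ASUS subnet behind pfSense, and leaving pfSense's WAN option "Block private networks" enabled, which drops the RFC 1918 traffic the ASUS side sends it. The check below is an added example written for this thread, not code from pfSense or OPNsense; the candidate subnets and addresses are constructed.

```python
"""Pre-flight check for a pfSense/OPNsense box nested behind an ASUS router.

Added example for this thread, not project code. It models the topology in
the replies above: pfSense WAN on the ASUS LAN, a separate LAN behind pfSense.
Addresses and candidate subnets are constructed.
"""
from __future__ import annotations

import ipaddress
from typing import List, Sequence, Tuple

Finding = Tuple[str, str]  # (severity, message)


def check_nested_firewall(asus_lan: str, pfsense_wan_ip: str,
                          pfsense_lan: str) -> List[Finding]:
    """Report what must change before the two-firewall layout will work."""
    upstream = ipaddress.ip_network(asus_lan)
    wan_ip = ipaddress.ip_address(pfsense_wan_ip)
    inner = ipaddress.ip_network(pfsense_lan)
    findings: List[Finding] = []

    if wan_ip not in upstream:
        findings.append(("error",
            f"pfSense WAN {wan_ip} is not inside the ASUS LAN {upstream}; "
            "it must take an address from the ASUS DHCP server or a static one in that range"))
    elif wan_ip.is_private:
        # pfSense's WAN default 'Block private networks' would discard this traffic.
        findings.append(("info",
            "pfSense WAN has an RFC 1918 address: disable 'Block private networks' "
            "on WAN and expect double NAT (ASUS NATs once, pfSense NATs again)"))

    if not inner.is_private:
        findings.append(("error", f"pfSense LAN {inner} is not RFC 1918 space"))
    if inner.overlaps(upstream):
        # Same subnet on both sides: the two DHCP scopes hand out colliding
        # addresses and pfSense cannot route between its WAN and LAN.
        findings.append(("error",
            f"pfSense LAN {inner} overlaps the ASUS LAN {upstream}; pick an unused network"))
    return findings


def pick_inner_lan(asus_lan: str,
                   candidates: Sequence[str] = ("10.10.0.0/24", "172.16.50.0/24",
                                                "192.168.50.0/24")) -> str:
    """First candidate (constructed defaults) that does not overlap the ASUS LAN."""
    upstream = ipaddress.ip_network(asus_lan)
    for cand in candidates:
        if not ipaddress.ip_network(cand).overlaps(upstream):
            return cand
    raise ValueError("no free candidate network; add more candidates")


if __name__ == "__main__":
    asus = "192.168.1.0/24"                 # typical ASUS default LAN
    for sev, msg in check_nested_firewall(asus, "192.168.1.50", asus):
        print(f"[{sev}] {msg}")
    print("use instead:", pick_inner_lan(asus))
```

Running it with the ASUS default `192.168.1.0/24` on both sides produces the overlap error plus the reminder to disable the private-network block on WAN; the suggested replacement is the first candidate that does not collide, which is the "IP network not being used" the reply above asks for.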
 
Great, thank you. I'll keep a "soft hunt" for a deal on a good pfSense machine (or OPNsense ... I'm still confused on which one I should try first! Any suggestions for a beginner?).
 
Great, thank you. I'll keep a "soft hunt" for a deal on a good pfSense machine (or OPNsense ... I'm still confused on which one I should try first! Any suggestions for a beginner?).
I would go with Pfsense since it is running the latest FreeBSD version.
 
