pfSense computer build

Anything that breaks, look in the logs/reports and whitelist.

Well, I switched pfblockerNG-devel on yesterday. I followed the Lawrence Systems YouTube guide but that got me a bit of a rough start. In the meantime I followed your advice to see how to fix broken stuff and came to the conclusion that a lot is caused by following the GeoIP guidelines in the video. I reverted back from that after I couldn't access iCloud anymore nor could I see my equity graphs anymore on my iPhone and some other stuff. After mellowing down on the country settings in GeoIP, everything seems to be working fine. The trick will be though to keep on checking if all works and when not, check the log in real time.

Next step will be that I do want to up security on my only open to access my Nextcloud externally. Need to read up on that before I make a move as all iPhones in the house are connected to that and actively using Nextcloud.
 
@avtella, posts like this are giving me the itch to try pfSense again. :)

Whilst I was sceptical in the beginning as the Mikrotik was running rock solid, I have become a big fan of pfSense in the meantime. It is really, really fast (definitely faster than my Mikrotik RB3011), scalable and flexible with so much more functionality. Since I started, I have set up Let's Encrypt certs with ACME, added a reverse proxy to access and protect my Nextcloud server using HAProxy, got it connected to my UPS via ethernet and added pfblockerNG-devel for more security. All things that I have yet to see another router/firewall do. With all that running, CPU load is around 15% while maxing out my 1Gbps connection.

As I am fiddling around on our home network, I will keep it at that now and start fine tuning. Potentially start looking around for a R210 II mobo to replace the R210 mobo as the R210 II supports AES-NI CPUs and fits perfectly in the R210 server housing. You don't need to exchange anything else. Just mobo and CPU.
 

I definitely did not use GeoIP; he does at one point say to be careful with that, and that's the only part I didn't follow. I used the other lists and started switching some of the regular lists to the larger _Ag versions and the Storm Center list from ISDH to ISDL as I have enough RAM. After getting settled in and understanding how it works I also enabled TLD and some more block lists, unlike the video, due to not having to worry about RAM use.
Here’s a more in depth pfblocker guide:
https://www.google.com/amp/s/www.li...ising-on-pfsense-using-pfblockerng-dnsbl/amp/

I added these lists as well as mentioned in the link above:
  • hpHosts (all of them) – From MalwareBytes
  • BBcan177 – From the creator of pfBlockerNG
  • BBC (BBC_DGA_Agr) – From Bambenek Consulting <- This feed is extremely large
  • Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.



Below you can see I have a lot of lists and a roughly 11.5% hit rate so far. So I guess a bit overkill at the moment lol.

Thanks! This is great stuff. I have 16GB ECC so I shouldn't be too bothered about memory. I am going to follow your recommendations on the bullets except for Bambenek Consulting. Seems that the downloading of that one fails often. I had already added adware.
 
My current choices for pfBlockerNG are shown below. I had to scale down things to ensure as low as possible false positives: only Primary and Secondary Tier feeds, no ad blocking (for whoever wants to block ads, uBlock Origin does a much better job than DNS blocking).


Categories ciarmy, compromised and emerging are backed up with corresponding rules in Suricata. I'm going to test the updated Snort in the next few weeks; it has some new interesting things available and they made it even easier to configure.

Sorry for the info pop-up captured with the screenshot, I noticed it too late. :oops:
 
I am going through the same process right now. I have many false positives, especially on social apps and iOS-related stuff.

 
I spoke far too soon!

Got everything up and running beautifully and then rebooted just to make sure it was all dandy.

It didn't boot up. Connected it to an HDMI TV and could see loads of errors trying to repair. Repair failed and it just hung.

Tried reflashing pfSense using various memsticks and it isn't playing ball. I get as far as choosing which disk to install to and then it gives me some weird cache error.

I'm thinking the drive has partly died or the disk controller is borked.

Opened it up and reseated the drive and RAM. No change.

Emailed Kettop and awaiting their reply. All I can think to do is try my Samsung SSD drive in it and remove the m2 drive it came with.
 
Now got my Samsung SSD in it and setting it all back up.

I'm going back to the original setup with the WD Black HDD. At least HDDs don't die in an instant, usually. In most cases SMART monitoring shows issues before the drive needs replacement. I don't really have another use for this HDD, so let it do something. Power efficiency is not my priority. No performance difference for pfSense anyway, it runs in memory.
 
I installed pfSense with a ZFS mirror on two 100GB Crucial enterprise SSDs, so in any case I will be good if a drive fails. For something as essential to a home network as a router, I don't think this is overkill at all.
 
I wonder if one of you seasoned pfSense users can help me;

If I want to run the OpenVPN server so my Android phone can connect to my LAN how do I make the android phone take advantage of ad blocking? Actually, I'd like to route all traffic via the OpenVPN server including the DNS.
 
"push" was what I needed.

Got it all working perfectly now and got my SSD refund from seller.

Happy days!!
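A worked configuration for the OpenVPN question above, added here as an example and not taken from the thread: the server-side push directives that send an Android client's traffic and DNS through the tunnel so pfBlockerNG's DNSBL (served by the DNS Resolver on pfSense) also covers the phone. The tunnel network 10.8.0.0/24, the LAN 192.168.1.0/24 and the resolver address 10.8.0.1 are assumed values.

```conf
# Added example (not from the thread): server-side OpenVPN directives that
# push routing and DNS to a road-warrior client so pfBlockerNG DNSBL
# applies to it. Assumed addressing: tunnel network 10.8.0.0/24 (pfSense
# takes 10.8.0.1), LAN 192.168.1.0/24. In the pfSense GUI these correspond
# to the OpenVPN server's "Redirect Gateway" checkbox and the "DNS Server 1"
# client-settings field; raw directives are shown because that is what the
# GUI ultimately writes into the server config.

server 10.8.0.0 255.255.255.0

# Make the VPN the client's default route. "def1" installs two /1 routes
# that override the client's own default route instead of deleting it, so
# the phone recovers its normal route cleanly when the tunnel drops.
push "redirect-gateway def1"

# Hand the client the pfSense DNS Resolver as its only nameserver. DNSBL can
# only block queries that actually reach Unbound, so this single line is
# what gives the phone ad/malware blocking.
push "dhcp-option DNS 10.8.0.1"

# Optional: keep an explicit LAN route so the phone still reaches the LAN if
# redirect-gateway is later turned off for split tunnelling.
push "route 192.168.1.0 255.255.255.0"
```

Two things still have to line up on the pfSense side: the DNS Resolver must listen on the OpenVPN interface (or all interfaces), and the OpenVPN interface's firewall rules must allow the client to reach port 53 on 10.8.0.1 and then the outside world. On the phone, Android's "Private DNS" setting sends queries over DNS-over-TLS to the configured provider and so bypasses the pushed resolver when a provider hostname is set.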
 

Just a quick update. I trimmed down my pfBlockerNG list dramatically as I found myself whitelisting too much stuff to keep the family's stuff running as before. Now all running well for about 2 weeks with no issues whatsoever.
 
Can you share?
 
A little update:

Since installing the Samsung SSD my unit hasn't missed a beat. It's brilliant! I've had lots of time to play now and can confirm I've never had such a solid network.

The fiddle-factor with pfSense seems endless, I'm still trying to weigh up if I prefer Snort or Suricata.

VPN with pfSense is a joy! Today I've setup my TorGuard OpenVPN to allow anything on my LAN with a destination port 8080 to route through the VPN and not WAN. I just need to work out how to block anything on port 8080 if the VPN goes down.

I wouldn't hesitate in recommending pfSense to anyone now I've had direct experience with it. I'm going to donate to the project as appreciation, seeing as I didn't buy the Netgate hardware.
 
Glad to hear everything is working for you.

The only thing I did on my pfSense box in the last 2 weeks was to update it to the 2.4.5 version. The update went smoothly, no issues whatsoever. I did remove the packages though before updating, just in case. The whole process took like 10 minutes, including package re-installation.
 
I feel I was not clear about pfSense. I ran pfSense on an Intel server motherboard with a Xeon. It tested out as 367 on a 300 meg line. It moved data well. I ran it for around a year. I did not like the way it interfaced with my layer 3 switch. I believe running pfSense on a high end server motherboard will run better than any small consumer router including ASUS. The downside is it will use more electricity. I had no trouble setting it up first try to work with my layer 3 switch. You have to be careful when you upgrade as anything can be broken.
 