Difference between revisions of "Talk:PFSense and OPNsense"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
(website sources for valuable information: new section)
(communications error to 127.0.0.53 timed out: new section)
 
(6 intermediate revisions by one user not shown)
Line 1: Line 1:
== wan interface ==
+
== WAN interface ==
 
 
there is no such thing as traffic going to a LAN address
+
There is no such thing as traffic going to a LAN address
  
 
an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP
 
an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP
Line 10: Line 10:
  
 
* http://www.derman.com/blogs/Setting-Up-Blocking-Firewall-Rules
 
* http://www.derman.com/blogs/Setting-Up-Blocking-Firewall-Rules
 +
* https://doc.pfsense.org/index.php/Aliases
 +
 +
== Customize the Login Page ==
 +
 +
Modify the following
 +
vi /usr/local/etc/inc/authgui.inc
 +
 +
== hosts (www.facebook.com, www.tiktok.com , www.discord.com ) ==
 +
 +
Some websites like digitalocean for example is actually behind cloudflares reverse proxy. If you have any website like this on your alias and it resolves cloudflares proxy IP. If these proxy IPs end up being blocked half of the internet will be broken for you. Plenty of sites use CDNs or have backend resources proxied by cloudflare. DNS based blockers are far better for your needs.
 +
* https://old.reddit.com/r/PFSENSE/comments/12ifu1p/cant_get_a_simple_block_rule_to_work_for_all_the/
 +
 +
The pfBlockerNG package (pfBlocker-NG Package) offers mechanisms which can be useful in this area, such as DNSBL, geographic IP address blocking, and automation of AS lookups.
 +
* https://docs.netgate.com/pfsense/en/latest/recipes/block-websites.html
 +
 +
Selectively enforcing pfBlockerNG for specific clients or networks: filtering content for specific clients or networks in pfSense while keeping pfBlockerNG is not a simple task. If we wanted a simpler solution, we could’ve just added a Custom DNS server for our VLAN we wanted content filtered on. Unfortunately, doing this circumvents Unbound (DNS Resolver) and we lose the functionality of pfBlockerNG. To complicate matters more, Unbound does not allow you to specify different servers for the same lookup zone based on who’s querying the server.
 +
* https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/
 +
 +
Zenarmor block websites on the pfSense software firewall and the importance of web filtering.
 +
* https://www.zenarmor.com/docs/network-security-tutorials/how-to-block-websites-on-pfsense
 +
 +
The hosting platforms used by Discord is primarily  Google Cloud Platform. 
 +
* https://www.netify.ai/resources/applications/discord
 +
 +
== Block Malicious IPs in pfSense at David's Homelab  ==
 +
 +
pfSense provides a package called pfBlockerNG which allows for advanced and dynamically updating blocking rules based on blocklists or GeoIP data. It also supports DNS blocking so can fully replace Pi-hole if you choose to enable this feature.
 +
* https://davidshomelab.com/block-malicious-ips-in-pfsense/
 +
 +
== communications error to 127.0.0.53 timed out ==
 +
 +
communications error to 127.0.0.53 timed out
 +
 +
define a rule on LAN to allow a workstation to pass traffic to destination- the firewall itself.  This allows DNS queries to go between the workstation and firewall when the firewall is the DNS server ubound.

Latest revision as of 19:31, 3 February 2024

WAN interface

There is no such thing as traffic going to a LAN address

an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP

you can't apply firewall rules on the WAN: they don't work

website sources for valuable information

Customize the Login Page

Modify the following

vi /usr/local/etc/inc/authgui.inc

hosts (www.facebook.com, www.tiktok.com , www.discord.com )

Some websites like digitalocean for example is actually behind cloudflares reverse proxy. If you have any website like this on your alias and it resolves cloudflares proxy IP. If these proxy IPs end up being blocked half of the internet will be broken for you. Plenty of sites use CDNs or have backend resources proxied by cloudflare. DNS based blockers are far better for your needs.

The pfBlockerNG package (pfBlocker-NG Package) offers mechanisms which can be useful in this area, such as DNSBL, geographic IP address blocking, and automation of AS lookups.

Selectively enforcing pfBlockerNG for specific clients or networks: filtering content for specific clients or networks in pfSense while keeping pfBlockerNG is not a simple task. If we wanted a simpler solution, we could’ve just added a Custom DNS server for our VLAN we wanted content filtered on. Unfortunately, doing this circumvents Unbound (DNS Resolver) and we lose the functionality of pfBlockerNG. To complicate matters more, Unbound does not allow you to specify different servers for the same lookup zone based on who’s querying the server.

Zenarmor block websites on the pfSense software firewall and the importance of web filtering.

The hosting platforms used by Discord is primarily Google Cloud Platform.

Block Malicious IPs in pfSense at David's Homelab

pfSense provides a package called pfBlockerNG which allows for advanced and dynamically updating blocking rules based on blocklists or GeoIP data. It also supports DNS blocking so can fully replace Pi-hole if you choose to enable this feature.

communications error to 127.0.0.53 timed out

communications error to 127.0.0.53 timed out

define a rule on LAN to allow a workstation to pass traffic to destination- the firewall itself. This allows DNS queries to go between the workstation and firewall when the firewall is the DNS server ubound.