@stephenw10 yes, thank you

@stephenw10
Awesome!

I should've given you credit too! Your earlier post gave me the confidence that it wouldn't be completely pointless to attempt.

I was planning to order antennas and mount them on the rear but the USB adapter already had antennas that were just long enough to side mount and my impatient nature got the best of me.

Thanks!

@Antibiotic said in EU want to control everything and 5 eyes watching you out!:

I think EU is blocking

You have a VPN, right ? So there is no reason to "think", you can test for yourself.
Why wait ?
Fire it up pointing to Ankara (Turkey) or, dono, Cairo (Egypt) or Bhanka (Bangladesh) and try again.
It still doesn't work ? You need to keep on looking why, but you've just excluded 'EU'. Except if you believe that your VPN can be MITM'ed.
It does work ? Then you still do not have a proof it was 'EU' (blocking) : it could be the VPN end point that was accepted, and not the previous one you used.

I'm not implying EU doesn't block things. They probably are.
We lost the piratebay.com remember ? :)

@Antibiotic said in EU want to control everything and 5 eyes watching you out!:

cloudflare for example which do not filter any dns request.

cloudflare probably accepts all DNS request.
But do they have access to "everybody" and "everywhere" ? So, this boils down to : do you get an answer for "everybody" and "everywhere" ?
You could rephrase that to a simple : you - and me - are always filtered.

@SteveITS said in Feedback request on home network design:

@disi1 said in Feedback request on home network design:

if I enable QoS for VLAN30, it is also applied on the WAN interface for all traffic?

re: inspecting encrypted traffic, the PC would need to trust a cert on the proxy which decrypts the traffic. So, could be an issue for phones or other devices. I know the Bitdefender GravityZone we use for clients can do that on the PC by adding its own cert to Windows and then it intercepts traffic on the PC.

I did register a domain and issued a valid certificate (Let's encrypt) to all internal services, including the firewall (wildcard which I know I have to manually renew every three months). To be clean and potentially use the Squid proxy*.

Before I changed our network over, I did experiment with squid on the exact hardware, using the old setup as the uplink and it produced a lot of overhead on the firewall.

The good news:
Since I use pfSense for all networking and isolated the VLAN30, there were no issues. Before I had extreme lags when I used ZScaler and Pulse VPN for work. It seems the network runs overall smoother. This is without any Traffic Shaping or QoS,

Only today I switched the ISP router to Modem Mode.

p.s. if anyone else wants to split WLAN into VLAN using Mobility Express, it took me some time to figure this out (where 10.10.10.3 is the wlc management interface, but the management vlan needs to stay 0 or the APs cannot join).
switch port access vlan 10 -> IP for the AP
switchport trunk allowed vlan 10,20,30 -> for the wlc interface and the WLANs
switchport trunk native vlan 10 -> needs to be the same as the APs vlan (10)

interface GigabitEthernet1/0/16 description VLAN20_POE switchport access vlan 10 switchport trunk allowed vlan 10,20,30 switchport trunk native vlan 10 switchport mode trunk power inline port poe-ha

Don't forget the ip helper to point to the DHCP for each vlan on the switch.

For Squid transparent proxy you do need a CA, not only a valid certificate. I thought process was wrong. But it doesn't hurt to have a valid certificates in the network.

Thanks for the 'thumbs up' > signature now made a 10 year jump: pfSense 2.2 to 2.7.2, does not sound like 10 years though 🤔

@johnpoz It’s because my Netgate firewall works too well, and they don’t like it. Unbelievable, yeah, I was like what is going on with that my mouse? It’s dancing all over and that config I see on the proxy coming down gestures from Microsoft Azure like I am on a domain. I’m not even on a corporate domain, it’s a private system. Weird, someone doesn’t like my firewall. Works really well, I am glad I finally caught it, while I was working on my AA in cyber security it would do the dancing mouse like clockwork at 4:30 every day when I was doing class, drove me crazy, it would act like the track pad broke. reset would fix it. New laptop same thing same time. It was like crazing making, gas lighting. I wonder if it was a "can, you catch me thing" for the cyber security classes. Again, Microsoft pushes it from Azure.... that's weird. Maybe because I login to a school account for the outlook program that is part of it. Still if I look at the json file it lists a blacklist with google earth, none of it makes sense. Mouse Gestures do not need any remote configurations.

https://answers.microsoft.com/en-us/windows/forum/all/what-is-httpsedge-consumer-staticazureedgenetmouse/615baaf0-a6c2-4adb-b27b-c34d60a6bb42