Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpozJ

    @microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW

    @sef1414
    Name it "run.sh", copy to pf and chmod according to the documentation
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after logger command.

  • General network setup doesn't feel right

    3
    0 Votes
    3 Posts
    1k Views
    J

    @steveits I didn't have that rule set initially but after some searching I found a guide on setting up a PFSense firewall for basic use (wasn't built for use within a VM) but that one did request the addition of the any rule. After doing the configuration I'm still not able to access the PFSense interface (to do the initial config I just pulled out the trunk and connected a laptop directly which worked instantly). So I'm 90% sure the config on the firewall should work so now it's to the drawing board of the ESXi and trunk setup. Sadly most guides show it as being super simple yet on my side it doesn't seem to work 😬
    The setup like above also went out of the window since it wouldn't have worked the way I wanted to set it up. My MGMT now has a 10.1.10.0/24 IP range. The PFSense is on 10.1.1.1 which should be the LAN interface without any vlan tagging. So tomorrow it's figuring out what's wrong on either my switch trunk or on the ESXi network setup.

  • ZENARMOR Privacy Policy

    1
    1 Votes
    1 Posts
    1k Views
    No one has replied
  • Aruba InstantOn

    9
    0 Votes
    9 Posts
    2k Views
    NogBadTheBadN

    @johnpoz Managed to get my hands on a couple of Aruba Instant AP345 access-points to play with, the virtual controller on the access-point is quite nice.

    They are a bit OTT for home use.

  • Public Pass-thru Question

    2
    0 Votes
    2 Posts
    996 Views
    stephenw10S

    If your public IPs are all in the same subnet and that's the same subnet being used by the WAN then you have to use them with NAT.
    You can only use public IPs internally if they are routed to you via some other IP.

    See: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html

    Steve

  • GameServer Portforwarding

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S

    So the hosts at 192.168.1.10 and .15 are servers you are running for those games behind pfSense?

    Do they require you allow ping perhaps?

    Steve

  • The best alternative hardware

    18
    0 Votes
    18 Posts
    3k Views
    T

    So one major question remains, what goes the best with it?

    INTEL PRO 1000 VT or i350-T4? :)

  • ISP Proof of Service

    9
    0 Votes
    9 Posts
    1k Views
    NollipfSenseN

    @cool_corona It was not a waste of time to defend oneself. Some ISPs are dishonest knowing that the Internet cost will get cheaper and cheaper...they're willing to do dishonest tactics to get as much money now. I did not win the case because I did not have a voice recording of my cancellation notice to the ISP, but also I did not get any damage to my credit file over $67.19. That's why I said to record all conversations with ISP since they record all conversations with customers. I didn't think I needed to record a conversation with the ISP executive staff.

  • Recommended public DNS over TLS

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ

    @furom said in Recommended public DNS over TLS:

    it's still better than freely available to anyone

    Who exactly do you think this anyone would be? Who would be sniffing your traffic either locally or on your isp network? Or even on the public internet?

    When you resolve - you would be going to all the authoritative ns for the domains you go to.. Or this who you're talking to would have to be in line with your traffic flow to the roots.. Which is going to change depending on which root or tld servers you're talking to, and then again when you talk to the authoritative for the domain in question.. So this who would really have to be real close to the source of your traffic.. Pretty much your isp, etc..

    If you're concerned with the roots and tld servers - you could setup Query Name Minimization, this would only send the roots and tld server the info you're looking for, ie the NS for say .com or .net, etc. Then when you ask the tld ns for the domain, you would only send them say domain.net vs host.domain.net, etc.

    Keep in mind, that once you talk to roots and learn the tld servers for say .org, you don't go ask roots again for .org anything until the cache has expired.. Same goes for the tld servers, once you ask them for domain.org, you never go ask them again for www.domain.org or ftp.domain.org or whatever.domain.org until that cache expires, etc.

    So even when you send the fqdn to roots or the tld servers - you're only really going to send them a small fraction of that actual amount of fqdns you're going to be looking, just 1 to get the NSes you're looking for that thing.. So while you might send www.something.org to roots, any other .org you look for would never go to roots, but only to the tld servers. Until the cache of the .org tld NS expire.

  • Winston Privacy Device - Which Technology?

    32
    0 Votes
    32 Posts
    14k Views
    P

    @johnpoz
    Hey John, you ever worked at a University ;) Er nothing is quite as fast as you want it to be. I agree some of that stuff needs to be updated, but if you like shoot him a note about your ideas. These folks actually listen to others. Ironically there is a company in Germany called IoT Inspector https://www.iot-inspector.com/ that has absolutely nothing to do with the academic work.

  • Recover old account

    8
    0 Votes
    8 Posts
    1k Views
    M

    @stephenw10 yeah, been using pfSense for quite a while now. I actually came from m0n0wall :D

  • Just switched from ExpressVPN to NordVPN

    8
    0 Votes
    8 Posts
    2k Views
    bingo600B

    @qysotyvah
    As I don't trust ExpressVPN anymore, Nord is my choice.
    I haven't noticed any issues in switching from ExpressVPN to NordVPN.

  • Low cost smart switch

    12
    0 Votes
    12 Posts
    2k Views
    Q

    @bingo600 said in Low cost smart switch:

    D-Link DGS-1100-08

    I opt for D-Link DMS-1100-10TP

  • Bandwith Pfsense APU2 C2

    2
    0 Votes
    2 Posts
    739 Views
    stephenw10S

    Yes, the APU2 cannot pass 1G under pfSense/FreeBSD for a single connection.

    With some tuning you can get closer to it though. See:
    https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/

    Steve

  • VLAN network switches

    13
    0 Votes
    13 Posts
    2k Views
    wgstarksW

    Will an 802.3at injector support an 802.3af camera?

    Was thinking about getting the at version of the injector so I could add my Ubiquiti APs to it. I think they are 802.3at.

  • Squidguard Blacklist URLs

    1
    0 Votes
    1 Posts
    665 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.