@johnpoz said in blocking doh - speedtest ios app from Ookla:

You should use the freaking dns provided

I've posted before, but the Dish (satellite) video on demand uses DoH even though the Dish DVR on which it's running uses DNS. Took me a bit to figure out why it wasn't working.

I have a "network utility" type app on my phone and it also uses public DNS instead of my DNS, for its DNS test.

@stephenw10 Looks like a duck.. quacks like a duck.. ;)

Alan DeKok speaking about XZ back door: Chief Executive Officer of networkradius.com
https://lists.freeradius.org/pipermail/freeradius-users/2024-April/104263.html

thanks everyone for the replies, this will be my first HA setup with pfsense =)

@Dobby_ said in Strange "warning" in dmesg:

Mail them directly, often they offer to clients new bioses that are not
shown in their "mainstream" offer.

Thanks!

Synology is pretty stable and really well professional usage, QNAP
lets you pimp and tune or pain add more other hardware on top
as I see it, but a small old use HP server is also a budget solution.

I have used an old HP Proliant mini cube with an Intel Xeon-E 1231
and 16 GB RAM / 16 TB (4 SSDs) together with Openmediavault.
Base model for ~200 € plus 30 € CPU and 50 € RAM and it was
running for a really long time together with dual 10 GBe cards
for ~40 €! So if money will be point, it could also nice and long
running.

But now I am looking on a MacBookPro and QNAP offers some NAS
boxes with thunderbolt 4 and two PCIe slots and on top such many
things to tune it will be then less or more my next option.

2 x M.2 NVMe´s for caching 8 x HHD/SSD´s (2 x RAID5 or one RAID50) Dual 10GBe Network adapter with 2 x NVMe`s (for caching) USB Port for Google coral (QMagie App) USB Port for an external RDX drive for backups Up to 16/32 GB RAM 4/8 Core CPU for running much Apps services
(Mailserver, S/FTP, Webserver, Mediaserver, LDAP/RADIUS server,
Backup for Mac)

At Speicher.de you may find out how much RAM in real you could add to your NAS. Often it was said 4 or 8 GB RAM only and
in real you could add 16 to 32 GB RAM. Perhaps good to know for running
much services for the entire LAN on the NAS.

@bmeeks
For sure you will be right with it, it is a long line of points where "bad code"
will be able to enter in the entire process and/or product. But in real life, from
the point of an customer or plain user it is more or less how fast they react
and they handle those things as I see it.

The OpenSource is offering the Source Code free to watch over,
the closed Source is from the vendor and more hidden for sure
this alone makes a difference for many peoples, but trust you
must both of them (or not).

If you maintain all by your self, let us say Netgate is hires 20 plugin
maintainer and all comes from their own hand now, at the FreeBSD
site and on top of all at the found site (Snort, Suricata, Squid....)
will be also anymore points were bad code can be running in.

@michmo
But fine that it is able to do (discuss) and got not suppressed, even
cool to see or hear how others will be thinking on those things and
wich points they are bringing in.

@JonathanLee
It is not really long ago, but in 2024 we all can say it is since a
longer period able to build for a SMB company a network fully
based on OpenSource Software. And for sure the code is open
to watch over, but if the code writer gets a family at one day,
or must work elsewhere more it is also more a risk that the
entire project goes down at one day.

With FreeBSD or Linux, LibreOffice, OpenOffice, Univerntion server,
Zaraffa, OpenWRT, ClearOS and pfSense you were not pressed
anymore to run closed software at all and build a network for
your company, but also have a look on mOnOwall or ZeroShell
and others they were at one day gone. And then? You start again
what is serving me and my needs at the best and who I am
trusting now.

@houseofdreams said in Outgoing connections monitoring software?:

I found the software that was making the connections, nothing fishy, the software package for the NZXT lighting in my PC.

I'm assuming that's sarcasm. 🙄

Flattened Device Tree. It's a file that describes the hardware devices and locations that an OS uses.

@jamesg246 said in WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?:

@Finger79 I have this working with Computer authentication, but only with the Check Client Certificate CN option disabled in EAP settings. If I enable this, it stops working.

That's interesting. The "Check Client Certificate CN" option in EAP settings doesn't seem to do anything to me. Thread here with the Redmine bug report linked: Longstanding FreeRADIUS EAP-TLS security bug on validating client certificate common name

In other words, even with "Check Client CN" enabled, I can completely delete the FreeRADIUS Users table and clients can still connect. Strange behavior.

The only way to peer into encrypted traffic (which is darn near 100% of web and email traffic these days) is to use a MITM (man-in-the-middle) proxy certificate system. That means installing trusted certificates for your proxy on all clients (PCs, laptops, and phones) that you wish to monitor. The MITM intercepts and terminates a client's outbound connection to some website, decrypts the traffic, then the proxy establishes its own connection on behalf of that client to the original website. Traffic returned is re-encrypted using the proxy's certificate and sent back to the original client. For this to work without browsers throwing security errors, the proxy's certificate presented to the clients must be trusted and verifiable by the clients. And the clients must be configured to send all outbound requests to the proxy.

Doing this on a home system is very difficult and basically not really worth the effort to implement and maintain. There are "for sale" commercial systems that are cloud-based and handle the MITM interception for you. But again, this requires a customized configuration on each client. It's not something that just happens by magic by purchasing some service.

And attempting to virus scan encrypted traffic is a complete waste of effort. How would you scan encrypted traffic for a virus? After all, the data bits are scrambled up to appear as random data specifically so that nobody other than the final receiving client who has the decryption key can unscramble and read them. So, say you put a hardware virus scanner on your WAN, how is it going to make sense of encrypted traffic? That's why antivirus solutions work best at the traffic endpoints. Only there can they see unencrypted traffic by hooking into the client OS at a point after where the browser or other application has already decrypted the traffic and it is again cleartext.

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

Yes wireless clients will be isolated from each other is that is set on the access point. They would not be isolated from wired devices on the VLAN that AP is bridged to.

What exactly are you wanting to isolate?

I was just finally responding to Nikos... but I do Client Isolation on my WAP clients on my IOT VLAN... and all my wired IP Cameras are on that VLAN as well. I just have rules to to isolate the wired stuff in pfSense itself.

Linksys e8450 looks like nice device. 😃

Yeah, I got some back channel info that one of the OpenWRT Devs is now coding for MediaTek and that some of the Linksys/Belkin stuff was going to get "extra" attention. They do seem have potential but there is a UBI memory hack from DangoWRT that works... but is suddenly causing devices to die.... almost like they've had a Covid shot too many.😉

Anyway... long story short, I'm having an issue getting the DSA build you and I worked on configured under Openwrt 23.05.3. Either I forgot the process, or it isn't going to work... I've even tried editing in the info in the tar backup Network file. I'll figure it out or I'll send you an e8450/rt3200 🙂

JP... yes, I'm hearing you in my head... unify, unify, unify. But I really need 4 ethernet ports on two of my remote WAPs with backhaul.

UAC was supposed to protect against that. But people kept complaining about annoying prompts so Windows made the default security level for never OSes "medium" which doesn't ask about built-in programs running with Admin priviledges,

Instead they now use safe screen stuff that looks a program trying to run on up on the internet to determine if it should display an additional prompt.

Basically just turn UAC to high first thing on a new PC and never have an issue like the one displayed.

@elvisimprsntr Not for me)) But anyway thank you for tip

@NollipfSense said in My French Brothers, Is This Fake?:

Is it real? @Gertjan

I'm not sure at all.
I'm 700 km away from Paris, and why I approach Paris it's always at FLT 30.

From what I know, the guy isn't that popular in France.

I've looked around (the net) a bit, and could only find references on a site called "tiktok".

edit : closing the wheel with some kind of sheet will make sensitive to the slight bit of wind. Apply some basic physicals rules and you'll know it's fake.

@johnpoz said in Do you use dhcp reservations?:

@JonathanLee said in Do you use dhcp reservations?:

I do not want any mac address cloning going on.

Who is going to clone your macs?

Hackers. Black hackers.
Or cyber warriors from China, Iran, russia. (They are in 120-180ms distance from Your data ;)

And for what purpose?

Steal money. Or steal some info about Your clients to steal MUCH MORE money from them.
2.
Make damage for Your country.

Mac cloning is only a thing if they are already on your network..

Because around 80% of devices at home, work and office are connected by WiFi, airsnort, fake DHCP server for MITM doing work well.

I would love to hear your theory how anyone could use that to do anything? That doesn't already have full access to my network anyway..

Hm. Are You serious? I do not believe that You say that…

BTW, I prefer to using “IP reservation “ feature ONLY as some sort of helpful feature in administration and of pf rules work.
And THIS IS NOT AS A SECURITY BARRIER any way!

When planning infrastructure each one need to keep in mind that MAC/IP - NOT MAKE DEVICE TRUSTED, this is just ID.
And like Your passport w/o photo or biometric chip,- may be stealing by someone.

One of the basic rules nowadays must be: EACH DEVICE MUST HAVE OWN SERTS. NO SERTS,- NO ANY RIGHTS, NO ACCESS ANYWHERE !

Am I wrong?