add a home built or netgate pfsense appliance ?



  • Hello, I'm new here to the forum, and will be new to pfSense in the near future. :)

    I am going to add a pfSense box to my home setup.

    I currently have an ATT NVG599 DSL router/wifi server/firewall ---> *I can't remove this device; it will be placed in passthrough mode once the pfSense box is added.
    ----> a layer 2 switch ----> *I can change the firmware to layer 3 routing if needed
    ----> all of the wired devices in the house, including a FreeNAS box that has a few jails and a VM. The FreeNAS box has 4 NICs, but I am currently only using one.

    The FreeNAS box is fairly new; I built it last year, and have been slowly adding things and learning a lot along the way.

    In the FreeNAS box, I have Unbound in a jail as the DNS server for everything on my LAN. I have two different include.conf files that unbound.conf reads. One is for resolving local hostnames, and one is an ad blocker list that downloads an update with a shell script every two weeks. I'd like to move my DNS server into my new pfSense box. Will a Netgate hardware pfSense box (leaning towards the SG-3100 at this point) allow me to configure Unbound in this way?

    I may have other questions, but that is the main one at this point. From what I have read, it looks like I will be able to put FreeNAS and any jails and/or VMs I want to access remotely behind OpenVPN served from the pfSense box.

    I currently have Nextcloud exposed to the internet via dynamic DNS through my ATT NVG599 router, using NAT to open a port; I'd obviously like to change this to VPN. Nextcloud is used as an easy way for everyone in the family to move things off of their phones, so I'd like to keep it available remotely. The Nextcloud logs show a ton of different IPs trying to access it. Seems like I'd be better off accessing it through OpenVPN remotely.

    I plan to add a Plex server in the near future as well, but I want to get my network setup finalized before I add any more jails or VMs in the FreeNAS box. (I also have an Ubuntu VM inside FreeNAS running an Elastic stack; not very far along with this project yet, though.)

    Any advice is welcome; I am basically a hobbyist trying to figure out how to best secure my family's and my data/network. I am not afraid to research and learn to figure things out for myself, but I do get stuck from time to time. :)

    I guess my basic question is: would I be better off putting together my own new box, installing pfSense, Unbound, and OpenVPN, so that I can configure Unbound as I currently have it (yes, I realize I will have a lot to learn with OpenVPN), or will one of the Netgate pfSense appliances let me configure things how I see fit?

    Thanks!!



  • Whether you make your own box or use a Netgate one, Unbound will work the same on both.

    The simple way to move would be to copy your custom config files to your pfSense box and add include: lines in pfSense’s Custom Options for Unbound.

    Long term though, you would probably want to move your LAN hosts into pfSense as “Host Override” entries in the Unbound settings, that way they’re backed up with your pfSense config file. Of course, there’s also an option to have DHCP hosts be added to Unbound, so that might be even easier!



  • @trentk10 said:

    one is an ad blocker list that downloads an update with a shell script every two weeks

    Hmm... I'm doing the same thing, though on a monthly basis. I have the cron package installed so I can add custom cron jobs, and have the monthly download of the list as one of those. The only thing I don't have automated is a reload of Unbound following the list update... not a super-big deal to me, though. Personally, I'd rather do that myself than leave my network with no DNS should something about the auto-updated file cause issues.

    Just curious what site you're using for your list. ☺
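    The two concerns above (an `include:` file in pfSense's Custom Options for Unbound that is refreshed from cron, and the risk that a bad download leaves the network without DNS) can be handled by validating the downloaded list before it is swapped in. The script below is an added example, not code from this thread or from pfSense; the list path, the pgl.yoyo.org query parameters and the reload command are assumptions for a FreeBSD/pfSense box. It downloads to a sibling file, checks that every line is a `local-zone:`/`local-data:` directive (so an HTML error page or an empty response is rejected), optionally asks `unbound-checkconf` for a second opinion, and only then renames the file over the live one and reloads. If any check fails, the live file and the running resolver are untouched.

```shell
#!/bin/sh
# Added example (not from the thread): refresh an Unbound ad-block include
# file safely. Paths, URL parameters and the reload command are assumptions
# for a pfSense/FreeBSD box; adjust them to match your Custom Options line.
set -eu

# File referenced by the "include:" line in pfSense's Custom Options (assumed).
LIVE_LIST="${LIVE_LIST:-/var/unbound/adblock.conf}"
# pgl.yoyo.org list in Unbound format (assumed query parameters; check the site).
LIST_URL="${LIST_URL:-https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext}"

# Only these two directive shapes are accepted. Anything else (an HTML error
# page, a truncated line, a stray shell prompt) fails validation.
DIRECTIVE_RE='^(local-zone: "[A-Za-z0-9._-]+" (redirect|static|refuse|deny|always_nxdomain|always_refuse|inform_deny)|local-data: "[A-Za-z0-9._-]+( IN)? (A|AAAA) [0-9A-Fa-f.:]+")$'

download_blocklist() {            # $1 = url, $2 = destination file
    if command -v fetch >/dev/null 2>&1; then
        fetch -q -o "$2" "$1"     # FreeBSD/pfSense
    else
        curl -fsSL -o "$2" "$1"
    fi
}

# Return 0 when the file is non-empty and every non-blank, non-comment line
# matches DIRECTIVE_RE; report the number of offending lines otherwise.
validate_blocklist() {            # $1 = candidate file
    f=$1
    [ -r "$f" ] || { echo "validate: cannot read $f" >&2; return 1; }
    total=$(tr -d '\r' < "$f" | grep -Evc '^[[:space:]]*(#|$)' || true)
    bad=$(tr -d '\r' < "$f" | grep -Ev '^[[:space:]]*(#|$)' | grep -Evc "$DIRECTIVE_RE" || true)
    if [ "$total" -eq 0 ]; then
        echo "validate: $f contains no directives (empty or failed download?)" >&2
        return 1
    fi
    if [ "$bad" -ne 0 ]; then
        echo "validate: $f has $bad line(s) that are not local-zone/local-data" >&2
        return 1
    fi
    return 0
}

# Optional second opinion from Unbound itself, when the binary is present:
# a throwaway config that only includes the candidate is fed to unbound-checkconf.
checkconf_blocklist() {           # $1 = candidate file
    command -v unbound-checkconf >/dev/null 2>&1 || return 0
    tmp=$(mktemp)
    printf 'server:\n    chroot: ""\n    include: "%s"\n' "$1" > "$tmp"
    if unbound-checkconf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "unbound-checkconf rejected $1" >&2
    return 1
}

# Replace the live list only after both checks pass. Keep one backup.
# mv within the same directory is a rename, so Unbound never reads a
# half-written file.
install_blocklist() {             # $1 = candidate file, $2 = live file
    validate_blocklist "$1" || return 1
    checkconf_blocklist "$1" || return 1
    if [ -f "$2" ]; then
        cp -p "$2" "$2.bak"
    fi
    mv "$1" "$2"
}

# Reload command is an assumption; if remote-control is not enabled for
# unbound-control on your box, restart the service from the pfSense GUI instead.
reload_unbound() {
    if command -v unbound-control >/dev/null 2>&1; then
        unbound-control reload
    else
        echo "unbound-control not found; reload Unbound manually" >&2
    fi
}

update_blocklist() {
    candidate="$LIVE_LIST.new"    # same directory as the live file, so mv is atomic
    download_blocklist "$LIST_URL" "$candidate" || { rm -f "$candidate"; return 1; }
    if install_blocklist "$candidate" "$LIVE_LIST"; then
        reload_unbound
    else
        rm -f "$candidate"        # live file untouched; DNS keeps working
        return 1
    fi
}

# Run the full update only when invoked with --update (e.g. from the cron package).
case "${1:-}" in
    --update) update_blocklist ;;
esac
```

    Point a cron entry at `sh /path/to/this.sh --update`; the script exits non-zero and leaves the previous list in place whenever the download is not a plain list of directives, which is exactly the failure mode that would otherwise take DNS down.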


  • Moderator

    You can also try pfBlockerNG, or the upcoming pfBlockerNG-devel package for pfSense which will provide much more functionality.

    Here is a good write-up:
    https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

    Forum:
    https://forum.netgate.com/category/62/pfblockerng



  • @virgiliomi said in add a home built or netgate pfsense appliance ?:

    @trentk10 said:

    one is an ad blocker list that downloads an update with a shell script every two weeks

    Hmm... I'm doing the same thing, though on a monthly basis. I have the cron package installed so I can add custom cron jobs, and have the monthly download of the list as one of those. The only thing I don't have automated is a reload of Unbound following the list update... not a super-big deal to me though. Personally, I'd rather do that myself rather than leave my network with no DNS should something about the auto-updated file cause issues.

    Just curious what site you're using for your list. ☺

    I use a list from
    https://pgl.yoyo.org
    It was suggested in one of the guides I used to help me install and set up Unbound. In my script I do restart Unbound after a download, but it is set to run in the middle of the night. So far, I haven't had any problems with that.

    What site do you use for your download? :)



  • @bbcan177 said in add a home built or netgate pfsense appliance ?:

    You can also try pfBlockerNG, or the upcoming pfBlockerNG-devel package for pfSense which will provide much more functionality.

    Here is a good write-up:
    https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

    Forum:
    https://forum.netgate.com/category/62/pfblockerng

    Thanks, I will definitely look into adding this once I get my box !!!



  • @trentk10 Same list. :) Seems to work well for most sites I use.



  • I ended up going with a used eBay Dell/HP SFF i7 4770 with PCIe. It will replace an N54L which is already struggling with pfBlockerNG (large list), Snort (alerts only), etc., using 8 GB of RAM out of 16.

    I already have dual and quad Intel NICs ready to go in.

    VPN to connect to the firewall.

    Multiple VPN points of presence to accommodate gamers and streamers.

    Snort, and one day Suricata.

    1/3 the price of an appliance for me, way more powerful, and cheap and easy to replace.