Netgate Discussion Forum
    Share your setups! How are you keeping yourself safe online?

    General pfSense Questions
    5 Posts 5 Posters 771 Views

    deanfourie

      So basically, a post to discuss sharing of setups and configurations, tools and rules for keeping yourself safe in this current day and age.

      Just anything from ways to block botnets, ads and analytics, tools like pfBlocker, ntopng etc, custom firewall rules and VPN setups etc.

      I think this could be a great post to both share and gain knowledge from others configurations.

      Let's see what's out there!

      nimrod

        This is a great thread, and I hope more people will share their setups.

        I use Snort and pfBlockerNG and tons of custom IP and DNSBL lists. I'm mostly focused on blocking telemetry and useless Google traffic.

        These feeds have most hits on my system:

        https://raw.githubusercontent.com/nickspaargaren/no-google/master/pihole-google.txt

        https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt

        Just be careful with the Google feed. If you are using Google in any way for e-mail or you have an Android phone, there is some whitelisting you have to do if you want your Google account and Android phone to be functional. However, 98% of all these entries are useless Google spyware crap that can be safely blocked.

        I'm also using ntopng to spy on my smart TV and stop it from "calling home". I have a separate manual feed in pfBlocker where I feed all the data I find in ntopng.

        I was also able to extract tons of IPs and host entries from uBlock Origin and Privacy Badger tracking hosts and put them into that feed as well. This way, there is no need to use those plugins in browsers, except for uBlock, which is still useful for YouTube ad blocking. And speaking of YouTube ad blocking, it seems like this guy had success blocking YouTube ads with pfSense. However, it requires a lot of work and free time I don't have.

        There are also specialised lists out there for Apple and Windows users that can be used to block telemetry.

        Some useful lists can be found here as well.

        My current pfBlocker setup has almost 1000 hits per day, mostly from Android devices and smart TVs.

        As for firewall rules, I use NordVPN with the WireGuard protocol and I have a simple rule that sends all traffic via the VPN. Access to the pfSense box and WAP is restricted with a firewall rule, and traffic is allowed only from my main machine's IP.

        AndyRH
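The whitelisting problem nimrod describes (a hosts-format feed that also lists names your mail account or phone still needs) can be handled before the feed reaches the resolver. The following is an added example, not code from the thread or from pfBlockerNG: it parses a constructed hosts-format feed, drops duplicates and localhost entries, removes anything under an assumed whitelist, and emits unbound `local-zone ... always_nxdomain` lines. The feed contents and the whitelist names are constructed placeholders, not the real lists.

```python
"""Turn a hosts-format DNSBL feed into unbound local-zone entries, minus a whitelist."""
import ipaddress
import re

# Constructed sample in the hosts-file format used by feeds such as pihole-google.txt
SAMPLE_FEED = """\
# constructed sample feed (not the real list)
0.0.0.0 analytics.tracker.test
0.0.0.0 beacon.tracker.test   # inline comment
127.0.0.1 localhost
0.0.0.0 accounts.example-mail.test
0.0.0.0 ANALYTICS.tracker.test.
0.0.0.0 push.phone-vendor.test
"""

# Assumed whitelist (placeholders): exact names or parent domains that a mail
# account or phone still needs. The thread only says "some whitelisting" is required.
WHITELIST = {"accounts.example-mail.test", "phone-vendor.test"}

_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

def _is_ip(text):
    """True if text is an IPv4/IPv6 literal (the first column of a hosts line)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_hosts_feed(text):
    """Return the set of normalised hostnames listed in a hosts-format feed."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if _is_ip(fields[0]) else fields   # "<ip> <name>..." or bare names
        for name in names:
            name = name.lower().rstrip(".")          # case-fold, drop trailing dot
            if name == "localhost" or not _HOST_RE.match(name):
                continue                             # ignore localhost and junk tokens
            hosts.add(name)
    return hosts

def is_whitelisted(host, whitelist):
    """True if host equals a whitelisted name or sits under a whitelisted domain."""
    return any(host == w or host.endswith("." + w) for w in whitelist)

def build_unbound_zones(hosts, whitelist):
    """Emit sorted unbound local-zone lines that NXDOMAIN every non-whitelisted host."""
    return [f'local-zone: "{h}" always_nxdomain'
            for h in sorted(hosts) if not is_whitelisted(h, whitelist)]
```

Feed the resulting lines to unbound as a custom include (or as a pfBlockerNG custom list) and review the whitelist against the feed whenever it is refreshed.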

          #1 Using pfSense
          #2 VLANs to isolate IoT devices
          #3 pfBlocker to block bad guy IPs
          #4 PiHole to block ads and some bad things (I like the UI better)
          #6 VLANs to isolate web accessible devices
          #7 Point to Point VPN to backup important stuff to a friend's house who is also following #1
          #8 Forcing all DNS requests to PiHole (there are VLANs that are exceptions)

          7100-1u

          johnpoz (LAYER 8 Global Moderator), replying to AndyRH

            @andyrh pretty much the same exact ;)

            #3 - I use pfBlocker via an alias to allow only US IPs to my Plex and other services behind pfSense, and to pfSense itself

            #4 same, I like the eye candy better on Pi-hole

            #7 not doing

            #8 limited fashion on some vlans.

            #9 Make sure nothing is using DoT or DoH, via block rules to known DoH server IPs and FQDNs via unbound, and the DoT port(s).

            edit:
            #10 using HAProxy to allow access to my services behind pfSense, and limiting in HAProxy to specific FQDNs. If the port is hit without a specific SNI, it is not allowed.

            SG-4860 24.11 | Lab VMs 2.8, 24.11

            keyser (Rebel Alliance), replying to deanfourie

              @deanfourie Good idea.

              1: SG-6100 with BiDi SFP for direct Fiber to the Home attach
              2: Two VLANs - Home network and Guest network.
              3: Aruba CX-6100 switch and Aruba IAP-315 APs with detailed per-device IPv4/IPv6 L2/L3 access lists enabled, based on client MAC address (too much hassle with 802.1X for wired home networking). One SSID and all wired ports are "colorless". The MAC address defines which VLAN and role (access rights) is assigned to you.
              Five network roles defined in switch/AP: ADMIN, CLIENT, IOT, SECURE IOT and GUEST. The role gets assigned from RADIUS based on the client MAC address.
              4: FreeRADIUS on pfSense with all well-known MAC addresses defined and assigned their appropriate role. Unknown MAC addresses get assigned the Guest role.

              The trick here is that different device types (not guests) are still in the same VLAN/IP subnet and can find each other (broadcast/ARP) if allowed by the ACL role assigned in the switch/AP.

              5: pfBlockerNG for geo-based aliases blocking inbound sessions to whitelisted countries. Russia, Belarus, China and North Korea blocked completely inbound/outbound.
              6: pfBlockerNG for IP-based blocklists and well-known offending IPs
              7: pfBlockerNG DNSBL with about 12 feeds active to block tracking, ads and phishing, including DoH blocking.
              8: Occasionally ntopng active to spy on and monitor traffic, but for unknown reasons, ntopng adds 20 - 200 ms of latency to occasional packets once in a while (noticeable), so it's not running permanently.
              9: Destination NAT on ANY outbound DNS and NTP requests from internal interfaces. Rerouted to the pfSense NTP and DNS server.

              Love the no fuss of using the official appliances :-)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.