You won't believe how UNSAFE your home router is!

  • Published: 11 Sep 2024

Comments • 860

  • @pcdoc1097 6 months ago +18

    I've been using PFSense on a surplus dual-core PC I bought for $10 coupled with an Apple Time Capsule in AP mode and a cable modem since 2015, and have never looked back. So far this combo seems more bullet proof than most consumer routers for a fraction of the cost and headache :) - Thank you for this wonderful video tutorial :)

  • @rancidbeef582 1 year ago +13

    I've been using pfSense for years. It's great stuff. It can handle everything from simple home use, to advanced features like VPNs, VLANs, failover (high availability), multiple WANs, Let's Encrypt certificate updating, reverse proxy, ad blocking, and more. And in spite of what the guy said, the latest pfSense can be very resilient to being unplugged without shutting down because the latest version can use the ZFS filesystem which is awesome. Although I still don't recommend doing it 🙂

  • @boganindustries 6 days ago +1

    Your specific details about setting up and the finer points on everything are what make your videos so great for newbies. Thank you!!

  • @dougchittum6074 1 year ago +171

    You and NetworkChuck are excellent at this! You both cover SO MANY GREAT topics here. Looking forward to the continuation of this topic!

    • @fourtwanky 1 year ago +18

      I can't stand watching NetworkChuck. He's way too annoying.

    • @Husky4848 1 year ago

      @@fourtwanky Can't understand? LOL. Go back to school then. The topics he covers are much more diverse and accurate compared to this privacy freak.

    • @Husky4848 1 year ago

      @@marco31 Get over yourself

    • @DavidM2002 1 year ago +6

      @@fourtwanky I would have said that in ALL CAPS but you beat me to it. Put the campy humour back in the closet Chuck.

    • @ninjarider443 1 year ago +1

      100% agree - this is awesome content to get folks educated about home network protection. Also, make sure to research the manufacturer; many devices (especially the cheaper ones) are made in China. When you buy a firewall try not to get one flashed in China, but look at hardware that has coreboot on it and toss on ipfire (easy) or pfsense (more complicated).

  • @veri745 1 year ago +18

    Video feels like it's sponsored by Protectli, since it is the only product mentioned as a potential solution.

  • @Jennn 1 year ago +7

    Goodness I just love it when y'all creators make your own skits and don't shove stock footage at us, plus you even included a full tutorial in this video x.x Amazing.

  • @mtnsolutions 1 year ago +5

    Instead of explaining to folks what I’ve been learning as I train as a CCNA, I’ll just point them to this video. Very informative and condensed. Love it

    • @deang5622 1 year ago +3

      So you think Joe Public is going to learn CCNA?
      Yeah, good luck with that mate.

    • @mtnsolutions 1 year ago +2

      @@deang5622 no way to get that kind of learning boiled down to a 20 minute video, but this one will give just a taste of the basics and paint a picture of the scope of CCNA without much of the details. forest vs trees, this vid is forest

    • @fennno3 6 months ago

      @@deang5622 way to be a negative nancy :p

  • @reeleyezmusic222 1 year ago +11

    Naomi, this channel is impeccable. The fact that you have anything less than a kajillion subscribers perplexes me beyond verbal expression 🤷‍♂️

  • @natemarx4999 1 year ago +171

    Naomi is a modern day super hero.

    • @JRis44 1 year ago +4

      lol pretty much. Need a wife like this. This woman is impressive.

    • @richardblais7445 10 months ago

      I agree

    • @5thpixel 9 months ago

      Facts

  • @juanmondragon 1 year ago +6

    Dang Naomi, you really did your research and applied it well on this video! I'm impressed and thank you! You just gained a follower.

  • @troyBORG 1 year ago +4

    Literally everything you described in this video I've been doing for like 6yrs now.
    Recently I did upgrade to a dedicated AP instead of using my old router.

  • @martyn6792 1 year ago +17

    My day job is IT and this is a superbly put together video with excellent explanations and walk throughs. Protectli looks an interesting product

    • @NaomiBrockwellTV 1 year ago +2

      Thanks for watching!

    • @cont8155 1 year ago +4

      APU2 is better. Protectli most likely has a Chinese backdoor.

    • @martyn6792 1 year ago +1

      @@cont8155 Interesting thought, where is protectli made ?

    • @cont8155 1 year ago +2

      @@martyn6792 It's a Chinese product; you're better off getting a prebuilt router from teklager (Sweden) or parts (Taiwan) from pc engines (USA/Switzerland) to build a router yourself. Another option is to buy from netgate (official products from pfsense) if you're using pfsense instead of opnsense

    • @Morggin 1 year ago

      @@cont8155 That's ridiculous and unfounded. It's like suggesting a Raspberry Pi has a Chinese backdoor. When in reality almost all electronics are now made in China. All they provide is hardware, YOU put your own firmware and OS on it. Any back door is going to be in the firmware you install.

  • @DrElectron1 8 months ago +17

    I work as an IT consultant. This was a very good video. Accurate and clearly presented.

    • @NaomiBrockwellTV 8 months ago +3

      I really appreciate that!

    • @PongoXBongo 8 months ago +1

      Indeed. They're basically breaking down a standard business setup into something that individuals can implement at home.

    • @pedzsan 6 months ago +1

      I was just about to put the same comment. Did networking support for Big Corp for over a decade. I didn’t see a single misstep. The added bit about Apple’s self assigned IP demonstrates that the video was well thought out. She probably actually saw that happen and either understood why or found out why. Good job!

  • @oscarcastro211 1 year ago +3

    I am a new subscriber to your channel, Naomi. Please, do know that your work here is a very noble one. Don't ever stop making your content, please. You explain what big companies don't want us to know.
    Regards from Honduras ❤

  • @JesterHammer 8 months ago +1

    Made the jump to pfSense years ago and threw away my Asus router. The best move I ever made. Btw, I wrote the first sentence before I even knew this video was about to introduce it :). This video is the best introduction to the topic and transition to pfSense I have seen. Will share it with all my friends! Thanks

  • @dcquence 5 months ago +1

    I switched to Opnsense on a tiny x86 PC with 4x2.5Gb ports and absolutely love it

  • @peterk6797 1 year ago +13

    My biggest issue with ISPs these days is how they are forcing everyone onto using their all in one modem+router combo. The first issue I have with that is I want to choose my own premium router that suits my needs, with a gaming router with 4k support and dedicated 4k optimized networks, and having 8 ethernet ports (wired connections are faster, especially when living in a condo or apartment where you are drowning in other people's wireless signals). I've been reading about how to use Bridge mode but according to some forums online, the ISPs don't want you doing this and it's either not supported in their routers or your system doesn't work properly. I hope this isn't accurate but it had prevented me from migrating to these providers in general.

    • @cyberwasp461 10 months ago +1

      if you need more ports just get a switch. Easy to setup and they have ones from 8 up to 32 ports or more. Everything I have is hardwired.

    • @JacobNintendoNerd99 9 months ago +2

      @@cyberwasp461 More ports won't help when the router's internal hardware itself is crap. It's good to have more ports and hardwire everything, but the router hardware itself being good is essential.

    • @jazzcat9363 7 months ago +1

      Yes, all-in-ones from the ISP are completely garbage. I went from 25-50Mbps using the all-in-one to anywhere between 150-200Mbps using my Asus router. Like you, I couldn't find a "bridge mode" in my modem settings, but I did find "IP Passthrough" which is kind of the same thing. They do work differently and affect connection speed, but the end result is still basically the same and I doubt you would end up noticing a difference.

  • @HoneyBear703 6 months ago +1

    I consider myself very techie and have built all my systems from the ground up. However, I have never met anyone as thorough and as easy to follow as you, Naomi. You are an awesome asset to all of us who may or may not know much about what goes "behind the curtains."
    Thank you so much!

  • @Placesandspaces35 1 year ago +1

    That’s why i love Merlin Firmware for ASUS routers. You can run Skynet additional firewall, Diversion. AI Protection from Trend Micro etc and it now has Wireguard server protocol available now.

  • @teknerd 1 year ago +46

    Fantastic video Naomi and very well and professionally presented material. I love how quick and detailed your coverage of pfsense is. Including the pro tips like literally unplugging and replugging the ethernet cable to get a new ip address. I am embarrassed that I never thought of just unplugging and replugging the cable lol. I would literally go into the command line or network settings to get a new ip, essentially the longer (dummy) method when I could have just done the trick you did. Can't wait for your upcoming videos on network segmentation.

    • @git-er-dun_LBK_ 1 year ago

      I have Google mesh router with 3 AP's . The main Google Ap cannot be changed using conventional methods so I was wondering if there is a method to use pfSense and not current Google with the. I can configure the Google mesh router with a guest mode, that model well-made you have multiple guests for each peripheral I want to connect to the system I'm just fishing for some answers if you can help.

  • @ganeryhyperion8386 1 year ago +3

    What I like about pfSense is the migration from one device to another; you can back up nearly all the settings on it.

  • @oceanwonders 1 year ago +22

    This is way too hard even for people who are interested in privacy like me. I just don't have the bandwidth to take on a project like this.
    You're not gonna catch most people, but it doesn't mean this education isn't worth doing.

    • @LilRedDog 1 year ago +5

      "I just don't have the bandwidth to take on a project like this"
      I see what you did there...😇

    • @deang5622 1 year ago +9

      It is not bandwidth you don't have, it's the technical knowledge and ability.
      And 98% of the public do not.
      So the idea this is pitched at any random Joe is farcical and that Joe can learn this stuff is nonsense.

    • @LilRedDog 1 year ago +1

      @@deang5622 I thought you were being -intentionally- punny; my bad.

    • @wannabedal-adx458 1 year ago

      Cyber security is all about levels of risk and protection. If you are not interested in higher levels of protection, then you are right this video doesn't apply. If you care more about security and privacy, then you'll take the time to learn this.

    • @oceanwonders 1 year ago

      @@wannabedal-adx458 Agreed. We all do what we feel we are able to do, what's worth it for us.

  • @IBM_Museum 1 year ago +5

    Great video! I started on pfSense about seven or eight years ago and loaded it on a dual PIII server that I had added two dual gigabit NICs (64-bit PCI) - years later, I ported that configuration to a four-port Protectli mini-PC as shown. But that unit is now at my mom's house, as I have upgraded to a six-port Protectli at home. What amazes me is that I planned my network configuration so well that I haven't changed it much over the years.
    I look forward to more follow-up videos - I split the remaining interfaces other than the LAN and WAN to be my DMZ network and an "ADMIN" network. The LAN and ADMIN VLANs are trunked from my main managed switch to peripheral switches that can only be managed through the ADMIN network (only on a few systems I run). Of course, the ADMIN network has no wireless access points and is locked down in DHCP assignment. IoT and "guest" wireless are on the DMZ network.
    I like pfSense for being easy to move between devices too as upgrades are made...

    • @diddy_dante 1 year ago

      Wouldn't it make more sense for the IoT stuff to be put on a different VLAN but not on the DMZ? Considering the security in IoT devices, it doesn't make sense to me to open them up to public like that.

    • @IBM_Museum 1 year ago

      @@diddy_dante: My IoT devices are actually locked down to where they only need to contact - I used Wireshark to figure out the minimum needed (i.e. Honeywell thermostat only allowed to communicate with Honeywell servers). The security camera DVR is also locked down to not give any traffic to the outside world.

    • @diddy_dante 1 year ago

      @@IBM_Museum ah ok that seems good then

  • @johnsmuzic 9 months ago +2

    WOW!!, Beautiful inside and out!! For what it's worth, my family and friends appreciate what you do. THANK YOU!! GOD BLESS.

  • @Kaspeyskis. 1 year ago +5

    Thank you for the video. There is a lot of generalization in it.
    First: for firmware update reasons I suggest using MikroTik devices; you can manually update them as long as you're willing to do it. And they are a lot cheaper. In fact this applies to pfSense as well.
    Second: if someone makes a WiFi attack on your setup, then your expensive setup falls apart.
    Third: the rules at the beginning of the video apply to any device with old firmware on the LAN. For example cameras and smart devices, basically any device which holds some sort of firmware.
    Fourth: you don’t need an expensive device for pfSense. In fact any old PC within reason will be more than capable of running pfSense with a LAN expansion card.
    Last: nothing is 100% secure; all the prevention makes your setup less prone to being attacked.
    I see the big work you put into it. Keep up the good work.

  • @michaelscheftic8892 11 months ago +2

    This is GREAT Info. Seems too complicated for a non techy like me

  • @realgreglolxd 4 months ago

    First time I see your channel. I am a student in IT and found your video very educational and clear, keep up the good work

  • @MakeitZUPER 1 year ago +1

    You're the best !!! I have been looking for this exact information to protect and isolate my information and devices. I'm looking forward to the other videos to isolate my home theater, so they function without collecting my data. I hope this all works out but I'm very concerned that if it doesn't, I won't be able to go online for assistance anymore. The last portion of this video seemed rushed and I hope I can download it for future reference if my system fails. If any one of these components stops working, I will be lost, lol. Thank you for everything you do to help make the world a safer place.

  • @dougjohnson4266 1 year ago +4

    Normal people are not going to be able to understand any of this unfortunately. Still all of this is a good idea.

  • @mattd5136 1 year ago +5

    Kudos for using a Netgear router as the example - they've been atrocious for face-palmingly dumb WAN-side auth attacks; not all of which they fix on older models.
    Although brickbats (just little ones) for running a Netgear Nighthawk of some kind (a r7xxx series?) that's quite possibly capable of being flashed to one of the flavours of open source firmwares (DD-WRT, Open-WRT, Tomato) that means you get all the function of pfSense PLUS working WiFi AND more frequent updates without needing another hardware device to purchase and power.
    There's precious little difference between learning pfSense and learning *WRT. Although there is a very slim but not-entirely-zero chance you brick the router flashing it.

    • @LilRedDog 1 year ago +2

      Actually:
      Open-WRT does not like the chipset in the R7000. So it is 2.4GHz only with that firmware.

    • @mattd5136 1 year ago +2

      @@LilRedDog Fair enough. I run one and its bigger 8000 & 9000 brothers on DD-WRT where 5GHz works great. I've only used Open-WRT on Ubiquiti gear to unlock radio restrictions.
      Open source firmware is still a great way of re-purposing an older router where the original manufacturer has officially or effectively abandoned it ... or simply crippled it with a rubbish firmware in the first place 🙄

  • @xraargu6212 3 months ago

    This is *great* content. I understand already all of it, but was still a compelling watch.
    One recommendation (YMMV):
    Use TWO routers of different makes in sequence. Yes some things have issues with double NATing but the average user (that's you if you don't know what NATing is) won't notice, and the non-average user can figure it out.
    Internet -> Router 1 -> Router 2 -> your devices
    Yes double NATing will break UPnP but...uh...good.
    I used this setup for decades with no issues gaming, using VPNs, etc.

  • @Robert-sj8ld 1 year ago +3

    Naomi...I love your channel.
    Very very informative in a way that I can understand.
    Thank you so much👍

  • @lyfandeth 1 year ago +2

    Broadband suppliers in the US can require modemrouters (integral) that are custom made for/by them. That usually means the actual customer is locked out of the update process and only the broadband supplier can start updates. Which they have no interest in doing.

  • @greylady4560 7 months ago

    I love your videos and often find myself going down the YouTube rabbit hole watching them. I am always delighted when you recommend something that I am already using. However, I have two questions. First, who do I turn to when something doesn't work as expected? Before I retired, I could go to the IT person at work and ask questions. They wouldn't always have the answers, but sometimes they would. Now, I am at a loss as to whom to ask. Second, I currently have one of those 5-in-1 routers from my ISP provider. I will probably have to buy my own router, as I did years ago.
    I've been breaking and fixing my computers since 2001, following videos and blogs. I once created a brick router and had to reinstall Windows when I attempted to follow directions for changing the registry. Learning processes are filled with mistakes, and I've gained a lot by researching my snafus. Sometimes, though, I've had to give up when I couldn't find the information I needed. Having an easy-to-access place where I can ask questions would be awesome.
    Thank you so much for providing these videos.

  • @prunn 1 year ago +1

    13:46 power tip: plug the vault into a UPS then,
    I see they have a UPS addon, but it won't send a shutdown signal for prolonged power cuts; the one with USB ports paired with a normal one might do it

  • @Armmani2000 1 year ago +2

    Excellent guide Naomi, that's exactly what I have done, except I used an old PC with 2 network cards for installing pfSense.

    • @LilRedDog 1 year ago +1

      And what does that cost in electricity a year?

    • @Armmani2000 1 year ago +1

      @@LilRedDog I am not sure, I should actually find out! I think it has an 80 watt power supply.

  • @kerninn 1 year ago +2

    I was JUST watching your video on VoIP and was wondering about making home internet connection secured. Taking notes and waiting for the next video about segmenting network :D

  • @bobchambers1455 1 year ago +1

    Naomi is super intelligent, her videos are always very well made and packed with very useful information....and she's gorgeous on top of all that!

  • @DavidHathaway 1 year ago +4

    This is almost exactly my setup. I too use a Protectli and I love it. I upped my router game to a mesh router, but it too is in AP mode. And yes, I have a managed switch between the Protectli and the router, plus another at a mesh satellite because I need wired connections there.
    Based on the comments I have seen here, I hope you address Pi-Hole versus pfBlockerNG in your next video.

    • @LilRedDog 1 year ago

      I'll address it so she need not:
      Pi-hole with the Brave browser lets nothing through.
      I did add a custom list and block ~312,000 sites but even YouTube loses with that combination.

    • @DavidHathaway 1 year ago +1

      @@LilRedDog have you tried pfBlockerNG? This does the same thing without needing an additional device. I have tried both and I am letting pfSense do the job. My Pi-hole was a fun project, but it is unnecessary if you already have a pfSense firewall.

    • @LilRedDog 1 year ago

      @@DavidHathaway No I have not.
      Technically I have one device and a Browser.
      But I could VM Pi-hole on something but I love my Pi zero2 too much.
      It is so cute taped to the router and using WiFi to talk to the network.
      Can it recursive DNS?
      I'm sure you can: asking for a friend.😆

    • @DavidHathaway 1 year ago +2

      @@LilRedDog I used my Pi zero (OG version) for Pi-Hole and loved the cute bugger. Worked well for sure. And cheap!
      But I just don't need it since getting the Protectli and using pfSense with the pfBlockerNG package. I also use the Snort package to detect weird network traffic. I'd like to put my IoT devices on a different VLAN but I haven't figured that out quite yet; the fault is mine not pfSense. Anyways....
      I do need to figure out what to do with my Pi now.

    • @LilRedDog 1 year ago

      @@DavidHathaway Sell it on eBay for 3-10x what you paid for it, while you can!!!!
      I use my old one with a travel router; it is a hassle because it has no RTC and I have to set the date and time after 3 days of sitting.
      But I'm addicted.

  • @healthfullivingify 7 months ago +1

    This video is great, Naomi. What a wonderful explanation and tutorial on Protectli and internet security.

  • @dalefirmin5118 2 months ago

    A firewall can also block outgoing traffic. This is good to keep children safe from unwanted websites (blacklisting) and blocking certain outgoing ports usually assigned to known malicious software, although clever hackers can modify their software to change the common port. A good example of a port to block in a security conscious company would be port 3389 used for remote access.

  • @jr4062 1 year ago +2

    The router, like hellblazer, is gateway between earth and hell. Great video, the Naomi twins have done it again.

  • @v2joecr 1 year ago +1

    The 169.254.*.* IP range also applies in a Windows environment as well. I'd assume it happens in most OSs. The oldest version of Windows I remember seeing this with was Windows XP. The 169.254.*.* is also called an APIPA for Automatic Private IP Addressing. Another reason to use a separate device for the wireless you don't have to replace the router to gain access to newer wireless standards as you only have to replace the access point.
    Also, some routers don't have the convenient setting to switch it into access point mode. If the router you are putting in access point mode, the main thing you need to do is turn off the DHCP server & if it provides the option to point it to one of the ID addresses not handed out by DHCP.

    • @ssokolow 5 months ago

      I remember seeing it with Windows 9x back when I had to fiddle with a late 90s/early 2000s "your first 10BaseT home network" kit I'd bought.

  • @ltsiver 1 year ago +4

    I would believe it. Listening to security now and hearing the stories of MikroTik, Asus, D-Link, Netgear, Belkin, Cisco, and Linksys problems... Well....
    Up until recently, the routers required manual firmware updates. Thankfully now, many of them self update.

    • @shaunclarke94 1 year ago

      What do you have against Mikrotik or Cisco?
      Both are perfectly fine solutions, but are not really for beginners or novices.

    • @ltsiver 1 year ago +1

      @@shaunclarke94 I don't have anything against them. I was referring to their security flaws.

    • @shaunclarke94 1 year ago +1

      @@ltsiver any network hardware manufacturer is going to be affected by vulnerabilities.
      Of the ones you listed, Cisco and Mikrotik are the ones I'd trust to actually release updates as they aren't targeting the residential market exclusively.

  • @kalimbomkalla9628 1 year ago +12

    Great video! Question: Is there a reason why you went for pfsense instead of opnsense seeing that it has a friendly gui and more plugins?

    • @NaomiBrockwellTV 1 year ago +3

      It's what was recommended by Michael Bazzell so I defaulted to his setup

    • @mattd5136 1 year ago +6

      @@NaomiBrockwellTV on the upside as OPNsense is a fork of pfSense the learning curve to switch between them is pretty darn slim.

  • @ksamos 1 year ago +1

    Ubiquiti has been a very good product for us. A good way to classify it would be Cisco-like performance for a lot less money. No subscription costs. I see it being used in a lot of commercial settings these days and use it for my home and business. Easily configurable and expandable managed system with excellent firewall capabilities.
    Nothing is absolute out there, but Ubiquiti offers an enterprise system at a very competitive price point that works out of the box.

  • @xila8861 1 year ago +3

    I am glad I subscribed to your channel. The subjects and the production of this channel are fantastic.

  • @inujoshwa89 1 year ago +1

    How come I haven't seen you until now.....such a pretty unsung hero ❤️

  • @60souravsingh61 1 year ago +3

    Happy to see you again and thanks 🥰

  • @heitormbonfim 1 year ago +3

    Thanks for putting thought and action resulting in the common good.

  • @gusgusnft8231 1 year ago +2

    Awesome information. This is something I’ve been looking to do for my home network. Thank you.

  • @CapsLock33 1 year ago +5

    You guys make learning easy and fun. Please make more.

  • @MrPirreE 8 months ago +1

    About updates. Before fiber came to town I was stuck with the gear my ISP sent, and that only updated when the unit died and was physically replaced with a newer model.
    Now when I can choose my own brand I have an ASUS device and that thing gets firmware updates almost as often as my Q-NAP NAS. So quite often.

  • @TheLazyJAK 1 year ago +1

    All of your videos are so thorough. Keep it up!

  • @MichaelAmen316 1 year ago +2

    I appreciate that she pronounces it router instead of rooter. LOL. Love Naomi's videos and she is a hot nerd... even better! LOL! ❤

  • @karllogue5988 1 year ago +7

    Not sure I understand why you would need pfSense if you've already got the firewall features of your router enabled, and you've got a relatively new router (

    • @haywardgg 1 year ago

      You're right. These types of videos are clickbait. It's mostly FUD imho!

    • @penultimatename6677 1 year ago +1

      Pfsense is the best firewall. Also can protect you from having the router ping the manufacturer with your data. Pfsense makes it easier to setup multiple networks to separate iot from your devices and guests. It blocks all incoming traffic unless requested by a device in the local network.

  • @tableB 1 year ago +1

    Hi Naomi, great series. Just invested in a Protectli/Pfsense project. Looking forward to putting it all in place.
    Thank you!😊

  • @donaldwright2426 1 month ago +1

    This is a very, very good tutorial. 👏 You broke it down piece by piece to make it easy to understand the task of each apparatus and the software side of it. I'm even happier to learn that Protectli is an American-based company. And Brent Cowing seems a common-sense person, so is probably the best person to represent Protectli. I'm going to buy myself a Protectli apparatus. 😃

  • @telocho 9 months ago

    I am someone involved with testing devices at an internet supplier; we use in-house firmware and middleware, not the default supplier firmware. We focus on vulnerabilities, stability, functionality and energy ‘green’ compliance as mandated in the EU and possibly elsewhere. We take energy compliance seriously, so your advice for adding devices consuming a few watts is a lot of unnecessary wasted power when implemented by plenty million subscribers. Do not add boxes to your home configuration if not absolutely necessary, better invest in a highly regarded and safe all-in-one.

  • @slypig24 1 year ago +12

    Thanks, I've had to watch this episode twice to fully understand all the steps, I think I'm up for the challenge. I only wish I hadn't set a lot of my devices to a dedicated IP address, but I'm slowly changing them all to obtain their IP address automatically. Thanks for the great episode, looking forward to part two. Cheers from Australia 🇦🇺

    • @deang5622 1 year ago +4

      All IP addresses on your internal network are dedicated. Once it has been assigned it can't be used by any other device in your network.
      You're getting mixed up, I suspect, on the difference between dynamically assigned and statically assigned IP addresses.
      Dynamically assigned is most often done by the DHCP protocol where your router acts as a DHCP server and issues IP addresses to the devices on the network.
      It's not true to suggest that DHCP dynamically assigned addressing is better than statically assigned addresses.
      Most companies use statically assigned addresses and there is a good reason for it.
      It begs the question, how did you end up with statically assigned addresses on your network if you don't know much about the subject?

    • @duroxkilo
      @duroxkilo 8 months ago

      @@deang5622 that's correct, from a security point of view the way the IPs are assigned for the LAN devices doesn't make much of a difference...maybe MAC filtering would make a difference (so that only MACs from a list can communicate w/ the router)?...
      imo these are just unnecessary complications for the home user (i'm not saying education is a waste of time). changing ('hiding') the router's LAN IP for example for security reasons takes more time to set up than for an attacker that's already connected to the LAN to detect.
      ppl need to realize that traffic outside their modems is monitored by the ISP for various reasons, traffic management being one since bandwidth is their greatest investment and they have no interest in sharing it for free, so it's not like the wild wild west outside the modems...
      and to prove my point, the vast majority of malware infections occur thru attachments (and links) followed by P2P shared material, both requiring the end user to click on a trap..
      i use a dedicated firewall device and i'm yet to see sustained attempts of attacks or port probing in the logs going back decades...

  • @Mr.BlueDiamondStump
    @Mr.BlueDiamondStump 1 year ago

    I'm spankin New to Cybersecurity,.... this is Beyond HELPFULLLLLLLLLLLLLL!!!

  • @Whiskeyshotglass
    @Whiskeyshotglass 1 year ago +3

    Please make a video on the Firewalla.

  • @InfoSecGuardian
    @InfoSecGuardian 1 year ago +6

    Untangle, owned by Arista, does the same except it has a lot of extra features giving you a full dashboard and a whole host of network software such as Web Filtering, Virus Blockers, Threat Prevention, Firewall, Bandwidth Control, etc.... and even has load balancing for two WANs if you want (so that if one of your ISPs goes down, you have a backup). Good topic. I went through the network redesign a couple years ago. Thanks!

    • @cpufrost
      @cpufrost 1 year ago

      Untangle is subscription based, however.

    • @InfoSecGuardian
      @InfoSecGuardian 1 year ago +1

      @@cpufrost - For most people, correct. There is a free level. But, to get higher levels of protection like BitDefender, there is a cost. Licensing for virus protection, web filtering, etc... isn't free. Updates occur at least twice daily. For this high level of protection, it requires resources that aren't working for free. Zero Day attack protection requires frequent updates. Blocking these threats at the firewall protects your IoT devices that aren't well protected.

    • @IT_RUN1
      @IT_RUN1 1 year ago

      Does it support split tunneling for VPNs and support for multiple VPNs?

  • @JustinT1010
    @JustinT1010 1 year ago +2

    Naomi, you’re making me want to get a Protectli now 👏

    • @wheelieblind
      @wheelieblind 1 year ago

      If I got one of those things I would not know how to set it up even after watching the video... also I know Tom Baker the 4th Doctor, and when I called him on the phone he answered, I think he still lives in the same house he was living in back in the 20th century.

  • @petebraven1522
    @petebraven1522 7 months ago

    Oh, one thing I've always got in my Internet connection (router etc) is a UPS backup, a battery backed up power supply in the event of a power cut. Also have one for computer supply. Costs half the amount of a desktop but waaaay less than losing data.

  • @arunkhan4951
    @arunkhan4951 1 year ago

    A great video. I loved the first part explaining in lay person terms on how everything is glued together to make a home network work!😅

  • @corrompido7680
    @corrompido7680 1 year ago +1

    love your videos, they make me wanna return to learn cybersecurity

  • @sea_bass21
    @sea_bass21 3 months ago

    9:22 Press spacebar to select the Protectli Vault. Took me a while to figure this out.

  • @tawheed313
    @tawheed313 1 year ago +1

    *Princess Naomi* :
    The RobinHood of Digital World.
    Much love and respect.. Thanks a bunch for educating us.
    Edit : 20mins worthy for being digitally secured.

  • @Cmrmusic734
    @Cmrmusic734 20 days ago +1

    Thanks so much for the insight. It's a creepy internet nowadays.👀😓

  • @andywoodruff6
    @andywoodruff6 1 year ago +1

    When installing pfsense I had to hit space bar to select the protectli drive. You didn't mention this in your tutorial so posting for awareness.

  • @IT_RUN1
    @IT_RUN1 1 year ago

    Got the Vilfo VPN router. Their roadmap shows a lot of transparency in my opinion. And it seems like they do update more regularly than any vendor I've seen.
    As far as security, I haven't gotten hit once since installation in November 2022 thanks to their software based built-in VPN server (separate from whomever your VPN provider is as it supports multiple providers).
    They do allow you to but do not recommend opening the remote WAN which was the case for my old ISP router that caused my Synology NAS to get hit with over 10,000 attempts via bots or hackers from 2014 to November 2022 which were recorded by its auto block feature.

  • @Digitally_Faith
    @Digitally_Faith 1 year ago +1

    Thank you for packing so much information at a fantastically easy to understand video

  • @VulcanOnWheels
    @VulcanOnWheels 1 year ago

    12:43 Chuck is informative, but he's always so tense!

  • @supercheetah778
    @supercheetah778 1 year ago +8

    It would be great if device manufacturers or at least router manufacturers would just support OpenWRT or pfSense directly, and maybe just make a custom interface of one of those for their router.
    Speaking of, can you compare pfSense, OpenWRT, and DD-WRT? My usual setup involves making sure to use an OpenWRT supported router, and since I'm already familiar with IP CHAINS in Linux, it makes sense to me (with that said, OpenWRT and DD-WRT do have pretty decent UIs that make it easy to do typical firewall changes without having to get into the weeds with IP CHAINS). I like being able to just install an updated and more powerful firmware directly on the router that's connected directly to the wider Internet, and I get wanting to be able to just unplug just the Wifi (which, to be clear, could still be done with OpenWRT and a wholly separate device dedicated to that purpose, of course), but maybe I'm missing something with just using OpenWRT instead of pfSense?

    • @cdl0
      @cdl0 1 year ago +1

      Excellent comment. DD-WRT and OpenWRT are excellent, and are definitely worth investigating. They work with many models of wireless routers, and are a great way to rejuvenate and repurpose old equipment that might otherwise be discarded.

    • @dwelfusius
      @dwelfusius 1 year ago +1

      @@cdl0 Tomato does/did? as well, i have it on an old linksys e3200 to convert it to wireless bridge.

    • @cdl0
      @cdl0 1 year ago +1

      @@dwelfusius Yes, Tomato still exists, and is a good option for routers using a Broadcom chipset.

  • @ootmllk608
    @ootmllk608 1 year ago +1

    Thank you for making this. Looking forward to watching the next episode.

  • @tinetannies4637
    @tinetannies4637 1 year ago +1

    Just discovered this channel. It's awesome!

  • @nully.emptier
    @nully.emptier 1 year ago +3

    omg... I have similar device! Another great straightforward video... thumb up!

  • @JohnSmithIam
    @JohnSmithIam 1 year ago +1

    Thank you @Naomi, I just set my system to your advice here and I'm up and running!

  • @StephenCoste-j4y
    @StephenCoste-j4y 1 month ago

    The testing was done on 7 companies' gateways that were sold in Europe. Also the title says about router but the whole discussion is about gateways (I am a newly retired internet tech from a major ISP in Canada)

  • @ronm6585
    @ronm6585 1 year ago +3

    Excellent information. Thank you.

  • @Lacsap3366
    @Lacsap3366 1 year ago +3

    I would also recommend Sophos Firewall Home since it has way more security features than PFSense or OPNSense like proper DPI, IPS with TLS Decryption, AV, exploit detection and so on. The home edition can be used for free for up to 4 cpu cores and 6 gb RAM.

  • @wcg66
    @wcg66 1 year ago +1

    I moved from a pfsense setup to a MikroTik router/switch. The price was competitive and their RouterOS is enterprise level software. Plus the MikroTik throughput was much higher than what the pfsense box could handle.

  • @user-ol5jn8jf7c
    @user-ol5jn8jf7c 6 months ago +1

    Thanks very much Naomi, I'm not based in the US, so I take it I can't really make use of the content of this video? But I'm going to read up on all the things mentioned. 👍🏼

  • @jwb6583
    @jwb6583 1 year ago +2

    Clear explanation, but why don't you use the functionality (fw, dhcp etc.) of the Netgear Nighthawk router? Is the Nighthawk as unsafe as the router functionality in the cable modem? I already put my cable modem into bridge mode (so the unsafe router functionality is turned off!). I use my Nighthawk as the (WiFi) router, only 2 devices have a UTP port, I have to use Wifi for the rest of my devices, because they don't have a UTP port.

    • @dwelfusius
      @dwelfusius 1 year ago

      Idk about you, but my (granted older one, r7000) was bottlenecking my speed despite having pihole in my network (dns and dhcp server) so meaning pre blocking of 20% traffic. What speeds he can get vs the throughput you get when you enable more security is sometimes quite different. Also, netgear software and firmware is notoriously rubbish, buggy, and forget updates after a couple of yrs (this is for most home products period). No jk. But gotta say, in AP only mode, stellar and stable. I do have a managed netgear switch though, and that one is quite stable.

  • @TheTransporter007
    @TheTransporter007 1 year ago

    PFSense here. Internal networks/servers/VM's on zero trust networking principles (including WLAN isolation).
    Zero trust: Block all traffic, specific services (ports) only as needed. GeoIP blocking, and other mitigations at the network layer.
    Separate vLAN's for storage, services/VM's, out of band management, and clients.
    I'd say my network is pretty hardened. 😅

  • @cyberzombie038
    @cyberzombie038 8 months ago

    Two extra security measures I'd recommend for an AP: the first is disabling SSID broadcasting. The other is to set up a whitelist for MAC filtering.

  • @Gabifuertes
    @Gabifuertes 1 year ago

    Yes, I do believe it. ISPs give old and low-end hardware which I should be grateful it even comes with firmware in English. Security might as well be their last concern.

  • @TheDuckPox
    @TheDuckPox 1 year ago +1

    I feel like the internet threat is not explained enough. Nowadays, ISPs put symmetrical NATs on their networks that effectively limit the ability of any consumer router to communicate outside of the ISP and its own network and probably even have their own sets of firewalls. Apart from having to trust our preferred ISPs, is there any other risk regular users must face by using a severely vulnerable router?

  • @biteme9593
    @biteme9593 1 year ago +1

    Thank you for giving the enduring image of my router needing to be emotionally supported occasionally. A router is not just for christmas.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      😂 Absolutely, a router is not just for christmas. This needs to be a sketch...

  • @martinbecklen6486
    @martinbecklen6486 5 months ago

    Pretty damn complicated. Clear as mud. I wonder what percent of viewers are courageous enough to implement the steps recommended in this video. Hmmm. . . .

    • @RobiOne313
      @RobiOne313 4 months ago

      This is the kind of video I used to watch then try to do it myself resulting in an absolute nightmare .. I finally learned the lesson after my last Windows re-install of shame to accept my limitations ☹️

  • @decisiveliberty
    @decisiveliberty 1 year ago +1

    "did you shut it down or just unplug it?" Best moment in all of NBTV >>> "uhhhhhhhhhhhhhhh..." 🤣😂🤣

  • @yourma-uh5um
    @yourma-uh5um 1 year ago +1

    Getting the parts together to build a mini-ITX OpenWRT wireless router as my ISP aren't interested in upgrading me to their Wi-Fi 6E capable modem/wireless router, problem is Wi-Fi 7 is coming soon and I'm waiting to see what other low power parts such as CPUs/APUs become available in the meantime.
    Hopefully I can turn it into a Wireless NAS too.

  • @trp225
    @trp225 1 year ago +1

    3:21 not always. There are router boxes without wireless. This includes but is not limited to some VoIP boxes and some modem combos (modem and router all-in-one). An example of a modem combo without wireless is the Westell 6100.

    • @gfred56
      @gfred56 1 year ago +1

      "MY" wireless router is in the lower-most corner of "my" house with a wireless box relaying said wireless signal to upper deck here neighboring below Coastal AK😅

  • @AinzOoalG0wn
    @AinzOoalG0wn 1 year ago

    this video was much more advanced than i would have suspected. you mention stuff like pfsense, coreboot bios and other technical tips. only thing you missed was pfblocker but this is still pretty good for newbies that need to know the basics.
    can tell you put in the research and effort into this video. kudos :]

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago +1

      pf blocker is the 3rd video in this series, hasn't been released yet :)

  • @mtkoslowski
    @mtkoslowski 1 year ago +2

    Great content Naomi (as always)!
    Is there anyone out there who can cure Network Chuck from continually slurping his coffee?

  • @Mercurio-Morat-Goes-Bughunting
    @Mercurio-Morat-Goes-Bughunting 10 months ago

    13:50 this is potentially a vulnerability with the vault. With increasingly aggressive cost cutting in power production, power is increasingly dirty and unstable with more frequent outages. If it can't stay on long enough to shut down during an outage and shutting down matters, this can become a major issue for degraded areas of the power grid and a vulnerability which is as simple to exploit as going up the pole and shorting the line - or pulling a fuse if it's an old-fashioned fused box with public access. So you also need to run dedicated UPS with a system that alerts you via SMS whenever the UPS is cut off from power and whenever power is restored to the UPS.

  • @peterkoch3777
    @peterkoch3777 1 year ago

    My provider offered a Fritzbox for additional 4€ per month... well worth it! FritzBoxen are waaaaaay better than the usual D-Link or Netgear garbage. Updates for years and easy GUI. Today i configured DNS over TLS... just for fun and it was a breeze!

  • @andymok7945
    @andymok7945 1 year ago

    Lots of junk out there. Netgear make lots of good stuff, but the R7000 router had a DNS rebinding issue. Way back when I used a 3 modem setup, I had to move the R7000 from the front unit to one of the two back units. I have been using pfSense for many years. First 4 years I used the Netgate SG-2440 and the unit still works as a secondary FW. For about 5 years now, I am using a 6 port Qotom brick PC and very happy with it. I have VLANS and a LAGG setup.

  • @blendingsentinel4797
    @blendingsentinel4797 1 year ago +1

    My xfinity xfi router was insecure for so long. One day I was working with the School IT guy setting up a new IP Phone system (I go to a Tech School / High School combo) and learned how Networking works. I decided to configure my home router to get better speeds and get a Dedicated IP for my BSD based Server. Turns out the Admin passcode was 'Admin' and around 20 ports were open. Firewall was set to Low (pretty much off) so I decided to get that all fixed. Thankfully every device in my home is either Linux or some other UNIX but still kinda scary. Glad I set that up. No listeners yet but I check once a month to make sure the network is good to go. Not my home, still living with my mom until I can get my own place after graduation. Comcast is the provider here in my region. Fuck Comcast.