Your Home Network is Exposed: Top 10 Ways to Protect it NOW!

Thanks for the mention Dave! Wow, he knows I exist!

Please cover OPNSense

You missed one. Create a Guest network but also create an IoT network. Put all the garbage devices like Echos and your fridge on that. Anything that uses a cloud service.

Thank you sincerely for this video. It's comforting to have advice from you, as I know you're not trying to sell me something, and you don't have any axe to grind.

i work in IT for a decently sized company of around 13,000 users. whenever i come across a tech oriented video, i get quite critical, as many do, im sure. i am far from claiming to be an expert in all things tech. ive seen some that claim to be, but none that are. in any case, i try to watch tech videos that i am learned about through the eyes of a person that has limited knowledge of anything IT related. thus the critiquing begins...i must say your way of explaining terminology to the layperson is exceptional, your overall knowledge of the subject is the same. top marks, sir and thank you for the education. as previously eluded to, we all cant know everything and youve definitely shown me a thing or two on several occasions. much appreciated.

Hi Dave, sure, would love to see your take on a deeper dive into pfsense/opnsense. Our home network setups are very similar (Ubiquiti implementation), minus the 5 gigabit part (1 gig fiber here). The performance impact is pretty dismal with the IDS/IPS enabled via Unifi. I appreciate that they offer it, but would prefer it externalized for performance, much like you described and have implemented. I had never heard of the Protectli Vault before, so this is very interesting to learn about. Thanks!

I went with a Protectli router about 2 years ago and running PFSense on it. I have full control over my home network and it's so easy to configure. I have set up firewall aliases to route certain traffic over VPN and also to block all my TV's and other devices that only need LAN access from the internet. I would love a detailed walkthrough on some more protective settings so I look forward to a video covering that!

THEM: Can I connect to your wifi. ME: sure, what's your MAC address.

I'm in the process of rebuilding my OPNSense router right now. Having you talk about how great it is has been fantastic background audio.
One thing I think you overlooked, was DNS blacklisting. The Unbound config for OPNSense has lots of DNS blacklists to keep a lot of trackers, advertising networks, known botnets, etc all at bay - before they even get to the IPS or IDS.
Thanks again for your videos. I've liked and subbed, as you've asked. Cheers!

Timely.... I am right now in the process of installing a vault with OPNsense... As a newby, I look forward to more content from you on this important topic. Thanks much.

Dave's Garage may very well be my favorite channel on YT!

Great presentation of information. The addition of IPS/IDS is an absolute must given that it can be done subscription free nowadays. The other part I hope you touch upon one day is the proper setup of firewall rules and DNS shielding, both are heavily underrated topics.

Yeah, I'd be interested in more about deploying and configuring OPNSense. For me, probably more interested in a demo that gives me a flavor for more of the details of what's possible than a tutorial on how to do things, but something that's a little of each would be cool, too.

A good source for OPNSense machines are used workstations. Companies offload them in bulk and you can find them very cheap online. You may need to buy a dual NIC seperately but I paid less for mine in total than some consumer boxes.

Appreciate that you put into the video syllabus “T…g… requests in comments are from scammers, so don't respond to them.” I was *almost* *believing* that it WAS from you - especially the more intense second message that I received after having failed to respond to the first one.

I've said it before and I stand by it still: Your presentation format is one of the absolute best on RUclips. Okay, best anywhere. You're to the point, knowledgeable, and to the point. I really enjoyed this video and I agree with the solution you chose: it's really the best with > 1Gbps Internet. And really, if someone at home "only" has 200Mbps, this solution is still so much better than a vendor's supplied "router."
Also worth mentioning to people: Never use a vendor's router for WiFi--just not worth it. Put a firewall like you mentioned behind the vendor's router, then an access point( s ) or even cheap WiFi 6e router behind the firewall and you're better off from a security POV.

The thumbnail is gold

This brings back memories from the early 2000s when I had a pooched-out Pentium II machine running Slackware with hand-written iptables and Snort scripts. I wonder if I have those scripts lying around somewhere...

Keep the videos coming, love all the different subjects you've covered. Something to nerd out on.

The primary issue with ISP provided and most consumer routers is just how readily they are abandoned after maybe a year of security updates... this is my primary reason for leaving them in dumb mode wherever possible and having something of my own handling security.

I'd love to see more coverage of pfSense and OPNSense

Nice presentation as usual, I currently use PFSense, but would look forward to your comparison video of OPNSense.

Dave, thanks for a great video. Clear, concise and easy to follow. If you want to squeeze everything you can out of your speed test however consider dumping your RJ45 transceivers. Besides consuming more power, 10GBase-T links have about 2.6 microseconds of latency whereas DAC (Twinax) and optical fiber links have only 300 nanoseconds of latency.

Note that Netgear router/cable modem combos may not have the ability to update firmware if you buy your own, instead of getting it from the ISP. Only ISPs can update the firmware, and wont do so for a model you purchased even if it is identical to the model the ISP distributes to customers.

Great 100,000 foot level analysis! The drill down was great too! This gives me the picture I need to work from for my own home network.

Wow! what a mouthful. Guess I need to step up my security game. For years NAT worked well, but I guess those days are past. You make me feel like a street racer in a 32 Ford hot rod left in the dust by the guy in a new Corvette.

I’m living with a double-NAT config (but with the ISP WiFi disabled). Was installing a new mesh solution and called my fiber ISP to ask how to set their combo modem-router into bridge mode as there was no UI I could find to do that. They have been excellent in all things, but in this case the answer was “Certainly, that’s a business feature and we can enable it for an additional $2,600 per year…” 😮 Since I didn’t want or need the added bandwidth and support that came with that price I thanked them and successfully live with the system as is. My ISP regularly gives me 2.5x more bandwidth than I pay for, so I’ve seen no negative impacts.

I am planning to get set up a home network with an OPNSense router soon, so I would be happy to see a video from you about setting it up.

👏👏 Thanks Dave! A future in-depth video about OPNSense would not only be closely watched and supported, it would be well appreciated.

I'm new to your videos but liked what I saw, simple to understand and no rubbish in-between. I have recently started my journey into homelabs and have just bought a mini pc for my router with the plan of running opnsense so I would like to see your dive into it.

Keen to see an OPNSense tutorial. I really do wish Ubiquiti would release a UDM that supports IPS at higher line speeds

Hi Dave, YES, please do a walkthrough of OPNSense installation!!!!

This is something I’ve been looking for comprehensive info on for a while. I’d love to see a deep dive into setting up a secure network.

You just answered a question I've had for a while now with AT&T 5 Gbps fiber with IDS/IPS enabled on my UDM-SE. Waiting for that walk-through with your OPNsense config!

Love this video! Easy to digest and share with non-tech literate friends.

yup, Please do an OPNsense install and configure tutorial, i believe it will be helpful for a lot of people

Great advice and great video that a lot can learn from. Thanks for taking the time to make it!!

One of my old ISPs blocked us from accessing the admin panel completely, the wifi password was the same on all routers and obviously couldn't be changed.
Fun times.

Thanks for sharing Dave. All valid points. I commend you for placing that ProtectLi between ISP modem and Unifi Pro. The only aspect where UDM Pro falls short is when it comes to its firewall this is where pfSense \ OPENSense outshines, so kudos for doing that. IDS\IPS is a necessity. Its good that Unifi product line offers it as part of thier equipment. I am suspecting you are using some kind of a Dedicated internet line from your ISP which I suspect is AT&T business. 0 Jitter, less than 2 digit ping times, and symmetrical inbound\outbound data, and 5 GBPS speed, are all hallmarks of a dedicated internet line.

Thanks for another video, Dave! I'd enjoy seeing you cover OPNSense configuration!

Thank you Dave, great topic and would like to watch more content like this.

Concise and informative as usual, thank you!

Dave, please occasionally include block diagrams to show the layout(s) you describe….?

Well done Dave! You presented a ton of material in a logical and comprehensive manner. Keep up the great work! 🎉

10:21 in addition the bridge mode, a DMZ is another solution that might be available. My isp unit is declined to offer bridge, but will happily DMZ an IP range (into which I include my Meraki security appliance)

Accurate, kept it simple and too the point. Good work.

would most defnitely appreciate a walk through of your OPNsense setup and how you configured between your ONT and SE

Useful Dave, and I was able to understand all that, thank you !

Thanks for another great video, Dave! I always find your videos super entertaining and educational.

Very Good, I learned a few more things today. As always, I need to login to my routers and make more tweaks.

Perfect ... good refresher ... Thank you 👍

This was great. Would love a opnsense video!

Oh I how I miss my wrt54g that crapped out on me recently. It was a beast with openwrt. It served well 🇺🇸

Great video ! I must say that you should do audio books (as well as LOTS more RUclips videos) because your vocal presentation is wonderful.

Very good & valuable info. I wanted to add one piece of info: re:"you are probably stuck with whatever modem your ISP gave you." Don't just assume this. I am on fiber in the Seattle area, and I was able to call my ISP and ask for the ethernet jack on my ONT (Optical Network Terminal - the box on the outside of your house that the fiber connects to) to be enabled. 15 minutes and a ONT reboot later, I was able to plug my own router right in to the ONT. Your ISP might not publicize that this is possible - mine certainly didn't , and was not thrilled when I requested it be done - but it sometimes can be done. I had to work my way through a couple of levels of support first, but I have been up and running with my own router now for several years. It is worth asking about.

Pfsense, and secure any port of that device and then setup your vlans, then start firewall your connections (wans and lans). Remember enable ids, and monitor your connections too (perhaps make a nice dashboard with live data monitoring and attach display to your wall).. perhaps i make video about my network security :)

I usually plump for Openwrt and Pihole, Openwrt will run on many off the shelf routers, SBC etc.

WOW! I'm in Australia on 5G WiFi and the best speed I've ever got was 320mb down and 15up and Ping was 16. After seeing your speeds I'm ropeable. Thanks Dave.

I'd add setup your router to use a filtering DNS such as Quad9 rather than your ISP's DNS and enable DNS over TLS.

Excellent overview.
Thank you!

I would like an episode on OPNSense. Great episode

All good tips Dave!
I'd love for you to go through opnsense IDS/IPS setup. I tried configuring and it cut my bandwidth by about 40-50%. I'm running a beefy enterprise class server with a hypervisor and the VM is definitely not resource constrained. I didn't know fully what I was doing and I probably had too many rulesets enabled. Couldn't be bothered to RTFM at the time.
I tried to follow Tim and Lawrence's takes, but it wasn't sinking in. Maybe you'd be the key I need!

I am literally unwrapping some new hardware right now to set up my new OPNSense router and vlan aware switch. Great timing on this video. I would love some more information on configuring OPNSense as the last time I really touched networking rules was in the early 2000s and things have changed a lot.

Good video. In my own situation, I have a layered configuration. My fiber connection goes into a pfsense firewall, which is the front door sitting before my DMZ assets. I then have a secondary firewall a UXG-Pro. All my network traffic is split VLANs.

Definitely cover the OPNSense setup. Your videos are excellent.

Thanks for verifying my choice of a Protectli Vault running OPNSense along with a UniFi 7 Pro AP. I’m experiencing some difficulty setting up OPNSense on the Vault to direct multiple network streams (LAN, IoT, cameras, Guest) to the single 2.5 GBs UniFi Ethernet port which runs the 2.5, 5, and 6 GHz wireless networks over the 3 separate radios. Confused to say the least so it would be great if you could do an in-depth setup of OPNSense on the Protectli Vault.

Great video Dave, thank you for all these great informations.

Thanks, Dave!

Love the tour of your house

exactly on the same boat, have 1Gb now but could update to 5Gb, need to follow our lead, so looking forward the OpnSense config video in the future to implement this Vault solution. Appreciated Dave.

Great video, many thanks from Nova Scotia...

Here in Belgium some ISP's have made their television streamingboxes reliant on their own router.
Putting them in bridge mode is a nightmare to get your TV to work again so double natting is almost obligatory, for site-to-site VPN in my family I have set up an overlay VPN service :p

Excellent job in solving your bandwidth bottleneck by moving your IDS/IPS off of your UDM Pro! 👏 Great thinking outside the box. Unfortunately, like many in the US, I can only dream of those kinds of internet speeds let alone getting FTTH.

I stream in 4K on a 50mb/10mb DSL connection. Having Gigabit today is far too much for most households. We have a lot of IOT devices, tablets, phones and multiple Smart TV's in the house all streaming and 0 issues. Unfortunately nothing else is available in our area but in a way who cares... $35/month for this DSL connection is PLENTY for the 4 of us. Even when we worked from home during the Pandemic. I do have it hooked up to a Netgate Router running PfSense. Works great!

Brilliant video! Thanks Dave! Subscribed! OPNsense video would be fantastic!

Great video, Dave! And yes, a video on OPN Sense would be great!

Dave, I would definitely vote for seeing an in-depth walk thru of open sense. I had pfsense for several years but I feel I could not get the best config and monitoring. Now I have UniFi UPM Pro and 5g fiber so I would like to mirror your configuration.

Thx for fantastic content. Always informative and entertaining :)

nice Video Dave !

Would love to see your take on configuring OPNsense! I think I would absolutely gain helpful insights! An overview of the firewall, interfaces, and VLANs would really help me out. I'm still looking for a good explanation of how interfaces and VLANs communicate with one another, explanation of the default configuration, and best practices. Thanks, Dave!

Just fyi the firewalla brand firewalls automatically do this out of the box. They'll quarantine any new Network devices and you can setup custom filters to block Internet, filter sites, whitelist macs, etc. they're really great devices that are consumer friendly, with a great ui, and don't require a subscription.

Thanks for the intro. Please do a vid on OPNSENSE, thanks!

Thanks Dave. I would like to see more on OPNSense.

Hey hey!!! Looking forward to the OPNSense walkthrough with you... :)

Thank you and yes, please, on more details.
A block diagram of the set up would be extremely helpful in understanding the traffic flows from device to device (source to sink and back)..

Subbed, nice tips for securing home networks ⚡️

I've been running pfsense Plus on a Beelink EQ12 mini pc with 2x Intel 2.5Gb NICs - worth mentioning that pfsense doesn't always play well with Realtek NICs, that are common on consumer PCs. Yes, I would be interested in seeing your setup, I use pfBlockerng and ngtop, and the traffic monitor tots up my download and upload usage. Next step is IDS, like snort, etc. plus Wazuh feeding into Greylog. I will be moving IoT devices to their own vlan and preventing them accessing my other devices.

Love this video!. I’ve done some of this, but wow! Loads more to do!!

very nice Dave. I have been doing most of your suggestions for years. But it is nice to get some confirmation.
I have noticed that my ISP fiber device was not always honoring my DMZ zones I set up... and the conversation was well over the heads of the local technicians.
I ended up with multiple port forwarding From ISP modem to my NightHawk then to my Synology for VPN access.
The VPN on the Nighthawk is absolute crap.... The VPN on the Synology is much better but still no where near as good as PfSense.
I agree with all your suggestions especially if you are building from scratch.
The biggest advice I give friends and family.... never use the built in wireless from your ISP.
Always get another device to stand between your ISP device and your home.

VERY interested in an OPNsense episode. Could skip basic setup--have done that a dozen times. But more info about system requirements,. setting up, configuring and maintaining/checking logs on Clam AV and IDS/IPS would be very helpful. I'm also using OPNsense on a Protectli Vault--really love the horsepower it provides for SPI, VPN, IDS/IPS, etc. But I know it's not working to its full capability.
Thanks so much, Dave. Love your channel. Your interests overlap mine to a great extent. Looking forward to your next posting whatever the subject.

Very cool.. I have used pfSense and OPNSense, but I never knew you could do a transparent bridge with IDS/IPS enabled.. I would like to see how this is configured.. Might be fun to try it again in combination with, or instead of my Unifi ERx

Been using PFsense for years on a 5th gen I5 with 10G networking and IDS/IPS much prefer it over OPNsense. If your going to do an OPNsense video, consider PFsense as a comparison, just my 2 cens but I would consider PFsense the big brother to OPNsense

Thanks Dave!

Use DMZ on provider router to forward all data to your second router (set fixed ip on provider router for the second router and set DMZ to that ip address).
Then on your second router use "Access Control" and make a "Allow List" for both WiFi and Ethernet devices (create a allow list and put in all the mac addresses of the devices that you want that can access your network).
Now only devices that are listed in the "Allow List" can connect to your network, if a device wants to connect to your network that is not listed in the "'Allow List" its bye bye you cannot come in 🙂
Most routers you can put the mac addresses for the devices that you want to have access to remote control your router, for better security.
Make always sure you enable all the firewall options on your router, disable upnp and use port forwarding for your listening applications on specific ports🙂

I decided to change my password from default after being lazy and not doing it since I got the router. I forgot to save the random string with firefox, so now I gotta do it again. But great video. And I highly recommend following all the tips.

I've run OPNSense as my router for some time. I run it as a VM (Proxmox host) on an old Dell rack mount server (R210 II). Works great - wouldn't change, other than maybe a hardware upgrade if I upgrade my internet at some point. I also run Ubiquti equipment, but just APs. The management server for the Ubiquiti stuff is just a Debian VM running on the same box as OPNSense. Also, for your VPN, you should think about doing Wireguard - state of the art encryption with a very well done, clean sheet design and very high quality code.
Funny you should be talking about OPNSense now. Linus Tech Tips just did a video the other day talking about how they were switching their router to an OPNSense box too.

Yes please, would like to see a deep dive into OPNSense

Thanks Dave, really informative. Please make that walk-through video.

Absolutely valuable, educational and the perfect level of detail for me. It confirms and validates the issues and experiences I have had and presents the information in a very pleasant, comfortable and confident manner. Bravo! P.S: That part showing your 5 Gig fiber bandwidth was just showing off, but I liked it!

Very interested in your take on opnsense setup & config!