You missed one. Create a Guest network but also create an IoT network. Put all the garbage devices like Echos and your fridge on that. Anything that uses a cloud service.
@@theinsomniacmedic Separate networks are exactly that. They are separated from each other. I have my main network with all my PCs, NAS and TVs and what not. They all talk to each other. Then I have my IoT network with my fridge, microwave, thermostat, echos and what not. Those two networks cannot interact. In the event someone hacks into one of these cloud device, I couldn't care less. My main network is isolated. I also have a guest network for guests. As you can imagine none of those guests have any access to my devices.
Avoid OPNSense, their security track record is far from stellar. Go for the original project they forked: pfsense. Less and slower updates but rock stable and on top of their security game.
Never knew Dave censors comments. (previous post disappeared.) Wont rewrite the whole thing, in short: go for pfsense instead of that fork. They (opnsense) were willing to stay on an EOL version of PHP which is a huge red-flag, and their past track record aint any better AFAIK.
I would like to refer you over to the Garage: no, not this Garage, but RUclips channel @Jims-Garage (Jim's Garage). He has coverage over OPNsense and other great topics. We all could do with a Dave treatment of OPNsense however.
Thank you sincerely for this video. It's comforting to have advice from you, as I know you're not trying to sell me something, and you don't have any axe to grind.
I'm in the process of rebuilding my OPNSense router right now. Having you talk about how great it is has been fantastic background audio. One thing I think you overlooked, was DNS blacklisting. The Unbound config for OPNSense has lots of DNS blacklists to keep a lot of trackers, advertising networks, known botnets, etc all at bay - before they even get to the IPS or IDS. Thanks again for your videos. I've liked and subbed, as you've asked. Cheers!
@@tonyscaminaci7959 In the early 2000's, I built a spam filter for the newspaper I worked for. By the time I left there, only 0.002% of emails sent were allowed through - and people still complained about too much spam. (thankfully, they were generally understanding when emails were blocked and had to be retrieved or resent) Much of those denials were through DNS blacklists. I can be a really blunt stick to what might be a delicate problem, but I think it's worth the potential trouble as whitelisting domains is super easy.
I went with a Protectli router about 2 years ago and running PFSense on it. I have full control over my home network and it's so easy to configure. I have set up firewall aliases to route certain traffic over VPN and also to block all my TV's and other devices that only need LAN access from the internet. I would love a detailed walkthrough on some more protective settings so I look forward to a video covering that!
i work in IT for a decently sized company of around 13,000 users. whenever i come across a tech oriented video, i get quite critical, as many do, im sure. i am far from claiming to be an expert in all things tech. ive seen some that claim to be, but none that are. in any case, i try to watch tech videos that i am learned about through the eyes of a person that has limited knowledge of anything IT related. thus the critiquing begins...i must say your way of explaining terminology to the layperson is exceptional, your overall knowledge of the subject is the same. top marks, sir and thank you for the education. as previously eluded to, we all cant know everything and youve definitely shown me a thing or two on several occasions. much appreciated.
Timely.... I am right now in the process of installing a vault with OPNsense... As a newby, I look forward to more content from you on this important topic. Thanks much.
I've said it before and I stand by it still: Your presentation format is one of the absolute best on RUclips. Okay, best anywhere. You're to the point, knowledgeable, and to the point. I really enjoyed this video and I agree with the solution you chose: it's really the best with > 1Gbps Internet. And really, if someone at home "only" has 200Mbps, this solution is still so much better than a vendor's supplied "router." Also worth mentioning to people: Never use a vendor's router for WiFi--just not worth it. Put a firewall like you mentioned behind the vendor's router, then an access point( s ) or even cheap WiFi 6e router behind the firewall and you're better off from a security POV.
I wouldn't say "never", it depends on what they provide.. but if you want the latest WiFi 7 (and have devices that already support it), or you want > 1 Gbit on the local LAN ports, you'll probably have to provide your own, yeah, at least rn in early 2024.
@@greggmacdonald9644Surely the main issue with ISP WIFI would be having to trust the ISP firewall, especially when the ISP maintains control of the "router" such as with combined "Cable Modem WiFi routers". You really want the AP behind a firewall you control.
@@TheUAoBIf you can't log into your ISP-Provided router and inspect or change settings within it, then sure! But I can log into the one my ISP provides and so did just that. Plus, you can always circumvent that PC-side anyway, using whatever DNS you'd like, and (if actually necessary), use a VPN to avoid ISP restrictions you can't get around locally. So, it's not an issue for many, I would think.
Appreciate that you put into the video syllabus “T…g… requests in comments are from scammers, so don't respond to them.” I was *almost* *believing* that it WAS from you - especially the more intense second message that I received after having failed to respond to the first one.
Yeah, I'd be interested in more about deploying and configuring OPNSense. For me, probably more interested in a demo that gives me a flavor for more of the details of what's possible than a tutorial on how to do things, but something that's a little of each would be cool, too.
Great presentation of information. The addition of IPS/IDS is an absolute must given that it can be done subscription free nowadays. The other part I hope you touch upon one day is the proper setup of firewall rules and DNS shielding, both are heavily underrated topics.
This brings back memories from the early 2000s when I had a pooched-out Pentium II machine running Slackware with hand-written iptables and Snort scripts. I wonder if I have those scripts lying around somewhere...
Hi Dave, sure, would love to see your take on a deeper dive into pfsense/opnsense. Our home network setups are very similar (Ubiquiti implementation), minus the 5 gigabit part (1 gig fiber here). The performance impact is pretty dismal with the IDS/IPS enabled via Unifi. I appreciate that they offer it, but would prefer it externalized for performance, much like you described and have implemented. I had never heard of the Protectli Vault before, so this is very interesting to learn about. Thanks!
I'm a full unifi household as well, and from what I've heard there should be a refresh of the UDM Pro/SE in the next couple years that will do up to 10GB with IDS\IPS, and to be honest it's time for a hardware refresh, with the new Unifi OS 3.X there are some really cool features and it's becoming more of a mature platform. Once Ubiquiti refreshes the UDM I'll definitely be replacing my UDM Pro even though I only have 1GB symmetrical fiber, I just want new hardware. Unifi is like a drug you can't wait for your next fix LOL
I last tryed pfSense and openSence many years ago, and beyond about 2 gbps they sucked eggs, as soon as you enable state-full inspection it just goes to hell, no matter how much CPU power you give it, it cant keep up with it, now ill admit it was many years ago but nothings really changed in the setup so i don't expect it to perform any better. All that said, for most home users at 1.5 / 2 Gbps its fine, it really is, it might stutter from time to time (especially when doing hundreds of downloads) but it works fine
@@Techguyericd But the one they sold/sells fails miserably at full speed ACL-based IPS. Even on 1Gbps. The Unifi hardware is woefully underpowered. It's a shame. Oh and their VLAN setup is uhmmm, thinking of a "good word," okay---"horrible." But then again, I have 40+ VLANs so I'm likely unique.
You speak techie just casual enough for someone not familiar with the industry to at least get the gist of importance of such measures. The world (or at least my neighborhood) needs a raised awareness of security in a constantly expanding online world - especially since we are raising children. I find your quick, here is the information take it or leave it approach, to be refreshing and easily digested by others, even if they don't fully comprehend. I watch your video's often and today I subscribed. You earned at least that much.
The primary issue with ISP provided and most consumer routers is just how readily they are abandoned after maybe a year of security updates... this is my primary reason for leaving them in dumb mode wherever possible and having something of my own handling security.
This is beyond the ability of most non-technical people but, were I to shop for a consumer router, I would definitely pick one that can run aftermarket firmware. In fact, last year I bought an unsupported name-brand router from Goodwill for $10 and put an aftermarket firmware on it and now it’s excellent.
I'm new to your videos but liked what I saw, simple to understand and no rubbish in-between. I have recently started my journey into homelabs and have just bought a mini pc for my router with the plan of running opnsense so I would like to see your dive into it.
Dave, thanks for a great video. Clear, concise and easy to follow. If you want to squeeze everything you can out of your speed test however consider dumping your RJ45 transceivers. Besides consuming more power, 10GBase-T links have about 2.6 microseconds of latency whereas DAC (Twinax) and optical fiber links have only 300 nanoseconds of latency.
Wow! what a mouthful. Guess I need to step up my security game. For years NAT worked well, but I guess those days are past. You make me feel like a street racer in a 32 Ford hot rod left in the dust by the guy in a new Corvette.
Anti-virus doesn't work on encrypted internet traffic. And, you'll probably never need an IDS/IPS, unless you're hosting services and have open ports in your firewall. NAT isn't a security measure. All you need is a simple firewall.
I’m living with a double-NAT config (but with the ISP WiFi disabled). Was installing a new mesh solution and called my fiber ISP to ask how to set their combo modem-router into bridge mode as there was no UI I could find to do that. They have been excellent in all things, but in this case the answer was “Certainly, that’s a business feature and we can enable it for an additional $2,600 per year…” 😮 Since I didn’t want or need the added bandwidth and support that came with that price I thanked them and successfully live with the system as is. My ISP regularly gives me 2.5x more bandwidth than I pay for, so I’ve seen no negative impacts.
@@riteshdhawan8383 I’m on an island in the US Pacific Northwest. It’s a small ISP that has great service (both internet and people) but a small local staff. So they have standardized their equipment configs and support. People who want to bridge their equipment are usually businesses (not retired software engineers like myself) with some special needs who also want 1 Gbps+ service. So if I wanted bridge mode I’d need to go to one of those plans. Since I’m paying for 100 Mbps and consistently getting 2.5x that I don’t want to upgrade. I get why they want to standardize support and keep costs lower for most of us. And since they consistently over deliver I see no reason to complain.
I'm not surprised... here we have arbitrary cutoffs, like if I want a static IP or the next speed tier up, that's commercial, an extra $3600 a year just for being designated as such.
If you're wondering: In case, unlike Dave, you're not a Ubiquity fanboy: you can leave out the udm pro altogether and just go all the way with opnsense on protectli or whatever hardware you choose to use. It also does a way better job in dealing with redundant WAN ports. Im not hating ubiquity, i just learned to only use their wifi stuff the hard way :-D
One of my old ISPs blocked us from accessing the admin panel completely, the wifi password was the same on all routers and obviously couldn't be changed. Fun times.
A good source for OPNSense machines are used workstations. Companies offload them in bulk and you can find them very cheap online. You may need to buy a dual NIC seperately but I paid less for mine in total than some consumer boxes.
@@garanceadrosehn9691 As long as the C-states are enabled, the machine will spend most of its time at low voltage and clockspeed. OEM workstations from Dell, HP, etc are very high quality hardware with good, quiet, cooling, error correcting RAM and conservative Xeon CPU's. Most will have a lot of mileage, often running 24/7, so replacing the fans and hard drives is a good idea.
Been using the Protectli solution for my home for 3 years and it has been flawless. OPNSense is great. Like anything involved with network security, there is a learning curve, but it isn't too steep. It is also super easy to maintain. The best part, there are no moving parts. No PSU, CPU, or cooling fans to go bad. This sucker is 100% solid state.
Very good & valuable info. I wanted to add one piece of info: re:"you are probably stuck with whatever modem your ISP gave you." Don't just assume this. I am on fiber in the Seattle area, and I was able to call my ISP and ask for the ethernet jack on my ONT (Optical Network Terminal - the box on the outside of your house that the fiber connects to) to be enabled. 15 minutes and a ONT reboot later, I was able to plug my own router right in to the ONT. Your ISP might not publicize that this is possible - mine certainly didn't , and was not thrilled when I requested it be done - but it sometimes can be done. I had to work my way through a couple of levels of support first, but I have been up and running with my own router now for several years. It is worth asking about.
All good tips Dave! I'd love for you to go through opnsense IDS/IPS setup. I tried configuring and it cut my bandwidth by about 40-50%. I'm running a beefy enterprise class server with a hypervisor and the VM is definitely not resource constrained. I didn't know fully what I was doing and I probably had too many rulesets enabled. Couldn't be bothered to RTFM at the time. I tried to follow Tim and Lawrence's takes, but it wasn't sinking in. Maybe you'd be the key I need!
What an awesome video. Very informative and easy for even the least tech savvy among us to comprehend and utilize. Thank you for sharing your knowledge and being of service to people like my mom and sister. Our family is thankful for you.
Excellent job in solving your bandwidth bottleneck by moving your IDS/IPS off of your UDM Pro! 👏 Great thinking outside the box. Unfortunately, like many in the US, I can only dream of those kinds of internet speeds let alone getting FTTH.
You just answered a question I've had for a while now with AT&T 5 Gbps fiber with IDS/IPS enabled on my UDM-SE. Waiting for that walk-through with your OPNsense config!
A tip regarding an easy way to remember strong passwords. Choose a pattern on your keyboard. Eg 3 keys left to right. Or from up to down. Or from left to right, skip every second. Type your first password character, follow with the next 2 in your pattern. Repeat 4 times. I throw in a # in the middle and type lower case-upper case-lower case. This password is equal to 94 to the power of 13, argued. Pretty safe. All you have to remember are 4 characters and your pattern. The most easy to remember for a human are 3 characters. That is pretty safe too
Thanks for verifying my choice of a Protectli Vault running OPNSense along with a UniFi 7 Pro AP. I’m experiencing some difficulty setting up OPNSense on the Vault to direct multiple network streams (LAN, IoT, cameras, Guest) to the single 2.5 GBs UniFi Ethernet port which runs the 2.5, 5, and 6 GHz wireless networks over the 3 separate radios. Confused to say the least so it would be great if you could do an in-depth setup of OPNSense on the Protectli Vault.
I am literally unwrapping some new hardware right now to set up my new OPNSense router and vlan aware switch. Great timing on this video. I would love some more information on configuring OPNSense as the last time I really touched networking rules was in the early 2000s and things have changed a lot.
Thanks for sharing Dave. All valid points. I commend you for placing that ProtectLi between ISP modem and Unifi Pro. The only aspect where UDM Pro falls short is when it comes to its firewall this is where pfSense \ OPENSense outshines, so kudos for doing that. IDS\IPS is a necessity. Its good that Unifi product line offers it as part of thier equipment. I am suspecting you are using some kind of a Dedicated internet line from your ISP which I suspect is AT&T business. 0 Jitter, less than 2 digit ping times, and symmetrical inbound\outbound data, and 5 GBPS speed, are all hallmarks of a dedicated internet line.
Dave thanks for the video, I use pfsense on a netgate device but I assume the concepts to configure are similar to opensense. So I would love a deep dive on configuring opensense.
I feel like "Short Round" following Indiana through the cavern of computer science lit by the torch of Dave's guidance. I can always count on a thoroughness of coverage and "description of its surroundings". Thank you for task manager (among many things) by the way. Your work is appreciated. Also, there is much appetite for a low level walkthrough. Kalima...
Note that Netgear router/cable modem combos may not have the ability to update firmware if you buy your own, instead of getting it from the ISP. Only ISPs can update the firmware, and wont do so for a model you purchased even if it is identical to the model the ISP distributes to customers.
Good video. In my own situation, I have a layered configuration. My fiber connection goes into a pfsense firewall, which is the front door sitting before my DMZ assets. I then have a secondary firewall a UXG-Pro. All my network traffic is split VLANs.
Dave, I would definitely vote for seeing an in-depth walk thru of open sense. I had pfsense for several years but I feel I could not get the best config and monitoring. Now I have UniFi UPM Pro and 5g fiber so I would like to mirror your configuration.
I stream in 4K on a 50mb/10mb DSL connection. Having Gigabit today is far too much for most households. We have a lot of IOT devices, tablets, phones and multiple Smart TV's in the house all streaming and 0 issues. Unfortunately nothing else is available in our area but in a way who cares... $35/month for this DSL connection is PLENTY for the 4 of us. Even when we worked from home during the Pandemic. I do have it hooked up to a Netgate Router running PfSense. Works great!
WOW! I'm in Australia on 5G WiFi and the best speed I've ever got was 320mb down and 15up and Ping was 16. After seeing your speeds I'm ropeable. Thanks Dave.
I must admit I did go back and admire the thumbnail before actually placing my like vote on your comment praising it..... I did not pay much attention to the thumbnail - when it comes to Dave's videos I know teh quality is in the story not the thumbnail nor the production. Davehimself is the most of the value you'll ever get in one of his videos.
exactly on the same boat, have 1Gb now but could update to 5Gb, need to follow our lead, so looking forward the OpnSense config video in the future to implement this Vault solution. Appreciated Dave.
10:21 in addition the bridge mode, a DMZ is another solution that might be available. My isp unit is declined to offer bridge, but will happily DMZ an IP range (into which I include my Meraki security appliance)
Very cool.. I have used pfSense and OPNSense, but I never knew you could do a transparent bridge with IDS/IPS enabled.. I would like to see how this is configured.. Might be fun to try it again in combination with, or instead of my Unifi ERx
VERY interested in an OPNsense episode. Could skip basic setup--have done that a dozen times. But more info about system requirements,. setting up, configuring and maintaining/checking logs on Clam AV and IDS/IPS would be very helpful. I'm also using OPNsense on a Protectli Vault--really love the horsepower it provides for SPI, VPN, IDS/IPS, etc. But I know it's not working to its full capability. Thanks so much, Dave. Love your channel. Your interests overlap mine to a great extent. Looking forward to your next posting whatever the subject.
Here in Belgium some ISP's have made their television streamingboxes reliant on their own router. Putting them in bridge mode is a nightmare to get your TV to work again so double natting is almost obligatory, for site-to-site VPN in my family I have set up an overlay VPN service :p
there is no requirement to use the ISP modem. I replaced theirs with mine and stopped paying the rent. You just have to give them the configuration info so it'll work.
Just fyi the firewalla brand firewalls automatically do this out of the box. They'll quarantine any new Network devices and you can setup custom filters to block Internet, filter sites, whitelist macs, etc. they're really great devices that are consumer friendly, with a great ui, and don't require a subscription.
Would love to see your take on configuring OPNsense! I think I would absolutely gain helpful insights! An overview of the firewall, interfaces, and VLANs would really help me out. I'm still looking for a good explanation of how interfaces and VLANs communicate with one another, explanation of the default configuration, and best practices. Thanks, Dave!
5:30 any ISP that isn't just scraping the bottom of the barrel will automatically update the provided routers automatically through remote management, unless the router is so old that they, or the vendor, just isn't even providing security fixes anymore, in that case, just pester your ISP for a new router. 10:10 you might be able to enable DMZ and point to the second router, that way you'll limit some of the inconveniences of double NATting.
I've run OPNSense as my router for some time. I run it as a VM (Proxmox host) on an old Dell rack mount server (R210 II). Works great - wouldn't change, other than maybe a hardware upgrade if I upgrade my internet at some point. I also run Ubiquti equipment, but just APs. The management server for the Ubiquiti stuff is just a Debian VM running on the same box as OPNSense. Also, for your VPN, you should think about doing Wireguard - state of the art encryption with a very well done, clean sheet design and very high quality code. Funny you should be talking about OPNSense now. Linus Tech Tips just did a video the other day talking about how they were switching their router to an OPNSense box too.
Great video! I've been doing this myself for years, though use a Sophos XG firewall rather than PFSense/OPNSense (and before that, used Sophos UTM, Astaro Security Gateway, and WinRoute Pro). Changing DNS settings to use OpenDNS provides an additional layer of protection too. MAC address filtering in a whitelist mode can provide some additional protection (though can be easily bypassed via MAC address spoofing), as can not broadcasting the SSID.
Been using PFsense for years on a 5th gen I5 with 10G networking and IDS/IPS much prefer it over OPNsense. If your going to do an OPNsense video, consider PFsense as a comparison, just my 2 cens but I would consider PFsense the big brother to OPNsense
While I don't claim I have a 100% secure home network, I do have one major thing in my favor: wired Ethernet in almost every room. I'm not a big fan of WiFi anymore. It is convenient, but probably the best vector for attack. So I'm wired 99% of the time.
Not sure what you're saying here. Unless you have just turned wifi off, using a wired connection for most devices doesn't really change your attack surface much. It'd be pretty unusual for an attacker to go after the wifi link on a specific device. Instead, they will go after access to the network itself, at which point it won't matter which devices are on wifi and which are wired. Depending on how much access they manage to get, even having the devices on different VLANs might not help.
Thanks for this overview. This informations are 100% valuable to me since i'm connected through fiber for quite some time now and felt the urge to secure my network better. It would be nice, if you make a video about this OPN Sense setup and configuration. Have a nice day!
I've been running pfsense Plus on a Beelink EQ12 mini pc with 2x Intel 2.5Gb NICs - worth mentioning that pfsense doesn't always play well with Realtek NICs, that are common on consumer PCs. Yes, I would be interested in seeing your setup, I use pfBlockerng and ngtop, and the traffic monitor tots up my download and upload usage. Next step is IDS, like snort, etc. plus Wazuh feeding into Greylog. I will be moving IoT devices to their own vlan and preventing them accessing my other devices.
Though likely not a big difference, from what I can tell, you can set a static route to the second router after the ISP router though may be more complex and needing to make sure their IP ranges are different. I suspect there must be some benefit. Though the best is if your ISP uses pppoe and allows you to connect your own router to the ONT and all you need is a username and password from the ISP
I already run an OPNSense firewall but only have it with a very basic config. I would love to see a more in depth video on setting it up with more security and functionality.
very nice Dave. I have been doing most of your suggestions for years. But it is nice to get some confirmation. I have noticed that my ISP fiber device was not always honoring my DMZ zones I set up... and the conversation was well over the heads of the local technicians. I ended up with multiple port forwarding From ISP modem to my NightHawk then to my Synology for VPN access. The VPN on the Nighthawk is absolute crap.... The VPN on the Synology is much better but still no where near as good as PfSense. I agree with all your suggestions especially if you are building from scratch. The biggest advice I give friends and family.... never use the built in wireless from your ISP. Always get another device to stand between your ISP device and your home.
Hey Dave, you missed a legal fact about Cable Internet Providers, you can own and use your own Cable Modem. I have been using my own modem for over a decade and saving the cost of monthly modem rental from my cable provider. In my case I have a plain vanilla modem with no settings, Motorola MB8600, and that is plugged into my pfSense machine.
Its good that your service provider offers you the ability to use your modem. When it comes to AT&T Fiber Consumer, its next to impossible to bypass or get rid of thier equipment. Whatever 3rd party equipment such consumers want to use, it stands behind ISP device.
@@riteshdhawan8383yep ISP's have been able to get around alot of long standing regulations with the switchover to fiber. This is why they are adament about removing all traces of copper when installing fiber.
I just replaced an 8-year-old router with a new Unifi Gateway Lite just this past weekend (starting last Friday). My connection to the internet is slower than 1-GB/sec, so I expect this Gateway will be fast enough for me for awhile. I am still in the process of configuring VPN's on it, and checking out what other options I should turn on (or turn off), so RUclips picked an excellent time to recommend this video to me. Thanks for making it. I would still be interested in a video on OPNSense, as I had intended to go with that solution before this new Gateway Lite product was released. I like your strategy of putting OPNSense on one box in front of the Unifi router, which then allows you turn off IDS/IPS in the UDM-Pro. I will follow that strategy if I find that my Gateway Lite is having trouble keeping up with network traffic. (that isn't likely right now, but it might happen if FiOS shows up on my street! -- which was supposed to happen back in 2020, but then COVID hit)
Thanks for the mention Dave! Wow, he knows I exist!
Career goals, 1) Do cool stuff. 2) Get noticed by Dave Plummer 3) Speak at C3 Berlin about anything cool.
Omg you’re like… so famous now! 🤪
I was excited to hear Dave give you a shoutout as well
Love your channel! I'm like the piano teacher who stays one chapter ahead of the students, except I watch Techo Tim to do it :-)
@@DavesGarage ❤
You missed one. Create a Guest network but also create an IoT network. Put all the garbage devices like Echos and your fridge on that. Anything that uses a cloud service.
Hey bro, I have a question - what advantage does this offer?
@@theinsomniacmedic Separate networks are exactly that. They are separated from each other. I have my main network with all my PCs, NAS and TVs and what not. They all talk to each other. Then I have my IoT network with my fridge, microwave, thermostat, echos and what not. Those two networks cannot interact. In the event someone hacks into one of these cloud device, I couldn't care less. My main network is isolated. I also have a guest network for guests. As you can imagine none of those guests have any access to my devices.
@@JustinEmlay Nice I see now. Thanks alot brother, much appreciated.
@@theinsomniacmedic No problem at all!
That sounds like a great idea to me.
Please cover OPNSense
Avoid OPNSense, their security track record is far from stellar. Go for the original project they forked: pfsense. Less and slower updates but rock stable and on top of their security game.
Also curious in seeing this setup. Have toyed with a PiHole in the past, but was too much of a bottleneck
Never knew Dave censors comments. (previous post disappeared.)
Wont rewrite the whole thing, in short: go for pfsense instead of that fork. They (opnsense) were willing to stay on an EOL version of PHP which is a huge red-flag, and their past track record aint any better AFAIK.
@@jagdtigger Dave (likely) doesn't; RUclips however....it watches every post for keywords and hides them. Found this out THW
I would like to refer you over to the Garage: no, not this Garage, but RUclips channel @Jims-Garage (Jim's Garage). He has coverage over OPNsense and other great topics. We all could do with a Dave treatment of OPNsense however.
Thank you sincerely for this video. It's comforting to have advice from you, as I know you're not trying to sell me something, and you don't have any axe to grind.
I'm mostly in this for the subs and likes :-)
I'm in the process of rebuilding my OPNSense router right now. Having you talk about how great it is has been fantastic background audio.
One thing I think you overlooked, was DNS blacklisting. The Unbound config for OPNSense has lots of DNS blacklists to keep a lot of trackers, advertising networks, known botnets, etc all at bay - before they even get to the IPS or IDS.
Thanks again for your videos. I've liked and subbed, as you've asked. Cheers!
@DrTedEsq great info just in the nick of time. I’m configuring Unbound in a bit, thanks!
@@tonyscaminaci7959 In the early 2000's, I built a spam filter for the newspaper I worked for. By the time I left there, only 0.002% of emails sent were allowed through - and people still complained about too much spam. (thankfully, they were generally understanding when emails were blocked and had to be retrieved or resent)
Much of those denials were through DNS blacklists.
I can be a really blunt stick to what might be a delicate problem, but I think it's worth the potential trouble as whitelisting domains is super easy.
I went with a Protectli router about 2 years ago and running PFSense on it. I have full control over my home network and it's so easy to configure. I have set up firewall aliases to route certain traffic over VPN and also to block all my TV's and other devices that only need LAN access from the internet. I would love a detailed walkthrough on some more protective settings so I look forward to a video covering that!
i work in IT for a decently sized company of around 13,000 users. whenever i come across a tech oriented video, i get quite critical, as many do, im sure. i am far from claiming to be an expert in all things tech. ive seen some that claim to be, but none that are. in any case, i try to watch tech videos that i am learned about through the eyes of a person that has limited knowledge of anything IT related. thus the critiquing begins...i must say your way of explaining terminology to the layperson is exceptional, your overall knowledge of the subject is the same. top marks, sir and thank you for the education. as previously eluded to, we all cant know everything and youve definitely shown me a thing or two on several occasions. much appreciated.
Bro literally invented the Task Manager. What are you rating and babbling about
@@notaras1985Read what he wrote and understand what he said. And he used less l337 language, without "bro" in it.
Timely.... I am right now in the process of installing a vault with OPNsense... As a newby, I look forward to more content from you on this important topic. Thanks much.
I love my vault running OPNSense
I've said it before and I stand by it still: Your presentation format is one of the absolute best on RUclips. Okay, best anywhere. You're to the point, knowledgeable, and to the point. I really enjoyed this video and I agree with the solution you chose: it's really the best with > 1Gbps Internet. And really, if someone at home "only" has 200Mbps, this solution is still so much better than a vendor's supplied "router."
Also worth mentioning to people: Never use a vendor's router for WiFi--just not worth it. Put a firewall like you mentioned behind the vendor's router, then an access point( s ) or even cheap WiFi 6e router behind the firewall and you're better off from a security POV.
I wouldn't say "never", it depends on what they provide.. but if you want the latest WiFi 7 (and have devices that already support it), or you want > 1 Gbit on the local LAN ports, you'll probably have to provide your own, yeah, at least rn in early 2024.
Thanks for the kind words! Glad you fit it useful!
@@greggmacdonald9644Surely the main issue with ISP WIFI would be having to trust the ISP firewall, especially when the ISP maintains control of the "router" such as with combined "Cable Modem WiFi routers". You really want the AP behind a firewall you control.
@@TheUAoBIf you can't log into your ISP-Provided router and inspect or change settings within it, then sure! But I can log into the one my ISP provides and so did just that. Plus, you can always circumvent that PC-side anyway, using whatever DNS you'd like, and (if actually necessary), use a VPN to avoid ISP restrictions you can't get around locally. So, it's not an issue for many, I would think.
“Glad you “fit” it useful? -> R U AI?
Appreciate that you put into the video syllabus “T…g… requests in comments are from scammers, so don't respond to them.” I was *almost* *believing* that it WAS from you - especially the more intense second message that I received after having failed to respond to the first one.
Yeah, I'd be interested in more about deploying and configuring OPNSense. For me, probably more interested in a demo that gives me a flavor for more of the details of what's possible than a tutorial on how to do things, but something that's a little of each would be cool, too.
Great presentation of information. The addition of IPS/IDS is an absolute must given that it can be done subscription free nowadays. The other part I hope you touch upon one day is the proper setup of firewall rules and DNS shielding, both are heavily underrated topics.
This brings back memories from the early 2000s when I had a pooched-out Pentium II machine running Slackware with hand-written iptables and Snort scripts. I wonder if I have those scripts lying around somewhere...
Hi Dave, sure, would love to see your take on a deeper dive into pfsense/opnsense. Our home network setups are very similar (Ubiquiti implementation), minus the 5 gigabit part (1 gig fiber here). The performance impact is pretty dismal with the IDS/IPS enabled via Unifi. I appreciate that they offer it, but would prefer it externalized for performance, much like you described and have implemented. I had never heard of the Protectli Vault before, so this is very interesting to learn about. Thanks!
I'm a full unifi household as well, and from what I've heard there should be a refresh of the UDM Pro/SE in the next couple years that will do up to 10GB with IDS\IPS, and to be honest it's time for a hardware refresh, with the new Unifi OS 3.X there are some really cool features and it's becoming more of a mature platform.
Once Ubiquiti refreshes the UDM I'll definitely be replacing my UDM Pro even though I only have 1GB symmetrical fiber, I just want new hardware. Unifi is like a drug you can't wait for your next fix LOL
Yep. Opnsense is the router. Zenarmor scans all traffic. Country blocking is easy in Opnsense. Keep IOT on guest wi-fi.
I last tryed pfSense and openSence many years ago, and beyond about 2 gbps they sucked eggs, as soon as you enable state-full inspection it just goes to hell, no matter how much CPU power you give it, it cant keep up with it, now ill admit it was many years ago but nothings really changed in the setup so i don't expect it to perform any better.
All that said, for most home users at 1.5 / 2 Gbps its fine, it really is, it might stutter from time to time (especially when doing hundreds of downloads) but it works fine
@@Techguyericd But the one they sold/sells fails miserably at full speed ACL-based IPS. Even on 1Gbps. The Unifi hardware is woefully underpowered. It's a shame. Oh and their VLAN setup is uhmmm, thinking of a "good word," okay---"horrible." But then again, I have 40+ VLANs so I'm likely unique.
@@AnIdiotAboard_ No issues now using it on 10Gbps and 40Gbps connections (OPNsense).
You speak techie just casual enough for someone not familiar with the industry to at least get the gist of importance of such measures. The world (or at least my neighborhood) needs a raised awareness of security in a constantly expanding online world - especially since we are raising children. I find your quick, here is the information take it or leave it approach, to be refreshing and easily digested by others, even if they don't fully comprehend.
I watch your video's often and today I subscribed. You earned at least that much.
The primary issue with ISP provided and most consumer routers is just how readily they are abandoned after maybe a year of security updates... this is my primary reason for leaving them in dumb mode wherever possible and having something of my own handling security.
This is beyond the ability of most non-technical people but, were I to shop for a consumer router, I would definitely pick one that can run aftermarket firmware.
In fact, last year I bought an unsupported name-brand router from Goodwill for $10 and put an aftermarket firmware on it and now it’s excellent.
Nice presentation as usual, I currently use PFSense, but would look forward to your comparison video of OPNSense.
I'm new to your videos but liked what I saw, simple to understand and no rubbish in-between. I have recently started my journey into homelabs and have just bought a mini pc for my router with the plan of running opnsense so I would like to see your dive into it.
I'd love to see more coverage of pfSense and OPNSense
Dave, thanks for a great video. Clear, concise and easy to follow. If you want to squeeze everything you can out of your speed test however consider dumping your RJ45 transceivers. Besides consuming more power, 10GBase-T links have about 2.6 microseconds of latency whereas DAC (Twinax) and optical fiber links have only 300 nanoseconds of latency.
yup, Please do an OPNsense install and configure tutorial, i believe it will be helpful for a lot of people
Great 100,000 foot level analysis! The drill down was great too! This gives me the picture I need to work from for my own home network.
Hi Dave, YES, please do a walkthrough of OPNSense installation!!!!
Wow! what a mouthful. Guess I need to step up my security game. For years NAT worked well, but I guess those days are past. You make me feel like a street racer in a 32 Ford hot rod left in the dust by the guy in a new Corvette.
Anti-virus doesn't work on encrypted internet traffic. And, you'll probably never need an IDS/IPS, unless you're hosting services and have open ports in your firewall. NAT isn't a security measure. All you need is a simple firewall.
I’m living with a double-NAT config (but with the ISP WiFi disabled). Was installing a new mesh solution and called my fiber ISP to ask how to set their combo modem-router into bridge mode as there was no UI I could find to do that. They have been excellent in all things, but in this case the answer was “Certainly, that’s a business feature and we can enable it for an additional $2,600 per year…” 😮 Since I didn’t want or need the added bandwidth and support that came with that price I thanked them and successfully live with the system as is. My ISP regularly gives me 2.5x more bandwidth than I pay for, so I’ve seen no negative impacts.
Are you based in US, which ISP is asking $2600 for bridge mode on thier equipment?
@@riteshdhawan8383 I’m on an island in the US Pacific Northwest. It’s a small ISP that has great service (both internet and people) but a small local staff. So they have standardized their equipment configs and support. People who want to bridge their equipment are usually businesses (not retired software engineers like myself) with some special needs who also want 1 Gbps+ service. So if I wanted bridge mode I’d need to go to one of those plans. Since I’m paying for 100 Mbps and consistently getting 2.5x that I don’t want to upgrade. I get why they want to standardize support and keep costs lower for most of us. And since they consistently over deliver I see no reason to complain.
If in the US, I question if that is legal. I believe the consumers must be able to use their own equipment.
I'm not surprised... here we have arbitrary cutoffs, like if I want a static IP or the next speed tier up, that's commercial, an extra $3600 a year just for being designated as such.
What issues does double NAT cause?
I am planning to get set up a home network with an OPNSense router soon, so I would be happy to see a video from you about setting it up.
👏👏 Thanks Dave! A future in-depth video about OPNSense would not only be closely watched and supported, it would be well appreciated.
If you're wondering: In case, unlike Dave, you're not a Ubiquity fanboy: you can leave out the udm pro altogether and just go all the way with opnsense on protectli or whatever hardware you choose to use. It also does a way better job in dealing with redundant WAN ports. Im not hating ubiquity, i just learned to only use their wifi stuff the hard way :-D
One of my old ISPs blocked us from accessing the admin panel completely, the wifi password was the same on all routers and obviously couldn't be changed.
Fun times.
This is something I’ve been looking for comprehensive info on for a while. I’d love to see a deep dive into setting up a secure network.
A good source for OPNSense machines are used workstations. Companies offload them in bulk and you can find them very cheap online. You may need to buy a dual NIC seperately but I paid less for mine in total than some consumer boxes.
Those might come with a higher bill for electricity, though...
@@garanceadrosehn9691 As long as the C-states are enabled, the machine will spend most of its time at low voltage and clockspeed. OEM workstations from Dell, HP, etc are very high quality hardware with good, quiet, cooling, error correcting RAM and conservative Xeon CPU's. Most will have a lot of mileage, often running 24/7, so replacing the fans and hard drives is a good idea.
And these machines usually have vanilla hardware, Intel chipsets, NIC's, et al., so a Unix-type OS installation is low risk.
Oh I how I miss my wrt54g that crapped out on me recently. It was a beast with openwrt. It served well 🇺🇸
Keen to see an OPNSense tutorial. I really do wish Ubiquiti would release a UDM that supports IPS at higher line speeds
Been using the Protectli solution for my home for 3 years and it has been flawless. OPNSense is great. Like anything involved with network security, there is a learning curve, but it isn't too steep. It is also super easy to maintain. The best part, there are no moving parts. No PSU, CPU, or cooling fans to go bad. This sucker is 100% solid state.
Dave, please occasionally include block diagrams to show the layout(s) you describe….?
Very good & valuable info. I wanted to add one piece of info: re:"you are probably stuck with whatever modem your ISP gave you." Don't just assume this. I am on fiber in the Seattle area, and I was able to call my ISP and ask for the ethernet jack on my ONT (Optical Network Terminal - the box on the outside of your house that the fiber connects to) to be enabled. 15 minutes and a ONT reboot later, I was able to plug my own router right in to the ONT. Your ISP might not publicize that this is possible - mine certainly didn't , and was not thrilled when I requested it be done - but it sometimes can be done. I had to work my way through a couple of levels of support first, but I have been up and running with my own router now for several years. It is worth asking about.
All good tips Dave!
I'd love for you to go through opnsense IDS/IPS setup. I tried configuring and it cut my bandwidth by about 40-50%. I'm running a beefy enterprise class server with a hypervisor and the VM is definitely not resource constrained. I didn't know fully what I was doing and I probably had too many rulesets enabled. Couldn't be bothered to RTFM at the time.
I tried to follow Tim and Lawrence's takes, but it wasn't sinking in. Maybe you'd be the key I need!
What an awesome video. Very informative and easy for even the least tech savvy among us to comprehend and utilize. Thank you for sharing your knowledge and being of service to people like my mom and sister. Our family is thankful for you.
Excellent job in solving your bandwidth bottleneck by moving your IDS/IPS off of your UDM Pro! 👏 Great thinking outside the box. Unfortunately, like many in the US, I can only dream of those kinds of internet speeds let alone getting FTTH.
This is my first year with really good internet!
You just answered a question I've had for a while now with AT&T 5 Gbps fiber with IDS/IPS enabled on my UDM-SE. Waiting for that walk-through with your OPNsense config!
This was great. Would love a opnsense video!
would most defnitely appreciate a walk through of your OPNsense setup and how you configured between your ONT and SE
A tip regarding an easy way to remember strong passwords. Choose a pattern on your keyboard. Eg 3 keys left to right. Or from up to down. Or from left to right, skip every second. Type your first password character, follow with the next 2 in your pattern. Repeat 4 times. I throw in a # in the middle and type lower case-upper case-lower case. This password is equal to 94 to the power of 13, argued. Pretty safe. All you have to remember are 4 characters and your pattern. The most easy to remember for a human are 3 characters. That is pretty safe too
Thanks for verifying my choice of a Protectli Vault running OPNSense along with a UniFi 7 Pro AP. I’m experiencing some difficulty setting up OPNSense on the Vault to direct multiple network streams (LAN, IoT, cameras, Guest) to the single 2.5 GBs UniFi Ethernet port which runs the 2.5, 5, and 6 GHz wireless networks over the 3 separate radios. Confused to say the least so it would be great if you could do an in-depth setup of OPNSense on the Protectli Vault.
Thanks for removing that suspect link to a Telegram account. I knew it was fishy lol
I am literally unwrapping some new hardware right now to set up my new OPNSense router and vlan aware switch. Great timing on this video. I would love some more information on configuring OPNSense as the last time I really touched networking rules was in the early 2000s and things have changed a lot.
…BUT you are smarter than you were 20-years ago and user interfaces have improved. You’ll do much better now.
I would like an episode on OPNSense. Great episode
Thanks for sharing Dave. All valid points. I commend you for placing that ProtectLi between ISP modem and Unifi Pro. The only aspect where UDM Pro falls short is when it comes to its firewall this is where pfSense \ OPENSense outshines, so kudos for doing that. IDS\IPS is a necessity. Its good that Unifi product line offers it as part of thier equipment. I am suspecting you are using some kind of a Dedicated internet line from your ISP which I suspect is AT&T business. 0 Jitter, less than 2 digit ping times, and symmetrical inbound\outbound data, and 5 GBPS speed, are all hallmarks of a dedicated internet line.
Dave thanks for the video, I use pfsense on a netgate device but I assume the concepts to configure are similar to opensense. So I would love a deep dive on configuring opensense.
I feel like "Short Round" following Indiana through the cavern of computer science lit by the torch of Dave's guidance. I can always count on a thoroughness of coverage and "description of its surroundings". Thank you for task manager (among many things) by the way. Your work is appreciated. Also, there is much appetite for a low level walkthrough. Kalima...
Keep the videos coming, love all the different subjects you've covered. Something to nerd out on.
Note that Netgear router/cable modem combos may not have the ability to update firmware if you buy your own, instead of getting it from the ISP. Only ISPs can update the firmware, and wont do so for a model you purchased even if it is identical to the model the ISP distributes to customers.
Good video. In my own situation, I have a layered configuration. My fiber connection goes into a pfsense firewall, which is the front door sitting before my DMZ assets. I then have a secondary firewall a UXG-Pro. All my network traffic is split VLANs.
Dave, I would definitely vote for seeing an in-depth walk thru of open sense. I had pfsense for several years but I feel I could not get the best config and monitoring. Now I have UniFi UPM Pro and 5g fiber so I would like to mirror your configuration.
I stream in 4K on a 50mb/10mb DSL connection. Having Gigabit today is far too much for most households. We have a lot of IOT devices, tablets, phones and multiple Smart TV's in the house all streaming and 0 issues. Unfortunately nothing else is available in our area but in a way who cares... $35/month for this DSL connection is PLENTY for the 4 of us. Even when we worked from home during the Pandemic. I do have it hooked up to a Netgate Router running PfSense. Works great!
WOW! I'm in Australia on 5G WiFi and the best speed I've ever got was 320mb down and 15up and Ping was 16. After seeing your speeds I'm ropeable. Thanks Dave.
The thumbnail is gold
I must admit I did go back and admire the thumbnail before actually placing my like vote on your comment praising it..... I did not pay much attention to the thumbnail - when it comes to Dave's videos I know teh quality is in the story not the thumbnail nor the production. Davehimself is the most of the value you'll ever get in one of his videos.
It changed for me since first publication.... 🤷🏻♂️ The original was better...
Too many people complained about my bad photoshop work, which was kind of tongue-in-cheek bad, but not everyone got the joke!!
I didn't see that thumbnail due to Dearrow...
Very Good, I learned a few more things today. As always, I need to login to my routers and make more tweaks.
exactly on the same boat, have 1Gb now but could update to 5Gb, need to follow our lead, so looking forward the OpnSense config video in the future to implement this Vault solution. Appreciated Dave.
10:21 in addition the bridge mode, a DMZ is another solution that might be available. My isp unit is declined to offer bridge, but will happily DMZ an IP range (into which I include my Meraki security appliance)
Very cool.. I have used pfSense and OPNSense, but I never knew you could do a transparent bridge with IDS/IPS enabled.. I would like to see how this is configured.. Might be fun to try it again in combination with, or instead of my Unifi ERx
Good vid. This time around there wasn't anything new to update my knowledge, but I keep watching vids because I'll never assume I know it all. :)
Well done Dave! You presented a ton of material in a logical and comprehensive manner. Keep up the great work! 🎉
Why does Logical appeal to me...
Specs on the Dream Machine Pro’s say 3.5Gbps with IDS/IPS turned on.
Another Great video, keep it coming, I would love to see a deep dive into Open PFS
Thanks for another video, Dave! I'd enjoy seeing you cover OPNSense configuration!
Hey hey!!! Looking forward to the OPNSense walkthrough with you... :)
Thanks for the intro. Please do a vid on OPNSENSE, thanks!
Ive been racking my head on these concepts and you made them easy to approach and i'll be taking action on some of these items!! thank you!
VERY interested in an OPNsense episode. Could skip basic setup--have done that a dozen times. But more info about system requirements,. setting up, configuring and maintaining/checking logs on Clam AV and IDS/IPS would be very helpful. I'm also using OPNsense on a Protectli Vault--really love the horsepower it provides for SPI, VPN, IDS/IPS, etc. But I know it's not working to its full capability.
Thanks so much, Dave. Love your channel. Your interests overlap mine to a great extent. Looking forward to your next posting whatever the subject.
Here in Belgium some ISP's have made their television streamingboxes reliant on their own router.
Putting them in bridge mode is a nightmare to get your TV to work again so double natting is almost obligatory, for site-to-site VPN in my family I have set up an overlay VPN service :p
Thank you Dave, great topic and would like to watch more content like this.
Pro tip, ziply uses GPON and you can get a GPON to SFP+ converter and they support it for anything faster than 1gbps
there is no requirement to use the ISP modem. I replaced theirs with mine and stopped paying the rent. You just have to give them the configuration info so it'll work.
Yes, I guess I should have said you must have a modem, but you can own your own, which I did too!
Same here, and it paid for itself within about 18 months.
Just fyi the firewalla brand firewalls automatically do this out of the box. They'll quarantine any new Network devices and you can setup custom filters to block Internet, filter sites, whitelist macs, etc. they're really great devices that are consumer friendly, with a great ui, and don't require a subscription.
Would love to see your take on configuring OPNsense! I think I would absolutely gain helpful insights! An overview of the firewall, interfaces, and VLANs would really help me out. I'm still looking for a good explanation of how interfaces and VLANs communicate with one another, explanation of the default configuration, and best practices. Thanks, Dave!
5:30 any ISP that isn't just scraping the bottom of the barrel will automatically update the provided routers automatically through remote management, unless the router is so old that they, or the vendor, just isn't even providing security fixes anymore, in that case, just pester your ISP for a new router.
10:10 you might be able to enable DMZ and point to the second router, that way you'll limit some of the inconveniences of double NATting.
I've run OPNSense as my router for some time. I run it as a VM (Proxmox host) on an old Dell rack mount server (R210 II). Works great - wouldn't change, other than maybe a hardware upgrade if I upgrade my internet at some point. I also run Ubiquti equipment, but just APs. The management server for the Ubiquiti stuff is just a Debian VM running on the same box as OPNSense. Also, for your VPN, you should think about doing Wireguard - state of the art encryption with a very well done, clean sheet design and very high quality code.
Funny you should be talking about OPNSense now. Linus Tech Tips just did a video the other day talking about how they were switching their router to an OPNSense box too.
Please cover OPN thanks Dave
I usually plump for Openwrt and Pihole, Openwrt will run on many off the shelf routers, SBC etc.
Great video! I've been doing this myself for years, though use a Sophos XG firewall rather than PFSense/OPNSense (and before that, used Sophos UTM, Astaro Security Gateway, and WinRoute Pro). Changing DNS settings to use OpenDNS provides an additional layer of protection too. MAC address filtering in a whitelist mode can provide some additional protection (though can be easily bypassed via MAC address spoofing), as can not broadcasting the SSID.
Been using PFsense for years on a 5th gen I5 with 10G networking and IDS/IPS much prefer it over OPNsense. If your going to do an OPNsense video, consider PFsense as a comparison, just my 2 cens but I would consider PFsense the big brother to OPNsense
I fully enjoy your videos. Perhaps because one of my highlights regarding computers was when starting using BBS
Yes please, would like to see a deep dive into OPNSense
Love this video! Easy to digest and share with non-tech literate friends.
While I don't claim I have a 100% secure home network, I do have one major thing in my favor: wired Ethernet in almost every room. I'm not a big fan of WiFi anymore. It is convenient, but probably the best vector for attack. So I'm wired 99% of the time.
Not sure what you're saying here.
Unless you have just turned wifi off, using a wired connection for most devices doesn't really change your attack surface much. It'd be pretty unusual for an attacker to go after the wifi link on a specific device. Instead, they will go after access to the network itself, at which point it won't matter which devices are on wifi and which are wired. Depending on how much access they manage to get, even having the devices on different VLANs might not help.
Thanks for this overview. This informations are 100% valuable to me since i'm connected through fiber for quite some time now and felt the urge to secure my network better. It would be nice, if you make a video about this OPN Sense setup and configuration. Have a nice day!
I've been running pfsense Plus on a Beelink EQ12 mini pc with 2x Intel 2.5Gb NICs - worth mentioning that pfsense doesn't always play well with Realtek NICs, that are common on consumer PCs. Yes, I would be interested in seeing your setup, I use pfBlockerng and ngtop, and the traffic monitor tots up my download and upload usage. Next step is IDS, like snort, etc. plus Wazuh feeding into Greylog. I will be moving IoT devices to their own vlan and preventing them accessing my other devices.
Though likely not a big difference, from what I can tell, you can set a static route to the second router after the ISP router though may be more complex and needing to make sure their IP ranges are different. I suspect there must be some benefit. Though the best is if your ISP uses pppoe and allows you to connect your own router to the ONT and all you need is a username and password from the ISP
Definitely cover the OPNSense setup. Your videos are excellent.
Great video ! I must say that you should do audio books (as well as LOTS more RUclips videos) because your vocal presentation is wonderful.
I already run an OPNSense firewall but only have it with a very basic config. I would love to see a more in depth video on setting it up with more security and functionality.
Great advice and great video that a lot can learn from. Thanks for taking the time to make it!!
very nice Dave. I have been doing most of your suggestions for years. But it is nice to get some confirmation.
I have noticed that my ISP fiber device was not always honoring my DMZ zones I set up... and the conversation was well over the heads of the local technicians.
I ended up with multiple port forwarding From ISP modem to my NightHawk then to my Synology for VPN access.
The VPN on the Nighthawk is absolute crap.... The VPN on the Synology is much better but still no where near as good as PfSense.
I agree with all your suggestions especially if you are building from scratch.
The biggest advice I give friends and family.... never use the built in wireless from your ISP.
Always get another device to stand between your ISP device and your home.
Thank you for a great intro to home network security I am familiar with all of the parts but not all of the particulars.
It would be great if you'll cover open pfsens
Hey Dave, you missed a legal fact about Cable Internet Providers, you can own and use your own Cable Modem. I have been using my own modem for over a decade and saving the cost of monthly modem rental from my cable provider. In my case I have a plain vanilla modem with no settings, Motorola MB8600, and that is plugged into my pfSense machine.
Its good that your service provider offers you the ability to use your modem. When it comes to AT&T Fiber Consumer, its next to impossible to bypass or get rid of thier equipment. Whatever 3rd party equipment such consumers want to use, it stands behind ISP device.
@@riteshdhawan8383Where I'm from it's required by law that the ISP makes it possible to use 3rd party equipment.
@@riteshdhawan8383yep ISP's have been able to get around alot of long standing regulations with the switchover to fiber. This is why they are adament about removing all traces of copper when installing fiber.
Fantastic, Dave. Thank you for this. It's now bookmarked for future reverence . . . er, reference.
I'd add setup your router to use a filtering DNS such as Quad9 rather than your ISP's DNS and enable DNS over TLS.
Agreed on DoT
The UDM router he is using actually has DoH built-in now via a feature called DNS Shield.
I just replaced an 8-year-old router with a new Unifi Gateway Lite just this past weekend (starting last Friday). My connection to the internet is slower than 1-GB/sec, so I expect this Gateway will be fast enough for me for awhile. I am still in the process of configuring VPN's on it, and checking out what other options I should turn on (or turn off), so RUclips picked an excellent time to recommend this video to me. Thanks for making it.
I would still be interested in a video on OPNSense, as I had intended to go with that solution before this new Gateway Lite product was released. I like your strategy of putting OPNSense on one box in front of the Unifi router, which then allows you turn off IDS/IPS in the UDM-Pro. I will follow that strategy if I find that my Gateway Lite is having trouble keeping up with network traffic. (that isn't likely right now, but it might happen if FiOS shows up on my street! -- which was supposed to happen back in 2020, but then COVID hit)
Ha! RUclips now tells me that you've already made a video on OPNSense (6 days ago). Thanks! 😊
Brilliant video! Thanks Dave! Subscribed! OPNsense video would be fantastic!