Messages - PeeWeeHerman

#1
Hi All,

I'm trying to set up a (hopefully) simple VPN configuration but not sure how to proceed.

I am using a 3rd party VPN supplier and set that up as an OpenVPN client.
This now gives me two working gateways: one for my ISP (default WAN) and one for the VPN.

Now I know you can configure specific IPs to be redirected via the different gateways, but I want to use the FQDNs.
In my current configuration I'm only using Unbound DNS doing recursive DNS.

I would like to do one of the following:

Option 1:
Direct all traffic from a specific interface/VLAN to the VPN Gateway with the exception of a list of specific domain names which I will specify in a file; those will go through the WAN.

Option 2:
Direct all traffic from a specific interface/VLAN to the WAN/ISP Gateway with the exception of a list of specific domain names which I will specify in a file; those will go through the VPN.

Are either of the options possible without hacking the firewall 'too much'?

Thanks
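An added example, not from the post and not OPNsense's own code: the usual way a firewall routes "by FQDN" is to resolve the listed names into an address table that a policy-routing rule references, and to re-resolve each name as its DNS TTL expires. The Python below shows that mechanism with an injected resolver and adjustable clock so it runs offline on constructed data (`FqdnTable`, `parse_domain_file`, `FakeClock` and the sample names/addresses are all my own). It also carries two caveats a defender wants when building such an exception list: a lookup failure keeps the previous addresses rather than emptying the table (an empty table would silently shift that traffic to the other gateway), and `owners()` exposes when several names share an address, which is where a "just this site" exception quietly widens to everything hosted on the same CDN node.

```python
import socket
import time
from typing import Callable, Dict, List, Set, Tuple

# A resolver maps a name to (addresses, ttl_seconds).  The default uses the
# system resolver, which hides TTLs, so it falls back to a fixed interval.
Resolver = Callable[[str], Tuple[List[str], int]]
DEFAULT_TTL = 300


def system_resolver(name: str) -> Tuple[List[str], int]:
    """Resolve with getaddrinfo; TTL is not exposed, so assume DEFAULT_TTL."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos}), DEFAULT_TTL


def parse_domain_file(text: str) -> List[str]:
    """One FQDN per line; '#' starts a comment, blank lines and duplicates are dropped."""
    names: List[str] = []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name and name not in names:
            names.append(name)
    return names


class FakeClock:
    """Adjustable clock so TTL expiry can be shown without waiting."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FqdnTable:
    """Address table built from FQDNs, refreshed per name as its TTL expires."""

    def __init__(self, names: List[str], resolver: Resolver = system_resolver,
                 clock: Callable[[], float] = time.time) -> None:
        self.names = list(names)
        self.resolver = resolver
        self.clock = clock
        self.addrs: Dict[str, Set[str]] = {}
        self.expires: Dict[str, float] = {}
        self.failures: Dict[str, int] = {}

    def refresh(self, force: bool = False) -> Tuple[Set[str], Set[str]]:
        """Re-resolve expired names; return (added, removed) versus before."""
        before = self.members()
        now = self.clock()
        for name in self.names:
            if not force and now < self.expires.get(name, 0.0):
                continue  # still within TTL, no lookup needed
            try:
                addrs, ttl = self.resolver(name)
            except OSError:
                # Keep the last known addresses: emptying the table on a
                # transient DNS error would silently move that traffic to
                # the other gateway.  The name is retried on the next refresh.
                self.failures[name] = self.failures.get(name, 0) + 1
                continue
            self.addrs[name] = set(addrs)
            self.expires[name] = now + max(ttl, 1)
        after = self.members()
        return after - before, before - after

    def members(self) -> Set[str]:
        """Flattened set of addresses currently in the table."""
        return set().union(*self.addrs.values()) if self.addrs else set()

    def owners(self, addr: str) -> List[str]:
        """Names that resolved to addr; more than one means a shared host, so
        the routing exception covers every site on that address."""
        return sorted(n for n, a in self.addrs.items() if addr in a)


# Constructed sample input; the addresses are documentation ranges, not real.
SAMPLE_DOMAIN_FILE = """
# sites that should bypass the VPN
Bank.Example.       # trailing dot and case are normalised
video.example
video.example       # duplicate, dropped
"""
SAMPLE_DNS: Dict[str, Tuple[List[str], int]] = {
    "bank.example": (["192.0.2.10"], 3600),
    "video.example": (["198.51.100.5", "198.51.100.6"], 60),
}


def demo_resolver(name: str) -> Tuple[List[str], int]:
    """Offline stand-in for DNS, driven by SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN {name}")
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    clock = FakeClock()
    table = FqdnTable(parse_domain_file(SAMPLE_DOMAIN_FILE), demo_resolver, clock)
    print("initial (added, removed):", table.refresh())
    SAMPLE_DNS["video.example"] = (["198.51.100.7"], 60)  # CDN moves the name
    print("inside TTL, no change:", table.refresh())
    clock.advance(61)
    print("after TTL expiry:", table.refresh())
    print("owners of 198.51.100.7:", table.owners("198.51.100.7"))
```

The refresh interval is the whole story here: between refreshes, traffic to an address the name no longer uses still takes the exception path, and a new address the name has moved to takes the default path, so the table is only as accurate as its last lookup. Running the refresh from the same resolver the clients use (Unbound, in the setup above) keeps the table and the clients' view of the names consistent.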


#2
Hi,

Is it possible to enable different rulesets/rules on different interfaces, and specifically VLANs?

Some Examples:

Work VLAN: Company is using zscaler, etc for networking and IDS is going crazy trying to analyse that traffic. I want to disable some rules.

Personal VLAN: I want a few more rules enabled but nothing crazy.

Kids VLAN: This is for computer literate and inquisitive teenagers. I want everything enabled including the kitchen sink.

Thanks

#3
I'm looking to filter by website categories. I know that there are cloud services that provide this functionality but that involves sending a request to them every time.

Are there any places where I can get the latest category lists and process them locally?
Since I don't want to store the internet on my hard drive, it would be good if there were options for a 'popular website' list or specific category list which I work locally and then 'outsource' the rest.

I understand that those lists become IP for some companies, so if there are no free ones I'm willing to pay a 'reasonable' amount (human reasonable not Bill Gates reasonable).

Unfortunately googling for 'website category lists' either gives me services providing this in their package or at best a REST endpoint for checking individual URLs.

The only other way I can think of doing this is building up a local cache of every website visited, but I would like to have some predefined (smaller problem) and there is no way for me to keep the list from stagnating (bigger problem).

#4
Hi All,

I have a bit of a configuration dilemma. I have a decent old PC and would like to install OPNsense but would like to add additional software so the hardware doesn't go to waste.

Hardware:
- Intel I7-2600K with 1GB NIC on motherboard
- 32GB DDR3
- Intel I350-4 NIC
- 500GB Single SSD

Internet Setup:
- 350Down/35Up - Fibre connection
- Router/Modem connecting to the onboard NIC as WAN

Internet Usage:
- Streaming (Need B/W Volume)
- Gaming (Need Low Latency)
- Home Working (Need Stability)

Core Firewall Software:
- OPNsense
- AdGuard Plugin - Using the 'core' blacklists, nothing crazy.
- Sensei Plugin (Maybe, still not convinced if I need it together with AdGuard)
- IDS/IPS Plugin - Once again just the 'core' blacklists.
- No VPNs on the FW, I have VPN software on the windows boxes.
- Some sort of Parental control script or will use Sensei
- lets-encrypt plugin
- Cron Jobs

Expected NIC Assignment:
- On-Board - WAN
- Card NIC0 (Main LAN) - My PC (access to FW Interface/SSH) / Work PC Subnet
- Card NIC1 (OPT1) - TV/Firestick/Netflix
- Card NIC2 (OPT2) - Family Router/Home Wifi (Laptops/Phones)
- Card NIC3 (OPT3) - IoT/Alexa VLANs

Additional Software:
- Jenkins Controller (No agents) - Would be controlling agents inside network and in cloud.
- Grafana Server (Could use the community plugin)
- Log/Statistics database (MySql/Mongo) with scheduled offsite backups.

So I now have 2 options:
1) Run everything on the same server. Jenkins and the DB maintenance would be done via SSH to the FW box.
2) Virtualise (Proxmox?) - Firewall on one VM with passthrough NICs and the other software on one or two other VMs.

Question: Which option is 'better (tm)'?

Each one has obvious pros but the cons:

Cons - Option 1:
Running other software outside of the confines of the FW is never a good idea.
The log/statistics database I can lock down, I think the problem is Jenkins.
Issue 1: It runs on Java. Issue 2: Even if I consider Jenkins itself safe, there is no way I can validate the integrity of its plugins. Yes, I can try to lock it all down, but I'm human, I'll miss something.

Cons - Option 2:
Virtualising the firewall. While I'm relatively convinced that the hypervisor will not be compromised, I'm somewhat worried about the extra layer of complexity. That said, if I get my NIC pass-through done correctly everything else should be relatively problem free.

So having written this all out I've almost talked myself into option 2 since the benefit of virtualization and the con of putting 'alien' software on the firewall seem to outweigh all else.

Can anyone shed some light and/or maybe suggest another reason to swing either way?

Thanks!