Messages - stanps

#1
Quote from: Patrick M. Hausen on March 15, 2025, 12:36:50 AM
If you have inbound port forwarding rules or IPv6 allow rules for publicly accessible services, Crowdsec or blocklists are worth considering, IMHO.

Not a fan of IDS/IPS in general, because I think it's a fundamentally flawed concept.

I stopped using Crowdsec because the free blocklists are really not worth the effort of configuring and maintaining the service. For a company I would consider it, but just a bit under $100 per month for the most basic subscription is prohibitive for me as a private user. All the interesting blocklists are subscription only.

$100 per year like I pay for Proxmox and I would be in.

So I just use FireHOL and friends for inbound connections, now.

If you do not have inbound connections for public services at all, I don't see a reason to use any of these products/technologies.

Install AdGuard Home for some DNS based filtering for outbound and you are good to go.

Rock 'n Roll! I have no inbound connection for anything on the public side.

Thank you!

-S
#2
Hey there.

If I have the default deny all rules on my external interfaces, does IDS or CrowdSec offer any advantage on those interfaces?  I vacillate every time I read something on this.

Thank you in advance,
Stan
#3
I bought a HUNSN from Amazon and it's been rock solid.

This is the one I bought.  I might have gone a little overboard with 16 GB RAM and 256 GB SSD... but I've got room to grow.

https://www.amazon.com/dp/B0CG1BVGDX
#4
Just to close the loop on this, if anyone is curious.

It turns out that I had to adjust my System > Gateway > Configuration items.  Specifically, Weight and Priority on each interface.  I had Priority correct, but Weight was set opposite of what it should have been.

Hope this helps someone.
-S
#6
General Discussion / Re: Handling _ldap._tcp.dc._msdcs
February 24, 2025, 02:15:50 PM
Quote from: dseven on February 24, 2025, 10:51:11 AM
side-note: using ".local" for anything other than mDNS is generally not recommended

Since presumably "ourhome.local" is internal-only, you could change [Services > Unbound DNS > General > Local Zone Type] to "static"

It IS internal only.

Thanks!  I'll check out the options there (Local Zone Type).
-S
#7
General Discussion / Handling _ldap._tcp.dc._msdcs
February 24, 2025, 12:35:01 AM
Just wondering what everyone is doing so the request for _ldap._tcp.dc._msdcs and wpad, don't get forwarded to the internet.  I'm not running a Windows domain, and I noticed these requests were being forwarded through Unbound DNS.

I've added them as overrides, pointing them to the firewall.  Should I bother?  Is this a bad idea?

Thanks in advance.
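As an added illustration (not from stanps' or dseven's posts), here are the Unbound settings behind the two suggestions in this thread: a forward-everything configuration that leaks the _msdcs and wpad lookups upstream, beside one that keeps the internal zone local. "Local Zone Type = static" in the OPNsense GUI corresponds to the `local-zone ... static` line; the zone name ourhome.local comes from the thread, while the upstream resolver and firewall addresses are constructed placeholders.

```conf
# --- Weak: anything Unbound cannot answer itself goes to the upstream
# resolver, including _ldap._tcp.dc._msdcs.ourhome.local and
# wpad.ourhome.local, which tells the outside world your internal suffix
# and invites a WPAD answer from a name you do not control.
server:
    interface: 0.0.0.0
forward-zone:
    name: "."
    forward-addr: 192.0.2.53            # placeholder upstream resolver (constructed)

# --- Hardened: the internal zone is answered from local data only.
server:
    interface: 0.0.0.0
    # static: names in the zone with no local-data record get NXDOMAIN
    # instead of being forwarded (GUI: Local Zone Type = static).
    local-zone: "ourhome.local." static
    local-data: "firewall.ourhome.local. A 192.0.2.1"   # placeholder firewall IP (constructed)

    # WPAD probes are refused whatever suffix the client appends;
    # always_nxdomain makes the intent explicit even inside a static zone.
    local-zone: "wpad." always_nxdomain
    local-zone: "wpad.ourhome.local." always_nxdomain

    # AD domain-controller locator records: there is no Windows domain
    # here, so the whole _msdcs subtree is answered locally with NXDOMAIN.
    local-zone: "_msdcs.ourhome.local." always_nxdomain
forward-zone:
    name: "."
    forward-addr: 192.0.2.53            # same placeholder upstream resolver

# Check after reloading (run from a LAN host; 192.0.2.1 is the placeholder
# firewall address):
#   unbound-checkconf
#   drill @192.0.2.1 _ldap._tcp.dc._msdcs.ourhome.local SRV   # expect NXDOMAIN
#   drill @192.0.2.1 wpad.ourhome.local A                     # expect NXDOMAIN
```

The override approach stanps describes (pointing the names at the firewall) also stops the leak, but it returns a real address for wpad, so a client will try to fetch a PAC file from the firewall; NXDOMAIN is the safer answer for names that should not exist.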
#8
The rest of my screenshots
#9
Hey all!  Long time lurker, first time poster. :D

I have a question regarding how to prefer one WAN interface over the other.

I have 2 ISPs and one LAN.

I'll attach pics to show what I'll attempt to describe.

My i3 ISP is 1 Gb up/down, and Spectrum is 500 Mb up/down.  I'm TRYING to make traffic prefer i3 over Spectrum.

Gateway Configuration - i3 Priority = 25, Spectrum = 50.

Gateway Group - both Tier 1.

Firewall Shaper Pipes - 450 Mbit/s pipe and 850 Mbit/s pipe.

Firewall Shaper Queues - 450 MB Pipe with weight of 75 for Upload, 450 MB Pipe with weight of 100 for Download, 850 MB Pipe with weight of 75 for Upload, 850 MB Pipe with weight of 100 for Download.

Firewall Rules - i3 Download Rule using the 850 MB Download Queue, i3 Upload Rule using the 850 MB Upload Queue, Spectrum Download Rule using the 450 MB Download Queue, Spectrum Upload Rule using the 450 MB Upload Queue.

Firewall Shaper Status consistently shows the Spectrum connection getting more of the traffic, and I don't understand why.
#10
Perfect!  Thanks dseven!  That's what I figured, but with the FreeBSD update (specifically), I just wanted to be sure.

Thanks again!
-S
#11
Hey everyone.

Long time listener, first time caller.

I'm wondering what the best practice is for upgrading to 25.x when it's released.

Should/Can I upgrade in place and just keep moving forward?

Or, should I upgrade and reset the box, and reconfigure from scratch?

I'm using a Hunsn micro PC: i3 8-core, 16 GB RAM, 512 GB SSD.

Thanks in advance,
Stan