General Discussion / Re: when my internet connection drops
« on: August 29, 2022, 07:44:15 pm »
One doubt: is there any way to restart Unbound automatically? In pfSense there is a watchdog, but in OPNsense, with Monit?
Suricata, and IPS in general, is also quite heavy on resources.
...
Just one opinion about your last post. You are totally right on that point and I would like to add something. At the beginning I was a bit of a fan of IPS, but after months and months I realized it's draining a lot of resources and... just for very little protection!
Right now IPS just watches for non-encrypted traffic (please tell me if this has changed on OPNsense), at a very heavy resource cost. I think there is no official number, but people on reddit usually are OK with the "90% encrypted, 10% non-encrypted" idea.
What I always recommend is not using IPS but IP blocklists. Blocklists will just block all the unwanted traffic of the listed IPs (remember to use good and updated lists). With IPS you will have to pray for two things: for that "bad traffic" to be non-encrypted, and to have an active rule for that kind of attack in case the traffic is non-encrypted.
Blocklist resource cost is totally negligible.
but Zenarmor does not do IPS
Zenarmor is IPS, though you have to buy at least the home license to use all of its features.
The features in the picture are what IPS does: it kills connections to known malicious sources. It isn't as advanced and doesn't necessarily have as wide a database, but as a private individual you don't need a more secure IPS than Zenarmor.
Without proper configuration, Suricata might block you from using VPN (sole purpose for people to use VPN is to bypass firewall and DNS blocks which allow them to watch netflix movies, released in other countries), it also can block traffic for some online games because some of their servers have been compromised and so on.
IPS (Intrusion prevention system) is what the name implies, system which blocks known threats and connections.
It is very important to follow the order explained
server:
    # required because one of the forwarders below is on localhost (::1);
    # by default Unbound refuses to send queries there
    do-not-query-localhost: no
forward-zone:
    name: "."                          # "." = forward every zone, i.e. all queries
    forward-addr: 192.168.30.254@5310  # IP@port of the first forwarder
    forward-addr: ::1@5353             # second forwarder, the local resolver on port 5353
Thank you very much, I have tried it and it works.
Opnsense 22.1 Clean Install - Installation:
It is very important to follow the order explained
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - OPNsense - System - Settings - General
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - OPNsense - Services - Unbound - DNS over TLS
Set the desired DNS servers, e.g. Cloudflare:
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
6 - OPNsense - Services - Unbound - General
Listen Port: 5353
7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard Home setup
8 - AdGuard Home - DNS Configuration - Upstream Servers: Add router_ip:5353 ( 192.168.1.1:5353 ) and delete the existing ones
Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
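After steps 4 to 8 the chain is: LAN clients -> AdGuard Home on :53 -> Unbound on :5353 -> upstream over DNS-over-TLS on :853. The part that is easy to get subtly wrong is step 5: with forward-tls-upstream on but no auth name (the "Verify CN" field, which as far as I know OPNsense writes as a '#name' suffix on forward-addr) Unbound encrypts the query but does not verify who it is talking to, and a listen port left at 53 collides with AdGuard Home. The script below is an added example, not code from the post, from OPNsense or from Unbound: it parses an unbound.conf-style forwarding config (it also handles the forward-zone config posted further up) and reports those mistakes. Both sample configs are constructed by hand; the file path in the usage note is an assumption.

```python
"""
Audit an Unbound forwarding config for the ways the DNS-over-TLS setup can
silently degrade.  Added example for this thread, not code from the post,
from OPNsense or from Unbound; both sample configs are constructed by hand.
"""
import re

# Constructed sample of what the procedure should end up with.  The '#name'
# suffix on forward-addr is (as I understand the generated template) how the
# "Verify CN" field reaches Unbound.
HARDENED_CONF = """
server:
    port: 5353                      # step 6: keeps 53 free for AdGuard Home
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

# Constructed weak variant: TLS is switched on, but there is no auth name and
# no CA bundle, one upstream still goes out in cleartext on 53, and the
# listen port collides with AdGuard Home.
WEAK_CONF = """
server:
    port: 53
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 9.9.9.9
"""

# forward-addr syntax: ip, optional '@port', optional '#authname'
ADDR_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+?)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def _strip_comment(line):
    # A '#' at line start or after whitespace is a comment; a '#' glued to an
    # address ('1.1.1.1@853#host') is the auth name and must survive.
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def parse_unbound(text):
    """Return [(section, [(key, value), ...]), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                       # 'server:' / 'forward-zone:' header
            sections.append((key, []))
        elif not sections:
            raise ValueError(f"attribute before any section: {line!r}")
        else:
            sections[-1][1].append((key, value))
    return sections


def audit_dot(conf_text):
    """Return a list of findings; an empty list means the chain is sound."""
    findings = []
    sections = parse_unbound(conf_text)
    server = dict(kv for name, items in sections if name == "server" for kv in items)
    if int(server.get("port", 53)) == 53:
        findings.append("server: listens on 53, which AdGuard Home needs; set port 5353")
    has_ca = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    uses_tls = False
    for name, items in sections:
        if name != "forward-zone":
            continue
        zone = dict(items).get("name", "?")
        tls = ("forward-tls-upstream", "yes") in items
        uses_tls = uses_tls or tls
        for key, addr in items:
            if key != "forward-addr":
                continue
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"zone {zone}: cannot parse forward-addr {addr!r}")
                continue
            port = int(m.group("port") or 53)
            if not tls:
                findings.append(f"zone {zone}: {addr} is queried in cleartext (forward-tls-upstream is not yes)")
            elif port != 853:
                findings.append(f"zone {zone}: {addr} has TLS enabled but talks to port {port}, not 853")
            if tls and not m.group("auth"):
                findings.append(f"zone {zone}: {addr} has no #authname, so the upstream certificate is not verified")
    if uses_tls and not has_ca:
        findings.append("server: no tls-cert-bundle or tls-system-cert, so there is no CA store to validate the upstream certificate against")
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(label, audit_dot(conf) or "OK")
```

To use it on the firewall, feed it the generated Unbound config (on OPNsense I believe that is /var/unbound/unbound.conf, but check the path on your install) rather than the GUI fields: the file is what Unbound actually runs with. The parser is deliberately minimal (no include: handling) and is not a substitute for unbound-checkconf.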
Thanks for this detailed installation way!
I just used this easy install guide (in German): https://hoerli.net/opnsense-adguardhome-werbefrei-trackerfrei-und-hinter-einer-guten-firewall/.