Looking to install OPNsense and Ad blocking.

Started by EvilBob, February 12, 2021, 05:37:00 AM

Hello,

I am looking to install OPNsense as my firewall here at home. One thing that would really be nice would be to be able to block ads that come into my local, home network.

With that said, I have a few questions!

* Does ad blocking with OPNsense require a separate module, or another computer?
* Is there a way to block ads within OPNsense? (if yes, is it easy to set up?)
* Also, is there a step-by-step guide available to walk someone through configuring the firewall to block ads?

Thank you!

You can either pay 10 dollars a month for Sensei, which does ads, apps, all sorts of layer 7 stuff, and works very well. Or you can set up a Pi-hole server and do it yourself for free. OPNsense does have Unbound but it's not as good imo as Pi-hole. Sensei is very good if you're not a cheapskate. It is also very easy to use because someone else is categorising all the different types of traffic for you and keeping it up to date.

Thank you for your reply.  I took a quick look at the Sensei feature page and I see information about "Cloud Management", "Cloud Web", etc. 

If I understand this correctly, having to use a cloud-based service with a firewall could be a potential security hole.

I will research the pihole option.


The cloud management is optional. I don't use it myself. Its main feature is continually updating against their rulesets so the moment new threats appear you are protected. E.g. if a malicious botnet IP is found you are immediately protected against it because their database is retrieved by your Sensei installation. It's fairly good and secure from that perspective. I don't know how the cloud part works but I think it's more for MSPs who have multiple installations to look after, so I don't use that, and it is a module you just don't turn on.

There are a lot more options, most of them free and built in:
1. Built-in: Services -> Unbound DNS -> Blacklist
2. Install Adguard Home _on your OPNsense_ - very similar to pihole. (a) install community repo https://www.routerperformance.net/opnsense-repo/, (b) install plugin adguard home, (c) configure via web-GUI on port 3000
3. Use free NextDNS service (nextdns.io)
4. Use Squid / SquidGuard plugin to filter ads. (may be slow)
5. ...

I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Pi-Hole!

I literally added OPNSense to my home network yesterday.
Before that, I had 2x Raspberry Pi 4 4GB running as my DNS Server, Unbound recursive DNS, and ADs/tracking blocker.
It works amazingly well. Easy to manage and block rubbish.

OPNSense is set to use both Pi-Holes as DNS servers.

Sensei is free up to 50 devices.
With Sensei I was able to find out DNS calls that were dangerous, I blocked them on Pi-Hole.
I was also able to see my smart TV with Google DNS hardcoded skipping Pi-Hole, etc.

Pi-Hole is so easy to set up, you should give it a go.

Some people might suggest the AdGuard plugin within OPNSense to you. They both have the same purpose but they work totally differently; AdGuard has some weird way to deal with things. Just compare both communities to see the posts. Anyways  :)
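An added example, not part of the post above or of any project mentioned in the thread: one way to spot clients such as the smart TV with a hardcoded DNS server is to scan flow records for DNS traffic that does not go to the local resolvers. The record format, the resolver addresses and the LAN range are assumptions made up for this sketch.

```python
import csv
import ipaddress
from collections import defaultdict

# Assumed addresses of the two local resolvers (placeholders, not from the thread).
LOCAL_RESOLVERS = {"192.168.1.2", "192.168.1.3"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
DNS_PORTS = {53: "dns", 853: "dot"}  # plain DNS and DNS-over-TLS

# Constructed sample flow records: time,src,dst,proto,dport
SAMPLE_LOG = """\
2021-02-18T04:40:01,192.168.1.50,192.168.1.2,udp,53
2021-02-18T04:40:02,192.168.1.60,8.8.8.8,udp,53
2021-02-18T04:40:03,192.168.1.60,8.8.4.4,udp,53
2021-02-18T04:40:04,192.168.1.2,9.9.9.9,udp,53
2021-02-18T04:40:05,192.168.1.70,1.1.1.1,tcp,853
2021-02-18T04:40:06,192.168.1.50,93.184.216.34,tcp,443
"""

def find_dns_bypass(log_text, resolvers=LOCAL_RESOLVERS, lan=LAN):
    """Return {client_ip: sorted list of (dst, kind)} for LAN clients
    that send DNS traffic anywhere other than the local resolvers."""
    hits = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5:
            continue  # skip malformed lines
        _, src, dst, _proto, dport = row
        try:
            port = int(dport)
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip lines with a bad port or address
        if port not in DNS_PORTS or src_ip not in lan:
            continue
        if src in resolvers:
            continue  # the resolvers themselves must reach upstream servers
        if dst not in resolvers:
            hits[src].add((dst, DNS_PORTS[port]))
    return {client: sorted(dests) for client, dests in hits.items()}

if __name__ == "__main__":
    for client, dests in find_dns_bypass(SAMPLE_LOG).items():
        print(client, "->", dests)
```

DNS-over-HTTPS on port 443 cannot be told apart from web traffic by port alone, so this check covers only ports 53 and 853.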

Quote from: Cadish on February 14, 2021, 08:18:52 PM
I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Is there any advantage using all three of them?
If you use adguard I do not see an advantage of unbound with blocking list.
Does sensei free on top of these give you so much more?

These are serious questions from me. So far, I was using unbound as forwarder and sensei free. I am just testing adguard and asking myself what unbound and sensei could be good for if I would use adguard.

Adguard is only installed on some devices, not all. I don't know if Sensei is adding a lot of value on top or not... Probably all of these have a lot of overlap, but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...

Quote from: Cadish on February 20, 2021, 05:02:05 PM
Adguard is only installed on some devices, not all.

OK, you are talking about AdGuard on client devices. I was talking about AdGuard Home on OPNsense.

Quote from: Cadish on February 20, 2021, 05:02:05 PM
but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...

Resources on the OPNsense box. Performance.
I would like to avoid spending firewall resources two or three times on something that is already done.

Quote from: ratoloko on February 18, 2021, 04:45:46 AM
Some people might suggest the AdGuard plugin within OPNSense to you. They both have the same purpose but they work totally differently; AdGuard has some weird way to deal with things. Just compare both communities to see the posts. Anyways  :)
That is bullshit.

Both piHole and adguard home(!) work as a DNS server with DNS blacklists.

Using an app based DNS blocking - such as "adguard" app - is different, but don't confuse it with adguard home.

Just a suggestion by a noob home user to another home user: Maybe use Home Assistant (WireGuard integration) to get it set up and experiment? I do not have experience with WireGuard setups, but some things can easily be set up using HA.

Just a suggestion as a noob user, maybe this doesn't make sense at all...  ???

@EvilBob - if your goal is to reduce the ads (no solution currently can guarantee you'll be 100% ad-free) then go with the easiest setup, that is Unbound + blacklist - and the uBlock Origin extension for your browser  8)