One feature i find useful with pfBlockerNG (Not available in pi-hole) is that blocked domains are returned as 1x1 pixel image which makes websites render better rather than showing errors messages in the areas where blocked ad domains should be
Pi-Hole 5.0 came out recently, and now allows for per-client blocking, something pfblocker is lacking (or maybe it isn't and I just couldn't figure it out). I was using pfblocker, but am working on transitioning because this is exactly what I want. Different things blocked for adults, kids, and guests without a super long rules list on the firewall.
I prefer pihole over pfblockerng because of the interface. Whitelisting, Overview etc. is much more useful and powerful in my opinion. And with the "additional" unbound in pihole this instance also resolve the names itself and dont forward it. At the time I'm using pfblockerng only for IP blocking. For DNS stuff pihole.
I use block lists in OPNsense, under built in Unbound DNS. It works the same, I like not having 2 devices, but I do miss the pretty UI and graphs in pi-hole.
Thanks for clarifying! Glad to see I won't need to buy some separate system for it, considering I'm gonna turn the old pc into a firewall with pfSense. (I know about the wattage consumption guys, it's only a temporary build until I can afford a decent Netgate hardware).
Pihole still has some advantages: 1. Much easier and cheaper to add to existing config/ router. 2. Can run as a VM, i personally use it that way with no issues whatsoever. Running pfsense as a vm could be a pain, a lot of pain. 3. Hosts lists. Pihole has built in lists and allow you to customise it. Pfsense has no built in lists. you need to find and add yourself. I was using pihole lists with pfsense through :)
I agree with pi-hole being simple. But PFsense def runs just as flawlessly in a VM. Give it a shot. I actually run both. I have a pretty complex home/small business network and use a virtualized Pfsense on a quad core laptop. Very reliable and steady uptime and all functionality still there. Just get a couple usb to Ethernet dongles, then pFsense can have its own Wan and Lan ports. Push the pfsense LAN output to your main router. Really the trick is to leave the virtualbox usb settings alone. Just set the network device options you want to use in the virtualbox network setting (NAT, Bridged Adapter, etc..) Allow your Host OS to control the USB network devices. And then, very importantly, on your Host OS you must disable the ipv4 and ipv6 settings of those same Bridged internet adapters that pfsense is using. Works so sweet after that. Just have a good Host pc with a clean, reliable OS, and is ready for uptime. Allow it to auto-load the pfsense virtualboxes upon startup. I have months of steady uptime on these Pfsense and Pihole VM's, and if I reset the laptop it autostarts everything within 2 mins.
@@briythepcguy7051 I could have sworn those usb ethernet dongles don't take full advantage of the port or some features from PFSense since they depend on the cpu.
I couldn't agree more, with this video. I actually run both but that is because I run dedicated Unbound Servers, due to other requirements on my network.
I use pi-hole, bc pi-hole is DNS over HTTPS and DNS over TLS ready. Pfsense DNS Server only works with DNS over TLS. In my case, all device sends the dns request plainttext to pi-hole, pi-hole is filtering, after that, pi-hole sends the request over DNS over HTTPS to the upstream dns server. This case is not possible with pfsense and pfblockerNG, so far.
I considered pfBlockerNG; however, I can't seem to get DoH for DNS on pfsense unless I'm mistaken... So I'm using a PiHole running as a separate ESXi instance on the same box I run my pfsense instance on. I think this is a preferable solution as I can route all non-DoH DNS on my networks to the pihole and all the non-blocked resolutions are all over DoH, as I don't want to give that information to my ISP.
I do kind of agree though for home users who are running pfsense and don't want the added complication of a second device likely the simpler solution, especially if they don't care about moving all their DNS resolutions to DoH.
As i recall from using, pi-hole was just easier to manage, and i had some nice graphs. But I use pfBlocker, so that i can use my pi for something else.
Nice vid. I prefer using pihole. It’s not as good as pfblocker but... I have it running on parents network since they can access the gui easily without the risk of them trashing pfsence.
The main issue I ran in to with pfblocker, which I love, is the auto generated rules made loading my firewall pages take up to a minute to load with every change. After I disabled it the problems went away.
The pfsense project should give more credits to BBCAN, the developer of pfblockerng. BB created this package which makes people buy pfsense. The same goes for the developer of the snort and suricata package on pfsense, Bmeeks.
One other small advantage of pfblocker is that you can actually block the usage of other dns servers except your own, you can't do that with pihole because well… it's not a firewall. The graphs however are way better in pihole :)
I find pi-hole to work very nice in home networks. Pfsense embedded PfBlockerNG is cool too. And PFsense def runs just as flawlessly in a VM. I actually run both. I have a pretty complex home/small business network and use a virtualized Pfsense on a quad core laptop. Very reliable and steady uptime and all functionality still there. Just get a couple usb to Ethernet dongles, then pFsense can have its own Wan and Lan ports. Push the pfsense LAN output to your main router. Really the trick is to leave the virtualbox usb settings alone. Just set the network device options you want to use in the virtualbox network setting (NAT, Bridged Adapter, etc..) Allow your Host OS to control the USB network devices. And then, very importantly, on your Host OS you must disable the ipv4 and ipv6 settings of those same Bridged internet adapters that pfsense is using. Works so sweet after that. Just have a good Host pc with a clean, reliable OS, and is ready for uptime. Allow it to auto-load the pfsense virtualboxes upon startup. I have months of steady uptime on these Pfsense and Pihole VM's, and if I reset the laptop it autostarts everything within 2 mins.
Just to let you know in security you want to use 2 different firewalls, to lessen the attack surface of malicious actors. That way the same bug cannot be exploited on both firewall instances.
@@jameswatkins7806 Lol, you preaching to the choir my friend. Actually, you would want at least 3 firewalls. Pfsense, a good router firewall, and an OS level firewall. You def want a software based firewall on your OS's that keeps track of, and restricts any program from running unless approved. I actually put t-pot honeypot in front of my whole network so hackers can't even get into my inner network. They won't get past the honeypot. They like a kid in a candy store when they see hundreds of open ports and vulnerabilities. Then I can just IP block them on the inner firewalls.
@@jameswatkins7806 I own many servers across the world and I pentest my own networks all the time. I really try to get into it. I designed it to be complex for that exact reason. A Honeypot gives you a wealth of information and can be very helpful. Hook a honeypot up and you will be probed from China within seconds. They masscan probe the whole internet constantly. So, You basically want two or more network security segments. Like they do with fences in prisons. First an outside facing DMZ that is"unsecure" and for your Honeypot only, Then behind that would be your locked down pfsense, Pfsense would then feed out to a good router like a flashed dd-wrt or something fancy, but the routers ports are also locked down. Needed ports can be forwarded to pfsense. No outside hacker will be able to get past a properly placed DMZ'd honeypot and into your real network, past your snort IDS if you use layered segments, utilizing different private network lan ip's. A,B,C classes. You could even put another Honeypot on the inside of your network to be sure no hacker has gotten in. If you are going to run a wan side honeypot though you best be ready to be able to change your IP when you want to shut it off or you will get DDOS'd and maybe really hacked. You can change a static IP by changing the mac address of your cable modem. This can be done in a number of ways. Your cable modem probably doesn't have a mac address change setting itself, but I have comcast and I can force them to change my IP by using a DD-WRT router, connected to my cable modem. If you can master a honeypot placement on your networks wan and/or lan, and also learn how to probe your ports. Then you can secure your network with confidence.
Good summary of the basic choice. The hardware cost of Pi-Hole is pretty low, and there are virtual machine options. Anything at this level, check for other sources of info, and check the dates of those sources. It's April 2021 and things can have changed a lot.
I'm not going to lie PiHole on a Raspberry PI is one of the simplest applications to install on a PI, plus you can have it up and running in minutes. The PI Hole graphical user interface is clean, the network activity graphs and info is presented extremely well (one of the best looking ones I've seen). It's nowhere near as complex or fiddly to operate as Pfsense/PfBlockerNG and that's its real strong point, simplicity. PfSense with PfblockerNG on the other hand by comparison can be very time consuming and complex depending how deep you want to go, but ultimately it can do a whole lot more (just make sure you do backups along the way in pfsense). Updating PiHole is easy, adding new blocklists is easy, whitelisting and blacklisting sites is just a case of clicking a button. Note: PiHole can also function as a basic DHCP server. The only real downside of PiHole is its inability to block adverts shown on TH-cam videos, but if you pair PiHole alongside Ublock Origin browser plugin (for the likes of TH-cam on your desktops) then you're good to go. Note you can access your PiHole GUI from pretty much any device on your LAN, just add your PiHole IP address in your browsers and just log in. If you want to access the back end of it (i.e the operating system the PiHole server is running on (Raspbian)) and you don't have a seperate monitor for your physical PI device, be sure to install VNC on it, then you can access it using VNC Viewer for free.
I love my Raspberry Pi!! And everyone should have pi-hole on their network. Another even simpler setup is to just download virtualbox on an desktop/laptop and spin up a ubuntu server iso. And command line a pihole install. Then you can use your Raspberry pi for many other things!
@@humanbeing-001 Yes Raspberry Pi are pretty simple but if you like to have full control, Pfsense is the way to go. As it takes more time to set up, Pfsense Is just a all in one solution for networking. Also you could use's pfsense to control a home made switch. I love my pfsense I went from a NetgearWNDR to a DD-WRT/Pi hole to Pfsense. I tried the Pi out it just lacks the configurbility but is very simple, Just like most low end managed switches do. My setup Pfsense-MikroTik317/10Gb/s-CiscoSG350X-CiscoSG300PP. I wish I would have gone with a UniFi switch instead of the MikroTik but the price different at the time was 200-300 different, also ones it is configured its awesome.
I think you’re missing the value of not necessarily pihole itself, but a typified configuration: upstream dns encryption. Namely, cloudflareD. Either method will block ads, but I can’t say whether pfsense or the like would support upstream dns encryption in the same way as you would on a raspberry pi. This ads another layer of privacy that frankly should be available to every household.
This is a good question and I believe it does but I don't plan to verify it though. OpenWRT has updated DNS hajicking topic on their doc page and it is done via ipset. DoH might be encrypted but you need SRC and DST in the IP header. If the DST IP is on the pfBlockerNG's blocklist (that is being applied) it must block the IP but don't take it for granted.
I have several vlans, only want to allow 1 vlan with full access to the web. Can you have PFblocker assigned to individual vlans? Looking to install Pfsense for home network.
Is it just me or ........ whatever anyone else does pfSense just do it better or at least the RIGHT way - that is what I seem to hear from Lawrence Systems every time "....vs pf" is in the headline.
Interesting video. Thank you. What if you only want one or two devices to have this sort of control- aka, my son's laptop while remote learning? Which way to lean?
+System Lord, the regex issue in pfBlockerNG is the reason why I have pi-hole running on a VM and pfSense DNS is set to the pi-hole address. Such a pain because I have specific websites I wan to block. One thing I looked into is just creating a text file in my HTTP server and adding that as a list in pfBlockerNG.
Recently subscribed to your channel - great content! My question is, are then any similar extensions to edgeOS you can use to serve a similar function? Or is there a way of doing this with an edgerouter. I liked your explanation and justification for running pfblocker on a pfsense firewall, and would go down this path but I already have an edgerouter. I would have got a Netgate but they have not yet been approved for use in New Zealand, and no one is selling them so I ended up getting an an edgerouter. Can you make any recommendations for a network based DNS blackhole in this situation? Or should I just go with Pi-hole, also do you know if it’s possible to run Pi-hole in a container?
@@kristopherleslie8343 the Pie is like a VW bug, Pfsense is like a aircraft carrier. The Throughput of the firewall, IDS & IPS and Along with DNS filtering & IP Blocking. The amount is really what will be the difference. As you start to add this stuff and lists on the pie the list can not be that big as it will kill your throughput. Also hole point to security is to have logs so you can look at what has happened. With a Large list with more then 4 clients on a pie you will be lucky to get 100/5 internet. even if you have 1G/1G internet. you could sacrifice the security but then why even do a pie? The Pi = Slow Speed / Pfsense = All the Speed with all the security. So you start to cut the list down to increases bandwidth. But you've now lost security. That's the technical differences.
Pihole isn't foolproof, in fact it doesn't really block effectively anymore. It can't block ads at the beginning of videos or even ones in between videos. It will however block older TH-cam ads that give you the option to click skip. But youtube ads without the skip option won't be blocked unless you like creating 20,000 plus host name lists for every iteration of TH-cam ads address's. And you will need to do that by the hour because that's how aggressive TH-cam ads are these days
How important is it to use SSDs with powerloss protection in combination with ZFS for homelab or small business? Is it OK to use consumer SSDs with ZFS in my NAS/SAN ?
@@LAWRENCESYSTEMS How does ZFS cope with such a power loss scenario? Would I just loose the new data or changes that should have been made to a file or could it render my existing files corrupt without me noticing it except later when I open a file? (just realized that I commented under the wrong video… damn YT autoplay. But thanks for answering anyways!) 😄😄
Is there any way to implement pfblocker on Edgerouter? Or any alternatives? I see you are running pfsense at home and all other stuff is unifi, is that because the pfblocker? Now I am using pihole on my edgerouter network. I think you often forget to give as an alternative that one can install pfsense on a low power Linux machine, old hardware or VM.
I don't forget, I have a video with over 260,000 views showing how to do it. th-cam.com/video/9kSZ1oM-4ZM/w-d-xo.html I don't discourage people from doing it, but I do frequently suggest the SG1100 because for many people that is easier than loading pfsense on an old computer.
@@LAWRENCESYSTEMS Yes, I remember that video :) I should better say, that is an advantage of pfsense vs consumer routers and vs also unifi / edgerouter. So this could be mentioned when comparing pfsense to other stuff.
pfsense is a lot more reliable - because the hardware on the small Edgerouter and USG simply is a bottleneck - MIPS dualcore below 1GHZ and very little RAM (just look into the datasheets for them). If you want a small and good PFSense router there's the fitlet2 on Amazon.com otherwise look at Aliexpress - if you want to spend about half for it with more ports. The fitlet2 is about the best, smallest and most high quality solution I've found - nothing else came close (spoiler: I don't own one so far, so I can only speak about theory, digging datasheets and reading reviews).
Alan Xu TH-cam ads aren’t easy to block, because the ads themselves are basically also just youtube videos, a firewall can’t tell the difference, a browser plugin however (uBlock) can.
Lawrence, thanks for all your help with your videos...the network is legit. But man how the hell do i get DNS over TLS/HTTPS + piHole working? Currently its one or the other, DNS over TLS/HTTPS are working and so is the piHole. How the hell do i get them both playing nicely with each other?
@@prevaloir5362 I'm using the pfblockers ip lists and have installed adguard home onto my pfsense box for dns. It's a much nicer interface and handles DNS rewrites better than the pfsense way of doing it
Jimmy Bristow Adgyard scabs your browser for code that is the ad pi hole is a dns server which blocks ads from being generated when a website asks for an ad
So I would to need install pfSense on my laptop in order to take a advantage of all the features such the anti virus that come with pfSense and ad blocker
pfSense is a firewall service which would typically be ran on a dedicated server, replacing your current router. There is no way to install it on your laptop as a client software.
Well if you virtualize it you could. Of course you’d have to virtualize your client software too.. and boot times are going to go way up since you’d start your hypervisor then pf then lastly your client. It kinda works on a laptop but imho it’s way better to just call your home pf box via openvpn and run your client through that.
Cool, I was wondering if it would be possible to do piehole without a pi... Can this be used to block Microsoft from collecting data and forcing updates without user permission? If yes=true then how? Thanks for the awesome and informative videos!
it is an extension for pfsense, if you already have your router setup, it goes on that for free. (Home router: pfsense box with multiple nics) - small form factor
@@annfry9072 however.. just to get a hp t610+ thin client, 16gb SATA SSD Dom module, the power cord, and an intel dual port ethernet card... just to build that pfsense router cost me ~$150
@@annfry9072 meanwhile if you don't wanna fool with pfsense or otherwise don't have any old x86-64 computers preferably with at least one pcie slot laying around... it's prolly for the best to go along with the raspberry pie with pihole for the cost and use your existing equipment
You should also mention the Raspberry Pi isn’t very robust hardware. If you run Linux on an SD card 7x24, for example, the writes eventually trash the SD card and your Pi crashes in as little as a few months. The Pi hardware is made to be as cheap and small as possible and it has thermal and other limitations. It’s designed for hobby use not continuous mission critical operation. A Pi is far less robust than a Netgate box or similar typical pfSense hardware. I know countless people trying to use a Pi in continuous operation only to have frequent failures.
You don't have to run it on a Pi. I have it as a Hyper-V virtual machine on my server. The domain controller VM on the same computer has the PiHole as its upstream DNS server.
Soooo true, the Pi's problem is not having a HHD or SSD bus, just charge a little more so we can hack a lot more. SD bus speeds are too slow for modern day.
I've got a few friends in the government/military that actually run pi 24x7. Never mentioned a problem before that was outlandish. I actually looked at them twice when they mentioned this since I didn't expect rpi to be that kind of use case.
i tried pi hole and i found it kinda shit, took hours to update the many lists i found online but ZERO youtube ads (and, hm, hub ads) were blocked, it worked on some websites but not all, maybe 50-50
A ridiculous comparison. If you could put pfsense or OPNsense on a Raspberry Pi, or compare to IPFire (on Pi 3s, 4 in development) with Pi-hole added... Are you sponsored by pfSense? It seems like users not buying pfSense hardware have turned to OPNsense. Anyway, apples to oranges comparison.
And btw, the jerk that is speaking on this video: cool down! Get of the steroids! Jezus, you are giving headaches with that speed, nobody actually can listen, let alone understand, this!
![Warhammer 40k: Space Marine 2 | เพื่อจักรพรรดิ ! [ตอนเดียวจบ]](http://i.ytimg.com/vi/4M0ckYMA4-U/mqdefault.jpg)
One feature i find useful with pfBlockerNG (Not available in pi-hole) is that blocked domains are returned as 1x1 pixel image which makes websites render better rather than showing errors messages in the areas where blocked ad domains should be
Pi-Hole 5.0 came out recently, and now allows for per-client blocking, something pfblocker is lacking (or maybe it isn't and I just couldn't figure it out). I was using pfblocker, but am working on transitioning because this is exactly what I want. Different things blocked for adults, kids, and guests without a super long rules list on the firewall.
I prefer pihole over pfblockerng because of the interface. Whitelisting, Overview etc. is much more useful and powerful in my opinion. And with the "additional" unbound in pihole this instance also resolve the names itself and dont forward it. At the time I'm using pfblockerng only for IP blocking. For DNS stuff pihole.
Been waiting on this video! Now just need the snort vs surricata lol. Thanks as always !
Surricata broke so much stuff in my network, snort has been much easier for me
If you can take the time and setup Surricata It is better but more involved. Snort is set it forget it.
jh
@@manthing1467 n.g
probably be hno
I use block lists in OPNsense, under built in Unbound DNS. It works the same, I like not having 2 devices, but I do miss the pretty UI and graphs in pi-hole.
Thanks for clarifying! Glad to see I won't need to buy some separate system for it, considering I'm gonna turn the old pc into a firewall with pfSense. (I know about the wattage consumption guys, it's only a temporary build until I can afford a decent Netgate hardware).
Thanks for mentioning the pihole reporting.
That's a pretty report to put into customer newsletters.
Pihole still has some advantages:
1. Much easier and cheaper to add to existing config/ router.
2. Can run as a VM, i personally use it that way with no issues whatsoever. Running pfsense as a vm could be a pain, a lot of pain.
3. Hosts lists. Pihole has built in lists and allow you to customise it. Pfsense has no built in lists. you need to find and add yourself. I was using pihole lists with pfsense through :)
i agree, pfblocker is kinda hard to use for me. im running my pihole as a VM
I agree with pi-hole being simple. But PFsense def runs just as flawlessly in a VM. Give it a shot. I actually run both. I have a pretty complex home/small business network and use a virtualized Pfsense on a quad core laptop. Very reliable and steady uptime and all functionality still there. Just get a couple usb to Ethernet dongles, then pFsense can have its own Wan and Lan ports. Push the pfsense LAN output to your main router.
Really the trick is to leave the virtualbox usb settings alone. Just set the network device options you want to use in the virtualbox network setting (NAT, Bridged Adapter, etc..)
Allow your Host OS to control the USB network devices. And then, very importantly, on your Host OS you must disable the ipv4 and ipv6 settings of those same Bridged internet adapters that pfsense is using. Works so sweet after that. Just have a good Host pc with a clean, reliable OS, and is ready for uptime. Allow it to auto-load the pfsense virtualboxes upon startup. I have months of steady uptime on these Pfsense and Pihole VM's, and if I reset the laptop it autostarts everything within 2 mins.
@@briythepcguy7051 I could have sworn those usb ethernet dongles don't take full advantage of the port or some features from PFSense since they depend on the cpu.
thankyou for this vid. i need it
writing this while watching the starting add. 😁
I couldn't agree more, with this video. I actually run both but that is because I run dedicated Unbound Servers, due to other requirements on my network.
just getting back into my pfsense project finally, thanks for keeping these videos up.
I use pi-hole, bc pi-hole is DNS over HTTPS and DNS over TLS ready. Pfsense DNS Server only works with DNS over TLS. In my case, all device sends the dns request plainttext to pi-hole, pi-hole is filtering, after that, pi-hole sends the request over DNS over HTTPS to the upstream dns server. This case is not possible with pfsense and pfblockerNG, so far.
I considered pfBlockerNG; however, I can't seem to get DoH for DNS on pfsense unless I'm mistaken... So I'm using a PiHole running as a separate ESXi instance on the same box I run my pfsense instance on. I think this is a preferable solution as I can route all non-DoH DNS on my networks to the pihole and all the non-blocked resolutions are all over DoH, as I don't want to give that information to my ISP.
I do kind of agree though for home users who are running pfsense and don't want the added complication of a second device likely the simpler solution, especially if they don't care about moving all their DNS resolutions to DoH.
As i recall from using, pi-hole was just easier to manage, and i had some nice graphs. But I use pfBlocker, so that i can use my pi for something else.
Very well explained 👍
You can't lose either way, Pi-Hole is mush easier for average user.
Nice vid. I prefer using pihole. It’s not as good as pfblocker but... I have it running on parents network since they can access the gui easily without the risk of them trashing pfsence.
Good video. Short and to the point!
Unless I'm silly, could you set up pfBlocker and then have your DNS be piHole with added coverage so you have the geoIP coverage?
Or just use pfBlocker
This is what I was looking for. Thank You
Great explanation of the differences
The main issue I ran in to with pfblocker, which I love, is the auto generated rules made loading my firewall pages take up to a minute to load with every change. After I disabled it the problems went away.
The pfsense project should give more credits to BBCAN, the developer of pfblockerng. BB created this package which makes people buy pfsense. The same goes for the developer of the snort and suricata package on pfsense, Bmeeks.
One other small advantage of pfblocker is that you can actually block the usage of other dns servers except your own, you can't do that with pihole because well… it's not a firewall. The graphs however are way better in pihole :)
I find pi-hole to work very nice in home networks. Pfsense embedded PfBlockerNG is cool too. And PFsense def runs just as flawlessly in a VM. I actually run both. I have a pretty complex home/small business network and use a virtualized Pfsense on a quad core laptop. Very reliable and steady uptime and all functionality still there. Just get a couple usb to Ethernet dongles, then pFsense can have its own Wan and Lan ports. Push the pfsense LAN output to your main router.
Really the trick is to leave the virtualbox usb settings alone. Just set the network device options you want to use in the virtualbox network setting (NAT, Bridged Adapter, etc..)
Allow your Host OS to control the USB network devices. And then, very importantly, on your Host OS you must disable the ipv4 and ipv6 settings of those same Bridged internet adapters that pfsense is using. Works so sweet after that. Just have a good Host pc with a clean, reliable OS, and is ready for uptime. Allow it to auto-load the pfsense virtualboxes upon startup. I have months of steady uptime on these Pfsense and Pihole VM's, and if I reset the laptop it autostarts everything within 2 mins.
Just to let you know in security you want to use 2 different firewalls, to lessen the attack surface of malicious actors. That way the same bug cannot be exploited on both firewall instances.
@@jameswatkins7806 Lol, you preaching to the choir my friend. Actually, you would want at least 3 firewalls. Pfsense, a good router firewall, and an OS level firewall. You def want a software based firewall on your OS's that keeps track of, and restricts any program from running unless approved. I actually put t-pot honeypot in front of my whole network so hackers can't even get into my inner network. They won't get past the honeypot. They like a kid in a candy store when they see hundreds of open ports and vulnerabilities. Then I can just IP block them on the inner firewalls.
@@jameswatkins7806 I own many servers across the world and I pentest my own networks all the time. I really try to get into it. I designed it to be complex for that exact reason. A Honeypot gives you a wealth of information and can be very helpful. Hook a honeypot up and you will be probed from China within seconds. They masscan probe the whole internet constantly. So, You basically want two or more network security segments. Like they do with fences in prisons.
First an outside facing DMZ that is"unsecure" and for your Honeypot only, Then behind that would be your locked down pfsense, Pfsense would then feed out to a good router like a flashed dd-wrt or something fancy, but the routers ports are also locked down. Needed ports can be forwarded to pfsense. No outside hacker will be able to get past a properly placed DMZ'd honeypot and into your real network, past your snort IDS if you use layered segments, utilizing different private network lan ip's. A,B,C classes. You could even put another Honeypot on the inside of your network to be sure no hacker has gotten in.
If you are going to run a wan side honeypot though you best be ready to be able to change your IP when you want to shut it off or you will get DDOS'd and maybe really hacked. You can change a static IP by changing the mac address of your cable modem. This can be done in a number of ways. Your cable modem probably doesn't have a mac address change setting itself, but I have comcast and I can force them to change my IP by using a DD-WRT router, connected to my cable modem.
If you can master a honeypot placement on your networks wan and/or lan, and also learn how to probe your ports. Then you can secure your network with confidence.
I don't use pfsence but I do have good firewalls so pi-hole make sense.
thank you so much for this vid,
can you help me plese for youtube block ,(what the best tools _ Squid , pfBlockerNG or Pi-Hole)
Thank you for great videos you are posting I was just wondering if PF sense or opnsense have Virus scanner and blocker
You can run pi-hole on many linux dist, pfblocker only on one 1 😉
how do I block specific websites or categories for specific IPs in network in pfblockerNG?
Guess i'll replace my diy router and pi-hole vm with pf-sense & pfblocker today
Good man. May i suggest a hp t610+ thin client pc with a intel dual or quad ethernet card as the hardware?
@@adventureoflinkmk2 i already have an AMD Athlon 5150 on a MSI AM1i with 2 GB DDR3 and an Intel PRO/1000 PT dual ethernet card ... 😅
But maybe later
@@adventureoflinkmk2 i'd love to get my hands on some but they're overpriced these days. Used to go for $55 now they cost $150.
Great video.. :)
can you make also a video for pfsense vs other NGFW. Thanks
th-cam.com/video/vpKEi2o1DQM/w-d-xo.html
Can you make a video how to make "private DNS" for phone with pi hole?
Good summary of the basic choice.
The hardware cost of Pi-Hole is pretty low, and there are virtual machine options.
Anything at this level, check for other sources of info, and check the dates of those sources. It's April 2021 and things can have changed a lot.
is pfSense > UDM Pro firewall?
I'm not going to lie PiHole on a Raspberry PI is one of the simplest applications to install on a PI, plus you can have it up and running in minutes.
The PI Hole graphical user interface is clean, the network activity graphs and info is presented extremely well (one of the best looking ones I've seen). It's nowhere near as complex or fiddly to operate as Pfsense/PfBlockerNG and that's its real strong point, simplicity.
PfSense with PfblockerNG on the other hand by comparison can be very time consuming and complex depending how deep you want to go, but ultimately it can do a whole lot more (just make sure you do backups along the way in pfsense).
Updating PiHole is easy, adding new blocklists is easy, whitelisting and blacklisting sites is just a case of clicking a button. Note: PiHole can also function as a basic DHCP server.
The only real downside of PiHole is its inability to block adverts shown on TH-cam videos, but if you pair PiHole alongside Ublock Origin browser plugin (for the likes of TH-cam on your desktops) then you're good to go.
Note you can access your PiHole GUI from pretty much any device on your LAN, just add your PiHole IP address in your browsers and just log in. If you want to access the back end of it (i.e the operating system the PiHole server is running on (Raspbian)) and you don't have a seperate monitor for your physical PI device, be sure to install VNC on it, then you can access it using VNC Viewer for free.
I love my Raspberry Pi!! And everyone should have pi-hole on their network. Another even simpler setup is to just download virtualbox on an desktop/laptop and spin up a ubuntu server iso. And command line a pihole install. Then you can use your Raspberry pi for many other things!
@@humanbeing-001 Yes Raspberry Pi are pretty simple but if you like to have full control, Pfsense is the way to go. As it takes more time to set up, Pfsense Is just a all in one solution for networking. Also you could use's pfsense to control a home made switch. I love my pfsense I went from a NetgearWNDR to a DD-WRT/Pi hole to Pfsense. I tried the Pi out it just lacks the configurbility but is very simple, Just like most low end managed switches do.
My setup Pfsense-MikroTik317/10Gb/s-CiscoSG350X-CiscoSG300PP. I wish I would have gone with a UniFi switch instead of the MikroTik but the price different at the time was 200-300 different, also ones it is configured its awesome.
@@humanbeing-001 that's what i did even though i am running pfsense
Can pfsense block TH-cam ads?
I think you’re missing the value of not necessarily pihole itself, but a typified configuration: upstream dns encryption. Namely, cloudflareD. Either method will block ads, but I can’t say whether pfsense or the like would support upstream dns encryption in the same way as you would on a raspberry pi. This ads another layer of privacy that frankly should be available to every household.
Pfsense supports that
Good stuff man!
Hi Tom,
Thanks for the video, As an Untangle user I was wondering if Untangle (home pro) has a similar feature to PfBlocker on PfSense.
Thanks
wiki.untangle.com/index.php/Ad_Blocker
Thanks Tom, it would be nice if possible if you could do a video to compare it to PfBlocker
This video appeals to me. I just changed pihole for pfblocker
So if the software is using DoH, pfBlockerNG will still block the network access to that IP ?
This is a good question and I believe it does but I don't plan to verify it though. OpenWRT has updated DNS hajicking topic on their doc page and it is done via ipset. DoH might be encrypted but you need SRC and DST in the IP header. If the DST IP is on the pfBlockerNG's blocklist (that is being applied) it must block the IP but don't take it for granted.
Is there a way to add the pi-hole website content blocking to the pfBlockerNG?
I have several vlans, only want to allow 1 vlan with full access to the web. Can you have PFblocker assigned to individual vlans? Looking to install Pfsense for home network.
Yes you can
Is it just me or ........ whatever anyone else does pfSense just do it better or at least the RIGHT way - that is what I seem to hear from
Lawrence Systems every time "....vs pf" is in the headline.
Interesting video. Thank you.
What if you only want one or two devices to have this sort of control- aka, my son's laptop while remote learning? Which way to lean?
You can set up your DNS on the device itself, instead of at the router level.
The only thing i noticed was that pfBlockerNG cannot do regex, unless it can?
+System Lord, the regex issue in pfBlockerNG is the reason why I have pi-hole running on a VM and pfSense DNS is set to the pi-hole address. Such a pain because I have specific websites I wan to block. One thing I looked into is just creating a text file in my HTTP server and adding that as a list in pfBlockerNG.
Recently subscribed to your channel - great content! My question is, are then any similar extensions to edgeOS you can use to serve a similar function? Or is there a way of doing this with an edgerouter. I liked your explanation and justification for running pfblocker on a pfsense firewall, and would go down this path but I already have an edgerouter. I would have got a Netgate but they have not yet been approved for use in New Zealand, and no one is selling them so I ended up getting an an edgerouter. Can you make any recommendations for a network based DNS blackhole in this situation? Or should I just go with Pi-hole, also do you know if it’s possible to run Pi-hole in a container?
Would pihole + hosts file lists (such as SomeoneWhoCares) be as good as the pfSense solution?
No Pfsense Is Like the Enterprise solutions, Pie Hole is a home gamer thing. Now both are good Pfsense is better as you can do so so much more.
@@TNW1337 what is a technical difference?
@@kristopherleslie8343 the Pie is like a VW bug, Pfsense is like a aircraft carrier. The Throughput of the firewall, IDS & IPS and Along with DNS filtering & IP Blocking.
The amount is really what will be the difference. As you start to add this stuff and lists on the pie the list can not be that big as it will kill your throughput. Also hole point to security is to have logs so you can look at what has happened. With a Large list with more then 4 clients on a pie you will be lucky to get 100/5 internet. even if you have 1G/1G internet. you could sacrifice the security but then why even do a pie? The Pi = Slow Speed / Pfsense = All the Speed with all the security. So you start to cut the list down to increases bandwidth. But you've now lost security. That's the technical differences.
TechNitWit so basically it could be upgraded to be more business class but that’s not its true market. Gotcha. Thank you for clear explanation!
I’ll play around with Pi hole it looks awesome. But for my home lab PFSense is still going to be my run to.
what about untangle
Pihole isn't foolproof, in fact it doesn't really block effectively anymore. It can't block ads at the beginning of videos or even ones in between videos. It will however block older TH-cam ads that give you the option to click skip. But youtube ads without the skip option won't be blocked unless you like creating 20,000 plus host name lists for every iteration of TH-cam ads address's. And you will need to do that by the hour because that's how aggressive TH-cam ads are these days
Can you use pfBlockerNG as a recursive dns server?
How important is it to use SSDs with powerloss protection in combination with ZFS for homelab or small business? Is it OK to use consumer SSDs with ZFS in my NAS/SAN ?
You would likely just lose a few seconds of data on loss
@@LAWRENCESYSTEMS How does ZFS cope with such a power loss scenario? Would I just loose the new data or changes that should have been made to a file or could it render my existing files corrupt without me noticing it except later when I open a file? (just realized that I commented under the wrong video… damn YT autoplay. But thanks for answering anyways!) 😄😄
@@succubiuseisspin3707 ZFS is a COW, that is how it copes with powerloss further explanation here th-cam.com/video/nlBXXdz0JKA/w-d-xo.html
Privoxy vs pfblockerng !??
like your video. now if i install pfsence in my old pc, is pfblocker included with it or not ?
No. You need to install that as a separate package from within the pfsense web interface.
Is there any way to implement pfblocker on Edgerouter? Or any alternatives? I see you are running pfsense at home and all other stuff is unifi, is that because the pfblocker? Now I am using pihole on my edgerouter network. I think you often forget to give as an alternative that one can install pfsense on a low power Linux machine, old hardware or VM.
I don't forget, I have a video with over 260,000 views showing how to do it. th-cam.com/video/9kSZ1oM-4ZM/w-d-xo.html
I don't discourage people from doing it, but I do frequently suggest the SG1100 because for many people that is easier than loading pfsense on an old computer.
@@LAWRENCESYSTEMS Yes, I remember that video :) I should better say, that is an advantage of pfsense vs consumer routers and vs also unifi / edgerouter. So this could be mentioned when comparing pfsense to other stuff.
pfsense is a lot more reliable - because the hardware on the small Edgerouter and USG simply is a bottleneck - MIPS dualcore below 1GHZ and very little RAM (just look into the datasheets for them). If you want a small and good PFSense router there's the fitlet2
on Amazon.com otherwise look at Aliexpress - if you want to spend about half for it with more ports. The fitlet2 is about the best, smallest and most high quality solution I've found - nothing else came close (spoiler: I don't own one so far, so I can only speak about theory, digging datasheets and reading reviews).
Pi hole doesn’t do anything to TH-cam.......... I know it’s not Pinole fault . I really wish there something as effective as ublock
...or Adblock Plus; it has very good rules to block TH-cam annoyances!
Alan Xu TH-cam ads aren’t easy to block, because the ads themselves are basically also just youtube videos, a firewall can’t tell the difference, a browser plugin however (uBlock) can.
Max I know I wish there is a way to apply ublock origin on a router
Lawrence, thanks for all your help with your videos...the network is legit. But man how the hell do i get DNS over TLS/HTTPS + piHole working? Currently its one or the other, DNS over TLS/HTTPS are working and so is the piHole. How the hell do i get them both playing nicely with each other?
Why not use both
how stupid are you
@@regis9596 says you
@@prevaloir5362 I'm using the pfblockers ip lists and have installed adguard home onto my pfsense box for dns. It's a much nicer interface and handles DNS rewrites better than the pfsense way of doing it
pi-hole vs adguard home
what about DoH in pfblockerNG ?
Just google it, I mean if you already understand DoH and DNS filtering then you should know the answer. If not google it.
@@kingrpriddick great info.. thanks!
@@freebs3545 Well you asked such a smart question!
@@kingrpriddick my point was.. he should incorporate it into a pfsense video... but there's always a guy like you around to make snide remarks.
AdGuards a good one too
Jimmy Bristow Adgyard scabs your browser for code that is the ad pi hole is a dns server which blocks ads from being generated when a website asks for an ad
But if you run pihole its easier to run unbound
So I would to need install pfSense on my laptop in order to take a advantage of all the features such the anti virus that come with pfSense and ad blocker
pfSense is a firewall service which would typically be ran on a dedicated server, replacing your current router. There is no way to install it on your laptop as a client software.
no, lmao. try again.
Well if you virtualize it you could.
Of course you’d have to virtualize your client software too.. and boot times are going to go way up since you’d start your hypervisor then pf then lastly your client. It kinda works on a laptop but imho it’s way better to just call your home pf box via openvpn and run your client through that.
@@KarryKarryKarry Boot times for a hypervisor guest vm are usually faster in most cases than physical hardware.
Cool, I was wondering if it would be possible to do piehole without a pi... Can this be used to block Microsoft from collecting data and forcing updates without user permission? If yes=true then how? Thanks for the awesome and informative videos!
Every update reloads their spyware, unless you can write a script to do it with persistence, which I would buy. Lol
VMware it
pi-hole is just pfsense/opnsense for people who dont want to fool with something more "advanced".
No discussions on Cost? A pi and SD costs £20 and thats it, you’re done.
That seems like a massive thing you just didn’t bother covering
it is an extension for pfsense, if you already have your router setup, it goes on that for free. (Home router: pfsense box with multiple nics) - small form factor
@@annfry9072 however.. just to get a hp t610+ thin client, 16gb SATA SSD Dom module, the power cord, and an intel dual port ethernet card... just to build that pfsense router cost me ~$150
@@annfry9072 meanwhile if you don't wanna fool with pfsense or otherwise don't have any old x86-64 computers preferably with at least one pcie slot laying around... it's prolly for the best to go along with the raspberry pie with pihole for the cost and use your existing equipment
I'm a big ol dummy. I have no idea what any of this means.
You should also mention the Raspberry Pi isn’t very robust hardware. If you run Linux on an SD card 7x24, for example, the writes eventually trash the SD card and your Pi crashes in as little as a few months. The Pi hardware is made to be as cheap and small as possible and it has thermal and other limitations. It’s designed for hobby use not continuous mission critical operation. A Pi is far less robust than a Netgate box or similar typical pfSense hardware. I know countless people trying to use a Pi in continuous operation only to have frequent failures.
Not true got pi-hole running for 2 years on same SD card.
@tntdruid You can look it up. You’re living on borrowed time. SDcards are not designed to be OS drives.
You don't have to run it on a Pi. I have it as a Hyper-V virtual machine on my server. The domain controller VM on the same computer has the PiHole as its upstream DNS server.
Soooo true, the Pi's problem is not having a HHD or SSD bus, just charge a little more so we can hack a lot more. SD bus speeds are too slow for modern day.
I've got a few friends in the government/military that actually run pi 24x7. Never mentioned a problem before that was outlandish. I actually looked at them twice when they mentioned this since I didn't expect rpi to be that kind of use case.
Can pi-hole block websites?
I like to meet you one day
Why not to use just hosts file in the first place?
i tried pi hole and i found it kinda shit, took hours to update the many lists i found online but ZERO youtube ads (and, hm, hub ads) were blocked, it worked on some websites but not all, maybe 50-50
A ridiculous comparison. If you could put pfsense or OPNsense on a Raspberry Pi, or compare to IPFire (on Pi 3s, 4 in development) with Pi-hole added... Are you sponsored by pfSense? It seems like users not buying pfSense hardware have turned to OPNsense. Anyway, apples to oranges comparison.
And btw, the jerk that is speaking on this video: cool down! Get of the steroids! Jezus, you are giving headaches with that speed, nobody actually can listen, let alone understand, this!