Service Watchdog is a useful one to keep services up. Also Mail Report.
I've had some issues with the Tailscale service just stopping, and since I use that to access the devices behind CGNAT, that's kind of a problem. I worked around this by making a cronjob that restarts the service every so often as a quick fix, but this is much better. I must have missed this package whenever I went through the list to see if there was something interesting to find.
I'm gonna try it, thanks!
Which should NOT be needed!
Great to get this update, and glad to realize this matches my experience. I wish you could dig a bit deeper into why DNSBL is not relevant anymore and what could be used as a replacement, especially in a home environment with kids.
It's fairly easy these days to tell a web browser to use a different DNS, so if one relies on blocking via the DHCP-specified DNS, the end user can simply tell the browser to use a different DNS service. It's a little harder to change DNS at the system level, but not too difficult. I still use a local DNS via "AdGuard Home", however it's not for parental controls; it's to limit DNS requests going to the internet by doing forced caching, and to rewrite certain requests, such as keeping NTP requests local.
For parental controls, you will need to go deeper to really lock down the device; simple DNS blocking is easy to get around.
Also, DoH in the browser bypasses traditional DNS, which is why endpoint DNS is preferred when the device needs to be managed and monitored.
@@timezonewall You can block browser DNS with DNSBL on pfSense.
As always, absolutely awesome alliteration. 😎
Watching this channel since... 2017 or something. Thanks Lawrence for everything!
Thanks for the pfsense pkg update Tom!
Thanks Tom! Nice package review 👍
Thanks for the update Tom!
I hope they can add WAF support alongside HAProxy.
I don't use it, but the CrowdSec package is probably something people will want if they host anything externally.
Dear Netgate, why is the patcher not installed by default?
I agree
The same reason we have a manual updater and not an auto-updater, obviously. Everything in that plugin is opt-in, manual-administration based, and just having the plugin installed does nothing useful.
@@Mr.Leeroy That makes no sense! The patches should be delivered as normal system updates, which should be done regularly, same as any other operating system in the world, instead of relying on installing a package to install the updates (patches)?
I have been using pfSense on and off for almost 2 years and I never had any idea about the patches package till seeing this video, and I'm kind of a tech nerd, let alone other people who are less nerdy.
Netgate needs to fix this issue and make the patches normal system updates, IMO.
Also, thank you Lawrence for the video.
@@yahyoh91 Patches are not updates. They may contain a couple of hotfixes until an update comes, but that's only a fraction of their use cases, which are mainly dev or admin tuning functionality.
If you are hoping for a faster and less attended rolling release, that's not happening, since the project is built around FreeBSD, which has the opposite in its core philosophy.
Perfect!
Thank you!
Tom, your latest pfBlockerNG video is still the 2020 one, correct? Just following your advice for the DNSBL setting in this video, I did install the non-Dev package on our new 8200, but it is version 3.2. Thanks
This is the latest version: th-cam.com/video/oNo77CMoxUM/w-d-xo.htmlsi=JHqXr4UZRrAq-ZDl
Great again Lawrence!
What do you think of Zen Armor solution?
Watched even though I use OPNsense :) appreciate the time you put into this.
Thanks
I use, and have seen you recommend, HAProxy on pfSense, but I've been concerned with the cyber security aspect of running a reverse proxy (which would be a "DMZ" service) on the firewall controlling all connections in/out and between networks. It seems it would be best to split it out and have a dedicated HAProxy instance, and even better a dedicated "internal" HAProxy instance and an "external" HAProxy instance for internal-only services and externally available services.
Always better to split out services to individual systems to run them.
I use cron for enabling hardware offloads on passthrough NICs in a VM.
Tom, in regards to Snort or Suricata, did you say you don't really recommend either, or did I misunderstand what you said? And if the answer is yes, what is your intrusion detection preference then?
IDS is not really a set-it-and-forget-it type of system, and it's not very effective against modern threats.
Would it be possible to explain package choices between a first-time or home setup, a paranoid setup, and then for a business that wants to put money where it matters, such as an HA or large hardware cost setup?
I love Traffic Totals. My only problem with it is that whenever there is an unclean shutdown the data seems to get corrupted and the only way I've found to fix that is to reset graphing data (lose it all).
That should be easy to avoid if everything goes as expected, but after numerous power outages and brownouts I finally had to get a UPS.
After that my ssd started dying and caused it to crash numerous times before I realized what was happening.
Then I virtualized it so I can spin it up on a different physical host just in case, and then had a stick of ram going bad and crashing the system.
So I now have two PCs running Proxmox, both with mirrored ZFS boot pools, both on UPSs, in part to keep my router running through power and equipment failures. 😞
I have Cron installed to launch the QEMU Guest Agent on boot.
Bro, do an updated install and setup video for 2.7.7 please, because I swapped hardware and am doing a fresh install, and I'm lost as hell lol
I used ntopng a few months back but I found out it was writing a LOT of logs and was killing my NVMe 😰
Thank you for all your information. It is always very informative. I have a quick question I was hoping to run by you: would you happen to have any recommendations for Hyper-V cloud hosting services? Or do you offer hosting of Hyper-V servers? Thank you very much.
I don't ever use Hyper-V.
@@LAWRENCESYSTEMS Thank you...
Awesome
Avahi!
What about ZeroTier? Is that available on pfSense yet? I keep finding old posts (2+ yrs) that all say there is no official package.
nope
I'm using Pi-hole and have a firewall rule set up which forwards all outgoing DNS to Pi-hole (except from Pi-hole itself ^^), but I don't know if this is sufficient in all cases; at least it seems to work for me and blocks lots of ads. Of course, for forwarded requests the router IP shows up in the Pi-hole log.
Cheers from Australia.
Wish pfSense had a proper supply chain presence here.
What do you mean? Just download it, right?
pfSense hardware is heavily overpriced. Only use it in a business environment where using it is mandatory. Any other time, you'll get way more performance for way less money installing it on hardware you source yourself.
@@Shantytowns Quote up a CPU with sufficient direct PCIe lanes and a motherboard with Intel integrated graphics, 2 x PCIe x16 / 4 x PCIe x8 slots and 1GbE for OOBM, plus PCIe cards: a 4x1GbE x8 card; options: a 2x10GbE PCIe x8 card, a 2x2.5/5GbE PCIe x8 card. Add a 4RU rackmount case with front-facing slots like Silverstone, PSU and cooling fans, rack mount rails... $$$$ Now add the software license subscription. I know because I have done this in my own lab. System builder since 1987.
@@deadlymarsupial1236 If you honestly think that Netgate offers good hardware options, you're a horrendous system builder since 1987.
Software license subscription? There isn't one.
Instead of just listing off a bunch of random shit and trying to go strawman against common knowledge, you tell me which system you think is a good value.
I'll tell you why it isn't, within the constraints of my original statement.
@@Shantytowns 🤣🥱
Is the issue with Zabbix this use case, or Zabbix in general?
I was evaluating Zabbix for monitoring a large deployment.
Zabbix is great, but I just don't use it anymore.
Can HAProxy work like Squid proxy? I use Steam cache now and apt cache, and it has worked pretty well, but I feel it's harder to set up than HAProxy probably would be.
No
Hmm "NSFW_LAN". Does that connect to a NSFW directory of photos and videos on the NAS? 🤭
Sir, I am trying to install pfSense on my Cyberoam CR-15iNG firewall.
After installation, when booting from the SSD, it gives the error:
bios drive c: is disk 0
Can anyone help me? I am in very much trouble 🙏 pls help
What proxy would you suggest one use now that I have removed Squid from my pfSense? We need a proxy, not for caching or filtering (although this would be a plus if it did), but we need it for logging.
I don't suggest any due to the issues that come with them. We use an endpoint tool on each client machine to monitor and manage web sites.
@@LAWRENCESYSTEMS Which endpoint tool is it? Does it have a management console? Is it open source? Thanks in advance for the guidance.
@@diegogarriz3857 We currently use Zorus, and I am not aware of any good open source alternative.
Cron can be useful if you want to schedule e.g. a reboot at a certain time.
Why wasn't NUT mentioned?
I almost never use it. If you're using ZFS suddenly losing power is not really an issue.
Anyone else think the little hand icon on the thumbnail was flipping the bird? Thought it was another video about OPNsense *rim shot*
What are y'all using outside of Zabbix?
Auvik
Were these particular packages proposed in order of their propensity to perform? Or just random order? 😂
What do you recommend if you don't like Snort?
Since most traffic is encrypted, IDS systems are much less useful here in 2024.
What does zabbix have to do with squid?
Nothing, I just don't use zabbix anymore and I don't recommend anyone use squid.
By chance, do all of these packages exist and set up the same way in OPNsense? I really like all of your content; appreciate you!
FreeRADIUS3, WireGuard, Tailscale, Service Watchdog, pfBlocker, OpenVPN Client Export ❤
I don't get this video, Tom. It's titled "My preferred packages" but you then go on to say you do not prefer to install Snort or Suricata!
And I explain why in the video
I purchased a couple of Netgates; I wanted to love pfSense, but honestly the way they do VLANs and interfaces is so confusing to me. I wish it was easier to use.
Let us know if you have specific questions. I found it straightforward. My job is networking and firewall related, not pfSense.
Take a breather, maybe read a bit more about VLANs and try again. Once you get the hang of it, it's just as easy as any other implementation.
It seems pretty straightforward to me as well. 🤔
If I want to create a filter for kids at home, which packages or setup would you recommend?
You can start with just using Cloudflare for Families for DNS and redirecting all DNS traffic so it is forced over pfSense.
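The forced-DNS redirect that the Pi-hole comment above describes and that this reply recommends, written out as an added pf.conf-style fragment. This is example configuration, not from the video, from pfSense or from the commenters; the interface name and the addresses are assumptions, and on pfSense you would enter the equivalent through the GUI (Firewall > NAT > Port Forward and Firewall > Rules) rather than edit pf.conf, then inspect what it generated in /tmp/rules.debug.

```pf
# Added example: pf.conf-style rules that force every plain-DNS query from the LAN
# through the local resolver. Not pfSense's, the video's or a commenter's config.
# Interface name and addresses below are hypothetical.

lan_if   = "igb1"               # LAN interface (assumed)
lan_net  = "192.168.10.0/24"    # LAN network (assumed)
resolver = "192.168.10.5"       # Pi-hole / local resolver (assumed)

# 1. The resolver's own upstream queries must NOT be redirected back to itself,
#    or they loop. Translation rules are first-match, so this exemption goes first
#    (this is the "except Pi-hole itself" part).
no rdr on $lan_if inet proto { tcp udp } from $resolver to any port 53

# 2. Redirect every other plain-DNS query from the LAN, whichever public resolver
#    the client asked for, to the local resolver. Only the destination address is
#    rewritten, so the resolver still sees and logs the real client address.
rdr on $lan_if inet proto { tcp udp } from $lan_net to ! $resolver port 53 -> $resolver port 53

# 3. Filter rules are evaluated against the translated destination, so the
#    redirected traffic needs a pass rule (pfSense adds this "associated filter
#    rule" automatically when you create the port forward).
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $resolver port 53 keep state

# 4. DNS-over-TLS (tcp/853) cannot be transparently redirected, because the TLS
#    certificate would not match the name the client expects. Block it with a
#    reset so clients that support fallback drop back to plain DNS, which step 2 catches.
block return in quick on $lan_if inet proto tcp from $lan_net to ! $resolver port 853

# Caveat: DNS-over-HTTPS rides on tcp/443 to ordinary-looking web endpoints and is
# NOT caught by any rule above. Stopping it needs a list of known DoH resolver
# hostnames or addresses (for example a DNSBL feed) or control of the endpoint.
```

To check that the redirect actually bites, point a client at an external resolver (for example `dig @9.9.9.9 example.com`) and confirm the query shows up in the local resolver's query log. Because a plain rdr rewrites only the destination, that log entry should carry the client's address; if it shows the firewall's address instead, an outbound NAT rule on the LAN interface is also translating the source. These rules do nothing about DoH in the browser, which is the bypass discussed further up the thread.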
WAN IP address…
First
You have replaced Zabbix with Uptime Kuma?
Essentially yes, but Uptime Kuma does not have nearly the same features as Zabbix; I also did not really need all those features.
@@LAWRENCESYSTEMS thanks for the reply