Kiwifruta: @michaelmurfy thanks for pi-hole suggestion. I had to read it 3 times before I finally understood it all. And that's not a dig at your articulation.
I do appreciate all your posts, so informative and practical too.
So in the physical network configuration, would the raspberry-pi be connected to a LAN port of the router? (Our UFB connection only requires setting up the router as a DHCP client, with VLAN tagging set to 10.)
Sure is - essentially set the DHCP server on your router to hand out the address of your Pi-Hole installation. I've currently got it running on a Raspberry Pi (Primary DNS) as well as a Debian server (Secondary DNS) with some sync scripts keeping all the configuration in check (screenshot). Both instances are running dnscrypt for security.
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440
Quic: https://account.quic.nz/refer/473833 R473833EQKIBX
mentalinc: Pi-hole will stop sky go from working.. Haven't found the right hosts to white list yet
Appears to be working with me? But I don't have Sky so can't sign in to fully test.
Michael Murphy | https://murfy.nz
It fails to start the stream from playing, you can login it's just once it should start playing nothing happens then you get an error message.
Kiwifruta: Looks like I'll stay with OpenWrt for now and add pi-hole support later on.
What are your recommendations for
i) securing a home network
ii) keeping the kids safe, besides teaching them, which we already do
Sorry what I was getting at was this:
So, with a pi-hole you can add custom lists (including massive ones to block adult sites), but also you're able to put a file in your /etc/dnsmasq.d/ directory to enforce Google Safesearch:
#/etc/dnsmasq.d/safesearch.conf
# dnsmasq's cname option takes comma-separated arguments: cname=<alias>,<target>
# dnsmasq only answers a cname whose target it knows locally (e.g. from /etc/hosts or host-record)
cname=google.co.nz,forcesafesearch.google.com
cname=google.com,forcesafesearch.google.com
cname=google.com.au,forcesafesearch.google.com
When you redirect your DNS to your pi-hole it'll force all DNS queries to get filtered before passing over to OpenDNS family shield - this will in turn add an extra layer of protection. This doesn't stop a tech-savvy kid from doing something like using a proxy server to access the internet however will filter most queries.
There is no solution that is 100% effective - trust me. SNUP (Network4learning) has this constant problem and yes I've seen kids find ways to get around that to pr0n or obscene imagery - now, the network4learning is a pretty aggressive proxy solution designed for schools. But, with running your own DNS server it means you're able to monitor the DNS queries coming from your family's devices and if you don't like it - just add it to the /etc/pihole/blacklist.conf file and run pihole -g to update your lists.
This is the reason I recommended it - it gives you flexibility, is a cheap solution and works really well - plus, enables you to use OpenDNS over dnscrypt.
Lastly, if you really wanted to enforce your actions adding firewall rules on your OpenWRT router to block anything but Port 80 / 443 (and maybe 25565 if they're into Minecraft like most kids) will ensure products like Tunnelbear etc should fail to connect however even such products are savvy at getting past even the most strict firewall solutions.
tl;dr: did work for schools, no solution is going to be 100% but the above will get 99% sorted.
Michael Murphy | https://murfy.nz
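The query monitoring described in the post above, as an added example that is not part of the original post: a Python script that summarises a Pi-hole query log per client and lists watched domains that were answered rather than blocked, as candidates to review before adding them to the blacklist. The log line wording, the sample lines and the watch terms are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq log style Pi-hole writes to its query log
# (line format, including the "gravity blocked" wording, is assumed; data is made up).
SAMPLE_LOG = """\
Mar  4 19:02:11 dnsmasq[812]: query[A] www.google.co.nz from 192.168.1.23
Mar  4 19:02:11 dnsmasq[812]: forwarded www.google.co.nz to 127.0.0.1
Mar  4 19:02:15 dnsmasq[812]: query[A] ads.example.net from 192.168.1.23
Mar  4 19:02:15 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Mar  4 19:03:40 dnsmasq[812]: query[AAAA] api.tunnelbear.example from 192.168.1.40
Mar  4 19:03:40 dnsmasq[812]: forwarded api.tunnelbear.example to 127.0.0.1
Mar  4 19:04:02 dnsmasq[812]: query[A] free-proxy.example.org from 192.168.1.40
Mar  4 19:04:02 dnsmasq[812]: cached free-proxy.example.org is 203.0.113.9
"""

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCKED = re.compile(r": (?:\S+ )?(?:blocked|blacklisted) (\S+) is ")

def review(log_text, watch=("tunnelbear", "proxy", "vpn")):
    """Summarise queries per client: count, blocked domains, watch-term hits."""
    report = defaultdict(lambda: {"queries": 0, "blocked": set(), "watch_hits": set()})
    last_asker = {}  # domain -> client that most recently asked for it
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            domain, client = m.group(2).lower(), m.group(3)
            report[client]["queries"] += 1
            last_asker[domain] = client
            if any(term in domain for term in watch):
                report[client]["watch_hits"].add(domain)
            continue
        m = BLOCKED.search(line)
        if m and m.group(1).lower() in last_asker:
            report[last_asker[m.group(1).lower()]]["blocked"].add(m.group(1).lower())
    return dict(report)

def blacklist_candidates(report):
    """Watched domains that were answered rather than blocked, for manual review."""
    found = set()
    for entry in report.values():
        found |= entry["watch_hits"] - entry["blocked"]
    return sorted(found)

if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for client, entry in sorted(summary.items()):
        print(client, entry["queries"], sorted(entry["blocked"]))
    print("review before blacklisting:", blacklist_candidates(summary))
```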
I tried searching for "Pi-hole", but my pfSense's filtering (pfBlockerNG and custom host files) censored the term.
You have to admit that "Pi-hole" sounds just too dodgy.
In that case: https://goo.gl/PW3KUS (had to shorten that link because of the company being "Foolish IT" and if you put those words together you get a word that GZ doesn't like).
I've got some ransomware samples so will run them on a VM to see if it gets owned.
Michael Murphy | https://murfy.nz
Thanks Michael. My name is Dwayne by the way.
My cousin fell victim to ransomware, by clicking on a .zip file purportedly from her ISP. She didn't pay up but reinstalled her OS and lost her files from her studies as a consequence.
I said I'd help her set up her computer (and hopefully router too if it's up to the task) to prevent that and other things happening again. I've googled around and read a few things about securing a home network, most of the key ones I knew already, but I knew there was still more I didn't know. This prompted my starting this thread. I was wondering if pfSense (or OpenWrt) could be used to filter out dodgy emails or email attachments. I imagine the blacklist (or algorithms) for filtering dodgy email attachments would be huge and beyond the hardware capabilities of a non-x86 OpenWrt consumer router, and more suited to router firmware installed on an x86 device. However, maybe a raspberry pi could do this too.
Best practice, obviously, is to not set up users with administrator rights and never open such attachments in the first place. But not everyone knows that, or would even know how to implement it. So I began thinking is there a solution that can be set up on router (or a replacement to the ISP provided modem/router) at home to guard the home network? With IoT here, home networks need to be even more secure.
Putting anti-virus etc software on a PC, smart device etc, impacts the devices' performances and can become expensive when there are many devices, and if a visitor logs on to a friend's wifi network and there is some sort of malware on their device it can still do some damage on the host's network. So a solution located at the gateway would be much more cost effective and a set up once and work forever solution.
Thanks for pointing out the google forced strict search on the router.
1) Setting up dnscrypt on OpenWRT is pretty straight-forward however my only experience was on an alternative firmware (Tomato Shibby or Advanced Tomato) which has the dnscrypt client built in. By following the guide on the OpenWRT Wiki you should be able to set it up in a snap - https://wiki.openwrt.org/inbox/dnscrypt and for OpenDNS Family Shield use "cisco-familyshield" instead of Cisco in that guide (is in the file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).
2) Safesearch on OpenWRT should be pretty straight-forward. A way of doing it would be to add a new file in /etc/dnsmasq.d/safesearch.conf with:
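#/etc/dnsmasq.d/safesearch.conf
# dnsmasq's cname option takes comma-separated arguments: cname=<alias>,<target>
# dnsmasq only answers a cname whose target it knows locally (e.g. from /etc/hosts or host-record)
cname=google.co.nz,forcesafesearch.google.com
cname=google.com,forcesafesearch.google.com
cname=google.com.au,forcesafesearch.google.com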
I don't have an OpenWRT router so not 100% sure on this one sorry.
Michael Murphy | https://murfy.nz