Geekzone: technology news, blogs, forums
Topic # 195079 5-Apr-2016 18:43
For a home user, what advantages and disadvantages does pfSense offer over OpenWrt?

I use OpenDNS Family Shield on my OpenWrt router and redirect all port 53 requests to the router. This blocks porn but not on Google image searches. Can pfSense filter Google image results, i.e. block porn images from search results? I know this setting is available on Google search itself.

I have an ad blocker installed on OpenWrt.

All our emails are web-based so Gmail/Hotmail filter out the spam.



mdf


  Reply # 1526498 5-Apr-2016 19:58

For the home user? Probably a bricked device. I've tried OpenWRT twice and both times fled to the relative safety of DD-WRT and Tomato.

As I understand it (and I will disclaim any and all expert knowledge), OpenWRT started out primarily as firmware for embedded devices (i.e. purpose-built routers). pfSense started out as something to be installed on full-blown x86 architecture. Both have evolved a long way since then though.

If you're just trying to filter naughty images, you might like to have a look at Squid. Google tells me it's compatible with both OpenWRT and pfSense, but I've only ever installed it on a dedicated device (e.g. Raspberry Pi). Using it as a transparent proxy, you can add ufdbGuard to make naughtiness verboten. It advertises an option to enforce Google SafeSearch, though again I've not done that myself (my project was quite different and ended up being more trouble than it was worth, so was binned halfway through).






  Reply # 1526554 5-Apr-2016 21:16

Thanks, I'll look into Squid. I have OpenWrt on two devices and it works well. Gargoyle was good too.

I forgot to mention that I've blocked the WAN ports so that the router passes all the www.grc.com tests.

For me, I believe security and QoS are the two biggest requirements.

Gargoyle has great QoS but no VLAN tagging on the GUI, and the last I looked the VLAN tags drop off every time the network settings are changed. I haven't yet got my head around how to use the QoS on OpenWrt. How easily can QoS be configured on pfSense? What QoS options does pfSense offer?

 
 
 
 


Meow

  Reply # 1526619 6-Apr-2016 00:05

I personally run Pi-Hole (https://pi-hole.net/) on my Raspberry Pi 2 and that is my main DNS server - I also have a VM container that mirrors the DNS config as a secondary resolver (really, my network is overkill) and use OpenDNS on the network with dnscrypt. The problem with this setup is it means you can't whitelist sites; however, if I visit a site that I know is supported by ads I pay them directly (notice the subscription tag on Geekzone?). Basically, I block ads, Microsoft stuff and anything harmful because as an IT person I really want to avoid having to come home to do tech support on any devices on my network.

This has its advantages since my dns4me hosts file runs directly on a dedicated DNS server - and DNS also resolves insanely quickly since it has freed up your router to route internet and firewall only. My router also forwards all DNS queries to the Raspberry Pi for those stubborn ones like Chromecasts etc. I was going to write a tutorial on getting something like this running; however, I didn't want to potentially take any ad revenue from Mauricio.

Long story cut short, I have also experimented with pr0n blocking on Google Images; however, nothing is perfect - Family Shield is almost as good as you're ever going to get here. Running a proxy is complex for your average user and on today's high-speed connections has the potential to actually slow down your browsing. People will always find their way around the blocks, so it is better to educate than to downright block, hoping (if it is a parent-kids situation) that the kid will have some respect.

If you've got Family Shield running, using the Pi-Hole method enables you to even track what kinds of Google searches they're doing - and from what IP - so you can have "that talk". Basically, if they know that you can see what they're doing then they're more likely to just not do it.

But for $50 or so (for a Raspberry Pi) it offers some decent protection from malware, pr0n etc. and with the correct firewall rules is pretty hard to get around. I would recommend against going to pfSense only since it involves more (often expensive in electricity) hardware, and the setup you've got is actually more than capable of achieving what you're wanting.

Unless your budget is unlimited, in which case get a Cisco Meraki router (around $1k) along with their license (around $1k also), which should block almost anything dodgy ;)
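To make the hosts-file mechanism behind the post above concrete, here is an added Python example. It is not Pi-Hole's own code and not the poster's setup: it loads a constructed blocklist in the hosts-file format a Pi-Hole style sinkhole consumes, plus a constructed whitelist in the style of /etc/pihole/whitelist.txt, and decides per query name whether to hand back the sinkhole address or the real answer. The whitelist-wins rule and the parent-domain matching are my assumptions, not Pi-Hole's documented behaviour.

```python
"""Hosts-file blocklist plus whitelist override: the mechanism a Pi-Hole style
DNS sinkhole uses to decide whether a name resolves normally or to a dead address.
Added example, not Pi-Hole's own code; every list entry below is constructed."""

# Constructed blocklist in the hosts-file format a gravity-style list uses.
# A line carries a sinkhole address followed by one or more hostnames.
SAMPLE_BLOCKLIST = """\
# constructed sample: sinkhole address, then hostname(s)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org telemetry.example.org
0.0.0.0 www.msftncsi.com   # a connectivity-check host swept up by a list
"""

# Constructed whitelist, one name per line, in the style of /etc/pihole/whitelist.txt.
SAMPLE_WHITELIST = """\
www.msftncsi.com
"""

SINKHOLE = "0.0.0.0"  # address a blocked name resolves to


def _normalise(name):
    """Lower-case and strip a trailing dot so 'Ads.Example.NET.' matches the list."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text):
    """Return the set of hostnames in a hosts-file formatted blocklist."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        # fields[0] is the sinkhole address; everything after it is a hostname
        blocked.update(_normalise(f) for f in fields[1:])
    return blocked


def parse_whitelist(text):
    """Return the set of whitelisted hostnames (one per line, '#' comments allowed)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(_normalise(line))
    return names


def parent_domains(name):
    """'a.b.example.net' -> ['a.b.example.net', 'b.example.net', 'example.net', 'net']."""
    labels = _normalise(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def resolve_decision(qname, blocked, whitelist):
    """Decide 'allow' or 'block' for one query name.

    Assumptions (mine): the whitelist wins over the blocklist, and a listed
    parent domain also covers its subdomains, so 'cdn.ads.example.net' is
    blocked when 'ads.example.net' is listed.
    """
    candidates = parent_domains(qname)
    if any(c in whitelist for c in candidates):
        return "allow"
    if any(c in blocked for c in candidates):
        return "block"
    return "allow"


def answer_for(qname, blocked, whitelist, real_ip):
    """Return what a filtering resolver would answer: the sinkhole address for
    blocked names, otherwise the genuine answer supplied by the caller."""
    if resolve_decision(qname, blocked, whitelist) == "block":
        return SINKHOLE
    return real_ip


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    allowed = parse_whitelist(SAMPLE_WHITELIST)
    for q in ["ads.example.net", "cdn.ads.example.net", "www.msftncsi.com", "geekzone.co.nz"]:
        print(q, "->", resolve_decision(q, blocked, allowed))
```

The whitelist check runs before the blocklist check so that a connectivity-check hostname pulled in by an aggressive list can be released without editing the list itself, which is the kind of fix the whitelist file exists for.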

 

 






  Reply # 1526663 6-Apr-2016 07:13

Kiwifruta:

Gargoyle has great QoS but no VLAN tagging on the GUI, and the last I looked the VLAN tags drop off every time the network settings are changed. I haven't yet got my head around how to use the QoS on OpenWrt. How easily can QoS be configured on pfSense? What QoS options does pfSense offer?

What do you want (or expect) QoS to do? Many people who post on here have very unrealistic expectations of what QoS on a network actually does, and more importantly that you can't really control inbound traffic to your router, just outbound.

 

 






  Reply # 1526670 6-Apr-2016 07:29

sbiddle:

Kiwifruta:

Gargoyle has great QoS but no VLAN tagging on the GUI, and the last I looked the VLAN tags drop off every time the network settings are changed. I haven't yet got my head around how to use the QoS on OpenWrt. How easily can QoS be configured on pfSense? What QoS options does pfSense offer?

What do you want (or expect) QoS to do? Many people who post on here have very unrealistic expectations of what QoS on a network actually does, and more importantly that you can't really control inbound traffic to your router, just outbound.

The biggest thing for me is just to turn off and turn on wifi at set times.

In fact, that is my only requirement of QoS.


  Reply # 1527340 6-Apr-2016 21:41

Kiwifruta:

sbiddle:

Kiwifruta:

Gargoyle has great QoS but no VLAN tagging on the GUI, and the last I looked the VLAN tags drop off every time the network settings are changed. I haven't yet got my head around how to use the QoS on OpenWrt. How easily can QoS be configured on pfSense? What QoS options does pfSense offer?

What do you want (or expect) QoS to do? Many people who post on here have very unrealistic expectations of what QoS on a network actually does, and more importantly that you can't really control inbound traffic to your router, just outbound.

The biggest thing for me is just to turn off and turn on wifi at set times.

In fact, that is my only requirement of QoS.

That is in no way what QoS does....

Sounds like the feature you are looking for would be called something like 'Wifi Scheduling' - most decent residential-grade routers have this; I would assume Gargoyle has this too.




  Reply # 1527341 6-Apr-2016 21:46

If you're looking at pfSense (i.e. a PC-based solution) then look at Untangle. It does filtering, including optional HTTPS, spam, ad-blocking, reporting, virus scanning etc. I run it on a dual-core AMD with a 2-port NIC, and it's the router for my UFB connection. I run the free version but you can upgrade modules for better levels of protection.

Rock solid, no impact on downloads, and tells me who downloads what, as well as who tries to download what.




  Reply # 1527345 6-Apr-2016 21:48

Untangle also does true QoS:

http://wiki.untangle.com/index.php/QoS

"Quality of Service (QoS for short) is a mechanism to ensure high-quality performance to latency- and bandwidth-sensitive applications. It allows for the prioritization and differential treatment of traffic based on rules. Most often this is used to improve the performance of latency and bandwidth sensitive applications and traffic (like VoIP) at the cost of less important traffic such as peer-to-peer."






  Reply # 1527359 6-Apr-2016 22:21

chevrolux:

Kiwifruta:

sbiddle:

Kiwifruta:

Gargoyle has great QoS but no VLAN tagging on the GUI, and the last I looked the VLAN tags drop off every time the network settings are changed. I haven't yet got my head around how to use the QoS on OpenWrt. How easily can QoS be configured on pfSense? What QoS options does pfSense offer?

What do you want (or expect) QoS to do? Many people who post on here have very unrealistic expectations of what QoS on a network actually does, and more importantly that you can't really control inbound traffic to your router, just outbound.

The biggest thing for me is just to turn off and turn on wifi at set times.

In fact, that is my only requirement of QoS.

That is in no way what QoS does....

Sounds like the feature you are looking for would be called something like 'Wifi Scheduling' - most decent residential-grade routers have this; I would assume Gargoyle has this too.

Okay, thanks. I was thinking that wifi scheduling was under QoS settings in Gargoyle. Thanks for clarifying that Wifi Scheduling is the correct term.



  Reply # 1529037 9-Apr-2016 15:45

michaelmurfy:

I personally run Pi-Hole (https://pi-hole.net/) on my Raspberry Pi 2 and that is my main DNS server - I also have a VM container that mirrors the DNS config as a secondary resolver (really, my network is overkill) and use OpenDNS on the network with dnscrypt. The problem with this setup is it means you can't whitelist sites; however, if I visit a site that I know is supported by ads I pay them directly (notice the subscription tag on Geekzone?). Basically, I block ads, Microsoft stuff and anything harmful because as an IT person I really want to avoid having to come home to do tech support on any devices on my network.

This has its advantages since my dns4me hosts file runs directly on a dedicated DNS server - and DNS also resolves insanely quickly since it has freed up your router to route internet and firewall only. My router also forwards all DNS queries to the Raspberry Pi for those stubborn ones like Chromecasts etc. I was going to write a tutorial on getting something like this running; however, I didn't want to potentially take any ad revenue from Mauricio.

Long story cut short, I have also experimented with pr0n blocking on Google Images; however, nothing is perfect - Family Shield is almost as good as you're ever going to get here. Running a proxy is complex for your average user and on today's high-speed connections has the potential to actually slow down your browsing. People will always find their way around the blocks, so it is better to educate than to downright block, hoping (if it is a parent-kids situation) that the kid will have some respect.

If you've got Family Shield running, using the Pi-Hole method enables you to even track what kinds of Google searches they're doing - and from what IP - so you can have "that talk". Basically, if they know that you can see what they're doing then they're more likely to just not do it.

But for $50 or so (for a Raspberry Pi) it offers some decent protection from malware, pr0n etc. and with the correct firewall rules is pretty hard to get around. I would recommend against going to pfSense only since it involves more (often expensive in electricity) hardware, and the setup you've got is actually more than capable of achieving what you're wanting.

Unless your budget is unlimited, in which case get a Cisco Meraki router (around $1k) along with their license (around $1k also), which should block almost anything dodgy ;)

Any chance you could give me some pointers on getting an EdgeRouter Lite to point to the Pi-Hole server? Easy enough to change on Windows, but I would like it happening for all network devices.


Meow

  Reply # 1529233 9-Apr-2016 20:52

It is pretty simple really.

First, set up your Pi-Hole server (either on a dedicated Linux box or an actual Raspberry Pi - for me I have it running on both an OpenVZ container and a Raspberry Pi for redundancy). I'd recommend using dnscrypt (https://github.com/pi-hole/pi-hole/wiki/DNSCrypt) as well, and using both the CloudNS nameservers in Australia (https://cloudns.com.au/) if you care about privacy too. I tried OpenDNS; however, it was too evasive for me and I'd rather have something a little more private.

On your EdgeRouter you want to disable DNS forwarding first to clear out any old rules and then re-enable it with something like this:

20:45 mmurphy@charmander ~ $ show service dns forwarding
cache-size 0
listen-on eth1
listen-on eth1.50
listen-on eth2
name-server 192.168.2.8
name-server 192.168.2.10

Note: in my instance I had to reboot my EdgeRouter after doing this - it was still not letting DNS through to my internal DNS servers despite the configuration being fine.

Then enable some NAT forwarding for devices like Chromecasts that refuse to use anything but Google DNS:

20:44 mmurphy@charmander ~ $ show service nat rule 3
description "DNS Forward"
destination {
    port 53
}
inbound-interface eth1
inside-address {
    address 192.168.2.1
    port 53
}
log disable
protocol tcp_udp
source {
    address 192.168.2.20-192.168.2.254
}
type destination

Set your EdgeRouter's system DNS to your Pi-Hole and you're essentially done. I found it was best to do DNS forwarding through the EdgeRouter for devices that refuse to use your own DNS. If you do this, then please subscribe to this site since it relies on ads or subscribers to stay active (and subscribing is cheap).

Also, add these to /etc/pihole/whitelist.txt:

gse.google.com
msn.com
dns.msftncsi.com
msftncsi.com
www.msftncsi.com

and this will fix the issue with stuff.co.nz, spark.co.nz, your computer thinking it doesn't have an internet connection, and a few other things. You'll need to play around with the rest to get a result that suits you.
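Because a port-53 redirect like the NAT rule above is only as good as its coverage, here is an added Python example (mine, not Ubiquiti's code and not the poster's configuration) that parses the brace-structured "show service nat rule" output into a dict and audits it: protocol covers both UDP and TCP, destination port is 53, the inside address is the intended resolver, the internal resolvers sit outside the redirected range (otherwise their upstream queries would loop back), and every LAN address the rule does not cover is listed so you can confirm each exemption is infrastructure rather than a client that can bypass the filter. The sample rule copies the structure and addresses shown above; the LAN subnet, resolver list and checks are my assumptions.

```python
"""Parse an EdgeOS 'show service nat rule' block and audit a port-53 redirect.

Added example, not Ubiquiti's code and not the poster's configuration: the
parser and the checks are mine; the sample below only mirrors the structure
of the rule shown in the thread, with the same constructed private addresses."""
import ipaddress

# Constructed sample modelled on the 'show service nat rule 3' output above.
SAMPLE_RULE = """\
description "DNS Forward"
destination {
    port 53
}
inbound-interface eth1
inside-address {
    address 192.168.2.1
    port 53
}
log disable
protocol tcp_udp
source {
    address 192.168.2.20-192.168.2.254
}
type destination
"""


def parse_edgeos_block(text):
    """Turn brace-structured 'show' output into nested dicts.
    A key that repeats inside one block (e.g. several listen-on lines) becomes a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            block = stack[-1]
            if key in block:
                if not isinstance(block[key], list):
                    block[key] = [block[key]]
                block[key].append(value)
            else:
                block[key] = value
    return root


def parse_range(spec):
    """'a.b.c.d-a.b.c.e' or CIDR -> (first, last) as IPv4Address."""
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
        return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    net = ipaddress.IPv4Network(spec, strict=False)
    return net[0], net[-1]


def audit_dns_redirect(rule, lan_cidr, redirect_target, resolver_ips):
    """Check that a destination-NAT rule forces LAN DNS to redirect_target.

    Returns {'findings': [...], 'exempt_hosts': [...]}. findings is empty when
    the rule looks right. exempt_hosts are LAN addresses the rule leaves alone:
    required for the internal resolvers (or their upstream lookups would loop),
    but a filter bypass for any ordinary client that lands in that range."""
    findings = []
    if rule.get("type") != "destination":
        findings.append("type is not 'destination'")
    if rule.get("protocol") != "tcp_udp":
        findings.append("protocol is not tcp_udp; DNS uses UDP and TCP, so one alone leaves a gap")
    if rule.get("destination", {}).get("port") != "53":
        findings.append("destination port is not 53")
    inside = rule.get("inside-address", {})
    if inside.get("address") != redirect_target:
        findings.append("inside-address is not the intended resolver " + redirect_target)
    if inside.get("port", "53") != "53":
        findings.append("inside-address port is not 53")
    lan = ipaddress.IPv4Network(lan_cidr)
    lo, hi = parse_range(rule.get("source", {}).get("address", lan_cidr))
    for r in resolver_ips:
        if lo <= ipaddress.IPv4Address(r) <= hi:
            findings.append("resolver %s is inside the redirected range (loop)" % r)
    exempt = [str(h) for h in lan.hosts() if not (lo <= h <= hi)]
    return {"findings": findings, "exempt_hosts": exempt}


if __name__ == "__main__":
    rule = parse_edgeos_block(SAMPLE_RULE)
    report = audit_dns_redirect(rule, "192.168.2.0/24", "192.168.2.1",
                                ["192.168.2.8", "192.168.2.10"])
    print("findings:", report["findings"] or "none")
    print("exempt hosts:", report["exempt_hosts"][0], "...", report["exempt_hosts"][-1])
```

With the sample rule the audit reports no findings and lists 192.168.2.1 through 192.168.2.19 as exempt; that range is where the router and the two internal resolvers live, so the exemption is what keeps the forwarding from looping, but any other device given a static address there would talk to whatever DNS server it likes.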

 

 






  Reply # 1529262 9-Apr-2016 21:46

Anyone have a good dnsmasq config for unotelly?






Meow

  Reply # 1529295 9-Apr-2016 23:25

mentalinc: Anyone have a good dnsmasq config for unotelly?

I already went vastly off-topic with my above post - for that, you're best to ask in the private forums, which I've now enabled you for (look at the bottom of the forums link above).





'That VDSL Cat'

  Reply # 1529635 10-Apr-2016 20:05

michaelmurfy:

mentalinc: Anyone have a good dnsmasq config for unotelly?

I already went vastly off-topic with my above post - for that, you're best to ask in the private forums, which I've now enabled you for (look at the bottom of the forums link above).

There's another place to poke around here, huh?

I have held off commenting here till the OP's position was a little more clear. TBH, I think you're better off with OpenWrt, DD-WRT, Tomato or the such based off the few things you have made comment on here.

I'm a huge fan of running pfSense myself; I love having the full control and having devices set out to just do their single task where appropriate.

Personally, filtering is a whole different point to go down; I have not played with any of that apart from a few DNS and purely HTTP controlled points. Fact is, if you block something, people will work around it, find an alternative service. Blocking through teaching what's okay and what's not is still my favourite place to go.

A transparent proxy/DNS log could be useful for that use case, when it comes to a talk about "hey, you're visiting places you shouldn't".





#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.






  Reply # 1529968 11-Apr-2016 11:15

hio77:

michaelmurfy:

mentalinc: Anyone have a good dnsmasq config for unotelly?

I already went vastly off-topic with my above post - for that, you're best to ask in the private forums, which I've now enabled you for (look at the bottom of the forums link above).

There's another place to poke around here, huh?

I have held off commenting here till the OP's position was a little more clear. TBH, I think you're better off with OpenWrt, DD-WRT, Tomato or the such based off the few things you have made comment on here.

I'm a huge fan of running pfSense myself; I love having the full control and having devices set out to just do their single task where appropriate.

Personally, filtering is a whole different point to go down; I have not played with any of that apart from a few DNS and purely HTTP controlled points. Fact is, if you block something, people will work around it, find an alternative service. Blocking through teaching what's okay and what's not is still my favourite place to go.

A transparent proxy/DNS log could be useful for that use case, when it comes to a talk about "hey, you're visiting places you shouldn't".

Thanks.

My kids are young; the eldest is 7, so there is no way they are going to be searching for strange things. In fact, all they do is go to YouTube, and Google and the FireTV to find and play games. They do not even know about Google searching, although now that the eldest can read and write I expect that won't be far away. I'm just trying to block those accidental occurrences. One time I Google searched something about reading the scriptures and clicked on the first result, and a swingers website appeared in one of the tabs; I had had the PC just one day and hadn't set up OpenDNS Family Shield yet. Will OpenDNS Family Shield block ads for scantily clad foreign wives? Or must I use an ad-blocking service? Generally, I don't mind adverts because sometimes I find something that I end up buying, and I know ad revenue supports many websites that I frequent, including GZ.

Anyway, when I go to upgrade our family router, I was wondering if there is any advantage in running pfSense over OpenWrt. My inner geek likes the idea of 'making my own router', so a NUC loaded with pfSense appeals. OpenWrt is available on budget routers that come with WAPs. So for a home network, is pfSense really worthwhile?

OpenWrt does all that I know I need, but I'm aware there will be things I am unaware of. For example, @MichaelMurfy discussed dnscrypt; I had no idea about this, so I googled around and learned about man-in-the-middle attacks. As a consequence, my next project is getting dnscrypt set up on my home OpenWrt router.

I guess this is the crux of my query: as far as home networks are concerned, in relation to security and the blocking of kid-unfriendly ads/websites/apps, are there things that should be put in place that pfSense can do but OpenWrt cannot? Like malware detection and blocking?

We already pass the grc.com tests, OpenDNS Family Shield is in place on the router, and all port 53 traffic is directed to the router. Our devices are all Android (smartphones, FireTV) and Linux (smart TV, I assume it's Linux, and Chromecast). There is no home PC, although we will get one sometime this year, and I will set it up so that users will not have administrator/root rights.

Thanks again.
It's okay with me if this thread gets a little off topic, because it will probably be relevant to me (like dnscrypt was) and other readers.

