Kitz ADSL Broadband Information
Pages: 1 ... 4 5 [6] 7 8 ... 10

Author Topic: LAN setup  (Read 63571 times)

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #75 on: January 01, 2017, 09:10:09 PM »

Did you have to upgrade to FreeBSD v11 first?

I think I have to

underzone

  • Reg Member
  • ***
  • Posts: 442
Re: LAN setup
« Reply #76 on: January 01, 2017, 10:12:10 PM »

With the box more loaded up now, temp is still only 33C :)

The ASUS AC68 on passive cooling is over 70C even in winter.

Latency is lower than the AC68 also.

Code:
C:\Windows\system32>ping -t bbc.co.uk

Pinging bbc.co.uk [212.58.244.23] with 32 bytes of data:
Reply from 212.58.244.23: bytes=32 time=6ms TTL=56
Reply from 212.58.244.23: bytes=32 time=7ms TTL=56
Reply from 212.58.244.23: bytes=32 time=6ms TTL=56
Reply from 212.58.244.23: bytes=32 time=7ms TTL=56
Reply from 212.58.244.23: bytes=32 time=7ms TTL=56

Ping statistics for 212.58.244.23:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

Those pings are very impressive! Well done mate.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #77 on: January 02, 2017, 09:18:43 AM »

Did you have to upgrade to FreeBSD v11 first?

I think I have to

The OS is upgraded as part of the upgrade process; it's an all-in-one solution.

Nowadays FreeBSD supports binary updates, so it's still a very quick process assuming you can download the update packages quickly and the box itself is powerful enough to process all the package updates quickly. On my unit it took about 10 minutes from 2.3 to 2.4 (which includes the OS update), and about 5 from 2.2 to 2.3.

The bad news with 2.4 I think they have removed hardware crypto support on their openvpn binaries, seems an odd decision, but I may have misunderstood the post, so I have asked for clarification.

The good news is 2.4 has added newer and better QoS queuing systems so basically QoS is enhanced.

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #78 on: January 02, 2017, 09:37:54 AM »

Oh that's good news, I was concerned about the OS update. I still plan to wait for 2.4 to be the official update so I'm on 2.3.2-RELEASE-p1 (amd64) currently.

Thanks  :cool:

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: LAN setup
« Reply #79 on: January 02, 2017, 12:42:08 PM »

It blocks domains that have been found to host malware.

What options are there for lists?

I see there is Malware Patrol, and they seem to offer various lists for a fee, both for PFBlockerNG & Squid, surely you'd only need to use PFBlockerNG or Squid not both for the purpose of blocking Malware domains?
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #80 on: January 02, 2017, 01:27:13 PM »

pfBlockerNG also adds a lighttpd daemon, so it works like this.

The DNS lookup is changed to an RFC 1918 IP.
Code:
C:\Windows\system32>nslookup 152media.com.
Server:  PFSENSE.home
Address:  2a02:c7f:<censored>

Name:    152media.com
Address:  10.10.10.1

Then the traffic will be sent to the lighttpd daemon running on pfsense and a blank img is served.

So no squid or other package needed.

You can also whitelist sites listed on Alexa to try and avoid accidental breakage of popular sites from FPs.

For this to work, you need to be using the "DNS Resolver" (unbound), not the "DNS Forwarder".

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #81 on: January 02, 2017, 03:58:36 PM »

I tested a reboot with the DUID workaround and kept the same ipv6 prefix.

I will be testing the FAIRQ+codel combo later.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: LAN setup
« Reply #82 on: January 02, 2017, 05:33:23 PM »

Thanks Chrysalis, but what options are there for lists to use? It's not exactly the easiest thing to Google for.

Edit.

Have found this post which seems quite useful

https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159

« Last Edit: January 02, 2017, 05:50:05 PM by Ronski »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #83 on: January 02, 2017, 11:27:22 PM »

You already found a good lot of choices there :)

For purely malware lists that are freely available there aren't many.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #84 on: January 03, 2017, 04:11:01 PM »

Ronski, I would say

malcode
mdl
dshield_sd
mpatrol - with alexa
ms2
bbc_dga
bbc_c2

Those all look malware focused, including crypto malware; having a quick look at all those lists they don't seem to include any ads/tracking stuff.

Just be aware it's easier to add bad URLs than to remove cleaned-out ones, so it wouldn't surprise me if there are dead domains or domains that are now clean in the lists, but pfSense does allow whitelisting and Alexa will whitelist the top ranked sites.

hphosts
swc

those two for sure do include ad/tracking domains.
« Last Edit: January 03, 2017, 04:13:23 PM by Chrysalis »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #86 on: January 03, 2017, 05:51:11 PM »

I added these, which the AC68 would explode in a fit with at such a size.

Code:
===[ DNSBL Domain/IP Counts ] ===================================

 1209183 total
  809831 /var/db/pfblockerng/dnsbl/bambenek_dga.txt
  162237 /var/db/pfblockerng/dnsbl/hphost_fsa.txt
  142657 /var/db/pfblockerng/dnsbl/hphosts_emd.txt
   43810 /var/db/pfblockerng/dnsbl/malwarepatrol.txt
   26329 /var/db/pfblockerng/dnsbl/hphost_psh.txt
   17267 /var/db/pfblockerng/dnsbl/hphosts_exp.txt
    5280 /var/db/pfblockerng/dnsbl/disconnectmalvertising.txt
    1207 /var/db/pfblockerng/dnsbl/malwaredomainlist.txt
     345 /var/db/pfblockerng/dnsbl/zeustracker.txt
     100 /var/db/pfblockerng/dnsbl/malc0de.txt
      73 /var/db/pfblockerng/dnsbl/hphost_hjk.txt
      43 /var/db/pfblockerng/dnsbl/dshield_sdh.txt
       4 /var/db/pfblockerng/dnsbl/bambenek_c2.txt
       0 /var/db/pfblockerng/dnsbl/malwaredomains.txt
       0 /var/db/pfblockerng/dnsbl/disconnect_malware.txt
       0 /var/db/pfblockerng/dnsbl/disconnect_basic.txt

The biggest ones are the CryptoLocker domains; the device is now using 25% of RAM.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: LAN setup
« Reply #87 on: January 03, 2017, 07:30:27 PM »

Thanks Chrysalis for the further info, which is very useful. I did manage to get the DansGuardian feed working last night; got tripped up with a few things, didn't realise it wouldn't work until the CRON job ran, and also took ages to find/work out what a force update was. I'll detail more in my thread and add other feeds when I've got some time.

Incidentally how often should the CRON job run for pfBlockerNG?

One other thing, I understand this blocks the domain name, but would it block the actual IP address if used directly say by malware?

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #88 on: January 03, 2017, 08:47:45 PM »

A safe setting is once a day; you don't want to upset list maintainers by swamping their servers for updates.

By the way a quick update.

1 - I removed the DGA list which has 800k entries. I did some digging and found these are not verified live domains; they are generated domains from seeds that ransomware admins were found to be using for domain generation, so it's a sort of catch-all list that is designed to preempt new domains coming online and being unfiltered. But my unbound started having some issues; however I may re-add it later due to what I found in issue #3, see below.
2 - I added an IP BL for some ransomware servers. This has to be added in the IPv4 section as it's not DNS filtered but firewall filtered. The URL for the list is here; the site says it is updated every 5 mins but I, at least for now, set it to once a day. https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
3 - I discovered that unbound is restarted very frequently if it is set to host DHCP name records, basically if the static DHCP or leased DHCP boxes are ticked in DNS Resolver settings. pfSense seems to be coded badly in that whenever a DHCP record is updated it will restart unbound, which flushes its cache and reloads DNS lists, and the 800k list I had added caused unbound to be unresponsive for 30+ seconds when this happened.

Now regarding #3, on my particular network I can see in the resolver logs that unbound was being restarted every 10-20 minutes, which is way too frequent for my liking, so I copied someone else's suggestion, which is to manually maintain a DHCP DNS list which I load into unbound using the custom config box with an include line, and keep those 2 boxes unticked. I am only maintaining this for my static DHCP leases; I don't care about DNS resolution on dynamic leases.

Just reread your post.

My cron is set to every 12 hours, but I have all these lists set to only update once a day. Setting the cron to run more often shouldn't be a big deal; however it may (if you add lists at different start times) stagger updates, which would mean more DNS reloading.

Also on the DNSBL config page near the bottom is this section

"DNSBL IP Firewall Rule Settings"

I think, but I am only guessing as I have not tried it, that if you enable the "List Action" setting and select deny, then it may add the resolved IPs to the firewall.

Just be aware that many domains can be hosted on a single IP, so let's say a ransomware dude is hosting his domain on a shared web hosting server mixed in with legal customers sharing the same IP; you could also block all those sites.
« Last Edit: January 03, 2017, 08:58:39 PM by Chrysalis »
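The mechanism described in Reply #80 (blocked names answered with an RFC 1918 sinkhole address by unbound), the whitelisting in Reply #84, and the manually maintained static-lease include file and shared-IP caveat in Reply #88 can be shown end to end with a small generator. This is an added example and is not pfBlockerNG's or pfSense's own code: the feed, whitelist, leases and resolutions are constructed sample data, the "home" LAN domain is an assumption taken from the PFSENSE.home server name in the nslookup output, and emitting a `local-zone ... redirect` plus `local-data` pair per blocked domain is one valid unbound form for a sinkhole, not a claim about the exact lines pfBlockerNG writes.

```python
import ipaddress

SINKHOLE_IP = "10.10.10.1"   # sinkhole address seen in the thread's nslookup output
LOCAL_DOMAIN = "home"        # assumed LAN domain (the thread shows PFSENSE.home)

# Constructed sample feed in the mixed formats real lists use: bare domains,
# hosts-file lines, comments, trailing dots, mixed case. Not a real blocklist.
SAMPLE_FEED = """\
# constructed sample feed, not a real blocklist
152media.com
0.0.0.0 bad.example.net
127.0.0.1 cdn.example.org   # shared host, see shared_ip_collateral below
Example.COM.
static.bad.example.net
"""

SAMPLE_WHITELIST = {"example.com"}   # stands in for an Alexa-style top-sites list
SAMPLE_STATIC_LEASES = [("nas", "192.168.1.10"), ("printer", "192.168.1.20")]  # constructed


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_feed(text):
    """Return the lowercase domain names in a feed, ignoring comments and hosts-file IPs."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[1] if len(parts) > 1 and _is_ip(parts[0]) else parts[0]
        host = host.rstrip(".").lower()
        if host and not _is_ip(host):
            domains.add(host)
    return domains


def is_whitelisted(domain, whitelist):
    """A whitelist entry covers the domain itself and all of its subdomains."""
    return any(domain == w or domain.endswith("." + w) for w in whitelist)


def collapse(domains):
    """Drop entries already covered by a parent domain in the same set: a redirect
    zone answers for every name beneath it, so the child entry is redundant."""
    keep = set()
    for d in sorted(domains, key=lambda s: s.count(".")):
        if not any(d.endswith("." + k) for k in keep):
            keep.add(d)
    return keep


def dnsbl_config(feed_text, whitelist, sinkhole=SINKHOLE_IP):
    """unbound local-zone/local-data lines sending blocked names to the sinkhole."""
    blocked = {d for d in parse_feed(feed_text) if not is_whitelisted(d, whitelist)}
    lines = []
    for d in sorted(collapse(blocked)):
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {sinkhole}"')
    return lines


def static_lease_config(leases, local_domain=LOCAL_DOMAIN):
    """Forward and reverse records for static leases, for an unbound include: file.
    Keeping these out of the DHCP-registration options means lease churn does
    not restart unbound and flush its cache."""
    lines = []
    for host, ip in leases:
        fqdn = f"{host}.{local_domain}"
        lines.append(f'local-data: "{fqdn} A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


def shared_ip_collateral(blocked, resolutions):
    """Given observed domain -> IP resolutions, return {ip: other domains} for every
    blocked domain's IP that also serves domains not on the list: the sites a
    firewall-level IP block (rather than a DNS sinkhole) would take down too."""
    by_ip = {}
    for domain, ip in resolutions.items():
        by_ip.setdefault(ip, set()).add(domain)
    out = {}
    for domain in blocked:
        ip = resolutions.get(domain)
        if ip is None:
            continue
        others = by_ip[ip] - set(blocked)
        if others:
            out[ip] = sorted(others)
    return out


if __name__ == "__main__":
    print("\n".join(dnsbl_config(SAMPLE_FEED, SAMPLE_WHITELIST)))
    print("\n".join(static_lease_config(SAMPLE_STATIC_LEASES)))
    # constructed resolutions: the blocked CDN name shares its IP with an unlisted shop
    sample_resolutions = {"cdn.example.org": "203.0.113.7", "shop.example": "203.0.113.7"}
    print(shared_ip_collateral({"cdn.example.org"}, sample_resolutions))
```

The whitelist check is suffix based on purpose: whitelisting example.com protects www.example.com as well, which is what an Alexa-style list is for, while leaving example.com.evil.test blocked. `shared_ip_collateral` is the check to run before turning a DNS list into firewall IP rules, since one shared-hosting address can carry many unrelated sites.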

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #89 on: January 04, 2017, 01:06:41 PM »

Was using my phone in bed earlier and there was an internet outage; when I checked pfSense later I found it had a kernel panic and self rebooted, so I seem to have a hardware issue somewhere or a configuration issue.

I think the 2 most likely culprits are the RAM and the add-on Intel card (there are reported issues in pfSense with Intel add-on cards). I have disabled MSI-X on the Intel ports and also reverted a tunable I played with yesterday and will see if it stays stable; if I get another panic I will test the RAM.