I like RADIUS for WiFi; once it’s set up, it’s easy to use. WPA2 Enterprise is more secure in that each connection uses its own key rather than a single preshared key, which prevents someone with the key from sniffing other WiFi traffic on the network. It also allows you to manage and, importantly, revoke users, plus it allows the client device to verify the identity of the server (much like HTTPS), which helps protect against someone spoofing the AP to try and get the password.
Awesome, thanks for sharing this. It seems like a great option. I do have a WPA2 option; I may try that on the router to see how devices react before I move over to the OPNsense firewall/router and turn the current router into an AP mesh for the new place. I tried WPA3, but most of my devices couldn’t connect no matter how much restarting etc.
I know I’m doing way more than is needed, but I want to learn, so that’s why I’m trying to implement all I can at home as I learn. I’m finally getting network layers down and an understanding of how WAN and LAN interact through the router etc.
Adventures in the New Network…and OPNsense.
Here’s the new network… so far…
And here’s the office so far.
So far I have implemented the firewall successfully. I was banging my head against the wall for a bit because I was being TOO detailed in assigning static IPs and information while defining my network via OPNsense.
I.e., when setting up a static IP I would also add in the DNS address, network name and all kinds of info… This led to problems when I tried to set up dnsmasq to use the firewall as the route for all DNS requests to my pihole device. I also lost all internet access because I never set up the allow-all rule to let my devices connect to the internet on the second network, which was not set up automatically… I had DNS errors all over and it was a mess.
The key points that saved me:
1.) Make sure you have the basic rules in place to allow all networks to communicate with each other and the internet on ALL networks (I was setting up 3 and only one was really “configured”).
2.) Set up your rules BEFORE you decide to start handing out static IPs, OR just set the IP and not all the other options until you have it set up how you want (except maybe DNS, NTP etc.).
3.) The device I attempted to use to test my rules allowing cross traffic between networks to different devices was a WD My Cloud EX (not the 2 version, which is still supported by WD, fyi). Come to find out, as a security feature the OS itself does NOT allow that by default UNLESS you activate “Cloud Access”, which I cannot enable because it is no longer supported with security updates from WD.
The parts that messed me up…
Using rules to allow DNS access on ports 53 and 853 between networks while trying to use a wrongly configured dnsmasq that wasn’t connected to the internet, vs. the default rule and static IPs with DNS IPs assigned.
Trying to connect to a device that WOULDN’T allow the connection!
Now that I’m past these few issues it’s been working quite well…
Other interesting facts about firewalls that are useful when setting up rules:
-Invert is a useful option to combine two rules in one, i.e. “block such-and-such to (inverted) destination” blocks all traffic to everywhere BUT the destination. Kinda cool, and it can be used for source as well. (Thanks @Biky!!!)
-If it’s a network you need, keep backups of working settings and revert as needed (i.e. I used it to make sure the wife had her Plex DVR and phone access to FB, Pinterest and Instagram).
-ASUS RT-AX92U works great as a WiFi 6 AP; sadly, when put in “Mesh” mode without a wired backhaul, the WiFi 6 band is used for wireless backhaul and is not available for device connectivity.
-I had more, but brain fart; I’ll add more as it comes to me…
References: Easy to follow Small Secure (dual-stack) Network Firewall and Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX - #60 by PhaseLockedLoop and Recursive DNS With AD-Blocking Features - Part 1 | Nerd For Tech and https://homenetworkguy.com/
Hope it’s ok to do external links…
To do: Need to learn to set up port mode on my Cisco switch, and use the firewall to create VLANs to assign that traffic to ports on the switch. This isn’t really needed because I have two mesh networks I can set up with hardware I have: ASUS RT-AX92U and a Linksys mesh system for IoT.
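The two rule behaviours the post above leans on (first matching rule wins, so an allow for DNS on 53/853 must sit above the cross-network block, and an inverted destination matches everything except the named network) can be checked in a small first-match evaluator. This is an added example, not OPNsense code or anything from the thread; the networks, the pihole address and the rule order are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # source network in CIDR
    dst: str                         # destination network in CIDR
    ports: Optional[Tuple[int, ...]] # destination ports, None = any
    invert_dst: bool = False         # True = match everything EXCEPT dst


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    src_ok = ip_address(src) in ip_network(rule.src)
    dst_in = ip_address(dst) in ip_network(rule.dst)
    # "invert" flips the destination test: hit when dst is outside rule.dst
    dst_ok = (not dst_in) if rule.invert_dst else dst_in
    port_ok = rule.ports is None or port in rule.ports
    return src_ok and dst_ok and port_ok


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First matching rule decides (quick-match semantics); default deny."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "block"


# Constructed sample addressing: an IoT net, a trusted LAN, and a pihole on the LAN.
IOT = "192.168.20.0/24"
LAN = "192.168.10.0/24"
PIHOLE = "192.168.10.5/32"
PRIVATE = "192.168.0.0/16"   # covers every local network in this example

# Working order: DNS allow first, then block other local traffic,
# then "pass to inverted PRIVATE" = allow the internet but nothing local.
GOOD_RULES = [
    Rule("pass", IOT, PIHOLE, (53, 853)),
    Rule("block", IOT, PRIVATE, None),
    Rule("pass", IOT, PRIVATE, None, invert_dst=True),
]

# The ordering from the thread's trouble: the block is above the DNS allow,
# so every DNS query from IoT to the pihole is dropped before the allow is seen.
BAD_RULES = [GOOD_RULES[1], GOOD_RULES[0], GOOD_RULES[2]]
```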
I mean it makes sense that they would do this but yeah that is a bummer. That’s why a lot of people do the old style mesh still. Multiple access points wired in from different points in the home.
Why wouldn’t it be?
It’s looking solidly set up now.
Thank you sir.
I just didn’t want to seem like I’m promoting other sites, is all.
It’s coming along… I’m proud of it. I still have to do VLANs (already different subnets), a 2nd WiFi network for IoT, and set up both servers (X470D4U R2700 and Dell T420, converted from a T320; he he he, that was fun, didn’t think it would work but it has!!!).
-Will be upgrading to the new Proxmox version, 7.1 I think last I saw; I know this will mess up GPU passthrough, so I’ll be fixing that.
-I may do a clean install to try out my notes to make sure they are complete, and attempt a new configuration of VMs and ZFS datasets, maybe using TrueNAS instead of Proxmox natively… haven’t decided.
-Still keeping Plex in an LXC container, not TrueNAS.
-Interested in a cloud service I’ll reference Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech for suggestions of software
-Learn email notifications
-Setting up automated updates
-Local and cloud backups
It’s ambitious for a novice not in the field…I may get side tracked… but those are my goals
Gaming-wise… I’m looking into wireless HDMI options to get rid of a cord across the room to my TV for recliner gaming on the big screen.
@PhaseLockedLoop… Do I need to worry about this with Protectli Vault 4 like yours?
Did you use any advanced options like intrusion detection etc?
I did but you don’t necessarily need to worry. I only did it to isolate my government work systems and protect them
Yeah, it’s more for experience. I can physically isolate via a direct connection from the firewall to each network AP without the switch being an intermediary, and dedicate it to the trusted cabled LAN.
I’m still messed up somehow on my rules… at least for DNS as far as I can tell. Every guide I look up and try blocks DNS completely despite a rule allowing it before the deny rule… I’m beginning to wonder if the fact that I have pihole set up as a recursive server, using its own unbound service for DNSSEC, is messing me up somehow… I’m at a total loss, so back to square one and allow everything so I can write this… fml. I’m gonna take a break a bit, set up the Ryzen server… maybe… I need a cable for that, ug… well, on to unpacking boxes then.
Well, looks like I’ll be away longer than I thought. Sadly the new home only offers a 15 GFI circuit breaker that is shared with the media room next to me. Between my gaming PC, basic networking equipment, ceiling fans, TVs and sound bar plus lighting, when I attempt to run only my Ryzen server I trip the breaker within 10 min of light-load applications.
So, as the wife is not understanding at the moment, I can’t get the funds to upgrade the wiring or get a dedicated 20 amp drop, and there is no ethernet through the home to place a server elsewhere. I guess this is the end of me here for a while, so I can give ya all a break from my less informed questions. lol
It’s been really fun. I appreciate all of you in this community. Hope the best for you all. Hopefully I will be back sometime in the future, till then I’ll be reading and doing what I can locally. o7
Well, it finally came… I got approval for getting an estimate for electrical work… woot woot!!! I have been tinkering with pihole and OPNsense along with unbound. I have it slightly different than @PhaseLockedLoop… I run unbound on my Pi with pihole and have it refer to the internal net for access to unbound. I configured unbound and tested it in the CLI for DNSSEC. I dunno if that’s appropriate, but it works.
I am beginning to follow this thread. Bookmarking now. My goal is to be able to exclude specific IPs on my LAN from WireGuard and whitelist only specific devices. I am using an OPNsense firewall to the internet, and have various devices on my network. My goal is, by IP, to route either through WireGuard or not through WireGuard.
I shared your thread with Argone.
I’m working on cleaning up my grammar in my threads. I want to make them easier even when long.
Sweet, yeah I saw that. I’m more than happy to share my format or tips on organizing. @Argone
I love this tool for it Draw.io Diagrams
Once I get electrical sorted, I’ll finally be able to follow that plan I mapped out lol.
Next goal, I think, is learning my Cisco switch to isolate VLANs inside the switch to certain ports. I’m currently just using the ports on the Protectli directly to WiFi APs. Hey, it works. Also, fun fact, that ASUS RT-AX92U works flawlessly as an AP mesh node. It still uses all the tools to optimize signal and connectivity without anything that messes with DHCP and other services from the firewall. Nice piece of gear. I’ll have to get to you on WiFi bands to avoid, being close to the airport, sometime.
I have my own: Nextcloud Draw. Way more extendable, and I don’t have to give my data to others. I love diagrams.
If you look at my BIND thread there have been more than a few edits dedicated to edification and grammar.
I am solely dedicated to making these the model help threads for the forum. So everyone can get great help from them.
That thread takes SOOOO long to edit and save. Infrastructure Series: BIND9 Authoritative DNS Guide "Please See Me Edition"
Yeah, @PhaseLockedLoop, it’s an amazing write-up. Honestly… it’s like going to a class on the subject. You did an amazing job, sir; I hope it is as appreciated by others as it is by myself. If I was more involved in other avenues of internet social media I would for sure share it, BUT the level of this community is by far the best I’ve seen on the web in my searches (and I have A LOT of time on my hands at home all day LOL).
That was the intent. I am slowly evolving the way I write these to be a sort of flipped classroom deal. You get all the material and instructions and answers; then you ask questions and have them answered amongst yourselves. I think it will foster learning better. Time will tell. I love your threads because I draw inspiration from them. I cannot nearly draw the concept out like you have. You have a great deal more patience than I do on that front.
Yeah, I have a habit of not just wanting to know “how” but the “WHY” and the concepts. I’m also a complete novice, so I can provide feedback in that way for people more involved daily who have some of that knowledge by default. I also have pages and pages of Notepad logs of every command I have done, tested, reverted, and explored, along with the sources (i.e. web pages etc.).
I try really hard to flesh out what I want to do, why, and how it fits together.
The thing I love about your posts is that they’re a “bridge” for me between the online manuals and documentation and the lay person.
I can ADD a lot, but it’s at least documented so I don’t lose my place lol (a good example: I’m looking at VLAN manuals for Cisco, and Suricata on my OPNsense firewall… lol).
Keep that habit. It will take you far.
It sounds like you were a mechanic or an engineer in a past life
Minus my rants