pfSense Part 3: Controlling Routes | Level One Techs

I see, it kind of makes sense, as it prevents it from falling back to the WAN gateway if the VPN goes down. But I think there are better ways of doing that.

Great video, love to see pfSense content. People ask for OpenWrt, but pfSense is one of the only groups that stays on top of security issues. I recall a while back there was a Defcon video that showed a security hole where you could act as if you were inside the network through a callback during a load. pfSense was one of the only ones to patch the flaw.

By the way, I know this is a Linux video, but I saw the debloat script in it and was wondering if Level1Techs could do a debloat Windows video. I've noticed nerfing Cortana with group policies, disabling Superfetch, and turning off a ton of unnecessary services can really take back some needed performance. I notice it the most with I/O latency; Windows 10 can be brutal with keyboard and mouse lag in games, and disabling as much junk as possible has yielded good results for me. Figured I should ask with the whole "Gaming mode" being in the Creators Update.

Cheers.

1 Like

Just a heads up...

I applied the "cleaned up list" posted in this thread to block Windows 10 telemetry to an alias, added a block rule to my installation of pfSense, and everything seemed to work fine... that is, until my 5 year old couldn't get on YouTube through my Xbox One. Tried everything to troubleshoot it, because it seemed to work everywhere else on my network, just not the Xbox. In a last-ditch effort to get it to work, I disabled the firewall rule that I set up to block telemetry... and success.

Anyone have any idea which entry in that list is the issue? I looked, and there are no obvious references to youtube or xbox in the list. Needless to say, this firewall rule will stay disabled until I can narrow it down.

You can whitelist just the Xbox and leave it disabled for everything else.

For the source address, try "not the Xbox IP address", for example?

I bet that there is some telemetry the xbox sends on youtube load and the code is so bad it fails when the telemetry host is unreachable.

1 Like
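To narrow down which entry in a block alias is breaking a single device, as in the Xbox problem above, here is an added example (not code from this thread or from pfSense) that takes one host's blocked destinations from the pfSense filter log and matches them against the alias entries. It assumes the pfSense 2.2+ filterlog CSV layout for IPv4 lines (tracker id in field 4, action in field 7, source address in field 19, destination in field 20, destination port in field 22, counting from 1); the alias entries and log lines below are constructed samples using documentation address ranges.

```python
"""Match one host's blocked destinations (pfSense filter log) against a
block alias to find which alias entry is responsible.
Added example; alias entries and log lines are constructed samples."""
import ipaddress

# Constructed alias entries standing in for a telemetry block list
# (documentation ranges only, not any real telemetry address).
TELEMETRY_ALIAS = [
    "203.0.113.10",
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.77",
]

# Constructed lines in the pfSense filterlog CSV layout (assumed IPv4
# positions, zero-based: tracker=3, action=6, src=18, dst=19, dport=21).
# 192.168.1.50 plays the Xbox; 192.168.1.60 is another LAN host.
LOG_LINES = [
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,49832,443,0,S,,,,,",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.0.2.77,49833,443,0,S,,,,,",
    "9,,,1000000110,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,198.51.100.200,3074,3074,40",
    "4,,,1000000102,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,49840,443,0,S,,,,,",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.60,203.0.113.10,50000,443,0,S,,,,,",
]


def parse_filterlog(line):
    """Pull tracker id, action, src, dst and dst port out of one IPv4
    TCP/UDP filterlog line; returns None for lines it cannot parse."""
    f = line.split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    return {"iface": f[4], "tracker": f[3], "action": f[6],
            "src": f[18], "dst": f[19], "dport": f[21]}


def compile_alias(entries):
    """Turn alias text (single IPs or CIDR ranges) into network objects,
    keeping the original text so it can be reported back."""
    return [(e, ipaddress.ip_network(e, strict=False)) for e in entries]


def blamed_entries(log_lines, alias_entries, host):
    """Return (hits, unmatched). hits maps each alias entry to the blocked
    (dst, dport) pairs it covers for `host`; unmatched lists blocked
    destinations no alias entry covers, i.e. some other rule blocked them
    (the tracker id says which one)."""
    nets = compile_alias(alias_entries)
    hits, unmatched = {}, []
    for line in log_lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["src"] != host:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        covering = [text for text, net in nets if dst in net]
        if not covering:
            unmatched.append((rec["dst"], rec["dport"], rec["tracker"]))
        for text in covering:
            hits.setdefault(text, []).append((rec["dst"], rec["dport"]))
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = blamed_entries(LOG_LINES, TELEMETRY_ALIAS, "192.168.1.50")
    for entry, targets in hits.items():
        print(f"alias entry {entry} blocked {targets}")
    for dst, dport, tracker in unmatched:
        print(f"{dst}:{dport} blocked by rule tracker {tracker}, not by the alias")
```

Feed it the raw lines from Status > System Logs > Firewall and the alias text with the suspect device's address, and the entries it names are the ones to remove or override with a pass rule for that host. The unmatched list is the important caveat: a destination blocked by a different rule (different tracker id) will not be fixed by editing the alias at all.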

I noticed someone posted the IPs for Windows telemetry on pfsense.org.
pfSense probably caches the IPs the first time there is a lookup, but in theory you might be able to save a few nanoseconds. :wink:

Hey, since I haven't found any tutorial on the Internet for that, I just want to give a tip for dynamic aliases of Autonomous Systems (AS).

This was evaluated with Steam and Steam Game Servers like CS:GO. I am optimistic this method is also capable of solving Netflix situations mentioned in this thread above.

With the package pfBlockerNG one can define aliases of ASes. These system numbers can be found in ntopng logs (package) or, for example, on the Hurricane Electric page http://bgp.he.net.

This is an example search query for Netflix Autonomous systems (ASNs starting with AS).
http://bgp.he.net/search?search[search]=netflix&commit=Search

All you need to do is create a native Alias by providing the ASN to pfBlockerNG (Format: Whois).
pfBlockerNG will then resolve to IPs, automatically download, and update this Alias. For Netflix you may need to +Add more than one ASN to the set.

In the firewall you simply use the created Alias as you wish. In my case, I route ASValve ports 27000-27050 to WAN.

Edit: I do not know from where pfBlockerNG gets the IPs of the ASN. I assume from bgp.he.net, since a dev, BBcan177, mentioned it on forum.pfsense.org.

2 Likes
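As an added illustration of the step pfBlockerNG performs when it turns an ASN into an alias (this is not pfBlockerNG's own code, and the post above is right that its exact data source is not documented here), the script below parses IRR route objects of the kind a query such as `whois -h whois.radb.net -- '-i origin AS64500'` returns, keeps only the prefixes originated by the requested ASN, collapses overlapping prefixes, and emits them one per line, which is the shape a pfSense alias or a pfBlockerNG custom list accepts. The whois text and AS numbers are constructed samples (documentation ranges and private ASNs), not a real operator's announcements.

```python
"""Build a one-prefix-per-line alias from IRR route objects for one ASN.
Added example; the whois text below is a constructed sample."""
import ipaddress
import re

# Constructed IRR output in RADB object format. AS64500/AS64501 are
# private ASNs and the prefixes are documentation ranges.
SAMPLE_WHOIS = """\
route:      203.0.113.0/24
descr:      Example game servers
origin:     AS64500
source:     RADB

route:      203.0.113.0/25
descr:      more-specific of the prefix above
origin:     AS64500
source:     RADB

route:      198.51.100.0/24
origin:     AS64500
source:     RADB

route:      192.0.2.0/24
descr:      belongs to a different origin, must be filtered out
origin:     AS64501
source:     RADB

route6:     2001:db8:1::/48
origin:     AS64500
source:     RADB
"""


def parse_routes(text, asn):
    """Return the prefixes (IPv4 and IPv6) whose origin attribute is asn.
    Objects are blank-line separated; each line is 'key: value'."""
    routes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())  # first value wins
        if attrs.get("origin", "").upper() != asn.upper():
            continue
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix:
            routes.append(ipaddress.ip_network(prefix, strict=False))
    return routes


def aggregate(prefixes):
    """Drop prefixes covered by a larger one and merge adjacent ones.
    collapse_addresses only accepts one address family at a time."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def alias_lines(asn, whois_text):
    """One CIDR per line, the form a pfSense alias / custom list accepts."""
    return [str(net) for net in aggregate(parse_routes(whois_text, asn))]


if __name__ == "__main__":
    print("\n".join(alias_lines("AS64500", SAMPLE_WHOIS)))
```

Two things this makes visible: route objects from other origins sit in the same response and have to be filtered on the origin attribute, and registries commonly carry both a prefix and its more-specifics, so collapsing them keeps the alias short without losing coverage. IRR data is operator-maintained and can be stale, so an alias built this way deserves the same periodic refresh that pfBlockerNG gives its lists.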

The MS Telemetry list in the beginning of the thread affects Skype connectivity. I removed some obvious ones, but can't figure out which other ones are blocking Skype.
Anyone run into this?

What about pfsense requiring AES-NI processor support in version 2.5 and newer? Some not that old lower power hardware probably won't have that support. Kinda seems the pfsense team is forcing people to consider their appliances they sell.

Some Sources:
Source 1
Source 2 (YT)

@wendell

I am checking out OPNsense as a potential alternative.

2 Likes

I actually thought wendell already mentioned this in some video, and I thought they wanted to do this series on OPNsense; I was a little surprised when the first one came online with pfSense...

Before you do that, you might want to read some more about it.

6 Likes

@comfreak

Thanks man :slight_smile: always glad to get further information and clarity on these topics.

As for the AES-NI requirement in future pfsense can anyone comment on that?

1 Like

AES in hardware is simply the correct choice. There is no market for software AES in any business scenario and arguably not in retail either. Openwrt provides plenty of support for consumer low end routers.

Apparently Netgate has responded to the same criticism that you mentioned. In a nutshell, they decided to go for an AES-NI requirement because pure software-based AES implementations are apparently more vulnerable to side-channel attacks.

4 Likes

Hi and thanks for pfSense Part 3 controlling routes.

I want to isolate my Apple TVs and Roku from my PIA OpenVPN and allow them to pass through the ISP WAN giving me the full 200 Mbps. I set up static addresses of the devices and I want to control the routes using the MAC addresses method. All of these devices are on my igb0 Wireless Interface. Where do I create the Firewall rule and is this action a Pass or Block?

Thank you,
Gary

You create the rule on the wireless interface, it’s a pass rule and it needs to be above the rule which uses the VPN gateway.

Anyone have a list of URLs for Amazon Prime Video streaming?

@Wendell @Ryan your puny Windows telemetry IP blocking list is for scrubs. A real list has 13k+ entries.

Here’s mine (including yours at the start):

List of 13,218 IPs, domains, and IP ranges tied to M$ telemetry and 3rd parties, .txt here: Windows Firewall Outbound rules - _Block - PFSense Formatted.txt (195.7 KB)

This was gathered from W10Privacy, Spybot Anti-Beacon, WindowsSpyBlocker, Windows10Privatizer etc. - Find them on Github. (Most of my research in my post from 2016.)

Updated this list in January 2018, but (the sources are) most likely not 100% foolproof.

1 Like

Lol it seems crazy the os would be that chatty. What’s the high assurance bit that needs to be flipped on so we get the same experience as China and/or the dod? Lol

Edit. Turned your original 2016 post into a wiki and featured it in our wiki section. It would rock if it were updated for 2018 and you mentioned what, if anything, this does for auto updates.

I believe 2/3 of that list is alternative IP addresses in case a. the main ip address failed, or b. it probably also depends on what part of the world you are in.

Yeah I totally want that Windows 10 China Government Edition <3

Cool. I’ll get to it soon-ish. I also need to specify that these IPs are also based on my preferences in the aforementioned programs (e.g. if you blocked Edge or Skype completely). What I do to update is I use W10Privacy’s builtin update picker & downloader :wink:

[EDIT] Done. :slight_smile:

1 Like