Welcome to the Home Network Guy forum!

Recent Posts

Troubleshooting / Re: [OPNSense]Routing for host with IPVLAN network
« Last post by Home Network Guy on November 02, 2022, 02:22:59 PM »
I have not personally used IPVLAN in Docker, but after looking at it, I think I would like to learn about it in more detail and write about it since it could be an interesting topic.

From what I gather, using IPVLAN allows you to separate your Docker containers into separate VLANs. If I correctly interpreted what I read on Docker's website, you might not need static routes but instead you should configure the switch port that your Docker server is connected to as a VLAN trunk so that you can use VLAN tags/IDs to isolate traffic on the appropriate VLANs. If your Docker server is plugged directly into OPNsense, you would need to ensure the VLANs are configured on that port on OPNsense.
Troubleshooting / [OPNSense]Routing for host with IPVLAN network
« Last post by C18uj8Ms on November 01, 2022, 10:29:13 AM »
Hi HNG,
Thanks a bunch for the awesome material. I am configuring and learning my OPNSense router and I frequently refer to your pages.
I am trying to use a bunch of docker containers on a Raspberry Pi with their own IP address and I decided to use IPVLAN to have maximum control.
I have added a static route on OPNSense which specifies the Pi as a gateway for the subnets on the IPVLAN network even though there is an advisory note that says
Quote
Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.
This largely works apart from the fact that my SSH connection keeps dropping. When FW optimizations are set to normal, it lasts 30 seconds (same as the expiration value on Diagnostics -> Sessions), or 900 seconds for conservative.
Am I missing some setting?
Would it be possible to sort of recreate the static route with a firewall rule? Could this potentially solve my problem?
Cheers
I am not able to connect my Mi app to the router. My mobile is 10..242. In the logs I see ports blocked. Is this normal? What is the solution?
Security/Advisories / Plex Media Server Breach
« Last post by Home Network Guy on August 24, 2022, 02:48:24 PM »
One of the databases containing Plex user account information was breached. The subset of affected data is emails, usernames, and encrypted passwords. A password reset has been enforced by the Plex security team. Below is the full transcript:

Quote
Dear Plex User,

We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

What happened

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What we're doing

We've already addressed the method that this third party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do

Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.

We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.

Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.

For step-by-step instructions on how to reset your password, visit:
https://support.plex.tv/articles/account-requires-password-reset

Thank you,
The Plex Security Team
Proposed Network Designs / Communications / Entertainment / Security
« Last post by JW on May 30, 2022, 06:39:48 PM »
Hello,

I am looking for a way to accomplish the following securely:

1. A home network with certificate-based (or otherwise password-less) authentication for users and guests
2. Remote access to a home media server (e.g. Plex), but with the capability to upload video feeds from car cameras, drones, etc.
3. A secure domain for family email, files, etc.

Currently using a Netgear Orbi home network on Xfinity. I use Proton VPN since they are Swiss-based, with no indication of Chinese affiliation or ownership.

Also interested in using HAMNET with this setup, in case anyone here is into amateur radio.

Crazy, right? Standing by for ideas ...

And now I'll open the more specific questions.

But I'll try to describe my home network first...

In my network there is

This ISP router has only some features that could be helpful, e.g. static routing table, open ports to WAN of specific clients connected to LAN.

Each router has multiple Ethernet ports.
I'm planning to install OpenWRT on Mikrotik hEX S and OPNsense on gateprotect GPO 150.
Generally I was thinking about a setup like this:
Internet > ISP router (= modem & router)
ISP router > OpenWRT router
OpenWRT router > DMZ Switch
OpenWRT router > OPNsense router
OPNsense router > LAN Switch

This means the DMZ is in between external and internal firewall. To my understanding this is a recommended setup to strengthen security.

What makes setup a little more complicated: my ISP offers 2 WAN:
  • static public IP
  • and dynamic public IP

Luckily this ISP router provides bridge mode for the static public IP.
Consequently the OpenWRT router will have 2 WAN ports.

Now here are the questions:
Is it advisable to setup "NAT disabled for homelab" if ISP router only offers static routing, but very limited firewall rules (specific ports can be opened for internal devices connected to this ISP router)?
Is it advisable to use the same subnet for managing every network device's WebUI? Or would this undermine all measures for strengthening security?

The ISP router can only provide 1 subnet (= LAN) that is used for administration.
And WANdynamic of OpenWRT router will be connected to this subnet.
I'm not sure if it makes sense to use this LAN for administration of all network devices then.
Certainly I could use ISP router LAN for administration of this router only and another network for administration of OpenWRT and OPNsense router.

THX
Hello,

based on the tutorial "Use Static Routing to Second OPNsense Router with NAT Disabled for a Homelab" I would like to discuss some generic questions and some questions specific to my home network.

I'll start with the generic question:
I could connect the secondary router to a separate, unused interface on the primary router.
What do you mean when saying "unused interface"?

THX
How-to Discussions / Re: Questions regarding Basic DMZ How-to
« Last post by Home Network Guy on April 03, 2022, 04:37:37 PM »
Greetings! Germany is my second largest source of visitors!

Thanks for the compliments. I'm glad you found the information useful. It definitely takes time to produce the content. As for your questions:

1. The second rule is used to block all unencrypted DNS requests on port 53 -- both internally and externally. Since access to other networks should typically be restricted already (so you couldn't use DNS servers on other parts of your network unless you specifically allowed it), the second rule is more useful to block requests to external servers such as 8.8.8.8. The first rule is placed before the second rule so that you do not block your only allowed local DNS server (which is often the IP address of the network interface where the device resides). By default Unbound DNS listens on all interfaces so a network with the network address range of 192.168.30.1-192.168.30.254 will have the DNS server address of 192.168.30.1, which is the interface address.

2. I actually used to do just as you have suggested -- block the private networks without using an allow rule which has destination invert checked, but I also had a rule below the block rule to "allow all" so that access to the Internet would work properly. If you block private networks, you have to allow "all other" traffic which requires an allow all rule at the bottom of your rules. I saw examples of these 2 rules in a few places online so I used that for a while, but then once I learned more about firewall rules and saw some examples, I realized that you can combine those 2 rules into a single rule which is more elegant. Instead of "block private networks, allow all other networks (to allow Internet)", the rule in the DMZ guide essentially says "allow access to any network that is not a private network (which is the public Internet addresses").

When you have several local networks, it's easier to block all of the private networks and then add a rule above that to allow access to a specific service like DNS, because you are less likely to forget to update a list of networks to block if you decide to add another network. It is a bit of a safeguard since it will keep everything appropriately isolated. If you want to open access, you have to be intentional with the firewall updates (it's better to block by default than accidentally leave a hole in your firewall that may go unnoticed until it is exploited).

I hope these explanations help clarify the reason for those firewall rules.
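The rule ordering described in the answer above, modelled as a first-match rule list (an added example, not code from the guide, from OPNsense or from the poster). OPNsense rules are "quick" by default, so the first matching rule decides and anything unmatched hits the implicit default deny. The DMZ interface address 192.168.30.1 is taken from the post; the second VLAN 192.168.10.0/24 and the sample packets are constructed for illustration. The block also carries the older two-rule variant the answer mentions (block private destinations, then allow all) so you can check that it decides every sample packet the same way as the single "allow to !private" rule, and a helper showing what happens to DNS to 8.8.8.8 when the block-DNS rule is left out.

```python
"""Model the three DMZ firewall rules from the Home Network Guy DMZ guide as
first-match rules and evaluate constructed sample packets against them."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Interface address of the DMZ network; Unbound listens here (from the post).
DMZ_INTERFACE_ADDRESS = ipaddress.ip_address("192.168.30.1")
# RFC 1918 ranges, as the "private networks" alias used by the guide.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IPv4 address
    dport: int   # destination port


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


# A rule is (name, action, predicate). First match wins, like OPNsense's
# default "quick" rules; no match falls through to the implicit default deny.
Rule = Tuple[str, str, Callable[[Packet], bool]]

DMZ_RULES: List[Rule] = [
    ("allow DNS to DMZ address", "pass",
     lambda p: p.dport == DNS_PORT
     and ipaddress.ip_address(p.dst) == DMZ_INTERFACE_ADDRESS),
    ("block all other DNS", "block",
     lambda p: p.dport == DNS_PORT),
    # Destination "private networks" with invert checked: anything public.
    ("allow to !private (Internet)", "pass",
     lambda p: not is_private(p.dst)),
]

# The two-rule variant the answer used to recommend: block private
# destinations, then an "allow all" at the bottom so Internet access works.
TWO_STEP_RULES: List[Rule] = DMZ_RULES[:2] + [
    ("block private networks", "block", lambda p: is_private(p.dst)),
    ("allow all other", "pass", lambda p: True),
]


def evaluate(packet: Packet, rules: List[Rule] = DMZ_RULES) -> Tuple[str, str]:
    """Return (action, name of the rule that decided it)."""
    for name, action, pred in rules:
        if pred(packet):
            return action, name
    return "block", "default deny"


# Constructed sample traffic from a DMZ host (not from the guide).
SAMPLE_PACKETS = [
    Packet("udp", "192.168.30.1", 53),   # local Unbound on the DMZ interface
    Packet("udp", "8.8.8.8", 53),        # rogue external resolver
    Packet("udp", "192.168.10.1", 53),   # Unbound on another VLAN's interface
    Packet("tcp", "1.1.1.1", 443),       # ordinary Internet HTTPS
    Packet("tcp", "192.168.10.5", 22),   # SSH into the assumed LAN VLAN
]


def decisions(rules: List[Rule] = DMZ_RULES) -> dict:
    return {f"{p.proto}/{p.dst}:{p.dport}": evaluate(p, rules)[0]
            for p in SAMPLE_PACKETS}


def rulesets_agree() -> bool:
    """The single '!private' pass rule and the two-rule variant should decide
    every sample packet identically."""
    return decisions(DMZ_RULES) == decisions(TWO_STEP_RULES)


def without_block_rule() -> Tuple[str, str]:
    """What DNS to 8.8.8.8 does if the 'block all other DNS' rule is dropped:
    it falls through to the Internet allow rule."""
    rules = [DMZ_RULES[0], DMZ_RULES[2]]
    return evaluate(Packet("udp", "8.8.8.8", 53), rules)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, name = evaluate(p)
        print(f"{p.proto}/{p.dst}:{p.dport:<4} -> {action:5} ({name})")
    print("two-rule variant agrees:", rulesets_agree())
    print("8.8.8.8:53 without block-DNS rule:", without_block_rule())
```

Run it as a script to see the decision for each sample packet. The point of the ordering is visible in the last helper: take the "block all other DNS" rule away and a query to 8.8.8.8 is passed by the Internet rule, which is exactly why the block rule is not obsolete even when the allow rule only points at the local resolver.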
How-to Discussions / Questions regarding Basic DMZ How-to
« Last post by Tanduvil on April 03, 2022, 02:57:28 PM »
Hello,

I have two questions regarding this article: https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense

First of all: what a great article, thanks so much for all your time and effort!

Regarding the second DNS-Block-Rule for Rogue users, if the destination of the "Allow DNS" Rule would be "This Firewall" instead of DMZ Address - would the DNS block rule then be obsolete?

Second question: For blocking the private networks, would it be possible to switch it, meaning creating a block rule for the private networks without the destination invert? Or would it have a different impact?

Again, thanks so much!
Greetings from Germany :)

Chris
Troubleshooting / Re: OPNsense router strongswan-5.9.4 error (Update)
« Last post by Home Network Guy on February 07, 2022, 04:02:14 PM »
It sounds like the package used by the IPsec VPN is vulnerable and will not allow you to use it until you update it. I am not sure if you can update that version without an update provided by OPNsense. The versions that are downloaded from the OPNsense repository will be the version that is shipped with each OPNsense release. You will either have to wait until that is patched or perhaps download it from a different repository. However, I do not know if updating it from another repository will break anything since there might be some integration work that needs to be completed in order for the new version to work properly. I would imagine if there is a vulnerable VPN package that OPNsense would update it quickly or be working on updating it soon.