Guest asrequested, posted December 22, 2018 (edited December 22, 2018 by Doofus):
It was something I downloaded and was calling out. But the IPS blocked it and stopped it from connecting. After a bit of research, IPS just warns you of outgoing problems and blocks incoming problems. But I wouldn't have known it was there if it hadn't told me. Sophos took care of it, though.
BAlGaInTl, posted December 23, 2018:
Anybody use or consider Backblaze B2? I thought about setting up Duplicati with that for low-cost emergency storage.
Guest asrequested, posted December 29, 2018:
Since adding rules to pfsense, my USG IPS log is empty.
mastrmind11, posted December 30, 2018:
Quote (BAlGaInTl): Anybody use or consider Backblaze B2? I thought about setting up Duplicati with that for low-cost emergency storage.
I use it, works well. I don't use it for media backup, just my server system files, but I don't see why it wouldn't work for everything.
chef (thread author), posted December 30, 2018 (edited December 30, 2018 by chef):
I was talking to the IT guy at my work, and he asked me how many routers I have set up. Currently I'm using the ISP's fibre router only. He mentioned I should set up two. Something about 10.1.1.X subnets for all local devices on a second router. Then I see @ post and he has those subnets set up. What exactly is happening there?
BAlGaInTl, posted December 30, 2018:
Quote (chef): I was talking to the IT guy at my work, and he asked me how many routers I have set up. Currently I'm using the ISP's fibre router only. He mentioned I should set up two. Something about 10.1.1.X subnets for all local devices on a second router. Then I see @ post and he has those subnets set up. What exactly is happening there?
Setting up "three dumb routers" is actually a pretty inexpensive and effective security measure to separate devices on different networks. https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity
BAlGaInTl, posted December 30, 2018:
Quote (mastrmind11): I use it, works well. I don't use it for media backup, just my server system files, but I don't see why it wouldn't work for everything.
I don't think I would back up media that way... my normal media backup is just fine. I have some other critical files on that server that I would like to have a cloud backup for in addition to my normal backup routines.
mastrmind11, posted December 30, 2018:
Quote (BAlGaInTl): I don't think I would back up media that way... my normal media backup is just fine. I have some other critical files on that server that I would like to have a cloud backup for in addition to my normal backup routines.
Then it's definitely an option.
mastrmind11, posted December 30, 2018:
Quote (chef): I was talking to the IT guy at my work, and he asked me how many routers I have set up. Currently I'm using the ISP's fibre router only. He mentioned I should set up two. Something about 10.1.1.X subnets for all local devices on a second router. Then I see @ post and he has those subnets set up. What exactly is happening there?
If you're gonna do it, go w/ a Unifi USG. Very slick pro-sumer gear that just works. Very simple to subnet stuff, and VLANing is supported, making it even easier. Also has a built-in RADIUS and VPN server, which automatically bridges your subnets from an external VPN connection. And guest wifi is easily firewalled from your local subnets (it's technically its own subnet too). Both Doofus and I use Unifi stuff, as well as a few others on here.
tdiguy, posted December 30, 2018:
Do the FiOS routers not do any sort of NATing at all?
mastrmind11, posted December 30, 2018:
Quote (tdiguy): Do the FiOS routers not do any sort of NATing at all?
I believe so. There's a bunch of stuff hidden under advanced. I seem to recall having to fix the double NAT nonsense when I first had it installed. I pulled mine and stuck the USG at the edge since I don't use cable boxes anymore anyway.
tdiguy, posted December 30, 2018:
Quote (mastrmind11): I believe so. There's a bunch of stuff hidden under advanced. I seem to recall having to fix the double NAT nonsense when I first had it installed. I pulled mine and stuck the USG at the edge since I don't use cable boxes anymore anyway.
Hidden settings, or settings that are considered too advanced for me to easily find, annoy the daylights out of me. I haven't had an ISP-owned router in a very long time now. But I also don't have FiOS in my area. I refuse to be a Comcast hotspot; there's literally no benefit for me in it. They should give discounts to their subscribers that transmit that hotspot, IMHO.
Guest asrequested, posted December 30, 2018 (edited January 7, 2019 by Doofus):
Quote (chef): I was talking to the IT guy at my work, and he asked me how many routers I have set up. Currently I'm using the ISP's fibre router only. He mentioned I should set up two. Something about 10.1.1.X subnets for all local devices on a second router. Then I see @ post and he has those subnets set up. What exactly is happening there?
My configuration is a little different, but yes, I use pfsense as my router, then the USG is next in line. As @mastrmind11 says, using a USG is a good idea. In this situation, the USG automatically disables NAT, so you won't have problems with a double NAT. I set the USG (I have Unifi switches) to subnet 10.1.1.1/24. pfsense is at default 192.168.1.1. What this does is that pfsense issues an IP to the USG (192.168.1.x); beyond that, the USG handles everything else. It does make port forwarding a little more interesting. You no longer forward your WAN IP through the USG. You forward the local IP, and then you forward the USG IP through your router. So it changes IP. In my case, I'm also using a VPN interface, so I then have to port forward through that. At this point, it changes IP again, and the port changes too. That took a little bit to figure out.
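The post above describes a port forward that has to be written twice (once on pfsense towards the USG's 192.168.1.x address, once on the USG towards the 10.1.1.x host) and a third time when a VPN interface sits in the path. The following is an added example, not code from the thread, pfsense or Ubiquiti: it models each hop as a DNAT rule and traces a packet through the chain so a gap (a rule missing on the next device, or a hop pointing at the wrong address) shows up before anything is deployed. All addresses, the service port and the VPN hop are assumptions chosen to match the layout the poster describes.

```python
"""Trace a port forward through chained NAT devices (added example).

Assumed layout, following the post: pfsense at the edge with LAN 192.168.1.0/24,
the USG's WAN side on 192.168.1.x, the USG's LAN on 10.1.1.0/24, and optionally
a VPN interface in between that rewrites both the address and the port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnatRule:
    """One forwarding rule on one device: traffic arriving at
    listen_ip:listen_port is rewritten to target_ip:target_port."""
    device: str
    listen_ip: str
    listen_port: int
    target_ip: str
    target_port: int


def trace_forward(rules, dst_ip, dst_port):
    """Apply matching rules hop by hop until no rule matches.

    Returns the list of (device, ip, port) hops, starting with the packet as it
    arrives from the internet. A chain that is too short means a device in the
    path has no rule for the address:port the previous device hands it.
    """
    path = [("internet", dst_ip, dst_port)]
    seen = set()
    while True:
        key = (dst_ip, dst_port)
        if key in seen:
            raise ValueError(f"NAT loop at {dst_ip}:{dst_port}")
        seen.add(key)
        match = next((r for r in rules if (r.listen_ip, r.listen_port) == key), None)
        if match is None:
            return path
        dst_ip, dst_port = match.target_ip, match.target_port
        path.append((match.device, dst_ip, dst_port))


def check_chain(rules, dst_ip, dst_port, final_net):
    """Return (ok, reason); ok when the chain ends on a host inside final_net."""
    path = trace_forward(rules, dst_ip, dst_port)
    _, last_ip, last_port = path[-1]
    if ip_address(last_ip) in ip_network(final_net):
        return True, f"{len(path) - 1} hop(s), ends at {last_ip}:{last_port}"
    return False, f"chain stops at {last_ip}:{last_port} (rule missing on the next device?)"


# Assumed addresses (placeholders, not the poster's real configuration).
PFSENSE_WAN = "203.0.113.10"
USG_WAN = "192.168.1.20"     # the 192.168.1.x lease pfsense hands the USG
SERVER = "10.1.1.50"         # the host behind the USG
PORT = 8096                  # assumed service port

# Two-hop forward: pfsense -> USG WAN address -> LAN host.
RULES_OK = [
    DnatRule("pfsense", PFSENSE_WAN, PORT, USG_WAN, PORT),
    DnatRule("usg", USG_WAN, PORT, SERVER, PORT),
]

# One reading of the VPN case in the post: the USG hands the flow to a VPN
# interface that uses a different address and port, so a third rule is needed.
VPN_IP = "10.8.0.2"
VPN_PORT = 50000
RULES_VPN = [
    DnatRule("pfsense", PFSENSE_WAN, PORT, USG_WAN, PORT),
    DnatRule("usg", USG_WAN, PORT, VPN_IP, VPN_PORT),
    DnatRule("vpn", VPN_IP, VPN_PORT, SERVER, PORT),
]

# Common mistake: the pfsense rule exists but the USG rule was never added.
RULES_BROKEN = [DnatRule("pfsense", PFSENSE_WAN, PORT, USG_WAN, PORT)]

if __name__ == "__main__":
    for name, rules in (("ok", RULES_OK), ("vpn", RULES_VPN), ("broken", RULES_BROKEN)):
        print(name, check_chain(rules, PFSENSE_WAN, PORT, "10.1.1.0/24"))
```

The check is deliberately stateless: it only verifies that every hop's listen address equals the previous hop's target, which is exactly the property that breaks when the forward is written on one device but not the next.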
Guest asrequested, posted January 11, 2019:
Just wanted to say that pfsense is doing such a great job that I have in fact disabled IPS on the USG.
chef (thread author), posted January 11, 2019:
When you built your pfsense box, did you need to add a NIC card? How did you build it?
Guest asrequested, posted January 11, 2019:
Quote (chef): When you built your pfsense box, did you need to add a NIC card? How did you build it?
I had a dual 10G NIC laying around. I basically built a computer out of spare parts and installed pfsense. As long as you have dual gig NICs you can use almost any computer. There's a spec recommendation guide on their site, somewhere.
chef (thread author), posted January 11, 2019 (edited January 11, 2019 by chef):
Quote (asrequested): I had a dual 10G NIC laying around. I basically built a computer out of spare parts and installed pfsense. As long as you have dual gig NICs you can use almost any computer. There's a spec recommendation guide on their site, somewhere.
10 gig NICs are super impressive. The fibre line coming into my house is SFP+, I think. Maybe I need to find a NIC with SFP+...
chef (thread author), posted January 11, 2019 (edited January 11, 2019 by chef):
And just as a side note, my domain has been hit so many times by China, Russia, and the US, it's crazy... They are not web crawlers either... Which is also crazy. I was introduced to a great program called WebLog Expert. Probably all VPNs though...
Guest asrequested, posted January 11, 2019 (edited January 12, 2019 by Doofus):
My 10G NIC is RJ45. I wouldn't use SFP+. I've configured the firewall to block failed attempts if 3 per second, for 60 minutes. And Snort is blocking stuff, too. I also block all IPv6. The logs are long. Watching the firewall log in real time is interesting.
PrincessClevage, posted January 11, 2019:
Quote (chef): And just as a side note, my domain has been hit so many times by China, Russia, and the US, it's crazy... They are not web crawlers either... Which is also crazy. I was introduced to a great program called WebLog Expert. Probably all VPNs though...
PeerBlock is old but works well, with a small cost of subscription, and you can choose from various blocking lists, even block all of China/Russia etc.
mlcarson, posted January 12, 2019:
Here's my 2 cents. The default setting of any firewall/router will be to block all incoming connections. This is what you want; anything else is an exception. For Emby, I whitelist a remote IP address that I want to watch from. For remote administration, I whitelist my work address (could be anything that you trust, has a static IP, and is available) and use it to add any additional IPs to my whitelist. You shouldn't have outsider threats if you do this. 99% of any malware is going to be you establishing a connection to it via web browsing or downloading a file that contains hidden malware. This is what you're paying for AV, DNS filtering, and firewall IDS for: detecting what you already allowed in or preventing you from accidentally allowing something in.

I've probably been lucky but only use Windows 10 Defender and Malwarebytes and haven't had any issues. My router is an EdgeRouter Lite; it primarily routes and does basic packet filtering; it's not a firewall. Most devices that build in IPS or AV at a consumer level do it poorly, slow down the connection speeds, and create more problems than they solve. I leave on the Windows Defender Firewall on each machine in my network and only allow required connections. The Windows Defender AV used to be very poor but better than nothing; it's come a long way since the Win7 days. I think that its cloud-delivered protection contributed to that. The best things about Defender, though, are that it's free, it's not creating system instability, and it's not slowing down my machine.

For backup, I'd love to use something like Backblaze but it doesn't seem feasible. I've got Comcast, so I have two problems: the monthly bandwidth limit and the upload speeds of 10 Mbps. Hard drive capacity has grown a lot faster than Internet speeds. I think cloud backup is great for documents and pictures but not so much as a general backup scheme. Even if I could send a provider a hard drive copy of everything I have and just send incremental changes, it would still take forever to do a complete restore. I've so far opted to just do backups via external USB drives. USB 3.1 is about as fast as it's going to get without using a direct SATA connection but still allows disconnection of the drives, so ransomware or environmental concerns are mitigated. The downside is that I can't just automate backups, so I don't do them nearly enough.

I don't use storage arrays but admit I may regret this decision at some point. Here's the reasoning. They all require additional storage for rebuilding a bad drive. Less overhead generally means higher complexity and longer rebuild/restore times. A storage array doesn't eliminate the need for backups. My computers don't provide mission-critical 24/7 services. If a hard drive fails, it affects one computer and can be restored locally from backup. The biggest downside is the cost of storage, but those prices continually go down while the capacities go up. So far, it's been more cost-effective and efficient to go with local storage and USB backups than to do a NAS storage array. The cost savings allow me to purchase more HDDs for backup. If my media collection grows to more than a single HDD can contain, there are still ways of presenting it as a single volume with multiple HDDs that don't link the restoration of one to both. Crossing my fingers that I just haven't jinxed myself.
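Two posts above describe inbound policy in words: mlcarson's default-deny rule set where a service is reachable only from a short list of trusted source addresses, and asrequested's earlier setting that bans a source after 3 failed attempts within a second for 60 minutes, with all IPv6 dropped. The following is an added example, not code from the thread, pfsense, Snort or the EdgeRouter: it applies those rules to a handful of constructed log lines so the ordering of the checks (active ban first, then IPv6, then default deny, then the allow-list, then the rate counter) and the ban expiry can be seen end to end. The allow-list, service port, thresholds and log lines are all assumptions for the demo.

```python
"""Default-deny inbound policy with a source allow-list and a rate-based ban
(added example, evaluated over constructed log lines).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy (assumptions, not any poster's real configuration).
ALLOWED_SOURCES = [
    ip_network("198.51.100.7/32"),   # e.g. a static work address
    ip_network("203.0.113.0/28"),    # a small trusted range
]
SERVICE_PORT = 8096                   # assumed service port; everything else is denied
MAX_FAILS = 3                         # this many failures ...
WINDOW = timedelta(seconds=1)         # ... inside this window ...
BAN_FOR = timedelta(minutes=60)       # ... bans the source for this long

# Constructed log format: "<iso timestamp> <src ip> -> <dst port> <ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-fA-F.:]+) -> (?P<dport>\d+) (?P<result>ok|fail)$")


class Policy:
    def __init__(self):
        self.fails = defaultdict(deque)   # src -> timestamps of recent failures
        self.banned_until = {}            # src -> datetime the ban lapses

    def decide(self, ts, src, dport, result):
        """Return ('allow'|'deny', reason) for one event, updating ban state."""
        ip = ip_address(src)
        ban = self.banned_until.get(src)
        if ban is not None:
            if ts < ban:
                return "deny", "banned"
            del self.banned_until[src]       # ban expired, fall through to normal rules
        if ip.version == 6:
            return "deny", "ipv6 blocked"    # mirrors "I also block all IPv6"
        if dport != SERVICE_PORT:
            return "deny", "no rule"         # default deny: no exception for this port
        if not any(ip in net for net in ALLOWED_SOURCES):
            return "deny", "not allow-listed"
        if result == "fail":
            q = self.fails[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # keep only failures inside the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                self.banned_until[src] = ts + BAN_FOR
                q.clear()
                return "deny", "rate exceeded, banned"
        return "allow", "allow-listed"


def run(lines):
    """Parse log lines in time order; return one (src, decision, reason) per line."""
    policy = Policy()
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # unparseable line: skip, do not guess
        ts = datetime.fromisoformat(m["ts"])
        out.append((m["src"],) + policy.decide(ts, m["src"], int(m["dport"]), m["result"]))
    return out


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2019-01-12T10:00:00 198.51.100.7 -> 8096 ok",             # allow-listed
    "2019-01-12T10:00:01 192.0.2.9 -> 8096 ok",                # not on the list
    "2019-01-12T10:00:02 198.51.100.7 -> 22 ok",               # trusted source, wrong port
    "2019-01-12T10:00:02.500000 2001:db8::1 -> 8096 ok",       # IPv6 dropped outright
    "2019-01-12T10:00:03.000000 203.0.113.5 -> 8096 fail",     # 1st failure
    "2019-01-12T10:00:03.300000 203.0.113.5 -> 8096 fail",     # 2nd failure
    "2019-01-12T10:00:03.600000 203.0.113.5 -> 8096 fail",     # 3rd within 1 s: banned
    "2019-01-12T10:30:00 203.0.113.5 -> 8096 ok",              # still banned
    "2019-01-12T11:00:04 203.0.113.5 -> 8096 ok",              # ban lapsed after 60 min
    "2019-01-12T11:00:10 198.51.100.7 -> 8096 fail",           # spread-out failures ...
    "2019-01-12T11:00:12 198.51.100.7 -> 8096 fail",
    "2019-01-12T11:00:14 198.51.100.7 -> 8096 fail",           # ... never trip the ban
]

if __name__ == "__main__":
    for src, decision, reason in run(SAMPLE_LOG):
        print(f"{src:16} {decision:5} {reason}")
```

Two details worth keeping when adapting this: the ban check runs before everything else so a banned source cannot slip through a later allow rule, and the failure window is sliding, so three failures spaced two seconds apart (the last three lines) are never counted together.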
Guest asrequested, posted January 12, 2019:
Whitelisting IPs isn't a great option. I connect from a mobile network quite often, and the IP changes. If you have static locations, that's fine, but it doesn't work for general use.
notla49285, posted January 12, 2019 (edited January 12, 2019 by notla49285):
I've only just bought ESET; should I get Sophos instead?
Guest asrequested, posted January 12, 2019:
I'm not familiar with ESET, so I can't compare them.
chef (thread author), posted January 12, 2019:
I've been very happy with Sophos, although I'm not familiar with ESET either. Sophos caught a hidden version of PsExec running on a Windows theme editor I grabbed from DeviantArt. Took care of it right away. Locked it up and threw away the key. I was super impressed. Bad hackers, go to your room!!