My Arris router is a cable + wifi router, pretty rare nowadays tp find one of those

pf/opnsense suck at wifi, don't do this, that's not what they're for. look into openwrt

Built-in Wi-Fi won't work as well as a dedicated AP but more importantly very few chipsets work properly in FreeBSD in AP mode.

Sadly, I COMPLETELY agree with you. THAT is why I’m hoping that people MUCH SMARTER than me (like Dave here) can suggest solutions so we can get that “built into the router” AP without needing that “extra/separate” AP gadget, it’s software and another layer of complexity.

@@eDoc2020 it works from 300' feet away, thats good enough for me

Glad I could bring something new to the table!

Have had it on my todo to figure out how to set up transparent filtering on a naked Linux system. But too many other tasks taking time. In my case, I want an existing firewall to believe an external box with modem should look like a local interface so the firewall sees (and thinks it owns) the public IP.

yeah he reach Saudi Arabia also , i will do as he advice, thanks dave

Me neither and i still dont rly see what the Point of it is. It doesnt come clear to me in this video.

@@SpriGgEx Transparent here means it looks like a layer 2 switch. No changes to any IP numbers. So it isn't visible. Until one of the firewall rules decides to block something. Then it's just a magic cable that blocks the bad connections. So the computer on the inside can still believe that it owns the public IP number and runs without firewall.

If you Google for Suricata there's plenty of people talking about how often it blocks things due to false positives and it wont see most malware as its delivered over SSL. The best you can really do is region and IP blocklists which require much less CPU power.

Experts who needlessly nit-pick are just being difficult. Source, I work in the industry and listen to it daily. From a big-picture standpoint the video is great.

a grown up man advocating for a youtuber. You dont need to defend him, he is old enough and probably accepts his mistakes. Gotta love Fans of youtubers, DONT BE a fan of a youtuber.

@@ICEMANZIDANEYawn. I got bored after grown up.

⁠​⁠@@ICEMANZIDANEAssumption much? Maybe he’s just offering a fellow human being some kindness and support. Even grownups appreciate an attaboy from time to time. If you think that’s only for kids, then I’m sorry for you.

I got to the end and was locked out as you describe. Also, you can't add a Firewall Pass rule to the WAN interface - WAN is absent in the current version of OPNSense. Hoping for an updated video. I bought the dual NIC mini PC just to do this, and I'll have to start all over. Can this all be done from the text interface with the Mini PC just hooked up to a monitor, keyboard and mouse?

​@@SunshineDave Unfortunately, no, you can't perform the install from the CLI (text) interface that the system boots up from. Configuration is primarily performed via the web management portal. This is why I wrote my comment, as I think there is a mistake and the latest versions of OPNSense don't work with the instructions provided in this video. To properly set up the device, I believe 3 ethernet ports are required: - WAN - LAN - Management I honestly don't know if it's possible to set the system up properly with only the dual NIC at this time.

@@funknick I'll probably be looking for another video to setup OPNsense more conventionally. But I do have an ethernet dongle I could use as a third port if I had a clue how to create the management port. The oversight in this video is a fatal one. It should really be redone because success is impossible for most users, even the most advanced.

Could you not have just logged in through the CLI and used option 4 to reset to factory defaults?

@@rustyp21 sure, I guess I didn’t think of that during the moment. Good tip! Do you have a workaround for the management port issue?

Technically, the order DOESN'T matter if you perform them as a single atomic operation, right? :-)

Critical Care Nursing Assistant 😆

@@ingchatboy @davesgarage Uhh...Yeah. I didn't realize it could have so many definitions. 😆

get premium, seriously, it makes youtube everything you want it to be

@@thaphreak really? it will filter sponsor messages that creators include in their videos?! sign me up!

​@@pete3897no it won't

@@pete3897 There is an extension that does this called "SponsorBlock For KZbin". It's a game changer.

@@pete3897 Almost really, however you can scrub past that stuff, so yeah…really is worth the cost of admission.

Ubiquiti is for your average dummy

If you are too poor to turn off the ISP wifi and use your own, are you simultaneously rich enough for a transparent bridge?

@@dirkbester9050 Not helpful. You just wasted my and everyone else's time with this comment.

I plan to disable the wifi from the ISP box and implement a much better managed wifi router behind the OPNSENSE bridge that has full capabilities compared to most ISP boxes these days that limit what you can and can't do

hmm this would be only if they're not using the ISP's box only as a bridge?

​@@johnnygolden7401which did you order

How do you disable wi-fi on the ISP router?

@wilty5 I set mine to bridge mode, so it just acts as a cable modem, and passes it to thr ethernet port, no filtering or wifi. You can probably just disable the wifi, in the settings as another option though.

Congratulations, both of those steps do nothing. Except slowing down your network.

I was wondering if he was joking or not. But, it 4/1 is it not?

it went past me for a moment then i was wait a min... what?!

😂 brilliant.

Still beats MCSA :)

Made me actually laugh out loud 😂

MikroTik makes cool stuff too... there's always a trade off as things become more hardware-focused or software-defined. They seem to be a good mix in between.

cheap mikrotik router + their winbox ui is quick and simple , swiss knife for the network

What is (or is there) the equivalent for transparent filtering bridge for MikroTik, seems pretty CPU intensive so thinking it’s not something a 750 series would offer..

That is what I was wondering, I remember pfsense was unix and I thought maybe they ported it over to Linux? Thanks for the clarification.

why do you hate linux?

You mean there are other *nix based OSs than Linux? FreeBSD is one of the OG versions of Unix. It is horrible what AT&T (or whatever their name was at the time) did to this *nix branch!

@@esk103 Well, since AT&T's Bell Labs _invented_ Unix, they did what they darn well pleased with it back in the day :) @imadam I don't "hate" Linux, I just like FreeBSD a bit better. It's dead stable and I'm used to the way you do sys admin tasks on it. I also like the license it's released with better vs. the GPL. And apparently so did MS back in the day. I understand that they used the BSD network stack to add networking to Windows. Don't have details, but I bet our erstwhile host might...

Thanks Dave for this video! Being on the spectrum this was like eating popcorn for my brain! ❤

OK Dave -- show us an OPNSense install on a TI99 ! Definitely not comparable to the Intel Atom, so it should work pretty good, right?

As a 5th grader in 1967, I would occasionally help my father transcribe his handwritten FORTRAN programs into something an IBM 1130 could read, using, you guessed it, an IBM29 80 Column Card Puncher. (He was getting his BSEE via night classes compliments of his employer.)

@@IBM29 oh god, I remember once helping my dad and dropping a whole stack of punchcards. I don’t remember anything after that.

@@michaeldeloatch7461 lmao!!!

@@michaeldeloatch7461 It’d actually be really fun to see that happen. I’d imagine you’d get close to 309K baud, if not less.

Cool man. What do you use for your VPN client? I tried setting up a native W10 client but didn’t have much luck. Planning to try again and do more searching on best options.

That is one fat pipe!

I used to do the UniFi stack and ripped it all out. I went for microtek, cheap 2.5G switch and a NAS using an amd 4600GE and a stack of cheap nvmes. SMB 3 can combine 2.5G so NAS has 5G and so does my main PC. I have a WiFi 6E ap 2.5G uplink that covers the whole house with 2.4GHz switched off for everything else except my media pc which is on 2.5. It's works ok. Sometimes the microtek router crashes so i added a fan to it and set it to reboot once a week (2 different issues). The NAS uses no raiding and backs up to a pair of 10Tb WD gold on external caddy. I can literrally grab them and have everything. Photos and docs sync to Google drive. 1G symmetric ftth is the fastest i csn get.

pfSense is epic

@@bdlii I use OpenVPN still. Old habbit. There is WireGuard now also available but haven't configured it yet.

How do they "mess it up"? Can we work around this?

It can matter for hardware support. Linux supported Intel i226 NICs before FreeBSD. I use pfSense CE, but I'm thinking of switching to OPNsense. I'm worried that pfSense CE could become paid software like pfSense Plus.

BSD\UNIX\LINUX same thing.

Regarding being BSD based and not Linux, it does matter. The reason I stopped using PFSense, was essentially due to the extremely out of date Intel drivers. Switched to Linux (using VyOS), the exact same box, had a 4x performance improvement doing the same thing.

Me too, got a Netgate 4100, mounts in my rack. pfsense, lots of packages to choose from.

I run pfSense+ with Snort (inline)and pfBlockerNG on a Netgate SG-4860 appliance. I rarely see CPU usage over 20%... and that is only an Atom 4 core C2558. I really like having the ZFS Boot environments.

Yeah, I was wondering about that. Surely it wouldn't be able to inspect HTTPS/TLS packets...?

is it possible to test downloading the test virus from antiviurs site and seeing if ids/ips catches it?

I asked AU - Certainly! Detecting viruses over HTTPS (encrypted) delivery is a crucial aspect of network security. Here’s how Intrusion Prevention Systems (IPS) handle this: Traffic Inspection: HTTPS traffic is encrypted using TLS/SSL protocols, making it challenging to inspect the payload directly. However, modern IPS solutions can perform deep packet inspection even on encrypted traffic. They achieve this by: Decrypting the encrypted traffic temporarily. Analyzing the decrypted content for malicious patterns. Re-encrypting the traffic before forwarding it to the destination. Challenges: Performance Impact: Decrypting and re-encrypting traffic adds computational overhead, affecting system performance. False Positives: Decrypting traffic may lead to false positives if the IPS misinterprets benign content as malicious. Privacy Concerns: Decrypting user data raises privacy concerns, especially in enterprise environments. TLS Inspection: Some IPS systems support Transport Layer Security (TLS) inspection. They maintain a database of trusted certificate authorities (CAs) and use it to validate server certificates during decryption. If a server certificate is not trusted or revoked, the IPS can block or alert on the traffic. Signature-Based Detection: IPS systems use signature-based detection to identify known malware patterns. They maintain a database of signatures for various threats. When inspecting decrypted traffic, they compare it against these signatures. Behavioral Analysis: Advanced IPS solutions employ behavioral analysis. They learn normal traffic patterns and detect anomalies. For example, if an encrypted connection suddenly transfers large files, it might raise suspicion. Heuristics and Machine Learning: Some IPS systems use heuristics and machine learning. They analyze traffic behavior and adaptively learn to identify new threats. Evasion Techniques: Malicious actors use evasion techniques to bypass IPS inspection. They split payloads across multiple packets or use obfuscation. Modern IPS solutions continuously evolve to counter these techniques. In summary, while detecting viruses over HTTPS is challenging due to encryption, modern IPS systems employ various techniques to inspect and protect against threats even within encrypted traffic

@@DaveGamesVT - it can still tell domains/IPs and block known-bad or known-compromised sites. But, yes, to really inspect, it would need to MitM the HTTPS traffic to decrypt, inspect, and then encrypt it again. But it can still detect many types of traffic without decryption, just not payload inspection.

@@jroysdon I'm a newbie to this topic but wouldn't that make the virus scanning option for this completely useless?

Was about to say the same thing 😏

Die-hard fan of both, and was also about to say it.

One of many errors in this vid I'm afraid - eg bridges don't route packets, they bridge frames

When I tried BSD, I was blown away with sheer consistent performance, smoothness and stability. I tried ghostBSD and it was really good.

Beat me to it!

me too and im in the internet biz lol

firsttime hearings

That's why I'm here - UniFI Dream Router chokes!

The Unbound DNS plugin dose a good job for DNS filtering, Pi-Hole is hard to beat from an admin and stats standpoint though.

OPNsense is great. Deciso also offer commercial support but don't seem to be mega cash grabby yet. There's also a third party add on (Zenarmor) available that gives you ngfw features like content filtering and other fancy crap. I'd use it for customers, no problem.

If your pfsense is failing to upgrade, here is the super secret sauce to correct the situation. Just run it into pfsense shell [ press f8 on pfsense console or ssh it ] certctl rehash pkg-static update -f pkg-static install -fy pkg pfSense-repo pfSense-upgrade once completed, just visit upgrade, you will get latest updates.

The use of FreeBSD as a base platform is great from a stability perspective - it is pretty much bombproof as far as *nix is concerned but the community is very slow to add new device drivers and then it takes an extra age for the drivers to trickle down into pfsense and opnsense. Opnsense seem to be more responsive to adding new PHY support than pfsense but it is still a lengthy process. It's a stability vs new shiny thing support tradeoff. Not that we don't need support for new shiny things. I've been running pfsesne for a few years and I'm comfortable with it. But it comes down to what you prefer and get used to. Both forks are great.

What hardware are you using for OPNSense?

Sorry to disappoint you, OPNSense transparent bridge cannot decrease your real gaming latency. Perceived latency because DNS caching does not affect real connection between you and Blizzard server.

He's a "solid bell" for me too.

the momment his stle sunk in , i did the same. Straight to the nitty gritt . love it

Just upgraded to subscribe. Notify all loading

You are!😊

Same thing happened to meet with Explaining Computers - they should leave our teachers alone!

I always ask them to send me their Credit Card Number, SS number and Mothers maiden name before any further communication from them!

Same. I can't stand modern KZbin and their rewarding of crap filler content to meet a certain video length. Thanks Dave!

I got it working in pfSense. Your NIC must support RSS and netmap. I always have issues with igb and em cards (probably because igb drivers are built on em.) igc and ix cards work great. There are both inline and legacy deep packet inspection ids/ips. Inline is a bit more powerful. I use the inline ips on the lan and limiters on the WAN. Also I think for the sake of the NIC memory it may be relevant to consider using two separate NICs of matching types. It is also worth noting that NICs only support certain types of ethernet cables. ie no cat8 on an i225 nic if you want everything to work perfect. cat5e or cat6a

I can't see how the ClamAV works through the bridge. I'm pretty sure the configuration is correct, but when I try the Eicar test download the signature appears instead of being blocked. Any suggestions are appreciated. I suspect the ClamAV plugin depends on a Web Proxy??

You can use "tcpdump" to do this in OPNsense or PFsense, but the bridge is not strictly required. You can run it just as well when configured as a traditional router, as long as the data is flowing through one of the interfaces, tcpdump will see it. The alternative (read: old-school) way to do it is with a switch that does port mirroring, which can be handy since you can then route that mirrored port to another machine on your network that might be better suited for traffic analysis (or simply has a nice GUI for you).

​@@BillLambertCan't OPNSense assign a mirror port to your extra hardware ports? And if it does, does it operate at full speed?

If you're in the middle of the traffic, you can see the entire handshake of establishing the HTTPS/TLS connection, and for corporate networks that use things like Suricata, yes, they do perform HTTPSi, examining the contents of the encrypted packet and then passing them on into the network. The procedure would be the same on your little transparent bridge, it sniffs the keys for the HTTPS connection, and then examines the packets for things that violate the rules you set, and then passes on the good packets while rejecting suspicious or dangerous connections.

​@@orangejuche Nope - that would be an example of a MitM attack. In corporate settings, the HTTPSi inspector has it's own certificate which all corp machines are configured to trust (either by adding it as a certificate, or it being issued by a corp specific root CA, which is added as a certificate). At least, that's what the docs I found say

@@td19xyz My bad, you are correct, and I was incorrect. Suricata can't see what is in an encrypted packet without an HTTPS proxy with a trusted root CA that performs decrypt and encrypt of the traffic and forwarding of the decrypted traffic stream to Suricata. This doesn't mean Suricata is useless for handling HTTPS traffic, as while it can't see what is inside, it still has the metadata of the connection, and can filter attempted HTTPS connections from servers on a list of untrusted clients.

BTW I paused and went to google for a win.ini file example to remember what I used to do, I think it was there that I did dual booting back in the 90's :)

Thanks for clarifying that. Unfortunately, I have and all-in-one.

Does anyone know of a solution to make this work if you’re using an ISP All-in-one router/modem device?

You'd have to have the transparent bridge as the only device connected to the all-in-one device, then duplicate all the functionality (WiFi, switching) downstream of the bridge. (AIO -> Bridge -> switch/APs/other devices)

how do you setup a mgmt interface and access the gui from it?

@@Chester-hk6zp I'd like to know this too.

Yes, the Critical Care Nurses Assistant