
Changelog

Summary

This will serve as a repository going forward for any changes made to my Homelab, including cloud hosted applications. Any corresponding documentation will be linked accordingly.

Changes

Level of effort - Large Effort

Fixed

  • Deleted orphaned child VLAN tag assignment on lagg0 interface
    • Orphaned child VLAN tag was preventing reboot, forcing a manual reassignment of VLAN tags to their respective interfaces
  • Recreated parent VLAN with a tag of VLAN2
  • Recreated VLAN2 interface
    • Created NAT outbound mapping for VLAN2
    • Recreated firewall rules for VLAN2
    • Mapped VLAN2 to VPN gateway

New

  • Decommissioned OpenVPN in favor of WireGuard
  • Configured DNS forwarder for VLAN20 and VLAN30
    • Pointed to NextDNS servers
  • Set up pfBlockerNG for the VPN VLANs
    • Added IP and DNS blocklists to sinkhole malicious traffic
  • Removed any rules to ingress traffic using the WAN interface
  • Configured GeoIP block to reject traffic from top spammers and proxy/satellite regions
  • Configured firewall aliases for trusted devices and trusted VLANs
  • Set up policy routing for the WAN and VPN networks
  • Configured Unbound to query root servers for DNS lookups
  • Set up a firewall rule to egress specific domains through the WAN gateway instead of the VPN gateway
  • Blocked admin port access for untrusted VLANs
    • Port 4443 for the pfSense webGUI
    • SSH on port 8587
  • Set up a VPN killswitch
    • Tagged VPN traffic on each VPN VLAN, then set up a separate rule to block any egress of tagged traffic through the WAN gateway
  • Redirected NTP lookups to pfSense for all VLANs
  • Configured DNS redirects for all VLANs
  • Blocked outbound traffic to public DNS servers on port 443
    • Blocks DNS over HTTPS (DoH)
  • Configured Tailscale to provide secure access from Plex to VLAN30
  • Set up a Cloudflare Tunnel to protect the origin IP of all services
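The killswitch item above is the one change in this list whose correctness depends on rule ordering, so here is an added model of it (not pfSense code, and not part of the original changelog): VLAN names, the WireGuard interface `wg0` and the tag name `VPN_ONLY` are assumed values. It shows why the separate block rule matters: when the VPN gateway is down, policy routing falls back to the default WAN gateway, and only the floating rule on tagged traffic stops the leak.

```python
"""Constructed model of the pfSense VPN killswitch described in this changelog."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed names: VLANs whose traffic must only ever leave via the VPN gateway.
VPN_VLANS = {"vlan20", "vlan30"}
VPN_IF, WAN_IF, TAG = "wg0", "wan", "VPN_ONLY"


@dataclass
class Packet:
    in_if: str                       # interface the packet arrived on
    dst: str                         # destination address (constructed sample)
    tags: Set[str] = field(default_factory=set)
    out_if: Optional[str] = None     # chosen by the routing decision


def ingress(pkt: Packet, vpn_gateway_up: bool) -> Packet:
    """Per-VLAN pass rule: tag the flow and policy-route it to the VPN gateway.

    If the VPN gateway is down, pfSense falls back to the default (WAN)
    gateway, which is exactly the leak the killswitch has to catch.
    """
    if pkt.in_if in VPN_VLANS:
        pkt.tags.add(TAG)
        pkt.out_if = VPN_IF if vpn_gateway_up else WAN_IF
    else:
        pkt.out_if = WAN_IF          # trusted/non-VPN VLANs use WAN directly
    return pkt


def egress(pkt: Packet) -> str:
    """Floating rule: any tagged packet about to leave via WAN is blocked."""
    if pkt.out_if == WAN_IF and TAG in pkt.tags:
        return "block"
    return "pass"


def forward(in_if: str, dst: str, vpn_gateway_up: bool) -> str:
    """Run one packet through both rules and return the final verdict."""
    return egress(ingress(Packet(in_if, dst), vpn_gateway_up))


if __name__ == "__main__":
    for vlan, up in (("vlan20", True), ("vlan20", False), ("vlan10", False)):
        print(vlan, "vpn_up=%s" % up, "->", forward(vlan, "203.0.113.10", up))
```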

Updated

  • Reconfigured the parent interface with a new VLAN for Wi-Fi VPN
  • Adjusted subnet scope for all VLANs
  • Assigned static mappings to most devices
  • Restricted cross-VLAN communication on untrusted VLANs
  • Permitted cross-VLAN communication from trusted devices to trusted VLANs
  • Reconfigured pfSense NTP pool for the following:
    • Make use of Stratum 1 and 2 NTP servers
    • Use the closest available servers from the following NTP providers:
      • NTP Pool Project
      • Cloudflare Time Server
      • Apple Time Server
      • Hurricane Electric
  • Disabled Dynamic DNS for all subdomains in favor of Cloudflare Tunnel
  • Limited anti-lockout firewall rule to trusted devices

Resources

Level of effort - Small Effort

Updated

  • Set transmit power on Grove Downstairs AP to the following:
    • 2.4 GHz Radio
      • Custom (18 dBm) to Low
    • 5 GHz Radio
      • Custom (19 dBm) to Auto
  • Set transmit power on Grove Upstairs AP to the following:
    • 2.4 GHz Radio
      • Custom (21 dBm) to Low
    • 5 GHz Radio
      • Custom (21 dBm) to Auto

Level of effort - Medium Effort

New

  • Retired the UniFi 24-port switch and 8-port PoE switch
    • Replaced with a UniFi 48-port PoE switch (USW-48-PoE)
  • Labeled all used ports within the UniFi Controller

Level of effort - Small Effort

Updated

  • Deleted all cloud firewall rules so the droplet is only accessible via Tailscale for SSH or Cloudflared for HTTPS.
    • SSH access is restricted to port 8587.