- Jul 26, 2015
- 263
Why the config in that way?
As an application firewall I use GlassWire and block apps that are very talkative.
The next line of defense is my security appliance, Sophos XG Home (HW firewall), and I isolated my IoT devices.
Example:
The network is built in segments:
192.168.x.x /24 for Smart-TV, IoT and Mobile-Devices
172.16.x.x /30 for my PC
The managed switch has an ACL built in and I baked my trusted devices into it. That way the ports on it only communicate with those devices.
My router is a simple AVM cable router, and I have configured my firewall (XG) as an Exposed Host so that I do not get double-NATed.
Otherwise all other ports are closed.
Why the XG?
It is very simple: it has DPI HTTPS inspection built in and scans SSL traffic for certificates and malware with a double engine (Sophos and Avira). The other upside is IPS (Snort) and many other security features for free...
Test site for Sophos XG feature tests -> Sophos Web Security and Control Test Site
START ------------------------------------>>> OLD CONFIG <<<---------------------------------------- START
Then why a Pi-Hole?
To block sites at DNS level with RegEx entries and blocklists provided by The Block List Project and other projects.
I know my DNS query path is quite long, but it is more secure (my opinion).
Example:
PC ----> XG ----> Pi-Hole ----> Quad9 Filtered/DNS-Sec
IoT ----> Pi-Hole ----> Quad9 Filtered/DNS-Sec
END ------------------------------------>>> OLD CONFIG <<<---------------------------------------- END
NEW config setup, update 25.12.2019
What changed?
The Pi-hole DNS server adblocker is gone and has been replaced with eBlocker! (open source)
Why has it been changed?
I have to say the Pi-hole is a great project, but I was searching for a way to offload advanced tracking protection and blocking of various ads. AdGuard is a great project as well (desktop and browser extension), but still I wanted to streamline that level of protection to my whole network.
What was my solution?
I switched from the Pi-hole project to eBlocker that is available now over at: eBlockerOS Download - eBlocker Open Source - Free Privacy & Parental Controls Gateway
What does eBlocker do?
- HTTPS Decryption
- Easylist Pattern File Compatible
- Domain Blocklist Compatible
- Squid ACL Compatible
- Parental Controls
- Network wide protection
- DNS Level Domain blocking
- and lots more...
How complicated was it to setup?
5 min. install and final fine-tuning max. 30 min. with custom lists.
Cert flow for the XG?
External Site SSL ----> eBlocker ----> XG -----> PC
All I needed to do was import the cert from eBlocker into my XG CA store, and done.
Compatibility self-tested:
- PC = full HTTPS
- iOS = full HTTPS (cert import from local eBlocker appliance)
- Android TV = limited (because the Nvidia Shield does not support importing certificates)
- Ubuntu = full HTTPS (cert import from local eBlocker appliance) since it is in front of the firewall appliance. ^^
- Smart TV = limited (old Samsung TV does not support importing certificates to decrypt HTTPS traffic)
OK OK, but why not do a backup of your OS?
It is just a blank Windows 10 Ent. install with a few privacy settings here and there... connected to my Microsoft account, and all my data is in OneDrive / important stuff in OneDrive Vault! For me it is just: insert USB, click through the setup, install a few drivers and connect my account. Done! Since I have a 1 Gbit connection, downloading games is a matter of minutes. ^^
If someone has questions or improvement suggestions I am all ears. I am not perfect and open to critique ^^
Sincerely
Val.
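The DNS-level blocking the post describes for the Pi-hole (exact-domain blocklists plus RegEx entries, a role eBlocker's "DNS level domain blocking" takes over in the new config) is easy to get subtly wrong, so here is an added example that is not part of the post and not code from Pi-hole or eBlocker. It implements the Pi-hole-style decision order (allowlist first, then exact-domain list, then regex list) and runs it over a few constructed dnsmasq-style query lines; the domains, patterns and log lines are all made up for the demo, and the `(\.|^)…$` anchoring is the usual way to block a domain together with all of its subdomains without catching look-alike names.

```python
"""Added example: a minimal DNS-level domain filter in the style of
Pi-hole's gravity (exact-domain) lists and regex blacklist.
All list contents and log lines below are constructed for the demo."""
import re

# Constructed sample lists (not contents of any real blocklist project).
EXACT_BLOCK = {"ads.example.com", "tracker.example.net"}
REGEX_BLOCK = [re.compile(p) for p in (
    r"(\.|^)telemetry\.example\.org$",  # the domain and every subdomain
    r"^ad[sx]?[0-9]*\.",                # leftmost labels like ads3. / adx.
)]
# Allowlist entries win over every block rule (as in Pi-hole's whitelist).
ALLOW = {"cdn.example.net"}


def normalise(qname: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of FQDN form."""
    return qname.rstrip(".").lower()


def decision(qname: str) -> str:
    """Return 'allow', 'block:exact' or 'block:regex:<pattern>' for a query."""
    name = normalise(qname)
    if name in ALLOW:
        return "allow"
    if name in EXACT_BLOCK:
        return "block:exact"
    for rx in REGEX_BLOCK:
        # search(), not match(): the pattern carries its own anchors.
        if rx.search(name):
            return f"block:regex:{rx.pattern}"
    return "allow"


# Constructed dnsmasq-style query lines, as Pi-hole's FTL would log them.
SAMPLE_LOG = [
    "query[A] ADS.example.com. from 192.168.1.20",
    "query[AAAA] host.telemetry.example.org from 192.168.1.21",
    "query[A] nottelemetry.example.org from 192.168.1.21",
    "query[A] cdn.example.net from 172.16.0.2",
    "query[A] adx7.example.com from 192.168.1.22",
    "reply example.com is 93.184.216.34",  # not a query line, skipped
]


def filter_log(lines):
    """Parse query lines and return (client, normalised name, decision)."""
    results = []
    for line in lines:
        m = re.match(r"query\[\w+\] (\S+) from (\S+)", line)
        if not m:
            continue
        qname, client = m.groups()
        results.append((client, normalise(qname), decision(qname)))
    return results


if __name__ == "__main__":
    for client, name, verdict in filter_log(SAMPLE_LOG):
        print(f"{client:15} {name:32} {verdict}")
```

Note the ordering: the allowlist is checked before either block list, which is what lets a CDN host survive a broad regex, and the `nottelemetry.example.org` line shows why the `(\.|^)` prefix matters; a bare `telemetry\.example\.org$` would block it too.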