There's not much, read no, point in allowing encrypted DNS to certain addresses. You either block it outright and force DNS to internal sources where you can filter it or you don't. QUIC is another thing that is just blocked completely in a...
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through...
That seems strange. We push PAN hard and still sell 3-5X more Fortinet. Of course the price/performance difference is substantial coupled with much better SDWAN integration on the Fortinet side. For the last year almost every deal has some...
100/101-F or E series FortiGate, or use a 60/61-F or E series with one of these:
https://www.amazon.com/Rackmount-RM-FR-T10-Rack-Mount-FortiGate/dp/B01MXMCODG
Pretty sure those cards are FC HBAs and not NICs. Also, I'm afraid to ask but .... All that external cable you describe in #7 is plugged into grounding blocks on both ends of the external pieces before being attached to your gear, yes? If you were...
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS...
The OP needs to understand that privacy and security are two different things. Quite often you must sacrifice one for the other. If you are interested in security then you're doing TLS deep inspection on everything. If you're interested in privacy...
Sadly this is true. You can still play the cat and mouse game of blocking known DoH servers but that's generally a losing scenario. This is the primary reason I despise DoH. It's an abomination and should be stomped out of existence. DoT solves...
If you have local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.
If someone is doing MITM on your LAN then they have already installed certs on your endpoints. You're already owned and DNS is the absolute least of your worries.
Is this a satellite ISP or a WISP? Are you certain you have a static publicly routable IP? Also, Starlink will not be a solution for this as they use CGNAT, so no inbound traffic to you. There is a possibility that will change later but as of today...
I'll add that if you have more than one AP you can plug a switch into the new pfSense interface and then plug APs into the switch. Also you said earlier in the thread you needed but didn't have an L3 switch for VLANs. Please note VLANs are layer 2...
Full stop! Again, the AP is absolutely not where you control what you want to do. An AP is just a layer 2 bridge that bridges wifi to ethernet. To do what you want you need to be at the router. Add another interface to your pfSense router using...
First, as others have said, your LAN (local area network) includes your wifi. Now unfortunately MOST consumer class networking equipment stops right there and you get WAN and LAN with routing+NAT/PAT between. The wifi and the ethernet segments...