Networking & Firewall
pfSense gives me a lot of features:
- Internal DNS & DHCP
- DNSSEC & DNS over TLS
- Blacklisting of domains & IPs
- Certificate Management with ACME (Let's Encrypt) integration
- Firewall rules for accessing other network segments
- Suricata NIDS (with Snort rules)
- HAProxy for controlled access of certain servers
- Traffic statistics
Static DHCP leases are automatically registered in DNS. I also records pointing to the router with an internal domain for proxying to local servers using HAProxy. HAProxy is integrated with the ACME DNS challenge to get certificates and proxy select devices to servers with access to private data.
I go between Cloudflare's 220.127.116.11 and Quad9's DNS servers. I like Cloudflare's privacy features, but Quad9 helps block malicious domains. Both support DNSSEC & DNS over TLS, which help ensure DNS integrity.
For security I use a variety of IP & DNS blacklists. The main IP blacklists are from SpamHaus and most of the DNS blacklists are link to by the Pi-hole project. Suricata runs Emerging Threats & Snort rules. Together, these measures can block a significant variety of attacks.
The network is divided into a number of segments. The SRV segment is for servers and is soon to be the only one with access to private data. The SRV segment can only be access by going through HAProxy. The LAN segment is for devices and gets controlled access to other segments. A Wi-Fi access point is also on the LAN segment. The DMZ & LAB segments are isolated for testing things in.