1 LAN, 2 VLANs from one NIC configuration

my bad. I answered before reading the post carefully. Thank you for setting the record straight.

you are right.

Adolf, thanks again for the clarification. I spent 3 days straight, 8 hours each, going through all the possibilities of this firewall.

Also, I noticed ad blocking is a pain in the ass. In OPNsense under Unbound you could use a predetermined or custom list, but here it's not easy; it doesn't work for me yet. I will keep trying.

@himurae like it or not, the current path for this project is undoubtedly towards the best security achievable with a firewall distro.
However, not all the features can be “steered” by the userbase to what competing products and projects are providing. Still today, IPFire AFAIK cannot manage redundant/multiple WAN/Red connections via network cards, only as Dialup for a small set of options and setups. IMVHO, today, it is feature lacking, as for ad filtering.
However, you can still add a product in your network like a PiHole setup and use this as the ad-block feature for the clients. It only requires designing both installations to work as a team.

2 Likes

Using a “lying” DNS server like PIHOLE to help preserve privacy is conflicting with the use of DNSSEC. To me this is an issue of tradeoffs between security (DNSSEC) vs privacy features (PIHOLE). The topic is a bit nuanced.

By the way, there is a script that recreates PIHOLE behavior in unbound.

2 Likes
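The post above mentions a script that recreates Pi-hole behaviour in unbound. The usual mechanism is to turn a hosts-style blocklist into `local-zone` statements so unbound answers NXDOMAIN for the listed names. The block below is an added example written for this thread, not the script the poster refers to and not IPFire code; it assumes the common hosts-file layout (`0.0.0.0 ads.example`), unbound's `local-zone: "<name>." always_nxdomain` syntax, and a constructed sample list embedded inline.

```python
"""Convert a hosts-style ad blocklist into unbound local-zone statements.

Added example for this thread (not IPFire's or any published script's code).
Assumes hosts-file blocklist lines of the form "0.0.0.0 host.example" and
unbound's `local-zone: "<name>." always_nxdomain` syntax (older unbound
versions can use the `static` zone type, which also yields NXDOMAIN).
"""
import re

# Constructed sample blocklist (not a real list): comments, blank lines,
# the loopback entries every hosts file carries, duplicates and one bad entry.
SAMPLE_BLOCKLIST = """\
# constructed sample - not a real blocklist
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment
0.0.0.0 ADS.EXAMPLE
0.0.0.0 not_a_valid-host!.example

0.0.0.0 sub.tracker.example
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names that hosts files define for the local machine; never block these.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
                "broadcasthost", "ip6-localhost", "ip6-loopback"}


def is_valid_hostname(name):
    """Strict hostname check; odd entries are dropped rather than pushed into unbound."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def parse_hosts_blocklist(text):
    """Return a sorted list of unique, lowercased names from a hosts-style blocklist."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:                       # blank line or address with no host
            continue
        for host in fields[1:]:                   # a hosts line may carry several names
            host = host.lower().rstrip(".")
            if host in _LOCAL_NAMES or not is_valid_hostname(host):
                continue
            names.add(host)
    return sorted(names)


def minimal_zones(names):
    """Drop names already covered by a blocked parent: a local-zone applies to
    the whole subtree, so 'sub.tracker.example' is redundant once
    'tracker.example' is blocked."""
    kept = set()
    for name in sorted(names, key=lambda n: (n.count("."), n)):   # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)


def to_unbound_conf(names, policy="always_nxdomain"):
    """Render the names as a server: clause fragment for unbound.conf."""
    lines = ["server:"]
    for name in names:
        lines.append('    local-zone: "%s." %s' % (name, policy))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_unbound_conf(minimal_zones(parse_hosts_blocklist(SAMPLE_BLOCKLIST))), end="")
```

The subtree collapse in `minimal_zones` is what keeps a large list from producing thousands of redundant zones. The tradeoff raised earlier in the thread shows up here too: unbound answers these zones from local configuration, so the NXDOMAIN carries no RRSIG/NSEC proof, and a downstream client that validates DNSSEC itself will treat that answer for a signed domain as bogus rather than as a clean "name does not exist".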

Currently the securing of the DNS channel of communication is still… to be defined.
DoH, DoT and DNSSEC are concurrent options, with different nuances and features among all options, all defined in specific RFCs.

For some, DNSSEC is the only option, even among people developing this project. The market is still waiting to decide the winning solution.

I agree, however the phrasing could give the impression that they’re competing protocols, which would not be an entirely accurate interpretation of your sentence, since each addresses distinct challenges.

Encrypted DNS (DoH or DoT) enhances privacy and security by preventing eavesdropping on and tampering with DNS data, by encrypting it and sending it over HTTPS or TLS. DNSSEC counters the problem of DNS cache poisoning by allowing DNS records to be digitally signed. The main challenge it confronts is ensuring the authenticity and integrity of DNS data.

1 Like
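The distinction in the reply above (transport encryption versus signed data) is visible on the wire: DNSSEC is requested with the DO bit in an EDNS0 OPT record and reported back by the resolver as the AD flag in the header, both of which travel in plaintext unless the channel is DoT or DoH. The block below is an added example for this thread, not code from any poster; it builds a query and reads flags using only the RFC 1035 / RFC 6891 wire format, and the two replies it checks are constructed in the block, so nothing is sent on the network.

```python
"""Build a DNS query with the EDNS0 DO bit and read the AD flag from a reply.

Added example for this thread, not code from the original posts. Uses only the
DNS wire format (RFC 1035 header, RFC 6891 OPT RR); replies are constructed
here, no resolver is contacted.
"""
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
OPT_TYPE = 41
DO_BIT = 1 << 15        # top bit of the OPT RR's 32-bit TTL field (RFC 6891 6.1.3)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Return a recursive query for `name`; with dnssec_ok, append an OPT RR with DO=1."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header into the flags this discussion cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def query_has_do_bit(msg):
    """True if a query built like build_query (one question, OPT RR last) asks for DNSSEC."""
    if parse_header(msg)["arcount"] == 0:
        return False
    pos = 12
    while msg[pos] != 0:            # skip QNAME labels (queries carry no compression)
        pos += 1 + msg[pos]
    pos += 1 + 4                    # zero terminator plus QTYPE/QCLASS
    if msg[pos] != 0:               # an OPT RR must use the root name
        return False
    rtype, _udp_size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return rtype == OPT_TYPE and bool(ttl & DO_BIT)


def reply_is_validated(query, reply):
    """True only if the reply answers this query, RCODE is 0 and the resolver set AD."""
    q, r = parse_header(query), parse_header(reply)
    return r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["ad"]


# Constructed replies: header plus the echoed question, no answer records.
QUERY = build_query("example.com")
_QUESTION = QUERY[12:12 + len(encode_name("example.com")) + 4]
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD,
                              1, 0, 0, 0) + _QUESTION
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA,
                                1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("query asks for DNSSEC:", query_has_do_bit(QUERY))
    print("validated reply:", reply_is_validated(QUERY, VALIDATED_REPLY))
    print("unvalidated reply:", reply_is_validated(QUERY, UNVALIDATED_REPLY))
```

`reply_is_validated` only trusts what the resolver claims. The AD flag is a single header bit that anyone able to rewrite a plaintext reply can set or clear, which is why the two mechanisms complement rather than replace each other: DNSSEC proves the data was signed by the zone, and DoT/DoH (or validating on the client itself) protects the path over which that verdict is delivered.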

Are you confident that when a standard is massively adopted, another one for different goals will also be used?

I am not even confident that IPv6 will be the prevailing standard during my life time. I see your point though, I was just a bit pedantic. That’s all.

Again, I don’t agree.
You expressed an opinion, maybe personally biased, but an expression of thought. IMO, having someone who doesn’t agree with you is important for having a deeper analysis of personal opinions, beliefs, experiences.

IPv6 is deployed and working every day. AWS is charging more for IPv4 addresses than IPv6 addresses. It’s working every day, even if in LANs and on devices it is not that widespread; current OSes support it and can work with it.

I meant exactly what I said and I agree with the quote above.

I was just nitpicking that these 3 protocols solve two different problems and therefore are not exactly overlapping.

You asked if I had any confidence that, assuming one of the three would be chosen by the market, another one could be selected as well. My answer was that I am not confident of anything, and to make a point I mentioned a protocol that should be the “chosen one” by the market, and clearly it is not even close to reaching that goal (I never implied that it was not used at all or not useful) more than 20 years after it was released.

The point is, I am not even confident that the market will choose any of them. Network effects are difficult to displace. The status quo is always the predominant force. For a new standard to become the dominant force you need a very strong reason for adoption. Or a very long time.

At least a 10-fold improvement is what is needed to displace an incumbent with a new standard. Do any of DoT/DoH/DNSSEC improve 10x on the status quo? Maybe, but I am not so sure. This does not mean that we cannot use them, like you do with IPv6. It means that the market will not “massively” choose any of them any time soon. This is my belief.

EDIT: If we ask a different question: which one of the three will be more prevalent? My money goes to DNSSEC, only because the war on cryptography will only intensify in the coming years. Servers that encrypt DNS traffic probably will be relegated to the margins of the Internet. DNSSEC should not upset the authoritarian tendency of our governments (all of them) as much as something that interferes with mass surveillance, like encrypted traffic.

2 Likes

I am happy to see knowledgeable people here so passionate about networking discussions, which helps others as well.

1 Like

I have no idea, but I already tried to simply configure 3 VLANs on one interface; that would be only one VLAN more, which would have to be set up on the switch. With two VLANs it works: I have green and orange as VLANs on one network card.

Please elaborate

This was my question: to use one network card with two zones and VLANs.
I already had red and green configured as VLANs because my modem is located somewhere else than the IPFire. Now the consideration was to run green as native and orange as a VLAN, but because I already had green configured as a VLAN, it didn’t work because of the tags. When I then made the green zone also a VLAN, it worked. What’s wrong with putting the blue network on eth0 and specifying a third VLAN? As long as the ports on the switches cleanly set the tags and remove them again, this should run cleanly.

Interesting. My ISP is a PPPoE connection; I now have PPPoE configured on red. I will need 1 more modem, I guess, to make it work.

Of the top 1000 web sites, 45% support IPv6 (source).

1 Like

Actually not, you would only need to plug a cable from the red interface into your switch and the cable to connect the ISP as well; the two ports on the switch should be tagged into a red VLAN, e.g. 05.
The port where the red interface of the IPFire is connected is then also tagged VLAN for the green01 network.
In the IPFire you now put red05 and green01 on one card each, with the VLAN like on the switch, 01 + 05.
On this switch the remaining ports are set to untagged VLAN green01; then this should work.
Only the port to the ISP should be set to PID05, all others should be 01.
I did not try it, but why should that not work with 3 or 4 VLANs? OK, quite a bottleneck, but actually already feasible.

May try and report back.