Don't forget the cronjob to update your blocklists once a day If pfsense doesn't add one automatically.

Thats bad advice. Especially If you use an OS which doesn't get Security Updates since 5 or 2 years depending on your license ago. Don't keep your passwords (un)encrypted on your local hard drive. Even encrypted there is a risk encryption isn't securely implemented. Use an offline password manager or any other encryption and put it on at least one stick better use a backup stick too. Or use an encrypted stick and put your stuff in there. If your local machine gets compromised you don't want to give an attacker access to your router/whole network. Personally i wouldn't write it on paper too.
And always keep your configuration backups safe, just in case an update crashes one of your setups.

Edit: https://www.reddit.com/r/pcmasterrac..._not_cool_for/ this is a two years old post. No hard feelings. I hope it doesn't happen to you.

My OPNsense runs on a cheap topton n100. You could also run it in Proxmox or in another virtualized environment, a BSD compliant Hardware shouldn't be a limiting factor these days.

OPNsense uses UnboundDNS. A recursive DNS resolver which caches requests for a time. If there are multiple persons in your Network it's incredibly fast even If you use DNS over TLS.
With opnsense and unbound you have a great list of blocklists. Trackers, Malware, Ads and so on.
The statistics shows for 60k querries it blocked 15k. On the first few days. You save a lot of traffic and browser cache.
Combined with surricata and zenarmor I'd say your pretty save too.

OpenWRT has a Plugin blocking ads with the same list. I would use openwrt only for my APs though because it lacks features a good router/firewall should have.

The easiest way would be using nextDNS (300k querries per month free), quad9 (non commercial) or other adblocking DNS services. But you have to set the DNS manually on every device.

From your description the at&t modem is not a modem but a router with WiFi etc if I understand you correctly. If you use another router pfsense now? behind it, you should configure the at&t to be in bridge Mode. It should only connect you with the providers network and give your router a public IP. (Don't connect your PC directly on the at&t than, especially not a Win7.) Otherwise the WAN Port of your router becomes a private IP and you have to double NAT. Which even breaks experts necks.

If you don't care what's your public IP you don't need to force the at&t to give your router always the same IP. Also not every provider is compliant with this. If you want to access services in your LAN or want others to access from the Internet (e.g. private Webserver) it becomes useful.

Okay, I put the WRT-1200 in between the AT&T unit and the Zyxel wireless access point, and got it working. Then I removed the WRT-AC1200 and inserted the WRT-AC1900 and got that working. Then I removed the WRT-AC1900 and inserted the pfSense (AMD 5350) and got that working. I'm still not sure how I did it.

Do I really need to FORCE the AT&T unit to give a specific IP address to the MAC address of the WAN port on the pfSense (AMD 5350)? I'll probably never know.

My advice: Keep a list of settings (IP addresses, passwords, and maybe some other settings, for all possible combinations of equipment you have) on your local hard drive, a second copy on paper, and possibly a third copy on a USB stick.

I may need to reset my Amazon Alexa, and reset the TP-Link HS100 smart switch, to turn on the lamps in my front room, but I should be fixed now. I just hope I never, EVER have to go through this again !!!

As for madan1's suggestion about the DD-WRT ad blocking, I do appreciate it, thank you. But I did not see it. But maybe I was not looking diligently or in the right place.

Okay, I did have pfSense working. Use 80x25 text mode to define which ethernet jack is for WAN and which is for LAN. After that, use the web interface (it will give you the address during setup, I think mine is currently 192.168.3.72), but then an adapter failed (SFP+ to RJ-45). So I shut down and put in the Intel I350 4-port PCI-e network card, and then reinstalled pfSense. Now I don't know what's going on.

When things did not work, I removed the pfSense SSD and installed a blank SSD and Linux Mint 18.3 KDE on the AMD 5350 machine. When I plug the ethernet jack from the Intel i350 board to the AT&T fiberoptic unit, and a separate ethernet cable from the Win7 machine to the AT&T fiberoptic unit, I can log in to the AT&T fiberoptic unit's web interface and clearly see that Linux Mint has requested an IP address.

But when I shut down, remove the Linux Mint SSD and put the pfSense SSD back in, the AT&T settings page shows pfSense did not obtain a DHCP lease. Do I need to log into the AT&T unit and static-assign 192.168.3.72 to the pfSense computer, then use the keyboard (80x25 text mode monitor is plugged into the AMD 5350 unit) and static-assign 192.168.3.72 as the WAN address, then reboot both the AT&T and the pfSense machines? I tried that, it didn't work.

Should I tell the pfSense machine to use DHCP for WAN? Why? I don't understand. Shouldn't pfSense petition the upstream AT&T unit for a DHCP lease in some standard "RFC" internet-approved way, and just take whatever address it is given? To me, "use DHCP for WAN" seems to suggest the pfSense/AMD 5350 unit is telling the upstream AT&T what address the AT&T unit must give. I do hope I am wrong.

Should I tell the pfSense machine to "use DHCP for WAN" but tell the AT&T unit to static-assign?

How can I FORCE the pfSense/AMD5350 to request for a DHCP lease from the AT&T unit, or verify that it did so? If I want to engage my engine and my tires, I know what to do. Put the car in gear and remove my foot from the clutch (whether car engine is running or not). But how to verify "engagement" to get a DHCP lease is not something I know how to do. I can use the "ping" command to verify. But why is the lease often not reflected in the AT&T unit's settings page?

I am tempted to just go ahead and buy the pfSense hardware from netgate dot com. Their technical support would get me up and running. But a forum post there suggests the eMMC storage in their compact ARM-powered devices does not last for many write-cycles.

Any idea what is going on here? When bits and bytes don't get where they need to go, how do I diagnose this?

but i thought windows and SMART devices made life easier!

Okay, I got my equipment working. It was a most convoluted process, I gotta say.

First, plug the Windows 7 computer into the AT&T fiberoptic equipment (ethernet cable running across kitchen and down the basement stairs) and tell its DHCP server to assign devices an IP address in the 192.168.3.1 to 192.168.3.253. The wifi radios in the AT&T fiberoptic unit (both 2.4 GHz and 5 GHz) will never be used.

Second, disconnect the Win7 computer from the AT&T unit, and plug the AT&T unit into WRT-1900 I got from eBay (with custom OpenWRT firmware). Plug the Windows 7 computer into the WRT-1900. Log in to the WRT-1900, and tell the WRT-1900's DHCP server to give addresses in the 192.168.2.1 through 192.168.2.253 range.

Third, unpack the Zyxel NWA50AX Pro from the box, plug in the power brick, and plug the ethernet cord into the WRT-1900. Using Win7, log into the WRT-1900 and turn off the wireless radios and apply that change. Log into the NWA-50AX Pro and set up the wireless. Reboot the WRT-1900 and the NWA50AX Pro.

Fourth, remove Win7's ethernet connection from the WRT-1900 and try to reach the internet wirelessly through the Zyxel, which is still plugged into the WRT-1900.

Fifth, install and set up pfSense on the AMD 5350 system.

Sixth, plug the Win 7 computer's ethernet cable into the AMD 5350 system, and log into pfSense. Change the default password and write it down. Tell the DHCP server in the pfSense machine to hand out addresses between 192.168.2.1 and 192.168.2.253, exactly as the WRT-1900 did.

Seventh, shut down the Win7 computer and the AMD 5350 running pfSense. Take the ethernet cable between the Win7 machine and the pfSense machine and put it into storage. Plug an ethernet cable between the Zyxel and the pfSense machine.

If all goes well, the Zyxel NWA50AX Pro will take the 192.168.2.X address given to it by the AMD5350 machine (and the WRT-1900 before it), and give out addresses in the default 192.168.1.X range.

Eighth, log in to the pfSense machine, wirelessly, through the NWA50AX Pro, install pfBblocker NG, and follow Louis Rossman's directions to access and apply the DNS block lists. Do NOT click to use ALL of the feeds. A SENSIBLE number of block lists will go a long way.

NOTES:

First, the NWA50AX Pro uses WPA2-Personal with AES encryption instead of TKIP. Thankfully, Win7 can do that. I am using the same passphrase for 2.4 GHz and 5 GHz radios as always. So how did the ROKU device, Amazon Alexa and the Zapper Box ATSC 3.0 device know to switch to AES? We might never know.

Second, I have not run any speed tests yet. But I still have that 50-foot ethernet wire plugged into the AT&T unit, running up my stairs and across my kitchen. I can test my speed with AND without the pfSense hardware, and compare the speeds.

Third, I am not sure if pfSense recognized the "postage stamp" wifi card (RT3090 chip) in the AMD 5350 machine. I think it did not. And I don't think I can use the RT3090 OR the onboard LAN port on that 17cm by 17cm board. It kind of looks like pfSense wants ONE piece of hardware for LAN, and ONE for WAN. And that's all. And right now the 2-port Intel X520 PCI-E board is doing both.

Fourth, I'm not sure exactly how the "profiles" work on the NWA50AX Pro. It seems I can have up to EIGHT access points on this wireless access point, divided between the two radios. I can read the manual, then if I decide I need more profiles, I can plug both the NWA50AX Pro and the WIn7 machine into the WRT-1900, like the third step above, and use ethernet (and Firefox, of course) to access the NWA50AX Pro's setup screen to configure them, then put the WRT-1900 back into storage and use the pfSense machine again.

Fifth, the KASA smart light switch failed a week ago, and I had to reinstall the app on my smart phone to turn my lamp off. The KASA switch has now failed a second time, maybe I will have to reinstall the app again.

Here they are:

http://techinfodepot.shoutwiki.com/w...ference_Design

http://techinfodepot.shoutwiki.com/w...ference_Design

Later on tonight I'll try to get everything working.

no idea about the wifi chipsets - what are the specs?

Thank you! I revisited the DD-WRT project and did not notice any capability like that. (EDIT: Until you posted that link.)

I finally got the Zyxel NWA50AX Pro a few minutes ago. The NWA90AX Pro just sold out everywhere, except for greedy people on eBay who want DOUBLE the price.

My 17cm by 17cm board has a "postage stamp" spot for a laptop wifi module. I own an RALink 3090 and a 5390. Both antenna terminals are attached to PCI-E brackets with sockets for the desktop "rubber ducky" antennas. Assuming I use the Intel X520-DA-2 network card (or the Intel i350) in my PCI-E slot, which RALink should I use in the "postage stamp" spot? Both seem to have the same capabilities (1x1:1 speed, 150 Mbps. 2.4 GHz radio only), so which is "better"? Does it matter?

The NWA50AX Pro does not have MAC authentication like the NWA90AX does (all MAC addresses I did not whitelist are denied access). Anyone who has the correct wifi password can connect. This does not affect me, since I do not worry about security like a corporation. And I think many wifi chips can spoof MAC addresses anyway.

It turns out pi-hole runs on Linux, and what else runs on Linux? KODI. Years ago I ran Kodi on one of my 17cm by 17cm boards, plugged into an HDMI port on my main television, but I dismantled it because I didn't use it very much. With lots of USB ports on the 17cm by 17cm board, I could bring Kodi back.

So as long as I keep the 50-foot ethernet cord plugged into the AT&T fiberoptic unit in my basement, I can reboot my Win7/Mint 18.3 KDE machine to find out what I did wrong. At some point, I can get the web interface working for pfSense Opnsense, or I can just go over to the keyboard and monitor on my 17cm by 17cm board and try to figure out what is going on. I could even put in an optical drive just long enough to install Ubuntu and Kodi.

So which "postage stamp" laptop wifi module should I use? The 3090 or the 5390? I heard that BSD works well with the 3090, shouldn't it also work fine with the 5390? What do you think?

DDWRT also has adblocks based on host lists. I use this one https://github.com/m-parashar/adblock

i think cat ratings are potentially a scam as long as your cables are copper and shielded (STP)
i recently did a load of cat7 for someone and other than the shielding it seemed to just be thicker insulation making it a bastard to work with.

i dont know about the latest Pi, but the older ones used an ethernet to usb controller and a usb hub, the main chip did everything over one usb port - so comms was slow.
if you want to use a compact computer then check on how they handle ports first.
maybe also check orange-pi / banana-pi
those where created to work around some weaknesses in the raspberry design like adding a sata controller

It seems the WRT-1900 only has about 256 megs of RAM, so this router is the first version. Linksys does not always label version 1. It is as if they never realized they would make a second version later on. When I installed uBlock-Origin on Firefox for WIndows 7, and went to adblock-tester dot com, I blocked 100 percent of the things on their test web page. So the ad-blocking for OpenWRT as stj suggested, along with uBlock-Origin, and I don't actually NEED to install more hardware. But of course I'm going to.

(Very interesting, a "Pi-Hole" made with a raspberry pi can do this firewall / ad-blocking work easily. But all I remember (years ago) about raspberry hardware is that they NEVER had disk controllers. So I would have to get the bootup instructions from a different computer on my home network. And of course, I could never do that because I did not know about networking. And Louis Rossman was very much against me using those pre-made Raspberry firewalls anyway, because he could not do the sophisticated things he talks about with a Raspberry unit. I don't want to do those fancy things, and Raspberry units DO boot from microSD cards, so yes, I could have used a Raspberry. But I already have the 17cm by 17cm AM1/FM1 board [whatever it is], the AMD 5350, and the large passive heat sink, and since it is the MSI model, it can run from a laptop power adapter (and I own one of those also). So I'll boot from a cheap SSD and use the FM1 board with pfSense.)

I may be going into my attic in a few days. I am getting old, and I do NOT want to have to do this again. I moved the AT&T fiberoptic unit in my basement so it is closer to the spot where I can drop ethernet cable down through the walls. There are only two or three places in my house where I can do that.

If I replace the Cat5e cable in my walls with Cat6, is it really that much better?

version is probably on the label - so people dont flash it with the wrong file

you dont need to reboot the router when adding stuff or changing firewall or addblock settings btw,
the pages for them have a button to restart the service on a running system.

Okay. It looks like my router is a version 1, not a version 2. When I tried to install OpenWRT for version 1, it suddenly worked perfectly (maybe v2 of the software runs sanity checking). When I I changed OpenWRT to a decent password, the summary screen said it had about 242 megs of memory. I found and installed the adblock package, added a couple of block lists (beyond the ones they "selected me" for, rebooted and then went to adblock-tester dot com. I scored 47 points out of 100.

Now, with the confusing info out there about how to determine whether I have version 1 versus version 2 of this router, well, I don't know what I'm going to say to this eBay seller. But if more blocklists interfere with each other, maybe I won't need the 1900 v2 with double the memory.

Thank you. I got the WRT-1900 in the mail today. When I read the manual, I discovered I had to go to linksyssmartwifi dot com when there is nothing connected to the WAN port. A routine in the firmware will then bring up the settings page (192.168.0.1 no longer brings up the settings page for either the 1200 or the 1900). This is how I know both the WRT-AC1200 and the WRT-AC1900 still have stock firmware, NOT OpenWRT. And the "cold" 120-volt adapter brick for the WRTAC-1200 is NOT defective. (When there IS an upstream connection and you go to linksyssmartwifi dot com, you sign in with your Linksys account, and manage it from there.)

I tried numerous times to install the correct OpenWRT image on both. I downloaded the "OpenWRT factory upgrade" image (for upgrading from Linksys to OpenWRT) for both. After shutting down both router and Win7, then restarting with no internet access, I uploaded through the GUI in the factory firmware. I rebooted, I chose "restore previous firmware", I turned both off and on quickly 3 or 4 times, used the red reset button on each, nothing worked. Either they just won't upgrade or I am just not smart enough.

It will be several more days before I receive the rest of the equipment. I bought the Zyxel NWA90AX Pro wireless access point. I found "SFP to ethernet" adapters for the "rack-mount" ethernet connectors on my Intel X520 LAN card, but I did not buy them. I bought a 4-port Intel I350 PCI-E wireless card instead. It uses regular consumer ethernet plugs. The X520 won't be used at this time.

I think I have the knowledge I need. The AT&T/Humax unit can be set to give addresses in a range I specify (let's say 192.168.3.32 to 192.168.3.64). The Intel I350 LAN card in the AMD5350 machine will get an address in that range. I will then use a keyboard, mouse and monitor on the AMD 5350 to make sure the Zyxel can give out 192.168.1.X, because the Zyxel seems to prefer 192.168.1.1 for the settings page. So my devices (Roku, Alexa, ZapperBox ATSC 3.0 unit, Galaxy S10+ Android phone) will have IP addresses starting at 192.168.1.2.

(They say you can flash the Zyxel to OpenWRT, but after the last three days with no success on this Linksys hardware, I would rather kiss my car's hot exhaust pipe than use OpenWRT. Also, judging by the screen shots of the settings, the Zyxel's stock firmware has great features.)

Then I'll need to work on the ad-blocking in pfSenseNG and the auto-login so the AMD 5350 will restart "headless" in the event of power failure. I could also use that spare UPS (APC UPS-1500). It has a fresh battery.

maybe this is usefull

I'm sorry, I cannot just upgrade twice. I upgraded at least 5 times, but I did it wirelessly, which might not have worked. I should have done it with an ethernet cord. Also, a week or two ago the Linksys downloaded a firmware update. This update might have removed the ability to switch to third-party firmware (it might have also removed the ability to ssh into the unit). They might have even removed the "secret counter" that records 3 unsuccessful boots before booting the other partition. Perhaps the only way to recover the unit is to solder connectors for a "console", which is beyond my ability.

Also, when I walked over to the WRT-AC1200 a few minutes ago, the power adapter brick was cold, not warm. My voltmeter says it is providing 12 volts, but I suspect it won't provide the proper voltage OR current when the WRT-AC1200 is actually switched on. Windows 7 no longer sees the wireless access points (2.4 GHz OR 5 GHz), so I suspect the power is insufficient.

I bought a used WRT-AC1900 from eBay, it may take a week to get here. I will NOT expose it to the internet until I flash to OpenWRT. When I plug my Win7 in to the LAN port on my old WRT-54GL (not exposed to the internet) I can find the settings page at 192.168.1.1 because I flashed it to DD-WRT years ago. Hopefully, flashing the WRT-1900 will go smoothly. THEN I can expose it to the internet.

If I wanted to use my AMD 5350 board for an ad-blocking firewall, well, some people on the OPNSense boards suggested my hardware was not as good as it could be. Intel X520 2-port WIRED PCI-E card, plugged into a wireless access point, will not match the capabilities of the "system on a chip". They suggested a motherboard using the 6-watt Intel N100 chip, which could be somewhat better. But those boards start at $150. My mini-ITX is already paid for.

It may take 2 weeks before we know anything further (maybe I'll put in the old 10/100 WRT-54GL with DD-WRT, I don't know). Until then, there is no wireless in my house. No music or weather from Alexa. But I do have some ethernet cable inside my walls, so I could use the ROKU to watch some movies.

a fresh openwrt install has no password -just press enter.
as for the dual partitions,they alternate so just upgrade twice

Oops. Edit post #12. BSD does indeed support wireless chips. I thought it did not. But I also thought the radios and processing power of the WAP and the Intel PCI-E card would be better. It seems my PCI-E Atheros 9380 card is nicely supported in BSD, but it might give terrible results if I try to download a Linux distribution while watching a movie on my Roku device. I don't know.

No. The WRT-AC1200 has two different partitions. I put OpenWRT on one, but I can't make the router switch to that partition (even if I go into the settings and click on "revert to previous firmware" and then "apply"). There were some "ssh" commands to check the partition and make it switch, but I have not been able to get them to work. What do I type? How about "sudo ssh 10.165.249.151 <command to view active partition>"? When I am prompted for my password, I suppose I'll use my Linux system's admin password? Will the router reject my command because I never supplied the router's password? This is just a little more complex than I think I can handle. And passwords, just like networking, won't tell you why you failed.