pfSense is installed in this setup.
You're thinking about organizing your network in a way that keeps your home router's settings safe. Placing a pfSense device between the modem and router makes sense because it centralizes management while isolating your personal traffic. This setup lets you handle servers and other needs without affecting your family's connection.
You can achieve this by configuring pfSense to use double NAT. However, normal LAN access to pfSense or devices will be blocked unless you enable port forwarding rules or allow WAN traffic into the router. If you connect pfSense directly to a modem, remember to revert those settings to default to avoid exposing everything to the public internet.
LIGISTX provided a solid response. I’d like to share some suggestions for your pfSense box: activate the NTP server and forward any domain requests for “time” to the pfSense IP address. This will minimize device tracking and cut down on redundant time queries from all your gadgets. Adjust the Unbound DNS resolver cache settings so DNS lookups stay valid for 259,200 seconds—this is longer than the default 175 seconds, effectively extending the period. Doing this helps speed up DNS resolution and connecting to an IP, lowers outbound network traffic, and eases pressure on DNS servers, possibly saving energy. Consider setting up a Pi-hole (though it is not directly UNIX compatible; alternatives like pfBlockerNG work well) on a Debian VM; it uses minimal memory—under 250MB initially, dropping to half once running on Debian with Pi-hole enabled. If you’re unsure about running a VM on pfSense, I’m happy to guide you through it or suggest another option. For more details on why online tracking is becoming problematic, check this link: https://pi-hole.net/blog/2017/02/22/what...h-pi-hole/ . Even large companies now advise using adblockers to block malware.
Enterprise firewalls include URL, DNS and domain blocking options with vendor updates, so you simply turn on the feature set and select the 'advertising' category for blocking. Each vendor works a bit differently, but these are the general steps. Keep in mind that the advertising category usually doesn’t stop legitimate services like Google Ads or other ad platforms from functioning, even though malicious ads have previously been served through them. You can exclude Google Ads, etc., but on the enterprise side it’s common to avoid disrupting systems and maintain good relationships with trusted services, rather than using tools like Pi-hole.
Absolutely. I handle many Sophos XG firewalls and wasn’t sure if we were on a bigger scale. I don’t see many harmful ads, but I’ve got adblock enabled. I’ve noticed some bad Google ads—like when someone searches “Home Depot” and clicks a legitimate-looking link that actually leads to a malicious site. I’m not sure how Google allows this kind of traffic. I’ve seen it a few times too.
I aim to understand how this configuration works and what outcomes I'm targeting. The main objective is to reach a specific result, which guides the design and testing process.
pfSense is designed with an open DNS setup in mind. Have you adjusted the caching rules or directed NTP queries locally back to pfSense? Doing so would cut down on outbound server resource usage and boost precision, especially when paired with tools like ntpd or Chrony. You can also configure it to rely on your network's Ethernet clock instead of the motherboard time source for enhanced accuracy and better network timestamping.
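Two of the replies above recommend pointing every device's DNS and NTP queries at the pfSense box itself. Before adding the redirect rules, a practitioner usually wants to know which hosts have hard-coded external DNS or NTP servers that would otherwise slip past the local resolver. The script below is an added example, not code from this thread or from the pfSense project: it scans firewall log lines and lists LAN hosts that send UDP/53 or UDP/123 traffic anywhere other than the firewall's LAN address. The log lines, the firewall address 192.168.1.1, the LAN subnet 192.168.1.0/24 and the simplified comma-separated record layout are all constructed for the example and do not match pfSense's real filterlog CSV format.

```python
"""
Added example (not from the thread): audit which LAN hosts send DNS (udp/53)
or NTP (udp/123) directly to the internet instead of to the pfSense box.
The log layout used here is a constructed, simplified one, not the real
pfSense filterlog CSV format; adapt parse_line() to your actual export.
"""
import ipaddress
from collections import defaultdict

PFSENSE_LAN_IP = "192.168.1.1"                    # assumed firewall LAN address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
WATCHED_PORTS = {53: "dns", 123: "ntp"}           # services the thread redirects locally

# Constructed sample log: action,direction,proto,src,dst,dport after "filterlog:"
SAMPLE_LOG = """\
Jan 01 00:00:01 pfsense filterlog: pass,out,udp,192.168.1.20,192.168.1.1,53
Jan 01 00:00:02 pfsense filterlog: pass,out,udp,192.168.1.20,192.168.1.1,123
Jan 01 00:00:03 pfsense filterlog: pass,out,udp,192.168.1.31,8.8.8.8,53
Jan 01 00:00:04 pfsense filterlog: pass,out,udp,192.168.1.31,203.0.113.10,123
Jan 01 00:00:05 pfsense filterlog: pass,out,tcp,192.168.1.40,198.51.100.5,443
Jan 01 00:00:06 pfsense filterlog: block,in,udp,198.51.100.9,192.168.1.1,53
"""


def parse_line(line):
    """Return (action, direction, proto, src, dst, dport) or None for non-matching lines."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    if len(fields) != 6:
        return None
    action, direction, proto, src, dst, dport = fields
    try:
        return action, direction, proto, src, dst, int(dport)
    except ValueError:
        return None


def find_bypassing_hosts(log_text, fw_ip=PFSENSE_LAN_IP, lan=LAN_NET):
    """Map service name -> {source host: sorted list of external servers it contacted}.

    Only outbound UDP to a watched port, from a LAN host, to something other
    than the firewall's own LAN address counts as a bypass.
    """
    offenders = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, direction, proto, src, dst, dport = rec
        if direction != "out" or proto != "udp" or dport not in WATCHED_PORTS:
            continue
        try:
            if ipaddress.ip_address(src) not in lan:
                continue  # not a LAN host; ignore
        except ValueError:
            continue
        if dst == fw_ip:
            continue  # already talking to the local resolver / NTP server
        offenders[WATCHED_PORTS[dport]][src].add(dst)
    return {svc: {host: sorted(dsts) for host, dsts in hosts.items()}
            for svc, hosts in offenders.items()}


if __name__ == "__main__":
    for svc, hosts in find_bypassing_hosts(SAMPLE_LOG).items():
        for host, servers in hosts.items():
            print(f"{svc}: {host} bypasses pfSense, contacting {', '.join(servers)}")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of your log file and adjusting parse_line() to the field order your firewall actually emits. Hosts that show up here are the ones the NAT redirect rule for ports 53 and 123 is meant to catch; if a device still appears after the rule is in place, it is likely using DNS over TLS or HTTPS, which a plain port redirect does not intercept.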