Last post to date (5-16-2017)

I’ve neglected posting for numerous reasons.  I’ve wanted to come back and post on several occasions.  Things just keep popping up or I feel lazy.  Since there are a lot of things that have happened during that time I thought I’d update some.

  • Going way back, I’ve been working on getting the pihole working.  This is an amazing tool.  Integrating it with my network is a bit tricky.  Each time I do something like adding stuff to my network I learn what doesn’t work, and hence I learn new things.  That’s really why I am in this field and stay at this level.   The pihole provides LAN-wide blocking of ad and tracking sites.  How it works is pretty simple.  It’s based on the concept of DNS, the domain name system.  DNS is the way the human-readable names that you type into your browser get converted into the numeric IP address of the computer that serves them.  The pihole operates as a DNS forwarder.  Your machines send their DNS queries to the pihole.  It looks at each request and checks the list of sites that are not permitted.  If the site is permitted it passes the DNS request on to the real DNS server.  If the queried site is on the blacklist or on the long list of ad/tracking sites, then it doesn’t forward the query and instead puts up a page telling you that the site is blocked.   To configure it you tell your router that the pihole is the DNS server; that way, if you have kids that might be trying to get into porn sites, they can’t work their way around it, since they have to go through your router to get out.  Or if you are a business and you don’t want your employees constantly on facebook.  The unique part of my situation on my LAN is that I use pfSense.  It appears to have some special considerations.  I am able to configure each workstation to give it a specific IP via the DHCP server.  At that time I can also assign the DNS server for each workstation independently.  However, if you list the pihole as the default DNS server in the general settings it will cause the pihole to not work.  You must assign a static IP to your devices (which is the preferred way) and then add the pihole as the DNS via the DHCP server config for each device.  It only has to be done once.
I also know that pfSense has something called pfBlockerNG, which has a DNSBL (DNS blacklist) that allows you to configure lists such as EasyList.  This brings me to the next thing that I had been dealing with.
  • I have a VPN and have used one for some time.  Congress and the president just signed a law that allows your ISP to collect and sell your internet history.  Many of us don’t like this.  Though the ISPs have been able to do this all along, the law that was created made it legal and hence created an incentive to do it, since there’s nothing we the people can do about them selling the information.  Or is there?  Well, there is.  What people are doing is buying a VPN service and configuring their network to use that as the exit point for their internet activity.  Since the VPN acts like a tunnel and it is encrypted, the ISP can’t read it and you can go back to being semi-anonymous.  VPNs are relatively inexpensive.  They cost between $3.00 a month and $10 a month.  I don’t think the higher priced ones are that much better, so stick to the low end unless you find one that doesn’t perform.  Most VPN providers will tell you that they don’t log.  That is really what you want.  You don’t want one that sells you VPN service where you are counting on no tracking, yet they log and then sell that information.  Anyway, I have used a VPN for the past couple of years for one thing or another.  It is nice to just have it for those times when I need it, and it has come into favor with me as I don’t want nor need my ISP tracking anything that I do.  It is none of their business.  Bear in mind that if an ISP says that they don’t track or log this information, they don’t until they do.  That means you have no control over when or if they start.  They can start simply by changing the terms of service, and since you are likely not able to get more than one ISP in your area you are stuck allowing them to do so.  You might say a VPN provider could do the same thing.  And they could.  But there are lots of VPN providers and you could simply switch to one that doesn’t.  The cost to start as a VPN provider is certainly much less than starting as an ISP, so the barriers to entry are much smaller.
Here’s how I protect myself.  I paid my VPN provider a year in advance.  It is cheaper to do it that way.  Now, any machine that I set to use the VPN provider will go through that encrypted tunnel and my ISP knows nothing.  Which brings me to what I do with pfSense.
  • With pfSense you can run OpenVPN on your router.  This allows you to centralize the VPN service instead of running it on each machine.  It also has some other inherent benefits.  To start, in pfSense you install the OpenVPN package.  Then you create an interface, which adds a gateway.  Then you configure OpenVPN with the private keys that your VPN provider sent you, and then you are off to the races.  It’s a bunch more complicated than that, so be advised that me making it seem like a few easy steps is a lie.  Once you’ve done it a few times though, as every one of us does trying to implement it, you get to the point where it seems easy.  You have to get past the learning curve and you’re done.  What I learned is that my VPN provider allows for 5 concurrent connections.  Initially I thought this meant 5 connections to different exit points, that is, 5 machines exiting at various exit points.  It may still be true, but my tests proved otherwise.  I could get 5 connections to the same exit point where each connection had a different IP address.  Oh well.  This doesn’t minimize the value.  There’s a bunch more.  For instance, I found that I can set the default DNS in the general settings in pfSense to use a specific gateway.  If you read back some you’ll note that I said you create an interface, which automatically creates a gateway for it.  You set the VPN to be the route for the gateway.  So setting the general settings DNS gateway to the VPN means that all the machines on your network get their DNS queries encrypted, so your ISP can no longer read your history.  That’s pretty neat.  That’s what I did.  The issue that cropped up for me was when I discovered that if I set the pihole as the DNS forwarder I had to tell the pihole that the DNS queries that passed should go back to the pfSense router.  Luckily the pihole guys were smart enough to have included that instead of just assuming specific logic without telling us what it is or making it configurable.
Using the pihole has also led to a few additional discoveries.
  • The pihole will allow you to wildcard block domains.  There are domains such as google.com and there are domains such as video.google.com.  The video.google.com is a subdomain.  There can be an endless number of them, so having the ability to wildcard block is important.  Don’t go too hog wild, because you could block sites you didn’t intend, so as with pfSense rules go from the specific to the general (in that order).  What this blacklisting provides is the ability to custom block sites that aren’t included in the default lists provided by the pihole guys.  There are other people on the web that maintain lists that you can incorporate.  I think at one point I had nearly 2 million sites blocked.  Needless to say, you have to go back and whitelist sites that you want if you want to continue to use those extensive lists.  One more thing that you’ll note with the pihole is that it provides you with lists and graphs of the number of queries over the past 24 hours, along with the top domains and the machines involved in the queries.  In other words, it will tell you which machines on your network are doing the queries and which sites are being queried the most.  I found at home that my TV set was doing the most queries every day.  It was trying to report back my activity.  Of course I don’t use the smart capabilities of the TV; instead I use Linux running on an ODROID-C2 as my media center.  I do use netflix once in a while, so I have to give the TV manufacturer the rights to it all if I want to continue.  It’s an all or nothing thing.  To solve this I use the pihole to block the sites that the TV is querying.  I found that the TV was doing a lot of queries, mostly around 6pm.  I kept an eye on the pihole charts and graphs; they told me the top domains, and that told me what I needed to block, so I get to keep the smart TV features on while blocking their tracking.  I also found something else about everyone’s internet use.
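To make the forwarder logic described above concrete (check the query against a blacklist before deciding whether to send it upstream, with wildcard blocking covering every subdomain and a whitelist that overrides the lists), here is an added example in Python.  It is not Pi-hole’s own code; the domain names, the upstream answer table and the sinkhole address are constructed for the example, and the whitelist is deliberately simplified to exact-name matching, which is an assumption rather than a description of how Pi-hole evaluates its whitelist.

```python
from typing import Dict, Iterable, Optional, Tuple

# Constructed for this example: where a blocked query is sent.  A real
# sinkhole would point at the Pi-hole's own address so it can show its
# "blocked" page, or at 0.0.0.0 to make the lookup simply fail.
SINKHOLE_ADDRESS = "0.0.0.0"


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot too."""
    return name.lower().rstrip(".")


def parent_zones(name: str) -> Iterable[str]:
    """Yield the name and each parent zone, most specific first:
    video.google.com -> video.google.com, google.com, com."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class Blocklist:
    def __init__(self, exact: Iterable[str], wildcard: Iterable[str],
                 whitelist: Iterable[str]) -> None:
        self.exact = {normalize(d) for d in exact}       # block this name only
        self.wildcard = {normalize(d) for d in wildcard} # block name + subdomains
        self.whitelist = {normalize(d) for d in whitelist}

    def decide(self, qname: str) -> Tuple[str, str]:
        """Return (verdict, reason).  Rules are checked specific-to-general:
        whitelist first, then exact entries, then wildcard zones."""
        q = normalize(qname)
        if q in self.whitelist:
            return "allow", "whitelist"
        if q in self.exact:
            return "block", "exact"
        for zone in parent_zones(q):
            if zone in self.wildcard:
                return "block", "wildcard:" + zone
        return "forward", "upstream"


def resolve(bl: Blocklist, qname: str,
            upstream: Dict[str, str]) -> Optional[str]:
    """Simulate the forwarder: blocked names get the sinkhole address,
    everything else is looked up in the (constructed) upstream table."""
    verdict, _ = bl.decide(qname)
    if verdict == "block":
        return SINKHOLE_ADDRESS
    return upstream.get(normalize(qname))


# Constructed sample lists: one exact entry, two wildcard zones, one whitelist
# override for a host that would otherwise fall under a wildcard zone.
SAMPLE_BLOCKLIST = Blocklist(
    exact={"metrics.smarttv.example"},
    wildcard={"adservice.example", "tracking.example"},
    whitelist={"safe.tracking.example"},
)

# Constructed stand-in for the real upstream DNS server.
SAMPLE_UPSTREAM = {
    "www.example.org": "203.0.113.10",
    "safe.tracking.example": "203.0.113.20",
}


if __name__ == "__main__":
    for name in ("www.example.org", "metrics.smarttv.example",
                 "img.adservice.example", "safe.tracking.example",
                 "a.b.TRACKING.example."):
        print(name, SAMPLE_BLOCKLIST.decide(name),
              resolve(SAMPLE_BLOCKLIST, name, SAMPLE_UPSTREAM))
```

The ordering inside `decide` is what the "specific to the general" advice buys you: a whitelisted host wins even when one of its parent zones is wildcard-blocked, and an exact entry is recognised before the wildcard walk starts.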
  • Basically every machine on your network, on your LAN, is constantly querying DNS.  The important thing to realize here is that the number of DNS queries to ad/tracking sites is sometimes 40% or more of your total queries.  If you hit a web page your router does a DNS query.  As the page loads it is loading content from various other sites, including the ad and tracking sites.  That means it has to query those sites too.  In doing so this adds to the total number of queries.  Any given page could generate 10 to 100 different DNS queries.  Having that happen adds to the load time for each page.  Blocking that activity at the router (or pihole) level will speed up your browsing, because not only are the sites blocked from being queried, so is the content that they would send.  It doesn’t prohibit the site from sending you the main content; it just stops the ads from coming through with it.  That 40%+ is sizable and you should note it.  Also, noting the activity of your smart TV is important, because you may not have known this was happening and you would not have permitted it had you known.  You might be asking what the cost is of getting this done.  It is twofold; however, it is not expensive.
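The per-client and per-domain view described above (which machines query most, which names they ask for, and what share of all queries would be blocked) can be reproduced from the forwarder’s query log.  The following is an added example, not Pi-hole’s own reporting code: it parses constructed dnsmasq-style `query[...]` lines and a constructed set of blocked names, and the 40% figure in the text is the author’s observation, not something this sample log is calibrated to.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Constructed sample log in the dnsmasq "query[TYPE] name from client" shape.
# Timestamps, names and clients are made up for this example.
SAMPLE_LOG = """\
May 16 17:58:01 dnsmasq[612]: query[A] www.example.org from 192.168.1.10
May 16 17:58:01 dnsmasq[612]: query[A] cdn.example.org from 192.168.1.10
May 16 17:58:02 dnsmasq[612]: query[A] ads.adservice.example from 192.168.1.10
May 16 17:58:02 dnsmasq[612]: query[A] beacon.tracking.example from 192.168.1.10
May 16 18:00:15 dnsmasq[612]: query[A] metrics.smarttv.example from 192.168.1.42
May 16 18:00:16 dnsmasq[612]: query[A] metrics.smarttv.example from 192.168.1.42
May 16 18:00:17 dnsmasq[612]: query[A] logs.smarttv.example from 192.168.1.42
May 16 18:00:18 dnsmasq[612]: query[A] metrics.smarttv.example from 192.168.1.42
May 16 18:05:00 dnsmasq[612]: query[AAAA] www.example.org from 192.168.1.10
May 16 18:05:00 dnsmasq[612]: query[A] ads.adservice.example from 192.168.1.10
"""

# Constructed stand-in for the forwarder's blocklist (names it would sinkhole).
SAMPLE_BLOCKED: Set[str] = {
    "ads.adservice.example", "beacon.tracking.example",
    "metrics.smarttv.example", "logs.smarttv.example",
}

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2}) .*?"
    r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)


class Query(NamedTuple):
    hour: str
    qtype: str
    qname: str
    client: str


def parse_log(text: str) -> List[Query]:
    """Keep only well-formed query lines; anything else is ignored."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append(Query(m["hour"], m["qtype"], m["qname"].lower(),
                             m["client"]))
    return out


def summarize(queries: List[Query], blocked: Set[str], top: int = 3) -> Dict:
    """Totals, blocked share, top clients/domains and a per-hour histogram,
    the same view a forwarder's dashboard gives for the last 24 hours."""
    total = len(queries)
    blocked_n = sum(q.qname in blocked for q in queries)
    by_client = Counter(q.client for q in queries)
    blocked_by_client = Counter(q.client for q in queries if q.qname in blocked)
    by_domain = Counter(q.qname for q in queries)
    by_hour = Counter(q.hour for q in queries)
    return {
        "total": total,
        "blocked": blocked_n,
        "blocked_pct": round(100.0 * blocked_n / total, 1) if total else 0.0,
        "top_clients": by_client.most_common(top),
        "top_domains": by_domain.most_common(top),
        # Share of each client's queries that hit the blocklist: a client
        # near 100% is a device doing nothing but phoning home.
        "client_blocked_pct": {
            c: round(100.0 * blocked_by_client[c] / n, 1)
            for c, n in by_client.items()
        },
        "queries_by_hour": dict(sorted(by_hour.items())),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), SAMPLE_BLOCKED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `client_blocked_pct` figure is the one to watch for a device like the TV in the text: a client whose queries are almost all on the blocklist is reporting back rather than serving you content, and its top domains are the ones worth adding to the blacklist.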
  • The pihole runs on a Raspberry Pi, which is a $35.00 device.  Very cheap.  You still need a flash card, a power cable/adapter, and a couple of other cables to set it up (ethernet, temporarily an HDMI cable, and maybe a thing or two extra such as a keyboard).  You’ll need to install Linux to boot off the SD card and then you’ll need to install and configure the pihole software.  After that you’ll need to know how to configure your router.  That’s where the cost comes in.  The first is the physical hardware and the second is the knowledge about how to get it all installed and configured.  The actual monetary cost is very small, but the knowledge cost is more.  You can learn how to do it yourself, but it might be wise to pay someone some money to do the heavy lifting for you.  Once it is all configured you’ll still need to know how to do some work yourself; however, after a period of time that activity will drop off to next to nothing.
  • On to another topic.  A buddy of mine where I live told me that the power was going out on a specific night and that it would come back up at 8am the next morning due to some maintenance the power company was doing in the area.  He was off by a day on his notice to me.  They’d scheduled it for the next night rather than the night he told me.  Oh well, I guess all is well.  The next day I was somewhat prepared.  I shut most everything down that night and in the morning I woke to the outage.  I was happy to find my water heater had kept the water hot.  Just as I was about to leave the power came back on.  I left and arrived at work to find about 10 different things had gone wrong.  The power outage was not supposed to have affected my work.  It was only supposed to affect the housing area where I was living, which is about 20 miles away from work.  I checked to see if the power had gone out.  It had not, yet there were still all these odd things that had happened.  For instance, when I turned the TV on at work (I use it to watch youtube videos of things like how to manage a pfSense router box, etc.) the icons on the TV were huge.  That meant I had to reboot that computer.  I found that on my main computer I was getting the message that ethernet connection 2 had connected and then disconnected.  It was doing this over and over.  I shouldn’t have an ethernet connection 2, so I started to wonder what that was about.  Upon doing an ifconfig I noted that yes, there was an ethernet 2 connection.  I just didn’t know what it was from.  Restarting things didn’t make it go away.  Also, the Asterisk VoIP phones seemed to work that morning when I tested them but stopped working in the afternoon.  I had rebooted some equipment, and since the Asterisk voicemail is stored on a remote machine (for backup purposes) and I’d rebooted that machine, I decided to reboot the Asterisk VoIP server.  No luck.  However, things did calm down some.
I found that the cause of the constant connect/disconnect on ethernet 2 was an iPhone plugged into a powered USB hub that I’d plugged it into to charge the battery.  I would never have expected that.  I plug my Android phones in all the time.  Which leads me to my Android phone adventure.
  • One of my customers brought in her new unlocked Android phone, purchased from Amazon, that she wanted to put on Total Wireless.  You get monthly cards from them and you get unlimited calls and text as well as 5gb of data every month for $35.00.  Not bad.  The problem is that she’d tested it out by entering the IMEI number into the web page they use to verify compatibility, only it told her no, it was not compatible, yet online others were saying that it is compatible.  The issue is that they weren’t actually asking for the IMEI number; they had labeled it as something else and she had put that number in.  The IMEI number is one digit longer than the number labeled on the website.  When I put the full IMEI number in it popped up as a compatible device.  She went and bought a SIM card and a minutes card and we successfully set her up.  That got me to thinking.  I should try that on one of the two brand new Samsung S6 phones that I’d bought from someone who needed cash more than the phone.  I checked mine and it said it was compatible.  I went and bought a SIM and minutes card and had it up and running in no time.  I think I’m happier with that than I was when I was using my Nexus 4 with T-Mobile.  I get more minutes and texts (which I never use) and I also get 5gb of data.  Though T-Mobile says unlimited data, anything over 2gb pushes you to the EDGE network.  Data transfer on the EDGE network might as well be non-existent, as it is so poor.  And, at home I can get calls on the Verizon network, which is what Total Wireless uses, whereas with T-Mobile I get zero signal.  One thing to note is that when I use my Asterisk VoIP server I can ring an external number in the ring group along with the extensions in the ring group.  It works quite well; however, it only tells me that the caller is coming from my work number.  At least it lets me know calls are coming in.  I also have Asterisk set to send me an email whenever someone leaves a voicemail.
That email tells me the number of the person that originally called.  So, even though I can’t risk picking up the phone to answer, I can know a call came in and I can know a short time later who it was that called.
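The "one digit longer" detail above has a concrete explanation: a full IMEI is 15 digits, and the 15th is a Luhn check digit computed from the first 14, which is why the 14-digit form printed on some labels and forms does not match what a carrier lookup expects.  The following is an added example (not code from the post or from any carrier) that computes and verifies that check digit; the IMEI values in it are constructed for the example and do not belong to a real device.

```python
from typing import Tuple

IMEI_BODY_LENGTH = 14   # TAC + serial number
IMEI_FULL_LENGTH = 15   # body + Luhn check digit


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a 14-digit IMEI body.  Walking right to left,
    the rightmost body digit (the one next to the check digit) is doubled,
    then every second digit after it; doubled values above 9 have 9
    subtracted (equivalent to summing their two digits)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def classify_imei(value: str) -> Tuple[str, str]:
    """Return (status, detail) for a string a user typed into an IMEI field.

    status is one of:
      "valid"        15 digits with a correct check digit
      "bad-check"    15 digits but the check digit does not match
      "body-only"    the 14-digit form; detail holds the completed IMEI
      "malformed"    wrong length or non-digit characters
    Spaces and dashes, as found on labels, are stripped first."""
    digits = "".join(ch for ch in value if ch not in " -")
    if not digits.isdigit():
        return "malformed", "contains non-digit characters"
    if len(digits) == IMEI_BODY_LENGTH:
        return "body-only", digits + str(luhn_check_digit(digits))
    if len(digits) != IMEI_FULL_LENGTH:
        return "malformed", f"expected 14 or 15 digits, got {len(digits)}"
    body, check = digits[:-1], int(digits[-1])
    if luhn_check_digit(body) == check:
        return "valid", digits
    return "bad-check", f"check digit should be {luhn_check_digit(body)}"


if __name__ == "__main__":
    # Constructed values: a 14-digit body (what the web form was labelled
    # for) and the 15-digit IMEI the carrier lookup actually wanted.
    for sample in ("35209900176148", "35-209900-176148-1",
                   "352099001761480", "35209900"):
        print(sample, "->", classify_imei(sample))
```

Running it on the 14-digit body reports `body-only` together with the completed 15-digit IMEI, which is the form to paste into a carrier's compatibility check; a 15-digit value with a wrong final digit is reported as `bad-check` rather than silently accepted.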

That’s about it for now.  There were so many other things that happened in between my last post and this, so I’ll try to fill some of that in.  Sorry for the lack of edits and lack of spell checking and grammar.  I’ll correct some of that shortly.