So, I am very strict on what comes in and goes out of my network. Most of it is a privacy thing. Without your privacy you have nothing. Bear that in mind. I have pfSense set up and it uses something called pfBlockerNG-devel (the development version of the package), and within that is something called DNSBL (or Domain Name System Block List). It works like the Pi-hole except it is much more extensive. Unfortunately it can get in the way as I fix customer computers, and those need access to some parts of the Internet that I normally have blocked. The machines are generally here for a short time, for cleaning and other types of repairs.
With pfSense I set up a couple of VLANs to keep the place secure. VLAN1 is used to allow unfettered access to the net, whereas LAN is highly restricted. VLAN2 is unfettered outgoing but highly restricted incoming. In fact, packets don't route from VLAN2 into the LAN. This is very important because if any machine on VLAN2 were to be broken into, it can't get inside the LAN where most business activity takes place.
Anyway, the goal is to have customer machines added to VLAN1 and internal business machines on the LAN, with VLAN2 being the jail for some activities, and within that there is an additional series of jails.
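For readers who want to see what "unfettered outgoing, but nothing routes into the LAN" looks like as actual firewall policy, here is an illustrative rule set in raw pf syntax. It is an added example, not the author's configuration: pfSense generates equivalent rules from the Firewall > Rules GUI, and the interface names and subnets below are assumptions.

```pf
# Illustrative pf rules for the VLAN2 "jail" interface (added example).
# Interface names and subnets are assumed, not taken from the post.
lan_if    = "igb1"
vlan2_if  = "igb1.20"            # VLAN 20 tagged on the LAN-side NIC
lan_net   = "192.168.1.0/24"     # assumed LAN subnet
vlan2_net = "192.168.20.0/24"    # assumed VLAN2 subnet

# pfSense's implicit default is "block everything" per interface, so
# only traffic matched by a pass rule gets through.
block all

# 1. Anything from VLAN2 aimed at the LAN subnet is dropped first.
#    "quick" stops evaluation here, so the pass rule below can never
#    override it regardless of ordering mistakes later on.
block in quick on $vlan2_if from $vlan2_net to $lan_net

# 2. Everything else from VLAN2 is allowed out. "keep state" lets the
#    replies back in without needing an inbound pass rule, which is
#    what makes VLAN2 "unfettered outgoing but restricted incoming".
pass in quick on $vlan2_if from $vlan2_net to any keep state

# Note: the firewall's own VLAN2 address (DHCP, DNS) sits inside
# $vlan2_net, so rule 2 still lets clients reach it. Rules for the
# LAN and VLAN1 interfaces are not shown; the LAN policy in the post
# is described only as "highly restricted".
```

In the pfSense GUI this is two rules on the VLAN2 tab, in this order: a Block rule with source "VLAN2 net" and destination "LAN net", followed by a Pass rule with source "VLAN2 net" and destination "any". Put the block rule above the pass rule; pfSense evaluates rules top to bottom and the first match wins, so a pass-to-any above the block would silently undo the isolation. A quick check after saving is to ping a LAN host from a VLAN2 client and confirm it times out while Internet hosts still respond.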
However, when I set this up long ago it had cables running from the router off the main switch over to the counter where customers' computers are initially diagnosed and where some repair work takes place. The problem is that if I try to do updates from, say, Microsoft, since Microsoft is heavily blocked due to their tracking tactics, the updates can't take place and I have to periodically turn off pfBlockerNG and DNSBL.
Today I added another gigabit switch and ran a cable from VLAN2 to it. Then I rerouted the cable going to the front counter, and also connected to it the cable going to the back room, where additional work is often done.
It wasn't hard, but I had to trace down which switch did what, by plugging and unplugging switches and marking them (always mark your equipment) to make it easier next time. Once I determined which cable went to which VLAN I was able to quickly reroute existing cables to provide this functionality. Now I can keep the LAN secured and ad- and tracking-free while allowing computers on VLAN2 to get updates, and I don't have to enable/disable pfBlockerNG each time.