pfsense with Community Fibre Internet

Use my referral link for £100 Amazon voucher when you join Community Fibre!

I recently got set up with Community Fibre Internet. The latency and bandwidth are fantastic; however, the Linksys Velop routers are bare bones, so I decided to just use them as a wireless bridge and replace the routing / firewall role with a custom pfSense device.

I bought an n5100 fanless mini-PC from AliExpress. You can get a barebones unit and buy the drive and memory yourself.

I then installed Proxmox. I recommend enabling the non-free repository and installing the intel-microcode package (otherwise VMs will crash); this may no longer be required for Proxmox 8.

(I already have a Pi-Hole handling DNS and DHCP; you can run this in Docker inside another VM on the n5100 if you like.)

On Proxmox, one interface was designated LAN* (connected to my internal network) and one WAN (initially unconnected), and a bridge (vmbr0 and vmbr1 respectively) was created for each.

I then installed pfSense from the ISO image, configuring the two interfaces as above.
Next I moved the WAN cable from the Velop to the n5100 WAN port. Shortly after, DHCP obtained an external address (different from the original; based on MAC?) and I was connected.

Finally, I changed the default gateway on my static devices to the LAN address of the pfSense VM, changed it in the Pi-Hole DHCP settings as well, and reconnected the devices.

Post-install, I disabled Intel Turbo Boost to keep the CPU temperature down. Update: I re-enabled Turbo Boost and instead bought a USB fan from AliExpress to sit on top of the case.

* Actually, I used a bonded pair, but this requires special switch support.

Keyboard laggy on Linux?

If your keyboard seems to need one keystroke to “wake up” on Linux, it could be USB power saving. If the output of cat /sys/module/usbcore/parameters/autosuspend is not -1, you can disable this by adding the kernel parameter usbcore.autosuspend=-1 and rebooting.

Apache RewriteRule Mitigation for log4shell

Yes, you should update to a patched version of Log4j ASAP.

You should also consider other ways you can be exploited: do you have Java processing emails?

But layers of security never hurt, so you can also try this:

RewriteCond %{THE_REQUEST}     \${     [OR]
RewriteCond %{REQUEST_URI}     \${     [OR]
RewriteCond %{QUERY_STRING}    \${     [OR]
RewriteCond %{HTTP_USER_AGENT} \${     [OR]
RewriteCond %{HTTP_REFERER}    \${
RewriteRule .*                 -       [L,R=403]

Of course, if you expect ${ in any of these headers, this will break your site, in which case you may want to restrict when the rule applies (for example, by checking for the presence of a tracking cookie).

Note also that this will be checked for every single page request, including static ones. Again, this can be customised.
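As an added example (not from the original post), here is a small Python script that applies the same literal ${ checks as the RewriteCond block above to Apache combined-format access log lines, so you can see which requests the rule would block and, from the status column, whether it already fired (403). The log lines are constructed samples, and "${marker}" is a stand-in for any "${" token.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The same literal token the RewriteCond lines test for; a plain substring check, as in the config.
MARKER = "${"

def matched_conditions(entry):
    """Return the RewriteCond variables that would have matched this log entry."""
    hits = []
    request = entry["request"]                 # THE_REQUEST: 'GET /path?q=1 HTTP/1.1'
    if MARKER in request:
        hits.append("THE_REQUEST")
    target = request.split(" ")[1] if " " in request else ""
    path, _, query = target.partition("?")     # REQUEST_URI / QUERY_STRING
    if MARKER in path:
        hits.append("REQUEST_URI")
    if MARKER in query:
        hits.append("QUERY_STRING")
    if MARKER in entry["agent"]:
        hits.append("HTTP_USER_AGENT")
    if MARKER in entry["referer"]:
        hits.append("HTTP_REFERER")
    return hits

def scan(lines):
    """Flag entries the rule would block; 'status' shows whether it already fired (403)."""
    flagged = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m is None:                          # not combined format, skip it
            continue
        hits = matched_conditions(m.groupdict())
        if hits:
            flagged.append({"host": m["host"], "status": int(m["status"]), "hits": hits})
    return flagged

# Constructed sample lines (not real traffic); "${marker}" stands in for any "${" token.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:16:01 +0000] "GET /?x=${marker} HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Dec/2021:10:16:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "${marker}"',
    '192.0.2.9 - - [12/Dec/2021:10:17:40 +0000] "GET /blog/ HTTP/1.1" 200 2048 "http://example.com/${marker}" "Mozilla/5.0"',
]
```

Calling scan(SAMPLE_LOG) returns three entries: the query-string hit that was already blocked (403) and two that went through with 200, which is exactly the gap the rule closes once deployed.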