Level1 Presents: THE FORBIDDEN ROUTER II - DIAL-UP BY DAWN
Vložit
- čas přidán 8. 06. 2022
- Wendell walks you through some of the software that makes the FORBIDDEN ROUTER tick!
+ Forum thread: forum.level1techs.com/t/forbi...
Follow The Series!:
+ Level1Mini Series: The Forbidden Router Trilogy • Level1 Mini Series: Th...
**********************************
Check us out online at the following places:
linktr.ee/level1techs
IMPORTANT Any email lacking “level1techs.com” should be ignored and immediately reported to Queries@level1techs.com.
-------------------------------------------------------------------------------------------------------------
Intro and Outro Music By: Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
creativecommons.org/licenses/b... - Věda a technologie
The only haiku you need to know to work in IT (and I say this as I enter into my 21st year in the industry):
It's not DNS.
It cannot be DNS.
It was DNS.
I’ve been running a pi hole for about a yr and it’s been great. You don’t realize how many ads are fired at you until you see zero.
3:02 - Docker still has a lot more usable implementations for container work on Mac and Windows, IMO... until they overcome those issues, I'm still sticking with Docker CE on my servers. Seems like most of the people using and pushing Podman are already deep in the RHEL ecosystem.
Gibson's DNS benchmark is fabulous. I can't believe I forgot about this, but I saw it in the background on the monitor.
And you can set up pi-hole to be a DNS cache as well as blocking. That way you are only two levels on anything cached, and only three levels on the first visit.
I'm trying to do a DNSBench myself... Is it just me or does Gibson's dns bench not allow IPv6 DNS servers?
fucking damn usefull thing, even if it is 13years old now. it is always dns, maybe dns is working inside, but if your routers dns is not responding, everything takes 3 refreshes and 12seconds to get anywhere
My dad was just talking this afternoon about how a website he was using is more ad than content. Maybe I could set up an idiotproof Pihole system for him...
Love this series! Definitely interested in the DNS video.
you just called your dad an idiot?
@@emeraldbonsai Use both, but pihole makes things way faster, because you get an instant nxdomain rather than it waiting ages to do its real-time bidding thing to decide which ad to serve to you.
Made the bold decision to use my forbidden router and set up a Samba domain controller, in combination with pfSense Unbound DNS resolver/adblock. Choreographs the systems I've got racked. Little flaky for machine name resolution, but the Windows domain remains consistent. Cool to see similar stuffs. ProxMox, Debian, Windows, pfSense.
Really cool to be about to control my drive share mapping via Group Policy for the home lab. Set processes to run as domain accounts for Windows auth. Makes the whole network feel more cohesive.
I'm up 4 hours into midnight and finally do something with my life. Thanks for the tips!
I've been running portainer for months now. Amazing piece of software. I have been manually deploying services using multiple compose files for years and it's a big pain to maintain.
I love the beam-out at the end!
I had to go a few months without using pfBlockerNG with DNSBL... holy hell, the naked web is terrible.
Delightfully geeky.
Thanks!
Pihole + Unbound = Simple, Elegant, and Private
Pihole Caches DNS lookups
Excellent content as usual! However, being a technician for M365/Azure services I have to point out one minuscule item of correction around 12:25.
Endpoints that are Azure AD-joined do not use a domain controller so no special considerations for DNS are necessary.
@2:00 Mikrotik RouterOS v7 lets you run containers, and their example is Pihole
Wendle you bastard. Somehow I find myself building a mini version of this with a ryzem 3600 right now.
A bit silly that during the DNS bench portion I didn't realize the DNS name was off to the right as I recognized so many of the IPs. Good series.
Great series
6 days ago… k bro..
Our Patreon and Floatplane supporters get to see stuff early, just fyi ~Editor Autumn
I used to run a caching proxy server back in the late 1990s / early 2000s. That did the same thing as the Steam Cache system you describe. I think Microsoft's later proxy server (ISA Server?) had caching capability too.
Using Pi-Hole some zears now. Great filter. People do not understand that firewalls block traffic by IPonly however DNS is still being asked. Pi Hole seals this leak.
4:50 the first time you access a site and DNS is used to get the IP, once it is cashed locally it is not 'slow' anymore as the info is then local (for quite some time).
When talking about DNS "slowness" we refer to it as latency. DNS doesn't "slow" your computer but it can take a long time to resolve whatever internet namespace you request. That delay is called latency. I do my own DNS for my LAN and I know it has some latency issues but whatever. I go back to the days of dial-up and so I naturally compare my computing experience to that quagmire.
pihole has a "local dns" settings where one could set the domains to be cached to point to the lancache, but one would have to enter everything manually (or edit the file pihole saves them to)
Surely that edit could be (and possibly has already been) scripted
You can also set lancache as an upstream for pi-hole
Pi hole on Pi B 4gb inside a docker container has worked for my small set up at home with 7 people
Interesting video, I also went the virtualization route, took me a few days, but now I have a Proxmox server, with PFsense, Truenas, Linux (for my docker, portainer stuff), Windows for Blue Iris virtualization, and it all runs very well on a 5950x (which I also use for Blender network renderings). I will also have a look at the things you suggest here, but of course I don't have your powerful hardware.
Nice! I went much the same way software-wise, but with a 2P Xeon system (used mainboard, CPUs, memory from eBay). It's quite a bit slower than your 5950X but at the time it was a relatively cheap way to get 16c/32t w/ 128GB ECC. I think 64GB is the limit for AM4 (?) but that's enough to do a lot. I could actually make 64GB work for my own needs, but I like the extra breathing room.
@@vonkruel Interesting, yes this virtualization is a great thing, Proxmox is pretty amazing, I was a bit hesitant to go the forbidden router route at first. I now have 64 GB, but will go to 128GB as well, just to have some headroom like you mentioned. For Truenas and Ubuntu I still need to figure out how to install a qemu-agent . When I look at some tutorials, they look messy, installing about 150 Mb for an agent its ridiculous, in contrast with Win11 and Pfsense it was relatively clean and easy. I did have some problems with passing through an old Areca1320 HBA adapter through Truenas, decided to leave the adapter on Proxmox and pass 8 individual drives to Truenas, performance seems ok.
@@rudypieplenbosch6752 In TrueNAS SCALE qemu-guest-agent is loaded by default. You may not want to switch for that reason, but I thought I'd mention it. I believe your ZFS pool(s) will be safer with a passed-through HBA. Maybe if you move it to a different slot it's easier to pass through? Those IOMMU groups can be a pain, and it could be an advantage of HEDT & especially server mainboards that more thought has been put into the IOMMU groupings. There's a kernel hack that'll let you _force_ a device into its own IOMMU group, but if devices were grouped together for good reason, "you're gonna have a bad time".
@@vonkruel Thanks for your suggestions, I did test Truenas Scale on an older system, performance was not great, I understood they are still working on that, so I decided to stay on Truenas Core for now. The passthrough for the HBA was a bit weird, I could see during bootup, the adapter was recognised and all drives were shown, then Seabios came and started alphabetically number each drive, which it should not, after that in Truenas none of the drives were shown . Only yesterday I discovered you can interrupt Seabios in Proxmox, during bootup of a VM. I'll have a look if Seabios can leave my HBA drives alone, because of course I prefer passing through that adapter completely. I don't have a serverboard, but the Aorus Pro, which has IOMMU, seems todo a good job, since all VM's can access the NVMe drive they run on at blistering speeds, 6GB/s. Never expected that kind of speeds when running on a hypetvisor, that is almost native speed for a PCIe4 NVMe drive, amazing. I will run this system for a few years, if I ever upgrade, I want definitely want a server MB, with integrated HBAS controllers, IPMI and more of that server grade features, although I can't complain about the Aorus mainboard. It will be interesting how the NVMe capacities will evolve and how boards will accommodate for more of these speed monsters on a MB. The Icy Dock, which could accommodate 8 of them looks like a direction things are going, I guess the mainboards will have to have an increased amount of onboard ports to easily connect to these kind of devices. Interesting times ahead anyway.
@@rudypieplenbosch6752 Yes, the performance can be surprisingly good!
Okay, for passthru to work, we need 2 things:
1. The PVE host system's vfio-pci driver needs to attach to the device, _not_ the "normal" driver
2. The VM configuration file needs a new line that tells PVE to give that reserved device to that VM
For example, if your VM has id "100" and your HBA has id "83:00" (with no other devices in the same IOMMU group):
1. Edit /etc/default/grub, adding the following to GRUB_CMDLINE_LINUX: "amd_iommu=on iommu=pt kvm-amd.nested=y vfio-pci.ids=83:00"
2. Run "update-grub" (as root)
3. Edit /etc/pve/qemu-server/100.conf, adding the line "hostpci0: 83:00"
If that doesn't work, you probably have 1 or more additional devices in your HBA's IOMMU group, or required IOMMU support is disabled in the BIOS. You can find short shell scripts online that will dig through /sys/kernel/iommu_groups/ and use *lspci* to provide information about devices in each group. If your BIOS is cooperative and there's nothing in the target device's IOMMU group that you don't want to pass to that VM, you can just pass all the devices through.
I hope it helps. A bunch of things need to be right for it to work, but in a lot of cases it's pretty easy on modern hardware.
Lancache only helps if you frequently download the same things though, if you're just one person, downloading a game and probably not redownloading it for like a few months/years it's probably not worth it, cool for conventions or benchmarking though
If you do a video for DNS, perhaps you could briefly cover ISP server vs. public server vs. straight to root servers?
I imagine the latter would usually be slower unless you have a decent number of users and processes on your LAN caching stuff, but to be honest I never benchmarked it. I've been using my own bind9 server with a list of root servers for years and usually it's fast enough for me.
run your own dns resolver? unbound in recursive mode? it is actually default on pfsense iirc and also available on openwrt and such
Conditional forwarding in named.conf or local AD -> pihole -> internet DNS?
While not related to this project. What would the implications be of using a CCR2004-1G-2XS-PCIe tied to a VM server? Would this router direct attached to a VM server have more use, or just be confusing? It would definitely be in the forbidden router category, but also the confused role and function category!
Any thoughts about using/benchmarking Unbound as a root server rather than going to a provider?
I get to do this with the extra layer of Consul because my UniFi gear apparently doesn't have the ability to specify which IP my monitoring VM resolves to.
In terms of blocking ads, I know with ublock and other extensions you can unblock individual, say, youtube channels, not just sites. I'm guessing pihole has a similar provision (though I also run youtube premium, so not only do I get no ads, from what Linus has said, I'm also giving more to the people I watch, as compared to just watching ads).
does this setup support dnssec or dns over tls/https?
could you use regex in pi hole to whitelist and send dns requests to the steam cahe?
MikroTik RouterOS 7 allows docker containers to run on the router. I play it safe so I'm going to wait a while until it's prod ready
its possible to import the lancache domains,
did it on my system with a small script that is supplied in the github repo for the DNS list that lancaches uses.
the annoying part is to have to manually add the generated files to the dnsmasq config for pihole.
I do Pi-hole with the vm as the resolver (craft computer video) then onto cloudflair. Do I really want my isp dns anywhere near me?
If piHole and lan cache could join forces it would be amazing, I hope we see that some day
I use pihole’s lists in pfBlocker-ng rather than running pihole, but couldn’t the DNS Resolver in pfSense use override lists to send lancache/pihole requests to the respective containers? Else the rest to your chosen pubDNS. It’s something I’ve always wondered, but I haven’t felt the need for a lancache.
I would love to see a video dedicated to DNS and DNS troubleshooting
Why did you choose pihole over pfBlockerNG?
Still dreaming of a bromance between Wendell and Jeff Geerling. Cuz it was always DNS!
Also Wendell will totally get along with red shirt Jeff and the other pi guy
Great series! One question on this: What's the best way to setup fallback?
If something in the chain breaks, is there a way to direct to an alternate DNS? From what I read, "Primary" and "Secondary" DNSs aren't really a thing. They get picked depending on which one is fastest. So how would you set a hierarchy there?
Both Pfsense and pihole let you add multiple DNS servers for their requests. You can configure pfsense to hand out multiple DNS servers via DHCP to clients.
Order/priority is often opaque. I just loaded 8 DNS ips in opnsense/unbound so it's got options. DHCP hands out the ipv4 and IPv6 addresses for my router as DNS servers
@@MichaelSmith-fg8xh Yeah, it's the order/priority bit I'd like to figure out. Unless of course there's just a better way to handle DNS failures / fallback that I'm not aware of.
@@richardbeirne827 If you really need it for your WAN dns, Dnsmasq has a checkbox for query sequence
Can the router do internet bonding ?
Seems like this might work on TrueNAS Scale
Any reason your using Pi-hole over pfBlockerNG pfSence plug in, besides the nice dashboard?
Pihole is less resource intensive. Pihole outright serves a response to say request unavailable. Pfblocker on the other hand serves a 1x1 image in response to a blocked request. It also tends to be a little bit slower when responding.
My Raspberry Pi-hole will work for like a month then randomly die and not reboot until I burn another image onto the SD Card? This has happened 2 or 3 times now on the same memory card. I don't know what's happening.
2:50 did Wendell expose his Portainer GUI into WAN or is the editor less technical?
I tried running the DNS Benchmark, but I've set my edgerouter to cache DNS, I think If I ignore the number 1 result (that's my router) I'll still get a valid benchmark?
Thankfully for me settings steam server to *the other side of the continent* makes it way better.
Also, if you are concerned about ad income, donate $1 through patreon to the creators, that's way more than what they would get for showing you personally any number of ads.
Look at me with my "super precocious" Active Directory home network. I feel seen.
Podman is nice, but it's not a drop-in replacement though
Why not block ads with the pfBlockerNG addon for pfsense? One less VM to manage.
Wendell:"I don't want a whole separate video on DNS"
Me: 🥺🥺 P-pwease do a whole separate video on DNS, Senpai
Btw, Gibson's DNS Benchmark runs fine on linux with Wine.
This went from a DNS discussion to a caching proxy discussion.
We really need dns-server/framework to unify all the query modification and make pihole and similar basically a middleware/plugins.
You should make a second casual channel for the Docker shmucks
I feel like I'm talking back to my teacher (Wendel's Pfsense vidéo got me started years ago)... but why use lancache and pihole when the same functionality (DNS cache, ad blocking, http cache) exists in your router software (pfsense or opnsense).
pfsense doesn't cache steam downloads natively, its kinda been a theme with Wendell, that's his specific use case. Which actually is the case with a lot of gamers.... in my house hold, we play a lot of the same steam games, so when there's an update, that's N times the downloads that have to occur, which is a waste of bandwidth and time. So... lancache.
@@romevang Squid (as a transparent http proxy in pfsense)... Or does it hit a bunch of different domains for successive requests of the same updates?
6:50 - WAIT!! How did he know?? 😲 I told no one. 😳
This is really cool and all, but how can i do any of this when my internet is provided by Cable/Coaxial? xp
On a Microsoft Active Directory Domain, it does almost all of it's security providing using DNS. So if your LAN is an Active Directory domain and your Windows workstation is a member of that domain then turning primary DNS over to a third party provider is a very bad idea. I've had clients do that to their member workstations and then I'd get a call where they'd be experiencing very strange network related issues. One client had a user who thought she knew better than I did and kept pulling her workstation out of the domain this way. I told her that she can't do that on a domain computer but she kept doing it then I'd get a call. I didn't want to lock down the workstations but I did after awhile.
I have all endpoints pointing directly to Pi-Hole first, and Pi-Hole forwards any steam cache requests to my local server.
1 MB/s when using the isp steam Cache? I would love to see this kind of performance
The steam cache of my isp caps out at 200kb/s... Completely unusable
Would Unbound be the thing that could "string together the things" (unbound be the single thing for pihole/lancache/dns)? Unbound is self hosted recursive dns cache, I wonder if it could locally cache the multi step dns path you setup to make it even faster by being a local single point.
Azure AD actually doesn't provide any DNS. You have to have "Azure AD DS" which is stupidly expensive and an additional product.
MikroTik just added docker support to RouterOS 7.4 beta4
Wendell i'm sorry to break it to you but your MSN page still has ads, they are marked with a green "Ad" ticker
"2 cards charging 0% interest until 2024"
I guess not all ads can be blocked, especially if they are using their own domain to show off other domains that aren't normally ads.
Can somebody point me to a home networking primer? Something addressed to a user who can spec, build and commission a PC, but who has long been baffled by how hard it is to share files from one PC to another, day in day out. There was that one time I put a USB drive in the back of my wireless router, and it worked for a week or two as a network drive that all the computers in the house could see, but then it vanished.
What's a NAS? What do I want it for? What is RAID in the context of 2022. It does me no good to tell me that RAID hardware is dead, since I really don't know what RAID hardware is. I have a vague understanding that RAID can provide various degrees of speed and redundancy improvements.
The box my cable company gave me has some wifi and RJ45 sockets. What should I do with it?
I wish somebody would make a coherent series on this stuff. Level1 has the expertise, but it doesn't seem that Wendell & crew want to get to such elementary questions, such uninformed users. Which is fine for them and their usual audience.
all i have is an old ISP router running OpenWRT (as an AP)...
Why a PiHole next to the pfSense and not just configure pfBlockerNG on pfSense ??????? I like virtual machines, but why run 2 if one can already do the job.
do a video on Ceph plz. I want to roll it out but want you to make all of the mistakes for me first
Um, there's a toothbrush leaning against the computer there... I have questions.
I got a Pixel 6 Pro and getting it to use PiHole for DNS on it was a whole ordeal because of the built-in VPN and DNS over HTTP.
POD MAN FRAGRANCE SPRAY!
Fragrance for… oh
Dead by dawn, dead by dawn!
Engagement
I know the benchmark for dns I tested the dns years ago I don't think it all works, at least I found something faster on the net linux is not mine at the moment I'm over a hundred anyway, even with google just not on my cell phone I'm at 4g with 899MB/s that's the only reason it's crazy for 4g
My brain went apple Linux? What Macs have to do with this?
Then i remembered not everyone mixes Hungarian with English...
Its neat to watch you do this. But I stil wouldnt recommend people virtualize pfsense unless you really understand networking and know what ur doing (as you say in the videos). It feels like asking for trouble and fixing what ain't broke lol.
I like the discussion of the plugins and whatnot. And please more xcpng content, the world's needs to hear about it :)
Every time I think I get land cash set up correctly DNS breaks and new and interesting ways or my router runs at 100 million% CPU usage
Like for thumbnail and title alone.
I live off-grid on solar photovoltaic so any reduction in power use is a godsend for me. I just ordered a J4125 Celeron box with 6x 2.5gbps interfaces to replace a raspberry 4.
i know i'll never get that much (6x 2.5gbps) of, especially QoS'd throughput, but it's actually way cheaper than buying a 2.5gbps switch. have you used them?
It's always DNS...except when it's MTU!
I wish they would do a tutorial for xbox to create something similar to thr steam cache.
Like I get what is going on here but I feel dumb every time you explain these builds.
First
Quad9.
why not just use unbound with pihole, I run pihole + unbound on my rpi 3 with no issues or bandwidth problems with 1gb fiber. Also firebog has really good lists to add to pihole for site blocking.
Thats what i do too. Any way i can then still use Lancache, because i dont have 1Gb fiber (yet)?
@@xxcr4ckzzxx840 no clue, I would do a search for pihole and lancache. looks to be a few guides out there for it.
because unbound isnt as good of a router software than pfsense.
@@kenzieduckmoo your comparing apples to grapes, unbound is just a dns server, pfsense is that plus more and also cost as much as a top of the line name brand router if not more.
So lancache is like DNS for bad DNS, or DNS for bad DNS replies?
I have to watch the 1st video, don't I? Though router that preemptively recognizes ads and doesn't even download them AND is system wide seems like a fantastic thing to have. Especially, because malware defense is something other people in my house have problem with. Though I have to check the video to know how expensive it would be to build one.
Docker... Keep breaking ever update...
There is no benefit of lancache if you are a single user. This is only useful if multiple clients in the same network download the same game or if you setup an instance which automatically downloads games while you are away. But then again you could just download games over night or left your PC on....
dns doesn't work as you explain...
143,000 blocklist entries....... am I the only one here with over 6 million ips on my pihole blocklist?
...if possible, set whitelist instead. Then you need just few IPs
@@GameBacardi It's a home network with over 20 devices on it. It's easier to blacklist than whitelist.
Please don't support Redhat. Look what they did to CentOS. It's a joke.
@5:30 Jeff: "Hold my beer..." A few hours later... $ ansible-playbook pi_steam.yaml