How would you change his setup to prevent ARP attacks? More network segmentation (clients and servers on separate VLANs) or does OPNsense have additional protections I should look into?
What are you currently using for your OpenWRT router? I just got one of these and I would highly recommend it: https://a.aliexpress.com/_mq4HxaS
Get the N100 barebones version because you can slap an SSD and RAM in there for cheaper and have more selection. It has four 2.5Gb NICs and the internal PCIe slot for a WiFi card if you really want, though I would recommend getting a Ubiquiti AP to go along with it.
You can put OPNsense on it bare metal, or Proxmox and then run your network related VMs there instead of your main server. Your choice.
Why buy a mobo when you could get this for cheaper, in a smaller footprint, and comes with a case and PSU? Do you really need the SATA ports?
Are you using the Unbound built into OPNsense, or something else? I ask because it’s easy to configure Unbound in OPNsense for DoT. If your ISP isn’t blocking DoT it will be just as secure.
And yes, it will be much more private. Right now if you’re using neither DoT nor DoH your ISP will be able to see all your DNS requests in the clear. With either of the above it will be encrypted and they will not be able to read them.