Sigh, okay I am trying XG again...

I have it installed, and I *think* I have some things configured correctly.  I have been running this only a couple of days, and that is longer than any time before.  ;)  So, there is some hope still of me keeping this (long time UTM user - old dog, new tricks issues).

I do have some questions and concerns about XG:

- Why are we not allowed to edit the Exceptions lists that are built-in?  Microsoft Updates are disabled by default in exceptions, and Office Updates are being blocked by default.  That's a bit concerning to me.

- Rules and Policies are still an absolute mess to me, but the Assistant does help a little bit (a lot) with this.  Thank you for that tool built-in.

- I do a lot of gaming and I am used to having to open ports to make things work.  I have yet to open a gaming port after being on XG - how is that possible?  And, adding a custom port to open (HomeAssistant) was painful to get right.  Does XG 'just know' what to block here?  This is my big concern with this: A rogue PC/device/etc on the local LAN transmitting out to a site.  It seems pretty solid for anything incoming, but outgoing I question.  Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

- I have an extremely large list of web ad URLs.  It appears that the only thing I can use to add this for filtering is creating categories and applying them to be blocked in my policy.  The issue I have with this is that I am only allowed 2,000 entries per category, so this isn't an effective method of blocking ads.  I had to create seven categories and add them to a policy to filter out some ads (aside from any other filtering going on).  I could have just set this up completely wrong, but it was the only thing I saw where I could import text files.

- Is there going to be any kind of allowed modifications to change the display such as the connection list?  I have a 4k monitor with a 3840 resolution.  I have to scroll through everything to be able to see it all, even with this large a resolution, because these lists don't adapt to screen sizes.

I have more, but I can make another post or reply later on.  I'm sure   will hate me being here (ha!) as I am pretty critical of this software and keeping them on their toes.  I really do want to like it and use it but I have no time for boxing matches with software, and if it's not for me then so be it.  I'll give it a fair try this time (I've only been able to stomach this software in the past for only about four hours before I went back to UTM).

  • Yep, got it there now.  Thanks.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Isn't that 169.x address assigned to a device when it can't find the default gateway?

    I meant... 169.254.X.X means a device cannot obtain an IP address from a DHCP server, and this address cannot reach the internet.

    This is an APIPA address www.lifewire.com/automatic-private-internet-protocol-addressing-816437

  • Yeah, and yet they still would try when I had UTM running.  You could see the traffic going to some IP in China.  I think UTM was picking that IP up, while they were using their own IP to transmit.  I leave off the gateway in the cameras, and I access my camera system via VPN if I am not at home.

    Edit:  My guess would be a built-in P2P.  I had an older set of cameras that had that so hidden, I had to contact the seller to get the firmware update to make the P2P visible to users to turn it off.  I have changed cameras since to Reolink, but they could be just as shady with that stuff.


  • I see. Lucky your brand of camera does not automatically reboot and load Google's DNS servers (8.8.8.8) if it can't find the default gateway. These have hard-coded DNS. For that reason, I use a NAT rule which might be of use.

    (Camera's IP address) using (any service), going to (Google DNS)......change destination to (Blackhole)

    That way the camera as it's normally configured can still connect to the internet to do NTP. Pi-hole blacklists the camera's cloud service, and if the camera reboots for any reason, all DNS queries to Google are sent to the blackhole. I could just as well create a NAT rule directing all DNS from the camera to the Pi-hole, which always blocks the cloud service, but it requires a source NAT rule too, which causes issues.

  • Luckily, I can set all of that (that I know of, lol) when I set up the cameras, even NTP.  I've set up a rule to drop that traffic and log it, so I can see if that works.  If there's nothing in the log by tomorrow, I'll know I set it up wrong or need a better solution.  ;)

    At the moment, because I changed my IP schema, I have to hunt down those IPs...  I put them here somewhere.

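The "drop it and log it" check described above, as an added example that is not code from this thread or from Sophos: a small Python script that scans DNS-port traffic from LAN hosts and flags any device talking to a resolver other than the local Pi-hole (the hard-coded 8.8.8.8 case), and separately any APIPA (169.254.x.x) source, which indicates the device never got a DHCP lease. The Pi-hole address, LAN subnet and the simplified `src dst dport proto` log format are all assumptions; the log lines are constructed, not the SFOS log format.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (not from the thread): local Pi-hole resolver and LAN subnet.
PIHOLE = ipaddress.ip_address("192.168.10.2")
LAN = ipaddress.ip_network("192.168.10.0/24")
APIPA = ipaddress.ip_network("169.254.0.0/16")   # link-local, never routable
DNS_PORTS = {53, 853}                             # plain DNS and DNS-over-TLS

# Constructed sample log, simplified format: "<src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
192.168.10.50 192.168.10.2 53 udp
192.168.10.60 8.8.8.8 53 udp
192.168.10.60 8.8.4.4 53 udp
192.168.10.61 1.1.1.1 853 tcp
169.254.23.7 8.8.8.8 53 udp
192.168.10.50 142.250.74.78 443 tcp
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    src, dst, dport, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def find_dns_bypass(log_text):
    """Return {source: sorted findings} for hosts that bypass the local resolver.

    A LAN host sending DNS to any external address other than PIHOLE is reported
    with that address; an APIPA source is reported as "apipa-source" because it
    shows the device fell back to link-local addressing (no DHCP lease).
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _proto = parse_line(line)
        if dport not in DNS_PORTS:
            continue                      # only DNS / DoT traffic is of interest
        if src in APIPA:
            findings[str(src)].add("apipa-source")
        elif src in LAN and dst != PIHOLE and dst not in LAN:
            findings[str(src)].add(str(dst))
    return {s: sorted(d) for s, d in findings.items()}


if __name__ == "__main__":
    for host, hits in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(hits)}")
```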

  • Reolink are a French company as far as I can tell and mine have not tried talking to China; Russia yes, but that is blocked as well.

    I use clientless users and static IP addresses. They pick up the address but do not provide their ID to the DHCP server.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • First of all - SFOS (and UTM) was never built to be used in a home network. That is the reason some of those points do not apply to most customers (at all). The reason is: home networks use weird approaches to certain technologies, as most vendors of software expect to have "internet access". For example, if you look into most IoT hardware and how it works, you see weird implementations of connection technologies.

    - Why are we not allowed to edit the Exceptions lists that are built-in? Microsoft Updates are disabled by default in exceptions, and Office Updates are being blocked by default. That's a bit concerning to me.

    You should look into TLS / SSL decryption instead. There is a "managed TLS exclusion list", which includes exceptions as well. The "Exception List" you are talking about is the "old world of standard proxy".

    - Rules and Policies are still an absolute mess to me, but the Assistant does help a little bit (a lot) with this.  Thank you for that tool built-in.

    Use a LAN to WAN Policy and work your way up to a more filtered way. It is actually easy to do it compared to UTM, where you have to do the same stuff 4-5 times. Think about it like: "Allowed Networks in UTM is the firewall rule in SFOS". 

    - I do a lot of gaming and I am used to having to open ports to make things work. I have yet to open a gaming port after being on XG - how is that possible? And, adding a custom port to open (HomeAssistant) was painful to get right. Does XG 'just know' what to block here? This is my big concern with this: A rogue PC/device/etc on the local LAN transmitting out to a site. It seems pretty solid for anything incoming, but outgoing I question. Perhaps I don't understand the behavior of XG in how it handles outbound traffic, but at first look it feels like everything is open and you have to close everything up, completely contradictory to what it's always been.

    It is 100% the same as UTM. As long as you are not doing TLS decryption, you can create a firewall rule, LAN to WAN, open the ports you had on UTM, and you are in the same world. But if you start to inspect the traffic with TLS decryption, most of those apps will break, due to the fact above. I personally gave up on this matter; it is not possible to work around home apps, as they are moving with firmware updates, they build weird ways to interact with servers, etc.
    But the foundation of stateful firewalls is 100% the same. Create a firewall rule, include the ports, and you have the app running.

    - I have an extremely large list of web ad URLs.  It appears that the only thing I can use to add this for filtering is creating categories and applying them to be blocked in my policy.  The issue I have with this is that I am only allowed 2,000 entries per category, so this isn't an effective method of blocking ads.  I had to create seven categories and add them to a policy to filter out some ads (aside from any other filtering going on).  I could have just set this up completely wrong, but was the only thing I saw where I could import text files.

    Again the same answer as above - this is something only home users are following up on. Using web categories is a way to do this, yes - but I am doing it client based (on the client itself) and not on a firewall.

    - Is there going to be any kind of allowed modifications to change the display such as the connection list?  I have a 4k monitor with a 3840 resolution.  Everything I have to scroll through to be able to see everything even with this large of a resolution because these lists don't adapt to screen sizes.

    This is currently under review to rebuild the webadmin.

    And to be honest, if you are a home user only, the question is, why stick with UTM/SFOS in the first place? Other products on the market offer you a set of technologies for the home network only. You probably know the vendor names, but it is about the use case. UTM / SFOS home is a successful tool, as people can play with the technology they are using, but it does not include modern "requirements" of the home users, which come up quite frequently. It is not the targeted market for both technologies. Just talking about stuff like built-in ad block, Pi-hole integration, wildcard LE support, and other technologies that are more frequently implemented by other shareware.


  • I'll disagree somewhat on the UTM/SFOS "not made for home use" theory. It can be configured relatively easily for home users since network topologies are simpler and you don't have to be an expert in networking to use it. It is in some cases easier to configure than pfSense/OPNsense and offers so...much....more out of the box.

    And to be honest, if you are a home user only, the question is, why sticking with UTM/SFOS in the first place? Other products on the market offers you a set of technologies for the home network only.

    What other products do you recommend for home users? I read good things about the Ubiquiti Dream Machine and some very basic VPN routers. Other than that, there's not much else out there that is like SFOS.

  • Some 15 or more years ago I investigated available systems for home use and decided that the UTM met my requirements, nothing else came close.

    When XG was released I moved to that product because it was similar to what we were using at work and it became my learning tool. So, yes, the XG is a very good home security product with some limitations which I have learnt to live with.

    Ian


  • I've been using the XG for a few days now and the DPI sometimes blocks the eicar test file, sometimes it doesn't. The default TLS inspection rule was set to "don't decrypt". Also, web browser caches interfere with testing various settings since the eicar test file link is saved in the web history. The only way to truly test it is to use incognito mode so that the browser is forced to re-download the file again. I think I got it working but it is still quite complicated with the rules all over the place and having to go back and forth trying to remember where everything is.

    XG is very powerful with DPI but in some cases the test virus is blocked by simply being categorized as "Spyware and Malware" rather than the actual test file "eicar.com" being scanned and detected as a virus by Avira, or blocked by file extension. Of course a web filtering exception can be made for the test file to be scanned by AV instead of web filter URL/SNI.