KMSP42 Site Upgrade

Philosophy: Assume compromised and hostile.

Compromised and each layer has been breached.

Network hostile until proven otherwise.

Data Rack


CyberPower Sinewave UPS PFC

Tripp Lite ISOBAR Surge Protector on each row.

Fiber Switch at KMSP42

OpenBSD Router pcengines APU2 APU2 Board Topside


"Is breaking DNS and possibly incurring the wrath of someone trying to run a bitcoin miner pool worth it?"
My users report a night and day difference in ads and network functionality, some things not working on their mobile or logging in from a friends house

pass in on $lan_if proto { udp, tcp } from any to any port domain rdr-to port domain

or enable NAT and DNS Redirect

$lan_if = “”
pass in on $lan_if inet proto { udp, tcp } from $lan_if:network to any port domain rdr-to $dns_server port domain

OPNsense on HardenedBSD Firewall

Protectli FWSD

FW6D – 6 Port Intel® i5

Next Upgrade (Pending Decomission)

Pro: Deployed, contained, awesome mesh, professional grade


Is there something better or a better way to manage it? Upgrade Firmware on Security Gateway to OpenBSD?