<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Lorikeet Smart</title>
    <description>The latest articles on Forem by Lorikeet Smart (@lorikeesmart).</description>
    <link>https://forem.com/lorikeesmart</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3856497%2F3d225507-7e52-4df7-b0de-319d81eab093.webp</url>
      <title>Forem: Lorikeet Smart</title>
      <link>https://forem.com/lorikeesmart</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/lorikeesmart"/>
    <language>en</language>
    <item>
      <title>RAM Speed and Timings Explained: Does it Actually Matter for Your Build?</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Tue, 07 Apr 2026 15:00:06 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/ram-speed-and-timings-explained-does-it-actually-matter-for-your-build-3pkf</link>
      <guid>https://forem.com/lorikeesmart/ram-speed-and-timings-explained-does-it-actually-matter-for-your-build-3pkf</guid>
      <description>&lt;p&gt;When building or upgrading a workstation, memory is often treated as a secondary concern after the CPU and GPU. Many users simply look for the largest capacity they can afford and ignore the technical specifications listed on the box. However, the relationship between RAM frequency and latency defines how quickly your processor can access the data it needs to perform calculations. Understanding the difference between raw megahertz and clock cycles is essential for maximizing system stability and performance, especially in high throughput environments like virtualization or video rendering.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequency vs. Latency: The Great Balancing Act
&lt;/h2&gt;

&lt;p&gt;RAM performance is dictated by two primary factors: frequency and timings. Frequency is measured in MegaTransfers per second (MT/s), though often incorrectly labeled as MHz. This represents the bandwidth, or how much data can be moved at once. Timings, specifically Column Address Strobe (CAS) latency, represent the delay between a command being sent and the data being available. While high frequency sounds better on a spec sheet, it often comes at the cost of higher latency.&lt;/p&gt;

&lt;p&gt;True latency is calculated by a specific formula: (CAS Latency * 2000) / Frequency. For example, a 3600 MT/s kit with CL16 has a true latency of 8.88 nanoseconds. If you move to a 4000 MT/s kit but the latency jumps to CL20, your true latency is 10 nanoseconds. In this scenario, the 'faster' RAM is actually slower to respond to initial requests. This matters significantly for tasks that require frequent, small data access patterns rather than large, sequential transfers.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Impact on Modern CPU Architectures
&lt;/h2&gt;

&lt;p&gt;The importance of RAM speed depends heavily on your processor architecture. AMD Ryzen processors utilize a technology called Infinity Fabric, which links the CPU cores together. The speed of this fabric is usually tied directly to the memory clock. If your RAM is slow, your entire CPU communication bus slows down. For most modern Ryzen builds, 3600 MT/s is considered the sweet spot for performance and stability.&lt;/p&gt;

&lt;p&gt;Intel processors are generally less sensitive to memory frequency because their internal architecture is decoupled from the memory clock. However, if you are running a high end workstation for data science or local network management tasks, every millisecond counts. If you are also managing a complex home lab environment, ensure your hardware is backed up correctly by following &lt;a href="https://lorikeetsmart.com/blog/backup-strategy-3-2-1-rule.html" rel="noopener noreferrer"&gt;The 3-2-1 Backup Rule&lt;/a&gt; to prevent data loss during hardware testing.&lt;/p&gt;

&lt;h2&gt;
  
  
  Verifying Your Current Memory Configuration
&lt;/h2&gt;

&lt;p&gt;Many users buy high speed RAM but never actually run it at the advertised speeds. By default, most motherboards boot into JEDEC standard speeds, which are often much lower than what you paid for. You must enable XMP (Extreme Memory Profile) or EXPO (Extended Profiles for Overclocking) in your BIOS to hit the rated speeds. You can verify your current operational speeds in Windows using PowerShell or the Command Prompt without installing third party bloatware.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;wmic&lt;/span&gt; &lt;span class="kd"&gt;memorychip&lt;/span&gt; &lt;span class="kd"&gt;get&lt;/span&gt; &lt;span class="kd"&gt;speed&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;manufacturer&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;partnumber&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;capacity&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command will return the physical speed currently being utilized by the hardware. If you see 2133 or 2666 but your kit is rated for 3600, you are leaving significant performance on the table. For those running Linux servers or network appliances, tools like dmidecode provide similar insights into hardware bottlenecks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Tips for Stability and Troubleshooting
&lt;/h2&gt;

&lt;p&gt;Pushing RAM to its limits can introduce system instability that is difficult to diagnose. Memory errors often manifest as random blue screens or corrupted files rather than immediate crashes. If you are building a system that requires high uptime, such as a dedicated network security box, stability should always take precedence over the last 2% of performance. Before you start hardening your system using our &lt;a href="https://lorikeetsmart.com/blog/windows-security-hardening-2025.html" rel="noopener noreferrer"&gt;Windows 11 Security Hardening guide&lt;/a&gt;, ensure your hardware is rock solid.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Always install RAM in the correct slots for dual channel mode, usually slots 2 and 4 on a four slot board.&lt;/li&gt;
&lt;li&gt;Avoid mixing different kits of RAM, even if they have the same rated speed, as the underlying memory chips may be from different manufacturers.&lt;/li&gt;
&lt;li&gt;Use MemTest86+ to run at least four passes if you manually adjust timings or enable aggressive XMP profiles.&lt;/li&gt;
&lt;li&gt;Check your motherboard QVL (Qualified Vendor List) before purchasing to ensure the specific RAM model is verified to work at rated speeds.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  When Does It Actually Matter?
&lt;/h2&gt;

&lt;p&gt;For the average office workstation or a simple file server, expensive low latency RAM is a waste of budget. The performance gains in standard productivity apps are negligible. However, if your workload involves heavy multitasking, compiling large codebases, or running multiple virtual machines, the investment pays off. High speed RAM reduces the 'stutters' and frame time inconsistencies that occur when the CPU is waiting for data from the system memory. If you find your system is still sluggish after optimizing RAM, it might be time to look at your network overhead by using &lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;Essential Free Tools for Professional Network Monitoring&lt;/a&gt; to ensure the bottleneck isn't external.&lt;/p&gt;





&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/ram-speed-timings-explained.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>hardware</category>
      <category>homelab</category>
      <category>linux</category>
      <category>devops</category>
    </item>
    <item>
      <title>Ransomware Prevention for Small Businesses: Practical Steps Without Enterprise Budgets</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Mon, 06 Apr 2026 15:00:06 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/ransomware-prevention-for-small-businesses-practical-steps-without-enterprise-budgets-3i5d</link>
      <guid>https://forem.com/lorikeesmart/ransomware-prevention-for-small-businesses-practical-steps-without-enterprise-budgets-3i5d</guid>
      <description>&lt;p&gt;Small businesses are often the preferred targets for ransomware operators because they lack the dedicated security operations centers and multi-million dollar budgets of enterprise corporations. However, effective defense does not require a massive investment in proprietary security suites. By focusing on fundamental technical controls, robust backup strategies, and a hardened network perimeter, you can reduce your attack surface to a point where most automated and opportunistic attacks will fail. This guide focuses on high-impact, low-cost technical configurations that any small business owner or IT lead can implement today.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implement Immutable Backups and the 3-2-1 Rule
&lt;/h2&gt;

&lt;p&gt;The only guaranteed recovery path from a ransomware infection is a clean backup. Modern ransomware specifically targets backup servers first to ensure the victim has no choice but to pay. To counter this, you must follow &lt;a href="https://lorikeetsmart.com/blog/backup-strategy-3-2-1-rule.html" rel="noopener noreferrer"&gt;the 3-2-1 backup rule&lt;/a&gt;: three copies of your data, on two different media, with one copy off-site.&lt;/p&gt;

&lt;p&gt;For small businesses, this usually means a local NAS for speed and an encrypted cloud tier for disaster recovery. If you are &lt;a href="https://lorikeetsmart.com/blog/nas-setup-beginners-guide.html" rel="noopener noreferrer"&gt;setting up a NAS for the first time&lt;/a&gt;, ensure that you use a filesystem like ZFS or BTRFS that supports snapshots. Snapshots should be set to 'read-only' and 'immutable' where possible. This prevents ransomware running on a compromised workstation from deleting the version history on the network share.&lt;/p&gt;

&lt;p&gt;Use a tool like Rclone to sync encrypted backups to low-cost object storage like Backblaze B2 or AWS S3. You can set an 'Object Lock' policy on these buckets, which prevents any file from being deleted or modified for a set number of days, even if your admin credentials are stolen.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hardening the Network Perimeter
&lt;/h2&gt;

&lt;p&gt;Stop exposing RDP (Remote Desktop Protocol) directly to the internet. This is the single most common entry point for manual ransomware deployments. If your staff needs remote access, use a VPN. We recommend &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;deploying WireGuard&lt;/a&gt; because it has a significantly smaller attack surface than legacy protocols like PPTP or L2TP.&lt;/p&gt;

&lt;p&gt;Your edge firewall should be doing more than simple NAT. Transitioning to an open-source, enterprise-grade firewall can provide deep packet inspection and intrusion prevention without annual licensing fees. When comparing &lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;OPNsense vs pfSense&lt;/a&gt;, both offer robust plugins for Geoblocking and IP reputation filtering. Use these to block traffic from countries where you do not do business.&lt;/p&gt;

&lt;p&gt;Additionally, implement DNS filtering to block known malware domains at the gateway. You can use a &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole setup&lt;/a&gt; or a cloud-based filter like Quad9 (9.9.9.9) to prevent systems from reaching out to ransomware command-and-control servers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Endpoint Hardening and PowerShell Security
&lt;/h2&gt;

&lt;p&gt;Windows workstations are the primary target for initial access. You do not need expensive EDR (Endpoint Detection and Response) tools to make a significant impact. Start with &lt;a href="https://lorikeetsmart.com/blog/windows-security-hardening-2025.html" rel="noopener noreferrer"&gt;Windows 11 security hardening&lt;/a&gt; by enabling Attack Surface Reduction (ASR) rules. These are built into Windows Pro and Enterprise and can block common ransomware behaviors, such as Office apps creating child processes or unauthorized scripts running from USB drives.&lt;/p&gt;

&lt;p&gt;One of the most effective moves is restricting PowerShell. Most ransomware uses PowerShell to download secondary payloads. You should enforce Constrained Language Mode and enable Script Block Logging. You can check your current PowerShell execution policy with this command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;Get-ExecutionPolicy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-List&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="c"&gt;# To set a more secure policy for the local machine:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;Set-ExecutionPolicy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Signded&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Force&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By requiring scripts to be digitally signed, you prevent the execution of raw scripts downloaded from the web by an unsuspecting user.&lt;/p&gt;

&lt;h2&gt;
  
  
  Credential Hygiene and Identity Protection
&lt;/h2&gt;

&lt;p&gt;Ransomware thrives on lateral movement. If an attacker compromises one machine, they will attempt to harvest credentials from memory to move to the next. The first step to stopping this is eliminating password reuse. Every employee should be &lt;a href="https://lorikeetsmart.com/blog/password-manager-setup-bitwarden.html" rel="noopener noreferrer"&gt;setting up Bitwarden&lt;/a&gt; or a similar tool to generate and store unique, complex passwords.&lt;/p&gt;

&lt;p&gt;The second step is mandatory Multi-Factor Authentication (MFA). However, not all MFA is equal. SMS-based codes are vulnerable to SIM swapping. Use TOTP apps or hardware keys. For a deeper dive into why this matters, refer to our &lt;a href="https://lorikeetsmart.com/blog/two-factor-authentication-guide.html" rel="noopener noreferrer"&gt;two-factor authentication guide&lt;/a&gt;. Finally, disable LLMNR and NetBIOS on your network to prevent attackers from spoofing network resources to steal hashes. You can do this via Group Policy, or disable LLMNR on individual critical machines by running this command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Disable LLMNR via Registry&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;New-Item&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Force&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;New-ItemProperty&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"EnableMulticast"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Value&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;0&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-PropertyType&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;DWORD&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;







&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/ransomware-prevention-small-biz.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>linux</category>
      <category>homelab</category>
    </item>
    <item>
      <title>The 3-2-1 Backup Rule: How to Never Lose Your Data Again</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Sun, 05 Apr 2026 15:00:06 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/the-3-2-1-backup-rule-how-to-never-lose-your-data-again-4eof</link>
      <guid>https://forem.com/lorikeesmart/the-3-2-1-backup-rule-how-to-never-lose-your-data-again-4eof</guid>
      <description>&lt;p&gt;Data loss is not a matter of if, but when. Whether it is a mechanical drive failure, a botched firmware update, or a ransomware infection, your files are constantly at risk. Most users believe that syncing files to a cloud provider like Dropbox or OneDrive constitutes a backup, but synchronization is not protection. If you delete a file or it becomes corrupted, that change syncs instantly across all devices. To truly protect your digital life or business operations, you need a structured methodology. The 3-2-1 backup rule remains the industry standard for data resilience. It requires three copies of your data, stored on two different media types, with one copy kept offsite. This post breaks down exactly how to implement this workflow using professional grade tools and automation.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Core Architecture: Three Copies and Two Media Types
&lt;/h2&gt;

&lt;p&gt;The first pillar of the 3-2-1 rule is redundancy. You must maintain three copies of your data: the original working data and two backups. Relying on a single backup is a dangerous gamble because the backup hardware itself can fail during the restoration process. When you stress an old hard drive to pull hundreds of gigabytes of data, that is often when its mechanical components finally give out.&lt;/p&gt;

&lt;p&gt;The second pillar requires using two different media types. This is designed to protect against common failure modes. If you store your primary data and your backup on two separate internal SATA drives, a power surge or a motherboard failure could easily fry both. A better approach involves using a Network Attached Storage (NAS) device for your first backup layer. If you are new to this hardware, check out our guide on &lt;a href="https://lorikeetsmart.com/blog/nas-setup-beginners-guide.html" rel="noopener noreferrer"&gt;Setting Up a NAS for the First Time&lt;/a&gt; to understand how RAID and filesystem choices impact your data integrity.&lt;/p&gt;

&lt;p&gt;For the second media type, consider external USB drives or LTO tape if you are managing multi-terabyte datasets. External drives should be disconnected when not in use to prevent them from being encrypted during a malware attack. If you manage your own network security via &lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;OPNsense or pfSense&lt;/a&gt;, you can even isolate your NAS on a specific VLAN to further restrict access to your backup repositories.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Offsite Requirement: Protecting Against Physical Disaster
&lt;/h2&gt;

&lt;p&gt;The final '1' in the 3-2-1 rule is the offsite copy. Local backups protect you from hardware failure and accidental deletion, but they do nothing if your building experiences a fire, flood, or theft. An offsite copy ensures that even if your entire physical infrastructure is destroyed, your data survives elsewhere.&lt;/p&gt;

&lt;p&gt;Modern offsite backups typically leverage cloud object storage. Services like Backblaze B2, Amazon S3, or Wasabi offer high durability at a low cost per gigabyte. The key here is encryption. You should never upload raw data to a cloud provider without encrypting it locally first. Tools like Rclone or Kopia allow you to create encrypted 'remotes' where the cloud provider only sees scrambled blocks of data, but never the actual filenames or content. This ensures that even a breach at the provider side does not compromise your sensitive information.&lt;/p&gt;

&lt;h2&gt;
  
  
  Automation with Restic and Rclone
&lt;/h2&gt;

&lt;p&gt;Manual backups fail because humans are forgetful. You need a CLI tool that can be scheduled via cron or systemd timers. Restic is an excellent choice for this because it is fast, handles deduplication effectively, and supports encryption by default. Deduplication is vital because it ensures that if you have ten copies of the same 1GB file, it only takes up 1GB in your backup repository.&lt;/p&gt;

&lt;p&gt;Below is an example of a shell script that initializes a repository and performs a backup to an offsite S3-compatible bucket. You would typically run this as a nightly job.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Initialize the repository (only done once)&lt;/span&gt;
restic &lt;span class="nt"&gt;-r&lt;/span&gt; s3:s3.amazonaws.com/your-bucket-name init

&lt;span class="c"&gt;# Run the backup&lt;/span&gt;
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;RESTIC_PASSWORD&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"your_secure_passphrase"&lt;/span&gt;
restic &lt;span class="nt"&gt;-r&lt;/span&gt; s3:s3.amazonaws.com/your-bucket-name backup /home/user/data &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;--exclude-file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/home/user/.backup_exclude &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;--verbose&lt;/span&gt;

&lt;span class="c"&gt;# Prune old backups to save space (keep last 7 daily, 4 weekly)&lt;/span&gt;
restic &lt;span class="nt"&gt;-r&lt;/span&gt; s3:s3.amazonaws.com/your-bucket-name forget &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;--keep-daily&lt;/span&gt; 7 &lt;span class="nt"&gt;--keep-weekly&lt;/span&gt; 4 &lt;span class="nt"&gt;--prune&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By using the &lt;code&gt;forget&lt;/code&gt; and &lt;code&gt;prune&lt;/code&gt; commands, you maintain a rolling history of your data. This allows you to 'go back in time' to retrieve a version of a file from three days ago if you realize today that it was corrupted.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 3-2-1-1-0 Extension for Ransomware Protection
&lt;/h2&gt;

&lt;p&gt;In recent years, the 3-2-1 rule has evolved into the 3-2-1-1-0 rule to combat sophisticated ransomware. This adds two new layers: one offline (air-gapped) copy and zero errors in backup verification. An air-gapped copy is a backup that has no physical or network connection to your primary system, such as a rotated USB drive or an unmounted cloud snapshot with 'Object Lock' enabled.&lt;/p&gt;

&lt;p&gt;Object Lock (Immutability) is a critical feature provided by many cloud storage vendors. When enabled, it prevents any user or process from deleting or modifying a backup for a set period, such as 30 days. Even if a hacker gains access to your backup credentials, they cannot wipe your offsite data. This provides the ultimate safety net. To ensure 'zero errors', you must schedule regular 'check' or 'verify' commands to read back the data and confirm it matches the source hashes. A backup that has never been tested is not a backup; it is merely a hope.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Implementation Checklist
&lt;/h2&gt;

&lt;p&gt;To get started, follow these specific steps to secure your environment:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identify your 'Crown Jewels' data. Do not waste bandwidth backing up OS files that can be reinstalled; focus on unique documents, databases, and configurations.&lt;/li&gt;
&lt;li&gt;Set up a local NAS or a dedicated external drive for your first backup target.&lt;/li&gt;
&lt;li&gt;Choose a cloud provider and set up an encrypted bucket using a tool like Restic or BorgBackup.&lt;/li&gt;
&lt;li&gt;Automate the process using a task scheduler. On Windows, use Task Scheduler with a PowerShell script; on Linux, use a systemd timer.&lt;/li&gt;
&lt;li&gt;Test your restoration process. Try to recover a single folder to a different location once a month to ensure your encryption keys and passwords still work.&lt;/li&gt;
&lt;li&gt;Secure your backup credentials. Use a dedicated vault, and if you are looking for a recommendation, see our guide on &lt;a href="https://lorikeetsmart.com/blog/password-manager-setup-bitwarden.html" rel="noopener noreferrer"&gt;Setting up Bitwarden&lt;/a&gt; to store your repository passphrases securely.&lt;/li&gt;
&lt;/ul&gt;





&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/backup-strategy-3-2-1-rule.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>devops</category>
      <category>linux</category>
      <category>homelab</category>
      <category>security</category>
    </item>
    <item>
      <title>Windows 11 Security Hardening: Practical Steps That Actually Matter</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Sat, 04 Apr 2026 15:00:05 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/windows-11-security-hardening-practical-steps-that-actually-matter-2o40</link>
      <guid>https://forem.com/lorikeesmart/windows-11-security-hardening-practical-steps-that-actually-matter-2o40</guid>
      <description>&lt;p&gt;Windows 11 is arguably the most secure version of the operating system to date, but the default configuration is designed for compatibility rather than maximum resilience. Out of the box, many critical protections are either disabled or set to their most permissive levels to avoid breaking legacy software. For professionals and power users, this creates an unnecessary attack surface. Hardening Windows 11 isn't about running a dozen 'privacy' scripts that break system updates. Instead, it involves leveraging built-in enterprise-grade features and modern hardware standards to ensure that even if a system is compromised, the damage is contained and the data remains encrypted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hardware-Rooted Security and Core Isolation
&lt;/h2&gt;

&lt;p&gt;Modern Windows security relies heavily on Virtualization-Based Security (VBS). This feature uses hardware virtualization to create a secure region of memory that is isolated from the normal operating system. This is where sensitive processes like the Kernel Mode Code Integrity (KMCI) and the Local Security Authority (LSA) process reside. If an attacker gains administrative rights on your machine, VBS makes it significantly harder for them to extract credentials from memory.&lt;/p&gt;

&lt;p&gt;To verify and enable these features, navigate to &lt;strong&gt;Windows Security &amp;gt; Device Security &amp;gt; Core Isolation details&lt;/strong&gt;. Ensure that Memory Integrity is toggled on. If you encounter driver compatibility errors, do not disable the feature. Instead, identify the outdated driver and update it or remove the associated hardware. For those managing multiple machines, you can enforce this via the Registry or Group Policy.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Check if VBS and Memory Integrity are active via PowerShell&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;Get-CimInstance&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-ClassName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Win32_DeviceGuard&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Namespace&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;root\Microsoft\Windows\DeviceGuard&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Additionally, ensure that Firmware Protection and TPM 2.0 are active in the same menu. These features prevent bootkits from infecting the system before the OS even loads.&lt;/p&gt;

&lt;h2&gt;
  
  
  Disk Encryption and Boot Security
&lt;/h2&gt;

&lt;p&gt;BitLocker is no longer optional for a secure setup. Without full disk encryption, physical access to your device means total access to your data. While Windows 11 Pro enables BitLocker easily, you should go beyond the default settings. By default, BitLocker often relies solely on the TPM for unlocking. This is convenient, but it means anyone who can boot the computer to the login screen can attempt to exploit vulnerabilities in the OS to bypass authentication.&lt;/p&gt;

&lt;p&gt;For maximum security, configure BitLocker to require a PIN at startup. This adds an extra layer of pre-boot authentication. You can configure this in the Local Group Policy Editor under &lt;strong&gt;Computer Configuration &amp;gt; Administrative Templates &amp;gt; Windows Components &amp;gt; BitLocker Drive Encryption &amp;gt; Operating System Drives&lt;/strong&gt;. Set 'Require additional authentication at startup' to Enabled and check the box for 'Require startup PIN with TPM'.&lt;/p&gt;

&lt;p&gt;Once your local disk is secure, consider how your data moves across your network. If you are accessing files on a server, ensure you are using a secure tunnel. You might find our &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;Practical Guide to Deploying WireGuard on Your Home Server&lt;/a&gt; useful for maintaining encryption while remote.&lt;/p&gt;

&lt;h2&gt;
  
  
  Reducing the Attack Surface with AppLocker
&lt;/h2&gt;

&lt;p&gt;Most malware relies on the user or a process executing an unsigned binary in a temporary folder. One of the most effective ways to stop this is by using AppLocker or Windows Defender Application Control (WDAC). While WDAC is the modern path, AppLocker remains highly practical for professional workstations. The goal is to create a policy that only allows applications to run if they are installed in protected directories like C:\Program Files\ or if they are signed by trusted publishers.&lt;/p&gt;

&lt;p&gt;To get started, open &lt;strong&gt;secpol.msc&lt;/strong&gt; and navigate to Application Control Policies. You can start by right-clicking 'Executable Rules' and selecting 'Create Default Rules.' This ensures that Windows and installed programs function normally while blocking random .exe files from running out of the Downloads or AppData folders. Always test these rules in 'Audit Only' mode first to ensure you don't lock yourself out of critical tools.&lt;/p&gt;

&lt;h2&gt;
  
  
  Network Level Hardening and DNS
&lt;/h2&gt;

&lt;p&gt;Security does not stop at the OS level. Windows 11 now supports DNS over HTTPS (DoH) natively. This prevents your ISP or local attackers from snooping on your DNS queries. You can enable this in &lt;strong&gt;Settings &amp;gt; Network &amp;amp; internet &amp;gt; Ethernet/Wi-Fi &amp;gt; DNS server assignment&lt;/strong&gt;. Set the DNS to a provider like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) and select 'Encrypted only (DNS over HTTPS)'.&lt;/p&gt;

&lt;p&gt;For a more robust solution that protects every device on your network simultaneously, you should look into a &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole Setup Guide&lt;/a&gt; to block telemetry and malicious domains at the network level. Combining local OS hardening with network-wide filtering creates a layered defense that is much harder to penetrate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Account Security and the Principle of Least Privilege
&lt;/h2&gt;

&lt;p&gt;Running as a full Administrator for daily tasks is a significant risk. If a browser exploit or a malicious script runs under an Admin account, it has free rein over the system. Create a standard user account for your daily work and only use the Administrator credentials when prompted by User Account Control (UAC). This simple change stops a vast majority of automated exploits.&lt;/p&gt;

&lt;p&gt;Furthermore, ensure that UAC is set to the highest level: 'Always notify.' This prevents programs from making changes without the prompt appearing on the dimmed desktop, which is a protected environment that scripts cannot easily interact with. To further secure your identity, move away from simple passwords. Using a dedicated manager is essential, and you can follow our guide on &lt;a href="https://lorikeetsmart.com/blog/password-manager-setup-bitwarden.html" rel="noopener noreferrer"&gt;Setting up Bitwarden as your Password Manager&lt;/a&gt; to manage complex, unique credentials for every service you use.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Home Network Security Setup Guide&lt;/a&gt; covers router hardening, DNS filtering, device monitoring, WireGuard VPN, and a complete firewall rule template. $12, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/hnssg" rel="noopener noreferrer"&gt;Get the Security Guide&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/windows-security-hardening-2025.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>windows</category>
      <category>security</category>
      <category>devops</category>
      <category>linux</category>
    </item>
    <item>
      <title>Two-Factor Authentication Explained: Which Method is Actually Secure</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Fri, 03 Apr 2026 15:00:05 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/two-factor-authentication-explained-which-method-is-actually-secure-1epo</link>
      <guid>https://forem.com/lorikeesmart/two-factor-authentication-explained-which-method-is-actually-secure-1epo</guid>
      <description>&lt;p&gt;Standard password security is dead. With credential stuffing attacks and massive database leaks being a daily occurrence, relying on a single string of characters to protect your infrastructure is a liability. Two-factor authentication (2FA) is the industry standard for mitigation, but not all methods provide the same level of protection. Many users mistakenly believe that any form of 2FA is unhackable, yet attackers regularly bypass weaker implementations like SMS and email codes using SIM swapping or sophisticated phishing kits. To truly secure your accounts, you need to understand the technical hierarchy of authentication factors and move toward hardware based solutions.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Hierarchy of 2FA Security
&lt;/h2&gt;

&lt;p&gt;Security professionals categorize 2FA methods into three primary tiers based on their resistance to interception and spoofing. At the bottom is SMS and Voice based 2FA. This is the least secure method because it relies on the telephony backbone, which was never designed for security. An attacker can perform a SIM swap by social engineering a carrier representative to port your number to their device, effectively hijacking all your codes.&lt;/p&gt;

&lt;p&gt;The middle tier consists of Time-based One-Time Passwords (TOTP) and Push notifications. These are significantly better because they do not rely on a cellular provider. However, they are still vulnerable to 'man in the middle' (MITM) attacks. If you enter your TOTP code into a convincing phishing site, the attacker can proxy that code to the real service in real time and gain access. The top tier is FIDO2 and WebAuthn, which use hardware keys to create a cryptographic link between your device and the specific domain you are visiting.&lt;/p&gt;

&lt;h2&gt;
  
  
  TOTP: The Practical Standard
&lt;/h2&gt;

&lt;p&gt;TOTP is the most common form of 2FA for a reason. It is free, works offline, and is supported by almost every major service. It works by sharing a secret key (the QR code you scan) between the server and your app. Both sides use the current Unix time to generate a matching six digit code. While better than SMS, the biggest risk here is the 'secret' itself. If your phone is compromised or if you store your secrets in an unencrypted manner, your 2FA is broken.&lt;/p&gt;

&lt;p&gt;For managing these codes, we recommend using a dedicated manager rather than relying on individual apps for every service. If you are already following our &lt;a href="https://lorikeetsmart.com/blog/password-manager-setup-bitwarden.html" rel="noopener noreferrer"&gt;Setting up Bitwarden as your Password Manager&lt;/a&gt; guide, you can store TOTP seeds directly within your vault. This allows for seamless cross platform syncing while keeping the underlying secrets encrypted. For those who prefer a standalone app, Aegis (Android) or Raivo (iOS) are excellent open source choices that allow for encrypted backups.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hardware Keys and FIDO2/WebAuthn
&lt;/h2&gt;

&lt;p&gt;If you want to be truly phish proof, you must use hardware security keys like those from Yubico or Nitrokey. These devices use the FIDO2/WebAuthn protocol. Unlike TOTP, where you manually type a code, the hardware key performs a cryptographic handshake with the browser. The browser sends the domain name to the key, and the key only signs the challenge if the domain matches the one stored during registration. This means even if you are on a perfect replica of a login page, the hardware key will refuse to provide a valid signature because the URL is different.&lt;/p&gt;

&lt;p&gt;Implementing this at a system level, such as securing SSH access to your servers, is a critical step for any admin. You can configure OpenSSH to require a FIDO2 resident key for authentication. This ensures that even if your private key is stolen, the physical hardware button must be pressed to complete the login. This is a common requirement when managing sensitive infrastructure like a &lt;a href="https://lorikeetsmart.com/blog/home-router-hardening-checklist.html" rel="noopener noreferrer"&gt;hardened home router&lt;/a&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Example: Generating an ED25519-SK key for hardware 2FA&lt;/span&gt;
ssh-keygen &lt;span class="nt"&gt;-t&lt;/span&gt; ed25519-sk &lt;span class="nt"&gt;-O&lt;/span&gt; resident &lt;span class="nt"&gt;-O&lt;/span&gt; &lt;span class="nv"&gt;application&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;ssh:your-label

&lt;span class="c"&gt;# This creates a key that requires the physical touch of a USB security key&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Push Notifications: Convenience vs. Fatigue
&lt;/h2&gt;

&lt;p&gt;Push based 2FA, popularized by Duo and Microsoft Authenticator, is incredibly convenient. You simply tap 'Approve' on your phone. However, this convenience introduces a specific vulnerability known as 'MFA Fatigue.' In this scenario, an attacker who has your password triggers dozens of push requests to your phone at 3:00 AM. Many users eventually tap 'Approve' just to make the notifications stop or out of half asleep confusion.&lt;/p&gt;

&lt;p&gt;To mitigate this, many services are moving toward 'Number Matching.' Instead of a simple Approve/Deny button, the login screen displays a two digit number that you must type into the app on your phone. This forces the user to be physically present and looking at the login screen, effectively bridging the gap between convenience and security. If your service provider offers number matching, enable it immediately.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Implementation Strategy
&lt;/h2&gt;

&lt;p&gt;Securing your digital life is about layers. Start by auditing your accounts and removing SMS as a recovery or 2FA option wherever possible. For your primary email and password manager, buy two hardware security keys. Register both, use one on your keychain, and keep the other in a physical safe as a backup. For services that do not support FIDO2, use TOTP stored in an encrypted vault.&lt;/p&gt;

&lt;p&gt;When setting up local services or home labs, don't ignore the internal network. If you are running a local dashboard or a management interface for your network, ensure it is behind a reverse proxy that enforces its own 2FA layer. This is especially important for remote access tools. If you use a VPN for your lab, ensure the authentication flow is robust. You can see how this fits into a broader network strategy in our &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;Practical Guide to Deploying WireGuard on Your Home Server&lt;/a&gt;. By combining a secure tunnel with hardware backed 2FA, you create a formidable barrier against unauthorized access.&lt;/p&gt;





&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/two-factor-authentication-guide.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>productivity</category>
      <category>devops</category>
      <category>linux</category>
    </item>
    <item>
      <title>Setting up Bitwarden as your Password Manager: A Complete Beginner Guide</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 15:00:06 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/setting-up-bitwarden-as-your-password-manager-a-complete-beginner-guide-1ad8</link>
      <guid>https://forem.com/lorikeesmart/setting-up-bitwarden-as-your-password-manager-a-complete-beginner-guide-1ad8</guid>
      <description>&lt;p&gt;Password fatigue leads to dangerous security habits like reusing the same password across multiple sites or using simple, guessable strings. Bitwarden is an open source, audited, and highly versatile password manager that solves this problem by creating a secure, encrypted vault for all your credentials. Unlike proprietary competitors, Bitwarden offers a robust free tier and allows you to sync across an unlimited number of devices. This guide will walk you through the technical steps of setting up Bitwarden, configuring your master password, and migrating your existing data to a more secure environment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: Creating a Secure Account and Master Password
&lt;/h2&gt;

&lt;p&gt;The security of your entire digital identity relies on your Bitwarden Master Password. This is the only password you will need to remember, and it is the key that decrypts your local vault. Bitwarden uses zero-knowledge encryption, which means your master password never leaves your device and Bitwarden staff cannot reset it for you if you lose it.&lt;/p&gt;

&lt;p&gt;When choosing a master password, avoid common words or personal information. A passphrase of four or five random words is often more secure and easier to remember than a short string of complex characters. For example, a phrase like &lt;code&gt;Correct-Horse-Battery-Staple&lt;/code&gt; is significantly harder to brute-force than &lt;code&gt;P@ssw0rd123!&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Once you have created your account at bitwarden.com, immediately enable Two-Factor Authentication (2FA). Even if someone steals your master password, they cannot access your vault without the second factor. Navigate to &lt;strong&gt;Settings &amp;gt; Security &amp;gt; Two-step login&lt;/strong&gt; and choose an authenticator app like Aegis or Authy. For those running advanced home setups, securing your vault is just as critical as your network perimeter. If you are interested in further securing your infrastructure, check out our &lt;a href="https://lorikeetsmart.com/blog/home-router-hardening-checklist.html" rel="noopener noreferrer"&gt;Home Router Hardening Checklist&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2: Installing Extensions and Mobile Apps
&lt;/h2&gt;

&lt;p&gt;To make Bitwarden useful, you must integrate it into your workflow. The most efficient way to use Bitwarden is through the browser extension, available for Chrome, Firefox, Edge, and Brave. Once installed, the extension will detect when you are on a login page and offer to auto-fill your credentials.&lt;/p&gt;

&lt;p&gt;On mobile devices, Bitwarden uses the native Auto-fill API on both Android and iOS. This allows the app to prompt you for a fingerprint or face scan to unlock your vault and fill passwords directly into other apps. To set this up on Android, go to &lt;strong&gt;Settings &amp;gt; Auto-fill Services&lt;/strong&gt; and select Bitwarden. On iOS, navigate to &lt;strong&gt;Settings &amp;gt; Passwords &amp;gt; Password Options&lt;/strong&gt; and enable Bitwarden.&lt;/p&gt;

&lt;p&gt;If you are a power user who prefers the command line, Bitwarden also offers a CLI tool. You can install it via npm or download the binary. This is particularly useful for scripting or retrieving secrets in a DevOps environment. To use the CLI, log in, unlock the vault, and export the session key that &lt;code&gt;bw unlock&lt;/code&gt; prints so that later commands can reuse it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bw login
bw unlock
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;BW_SESSION&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"your_session_key"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Step 3: Migrating and Organizing Your Vault
&lt;/h2&gt;

&lt;p&gt;Most users start with passwords saved in their browser or an old manager like LastPass. You should export these as a CSV file and import them into Bitwarden immediately. Once the import is complete, clear your browser's saved passwords and disable the built-in browser password manager to prevent conflicts.&lt;/p&gt;

&lt;p&gt;Inside Bitwarden, use 'Folders' to organize your entries. I recommend categories such as 'Financial', 'Work', 'Social Media', and 'Infrastructure'. If you have a complex home lab, you might store credentials for your network gear here. For instance, if you followed our guide on &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole Setup&lt;/a&gt;, you should store your admin dashboard password in a dedicated 'Networking' folder.&lt;/p&gt;

&lt;p&gt;Every entry in your vault should have a unique, randomly generated password. Use the Bitwarden Password Generator tool to create strings that are at least 16 characters long and include a mix of uppercase, lowercase, numbers, and symbols. There is no longer a reason to know what your Netflix or banking password actually is, as Bitwarden handles the memory work for you.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 4: Advanced Security Settings
&lt;/h2&gt;

&lt;p&gt;After the basic setup, fine-tune your vault timeout settings. By default, Bitwarden might stay unlocked for too long. Navigate to &lt;strong&gt;Settings &amp;gt; Security &amp;gt; Vault Timeout&lt;/strong&gt; and set it to 'On System Idle' or a specific time like 15 minutes. This ensures that if you walk away from your computer, your vault locks itself automatically.&lt;/p&gt;

&lt;p&gt;You should also consider the 'Vault Health' reports if you opt for a premium subscription. These reports identify re-used passwords, weak passwords, and accounts that have been compromised in known data breaches. Even without the premium version, you can manually audit your entries. Look for any account where you have not yet enabled 2FA and prioritize those for updates. Securing your passwords is the first step, but ensuring your remote access methods are also encrypted is equally important, such as when you are &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;deploying WireGuard on your home server&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Finally, create an Emergency Access contact. This allows a trusted individual to request access to your vault in case of an emergency. You can set a waiting period, such as 7 days, during which you can decline the request if you are still able to manage your account.&lt;/p&gt;





&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/password-manager-setup-bitwarden.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>productivity</category>
      <category>linux</category>
      <category>devops</category>
    </item>
    <item>
      <title>Home Router Hardening Checklist: 10 Settings to Change Right Now</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 00:19:07 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/home-router-hardening-checklist-10-settings-to-change-right-now-317</link>
      <guid>https://forem.com/lorikeesmart/home-router-hardening-checklist-10-settings-to-change-right-now-317</guid>
      <description>&lt;p&gt;Most consumer routers ship with settings optimized for convenience rather than security. Out of the box, your gateway is likely broadcasting its model number, responding to external pings, and utilizing weak authentication protocols that are trivial to bypass with modern hardware. Hardening your network perimeter is not just about choosing a long password. It requires a systematic approach to disabling legacy features, segmenting traffic, and closing backdoors that manufacturers leave open for support purposes. This guide provides a technical checklist to transform your router from a vulnerable entry point into a robust first line of defense.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Disable WPS and UPnP Immediately
&lt;/h2&gt;

&lt;p&gt;Wi-Fi Protected Setup (WPS) is a massive security hole. It allows devices to join the network via an 8-digit PIN that is vulnerable to brute-force attacks using tools like Reaver. Even if you use a complex WPA2 or WPA3 password, an attacker can bypass it by cracking the WPS PIN in a matter of hours. Disable WPS in your wireless settings and never look back.&lt;/p&gt;

&lt;p&gt;Similarly, Universal Plug and Play (UPnP) should be turned off. While it makes gaming and media streaming easier by automatically opening ports, it allows malware on your internal network to punch holes through your firewall without your consent. If you need to host a service, do it manually through port forwarding or, better yet, a secure tunnel. For those moving beyond basic consumer hardware, see our guide on &lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;OPNsense vs pfSense&lt;/a&gt; to gain more granular control over these protocols.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Update Your DNS and Encryption Standards
&lt;/h2&gt;

&lt;p&gt;Stop using your ISP default DNS servers. They are often slow and serve as a goldmine for data harvesting. Switch to a privacy-focused provider like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). If you want to take it a step further, you can implement network-wide blocking by following our &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole setup guide&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;On the wireless side, ensure you are using WPA3-SAE if your hardware supports it. If you are still on older hardware, use WPA2-AES (CCMP). Avoid any setting that mentions TKIP, as it is deprecated and insecure. Also, disable the 'Remote Management' or 'Web Management via WAN' feature. There is almost no reason to allow your router login page to be accessible from the public internet. If you need remote access to your network, use a dedicated VPN solution.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Example: Checking for open ports from outside your network&lt;/span&gt;
&lt;span class="c"&gt;# Run this from an external VPS or cellular hotspot&lt;/span&gt;
nmap &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; 80,443,8080 &lt;span class="o"&gt;[&lt;/span&gt;Your_Public_IP]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  3. Segment Your Network and IoT Devices
&lt;/h2&gt;

&lt;p&gt;The average home is now filled with smart lightbulbs, cheap cameras, and appliances that rarely receive security updates. These devices are notorious for having hardcoded credentials and vulnerabilities. You should never allow these devices on the same VLAN or SSID as your primary workstations and NAS. Use the 'Guest Network' feature on your router to isolate these devices. This ensures that if a smart fridge is compromised, the attacker cannot easily pivot to your computer to steal sensitive data.&lt;/p&gt;

&lt;p&gt;Ensure that 'AP Isolation' or 'Client Isolation' is enabled on your guest network. This prevents wireless clients from communicating with each other, adding another layer of security for guests and untrusted IoT hardware.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Manage Credentials and Firmware
&lt;/h2&gt;

&lt;p&gt;Changing the admin password is obvious, but you must also change the default admin username if the router allows it. Many automated scripts specifically target the 'admin' or 'root' accounts. Furthermore, disable the SSID broadcast if you want to stay off the radar of casual wardrivers, although this is security through obscurity and not a replacement for strong encryption.&lt;/p&gt;

&lt;p&gt;Check for firmware updates monthly. Unlike your PC, routers often do not update themselves automatically unless specifically configured. If your manufacturer has stopped providing updates, your router is EOL (End of Life) and should be replaced or flashed with open-source firmware like OpenWrt if supported. Security patches are the only way to protect against recent exploits like FragAttacks or KRACK.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Optimize Physical and Signal Security
&lt;/h2&gt;

&lt;p&gt;Security is not just digital. Reduce your radio power if you live in a small apartment. There is no reason for your Wi-Fi signal to be crystal clear three houses down the street. Lowering the transmit power (Tx Power) limits the physical area where an attacker can attempt to intercept your traffic. Additionally, disable any 'Ping from WAN' or 'ICMP Echo' requests. This makes your IP address appear dead to automated scanners that are looking for active targets on your ISP subnet.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Disable MAC Address Filtering: It is easily spoofed and provides a false sense of security.&lt;/li&gt;
&lt;li&gt;Enable Logging: Point your router logs to a Syslog server if possible to track unauthorized access attempts.&lt;/li&gt;
&lt;li&gt;Set a DHCP Lease Limit: Only allow as many IP addresses as you have devices to prevent unauthorized connections from staying hidden.&lt;/li&gt;
&lt;/ul&gt;





&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/home-router-hardening-checklist.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>homelab</category>
    </item>
    <item>
      <title>Setting Up a NAS for the First Time: Storage, Backups, and Remote Access</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 00:16:07 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/setting-up-a-nas-for-the-first-time-storage-backups-and-remote-access-fio</link>
      <guid>https://forem.com/lorikeesmart/setting-up-a-nas-for-the-first-time-storage-backups-and-remote-access-fio</guid>
      <description>&lt;p&gt;A Network Attached Storage (NAS) device is more than just a hard drive with an ethernet port. It is a dedicated server designed to provide centralized data storage, media streaming, and automated backups for your entire network. Whether you are using a pre-built solution like Synology or building a custom box with TrueNAS, the fundamental principles of data integrity and security remain the same. This guide moves past the basic unboxing and focuses on the technical decisions that determine whether your data survives a hardware failure or stays secure when you access it from outside your home.&lt;/p&gt;

&lt;h2&gt;
  
  
  Storage Strategy and RAID Selection
&lt;/h2&gt;

&lt;p&gt;The first decision you face is how to arrange your physical disks. While it is tempting to use JBOD (Just a Bunch Of Disks) to maximize capacity, this offers zero redundancy. If one drive fails, you lose data. For most first-time setups, RAID 1 or RAID 5 provides the best balance of protection and usable space.&lt;/p&gt;

&lt;p&gt;RAID 1 mirrors two identical drives. It is simple and highly reliable, but you lose 50 percent of your total raw capacity. RAID 5 requires at least three drives and uses parity to protect data. This allows one drive to fail without losing anything, though the rebuild process puts significant stress on the remaining disks. If you are using drives larger than 8TB, consider RAID 6 or ZFS RAID-Z2, which can survive two simultaneous disk failures. For those building a custom server, the ZFS file system is the gold standard because it protects against silent data corruption, also known as bit rot, by using checksums to verify data integrity every time it is read.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementing the 3-2-1 Backup Rule
&lt;/h2&gt;

&lt;p&gt;A common mistake is assuming that RAID is a backup. RAID protects against hardware failure, but it does not protect against accidental deletion, ransomware, or fire. A professional NAS setup must follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy kept offsite.&lt;/p&gt;

&lt;p&gt;Your NAS is your primary copy. Your second copy should be a local backup, such as an external USB drive plugged directly into the NAS that runs a daily rsync job. The third copy should be in the cloud or at a different physical location. Tools like Hyper Backup or Rclone are excellent for encrypting your data locally before sending it to a provider like Backblaze B2 or Wasabi. Here is an example of a basic rsync command to sync a local share to an external mount point:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rsync &lt;span class="nt"&gt;-avh&lt;/span&gt; &lt;span class="nt"&gt;--delete&lt;/span&gt; /mnt/user/documents/ /mnt/disks/external_backup/documents/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command ensures that your external drive is an exact mirror of your NAS share, removing files from the backup that you have intentionally deleted from the source.&lt;/p&gt;

&lt;h2&gt;
  
  
  Network Configuration and Security
&lt;/h2&gt;

&lt;p&gt;Once your storage is stable, you need to ensure the NAS does not become a bottleneck or a security risk. Always assign a static IP address to your NAS so that mapped network drives do not break when your router reboots. If your NAS has multiple ethernet ports, you can use Link Aggregation (LACP) to increase total bandwidth, though this requires a managed switch that supports the IEEE 802.3ad standard.&lt;/p&gt;

&lt;p&gt;Security starts at the network level. Disable the default admin account and enforce two-factor authentication (2FA) for all users. You should also disable services you do not use, such as Telnet or UPnP. To monitor your network traffic and ensure your NAS is not communicating with suspicious external IPs, you can use &lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;essential professional network monitoring tools&lt;/a&gt; to keep an eye on bandwidth and connection logs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Secure Remote Access without Port Forwarding
&lt;/h2&gt;

&lt;p&gt;Opening ports on your router to access your NAS files from the internet is a major security risk. Attackers constantly scan for open ports associated with common NAS manufacturers to launch brute force attacks. Instead of exposing the NAS web interface directly, use a Virtual Private Network (VPN).&lt;/p&gt;

&lt;p&gt;WireGuard is the current industry standard for remote access because it is fast and uses modern cryptography. By setting up a VPN gateway, you can access your NAS as if you were sitting on your home Wi-Fi. For a detailed walkthrough on this, see our &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;practical guide to deploying WireGuard&lt;/a&gt;. If you want to add an extra layer of privacy and performance to your network before you start streaming 4K video from your NAS, it is also worth checking out our comparison of &lt;a href="https://lorikeetsmart.com/blog/wifi-6-vs-wifi-6e-explained.html" rel="noopener noreferrer"&gt;Wi-Fi 6 vs Wi-Fi 6E&lt;/a&gt; to ensure your wireless backhaul can handle the throughput.&lt;/p&gt;

&lt;h2&gt;
  
  
  Maintenance and Health Checks
&lt;/h2&gt;

&lt;p&gt;A NAS is not a set-and-forget appliance. You must configure automated S.M.A.R.T. tests to monitor the health of your hard drives. A short test every week and a long test every month will help you identify failing sectors before the drive completely dies. Additionally, set up email or push notifications. You need to know immediately if a fan fails or if a drive enters a degraded state. Most modern NAS operating systems include a notification center where you can link an SMTP server or a service like Pushover. Regular firmware updates are also essential, as they often contain patches for critical vulnerabilities that could allow unauthorized access to your file system.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Need to audit your server setup? Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Small Business IT Audit Checklist&lt;/a&gt; covers hardware, software, security posture, backups, and network documentation. $9, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/sbiac" rel="noopener noreferrer"&gt;Get the IT Audit Checklist&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/nas-setup-beginners-guide.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>homelab</category>
      <category>linux</category>
      <category>storage</category>
    </item>
    <item>
      <title>Wi-Fi 6 vs Wi-Fi 6E: What Actually Matters for Your Setup</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 00:13:06 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/wi-fi-6-vs-wi-fi-6e-what-actually-matters-for-your-setup-2pb6</link>
      <guid>https://forem.com/lorikeesmart/wi-fi-6-vs-wi-fi-6e-what-actually-matters-for-your-setup-2pb6</guid>
      <description>&lt;p&gt;If you are planning a network refresh, the marketing surrounding Wi-Fi 6 and Wi-Fi 6E can be confusing. While Wi-Fi 6 (802.11ax) was a significant upgrade over Wi-Fi 5 in terms of efficiency and capacity, Wi-Fi 6E is the first standard in nearly two decades to open up new spectrum. The difference between the two is not just a minor speed bump. It represents a fundamental shift in how we handle wireless interference and congestion. For a senior IT professional or a home lab enthusiast, choosing between them requires looking past the theoretical gigabit speeds and focusing on your specific environment, device density, and physical layout.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Spectrum Advantage: 6GHz is the Game Changer
&lt;/h2&gt;

&lt;p&gt;The primary difference between Wi-Fi 6 and Wi-Fi 6E is the addition of the 6GHz band. Wi-Fi 6 operates on the traditional 2.4GHz and 5GHz frequencies. These bands are incredibly crowded. In a typical urban environment or office building, the 5GHz band is often saturated with overlapping channels and interference from older legacy devices. Wi-Fi 6E solves this by adding 1,200 MHz of new spectrum in the 6GHz range.&lt;/p&gt;

&lt;p&gt;This new band provides up to seven additional 160 MHz channels. On the 5GHz band, finding a clean 160 MHz channel is nearly impossible without encountering DFS (Dynamic Frequency Selection) issues or interference from neighbors. Because the 6GHz band is exclusive to Wi-Fi 6E and Wi-Fi 7 devices, there is no legacy overhead. You do not have to share airtime with a 10 year old laptop running 802.11n. If you are already running advanced network services like a &lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;WireGuard VPN on your home server&lt;/a&gt;, the low latency of the 6GHz band ensures your tunnel performance is not bottlenecked by wireless jitter.&lt;/p&gt;

&lt;h2&gt;
  
  
  Range and Penetration Realities
&lt;/h2&gt;

&lt;p&gt;Physics dictates that higher frequencies have a harder time passing through solid objects. While the 6GHz band offers massive throughput, its effective range is shorter than 5GHz and significantly shorter than 2.4GHz. In a real world deployment, this means that a single Wi-Fi 6E access point might not provide the same coverage footprint as a Wi-Fi 6 unit if your walls are made of brick or dense drywall.&lt;/p&gt;

&lt;p&gt;For optimal 6E performance, you generally need a line of sight or at most one wall between the client and the access point. If your goal is to provide high speed connectivity across a large multi story home, you will likely need a wired backhaul mesh or multiple access points. This is where professional planning tools become essential. You can use command line tools to check your current signal strength and noise floor before deciding where to place new hardware.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# On Linux, use iw to check link quality and signal levels&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;iw dev wlan0 &lt;span class="nb"&gt;link&lt;/span&gt;

&lt;span class="c"&gt;# On macOS, use the airport utility to scan for congestion&lt;/span&gt;
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport &lt;span class="nt"&gt;-s&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Hardware Requirements and Backhaul Bottlenecks
&lt;/h2&gt;

&lt;p&gt;Upgrading to Wi-Fi 6E is not just about the access point. Every client device must have a 6GHz compatible radio. Most flagship phones and high end laptops released after 2022 support 6E, but your smart home sensors and older IoT gear will remain on 2.4GHz. To manage this mixed environment effectively, many professionals use a dedicated firewall like those discussed in our guide on &lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;OPNsense vs pfSense&lt;/a&gt; to VLAN off the older, less secure devices from the high speed 6GHz traffic.&lt;/p&gt;

&lt;p&gt;Another critical factor is your wired infrastructure. A Wi-Fi 6E access point can easily exceed 1Gbps of real world throughput. If your access point is connected to a standard Gigabit Ethernet port on your switch, the wire becomes the bottleneck. For a meaningful 6E upgrade, you should look for access points and switches that support 2.5GbE (Multi-Gigabit) ports. Without a 2.5GbE uplink, the extra spectrum of 6E is largely wasted for single client peak speeds.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Troubleshooting and Validation
&lt;/h2&gt;

&lt;p&gt;Once you deploy Wi-Fi 6 or 6E, you need to verify that you are actually getting the performance you paid for. Do not rely on internet speed tests alone, as they introduce external variables like ISP congestion. Instead, use iperf3 to test local throughput between a wireless client and a wired server. This isolates the Wi-Fi performance from your internet connection.&lt;/p&gt;

&lt;p&gt;If you notice high latency despite having a 6E connection, check for channel width settings in your controller. While 160 MHz is the selling point of 6E, in some high density environments, dropping to 80 MHz can actually provide a more stable experience by reducing the noise floor. To keep a close eye on your network health, you should implement some of the &lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;essential free tools for professional network monitoring&lt;/a&gt; to track packet loss and latency trends over time.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Run iperf3 server on a wired machine&lt;/span&gt;
iperf3 &lt;span class="nt"&gt;-s&lt;/span&gt;

&lt;span class="c"&gt;# Run iperf3 client on your Wi-Fi 6E laptop to test raw bandwidth&lt;/span&gt;
iperf3 &lt;span class="nt"&gt;-c&lt;/span&gt; 192.168.1.50 &lt;span class="nt"&gt;-P&lt;/span&gt; 8 &lt;span class="nt"&gt;-t&lt;/span&gt; 30
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Decision Matrix: Which Should You Choose?
&lt;/h2&gt;

&lt;p&gt;The choice between Wi-Fi 6 and Wi-Fi 6E comes down to your environment. If you live in a rural area with little neighbor interference and you do not have 2.5GbE infrastructure, standard Wi-Fi 6 is more than sufficient. It is cost effective and provides excellent range. You can spend the saved money on other network improvements, such as a &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole setup&lt;/a&gt; to clean up your DNS traffic.&lt;/p&gt;

&lt;p&gt;However, if you live in a dense apartment complex or a city where twenty different 5GHz networks are visible from your living room, Wi-Fi 6E is worth the premium. The ability to jump onto the empty 6GHz highway will provide a much more consistent experience for gaming, video conferencing, and large file transfers. Just ensure you are prepared to run cables for additional access points to compensate for the reduced range of the higher frequency.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Home Network Security Setup Guide&lt;/a&gt; covers router hardening, VLANs, Pi-hole, WireGuard VPN, and firewall rules end to end. $12, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/hnssg" rel="noopener noreferrer"&gt;Get the Network Security Guide&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/wifi-6-vs-wifi-6e-explained.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>homelab</category>
    </item>
    <item>
      <title>Essential Free Tools for Professional Network Monitoring and Troubleshooting</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 00:06:27 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/essential-free-tools-for-professional-network-monitoring-and-troubleshooting-4nnh</link>
      <guid>https://forem.com/lorikeesmart/essential-free-tools-for-professional-network-monitoring-and-troubleshooting-4nnh</guid>
      <description>&lt;p&gt;Modern business operations and home productivity depend entirely on network stability. When the internet feels slow or a printer disappears from the network, guessing is not a strategy. You need visibility into what is happening at the packet level and the device level. Professional network monitoring does not always require a five-figure enterprise budget. By using a combination of open source utilities and community editions of professional software, you can gain a granular view of your bandwidth consumption, device health, and security posture without spending a dime.&lt;/p&gt;

&lt;h2&gt;
  
  
  Network Discovery and Mapping with Nmap
&lt;/h2&gt;

&lt;p&gt;Before you can monitor a network, you must know exactly what is on it. Nmap (Network Mapper) is the industry standard for discovery. It is a command line tool that identifies every IP address in use, the operating systems of those devices, and which ports are open. This is critical for finding unauthorized devices or identifying services that should not be exposed to the local network.&lt;/p&gt;

&lt;p&gt;For a basic scan of your entire local subnet, you can use the following command. It probes every address in the subnet without scanning any ports and reports back which hosts are active:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;nmap &lt;span class="nt"&gt;-sn&lt;/span&gt; 192.168.1.0/24
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you need more detail, such as the version of services running on a specific machine, use the service detection flag. This is helpful when you need to confirm if a server is running an outdated or vulnerable version of a web service:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;nmap &lt;span class="nt"&gt;-sV&lt;/span&gt; 192.168.1.50
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For those who prefer a graphical interface, Zenmap provides a visual representation of Nmap results, making it easier to see the topology of your office network at a glance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Deep Packet Analysis with Wireshark
&lt;/h2&gt;

&lt;p&gt;When connectivity is intermittent or an application is behaving strangely, you need to look at the actual data packets. Wireshark is the premier tool for this task. It intercepts traffic and decodes it into a readable format, allowing you to see exactly where a handshake is failing or if a device is flooding the network with junk traffic.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Filter by IP:&lt;/strong&gt; Use the filter &lt;code&gt;ip.addr == 192.168.1.10&lt;/code&gt; to isolate traffic from a single problematic machine.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Identify Latency:&lt;/strong&gt; Look for TCP retransmissions, which are highlighted in black and red by default. High counts of these usually indicate hardware failure or severe congestion.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security Audits:&lt;/strong&gt; Search for unencrypted traffic like HTTP or Telnet to ensure sensitive data is not being transmitted in plain text across your office.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wireshark is powerful but can be overwhelming. Focus on the 'Statistics' menu to get a high level overview of protocol distribution before diving into individual packets.&lt;/p&gt;

&lt;h2&gt;
  
  
  Continuous Monitoring with GlassWire and PRTG
&lt;/h2&gt;

&lt;p&gt;Manual scanning is useful for troubleshooting, but continuous monitoring helps you catch issues before they result in downtime. For Windows users, GlassWire provides a beautiful, real-time graph of network activity. It alerts you the moment a new device joins the network or when an existing application starts communicating with a suspicious IP address.&lt;/p&gt;

&lt;p&gt;For a more robust, server-style setup, Paessler PRTG offers a free version that includes up to 100 sensors. A sensor is a single data point, such as the CPU load of a router, the available space on a NAS, or the ping response time of a web server. PRTG runs in the background and can send email or push notifications if a critical device goes offline. This is the closest you can get to enterprise monitoring without a subscription fee. It uses SNMP (Simple Network Management Protocol) to pull data directly from your hardware, giving you hardware-level insights that software-only tools cannot provide.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing Throughput with iPerf3
&lt;/h2&gt;

&lt;p&gt;Internet speed tests like Ookla are fine for checking your ISP connection, but they do not tell you how your internal network is performing. If you are experiencing slow file transfers between computers, you need to test the local throughput. iPerf3 is a cross-platform tool that creates a TCP or UDP data stream between two points to measure maximum bandwidth.&lt;/p&gt;

&lt;p&gt;To use it, run iPerf3 in server mode on one machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;iperf3 &lt;span class="nt"&gt;-s&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then, run it in client mode on a second machine, pointing to the first one's IP address:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;iperf3 &lt;span class="nt"&gt;-c&lt;/span&gt; 192.168.1.20
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will give you a pure measurement of your network cables, switches, and Wi-Fi access points. If you have a Gigabit network but iPerf3 shows only 90 Mbps, you likely have a damaged Cat5e cable or a port that has negotiated down to 10/100 speeds. This eliminates the ISP as a variable and lets you focus on the physical layer of your office infrastructure.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Home Network Security Setup Guide&lt;/a&gt; covers router hardening, VLANs, Pi-hole, WireGuard VPN, and firewall rules end to end. $19, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/hnssg" rel="noopener noreferrer"&gt;Get the Network Security Guide&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Related Posts
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;Pi-hole Setup Guide: Block Ads and Malware for Every Device on Your Network&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/home-vlan-setup-guide.html" rel="noopener noreferrer"&gt;How to Set Up a VLAN on a Home Network&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;OPNsense vs pfSense: Choosing the Right Firewall for Your Network&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>devops</category>
      <category>linux</category>
    </item>
    <item>
      <title>OPNsense vs pfSense: Choosing the Right Firewall for Your Network</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Thu, 02 Apr 2026 00:05:16 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/opnsense-vs-pfsense-choosing-the-right-firewall-for-your-network-516h</link>
      <guid>https://forem.com/lorikeesmart/opnsense-vs-pfsense-choosing-the-right-firewall-for-your-network-516h</guid>
      <description>&lt;p&gt;Choosing between OPNsense and pfSense is a common dilemma for IT professionals and small business owners looking to move beyond consumer grade routers. Both platforms are built on FreeBSD and offer enterprise grade features like VPN support, intrusion detection, and advanced traffic shaping without the recurring license fees of commercial vendors. While they share a common ancestor, their development philosophies, user interfaces, and release schedules have diverged significantly over the last decade. This guide cuts through the marketing noise to help you decide which system fits your specific deployment requirements based on stability, hardware support, and daily management needs.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Core Architecture and Shared DNA
&lt;/h2&gt;

&lt;p&gt;Both platforms utilize the pf packet filter and are based on the FreeBSD operating system. This means that if a network card works on one, it will likely work on the other, provided the versions of FreeBSD are aligned. However, OPNsense has transitioned to using HardenedBSD for its security enhancements, offering features like Address Space Layout Randomization (ASLR) to mitigate memory corruption vulnerabilities. This makes OPNsense theoretically more resistant to certain types of exploits.&lt;/p&gt;

&lt;p&gt;When it comes to hardware, both favor Intel NICs over Realtek due to driver stability in the BSD kernel. If you are building a custom box, look for the i210 or i225/i226 series chipsets. You can verify your network interfaces via the shell using the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pciconf &lt;span class="nt"&gt;-lv&lt;/span&gt; | &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-A1&lt;/span&gt; &lt;span class="nt"&gt;-B3&lt;/span&gt; network
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command allows you to see the exact hardware vendor and device ID to ensure your drivers are loaded correctly. While pfSense is often seen as the more conservative and stable option for mission critical environments, OPNsense updates more frequently, which can be a double edged sword depending on your tolerance for maintenance windows.&lt;/p&gt;

&lt;h2&gt;
  
  
  User Interface and Management Experience
&lt;/h2&gt;

&lt;p&gt;The most visible difference between the two is the web interface. pfSense uses a traditional, somewhat dated UI that has remained largely unchanged for years. It is functional and fast, but it can feel cluttered to new users. OPNsense features a modern, responsive Bootstrap based UI with a searchable menu system. For many administrators, the search bar in the OPNsense sidebar is a game changer, as it eliminates the need to remember exactly which submenu contains the firewall rule or plugin settings.&lt;/p&gt;

&lt;p&gt;OPNsense also prioritizes a modular plugin system. Instead of including every possible feature in the base install, you add what you need. This keeps the base system lean. Popular plugins include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;os-haproxy:&lt;/strong&gt; For load balancing and SSL termination.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;os-crowdsec:&lt;/strong&gt; For community driven IP reputation blocking.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;os-wireguard:&lt;/strong&gt; For high performance VPN connectivity.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;pfSense handles packages similarly via its Package Manager, but the integration often feels less unified than the OPNsense approach.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Licensing and Commercial Divide
&lt;/h2&gt;

&lt;p&gt;The split between these two projects was driven by differences in philosophy regarding open source. pfSense is owned by Netgate and follows a dual track model. There is pfSense CE (Community Edition) and pfSense Plus. While CE is free, Netgate has shifted most of its development focus to the Plus version, which is required for their official hardware and includes features like ZFS boot environments and better support for specialized crypto acceleration. This has led to concerns in the community about the long term viability of the CE version.&lt;/p&gt;

&lt;p&gt;OPNsense is managed by Deciso and remains strictly open source. There is a Business Edition available for a fee, but the core features are identical to the free version. The Business Edition simply offers a more stable update track and access to a professional plugin repository. If you are a small business that values transparency and wants to avoid vendor lock in, OPNsense is often the more attractive choice.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security Features: IDS, IPS, and WireGuard
&lt;/h2&gt;

&lt;p&gt;Both firewalls excel at Intrusion Detection and Prevention Systems (IDS/IPS). They both offer Suricata, which can be configured to monitor traffic for malicious patterns. OPNsense has a slight edge here for home users because it includes a built in graphical reporting engine for Suricata alerts, making it easier to see what is being blocked without digging through raw logs.&lt;/p&gt;

&lt;p&gt;WireGuard implementation is another area of interest. OPNsense was an early adopter and has a very clean configuration workflow for it. pfSense also supports WireGuard, but the setup involves a few more manual steps in the interface. For remote access, both systems support OpenVPN, though WireGuard is recommended for its lower latency and higher throughput on modest hardware.&lt;/p&gt;

&lt;p&gt;To check the status of your WireGuard tunnels from the command line on either system, you can use:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;wg show
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This provides a quick snapshot of active handshakes and data transfer per peer, which is invaluable for troubleshooting remote worker connections.&lt;/p&gt;

&lt;h2&gt;
  
  
  Practical Decision Matrix
&lt;/h2&gt;

&lt;p&gt;To make the final call, evaluate your specific environment. If you are a small business that wants to buy a preconfigured appliance with a support contract, pfSense Plus on Netgate hardware is the gold standard. It is a proven, reliable ecosystem with a massive amount of documentation and community tutorials available.&lt;/p&gt;

&lt;p&gt;If you are a home lab enthusiast or a tech savvy small business that prefers building your own hardware, OPNsense is usually the better fit. Its frequent update cycle, modern UI, and commitment to open source principles make it a more agile platform. It also handles modern web standards better, providing a more intuitive experience for administrators who do not want to spend hours reading through legacy forum posts to find a single setting. Regardless of your choice, both platforms will provide significantly better security than any off the shelf consumer router.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Home Network Security Setup Guide&lt;/a&gt; covers router hardening, VLANs, Pi-hole, WireGuard VPN, and firewall rules end to end. $19, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/hnssg" rel="noopener noreferrer"&gt;Get the Network Security Guide&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Related Posts
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/home-vlan-setup-guide.html" rel="noopener noreferrer"&gt;How to Set Up a VLAN on a Home Network&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;A Practical Guide to Deploying WireGuard on Your Home Server&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;Essential Free Tools for Professional Network Monitoring and Troubleshooting&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/opnsense-vs-pfsense.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>homelab</category>
    </item>
    <item>
      <title>Pi-hole Setup Guide: Block Ads and Malware for Every Device on Your Network</title>
      <dc:creator>Lorikeet Smart</dc:creator>
      <pubDate>Wed, 01 Apr 2026 23:59:44 +0000</pubDate>
      <link>https://forem.com/lorikeesmart/pi-hole-setup-guide-block-ads-and-malware-for-every-device-on-your-network-1ea8</link>
      <guid>https://forem.com/lorikeesmart/pi-hole-setup-guide-block-ads-and-malware-for-every-device-on-your-network-1ea8</guid>
      <description>&lt;p&gt;Modern web browsing is cluttered with invasive trackers, bandwidth-heavy advertisements, and malicious domains that pose a risk to your infrastructure. While browser-based blockers work for individual computers, they do nothing for smart TVs, mobile apps, or IoT devices. Pi-hole solves this problem by acting as a private, network-wide DNS sinkhole. By intercepting DNS queries before they reach the internet, it can drop requests to known ad servers and malware hosts. This guide provides a technical walkthrough for deploying Pi-hole on a Linux-based system to secure your entire environment from the gateway down.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hardware and OS Requirements
&lt;/h2&gt;

&lt;p&gt;Pi-hole is remarkably lightweight and does not require high-end hardware. While the name suggests a Raspberry Pi, you can run this on any Debian-based distribution, a virtual machine, or a Docker container. For a dedicated hardware appliance, a Raspberry Pi Zero 2 W or an old Raspberry Pi 3 is more than sufficient. If you are running a homelab, a small Ubuntu Server VM with 512MB of RAM and 1 CPU core is the ideal configuration.&lt;/p&gt;

&lt;p&gt;Before starting, ensure your host has a static IP address assigned. If your IP changes via DHCP later, your network DNS will break and you will lose internet connectivity across all devices. You should also ensure that your system packages are up to date by running a standard update command.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Installation Process
&lt;/h2&gt;

&lt;p&gt;The Pi-hole project provides an automated installer that handles the configuration of the web server, the DNS engine, and the initial blocklists. You should run the installer with root privileges. During the process, a text-based interface will guide you through selecting an upstream DNS provider, such as Cloudflare (1.1.1.1) or Google (8.8.8.8), which Pi-hole will use to resolve legitimate traffic.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-sSL&lt;/span&gt; https://install.pi-hole.net | bash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once the script finishes, pay close attention to the final output. It will provide your admin interface password and the IPv4 address of the Pi-hole. You can change this password later using the command line tool if necessary. The installer also configures lighttpd, a lightweight web server, to host the administrative dashboard where you can view real-time statistics and manage your blocklists.&lt;/p&gt;

&lt;h2&gt;
  
  
  Network Configuration and DNS Routing
&lt;/h2&gt;

&lt;p&gt;After the software is installed, you must tell your network to use the Pi-hole for DNS resolution. There are two primary ways to do this. The most efficient method is to log into your router settings and change the DHCP DNS server to the static IP of your Pi-hole. This ensures that every device that joins your network automatically receives the correct DNS settings without manual intervention.&lt;/p&gt;

&lt;p&gt;If your router does not allow you to change DNS settings, you can disable the DHCP server on the router and enable the built-in DHCP server within the Pi-hole settings. This gives the Pi-hole full control over network addressing and provides better visibility into which specific devices are making which requests. If neither of these options is possible, you will have to manually configure the DNS settings on each individual device, which is tedious but effective for targeted blocking.&lt;/p&gt;

&lt;h2&gt;
  
  
  Advanced Filtering and Maintenance
&lt;/h2&gt;

&lt;p&gt;The default gravity list provided by Pi-hole is a great start, but you can significantly improve your security posture by adding specialized blocklists. The community maintains lists specifically for telemetry, tracking, and known phishing domains. You can add these URLs in the Adlists section of the web interface. Be careful not to over-block, as aggressive lists can sometimes break legitimate services like streaming video or banking apps.&lt;/p&gt;

&lt;p&gt;To maintain your installation, you should periodically update the gravity database and the core software. The gravity database, which contains the actual list of blocked domains, updates automatically once a week, but you can trigger a manual update via the dashboard or the command line. For software updates, use the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pihole &lt;span class="nt"&gt;-up&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Monitoring the Query Log in the web interface is also a critical task. It allows you to see blocked requests in real time. If a legitimate site is not loading correctly, you can identify the blocked domain in the log and add it to the Whitelist with a single click, ensuring a balance between strict security and daily usability.&lt;/p&gt;

&lt;h2&gt;
  
  
  Want to go deeper?
&lt;/h2&gt;

&lt;p&gt;Our &lt;a href="https://lorikeetsmart.com/blog/products.html" rel="noopener noreferrer"&gt;Home Network Security Setup Guide&lt;/a&gt; covers router hardening, VLANs, Pi-hole, WireGuard VPN, and firewall rules end to end. $19, instant download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://lorikeetsmart.gumroad.com/l/hnssg" rel="noopener noreferrer"&gt;Get the Network Security Guide&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Related Posts
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/home-vlan-setup-guide.html" rel="noopener noreferrer"&gt;How to Set Up a VLAN on a Home Network&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/wireguard-vpn-setup-home.html" rel="noopener noreferrer"&gt;A Practical Guide to Deploying WireGuard on Your Home Server&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://lorikeetsmart.com/blog/network-monitoring-free-tools.html" rel="noopener noreferrer"&gt;Essential Free Tools for Professional Network Monitoring and Troubleshooting&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://lorikeetsmart.com/blog/pihole-setup-guide.html" rel="noopener noreferrer"&gt;lorikeetsmart.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>networking</category>
      <category>security</category>
      <category>linux</category>
      <category>homelab</category>
    </item>
  </channel>
</rss>
