Hardware firewall to block ad servers?

    I found an interesting summary on a wiki that YouTube "right to repair" enthusiast Louis Rossmann put up. He suggested I could use a hardware firewall and pfSense as a firewall, and use pfSenseNG as an ad blocker. Or use OPNsense as a similar alternative. Seems like it would be easy to set up, but it only runs on the hardware supported by BSD. (I'm sure the developers and maintainers of BSD are super-busy and cannot support every single piece of hardware out there, so I can't fault them.)

    The trick, apparently, is to "assign IP address lists from sites like I-blocklist into a single alias, then choose a rule action". (This is good, since blocking ad servers with a giant HOSTS file really doesn't work.)

    It seems that ipfire (a slim, hardened Linux running on the current 6.6 kernel) offers this capability too. I've got some great hardware I would like to use. Socket FM1 (17cm by 17cm main board), AMD 5350 chip (4 cores, 1.8333 GHz, 25 watts) with 16 GB RAM and a $25 DRAM-less SSD I've got lying around. I would plug the AT&T fiberoptic modem unit into the onboard ethernet jack on the mini-ITX firewall system. For wifi, I would plug in my PCI-E TP-Link N900 (WDN-4800) (both 2.4 GHz AND 5 GHz radios).

    Would OpenWRT on my Linksys WRT-AC1200 let me use this "alias" thing? I have looked, but not found, any evidence that I could do this.

    My AT&T fiber-optic modem/router/gateway failed a week ago. I think I have now set up "passthrough mode" properly on the new one, so the WRT-AC1200 will do DHCP service (hand out IP addresses when a new device is turned on) and give wifi service (Alexa is working, ROKU is probably back also). I would like to just substitute the mini-ITX AMD 5350 system in place of the WRT-AC1200 if possible, and if it doesn't work, put the WRT-AC1200 back in and try to figure out what I did wrong (the problem with this whole "network and internet" thing is when communication fails, I have no idea where or why the failure happened -- and no idea how I should troubleshoot it).

    I don't understand this topic very well. I understand dropping outbound requests to, or incoming packets from, "porno dot com" for every computer in my home network. I understand how businesses might want to allow weird ports to be open for employees that use specialty software (or even common software like instant messenger clients).

    Where would I get some examples of aliases?

    #2
    openWRT already has a good adblock app - i'm using it.
    https://openwrt.org/packages/pkgdata/adblock

      #3
      Wow. That's incredible. Thank you! Unfortunately, I cannot use it. Because:

      (1) When I change settings incorrectly, I must reset the AT&T fiberoptic modem. I don't REALLY know enough to change the settings intelligently. And when I reset the modem, it often does not reset properly. Sometimes the AT&T fiberoptic unit "somewhat" works, but it will be very slow, or it will let me go to some websites but not others.

      (2) Sometimes the AT&T fiberoptic unit will work, and I can change the settings by going to http://192.168.1.254. And sometimes I can also see the settings on the WRT-AC1200 by going to http://10.165.249.151. But the WRT-AC1200 settings page will be unreachable if there is a 20 second power outage or reboot. I must turn the Linksys off, then walk down the stairs to remove 120 volt power from the AT&T unit. 20 seconds later I do those things in reverse.

      (3) The WRT-AC1200 has two boot partitions, and it seems to alternate between them whenever you upgrade the firmware. I upgraded from factory firmware to OpenWRT. I can choose "revert to previous firmware", so it will boot from the OpenWRT partition next time. But this does not actually work. If I reboot into Linux Mint, and type "sudo ssh 192.168.1.65" (which is where I believe the WRT-AC1200 is located) and then type my Linux Mint administrator password, I get the following message:

      192.168.1.65 port 22: Connection refused.

      I was supposed to get a command prompt, where I could check which partition was active, and instruct it to choose the other one next time and then tell it to reboot immediately. But that didn't work either. So it will probably have the factory firmware forever. I upgraded the old WRT-54GL 1.1 to DD-WRT (it is sitting on the floor of my kitchen right now) but upgrading the WRT-AC1200 is beyond my ability.

      I'd love to get this to work, but I think I'm going to need to hire someone here in town. And before you say "buy a Netgate or Synology hardware solution", remember -- I must instruct the fiberoptic modem to work with this thing I bought, or it is just a fancy decoration. And I don't seem to be smart enough to do that.

      Computer networking is not like a car -- if the headlight does not work, and the bulb is good, and the fuse did not blow, and the switch did not fail, then the problem can be traced with a volt meter to figure out where the wire is broken. But if a 1500 byte packet disappears because it is routed incorrectly, I'm not smart enough to know what happened, and there are no error messages to tell me. Years ago (1988 I think) I spent over 12 hours staring at a terminal in the room with the university mainframe trying to troubleshoot a simple for/next or gosub/return loop (I had to take a class in BASIC). I couldn't make the loop work until the person minding the mainframe accidentally gave me more help, I think, than he was supposed to. Would that surprise you?

      I do appreciate your suggestion. I passed a difficult 2-day exam for the accounting profession, but I am too stupid to make a network work. I will probably have to hire someone here in town.
      Last edited by Hondaman; 02-06-2025, 06:48 AM.

        #4
        trying to understand all this.
        so the fiber modem feeds the wan port on the ac1200,
        and the ac1200 feeds the house?

        192.168.1.65 port 22: Connection refused. could be several things,
        why port 22?
        use the web browser to go to the i.p. without a port number but with https - let the router sort that out.
        or don't type http:// just put the number in.
        maybe you should get a cheap Chinese 18650 based ups for that router - if it only holds up for 10 minutes it will be good enough.

          #5
          Yes, I want the fiberoptic modem unit to feed the WRT-AC1200, and the WRT-AC1200 to feed the house. Right now, the wireless is turned OFF in the fiberoptic modem. And yet I can wirelessly access the fiberoptic modem's settings at 192.168.1.254, AND the Linksys settings page at 10.165.249.151. I thought the Linksys would block me from seeing the settings page at 192.168.1.254, but I guess not.

          So maybe I already achieved what I wanted, and maybe I can write down the settings on the WRT-AC1200 and substitute the 25-watt passive-cooled computer? I'll need a keyboard, monitor and mouse to change the settings on it, and configure the wireless, then I can set up auto-login in case of power failure. Then configure the ad-blocker and let my 25W computer do its work.

          (I found a FANLESS Seasonic 460 watt PSU, sitting UNUSED on a merchant's shelf since it was manufactured 8 or 10 years ago, I'll buy it in a few minutes. And I have seen many videos of Chinese E-bikes and "BYD" cars burning. So I will use the APC UPS-1500 I already have in my house. The battery is fresh, and from a trusted supplier.)

          Can the TP-Link N900 wifi card (Atheros 9380 chip) use both radios at the same time? Win7 and Linux on my main computer (same wireless card) never use both radios at the same time. If I want to run many devices using wifi at the same time, will the 25 watt ipfire linux hardware firewall operate both radios at once? I guess I'll have to try it to find out.

          I thought this was a case where the fiberoptic unit was handing out dotted quads to my devices in the 192.168.0.X space, and the Linksys was handing out addresses in the 192.168.1.X space, but obviously that might not be true, and it might not even be relevant, and it is more complicated than that.
          Last edited by Hondaman; 02-08-2025, 12:34 AM.

            #6
            Look at the third-party "for-profit" repair manual for my car. "Power is generated by a 4-cylinder engine (gas only, no diesel), transversely mounted in the front. Power is transmitted to the front wheels through either a 4-speed automatic or a 5-speed manual transaxle, through equal length halfshafts." I omitted steering, brakes and suspension, but you get the idea.

            Here is my "Networking for Dummies" book that I am re-writing (only discussing IPv4 in this post):

            Routers (switches and gateways also?) analyze packets that are usually 1500 bytes long, attempting to flow in either direction. The source and destination of packets (presumably contained in the packet, and expressed as "dotted quads" between 0.0.0.0 and 255.255.255.255) are examined according to a series of rules, and if permitted, they are passed out of the device on to their destination. Rules can also silently drop the packets or reject them back to the sender. Rules can be made to drop outgoing packets sent to various domains, or packets sent by unauthorized users or computers. For example, a request to download the "/index.html" top landing webpage on a forbidden domain (website, FTP server, possibly others), would be dropped. Incoming packets can be restricted to only certain users or "subnets" (maybe with a separate sub-set of dotted quads like 192.168.3.X?). Incoming packets can also be examined for their source (from a forbidden dotted quad) and destination (only certain users are allowed to get these packets), just like outgoing packets.

            (This is called "stateful packet inspection". And if a packet is part of a connection that was previously established and allowed by the rules, it is automatically allowed through.)

            Also note that packets are sent and received on "ports". There are 32,768 of them. Because of tradition (established by various RFCs, establishing the standards), some of the first 1,024 are used for common services like HTTP/HTTPS (web pages), SMTP (e-mail) and so forth. The rest can be used by anything, as long as the sending and receiving computer agree, and the rules (of intervening equipment) do not drop or reject the packets.

            Packets for one purpose (HTTP, e-mail, FTP) that come in on a non-standard port can be rejected, correct?

            Private home or business networks are in a "private" address space with dotted quads that are either in the "192.168.X.Y" address space or the "10.165.X.Y" address space, where X and Y are numbers between 0 and 255. Public web servers like corporate websites cannot use these "private" address spaces out on the world-wide web, correct? When Ford car company established a website, those in charge of DNS (ICANN?) would not be dumb enough to allocate "ford.com" to resolve to 192.168.X.Y, right?

            No, I have no idea how to make sure your mail server has a "reverse DNS lookup" or if that has any bearing on the "rules" discussed above. I have no idea how to lock an e-mail server so it is not an "open relay" for spam. I don't know if packets on an e-mail port can be checked to see if the sender's dotted quad actually belongs to that e-mail server ("spoofing the sender"). And I don't know if e-mail packets, on e-mail ports, can be checked to see if the recipient "John_Smith@domain" actually exists. Maybe that is the job of "Microsoft Exchange Server" or other mail server software.

            Everyone should please feel free to answer the questions I have asked here.

            I also did not mention, in my little "mini-wiki" how typing "ford.com" causes a query to a DNS server, where the correct dotted quad is obtained, and the surfer's web browser really asks Ford Car Company's "dotted quad" for the web pages. The dotted quads assigned to any server (web pages, e-mail, FTP, whatever) can change, but this is avoided, since it can take a day or so for the worldwide DNS "recordkeeping" servers to reflect the change. Do e-mail servers and packets (and FTP servers, and other protocols) also use DNS or something similar? Please post in this thread if you know the answer. And I also did not discuss how popular websites like Google, Yahoo, or other high-volume websites buy "load balancing" from their ISPs (which is really additional servers) so many megabytes per second worth of packets for web pages, e-mail traffic, FTP downloads, etc can all appear to be located at the correct dotted quad, coming from and going to many concurrent users.

            I'm just a retired Amazon clerk who never used the accounting skills or the heating and air conditioning training I received. I hope I can get this whole "networking" thing to work.
            Last edited by Hondaman; 02-08-2025, 12:31 AM.

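The rule model sketched in post #6 (ordered rules that pass, silently drop, or reject a packet, with already-established connections let through automatically) and the "fold IP lists into a single alias, then pick a rule action" idea from the first post, as an added worked example. This is not code from the thread, pfSense, ipfire or any blocklist provider; every address is constructed from documentation ranges, and the alias text format is a stand-in for a downloaded list.

```python
"""Toy first-match packet filter with address aliases (added example)."""
from dataclasses import dataclass
import ipaddress


def parse_alias(text):
    """Turn blocklist-style text into a list of IPv4 networks.

    One entry per line: a plain address, a CIDR block, or a first-last range
    (optionally prefixed 'label:' as in some downloadable P2P-format lists).
    Blank lines and '#' comments are skipped. Text format is an assumption.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" in line:                      # strip a 'label:' prefix
            line = line.rsplit(":", 1)[1]
        if "-" in line:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass", "drop" (silent) or "reject" (answer the sender)
    src: str = "any"                 # alias name or "any"
    dst: str = "any"
    dports: frozenset = frozenset()  # empty means any destination port


class Filter:
    def __init__(self, aliases, rules):
        self.aliases = {name: parse_alias(text) for name, text in aliases.items()}
        self.rules = rules
        self.state = set()           # flows a "pass" rule has already allowed

    def _in_alias(self, name, addr):
        if name == "any":
            return True
        ip = ipaddress.IPv4Address(addr)
        return any(ip in net for net in self.aliases[name])

    def decide(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state or reply in self.state:
            return "pass"            # stateful: established connection, either direction
        for rule in self.rules:      # first matching rule decides
            if (self._in_alias(rule.src, pkt.src) and self._in_alias(rule.dst, pkt.dst)
                    and (not rule.dports or pkt.dport in rule.dports)):
                if rule.action == "pass":
                    self.state.add(flow)
                return rule.action
        return "drop"                # nothing matched: default deny


# Constructed aliases. LAN is the 192.168.1.0/24 space used in the thread;
# AD_SERVERS stands in for a downloaded blocklist (TEST-NET-2 addresses).
ALIASES = {
    "LAN": "192.168.1.0/24",
    "AD_SERVERS": "# constructed blocklist\n"
                  "adnet-example:198.51.100.0-198.51.100.127\n"
                  "198.51.100.200/29\n",
}

# First-match order: drop ad traffic silently (the page loads without the ads),
# let LAN hosts browse the web, reject other outbound traffic so the LAN host
# gets an immediate error; unsolicited inbound traffic falls to the default deny.
RULES = [
    Rule("drop", dst="AD_SERVERS"),
    Rule("pass", src="LAN", dports=frozenset({80, 443})),
    Rule("reject", src="LAN"),
]


def run_demo():
    """Push a handful of constructed packets through the filter."""
    fw = Filter(ALIASES, RULES)
    return [
        fw.decide(Packet("192.168.1.65", 51000, "198.51.100.42", 443)),  # ad server
        fw.decide(Packet("192.168.1.65", 51001, "203.0.113.10", 443)),   # normal site
        fw.decide(Packet("203.0.113.10", 443, "192.168.1.65", 51001)),   # its reply
        fw.decide(Packet("192.168.1.65", 51002, "203.0.113.10", 25)),    # outbound SMTP
        fw.decide(Packet("203.0.113.99", 4444, "192.168.1.65", 22)),     # unsolicited inbound
    ]
```

Note that the reply packet passes only because the outbound request was recorded in `state`; the same packet arriving cold would fall through to the default drop.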
              #7
              Originally posted by Hondaman:
              1: Packets for one purpose (HTTP, e-mail, FTP) that come in on a non-standard port can be rejected, correct?

              2: Public web servers like corporate websites cannot use these "private" address spaces out on the world-wide web, correct?

              3: Do e-mail servers and packets (and FTP servers, and other protocols) also use DNS or something similar?

              I'm just a retired Amazon clerk who never used the accounting skills or the heating and air conditioning training I received. I hope I can get this whole "networking" thing to work.
              I, first, must say that "dotted quad" = IP address. Please use the term IP address when discussing networking and/or computing topics. Unless I'm missing something...

              A1: Firewall Rulesets determine what packets are either accepted, or rejected, or dropped.
              A2: A public website will have a public IP address. A public IP address is required for the world to reach any specific website; however, DDNS works well and also accomplishes that task. DNS maps domain names to IP addresses. That is its purpose...
              A3: Yes email clients/servers and pretty much everything that accesses the Internet utilizes DNS.

              I, personally, have loved pfSense since the moment it was booted on my hardware for the first time.

                #8
                pfSense is clearly nice. But I don't know about the [BSD] hardware. I don't think my Asus P5GC-MX would be a good choice. I'm sure I can get decent USED hardware from eBay, but what do I look for? Louis Rossman suggests an Intel X540 PCI-E ethernet card with two ports. Which means I would need a wireless access point (unless you can get a wifi card with both radios and Intel chips that are more likely to work with BSD). Will the WAP try to hand out IP addresses in the 192.168 space (or the 10.165 space), conflicting with the pfSense hardware? Will the WAP have both radios? I don't want a situation where every problem I solve causes more problems.

                What hardware do YOU use? Do you have both radios?
                Last edited by Hondaman; 02-08-2025, 04:12 AM.

                  #9
                  start by fixing the fiber modem, it's all kinds of fucked up if wifi doesn't turn off and you can use it to get into settings.
                  check for a firmware upgrade for that security bug.
                  if you don't find one then mail the makers and tell them they have a security bug that needs fixing fast.
                  and post here the make & model - let's give them a damned good incentive to fix stuff.

                    #10
                    Actually, I think the fiberoptic unit might be working properly. I might need to hold down the red "reset" button for a good length of time, like more than 5 seconds. When I come back upstairs, and the modem's settings page has changed to a page that says "waiting to determine your type of broadband connection", I think this shows I did it right. Last time I reset it, I did it right. I suggest it is working properly right now. All websites come up reasonably quickly.

                    Interesting story: years ago (probably 1996 - 1998), before web hosts monitored, tracked and monetized you with all these "tracking cookies", I ran special software on my Windows 3.1 computer (EDIT: that did the same thing, nowadays ISPs use cookies to regularly report server-side stuff like page views to the "dot-com" client). The software was sent to me by the Nielsen company, the same company that measures the popularity ratings of radio and TV shows here in the US. Every 6 months, for about 3 years, they sent me a $50 US Savings Bond as payment. I got 5 or 6 of them stored in a safe place.

                    If I ping www.badcaps.net, the pings time out. If I ping www.microsoft.com, it works fine. Maybe there is a server-side reason for this I don't know about. I would think you could ping EVERY website, but maybe if the badcaps website is hosted on an ISP's rack-mounted equipment (along with many other client websites), ping doesn't work...

                    I have some ideas about my network, but it could take a few days (or weeks) to test my theories. Watch this space.
                    Last edited by Hondaman; 02-09-2025, 05:18 PM.

                      #11
                      set your fiber modem as a passive modem,
                      use the ac1200 as the DNS server and set the DNS servers in it to private ones that are not owned by government or ISPs etc.
                      look here:
                      https://www.opennic.org/

                      because using default DNS servers leaves you vulnerable to tracking, re-direction and even blocking.

                        #12
                        That is basically what I am trying to do. I THINK I have successfully set up the AT&T fiberoptic unit as a "pass-through" device. As for DNS, here is Louis Rossmann's "Introduction to a Self-Managed Life":

                        http://wiki.futo.org/index.php/Intro...ing_in_pfSense

                        Every time I type a website that does not exist, I see an AT&T (American Telephone and Telegraph) page. In the past, I have tried to over-ride this, but I cannot. Louis mentions something in there about how to fix things so the ISP CANNOT over-ride my choice of DNS server. I will look at it later.

                        During the Super Bowl tonight, I realized I might have perfectly good hardware for pfSense (BSD-based). When I went to the basement, what was on my AMD 5350 Mini-ITX system? TrueNAS, which is based on FreeBSD. I played around with that several years ago. It worked and booted up, but I never used it. TrueNAS was 80x25 text mode, so I don't know if pfSense will like my 5350's "system on a chip" graphics. As for networking, continue reading.

                        BSD famously does not support wireless chips AT ALL. So I purchased an Intel X520-AX2 card (used) from eBay. It has two 10 GB WIRED ports on it, perfect for the PCI-E (x16) slot on my passive-cooled mini-ITX system. I also bought a TP-Link AX-1800 wireless access point. I think I can make everything work properly, but it could be a week or more before all the parts get here.

                        If pfSense (BSD) doesn't like my graphics hardware, I'll just use ipFire.

                        because using default DNS servers leaves you vulnerable to tracking, re-direction and even blocking.
                        I should clear my browser cookies (and maybe cache and browsing history) every few weeks. Years ago, up until Firefox 2.0.0, I had a plug-in that would let me accept or reject every single cookie (when FF was updated after that, the plug-in was no longer available). When I went to a new website, I would allow cookies that were set to expire in one year. But if I saw one that was set to expire in 2037, or even the year 2300 (yes I did see this), I would reject them.

                        My next post should be more about the mini-wiki I am building in this thread.
                        Last edited by Hondaman; 02-09-2025, 11:28 PM.

                          #13
                          The AT&T unit (HUMAX BGW320-500), according to the "settings" page, gives out "private" IP addresses between 192.168.1.64 and 192.168.1.253. This is how it came from the factory, but all four parts of the IP address can be changed (which could be dangerous -- read on). DHCP is currently turned ON, wireless is currently turned OFF. When I look at the Linksys settings, it is capable of handing out addresses from 10.165.X.Y. Right now it is set for 10.165.249.100. Maximum users is set at 99. The Linksys limits me to typing in numbers between 1 and 155.

                          So I think I know what's going on here. The AT&T unit is in "passthrough" mode. DHCP is ON, so it gave a "private" address (192.168.1.65) to the Linksys. If I then plugged in a WIRED computer to the AT&T unit, it might be given 192.168.1.66. After that, if I turned on and set up the wireless in the AT&T unit, and typed the encryption key into a laptop, the laptop might receive 192.168.1.67.

                          The Linksys ALSO has DHCP turned on. So if I plug in a WIRED computer to it, it might receive an IP address of 10.165.249.101. If I then set up the wireless in the Linksys, which I did, the Linksys will give out unused IP addresses in its range (10.165.249.100 to 10.165.249.199 at present).

                          So you CAN HAVE more than one router with DHCP turned on. Each router will hand out addresses in its assigned space, to wired clients (and wireless clients, if the router has a wifi chip in it).

                          In fact, corporate routers and switches won't limit you to a small range like my consumer-grade Linksys (10.165.X.Y). They will let you use any legal "private" address (see the internet for a full list of these, one example is 192.168.0.0 all the way to 192.168.255.255). Corporate equipment will also have MUCH more powerful processors, capable of handling MANY more connections at once. Corporations will also have range extenders, and a "mesh" setup. Both Amazon buildings I worked in had HUNDREDS of wireless access points mounted on ceilings, and they would "hand off" my laptop's wifi signal as I pushed my laptop on its cart down the length of the building. But corporate equipment (indeed, this whole paragraph) is beyond the scope of my little wiki.

                          I wanted to set up several more computers (ethernet only, since that is faster) and plug them in to the AT&T fiberoptic modem, and then boot them while connected to the Linksys, to prove they got IP addresses in the range each router was "supposed to be" handing out. I have two more of those mini-ITX boards and a couple of other computers I can assemble from parts, but I am confident this is how things will work, so I am posting this now. I'll test my theories soon.

                          It should be noted here that if you want to have different wireless stations broadcasting, they MIGHT be able to have the same encryption key (can they? Someone please tell me) but for good practice, they should have different keys. And they DEFINITELY need different NAMES (and use different wifi channels, but most consumer equipment today automatically selects the best channel for the least interference).
                          Last edited by Hondaman; 02-10-2025, 12:17 AM.

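The cascaded-DHCP picture in post #13 (the AT&T unit handing out 192.168.1.64 to 192.168.1.253 behind 192.168.1.254, the Linksys handing out 10.165.249.100 onward for up to 99 clients) and post #15's "never use 0 or 255", as an added example that checks such a setup the way a practitioner would. It is not code from the thread or from either router's firmware; the /24 subnet masks and the use of the Linksys settings address (10.165.249.151, post #5) as its LAN address are assumptions, and the "bad" pool is constructed to trigger the checks.

```python
"""Sanity checks for the DHCP pools of two cascaded routers (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DhcpServer:
    name: str
    router: ipaddress.IPv4Address    # the router's own LAN address
    network: ipaddress.IPv4Network   # the LAN subnet it serves (mask assumed /24 below)
    first: ipaddress.IPv4Address     # first address in the pool
    last: ipaddress.IPv4Address      # last address in the pool


def from_start_and_count(name, router, network, start, count):
    """Describe a pool given as 'start address plus maximum clients', the way
    the Linksys settings page in the thread expresses it."""
    start = ipaddress.IPv4Address(start)
    return DhcpServer(name, ipaddress.IPv4Address(router),
                      ipaddress.IPv4Network(network), start, start + (count - 1))


def check_pool(s):
    """Return a list of findings (empty means the pool looks sane)."""
    findings = []
    if not s.network.is_private:
        findings.append(f"{s.name}: {s.network} is not RFC 1918 private space")
    if s.first > s.last:
        findings.append(f"{s.name}: pool start {s.first} is after pool end {s.last}")
    if s.first not in s.network or s.last not in s.network:
        findings.append(f"{s.name}: pool {s.first}-{s.last} leaves subnet {s.network}")
    # post #15: the all-zeros and all-ones host addresses are reserved
    if (s.first <= s.network.network_address <= s.last
            or s.first <= s.network.broadcast_address <= s.last):
        findings.append(f"{s.name}: pool includes the network or broadcast address")
    if s.first <= s.router <= s.last:
        findings.append(f"{s.name}: pool includes the router's own address {s.router}; "
                        "confirm the firmware excludes it")
    return findings


def pools_overlap(a, b):
    """True if the two routers could hand out the same address."""
    return a.first <= b.last and b.first <= a.last


def check_cascade(upstream, downstream):
    """Check each pool, then check that the two sides cannot collide."""
    findings = check_pool(upstream) + check_pool(downstream)
    if pools_overlap(upstream, downstream):
        findings.append("the two DHCP pools overlap")
    if upstream.network.overlaps(downstream.network):
        findings.append("the two LAN subnets overlap; routing between them is ambiguous")
    return findings


# Values from the thread; subnet masks and the Linksys LAN address are assumptions.
ATT = DhcpServer("AT&T BGW320", ipaddress.IPv4Address("192.168.1.254"),
                 ipaddress.IPv4Network("192.168.1.0/24"),
                 ipaddress.IPv4Address("192.168.1.64"), ipaddress.IPv4Address("192.168.1.253"))
LINKSYS = from_start_and_count("Linksys WRT-AC1200", "10.165.249.151",
                               "10.165.249.0/24", "10.165.249.100", 99)
# Constructed bad configuration: a pool that runs up to .255 and swallows the router.
BAD = from_start_and_count("constructed", "192.168.1.254", "192.168.1.0/24",
                           "192.168.1.64", 192)


def thread_findings():
    return check_cascade(ATT, LINKSYS)
```

With the thread's values the only finding is that the Linksys pool (.100 to .198) spans its own settings address, which is worth confirming in the firmware; the constructed pool trips both the broadcast and the router-address checks.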
                            #14
                            dns lookup can be done by the o.s. or the router,
                            normally the o.s. is set to use an external dns lookup but you can put an address in instead.
                            same with the router - normally it asks the isp for a dns, but you can override it manually

                            get the ac1200 running first and stop trying to cause yourself more problems with the pfsense box.

                            in fact grab a laptop and change the dns to one from that link.
                            then plug it directly into the fiber modem and try to access some sites real and fake.

                            did you put openwrt on the 1200 yet?
                            https://openwrt.org/toh/linksys/wrt1200ac

                            i can build a custom version if you want with added mesh networking and built-in adblock and maybe the ability to tether it to a phone to use 4g if the fiber goes down.
                            although the fone bit isn't 100% - it depends on the fone

                              #15
                              your dhcp range is limited by the firmware,
                              openwrt lets you go from 1 to 254 pretty much.
                              never use 0 or 255 - they can have special uses like global broadcast.

                                #16
                                Oops. Edit post #12. BSD does indeed support wireless chips. I thought it did not. But I also thought the radios and processing power of the WAP and the Intel PCI-E card would be better. It seems my PCI-E Atheros 9380 card is nicely supported in BSD, but it might give terrible results if I try to download a Linux distribution while watching a movie on my Roku device. I don't know.

                                did you put openwrt on the 1200 yet?
                                No. The WRT-AC1200 has two different partitions. I put OpenWRT on one, but I can't make the router switch to that partition (even if I go into the settings and click on "revert to previous firmware" and then "apply"). There were some "ssh" commands to check the partition and make it switch, but I have not been able to get them to work. What do I type? How about "sudo ssh 10.165.249.151 <command to view active partition>"? When I am prompted for my password, I suppose I'll use my Linux system's admin password? Will the router reject my command because I never supplied the router's password? This is just a little more complex than I think I can handle. And passwords, just like networking, won't tell you why you failed.
                                Last edited by Hondaman; 02-10-2025, 12:40 AM.

                                  #17
                                  a fresh openwrt install has no password -just press enter.
                                  as for the dual partitions,they alternate so just upgrade twice

                                    #18
                                    I'm sorry, I cannot just upgrade twice. I upgraded at least 5 times, but I did it wirelessly, which might not have worked. I should have done it with an ethernet cord. Also, a week or two ago the Linksys downloaded a firmware update. This update might have removed the ability to switch to third-party firmware (it might have also removed the ability to ssh into the unit). They might have even removed the "secret counter" that records 3 unsuccessful boots before booting the other partition. Perhaps the only way to recover the unit is to solder connectors for a "console", which is beyond my ability.

                                    Also, when I walked over to the WRT-AC1200 a few minutes ago, the power adapter brick was cold, not warm. My voltmeter says it is providing 12 volts, but I suspect it won't provide the proper voltage OR current when the WRT-AC1200 is actually switched on. Windows 7 no longer sees the wireless access points (2.4 GHz OR 5 GHz), so I suspect the power is insufficient.

                                    I bought a used WRT-AC1900 from eBay, it may take a week to get here. I will NOT expose it to the internet until I flash to OpenWRT. When I plug my Win7 in to the LAN port on my old WRT-54GL (not exposed to the internet) I can find the settings page at 192.168.1.1 because I flashed it to DD-WRT years ago. Hopefully, flashing the WRT-1900 will go smoothly. THEN I can expose it to the internet.

                                    If I wanted to use my AMD 5350 board for an ad-blocking firewall, well, some people on the OPNSense boards suggested my hardware was not as good as it could be. Intel X520 2-port WIRED PCI-E card, plugged into a wireless access point, will not match the capabilities of the "system on a chip". They suggested a motherboard using the 6-watt Intel N100 chip, which could be somewhat better. But those boards start at $150. My mini-ITX is already paid for.

                                    It may take 2 weeks before we know anything further (maybe I'll put in the old 10/100 WRT-54GL with DD-WRT, I don't know). Until then, there is no wireless in my house. No music or weather from Alexa. But I do have some ethernet cable inside my walls, so I could use the ROKU to watch some movies.
                                    Last edited by Hondaman; 02-11-2025, 02:43 AM.

                                      #19
                                      maybe this is useful
                                      Attached Files

                                        #20
                                        Thank you. I got the WRT-1900 in the mail today. When I read the manual, I discovered I had to go to linksyssmartwifi dot com when there is nothing connected to the WAN port. A routine in the firmware will then bring up the settings page (192.168.0.1 no longer brings up the settings page for either the 1200 or the 1900). This is how I know both the WRT-AC1200 and the WRT-AC1900 still have stock firmware, NOT OpenWRT. And the "cold" 120-volt adapter brick for the WRT-AC1200 is NOT defective. (When there IS an upstream connection and you go to linksyssmartwifi dot com, you sign in with your Linksys account, and manage it from there.)

                                        I tried numerous times to install the correct OpenWRT image on both. I downloaded the "OpenWRT factory upgrade" image (for upgrading from Linksys to OpenWRT) for both. After shutting down both router and Win7, then restarting with no internet access, I uploaded through the GUI in the factory firmware. I rebooted, I chose "restore previous firmware", I turned both off and on quickly 3 or 4 times, used the red reset button on each, nothing worked. Either they just won't upgrade or I am just not smart enough.

                                        It will be several more days before I receive the rest of the equipment. I bought the Zyxel NWA90AX Pro wireless access point. I found "SFP to ethernet" adapters for the "rack-mount" ethernet connectors on my Intel X520 LAN card, but I did not buy them. I bought a 4-port Intel I350 PCI-E wireless card instead. It uses regular consumer ethernet plugs. The X520 won't be used at this time.

                                        I think I have the knowledge I need. The AT&T/Humax unit can be set to give addresses in a range I specify (let's say 192.168.3.32 to 192.168.3.64). The Intel I350 LAN card in the AMD5350 machine will get an address in that range. I will then use a keyboard, mouse and monitor on the AMD 5350 to make sure the Zyxel can give out 192.168.1.X, because the Zyxel seems to prefer 192.168.1.1 for the settings page. So my devices (Roku, Alexa, ZapperBox ATSC 3.0 unit, Galaxy S10+ Android phone) will have IP addresses starting at 192.168.1.2.

                                        (They say you can flash the Zyxel to OpenWRT, but after the last three days with no success on this Linksys hardware, I would rather kiss my car's hot exhaust pipe than use OpenWRT. Also, judging by the screen shots of the settings, the Zyxel's stock firmware has great features.)

                                        Then I'll need to work on the ad-blocking in pfSenseNG and the auto-login so the AMD 5350 will restart "headless" in the event of power failure. I could also use that spare UPS (APC UPS-1500). It has a fresh battery.
                                        Last edited by Hondaman; 02-14-2025, 11:07 PM.
