Hello all, if I have CINS Army enabled in a Protectli Vault with pfSense, is it necessary or recommended to also have CINS Army enabled in my UniFi control plane? Will this cause things to slow down or negatively affect my equipment's speed? Thank you!!
I don’t see any value in putting in anything other than pfsense if that is what is at the edge of your network.
It is, and thank you as always for your prompt and clear answers. I
Actually I would say that it depends, as always.
If you are blocking incoming connections using this list and pfBlockerNG, then yes, do it at the outermost router.
However, if you are using this in an IPS capacity like Suricata on pfSense or UniFi, you want to do that on a router where OUTGOING traffic still has its original source addresses. If you are NATing source addresses on a router that is internal and not your uplink to your ISP, you want to detect/block/log the traffic on that router, so you can see which internal IPs are contacting "bad external IPs". If you do it on a router that only sees NATed source addresses, the IPS log won't be of much use.
Logging bad external IP traffic that is incoming is not of much use, unless you are very curious. Just silently blocking this traffic is OK.
However, you definitely, positively do want to know which internal hosts are reaching out to these bad external IPs. Even if you are blocking it, you would want to log this and investigate what application is causing the traffic and what this bad external IP means.
If this traffic turns out to be fine, you can whitelist that "bad IP". If this traffic is undesirable but some app cannot avoid generating it, you continue to block it, but you can have a whitelist that filters such lines out of the log.
This is of course some effort and depends on what this network is (just a homelab or a big company?). The effort will go down with time as the whitelists / filter lists get closer to the traffic mix you have.
Only if you don't have the resources / capacity and capability to investigate these findings is simply silently blocking incoming and outgoing traffic to/from the "bad external IPs" the best answer.
Sorry, but I think this question doesn't really have as clear-cut and simple an answer as you had wished for.
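Putting the post above into practice, as an added example that is not from any poster, from pfSense/UniFi, or from CINS: a script that reads Suricata EVE JSON alerts (constructed sample records using documentation-range addresses; 203.0.113.5 is the assumed WAN address), reports which internal hosts reached listed IPs, applies the whitelist and the log-filter list the post describes, and flags alerts that carry only the NATed source address and therefore cannot be traced to a host.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON records (not real logs). 198.51.100.7 and
# 198.51.100.9 stand in for list entries; 203.0.113.5 is the assumed WAN address.
SAMPLE_EVE = [
    # internal host 192.168.1.20 reaches a listed IP twice: worth investigating
    '{"timestamp":"2024-01-01T10:00:01Z","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"CINS Army list hit (constructed)","action":"blocked"}}',
    '{"timestamp":"2024-01-01T10:00:02Z","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"CINS Army list hit (constructed)","action":"blocked"}}',
    # a second internal host, a different listed IP
    '{"timestamp":"2024-01-01T10:00:03Z","event_type":"alert","src_ip":"192.168.1.31","dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"signature":"CINS Army list hit (constructed)","action":"blocked"}}',
    # the same flow seen on the uplink router after NAT: only the WAN address is visible
    '{"timestamp":"2024-01-01T10:00:04Z","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"CINS Army list hit (constructed)","action":"blocked"}}',
    # inbound probe from a listed IP: silently blocked, nothing to investigate
    '{"timestamp":"2024-01-01T10:00:05Z","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","alert":{"signature":"CINS Army list hit (constructed)","action":"blocked"}}',
    # non-alert record, ignored
    '{"timestamp":"2024-01-01T10:00:06Z","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"UDP"}',
]


def triage_outbound(eve_lines, internal_nets, wan_addr, allowlist=(), suppressed=()):
    """Return (hits, warnings): hits maps internal source IP -> {listed dest IP: count},
    the outbound traffic the post says to investigate. allowlist holds listed IPs already
    checked and found benign (dropped entirely); suppressed holds (src, dst) pairs that
    stay blocked but are filtered out of the report."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(lambda: defaultdict(int))
    warnings = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        src, dst = rec["src_ip"], rec["dest_ip"]
        if dst in allowlist or (src, dst) in suppressed:
            continue
        if src == wan_addr:
            # the NAT point from the post: this router cannot tell you which host it was
            warnings.append(f"{dst}: source is the NATed WAN address; run the IPS inside the NAT")
            continue
        if any(ipaddress.ip_address(src) in n for n in nets):
            hits[src][dst] += 1
        # anything else is inbound from a listed IP: blocked silently, not reported
    return {s: dict(d) for s, d in hits.items()}, warnings


if __name__ == "__main__":
    hits, warnings = triage_outbound(SAMPLE_EVE, ["192.168.0.0/16"], "203.0.113.5")
    print(hits)
    print(warnings)
```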