Secure Your OPNsense Network with Zenarmor NGFW!

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

so today I am taking a look at a nextg firewall package for open sense now open sense is of course my absolute favorite open source firewall router Zen armor is not open source but I'm still taking a look at it anyway cuz if you use open sense it's a package you might want to consider it's especially useful if you're in a larger environment where you have some requirement to do blocking so you might be familiar with something like DNS base blocking using adg guard home or py hole both of those certainly work and they have their use case but if you actually need to inspect traffic on the wire flowing over your network Zen armor is a tool that will do that now Sunny Valley cyber security the makers of Zen armor they did send me a license to make this video but no money changed hands they'll see this review the same time you do let's get started on this adventure so if we're going to call something a nextg firewall we probably need to get behind the marketing fluff and understand what that really is so most firewalls today have essentially two different options and how they can deal with filtering so at the most basic level we have SIMPLE Access Control lists these are really commonly used in networks today to protect layer 2 segments things like preventing DHCP or router advertisement hijacking these are really basic they basically look at the contents of a packet and decide if it should pass or not and that's all they do they can't associate multiple packets with each other you can look at Fields like the Mac addresses the IP addresses UDP TC P ports protocol numbers things like that that's all you have access to is information in one packet or Mac frame going up a layer from there we have the modern stateful packet firewall this uses connection tracking to match up packets that belong to an existing session so I'm appal I write some firewall rule that says Apple art May access the internet then I write another firewall rule that says the internet may not access anything so what happens when I send a packet out to YouTube I expect YouTube to respond to me with some data but if I just had a simple stess firewall the firewall wouldn't know that my request expected a response it wouldn't match those two up together so that's what a stateful firewall does it keeps track of existing sessions and it uses rules from the first packet in the session and matches up uh subsequent packets so if my rule says Apple ARS allowed to connect to the internet I initiate a connection to YouTube YouTube responds that packet coming in from YouTube isn't a foreign packet from the Internet it's matched up with an existing session and that session was allowed because it was initiated by me so that's the mod connection tracking stateful firewall that's what open sense does is its bread and butter layer three layer four stateful packet filtering this is also what a lot of people confuse with Gat as being security but really the connection tracking can be done on V4 and V6 just as well Nat doesn't need to be involved in that so what do we do for the next level of security the NextGen firewall marketing term essentially what a nextg firewall is is a class of deep packet inspection firewalls that take a look beyond the layer three layer four headers and connection tracks They look at the contents of these packets and they try to understand the application Level traffic that's going on so Zen armor in particular and most ngfws are designed to protect client access so users that are accessing the web they're accessing other applications on the internet this is connections that are going out ordinarily your firewall would probably have a rule that says normal computers are allowed to access the internet and maybe you have some IP block list that block certain countries or things like that at the IP level maybe you block certain ports if you have a specific need to do that so what a firewall like xen armor is going to do is it's going to try to classify packets based on their protocol if there's specific peer-to-peer protocols that have notable signatures it can detect that um if they're HTTP or TLS traffic it's very easy to see what the website going to is that'll be in the Sni header of a TLS connection if it's unencrypted HTTP that's just all out in the open to be inspected and so doing this method means that all of the traffic is going to get filtered and you have a lot more granularity on especially web traffic but also web adjacent traffic too um to be able to detect and filter it now of course you could use DNS based blocking but that only works if your client's Cooperative so if you're running a school network for example your clients are almost never Cooperative they're going to find any excuse they can to get around the firewall and so you're going to need something a little bit more aggressive than just DNS now what this is not going to help you protect is your servers so this is primarily looking at threats such as websites you don't want your users to visit websites that could be dangerous to your users things like that known malware command and control servers um most of that stuff shouldn't be happening on a server Network anyway if you have a problem with your servers connecting to chat GPT on their own you probably should be pretty scared of those servers so another neat thing about Zen armor is that it is just the NextGen firewall it is not the base operating system so you can install Zen armor on Linux or BSD um But it includes a package for open sense that's much more tightly integrated with open sense than their Linux or BSD offerings so if you run zenr armor on Linux or on BSD you can build out the whole nextg firewall but there's no user interface local you have to use their Cloud manage system however with open sense they brought their whole management system onto the local open sense box so if you use Zen armor with open sense it's fully local aside from licensing now the other thing that may or may not be local is your database so Zen armor needs a database back end it supports mongod DB and elastic search and if you use mongod DB you can run that on the open sense firewall as well the package will help you with that my experience mongodb is rather slow and if you're in a big environment you're probably going to want to be using elastic search however I did try to set up elastic search on a proxmox system and elastic search decided that I was not worthy of the amount of ram it needed it's extremely Ram hungry and it would just quit so anyway with all that said let's get started on installing Zen armor on open sense so we can see what that process is like and get it set up so got my little protect Le firewall we're going to install Zen armor on this let's see how the process goes so Zen armor has a page on how to install it but it's really quite simple we basically just have to add the plug-in add the package package for open sense nice and easy so over here on my open sense system I'm going to go to system firmware status and click check for updates we have to be on the most recent minor version for whatever major version you're on so if I'm on Major version 23.7 I have to to be on the most recent minor version yep there we go no updates available so currently the time of this writing is 23711 so if you're not already up to date do an update to open sense first then we'll continue with the install so now we go over here to plugins and we search for sunny so Sunny Valley is the name of the company that runs Zen armor so here we go so OS Sunny Valley we click plus and we wait for that to install that's going to install the repository onto open sense and from there we can install packages from the the sunny Valley repository so they're not distributed by open sense just this kind of pointer to the repository is so once we install this pointer then we can go into packages and install the package so now that that's done we go back to the plugins Tab and we see a couple more things happen so Sensei Sensei agent Sensei updator so Zen armor used to be named Sensei so the package is called Sensei so we click Plus on that guy and say install so now we just wait for this to finish and then it should show up on our sidebar okay so once we see the D then we can refresh this page so now on our sidebar we have Zen armor so it's going to ask us to do some initial setup the first time so we have to read the terms and conditions Etc now we have to choose our database uh I would definitely not recommend SQL light that's probably going to be real slow I used local mongodb so at this point we're going to install mongod DB or you could set up and configure a remote elastic search server if you're running a network with like a decent number number of actual users that's probably the approach you're going to want to take there's quite a bit of data coming in um elastic search does a better job at indexing it and things like that even though elastic search needs an outrageous amount of memory so now we're going to install mongodb and we'll come right back okay so we're done with mongod DV so we click next so we have a couple different options here if you're running Zen armor you probably care about more than just reporting you probably want to do blocking too so in general we want L3 mode so we're going to pick that and so I have options on what interfaces I can pick so I'm going to just pick both of them so that'll be my Lan and I don't know we'll call this guy there so we got two different security zones and two interfaces and there we go so you have the option of choosing your license here or you can start with the free edition here we go no email required and here we are so now that's done let's go ahead and set it up so while I did just set it up in an example I'm actually going to use my own router on my own network for these demos so I've had Zen armor running for over a month now on my home network and I've gotten a feel for how it works how to set things up Etc so I'm going to go through that process again on my network now we're going to see how that looks so we're here in the dashboard so when you install an open sense you get a new tab here so we've got the usual stuff firewall routing Services Zen armor so I'm just at the dashboard here you can see stuff's going on I'm running mongodb not well not a lot going on right now so one of the cool things we can do is we can bend things into devices so this guy here says they found 86 devices on my network it'll try to do reverse DNS and see if we can figure out what they are so some of them got a host name that way or by inspecting DHCP packets so it discovered these devices on my network it shows their legacy IP address but under the hood it does actually match all their V6 addresses correctly so I believe it's actually filtering by Mac address and not by IP so we can see these are all of them I Got No cameras I got some desktops gaming that's not a gaming console it did its best it tried to filter these guys those are all laptops some of these are mobiles that is a TV most of these are a these four are access points that one's a camera so we'll go move him over to cameras and I think he is Keyhole one so I could go through these and categorize them all so big store is a server Corona is a server Columbia is printer basically if I go through this process and I categorize all my devices then I can add filter rules based on category instead of having to call out individ idual devices so depending on how you manage your network this could be very useful it could be not super useful but uh I thought it was a pretty cool feature that I liked so despite me liking the devices page there are a couple quirks you should be aware of especially if like me you're running a very complicated IPv6 mostly network using dhtp option 108 it does not seem to be particularly happy with that exact setup if you're running a normal dual stack Network you're probably fine so over here I got a bit of a demonstration here so I search for spaceship 3 that's the name of my laptop so I name most of my devices after space related themes my desktop is White Knight 2 my first laptop was spaceship 1 and then spaceship 2 which is this beautiful plane here and the next one on the sequence would be spaceship 3 which doesn't exist yet in the real world so anyway search for spaceship 3 I expect to get spaceship 3 which used to have an ipv4 address of 17 22781 so it found this device a while ago and it called it spaceship 3. loal which makes sense because it probably saw some mdns traffic from it and it categorized it as others so that's a laptop um and nothing is wrong with this except this is not spaceship 3 anymore so in an IPv6 mostly Network we adverti dhcpv4 option 108 I have a video upcoming on this so I didn't make a video on that topic yet but basically if a device is capable of acting without ipv4 it can choose to reject its ipv4 address over DHCP and Apple devices all support this and they have done that so this device used to have that address it no longer has that address it now has no ipv4 address so it'll have a couple of IPv6 addresses one of which is a IPv6 clat translation so it will create its own ipv4 address on the Local Host give that a corresponding V6 address in the V6 space and translate V4 packets using 464xlat which is beautiful so this number here 1922 that is the cat number so if we come down here to Wikipedia there's a range here that was reserved for DS light and this range for DS light is also used by 464xlat for gateways so now Zen armor has found every device in my Network that has a cat all of them use 19202 which is part of the DS Light range as their calad address and somehow it can't figure out how to differentiate them and I guess that makes sense if you think about IP addresses as addresses but if it looked at the MAC address it would realize that these are all different machines so in this case it says this spaceship 3 is actually Lou's iPad and I would bet this is actually Louis's iPad and this one here just has an fe80 I guess we can just delete that one because we need to keep f8s around this one is suzan's iPad but it's also spaceship 3 this one is actually spaceship 3 that one is also spaceship 3 and that one is Louis's iPad that one is spaceship 3 yeah so it's a bit confused on my 464xlat setup here I'm guessing most of you are not doing 464xlat at home but even if you're not it's still gets a little bit confused by slack privacy addresses sometimes these are the IPv6 addresses that changed daily so coming back here to the 236 new devices I have if I view those a lot of these say other device it's like this one I don't know what it is it's 130 I could go look it up but I can't be bothered so but it has an ipv4 and same with this one I not bother to look that one up either but they exist and they're probably real this guy here he's got a V6 address and this guy here he's got a V6 address to and it hasn't been able to identify it it's still says initial identification in progress and so if I click down all these other devices all of them just have a V6 and they don't have a V4 so what's happened is it's trying to identify a device and once it identifies it it kind of locks that in so for a given device it'll try to find its Mac address its V4 and its V6 then when the V6 changes it sees a new device and it's like well this device already has a V6 so it can't be that one right and it's not putting all of the v6s together which is a bit odd um if you were on an Enterprise Network running dhcpv6 you would never have seen this so my guess is that their test setup doesn't use slack with privacy addresses which makes sense to me why they wouldn't have seen this but it's also a bit of a frustrating issue for me as someone who does use slack with privacy extensions that it's not grouping these devices together properly when they change their V6 address and then of course I have five pages of these and all of them are V6 devices we detected some number of days ago so I could merge these with parents if I could figure out what their parent was but if this was a temporary address six days ago it probably doesn't even exist anymore and I should probably just delete it so device page very useful at the start this little Quirk Mak it a lot less useful to me that said if your device is there and you write a rule based on a specific device it'll actually use the MAC address and it'll catch all of the V6 addresses even if it didn't group them together properly on the devices tab so that functionality still works it's just that the devices tab will have a bunch of extra devices for all these temporary privacy addresses that aren't real I mean the addresses were real but they're not real anymore they've expired so next up after we've categorized our devices we can start creating policies now policies are one of the things that changes with license levels that's something to be aware of so here on my setup here I have the default policy you're always going to have a default policy and all devices that don't fit into any other category will always take the default policy now in addition to the default policy there's one other option you have that's to block untrusted devices so back in the devices page we could Mark devices as trusted or untrusted you have the option here to say untrusted devices have no access at all and then beyond that trusted devices fill into the default policy or additional policies beyond that if you have a free license the default policy is what you can do the home license allows two additional policies and Beyond there you have more flexibility in creating policies with business or Enterprise licenses also all of this only applies to interfaces that are running Zen armor so in my case I'm only running Zen armor on My Lan interface not my server interface so my servers aren't affected by these policies because Zen armor isn't protecting that interface so I've chosen for my default policy to be pretty open in here I've chosen to block pretty much just malware and dangerous things I'm not filtering what my users can access other than things that are actually dangerous to them so let's take a look now at what we're capable of filtering on within a policy what options do we have so for non-default policies love more of the configuration tab we'll get to that in a bit but then the other tabs we have are security app controls web controls and exclusions so each of these are essentially a type of traffic or a type of category that we canable able and disable filters on so first tab is security we have all of these categories in essential and advanced and we can choose to allow or block essentially anything from these categories so these are not terribly specific they're probably getting these lists from other sources but we have known DNS over hdps malware sites fishing sites hacking related sites I like those those are fun and other stuff like that and then down a bit further we have some more stuff unique stuff you might want to block or allow that one might want to be blocked that one's new some of these aren't necessarily insecure on their own like DNS over htps or DS tunneling but they allow your user to evade certain types of blocks and so blocking them here might be a good idea depending on your use case now Zen armor is still blocking based on TCP TLS web traffic so even if your user does evade DNS they still won't evade Zen armor but sometimes those things are just nice to block anyway so next up we have app controls this is where we have a lot of things we can look at lots and lots of categories to drill down into if you want to block a common website there's a good chance it'll be in here so for example AI tools every school now is trying to block chat GPT boom look chat gpt's blocked Google bar they're blocked too oh wow look at all these guys but I could just come up here to category and I could block the whole thing so subcategories there's 26 AI Tools in here to look at don't have have to click all 26 we can just block them all same with ads 352 subcategories going on here so these are different um ad networks we can scroll through and they're just they're all here all over now I'm not going to comment on sites that will ban you or otherwise prevent you from using their site if you block ads no idea how that works um I didn't rely on this for ad blocking I use a in browser ad blocking extension so this wasn't something that was need for my particular use case but it's something that's certainly here if you want to look at it block yeah so even stuff like IMAP or pop 3 these are protocols these aren't websites but we could block IMAP and POP 3 if we wanted to some of these are Web Mail some of these are not so security mail so s IMAP and spop 3 these would be SMTP or secure SMTP so some of these again are based on it's like bit torrent is going to be based on a protocol filter if it detects bit bit torr like packets AFP that's also a protocol cifs that's the samba protocol um Dropbox also has their own protocol some of these are websites some of these are protocols so common theme Here is that we don't only have websites we can block like we would be able to in DNS we're also able to inspect the type of traffic whether that's the port the TLs header the alpen which is the alpn application Level protocol negotiation which is part of TLS so if you're doing a secure transfer even on Port 443 it can still tell if it's not https like if you do like say secure IMAP or secure POP 3 on Port 443 it's still going to tell the server it wants to do IMAP and this can still detect that if we go down here like Network management we have all the big stuff that we would normally allow so like domain name resolution you probably don't want to be blocking that one but we have some other options too llmnr everyone's favorite mdns everyone's other favorite if your users keep doing vpns too you don't want that to happen we got you here so we got all the major VPN sites but then in addition to that we have the IPC protocol but if you're using IPC you could block that one if you're using mulad you could block them openvpn is again a protocol we could block openvpn Point too tunneling protocol tour who else do we got wire guard zero tier no need to block a tail scale that'll get caught by the wire guard filter and lastly web controls so web controls are a bit different from application controls application controls is more focused on large categories of sites specific sites specific Networks Network protocols vpns things like that web application is more based on content filtering so these are going to be where some organization and that's part of why you pay for Zen armor to get feeds of this kind of stuff but somebody has gone to large numbers of domains on the internet and tried to put a name on what category they belong to and so these are sites that may not be as major as the ones in the application side we're not blocking all of Google for example we can come here we could say no adult sites no tobacco go they also have some templates here for moderate control and high control depending on what your environment you're in you might just want to pick High control and be done with it so moderate control is going to block adult advertisement hate and violence drugs okay the really good stuff and then High control is going to add on the more mediocre stuff so this would be like blocked at work blocked at school pretty normal blocking stuff but not Sports we got to have our Sports can't block that one and last up the exclusions tab if you have something getting blocked by the filter accidentally you can exclude it here I personally haven't had to use this but uh I don't know I'm not that aggressive on what I'm blocking so now that we've taken a look at what we can configure in a policy let's go through the steps to set up a new policy for a student Network so over here I've got a Ubuntu VM this is going to represent my my student computer we're going to try to set up a new student policy add this device to that policy and see what we can block so coming over here to the policies tab again we're going to create a new policy for students so we're going to go here and edit this policy so because this is not the default policy we actually have a configuration tab now so there's a number of different items in the configuration tab we can configure from the device type the MAC address the IP address VLAN tags things like that all of these options are Ed together so if we say we want to be on VLAN 9 and the IP range and Mac address all of those have to fit the only exception to that is devices and Mac addresses are treated as an or because internally a device is a MAC address with a name in my experience most of the time you don't need to specify all of these things so most of the time you're going to be picking a network and then you're either going to use an IP range or you're going to use devices or Mac addresses not all of them at once so in my case I'm going to say I'm using ib1 that's the only interface I'm actually protecting with Zen armor I could add a v on need but I don't need to I can come down here and look at devices IPS or Mac addresses if I were actually trying to protect student networks I would probably have like separate subnets for them I could just put those interfaces in here be all done with it wouldn't have to specify individual devices but if I wanted I could go in here and pick individual devices so I could say so my VM is called Apple art VM I can add that as a device in theory you can add device categories too but they didn't work for me I have no idea why adding smart glasses should add the VM that is part of a smart glasses category but it didn't you can see here this is actually the MAC address of the VM so come here put the MAC address in or I could add an individual IP address things like that at the very bottom we have users and groups so Zen armor supports integration with open senses captive portal and also with active directory I'm normally not a Windows person I don't have active directory I use a Macbook and all of my servers run Linux no active directory in this house however the open sense capture portal could be useful and lastly we have time schedules we'll get to that one in a bit so my VM it actually adds the MAC address and so even if this gets new IPv6 addresses later it'll still catch it CU they all share the same Mac address of course your devices could change change their Mac address that's what student devices like to do so what you probably actually want to do is make the default your most restrictive so B everyone under default and then whoever you want to give less restriction to put them in a less restricted higher tier and exclude them if you try to go in an allinclusive you're going to be battling people change their Mac addresses all the time kids know how to get around blocks is what I'm saying so then we're going to enable this so that actually works and then come on over here and block ai go ahead caught Google bard soy to go Google bard we got an error but if we try to go to it keeps trying to redirect us to the Cure site that one's blocked so next up if we need to do any troubleshooting they have a log viewer that makes this very nice and handy to see who's going where so over here we go to live sessions so there's a lot of stuff going on but we're going to filter and this is one case where the device category does work so I'm going to pick smart glasses and there we go so here this device tried to go out to Google bard and it is a student policy and it got blocked so if you're having trouble things getting allow or blocked you can come here take a look see what policy got dumped on whether it was loud or blocked what went on there so now let's take a look at some of the analytics we get with Zen armor so last on my T Zen armor features we have the analytics if you've worked in it for a while you know that higher up people like to see pretty graphs even if they're completely meaningless that's why UniFi is so successful with their dream machine family lots of pretty graphs no function for them can Zen armor do better so here's what my main page looks like like here so it says I've detected detected some threats and blocked less of them so I guess it's insinuating I should fix my rules to block more things a lot of these are malform DNS packets and I'm not sure why it's flagging though so I guess have to look at that more closely this guy is our top host here it's probably my desktop top apps media streaming actually maybe this is a TV yeah could be could be my laptop I guess I don't know so we also have some basic status how things are going so I'm not using the cloud agent because I'm just using the local UI within open sense we're running mongodb we're using a whack ton of memory and our CPU is not the happiest with us but that's okay so next up we can hop onto the reports tab which is where the actually useful information is should also note the reports tab is kind of slow if you use mongodb presumably this would be better with elastic search there's a lot of data here it takes a little while to load it just doing a quick look so Amazon Instant Video is real popular today the last six hours and that's all by TV devices which makes sense so someone's streaming a crap ton on the Apple TV and it's these two Apple TVs which makees sense now I can also go up here to filter and I can add a whole bunch of good stuff here so let's say for example I want to see I can pick a specific device out of this so I pick you that' be my desktop let's see what my desktop has been up to secure web browsing Discord duck ducko quick Google Bing mazilla MSN who the hell uses MSN but yeah this is the detail of a specific host is obviously just the desktop because it's just one device um we are going to the firewall a lot which why do we go to the fire oh because I've been recording this video on the firewall yeah we've been doing a lot of data there next up we have the threats tab let's see what this is going to load for us so it has detected a lot of DNS over https and some proxies and we appear to be allowing DNS over htbs and blocking proxies mazilla Cloud oh yeah that's firefox's default of overriding your local DNS and iCloud mask appears to be being blocked do yeah this all looks a bit normal to me all the way down here top countries that's the center of the United States that is probably not the most geographically useful how about we increase that a bit that's um still the center of the we have the United States and we have the city of Chicago how beautiful not the most useful so similar to the threats tab the blocks tab has everything that's been blocked proxies Park domains the usual stuff hopefully this gives you a feel for what kind of data you can expect to find in Zen Arbor if you're looking at it for analytics data is certainly there depending on what you're looking at it might not go that far back historically if you're using mongodb they only recommend storing two days of data so if you're trying to look at a problem you're probably going to be looking at it in the short term and looking at long-term trends which probably makes sense cuz if you're using some sort of long-term analytic solution you'll probably bu using something like influx DB or Prometheus to store your data there's also no way to export your data Beyond mongodb or elastic search you can have it forward your data to remote elastic search server separate from the elastic search server you're using locally but there's no export to something like inflex DB or an API like that to a Time series database so you guys have come along in my tour of Zen armor I've been using it for about 2 months now as of the end of this video I started at about a month and I started making the video and I've learned a lot about how Zen armor Works what it's good at what it's not good at if it's useful for me or not so to answer your questions first of all am I going to be keeping Zen armor no that doesn't mean it's not a good product but I don't think it's useful for my home use case I am not particularly aggressive about filtering content of my users uh most of my users are adults that can manage themselves I'm not trying to block people from getting to their favorite websites on the internet I'm not running a business I mean I do YouTube but I'm not running a business with employees I'm not running a school I don't have users who I need to restrict their access to anything that's why I don't feel like Zen armor is going to be helpful for my personal use case that said if you're an administrator running a larger Network like that Zen armor may be a great solution for you so don't Direct ly work in school it but I do work with a school I'm a robotics coach and so I'm somewhat familiar with the challenges they face and trying to restrict student access and it's not even always that they necessarily want to but they're required to for certain contractual or legal reasons and so if you're in that sort of scenario as an IT admin you have to implement something Zen armor could certainly be a choice for you to implement now another topic that comes up a lot in nextg firewalls is TLS inspection that's something I am strongly opposed to so General if you're doing TLS inspection you're going to stop all TLS transactions at the firewall the next gen firewall you're going to inspect the full HTTP traffic then you're going to resign them with a um locally signed certificate for your clients all your clients are going to be forced to accept your locally signed certificate that's going to be generated on the Fly for each site and this breaks a lot of things so a lot of modern apps rely on the security of TLS and when you break that end end encryption your client knows something is up and you can tell Windows you can tell Mac OS to trust that your firewall is actually good but a lot of apps aren't going to believe it so get for example has its own trust store doesn't believe Windows is trust a lot of apps will do certificate pinning they'll check to make sure that the certificate is actually issued by them and not by someone else so a whole bunch of apps will break because you've broken this chain of trust between your users and their website between your software running on your user computers and their website so my opinion is that if you're worried about the sort of threats that he lesson would deal with you should just block those websites out right but again that's my thought also on a related note I did eventually find out that those 250 some devices that were all previous temporary IP addresses those don't count towards your license because they're not active they're just there clogging up the display so there's that um I don't think there's anything else to say about z armor but you have any questions I have it running still and you feel free to ask me in the comments I have a Discord server link down below if you want to chat with me about networking topics I'm always there always responding got a great Community um this video is not directly sponsored obviously they sent me the license but that is it so I'm making this open sense series on my own if you like to support me in the work I do I have a link to my Kofi down in the description below as well and as always I'll see you guys on the next adventure

Info

Channel: apalrd's adventures

Views: 9,806

Rating: undefined out of 5

Keywords:

Id: khC9TQ4pJqA

Channel Id: undefined

Length: 36min 25sec (2185 seconds)

Published: Mon Jan 22 2024