Hi. I have used routers with Tomato firmware for many years. I love this software: rock solid, with many killer features in an easy form. OK, now I have FTTH, which needs expensive hardware for Tomato to handle the full speed.
So, I have a question. One of Tomato's features is the connection list, as in the attachments. I have full information: source/dest IP/port, bytes in/out per connection, and I can sort it by any criterion. I can toggle visibility by IP, etc.
Next, a great visualisation of transfer rates per IP. I can find who is causing high load or how much data is being transferred.
Is it possible in OPNsense to make views like in these photos? I have not found this on any router distro except Tomato. Yes, I can filter some info from the console, but this is very uncomfortable, takes a long time, and I cannot get the full set of data like from Tomato. In Tomato, a few clicks and I know everything.
And the third attachment.
Yes:
Firewall, Log View - current states
Reporting, Insight - traffic total, by source and by protocol
Bart...
I started OPNsense in a VM and yes, this looks much better than in pfSense. But still, in Insight I have IPs, not names; Tomato automatically resolves them (local and remote). Can OPNsense do this too? This fits the data from the first two photos better.
Third photo with data about transfer rates: Insight is not a solution, or I do not see it. Where do I click on a local IP and get a historical graph?
One more thing: QoS. In Tomato I check Bandwidth Limiter, set the IP/MAC and the max transfer for it. A few clicks and the IP is limited. In OPNsense I get a few pages with tons of options and do not see an easy solution; I must make queues, rules, pipes. Grrrr, I only need to limit one IP! Or make priority for DNS/www/ftp/whatever: QoS -> source/destination -> port/L7 -> bandwidth -> done. Easy and understandable. Powerful options in an easy and clear GUI.
In OpnSense we get extensive monitoring tools, each of which shows only a part of the necessary information. And there is no way to find something like that in Tomato. And it is precisely this type of charts with a minimum of redundant information that has caused that this firmware has been keeping its shape on the market for over 10 years. And no modern open source platform can even come close to that. Without tedious setting filters or breaking through hundreds of incomprehensible options. Click and after a few seconds you get a set of information - you can see if the computer has worms/rootkits, who occupies the whole band, etc. This is basic information about the network and should be available immediately in an understandable form. Why can't developers make it that simple in OpnSense for example?
And I still buy routers for Tomato for friends. Set and forget - works like a charm. A problem: a quick look in the GUI and I see where the problem is.
OPNsense shows many things.
And you can build your dashboard to fit your needs.
To see which device has malware isn't really possible because OPNsense can't take a look at your system, but IDS alerts will be shown (but you can't be 100% sure that your device isn't infected).
For an enterprise environment a log management/monitoring software is necessary and that's good.
You can monitor other devices centrally and that's important to do.
The documentation for traffic shaping is good, so it should be an easy setup, but with more possibilities.
OK, thanks. Sorry, maybe my last post was too pompous.
But I need a simple solution which works. OPNsense works, but configuration is too problematic. When I tested OPNsense I configured RouterOnAStick with one interface, and I could not find the option to enter an upstream DNS server - a basic option. Some time ago I needed to make a 3-WAN solution with failover/load balancing. I made the config from tutorials - it worked terribly. Problems with sticky connections; logins to banks or other sites almost always failed. I needed to make additional illogical profiles, and other miracles. I bought a cheap ER-X, ran the wizard config, set sticky connections and.... it works without ANY issues.
So, I suggest making the interface easier and condensing options into logical places.
How do I find worms? I have real-time connection lists; I can see connections to C&C, an upload to strange servers, or any other strange behavior. This is not perfect, but I always find problems with computers this way. This is the reason why I love this option. Or an old internet radio has time servers hardcoded that are not working today. In the connection list I find connections to port 123, make an iptables rule to make destination, put it in the custom firewall rules box - and it works. Easy and fast.
OK, maybe I'm too stupid for this solution. But please, use a router with Tomato for 2 days and you will see what I am talking about. Advanced options in an easy GUI. OPN is like Webmin: all available options are displayed, confusion level max; it is faster and easier to make the config by CLI.
You can't compare a full firewall with a simple router OS like Tomato.
Those are different things.
When you look at the competitors to OPNsense (Sophos,Watchguard,...) you'll see that OPNsense is the easiest one to configure and has the better UI.
But with more functions you have more options...
The basic stuff is easily reachable over Rules, NAT, ...
Maybe OpenWrt or something like that is the way you have to look at - a router OS, not an enterprise-level firewall.
And securing a network by manually looking at the connections is the wrong way.
Maybe you'll see some C&C servers.
But when a normal public server is hacked and used as C&C you'll not recognize it.
Yes, you are right, but advanced IPS have problems with it too. This was only an example. I know what to expect and I notice the irregularities. A clean and interactive connection list is useful in many situations. So far it has saved my ass many times. An easy option; it would be nice to see it in this form in OPNsense.
Quote from: lfirewall1243 on January 09, 2021, 06:48:36 PM
Maybe OpenWrt or something like that is the way you have to look at - a router OS, not an enterprise-level firewall.
No, OpenWrt is not suitable for anything more than an easy router with basic services. I have used it extensively: not stable, not feature rich, LuCI is very basic. Old DD-WRT can do much more than modern OpenWrt. But I can install OpenWrt almost everywhere; sometimes this is the only option to make the hardware live.
Quote from: lfirewall1243 on January 09, 2021, 06:48:36 PM
When you look at the competitors to OPNsense (Sophos,Watchguard,...) you'll see that OPNsense is the easiest one to configure and has the better UI.
But with more functions you have more options...
OK, I agree, but what is preventing the solutions I am talking about? All in all, it is a matter of reorganizing the script, adding options to the GUI. Do all advanced administrators feel better when it takes a few minutes to check a simple thing in the GUI?
But under Firewall - Diagnostics -> States... you see all active connections.
Is that the thing you are looking for?
With one interface in the VM I do not see this. In my home lab I cannot assign a second interface or make a VLAN. I must install it on hardware and check how this looks. Where do I find something like on the third screen?
OK, I checked. 2 years ago when I tested OPNsense I did not find these reporting options. Firewall -> Log View is the greatest tool I have seen in open-source routers: different from Tomato's but powerful and clear. Transfer rates in traffic reporting are even better than in Tomato: I see all IPs at one time; in Tomato I must select them one by one.
But where do I find historical traffic usage data for a LAN IP?
And one more question. When I have a media converter in an FTTH service I need to enter the VPI/VCI option in PPPoE. Tomato does not have this option, OpenWrt has; I do not see this in the PPPoE tab in OPNsense. Is this option available?
Quote from: bynio00 on January 10, 2021, 12:20:52 PM
And one more question. When I have a media converter in an FTTH service I need to enter the VPI/VCI option in PPPoE.
VPI and VCI are DSL settings and you shouldn't need them for a full fiber connection. When I used a VDSL modem for OPNsense, this was configured on the modem below the PPPoE layer.
Your media converter should just connect ethernet over optical to ethernet over copper.
Bart...
Orange requires this parameter. The media converter changes the media; it does not perform any other operations. The Funbox does everything else. I do not want the Funbox.
I installed OPNsense on a server and made it the main router gateway. And no, this is no replacement for Tomato. Tomato is much better, even without plugins. It is easier and has powerful options in a simple menu, not in thousands of places to enable basic functions. The options which I showed in the first post do not have an equivalent in OPN. Yes, they look similar, but in Tomato they work much, much better; the page with results is much cleaner and more powerful.
So, I must buy powerful hardware for Tomato - no other way....
You can't really compare them
Tomato is a router not a firewall.
Of course the UI is easier because of fewer functions which are connected like in OPNsense.
More functions = more options needed
It's like comparing a Sophos/Watchguard/OPNsense to a home router like Fritzbox, Huawei, ...
Yes, you are right. I selected OPNsense as the better alternative. Other distros are either extremely low on configurability or unstable. OPNsense has lots of options, and plugins can be a "killer feature", but maybe it is worth thinking about the GUI? I know pfSense is the source, but maybe it is worth taking the essential solutions from pfSense and rewriting all the rest to make it better and more intuitive? Monitoring is the most important function of the router/firewall; the provided plugins or internal functions are still not really usable for quickly finding problems with the network. Maybe a good idea is to make a submenu called "alternative menu" with a new look of menus which doubles the original menu but has logically grouped options, more logical than in pfSense. Really, I don't think OPNsense is bad, but it can be improved a lot, especially since we have a model to follow. If all this can be done in software 10-20MB in size, maybe it can be done even better in a full-sized distro. Tomato has its own problems too, I cannot do everything I want, but if a function is available then it is easily configurable and works like a charm.
Next one. In Tomato it is enough to ping a host from the UI for its MAC/IP to show on the devices list. Not DHCP, devices at all. I can click and make a static entry to quickly name devices in the network. This option has been there from the start of Tomato, ~15 years. In OPNsense I must make a DHCP client to show the IP in the list, or manually find MAC/IP entries. If I have many static IPs in the network, it is tedious work. Do advanced admins like to work like this?
Even with plugins I cannot easily see network graphs per IP or percentage link utilization per IP. I can select one IP, but not in relation to the whole. I cannot find a clear table with transfer rates for all local IPs in descending order. For ~15 years Tomato has had this, from the start. Do advanced admins not like easy graphs and tables to diagnose their own networks?
Maybe it is worth buying a cheap router with Tomato to see how many great options could be imported into OPNsense to make it much, much more friendly and usable, even without crappy plugins.
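
The table asked for in the last post (all local IPs ordered by traffic, plus the "who talks to port 123" check from the connection list) can be derived from a firewall state listing. This is an added example, not code from the thread or from OPNsense; the listing shape (modelled on verbose `pfctl -vss` output), the LAN prefix, the reading of the two byte counters as originator-to-responder and reply, and the sample data are all assumptions, and only IPv4 lines are parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, shaped like a verbose pf state listing (assumed format).
SAMPLE = """\
all tcp 192.168.1.10:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   age 00:01:23, expires in 23:59:50, 120:310 pkts, 9000:410000 bytes, rule 70
all udp 192.168.1.23:123 -> 198.51.100.7:123       MULTIPLE:MULTIPLE
   age 00:00:10, expires in 00:00:50, 2:2 pkts, 152:152 bytes, rule 70
all tcp 192.168.1.10:51300 -> 203.0.113.9:8080       ESTABLISHED:ESTABLISHED
   age 00:10:00, expires in 23:50:00, 900:200 pkts, 1200000:15000 bytes, rule 70
all tcp 192.168.1.42:40000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   age 00:00:30, expires in 23:59:30, 10:12 pkts, 800:5000 bytes, rule 70
"""

STATE = re.compile(r"^\S+ (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)\s")  # IPv4 only
BYTES = re.compile(r"(\d+):(\d+) bytes")

def per_host(listing, lan="192.168.1.0/24"):
    """Rows of (local_ip, states, bytes_sent, bytes_received, dest_ports),
    busiest host first. Only states opened by a LAN host are counted."""
    net = ipaddress.ip_network(lan)
    hosts = defaultdict(lambda: {"n": 0, "tx": 0, "rx": 0, "ports": set()})
    current = None                        # LAN host owning the state being read
    for line in listing.splitlines():
        m = STATE.match(line)
        if m:
            src = m.group(2)
            current = src if ipaddress.ip_address(src) in net else None
            if current:
                hosts[current]["n"] += 1
                hosts[current]["ports"].add(int(m.group(5)))
            continue
        b = BYTES.search(line)
        if b and current:
            # Assumption: first counter is originator -> responder, second the reply.
            hosts[current]["tx"] += int(b.group(1))
            hosts[current]["rx"] += int(b.group(2))
            current = None
    rows = [(ip, h["n"], h["tx"], h["rx"], sorted(h["ports"]))
            for ip, h in hosts.items()]
    return sorted(rows, key=lambda r: r[2] + r[3], reverse=True)

def hosts_using_port(listing, port, lan="192.168.1.0/24"):
    """Local IPs holding at least one state to the given destination port."""
    return [r[0] for r in per_host(listing, lan) if port in r[4]]

if __name__ == "__main__":
    for ip, n, tx, rx, ports in per_host(SAMPLE):
        print(f"{ip:<15} states={n:<3} sent={tx:<9} recv={rx:<9} ports={ports}")
```

The counters cover only states that are currently open, so this is a snapshot of active connections, not the historical per-IP usage asked about earlier in the thread.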