OPNsense Forum

English Forums => General Discussion => Topic started by: clownschiff on March 17, 2022, 03:42:14 pm

Title: OPNcentral viable for MSP?
Post by: clownschiff on March 17, 2022, 03:42:14 pm

I would like to know if someone has enough experience with OPNcentral to tell me if it is viable for a Managed Service Provider scenario.

We have a bunch of customers with OPNsense firewalls that we manage. Now that OPNcentral is out of beta, we are considering to manage the customer firewalls with it. It would be enough to just trigger updates and see the general status of the firewall and the most important services. Configuration would still be made on the firewall itself.

There are two things that come to my mind, that could make it difficult for us:

• We don't want to establish a "management vpn" to our customers if this is necessary.
• Some of the clients don't have static WAN IPs.

Are these two points necessary or are there some other restrictions that could make problems?

Title: Re: OPNcentral viable for MSP?
Post by: Meik on May 01, 2022, 04:48:45 pm

Hi clownschiff,

For MSP, it's partly usable.
Best with a stand-alone instance (not using as Firewall only for managing / OPNcentral).

All or nothing from a category is the thing  :-\
For every OPNsense select from the Provision classes you want to deploy.
E.g. Aliases - create Aliases, all Aliases deployed on every selected OPNsense.

(Aliases, Auth Servers, Captive Portal, Certificates, Cron, DHCPD, DHCPDv6, DHCPv4: Relay, DHCPv6: Relay, Dashboard, Dnsmasq DNS, Firewall Categories, Firewall Groups, Firewall Log Templates, Firewall Rules, Firewall Schedules, IPsec, Intrusion Detection, Monit System Monitoring, NAT, Netflow / Insight, Network Time, OpenSSH, OpenVPN, Shaper, Static Routes, System Tunables, Unbound DNS, Users and Groups, Wake on LAN, Web GUI, Web Proxy, WireGuard)

- VPN is not necessary, access the Web Interface from the OPNcentral running Host must be given, every way is ok ;).
Create a Allow List for your static IPs where the OPNcentral is running, allow Access from WAN on the Client side.
- You can use DYNDNS-Address if no Static IP is available.

For Firmware overview it's ok, to central show the status of Services, and Resources this makes it easy for an overview.

Best Regards - ADI