OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: fabian on August 10, 2016, 05:10:09 pm
-
- migrate to PHP 7 and Phalcon 3
-
OTP
Make it configable when OTP is used (e.g. Login via WAN you need OTP, LAN you need no OTP)
OTP
Offer to enter the OTP in a extra field instead of before the "normal" password
GUI - Reporting
Use the given Interface name instead of the "technical" (e.g. opt7 is named as WAN 100Mbit but displayed in Reporting as opt7) (Reporting- Settings)
GUI- Debugging while vpn
make it more live in viewing logs while trying to make vpn connections for better understanding why its not working - or filtering logs for each connection to make it easier identify
VPN - SSL VPN (WEB-VPN)
take a look at https://service.tu-dortmund.de/ssl-vpn-web-vpn or https://www.barracuda.com/products/sslvpn?L=de for example
GUI - Console
a console in the GUI
GUI - Rework of the Interface Overview
The overview is better, but I think it can be better. For Example Status Color, direct links to edit
for example is the dashboard view for me really better than the special site for the overview
GUI - Reference to my Point GUI- Debugging while vpn
While working on the interface or the settings of things a popup with the live view of what happening to debug
GUI - OPENVPN
Adminstrable Settings to customize the Site for the normal clients to download when they log in to export their profiles
GUI - OPENVPN/Firewall
Customizable Profiles with specialed firewall settings. Make it possible to define for groups or user special firewall settings for user/groups.
SQUID Settings
for multiwan situation more customizing options in the squid config site
GUI - Firewall log
make it work that a click on the block button shows why the connection was blocked
perhaps make buttons to make a rule to allow the connection
GUI - Diagnostic
Make a new menu point with diagnostic tools
Apinger / Gateway Status
make it customizable (time between ping etc.)
THANKS FOR YOUR WORK
-
Uh, Phalcon 3 is out? Shiny.... 8)
Here are some of my items:
o FreeBSD 11
o Suricata and Squid as a plugin
o Single-slice nano with growfs
o Screen reader optimisations
-
PIE base is already done and PIE ports is nearing completion. Dogfooding PIE ports in HardenedBSD first. But wait! There's more! Also included will be RELRO + BIND_NOW. :)
-
@Andreas: The german forum has already a topic for SSL VPN: https://forum.opnsense.org/index.php?topic=1279.0
-
right @fabian
its a try to get it on the roadmap :D
-
- more customizing options on the squid.conf
- sarg or lightsquid features fully integrated
:)
-
- gui option for bandwidth throttling one or more domain
-
-
Change behaviour of opnsense so that answer packages on the WAN interface will be send to the originator in the same WAN subnet and not always to the (upstream) gateway,
-
fail2ban plugin - especially useful for those of use using it in a hosted VM and have to enable HTTPS WAN access. Currently I've moved the HTTPS port from 443 to keep script kiddies out, a configurable fail2ban would be useful to those testing to deploy on Linode/DO.
And it's a great plugin that's useful for almost every public facing network service.
-
@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).
-
Can you please take Captive Portal with Multi-WAN in this release?
-
@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).
Nice! Any chance this could be made port/application agnostic and configurable via the web interface? It could then be used for slowing down brute force attempts of any network facing services.
-
Add RADIUS support for IPsec authentication and accounting.
Currently IPsec supports just PSK and RSA, since we currently already support adding external RADIUS servers, let strongSwan forward authentication and accounting traffic to the same RADIUS server if selected.
FreeRADIUS and Microsoft NPS are tested as working by strongSwan and shouldn't be too much effort to integrate.
This would require strongswan be compiled with '--enable-eap-radius'. Specify the RADIUS server IP + auth and accounting port in '/usr/local/etc/strongswan.d/eap-radius.conf' and set 'rightauth=eap-radius'.
strongSwan also supports DAE with RADIUS.
'The Dynamic Authorization Extension allows a RADIUS backend to actively terminate a session using a Disconnect-Request, or change the timeout of a session using a Session-Timeout attribute in a CoA-Request. The extension is enabled using a dae section in the eap-radius configuration.'
See https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
-
@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).
Nice! Any chance this could be made port/application agnostic and configurable via the web interface? It could then be used for slowing down brute force attempts of any network facing services.
Not very likely, it monitors logs (using syslog) just like fail2ban does and triggers on messages but isn't pluggable like fail2ban is (it does the job and is lightweight).
In most situations the services/applications you would like to protect don't run on the firewall itself, which requires a fail2ban like solution on the machine behind the firewall if you want to protect for failed login attempts.
-
Add RADIUS support for IPsec authentication and accounting.
Currently IPsec supports just PSK and RSA, since we currently already support adding external RADIUS servers, let strongSwan forward authentication and accounting traffic to the same RADIUS server if selected.
FreeRADIUS and Microsoft NPS are tested as working by strongSwan and shouldn't be too much effort to integrate.
This would require strongswan be compiled with '--enable-eap-radius'. Specify the RADIUS server IP + auth and accounting port in '/usr/local/etc/strongswan.d/eap-radius.conf' and set 'rightauth=eap-radius'.
strongSwan also supports DAE with RADIUS.
'The Dynamic Authorization Extension allows a RADIUS backend to actively terminate a session using a Disconnect-Request, or change the timeout of a session using a Session-Timeout attribute in a CoA-Request. The extension is enabled using a dae section in the eap-radius configuration.'
See https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius
Our solution for RADIUS is different, because the authenticator in our setup doesn't have to know the technology behind it. This makes it harder to plugin specific features of a provider (like RADIUS accounting).
At the moment we use a custom patch (https://github.com/opnsense/ports/blob/4eab82ac4d2939d092e8e83dd80c69714e7220a7/security/strongswan/files/patch-src_libcharon_plugins_xauth__generic_xauth__generic.c (https://github.com/opnsense/ports/blob/4eab82ac4d2939d092e8e83dd80c69714e7220a7/security/strongswan/files/patch-src_libcharon_plugins_xauth__generic_xauth__generic.c)) to support this, eventually we plan to switch to pam
We'll keep the issue on GitHub open, you never know if someone has a good implementation idea and time to work on it. Given our limited time, it won't be realistic to put it on our roadmap.
-
Ipsec rsasigkey
Probably not as good as certs but much easier to implement/manage. Better than PSK.
-
The road map is now online: https://opnsense.org/about/road-map/
-
Mind blown, wow :)
-
Just started using OPNsense and looks awesome.
If we have following features would be nice..
Proxy report : should be able to view internet usage reports user and group wise, total download, upload, policy violation attempts, and drill down reports where you can see each and every websites that has been accessed by particular users. PFSense has package "lightsquid" for reporting.
Command line console: web based command line console to access and perform usual functions (ping/telnet/ssh/etc)
MTR :
Multiping: ping multiple nodes at the same time to analyze L2 and L3.
-
I'd like to see some substantially improved Wi-Fi driver and chipset support for all of the newer vastly improved M.2, PCI-E and USB3 Wi-Fi devices out there.
The current WI-FI support and development on both Opensense and Pfsense is atrocious really with regards to Wi-Fi. All you ever hear is buy a stand-alone access point; same old, same old.. :))
It's like we've been living in the stone ages whilst technology has been evolving a million miles an hour. Mean while even the cheapest routers out there are rocking far superior tech where Wi-Fi performance is concerned, so how about jump in on that action? ;D
Best place to start Dev is with the M.2 2230 Intel Dual Band Wireless AC 8260 so I can stop moaning. lol
-
Hi SOUK,
This is a fun topic. :)
From a full perspective it sucks and I agree. There are, however, multiple sides to this story:
1. BSDs have fragmented goals. FreeBSD focus clearly is enterprise storage. It's fast, shiny, but in terms of embedded hardware support including WiFi is not very good. NetBSD has the embedded hardware parts. OpenBSDis the network routing champion. All of them have the issue of newer hardware taking longer to integrate than Linux. None of them have the combined strength of the Linux kernel that is shared with the whole Linux community.
2. For *sense and other products it's not a core focus per se. Can try to be better than FreeBSD, but only to a limited amount, mainly for the hardware that is sold by the respective vendor and you have the typical appliance type business model. The appliance support is topped up, but only for the hardware at hand.
3. It requires at least a paid kernel driver hacker to get anywhere. We do not have this in OPNsense.
What we really need is multiple vendor interested in selling WiFi hardware (2) coupled with FreeBSD, who can do the work (3) to make the kernel better. We as OPNsense can carry patches as a staging environment for FreeBSD, ship these changes way faster than FreeBSD could, reaching the vendor's users in no time.
FWIW, FreeBSD 11.0 is around the corner for us, maybe that will help with the general state of WiFi hardware support a bit.
Cheers,
Franco
-
- Asterisk / VoIP / SIP gateway in GUI or as a good addon
ISDN is dying and providers and telefone companies switch all to VoIP solutions. Many router companies like AVM, Lancom, Vigor, Zyxel already have some VoIP capable solution but lack so many other things that many users now have a firewall like OPNsense, Sophos etc. in front and another router behind for their VoIP stuff. Would be nice to see a single OPNsense solution. :)
- Should be able to do SIP-Trunkung
-
@zeitkind
- Asterisk / VoIP / SIP gateway in GUI or as a good addon
yeah and this strong with second pppoe dial in for voice! ;D
-
hello,
i started to use opnsense some weeks ago and i appreciate the web interface and your development approach very much.
i think that the best improvement could be a new policy editor that can create rules with multi source, destination ip and ports.
Using aliases and nested aliases does the job but it is very inconvenient. Recently i also noted that sophos and endian has implemented this kind of feature.
If opnsense had a policy editor like this i think that could compete better with other commercial solutions.
-
Hi ryuken,
this does already exist - it is a port alias
-
Hi fabian,
i know that aliases can be used but rules are created/edited always with only one entry (for source, destination and ports) with alias or not.
My suggestion was related to the possibiliy to add multiple entries without using aliases (like commercial firewalls).