OPNsense Forum

English Forums => General Discussion => Topic started by: Supermule on June 06, 2015, 02:11:01 pm

Title: WISH LIST for OPNsense
Post by: Supermule on June 06, 2015, 02:11:01 pm
Hi there

Currently testing OPNsense in a home environment to get familiar with it. Compared to pfSense, I would like to suggest some improvements to OPNsense.

1: Packages. I need Snort, Squid, Lightsquid, Cron, Open VMtools and a file manager to easily edit files.
2: GUI. Themes and widescreen support. I scroll a lot in OPNsense compared to pfsense.
3: Widgets. Ability to move them around would be great. So would having System Log widget available.

More to come later :)
Title: Re: WISH LIST for OPNsense
Post by: DownloadDeviant on June 06, 2015, 03:43:47 pm
Totally agree with all of the above! I'll add to this -

Forgive my constant referencing of pfSense, as it is the only FreeBSD exposure I have ever had router-wise.

#1 - EDITABLE THEMES -
easily accessed and EASILY edited/customized. I don't care about re-branding, though obviously some would love that. I would like it more for general reasons. Example - the webconfig login screen will show the product is OPNsense. I would love to be able to easily 'vanilla' this with my own image and create a generic login page that does not give any clue as to the router OS. I have a client whose employee went to the login page of the pfSense gateway, saw that it was pfSense, and began Googling the various hacks to bypass it. And he did! When confronted (before he was fired) he admitted that the "login page gave it away". If the page had just a pretty picture that said WELCOME! Login: Password: and nothing more he would have been stumped. Security aside, maybe for goofy fun, I would like to put pictures of mountains or oceans or maybe a theme that allows me to use a router name/description (Router - 1st Floor - Library Building) so I know which one I just connected to without actually having to login. This shouldn't be hard or compromise performance or security so I cannot imagine why it could not easily be integrated.

#2 - DOCUMENTATION -
One thing pfSense seems to have dropped the ball on is proper documentation. Unless I am mistaken, you either have to pay $100 (GOLD STATUS) to get their book and keep paying every year for the regular updates or search and comb through myriads of unclear forum pages. Their online handbook is not a bad start and certainly helps a lot, but it still leaves much to be desired and is often left at generic boilerplate levels of detail with no case study or use examples. OPNsense should not make this mistake.

#3 - CRON JOB STORAGE -
One thing that frustrates me with pfSense is that I cannot store CRON jobs in a disabled state for later use. I can setup and store Firewall Rules and just set them as disabled. Couldn't the same be done for CRON jobs? Or just offer some kind of 'storage' for them and a simple CRON tab with an ADD/REMOVE section?

Currently I keep various CRON jobs in an Excel spreadsheet then copy/paste as needed. Sooooooo 1995! lol

#4 - AUTO RESET STATES -
pfSense seems hit or miss on this. You set up rules to throttle bandwidth or shut off internet access, but someone doing something a bit meatier like a Skype session will remain connected LONG after the rule went into effect. So, you have to set up a cron job to either reset all states or just reset for a certain ALIAS group. Why isn't that just automatically incorporated into a firewall rule and programmed to comply with the ALIAS of that rule only? Example - Terminate internet access at 11PM for alias - IP ADDRESS GROUP - then a state reset runs and only resets 'IP ADDRESS GROUP' and leaves everyone else untouched. Talk about making the life of an admin easier! High end firewalls terminate when told to terminate. I would think PF and OPN could do this too.



That is about all I can think of for now. Will add more if I think of any.
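A concrete way to do the per-alias state reset described in the post above from cron, as an added example that is not part of the thread or of the OPNsense project: it assumes the alias is loaded into pf as a table of the same name (the table name after_hours_hosts is hypothetical) and uses pfctl's "-t name -T show" to list members and "-k" to kill states. Building the command list is kept separate from running it, so the list can be reviewed or tested on a box without pf; only the --run switch touches the kernel.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense project): kill pf states
# for every member of ONE alias table, leaving all other hosts' states alone.
# Assumptions: the firewall loads host/network aliases as pf tables under the
# alias name (table name "after_hours_hosts" is hypothetical) and pfctl exists.
# Run from cron at the same minute the schedule-based block rule kicks in.

TABLE="${TABLE:-after_hours_hosts}"

# Members of the pf table, one per line (addresses or CIDR networks).
table_members() {
    pfctl -t "$1" -T show 2>/dev/null | tr -d ' \t'
}

# Emit the pfctl commands for one member: states it originated, and states in
# which it is the destination (a single "-k host" only matches the source side).
kill_commands_for() {
    printf 'pfctl -k %s\n' "$1"
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

# Build the full command list from a newline-separated member list.  Entries
# that are not plain IPv4/IPv6 addresses or CIDR networks are skipped, so a
# corrupted table line can never be spliced into a shell command.
build_kill_commands() {
    printf '%s\n' "$1" | while IFS= read -r member; do
        [ -n "$member" ] || continue
        case "$member" in
            *[!0-9a-fA-F:./]*)
                printf 'skip: suspicious table entry %s\n' "$member" >&2
                continue ;;
        esac
        kill_commands_for "$member"
    done
}

# Read the live table and execute the generated commands, logging each one.
reset_states_for_table() {
    members=$(table_members "$1")
    if [ -z "$members" ]; then
        echo "table $1 is empty or does not exist" >&2
        return 1
    fi
    build_kill_commands "$members" | while IFS= read -r cmd; do
        echo "$cmd"
        sh -c "$cmd"
    done
}

# Only act when invoked as "script --run"; sourcing the file just defines
# the functions so the command builder can be inspected without pf.
if [ "${1:-}" = "--run" ]; then
    reset_states_for_table "$TABLE"
fi
```

Note the caveat in the second pfctl form: "-k 0.0.0.0/0 -k host" is what clears the inbound half of a long-lived session; without it a peer that keeps sending to the host will keep the state alive even though the host's own outbound states are gone.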
Title: Re: WISH LIST for OPNsense
Post by: chol on June 07, 2015, 03:15:39 pm
Hello, nice to have you two guys!

Every insightful suggestion and constructive critique is very well appreciated, you know other commercial companies spend millions on customer compliance and new ideas.

Now, we at OPNsense are not commercial and get it for free from you, a great thank you for that :)

Please keep in mind that our OPNsense project just started and tries to shift from the legacy pfSense codebase up to a more FreeBSD aligned, rock solid, secure, manageable code base. This all needs work and time and hands and a community. So our project needs helpful developers, editors, testers, and design critiques like the one from you guys as well ...

Again a warm welcome to our project. We will do what we can to get a good free product out, promised!

Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 07, 2015, 06:23:50 pm
We know :)

Trying our best to help.

We just need a more business oriented setup so the project can begin its journey.

I really dig the update function that works very well!
Title: Re: WISH LIST for OPNsense
Post by: DownloadDeviant on June 07, 2015, 07:28:13 pm
Please keep in mind, that our OPNsense project just started

No excuse! You should have started perfectly from day one! LOL  :P

All kidding aside - I love to see people like you start these new projects! Competition is a wonderful thing. You are based in The Netherlands. I am from America and I have direct personal experience seeing what damage can come from a lack of it - mergers, acquisitions and monopolies - it is destroying growth and innovation here. As an example - in most states here, generally,  there is no choice when it comes to broadband access. You can either choose the local cable company monopoly or the telco DSL service.  That is not a choice and as un-American as it can get.

So, I always try to educate family, friends and clients about open source and projects like this one. It is wonderful to see new ideas and innovation! Icing on the cake? It's free! WOW!
Title: Re: WISH LIST for OPNsense
Post by: chol on June 08, 2015, 09:52:10 pm
All kidding aside - I love to see people like you start these new projects! Competition is a wonderful thing. You are based in The Netherlands. I am from America and I have direct personal experience seeing what damage can come from a lack of it - mergers, acquisitions and monopolies - it is destroying growth and innovation here. As an example - in most states here, generally,  there is no choice when it comes to broadband access. You can either choose the local cable company monopoly or the telco DSL service.  That is not a choice and as un-American as it can get.
Want to hear a secret? Listen good and come closer: There is a hidden conspirative plan why you have the socialist/europeanoid Canadians on one side and the penetrating Spaniards/Mexicans on the other side! lol ;)
Title: Re: WISH LIST for OPNsense
Post by: norspang on June 09, 2015, 08:28:33 am
We can have a lot of wishes, but the highest wish from me is a stable system, a system that does not crash when a power outage happens..
Apart from that, I'll support all of the other suggestions.
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 09:12:10 am
Buy a UPS and the damn thing stays online when the power is gone and then does a graceful shutdown and voila ;)
Title: Re: WISH LIST for OPNsense
Post by: norspang on June 09, 2015, 09:19:49 am
Well Supermule, that might be the easy fix.... BUT...... USERS...... it is a router and most users just disconnect the power if they think that something is wrong, like if it was a Netgear, Cisco, Asus or any other kind of router....
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 09:26:53 am
 8)

Yes but its not a Cisco box. So you have to live with what you have and make the best use of it.

Maybe in the future it will be more hardened towards power failures, but a router OS shouldn't bog down like some of the SOHO routers out there.
Title: Re: WISH LIST for OPNsense
Post by: norspang on June 09, 2015, 09:42:09 am
No, it is not a Cisco box, but as far as I have read, FreeBSD 10.x has a problem with UFS and fsck that ZFS does not have to the same extent.
Or maybe it is possible to have a double file system, one which will be copied to active on boot; as I have seen it, it is not the config file that gets corrupted but the OS.....
But but but..... I am NOT a developer, I am just an idea person, and as the subject suggests this is about wishes....
Title: Re: WISH LIST for OPNsense
Post by: franco on June 09, 2015, 11:45:30 am
1: Packages. I need Snort, Squid, Lightsquid, Cron, Open VMtools and a file manager to easily edit files.

Will be back. The packages system needs a proper face lift, most of the old code is gone, including PBI. Squid is in the base installation, Suricata on the way, Open VM tools are available through pkg, file manager I really do not deem appropriate. Why risk editing files? It points to a different problem, namely rigidity of the implementation.

2: GUI. Themes and widescreen support. I scroll a lot in OPNsense compared to pfsense.

Agreed. Who'll be on point?

3: Widgets. Ability to move them around would be great. So would having System Log widget available.

Agreed:

https://github.com/opnsense/core/issues/210
https://github.com/opnsense/core/issues/211


The caveat: if there are no new contributors, this will progress at the current pace, which is probably not what one would expect. It's a lot of work.
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 12:18:51 pm
I know Franco.

I paid a guy to do the widescreen theme before it got implemented in pfsense.

I use filemanager a lot to upload files very easily and edit them directly.

I am a bsd noob so I need some click and edit options :D
Title: Re: WISH LIST for OPNsense
Post by: weust on June 09, 2015, 02:24:03 pm
Supermule, what files do you want to manually edit then?
That's what the WebGUI is for.
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 02:46:59 pm
files like loader.conf and currently some files belonging to the theme of pfsense to change the color since I hate the red one they use :D
Title: Re: WISH LIST for OPNsense
Post by: chol on June 09, 2015, 02:55:20 pm
As far as ZFS and OPNsense are concerned, actually it is sometimes not uninteresting to buy a book and read.

I bought me the new 2nd ed. of "The Design and Implementation of the FreeBSD Operating System". There, introductory page 24 has some interesting specs:

The Zettabyte filesystem is listed as having 256125 lines of code, which represent 16.2% of the machine-independent code of the 2015 FreeBSD kernel.

From a strict security viewpoint, this is a huge attack surface, isn't it?


Power failure: Did you have problems with the use of an embedded OPNsense version or with a full install? Seems to me, you're calling for a nanoBSD version at your site, with RAM disk and an external log server.
Title: Re: WISH LIST for OPNsense
Post by: weust on June 09, 2015, 03:11:42 pm
You actually go through the pain of changing the colour for the occasional (re)boot of the machine?
Damn...
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 03:18:17 pm
No no it survives the reboot.

It doesn't survive an update to a newer version :D
Title: Re: WISH LIST for OPNsense
Post by: franco on June 09, 2015, 03:25:53 pm
I need some click and edit options :D

Maybe we can work out something better. Loader.conf should have a GUI like Tunables. We also want to bundle a colour picker for the themes eventually. Everything is SCSS so you can have branding colours throughout the GUI consistently. :)

chol: modern file systems tend to grow considerably in LOC. It's a tradeoff between stability vs. complexity vs. features. Features and stability win for ZFS. Not sure about the volume of exploits against it, but I haven't seen many.
Title: Re: WISH LIST for OPNsense
Post by: Supermule on June 09, 2015, 04:39:40 pm
That would be awesome!

Currently using the file manager package in pfsense to do the editing.
Title: Re: WISH LIST for OPNsense
Post by: windozer on June 10, 2015, 07:28:50 am
I'm not sure whether this classifies as a wish for FreeBSD or OPNsense, but here it is - baby-jumbo frames (https://forum.openwrt.org/viewtopic.php?id=51326) in PPPoE.
Title: Re: WISH LIST for OPNsense
Post by: jstrebel on June 10, 2015, 10:52:26 am
What is the application for this? PPPoE is normally limited by the operator to 14xx.


Gesendet von iPhone mit Tapatalk
Title: Re: WISH LIST for OPNsense
Post by: windozer on June 10, 2015, 12:17:47 pm
Mostly found in FTTx (fibre) and in some cases (V)DSL. It's an extension to PPPoE that makes up for the PPPoE overhead and thus allows an MTU like on the LAN, therefore less segmentation. This assumes that the WAN port is gigabit capable because the MTU is set to 1508. It's prevalent in the UK and the rest of the world.

RFC 4638 - Accommodating a Maximum Transit Unit/Maximum Receive Unit (MTU/MRU) Greater Than 1492 in the Point-to-Point Protocol over Ethernet (PPPoE) (https://tools.ietf.org/html/rfc4638)

OpenBSD RFC 4638 support for pppoe (http://comments.gmane.org/gmane.os.openbsd.tech/27554)
Title: Re: WISH LIST for OPNsense
Post by: gratis on June 16, 2015, 07:01:25 pm
How about DNSCrypt?

Currently using an OpenWRT router with the DNSCrypt package, and a few FreeBSD machines using the dnscrypt-proxy pkg with Unbound. Apparently, there is discussion on the pfSense forum of people doing a "pkg install dnscrypt-proxy" from the terminal and getting it set up FreeBSD style, even though it is not currently a pfSense package, but on OPNsense the package is not found in the repository.

I am currently testing the OpenDNS functionality of OPNsense, but there are a lot of DNSCrypt enabled DNS servers out there, other than just OpenDNS, as seen here: https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv (https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv)

Just sharing my thoughts, for what it's worth... Great work, by the way.

Title: Re: WISH LIST for OPNsense
Post by: franco on June 16, 2015, 07:33:57 pm
Gratis, I have added dnscrypt-proxy to the package mirror: https://github.com/opnsense/tools/commit/2d415dbd9facf476d308746baceafad3a7913349

As soon as 15.1.12 is out tomorrow, it can be installed using the usual pkgng magic. If somebody works on getting GUI support going for OPNsense, we're more than happy to help polish it and pull it in.
Title: Re: WISH LIST for OPNsense
Post by: gratis on June 17, 2015, 11:44:56 am
Very nice. Thanks for the prompt response, and your efforts...
Title: Re: WISH LIST for OPNsense
Post by: guest7876 on July 18, 2015, 11:55:19 am
My wish list includes Tor and polipo as a caching proxy for Tor. I have not investigated whether Squid could
be used in place of polipo.

Both of these packages are available for FreeBSD 10.1.

I wouldn't mind helping with building the GUI for these add-ons once you get your plans finished up for
how the add-ons will be integrated. I know some about Bootstrap.

This would be awesome from the security point of view for people.

The other one would be sixxs-aiccu for an IPv6 tunnel since my provider doesn't provide v6.
Also willing to help on building the GUI for this one as well.

Let me know what I can do to help and point me to any documentation on a starting point.
I'm pretty well versed in pkg and how it works.
Title: Re: WISH LIST for OPNsense
Post by: franco on July 18, 2015, 07:19:44 pm
Hi wild045,

I will take care of the packages requests soon: https://github.com/opnsense/tools/issues/12

As far as pkg and our new plugin infrastructure (essentially what pfSense calls packages) goes, one doesn't need to care about pkg at all as the plugin build framework wraps everything already. What is barely working is the plugin plugging into the running system. It works by manually reloading the web server and typing the URL in the browser, but we want to have a dynamic menu and backend service as well to make sure the plugins deserve their name.

If anybody wonders why plugins are not named packages, well, FreeBSD already has designated terms for ports and packages and everything is already packaged in OPNsense (except base/kernel) so we thought plugins would be a more fitting term. Also, alliterations are neat. :)


Cheers,
Franco
Title: Re: WISH LIST for OPNsense
Post by: guest7876 on July 18, 2015, 10:32:00 pm
Franco,

I understand the pkg system well. I've been a FreeBSD admin since before 4.x came out.

Please don't forget the sixxs-aiccu package. For people that need the v6 tunnel to SixXS, it's handy.

Looking forward to seeing how you implement the dynamic framework in OPNsense, and then I can get to
work on getting GUIs for the few packages I referenced.

In the meantime, I'm assuming I can just install the packages I referenced, edit the config files manually
and start the services, correct?
Title: Re: WISH LIST for OPNsense
Post by: franco on July 19, 2015, 10:23:54 am
Not all packages from the repository are installed by default. You can query the remote by:

# pkg rquery "%n: %c"

You'll notice sixxs-aiccu is already there waiting to be installed. :)

And, yes, you can configure /etc/rc.conf, but you'll have to run "service xxx start" manually for now. We have an automatic hook, but it needs to be replaced as it is not working very well, e.g. with open-vm-tools(-nox11).
Title: Re: WISH LIST for OPNsense
Post by: guest7876 on July 20, 2015, 04:49:07 am
Not all packages from the repository are installed by default. You can query the remote by:

# pkg rquery "%n: %c"

You'll notice sixxs-aiccu is already there waiting to be installed. :)

And, yes, you can configure /etc/rc.conf, but you'll have to run "service xxx start" manually for now. We have an automatic hook, but it needs to be replaced as it is not working very well, e.g. with open-vm-tools(-nox11).

Franco,
thank you for taking the time to respond.

Nice to see that you're listening to what packages/plugins we customers want/need.

Does OPNsense require the .sh script being created like pfSense does?
Title: Re: WISH LIST for OPNsense
Post by: franco on July 20, 2015, 06:26:12 am
/etc/rc.conf modification or a drop-in file for /etc/rc.conf.d ought to be enough, like you would configure it on FreeBSD, but as I said it sometimes does not work and does not take care of restart after upgrade and other assorted scenarios. Still trying to figure this out.
Title: Re: WISH LIST for OPNsense
Post by: franco on July 20, 2015, 08:15:54 am
Added tor and polipo, which will be available with 15.7.4 (this week maybe depending on the state of software security) for manual installation. Have fun.

https://github.com/opnsense/tools/commit/d4628b332ebe6266d9505f4b6087d87fd68eaa38
Title: Re: WISH LIST for OPNsense
Post by: chol on July 20, 2015, 12:35:34 pm
In regard to polipo, I always have the small easy pdnsd for small dns caches etc. on the Linux based laptops of my family.

I am not sure if it makes any sense to try to disable/cut out bind from a smaller (so called SOHO) OPNsense install (like in the method lucifercipher posted elsewhere)?

Franco, could you shed some light on why big BIND and why Unbound are in?

I really look enthusiastically towards our plugins ready with 16.1 release.
Title: Re: WISH LIST for OPNsense
Post by: franco on July 20, 2015, 02:22:03 pm
Christian, unbound is in FreeBSD base nowadays. There was a move from dnsmasq to unbound in pfSense most likely due to that reason, but that transition hasn't been completed, at least not in our code base.

Bind is in there for a single purpose: Dynamic DNS via RFC 2136. As far as I know there is no replacement. We tried to use bind-tools as a lightweight package but the way the port is designed it conflicts with bind910 installations which some people have asked for as well.

We can add more dns into the packages, but I believe the pressing work is cleaning up the intermittent state of resolver and forwarder and maybe tackling the bind-tools vs full bind packages in FreeBSD.
Title: Re: WISH LIST for OPNsense
Post by: chol on July 20, 2015, 08:40:35 pm
Christian, unbound is in FreeBSD base nowadays. There was a move from dnsmasq to unbound in pfSense most likely due to that reason, but that transition hasn't been completed, at least not in our code base.
Ah good to know that.

Bind is in there for a single purpose: Dynamic DNS via RFC 2136. As far as I know there is no replacement. We tried to use bind-tools as a lightweight package but the way the port is designed it conflicts with bind910 installations which some people have asked for as well.
You mentioned RFC2136, but now it's clear.

We can add more dns into the packages, but I believe the pressing work is cleaning up the intermittent state of resolver and forwarder and maybe tackling the bind-tools vs full bind packages in FreeBSD.
My full ACK!
Title: Re: WISH LIST for OPNsense
Post by: loden_richard on August 26, 2015, 10:50:51 pm
It would be great if if_iwm could be used with OPNsense, but it was only ported to FreeBSD 11. Maybe it is possible somehow?!
Title: Re: WISH LIST for OPNsense
Post by: franco on August 27, 2015, 10:25:10 am
FreeBSD is doing a substantial rework of the network driver APIs, which makes it very hard for us to backport new drivers on our own. Once we've reached FreeBSD 10.2, maybe we can look into an experimental build of FreeBSD 11.

(As far as 10.3 is concerned it doesn't look like iwm will ever be backported.)
Title: Re: WISH LIST for OPNsense
Post by: loden_richard on August 27, 2015, 12:35:42 pm
I was afraid so. I looked into the mailing lists and at least it is available in FreeBSD 11. But I will find another way around. Thanks anyway.
Title: Re: WISH LIST for OPNsense
Post by: loden_richard on August 31, 2015, 08:45:54 am
I would suggest displaying only the WLAN modes supported by the driver. I had a hard time figuring out that iwn doesn't like hostap.
Code:
ifconfig iwn0_wlan1 list caps
would give a hint about supported setups.

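An added example (not from the thread or from the OPNsense project) of the check suggested in the post above, turned into something a script or GUI backend could run before offering a mode: it parses the drivercaps<...> list that "ifconfig wlanX list caps" prints on FreeBSD and reports whether a token such as HOSTAP is present. The two sample outputs are constructed to resemble a client-only iwn(4) card and an AP-capable card; the interface name, flag order and hex values on a real card will differ.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense project): test whether a
# FreeBSD wireless interface advertises a given operating mode before trying
# to configure it.  "ifconfig wlanX list caps" prints lines such as
#   drivercaps=6f85ec01<STA,IBSS,HOSTAP,...>
#   cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>
# and has_drivercap checks for one whole token inside the drivercaps<...> list.

# Usage: has_drivercap "<caps output>" TOKEN ; returns 0 if present, 1 if not.
has_drivercap() {
    caps_output="$1"
    want="$2"
    printf '%s\n' "$caps_output" \
      | sed -n 's/^[[:space:]]*drivercaps=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
      | tr ',' '\n' \
      | grep -qx "$want"      # -x: whole token, so HT never matches HOSTAP
}

# Wrapper around the real command for a live interface (name is an argument,
# e.g. the hypothetical iwn0_wlan1 from the post).
interface_has_drivercap() {
    has_drivercap "$(ifconfig "$1" list caps 2>/dev/null)" "$2"
}

# Pick the mode a GUI should default to: hostap only if the driver can do it.
suggest_mode() {
    if has_drivercap "$1" HOSTAP; then
        echo hostap
    else
        echo sta
    fi
}

# Constructed sample: client-only card (STA and MONITOR, no HOSTAP), roughly
# what an Intel iwn(4) adapter reports.
SAMPLE_IWN_CAPS='drivercaps=481c01<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,BURST,WME,HT>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>
htcaps=...'

# Constructed sample: AP-capable card (HOSTAP present).
SAMPLE_AP_CAPS='drivercaps=6f85ec01<STA,IBSS,HOSTAP,AHDEMO,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,BGSCAN,TXFRAG,TXPMGT>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>'

# Stand-alone demo on the constructed samples (no wireless hardware needed).
echo "iwn sample -> $(suggest_mode "$SAMPLE_IWN_CAPS")"
echo "ap sample  -> $(suggest_mode "$SAMPLE_AP_CAPS")"
```

On a real box, replace the samples with `interface_has_drivercap iwn0_wlan1 HOSTAP`; a non-zero exit there is the early, unambiguous answer the post was looking for instead of a hostap configuration that silently fails to come up.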
Title: Re: WISH LIST for OPNsense
Post by: franco on September 10, 2015, 04:54:05 pm
Right, we've had multiple reports that seem to originate from this problem. I've added a ticket: https://github.com/opnsense/core/issues/377
Title: Re: WISH LIST for OPNsense
Post by: franco on September 18, 2015, 02:08:48 pm
#377 will be fixed in 15.7.14.
Title: Re: WISH LIST for OPNsense
Post by: Andreas on September 19, 2015, 12:45:17 pm
OTP - one time password as higher security for administration
For example when config can be reachable from WAN/www

And otp as password for vpn
Title: Re: WISH LIST for OPNsense
Post by: va176thunderbolt on September 20, 2015, 02:02:11 pm
Vnstat2 would be useful for those who are on capped connections and need to keep a close eye on their data consumption.
Title: Re: WISH LIST for OPNsense
Post by: franco on September 20, 2015, 02:40:08 pm
A vnstat (the FreeBSD command line package can already be installed BTW) plugin is on the horizon, although I'm not sure if it will be "vnstat2" code exactly. See:

https://github.com/opnsense/plugins/issues/3
Title: Big Wishes :)
Post by: Andreas on September 24, 2015, 10:52:55 am
User portal to download OpenVPN certificates and config
User portal to download / see config for IPsec config

For each IPsec tunnel or OpenVPN instance a firewall setting

SSL Proxy
Proxy Configuration for Error Site etc.
Title: Re: WISH LIST for OPNsense
Post by: bhawk on September 28, 2015, 03:36:27 pm
I know SNMP v3 is present in the base system, but can we get to use it from the UI?