OPNsense Forum

English Forums => General Discussion => Topic started by: ljm42 on October 26, 2017, 03:00:41 am

Title: new user feedback
Post by: ljm42 on October 26, 2017, 03:00:41 am
I thought I'd give some new user feedback on OPNsense in the hopes that it is helpful. This is based on OPNsense 17.7.6

Overall, I am very impressed. There is a lot going on here, but it mostly feels like a cohesive system rather than a collection of parts.  Nicely done :)

In terms of things that could be improved...

* I find myself continually clicking the "full help" button. Can this be persistent? So turn it on, and it stays on as you move throughout the site until you turn it off?

* Once you've chosen to use Unbound, can we remove the option for Dnsmasq? Similarly, is there a way to remove the IPsec VPN option if you only plan to use OpenVPN?

* It is strange to enable "DNS Rebinding Checks" under System -> Settings -> Administration, but then go to Services -> Unbound -> General -> Custom to put in exceptions:
  server:
  private-domain: "plex.direct"
  private-domain: "unraid.net"
It would be more natural if you could add a list of exceptions (in the form of "plex.direct,unraid.net") right after enabling the check, and then have the Dnsmasq/Unbound plugins figure out what to do with the exceptions.

* When configuring NetFlow for use with Insight, what is the appropriate value for "Destinations"? The "full help" suggests an IP with port 2550 whereas the manual (https://wiki.opnsense.org/manual/how-tos/netflow_exporter.html) suggests 127.0.0.1:2056, but there is no indication of what sort of collector is at the destination and whether it is already installed as part of OPNsense.  As a side topic, once you input 127.0.0.1:2056, the interface won't let you remove it.

* I set up FreeRADIUS per these instructions:
https://wiki.opnsense.org/manual/how-tos/freeradius.html
https://wiki.opnsense.org/manual/how-tos/user-radius.html
https://wiki.opnsense.org/manual/how-tos/user-local.html
but two key pieces of information were missing:
1. You need to set up the OPNsense router as a client on FreeRADIUS before you can use it.
2. After creating a user in FreeRADIUS, you need to create the same user in the local database (with a scrambled password) if you want to integrate with the rest of the system.

In terms of making a more cohesive system, I would really like to see the System -> Access -> Users page have an indicator of some sort specifying whether a given user has a FreeRADIUS account or not, and a link to create/edit one.  And similarly, the Services -> FreeRADIUS -> User list should indicate whether the FreeRADIUS user has a corresponding local account and have a link to create/edit it.

Anyway, many thanks to the development team for all the work you've put into this project. I'm excited to see where it goes!
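To make the rebinding exception mechanism from the post above concrete, here is an added Python model of what the `private-address` / `private-domain` pair does in Unbound. It is not code from the thread or from OPNsense; the blocked-range list is a constructed approximation of the usual RFC 1918, link-local and ULA ranges (the exact list OPNsense hands to Unbound is an assumption), and the custom snippet it parses is the one quoted in the post.

```python
import ipaddress
import re

# Constructed approximation of the ranges a rebind check refuses to return
# for public names. The exact list OPNsense configures is an assumption here.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]

# The custom Unbound snippet quoted in the post, embedded as a string.
CUSTOM_SNIPPET = """server:
private-domain: "plex.direct"
private-domain: "unraid.net"
"""


def parse_private_domains(text: str) -> list:
    """Extract the quoted values of every private-domain: line."""
    return re.findall(r'^\s*private-domain:\s*"([^"]+)"', text, re.MULTILINE)


def in_private_domain(qname: str, allowed) -> bool:
    """True if qname is one of, or lies under, an excepted domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


def is_private_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def filter_answer(qname: str, addresses, allowed):
    """Apply the rebind check to one answer.

    Returns (kept, dropped): private addresses are dropped from the answer
    unless the queried name falls under a private-domain exception, in which
    case everything is kept.
    """
    if in_private_domain(qname, allowed):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        (dropped if is_private_address(addr) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    allowed = parse_private_domains(CUSTOM_SNIPPET)
    # Constructed sample answers: one legitimate private answer from an
    # excepted domain, one public answer mixing in a LAN address.
    for qname, answer in (
        ("1-2-3-4.abcdef0123.plex.direct.", ["192.168.1.20"]),
        ("www.example.com.", ["93.184.216.34", "192.168.1.1"]),
    ):
        kept, dropped = filter_answer(qname, answer, allowed)
        print(f"{qname:40} kept={kept} dropped={dropped}")
```

The point the model makes is that the exception is keyed on the queried name, not on the address: a name under `plex.direct` may legitimately resolve to a LAN address, while the same LAN address in an answer for any other public name is stripped.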
Title: Re: new user feedback
Post by: mimugmail on October 26, 2017, 09:50:06 am
Hi,

regarding FreeRadius we should add to the docs that this package is completely separate from OPNsense itself.
There's no synchronisation, and there also should not be. That's why it's an optional package. With this in mind it's logical that you have to set up a localhost client to use it with OPNsense.

As said, a lack of documentation, I'll add it to my list.

Thanks! :)
Title: Re: new user feedback
Post by: franco on October 30, 2017, 09:44:42 am
Hi ljm,

Thanks and welcome. :)

If you think any of the following to be worthy of implementation please open tickets via: https://github.com/opnsense/core/issues

* I find myself continually clicking the "full help" button. Can this be persistent? So turn it on, and it stays on as you move throughout the site until you turn it off?

Not in a sane way for each small switch or page, no, but we could add a user setting for always expanding the help automatically for that particular user?

* Once you've chosen to use Unbound, can we remove the option for Dnsmasq? Similarly, is there a way to remove the IPsec VPN option if you only plan to use OpenVPN?

Dnsmasq is scheduled to be turned into a plugin, but there is a slight issue of upgrading where the plugin disappears in a puff of smoke even if it was being used so that needs to be dealt with first. The same goes for VPNs.

FWIW, having these components installed but not used has no effect on the system whatsoever.

* It is strange to enable "DNS Rebinding Checks" under System -> Settings -> Administration, but then go to Services -> Unbound -> General -> Custom to put in exceptions:

Organic growth of features... The rebind check is for the GUI itself and I thought it was enabled by default so ideally one only needs to pull up the DNS service config?

* When configuring NetFlow for use with Insight, what is the appropriate value for "Destinations"? The "full help" suggests an IP with port 2550 whereas the manual suggests 127.0.0.1:2056, but there is no indication of what sort of collector is at the destination and whether it is already installed as part of OPNsense.  As a side topic, once you input 127.0.0.1:2056, the interface won't let you remove it.

For insight the checkbox "Capture local" takes care of the configuration, it inserts "127.0.0.1:2056", which is why you can't delete it. Other external destinations take whatever that server / product supports, it heavily depends. The help text isn't wrong, it's merely an indication of the format that needs to be inserted.

* In terms of making a more cohesive system, I would really like to see the System -> Access -> Users page have an indicator of some sort specifying whether a given user has a FreeRADIUS account or not, and a link to create/edit one.  And similarly, the Services -> FreeRADIUS -> User list should indicate whether the FreeRADIUS user has a corresponding local account and have a link to create/edit it.

That's something we don't want for complexity reasons (more code, more bugs, more support). Therefore there is a clear separation between the local database, a local freeradius, external freeradius or LDAP or otherwise. The only exception is an LDAP user import, which is there for historic reasons.


Cheers,
Franco
Title: Re: new user feedback
Post by: mimugmail on October 30, 2017, 10:12:09 am
Some core devs asked to glue Freeradius User to local ones, so I put it on my list after 18.1 :)
Title: Re: new user feedback
Post by: franco on October 30, 2017, 12:04:32 pm
 :o
Title: Re: new user feedback
Post by: mimugmail on October 30, 2017, 03:05:35 pm
Jos ;)
Title: Re: new user feedback
Post by: franco on October 30, 2017, 04:50:23 pm
Alright, as long as we talk about sanity before implementing something like this...
Title: Re: new user feedback
Post by: ljm42 on November 04, 2017, 08:32:08 pm
Oh sorry, I didn't see any notifications that there were responses!  Thank you very much for your time.

Thanks for explaining the NetFlow/Insight setting, makes much more sense now :)

Long term it would be great to remove the unused DNS/VPN options from the menu, but it isn't urgent.

If the DNS rebinding exceptions have to remain on the Unbound page, I'd still suggest that they be given a "proper" input box rather than being lumped in the custom area where you have to know the underlying syntax. But it works :) so it probably isn't the most important thing.


I've been reading more and more about the project and it continues to impress. Thanks again to everyone who is working on it!