OPNsense Forum

English Forums => General Discussion => Topic started by: CSylvain on October 30, 2017, 12:02:51 am

Title: pfSense takes a very bad turn, it's over!
Post by: CSylvain on October 30, 2017, 12:02:51 am
Hello everyone,
I am a loyal user of pfSense, for the richness of its captive portal and its management of users under FreeRADIUS. The developers have decided to no longer share their kernel source code, so it can no longer be customized, for example to make it compatible with VirtualBox.
I have just been banned by a certain Ivor, who had advised me to open a ticket on their Redmine. I did so with very proper content, which apparently did not suit him, on the fact that he himself had announced that sharing of the kernel on their Git repository would resume when they were ready to do it, and who, I think, does not even remember that!

In short, disgrace, I have to start all over again, on a long development of my captive portal.
I am discovering OPNsense, unfortunately with missing features for the management of users and the setting of a rate limit; I hope to get around this very quickly.

Other people have recently been banned from their forum; I think you will really benefit from picking up all these users. 8)
Title: Re: pfSense takes a very bad turn, it's over!
Post by: mimugmail on October 30, 2017, 06:16:02 am
Hi,

no comment on the pfsense bash .. this is yours  :P
The Freeradius plugin is relatively young; I'm planning to integrate sqlite accounting for the next version. Lately we integrated certificate-based authentication with OPNsense certificates, so there's progress :)

When you are missing features just tell me and I'll try to implement them.
Title: Re: pfSense takes a very bad turn, it's over!
Post by: CSylvain on October 30, 2017, 07:44:36 am
Thank you for your proposal, it will be very useful because I lost too much time with them. :(

In fact, I use the captive portal with Freeradius, and file mode to archive registered users in the XML backup file (not very optimal, but I did not find anything better for planning migrations). Your proposal is therefore very interesting, especially if we can also make a backup of the SQLite file in the appropriate section!

In the captive portal, I can create zones, assigning each a rate limit. Under a tab of the created zone I can also allow MAC addresses, with the rate limit setting in the same form; this is useful for quick interventions, which have the advantage of a custom rate limit and do not go through the captive portal login form.
Code:
Default download (Kbit/s)
Default upload (Kbit/s)
If this option is set, the captive portal will restrict each user who logs in to the specified default bandwidth. RADIUS can override the default settings. Leave empty for no limit.

In Freeradius, I can assign several options, including:
Code:
Username
Password
Password Encryption
Number of Simultaneous Connections
Description
Expiration Date
Maximum Bandwidth Down
Maximum Bandwidth Up

For Expiration Date, I control it from a cron job, which automatically deletes the accounts after one year, and the Number of Simultaneous Connections is also controlled by my PHP script.
Otherwise, you can simplify this by adding a field like the one I already use:
Code:
Advanced Configuration
Additional RADIUS Attributes on the TOP of this entry
Additional RADIUS Attributes (CHECK-ITEM)
Additional RADIUS Attributes (REPLY-ITEM)

In the end, I can administer a list of users that is in the Freeradius section, and check those who log into the captive portal section.

We can also set a rate limit for each user, by creating or modifying the user in Freeradius, but I do not use this option; I assign it directly to each user zone of the captive portal.


I do not dare to do it, but I can print you screens, without displaying the logo of the OS ?

I would otherwise look at your documents, and I think I would not have much work to do because your solution works with an excellent API !
Title: Re: pfSense takes a very bad turn, it's over!
Post by: CSylvain on October 30, 2017, 07:54:28 am
EDIT: Sorry for the double post, I just found the Modified button.
Thinking about all these "HTML" fields, it might be easier to just make one field marked "Configuration Manually", and to add our options and values in it, on the same principle as a PHP settings file (php.ini). ;)
Title: Re: pfSense takes a very bad turn, it's over!
Post by: franco on October 30, 2017, 09:21:32 am
The captive portal and subsequently freeradius have been rewritten from scratch. You may find new things and missing functionality. We are, however, confident that useful features can be implemented and appreciate any help in ideas, code, review and otherwise. :)


Cheers,
Franco

PS: Welcome!
Title: Re: pfSense takes a very bad turn, it's over!
Post by: CSylvain on October 30, 2017, 10:25:33 pm
That's exactly what I told myself, it's completely different, and I remain confident that these missing features will be available on future releases, and will cause a determination to switch to your OS. 8)
Title: Re: pfSense takes a very bad turn, it's over!
Post by: MasterXBKC on October 31, 2017, 05:40:52 am
I have just been banned by a certain Ivor, who had advised me to open a ticket on their Redmine. I did so with very proper content, which apparently did not suit him, on the fact that he himself had announced that sharing of the kernel on their Git repository would resume when they were ready to do it, and who, I think, does not even remember that!

I too have been banned from their forums for reporting problems with 2.4 and exposing that they did not test any of it before they released it.  And it crashed many hundreds of firewalls, left others with strange problems/issues.

They only care to charge everyone for everything, and force people to pay premium for it or else.
Title: Re: pfSense takes a very bad turn, it's over!
Post by: mimugmail on October 31, 2017, 06:57:30 am
Can you tell me more about the usage of local user auth within the plugin?
Where do you configure Framed-IP-Address when a local user is used?

Seems to be fairly easy to fall through local auth if there's no user in users-file, but no idea how to reply radius attributes.
Title: Re: pfSense takes a very bad turn, it's over!
Post by: franco on October 31, 2017, 09:02:14 am
I would say it's easy to fall back to local auth from the captive portal, you can select multiple auth servers and the order matters so RADIUS first, then local auth, done?

PS: Would be best to change the topic to reflect a CP usage discussion :D
Title: Re: pfSense takes a very bad turn, it's over!
Post by: CSylvain on October 31, 2017, 01:59:06 pm
That's what I tried to do, but I gave up when I saw the absence of option, and that I had not managed to use FreeRADIUS locally, because I only want to use on the Captive Portal, and not for users of OPNsense.
I'm going to re-test this tonight, because I just saw that mimugmail did an update that partially fulfills my need, with the management of a rate limit: https://github.com/opnsense/plugins/pull/313

I will then return you to a new subject. ;)
Title: Re: pfSense takes a very bad turn, it's over!
Post by: mimugmail on October 31, 2017, 03:11:36 pm
The CP doesn't understand those attributes I believe, was a different user request.
Title: Re: pfSense takes a very bad turn, it's over!
Post by: CSylvain on November 07, 2017, 11:37:39 am
I give you an assessment of my various tests concerning the migration to OPNsense.
Regarding Freeradius, everything works very well, identification is good, in short, it's like pfS !

On the Captive Portal side, Traffic Shaper does the job perfectly; however, as I mentioned above, it lacks various features: we find the allowed MAC addresses, but nothing to block them or customize the bandwidth. I looked at how pfS generates its rules, and here is the result with the name "test" and a bandwidth of 300Kbit:
Code:
table _pipe_mac delete any,08:00:27:00:00:00
table _pipe_mac delete 08:00:27:00:00:00,any
pipe delete 2000
pipe delete 2001
pipe 2000 config bw 300Kbit/s queue 100 buckets 16
pipe 2001 config bw 300Kbit/s queue 100 buckets 16
table test_pipe_mac add any,08:00:27:00:00:00 2000
table test_pipe_mac add 08:00:27:00:00:00,any 2001

Another missing feature, useful for those who want to do external activations, is the Allowed Hostnames option. I looked at their source code, and the function captiveportal_allowedip_configure_entry is all stupid: it uses PHP's internal gethostbyname function to convert the hostname to an IP, then generates its rules, also with a custom bandwidth.

To conclude, there is not much missing for those who wish to make the leap to OPNsense; the integration of the bandwidth for each zone is something quite possible, and fast enough to put in place. However, according to comments on your GitHub repository, your architecture is totally different, and cannot easily incorporate the same rules as pfS.
It is a challenge that I would have to take up, but between redoing my identification portal with registration form, plus the addition of working with tests, it is a job that would take me too much time to achieve.

So far I have found the solution of virtualizing under pfS with Bhyve, a beautiful emulator that does not even require a graphical environment, because the framebuffer part does it over IP under VNC:
Code:
-s 7,fbuf,tcp=0.0.0.0:5900,w=1024,h=768,wait
https://www.ateamsystems.com/tech-blog/howto-windows-10-bhyve-w-freebsd-11/

I was able to install Windows 10 and make it easier to test each VLAN linked to an area of the captive portal; in the end, I do not need a second desktop PC to remotely test the result of my Wifi portals.

So I will stay for the moment under pfS, to catch up on the delay that I accumulated during these last weeks, and plan the migration to OPNsense later.

Question: Will we ever have the opportunity to have these few missing features?
If there is no certainty, do you advise me to do it as a plugin, or can we agree that I do it in the core of OPNsense and, after validation on your part, you add it to your repository?
Title: Re: pfSense takes a very bad turn, it's over!
Post by: mimugmail on November 07, 2017, 12:15:33 pm
I asked the core devs for radius integration with CP, but it's only authentication and accounting.
I can try to push this for 18.8 but I cannot promise.

EDIT: If you deliver code that is acceptable by feature/design I don't think this would be rejected. But then you should open an issue at GitHub to discuss this.