OPNsense Forum

English Forums => General Discussion => Topic started by: waxhead on March 03, 2018, 11:02:26 am

Title: Migrated to OPNsense - first impressions, rants and praise
Post by: waxhead on March 03, 2018, 11:02:26 am
Hi there,

I am an ex-pfsense that just migrated to OPNsense and I just feel like sharing some of my experience for whatever it's worth. Most of this is nitpick, but hey - it is always simpler to complain than to praise right?

Reason for migrating:
First of all I am just a SOHO user with some penguin powered boxes that are happily living in a 19" rack and I have been using pfsense for years and have actually been quite happy with it. However there have always been some things that are difficult to understand and traffic shaping is absolutely one of the more non-intuitive things. Anyway, the reason for migrating to OPNsense is all the crappy comments all over the web and the last straw was the OPNsense.com fiasco. Of course both OPNsense and pfSense want to make money and both are advertising their project with lots of "big words", but for me the tipping point was the AES-NI requirement for pfSense as well as the recommendations from the Monowall developer to check out OPNsense so here I am.

First impression installer:
Like others have pointed out here I do get the error 19 issue during installing. I used the i386 image on several usb memsticks, but it fails with error 19 when it tries to mount the root filesystem before installing. As far as I am able to understand it seems like FreeBSD shuts off the USB ports and therefore will not see the memstick anymore.
The way I solved this was to download the OPNsense nano image on my existing pfsense box that luckily has two disks, I dd'ed the image over to one of the disks, rebooted and voila!

First impression (and rants) on the webgui.
The webgui is laid out nice. It is easier to find things as they are better grouped and organized than pfsense. There is also mostly useful help text that is very handy at times. I especially like the full help option.

What I don't like is that the webgui has animations that can't be turned off (at least I have not found a way yet) and I especially don't like that the webgui does not have a compact version. The webgui follows the modern sickness of having tons of padding and unused space take up lots of valuable screen space. Luckily most browsers today allow you to zoom down the webpage (and remember it) so I am able to bypass most of the annoyance this way.

I also dislike very much that the traffic graph widget starts over every time I visit the lobby page.

At times the webgui is awfully slow as well, and because some drop down boxes are expanded when you first load the page it is easy to "miss" a GUI element when you are clicking around.

It would have been nice if you could (like pfSense) add separators or group stuff like aliases, firewall rules etc, and some dropdown boxes do not allow you to see all of the content (the subnet mask selector) on the browser that I use at least (SeaMonkey).

I also really miss the NUT plugin (network ups tools) from pfSense and there are a few other things like the ClamAV engine that was not as easy as 1-2-3 to figure out, does it require a proxy or not??!

Praise: (and perhaps a bit of rant as well)
In general OPNsense for me works great and is not that different from pfSense, but a lot has absolutely been moving in the right direction so I think I will stay with this one for a while. Performance is actually (on the tests I did) BETTER than pfSense (2.3), but stuff like traffic shaping is hogging my CPU on a 40/40mbps fiber line so there does not seem to be an improvement there over pfSense. The captive portal was peanuts to set up as well, but I did not get any vouchers to work sadly.
I would also like to disable OpenDNS and remove it from the webgui, but that does not seem possible yet.

All in all OPNsense is for me mostly intuitive, performs well and does whatever I need it to do. It was a breeze to set up (once I got it running) and I am looking forward to keep using it and I hope for improvements as time moves on. I am also looking forward to the day I will replace my OPNsense box with a 64bit variant with perhaps a tad more crunching power. Keep up the good work!
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: mimugmail on March 03, 2018, 06:48:33 pm
I also really miss the NUT plugin (network ups tools) from pfSense and there are a few other things like the ClamAV engine that was not as easy as 1-2-3 to figure out, does it require a proxy or not??!

I already set up a NUT plugin but I need testers, best would be an experienced user with some CLI foo .. you can install via CLI with pkg install os-nut-devel.

We build ClamAV as its own plugin to keep it modular. With this not only Squid can use it, but also Postfix/rspamd can speak to clamd.
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: franco on March 05, 2018, 09:09:16 am
Hi there,

Thanks for your feedback and welcome. Let's see...

First impression installer:
Like others have pointed out here I do get the error 19 issue during installing. I used the i386 image on several usb memsticks, but it fails with error 19 when it tries to mount the root filesystem before installing. As far as I am able to understand it seems like FreeBSD shuts off the USB ports and therefore will not see the memstick anymore.
The way I solved this was to download the OPNsense nano image on my existing pfsense box that luckily has two disks, I dd'ed the image over to one of the disks, rebooted and voila!

It seems that FreeBSD is getting more and more hostile towards embedded and legacy hardware. We try to be as close to their stock settings as we can, but that has been increasingly difficult with boot panics and mount error. If anyone has an idea how to change that that would be great, because we neither have the time nor experience to start working in FreeBSD hardware support to avoid such problems in the future. :(

First impression (and rants) on the webgui.
What I don't like is that the webgui has animations that can't be turned off (at least I have not found a way yet) and I especially don't like that the webgui does not have a compact version. The webgui follows the modern sickness of having tons of padding and unused space take up lots of valuable screen space. Luckily most browsers today allow you to zoom down the webpage (and remember it) so I am able to bypass most of the annoyance this way.

It used to be a lot worse with padding, but I understand what you mean. The animations to my knowledge are menu, tab fade in/out and the modal dialogs. They could be removed, or a theme without animations could be crafted? Are these the animations you talk about?

I also dislike very much that the traffic graph widget starts over every time I visit the lobby page.

I don't think that changed. Maybe the fact that it builds up until it has all the data in its window to slide forward is what gives you that impression?

At times the webgui is awfully slow as well, and because some drop down boxes are expanded when you first load the page it is easy to "miss" a GUI element when you are clicking around.

You said i386 so it could be a slow hardware issue. I've seen this with MVC pages that load their data via API, the devices can be slow to answer / fill the screen.

It would have been nice if you could (like pfSense) add separators or group stuff like aliases, firewall rules etc, and some dropdown boxes do not allow you to see all of the content (the subnet mask selector) on the browser that I use at least (SeaMonkey).

Separators are skeuomorphic as they don't follow data modelling. Instead, we do have categories for firewall rules and starting with 18.1.3 these will be a bit more prominent with the selector in the top right corner.

https://github.com/opnsense/core/issues/2182

I also really miss the NUT plugin (network ups tools) from pfSense and there are a few other things like the ClamAV engine that was not as easy as 1-2-3 to figure out, does it require a proxy or not??!

You can help Michael with NUT plugin testing so it can finally be released. :)

I would also like to disable OpenDNS and remove it from the webgui, but that does not seem possible yet.

We could make it a plugin, but it's just a tiny page with no software dependencies. Maybe it can go the same route as Dynamic DNS -- move to plugins, but keep in the default install?


Cheers,
Franco
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: waxhead on March 09, 2018, 12:40:48 am
Hi there,

Thanks for your feedback and welcome. Let's see...
Thanks a bunch, I am hoping the switch was worth it so I hope to stay for a long time.

First impression installer:
Like others have pointed out here I do get the error 19 issue during installing. I used the i386 image on several usb memsticks, but it fails with error 19 when it tries to mount the root filesystem before installing. As far as I am able to understand it seems like FreeBSD shuts off the USB ports and therefore will not see the memstick anymore.
The way I solved this was to download the OPNsense nano image on my existing pfsense box that luckily has two disks, I dd'ed the image over to one of the disks, rebooted and voila!

It seems that FreeBSD is getting more and more hostile towards embedded and legacy hardware. We try to be as close to their stock settings as we can, but that has been increasingly difficult with boot panics and mount error. If anyone has an idea how to change that that would be great, because we neither have the time nor experience to start working in FreeBSD hardware support to avoid such problems in the future. :(
That's bad news, but this is more of a FreeBSD issue than OPNsense then.

First impression (and rants) on the webgui.
What I don't like is that the webgui has animations that can't be turned off (at least I have not found a way yet) and I especially don't like that the webgui does not have a compact version. The webgui follows the modern sickness of having tons of padding and unused space take up lots of valuable screen space. Luckily most browsers today allow you to zoom down the webpage (and remember it) so I am able to bypass most of the annoyance this way.

It used to be a lot worse with padding, but I understand what you mean. The animations to my knowledge are menu, tab fade in/out and the modal dialogs. They could be removed, or a theme without animations could be crafted? Are these the animations you talk about?
Yes, these are the animations I am talking about. Perhaps a bit off topic, but I am sick to death of all the "modern" GUI styles that do waste lots of pixels. I realize that this is a web interface, but usually animations should be a preference setting in the OS for those that want that. My suggestion is to color the main menu items a bit brighter than the submenus and indent properly. No need for animations as they only slow down things.

I also dislike very much that the traffic graph widget starts over every time I visit the lobby page.

I don't think that changed. Maybe the fact that it builds up until it has all the data in its window to slide forward is what gives you that impression?
What I meant was, when I go to the lobby page I instantly want to see CPU graph and traffic graph history for the last X minutes/hours or so because this is a lot more useful. Like it is now the graph restarts every time. And yes, you would have to store that data, but this can be done in memory and not necessarily on disk.

At times the webgui is awfully slow as well, and because some drop down boxes are expanded when you first load the page it is easy to "miss" a GUI element when you are clicking around.

You said i386 so it could be a slow hardware issue. I've seen this with MVC pages that load their data via API, the devices can be slow to answer / fill the screen.
It is a Xeon 2.4GHz dual core processor, so while it may be a bit dated, GUI stuff should not be an issue I think.

It would have been nice if you could (like pfSense) add separators or group stuff like aliases, firewall rules etc, and some dropdown boxes do not allow you to see all of the content (the subnet mask selector) on the browser that I use at least (SeaMonkey).

Separators are skeuomorphic as they don't follow data modelling. Instead, we do have categories for firewall rules and starting with 18.1.3 these will be a bit more prominent with the selector in the top right corner.

https://github.com/opnsense/core/issues/2182
Yes, I am aware of that. It is a matter of taste and I absolutely prefer pfSense's colored separators. Coloring rules (not necessarily the entire line) could be useful as well. You could "tag" lines with various colors to indicate red = block, green = pass or whatever the user feels like.

I also really miss the NUT plugin (network ups tools) from pfSense and there are a few other things like the ClamAV engine that was not as easy as 1-2-3 to figure out, does it require a proxy or not??!

You can help Michael with NUT plugin testing so it can finally be released. :)
Yes I can. I plan to try it out soon - The thing is that I have been busy with sick relatives, but I will try to test it out. I might even install this today as a power outage is planned for tomorrow :)

I would also like to disable OpenDNS and remove it from the webgui, but that does not seem possible yet.

We could make it a plugin, but it's just a tiny page with no software dependencies. Maybe it can go the same route as Dynamic DNS -- move to plugins, but keep in the default install?
Agree, having things that you don't need removable is a good thing.
For example I won't use high availability and opendns and the way it is right now it just clutters the GUI with stuff that I personally don't need. It is good to have options by default, but having the ability to hide menu items would be a good thing.

Keep up the good work :) Cheers for now!
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: waxhead on March 09, 2018, 12:54:21 am
I also really miss the NUT plugin (network ups tools) from pfSense and there are a few other things like the ClamAV engine that was not as easy as 1-2-3 to figure out, does it require a proxy or not??!

I already set up a NUT plugin but I need testers, best would be an experienced user with some CLI foo .. you can install via CLI with pkg install os-nut-devel.

I just installed the NUT plugin - I have a remote NUT server and the plugin does not allow me to configure the remote port, addr, username and password. Hence I can't test it :)
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: mimugmail on March 09, 2018, 05:49:21 am
You can follow the progress of the plugin here:

https://github.com/opnsense/plugins/issues/374

Then you'll see why there is only usbhid. If you send me all your configs in the issue (without passwords) I can try to add this for you.
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: schnipp on March 20, 2018, 01:18:46 pm
I want to try NUT to gracefully shutdown the opnsense in case of a power outage. A NUT server is already running on my fileserver, so I want to link the local instance as a slave via network with the master on the fileserver.

So my question is, do the *-devel packages contain binaries, scripts etc. or only source code for compiling (like in traditional Linux repos)?
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: mimugmail on March 20, 2018, 01:43:38 pm
When 18.1.5 is installed you can install the plugin via CLI "pkg install os-nut-devel" .. then also slave support should be half working. Glad to have some testers now :)
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: mimugmail on March 22, 2018, 05:56:42 pm
Already tested the plugin? :)
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: schnipp on March 28, 2018, 04:03:54 pm
Unfortunately not, I was out of office for a few days :).
But now it's time to update the system to release 18.1.5 and afterwards install the package for testing.
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: schnipp on March 28, 2018, 05:55:31 pm
Now, NUT is running in client mode with a synology diskstation as master. After some debugging NUT is communicating with the UPS daemon. I found out that spaces in the name input field (Nut -> UPS Type -> Netclient) break the config file scheme.

When disrupting power the ups monitor correctly broadcasts its messages on the console (see below)

    Broadcast Message from root@opnsense.fritz.box
            (no tty) at 17:34 CEST...
    UPS ups@x.x.x.x on battery
   
    Broadcast Message from root@opnsense.fritz.box
            (no tty) at 17:34 CEST...
    UPS ups@x.x.x.x on line power


But, where can I configure additional parameters (voltage, timeout etc.) for triggering events and what kind of events are supported beside powering down the machine?
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: mimugmail on March 28, 2018, 07:48:11 pm
Can you run some commands like upsc to retrieve some values? I need them to build a status tab.

Where did you configure these values in pf?
Title: Re: Migrated to OPNsense - first impressions, rants and praise
Post by: schnipp on March 28, 2018, 07:51:35 pm
Follow-ups related to UPS and NUT, see here: https://forum.opnsense.org/index.php?topic=7759.msg35622#msg35622