Topics - MasterXBKC

#1
We have a VPN connection that we need to match up to that sources from a Juniper device, and I know it used to be possible to disable PFS, aka Perfect Forward Secrecy, which is disabled on the other side.

How do we disable this when it will not allow us to change it lower than group 1?
#2
So here is a bizarre one I have just discovered.

I have an opnsense VM on VMware ESXi, with a number of virtual machines behind it; it holds 2 WAN IPs.

I had a bunch of rules going to VM-A at 10.0.0.2, for SSH, HTTP, HTTPS, etc.

So I needed the same rules for the new VM, which is VM-B, so I added the second IP as a virtual IP, and then cloned each of the NAT rules and on each new copy swapped the WAN address for the new virtual IP, and changed the redirect IP to 10.0.0.3. Saved, and applied.

None of the NAT rules worked; the VM was completely inaccessible from the WAN side. I re-verified all the settings several times, but all attempts to reach VM-B via the new virtual IP were refused.

So I deleted the rules and created them again the same way, and ended up in the same situation.

As a last-ditch effort, I deleted all the rules for VM-B again, and instead of using the clone button, I created them all manually for VM-B, and now they all work the first time.

Something in the cloning of a NAT rule is not working properly... But everything looks proper in the GUI.
#3
I'm making this thread as a documented way to keep track of the progress in getting this plugin published, either by way of a secondary repository for third party plugins, which I am happy to host myself, for others to submit to as well, or for it to be included into the normal repos. Whichever direction does not matter to me, but it needs to make some progress.

The feedback I have gotten from opnsense thus far has been:
1. We need to figure out how we want to handle third party, or commercial plugins.
|-Understandable, I have not been the most patient, but that is because this would correct a big pain point in my platform. I have the infrastructure to set up an alternate repo yesterday. I have ~12 TB spinning in the datacenter right now. And the MSP I am the Sr Engineer for has another 70TB spinning that I built.

2.
Quote from: jschellevis
As for PFMonitor it is difficult for us to promote that as we are looking at our own central management development that includes extending the API (you can utilise this too when available for PFMonitor as the API extension is part of the open source OPNsense project).

The central management solution will be part of our open source business model so we can extend our team and increase the development effort.

This does not mean that there is no room for you and others to provide their own solution, just that we as Deciso are not interested in third party solutions at this point in time.
|-This is fine and dandy, I have no issue being in friendly competition, it drives excellence. And this is an open-source platform, is it not? Thus by definition allowing for others to contribute their parts, ideas, etc.

3.
Quote from: adschellevis
I'm also very busy, but if you can provide me with an account to your solution and the necessary script files, I can see if I can try this myself.... but no promises.
You can reach me at (email-address).
Best regards
|-Thank you for your efforts, as always much appreciated!

4. Franco has been an excellent help and person to bounce things off of, even though I probably annoy him too much, I am extremely appreciative of everything he has done.

It's also a pain point for my users, some of which are opnsense users, and others "want" to be opnsense users, but worry about the difficulty of getting plugins installed/updates on opnsense.

I will continue my promise, that if we can get this done, I will both donate $100 to the project, as well as link to Deciso's site/hw page from within PFMonitor, and list their devices, as is only fair.

It is with your team's support and assistance that I have the complete and tested pfmonitor plugin.

I look forward to progress on this, behind the scenes, as well as in front of them, and to both of our continued success and excellence.
#4
I'm looking for info on how to set up my own repository for opnsense, so that I can upload my custom plugins to it, for use on my many units, and those of my clients.

I wouldn't mind it also hosting a complete copy of the regular repos so that it can be used for updates as well.

Is there any information for how I can do this?
#5
Development and Code Review / New Plugin: NMAP Scanner
February 11, 2018, 02:09:21 AM
See the screenshots, it's up and working, just waiting for it to get pulled into the repos.
#6
Is it normal for this process to take an exceedingly long time????

I have a quad core opnsense unit with 8GB RAM, and SSD storage, and it's been grinding away for about 30 minutes now. It's not hung, and different stages keep cycling by slowly. Running 18.1.2_2

It is the first time I've ever run the make plugins command if that matters.

I have compiled on Linux before and except for large projects, I don't remember it normally taking so long is all....
#7
You might want to renew this!
#8
So at first I thought it was my code, or else a change that came down in PHP 7.1, but now I'm not so sure.

I've begun seeing a log of 503 errors where the web admin becomes unavailable, and remains so until you use option 11 to restart the services.

I've found a way to reproduce it also.

With my pfmonitor checkin agent installed on the device, if I run it on the SSH shell it runs fine, but it seems that if any other process is using php or php-cgi at the same time as I run the script, it crashes the php-cgi background processes that the web admin uses, or if they are running too quickly.

To reproduce the issue, all I have to do is run my PHP script in rapid succession from SSH using either of:
php pfmonitor.checkinopn.php
or
php-cgi pfmonitor.checkinopn.php

Up+Enter a few times and the web interface dies, and the php-cgi background processes all disappear from ps aux.

All my script does is read some files, and post the contents to an external URL using PHP curl at this point, I had commented out all the other functions.

Running it once works fine; running it, then immediately again a few times, or if the opnsense itself or the web interface is also doing something at the same time, and bang, it crashes the php-cgi's.

Like I said, I thought it was my code at first, but now I don't think so.
#9
I have a plugin that is pretty much done, but I need some assistance in finishing its packing, testing, and getting it published so that it appears on opnsense's plugin list for easy installation.

I estimate that it should only take 3-5 hours at maximum to get this up and running, and I am looking for the person to help with this.

You need to have at least basic to moderate PHP skills, understand opnsense's cron implementation, and have a strong understanding of the git/package/plugin system in opnsense.

Who's interested?
#10
General Discussion / URGENT - Block This IP!
July 05, 2017, 10:07:03 PM
This is an urgent one for those running opnsense firewalls.

Block 163.172.112.193

It has scanned my IP space before (I have a lot), but mostly passively, then moves on to others, BUT today when it crossed my IP space and found the new OPNSense I have up and running for development and testing for PFMonitor, it suddenly began brute forcing like crazy against SSH, the Web Config, and OpenVPN all simultaneously and rapidly. When it ran into my pfSense unit it tried a few passwords then gave up, but the OPNSense it strangely targeted quite heavily and continuously for a while.

I also have a Dell IDRAC6 honeypot up and running and it hit that a few times as well, I log all of this of course to see what nasties are out and about scanning my territory online.

Just a safety warning.  Block that IP!
#11
This is a spot I will share useful random tidbits of code found or made from my development on opnsense.

How to get human friendly uptime from opnsense
uptime | awk -F'( |,|:)+' '{print $4,$5",",$6,"hours,",$7,"minutes."}'
4 days, 12 hours, 09 minutes.
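
A sturdier take on the uptime tidbit above, added here as an example and not part of the original post: it reads the boot timestamp that FreeBSD reports through sysctl -n kern.boottime instead of relying on fixed field positions in the uptime line. The function names and the sample string are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive uptime from the kernel boot timestamp rather than
# parsing the human-oriented `uptime` line by field position.

# Extract the epoch seconds from FreeBSD `sysctl -n kern.boottime` output,
# which looks like "{ sec = 1499000000, usec = 123456 } Sun Jul  2 ...".
boot_epoch() {
    printf '%s\n' "$1" | sed -n 's/^{ sec = \([0-9][0-9]*\),.*/\1/p'
}

# Format a number of elapsed seconds as "D days, H hours, MM minutes."
format_elapsed() {
    secs=$1
    case $secs in
        ''|*[!0-9]*) echo "invalid duration" >&2; return 1 ;;
    esac
    days=$((secs / 86400))
    hours=$((secs % 86400 / 3600))
    mins=$((secs % 3600 / 60))
    printf '%d days, %d hours, %02d minutes.\n' "$days" "$hours" "$mins"
}

# friendly_uptime BOOTTIME_STRING NOW_EPOCH
# Fails with a message instead of printing nonsense when the boot time
# cannot be parsed or the clock reads earlier than the boot time.
friendly_uptime() {
    boot=$(boot_epoch "$1")
    [ -n "$boot" ] || { echo "cannot parse boot time" >&2; return 1; }
    [ "$2" -ge "$boot" ] || { echo "clock is before boot time" >&2; return 1; }
    format_elapsed $(( $2 - boot ))
}

# On the firewall itself (FreeBSD) the call would be:
#   friendly_uptime "$(sysctl -n kern.boottime)" "$(date +%s)"

# Constructed sample input, not captured from a real device.
SAMPLE='{ sec = 1499000000, usec = 123456 } Sun Jul  2 12:53:20 2017'
friendly_uptime "$SAMPLE" 1499389340
```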