16
Hardware and Performance / Re: Support for Intel Wireless-AC 9560
« on: April 11, 2023, 01:51:59 am »
is it supported today? 
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
17
23.1 Legacy Series / Migration from OPNsense 20.1.9-i386
« on: April 11, 2023, 01:46:25 am »
Hello!,
I have a 32bits Atom machine running OPNsense 20.1.9-i386 which I would like to migrate to OPNsense 23.1.5_4-amd64. Would it be possible to install 23.1 on a new machine and restore a 20.1.9 backup?, or I would need to deploy 20.1.9 on AMD64 to restore the backup and start an staged upgrade to 23.1.x?
I have a 32bits Atom machine running OPNsense 20.1.9-i386 which I would like to migrate to OPNsense 23.1.5_4-amd64. Would it be possible to install 23.1 on a new machine and restore a 20.1.9 backup?, or I would need to deploy 20.1.9 on AMD64 to restore the backup and start an staged upgrade to 23.1.x?
18
General Discussion / Automation of a firewall fleet
« on: April 08, 2023, 05:54:24 am »
Hello!,
What would be the recommended approach to automate the configuration of several OPNsense instances?.
I see there are some facilities built with Terraform, Ansible, Puppet.
Would need to automate configuration for:
- Zerotier
- BGP
- Firewall rules
- Firewall aliases
- QoS
- SNMP
- Interface assignment
What would be the recommended approach to automate the configuration of several OPNsense instances?.
I see there are some facilities built with Terraform, Ansible, Puppet.
Would need to automate configuration for:
- Zerotier
- BGP
- Firewall rules
- Firewall aliases
- QoS
- SNMP
- Interface assignment
19
Virtual private networks / Innernet
« on: March 24, 2023, 01:52:19 am »
Hello!, is there any way of running innernet client in OPNsense?
20
Hardware and Performance / Re: Inexpensive hardware options
« on: March 20, 2023, 05:57:07 pm »
Will do, thanks.
21
Hardware and Performance / Re: Inexpensive hardware options
« on: March 20, 2023, 04:44:16 pm »
I'm actually planning on something like this:
- Second hand rugged hardware + spares for the branch offices (~100) + OPNSense Business subscription. They can be had for around us$ 120.
- Deciso pair of rackmount appliances for main site + Business subscription
- Virtual appliance + Business subscription to cover IaaS workloads integration.
- Additional Virtual appliances + Business subscription for centralized management.
Main site + IaaS should not fail. Branch offices can be quickly brought back with spares.
Otherwise, budget won't cover the implementation.
- Second hand rugged hardware + spares for the branch offices (~100) + OPNSense Business subscription. They can be had for around us$ 120.
- Deciso pair of rackmount appliances for main site + Business subscription
- Virtual appliance + Business subscription to cover IaaS workloads integration.
- Additional Virtual appliances + Business subscription for centralized management.
Main site + IaaS should not fail. Branch offices can be quickly brought back with spares.
Otherwise, budget won't cover the implementation.
22
Hardware and Performance / Re: Inexpensive hardware options
« on: March 20, 2023, 04:22:18 pm »
Thanks for the feedback, and what about the Lanner NCA-1010B-ST1?, Lanner is known for their rugged appliances, although that machine is kind of dated.
23
Hardware and Performance / Inexpensive hardware options
« on: March 19, 2023, 11:31:38 pm »
Hello!, I'm looking for inexpensive options to deploy some kind of intelligence in some branch offices.
It would do basic forwarding and firewall filtering, plus zerotier or tailscale/headscale to two main sites.
I've seen some interesting options (new hardware) from Qotom & Deciso, but being into tight budget I wonder if machines like Lanner NCA-1010B-ST1 could still get the job done without melting down (hardware needs to be reliable)
It would do basic forwarding and firewall filtering, plus zerotier or tailscale/headscale to two main sites.
I've seen some interesting options (new hardware) from Qotom & Deciso, but being into tight budget I wonder if machines like Lanner NCA-1010B-ST1 could still get the job done without melting down (hardware needs to be reliable)
24
Virtual private networks / Re: Zerotier, CARP clusters & multisite
« on: March 16, 2023, 01:23:29 pm »
Hello!,
I've been looking for alternatives and would also like to hear from other SDWAN solutions that would play nice with OPNsense:
Tailscale/Headscale
Nebula
Netbird
Netmaker
I've been looking for alternatives and would also like to hear from other SDWAN solutions that would play nice with OPNsense:
Tailscale/Headscale
Nebula
Netbird
Netmaker
25
General Discussion / Firewall rules per user group
« on: March 15, 2023, 03:02:24 am »
Hello!,
Anybody ever tried to implement firewall rules per user group?. Defining rules just per machine IP is not practical for a large office installed base.
I was wondering if it could be implemented, for example, processing any user authentication service logs and mapping user to group to IP and modifying aliases to make permissions apply to the IP matched to the user.
If the alias member maximum is not too low, it could scale the addition to the list. On the other side, clean up could be an issue
Thoughts?
Anybody ever tried to implement firewall rules per user group?. Defining rules just per machine IP is not practical for a large office installed base.
I was wondering if it could be implemented, for example, processing any user authentication service logs and mapping user to group to IP and modifying aliases to make permissions apply to the IP matched to the user.
If the alias member maximum is not too low, it could scale the addition to the list. On the other side, clean up could be an issue
Thoughts?
26
General Discussion / Re: Full Disk Encryption
« on: March 09, 2023, 02:07:45 am »
How would you cover that case?, I would like to block attackers trying to steal openvpn or zerotier credentials from a stolen device.
I would need tk deploy several sites, many remote and mostly sale points with very basic physical security.
I would need tk deploy several sites, many remote and mostly sale points with very basic physical security.
27
Hardware and Performance / Re: Minimal x86 box for 1Gbps WAN
« on: March 09, 2023, 01:26:31 am »Pretty sure my 3040 has the nic attached via pcie. the z8300 machines i have use the via USB, i through this besides a small difference in boost clock was the difference between them?
Or is the usb for a second nic? You can just use vlan interfaces instead...
Interested in this too. Would be a nice branch office gateway paired with a switch.
28
Hardware and Performance / Re: Using OPNSense for WireGuard server on Dell Wyse 3040 - Intel Atom Z8350
« on: March 09, 2023, 01:24:40 am »
Did you ever implement that?
29
General Discussion / Managing firewalls at scale?
« on: March 09, 2023, 01:18:14 am »
Hello!,
What are currently the best practices to manage firewalls at scale?. Let's say I have 10-20 locations with a small firewall at each site, how do you handle configuration?, Replication?, Scripting?.
I saw some nice options around, but are SaaS and I prefer something I can control.
What are currently the best practices to manage firewalls at scale?. Let's say I have 10-20 locations with a small firewall at each site, how do you handle configuration?, Replication?, Scripting?.
I saw some nice options around, but are SaaS and I prefer something I can control.
30
Virtual private networks / Zerotier, CARP clusters & multisite
« on: March 09, 2023, 01:10:46 am »
Hello!
How are you doing?. I have an scenario and I wonder what's the most straightforward solution.
Having several sites to connect, I'm thinking about deploying OPNsense in a small box on remote site and a two node cluster at the main office with zerotier connecting everything.
Now regarding routing:
- should I use no routing on zerotier + BGP in OPNsense, or should I use the embedded routing of zerotier?
- static routing setup on ZT is centralized and simple, but won't cover CARP scenarios with a gateway failover.
Regarding filtering:
- should I allow everything between gateways and filter everything in OPNsense?
- should I allow everything in OPNsense and filter everything in Zerotier?
- so a mix?, Filtering different things in both?
How are you doing?. I have an scenario and I wonder what's the most straightforward solution.
Having several sites to connect, I'm thinking about deploying OPNsense in a small box on remote site and a two node cluster at the main office with zerotier connecting everything.
Now regarding routing:
- should I use no routing on zerotier + BGP in OPNsense, or should I use the embedded routing of zerotier?
- static routing setup on ZT is centralized and simple, but won't cover CARP scenarios with a gateway failover.
Regarding filtering:
- should I allow everything between gateways and filter everything in OPNsense?
- should I allow everything in OPNsense and filter everything in Zerotier?
- so a mix?, Filtering different things in both?