Messages - random1104

#16
Is it supported today? :)
#17
Hello!,

I have a 32-bit Atom machine running OPNsense 20.1.9-i386 which I would like to migrate to OPNsense 23.1.5_4-amd64. Would it be possible to install 23.1 on a new machine and restore a 20.1.9 backup, or would I need to deploy 20.1.9 on AMD64 to restore the backup and start a staged upgrade to 23.1.x?
#18
General Discussion / Automation of a firewall fleet
April 08, 2023, 05:54:24 AM
Hello!,

What would be the recommended approach to automate the configuration of several OPNsense instances?

I see there are some facilities built with Terraform, Ansible, Puppet.

I would need to automate configuration for:
- Zerotier
- BGP
- Firewall rules
- Firewall aliases
- QoS
- SNMP
- Interface assignment
#19
Virtual private networks / Innernet
March 24, 2023, 01:52:19 AM
Hello! Is there any way of running the innernet client in OPNsense?
#20
Will do, thanks.
#21
I'm actually planning on something like this:

- Second-hand rugged hardware + spares for the branch offices (~100) + OPNsense Business subscription. They can be had for around US$ 120.
- Deciso pair of rackmount appliances for main site + Business subscription
- Virtual appliance + Business subscription to cover IaaS workloads integration.
- Additional Virtual appliances + Business subscription for centralized management.

Main site + IaaS should not fail. Branch offices can be quickly brought back with spares.

Otherwise, budget won't cover the implementation.
#22
Thanks for the feedback. And what about the Lanner NCA-1010B-ST1? Lanner is known for their rugged appliances, although that machine is kind of dated.
#23
Hello! I'm looking for inexpensive options to deploy some kind of intelligence in some branch offices.

It would do basic forwarding and firewall filtering, plus zerotier or tailscale/headscale to two main sites.

I've seen some interesting options (new hardware) from Qotom & Deciso, but being on a tight budget I wonder if machines like the Lanner NCA-1010B-ST1 could still get the job done without melting down (hardware needs to be reliable).
#24
Hello!,

I've been looking for alternatives and would also like to hear from other SDWAN solutions that would play nice with OPNsense:

- Tailscale/Headscale
- Nebula
- Netbird
- Netmaker
#25
General Discussion / Firewall rules per user group
March 15, 2023, 03:02:24 AM
Hello!,

Has anybody ever tried to implement firewall rules per user group? Defining rules just per machine IP is not practical for a large office installed base.

I was wondering if it could be implemented, for example, processing any user authentication service logs and mapping user to group to IP and modifying aliases to make permissions apply to the IP matched to the user.

If the alias member maximum is not too low, it could scale the addition to the list. On the other side, clean-up could be an issue.

Thoughts?
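The mechanism sketched in the post above (auth service logs -> user -> group -> IP -> alias membership), worked through as an added example that is not part of the original post or of OPNsense. It assumes a constructed log line format and a constructed user-to-group directory; the OPNsense side (pushing alias changes) is left out, and what it returns is the desired membership per alias plus the add/remove delta, so only changes need to be pushed. The clean-up concern is handled with time-limited leases: a login grants an IP a lease, a logout or an expired lease removes it, and a failed login grants nothing.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log. The line format is an assumption made
# for this example; a real deployment parses whatever its auth service emits.
SAMPLE_LOG = """\
2023-03-15T08:01:10 auth ok user=alice ip=10.10.5.21
2023-03-15T08:02:30 auth ok user=bob ip=10.10.5.34
2023-03-15T08:05:00 auth fail user=mallory ip=10.10.5.99
2023-03-15T09:10:00 auth ok user=alice ip=10.10.7.12
2023-03-15T09:15:00 auth ok user=dave ip=10.10.5.50
2023-03-15T09:20:00 logout user=bob ip=10.10.5.34
"""

# Hypothetical user -> group directory (constructed); one alias per group.
USER_GROUPS = {"alice": "finance", "bob": "sales", "carol": "finance"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth ok|auth fail|logout) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, event, user, ip); lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]


class LeaseTable:
    """ip -> (user, expiry). A successful login grants a time-limited lease; a
    logout or an expired lease removes the IP, so aliases never grow forever."""

    def __init__(self, lease):
        self.lease = lease
        self.leases = {}

    def apply(self, ts, event, user, ip):
        if event == "auth ok":
            # Last successful login wins for an IP, so a reused address never
            # keeps an earlier user's permissions.
            self.leases[ip] = (user, ts + self.lease)
        elif event == "logout" and self.leases.get(ip, (None,))[0] == user:
            del self.leases[ip]
        # "auth fail" deliberately grants nothing.

    def expire(self, now):
        for ip in [ip for ip, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[ip]

    def group_members(self, user_groups, now):
        self.expire(now)
        members = {g: set() for g in set(user_groups.values())}
        for ip, (user, _) in self.leases.items():
            group = user_groups.get(user)
            if group is not None:  # users outside the directory get no alias
                members[group].add(ip)
        return {g: sorted(ips) for g, ips in members.items()}


def build_alias_membership(log_text, user_groups, now, lease=timedelta(minutes=60)):
    """Desired alias membership at time `now` (datetime or ISO-8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    table = LeaseTable(lease)
    for ts, event, user, ip in parse_events(log_text):
        if ts <= now:
            table.apply(ts, event, user, ip)
    return table.group_members(user_groups, now)


def alias_diff(current, desired):
    """Return (to_add, to_remove) per alias so only changed members are pushed."""
    to_add, to_remove = {}, {}
    for group in set(current) | set(desired):
        cur, want = set(current.get(group, [])), set(desired.get(group, []))
        if want - cur:
            to_add[group] = sorted(want - cur)
        if cur - want:
            to_remove[group] = sorted(cur - want)
    return to_add, to_remove


def over_capacity(membership, max_members):
    """Aliases whose member count exceeds the firewall's alias size limit."""
    return sorted(g for g, ips in membership.items() if len(ips) > max_members)


if __name__ == "__main__":
    desired = build_alias_membership(SAMPLE_LOG, USER_GROUPS, "2023-03-15T09:30:00")
    current = {"finance": ["10.10.5.21"], "sales": ["10.10.5.34"]}
    print(desired)
    print(alias_diff(current, desired))
    print(over_capacity(desired, max_members=1))
```

Run with the constructed log at 09:30: alice's first lease (08:01) has expired, bob has logged out, dave is not in the directory, so only alice's 10.10.7.12 remains in the finance alias, and the diff says to add that address and drop the two stale ones. Whatever pushes the result to the firewall should apply `to_remove` as reliably as `to_add`; that is where the clean-up problem lives.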
#26
General Discussion / Re: Full Disk Encryption
March 09, 2023, 02:07:45 AM
How would you cover that case? I would like to block attackers trying to steal OpenVPN or ZeroTier credentials from a stolen device.

I would need to deploy several sites, many remote and mostly sale points with very basic physical security.
#27
Quote from: drew442 on February 08, 2023, 01:19:43 AM
Pretty sure my 3040 has the NIC attached via PCIe. The Z8300 machines I have use the NIC via USB; I thought this, besides a small difference in boost clock, was the difference between them?

Or is the USB for a second NIC? You can just use VLAN interfaces instead...

Interested in this too. Would be a nice branch office gateway paired with a switch.
#29
General Discussion / Managing firewalls at scale?
March 09, 2023, 01:18:14 AM
Hello!,

What are currently the best practices to manage firewalls at scale? Let's say I have 10-20 locations with a small firewall at each site; how do you handle configuration? Replication? Scripting?

I saw some nice options around, but they are SaaS and I prefer something I can control.
#30
Hello!

How are you doing? I have a scenario and I wonder what's the most straightforward solution.

Having several sites to connect, I'm thinking about deploying OPNsense in a small box on the remote site and a two-node cluster at the main office, with ZeroTier connecting everything.

Now regarding routing:

- Should I use no routing on ZeroTier + BGP in OPNsense, or should I use the embedded routing of ZeroTier?
- Static routing setup on ZT is centralized and simple, but won't cover CARP scenarios with a gateway failover.

Regarding filtering:
- Should I allow everything between gateways and filter everything in OPNsense?
- Should I allow everything in OPNsense and filter everything in ZeroTier?
- Or a mix? Filtering different things in both?