Messages - fabio

1
20.7 Legacy Series / Re: firewall groups and interfaces
« on: July 31, 2020, 11:00:20 pm »
The grouped interfaces are not a big deal, but in my 5 minutes of work so far I felt a bit uncomfortable, so an opt-in/out would be great.

Then, for the pleasure of the discussion, my first "random thoughts" about the firewall group are ... 

1) Have a clear distinction between rules applied to a specific interface and rules applied to a bunch of interfaces
So a menu like: 
Firewall
- Groups <-- groups rules
- - grp1
- - grp1
- Rules
- - LAN
- - OPT1
- - OPTx
- - WAN
- Settings
- - Groups <-- groups creation page

2) (As in the previous post) Some references in the rules pages that indicate:
- Which groups are used on this interface (in Rules)
- Which interfaces are used in this group (in Groups)

In my case I use the groups as groups of rules and not as groups of interfaces.
Specifically, I have a "common rules" group applied to almost all the interfaces, where I allow services like ping / remote syslog / smtp / backup / and so on and deny a few others ... then I add specific rules to specific interfaces.

I think this is more useful than a hierarchical side menu … but as I said, this is just my taste and the way I use this feature.

That said, I have a doubt (never tried) about what happens if an interface is used in 2 or more groups ... in which order are the rules evaluated?
 
Cheers
--
Fabio

2
20.7 Legacy Series / Re: firewall groups and interfaces
« on: July 31, 2020, 05:00:19 pm »
This is fine.
I'm using a group to manage "common rules" between various interfaces and you're right, it's an easy way.

So it should be "more logical" to see this aggregation under the "Firewall->Rules" tree and not in the "interfaces" one.

Probably for my taste the optimum would be to see a label (or something else) at the top of the "Firewall->Rules->_interface_name_" page; info that shows which groups of rules are matched before the one listed in the page itself ... but this is just a thought and not really related to the "grouped interface menu".

3
20.7 Legacy Series / firewall groups and interfaces
« on: July 31, 2020, 03:42:17 pm »
First of all thanks for the great work
I’ve updated my lab firewall and all looks good.

So far I just don't understand the meaning of “use firewall groups to group interfaces menu accordingly”.

I do not see a direct relation between a group of firewall rules and the interfaces menu,
with the result of hiding interfaces in sub-menus and possibly duplicating them if you use an interface in more than one group.

I found it a bit confusing but maybe I’m missing something obvious;
can someone explain to me the reason for this choice ... I’m curious to understand

Thanks again to all the developers and the community
--
Fabio

4
20.1 Legacy Series / Re: Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: March 28, 2020, 09:23:48 pm »
Thanks katamadone [CH]

looks like a very interesting workaround  ... next week I'll try it.

Thanks again for this suggestion
--
Fabio

5
20.1 Legacy Series / Re: Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: March 26, 2020, 09:22:26 am »
Unfortunately no valid solution till now.

--
Fabio

6
20.1 Legacy Series / Re: Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: February 18, 2020, 10:28:38 pm »
According to the manual https://docs.opnsense.org/manual/hacarp.html

Quote
To prevent issues spreading over both machines at the same time, we choose to only update on command (see the status page).

So yes, my sync works fine ... but, as you said, it's quite easy to forget the status page push button.

This is my reason to have an external check to monitor the sync status of the 2 nodes.
I've tried looking for a "configuration version" in the backup file and via SNMP, to be able to compare the 2 versions, but I didn’t find anything usable.


PS: I'm running 20.1 in test and a 19.7 in production

7
20.1 Legacy Series / Monitoring of "Configuration Synchronization (XMLRPC Sync)"
« on: February 17, 2020, 11:09:44 pm »
Hi All,

I've a couple of opnsense in HA and all works fine.

Now I need to check if the configurations of the 2 nodes are synced ... so as to be sure to "remember to update your backup server in System: High availability: status"

Does anyone know a sensible way to verify the configuration sync status? Any method/suggestion will be well accepted.

As a general idea I would like to implement a "nagios plugin" to also monitor this check with my icinga2 servers.

Thanks

8
19.7 Legacy Series / IPSec monitoring
« on: October 24, 2019, 09:26:26 am »
Hi All

I need to check the IPsec tunnel status from my monitoring system (icinga2) … in your opinion which is the “correct” way?
… with the opnsense API  (which is the call)
... via a script run by the “icinga agent” installed on the firewall
… something else

Has someone already implemented this type of check?
I’ll be glad for any suggestion

Thanks
--
Fabio

9
19.1 Legacy Series / Re: HAProxy and Let's Encrypt OCSP stapling
« on: July 29, 2019, 03:17:42 pm »
Thanks

--
Fabio

10
19.1 Legacy Series / HAProxy and Let's Encrypt OCSP stapling
« on: June 05, 2019, 04:21:30 pm »
Hi All,

I would like to add OCSP stapling to my HAProxy + Let's Encrypt

Do you know any sensible method to implement it  ?

Thanks for any idea

11
19.1 Legacy Series / Re: frr configuration lost
« on: May 17, 2019, 04:42:17 pm »
I currently use frr6 without the web plugin installed

In my experience the wr vtysh command works fine and saves all the configurations in the "right places"

Code:
# vtysh

Hello, this is FRRouting (version 6.0.2).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

opn1.home # wr
Note: this version of vtysh never writes vtysh.conf
Building Configuration...
Configuration saved to /usr/local/etc/frr/zebra.conf
Configuration saved to /usr/local/etc/frr/ospfd.conf

to start the service at boot I've used the script /usr/local/etc/rc.syshook.d/start/50-frr
Code:
#!/bin/sh

# XXX this should not be strictly needed
/usr/local/etc/rc.d/frr start
 

as in the os-frr package

12
18.7 Legacy Series / Re: OpenVPN DNS data not being sent over
« on: December 10, 2018, 04:37:57 pm »
To force my Windows clients to use the DNS I added
Code:
push "block-outside-dns"
to the Advanced field

13
18.7 Legacy Series / Re: BURP FreeBSD port
« on: November 23, 2018, 11:39:50 am »
Thanks

I'll open the issue and I'll have a look at BackupPC too

14
18.7 Legacy Series / Re: BURP FreeBSD port
« on: November 22, 2018, 09:11:36 pm »
Just to have a remote copy of the xml files in the same way used by all the other devices in my network

At the moment I've a cron script that copies the xml to a server, which is then backed up with burp ... so it would be nice to have a unique method

15
18.7 Legacy Series / BURP FreeBSD port
« on: November 22, 2018, 02:38:48 pm »
Hi,
I started to use BURP (https://burp.grke.org/) as backup software.

Unfortunately the package is not currently available in opnsense but it's present in the FreeBSD ports under:
Code:
sysutils/burp
Is it possible to add this package to our favorite firewall? :)

Thanks
--
Fabio
