Messages - cyberzeus

#1
Totally agreed on all points...folks here really shouldn't take offense re: any reference to pfSense.  Being different doesn't mean absolutely better in every area.  pfSense does do some things well but for the reasons discussed in the OPNsense docs, this platform has a lot of strong points and solid goals...
#2
Hmmm not quite...the most common use is bulk IP black\whitelisting.  It also has DNSBL and GeoIP blocking.

As I mentioned, OPNsense has some of the core functionality but it's not nearly as easy to use given the UI.  If some key changes were made to the OPNsense UI, I can see close to functional parity.  At present, achieving the same functions is a definite headache in OPNsense...
#3
General Discussion / Roadmap & UI for IPS section
January 02, 2018, 08:58:40 AM
Hello,

The UI in the Intrusion Detection section really needs some serious improvement.  I do note the roadmap specifies "UI layout improvements and consolidation" so I am wondering if this will include improvements in the IPS section and if so, an idea of what is being done.

Also, the Roadmap is only showing the Jan 2018 release - surely you folks have this thing scoped far beyond one release ahead so do you plan on posting more than just the next release on the roadmap?

Thanks.
#4
Quote: You don't have to underline pfBlocker in every post.

Wasn't aware there is a style book for OPNsense forums...besides, too much clarity never hurts... 8)

That said, the "better way" is probably a port of the functionality found in pfBlocker...why re-invent when it isn't broken?  Furthermore, the platform is part of the way there anyhow - most of the stuff I see missing is UI\UX...some operational things as well but not seeing how it would be terribly difficult to code given how far the platform is already...
#5
I think I see the issue here...

In your OP, you stated outbound "port forwards".  When I read that I thought you meant Firewall --> NAT --> Port Forward.  That is the section where I was able to set up the port range.  In the actual "Outbound" section, I had to first set up an alias that had the port range and then use the alias as the source\destination ports in the NAT Outbound rule.
#6
Did you see the image I posted?  Also, after selecting "(other)", you will have two fields that show up below "(other)" - one for "from" and the other for "to".  The attached image is taken just after selecting "(other)" and entering in the desired port range.

#7
Like this?  If so, then you need to first select "Other" and then the port range...
#8
Quote from: tgoodrich on December 31, 2017, 05:01:21 AM
To make a long story short pfSense does have most all the features I need but I found it not very intuitive and as such I had a difficult time setting it up. As you could guess I had to ask several questions in their forum. What I found was that several of the questions I asked went unanswered and when I did get an answer it was usually either condescending or unhelpful, sometimes both.

@tgoodrich,

That's really unfortunate - that has not been my experience over there with the pfSense folks.  Sure, some users here and there can be less than civil but for the most part, I've had really good interactions especially when compared to something like IRC.

In terms of ease of use, things like basic FW functionality are pretty straight-forward and similar on either platform.  On the flip-side, the toughest thing I've encountered thus far was IPS tuning but that is more a function of the IPS, not pfSense or OPNsense.

Also, in terms of the pfBlocker functionality in OPNsense, you're just not gonna find parity here.  As I've posted elsewhere here on these forums, the pfBlocker package is very functional and while some of it is possible with OPNsense, you may be required to use a proxy, the FW rules can become challenging to manage, updates are limited in terms of frequency, etc.  Is it doable?  Sure - to a point - but again, you may need to use the proxy to get there and IMO, that just shouldn't be necessary...

Don't get me wrong - OPNsense has strong points - much better traffic reporting, overall cleaner interface, much easier installation, code sanity check and rewrite, etc.  And of course, the support - these folks seem really eager to make this thing great and keep it true open-source which for me, is a huge thing...
#9
17.7 Legacy Series / Re: pfBlockerNG on OPNsense
December 31, 2017, 09:55:58 AM
Quote: While researching I found out about IPS and using "aliases" (https://forum.opnsense.org/index.php?topic=2137.msg6867#msg6867)

@dlaube

I saw that also but when I tried to configure it, it did not seem to offer anywhere near the same functionality that pfBlocker does.  Also, it doesn't employ the IPS - it utilizes the FW much like pfBlocker does except that the latter adds the FW rules automatically whereas with OPNsense, you need to manually add the FW rules.  Also, a few other deltas vs. pfBlocker:

  • You must use the alias type URL Table (IPs)
  • You cannot enter more than one list per alias whereas with pfB, you can add as many as you wish - This is a huge FW rule mgmt issue.
  • You cannot disable a portion of your alias like you can in pfB.
  • The minimum list update interval is 24h whereas with pfB, you can go from 1h up to 1 week.
  • There are others mainly because pfBlocker is a very comprehensive package.
See this for more details: https://docs.opnsense.org/manual/how-tos/edrop.html?highlight=aliases

Also - FYI - I found another discussion relating to this where they utilize the proxy and blacklists.  I tried setting it up and it didn't work.  Probably an issue on my end but also, as you alluded to in your post, it still only works for ports 80\443 - far too narrow for what we want with pfB.  As I'm sure you already know, pfBlocker doesn't care about ports - just IPs and subnets - which makes it far more functional in this particular realm.  And that aside, we really shouldn't be required to employ a proxy just to get mass IP address\subnet filters.

I do like this platform and from what I've seen, the devTeam seems eager to get stuff built into it so here's hoping they will kick this around and add more pfB-esque functionality - or maybe even port pfB - to OPNsense.

In case you're curious, here is the link to the proxy method I mentioned above:
#10
Hello,

First - a suggestion - it might be good to have a dedicated forum for UI\UX topics.

Next, two features that I have used in the past that I think would be great additions to OPNsense:


  • Have aliases show their contents via popup when hovering over them wherever they are configured - such as in FW rules.
  • Add a new icon next to each enabled FW rule that shows state details via popup when hovering - info like eval, packets, bytes, states active, states created, etc.

Thanks.
#11
General Discussion / Re: IP and URL Block Lists
December 31, 2017, 08:53:01 AM
Hello OPNsense folks,

Aside from the proxy method described here, I have read that this functionality can be accomplished using aliases.  However, even with that, there is a lot of pfBlocker functionality not present in OPNsense that, if added, would be of great benefit to the platform.

With that in mind, are there any plans to provide a fully functional pfB port or similar to OPNsense? 

It is a very useful and powerful package as it offloads a lot of load and resource drain from the IPS and adds in other functionality as well.

Thanks.