
Messages - Fabricio

#1
Hardware and Performance / Re: Anyone using these?
June 11, 2018, 09:39:06 PM
Hi SHTECH,

Yes, I have several different Mini-PC HW, including the one you mentioned. Some others from a different brand. All of them use the same hardware/processor/NIC. I never had any problem with them.
Everything works really OK. Did you check your SSD and memory comb? Sometimes it's the hardware that has problems.

Regards
Fabricio.
#2
In time, I wrote something about the same subject some time ago:

here--> https://forum.opnsense.org/index.php?topic=7573.0
#3
Hi Fabian,
Sure. I am aware Squid has some great capabilities for ACL, but my only concern would be the size of the Blacklist loaded to memory. E2guardian and squidguard, for example, use a small database to enumerate the blacklist, making it reusable for different ACLs. Squid would have to load the blacklist file (sometimes several times) in memory to handle different ACLs. That may be a serious problem. (performance and memory usage)
Any thoughts?

Regards
Fabricio.
#4
Hello Guys,
I believe HBROICH is trying to set different blacklists (or filters) for different groups of users (Which is possible using squidguard on that other firewall). This is something I am chasing as well.
Squidguard has an "LDAP search" option which checks if the user is part (or not) of a certain usergroup.
Based on that, it applies the blacklist (or not), blocking the URL.

Question for Franco:
Do you intend to add some Content-Filter (like E2guardian/Squidguard,...) to OPNSENSE? I know OPNSense is using pure Squid with ACL, but you know it's missing some cool features because of that.

I am working to add E2Guardian to my OPNSENSE build. I will miss the PHP GUI at last.

Regards
Fabricio.
#5
Hello Gentlemen,
I've been thinking about it... I am also working and looking on something like this.
I was wondering if the "web-proxy-useracl" plugin could be modified in order to match the Blacklists File/name.
Check pictures attached, please.
It would go like this:
1- You create groups on Active Directory (AD).
2- You capture the AD groups on OPNSense (Menu System-->Access-->Users/groups)
3- You download your preferred Blacklist file and give it a "Name"
4- From the "Proxy Menu --> Administration --> Forward Proxy --> Authentication Settings" you choose AD Authentication.
5- From the "Proxy Menu --> Groups and Users" where is "Name", you should input the "AD group" you want to match the Blacklist. Where is "DOMAINS" you should add the Blacklist Name you previously configured on step 3.

That way, you will have, not only the same squidguard ACL-GROUPS functionalities, but something absolutely better, since on squidguard you have to deal with ldap-search lines that are pretty confusing and here it would be all "Web/Icons/Objects based"
Additionally, (just a suggestion) it would be great to add an extra field to the "Authentication menu" with a "CUSTOM AUTHENTICATION" so we can add whatever authentication we want like the Winbind SSO/Kerberos/WMI, etc.

Since we would be working with "existing variables", how hard would it be to make such changes?

There is one thing I don't know: Since opnsense doesn't use squidguard, I am wondering the compatible commands on it, like we have on squidguard (ldapsearch) to match "groups and users" to Blacklists.
(What product is opnsense using to replace squidguard, by the way?)

I am not good with php/mvc , so I can help with Money/UAT/Test support.

Gentlemen, OPNsense is already an absolutely wonderful product, but that would raise it to a new level, since you only see features like this on "expensive & commercial" products like BlueCoat/Cisco/Fortinet etc.

Please let me know if someone would be interested. I am on the boat.  :-)

Fabricio.
#6
Hi Franco. 
Now I got the point!
I am trying this "or" that, during the day.

I am having great times, believe me. :-)
Once again, I really appreciate the help.

Fabricio.

#7
Hi Franco.
Thanks Much! It's always clarifying to talk to you guys.

So, I am asking about bsdinstaller because the " OPNsense Installer" is still showing the original Welcome message, MOTD and hourglass logo, even after all the customizations. The only location I could see the "Welcome message and logo" was in the bsdinstaller folder.
That's why I have imagined the scripts are still calling/cloning the original opnsense repositories, not the forked one.
The interesting part is that all the other customizations are working really fine. Just the "Installer" is still showing the original messages.

Appreciate the help!

Fabricio.
#8
Hello Gentlemen,
Hmmm... trying to understand how to update bsdinstaller (only) without having to update other repos.
Any tip for that?
I already generated a DVD ISO, but I have found I missed some items and I had to change it later. Now I just want to update/clone the bsdinstaller only. After that I will try to re-generate the DVD with the updates.

Thanks!!
Fabricio.
#9
Quick question:
Once I have created my first DVD image, is there a way to update the "bsdinstaller" contents only? Or do I have to update the whole thing? I didn't identify the "bsdinstaller" cloning process during the building.
I think it got the contents from the official opnsense repository, not the one I forked. The other branches went really fine, it got from my fork.

I bet I committed a mistake during the process. :-)

Thanks Much,
Fabricio.
#10
Thanks Franco, Thanks MIMUGMAIL.

Really great information. I did a first try yesterday. It took no more than 5h:30 mins at all. (from scratch)
Today, I customized some items and added the winbind/samba scripts to the main menu, also a few cosmetic changes. I will only clone the tools again and try the "make update", maybe it will download the "changed" info only, right? (delta)
I am enjoying this phase.  Really great.

Thanks Much
Fabricio.

#11
Just curious... How long to build an image from scratch?
I am using a Hyper-V VM with 20 Cores and 12 GB mem, under a physical host with Dual Xeon E5 2667 family (24 Cores) with 32 GB Mem. So long, it took ~5 hours and counting...

I see the script is downloading additional packages in real-time, which takes soooo much time to complete. Wouldn't be the case to run a "portsnap fetch extract" before starting the final "make"?

Regards
Fabricio
#12
Thanks Franco, thanks Fabian.
I have responded to your e-mail Franco. Thanks a lot.

All right. Before I start trying to customize anything, I am following the link sent by Fabian (the way it is FIRST, so I can get familiar with the steps/processes) and here is what I got.
****************************************************
background OS-->  root@opnsource:/usr/tools # uname -a
FreeBSD opnsource 11.1-RELEASE-p9 FreeBSD 11.1-RELEASE-p9 #0: Tue Apr  3 16:59:16 UTC 2018     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Clang--> root@opnsource:/usr/tools # clang -v
FreeBSD clang version 4.0.0 (tags/RELEASE_400/final 297347) (based on LLVM 4.0.0)
Target: x86_64-unknown-freebsd11.1
Thread model: posix
InstalledDir: /usr/bin

******************************************
make update--> >>> Removing /usr/ports... rm: /usr/ports: Device busy
*** Error code 1
Stop.
make: stopped in /usr/tools
******************************************

I found out that I can't use ZFS. After rebuilding the BASE-server with UFS, everything went OK.

Now building the image.

Thanks Much!

Fabricio.
#13
Hi Franco,
It's me who has to thank you for such a warm message.
I will start working on it immediately. Probably will bring doubts later.
Let me know (in private if you prefer) on how to contribute with the project (financial and intellectually)

Thanks Much!
Fabricio.
#14
Hello OPN family,
I am just starting here after several years and "frustrations" with the current situation at the "pfsense".
I think at this point I don't need to explain what happened. Everybody knows that it is NOT an opensource anymore.
After version 2.4.3 I can't even compile my own customized kernel anymore.
After all these years, contributing and supporting the product...
That's when a good friend advised me to forget about it and come to OPN family.
I accepted the challenge and here I am.
I have to confess...I am totally amazed with the things I see here. I didn't know the OPN was sooooooooo advanced.  W.O.W.
I was keeping a customized fork of pfs for years with proprietary authentication (winbind) and recently developing a new authentication mechanism using WMI (wmic - wmi client) since I have very good expertise and background over MS WMI queries/protocol. That's when I got SERIOUS problems with it. I got locked/stuck. I can't even compile my custom kernel (Yes, I need one to support my proprietary LCD based on Arduino - uchcom driver with NIS).
So, before I start shooting repetitive questions, here is a doubt:
Is there a doc/how-to with steps on how to build OPNSense from the sources? I will probably have to fork the github and customize it according to my needs. Any help will be greatly appreciated.

Thanks Much!
Fabricio.