
Messages - chunky

#1
It would be very nice to have the possibility (via the GUI) to create TAP interfaces by adding a new section under Interfaces / other types / TAP.

Right now, it's pretty straightforward to create them via the console, but they don't survive a reboot unless you have a method to recreate them at each boot.

It should be simple to add this; I mean, I bet it's a few hours of coding or less for the opnsense devs.

Looking forward to it.
#2
18.7 Legacy Series / Re: New suspend to ram plugin
November 20, 2018, 10:21:39 PM
Hi
I think it would have been even better if the functionality was added to the API. It's not very hard to do, but I understand you have bigger things to think about. No problem here.

Anyway, I've never used pull requests or git in general, so I don't know how to proceed.
#3
18.7 Legacy Series / New suspend to ram plugin
November 16, 2018, 11:57:14 PM
I've made a simple new plugin called suspend2ram whose function, as the name suggests, is to put the machine into suspend-to-RAM mode, or S3. It uses the already installed command acpiconf.

You can either go into suspend with the GUI (see the new option in the power menu) or via the API by sending a POST HTTP request. Example with curl from another computer on the network (the -u argument is the API key and API secret of your user, separated by a colon):


curl -XPOST -d '{}' -H "Content-Type: application/json" -k -u "your_user_api_key:your_user_api_secret" https://your_router_ip/api/suspend2ram/service/gosuspend


Personally, I use the excellent home automation server FHEM to automate tasks with other devices, so opnsense can now be easily put to sleep or woken up via Wake-on-LAN on specific events, like presence detection in the house...

This is my first attempt to write a plugin for opnsense, so I may have missed things or there may be other ways to do this. Anyway, I thought it could serve other people, so feel free to use it if needed.

To install, put the file on your filesystem and run:
pkg install os-suspend2ram-1.0.txz

#4
Hello there

I have an issue where, if I power off the opnsense machine with the web GUI or via the API, I can't switch it back on remotely with a Wake-on-LAN packet. The hardware is capable and the BIOS is set up to switch on by WOL. Tested Windows and Linux on the same machine; WOL works OK after a regular power off.
As a side note, if (instead of powering it off) I put it into S3 sleep, it wakes up nicely via WOL.
Unfortunately, ACPI sleep (tested with the command: acpiconf -s 3) is not available via the API, only poweroff is. Maybe it could be possible to add this option (s3sleep) to the API? Could anyone tell me how to do this?

opnsense 18.7.6-amd64 on a zotac nano CI321
#5
If you want to connect to your LAN from the public internet, there are minimal precautions to set up, like:
- change the default VPN port
- use UDP tun
- use certificates
- follow some VPN setup guides focused on security
- limit VPN users to the services you need; don't open the firewall to all ports
- you can also, like me, block VPN access from other countries except yours
- use the AES 256 cipher with 4096-bit keys
There are certainly other things I forgot, but keep in mind there is always a risk; all we can do is limit the penetration vectors.

General security measures:
As a rule of thumb, don't trust apps blindly. Block all your outbound traffic and use a proxy (Squid for example) with authentication for surfing the web, dedicated to the browser, not system wide. That's why you should not use Chrome or Internet Explorer or Edge or any browser that doesn't have its own proxy settings. I use Firefox for this and won't change anytime soon (I know Chrome can also use a specific proxy via launch parameters, but it's well hidden from regular users, plus it phones home to Google servers).

I've chosen an open firewall like opnsense to have full control of the settings; unfortunately, there are some settings hidden from us which are available on a regular pf firewall, like for example the ability to control rules based on the user running a service. I'm thinking of moving back to regular FreeBSD for my internet-facing firewall.
#6
Hi franco

There is a misunderstanding, I think. I would like to block internet access for some services I've added, not those running by default on opnsense. For example, I've added tvheadend (and some other software) and I want them to access the LAN only, not the internet. For this, FreeBSD offers user filtering like Linux with iptables. Is there a possibility to block those users, even if it needs editing files?


ps aux
...
tvheadend 40387   0.0  1.1   92508 44344  -  Ss   12:42      0:18.03 /usr/local/bin/tvheadend -f -p /var/run/tvheadend.pid -c /usr/local/etc/tvheadend -l /var/log/
...
#7
How do I block outbound access of services running on the firewall itself? With packet filter, I found that we can block a user by its UID or name, but I haven't found this option in the opnsense firewall settings. For example, using this rule
block out on em0 proto tcp from me to any port 80 user myuser
should block processes running with uid myuser.

How can I do it on opnsense ?
#8
Anyone???
How do I add a user to another group and keep it across reboots?? It's so simple to do with regular distros, but opnsense doesn't store this simple setting ???
#9
Thank you franco.

I moved to pure-ftpd instead, as it was easier to add/modify virtual FTP users afterwards, since virtual users are managed outside of regular Unix accounts. The FTP server is launched at each boot via /etc/rc.conf settings. Works well so far.

I also would like to know the proper way to add a specific user to another group which isn't visible in the GUI, and thus keep it across reboots.
For now, I'm forced to run the command:
pw usermod tvheadend -G webcamd
each time I boot, because if not, the tvheadend server cannot access the tuner device. Could it be done within the GUI?
#10
Hi there

I've compiled the vsftpd server from ports because I need an FTP server running on my LAN only. It was not straightforward, especially the part about configuring virtual users, but I succeeded, somehow. Now, I rebooted my opnsense machine and the virtual account I had just created (with the command adduser -v) was gone. I don't really understand the mechanisms of opnsense user management; the GUI doesn't show the system's groups and users. So, is there a preferred way to keep manually created users across reboots?

Are there plans to add an FTP server as a service? I guess it would be very welcome for many people. I used to run Tomato firmware on a consumer router and I miss many of its features since I've been running opnsense. That's too bad because, otherwise, opnsense has a nice base.

Another question: what will happen to my compiled/customized programs in /usr/local/ when I make a firmware upgrade? Are they deleted? If so, I guess I would have no other choice than to stop upgrading the OS.
#11
Yes, I understand, but I asked here because I have bhyve on another machine running a FreeBSD distro (nas4free) and I don't have these issues, so I thought it was specific to opnsense. Plus, the fact that bhyve is installed by default made me believe it would work OOTB.
I'll remove opnsense and install pfsense instead; maybe I'll have more luck there.
#12
General Discussion / Re: Whats wrong with Bhyve ??
April 29, 2018, 03:57:19 PM
Nobody there?

I really need to make this work, guys; could anyone help me?
#13
General Discussion / Whats wrong with Bhyve ??
April 23, 2018, 01:13:49 AM
Hi there

I'm trying to run a Linux distro (debian 9.4.0 amd64) under bhyve, but I'm facing very serious issues with the keyboard. Many keys appear to be shifted or non-existent; for example, I can't use certain numeric keys, the dot (.), etc. Moreover, hitting specific keys returns a completely different one. That's a killer feature, but not a very safe nor usable one...
It seems also that grub2-bhyve is not installed, nor available as a pkg?

For now, I run this command to launch bhyve:

bhyve -c 1 -m 1024M -H -A -w \
  -s 0:0,hostbridge \
  -s 4:0,virtio-blk,./ubuntu-server.img \
  -s 5:0,virtio-net,tap10 \
  -s 29,fbuf,tcp=0.0.0.0:5900,w=1280,h=720,wait \
  -s 30,xhci,tablet \
  -s 31,lpc -l com1,stdio \
  -l bootrom,../uefi-firmware/BHYVE_UEFI.fd \
  ubuntu


It appears also that bhyve doesn't retain the boot order after installing an OS; I always get dropped into the UEFI shell, forcing me to boot from the file grubx64.efi at each boot.

Is bhyve completely broken or am I missing something?

For the keyboard issues, I tried the null modem way (-s 31,lpc -l com1,/dev/nmdm0A) but ended up with error messages like
bhyve error: no suitable video mode found. Booting in blind mode

and got stuck there.

Please help