Messages - RGijsen

#1
Franco,
now that's exactly part of our problem. Your answer to everything (and yes I exaggerate) seems to be 'if you don't like it, contribute'. But you know as well as me that's not feasible. Your users / customers are not supposed to be coders, right? I'm not a coder, nor do I have any coders in the company I own. But if we consider buying or supporting a product, does that mean if we don't like something that WAS in there, we can't try to start a constructive discussion on it? Usually I feel that's one of the advantages of picking an open source product, as there's a community that is usually open minded. As opposed to, for example, MS, who just makes choices for users no matter if they like them or not (Windows 10 update terror anyone? But even THEY gave in and reversed it, go figure).
It seems my company is not alone in missing this particular feature, but it's not about this one feature. It's about the general attitude. I really wanted to like OpnSense, and I do, but if this is how customers are treated and how discussions are ended, then that's certainly not the company I want to work with. I wish you the very best of luck with it. No hard feelings, but I'm pretty sure this way it'll cost you paying customers. It cost you at least one already.
#2
Quote from: fmaxwell on May 15, 2019, 05:05:55 PM
Quote from: franco on February 20, 2019, 11:47:14 AM
Over the years we have had to make a choice: listen to the users that we have or listen to potential users who only miss this one feature X. We choose to listen to the former group as that is the one we can depend on. And we also like to build solutions for them, not only take things away.

I was an OPNsense user and I never saw a poll asking if I would be okay with losing countless alias item descriptions I had entered.  Had I seen such a poll here, I would have registered at the time to voice my objections.

I had blacklist aliases I developed to protect our servers, with descriptions that included type(s) of abuse, whether the entry was to be permanent or temporary, and what ISP/organization owned the IP block.  Without those descriptions, it became all-but-impossible to maintain those aliases.  That's why I went through the extremely time-consuming process of migrating back to pfSense.

Imagine if you updated to a later revision of your IDE (integrated development environment) and all of the comments were stripped out of your source code.  That's what it was like.  My well-documented aliases turned into the firewall equivalent of source code with all of the comments and line breaks stripped out.

This is one of the reasons we did NOT make the move to OpnSense. There might be a reason for removing the descriptions, but it's a feature sorely missed. The fact that other vendors might not have it (most I've seen DO have it) should not be the reason to remove it. But more so, the attitude from the developers towards users or prospects made us scratch our heads.

Quote from: franco
The time is better spent elsewhere.
So are our bucks.

But hey, it's a free world, choose whatever suits you.
#3
Ah, missed that reply, didn't enable notify (why isn't that enabled by default for threads you create yourself by the way?). I finally tracked down the issue, which of course was another stupid thing. I went berserk on locking things down. I guess opnsense wasn't allowed access to DNS anymore, as I have a rule for that where the DNS machines are in an alias as well. However, I put them in as FQDN. Flushing all aliases stopped it from having access to the DNS at all I guess, as obviously it couldn't resolve the FQDN with the DNS servers in it. That's probably why rebooting didn't help either. Of course it's stupid to put your DNS as FQDN, resulting in a circle you can't exit.

Fixed by putting the actual IPs in the 'DNS' alias, and within the alias-resolve-time all aliases began populating again. Thanks!
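
The circular dependency described in the post above can be checked for before a ruleset is applied. The following is an added example, not part of the original post and not OPNsense code: it uses a simplified, constructed model of aliases and rules (the dictionary layout, field names and function names are all assumptions) and flags any pass rule for port 53 whose destination alias, including nested aliases, contains hostnames instead of IP addresses.

```python
import ipaddress

def is_ip_or_cidr(entry):
    """True if the alias entry is a literal IP address or network."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def hostnames_in(alias, aliases, seen=None):
    """Collect hostname entries of an alias, following nested aliases once."""
    seen = set() if seen is None else seen
    if alias in seen:          # guard against aliases that include each other
        return []
    seen.add(alias)
    found = []
    for entry in aliases.get(alias, []):
        if entry in aliases:
            found += hostnames_in(entry, aliases, seen)
        elif not is_ip_or_cidr(entry):
            found.append(entry)
    return found

def dns_bootstrap_risks(aliases, rules):
    """Return (rule, alias, hostnames) for DNS pass rules that need DNS to load."""
    risks = []
    for rule in rules:
        if rule["action"] == "pass" and rule["dst_port"] == 53 and rule["dst"] in aliases:
            names = hostnames_in(rule["dst"], aliases)
            if names:
                risks.append((rule["descr"], rule["dst"], names))
    return risks

# Constructed sample data (hypothetical names, documentation address ranges).
ALIASES = {
    "DNS": ["ns1.example.net", "ns2.example.net"],   # the problem case
    "DNS_FIXED": ["192.0.2.53", "192.0.2.54"],       # the fix from the post
    "Resolvers": ["DNS", "198.51.100.0/29"],         # nested alias
}
RULES = [
    {"descr": "allow DNS (FQDN alias)", "action": "pass", "dst": "DNS", "dst_port": 53},
    {"descr": "allow DNS (IP alias)", "action": "pass", "dst": "DNS_FIXED", "dst_port": 53},
    {"descr": "allow DNS (nested)", "action": "pass", "dst": "Resolvers", "dst_port": 53},
    {"descr": "allow HTTPS", "action": "pass", "dst": "DNS", "dst_port": 443},
]

if __name__ == "__main__":
    for descr, alias, names in dns_bootstrap_risks(ALIASES, RULES):
        print(f"{descr}: alias {alias} needs DNS to resolve {names}")
```
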
#4
19.1 Legacy Series / Re: Firewall rules not working
March 08, 2019, 11:22:13 AM
Quote from: Senjuu on March 08, 2019, 10:56:26 AM
Yes it is sending the traffic back as I stated, that I can access if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.

I just re-read your post, and I can't see you state DMZ can actually send back. For test, what happens if you replace the Ali alias with the actual IP? Please check in firewall --> diagnostics --> pftables and select the ALI alias. Check if there's actually any hosts in there. Just to be sure, did you put IP's or FQDN's in the alias?
#5
Anyone? I'm just testing, but in my test setup I've flushed a table by means of test, but after tens of reboots the tables still aren't repopulated.
#6
19.1 Legacy Series / Re: Firewall rules not working
March 08, 2019, 10:44:57 AM
Check firewall --> log files --> live view, if you want, set up a filter to your DNS address, and connect again. Then you'll see whether opnsense blocks or something else is wrong. Is the DMZ host actually using opnsense as a gateway to get the traffic back?
#7
19.1 Legacy Series / Re: Kernel panic after upgrade
March 08, 2019, 10:25:16 AM
Quote from: akron on March 08, 2019, 01:24:22 AM
I'm a peaceful person however as an enterprise user it amazes me the quantity of bashers and shills in this forum. (Almost same rhetoric as pfsense decadent times)

First of all everyone is free to choose what is necessary to deliver the job.

Coming from Cisco and Dell background, spending 15000€ per device in useless hardware for many years because of the BIG brand and BIG things and the BIG names, still useless for the price TAG.

Second this is an open source, community fuelled project, actually one of the best projects in terms of performance and features globally available.

If one is hurt about these bugs, please open your wallet and buy the iPhone of firewalls, CISCO, PALO ALTO, Fortigate and so on and be happy.

No one can demand or snow flake around because there is a bug, I've been running enterprise hardware from Deciso moving away from Cisco and never once been disappointed. Franco helped many times fixed bugs, and as an active user contributed many times monetarily to the project and will continue to do so, because it pays the bills around here.

Also running dozens of virtual workloads, from time to time there is a bug here and there, however one is responsible for the R&D and as AD mentioned, also planning proper upgrade procedures and regressions is the user responsibility.

No serious enterprise company sysadmin cries around because there is a bug in this or that open source project, maybe is fine crying around when Cisco fails, or palo alto but not open source.

To conclude, this project saved thousands of pounds to many organizations across the scene and these types of toxic comments undermine the project vision, so no point escalating it going further.

I totally agree on that. But I still feel some of the devs could be more professional in their communication as well. Of course, it's their project, but if you disagree on something you are immediately labeled a pain in the @ss, bullied away, 'feel free to use another software', 'we don't click', we don't get paid, we don't have hardware, get banned, or whatever has passed in the last days. It's their project, but that doesn't mean they need to act like a God or something. People say things in the heat, probably we all do. But especially the admins / devs could be a bit more open minded as well, they are more or less an advocate for the atmosphere on the forum. It's what killed so many open source projects before. Don't let that happen again.

Just my 2 cents.
#8
2019-03-07_hbsd_11-stable_disc1-02.iso

Server 2019 Hyper-V:



W10 1809 Hyper-V (so pretty much same Windows base, but it does show different addresses):




spare HPe DL360 gen9 (Xeon E5-2630 v4 for what it matters) - UEFI boot (through iLO):



loads extremely slow for some reason, but boots perfectly fine.

If you want me to do specific tests on any of them, just ask.

#9
19.1 Legacy Series / Re: Kernel panic after upgrade
March 06, 2019, 06:48:25 PM
Please check this updated document, yours is from 2016: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/supported-freebsd-virtual-machines-on-hyper-v
States gen2 is supported, as long as you disable secure-boot. That's what I find with other FreeBSD installs on Hyper-V as well.
#10
19.1 Legacy Series / Re: Kernel panic after upgrade
March 06, 2019, 04:14:54 PM
Honestly, I don't care how you feel about me. If you've made your image of me based on the 14 (count 'em!) posts I've made so far, that tells me more about you than about me.

As stated, I tried to be constructive, as do other people. But hey, we don't click. So whatever I offer is probably not any good. Too bad, I can live with that. I can't contribute code-wise if its <> .NET or gwbasic. But if my car's engine blows out, I can't fix it either. That doesn't mean I shouldn't drive one.

Anyway, it seems I can't help at all fixing this issue. Sorry community, my bad, I tried.
#11
19.1 Legacy Series / Re: Kernel panic after upgrade
March 06, 2019, 04:01:19 PM
Not sure what you are trying to achieve with your attitude. A few post back you replied to me that I should sponsor the project. I ask you how, and this is your response?

People offered machines (even if VPS) but that doesn't seem to be what you want either. No offence, but I said I tried to be constructive, and asked how I / we can help. Not what we can do NOT to help you. But alas. Take out the popcorn.
#12
19.1 Legacy Series / Re: Kernel panic after upgrade
March 06, 2019, 03:42:46 PM
All fair enough, but I have to agree with peter008 here; this is quite some bug, killing opnSense for weeks on end now, which could quite easily have been tracked or at least found before eol-ing 18.x. I'm just wondering (trying to be constructive again), what hardware do you test the builds on before putting them out on the street? I assume there's multiple devices tested, right? Of course it's obvious not all hardware can be tested, there's practically an unlimited number of different configurations out there. Still, this bug as far as I could distill from the fora is with UEFI machines, and maybe slightly related to Spectre / Meltdown patches (although disabling them didn't help me). That means pretty much any Intel based pc / laptop from the last.. 5 or 6 years? Testing on an ESX machine or Hyper-V which ships in every Windows 10 Pro on its own is trivial. So really I'm trying to understand your point here.

You keep telling us to donate, which I might if I have enough confidence (we are still evaluating OPNSense in favour of our current pfSense setup) but I'm not sure what you'd want. You want my money? You want the most generic Windows 10 box or laptop? I've read a thread this morning where people offer a VPS to test this on as well. Sure, might be not ideal, but WHAT do you exactly need that you don't have right now? It's hard to believe you don't have a laptop running Windows 10? But please prove me wrong and tell me what you DO need.
#13
19.1 Legacy Series / Re: Kernel panic after upgrade
March 06, 2019, 11:23:59 AM
For shits and giggles I created a Hyper-V gen1 VM, installed 19.1 and updated to the latest-as-of-yet 19.1.2, ran fine under gen1. Mounted the disk under a Gen2, and *poof*, still crash. So no, 19.1.2 didn't fix it, although we would have already known that.

While I totally understand the limited resources of the team (all respect for them!), it's getting hard for us to rely on this given that 18.x is now EOL (ie not secure in my book) but 19.x doesn't run at all.
#14
Well, as stated by multiple people, pretty much any Windows 10 Pro machine will do, as you can just enable Hyper-V, and installing a Gen2 VM with OPNSense shows the same issue. While I expect the issue for Gen2 VMs to be the same as with UEFI enabled bare-metal hardware, I can't of course be sure of that. Having said that, it's extremely easy to create an environment that manifests the issue.
#15
19.1 Legacy Series / Re: Kernel panic after upgrade
March 02, 2019, 10:07:51 AM
Quote from: lattera on March 02, 2019, 12:49:07 AM
If the price is right, I will be looking to acquire a budget-friendly system on which to run Hyper-V. HardenedBSD's budget for this kind of thing would be $500 USD.

Just a quick reminder that HardenedBSD accepts donations, both monetary and hardware. We appreciate all contributions of any kind.

While you guys are probably running a *nix variant, any Windows 10 Pro machine (with a fairly recent Intel CPU) will do for testing. My old Intel 5i5RYH NUC, with a i5 5250u cpu suffers the same, with an OPNsense test-VM on Hyper-V, which is available in 10 pro. Server 2016 / 2019 more or less equals Windows 10 (resp. 1607 and 1809 builds). So you wouldn't need an expensive box to test.