Messages - Gauss23

#1
Thanks Franco. The plugin is installed via the firmware UI. It's currently in a custom repo; the plugin is then listed as ready for installation, like the original plugins. But after installation it stays in the state of "misconfigured". Is this normal for plugins from custom repos?

I would like to add this plugin to the OPNsense plugin repo. What is needed to do so? Create a pull-request?

Kind regards,
Chris
#2
Hi everyone,

I'm in the process of helping to develop a Netbird plugin for OPNsense.
It actually works quite well already, as you can read here: https://github.com/netbirdio/netbird/issues/2200#issuecomment-2600784609

The plugin os-netbird is reported as misconfigured in the plugin section.

I discovered that the plugin is not registering in the firmware section in the config.xml, i.e.:
    <firmware version="1.0.1">
      <mirror/>
      <flavour/>
      <plugins>os-qemu-guest-agent</plugins>
      <type/>
      <subscription/>
      <reboot/>
    </firmware>

When adding the os-netbird after os-qemu-guest-agent, it is reported as installed.

What is the problem?
The plugin code is here:
https://github.com/moserpjm/opnsense-plugins/tree/stable/24.7/net/netbird

I assume it's just a small issue.

Thank you!
#4
Are you using PPPoE to establish the connection? Linux has a far better implementation of PPPoE than BSD from my understanding. There are some threads about people complaining about slow uploads on PPPoE.
#5
General Discussion / Re: Put dedicated LAN port in VLAN?
November 09, 2024, 06:58:18 AM
Why do you want to use a single VLAN?
You could just plug a switch into the LAN port and connect your client devices.

What's the goal of the VLAN 500?
#6
Virtual private networks / Re: Zerotier Firewall Rules
October 26, 2024, 08:33:40 AM
As always: check the firewall live log and filter by interface. I assume that Zerotier address as source is not correct. I think this is an automatically created alias by OPNsense for the local interface address. Change it to any for a moment and check again. Always enable logging on your rules.
#7
Did you use the getting-started script with podman, too? Or did you configure the management node manually?
#8
General Discussion / Re: Who uses opnsense in companies
October 24, 2024, 09:46:29 PM
Quote from: bimbar on October 24, 2024, 10:39:24 AM
We have some opnsense firewalls in the field.

It lacks some critical features for us to roll it out in a wider context.

For example:
- better firewall rule ui
- an easier way to import basic configuration, a cli would be great for that

To be honest, the firewall rule ui is one of the best I've seen. Don't like the FortiGate view. There are a couple of small things I would change and some annoyances but nothing deal breaking.

Which ui is better in your opinion?

The last FortiManager security flaw was really scary.
#9
Firewall live log, and filter there by the source accordingly, for example.
#10
General Discussion / Re: Who uses opnsense in companies
October 22, 2024, 10:55:06 PM
Sadly, that's manager speech. There was the quote "Nobody gets fired for buying IBM" in the past. The same applies for products which are in the Gartner quadrant in the upper right. Open source products always struggle against common managers.
They calculate some funny total cost of ownership (TCO) and bring some "uncalculatable risk" on the open source side.
Good thing is that there is good commercial support for OPNsense.

The managers will still say that it's easier to find a technician for a Meraki/FortiGate/Palo and so on instead of someone who knows OPNsense.
#11
My Netdata plugins also don't work anymore. Can't tell since which version. The version in the FreeBSD ports is sadly also very old. Maybe it's an option to install it in a different way?
#12
So what I have found so far would be this:
googlevideo.com
youtu.be
youtube-nocookie.com
youtube.com
youtube.googleapis.com
youtubei.googleapis.com
ytimg.com
ytimg.l.google.com

Create these as an alias and then use it as the destination. Then redirect the gateway to the WG tunnel.
#13
Here is how it looks for me:
Instance:
https://pasteboard.co/rlLuEvVx9qsq.png

Peer:
https://pasteboard.co/1cidmdokuhQM.png

The other side has:
10.4.3.30/26 as Tunnel Address
and 10.4.3.1/32,10.4.3.0/26 under Allowed IPs
#14
I would suggest using the interface group feature:
https://docs.opnsense.org/manual/firewall_groups.html
#15
I would start with the basics: do you see the packets from the respective other OPNsense in the live view of the firewall logs? That assumes you have enabled logging for the rule. Is there a rule on the WAN on each side that allows port 51820 (or the port you chose)?