Messages - msturtz

#1
25.1, 25.4 Production Series / Migration script?
April 17, 2025, 04:35:47 PM
Hi,

Once 26.1 comes out, legacy OpenVPN configs will be deprecated; will there be a migration tool or script to move those configs to the new Instances section?  Or should I work on migrating that myself before then?

Same question for ISC DHCP over to Kea DHCP, but that might be more complicated -- OpenVPN is still OpenVPN, whereas ISC and Kea are totally separate.  Also, in the GUI at least, ISC doesn't say anything about going away.

Thanks all!  :-)
#2
23.7 Legacy Series / Re: VnStat included in backup
August 07, 2023, 11:47:22 PM
FWIW, I just noticed the box I ran the backup *from* is still on 23.1.11.  The purpose of the backup is actually to test out my config on newer hardware (Sophos XG105 instead of UTM220) -- but I'd like the historical vnstat data to come over as well.

If it's not included in the backup, obviously I can just stop vnstat and copy over /var/lib/vnstat/vnstat.db -- no biggie.
#3
23.7 Legacy Series / VnStat included in backup
August 07, 2023, 11:42:48 PM
Hi, I have the VnStat plug-in -- great for monitoring usage against provider caps...

I ran a backup from System -> Configuration -> Backups, including the RRD's.  I'm not positive, but it doesn't *appear* that the VnStat data is included in the XML backup.  (* yes, I realize VnStat has its own data, not associated with RRD's -- I said "including RRD's" thinking that might change the behavior).

Can anyone confirm if that is the case?  If not, could that be a feature request?
#4
Quote from: sorano on September 10, 2021, 08:39:28 PM
Sensei policies are not that granular since you are limited to 3 policies on the paid home model. So basically allowing Facebook for 1 kid and blocking it for another you already wasted 2 of 3 policies.

It's the biggest flaw of sensei really and I'm forced to use one and the same policy for all my kids.
3 is probably not enough, unless I can enable it only for a specific interface...  I have a separate VLAN for kids, ostensibly because I don't want MY stuff going through the Circle.  :-)

Quote from: sorano on September 10, 2021, 08:39:28 PM
OP, you don't give much information about what's wrong with the "it's not working". What exactly isn't working?
I'll take a wild guess and say that the mycircle isn't blocking the traffic like it is supposed to?

Have you done any troubleshooting? I would start by checking the ARP table from a device on the kids VLAN to see if the mycircle is doing its MITM as it's supposed to. If it is, you should see the MAC of the mycircle on the default gateway.
After a factory reset of the device and the management app, and repeating the initial setup, it gets as far as connecting the device to WiFi, and then the app can't find it, which has to happen before it can actually do anything.  The AP shows it connected, and DHCP is giving it an IP.  But the app can't find it.

Their support says it must be because the firewall is preventing ARP spoofing.  I don't know how that could even happen; the firewall can't block ARP packets at Layer-2...  The AP or switch potentially could, but those haven't changed in literally years (both are long-since out of support).  They said the product is designed for a "simple home network", and won't work with an "enterprise firewall".

They also say the device is old and support isn't guaranteed.  To which I replied, either support it or call it end-of-life and tell me to buy a new one!  And I received back pre-canned instructions to factory reset the device and the app, reboot my modem, and try again...  Which I've done several times...   :o

I'd be good with a replacement solution, but haven't found one I like.  I need easy app control over time limits (including extensions / rewards) on a per kid basis.  That's the most important at this point...
#5
Quote from: athurdent on September 10, 2021, 06:45:43 PM
OPNsense already does child protection perfectly here, using Sensei. You can even pay for it (which I did because it's worth it).

Unless there's something I don't understand, and that very well may be the case, Sensei is security and threat-prevention, which is great, and brings OPNsense up to par with the big commercial players.  But it's not parental controls.  I need to enforce off-time for specific users (which I can pre-define by MAC address), with an easy way to grant additional time.  I need to enforce basic content filters, again for specific users (so one kid can use Facebook, but the other can't).  The Circle device accomplishes both of these and more, beautifully -- until it quit working  >:(
#6
Quote from: fabian on September 10, 2021, 06:47:31 AM
Since ARP spoofing is an attack at L2, OPNsense would be behaving perfectly correctly by preventing it (if it does).

That should imho not be supported. If you want to filter the client traffic, you can do so on OPNsense itself.

I get it.  Generally you don't want ARP spoofing happening on the network.  But it's a fact of life on public Wi-Fi -- someone at a Starbucks should assume their packets are being intercepted, and must rely on universal end-to-end encryption.  There's really no other option.

In my case, this is ARP spoofing by design.
#7
Hi--

I have a Mycircle device.  It's a parental controls device -- it connects to WiFi, and then uses ARP spoofing to "become" the default route so it can see who's talking to whom.  Based on client MAC (which can be grouped up under profiles -- in our case per kid, so the teenager has different filters than the 9 year old), it can filter access to specific sites, or block all access, and it's controlled by a simple app.   ((as an aside, I absolutely hate this device -- I would love it if OPNsense did this, I'd even pay for it))  I have a separate "Kids" VLAN that has the Circle; the regular VLAN doesn't...

The device hasn't been working, and support is saying it isn't their fault, it must be the firewall preventing ARP spoofing.  They say it's designed to work with a normal network, not an enterprise network (their words).

I haven't changed anything on the firewall in a long time, but I *HAVE* kept up on firmware updates.  In fact I just upgraded to 21.7.2.

My question is...  Did something change in the last, let's say, 6 months, that would affect this?  Is OPNsense now able to detect ARP spoofing / IP takeover, and somehow prevent it?  Can I disable that on a per interface basis?

Many thanks,

-msturtz-
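The check sorano suggests in #4 (look at the ARP table on a kids-VLAN client and see which MAC answers for the default gateway) is the quickest way to tell whether the Circle's takeover described in #7 is actually taking effect. Below is an added example, not code from the thread, from OPNsense or from Circle, that parses the neighbour table of a Linux client and classifies the gateway entry. The `ip neigh show` output, the gateway IP and both MAC addresses are constructed and hypothetical; on a real client you would substitute the firewall interface's MAC and the live `ip neigh show` output.

```python
"""Tell which MAC is answering for the default gateway on a LAN segment.

Added example (not from the forum thread, OPNsense or Circle). It parses
Linux `ip neigh show` output captured on a client in the kids VLAN and
reports whether the gateway IP resolves to the router's own MAC or to some
other host. The neighbour table below is constructed; every address in it
is hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ip neigh show` on a client in the kids VLAN.
# 192.168.20.1 is the OPNsense gateway, 192.168.20.7 is the Circle's own IP;
# in this sample the same MAC answers for both, i.e. the Circle has taken
# over the gateway IP via ARP, which is what the device relies on.
SAMPLE_NEIGH = """\
192.168.20.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.20.7 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.20.50 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.20.51 dev wlan0 FAILED
"""

# Hypothetical MAC of the OPNsense interface on this VLAN (read the real one
# off the firewall, e.g. Interfaces -> Overview, or `ifconfig` on the box).
ROUTER_MAC = "de:ad:be:ef:00:01"
GATEWAY_IP = "192.168.20.1"

# IP, interface, MAC, then whatever follows (flags such as "router", the state).
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<rest>.+)$",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC for resolved entries.

    FAILED / INCOMPLETE lines carry no lladdr and are skipped.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def gateway_status(table: Dict[str, str], gateway_ip: str, router_mac: str) -> Tuple[str, Optional[str]]:
    """Classify the gateway entry.

    'ok'         -> the router's own MAC answers for the gateway IP (no spoof in effect)
    'spoofed'    -> some other MAC answers for it (the Circle's MITM, or a real attacker)
    'unresolved' -> the client has no usable entry for the gateway at all
    """
    seen = table.get(gateway_ip)
    if seen is None:
        return "unresolved", None
    if seen == router_mac.lower():
        return "ok", seen
    return "spoofed", seen


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP: the second tell-tale of ARP poisoning."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    # On a real client replace SAMPLE_NEIGH with
    # subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout
    neigh = parse_neigh(SAMPLE_NEIGH)
    print("gateway:", gateway_status(neigh, GATEWAY_IP, ROUTER_MAC))
    print("MACs claiming several IPs:", shared_macs(neigh))
```

Read the result in the context of this thread: with the Circle powered on, `spoofed` with the Circle's MAC is the working state sorano describes, while `ok` means the gratuitous ARP is not reaching this client, which points at whatever sits between the Circle and the client on L2 (the AP or switch) rather than at the firewall. The parser expects the Linux `ip neigh` format; `arp -a` on macOS or Windows prints a different layout and would need its own regex.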
#8
20.7 Legacy Series / Re: Bandwidth transfer reports
October 01, 2020, 07:38:22 PM
Sweet, thank you! 8)
#9
20.7 Legacy Series / Bandwidth transfer reports
September 30, 2020, 11:06:54 PM
Hi, I found something about this in a very old (2017) pfsense forum post, but I'm not finding it here.  I wanted to find a way to keep track of how much bandwidth *transfer* has occurred, month by month -- my provider has a data cap, and it would be nice to know how close I am to it, and how closely my statistics match theirs, along with some historical data to compare with.

Is there an easy way to run a report that shows transfer, rather than throughput?  Seems like this would be a popular feature.