Messages

Same problem here, same solution works. No idea why. On another firewall with haproxy, it works.

I pay 12 cents Canadian per kWh (8 cents USD, 7 Eurocents, 6 pence) so my router would have to be using a truly biblical amount of power before I'd consider changing it to something else.

Well, I pay 27 cents european.

IMO the power bills are too high with hardware like that. Better buy a cheap N100 system or something similar. Or at least that was true before the techbros bought all the RAM.

Ich verstehe es nicht... Wenn die GUA sich ändert (welche?), dann passiert was?

Wenn die Public IP von der Firewall sich ändert, auf die ja das SNAT passiert, dann muss die Firewall nicht nur die IP ändern sondern auch die SNAT Regel entsprechend mitnehmen auf die neue IP.
Das hat bei mir mit v6 nicht zuverlässig funktioniert, dann ist alle paar Tage das v6 ausgefallen. Ich halte das für einen Bug, aber das ist halt auch ein extrem selten genutztes Feature.

[Or at least scale the frame to the full height that is available?]

I know you're helping Patrick but it doesn't make things easier here. This is the first post:

Maybe we can get rid of the scrolling subframe? Or at least scale the frame to the full height that is available?

On my screen the firewall rules window uses about half of the available height, but I can scroll way down

This is the commit in 26.1.6:

https://github.com/opnsense/core/commit/0e999cc5a

OP asked for it but did not acknowledge its existence.

One of the reasons we ask for actionable tickets is so the requester can confirm that is what they wanted (or not).

Everybody else adding related context in this forum thread doesn't help progress the initial request anymore.


Cheers,
Franco

Yes, I did not catch that. It is true that this particular bug is fixed, thank you.

Still, the general problem of poor space usage remains. So I completely agree with Patrick on that matter.

I'm not sure what you want exactly. If something as clear as "there is too much empty space, please use it more efficiently" from the perspective of an end user is not good enough, you should probably document it somewhere.

Can we, perhaps, all acknowledge that the complaints of especially the long time users and/or contributors are reasonable and deserve to be heard and discussed in good faith?

Coming back to the general issue of modern UIs - there is a general trend to waste space. I don't think that is something one should accept as normal and reasonable.
The reason that I attach so much importance to this is that this is the central problem of managing firewalls - keeping track of a potentially large
amount of rules.

The answers to that I read in the linked issue do not convince me - like "you should use categories heavily and select only one at a time".
The situation on the ground is that I come into setups I have not built myself and need the be able to work with them. Literally everything is possible, it's like the wild west, and I have never yet taken over a well configured firewall.

That means it is absolutely crucial to be able to get a good overview over a considerable amount of rules just by looking at that firewall rule table.

So those perhaps 20% of wasted vertical space do matter.

Size-shaming us now, eh? 😂

Less my intention, more saying that the kind of hardware you need to push past sustained 10Gbit/s is immense, even 25Gbit/s (stateful firewall performance) is already quite a challenge for a small company.

If you ever played Factorio, it's the difference between launching your first rocket, to launching it sustained with no breaks.

A small raspberry Pi or N100 is just not the target audience for this kind of sustained load, you need a big server and switches that can handle it etc... and these are all well beyond homelab or small business budgets.

And in these environments, admins who know the likes of Juniper, also know about BSD like systems (Junos is FreeBSD based, just as an example).

Having worked in those circles for 15 years, I doubt a junos admin knows BSD.

Anyway, if we're talking that kind of hardware, Cisco switches are widely used, for routers, of course Cisco, if you want to go european, probably Nokia. I'm not so sure about firewalls, Fortinet is very popular, if you want to go european, maybe Sophos?
For switches, I don't see any good options for open source. Nor for routers. Firewalls is a bit better, but beyond opnsense there's not much either.

So, to summarize, I doubt they'll go FOSS for the networking stuff.

As to the sustained load thing, I don't see any problems with N100 or something like that, there's many a cisco router that struggles to do 100MBit out there.

Not sure what linux firewall that would be, I don't know of any that is actually on the level of opnsense.

Also I don't know if the network infrastructure will also be open source.

The main question for me is the future of freebsd, I'm fairly sure that linux is more of a long term thing.
Additionally, what I read in the other thread about the way freebsd is managed, does not fill me with confidence.

This Firewall hat bei mir immer funktioniert - vielleicht mal mit pfctl -s auf der CLI nachschauen, was da genau wie konfiguriert wurde.

That looks quite interesting, except for the price.

With the background of the various freebsd controversies, this does not seem like such a far fetched idea as it did years ago.

Thanks, that worked.

So I have several openvpn interfaces on the firewall in question, let's say

ovpnc1 10.172.192.3/24 (the address being pushed by the server)
ovpns2 172.28.1.1/30 (being chosen by me)

So no I have the necessity to do SNAT on ovpnc1, because there is not necessarily a return route on the other side, but the only interface I can choose is "openvpn" and the only mode it goes to is:

nat on openvpn inet from any to <SOME NETWORK> -> (openvpn:0) port 1024:65535 round-robin

That means it chooses the 172.28.1.1 address in 50% of cases, so it works half of the time. I can statically SNAT this, but there is no guarantee the address I'm being pushed is static.

Surely there's some way to do this I haven't found?