Messages - bimbar

#1
General Discussion / Re: IPv6 and MultiWAN Question
March 19, 2026, 01:13:16 PM
You should be able to do NPTv6 on the secondary interface. You will probably have to decide which uplink is the primary and use the GUA addresses from that one, then NPTv6 on the other uplink.
#3
If you have more than one IP, you can always bind the services to individual IPs, which is possible with nginx (or with haproxy).
#4
Not sure where the hate for YubiKeys comes from. I like the suggestion, and do remember that WebAuthn is not a feature exclusive to YubiKeys, so this request really isn't about YubiKeys at all.
Is there a chance for OIDC to filter down to the community edition at some point?
#5
This is not really only a problem in the firewall UI; many of the views, for example the IPsec logs, leave too little space for what you actually want to see while having quite a bit of free space around them.
#6
Quote from: Monviech (Cedrik) on February 23, 2026, 10:52:13 AM
Doesn't matter that much. You can use NAT and just bind to random ports no other service uses.

That way you let PF decide which interface can forward traffic to the webserver.

It's always better to bind to the ANY interface since the service will always reliably start.

That may well be the case, but I would like to have the choice. See for example nginx: the default is 0.0.0.0:<port>, but you have the option to use a specific IP.
That's pretty much the main reason I use HAProxy, where I can bind to an IP.
#7
TURN is really a NAT hole puncher; you shouldn't need it internally.
As for configuration, there normally isn't any, but the ports do have to be open.
#8
Maybe we can get rid of the scrolling subframe? Or at least scale the frame to the full height that is available?

On my screen the firewall rules window uses about half of the available height, but I can scroll way down.

#9
Has anyone seen https://knocknoc.io/ ?

It is a tool to orchestrate a ZTNA-like setup locally by changing firewall aliases depending on user authorization.

Should be easy to connect to OPNsense with the firewall automation API.

I'd be interested in opinions on the product and the general idea.
#10
German - Deutsch / Re: Purchase advice (Kaufberatung)
February 24, 2026, 11:30:44 AM
I can confirm that the Beelink EQ12 is not quiet. Doesn't matter for me, because it's in the basement.
#11
I wouldn't replace Unbound.
Zenarmor + AdGuard, why not.

Apart from that, as far as I know there is no such thing as a firewall and network design best practices documentation, but it would be interesting to see what each individual thinks about it.
#12
General Discussion / Re: Support AmneziaWG
February 23, 2026, 10:47:33 AM
I also don't see the point. If you need obfuscated internet access for legitimate reasons, you'd better use Tor.
#13
Quote from: Monviech (Cedrik) on February 21, 2026, 10:34:52 PM
Just fyi:

https://docs.opnsense.org/vendor/deciso/opnwaf.html

It's almost the same apache configuration and web application features as in UTM, and we support it fully in business support (if you ever need it).

If you want to stay mostly in community scope, HAProxy is also fine.

For that to be useful, it would need to be capable of binding to a specific IP:port of the device, not only a port on all IPs.
#14
Quote from: nero355 on February 04, 2026, 06:07:40 PM
Quote from: bimbar on February 02, 2026, 10:50:53 AM
We've had terrible experiences with professional Netgear switches regarding port speeds and compatibilities.

Even if it works, for the home user Netgear switches the interface is terrible.
Any chance you remember the exact models?

That was some 24-port, I believe 10G, model.
#15
Quote from: OPNenthu on February 01, 2026, 09:13:15 PM
Quote from: nero355 on February 01, 2026, 04:57:50 PM
It's one of their weirdest products ever:
- € 200 for the Switch
- € 90 for the adapter

If you can get by with a PoE injector as Patrick suggested, then the non-PoE version of the same switch is the better deal. But at that point the Mikrotik with its 8x 2.5GbE ports is practically begging, even with the fan.

Quote: And add to that Netgear and HPE switches.

I haven't tried the professional Netgear switches and I do expect better of them, but I had a terrible experience with a cheaper Netgear smart switch and had to return it. It was leaking RAs across the VLANs.

We've had terrible experiences with professional Netgear switches regarding port speeds and compatibilities. Even if it works, for the home user Netgear switches the interface is terrible.

HPE Aruba might be on the expensive side.