20.7 Legacy Series / Re: DHCPv4 and multiple subnets
« on: October 23, 2021, 03:00:50 pm »
"You have to install the FreeRADIUS plugin and use the DHCP service there (disable the other one first)."
Boo... Hiss...
Been installing an Ubuntu MaaS Region controller and a pair of MaaS Rack Controllers for this instead. You can just run the Rack nodes as LXC container hypervisor VMs. Make sure to set up a Bridge interface first and reuse it in lxd init, and you should be able to keep your lonely little physical-interface DHCPv4 server for untagged stuff. MaaS will see it, and you will have to decide which rack controller you want to use to manage that "fabric", or you can also dump the basic interface-locked DHCP server as well. I used an older Intel NUC i5 w/16GB RAM for rack + region and then added an LXD rack controller container inside until I am ready to add the other NUCs to the cluster. An R-Pi 4B will also work fine for MaaS Rack, is passable for Rack+Region, and a Model 3B isn't going to blow you away performance-wise, but can run a single rack controller w/o too much trouble.
You don't need to import images to the region controller(s), but I have some Dell R720s with NVIDIA GRID cards (16GB VRAM EACH!!!) that I have been dying to rack and automate PXE on so I can do a Prometheus > Rundeck > Chef > MaaS > LXD > Rancher K3S > Docker thing that I made to fire up crypto-toys whenever resource utilization drops below 45%.
It's pretty idiotic, but maybe free money. Who knows.
Since the PF network stack is so jacked, how do you feel about another crappy Ubuntu distro named something cool like "Open-Scarecrow" or something? It would just add NGINX and a CGI runtime like PHP/Node/Grails, a little PostgreSQL DB for persistence, all the RRDtool stuff, port a few BSD IDS/IPS/firewall toys over, and drop in an automated rules builder that pre-loads the faves and actually attempts to configure your firewall rules across logical boundaries between hops instead of physical hardware?
InterfaceName = Wireless
Is the network ZoneType = Private/Public/Shared
Are devices on this network able to see sensitive data or machines with sensitive data without requiring a login? IF yes GOTO Would you like to require password protection for users attempting to access these devices? IF YES GOTO Captive Portal config...
Do you use this network for secure traffic? (banking/shopping/protected work content or networks/etc.)
Does this network attach to unsecured devices? (firestick/smart tv/voice assistant)
RAISE WARNING => be sure to always use encrypted connections when conducting business over shared-use network zones! <link to docs>
As I continue to catch firewall blocks and passes in the live log, it occurs to me that I shouldn't have to create rule after rule to chase down an automagically generated block rule that I'm not allowed to turn off, because I have a WLAN VLAN subnet and it's not technically a LAN, nor an unsecured post-apocalyptic hellscape of evil hacker gangs, but I would still like to have IP addresses or be able to cast a video to another device sometimes...
Over the past few years I got to see what's hiding behind the curtain at these massive household institutions that hold all our money and identities and proof of who we are, what we have done, and whether we own something or not. It wasn't reassuring at all, and it confirmed my suspicion that the 20-year veteran in cyber-security is even more clueless (didn't think it possible) than the 20-year veteran in enterprise infrastructure when it comes to staying up to date on current (even the past 5 years...) technology, how threat vectors actually work and how to effectively mitigate them (homeland security still successfully gets dummy bombs onto airplanes at an 85% rate, so why did you have to remove your shoes?). Leadership is just playing the numbers game, and most of the money we spend is just wasted on things that are no more effective than printing the word "security" and hanging it on the wall...
I digress. Looking like an epic derailing actually. LOL
I'm just very disappointed in the immature state of open source security tooling maybe, but vendors with funding are really blatant about bending us over and ramming it in for an annual license on a mid-range firewall to activate the firewall portion, or paying 12 cents more for a network ASIC and charging 3X to 5X more than the adjacent model for it because current "wirespeed technology" is 10Gbps now. Even crippling devices so I have to pay $700 for 2GB of RAM that's slower than what came in the cell phone I just replaced...
Feel free to bump. Not what I intended to post initially, but I don't have to lie down and take it. Neither should you...
I won't accuse anybody of sucking. Just expressing a motive to challenge others to do better?
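The "set up a bridge first and reuse it in lxd init" step from the post above, written out as a non-interactive LXD preseed file. This is an added example, not the poster's configuration: it assumes the host already has a bridge named br0 (a constructed name) that sits on the untagged segment the existing DHCPv4 server serves, and it asks LXD for no bridge of its own, so the rack controller container gets its address from that existing DHCP server instead of from an LXD-managed NAT network.

```yaml
# Added example: feed to `lxd init --preseed < preseed.yaml` on the rack host.
# Assumes br0 already exists and is enslaved to the physical interface
# on the untagged VLAN; LXD must not create its own lxdbr0 here.
config: {}
networks: []              # no LXD-managed bridge, no LXD dnsmasq DHCP
storage_pools:
  - name: default
    driver: dir            # simple local directory pool; replace with zfs/btrfs as needed
    config: {}
profiles:
  - name: default
    description: "Rack controller profile attached to the existing host bridge"
    config: {}
    devices:
      eth0:
        type: nic
        nictype: bridged
        parent: br0         # constructed name: the pre-existing host bridge
        name: eth0
      root:
        type: disk
        path: /
        pool: default
```

Leaving `networks` empty is the point: if LXD is allowed to create lxdbr0 it also starts its own dnsmasq DHCP server, and a second DHCP responder on the same broadcast domain is exactly the kind of surprise that turns up later as unexplained blocks in the live firewall log.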