Messages

This is why your firewall should always use open source BIOS like core boot or libreboot. UEFI is just too much hassle and insecure.

I would agree that using coreboot is an excellent option, particularly where the hardware vendor officially supports it. I find the Protectli boxen are very good on that point, and any of those which run OPNsense for me are indeed using coreboot.

...which boots using UEFI.

Older FW series from Protectli boot into legacy mode.

This is why your firewall should always use open source BIOS like core boot or libreboot. UEFI is just too much hassle and insecure.

Services > Kea > Subnets > edit your subnet and remove that check mark:

Sry to hijack this thread but, are these client identifiers unique for each device? Can this feature of kea enhance security in a sense that if someone spoofs the mac address of device, he still wont be able to connect and receive ip address from dhcp server because the client identifier doesnt match ? Assuming of course that dhcp static mapping is in full use.

[right away]

I also do not understand why people become angry so easy.

Because they dont understand that using opnsense is a privilege. The fact that opnsense offers so much for free is not enough for them. No. They want opnsense developers to respond to their emails or posts right away and fix bugs or implement features that they want immediately because product X or product Y already has those features. They literally act like a entitled spoiled brats. If their wishes are not fulfilled in timely matter, they either start bashing developers for being lazy and irresponsible or they "threat" that they will switch to alternative solution X or Y.

God forbid they make a donation or buy Deciso hardware when opnsense is working as expected.

When the community version support is not enough for one, go bui a business licence and escalate this on the support side.

Exactly. Or go use something else.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

Exactly. Im thankful for this wonderful piece of free software.

Who's getting angry? The only person in this discussion insulting others is @alex303.

Im getting angry. However, im not insulting anyone. Im sorry if you somehow recognized yourself in what i wrote.

Well. By that logic, lets not use computers at all. Lets get back to stone age.

Can we please go back, my life would be SO much more simple!

On a serious note, people have become so spoiled, nitpicky and entitled. They are impossible to please because "everything is broken and everything can be exploited". Sometimes when i read forums i wish opnsense team goes fully closed source and switch to subscription model only with hefty prices.

Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

Leave the IT space and go do something else. 

[might]

A VPN might expose a root RCE with more or less the same probability as SSH.

It might. World war 3 might happen tomorrow. See where im going with this ? This whole thing is so blown out of proportions its ridiculous.

And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay

Well. By that logic, lets not use computers at all. Lets get back to stone age.

VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

Its about layers of protection not X vs Y.

If you have SSH open from outside, you're doing something wrong.

Exactly. SSH from outside should always be accessed via VPN. In fact, everything from outside should go through VPN.

I dont understand this freebsd vs linux craze lately. People dont seem to understand how much work is required to do something like that. Not to mention security implications that linux kernel introduces. There is a reason why both opnsense and pfsense are running freebsd under the hood. If you want linux based firewall, go use openwrt, untangle, vyos... or whatever. Im not ready to sacrifice security just to get better hardware support.

We are considering the addition of a default dark theme in order to avoid theme developers playing catch-up with the changes, but not before all of 24.7 is out.

Cheers,
Franco

Please do it.

Your OPNSense device or LAN card on your PC are faulty.

On newer systems with support for UEFI and IOMMU, you can do ACPI Thermal Sensor pass through directly into your VM. This will allow OPNSense to read your CPU thermal diode directly and allow you to see your temperatures. On old system like yours, as Patrick said, you read your CPU temps from your hypervisor.

[not running]

If you are stuck on OpenWRT, then you might as well buy a computer that can hold several network cards and build your own software defined LAN.

Stuck on what ? What are you talking about ? Im using OPNSense on my servers just like everyone in here. I am not running OpenWRT on my switch nor im advising anyone to do so. My post was directed to Patrick M. Hausen as a proof of how open D-Link enterprise switches are. You dont care about opensource, but we do.

I have a couple Mikrotik CRS level of switches, they are decent and cheap. I'm not bothered by open source or die. I also have several old Cisco 2960s and some new Extreme 5420 and 1 Netgear M4250. Pick your battles based on what you need to do or what you can afford. Work gets expensive stuff, home lab gets what I can find on ebay. All of it works within the limits of it's software at the time of purchase, some gets regular updates.

You make this post about you and what you use rather than helping TS make a right choice. Nobody cares about your proprietary overpriced closed source Cisco, Netgear and MikroTik garbage. But i do agree with your statement that you should get what you can afford. With that said...

If you dont need PoE, go get D-Link DGS-1210-10 for 99$
If you need PoE, go get D-Link DGS-1210-10P for 160 $

Stick to the topic.

MikroTik is not open source.

But D-Link is?

Yes.

You can even run OpenWRT on it.

https://openwrt.org/toh/d-link/dgs-1210