Messages - amuckart

#1
Quote from: wrobelda on May 16, 2025, 03:34:49 PM
    I wrote a script to convert the ISC mappings to a DnsMasq CSV file, hopefully someone finds that useful:

    https://gist.github.com/wrobelda/403fe4e7ff542ce14a4bba9a06e40777

Thank you for this, it was very useful to me.
#2
General Discussion / Add LAN Interface From WebGUI
June 10, 2025, 12:24:46 AM
I suspect this is a real corner-case situation, but I'm curious as to why it's not possible.

I've been testing OPNcentral, and as part of that I built an OPNcentral VM. Not knowing at the time how OPNcentral works I created the VM with only a WAN interface because it's a dedicated management device that doesn't need any other interfaces.

Unfortunately to be able to sync firewall rules to my managed firewalls the OPNcentral device needs to have the same interfaces as all the managed firewalls, so I started adding them.

I found there is no way to add a LAN interface via the WebGUI. The only way to do it is via the initial setup menus, but doing that breaks the WAN interface.

Am I missing something that would allow me to create the LAN interface without disrupting the WAN interface, or is this just not possible because who in their right mind would set up a firewall with only one interface?
#3
Thank you Eric.

Sorry for the reply lag, I failed to turn on notifications for this topic.

I can use the configuration history to see the changes. Even though reading the XML isn't ideal, it'll do.

It's unfortunate that one can't easily discard changes or 'Apply' a rolled-back config without rebooting the whole box. That's quite painful for an enterprise firewall.

It seems like some things, like firewall categories do change immediately when the configuration is rolled back. For rules, they show up back in the UI list but the "Apply" button isn't there.

Toggling a trivial change, like whether a rule logs or not, does make the Apply button appear though, and clicking that will apply the whole ruleset as seen in the UI. It's not a great user experience, but it does seem to work.

Thanks for pointing me in the right direction.
#4
Thank you. I'll email you now.
#5
Having manually installed the Zabbix Agent plugin, it turns out OPNcentral can't configure it anyway :(
#6
OPNcentral can do firmware upgrades on managed firewalls, but I can't see any way to get it to install plugins that are missing.

If I've got something like Zabbix Agent config on my OPNcentral device and I sync that to a managed firewall it just doesn't work because the plugin isn't there, and it doesn't seem to attempt to install the plugin.

Given how cumbersome it is to install multiple plugins, and how slow the post-install update is on Business Edition after every plugin install, this makes the process of building a new firewall quite painful.

I was really hoping I'd be able to install the base system, a license, and just enough config to get OPNcentral talking to it and do the rest from there.

Am I missing something, or can OPNcentral not do plugin installs for managed firewalls?

Thanks.
#7
I'm testing OPNcentral to manage office firewalls.

So far it has promise but is missing some really critical features to be usable across an enterprise fleet.

One thing I cannot get to work at all is syncing WebGUI config and user config without breaking OPNcentral's access to the firewall it is configuring. I'm not sure if I'm doing something wrong, or if OPNcentral just isn't intended to be used to sync those things.

The situation I have is that the managed firewalls have a hostname that is in our internal DNS and not resolvable over the Internet. They have Caddy set up to reverse proxy the management interface (with appropriate ACLs) and handle TLS certificates. There is a publicly resolvable domain set up in Caddy, and that is the URL set up for the firewall in OPNcentral.

Because OPNcentral connects to the managed firewalls on this public URL, which is different (by policy) from the hostname of the device, they need to have 'Alternate Hostnames' configured under System -> Settings -> Administration. Disabling the DNS Rebind Check is not an option.

The problem is that whenever the OPNcentral machine configures WebGUI it overwrites the Alternate Hostnames, which immediately breaks its ability to manage the firewall.

The only way around this seems to be to either not sync WebGUI settings at all, and risk having them drift; or to set every Alternate Hostname in OPNcentral and have it set all of them on all of the managed firewalls.

Neither option is great. Technically I could get around this by getting rid of Caddy and setting up a VPN between the OPNcentral instance and the managed firewalls, but that gets me into exactly the same situation where VPN configuration is one of the big things I want to be able to manage centrally. Given the issues I'm having here, I doubt that is actually possible.


The other issue I'm having is that every time I sync users and groups, OPNcentral deletes the API key for the user it is using to access the device, which immediately breaks the rest of the sync.

I don't know what I'm missing here, but I can't see a way to sync users and groups to my managed firewalls (which is one of our key requirements) without having the API key generated on the OPNcentral box and therefore be the same across all of the managed firewalls, which is not an option for us.

Am I missing something here, or is OPNcentral really just for making exact clones of itself and not for actually managing firewalls that may have configuration differences?

This seems to come back to a couple of critical missing capabilities in OPNcentral - namely the ability to selectively apply things to different firewalls so you can e.g. sync users except the user bound to the API key OPNcentral is using; and the ability to have some kind of macro or variable expansion configured per managed device so you can do things like push different Alternate Hostnames, or have different domains in Caddy configuration, etc.

Are these things solvable, or am I expecting too much out of OPNcentral?
#8
Thank you, that worked for me. It also exposed a bunch of other limitations in the HA configuration :( but those are separate problems.
#9
Is there a way to see what changes will be applied to firewalls from the web GUI?

I can do it by diffing the config.xml and the most recent backup, but that's kind of ugly.

Same with cancelling the changes.

At the moment the big "Apply Changes" button can appear in the firewall rules section without any obvious cause. Clicking the "disable log" button and re-enabling it makes it appear just as much as adding a "pass any/any in on WAN" rule does, and there's no way to review the changes without SSH'ing in and diffing the XML.

This is quite a big issue for production environments.

Thanks.
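One way to get that review without eyeballing raw XML, as an added example that is not from the original post: it compares the firewall rules in two OPNsense config files by rule uuid and reports what was added, removed or changed. The paths /conf/config.xml and /conf/backup/config-*.xml, the <filter><rule> layout and the field list are assumptions about the config format; the two XML documents below are constructed samples.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Rule fields to compare (assumed subset of what an OPNsense <rule> element carries)
FIELDS = ("type", "interface", "direction", "protocol", "log", "disabled", "descr")

def rules_by_uuid(xml_text):
    """Map each <filter><rule uuid=...> to a dict of its tracked fields."""
    root = ET.fromstring(xml_text)
    rules = {}
    for i, rule in enumerate(root.iterfind("./filter/rule")):
        key = rule.get("uuid") or f"index-{i}"  # older rules may have no uuid attribute
        rules[key] = {f: (rule.findtext(f) or "") for f in FIELDS}
    return rules

def diff_rules(old_xml, new_xml):
    """Return added/removed/changed rules between a backup (old) and the live config (new)."""
    old, new = rules_by_uuid(old_xml), rules_by_uuid(new_xml)
    report = {"added": [], "removed": [], "changed": []}
    for uuid in sorted(new.keys() - old.keys()):
        report["added"].append((uuid, new[uuid]["descr"]))
    for uuid in sorted(old.keys() - new.keys()):
        report["removed"].append((uuid, old[uuid]["descr"]))
    for uuid in sorted(old.keys() & new.keys()):
        delta = {f: (old[uuid][f], new[uuid][f]) for f in FIELDS if old[uuid][f] != new[uuid][f]}
        if delta:
            report["changed"].append((uuid, delta))
    return report

def newest_backup(backup_dir="/conf/backup"):
    """Most recently written config-*.xml in the (assumed) backup directory, or None."""
    files = glob.glob(os.path.join(backup_dir, "config-*.xml"))
    return max(files, key=os.path.getmtime) if files else None

# Constructed sample: one rule lost logging and a permissive WAN rule appeared since the backup
OLD = """<opnsense><filter>
<rule uuid="a1"><type>pass</type><interface>lan</interface><log>1</log><descr>allow lan</descr></rule>
</filter></opnsense>"""
NEW = """<opnsense><filter>
<rule uuid="a1"><type>pass</type><interface>lan</interface><log>0</log><descr>allow lan</descr></rule>
<rule uuid="b2"><type>pass</type><interface>wan</interface><descr>pass any in on WAN</descr></rule>
</filter></opnsense>"""

if __name__ == "__main__":
    for kind, items in diff_rules(OLD, NEW).items():
        for item in items:
            print(kind, item)
```

On a real box, replace the samples with the contents of newest_backup() and /conf/config.xml to see what an "Apply Changes" would commit.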
#10
Please note: This is NOT a question about using OPNcentral to manage HA firewall clusters.

Is it possible to have an HA build for OPNcentral itself?

I have a dedicated VM for the controller, but it would be good in our environment to have a synchronised HA pair. Preferably in different DCs, but different cluster nodes in the same DC would be better than nothing.

I can't see anything about this in the documentation, nor doing a search here, and I don't know enough about the internals to know if it's feasible or not.

If anyone can suggest a starting point I'd appreciate it.

Thanks.
#11
OPNsense refuses to allow plugin or package installation if there is an update available.

***GOT REQUEST TO INSTALL***
Currently running OPNsense 23.7.10_1 at Wed Jan 17 15:08:10 NZDT 2024
Installation out of date. The update to opnsense-23.7.12 is required.
***DONE***


This is incredibly infuriating when the update requires a reboot and therefore extended change control and I'm stuck unable to implement something else until I've updated and rebooted.

Why is it like this?
#12
Thank you. Apologies, I don't know how I missed that when I searched for answers.

I'll try export-and-reboot later tonight.
#13
I've added a second zpool to my install and migrated /var to it. That part has worked fine, but when I reboot the second pool isn't being imported.

I can manually import the pool and mount everything on it, it's just not happening automatically at boot, even if the pool was imported and the filesystems mounted when the system was shutdown.

I don't know OPNsense's startup process all that well, but from what I can see, these lines in /etc/rc.d/zpool should do the trick (but they aren't).

for cachefile in /etc/zfs/zpool.cache /boot/zfs/zpool.cache; do
  if [ -r $cachefile ]; then
    zpool import -c $cachefile -a -N && break
  fi
done


Can someone please tell me what I'm missing?

Thanks