Messages - ChirpyTurnip

#1
Seriously not meaning to bash. But I am direct...that comes from being Dutch and I try to tone it down as best I can but, clearly, I am still a bit of a brick.  :-[


I think it is important to remember that my posts are not:

       
  • Bashing - I'm not out to hurt anyone, my comments are not mindless, unconstructive, nor in my opinion unfair. If the UI was more user friendly who would complain? Feedback from users can be valuable in seeing the application and the use cases from a different perspective!
  • Targeted at anyone in particular - Yes, I refer to WG a lot...it's what I have spent most of my time on and it was a pain. It is what it is. I can also provide feedback on the traffic shaper and firewall aliases but others have already done this and there is no point adding to that...WG though I did not see much feedback.
  • A sign that I am unappreciative of the fact that the software is free - One shouldn't look a gift horse in the mouth but that doesn't mean that one may not have an opinion on it...and if voicing that opinion results in a better experience for all then what is the problem?
  • Pointless (hopefully) - The developers are clearly passionate and no doubt they want to deliver excellence - why else spend so much time forking pfSense? I'm passionate too - that's why I've left pfSense! I cannot code to save myself, my talents lie elsewhere, and include a considerable amount of UX design of late. There are users who will post on the subtleties of the static route configuration...whereas I post on the user experience. It's no less valid.
I do get the sense though that such feedback is not always welcomed and that's a pity. I had not expected such a high level of defensiveness...but it seems that some forum users are more interested in shooting the messengers than hearing the messages as I'm not the only one to have mentioned the UI and potential opportunities to improve various aspects. They too didn't get very far...


If I could, I would code and PR what are likely to be relatively trivial UI tweaks...but I can't...so I guess I might just have no option but to spin in the vortex of despair....


:-\

#2
I've heard this argument before...and I know that adding to a product increases the maintenance overhead - I do some SQL development so this is not a foreign concept. However I don't really buy the argument of "If we add it then person X will be happy but person Y will be sad".

For starters we're talking about adding a configuration option, not hardcoding a feature. We can also have the default as the status quo with the opt-in being to change the appearance of an element. Those who want to hide extraneous information can and will, those who don't won't.

Furthermore OPNsense is full of features I don't use or don't need....on my part you can get rid of OpenVPN and IPsec I don't use these, I have no idea who asked for them, so dump them already! Except that I know that *others* live and die by those features...so fine, no worries, they are there, I can simply not use them. Maybe in the future I will and then I'll be glad that they're there....  UI enhancements and filters etc are the same...:-)

Being able to filter the dashboard so you can not get lost in the weeds is simply a good design principle - Ideally everything you need will fit on a single page (on a HD screen) - today I cannot achieve this and I end up scrolling. With pfSense (I know I know) I could do this. I log into any of my FW, glance at the screen - all is well or X is broken....instantly. OPNsense can totally do this too....but not without making the modules slightly easier to tweak.

And this, as I've posted previously, is all over the place - the WireGuard module for example is really poorly designed from a UX perspective....and the widget is no exception - why does the public key need to be displayed in the widget? Like, seriously, WHY? Does anyone seriously go "Oh, it looks like /mgdTRoYwoRPdwLlqbO4pQWObI827Af2j6mwwlw6DrfC4sU7 is stale as the handshake is a bit old....I'd better call Steve to get him to take a look at /mgdTRoYwoRPdwLlqbO4pQWObI827Af2j6mwwlw6DrfC4sU7 because we specifically set up /mgdTRoYwoRPdwLlqbO4pQWObI827Af2j6mwwlw6DrfC4sU7 as a back up connection in case 0HNSrxrpdh8WLXnIeHvuLQyrP0HiZkyZwRvAOHRqpfacEcCSOJf1g went down....so right now we're on n instead of n-1."  Personally I don't think this belongs on the dashboard *at all*, but if others want to see it that's fine, just give the rest of us an option to hide it...then everyone can be happy.

Similarly the widget doesn't show you how long since the last handshake, it only gives you the time of the last handshake - which means you need to know the time to know if the handshake is super current or getting a bit old - "Hmm, last hand shake was at 07:23....what's the time now? Oh right, about 3 minutes ago, give or take". So not only is this the least efficient way of communicating the key fact, it's also greedy in terms of real estate because returning "2023-05-03 07:52:33+12:00" takes up more column width than just "01:35" (being one minute 35 seconds since last handshake). And yes, the WG Status tab actually reports a sensible value for last handshake...in minutes and seconds....so why doesn't the widget?

If I ever want to see something at a glance it's the dashboard...that's why it exists. If I want more detail I'll click on the dashboard header and jump to the module so I can dig around....

I'm truly not bashing, but I get the overwhelming sense that UX is an afterthought and it shouldn't be....users should love (or at least like) the experience of interacting with OPNsense (or any product for that matter) and I just find myself tolerating it. And that really irks me because OPNsense is truly good and my experience has been pretty good so far but the UI is suboptimal.

Want another example? Sure - Wireguard, again - a double banger for you: If your WireGuard tunnels stall you need to restart the tunnel or Wireguard service. It turns out there is a CRON job to do this:

       
  • The CRON job is called "Renew DNS for WireGuard of stale connections" - this might be technically correct, but not as intuitive as "Attempt to recover stalled WireGuard connections"
  • The CRON job doesn't appear to be mentioned in the documentation
  • There is an option to renew ACME certificates in the ACME module that enables a CRON job automatically, but *NOT* for WireGuard - you have to know that the CRON job exists and then you have to manually enable it. Why is there no option under Wireguard > General to automatically enable recovery?

Anyway, enough from me. I really do appreciate OPNsense and your work (I see you post on here like a rabid hamster on acid) - I just hate to see a good job done suboptimally. ;-)
#3

So if it is smart enough to put the "total" as the first row then surely it can't be that hard to set an option to return only the first row, or all rows?


Similarly each chunk of data is returned in its own row for all the other elements in the System Information widget - again an option to enable/disable each row would be kind of neat - I'm not sure I'm getting much value from always seeing that my CPU is "12th Gen Intel(R) Core(TM) i3-1215U (6 cores, 8 threads)" because I already know that, and it's never going to change.

I guess I just wish it was more configurable so I can hide what doesn't matter and surface what does...  :-(

Cheers!
EDIT: Fixed font
#4
Well now that's interesting! I've turned that on and we'll see how we go. Once again I'm saddened that there is a nice (I assume) solution and yet it's not plumbed into the GUI for the service. I posted on the poor UI design previously (and a few people took exception to the fact that I thought that usability and UX should be a key consideration) so this is another example where the goodness is there but is obfuscated and hidden.


For example with ACME certificates you can tick the box to keep your certs updated and a CRON job is added - no effort needed! But with WG the same could be achieved - a simple tick box that says "Attempt to restart stalled tunnels automatically" - this would be a worthy feature that looks great to an admin (who doesn't like a tick box that implies it fixes everything) but in reality it only really turns on a CRON job. I find it hard to believe that the UI for OPNsense is so bad that something like this would require more effort than it is worth....


Everything just seems unnecessarily hard.


I've now completed my OPNsense migrations, but I'm not going to lie, I sorely miss pfSense, the UI was *****SO****** much better to use. I just don't like their dodgy practices, I've got no confidence their free edition will stay free, and the CE version didn't include the drivers I needed for my newest hardware....but.....sigh......their sweet sweet UI is missed.....  :-(
#5
So this happened to me last night - two Wireguard tunnels - both stopped within seconds of each other. I suspect it's just WG grinding to a halt - there were no errors or warnings....one moment it was working, the next I get an alert from monit that the remote ping to one of the end points is down. While looking at it the second connection went down.


I restarted the WireGuard service and everything came back as expected. I suspect we can use monit to trigger a wireguard restart, the trick however is to get it to restart only when the problem is on our end - if the tunnel goes down because a remote end is down we don't need/want to restart everything on our side (thereby breaking working connections, and possibly starting a restart loop as the tunnel would stay down until the remote end is back up).


In my case I'd trigger on *both* remote tunnels being down at the same time - which is really unlikely to be coincidental....the only issue is that I'm not nearly smart enough to configure that without guidance. And Wireguard is not easy to work with, so there's no easy option to set links to be monitored for restart....so I think scripts needed....which is a pain if you're a GUI kinda user....  :-(


But at least you know you're not alone!
#6
Hi,


Is there a way of refining what is displayed in the Interface Statistics widget? I know I can enable/disable interfaces, but I want to enable/disable columns - for example I want to turn off the packet count as this isn't really adding any value, but in a matter of days becomes a freaking enormous number. If it was gone the rest of the table would have some room to spread out and my Bytes In/Out wouldn't need to wrap onto a new line (which result in even more space being lost).


Thanks!







#7
Hi,

Just wondering how I can filter the System Information widget on the Lobby Dashboard? Of particular annoyance is the disk usage section which shows a whole pile of categorised usage meters...all of which are 0%.

Disk usage   
1% / [zfs] (1.1G/207G)
1% /boot/efi [msdosfs] (1.8M/260M)
0% /tmp [zfs] (596K/206G)
0% /usr/src [zfs] (96K/206G)
0% /usr/home [zfs] (96K/206G)
0% /zroot [zfs] (96K/206G)
0% /usr/ports [zfs] (96K/206G)
0% /var/audit [zfs] (96K/206G)
0% /var/crash [zfs] (96K/206G)
0% /var/mail [zfs] (104K/206G)
0% /var/log [zfs] (7.5M/206G)
0% /var/tmp [zfs] (96K/206G)
0% /var/log [tmpfs] (3.9M/2.0G)
0% /tmp [tmpfs] (1.7M/2.0G)

All I really want is an overall disk consumption figure (which I have at the top of the list - showing 1%) - the rest might be useful for super duper power users, but I don't care as long as my disk has still got a lot of free space...when it gets past 50% I might go and look to see what's gobbling space....so until then I'd like to hide all the extra detail and save on screen real estate - I could fit the Thermal, SMART, and NTP widgets in the space occupied by all the lines of 0% for the disk usage.

There is a pencil at the top of the widget, but it is not enabled....?

Help?

Thanks!

#8
23.1 Legacy Series / SMART Plugin - Hide da0
April 30, 2023, 07:22:55 AM
Hi,

Have just installed my third OPNsense firewall in the month - bye bye pfSense!

I've noticed though that on two of my firewalls the SMART plugin shows da0 = "unknown". The main drive shows up fine, but because I'm not using da0 on these devices it just has an undefined state. I want to hide these...

I've seen a couple of posts here and there suggesting to tune the PHP for the smart_widget or to use system tunables....but I've not found anything that I can actually use....for example the post regarding the php editing was for an old version of the widget so this is no longer possible as the code that needed to be changed is long since gone....

How can I hide this?  It seems to me there should really be an option screen or a setting on the widget itself where you can filter the drives that are displayed.

Thanks!

#9
Maybe. The alternative could be a tick box that when selected would generate a PSK and display it in a read-only field once you hit the save button. The primary objective in any UX design should be to minimise screen hopping - a bad layout or a clunky process is still better than jumping from module to module and back again to do a simple task.

And, as a complete aside, if the GUI isn't that flexible then switching that out for a better presentation framework should be an overall priority as in terms of broad appeal any product is going to live or die by the quality and usability of the GUI. There might be diehards who'll take whatever is on offer, but for the unwashed masses eye-candy is king. The market for OPNsense is such that we don't need to go all-in on Apple-type UI design, but doing a half decent job is definitely a requirement. :)

#10
I'm not here to set anything on fire, and I've been told I'm a delight to work with because the development I do (almost all in SQL) is always tailored to user requirements and is built in such a way to be as painless as possible. I find that it takes a little more effort to get it simple but that the reduction in support calls I get is totally worth it! I also prepare detailed release notes, and I update a user support wiki as I go - again, a lot of effort, but it makes the user experience so much nicer that they actually look forward to new releases to see what's been cooking in the kitchen!

Perhaps that's why I find the OPNsense UI so chafing? I totally get that this work is 99% volunteer driven and that it's a thankless task, but if a job is worth doing it's worth doing WELL. I'd love to tell my colleagues to dump pfSense and go OPNsense too, but I know some of them will not make a jump when things are still a little rough around the edges. The irony here of course is that there are rubbish products out there with great GUIs that people love, and then there's a great product like OPNsense and really the GUI is what's holding it back - I found (one way or another) a way to do everything I did in pfSense, and yet it is always 'smoother' and 'easier' in pfSense.

There's nothing wrong with providing some feedback to the effect, and I don't think there's any need to take offense as none was intended. However, in my experience the best feedback is that which is honest and actionable - otherwise it is just a moan. I tried to be clear and specific, and I wish I could write some updates and PR them, but I know my limits and this is not my space. That doesn't mean I can't be passionate about UX....and with a bit of polish the WG module can go from "workable" to "awesome"....it's not even a lot of work as it is only UI....and everything you need is already there!

How can we help?

#11
Hi Folks,

Been playing more with WG and I have to say that I don't know why much of it has been implemented in the worst possible way - the only possible explanation is that it's designed by someone who doesn't use the GUI and simply spends their whole life in the CLI. Kudos to them, I'm too dumb to CLI stuff, so I need to do my best in the GUI....but OMG it is a shocker.

Set up a local connection - Give it a name and generate some keys, save
Set up a peer - Give it a name, jump to the CLI, generate a PSK, do some other stuff, save

Now you think you'd want to be able to check the status of this somewhere - like check for Connection X + Peer Y? But oh no!

That would be simple and logical! We know you defined your connections as RAS_Admin, RAS_WWW, Tunnel_1, Tunnel_2, and Tunnel_3, but in the status screen you can *ONLY* reference local connection via the Interface ID, BECAUSE THAT'S THE HARDEST WAY POSSIBLE, so best you know whether you're looking for WG1, WG2, WG3, WG4, or WG5. So go back and look it up, OK - we're looking for WG3. Phew....now let's check the peer status.

Oh yes, you might have given it a name like "Steve_Laptop" but you're going to have to find the peer by looking for the PUBLIC KEY identifier because THAT'S THE HARDEST WAY POSSIBLE.

Alternatively, we can also use the status screen - that will give you a nice compact view:

wg1   8EvPut6AL+j/LudefUj65Nv1rk9egA9V99UJyITuGkuH4=   1681440860
wg1   0NSrxaadh8WLXnIeHvq5frGPlqqK7jmCliBzugIq112w=   1681286855
wg1   +yORIHYTEDK8DJ*djd83jdM01KCFa9foRqH1gQGaAE=   0
wg2   /mgdTRoYwoRPdwLlqbGL1HO5yATBL+L3YngzQjdiARI=   0

Gosh. That's informative. Not.

I'm a sparrow's fart away from tossing it in and running back to pfSense - I hate to be there but while I feel the need to shower after using it to get the smell off my hands, at least I don't have the urge to stab myself in the eyeballs with a blunt pencil.

OPNsense has so much potential but if it can't be made user friendly then what's the point? It's not just WG either, this seems to be the general approach to the UX - put the top menu bar as a side bar, high fives all around as we're not different and modern, then to hell with the rest of it! I keep hitting these sorts of usability issues where something simple is just plain hard for no reason other than the fact that someone CHOSE to make it obnoxiously difficult or obscure....

It is making me question my decision to migrate....because everything is unnecessarily painful. Seriously dying on the inside here...took days of effort to move everything over and now that I've over it is still an ongoing source of pain. :'(
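
Added example, not part of the original post and not OPNsense code: it turns status lines of the kind quoted above into named peers with a handshake age, and applies the "restart only when every tunnel is stale at once" rule raised in post #5. It assumes the three-column listing is what `wg show all latest-handshakes` prints (interface, public key, Unix time of last handshake, 0 for never); the keys, timestamps and 180-second threshold are constructed for illustration.

```javascript
// Added example, not OPNsense code. Keys, timestamps and threshold are constructed.
// Assumed input: `wg show all latest-handshakes`, one peer per line as
//   <interface> <public-key> <unix-seconds of last handshake, 0 = never>
const STALE_AFTER = 180; // seconds without a handshake before "stale" (assumed)

function parseHandshakes(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(line => {
    const f = line.split(/\s+/);
    if (f.length !== 3 || !/^\d+$/.test(f[2])) {
      throw new Error(`unparseable line: ${line}`);
    }
    return { iface: f[0], publicKey: f[1], last: Number(f[2]) };
  });
}

// Elapsed seconds as mm:ss, or h:mm:ss once past an hour
function formatAge(sec) {
  const pad = n => String(n).padStart(2, '0');
  const h = Math.floor(sec / 3600);
  const m = Math.floor((sec % 3600) / 60);
  const s = sec % 60;
  return h > 0 ? `${h}:${pad(m)}:${pad(s)}` : `${pad(m)}:${pad(s)}`;
}

// Join raw status with configured peer names (a Map of public key -> name)
function describePeers(text, names, now) {
  return parseHandshakes(text).map(p => {
    const age = p.last === 0 ? null : Math.max(0, now - p.last);
    const state = age === null ? 'never' : age > STALE_AFTER ? 'stale' : 'ok';
    return {
      iface: p.iface,
      peer: names.get(p.publicKey) ?? `unnamed ${p.publicKey.slice(0, 8)}...`,
      age: age === null ? 'never' : formatAge(age),
      state,
    };
  });
}

// Restart locally only if at least two peers that have ever connected are all
// stale together; a single dead peer more likely means the remote end is down.
function shouldRestartLocal(rows) {
  const seen = rows.filter(r => r.state !== 'never');
  return seen.length >= 2 && seen.every(r => r.state === 'stale');
}

// Constructed sample data (not real keys)
const KEY_A = 'A'.repeat(43) + '=';
const KEY_B = 'B'.repeat(43) + '=';
const KEY_C = 'C'.repeat(43) + '=';
const NAMES = new Map([[KEY_A, 'Tunnel_1'], [KEY_B, 'Tunnel_2'], [KEY_C, 'Steve_Laptop']]);
const NOW = 1700000000;
const SAMPLE = [
  `wg1\t${KEY_A}\t${NOW - 95}`,
  `wg1\t${KEY_B}\t${NOW - 1000}`,
  `wg2\t${KEY_C}\t0`,
].join('\n');

const peerRows = describePeers(SAMPLE, NAMES, NOW);
console.table(peerRows);
console.log('restart local WireGuard?', shouldRestartLocal(peerRows));
```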

#12
Hi,

I missed this too! I set up a bunch of connections and then there is a step I have to do from the console....not even console-via-GUI, but freaking "Go get the puTTy app to connect to the console..." Ugh!

Personally I don't want this to be implemented as a separate tool - it should simply be a button on the peer form so you can click and generate when you are setting up a connection - I don't want to be jumping from screen to screen.

pfSense might have had a messy Wireguard implementation but at least the GUI for that module was pretty smooth and logical from a workflow/usability perspective. I've just setup a set of site-to-site tunnels and 8 road warrior connections and the pfsense experience doing this was much better than when I just did it on OPNsense (sorry).

OPNsense is free, and one shouldn't look a gift horse in the mouth, but it would be nice if the UX philosophy was  "GUI-is-king" versus "GUI/CLI-its-all-the-same-to-me".....   ;)
#13
So I've just migrated from pfSense and one of the hardest parts of it was manually re-doing the configuration. The biggest pain was that after copying and pasting data OPNsense would straight away 'lock' the data into those little 'data blocks' so you cannot edit what you've just pasted, you can only click 'Save' or press 'x' on the little data blocks to delete them.

The problem I had is that my source data had spaces and commas:

192.68.1.234, 192.168.1.235, 192.168.1.236

OPNsense slaps that straight into these data blocks:

"192.168.1.234" " 192.168.1.235" " 192.168.1.236"

When you save the data is rejected as spaces have been put into the second and third IP addresses. It annoyingly does this everywhere where the data blocks are used and it meant I had to first paste my data in a text editor, strip the spaces, re-copy, then paste to OPNsense. An extra miserable step in an otherwise unnecessarily painful process.

If the UI is going to be 'smart' then it should also be clever enough to TRIM the input before it converts to the block format.

As an aside I cannot believe that there is no pfSense config importer given many new users will be pfSense refugees. The data format is similar *AND* it is the OPNsense end that has all the extra lines of metadata in the XML. At a minimum something to import the FW aliases and DHCP reservations would have helped because loading them was pretty tedious (even though I did it by munging my pfSense config to look like an OPNsense export).  :(

:-(
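
Added example, not part of the original post and not OPNsense's tokenizer code: it reproduces the comma-only split described in post #13 next to a version that trims and validates each token before it becomes a block. The function names and the IPv4-only validator are assumptions made for the illustration; the sample input is modelled on the addresses in the post.

```javascript
// Added example, not OPNsense's tokenizer. Sample input is modelled on the post.
const PASTED = '192.168.1.234, 192.168.1.235, 192.168.1.236';

// Strict dotted-quad check: four decimal octets 0-255, no padding, no spaces
function isIPv4(s) {
  const octets = s.split('.');
  return octets.length === 4 &&
    octets.every(o => /^(0|[1-9]\d{0,2})$/.test(o) && Number(o) <= 255);
}

// Behaviour described in the post: split on commas only, whitespace is kept,
// so every token after the first carries a leading space into validation
function tokenizeNaive(pasted) {
  return pasted.split(',');
}

// Split on commas, semicolons and any whitespace (JavaScript's \s also covers
// newlines and non-breaking spaces from copied tables), drop empty tokens,
// de-duplicate, and report what still fails validation instead of hiding it
function tokenizeTrimmed(pasted) {
  const accepted = [];
  const rejected = [];
  for (const token of pasted.split(/[,;\s]+/)) {
    if (token === '') continue;
    if (!isIPv4(token)) rejected.push(token);
    else if (!accepted.includes(token)) accepted.push(token);
  }
  return { accepted, rejected };
}

const naive = tokenizeNaive(PASTED);
console.log('naive tokens:', JSON.stringify(naive));
console.log('naive tokens passing validation:', naive.filter(isIPv4).length);
console.log('trimmed:', JSON.stringify(tokenizeTrimmed(PASTED)));
```

Keeping the strict validator and normalising before it runs means malformed entries such as an out-of-range octet are still rejected and shown to the user, rather than being silently accepted into an alias.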