Messages - Jack V

#1
The answers I got here were quite enlightening.

I never knew that there were 2 versions of OPNsense.

I always thought you could buy a business support subscription on top of the version you can download from the main opnsense.org website.

The website gives the impression that there is only one version of OPNsense.

So if I understand correctly:

One is the default version that is not stable/reliable and production ripe you can find on the main page of https://www.opnsense.org/

And the other version is a stable version called the business version which is more stable because it only gets safe updates and upgrades that won't break anything I guess.

The one you can download from the main opnsense.org website I consider that unstable and I even want to slap a testing label on it when you compare it to how other BSD like and Linux distributions handle it all.

This should be expressed on the main website that this is a testing branch rather than a stable branch version to keep users from big surprises that their firewall, their main gate to the internet, is at risk of breaking down due to updates and/or upgrades.

Calling it "production", isn't that a bit misleading?

You can name it like that because it's constant work in progress, but at least tell your users that it is a testing/unstable branch and that they should expect bugs that might break your firewall/internet gateway on a regular basis and that it should be considered as unreliable.

The name production means (to me) being stable, reliable, code mature, ripe for live production environments.
 
Quote from: franco on March 11, 2021, 11:55:06 PM
Quote from: Jack V on March 11, 2021, 12:48:04 PM
Is it stable or not? Is it really production safe or not?

So what's our point of reference.
A system that is stable and reliable enough that you can count on not to break every month due to updates/upgrades?

And on what part of your network you want stability and reliability? Right, your gateway to the internet!

Now I am a (sometimes grumpy) old fart and have seen and used lots of distributions through the years since the 90's. But when the other distributions call something stable and reliable they mean it and you can expect that the code is mature enough to be used live in production situations and relied on.
#2
Years ago I switched from m0nowall to OPNsense and I love it.

It's Dutch / European, I love it and I never want to change to something else anymore.

But through the years of using OPNsense there is something that makes me wonder:

Is it stable or not? Is it really production safe or not?

So many updates, and a couple of times in the past I ended up with a weird working firewall/router or not connecting any more to the internet. This all with vanilla installs, nothing added.

Every time there is an update I now completely expect the worst and sometimes just delay updates/upgrades just to be safe.

Now again with the production release of 21.1.3 I see posts here on the forum and on the net of stuff breaking due to the updates/upgrades.

Even the latest release notes say: "We encourage everyone to install this version in a test environment before using it in production. As usual, please have a look at the plugin changes[1] and report bugs on GitHub."

Wait what? In a test environment? And we need to report bugs on GitHub?

What does "production" even mean? Not stable? Unstable?

Is it a rolling testing distribution like Fedora and Tumbleweed are?

I have never seen Deciso appliances in the wild, but don't companies want a stable operating system with low maintenance and safe update cycles with stuff that won't break?

Sorry if this comes on a bit too harsh for the devs, but this is something I really don't like of the distribution for a long time now  :-\
#3
20.7 Legacy Series / DMZ and something like DYNDNS
August 27, 2020, 10:01:49 AM
I had my cable modem in bridge mode for a long time and used Dynamic DNS service of Namecheap without worries.

Now I changed my setup a bit and the bridge mode is not handy for me right now. The OPNsense router is put in via the modem in DMZ. This works great, except of course when the provider changes the external modem IP, then I am lost and can't get into the network any more. This has not happened yet but will eventually.

Is there something I can do with OPNsense and an external service like DYNDNS or Namecheap that can detect my external modem IP and update that to a DNS record?
#4
A couple of years back I asked if it was possible to disable the web gui and only use ssh/console to be more secure.

The answer I got back then was: "We don't understand the user case" :o

So again, can this feature please be created ?

Just a simple switch after console login Enable/Disable web gui, that's all.
#5
19.1 Legacy Series / 19.1.4 ssh key problem
April 01, 2019, 06:29:26 PM
Hello all,

I am trying to log in to an OPNsense 19.1.4-amd64 box with an ssh-key but it keeps failing me.

I can ssh login with a created user or as root for that matter with a password but not with an ssh-key.

Checked that .ssh in home folder has 700 and authorized_keys has 600.

Client on Windows 10 pro gets:
me@host: Permission denied (publickey).

This is the native ssh client that now is standard on Windows 10. Other (Linux) hosts work without problem with the key.

And from the /var/log/system.log I get:
Apr  1 18:21:35 host sshd[79752]: error: PAM: authentication error for me from host
Apr  1 18:21:35 host sshd[79752]: Connection reset by authenticating user me host port 53028 [preauth]

Anybody got a clue what is going on?

#6
Hello all,

Currently I am using a well-known brand modem from my provider. It does the public IPv4 Subnet thing so I can use my public IP addresses in my servers to play with and it makes it possible for me to watch IPTV with it.

Tonight I was wondering, can OPNsense do the same thing if I put the modem into BRIDGE mode and put OPNsense behind it?

Will it work and will I still be able to watch IPTV?


#7
17.1 Legacy Series / Lost root passwd
July 31, 2017, 04:17:48 PM
So changing your root passwd while you are holding your baby son in your arms isn't the best idea in the world  :-[

Two days later, erhmz, what did I change it into?  :-\

Tried booting into single user mode -> mount -o rw / -> passwd -> reboot. But the passwd won't stick after the reboot.

Is there anything else I need to do (besides not forgetting the root pass) to make the passwd stick after reboot?
#8
Hardware and Performance / Re: UPS and OPNsense
June 11, 2017, 10:40:06 PM
I got the earlier mentioned UPS working with APCUPSD package, thanks  :D
#9
Hardware and Performance / UPS and OPNsense
May 26, 2017, 08:29:58 AM
I am thinking about buying a UPS for the OPNsense box and what not.

Looking at:
https://tweakers.net/pricewatch/261492/apc-back-ups-es-700va-din.html (Link is in Dutch language)

This one has good reviews and can be connected via USB.

Will this work with OPNsense out of the box or does it need an extra package installed? If an extra package needs to be installed, will that stick after an OPNsense update?

#10
What kind of hardware issues were you having? Just curious.

It works great for blocking ads on Android and what not.

YouTube ads still come in Csmall, but anything else gets blocked. Probably it's just (hopefully) adding an ad host of YouTube to the blocked list. If that doesn't work anymore then Google has found new ways to irritate their YouTube clients :(
#11
Hi Fabian,

Thanks! 8)

I got it working on OPNsense 17.1.5.

Will this stick between the upgrades?
#12
Hi all,

I want to try to set up a simple DNS adblock for my clients in my network with yoyo.org and dnsmasq. I have a running working configuration on Debian with dnsmasq but I have no clue how to do this with OPNsense.

I don't want to go the web proxy way, I want to block ad networks on the DNS level where it should be blocked.

Is there a way to achieve this on OPNsense? It would be nice to let OPNsense handle this task.
#13
17.1 Legacy Series / Curl and Bind vulnerable
April 17, 2017, 01:18:38 PM
It's been a long time, thought I'd give OPNsense a try again. Looks very good and works great! :D

Did nobody else notice yet? Curl and Bind are vulnerable.


***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.53.1 is vulnerable:
cURL -- out of buffer read
CVE: CVE-2017-7407
WWW: https://vuxml.FreeBSD.org/freebsd/04f29189-1a05-11e7-bc6e-b499baebfeaf.html

bind911-9.11.0P3 is vulnerable:
BIND -- multiple vulnerabilities
CVE: CVE-2017-3138
CVE: CVE-2017-3137
CVE: CVE-2017-3136
WWW: https://vuxml.FreeBSD.org/freebsd/c6861494-1ffb-11e7-934d-d05099c0ae8c.html

2 problem(s) in the installed packages found.
***DONE***
#14
If I just kill the lighttpd process can I get away with it, or does the webgui need to be running for OPNsense to work okay?
#15
15.7 Legacy Series / Re: 15.7.6 Smooth sailing!
July 31, 2015, 07:10:47 PM
Same here. All good :D