Messages

1

20.1 Production Series / Re: ZFS Installer Test Help

« on: March 08, 2020, 08:39:24 am »

Hi mimugmail, those are really great news definitely.

I will be happy to test that Alpha release on my hardware instead.

Regards

2

20.1 Production Series / ZFS Installer Test Help

« on: March 08, 2020, 07:43:58 am »

Hello, In response to this now old thread

I've been a bit busy lately hence can't responded in time on the previous old thread.

However had some time and made a "fast draft" update to the opnsense.sh developed by franco in hope to get some feedback about the ZFS installation process/functionality, it currently supports ISO files only as the source media in this test installer, but will fully support USB installers as well based on the testing feedback.

I've currently tested only on GPT/UFS and GPT/ZFS and seems to work well here, though I've only focused in the ZFS filesystem and more testing is much welcome.

Small video showing bsdinstaller working HERE

Testing sources can be found HERE

The current proposal does copy the files freshly from the source media, and does not requires for the live media to carry the base.txt etc. tarballs files, keeping the same size for convenience.

P.S. Note that the file copying process does not have a percentage gauge yet. 

Regards

3

19.7 Legacy Series / OPNsense built-in ZFS Installer Ideas

« on: December 07, 2019, 10:25:53 pm »

Hello, I'm really sorry for posting a another thread about this topic, however since I posted in an already Legacy product thread, it may worth to just point for it instead of duplicating.

Here are some ideas, test files for a simple built-in OPNsense ZFS installer, actually the "bsdinstall" route is the best approach in my personal opinion, though there are several ways to accomplish this eventually.

Regards

4

19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?

« on: December 03, 2019, 06:55:27 pm »

Hello, I also use here the bootstrap installer for OPNsense ZFS install and is working just fine. 
However looks like there's still many users requesting for a built-in ZFS installer, especially newcomers and/or users afraid of the command line, or simply an online installation is not possible.

Short story:
I was also thinking on doing something similar for NAS4Free/XigmaNAS few years ago, adding the bsdinstall, but since its main Embedded roots don't have much of acceptance, so I created a very simple ZFS installer single script solution(already added in base) to keep a small footprint and file count as minimum as possible, yet its process is based from latest bsdinstall with Boot Environments compliant which is a must.

Simple single script method:
Here is a small video showing how it works in OPNsense with very small edit, the little script does offers to install in ZFS Stripe, Mirror and RAID10, as well as for Swap geli encryption option, currently supports MBR, GPT, UEFI and GPT+UEFI install options during its dialog driven installation.

I would be happy enough to contribute the ZFS installer to the OPNsense devs so they can update/modify/adapt as needed. 

Datasets creation process by the installer(same as bsdinstall):

Code: [Select]

zfs create -o mountpoint=none "zroot/ROOT"
zfs create -o mountpoint=/ "zroot/ROOT/default"
zfs create -o mountpoint=/tmp -o exec=on -o setuid=off "zroot/tmp"
zfs create -o mountpoint=/usr -o canmount=off "zroot/usr"
zfs create -o setuid=off "zroot/usr/ports"
zfs create -o mountpoint=/var -o canmount=off "zroot/var"
zfs create -o exec=off -o setuid=off "zroot/var/audit"
zfs create -o exec=off -o setuid=off "zroot/var/crash"
zfs create -o exec=off -o setuid=off "zroot/var/log"
zfs create -o atime=on "zroot/var/mail"
zfs create -o setuid=off "zroot/var/tmp"
Here is the Disk usage widget after new install boot:


P.S. Please fast forward the video during Unbound DNS after reboot to see the zpool/disk gpart layouts.

The BSDINSTALL method:
Here is a small video showing a very simple install progress using the "bsdinstall" approach, it just need for the distfiles to be placed in "/usr/freebsd-dist" with a sane MANIFEST generated file, then explicitly add the mandatory files under bsdinstall/auto to only show optionals in the dialog if any such debug/extras dist files, additionally place customs in the bsdinstall/config to properly generate/append to config files.

One drawback is that this method required for the OPNsense distfiles to be included in the distribution as expected, however a small edit in the bsdinstall can take the files already present in the ISO and copy them to the target media like in the previous single script method, though I still prefer the bsdinstall personally and follow standards whenever possible.

Here is the test examples for reference.

Regards

5

19.7 Legacy Series / Re: Smart status now yellow "unknown"

« on: August 19, 2019, 12:59:35 pm »

If you haven't already done so, please add your comments or subscribe to the Github issue submitted here: https://github.com/opnsense/plugins/issues/1415

done :-)

Thanks, after manually applying the fix, "SMART Status" widget start working correctly with an "OK" on my healthy SATA disk.

Regards

6

General Discussion / Re: LDAP groups

« on: July 29, 2018, 05:51:13 am »

I agree with post #3, perhaps as an outboard plugin as usual, so is up to the user to add risky and/or unrelated to firewall functionality, plus avoid bloatware.

7

General Discussion / Re: ZFS

« on: July 06, 2018, 01:36:13 pm »

Sorry to poke here again, I just wanted to post my latest simple beadm TUI wrapper, it now supports full Boot Environments replication to .xz compressed files, this creates a replica(zfs send) of your last saved Boot Environment/Snapshot(I use zfsnap for rolling snapshots), then piped to xz regardless of the ZFS RAIDX used.

This can be later restored if you lost your boot drive(s) or simply want to replicate pre-configured setups to alternate hardware/VM's for convenience, note that this tool can backups your BE's to same boot drive as well(I use a 2.5" 250GB HDD w/o issue) and later exported to whatever location or even your desktop with simple tools like FileZilla/WinSCP through SSH, but is not limited to, you can edit the tool and save BE's to a network location as well.

This might help someone with PHP skills to make a similar(optional) plugin I think, Bemanager at GitHub.

Images and sample config file HERE

Regards

8

General Discussion / Re: OPNsense versus pfSense

« on: June 27, 2018, 09:05:15 pm »

Just to add, while already experienced with this kind of appliances, and with a relatively very simple home network, after looking/testing some consumer routers with DD-WRT, m0n0wall, pfSense, and OPNsense, I rapidly felt a huge stability and responsiveness with OPNsense myself with my rather old E7600 and 4GB RAM, setting things up is a breeze and it just works, no frills at all here also BSD licese.

Currently running ClamAV, Traffic Shaper, SSH, PF, Suricata/IDS, DNS etc. and the CPU mostly sitting at 5% with some random 25~35% peaks sometimes, and 35% RAM usage after a while.

Note that I'm running OPNsense 18.1.10-amd64 RootOnZFS with Boot Environments hence abit more RAM due the ZFS ARC usage which is expected, still don't feel the need to add more RAM though.

Overall a pretty solid product, an easy and functional clean interface, did I mentioned the BSD license.

Regards

9

General Discussion / Re: Port forward behind ISP Router

« on: June 27, 2018, 04:23:18 pm »

I think I found a quick working solution to workaround this Locked ISP/Carrier Grade NAT issues, is a no install required service called Serveo, an SSH server remote port forwarding, while may not fit every solution, home/soho can benefit from it I think.

I just created a script to fit my needs with a heartbeat loop to auto reconnect upon remote host possible disconnections/target machine availability, and is working great so far from OPNsense appliance itself since its 24/7.

Maybe a very simple plugin supporting this and similar services could be useful, will take a look into it by the way.

Regards

10

General Discussion / Re: Port forward behind ISP Router

« on: June 27, 2018, 10:20:23 am »

Hello, again I'm really sorry for this rather repetitive and messy type of post, however since I'm in this same boat unfortunately, and cannot access my ISP Router/NAT, I just give up on it, and will try alternate solutions like in the previously posted link above, since switching from ISP is not an option by the moment.

Regards

11

General Discussion / [Solved]Port forward behind ISP Router

« on: June 26, 2018, 07:34:28 pm »

Hi, since I've tried numerous how-to also can't search for solution yet, I decided to starting a new thread in hope someone in the same boat with solution can bring some light.

I'm having a very hard time trying to get a simple web server to be accessible outside my network(for testing purposes) through No-IP/Port forward, I will post brief setup of my current network in hope to get some advice if I am doing something wrong on my end, before I consider to call my ISP in which is very slow wen it comes to customer support unfortunately.

Lets start with my setup and what I'm trying to accomplish for reference, my setup is as follow:

           ISP/Locked                        Router/DHCP                WiFi/AP/Bridge            Switch/Unmanaged            Wired
[Ubiquiti Wireless Radio]----->[OPNsense 18.1.10]----->[Netis WF2419]----->[ PowerConnect 2808]----->[Clients]

HERE is an image of the above network setup/diagram.

My Web server in question is a simple Apache server running on my FreeBSD file server and currently accessible locally with the IP: 192.168.1.xxx:8080, OPNsense is handling all the Unbound DNS, DHCP and DDNS with my No-IP account, the DynDNS plugin is currently working and cached my outside WAN IP address and is reflected in the No-IP website as expected, now the odds are coming.

I configured port forwarding for the Apache IP/port as follows:

<Source>
[IF=WAN]--[Proto=TCP]--[Address=*]--[Ports=*]

<Destination>
[Address=LAN Address]--[Ports=*]

<NAT>
[NAT=192.168.1.xxx]--[Ports=8080]

My DNS Servers are as follow:
#1: 208.67.222.222
#2: 208.67.220.220
#3: 192.168.1.1

Allow DNS server list to be overridden = Unchecked
Do not use the DNS Forwarder/Resolver = Unchecked

A further test I performed under Windows "nslookup" returned also the following:
> myhostname.ddns.net
Server:  opnsense.localdomain
Address:  192.168.1.1

Non-authoritative answer:
Name:    myhostname.ddns.net
Address:  104.238.xxx.xxx (WAN IP)
>

Overall with this setup, I can access my specified "myhostname.ddns.net" and I'm redirected to external WAN which is working fine, but the port forward is not redirecting to internal Apache target IP/port for some reasons, in either default port 80 nor with 8080 etc, additionally every port tester I've used say Port not open and others say Connection refused. 

I really apologize for my rather messy post and I hope to get some advice from experienced OPNsense users regarding port forward behind a locked ISP router, oh and really sorry for my English.

Regards

12

General Discussion / Re: ZFS

« on: June 23, 2018, 02:35:19 pm »

That would be great, I will be up for any testing when it's time though, for now I'm more than happy that my  hardware is working exceptionally well with OPNsense/ZFS.

Regards

13

General Discussion / Re: ZFS

« on: June 22, 2018, 01:53:37 pm »

Hello, this may seems a bit redundant for many as "beadm" commands are extremely simple, but I've created a cdialog driven little tool to help mostly newbies to work with Boot environments from a TUI manager for convenience.

I posted brief install instructions HERE though, I'm also currently using it on OPNsense.

Regards

14

General Discussion / Re: ZFS

« on: June 20, 2018, 04:33:34 pm »

Hello, I just wanted to add that this is epic, OPNsense + ZFS + Boot Environments(beadm).

I'm really happy this solution is working as expected on top of vanilla FreeBSD 11.1, brings me peace of mind that I'm backed by Boot Environments before upgrades/system wide changes.

Regards

15

16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7

« on: January 07, 2017, 11:44:45 am »

First, I want to thanks the OPNsense team for such great and very responsive firewall software, very happy user here.

Wanted to post in this thread since already related to the OP issue and could be informative to some with similar legacy AMD hardware.

After running OPNsense 16.7.x for a while with outstanding performance results for my relatively old hardware (AMD Athlon 64 X2 5600+, 4GB DDR2, IDE HDD) at home, I decided to start using IPS and followed documentation and only enabled all the "abuse.ch" to start being familiarized with, they were working almost for a week with lots of alerts, until I started reading more about and enabled some "Emerging Threats", after applying the selected ET the service(suricata) started crashing withing seconds after apply and/or restarts.

After struggling with the logs and the "exited on signal 4 (core dumped)" almost for a day, I found this thread and followed post #13 and locked the package from being overwritten as previously denoted and my frustration just ended with a smile,  keep up the good work.

Best regards