Messages - MasterXBKC

#1
We have a VPN connection that we need to match up to that sources from a Juniper device, and I know it used to be possible to disable PFS, aka Perfect Forward Secrecy, which is disabled on the other side.

How do we disable this when it will not allow us to change it lower than group 1?
#2
Any news?
#3
So here is a bizarre one I have just discovered.

I have an opnsense VM on VMware ESXi, with a number of virtual machines behind it; it holds 2 WAN IPs.

I had a bunch of rules going to VM-A at 10.0.0.2, for ssh, http, https, etc.

So I needed the same rules for the new VM, which is VM-B, so I added the second IP as a virtual IP, and then cloned each of the NAT rules and on each new copy swapped the WAN address for the new virtual IP, and changed the redirect IP to 10.0.0.3. Saved, and applied.

None of the NAT rules worked; the VM was inaccessible from the WAN side completely. I re-verified all the settings several times, but all attempts to reach VM-B via the new virtual IP were refused.

So I deleted the rules and created them again the same way, and ended up in the same situation.

As a last-ditch effort, I deleted all the rules for VM-B again, and instead of using the clone button, I created them all manually for VM-B, and now they all work the first time.

Something in the cloning of a NAT rule is not working properly.... But everything looks proper in the GUI.
#4
Franco, I am very grateful for your assistance, and I apologize in full for any stress I have caused you and the team, as this again was never my intent.

And I do feel like you deserve compensation for the efforts you made on my behalf, and I have offered to pay you, and I am offering again, that I would be happy to send you $100 bucks, go have a night on the town on me, take out Mrs Franco if there is one. ;) At the least it should buy you a good meal and some strong drinks at your favorite venue. And that's not to ensure that you help me in the future, it is for your help so far, no strings attached.

Alternatively, if you feel you do not need this compensation, I will spend it as a donation to the project, because while I could fork opnsense, and do my own thing with it....

I don't see that need, you guys have done a fabulous job with it, and I mean that. We have ceased our usage of pfsense in all new projects, and migrated about 50% of them over to opnsense now. I would be re-inventing the wheel, just so I could put my small little mark (plugin) on it.

And I honestly feel some guilt for the friction that has occurred here, I really do, and I don't want it to be that way going forward.

I formally apologize for any friction I have caused.

What's that old saying, Why fight when we can shine together baby.
#5
I'm making this thread as a documented way to keep track of the progress in getting this plugin published, either by way of a secondary repository for third party plugins, which I am happy to host myself, for others to submit to as well, or for it to be included into the normal repos. Whichever direction does not matter to me, but it needs to make some progress.

The feedback I have gotten from opnsense thus far has been:
1.  We need to figure out how we want to handle third party, or commercial plugins.
|-Understandable, I have not been the most patient, but that is because this would correct a big pain point in my platform. I have the infrastructure to set up an alternate repo yesterday. I have ~12 TB spinning in the datacenter right now. And the MSP I am the Sr Engineer for has another 70TB spinning that I built.

2. 
Quote from: jschellevis
As for PFMonitor it is difficult for us to promote that as we are looking at our own central management development that includes extending the API (you can utilise this too when available for PFMonitor as the API extension is part of the open source OPNsense project).

The central management solution will be part of our open source business model so we can extend our team and increase the development effort.

This does not mean that there is no room for you and others to provide their own solution, just that we as Deciso are not interested in third party solutions at this point in time.
|-This is fine and dandy, I have no issue being in friendly competition, it drives excellence. And this is an open-source platform, is it not? Thus by definition allowing for others to contribute their parts, ideas, etc.

3. 
Quote from: adschellevis
I'm also very busy, but if you can provide me with an account to your solution and the necessary script files, I can see if I can try this myself.... but no promises.
You can reach me at (email-address).
Best regards
|-Thank you for your efforts, as always much appreciated!

4.  Franco has been an excellent help and person to bounce things off of. Even though I probably annoy him too much, I am extremely appreciative of everything he has done.

It's also a pain point for my users, some of which are opnsense users, and others "want" to be opnsense users, but worry about the difficulty of getting plugins installed/updates on opnsense.

I will continue my promise, that if we can get this done, I will both donate $100 to the project, as well as link to Deciso's site/hw page from within PFMonitor, and list their devices, as is only fair.

It is with your team's support and assistance that I have the complete and tested pfmonitor plugin.

I look forward to progress on this, behind the scenes, as well as in front of them, and to both of our continued success and excellence.
#6
I'm looking for info on how to set up my own repository for opnsense, so that I can upload my custom plugins to it, for use on my many units, and those of my clients.

I wouldn't mind it also hosting a complete copy of the regular repos so that it can be used for updates as well.

Is there any information for how I can do this?
#7
You misunderstand, it was not that I had issue with its functionality, I had issue with storing the code of servers I don't have control of.
#8
TY  ;D

For my code projects I have my own repository arrangement in my cloud system and it backs up to Google Drive, so I have never needed to use git, nor did I really trust putting my source code there, but I do see the advantages of GitHub despite that.
#9
I'm doing this on the GitHub website, I don't quite see these options.
#10
I have re-published the pfmonitor plugin without the nmap, I'm trying to figure out how to do a separate upload for the nmap still, it keeps trying to lump them in together.
#11
Quote from: franco on February 13, 2018, 01:14:28 AM
Quote from: MasterXBKC on February 12, 2018, 09:41:03 PM
If you will agree for my pfmonitor plugin to pull, I will happily go in right now, and re-publish the code, with zero obfuscation.

One step in the right direction, but reviewing and merging it will help mostly yourself. I'm being reluctant and you know this. But I have helped as time permits and will help again when time at my day job is not taking most of my day.

Yes, it will help me largely, but I have 78 users on my platform, whom it would also benefit immensely, as a number of them, like myself, are very fed up with pfsense support price hikes, hardware price hikes, and their elimination of their 2220 cheaper end units, etc., I'm sure other reasons as well. They want to move over to opnsense with a lot of their units, but do not want to give up the remote management and monitoring, and the reporting that my pfmonitor platform offers. As of now the process to install my plugin for it is cumbersome, and requires ssh, etc. This would ease their migration path greatly, by reducing the amount of time it takes to get the plugin loaded. I myself work for an MSP and we have already been re-loading our pfSense devices with opnsense as we get onsite to them at their various sites. That company which I work for would also be among those benefitted, including the other staff of said company.

If not for getting the plugin loaded into the repos, at the least an upload/browse button to more easily load custom plugins would also be acceptable.
Quote from: franco on February 13, 2018, 01:14:28 AM
Quote from: MasterXBKC on February 12, 2018, 09:41:03 PM
Is this acceptable? It is the same code I sent you before, but with the update function removed, as the package manager now handles that, and with 2-3 lines fixed for compatibility. Other than that it's 100% the same skeleton you sent me before.

No, because it raises the review and beneficiary question mentioned above. I don't want to merge something we don't have a policy for. It's not a "no" for a merge, it's a "no, we really don't know" and from the core team we don't appreciate being pushed into this position instead of naturally easing into it by asking the right questions and discussing it with the community. If the community is silent, that then only means a decision must be made in the best interest, not necessarily in the voiced interest.

I can completely understand that you need policies for things, I am an open book, either with helping for the policy, providing input for it, whatever you need, just ask.
Quote from: franco on February 13, 2018, 01:14:28 AM
Quote from: MasterXBKC on February 12, 2018, 09:41:03 PM
And while I'm at it, do I need to re-fork, so I can do a pull request just of pfmonitor, without the nmap? Remember I'm not a git expert.

You can create separate branches for both plugins. Since they reside in separate directories, that won't be a problem.

Thank you, this explains how I screwed up the PR.
Quote from: franco on February 13, 2018, 01:14:28 AM
Quote from: MasterXBKC on February 12, 2018, 09:41:03 PM
Also, I'm not sure what use the API will have for nmap functionality....

Why are you not sure? Can you explain?

I meant that the nmap plugin would not have much use in API form, expressing opinion, that's all.
Quote from: franco on February 13, 2018, 01:14:28 AM
Quote from: MasterXBKC on February 12, 2018, 09:41:03 PM
Separate question here:
Also, for the api itself, are you expecting everyone who wants to use it, to expose their web interfaces to the open internet?

No, it's for local scripting and UI flexibility. You don't like the current way the UI does things? Build a better UI on top of the API as a plugin, or combine them.... scan via nmap, do reverse DNS lookups, write firewall rules.. all in one plugin... eventually. Possibilities are endless, practically only limited by imagination.  ;)

I should hope not.   Would be a large security surface to worry about.

I am not trying to be difficult about this, I am very fond of this project, but please understand my frustration in this, that getting 1 little plugin added to a list would help so much, and reduce the number of constant emails I get from people who do not know how to get SSH enabled, and how to SFTP the files to the opnsense device, and execute proper commands to get them loaded.

I fully apologize for the impressions from my above posts, but please guys, whatever I need to do to get this done, either with the plugin getting published, or even just an easy upload button to load a custom plugin, either one would solve the problem at least in short term.

#12
If you will agree for my pfmonitor plugin to pull, I will happily go in right now, and re-publish the code, with zero obfuscation.

Is this acceptable? It is the same code I sent you before, but with the update function removed, as the package manager now handles that, and with 2-3 lines fixed for compatibility. Other than that it's 100% the same skeleton you sent me before.

And while I'm at it, do I need to re-fork, so I can do a pull request just of pfmonitor, without the nmap? Remember I'm not a git expert.

Also, I'm not sure what use the API will have for nmap functionality....

Separate question here:
Also, for the api itself, are you expecting everyone who wants to use it, to expose their web interfaces to the open internet?
#13
I fixed all the pertinent issues in the nmap plugin, not counting its staticness, and re-uploaded.
#14
Quote from: fabian on February 11, 2018, 11:06:18 AM
Very likely not going to be merged as it looks now.

Fabian, I read through your comments on the code in GitHub, and here's some thoughts of my own:
For your claim of my static colors breaking themes, I only colored a few individual words from results output for clarity, the pages retain the original theming from the plugin I borrowed code from.

For translations, I only speak English so I can't help you there.

I didn't see a reason to color on a host being down, since no usable information is actually output.

You seem to like your escapeshellarg, but if you actually test my preg replace regex code, it's set up so you can use DNS names, IPv4, IPv6, as well as hyphens, and slashes for use in CIDRs, and to dump any other characters that do not belong. Think of it like a character white list.

Then the section of CASE statements, you said were all the same, make them dry....
They're not all the same, they have minor differences in their layout and output vars. Similar is not identical.

The no smart devices part was a snippet I apparently missed trimming off, or else copied in without realizing, and it just needs AXEd.

REQUEST vs POST and GET, I didn't want $_COOKIE data getting lumped in too, I code from a standpoint of letting in as little information as possible, for security. If I don't need data coming in all three holes, why even open all three holes??? (GET, POST, COOKIE)

I took the stupidly basic smart plugin, and used it to make an nmap plugin, if you didn't gather that already.

As for the pfmonitor code being obfuscated, I have sent its original source to both franco and adsch, and I can even provide the obfuscator I used so the code can be verified. HELL, if it's such a big issue I'll just upload the un-obfuscated version if it will save the headaches I'm trying to save by having that plugin available for one click install for my clients, which would save hours and hours for me playing tech support for users who are not familiar with ssh and linux/unix trying to install my plugin manually.

The pfmonitor plugin does send information to my server, CPU model, CPU usage, RAM usage, load, and other stuff like this, it is for remote monitoring. And I DO NOT want to have people opening their web interfaces to the outside world, needlessly exposing them to brute forcing, when this plugin can just post it to my server, which does not need any open ports, or access to the opnsense API, it's safer.
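
Editor's added example, not part of the post above and not the nmap plugin's code: a character allow-list like the one described in the post, next to a structural check of the scan target, with escapeshellarg applied to whatever passes. Function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: names below are hypothetical, not taken from the plugin.

// Character allow-list as described in the post: anything outside
// letters, digits, '.', ':', '-' and '/' is dropped.
function filter_target(string $raw): string
{
    return preg_replace('/[^A-Za-z0-9.:\/-]/', '', $raw);
}

// Structural check: accept only an IP, an IP/prefix, or a hostname.
// Returns the target, or null so the caller can reject instead of rewriting.
function validate_target(string $raw): ?string
{
    $raw = trim($raw);
    [$host, $prefix] = array_pad(explode('/', $raw, 2), 2, null);
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if ($prefix !== null) {
        $max = strpos($host, ':') !== false ? 128 : 32;
        $ok = $isIp && ctype_digit($prefix) && strlen($prefix) <= 3 && (int)$prefix <= $max;
        return $ok ? $raw : null;
    }
    if ($isIp) {
        return $raw;
    }
    // Hostname labels must start and end with a letter or digit,
    // so a value with a leading '-' can never be read as an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHost = strlen($host) <= 253 && preg_match("/^$label(?:\\.$label)*$/", $host) === 1;
    return $isHost ? $raw : null;
}

// Constructed sample inputs.
$samples = ['192.168.1.0/24', 'fe80::1', 'fw-01.example.com', '-example', '10.0.0.1 ;x'];
foreach ($samples as $input) {
    $filtered = filter_target($input);
    $target = validate_target($input);
    // escapeshellarg() quotes the value for the shell; validation decides
    // whether it is a target at all. Both are applied before building a command.
    $cmd = $target === null ? '(rejected)' : 'nmap -sn ' . escapeshellarg($target);
    printf("%-20s filter=%-20s %s\n", $input, $filtered, $cmd);
}
```

The last two samples show the difference: the character filter passes `-example` through unchanged and rewrites `10.0.0.1 ;x` into a different string, while the structural check rejects both.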
#15
And sorry for the early morning animosity, I haven't got any coffee yet.