Topics - oneplane

#1
I'm trying to set up a routed subnet that is routed towards my WAN IPv4 to be used for multiple purposes. This is a relatively small subnet, a /29, and I'd like to:

- Have 2 addresses used for 2 LAN networks, they would have their own outbound NAT each
- Have 2 more used for 2 separate networks that run their own firewall on their own public IP

The problem is that with such a small subnet you can't really split it off into multiple subnets and have a public interface consuming 4 addresses (well, 2 addresses, one network address and one broadcast address).

One "solution" might be a /31, but that would still waste addresses. Maybe a PPPoE connection would make it possible to use a private IPv4 on the OPNsense side and supply one of the routed IPs on the external firewall side?

Drawing to go with this story:

                                                              ┌────────────────┐
                                                              │                │
                                                              │ incoming fiber │
                                                              │                │
                                                              └────────┬───────┘
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
                                                                       │
           OPNsense                                                    │
                                                                       │
┌───────────────────────────────────────┬────────────┐                 │
│                                       │            │    WAN          │
│       ┌───────────────────────────────┤            │                 │
│       │                               │  igb0      ◄─────────────────┘
│       │                               │            │
│       │                               │            │                        ┌───────────────────────────────┐
│       │             ┌─────────────────┼────────────┤                        │                               │
│       │             │                 │            │                        │  A subnet with DHCP, NAT etc  │
│       │             │ NAT             │            ├────────────────────────►                               │
│       ├─────────────►                 │  igb1      │                        │                               │
│       │             │                 │            │                        └───────────────────────────────┘
│       │             ├─────────────────┼────────────┤
│       │             │                 │            │
│       │             │                 │            │                        ┌───────────────────────────────┐
│       ├─────────────► NAT             │  igb2      │                        │                               │
│       │             │                 │            ├────────────────────────►                               │
│       │             │                 │            │                        │ A subnet with DHCP, NAT etc   │
│       │             └─────────────────┼────────────┤                        │                               │
│       │                               │            │                        └───────────────────────────────┘
│       │  one of the routed IPs        │ igb3       │
│       ├───────────────────────────────►            ├─────────────────┐        ┌────────────────────────┐
│       │                               │            │                 │        │                        │
│       │                               ├────────────┤                 └────────►  external firewall     │
│       │                               │            │                          │                        │
│       │   one of the routed IPs       │            │                          └────────────────────────┘
│       └───────────────────────────────► igb4       │
│                                       │            ├──────────────┐           ┌────────────────────────┐
│                                       │            │              │           │                        │
│                                       ├────────────┤              └───────────► external firewall      │
│                                       │            │                          │                        │
│                                       │            │                          └────────────────────────┘
│                                       │            │
│                (spare)────────────────┤ igb5       │
│                                       │            │
│                                       │            │
└───────────────────────────────────────┴────────────┘


#2
I was looking at the DHCP leases page to see if there was an easy way to improve it to filter and sort (for example on Interface or by IP or by MAC), but it looks like this is one of the pages and services that is still in the legacy format. Is that correct?

It looks like it's possible to add some JavaScript in there and tack it on to the old style mixed front-end, but this seems like a prime candidate for a refactoring to Phalcon. Is this something that is already being looked at, or is this, being a core service, not currently something to be messed with?
#3
Hardware and Performance / Atom C3000 LED control
July 01, 2021, 05:51:18 PM
Has anyone had any luck with LED control, GPIO control or I2C control on Atom C3000 systems?
I'm mostly looking into tuning the hardware watchdog, thermal configuration, front-panel LED and SFP configuration (LEDs for the network ports run via a CPLD that is configured over I2C at boot - I already have the parameters but I don't have access to any I2C bus :( )
#4
Development and Code Review / ONIE integration
June 12, 2021, 09:29:01 PM
Preamble
I've been running OPNsense on a number of refurbished/retargeted hardware devices that are slowly trickling down from the high-end NFV enterprise boxes to us mortals, and ONIE availability has been coming in more frequently over the past few years.

For example, a relatively large number of Dell VEP devices is becoming available due to their enterprise lifecycle nearing the end of the first support phase. Those boxes generally come with multicore C3000 series SoCs, 4+ GB of RAM and some combination of eMMC and mSATA or M.2 SSDs with a number of high quality network interfaces (some via the C3000 embedded interfaces, some i3xx series). Due to the low cost and relatively high reliability and performance, this makes for a very neat platform to run a variety of network functions on top of.

One of the features a lot of uCPE and NFV hardware devices have is ONIE support. This is essentially an embedded Linux environment that serves to install/update/replace the main OS. It doesn't need to target a Linux OS; examples (commercial mostly) running NetBSD and even VxWorks are in use at scale. The benefit is that you get integrated support for recovery methods, as well as embedded diagnostics, and device-specific information about the ports, locations, naming, and other chassis features. It's not quite as 'fat' or complex as a BMC or SPS but more comparable to an extension of a DTB.

The actual idea
Wouldn't it be great if we could package an OPNsense installation into a format that can be 'installed' and 'recovered' using ONIE? This way, we can run on a variety of network hardware while only adding a single installation option. It is similar to developing an AMI for AWS or a CF image for x86 devices with no VGA. As far as I can tell, this boils down to a package with a disk image, a deployment script so whatever bootloader the device comes with can chainload BTX, and an addition to that disk image that reads the configuration ONIE parks in a known spot so it can boot up and know what interfaces exist ahead of time.

I am by no means a BSD installer specialist, but looking at the scripts for the ARM build and AWS AMI build it should be feasible to prepare an architecture-specific image that can at least run without additional installation, and then inject a process or rc script to read a base configuration when a fresh install/image is detected.

I don't know if anyone else has thought of this or if this was attempted at an earlier time but some feedback on this idea would be neat.
#5
I'm getting an odd issue where `System: Access: Users download` doesn't work (Could not connect to the LDAP server. Please check your LDAP configuration.) but `System: Access: Servers / Authentication containers` works and so does `System: Access: Tester`.

The server is available and works fine, but it seems the code path for system_usermanager_import_ldap.php isn't using the same settings as the configuration or testing pages?
#6
18.7 Legacy Series / libdl.so.1 missing - global issue?
January 06, 2019, 05:46:59 AM
FreeBSD 11.1-RELEASE-p17  bf74bfa8a63(stable/18.7) amd64
OPNsense 18.7.9 068523882
LibreSSL 2.7.4
PHP 7.1.25
[04-Jan-2019 02:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 03:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 04:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 05:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 06:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 07:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
[04-Jan-2019 08:05:00 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20160303/ldap.so' - Shared object "libdl.so.1" not found, required by "libsasl2.so.3" in Unknown on line 0
Is this a missing dependency check somewhere?
#7
I already posted it as an issue: https://github.com/opnsense/core/issues/2550

But since resources are probably limited and use cases not very broad, I was thinking I might implement this myself. As far as I can see, Unbound is not MVC-integrated yet, so a good first step would be upgrading that so it's MVC based. Next, I could add a switch or toggle to override entries to select between stub-zone and forward-zone (maybe call it "Authoritative server" and "Any server" or something like that), and have the config output print forward-zone and stub-zone depending on the selection.

Looking at the build system and sources, it seems that the PHP (and Python if I need to do something in configd) parts are not that hard to update, but rebuilding a whole image is a lot of work (since it's pretty much building the entire ports tree?). I can spin up a FreeBSD VM for development, but it seems rather overkill for something so small. Is this the only way to develop this? And how would one start with this, just convert some pages, or does it have to be the whole module at once?
#8
Hardware and Performance / Known good hardware wiki
March 31, 2018, 03:10:44 AM
I was wondering if it would be helpful to create an HCL-type wiki like OpenWRT/LEDE, coreboot, and one of those hackintosh project pages have. I know it can be a pain to maintain, but with correct versioning and reporting on the staleness/freshness of the entry it would be a very helpful resource. One of the ways this could be filtered might be a Sphinx/GitHub based solution where you need to submit a PR with the data to get it on the page.
#9
General Discussion / Wide forum theme option?
March 31, 2018, 02:09:47 AM
Hi, is there an option to add a wider theme to SMF, or perhaps a bootstrapified theme that grows with window size?