Messages

6646

Tutorials and FAQs / Re: HOWTO: Install ICAPrb::Server on OPNsense

« on: August 14, 2017, 04:14:07 pm »

Clamav and c-icap will be in master in a few days.
To get into stable it will take some time, perhaps 17.7.2 or 17.7.3?

6647

General Discussion / Re: Radius Accounting & Nas Identifier

« on: August 11, 2017, 06:20:09 am »

If they don't rely on accounting it should be very easy.
Just post a list of reply attributes.

6648

General Discussion / Re: Radius Accounting & Nas Identifier

« on: August 10, 2017, 02:15:21 pm »

Hi,

Accounting is currently not implemented within FreeRADIUS plugin.
I'll have a look at it the next weeks since there are more people asking for it

6649

17.7 Legacy Series / Re: Intrusion Detection issue

« on: August 08, 2017, 05:48:39 am »

It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance

6650

Development and Code Review / Re: IPsec Failover project...

« on: August 07, 2017, 06:42:08 am »

@franco: I'll have a look, thanks

@jorge: Would you open an issue?

6651

Development and Code Review / Re: IPsec Failover project...

« on: August 07, 2017, 06:05:58 am »

@franco:

- Second dropdown list for "Interface backup" (in P1)
- Second dropdown list for "Remote backup gateway" (in P1)
- Adding a P1 remote X automatically creates a "far gateway" which is monitored via apinger
- IF locale gateway of Interface (WAN primary) is down, change templating to IP of backup interface "left"
- IF far gateway is down leave left as is but change templating for "right"

I could imagine this is not too hard to setup .. but not sure if apinger works this way

6652

17.7 Legacy Series / Re: 802.3ad link aggregation support?

« on: August 05, 2017, 11:32:56 am »

Interfaces - Other types - LAGG

Choose your interfaces and LACP

Interfaces - Assignments

Assign your interface

6653

17.7 Legacy Series / Re: [SOLVED] Ipsec between two FW

« on: August 03, 2017, 11:30:39 am »

If you feel more comfortable with OpenVPN, stick to it. Only if you see a lack of performance try IPSEC, but I think you should be very fine now.

6654

17.7 Legacy Series / Re: Freeradius service not starting.

« on: August 02, 2017, 10:09:17 pm »

Can you switch to OpenSSL just for testing?

6655

17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?

« on: August 02, 2017, 08:22:36 pm »

Hi sthames42,

let me tell my story:

I was searching for a open source firewall with support for BGP and OSPF. I tried to find a solution using pfSense here: https://forum.pfsense.org/index.php?topic=126842.0

I stumbled upon OPNsense after and the solution to just use the package without GUI, so I looked at the project and there was fabianfrz just building a new version for a quagga plugin. Via Github I tried to contribute my ideas and knowledge of BGP and after some time also code, but I'm way no developer. Only some bash skills, nothing more.

After some time you'll see that the MVC code is always mostly the same, just like blocks you copy for your stuff and edit the model. When you're finished you create a template via jinja which is quite easy to read when you can do basic bash stuff.

And that's it, create a pull request and you get your source in. If you have a good idea the chance it get's in is really high, and the OPN guys are really fast

6656

17.7 Legacy Series / Re: Multi IPSEC tunnels

« on: August 02, 2017, 06:21:45 pm »

Sure, just install the tunnels and check that your networks doesn't overlap

6657

Development and Code Review / Re: IPsec Failover project...

« on: July 31, 2017, 10:10:44 pm »

I see this one timely more realistic (OPN to OPN):
https://github.com/opnsense/core/issues/952

6658

Development and Code Review / Re: IPsec Failover project...

« on: July 31, 2017, 09:51:36 pm »

Ok, but this means we have to use if_ipsec which is currently not supported.

I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

Libreswan has it's own interface support (software), and FreeBSD introduced with 11.0 if_ipsec (OS). Don't know how exactly Sophos does it, they also use strongswan, but the old version 4 (no IKEv2!!!). Also ASA e.g. introduced route based VPN very late.

6659

Development and Code Review / Re: IPsec Failover project...

« on: July 31, 2017, 09:44:53 pm »

Ok, but this means we have to use if_ipsec which is currently not supported.

I know.
But this functionality is not specific to StrongSwan, it does not have failover, we can read in its documentation.
This is a functionality implemented in the specific part of each product. Each one implements its logic and works together with Strongswan, Libreswan...

For each client with dynamic IP you set an own P1 with 0.0.0.0 as remote IP. Then you can separate with key-id, DN , whatever client supports.

6660

Development and Code Review / Re: IPsec Failover project...

« on: July 31, 2017, 08:10:16 pm »

Ok, but this means we have to use if_ipsec which is currently not supported.