
Messages - cdburgess75

#16
I enjoy this topic. I see a lot of people say they hate the idea actually. Hate and fear mostly. However, I think it's a cool idea and could be a natural fit for services such as spam filters, etc. In fact, IDS/IPS, proxy, routing, VPN with AD auth, are separate services that this firewall is capable of. Even the LDAP integration to directory services (like AD) is available on firewalls. So we are ok with these features being on our favorite firewall, right?

The real question is, where does the fear stem from? Don't let the systemic change confuse our judgements. Is it security and reliability, or both maybe? I can see a case for all 3 sides, but my views and thoughts are not strong enough to justify dropping the idea altogether. We all have opinions, but there are reasons for their existence. Anyone interested in exploring, I'm up for it.

That said, I'm a veteran at this stuff too, I remember a day when all these services were on separate metal devices in LANs and DMZs. There can be a strange comparison to component stereo systems and compact ghetto blasters :) One last point, small biz cannot afford component stereo systems, they buy the compact ones.
#17
No, I just made 1 rule for each country and chose block for action. You will also see the block logs in the alert tab, along with any alerts.
#18
The alerts tab shows the log. I set this up a few days ago to stop India from sending me cryptolocker .js

It works great and super easy to setup.
#19
Are you asking me or informing me of that :)

Imagine, maybe it can be a hypervisor with an extremely cool firewall. The performance is definitely there for BSD's new virtualization software:

https://b3n.org/vmware-vs-bhyve-performance-comparison/


I get your point, truly I do. Everyone will say, NO, you can't do that! A firewall should never take these types of roles. However, they are being sold as routers and switches with layers 1, 2, 3, 4 and more of the OSI model being jammed into residential and commercial products every day. So the tradition is fading a bit. Haha, let's do it man.
#20
OR why not have OPNsense act as the hypervisor? :)
#21
Well, that's a cool idea man!
#22
General Discussion / Re: Reverse Proxy
January 23, 2016, 04:54:10 AM
Here is some more info on that: https://forum.opnsense.org/index.php?topic=5.msg4245#msg4245

You can do it with the squid file and add to the GUI if desired. We can work together and try to make it official if you would like to.
#23
15.7 Legacy Series / Re: NAT doesn't work
December 30, 2015, 02:13:42 AM
I have found that before and beat it to death. I found the answer finally. It's only XenServer (maybe Xen too). Common FreeBSD 10 and above issue. I found in pfSense the exact same thing. Here is a thread that explains more. I switched hypervisors due to this. Works on others (VMware/Hyper-V/VirtualBox etc.).

https://forum.pfsense.org/index.php?topic=88467.0
#24
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 23, 2015, 06:26:22 PM
Yes, I upgraded to 15.7.23-amd64 and it worked! Thank you so much for your hard work!
#25
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 23, 2015, 06:01:46 PM
:) I am going to give it a shot, I'll report back.
#26
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 18, 2015, 11:08:41 PM
OK, I tried it again. We are still not able to auth to the confirmed LDAP connection. We see in the logs that it is trying:
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:04:11   squid: user 'test' could not authenticate.
Dec 18 23:04:11   squid: user 'test' could not authenticate.

It seems to only work on the local db.  The AD LDAP connection is working and allows us to add users.  I also gave the permission "proxy login" to a group and added them to that in the users section.
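The log lines quoted above are the kind of thing worth triaging automatically: a handful of "could not authenticate" entries per user in a short window can mean a brute-force attempt, but when every user fails in lockstep (as here, where only the local database works) the cause is almost always the auth helper or backend wiring rather than bad passwords. The following is an added example, not code from the poster or from the OPNsense or Squid projects. It parses syslog-style lines of the exact shape shown in the post, counts failures per user, and flags users whose failures cluster inside a sliding window. The sample lines are constructed for this example (only the message format is taken from the post), and the year is an assumption since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the squid auth-failure lines in the post.
# Timestamps and the extra entries beyond the two users quoted are made up.
SAMPLE_LOG = """\
Dec 18 23:04:11   squid: user 'test' could not authenticate.
Dec 18 23:04:11   squid: user 'test' could not authenticate.
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:04:21   squid: user 'dave' could not authenticate.
Dec 18 23:05:02   squid: user 'dave' could not authenticate.
Dec 18 23:09:40   squid: user 'dave' could not authenticate.
Dec 18 23:15:00   squid: user 'test' could not authenticate.
Dec 18 23:15:01   squid: Squid Parent: child process 1234 started
"""

# Matches only the auth-failure message; other squid lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"squid: user '(?P<user>[^']*)' could not authenticate\.$"
)


def parse_failures(text, year=2015):
    """Return [(datetime, user), ...] for each auth-failure line in text.

    Syslog lines have no year, so one is supplied; 2015 is an assumption
    chosen to match the dates on the forum posts.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        ts_text = " ".join(m.group("ts").split())  # collapse "Dec  8" padding
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user")))
    return events


def failures_by_user(events):
    """Total failure count per user."""
    counts = defaultdict(int)
    for _, user in events:
        counts[user] += 1
    return dict(counts)


def burst_users(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside some span of length `window`.

    Returns {user: max_failures_seen_in_one_window} for flagged users only.
    Uses a per-user sliding window over sorted timestamps.
    """
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def triage(events):
    """Human-readable hint: one noisy user looks like guessing, everyone failing
    looks like a broken backend (the situation described in the post)."""
    counts = failures_by_user(events)
    bursts = burst_users(events)
    if counts and len(bursts) == len(counts):
        return "every user fails: suspect the auth helper / LDAP backend, not passwords"
    if bursts:
        return "burst failures for %s: possible password guessing" % ", ".join(sorted(bursts))
    return "scattered failures only"


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print(failures_by_user(evs))
    print(burst_users(evs))
    print(triage(evs))
```

On the constructed sample, 'dave' is flagged (three failures within five minutes) and 'test' is not, so the triage hint leans towards guessing; on the post's real logs, where the same pattern hits every user and the local database still works, the same script would point at the backend instead.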
#27
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 16, 2015, 10:35:04 PM
Yes, I checked: the auth app is inserted like that word for word. Also, I have not defined any ACLs yet.
#28
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 15, 2015, 01:02:18 AM
I went ahead and started with a fresh copy of OPNsense 15.7.22-amd64. I configured LDAP successfully and the diag test came out fine. All the same steps as before. Enabling squid, etc. However, I cannot get a popup asking me to authenticate. All traffic is passing through squid according to the logs. Also, it allows normal traffic without the proxy. Not sure what's going on, is there anything I can help with?
#29
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 07, 2015, 04:06:03 PM
Thank you so much. I will check this out in 2 days and report back.
#30
15.7 Legacy Series / Re: Proxy LDAP auth issue
December 04, 2015, 02:43:14 AM
I edit the 3 files and restarted squid,  but did not have good results.  The problem I am having now is complete opposite.  Before I could not authenticate,  now the authentication pop up in the browser is not launching (as if maybe set to none or no authentication).  But I have both local database and the LDAP connection selected in the new gui interface.  Processes are running fine, my http request are logged fine as well.  However,  the syslog shows no attempt at authentication like before.  Hmmm :)