Recent posts

#1
General Discussion / Re: Port OPNsense to Linux?
Last post by drosophila - Today at 02:26:44 PM
Quote from: nero355 on April 02, 2026, 05:15:44 PM
Quote: AVM's Fritzbox
I hate those things! :(

I know ISPs in Germany have flooded the country with them and some Dutch ISPs use them too, but still: Can we please get rid of those things?!?!
What's so bad about these boxes? In comparison to the other ISP-provided devices, they are among the most flexible, most configurable and generally most "prosumer" I've seen. Of course they're not OpenWrt and not close to OPNsense, but that's not what they're meant to be, and they're good at what they do; update support is also better than most ISP-provided boxes. However, the flexibility is also being dumbed down in the name of "Clean UI and pleasant user experience", making simple tasks unnecessarily complicated (like the removal of the "disable WLAN" option, which now you can only do by disabling every transmit band individually, and you can't disable ISDN/S0 at all), so now you need a FAQ for what used to be self-explanatory. Also, I think at some point in the past they had firewall logs that seem to have vanished, or are hidden extremely well. But what annoys me most about FritzOS is that they'll forward you to some AVM site from within their UI without so much as notifying you. This is, to me, a security hazard: the UI of an appliance must be entirely self-contained, without external links unless these are explicitly declared.
OK, the OS is AFAIK not FOSS, so you can't mod it like you could with at least some Telekom-provided boxes; the last I know is that AVM cracked down on the modding scene by restricting their lab versions somehow.
#2
BTW: FreeBSD is on the leading edge as far as RISC-V is concerned, due to the efforts at the University of Cambridge and the CHERI project.
#3
To all  and

Quote from: Greg_E on March 03, 2026, 09:45:42 PM
How long did it take Linux to really get rolling on x86? RISC-V is fairly new still.

The thing is that back then, we in Europe (and China) bought into the x86 chips and their US-tech-monopoly-dominated ecosystems, from mobile devices, tablets and laptops to servers, datacenters and high performance computing (HPC), e.g. what we used to call supercomputers, which grew to become massively parallel x86 machines with GPUs to match. ARM & BSD have taken some market share, mostly via Apple, but the UK left the EU and ARM is 90% owned by Softbank, a Japanese tech fund. Now, China has been decoupling from US tech dominance for some time, and the Chinese government buying US x86 CPUs is forbidden, as it wants them to buy Chinese RISC-V and run Chinese Linux on them, thereby helping its own (state-owned) industry to decouple from the US dependency. While slower, India is also moving to FOSS & RISC-V, e.g. away from US tech dominance.

https://www.european-processor-initiative.eu/

"EPI vision:
-High Performance Computing needs for Exascale machines
-Low power CPU needs for Servers, Cloud and Edge
-Other markets under exploration"

So the EU Processor Initiative redirected its efforts to also target RISC-V, also for HPC and for the edge, and with all the digital decoupling that is happening, this is a smart move. Not only in the hardware, but in the full stack. The US CLOUD Act has also helped, as it gives the US government access to all data hosted by US cloud service providers. Airbus has thrown €50m at changing to an EU-owned and EU-based cloud, so their information does not end up in the hands of some people in Seattle who also happen to run a competing US airframe manufacturer.

The people behind it are also the Barcelona Center for Supercomputing. So besides the chips, one of the smart things is that you can run almost the same code on a RISC-V microcontroller and a server RISC-V. So investing in porting the EU's software to this, like in the automotive industry, is also the lure. As it is open, you are not tied to this or that ecosystem.

While there is not so much to see on the surface, 3 bn cores, or 30% of the market last year, were RISC-V, but likely microcontrollers and in automotive, so not consumer or servers yet. Also, as more move to Linux in the EU, shifting from x86 to an ARM or RISC-V CPU is already possible today. They don't have to wait for the US tech companies.

So the situation is in my view very different. There is a pre-new-geopolitical-reality and a post-new-geopolitical-reality and those two are very different. Also when EU gov push.

But perhaps a different and better option is not to port OPNsense, but to offer a Linux variant, tapping into its CPU and hardware support, as the userbase there, especially in the EU, is growing.
#4
German - Deutsch / Business [os-OPNWAF] - Modsecu...
Last post by rushstone - Today at 01:52:28 PM
Hello,

In the web application I miss a granular setting for security-rule exceptions.
I will create a feature request later and then refer to this topic.

I have simply mocked up a modal visually to show roughly how I imagine it.
Basically, the idea is that for a virtual server you can create an exception based on:
- specific client IPs
- and/or specific URIs
- and/or specific form fields

For example, one might want (or should) disable a specific rule only for a specific form field (and not directly for the whole virtual server).
Or generally whitelist admin client PCs.

The modal is only meant to roughly reflect what I had in mind. There may be better ways to implement it.


Regards, rushstone
#5
German - Deutsch / Re: OPNsense mit Caddy, VLans ...
Last post by ATL - Today at 01:43:33 PM
Quote from: spooner.arthur on April 02, 2026, 05:43:56 PM
Does that make sense?

If the services are meant to be reachable from outside, then certainly. I use the HAProxy in OPNsense for that. It controls access to the internally defined services.

Quote from: spooner.arthur on April 02, 2026, 05:43:56 PM
And, even more important, is it then actually more secure?

"More secure" than what? A VPN? No.
#6
German - Deutsch / Verständnisfrage: WAN-Interfac...
Last post by ATL - Today at 01:10:15 PM
Hello,

I have configured IPv6 on my OPNsense firewall. I get the WAN IPv6 via 6RD from the DHCPv4 lease. The system then creates a wan_stf device. Now I am wondering what to use as the WAN interface for IPv6 in the firewall rules?

  • Is it still the interface "WAN (wan)"?
  • Or should I assign an interface (e.g. WAN_6RD) to the device "wan_stf" and use that one?

#7
Tutorials and FAQs / Re: IPv6 Control Plane with FQ...
Last post by Seimus - Today at 11:28:44 AM
Quote from: OPNenthu on Today at 05:09:25 AM
This is my method too, but now she just blames me automatically even when it's not my fault :)

Hard life of the homelabber :D


Quote from: OPNenthu on Today at 05:09:25 AM
Regarding the Household test on the LibreQoS site, I asked ChatGPT what the test looks for and it gave an interesting response. It said that the household test falls down quickly when using FQ_CoDel because it cannot distinguish between flows. All traffic has equal priority, so things like gaming, VoIP, etc. can get impacted quickly when there is traffic from multiple clients.

This is not true.

FQ_CoDel can and does distinguish packets into different flows. It uses the 5-tuple to create hashes that map packets into different slots (flows/queues).
https://datatracker.ietf.org/doc/html/rfc8290#section-1.3

These slots (flows) are within the scheduler, e.g. the "scheduler queues", and are separate from the "Shaper Queues".
In FQ_C the default allowed number of Flows is 1000, but you can increase it in order to avoid having different flows hashed into the same slot.

Flows in FQ_C are one of its core components, because FQ_C does per packet per flow "sojourn time" tracking.

FQ_C, if set properly, should serve all flows equally while consistently tracking the packet sojourn time in each flow. This means one single flow should not starve others of bandwidth, nor of processing time.


Quote from: OPNenthu on Today at 05:09:25 AM
As it's not available on FreeBSD, the best we can do is prioritize into queues. I guess for that to work with FQ_CoDel we would need multiple pipes, right? Or maybe one pipe with no scheduler and instead use CoDel within priority queues?

CoDel is a queue discipline.
FQ is a scheduler algorithm.
FQ_CoDel is officially an AQM scheduler algorithm where the queue management is done in Flows the moment a packet is moved into the scheduler.

If you want to do priority, yes, then you need to divide the traffic into separate pipes, classifying each service.
If you used CoDel in the Queues, you would still use a Scheduler (default WFQ+). Here the queuing would be done in the Queues.

The FUN part of all of this is that you actually do not need a PRIO queue/flow. Back in the day, PRIO was a fix for RTP (real-time traffic), because there was no AQM/SQM. Without PRIO a packet could stall in a queue: once the queue was full, tail drop happened, but the packets already in the queue stalled, so even if they were delivered they were already out of sync. So in order to have usable VoIP or video, a PRIO queue was used to manage latency.

AQMs such as FQ_C fixed it as they introduced per packet per flow "sojourn time" tracking.

Quote: Here is an overview of the FQ_CoDel algorithm that performs these tasks in parallel:

1. Separate every traffic flow's arriving packets into their own queue.

2. Remove a small batch of packets from a queue, round-robin style, and transmit that batch through the (slow) bottleneck link to the ISP. When each batch has been fully sent, retrieve a batch from the next queue, and so on.

3. Offer back pressure to flows that are sending "more than their share" of data.

This last step is the heart of the FQ_CoDel algorithm. It measures the time that a packet remains in a queue (its "sojourn time"). That's how it determines that a flow is using more than its share. If packets have been in a queue "too long" (that is, if their sojourn times exceed the target setting for longer than the interval), FQ_CoDel begins to mark or drop some of those packets to cause the sender to slow down.

Quote from: OPNenthu on Today at 05:09:25 AM
I would be tempted to try this but I don't know how to match the traffic accurately. For example, how do we use rules to distinguish video streaming from regular downloads (both using HTTPS)? Are we supposed to match by destination, e.g. all YouTube.com -> send to high prio queue?

Basically by any means, but you are right here. You would have to know the specifications of the service, such as IP, port and protocol, and surgically categorize it.


Quote from: OPNenthu on Today at 05:09:25 AM
If someone has a guide for that in OPNsense it would be great. I'm sometimes getting an 'F' on that test.

I know this was already asked on the forum, and I provided a step-by-step, but I can't remember which topic it was.

Regards,
S.
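Added illustration (not part of Seimus's post, nor OPNsense or FreeBSD code): a small Python simulation of the two mechanisms described above, hashing the 5-tuple into scheduler slots and tracking per-flow sojourn time against a target and interval. The mixing function, the two 5-tuples and the traffic pattern are constructed, and the CoDel interval is shortened from the usual 100 ms so the run stays short; `demo(flows=1)` reproduces the hash-collision case the post mentions, where two flows land in one slot.

```python
import ipaddress
from collections import deque
def flow_slot(src, dst, sport, dport, proto, flows=1024):
    # FQ part: hash the 5-tuple onto one of `flows` slots (toy mix standing in for the
    # kernel's hash). With more active flows than slots, two flows share one FIFO queue.
    mix = (int(ipaddress.ip_address(src)) * 3 + int(ipaddress.ip_address(dst)) * 5
           + sport * 7 + dport * 11 + proto)
    return mix % flows
class FqCodelSim:
    def __init__(self, flows=1024, target_ms=5.0, interval_ms=100.0):
        self.flows, self.target, self.interval = flows, target_ms, interval_ms
        self.queues = {}       # slot -> deque of (arrival_ms, label)
        self.order = deque()   # backlogged slots in round-robin order
        self.above_since = {}  # slot -> time its sojourn first exceeded target (CoDel state)
    def enqueue(self, tup, now, label):
        slot = flow_slot(*tup, flows=self.flows)
        q = self.queues.setdefault(slot, deque())
        if not q:
            self.order.append(slot)
        q.append((now, label))
    def dequeue(self, now):
        # Serve one packet: returns (label, sojourn_ms, marked), or None when idle.
        if not self.order:
            return None
        slot = self.order.popleft()
        arrival, label = self.queues[slot].popleft()
        if self.queues[slot]:
            self.order.append(slot)           # still backlogged: back of the rotation
        sojourn = now - arrival
        if sojourn < self.target:
            self.above_since.pop(slot, None)  # drained below target: reset CoDel state
            return label, sojourn, False
        first = self.above_since.setdefault(slot, now)
        # Mark once above target for a whole interval (real CoDel then drops at an increasing rate).
        return label, sojourn, (now - first) >= self.interval

BULK = ("10.0.0.5", "203.0.113.9", 51000, 443, 6)      # constructed TCP download
VOIP = ("10.0.0.7", "198.51.100.2", 16384, 16384, 17)  # constructed UDP RTP stream
def demo(flows=1024):
    # 30 bulk packets at t=0, one VoIP packet every 4 ms, link drains 1 packet/ms for 40 ms.
    sim = FqCodelSim(flows=flows, target_ms=5.0, interval_ms=20.0)  # interval shortened
    worst, marked = {"bulk": 0.0, "voip": 0.0}, {"bulk": 0, "voip": 0}
    for _ in range(30):
        sim.enqueue(BULK, 0.0, "bulk")
    for t in range(40):
        if t % 4 == 0:
            sim.enqueue(VOIP, float(t), "voip")
        label, sojourn, mark = sim.dequeue(float(t))  # link never idles in this window
        worst[label] = max(worst[label], sojourn)
        marked[label] += mark
    return worst, marked
```

With separate slots the VoIP packets wait at most 1 ms behind the 30-packet bulk backlog and only bulk packets get marked; with both flows forced into one slot the VoIP packets inherit the bulk queue's 30 ms delay and get marked along with it.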

#8
General Discussion / Re: Port OPNsense to Linux?
Last post by meyergru - Today at 09:39:05 AM
Quote from: nero355 on April 02, 2026, 05:15:44 PM
There is soo much already out there, so what do you need exactly that they can not offer?!

They could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one.

That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.

It is very hard to down-size an existing appliance like OPNsense that has grown over the years and adopted many tools and plugins. The decline of FreeBSD poses a chance to start from scratch, with a specific clientele in mind.

What the Fritzbox does is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like AdGuard Home or Pi-hole.

While IPfire and other Linux-based firewalls may have the correct feature set, they suck even more on the "complexity" side for such users than OPNsense.

P.S.: To be clear: I like OPNsense for what it is. But, as I have often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer. There are more of those these days with IoT and homelabbing. Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OPNsense does not offer.

So, this is a growing market that is met by neither Fritzboxes, IPfire, OpenWRT, OPNsense nor any of the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.
#9
26.1 Series / Re: Source NAT vs Outbound ?
Last post by alex402 - Today at 08:35:10 AM
Dear Franco,

I noticed that the invert exclamation mark is not showing in the destination address in Source NAT.

I apologize if this has already been discussed. If not, this needs to be fixed in future releases.

I use version 26.1.5.

Thank you for your work.
#10
German - Deutsch / Re: OPNsense mit Caddy, VLans ...
Last post by spooner.arthur - Today at 06:37:16 AM
Ah, one more note:
all servers / services run on a single Proxmox host