Few Questions for a temp Install

[dpsguard]

Hi All,

First off, thanks to community and developers for this awesome product. Just discovered it last night. I will for sure make good donations over the weekend.

I plan to setup a temp (for just one weekend) installation in near future for a community event, wherein there could be close to 2000 users. School where this will happen, has a 2.5Gbps internet connection and we will be able to utilize that connection outside their firewall and hence outside their network. We have two Supermicro servers with 12GB of RAM and 3GHz quad Core Xenon CPUs. These servers also have 2 port 10Gig card in addition to 2x1G ports. I already installed latest OS on one box last night and tested the basics of it. I will actually set up an HA with two boxes utilizing CARP using one of the Gig port on each box, while one 10G will be used for WAN and second 10G will be used for LAN. second 1G I will use for management. This way all Guest traffic goes over 10G LAN. I will have suitable firewall rules to isolate Guest traffic from management access.

I also tested quickly captive portal by downloading the template and making minor changes in HTML for a simple terms acceptance click thru button. All looks good.

Questions I have and need some help from members please:

1. Can I assume that supermicro configuration I have is good enough? I believe so but will like to have thoughts from others. I will also not have any port forwardings or IDS / IPS or other security items to slow down the CPU or consume memory. Just a NAT outgoing.

2. Does OPNsense OS has limitations or optimizations needed to ensure that a large number of simultaneously connecting users can get the splash page served? I can expect up to 100 users trying to connect at the same time as they come in to the wi-fi coverage of the area. A webserver should not have issues in serving this small number of Requests per second, but there could be other issues. If there are any tunable items, please advise.

3. Any recommended or sample code for screen size responsive page for Logo picture and text please?

Thank you and keep doing great work.

[franco]

Hi and welcome

1. Looks ok at first glance.

2. I'm not aware of anything that needs to be tuned out of the box to make it work. Of course the workload for you is likely unique so a bit unpredictable if issues arise. That is generally speaking, not serving the captive portal login page.

3. Have to pass on this one.


Cheers,
Franco

[dpsguard]

Thank you so much Franco for looking into this and your advice. I will figure out on the captive portal with some minor HTML changes to the default template.

With no CPU or memory intensive features turned on, the boxes should be good and hopefully captive portal splash page will also not be an issue.

I guess last question I could have is on the best recommended OS version. Is 23.1 golden image for now?

[franco]

Only the last one is supported as in receiving actual updates. You could use the latest 22.7.x for "extra" stability at the price of no minor updates and some security issues (CVE-wise) but there are deployments where this is acceptable/managable.

There is also a business edition which is a bit more conservative than 23.1.x but largely the same and up-to-date security-wise.


Cheers,
Franco

[dpsguard]

Thanks again Franco for your great support. I will pitch in some donations over the weekend for the project and then more later when I actually use it (it will be short time community use, but great product to learn and also use at home).

[franco]

Thanks, highly appreciated. Let us know how it went.


Cheers,
Franco

[dpsguard]

Hi Franco,

Just donated CAD100 for now. Will donate some more in near future when I will get chance to use the product. And then will donate once in a while as I start using it for my home projects etc.

I had a splash page for some other product for Guest Wi-Fi that is responsive to screen size. I simply uploaded that into the OPNsense firewall and it was served to the connecting device. But of course the script that was on the splash page form other product (and it was all a small / single file with any scripts / CSS all in one), does not trigger the action that we needed for OPNsense to recognize the click on the Sign in button. I have very limited HTML or styling or scripting knowledge, but I could see from default template page of OPNsense, when I use inspector tool on the page that it points to a script file that is contained in the template bundle. I need to somehow copy that script into the HTML template from other product that works thru OPNSense. I just need to have the action triggered. Any document that can help me with that please?

Thanks

[dpsguard]

Hi @franco,

Hope you are doing well. While I still have not much luck with the nicer portal page, other than using default template and uploading a logo and adding some text for terms of service. I will like to change the color of the button, but unable to find where exactly that needs to be done. If you can please advise, that will be helpful.

Meanwhile with Qty 2 of low depth SuperMicro server with 10Gig 2 port card, I have setup a cluster of two for HA and that works great. Kept 10G LAN port without any VLANs, so it is meant for Guests only. I had 2 x 1G ports on the box, I used one for pfsync between the boxes and second as management port on a separate subnet. This way, this port can be used to login with suitable ruleset to allow access, and Guest port disabled for management access (with rule not allowing access to firewall as destination). Also changed GUI and SSH ports to some very high port numbers.

I had unexpected TLS clientHello noise filling up VGA console an I was afraid that will impact performance, so I changed it to serial console under settings / administration and these messages then don't go to serial console.

I also edited the file /var/etc/lighttpd-cp.zone-0.conf to server.max-worker =4 and uncommented the lines for server.max-fds and server.max-connections and splash page them is prompt to be services to devices (testing it all in lab).

Under Interfaces / settings / advanced, unchecked all offload boxes to allow NIC offloading.

Under System / settings / Misc,  Swap file, added 2GB (I have 12GB RAM)

Also under Misc, Power savings, I have Use PowerD enabled with on AC , set to Maximum. Hardware acceleration is default None (no VPN use here). 

Under Firewall / settings/advanced, increased firewall maximum states to double. Default is calculated at 100K per GB of RAM.

For HA, I am running CARP on 10G WAN and 10G LAN interfaces.

I think I asked earlier on another post / thread, but I did not hear back. Is one Business license permitted for an HA setup, especially when only one box will be active? With short duration use case, I don't have budget to buy two licenses. I already donated CAD $100 and will donate another $200 when it all works fine, so will like to stick with community edition if 23.1 is good enough. And I will then also donate an extra $100 for the project later when I will setup opnsense firewall at home. Today I am using TPlink ER7206.

Thanks