Topic: Best practice for giving local staff a router status page (Read 486 times)
OmnomBánhmì (Newbie, Posts: 20, Karma: 2)
Best practice for giving local staff a router status page
« on: March 22, 2024, 04:53:55 pm »
So with a handful of branch offices, on each site's OPNsense router we have a locked down user role that enables local staff to check things like failover status, WAN details and such. Read only for configuration, few menu items, and with "reboot" enabled among very few action options.
Now the Effective Privileges don't seem to exclude, or I haven't found or understood it, a way to lock down this user, dashboard-wise. So, occasionally I find widgets changed or content added. Trying not to be paranoid, but if users can upload their own animated GIF file to the Pictures widget... cat memes or not, I won't think that is a good idea and plan to change this setup. So I'll no longer be holding it wrong.
If you have a similar model, enabling local staff to interact with OPNsense, how do you do a (mostly read-only) status page?
johnmcallister (Newbie, Posts: 41, Karma: 5)
Re: Best practice for giving local staff a router status page
« Reply #1 on: March 23, 2024, 01:03:54 am »
If I had to publish a read-only status page for a router or other security-sensitive device on a LAN, I would not expose any part of the actual device's web interface to end users.
I'd write a script running on a bastion host or similarly-purposed separate device to collect the router's status info using curl or perhaps even an API call to the router, & then reformat & republish the collected info on a separate web server. (Not hosted on the router itself.)
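Added example, not part of johnmcallister's reply and not OPNsense code: a sketch of the republishing step from the reply above, run on the separate host. It keeps only allow-listed fields from the collected JSON, HTML-escapes them and writes a static page atomically. The JSON shape, field names and sample values are constructed assumptions, and the authenticated fetch from the router is not shown.

```python
import html
import json
import os
import tempfile

# Constructed sample of collected status JSON (assumed shape, not captured from a router).
SAMPLE_RESPONSE = json.dumps({"items": [
    {"name": "WAN_FIBER", "address": "203.0.113.1", "status_translated": "Online",
     "loss": "0.0 %", "delay": "4.2 ms"},
    # A hostile or corrupted value must never reach the browser unescaped.
    {"name": "WAN_LTE", "address": "198.51.100.1",
     "status_translated": "<script>alert(1)</script>", "loss": "100 %"},
]})

# Only these fields are republished; addresses and anything else are dropped.
ALLOWED_FIELDS = ("name", "status_translated", "loss", "delay")


def extract_rows(raw_json):
    """Reduce the collected JSON to allow-listed, length-capped string fields."""
    rows = []
    for item in json.loads(raw_json).get("items", []):
        if isinstance(item, dict):
            rows.append({k: str(item.get(k, "n/a"))[:64] for k in ALLOWED_FIELDS})
    return rows


def render_page(rows, collected_at):
    """Build a static HTML table; every value is escaped before insertion."""
    head = "".join(f"<th>{html.escape(f)}</th>" for f in ALLOWED_FIELDS)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(r[f])}</td>" for f in ALLOWED_FIELDS) + "</tr>"
        for r in rows)
    return ("<!doctype html><meta charset='utf-8'><title>Router status</title>"
            f"<p>Collected {html.escape(collected_at)}</p>"
            f"<table><tr>{head}</tr>{body}</table>")


def publish(page, path):
    """Write to a temp file, then rename, so a half-written page is never served."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(page)
    os.chmod(tmp, 0o644)  # world-readable for the web server, writable only by the collector
    os.replace(tmp, path)


if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "status.html")
    publish(render_page(extract_rows(SAMPLE_RESPONSE), "2024-03-23 01:00"), out)
    print("wrote", out)
```

With this layout the router credentials stay on the collecting host, and staff browsers only ever receive the static file.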