Central management

[Tech By Andrew]

I'm a small MSP with alot of smaller clients that do not have static IP addresses. I use unifi for wireless but have been using pfsense for firewalls and just now checking out Opnsense. The issue I run into with pfsense is the lack of central management like unifi has. My customers often have static IP addresses and I am often in different locations and different IP's as well. Is there or are there any plans for a centralized management system for Opnsense, either cloud hosted or self hosted would be fine.

[Gauss23]

Based on what I’ve seen there is no such feature planned. There is an API which can be used for a limited set of features.

Why don’t you have VPN tunnels (either roadwarrior or site2site from your office) to your clients?
Most of the time I even open the WebGui on the WAN side for 2-3 static ip-addresses in case there is something wrong with the VPN access.

[mimugmail]

There's a central management withing Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/

Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/

Both only offer an overview which firewall is connected, a button to jump on UI and central upgrade management.

Since franco is now employed by Deciso I believe the business edition may get more features soon.

[Patrick M. Hausen]

The Deciso offer is a steal for any commercial use. I will definitely buy this once we start migrating from Sidewinder to OPNsense for real. Thanks for the pointer.

[Gauss23]

There's a central management withing Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/

Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/

Both only offer an overview which firewall is connected, a button to jump on UI and central upgrade management.

Since franco is now employed by Deciso I believe the business edition may get more features soon.

Thank you @mimugmail.

Interesting. Are those tools self-hosted or cloud-based? Getting the status of all firewalls will be an API call, I think. But how is the connection to the WebGui made?

P.S.: just ordered the Deciso OPNsense Business Edition.

[franco]

It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.


Cheers,
Franco

[Gauss23]

It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.


Cheers,
Franco

Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?

[SimpleRezo]

We are managing more than 50+ OPNsense here, all around the world

So we have developped:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNSense is provisionned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / slack : gateway status, services...
  - daily XML backuping

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

[franco]

Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?

Business edition for all managed devices.


Cheers,
Franco

[Tech By Andrew]

Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?

Business edition for all managed devices.


Cheers,
Franco

Just to clarify because I am not clear. If I have 5 OPNsense boxes I want to centrally managed. Do I need 5 Business licenses or 1 business license?

[franco]

5


Cheers,
Franco

[Tech By Andrew]

We are managing more than 50+ OPNsense here, all around the world

So we have developped:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNSense is provisionned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / slack : gateway status, services...
  - daily XML backuping

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

I would be interested in learning more about this. Sent you a PM

[KlausP]

How will be the communication between the centralized administration opnsense and the other opnsenses when I place a centralized device to internet?
Is there e.g. a cyclic polling of configuration possible or do I need a direct reachability from the central device to satelites or can I use a VPN wich is started from the satelite to the central instance?

[olest]

We are managing more than 50+ OPNsense here, all around the world

So we have developped:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNSense is provisionned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / slack : gateway status, services...
  - daily XML backuping

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

I have sent you a PM

[olest]

How will be the communication between the centralized administration opnsense and the other opnsenses when I place a centralized device to internet?
Is there e.g. a cyclic polling of configuration possible or do I need a direct reachability from the central device to satelites or can I use a VPN wich is started from the satelite to the central instance?

I need that information too.
Can central administration be done without a public ip at the clients?