Central management

Started by Tech By Andrew, January 19, 2021, 03:51:38 AM

I'm a small MSP with a lot of smaller clients that do not have static IP addresses. I use UniFi for wireless but have been using pfSense for firewalls and am just now checking out OPNsense. The issue I run into with pfSense is the lack of central management like UniFi has. My customers often have static IP addresses and I am often in different locations and on different IPs as well. Is there, or are there any plans for, a centralized management system for OPNsense? Either cloud hosted or self hosted would be fine.

Based on what I've seen there is no such feature planned. There is an API which can be used for a limited set of features.

Why don't you have VPN tunnels (either roadwarrior or site2site from your office) to your clients?
Most of the time I even open the WebGui on the WAN side for 2-3 static IP addresses in case there is something wrong with the VPN access.
"The S in IoT stands for Security!" :)

There's central management within the Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/

Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/

Both only offer an overview of which firewall is connected, a button to jump to the UI and central upgrade management.

Since franco is now employed by Deciso I believe the business edition may get more features soon.

The Deciso offer is a steal for any commercial use. I will definitely buy this once we start migrating from Sidewinder to OPNsense for real. Thanks for the pointer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

January 19, 2021, 09:56:07 AM #4 Last Edit: January 19, 2021, 10:01:03 AM by Gauss23
Quote from: mimugmail on January 19, 2021, 08:56:21 AM
There's central management within the Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/

Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/

Both only offer an overview of which firewall is connected, a button to jump to the UI and central upgrade management.

Since franco is now employed by Deciso I believe the business edition may get more features soon.

Thank you @mimugmail.

Interesting. Are those tools self-hosted or cloud-based? Getting the status of all firewalls will be an API call, I think. But how is the connection to the WebGui made?

P.S.: just ordered the Deciso OPNsense Business Edition.
"The S in IoT stands for Security!" :)

It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.


Cheers,
Franco

Quote from: franco on January 19, 2021, 09:59:53 AM
It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.


Cheers,
Franco

Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?
"The S in IoT stands for Security!" :)

We are managing more than 50+ OPNsense here, all around the world ;)

So we have developed:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNsense is provisioned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to a "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / Slack: gateway status, services...
  - daily XML backups

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!
Clément - SimpleRezo
RMM for OPNsense: https://srbox.simplerezo.com/

Quote from: Gauss23 on January 19, 2021, 10:05:51 AM
Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?

Business edition for all managed devices.


Cheers,
Franco

Quote from: franco on January 19, 2021, 12:34:59 PM
Quote from: Gauss23 on January 19, 2021, 10:05:51 AM
Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?

Business edition for all managed devices.


Cheers,
Franco

Just to clarify, because I am not clear: if I have 5 OPNsense boxes I want to centrally manage, do I need 5 Business licenses or 1 Business license?


Quote from: SimpleRezo on January 19, 2021, 11:18:55 AM
We are managing more than 50+ OPNsense here, all around the world ;)

So we have developed:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNsense is provisioned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to a "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / Slack: gateway status, services...
  - daily XML backups

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

I would be interested in learning more about this. Sent you a PM

How will the communication between the centralized administration OPNsense and the other OPNsense boxes work when I place a centralized device on the internet?
Is there e.g. a cyclic polling of configuration possible, or do I need direct reachability from the central device to the satellites, or can I use a VPN which is started from the satellite to the central instance?

Quote from: SimpleRezo on January 19, 2021, 11:18:55 AM
We are managing more than 50+ OPNsense here, all around the world ;)

So we have developed:
  - a central management solution (cloud)
  - a plugin (with some API extensions)
  - a Zabbix template

So with this, OPNsense is provisioned from our CMS:
  - custom settings (hostname, dns, plugins...)
  - authentication
  - firewall rules
  - autossh service to a "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
  - full supervision by Zabbix (including running services)
  - configuration/status (DHCP leases) access directly from our CMS
  - remote upgrade, with scheduling
  - alerts by email / Slack: gateway status, services...
  - daily XML backups

This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!

I have sent you a PM

Quote from: KlausP on January 26, 2021, 09:28:15 AM
How will the communication between the centralized administration OPNsense and the other OPNsense boxes work when I place a centralized device on the internet?
Is there e.g. a cyclic polling of configuration possible, or do I need direct reachability from the central device to the satellites, or can I use a VPN which is started from the satellite to the central instance?

I need that information too.
Can central administration be done without a public IP at the clients?