Idea(s) for the road map

[AdSchellevis]

@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).

Nice! Any chance this could be made port/application agnostic and configurable via the web interface? It could then be used for slowing down brute force attempts of any network facing services.

Not very likely, it monitors logs (using syslog) just like fail2ban does and triggers on messages but isn't pluggable like fail2ban is (it does the job and is lightweight).
In most situations the services/applications you would like to protect don't run on the firewall itself, which requires a fail2ban like solution on the machine behind the firewall if you want to protect for failed login attempts.

[AdSchellevis]

Add RADIUS support for IPsec authentication and accounting.

Currently IPsec supports just PSK and RSA, since we currently already support adding external RADIUS servers, let strongSwan forward authentication and accounting traffic to the same RADIUS server if selected.
FreeRADIUS and Microsoft NPS are tested as working by strongSwan and shouldn't be too much effort to integrate.

This would require strongswan be compiled with '--enable-eap-radius'. Specify the RADIUS server IP + auth and accounting port in '/usr/local/etc/strongswan.d/eap-radius.conf' and set 'rightauth=eap-radius'.

strongSwan also supports DAE with RADIUS.
'The Dynamic Authorization Extension allows a RADIUS backend to actively terminate a session using a Disconnect-Request, or change the timeout of a session using a Session-Timeout attribute in a CoA-Request. The extension is enabled using a dae section in the eap-radius configuration.'

See https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius

Our solution for RADIUS is different, because the authenticator in our setup doesn't have to know the technology behind it. This makes it harder to plugin specific features of a provider (like RADIUS accounting).
At the moment we use a custom patch (https://github.com/opnsense/ports/blob/4eab82ac4d2939d092e8e83dd80c69714e7220a7/security/strongswan/files/patch-src_libcharon_plugins_xauth__generic_xauth__generic.c) to support this, eventually we plan to switch to pam

We'll keep the issue on GitHub open, you never know if someone has a good implementation idea and time to work on it. Given our limited time, it won't be realistic to put it on our roadmap.

[reep]

Ipsec rsasigkey

Probably not as good as certs but much easier to implement/manage. Better than PSK.

[fabian]

The road map is now online: https://opnsense.org/about/road-map/

[cdburgess75]

Mind blown,  wow

[tm.shyam]

Just started using OPNsense and looks awesome.

If we have following features would be nice..

Proxy report :  should be able to view internet usage reports user and group wise, total download, upload, policy violation attempts, and drill down reports where you can see each and every websites that has been accessed by particular users. PFSense has package "lightsquid" for reporting.

Command line console: web based command line console to access and perform usual functions (ping/telnet/ssh/etc)

MTR :

Multiping: ping multiple nodes at the same time to analyze L2 and L3.

[SOUK]

I'd like to see some substantially improved Wi-Fi driver and chipset support for all of the newer vastly improved M.2, PCI-E and USB3 Wi-Fi devices out there. 

The current WI-FI support and development on both Opensense and Pfsense is atrocious really with regards to Wi-Fi.  All you ever hear is buy a stand-alone access point; same old, same old..

It's like we've been living in the stone ages whilst technology has been evolving a million miles an hour.  Mean while even the cheapest routers out there are rocking far superior tech where Wi-Fi performance is concerned, so how about jump in on that action?   

Best place to start Dev is with the M.2 2230 Intel Dual Band Wireless AC 8260 so I can stop moaning. lol

[franco]

Hi SOUK,

This is a fun topic.

From a full perspective it sucks and I agree. There are, however, multiple sides to this story:

1. BSDs have fragmented goals. FreeBSD focus clearly is enterprise storage. It's fast, shiny, but in terms of embedded hardware support including WiFi is not very good. NetBSD has the embedded hardware parts. OpenBSDis the network routing champion. All of them have the issue of newer hardware taking longer to integrate than Linux. None of them have the combined strength of the Linux kernel that is shared with the whole Linux community.

2. For *sense and other products it's not a core focus per se. Can try to be better than FreeBSD, but only to a limited amount, mainly for the hardware that is sold by the respective vendor and you have the typical appliance type business model. The appliance support is topped up, but only for the hardware at hand.

3. It requires at least a paid kernel driver hacker to get anywhere. We do not have this in OPNsense.

What we really need is multiple vendor interested in selling WiFi hardware (2) coupled with FreeBSD, who can do the work (3) to make the kernel better. We as OPNsense can carry patches as a staging environment for FreeBSD, ship these changes way faster than FreeBSD could, reaching the vendor's users in no time.

FWIW, FreeBSD 11.0 is around the corner for us, maybe that will help with the general state of WiFi hardware support a bit.


Cheers,
Franco

[Zeitkind]

- Asterisk / VoIP / SIP gateway in GUI or as a good addon
ISDN is dying and providers and telefone companies switch all to VoIP solutions. Many router companies like AVM, Lancom, Vigor, Zyxel already have some VoIP capable solution but lack so many other things that many users now have a firewall like OPNsense, Sophos etc. in front and another router behind for their VoIP stuff. Would be nice to see a single OPNsense solution.
- Should be able to do SIP-Trunkung

[tillsense]

@zeitkind

- Asterisk / VoIP / SIP gateway in GUI or as a good addon

yeah and this strong with second pppoe dial in for voice! 

[ryuken]

hello,
i started to use opnsense some weeks ago and i appreciate the web interface and your development approach very much.
i think that the best improvement could be a new policy editor that can create rules with multi source, destination ip and ports.
Using aliases and nested aliases does the job but it is very inconvenient. Recently i also noted that sophos and endian has implemented this kind of feature.
If opnsense had a policy editor like this i think that could compete better with other commercial solutions.

[fabian]

Hi ryuken,

this does already exist - it is a port alias

[ryuken]

Hi fabian,
i know that aliases can be used but rules are created/edited always with only one entry (for source, destination and ports) with alias or not.
My suggestion was related to the possibiliy to add multiple entries without using aliases (like commercial firewalls).