OPNsense 23.1.11 released (forum.opnsense.org)
system: add RADIUS authentication support for MSCHAPv2 using Crypt_CHAP_MSv2()...
winterschon, "login shell for this non-admin user is not active for security reasons."
Congrats on breaking all of my staging bastions w/the 24.x upgrade!
The excuse, "it is what it is" from Franco: https://forum.opnsense.org/index.php?topic=38665.0 :blobfoxangrylaugh:
Bastions restricting SSH to only allow non-{root/admin} users is proper security, yet Franco thinks only root level accounts should get SSH? 🙄
Goodbye #OPNsense. Migrating bastions to a custom BSD-RP image w/ proper security
tux, Your opinion is wanted:
Rough network layout as follows:
VF cable modem --> FritzBox (Internet telephony) --> OPNsense --> LAN and DMZ
Question:
Register the #OPNSense as the exposed host in the #FritzBox, or rather define individual port forwards to the OPNSense, on which the same forwards then exist for the respective target hosts? I'm undecided whether the exposed host on the FritzBox brings any drawbacks. On the one hand, behind it I have the OPNSense as the #Firewall that regulates the rest of the network traffic.
What do you think?
#followerpower #FragDieFediverse #askfedi @askfedi_de #exposedhost
JeGr, @tux @askfedi_de One often reads the opposite in forums or blogs: "blah blah, but double NAT is evil, so just disable NAT on *sense, the Fritz does that anyway." Well, fine. And then all devices are in the Fritz's Home View. With an ISP-provided box, in the worst case the ISP can inspect all the local devices on the Fritz. Eh, no. Nope. Never.
Hence a clean exposed host -> everything goes to *sense -> filter there, where the filter is actually worth the name. With an exposed host there's no big double-NAT problem either.
tux, Thanks @JeGr for the detailed info. 👍
jan, I'm just going straight for good luck with #opnsense
thomas, I would like to get a notification email when my OpnSense firewall registers too much traffic (current bandwidth or total traffic per month).
Are there any plugins to implement such a traffic warning?
unixtippse, @thomas Do you happen to use OPNsense with dual WAN? I'm kind of on the verge of jumping ship from my hand-rolled Linux policy NAT with umpteen scripts.
thomas, @unixtippse No, single WAN only.
motoridersd, Oh looks like the #OPNSense integration for #HomeAssistant finally got an update to fix what broke with OPNsense 24.1
James, @motoridersd I love seeing all of the Home Assistant integrations people are using that had never even crossed my mind. While I'm not using opnsense, it looks like someone has made a custom pfsense integration too!
adds to growing list of integrations I need to set up
simon, If anyone is looking and in the UK, someone on #ebay is selling #HP #T730 thin client computers for a decent price. Need storage. I've bought a couple and I'm planning to turn one into an #opnsense router. https://www.ebay.co.uk/itm/196104490290
botvolution, @simon
hmm yes you might be right, I skimmed it a bit quickly.
simon, @mxtthxw @botvolution These turned up today and they're 8GB RAM. No storage as described but they take a standard length M.2 SSD so I've ordered a couple of 256GB ones. Some reviews suggest they were locked but I've booted them with a USB and they run that OK.
rince, Unfortunately the switch (TL-SG3424V2) only supports outdated crypto algorithms, even at the SSH level. That's a pity, and I can't find any firmware newer than one from 2015. And I don't see buying a new switch for that reason alone... (no, the switches aren't reachable from the Internet ;)
globalc, @rince For browser access that could perhaps be solved with proxy software..
hrw, #OPNsense is based on #FreeBSD. Which means my router (with 4 #igb cards) is hit by https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203856 bug.
Went with suggestions from 11th comment there:
net.isr.numthreads: 4
net.isr.maxthreads: 4
net.isr.dispatch: deferred
And it is no longer 300/300 like it was 2 years ago when I last tried. It is 470/300 now. The problem is that the link is 1000/300 :(
Going back to #OpenWRT.
Slowly thinking of running Debian or Fedora on my router (again).
hrw, @feld Yep, hardware limit as card knows how to handle standard TCP/IP packages but not much else.
Will check tomorrow after rebooting to OpenWRT.
philpem, Either I'm an idiot or #OPNsense (and #PFsense too?) can't filter devices into DHCP pools based on their DHCP vendorclass.
That's annoying if true, because it'll make it pretty hard to use for the IP Phone VLAN.
Someone please prove me wrong... I like just about everything else about it, including being able to use it as an nginx reverse-proxy.
Tvorsk, @philpem @ret Ahh, the joys of open source project documentation.
The x86 page seems to have most examples tied into the 2019 stable release.
Starting from 2022 there's the "new better" sysupgrade and the examples on the page are literally taken from x86... though maybe that's just because it was safer to grab them off a VM, rather than because it now works better.
https://openwrt.org/docs/guide-user/installation/attended.sysupgrade
andreab, Installing #opnsense
andreab, @hl Still, I managed to bring my network up in 30 minutes, including ACLs migration, routing reconfiguration, port-channel to the switch, GeoIP blocking, SSH cert authentication and so on.
hl, @andreab That's cool. I don't really understand much about networking and firewalls, and will only dipping my toes in. Mostly I want a Pi-Hole like DNS sinkhole for ads, and to figure out a way that my young kids can start using some internet enabled devices, but make sure they stay safe.
ipsi, Here's something that I've been having a bit of trouble googling an answer for:
My #OpnSense Firewall is protected with HTTPS & a self-signed certificate (or maybe LE). Viewing it on my phone, it shows a page saying it's not trusted and giving me the option to continue anyway, as usual and all is good. On my #iPad, on the other hand, the page title is "This connection is not private" but the page is completely blank...
linuxnews, Why #OPNsense will soon no longer be a good choice (as a company). More on that here 👉🏻 https://linuxnews.de/verschlimmbessertes-vpn-ein-wort-der-warnung-zu-opnsense-deciso/
nblr, @adorfer @linuxnews Yes. The same dumb, arrogant self-assurance as in the linked tweets. Categorically declaring the other party of unsound mind first, instead of considering the possibility that one might be wrong oneself. Unnecessary. Their hardware is definitely interesting.
Tekchip, I tried #opnsense way back shortly after it came out and it was rough. I have been hearing good things about it lately though.
I'm just not sure I can bring myself to do the work to take down the network for some time, re-install opnsense, then try to re-create my configuration.
Is there some easy way to migrate? A backup converter or something I could just restore to opnsense?
Tekchip, @rune this is good to hear. I know I need to do it just trying to work out the best way how. I've got a bunch of funky configs to force ad blocking (damned Roku TVs), traffic shaping etc that sound like they might be a pain.
rune, @Tekchip
If I recall correctly, there is some minor feature loss between pf and OPN, nothing that impacted me. I redirect all outbound 53 tcp/udp to my adguard via a NAT rule, it's fairly clean.
All the UI and menus are a bit different, so it's a bit hard on the muscle memory, but I like the OPNsense UI a bit better in the end.
Traffic shaping is still just as obtuse as pf.
I've done a couple updates without issue.
benbe, And once again looked at code and immediately had to report a security issue … #OPNsense
swetland, Anyone out there using opnsense as a firewall/router with failover between two different WAN networks setup?
No matter what I do (using gateway groups or default gateways and priorities) it is round-robin-ing between AT&T and Comcast when they're both up. Baffling.
5am, #OPNsense has now become a prized part of my home network and probably my favourite discovery of the last few years. #Firewall + #Unbound #DNS + DNS filtering + #IDPS + VLANs, it all runs great on a repurposed x86 box, and the many hours of tinkering have been valuable learning experiences.
#networking #cybersecurity
Widowild1, OPNsense: Block malicious IPs https://slash-root.fr/opnsense-block-malicious-ips/ #blocklist #firewall #opnsense #parefeu