opnsense / core Goto Github PK

scripting uses su to start and stop service, but that does not work in our current setup as su gets served with a menu screen..

PS! I've tested this set up on pfSense, and it works there. I've tested with the same config file.

I've tried to set up a VLAN on the WAN interface to use as an admin interface. I have a fixed IP on the VLAN, and have added firewall rules for remote admin on that interface. The VLAN is tagged on the switch port. Also tried with trunking. This firewall is behind a FortiGate firewall, where the VLAN is defined.
I've uploaded a test config file, which I haven't actually tested yet, but it's a similar setup as the one I had problems with.
https://dl.dropboxusercontent.com/u/4412405/config-OPNsense.localdomain-20150220000819-VLAN-problems.xml
PS! There is, of course, no DHCP server set up on this VLAN.

For IPsec some option are listed that are not valid in current setup.
Remove: AES-GCM until tested and functional
Change: IKE, charon supports setting to ike or ikev2 IKE supports both IKEv2 and IKEv1 according to documentation. Option needs to be auto or ikev2 not ikev1.

Old code prevent sorting, needs cleanup and conversion to bootstrap/jquery

While trying to connect to an IPSec-server via OS X's built in VPN client these errors occur:
Feb 11 20:55:47 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)
Feb 11 20:55:47 charon: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Feb 11 20:55:44 charon: 03[NET] received unsupported IKE version 1.0 from [client-ip], sending INVALID_MAJOR_VERSION
Feb 11 20:55:44 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)
Feb 11 20:55:44 charon: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Feb 11 20:55:41 charon: 03[NET] received unsupported IKE version 1.0 from [client-ip], sending INVALID_MAJOR_VERSION
Feb 11 20:55:41 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)

While this may not be the most-requested feature, I'd like to start this discussion early while OPNsense source code is still being refactored.

I'd like to see unattended installations of OPNsense. I've created a rather hackish proof-of-concept for pfSense some time ago, which integrates nicely with Foreman:

• https://github.com/fraenki/foreman-pfsense
• https://forum.pfsense.org/index.php?topic=81267.0
• https://www.youtube.com/watch?v=iqIR0pjkdRc

This is based on the approach Foreman takes to do unattended installations of FreeBSD (10.x):

• http://projects.theforeman.org/projects/foreman/wiki/FreeBSD

Of course, I'd love to see a native solution in OPNsense similar to kickstart (RedHat) or preseed (Debian). Maybe it's possible to use FreeBSD's native tools.

this revolves around the initial apinger setup. via @TimelessP (Twitter)

Just noticed that while checking OpenVPN in the status pages, it says Network Time Protocol Status instead.

Just FYI!

thank you!

The initial wizard sets WAN to static but fils static ip with dhcp, this is not wanted. Set default to dhcp and leave ip blank.

see https://forum.pfsense.org/index.php?topic=86146.0 via @deZillium (twitter)

system_routes.php needs code cleanup at least for icons.

Every time I uncheck 'Disable password login for Secure Shell' on the advanced admin config page and click on the save button the next time (after more than 20 seconds) I change an option on this site and press save the following message appears:

Fatal error: Cannot unset string offsets in /usr/local/www/system_advanced_admin.php on line 189

If I reselect this SSH-option again the site works as expected.

Everyone should always prefer ssh-keys so I think this is a bug and a feature at the same time ;)

We have pulled in openssh-protable from ports, which works. :) Next step is WITHOUT_OPENSSH=1 in base so that we end up with different types of systems for different versions. To make the switch easier, refactor and rewrite the launcher to cope with both types and to make it easier to maintain in the future.

Add support for AES-GCM and reintroduce it to the GUI, also see #11.

Also interesting for factory reset. We should prompt for a new password in those cases via @TimelessP (twitter)

The tabs for static routes and gateway groups are missing.

Hello,
could you please tell me what is the OPNsense® pfSense® features, functionalities comparison?
Does OPNsense® has more features then pfSense® and why should I use opnsense instead of pfsense???

regards, Heather

When opening the 'Services: UPnP & NAT-PMP ' page the menu auto-colapses
http://i.imgur.com/iazrHdr.png

Is IPv6 currently working on OPNSense? I have my WAN set w/DHCP6, but I don't see it running.

When trying to start it manually, I found /var/etc/dhcp6c_wan.conf references /var/etc/dhcp6c_wan_script.sh which tries to start /usr/local/etc/rc.newwanipv6 via fcgicli

Related to https://redmine.pfsense.org/issues/4403

If anybody has a crash report I'd be delighted.

http://duckdns.org/

via https://forum.opnsense.org/index.php?topic=62

With em0 and em1 present the config currently skips interface assignment. Want to deploy a better way of doing that consistently. Also, initial IP assignment is missing. Workarounds like the LiveCD exist, but are a little too inconvenient on first glance. via @TimelessP (twitter)

When changing WAN interface to a static IPv4 WAN and apply a default gateway then no default route is created.

remove unused javascripts and includes in gui code

Would be great if the user clicks "Test SMTP" (System:Advanced:Notifications) get a response if the test was successful. Goes to the log file instead.

When running pkg upgrades from System->Firmware the packages will be updates without problems. Unfortunately the OPNsense appliance does not refresh the update list and keeps telling me that an update is available (actually the same update as before: pkg 1.4.3 -> 1.4.4).

Maybe OPNsense should clear the update list if the pkg upgrade completed successfully.

System: fresh install of OPNsense 15.1 amd64

I think it would greatly ease migration to OPNsense if it would be possible to import a pfSense configuration. I don't care for the RRDs, but only the configuration.

This would make it easier for people to test OPNsense with their real-world configuration and possibly attract more people to try OPNsense.

Maybe this should be implemented alongside the OPNsense config backup/import feature (to allow OPNsense to diverge more from pfSense over time). Well, I guess it would be OK to support only the stable version of pfSense (not every old release).

Code in question has probably been broken for quite a while... via @TimelessP (twitter)

If I try to use SVG images in the portal page file as a CSS background image, the SVG file isn't displayed. E.g. this example CSS doesn't work:
input.auth_user {
background-image: url(captiveportal-user-icon.svg);
}
To fix this I had to edit this file:
/usr/local/etc/inc/system.inc
And add this to the mimetype.assign var:
".svg" => "image/svg+xml",
after doing this the SVG images are shown.
(PS! the same bug also exists in pfSense)

OpenVPN user authentication fails due to /usr/local/sbin/ovpn_auth_verify trying to execute php scripts using fcgicli.

I've noticed that filterlog will occasionally flood the console with block messages:

Is this intended or a defect? This seems to occur shortly after and during system boot and possibly after configuration changes.

@c0urier writes in to ask if this could be achieved. Will do the research in any case. If anybody has any thoughts on this, please comment.

Captive portal problems:
PS! I've tested the same config file on pfSense, and everything is working under pfSense.
For this test I have used the IP 192.168.2.105 for the WAN and the IP 10.13.37.1 for the LAN

I have activated the captive portal on the LAN interface, with local user and voucher authentication.

• Captive portal doesn't work at all. All clients gets connected to the internet, without the captive portal showing up. If I manually try to enter http://10.13.37.1:8002/?redirurl=http://example.com the portal page is shown as usual, and redirects correctly after a successful login.
• Unable to upload custom "Portal page contents". If I select a file with "Browse" and click "Save", the changes aren't saved.
• I tried chaning the "Portal page contents" by editing the config file, with the ... generated by a pfSense install, so now I see a custom page. But still unable to reupload a new file.
• The link for the "View current page" in the "Portal pages contents" area is wrong, the port number is 2 instead of 8002, like this:
  http://192.168.2.105:2/ instead of this http://192.168.2.105:8002/
  A copy of the test config file is located here:
  https://dl.dropboxusercontent.com/u/4412405/config-OPNsense.localdomain-20150219230819.xml

PS! I've tested this on OPNsense 15.1.5 and pfSense 2.2.

Implement proxy feature into OPNsense

In console menu option 12 Upgrade from console is not working.

The general idea implemented previously is okay, but inconsistent. /conf may be a symlink, although /cf should really have a complete directory mirror, so each time we want to write we force the prefix /cf and be done with it. Might also involve renaming /cf to /rw for clarity. This approach works for normal installations, too. No reason to have an if else mess in the code. Feedback welcome! :)

Softcoding is generally a good idea, except when system paths must be static as in the case of most of the ports (/usr/local). Sometimes the path is parsed by shell scripts using crude hacks. Sometimes the softcoding is not consistent. Most of the time it's harder to find softcoded paths. Discuss!

Rework and add alias popups in several gui pages.

I am trying to use outbound nat, but the firewall seems to be ignoring my rule.

On m0n0wall, an unchecked WAN option Block private Networks automatically adds a pass rule for WAN, while the default is having this item checked.

On the page services_dhcp_edit.php the copy my mac button does not work.

Create a base structure for using Phalcon as frontend for new components and integrate this with the current codebase. This gives us the opportunity to keep new components clean and provide a transition to a better codebase.

initial wizard - at the last screen the reload features does not redirect to right page or hangs.

One of the main goals for OPNsense is to create a cleaner codebase which is easier to maintain. This feature detaches frontend and backend for template generation and provides a cleaner approach for handling configuration files.
Rename check_reload_status.py to a more sensible name. (as it is the backend service for configuring the firewall)

I know that it was a common practice for ISC DHCP being used within other distributions to not allow static assignments within the DHCP pool, however, it defeats the purpose of allow said static assignments.

would like to request the removal of the restriction in the GUI and also update the wording in the GUI with the warning that it can cause issues blah blah blah, but allow us to assign static DHCP leases within the pool.

Thank you!

After adding a static route a toute change is applied, but in no route exists this does not work..

error
/system_routes.php: The command '/sbin/route change -inet

possible solution
delete route first, if any exists
re-add route

This way the route can always be added.

system_routes_edit.php needs some code cleanup and inline gateway table needs to be converted to bootstrap alternative.

I created some aliases and started creating Port Forward NAT-rules (Firewall->NAT) using said aliases. In the rules-list the alias gets prefixed with Array (ie. when I created a Port Forward NAT for my mailhost I see 'Arraymailports' as Dest. ports, 'Arraymailhost' as NAT IP, 'Arraymailports' as NAT Ports).

The rules auto-created in Firewall->Rules are not prefixed with Array.

via https://forum.opnsense.org/index.php?topic=55.msg154#msg154

system_gateway_groups_edit.php needs cleanup.

When the DNS forwarder service is active and you add a Host Override, it will ask you to reload. When performing a reload, the service is stopped and disabled.