opnsense / core
OPNsense GUI, API and systems backend
Home Page: https://opnsense.org/
License: BSD 2-Clause "Simplified" License
Scripting uses su to start and stop service, but that does not work in our current setup as su gets served with a menu screen.
PS! I've tested this set up on pfSense, and it works there. I've tested with the same config file.
I've tried to set up a VLAN on the WAN interface to use as an admin interface. I have a fixed IP on the VLAN, and have added firewall rules for remote admin on that interface. The VLAN is tagged on the switch port. Also tried with trunking. This firewall is behind a FortiGate firewall, where the VLAN is defined.
I've uploaded a test config file, which I haven't actually tested yet, but it's a similar setup as the one I had problems with.
https://dl.dropboxusercontent.com/u/4412405/config-OPNsense.localdomain-20150220000819-VLAN-problems.xml
PS! There is, of course, no DHCP server set up on this VLAN.
For IPsec some options are listed that are not valid in the current setup.
Remove: AES-GCM until tested and functional
Change: IKE, charon supports setting to ike or ikev2. IKE supports both IKEv2 and IKEv1 according to documentation. Option needs to be auto or ikev2, not ikev1.
Old code prevents sorting, needs cleanup and conversion to bootstrap/jquery
While trying to connect to an IPsec server via OS X's built-in VPN client these errors occur:
Feb 11 20:55:47 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)
Feb 11 20:55:47 charon: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Feb 11 20:55:44 charon: 03[NET] received unsupported IKE version 1.0 from [client-ip], sending INVALID_MAJOR_VERSION
Feb 11 20:55:44 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)
Feb 11 20:55:44 charon: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Feb 11 20:55:41 charon: 03[NET] received unsupported IKE version 1.0 from [client-ip], sending INVALID_MAJOR_VERSION
Feb 11 20:55:41 charon: 03[NET] sending packet: from [server-ip][500] to [client-ip][500](36 bytes)
While this may not be the most-requested feature, I'd like to start this discussion early while OPNsense source code is still being refactored.
I'd like to see unattended installations of OPNsense. I've created a rather hackish proof-of-concept for pfSense some time ago, which integrates nicely with Foreman:
This is based on the approach Foreman takes to do unattended installations of FreeBSD (10.x):
Of course, I'd love to see a native solution in OPNsense similar to kickstart (RedHat) or preseed (Debian). Maybe it's possible to use FreeBSD's native tools.
this revolves around the initial apinger setup. via @TimelessP (Twitter)
Just noticed that while checking OpenVPN in the status pages, it says Network Time Protocol Status instead.
Just FYI!
thank you!
The initial wizard sets WAN to static but fills static ip with dhcp, this is not wanted. Set default to dhcp and leave ip blank.
see https://forum.pfsense.org/index.php?topic=86146.0 via @deZillium (twitter)
system_routes.php needs code cleanup at least for icons.
Every time I uncheck 'Disable password login for Secure Shell' on the advanced admin config page and click on the save button the next time (after more than 20 seconds) I change an option on this site and press save the following message appears:
Fatal error: Cannot unset string offsets in /usr/local/www/system_advanced_admin.php on line 189
If I reselect this SSH-option again the site works as expected.
Everyone should always prefer ssh-keys so I think this is a bug and a feature at the same time ;)
We have pulled in openssh-portable from ports, which works. :) Next step is WITHOUT_OPENSSH=1 in base so that we end up with different types of systems for different versions. To make the switch easier, refactor and rewrite the launcher to cope with both types and to make it easier to maintain in the future.
Add support for AES-GCM and reintroduce it to the GUI, also see #11.
Also interesting for factory reset. We should prompt for a new password in those cases via @TimelessP (twitter)
The tabs for static routes and gateway groups are missing.
Hello,
could you please tell me what is the OPNsense® pfSense® features, functionalities comparison?
Does OPNsense® have more features than pfSense® and why should I use opnsense instead of pfsense???
regards, Heather
When opening the 'Services: UPnP & NAT-PMP' page the menu auto-collapses
http://i.imgur.com/iazrHdr.png
Is IPv6 currently working on OPNsense? I have my WAN set w/DHCP6, but I don't see it running.
When trying to start it manually, I found /var/etc/dhcp6c_wan.conf references /var/etc/dhcp6c_wan_script.sh which tries to start /usr/local/etc/rc.newwanipv6 via fcgicli
Related to https://redmine.pfsense.org/issues/4403
If anybody has a crash report I'd be delighted.
With em0 and em1 present the config currently skips interface assignment. Want to deploy a better way of doing that consistently. Also, initial IP assignment is missing. Workarounds like the LiveCD exist, but are a little too inconvenient on first glance. via @TimelessP (twitter)
When changing WAN interface to a static IPv4 WAN and apply a default gateway then no default route is created.
remove unused javascripts and includes in gui code
It would be great if a user who clicks "Test SMTP" (System:Advanced:Notifications) got a response if the test was successful. It goes to the log file instead.
When running pkg upgrades from System->Firmware the packages will be updated without problems. Unfortunately the OPNsense appliance does not refresh the update list and keeps telling me that an update is available (actually the same update as before: pkg 1.4.3 -> 1.4.4).
Maybe OPNsense should clear the update list if the pkg upgrade completed successfully.
System: fresh install of OPNsense 15.1 amd64
I think it would greatly ease migration to OPNsense if it would be possible to import a pfSense configuration. I don't care for the RRDs, but only the configuration.
This would make it easier for people to test OPNsense with their real-world configuration and possibly attract more people to try OPNsense.
Maybe this should be implemented alongside the OPNsense config backup/import feature (to allow OPNsense to diverge more from pfSense over time). Well, I guess it would be OK to support only the stable version of pfSense (not every old release).
Code in question has probably been broken for quite a while... via @TimelessP (twitter)
If I try to use SVG images in the portal page file as a CSS background image, the SVG file isn't displayed. E.g. this example CSS doesn't work:
input.auth_user {
background-image: url(captiveportal-user-icon.svg);
}
To fix this I had to edit this file:
/usr/local/etc/inc/system.inc
And add this to the mimetype.assign var:
".svg" => "image/svg+xml",
after doing this the SVG images are shown.
(PS! the same bug also exists in pfSense)
OpenVPN user authentication fails due to /usr/local/sbin/ovpn_auth_verify trying to execute php scripts using fcgicli.
@c0urier writes in to ask if this could be achieved. Will do the research in any case. If anybody has any thoughts on this, please comment.
Captive portal problems:
PS! I've tested the same config file on pfSense, and everything is working under pfSense.
For this test I have used the IP 192.168.2.105 for the WAN and the IP 10.13.37.1 for the LAN
I have activated the captive portal on the LAN interface, with local user and voucher authentication.
PS! I've tested this on OPNsense 15.1.5 and pfSense 2.2.
Implement proxy feature into OPNsense
The general idea implemented previously is okay, but inconsistent. /conf may be a symlink, although /cf should really have a complete directory mirror, so each time we want to write we force the prefix /cf and be done with it. Might also involve renaming /cf to /rw for clarity. This approach works for normal installations, too. No reason to have an if else mess in the code. Feedback welcome! :)
Softcoding is generally a good idea, except when system paths must be static as in the case of most of the ports (/usr/local). Sometimes the path is parsed by shell scripts using crude hacks. Sometimes the softcoding is not consistent. Most of the time it's harder to find softcoded paths. Discuss!
Rework and add alias popups in several gui pages.
On m0n0wall, an unchecked WAN option Block private Networks automatically adds a pass rule for WAN, while the default is having this item checked.
On the page services_dhcp_edit.php the copy my mac button does not work.
Create a base structure for using Phalcon as frontend for new components and integrate this with the current codebase. This gives us the opportunity to keep new components clean and provide a transition to a better codebase.
Initial wizard - at the last screen the reload feature does not redirect to the right page or hangs.
One of the main goals for OPNsense is to create a cleaner codebase which is easier to maintain. This feature detaches frontend and backend for template generation and provides a cleaner approach for handling configuration files.
Rename check_reload_status.py to a more sensible name. (as it is the backend service for configuring the firewall)
I know that it was a common practice for ISC DHCP being used within other distributions to not allow static assignments within the DHCP pool, however, it defeats the purpose of allowing said static assignments.
Would like to request the removal of the restriction in the GUI and also update the wording in the GUI with the warning that it can cause issues blah blah blah, but allow us to assign static DHCP leases within the pool.
Thank you!
After adding a static route a route change is applied, but if no route exists this does not work.
error
/system_routes.php: The command '/sbin/route change -inet
possible solution
delete route first, if any exists
re-add route
This way the route can always be added.
system_routes_edit.php needs some code cleanup and inline gateway table needs to be converted to bootstrap alternative.
I created some aliases and started creating Port Forward NAT-rules (Firewall->NAT) using said aliases. In the rules-list the alias gets prefixed with Array (ie. when I created a Port Forward NAT for my mailhost I see 'Arraymailports' as Dest. ports, 'Arraymailhost' as NAT IP, 'Arraymailports' as NAT Ports).
The rules auto-created in Firewall->Rules are not prefixed with Array.
via https://forum.opnsense.org/index.php?topic=55.msg154#msg154
system_gateway_groups_edit.php needs cleanup.
When the DNS forwarder service is active and you add a Host Override, it will ask you to reload. When performing a reload, the service is stopped and disabled.