It was found out that the OPNsense has some minor and major problems. See section: Early Expirience
I knew that sometime it should happen. And the time has come. The pfSense 2.4 will no longer support i386 based machines.
Maybe someone would say: It is now 2017! Who will even use the i386 processors those days.
Yes, but what should I and people like me do when there were so many Atom based (i.e Intel(R) CPU N270) passive cooling boxes installed and still working without any faults not making a lot of noise. All of them do not have 64-bit instructions set. This means the pfSense 2.4 release will not work at all, without manuall patching the kernel and userland, which is obviously waste of time.
The official reason why the pfSense has dropped i386 support is: ... something about old hardware. Is the reason a big deal now? I don't think so. However the SG-1000 ARM-based system was added, so it seems the project is moving towards the ARM, which is great, but those ARM boxes is quite hard to order especially if you are located in the eastern Europe.
What to do now?
Ok, (talking about only Atom 32 bit boxes) upgrading the 15 Atom boxes will cost around 100 EUR per box for 64bit compatiable CPU with silent cooling. In total, it is needed 1500 EUR to upgrade the hardware which is utilises the CPU on 60-75% in peaks. This is not our way!
There is other ways:
- Install OpenBSD or FreeBSD or HardenedBSD and setup evrything manually.
- Install Linux based distro (less likely)
- Install some less known firewall distros.
The first option is possible, but less experienced administrator or user will face the problems. And too lasy and disadvantageously. The second option is also possible, but some distros has also dropped i386 or will not boot with (maybe?) 1G or RAM (I have checked and it failed during OS booting) The third option is possible and less problematic, but danger.
I have selected third one, but I recomend to select first or second, if you have a lot of time and maybe it is your main job which is paid well.
Searching the web I found a lot of alternatives, but shortly saying, I have picked the pfSense fork the OPNsense.
Running it in the VM as a guest to test the most basec configuration, it was found out that it boots fine with 1G of RAM. The Web UI is fast and responsive. All necessary packages are available like dnscrypt-proxy which on pfSense is not available without manual installation. OPNsense is based on HardenedBSD kernel so some additional security features are available, but on the available CPU it will not benefit a lot.
The installation is simple:
- Storing the pfSense configuration file and dumping the pfSense filesystem to the extrnal storage. The configuration file is not compatiable with OPNsense, so don't try to import it.
- Downloading and burning img or iso to the DVD, usb memstick or booting over the LAN.
>(Linux)dd if=./OPNsense-17.X-OpenSSL-vga-i386.img of=/dev/sdX bs=4M & sync >(FreeBSD) dd if=./OPNsense-17.X-OpenSSL-vga-i386.img of=/dev/daX bs=4M & sync
- Booting from the flashdrive. Logging in as a user: installer and password: opnsense. If you are not sure, you can run it directly from memory stick to test it it works fine with the installed hardware.
- Installing it to the disk.
- Setting everything up in Web UI.
- (Optionally) Then, SSH to server and install necessary packages manually. The snort is available and can be installed from pkgs. Installing dnscrypt-proxy and modyfing the rc.d startup sript to the following Run dnscrypt-proxy multiple instances. The rc.d exaple:
dnscrypt_proxy_enable="YES" dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3 dnscrypt_proxy_4" dnscrypt_proxy_1_resolver="ipredator" dnscrypt_proxy_1_flags="-a 127.0.0.1:50000" dnscrypt_proxy_2_resolver="dnscrypt.nl-ns0" dnscrypt_proxy_2_flags="-a 127.0.0.1:50001" ...
The system is ready. You might also want to add a VRT rules to the suricata. It seems not that easy, and maybe later I will write the post about it but at the moment I have a hint how to do it manually: THis link can be used as a starting point
Running OPNsense for sometime has revealed some minor and major issues.
- The largest one is suricata.
- By default (in OPNsense), Suricata is not working with Snort VRT rules.
- Suricata requires less RAM but more CPU. The problem is that, for instance, on Intel(R) CPU N270 with 1GB of RAM, when running git clone of some large repository and simultaniously watching some online video stream in HD quality loads router's CPU on 95%-102% and drops the download speed to 400kB/s. Without Suriata 10Mb/s. When this router was running Snort with AC-BNFA-Q with Snort VRT + emerging threats the maximum download speed was 4-5Mb/s.
- To install snort, you need to install it via pkg utility. Also install barnyard and pulledpork and configure it manually.
- The firewall (pf) rules web interface is inconvinient and less functional. After adding the non-floating rules to the firewall configuration, it does not make the trick.
- dnsmasq is ignoring strick-order option and queries only latest nameserver which was left as backup in case of the dnscrypt-proxy falure.