OpenSense on SG-2100
-
@JonathanLee Do they even have an Arm version? They don't list it on their download page.
-
@SteveITS yeah but it's essentially a fork of PfSense who's a fork of MoNowall. I don't think they have an Arm version.
-
@JonathanLee
To steves point, if this was an x86 to x86 conversion i would say test it out but there might be driver incompability.
But considering the 2100 is an ARM processer and OPNsense doesnt state that they support ARM im not sure its going to work. May want to ask the devs over on the forums over there. -
Absolutely no way an x86/AMD64 software version is going to work on ARM hardware. The CPUs use completely different binary op-codes. It wouldn't even start to boot! The codes for the CPU hardware instructions are completely different.
OPNsense does not have an official ARM version. I lurk on their forums to keep tabs on anything Suricata-related, but I did stumble across a thread over there where a user (not affiliated with OPNsense officially) was attempting a migration to ARM hardware. Don't know what the status of that effort is now. Doing something like requires taking all the FreeBSD kernel source code from the OPNsense firewall distro FreeBSD source and recompiling it from scratch in a proper builder. That's the part that is hardware dependent. The GUI PHP code not so much.
-
I want the web cache support for Squid is what I am after. I am going to be stuck in 23.05.01 land until the end of time.
-
@JonathanLee said in OpenSense on SG-2100:
I want the web cache support for Squid is what I am after.
Just out of curiosity, how many hits do you have in your proxy's cache ?
304 is the code you are looking for.
200 is a miss, so that doesn't count. -
@JonathanLee said in OpenSense on SG-2100:
I want the web cache support for Squid
Why? What is your Internet speed? The cache was really only of value eons ago when speeds were dial-up level. And a fair amount of stuff today from the web is dynamic and may well have the "no-cache" tag embedded in it anyway.
-
I still use DSL I have tons of hits, pages of them plus ClamAV blocks https items all the time for me. You can set the no cache tag to ignore in squid also if needed. Dynamic cache of Windows updates also.
-
@JonathanLee said in OpenSense on SG-2100:
You can set the no cache tag to ignore in squid also if needed.
But usually web sites set that "no-cache" tag for a valid reason, and the most common is some dynamic content on the page relies on a fresh copy of said content. So overrriding the "no-cache" tag can result in a non-functional or otherwise broken web page-- including some not-so-obvious breakage that might be significant.
Squid is generally considered as a technology whose time came and went about 10 years ago. And some argue it's even farther back than that. Go read some of the posts and debate in the Squid vulnerability thread over on the OPNsense forum.
-
If you absolutely have to have a proxy, you should setup a local proxy VM or system (or even a docker container) on a dedicated device instead of running it on your edge/firewall. You can still redirect traffic to it or configure clients to use it directly. I'd be surprised if it was doing as much for you as you think, especially on a 2100.
-
@bmeeks I think a value-add to the package is the MITM aspect. Unfortenly most if not all of the blocklists that were used for Squid are no longer or just not good when compared to commercial products.
Im of two minds about it.
Squid is an oldie but a goodie. It can still have some relevance today for page blocking or content control albeit in limited scope.If you have a proxy in the path, you cant bypass at all. DoH is a game of wack-a-mole. Easy to do but can be easily bypassed. -
@jimp
This was suggested on Reddit and i think its a good idea if one has the resources.
Squid with the unresolved CVEs is probably best sitting behind a firewall . I dunno. Just a thought. -
@JonathanLee said in OpenSense on SG-2100:
I want the web cache support for Squid is what I am after. I am going to be stuck in 23.05.01 land until the end of time.
23.09 includes Squid per the blog post.
re: cache, SSD is recommended for the disk writes on eMMC...
https://www.netgate.com/supported-pfsense-plus-packages
https://docs.netgate.com/pfsense/en/latest/troubleshooting/disk-lifetime.html -
SSD
@JonathanLee I see from one of your other posts you have a Max so never mind this comment. I like to post it when it comes up since many don't know about the recommendation list (which would help if it was in the docs, or linked from the docs; AFAIK it isn't).
-
Indeed Squid is in 23.09. I agree though, running a separate internal proxy is probably a better option.
-
@stephenw10
To be fair, commercial solutions like Cisco Umbrella or Zorus do a really better job at this whole proxy thing.
I know there isnβt a home lab or SMB pricing that makes sense which is really the pain point here for mostly everyone.
Also Iβm not aware of any commercial proxy to be used internally. Is BlueCoat still a thing? -
@michmoor what is bluecoat? I have Squid 6.6 running great in 24 minor issue the status page changed to non squidclient based. But other than that it has a lot of the CVEs fixed I am told itβs the latest and greatest.
-
If you want to proxy and filter all the traffic from/to a small country you call Bluecoat.
-
@stephenw10
SWG are the future. Its been the future? Its here now :)https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/
-
'SWG' seems like another acronym for what has been around for years. Maybe with a shinier front end glued onto it.