Netgate Discussion Forum
    OpenSense on SG-2100

    Off-Topic & Non-Support Discussion
      JonathanLee:

      Hello

      Has anyone attempted to install OpenSense on a SG-2100 to play around with?

      Make sure to upvote

        NollipfSense @JonathanLee:

        @JonathanLee That's like wanting to install MacOS on a Windows-based PC... frowned upon; however, I hope someone with actual experience responds.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          SteveITS (Galactic Empire) @JonathanLee:

          @JonathanLee Do they even have an Arm version? They don't list it on their download page.

          Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
          Upvote 👍 helpful posts!

            JonathanLee @SteveITS:

            @SteveITS Yeah, but it's essentially a fork of pfSense, which is a fork of m0n0wall. I don't think they have an Arm version.


              michmoor (LAYER 8, Rebel Alliance) @JonathanLee:

              @JonathanLee
              To Steve's point, if this was an x86-to-x86 conversion I would say test it out, but there might be driver incompatibility.
              But considering the 2100 is an ARM processor and OPNsense doesn't state that they support ARM, I'm not sure it's going to work. May want to ask the devs over on the forums over there.

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

                bmeeks:

                Absolutely no way an x86/AMD64 software version is going to work on ARM hardware. The CPUs use completely different binary op-codes. It wouldn't even start to boot! The codes for the CPU hardware instructions are completely different.

                OPNsense does not have an official ARM version. I lurk on their forums to keep tabs on anything Suricata-related, but I did stumble across a thread over there where a user (not affiliated with OPNsense officially) was attempting a migration to ARM hardware. Don't know what the status of that effort is now. Doing something like that requires taking all the FreeBSD kernel source code from the OPNsense firewall distro's FreeBSD source and recompiling it from scratch in a proper builder. That's the part that is hardware-dependent. The GUI PHP code, not so much.

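A concrete way to see bmeeks's point about the binaries themselves, added here as an example that is not from anyone in the thread: every FreeBSD kernel and userland binary carries its target machine in the ELF header, and the SG-2100 (a 64-bit ARM Cortex-A53 board) can only run aarch64 images, so an amd64 build is rejected before a single instruction executes. The headers below are constructed, and make_header is a helper for this example only.

```python
import struct

# ELF identification constants (ELF spec; same values in FreeBSD's <sys/elf_common.h>).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ELFOSABI_FREEBSD = 9
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
MACHINE_NAMES = {EM_386: "i386", EM_ARM: "armv7", EM_X86_64: "amd64", EM_AARCH64: "aarch64"}


def elf_machine(blob):
    """Return (bits, machine_name) read from an ELF header, or raise ValueError if it is not ELF."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(ei_data)
    if endian is None or ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("malformed ELF identification")
    # e_type occupies bytes 16-17 and e_machine bytes 18-19 (same layout for ELF32 and ELF64).
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])
    bits = 64 if ei_class == ELFCLASS64 else 32
    return bits, MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine)


def runs_on_sg2100(blob):
    """The SG-2100's Marvell ARMADA 3720 is a 64-bit ARM Cortex-A53 part: only aarch64 ELF binaries run natively."""
    bits, machine = elf_machine(blob)
    return bits == 64 and machine == "aarch64"


def make_header(ei_class, ei_data, e_machine):
    """Constructed 20-byte ELF header prefix for this example only (not a real image)."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, ELFOSABI_FREEBSD]) + b"\x00" * 8
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, then e_machine


if __name__ == "__main__":
    for label, hdr in (("amd64 image", make_header(ELFCLASS64, ELFDATA2LSB, EM_X86_64)),
                       ("aarch64 image", make_header(ELFCLASS64, ELFDATA2LSB, EM_AARCH64))):
        print(label, elf_machine(hdr), "runs on SG-2100:", runs_on_sg2100(hdr))
```

On a real system the same check is `file /boot/kernel/kernel` or `readelf -h`, which print the machine field this code decodes.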
                  JonathanLee:

                  The web cache support for Squid is what I am after. I am going to be stuck in 23.05.01 land until the end of time.



                    mcury (Rebel Alliance) @JonathanLee:

                    @JonathanLee said in OpenSense on SG-2100:

                    The web cache support for Squid is what I am after.

                    Just out of curiosity, how many hits do you have in your proxy's cache?

                    304 is the code you are looking for.
                    200 is a miss, so that doesn't count.

                    dead on arrival, nowhere to be found.

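A way to answer mcury's question from the proxy's own log, added here as an example that is not from anyone in the thread: it parses Squid's native access.log format and counts objects served from cache (full hits, plus conditional revalidations where the origin answered 304 Not Modified) against objects that had to be fetched, ignoring denied and CONNECT-tunnelled requests that can never be cached. The log lines are constructed, and the regex assumes Squid's default native log format.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log format:
# timestamp elapsed client result/status bytes method URL user hierarchy/peer type
# (addresses and URLs are made up for this example).
SAMPLE_LOG = """\
1700000000.101    12 192.168.1.20 TCP_HIT/200 5120 GET http://example.net/site.css - HIER_NONE/- text/css
1700000000.233   410 192.168.1.20 TCP_MISS/200 83211 GET http://example.net/index.html - HIER_DIRECT/203.0.113.5 text/html
1700000000.350     8 192.168.1.21 TCP_MEM_HIT/200 2048 GET http://example.net/logo.png - HIER_NONE/- image/png
1700000000.420   120 192.168.1.21 TCP_REFRESH_UNMODIFIED/304 300 GET http://example.net/app.js - HIER_DIRECT/203.0.113.5 application/javascript
1700000000.510   530 192.168.1.22 TCP_REFRESH_MODIFIED/200 40111 GET http://example.net/feed.xml - HIER_DIRECT/203.0.113.5 application/xml
1700000000.600     1 192.168.1.22 TCP_DENIED/403 3800 GET http://blocked.example/ - HIER_NONE/- text/html
1700000000.700   200 192.168.1.23 TCP_TUNNEL/200 0 CONNECT update.example:443 - HIER_DIRECT/203.0.113.9 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Result tags meaning the object was served from cache, including a
# conditional revalidation where the origin answered 304 Not Modified.
HIT_TAGS = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_UNMODIFIED"}
# Result tags meaning the object had to be fetched from the origin.
MISS_TAGS = {"TCP_MISS", "TCP_REFRESH_MODIFIED", "TCP_CLIENT_REFRESH_MISS"}


def parse_line(line):
    """Return the fields of one native-format access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def cache_summary(log_text):
    """Count hits and misses; denied and CONNECT-tunnelled requests are not cacheable and are ignored."""
    counts = Counter(hits=0, misses=0, ignored=0)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] in HIT_TAGS:
            counts["hits"] += 1
        elif rec["result"] in MISS_TAGS:
            counts["misses"] += 1
        else:
            counts["ignored"] += 1
    cacheable = counts["hits"] + counts["misses"]
    ratio = round(counts["hits"] / cacheable, 3) if cacheable else 0.0
    return {**counts, "hit_ratio": ratio}


if __name__ == "__main__":
    print(cache_summary(SAMPLE_LOG))  # {'hits': 3, 'misses': 2, 'ignored': 2, 'hit_ratio': 0.6}
```

Feed it the real file with `cache_summary(open("/var/squid/logs/access.log").read())`; HTTPS traffic that Squid only tunnels (the CONNECT line) lands in "ignored", which is usually most of the log on a modern network.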
                      bmeeks @JonathanLee:

                      @JonathanLee said in OpenSense on SG-2100:

                      I want the web cache support for Squid

                      Why? What is your Internet speed? The cache was really only of value eons ago when speeds were dial-up level. And a fair amount of stuff today from the web is dynamic and may well have the "no-cache" tag embedded in it anyway.

                        JonathanLee:

                        I still use DSL. I have tons of hits, pages of them, plus ClamAV blocks https items all the time for me. 👍 You can set the no-cache tag to ignore in squid also if needed. Dynamic cache of Windows updates also.


                          bmeeks @JonathanLee:

                          @JonathanLee said in OpenSense on SG-2100:

                          You can set the no cache tag to ignore in squid also if needed.

                          But usually web sites set that "no-cache" tag for a valid reason, and the most common is some dynamic content on the page relies on a fresh copy of said content. So overriding the "no-cache" tag can result in a non-functional or otherwise broken web page, including some not-so-obvious breakage that might be significant.

                          Squid is generally considered as a technology whose time came and went about 10 years ago. And some argue it's even farther back than that. Go read some of the posts and debate in the Squid vulnerability thread over on the OPNsense forum.

                            jimp (Rebel Alliance, Developer, Netgate):

                            If you absolutely have to have a proxy, you should set up a local proxy VM or system (or even a docker container) on a dedicated device instead of running it on your edge/firewall. You can still redirect traffic to it or configure clients to use it directly. I'd be surprised if it was doing as much for you as you think, especially on a 2100.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                              michmoor (LAYER 8, Rebel Alliance) @bmeeks:

                              @bmeeks I think a value-add to the package is the MITM aspect. Unfortunately most if not all of the blocklists that were used for Squid are no longer around or just not good when compared to commercial products.
                              I'm of two minds about it.
                              Squid is an oldie but a goodie. It can still have some relevance today for page blocking or content control, albeit in limited scope. If you have a proxy in the path, you can't bypass it at all. DoH is a game of whack-a-mole. Easy to do but can be easily bypassed.

                                michmoor (LAYER 8, Rebel Alliance) @jimp:

                                @jimp
                                This was suggested on Reddit and I think it's a good idea if one has the resources.
                                Squid with the unresolved CVEs is probably best sitting behind a firewall. I dunno. Just a thought.

                                  SteveITS (Galactic Empire) @JonathanLee:

                                  @JonathanLee said in OpenSense on SG-2100:

                                  The web cache support for Squid is what I am after. I am going to be stuck in 23.05.01 land until the end of time.

                                  23.09 includes Squid per the blog post.

                                  re: cache, SSD is recommended for the disk writes on eMMC...
                                  https://www.netgate.com/supported-pfsense-plus-packages
                                  https://docs.netgate.com/pfsense/en/latest/troubleshooting/disk-lifetime.html

                                    SteveITS (Galactic Empire) @SteveITS:

                                    SSD

                                    @JonathanLee I see from one of your other posts you have a Max so never mind this comment. I like to post it when it comes up since many don't know about the recommendation list (which would help if it was in the docs, or linked from the docs; AFAIK it isn't).

                                      stephenw10 (Netgate Administrator):

                                      Indeed Squid is in 23.09. I agree though, running a separate internal proxy is probably a better option.

                                        michmoor (LAYER 8, Rebel Alliance) @stephenw10:

                                        @stephenw10
                                        To be fair, commercial solutions like Cisco Umbrella or Zorus do a much better job at this whole proxy thing.
                                        I know there isn’t home lab or SMB pricing that makes sense, which is really the pain point here for mostly everyone.
                                        Also I’m not aware of any commercial proxy to be used internally. Is BlueCoat still a thing?

                                          JonathanLee @michmoor:

                                          @michmoor What is BlueCoat? I have Squid 6.6 running great in 24; minor issue: the status page changed to non-squidclient based. But other than that it has a lot of the CVEs fixed; I am told it’s the latest and greatest.

                                            stephenw10 (Netgate Administrator):

                                            If you want to proxy and filter all the traffic from/to a small country you call Bluecoat. 😉
