I think this is fundamentally where we differ. Open Source shouldn’t necessarily be free as in beer. I think that if something provides economic value, then value should be provided in kind.
I disagree that we differ here. but perhaps we do. I believe in praxeology. Would you like to reconsider your question?
Praxeology 101 - Lesson 1 - Introduction - YouTube
I think we are running into a left/right American political bias problem right now? I’m in neither camp. I am a misfit and I like to celebrate other misfits.
My political opinions are usually colored in technology - pretty much everyone here has a common political ground. I just finished last week’s Level1 News. However, I usually try to take a middle ground stance on things.
One of those things is that I believe open source software should be paid. And not in the terrible SaaS way that companies like Adobe use - although I rather like the SaaS implementation that JetBrains employs; it’s a nice middle ground. I am neither democrat nor republican, either. I don’t know anything about praxeology other than the first 1:45 that I watched of the first video in that playlist. I do know economics though, both on a macro and a micro scale. So I trust in the economic systems we have today. That wasn’t always the case for me, though.
@wendell hows this?
Future Router OS Blueprint
I actually think the “router OS” market is ripe for disruption. Forget everything you know about routers. What matters is:
Manage your internet connection – devices, flows, rate limits/rules.
Manage devices behind your connection with special handling for media devices, access points, etc.
Manage SNMP
PiHole/DNS/security filtering (< opportunity for subscription model)
IDS/IPS type thing possible.
T-Pot (GitHub - telekom-security/tpotce: T-Pot - The All In One Honeypot Platform) for LAN monitoring (hey, your LG TV was surreptitiously scanning open network shares. Yes, this is a thing that actually happened!)
Deploy Endpoint: Rather than point-to-point vpn, just give it some api creds to linode and blam wireguard or tailscale endpoint.
point-n-click self-hosted service manager. Endpoints can be forwards from linode or tailscale; CG nat isn’t a problem in this scenario. Much of this can be simplified for the user, but still exposed for power users.
device collection management: your phone, desktop(s), laptop(s), server(s) can all always talk to each other a la tailscale, or automated tailscale/headscale. This would greatly simplify redundant/multiple internet connections. the linode thing also makes it more trivial to do multi-path TCP to linode, then trad. tcp from there out. So you could have something more awesome than failover or route-based multi-wan…
like I say…ripe for disruption
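The "your TV was scanning open network shares" case above is the kind of LAN monitoring a router OS could do itself. As an added example (not code from the thread, and not T-Pot's), here is a small detector over constructed NetFlow-style records: it flags any LAN host that fans out to many distinct LAN peers on file-sharing ports within a short window, while ignoring flows that leave the LAN. The subnet, port set, threshold, window and record format are all assumptions chosen for the demonstration.

```python
"""Flag LAN devices that fan out to many peers on file-sharing ports.

Added example, not code from the thread or from T-Pot. Subnet, ports,
threshold and record format are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SHARE_PORTS = {139, 445, 2049}          # NetBIOS session, SMB, NFS
LAN = ip_network("192.168.1.0/24")      # assumed home subnet
FANOUT_THRESHOLD = 8                    # distinct LAN peers before alerting
WINDOW_SECONDS = 60                     # sliding window for the fan-out count


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<unix_ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def scanning_hosts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: sorted peer list} for every LAN source that contacted at
    least `threshold` distinct LAN peers on share ports within `window` seconds.
    Flows leaving the LAN are ignored: this is a lateral-movement check, not
    an egress check."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport not in SHARE_PORTS:
            continue
        if ip_address(f.src) not in LAN or ip_address(f.dst) not in LAN:
            continue
        by_src[f.src].append(f)

    hits = {}
    for src, fl in by_src.items():
        left = 0
        for right in range(len(fl)):
            # advance the left edge until the window fits
            while fl[right].ts - fl[left].ts > window:
                left += 1
            peers = {x.dst for x in fl[left:right + 1]}
            if len(peers) >= threshold:
                # report every LAN peer this source touched, not just the window
                hits[src] = sorted({x.dst for x in fl})
                break
    return hits


# Constructed sample: a TV at .50 sweeps .10-.20 on SMB within 30 seconds,
# a laptop at .20 talks to its NAS at .5 twice (normal), and one SMB flow
# from the TV leaves the LAN and is therefore ignored by this check.
SAMPLE_LINES = (
    [f"{1000 + 3 * i} 192.168.1.50 192.168.1.{10 + i} 445" for i in range(11)]
    + ["1005 192.168.1.20 192.168.1.5 445",
       "1900 192.168.1.20 192.168.1.5 445",
       "1010 192.168.1.50 203.0.113.9 445"]
)


def detect_sample():
    """Run the detector over the constructed sample; returns the hits dict."""
    return scanning_hosts(parse_flow(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for src, peers in detect_sample().items():
        print(f"{src} contacted {len(peers)} LAN peers on share ports: {peers}")
```

On the sample only the TV trips the check; the laptop's repeated connections to one NAS stay below the fan-out threshold, which is the distinction that keeps this from paging on normal file-server use. A real deployment would feed it from a flow exporter on the router and tune the threshold per network.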
Let’s break this out into layers and refactor.
1. Core Management Layer
This is the foundational layer that handles the basic functions of the router OS.
1.1. Internet Connection Management
- Device Management: Identify and manage all devices connected to the network. Apply rate limits and rules based on device type or user preference.
- Flow Management: Monitor and control the flow of internet traffic, with the ability to prioritize or restrict certain types of traffic.
1.2. Local Network Device Management
- Media Device Special Handling: Recognize and optimize the network for media devices, ensuring smooth streaming and low latency.
- Access Point Management: Control and configure additional access points to extend the network’s reach.
1.3. SNMP (Simple Network Management Protocol)
- Network Monitoring: Utilize SNMP for monitoring the health and performance of network devices.
- Configuration Management: Allow for remote configuration of network devices via SNMP.
2. Security and Monitoring Layer
This layer focuses on safeguarding the network and monitoring for any suspicious activity.
2.1. Packet Fence, the other pf. The irony that this remains layer 2, even when viewed from a completely atypical point of view. I don’t believe in coincidence.
2.2. PiHole/DNS/Security Filtering. NXFilter is cool, too.
- Ad Blocking and Security: Implement PiHole for network-wide ad blocking and security filtering.
- Subscription Model: Provide advanced security features and filters as part of a subscription service.
2.3. IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Network Monitoring: Continuously monitor network traffic for signs of malicious activity.
- Incident Response: Take predefined actions to block or mitigate threats when detected.
3.0. Centralized Logging and Documentation
Gravwell’s great.
Competitors exist and are good.
4.0. IPAM and better documentation tools
phpipam is great.
Competitors exist and are good.
Fuzzy matching should be CORE/INTEGRAL to the design. So should a common “design language.” There’s art in a UI that speaks to its codebase but still effectively illustrates the general weight or value the programmer might have felt about any individual component. This will yield interesting new outcomes. Not sure how to package these all up. What’s in scope?
A better firewall is simple yet modular.
m0n0wall was a really simple idea that spawned many project spin-offs. That’s why its descendants ultimately had more success than IPFire?
Looking at pfsense, it should be designed more modularly. I really like how iXsystems designed TrueNAS. There should be a middlewared equivalent in pfSense so a proper API can be developed and used.
At the end of the day, everything is available for free and without the cloud, you just have to assemble and create it yourself.
All these “NGFW” are simply an extensive Frontend for commonly available things…
IPFire
The cloud is just someone else’s computer. Screw the cloud. More options needed for us who hold that to be true. This is a universal truth for the future of mankind. Cloud last, not cloud first. Cloud exists, but should not be prioritized.
I am re-reading @wendell’s post for the 4th or 5th time. There’s so much wisdom to be had in that post…
I would like to see something that is 100% manageable through SSH or APIs instead of having a web control panel. Something that by default just runs a basic system for association. Appliances being as dumb as possible.
Configuration for the whole site is done through some declarative language, maybe like Nix, pushing the whole configuration to associated devices. Capable of using modern stuff like keyvaults and small golang agents like Prometheus or Telegraf. Management itself being something standalone like Terraform to avoid bullshit like running some Tomcat+MongoDB or PHP monstrosity to manage one access point. You just propagate the changes, telling the network designs and pointing where it should grab secrets, how and where to send metrics, etc.
Don’t care about underlying OS. I suspect neither of you should unless you are Netflix.
Kill it with acid and fire so it won’t come back again as v4.
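The declarative, push-based site configuration described a few posts above (one spec for the whole site, devices told where to fetch secrets and where to send metrics) can be sketched in a few dozen lines. The following is an added example, not code from the thread, from Nix, Terraform or any project named here: a constructed site spec in which secrets appear only as `vault:<path>` references, a vault stand-in that serves each device only the paths its own section references, and a renderer that fails closed if any reference survives rendering. Every name, path and value in it is an assumption.

```python
"""Render per-device configs from one declarative site spec.

Added example (not the thread's and not any project's code). Secrets live
in the spec only as "vault:<path>" references; each device gets a vault
handle scoped to the paths its own section references; rendering refuses
to emit a config with an unresolved reference. All names are assumptions.
"""
import hashlib
import json

REF_PREFIX = "vault:"

# Constructed site spec: one document describes every device.
SITE = {
    "metrics": {"sink": "http://telegraf.mgmt.lan:8186/write"},
    "devices": {
        "ap-1": {"role": "access_point", "ssid": "home", "psk": "vault:wifi/home/psk"},
        "ap-2": {"role": "access_point", "ssid": "home", "psk": "vault:wifi/home/psk"},
        "edge-1": {"role": "router", "wan": "dhcp", "wg_key": "vault:wg/edge-1/private"},
    },
}

# Constructed secret store standing in for a real key vault.
VAULT_DATA = {
    "wifi/home/psk": "constructed-psk-value",
    "wg/edge-1/private": "constructed-wg-private-key",
}


def find_refs(node, acc=None):
    """Collect every vault path referenced anywhere in a config subtree."""
    acc = set() if acc is None else acc
    if isinstance(node, str):
        if node.startswith(REF_PREFIX):
            acc.add(node[len(REF_PREFIX):])
    elif isinstance(node, dict):
        for value in node.values():
            find_refs(value, acc)
    elif isinstance(node, list):
        for value in node:
            find_refs(value, acc)
    return acc


class ScopedVault:
    """Serves only the paths one device is allowed to read (least privilege)."""

    def __init__(self, data, allowed):
        self._data = data
        self._allowed = frozenset(allowed)

    def get(self, path):
        if path not in self._allowed:
            raise PermissionError(f"{path} is outside this device's scope")
        return self._data[path]


def device_scope(site, device):
    """The vault paths a device legitimately needs: those its own section references."""
    return find_refs(site["devices"][device])


def resolve(node, vault):
    """Replace every vault reference in a subtree with the secret it names."""
    if isinstance(node, str) and node.startswith(REF_PREFIX):
        return vault.get(node[len(REF_PREFIX):])
    if isinstance(node, dict):
        return {k: resolve(v, vault) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, vault) for v in node]
    return node


def render(site, device, vault):
    """Build the slice of the site one device should receive, secrets resolved."""
    if device not in site["devices"]:
        raise KeyError(f"unknown device {device}")
    cfg = {"device": device, "metrics": site["metrics"], **site["devices"][device]}
    rendered = resolve(cfg, vault)
    if find_refs(rendered):
        raise ValueError("unresolved vault reference survived rendering")
    return rendered


def config_digest(rendered):
    """Stable hash of a rendered config, usable to detect drift on the device."""
    return hashlib.sha256(json.dumps(rendered, sort_keys=True).encode()).hexdigest()


def render_site(site, vault_data):
    """Render every device with a vault handle scoped to that device alone."""
    return {
        device: render(site, device, ScopedVault(vault_data, device_scope(site, device)))
        for device in site["devices"]
    }


if __name__ == "__main__":
    for name, cfg in render_site(SITE, VAULT_DATA).items():
        print(name, config_digest(cfg))
```

The scoping is the security-relevant part: the access point's handle cannot read the router's WireGuard key even though both live in the same vault, so a compromised AP yields only what the AP was ever meant to hold. The digest gives the management side something to compare against what each device reports, which is how drift gets noticed without a stateful controller.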
You mostly described VyOS, especially since there is an Ansible collection for it with the very redundant name Vyos.Vyos. No support for keyvaults but it does have Telegraf. The config style is very similar to Juniper’s Junos. They just recently finished their Perl to Python migration too so they should really be able to crank out additional features compared to before.
There’s already NextDNS for DNS filtering. I actually do not set up Pi-hole on my LAN. Though pfSense is very useful for having more control over who my DNS provider is, because the Google Fiber router is stupidly simple; its user interface is very Gnomish.
Many of you guys probably do more with your setups than I do. My primary setup consists of Wireguard and PFSense’s default firewall security pretty much. Wireguard singlehandedly eliminates my need for opening many ports on my home network. Pretty much all I need to open are video game ports and Wireguard itself.
I have tried Snort once, but I didn’t know what I was doing and ended up getting rid of it because of CPU utilization and false positives. Although Lawrence Systems’ recent video was useful in educating me in what I did wrong, I don’t think I will try it again.
What kind of special handling do you do for these things. I know I don’t use PFSense to its full potential, so I am very interested in all the things I can do with it. That being said, I do like having control over my LAN’s DHCP server and resolver - which I feel is nonexistent or very obtuse on consumer hardware.
I think Netgate’s reaction was positive and good. Let’s continue hoping for the best.
In the mean time, we should consider continuing the level 1 community router project. Should we get a thread going?
P.S. I currently have my AP set up as a dumb AP for simplicity, but I would like to isolate it and its hosts from other LAN devices for security.
It took me too long to resolve that we should just consider starting to build a new firewall. I think, if anyone can crowd source a firewall it’s Level1Techs.
This is just like the guy who’s crowdsourcing a damn server chassis for fun. Or Wendell making the KVM. We can do it better.
I want to be a part of this
I guess being slow paid off. I kept meaning to look into PFSENSE+ and was just too busy, and now I don’t have to!
Though, I still need to upgrade to 2.7…
Cool. I’ve heard about it but had no idea it had such features. Would be nice if not only the router but also other network equipment like APs and switches. Think bare metal switches with enough memory to run busybox and some programs.
I wonder why infrastructure as code style configuration is not a big thing in network plumbing.
I’d like to throw my name in the thread that we fork PFSENSE; I think regardless of direction it is now RIPE to do so.
Let’s be honest, OPNsense and pfSense are great FWs but basic. In the old days it was good, but today in the days of NGFWs they are lackluster and missing features. Therefore I think now is the time to fork and start getting the features up to par. PFSENSE has brought us great features, sure, like WireGuard and Tailscale, but that isn’t what is needed right now.
I kinda disagree? I like the “greybeard” aspect of pfSense. There are a lot of folks that say they want “gee whiz” features, but Netgate is actually putting in the (tireless/thankless) work. They Are Actually Logging The Hours. They are seen, and if nothing else, I appreciate the work they are doing. It is a lot of work that is upstreamed back into BSD, too.
Were we “right now” to do “something else” that is needed, I have not seen another team pop up that is gray-beardy enough to get it done, but forward thinking enough to also be “gee-whiz” … those folks, fortunately or unfortunately, are elsewhere pulling down 6 figure salaries. Sure we’re all pining for the fjords but… got bills to pay.
That’s the missing community aspect. If you had an inspirational community leader, with the chops, the greybeards might get on board and start helping build the cool stuff. With healthy skepticism at first, I’m sure. The smartest of those leaders let graybeards in on it and together they convince the juniors to do the gruntwork. Then once the greybeards see the promise in the new gee-whiz generation… that’s when the magic happens.
…at ubiquiti making shiny rack AR apps and cloud this-and-that while their big honking routers are hamstrung by poor software and bloated controllers that even a novice would consider necessary in a network appliance
there’s just something to be said for the greybeard it just works approach. it ain’t pretty but it works.