Proxmox to host Nethserver and NAS solutions

Why avoid using the firewall? Which issues did you have with it? What could be improved?

1 Like

@mrmarkuz

Hi Markus

There are a few reasons for that suggestion…

  1. It’s never a bad idea, if your network gets bigger and more complex, to put in a dedicated firewall/box.
  2. Maybe the bigger reason: I personally need more experience with the NethServer Firewall, if I’m to give the same level of Know-How as you do to help others…

This also has to do with my professional level - most of my clients are clients, a few are friends.

Well: See the box AWR7-PVE-4 (Proxmox with NO guests running…) below? That’s my home Sandbox for testing. I’ve already installed an OPNsense in there, next is a NethServer to be installed, to use as firewall with up to 3 NICs…
All to advance my own Know-How & Experience, so I can advise others here with your level. I am fully aware that this is a NethServer forum, and not an OPNsense… :slight_smile:

I also want Patrick above to have a GOOD experience with NethServer, and not move away to something else after all the errors / misconfigurations he’s had so far.

With NethServer as your firewall and acting AD, if people test out stuff like Wireshark, there’s bound to be problems, as the firewall doesn’t really know how and what rules to set for Wireshark (It’s not part of NethServer so far, but CAN be installed).

OPNsense does have Wireshark on board, not Standard, but as an Add-In module. Playing with that separate Box or VM will NOT affect your AD on NethServer, running on LAN (Green). If you’re on a separate LAN / WLan of your Firewall, the problem is there, and not with AD…

I’m not “bitching” about using NethServer’s firewall - I’ve always said NethServer “can” handle the specific issue (And dumped the problem on your desk…), but I couldn’t really help with firewall issues. I want to change that! :slight_smile:

My 2 cents
Andy

1 Like

Hello guys,

Having issues with a new technology when you don’t know it very well is something that happens. Also, that software has bugs, that happens as well. When a problem arises, the only way you can move on and make it better is to report it and engage with the community, and that is something that I’m very happy to see happen, unlike many others.

That being said, Nethserver so far has been great. Relatively easy to install and configure. There have been some weird issues however that led me to reinstall the entire box, issues that couldn’t be reproduced. I believe it was Stephane, who believes my problems could be because of the user I created during the installation. In the graphical installation, you are asked at one point to select a root password and to create a new user. Once my system was installed, I proceeded to secure the box by adding SSH keys for root and my created user. First I wanted to add them globally in /etc/ssh but then realized that if I changed the SSH config from the cockpit, it would override anything I placed in sshd_config. So, I moved the authorized_keys to each user’s .ssh folders under /home/{user}. I only had 2 users still at that point. Then I created a LDAP directory and this is when I started to see the first issues. For some reason my tessierp was showing up in there and SSH logins would no longer work for that user. I proceeded to delete the user and recreate, nothing happened. Then I remembered what I did during the installation, creating that user. So I deleted the user again and proceeded to remove the user in /home by logging in as root and appropriately deleting the user with “userdel”. Then I decided to remove LDAP and try the AD. No matter what I did, by placing the authorized_keys for users under /var/lib/nethserver/home/{user}/.ssh, nothing would work. Only the root with the authorized_keys I placed under root’s home in the .ssh directory. And then people suggested I remove the AD to go back to what I had before and that is when I noticed my NIC was bridged and couldn’t change anything, couldn’t even see the information by clicking on more info under network in the cockpit. At that point, I couldn’t change anything until I tried the network reset procedure in the documentation for just that interface which worked.
Since then, I proceeded to reinstall everything and I had some backups but the restore didn’t work well, I had to reconfigure everything from scratch.

Here are a few recommendations:

  1. I installed ClearOS in a VM 2 days ago just to experiment and compare. They use the basic installer and they tweaked it a little. They removed the part where you are offered to create a user, asking just for the root password. Perhaps this is something that could be done with Nethserver’s installation. Both ClearOS and Nethserver are using CentOS installer. Anyways, it could possibly help not having the same issues I had.

  2. When installing the AD, I wonder if there could be a better strategy than binding my interface. At least, if I remove the AD, checks should be performed to see if the bridge can be removed and to perform the procedure for the user which would be a lot simpler and less of a headache.

I had used Zentyal before Nethserver, I think at the time it was Zentyal 4.0, that was in 2014 more or less. I used it for a good year or two. Two times I had issues because of unfiltered updates that would screw up my config and I had to restart from scratch. I did config backups yes but that didn’t work 100%. At the time, I didn’t have all the appropriate tools to restore everything smoothly and easily and coming from a Windows world, I had a lot to learn. I’m also primarily a developer. I’ve done C++ back in the days and now have been doing years of C# and really enjoying the new Open Source tools. But I like to learn and there is a huge advantage to knowing all these technologies. Zentyal’s community isn’t very helpful. But Nethserver’s community is AMAZING!

I haven’t used the full potential and power of Nethserver yet. I did check out OPNsense and like Andy was saying it is really specialized for one very specific thing. So specialized in fact that I got a little lost but could manage to eventually figure it out. I haven’t decided to replace Nethserver for it just yet. Besides I am not ready and don’t have the hardware and would like to concentrate on one thing at a time because with Proxmox coming in down the pipe and possibly trying to virtualize UNRAID in the Proxmox box, I will have my hands full.

Nethserver has been great so far. There have been issues but the community has been responsive and that is, like I said, very valuable!

2 Likes

That’s right but Nethserver aims to be a firewall too. For sure less flexible/complex with less firewall-specific addons than OPNsense but a good, easy-to-use firewall based on shorewall with a nice cockpit UI.

You may split up Nethserver in firewall/gateway and server(s). Then you can safely use Wireshark on the firewall without disturbing the AD.

I know and I appreciate it when you share your broad experience with different systems/networks. But the “avoid the Neth firewall” was too hard for me. :grin:
I fully agree with you about using a “specialist” software for any goal to reach but it has disadvantages too. You need to learn and maintain a lot of different systems and troubleshooting gets harder.

Yes, please try it. I’d really be interested if you miss some basic function you need for your networks.

2 Likes