Hello, habrovchane!
While the flame wars about whether it is immoral to use free platforms to build commercial products rage on, we have quietly gone ahead and done it. And we do not hesitate to take money from customers, because on the basis of free code we wrote a really cool thing: a universal hardware security gateway. We used to have a commercially successful firewall, but for Microsoft Windows. At some point the stormy stream of ideas overflowed the banks of Windows, and the question arose: what next? Linux, or NetBSD/OpenBSD/FreeBSD? Our gurus got together, had a smoke and decided to use OPNsense instead of reinventing the wheel. This article will help those who want to do something similar.

Why OPNsense?
First, OPNsense is a fork of the open UTM system pfSense, which is considered one of the best solutions of its class based on FreeBSD. We studied the OPNsense code and liked its quality, as well as its approach to implementing functionality. Modern design principles are actively used here, above all the MVC model: data is stored in one place, and display is handled by a dedicated template subsystem. There is a controller for each module, a proper web API covers all of the functionality, the code is well structured, and the project leaders pay a lot of attention to coding style. This makes our development and support easier: dividing functionality into individual modules, separating out plug-ins and the rest of the programmer's routine. Among other things, the BSD license is ideally suited to the creators of a commercial product: it contains none of the so-called "copyleft" restrictions. Last on the list, but not least important: our developers had already used FreeBSD in earlier projects. That experience and those skills cannot be discounted.
Beginning of work
Cooperation with the OPNsense team began with our creating the Russian localization for the main branch of the project. It was expensive: professional translators worked for several months to Russify a huge number of interface elements, system messages and reference texts full of special terms, and we still keep all of this up to date. Moreover, when we encounter errors in OPNsense, we contribute fixes and improvements to the product, which are available to everyone for free, so that the "profiteers who make money from free software" contribute to the development of free code too.
Joining the mainstream
The guys from OPNsense were ready to cooperate. When we make any changes, the key project developers respond promptly and give feedback right away. If we contribute new functionality to the main branch of the base project, we have to maintain it ourselves, but bug hunting and testing become much simpler. There are things that are hard for us to live with, but we have to put up with them: the advantages of free software outweigh the disadvantages.
If we do refactoring that affects a large amount of code, the OPNsense developers are not always able to digest the changes quickly. They simply do not have enough resources for it, so functions that are still not available in the base version are already available in Traffic Inspector Next Generation. OPNsense uses the standard syslog, but we switched to syslog-ng a long time ago: it allows, for example, writing logs to a database. The logging system touches a lot of things, and the volume of changes was huge. To port the code to OPNsense, we tried to split it into several iterations, but the process is not yet complete.
The second point concerns changes in the web interface. In OPNsense the MVC model is far from being used everywhere: legacy code inherited from pfSense lingers there, and we were offered to move it onto the new "rails". We started the rework with the certificates page, but when OPNsense figured out the amount of work required to adopt the new code, their hair stood on end.
Problems…
Although we are official distributors of OPNsense, this does not give us elevated privileges to change the code of a free product. The community manages its own affairs; the project developers themselves must test and accept our changes. We can only offer to rework some of our solutions to make the changes easier to get accepted.
Accumulating differences from the main product code is a serious problem. We try to organize our work so as to make the update process as easy as possible. When an OPNsense update is carried over to Traffic Inspector Next Generation, our functionality should not break, and it in turn should not break new OPNsense functionality. It is important to understand that Traffic Inspector Next Generation is not an independently evolving fork: the two products interact constantly, and it is hard to keep them in a non-conflicting state. The amount of work is crazy, but you have to live with it.
It is not possible to simply slap on your logo and sell the product for money, although some clever people try to do it.
… and solutions
We deal with the problems as follows: if there is an opportunity to add functionality as a plug-in, we do so. OPNsense has a well-thought-out API for embedding plug-ins; it rarely changes, and the developers pay enough attention to backward compatibility. When a new version of OPNsense comes out, we also roll out a new version of Traffic Inspector Next Generation and update the code base with a minimum of headaches, although it is impossible to do entirely without them.
Another interesting point: we do not give all of our work to OPNsense. Some of it is needed only on the Russian market, and the proprietary modules have licensing restrictions. Our country has a law that obliges, for example, a cafe with a Wi-Fi access point to identify its clients. In Traffic Inspector Next Generation this is done via SMS, but such local Russian cuisine is of no interest to anyone abroad.
We can mention Kaspersky Anti-Virus: for it we built a package using the Kaspersky Lab libraries. Such a package cannot be integrated into the main branch. There is also a Russian resource filter based on NetPolice categories, which requires a subscription to the service, and, of course, things related to FSTEC certification, such as checking system integrity and notifying administrators when it is violated.
Dividing functionality into modules and actively using plug-ins allowed us to separate the flies from the cutlets effectively, but there are still many differences between the two products. Besides those already mentioned, there are the traffic reporting module and the single Control Center for managing several Traffic Inspector Next Generation devices. There is also a plug-in for integration with Microsoft Active Directory, a system for restricting access to network resources by IP and MAC address, and NTLM authentication. Some of these goodies will sooner or later appear in OPNsense, but many never will.
Machine differences
The most important difference: Traffic Inspector Next Generation is a hardware and software complex, i.e. a packaged solution. We take hardware from leading server manufacturers, create software for it and sell the whole thing, as they say, in one piece. The advantages are obvious: the customer receives a product that does not require complex configuration and has no software compatibility problems. On top of that, he gets a limited warranty and, of course, free technical support by phone and email.
The creators of free software cannot test every hardware platform and offer the software for use at your own risk. For support they have only documentation and forums, which we have as well (in Russian, moreover). Add to this the extra functionality we have already described, and you get Russified OPNsense on steroids along with ready-to-use iron; that is what you pay for. Moreover, there are configurations with an FSTEC certificate on sale, and OPNsense will not offer you that, for objective reasons.
Conclusion: "free" is not free
Using free products as the basis for commercial solutions requires an integrated approach and a trained team. A large community of developers quickly notices and corrects errors, and also tracks the changes made. In our case we get double control: we check the OPNsense code, and other project participants inspect our open code. As a result, the quality and reliability of both products increase. The cost reduction is hard to miss: we do not need to pay for licenses for the operating system, development tools and the modules implementing UTM functionality. This does not mean we got everything for free. The developers of the Smart-Soft team have devoted many years to creating solutions for the FreeBSD platform. Our experience is a significant component of the cost of creating Traffic Inspector Next Generation, and there are also plenty of direct financial costs. Developing solutions based on open source software is not a free pleasure, and if you overlook this, you will not manage to do anything worthy.