20250429 push notes

projects/OPNsense/STANDARDS/Feature-Capability.md

@@ -0,0 +1,113 @@
+# OPNsense Feature Capability Overview (Industry Use)
+
+This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.
+
+---
+
+## ✅ Stable / Industry-Proven Core Features
+
+These features are well-supported, reliable, and commonly used in production deployments.
+
+### 🔧 Core Networking & Routing
+- VLANs (tagged, untagged)
+- Static and dynamic routing (OSPF, BGP via FRR plugin)
+- Multi-WAN with load balancing / failover
+- NAT (1:1, port forward, outbound NAT)
+- DHCP/DHCPv6 Server & Relay
+- DNS Resolver (Unbound) with DoT, conditional forwarding
+- NTP Server
+
+### 🔐 Firewall & Security
+- Stateful firewall with alias system
+- Schedule-based rules
+- GeoIP blocking
+- Packet logging and rule hit counters
+
+### 👥 Authentication
+- Local user DB
+- LDAP / Active Directory (GPO support)
+- Two-Factor Authentication (TOTP)
+- Captive Portal with LDAP/RADIUS integration
+
+### 🌍 VPN Services
+- OpenVPN (with client export)
+- IPsec (strongSwan)
+- WireGuard (kernel module; fast & stable)
+
+### 🔐 SSL Certificates
+- ACME/Let's Encrypt support
+- DNS-01, HTTP-01
+- Auto-renewal + deploy to services
+
+### 💾 Backup & Management
+- Local and remote encrypted backup
+- OPNcentral for multi-firewall config, update, backup
+- High Availability (CARP-based)
+
+---
+
+## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
+
+These features are usable but require testing or tuning to ensure stability.
+
+### 🛡️ Intrusion Detection / Prevention
+- Suricata (IDS/IPS)
+  - Can impact performance on low-RAM systems (≥8GB recommended)
+  - Inline mode works but may be unstable with certain NICs
+  - Regular ruleset updates supported
+
+### 🌐 Web Filtering / Proxy
+- Squid Proxy + ICAP/ClamAV
+  - SSL inspection fragile; requires CA deployment to clients
+  - Transparent mode unstable on some NICs
+  - Basic caching stable; filtering can be unreliable
+  - ICAP antivirus adds CPU load
+
+### 🔄 Dynamic DNS
+- DDNS client with broad provider support
+- Stable and scriptable
+
+### ☁️ Remote Backups
+- Supported to Google Drive, Git, Nextcloud (via plugin/scripting)
+- Manual testing of restore process recommended
+
+---
+
+## ❌ Experimental / Immature Features
+
+Avoid these for now in production or industrial deployments.
+
+### 📬 Mail Gateway / Relay
+- Basic Postfix relay plugin
+- No spam filtering or advanced mail security
+- Not recommended for secure mail handling
+
+### 🌐 Web Application Firewall (WAF)
+- Nginx WAF plugin exists
+- No full ModSecurity/OWASP integration
+- Better to isolate on a dedicated reverse proxy
+
+### 📦 OPNProxy Plugin
+- Adds fine-grained Squid-based user/group URL access control
+- Inherits Squid’s instability
+- Use with caution or for testing only
+
+---
+
+## Summary Table
+
+| **Feature**                    | **Production Readiness** | **Notes**                                                   |
+|-------------------------------|---------------------------|-------------------------------------------------------------|
+| Core firewall, routing        | ✅ Yes                    | Fully stable                                                |
+| VPN (OpenVPN, WireGuard)      | ✅ Yes                    | Strong support and maturity                                 |
+| Suricata                      | ⚠️ With caution           | Test on hardware; monitor CPU/RAM                           |
+| Web Proxy / Filtering         | ❌ Avoid or isolate        | Only basic use; SSL filtering often unstable                |
+| Antivirus (clamav)            | ⚠️ Optional               | High CPU use; best supplemented by endpoint AV              |
+| DNS & DHCP                    | ✅ Yes                    | Mature and reliable                                         |
+| Mail Relay                    | ❌ No                      | Lacks required filtering and logging for industrial use     |
+| WAF (nginx)                   | ❌ No                      | Too limited for meaningful protection                       |
+| DDNS, Backups, Certs          | ✅ Yes                    | Useful and stable                                           |
+
+---
+
+_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._

projects/OPNsense/STANDARDS/Monthly-Time.md

@@ -0,0 +1,22 @@
+## OPNsense Firewall Monthly Maintenance Estimate (Per Firewall)
+
+### Typical Monthly Tasks
+
+| **Task**                               | **Description**                                                                 | **Estimated Time** |
+|----------------------------------------|----------------------------------------------------------------------------------|---------------------|
+| **Firmware & Plugin Updates**          | Centralized via OPNcentral; all firewalls updated simultaneously.               | 1 hour              |
+| **Routine Configuration Changes**      | Adjusting existing settings, rules, or features (not new plugins).              | 1 hour              |
+| **VPN Client Configuration**           | Exporting client configs for OpenVPN/IPsec users.                               | 0.5 hour            |
+| **Monitoring & Alert Response**        | Reviewing OPNcentral alerts and responding to system warnings.                  | 0.5 hour            |
+| **Unexpected Issues / Tickets**        | Troubleshooting user reports or production issues.                              | 1 hour              |
+|                                        |                                                                                  |                     |
+| **Total (typical month)**              |                                                                                  | **~4 hours**        |
+
+---
+
+### Additional (Occasional) Tasks
+
+| **Task**                               | **Frequency**            | **Estimated Time**        |
+|----------------------------------------|--------------------------|----------------------------|
+| **New Plugin Integration**             | 1–2 times per year       | 1–3 days (one-time effort) |
+| **Firewall Policy Audit & Cleanup**    | Quarterly or Biannually  | 1–2 hours per audit        |

projects/OPNsense/STANDARDS/possible-impovements.md

@@ -0,0 +1,93 @@
+# OPNsense Recommended Plugins & Features (Industrial / Office Use)
+
+This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level.
+
+---
+
+## 🔍 Monitoring & Logging
+
+### ✅ Telegraf Plugin
+- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring.
+- **Integration:** Grafana, InfluxDB, Prometheus.
+- **Notes:** Lightweight and reliable.
+
+### ✅ Netflow / Insight (built-in)
+- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage.
+- **Use Case:** Bandwidth monitoring and anomaly detection.
+- **Notes:** Data can be archived for audit purposes.
+
+### ✅ Zabbix Agent
+- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments.
+- **Notes:** Trusted in enterprise and industrial networks.
+
+---
+
+## 🔐 Access Control & Identity
+
+### ⚠️ FreeRADIUS Plugin
+- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal.
+- **Notes:** Complex to configure; powerful in the right hands.
+
+### ✅ TOTP / 2FA for Web GUI
+- **Purpose:** Adds two-factor authentication for admin access.
+- **Notes:** Uses Google Authenticator or similar apps.
+
+---
+
+## 🛠️ Configuration & Deployment
+
+### ✅ Shellcmd Plugin
+- **Purpose:** Runs custom shell scripts/commands at boot or service start.
+- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes.
+- **Notes:** Excellent for hotfixes or automation in production.
+
+### ✅ Smart Plugin (S.M.A.R.T. Monitoring)
+- **Purpose:** Monitors local disk health if firewall is installed on SSD/HDD.
+- **Notes:** Essential for long-term reliability.
+
+---
+
+## 🧱 Firewall Enhancements
+
+### ⚠️ GeoIP Aliases
+- **Purpose:** Block/allow traffic by country.
+- **Notes:** Requires MaxMind license (free with registration).
+
+### ✅ Policy-Based Routing
+- **Purpose:** Custom WAN selection per VLAN/service/source.
+- **Notes:** Use for traffic shaping, failover, or VoIP priority.
+
+---
+
+## 📡 Edge / Optional Features
+
+### ✅ NTP Daemon
+- **Purpose:** Acts as internal time server for LAN devices.
+- **Use Case:** Environments without external NTP access.
+- **Notes:** Stable and lightweight.
+
+### ✅ mDNS Repeater
+- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint).
+- **Use Case:** Offices with Apple devices or smart printers.
+- **Notes:** Requires proper VLAN firewall rules.
+
+---
+
+## ✅ Recommended Baseline Set for Industrial Use
+
+| **Category**       | **Feature**            | **Plugin**        | **Trust Level** |
+|--------------------|------------------------|-------------------|-----------------|
+| Monitoring         | Telegraf, Netflow      | `telegraf`        | ✅ Stable       |
+| Logging/NMS        | Zabbix Agent           | `os-zabbix-agent` | ✅ Stable       |
+| Automation         | Boot Scripting         | `shellcmd`        | ✅ Stable       |
+| Identity/VPN       | FreeRADIUS (optional)  | `freeradius`      | ⚠️ Moderate     |
+| Access Security    | TOTP 2FA               | Built-in          | ✅ Stable       |
+| Routing Control    | Policy Routing         | Built-in          | ✅ Stable       |
+| Geo Restrictions   | GeoIP Aliases          | MaxMind required  | ⚠️ Moderate     |
+| Time Sync          | NTP Server             | Built-in          | ✅ Stable       |
+| Edge VLAN Utility  | mDNS Repeater          | `mdns-repeater`   | ✅ Stable       |
+
+---
+
+_This list is curated for environments that require high uptime, low maintenance, and avoid fragile or poorly maintained features like Squid or Zenarmor._
+