I am a heavy user of the PC Engines APU/ALIX boards as routers/firewalls and was using them until now with the Voyage Linux (http://linux.voyage.hk/) Debian-based distribution. I have built a central management platform to deploy configs (with Ansible) and to have a central VPN management (for OpenVPN), and am using Sensu for monitoring. So far that worked well, but I am looking into a more advanced router/firewall platform and have found IPFire, as it is Linux-based (unlike pfSense/OPNsense).
Has somebody already built some kind of central management platform for IPFire? I have ~300 devices running and am looking for a long-term solution to grow that device base. E.g., can IPFire be managed via Ansible or a similar configuration management tool?
Looking forward to hearing some feedback from experienced IPFire users, and happy to work on extending IPFire!
Thanks @anon79392304.
Yes, I know that IPFire is managed via a WebUI, but I am asking if there is a way to manage it (in addition) centrally. E.g., apply settings to “all” IPFire devices that I will deploy, or make mass upgrades, or fetch backups of the configurations, etc.
I must admit I haven’t checked if there is a REST API or similar in the WebUI that would make such a thing possible too.
I hope this clarifies what I am looking for. I am sure I am not the only person that will use/uses IPFire on more than a handful of devices that can be “manually” managed.
I didn’t know Ansible until now and have read a little about it.
As it looks, it is only possible by accessing SSH from the WAN, which breaks security guidelines?!
Mitigated by firewall rules from single groups of source IPs.
Is it possible that clients/satellites collect orders (update, backup, log cleanup, install tasks) from the server/master by cron? Why? Not all customer firewalls are reachable on a static IP or DDNS hostname.
Additionally, we assume that you have either a static IP for your Red interface, or if you do not, we assume that you have an automatically updated dynamic DNS hostname.
OpenVPN Net-to-Net requires 2 “static destinations” too. The Client-to-Net configuration is only for IPFire as a server, not as a client, AFAIK.
As mentioned, I have ~300 ALIX/APU devices running. All of them are connected to a central server with OpenVPN (= “calling home”; static IP on the server, no static IP needed on the client/device, whereas I think it should even work with a dynamic IP on the server, as long as you use a DDNS hostname… but as you can nowadays get a VM at e.g. Amazon for almost free, that shouldn’t be an issue). I am pushing the changes via Ansible to the devices. You can also use Ansible in a pull-like manner by e.g. distributing the configuration via a Git/SVN repository.
So I am looking into a similar approach to managing IPFire devices… I will work on this in the next couple of weeks…
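To make the pull model raised in the two posts above concrete (devices without a static IP or DDNS name collecting their orders from the master by cron, instead of the master reaching them over SSH from the WAN), here is an added example of such a cron-driven agent. It is not code from this thread, from IPFire or from Ansible; the management URL, the per-device key file, the paths and the one-verb-per-line order format are assumptions made for the illustration, and the `pakfire upgrade` default stands in for whatever updater the platform uses. The security-relevant parts are that the orders file is authenticated with an HMAC before anything runs, that only allowlisted verbs are executed, and that malformed or unknown lines stop processing rather than being passed to a shell.

```shell
#!/bin/sh
# Added example, not code from the thread, IPFire or Ansible: a cron-driven
# "pull" agent for firewalls that have no static IP or DDNS name. The device
# fetches its orders file from the management server over the call-home VPN,
# verifies an HMAC-SHA256 over it with a per-device key, and executes only an
# allowlisted set of verbs. URL, paths, key file and order format are assumed.
set -eu

MASTER_URL="${MASTER_URL:-http://10.8.0.1/orders}"   # assumed: only routed via the VPN
DEVICE_ID="${DEVICE_ID:-fw-0001}"
KEY_FILE="${KEY_FILE:-/etc/pullagent/hmac.key}"      # assumed location, one key per device
WORKDIR="${WORKDIR:-/var/lib/pullagent}"
UPDATE_CMD="${UPDATE_CMD:-pakfire upgrade}"          # assumed; the platform's updater
BACKUP_SRC="${BACKUP_SRC:-/var/ipfire}"              # assumed config directory to back up
LOG_DIR="${LOG_DIR:-/var/log}"

# Print the hex HMAC-SHA256 of file $1 keyed with the contents of key file $2.
# Caveat: -hmac exposes the key on the command line to other local users via
# ps; acceptable on a single-admin firewall, otherwise use -macopt hexkey:.
hmac_hex() {
  openssl dgst -sha256 -hmac "$(cat "$2")" "$1" | awk '{print $NF}'
}

# verify_orders ORDERS SIGFILE KEYFILE -> 0 if the MAC matches, 1 otherwise.
verify_orders() {
  expected=$(hmac_hex "$1" "$3")
  actual=$(tr -d ' \n\r' < "$2")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# run_task VERB [ARG] -> 0 on success, 2 for a verb that is not allowlisted,
# 3 for a bad argument. Anything not listed here cannot be ordered remotely.
run_task() {
  case "$1" in
    update)
      $UPDATE_CMD ;;
    backup)
      mkdir -p "$WORKDIR"
      tar -czf "$WORKDIR/backup-$(date +%Y%m%d%H%M%S).tgz" \
        -C "$(dirname "$BACKUP_SRC")" "$(basename "$BACKUP_SRC")" ;;
    logclean)
      # ARG is the retention in days; digits only, so it cannot smuggle options into find.
      case "${2:-}" in ''|*[!0-9]*) echo "logclean: bad retention '${2:-}'" >&2; return 3 ;; esac
      find "$LOG_DIR" -type f -name '*.gz' -mtime +"$2" -delete ;;
    *)
      echo "refusing unknown order '$1'" >&2; return 2 ;;
  esac
}

# apply_orders ORDERS -> runs each "verb [arg]" line in order and prints the
# number applied. Fails closed: a line with characters outside [A-Za-z0-9._ ]
# returns 4, an unknown verb returns 2, and nothing after it is executed.
apply_orders() {
  orders=$1
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if [ -n "$(printf '%s' "$line" | tr -d '[:alnum:]._ ')" ]; then
      echo "rejecting malformed line: $line" >&2; return 4
    fi
    set -- $line                      # split into verb and optional argument
    run_task "$1" "${2:-}" || return $?
    n=$((n + 1))
  done < "$orders"
  echo "$n"
}

# One cron cycle: fetch, verify, apply, keep the last accepted orders for audit.
pull_cycle() {
  mkdir -p "$WORKDIR"
  wget -q -O "$WORKDIR/orders.new" "$MASTER_URL/$DEVICE_ID"
  wget -q -O "$WORKDIR/orders.new.sig" "$MASTER_URL/$DEVICE_ID.sig"
  if ! verify_orders "$WORKDIR/orders.new" "$WORKDIR/orders.new.sig" "$KEY_FILE"; then
    logger -t pullagent "orders for $DEVICE_ID failed HMAC check, ignoring"
    return 1
  fi
  applied=$(apply_orders "$WORKDIR/orders.new")
  mv "$WORKDIR/orders.new" "$WORKDIR/orders.last"
  logger -t pullagent "applied $applied orders for $DEVICE_ID"
}

# Assumed cron entry:  */15 * * * * /usr/local/bin/pullagent.sh run
if [ "${1:-}" = run ]; then pull_cycle; fi
```

The HMAC only proves the orders came from someone holding that device's key; it does not stop a replay of an older, still validly signed file, so in production add a sequence number or timestamp line to the orders and refuse anything not newer than `orders.last`. The same pull shape is what `ansible-pull` does when it checks out a Git repository and runs a playbook locally, so the agent above can be replaced by that once the repository itself is served only over the VPN and its commits are signed.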
The selling point of IPFire is the GUI but as you manage a sizable number of devices you probably won’t spend much time in the GUI. If you plan to manage your devices with Ansible, IPFire will just get in your way.
Wouldn’t it be easier to start from a plain Debian and use the existing Ansible roles to manage iptables, routes, OpenVPN, etc?