Central management

Hi

I am a heavy user of the PC Engines apu/alix boards as routers/firewalls and have been using them until now with the Voyage Linux (http://linux.voyage.hk/) Debian-based distribution. I have built a central management platform to deploy configs (with Ansible) and to have central VPN management (for OpenVPN), and am using Sensu for monitoring. So far that has worked well, but I am looking into a more advanced router/firewall platform and have found IPFire, as it is Linux-based (unlike pfSense/OPNsense).

Has somebody already built some kind of central management platform for IPFire? I have ~300 devices running and am looking for a long-term solution to grow that device base. E.g. can IPFire be managed via Ansible or a similar configuration management tool?

Looking forward to hearing some feedback from experienced IPFire users, and happy to work on extending IPFire!

KoS

No idea what you want. IPFire is completely managed via a WebGUI.
Have you ever looked at the documentation?

Btw: Welcome to the forum


Thanks @anon79392304.
Yes, I know that IPFire is managed via a WebUI, but I am asking if there is a way to manage it (in addition) centrally. E.g. apply settings to “all” IPFire devices that I will deploy, or do mass upgrades, or fetch backups of the configurations, etc.
I must admit I haven’t checked if there is a REST API or similar in the WebUI that would make such a thing possible too.
I hope this clarifies what I am looking for. I am sure I am not the only person that uses/will use IPFire on more than a handful of devices that can be “manually” managed.

Hi @kosli

You can try SNMP. Under IPFire: Pakfire > netsnmpd

Hello KoS,

Unfortunately there is no central management solution available right now.

In theory you could write your own Ansible playbook, but you would start from scratch here.

I didn’t know Ansible until now and have read a little about it.
As it looks, it is only possible by accessing SSH from the WAN, which breaks security guidelines?!
Mitigated by firewall rules allowing only single groups of source IPs.

Is it possible that clients/satellites collect orders (update, backup, log cleanup, install tasks) from the server/master by cron? Why? Not all customer firewalls are reachable on a static IP or DDNS hostname.

AFAIK Ansible is push only.

And you should simply set up a VPN for this.

Sure, but a VPN depends on a static IP/DDNS hostname too, doesn’t it?

https://wiki.ipfire.org/configuration/services/ipsec

Additionally, we assume that you have either a static IP for your Red interface, or if you do not, we assume that you have an automatically updated dynamic DNS hostname.

OpenVPN Net-to-Net requires 2 “static destinations” too. The Client-to-Net configuration is only for IPFire as a server, not as a client, AFAIK.

Thanks for all your feedback.

As mentioned, I have ~300 alix/apu devices running. All of them are connected to a central server with OpenVPN (= “calling home”: static IP on the server, no static IP needed on the client/device; I think it should even work with a dynamic IP on the server as long as you use a DDNS hostname… but as you can nowadays get a VM at e.g. Amazon for almost free, that shouldn’t be an issue). I am pushing the changes via Ansible to the devices. Note that you can also use Ansible in a pull-like manner, by e.g. distributing the configuration via a git/svn repository.

So I am looking into a similar approach to managing IPFire devices… I will work on this in the next couple of weeks…

KoS


The selling point of IPFire is the GUI but as you manage a sizable number of devices you probably won’t spend much time in the GUI. If you plan to manage your devices with Ansible, IPFire will just get in your way.

Wouldn’t it be easier to start from a plain Debian and use the existing Ansible roles to manage iptables, routes, OpenVPN, etc.?