OPNsense Forum
English Forums => General Discussion => Topic started by: mimugmail on January 09, 2021, 10:39:06 am
-
Dear all,
Within the last weeks I started a new project: OPNsense community repository
What is it all about?
A couple of packages don't really make sense on a Firewall platform like Java or MySQL DB, but may be important for some individuals trying to achieve own goals.
It starts with hosting the Unifi Controller on the Firewall itself because of a missing extra device and goes over to InfluxDB and Grafana on the local system.
Since these dependencies like JDK are too big or may be only distributed via binary blob there is no way they will find their way into core, and that makes total sense.
To overcome this quality assurance you can now load an external repository which will also allow the addition of plugins also with custom fields.
But finally this will have a couple of drawbacks like OpenSSL-only and limited time to test every update.
If you still feel brave and want to join you can go over here and start on:
https://www.routerperformance.net/opnsense-repo/
Have fun :)
-
"Unifi Controller"
This guy knows me very well.
Of course we need a plugin for Unify, it's awesome!!! :D
InfluxDB, Grafana?
Nice! I will try the OPNsense dashboard I have published on my GitHub :)
If you are adding Elasticsearch, this can be awesome!
But we are starting to put too many things on a Firewall.... or it's going to be a Firewall ++++++ x'D.
Be crazy, add Docker x'D... (Good luck with Hardened BSD ahah), maybe a Jail will be better :)
Anyway, thank you very much for Sharing this!
I guess you didn't fill your repo with your plugins yet here ? https://github.com/mimugmail/opn-repo
-
No, the GitHub repo is only to track bugs, issues and feature requests. Elastic shouldn't be a problem, just add a feature request :)
-
Good job mimugmail.
This community repo idea has great potential imho.
-
@mimugmail: how about adding the latest ntopng 4.3 (from ntop.org) into the repo?
-
I already had a look but we have to see how often they update the pkgs as these are development builds. It may be more unreliable than the usual plugin.
-
Perhaps we could differentiate stable and development packages? Unifi controller could have stable and development branch too...
-
I added a plugin for Zeek right now :)
-
I am voting to add a plugin for nprobe so we could forward the information to an external ntopng
-
@mimugmail - great stuff!
-
I am voting to add a plugin for nprobe so we could forward the information to an external ntopng
Can you open an issue via my GitHub repo?
-
Thanks for your work on this. I have your Adguard package installed (although I have to run it manually for the time being as it looks like there are some startup issues with it). I didn't realize that this runs natively on FreeBSD so I'm looking forward to being able to move DNS services to opnsense and remove a server (dedicated linux Adguard [formerly pi-hole] server) off the network.
Any thoughts of incorporating static DHCP names into the DNS Rewrites section of Adguard? I have a few static DHCP entries on my network so to resolve these names, I have unbound running on a different port (which maps these names) and then have Adguard running on port 53 that forwards to this unbound service.
If the static name entries could be added directly into adguard, I could remove the unbound service from running entirely and forward directly to something upstream.
Thanks again!
-
AdGuardHome needs more love, I'm still working on it.
-
I finally got AdGuardHome working as an opnsense plugin. Grab it from here: https://www.routerperformance.net/opnsense-repo/
It's still lacking status view, but after install and enabling it's available via port 3000 (if no other service listens to it).
-
Looks like the service started up just fine after it was enabled. Turned down my old, physical pi-hole device yesterday. Thank you for your work on this!
-
Looks like the service started up just fine after it was enabled. Turned down my old, physical pi-hole device yesterday. Thank you for your work on this!
Nice 8)
-
I finally got AdGuardHome working as an opnsense plugin. Grab it from here: https://www.routerperformance.net/opnsense-repo/
It's still lacking status view, but after install and enabling it's available via port 3000 (if no other service listens to it).
Good work. Been running it as first-in-chain dns on client subnet for a couple of days now.
Not sure if you're aware but the plugin does not seem to run on boot. I presume this is related to the service status which is not working as well.
Could you propose a workaround or do you suspect it might be caused by my environment?
dmesg.boot:
-
I will have a look, thx
-
I have the same issue. Plugin will not start AdguardHome at boot, have to start it manually.
-
Please check for updates again. I updated to 1.3 with full service control
-
Thank you so much for the quick response, MiggityMuggity. Will try this update when I get back home later.
-
Please check for updates again. I updated to 1.3 with full service control
I can confirm that both the service status and starting on boot is solved with this new release.
Your quick response and action is very much appreciated!
-
If anyone would like to test if AGH works with LibreSSL tool, I'd be very thankful :)
-
If anyone would like to test if AGH works with LibreSSL tool, I'd be very thankful :)
I'm running it on LibreSSL ;)
-
Hooray for boobies .. eh .. go-lang :)
-
Beer & Boobies for mimugmail
-
I added plugins for Elasticsearch and Kibana now.
-
Nice work Michael! Kudos!!
Can you share the steps that you followed to build a plugins-only repository ?
-
pkg repo /folder/of/plugins
Or what do you mean?
-
Simple as that?? :-)
I tried, but it doesn't look like the poudriere repo dir structure.
Am I missing something?
-
Hello Michael! I realized how it works!! Thank you very much!
I was struggling with poudriere to make it work!
Many thanks!
-
This is very cool and hope to try out soon! Great work!
-
Howdy, OPNsense noob here. I am using Pop OS and I am getting this error:
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Command 'fetch' not found, did you mean:
command 'efetch' from deb acedb-other (4.9.39+dfsg.02-4build1)
command 'efetch' from deb ncbi-entrez-direct (13.7.20200713+dfsg-1)
command 'sfetch' from deb biosquid (1.9g+cvs20050121-12)
command 'afetch' from deb biosquid (1.9g+cvs20050121-12)
command 'ifetch' from deb ifetch-tools (0.18.2-1)
Try: sudo apt install <deb name>
I am obviously missing something simple. Thanks for help!
-
@oompa `fetch` is a FreeBSD command line tool that is more or less the equivalent of Linux' `wget`.
You are supposed to enter this command on your OPNsense firewall.
-
Ha! I was pretty sure I successfully SSH'd into the router but upon checking, it never established connection (and I used SSH only once before), hence the error. All good now.
It seems like the install went through just fine, but I can't see Adguard Home in services. Is it supposed to show up there or somewhere else?
Thanks!
Edit: I checked a bit later and Adguard Home finally showed up in services. I enabled it.
Can you please provide easy to follow instructions on how to configure it?
I (a noob to remind everyone) tried accessing my router address with the 3000 port, let's say 192.168.1.1:3000, and nothing happens.
-
OK, quick update. I am in the middle of setting a Wireguard client with Mullvad and for some reason I can now access the 3000 port on my router leading to AGH config page.
Is there a guide on how to set it up?
I am coming from Brume, which had an excellent AGH app, with easy to import blacklists. It was working great (with Wireguard, AGH and packet inspection) until it wasn't (lots of hangups probably due to the overheating because of high CPU load) so I returned it and now I am trying OPNsense on HP T730.
Thanks!
-
I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through Wireguard.
Before with unbound on port 53 it was working. No other change I did than installing AdGuard on port 53 and switched off Unbound.
Any idea where to search?
-
unbounddns > access list, I guess you didn't add your WireGuard network there...
-
unbounddns > access list, I guess you didn't add your WireGuard network there...
Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.
With my unbound set-up before, Wireguard was working. After change to AdGuard DNS, Wireguard was not working any more. On the AdGuard configuration page, the Wireguard network was listed as listening.
But it is solved now. It was some kind of UDP routing issue. The DNS setting on the WireGuard client was not pointing to the WireGuard interface IP. It was pointing to another network on OPNsense. With Unbound this worked. With AdGuard UDP access was not working. By using a test tool and TCP port it also worked. After I changed the DNS IP on the WireGuard client to the WireGuard interface IP it also worked with AdGuard.
-
Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.
Sorry I should have read your post twice before trying to answer... missed the fact that it does not work with AdGuard...
-
Is anyone using Adguardhome as a DHCP server? I cannot get it to respond to dhcp requests. The service does start up and it's listening on the port as I've disabled the dhcp server within OPNsense.
root@OPNsense:/usr/local/AdGuardHome # lsof -i :67
lsof: WARNING: compiled for FreeBSD release 12.2-RELEASE-p3; this is 12.1-RELEASE-p13-HBSD.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
AdGuardHo 35588 root 11u IPv4 0xfffff801181f8ac0 0t0 UDP *:bootps
But it's not responding to dhcp client requests:
root@OPNsense:/usr/local/AdGuardHome # tcpdump -i igb1 port bootps
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:56:50.074579 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:51.651994 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:51.987743 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:56:54.047915 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:58.008635 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:62:6e:53:ae:22 (oui Unknown), length 277
DNS on adguardhome runs fine as I've disabled unbound but cannot get DHCP services to work.
-
When you disable the local DHCP service you have to allow DHCP packets as these auto rules are removed
-
When you disable the local DHCP service you have to allow DHCP packets as these auto rules are removed
Thanks for the quick reply mimugmail. I didn't realize about the auto rules and went ahead and created them manually for the Adguard dhcp server. This still didn't resolve the issue.
I see the requests coming through from the client but no replies:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:24:35.356678 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:24:39.550372 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:40.623400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:43.004900 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:47.879591 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
There are no drops in the firewall logs for DHPC traffic.
I'm uploading my firewall rule lists for DHCP which I copied from the auto rules.
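As an added example (not code from the thread or the plugin), a small Python parser for the kind of `tcpdump -i igb1 port bootps` capture posted above. It counts DHCP requests per client MAC and server replies, so a capture with requests and zero replies, as in this post, is flagged as the server-side problem the thread is discussing rather than a client issue. The reply line in the sample is constructed; the original capture had none.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump banner and five request lines from the post
# above, plus one reply line in tcpdump's "Reply" format added here (the
# original capture contained no reply at all) so the logic has a positive case.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:24:35.356678 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:24:39.550372 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:40.623400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:43.004900 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:47.879591 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:48.102311 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""

# One tcpdump line (non-verbose output): timestamp, src.port > dst.port,
# then either "Request from <mac>" or "Reply".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>bootp[cs]) > "
    r"(?P<dst>\S+)\.(?P<dport>bootp[cs]): BOOTP/DHCP, "
    r"(?:Request from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})|(?P<reply>Reply))"
)


def parse_dhcp(text):
    """Yield ('request', client_mac) or ('reply', server_ip) per matching line.

    Banner lines ("tcpdump: ...", "listening on ...") do not match and are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("mac"):
            yield "request", m.group("mac")
        else:
            # The server's address is the source of a reply.
            yield "reply", m.group("src")


def dhcp_summary(text):
    """Summarise a capture: requests per MAC, replies per server, and a verdict.

    verdict:
      no_traffic  - nothing DHCP-related seen on the interface at all
      no_replies  - clients are asking but no server answers (the situation in
                    this thread: check the daemon's bind with lsof -i :67 and
                    the pass rules that OPNsense removed with its own DHCP server)
      ok          - at least one server reply was captured
    """
    requests = Counter()
    replies = Counter()
    for kind, who in parse_dhcp(text):
        (requests if kind == "request" else replies)[who] += 1
    if not requests and not replies:
        verdict = "no_traffic"
    elif not replies:
        verdict = "no_replies"
    else:
        verdict = "ok"
    return {"requests": requests, "replies": replies, "verdict": verdict}


if __name__ == "__main__":
    summary = dhcp_summary(SAMPLE_CAPTURE)
    for mac, n in summary["requests"].most_common():
        print(f"{mac}: {n} request(s)")
    print("replies:", dict(summary["replies"]), "verdict:", summary["verdict"])
```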
-
Just a guess, but does the AdGuard server have the privilege and the code to put the LAN interface in promiscuous mode on FreeBSD?
@tusc, if you look with ifconfig, you should see a "promisc" for the network interface in question. If that is missing, you can configure that manually with e.g. ifconfig igb0 promisc.
HTH,
Patrick
-
@tusc, if you look with ifconfig, you should see a "promisc" for the network interface in question. If that is missing, you can configure that manually with e.g. ifconfig igb0 promisc.
HTH,
Patrick
Thanks for the idea Patrick. I checked and the LAN interface settings remain the same after I disable the OPNsense dhcp server. It doesn't appear that promiscuous mode is disabled. I assume because I'm also running Sensei and NetFlow/Insight?
igb1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
-
You can also ask the Guys from AdGuardHome via GitHub If its even supported on BSD. We use their stock binary
-
Thanks for this. I am having an issue with the UniFi Controller software though. The UniFi Controller GUI is inaccessible after a fresh install.
I actually had it working fine on a test install on a different device, but with permanent device I tried fresh install of it and even with rebooting OPNsense, restarting and stopping service and daemon over and over, I cannot access the GUI at either 8080 or 8443 at all. I don't see any issues in logs, service appears started in status. Port scan shows 8080 in use.
-
Via cli:
sockstat -4
-
Thanks. After doing that, I just checked to see if I could access before going further and it started working, so not sure why after several days it just worked, but it's good. WebRTC cloud access says 'connection failed' though, but I am used to seeing that on Windows based controller installs if 64-bit Java isn't installed, so perhaps this plugin is missing something that requires that to work, but I can work around that if need be.
-
Firstly, thank you for the repo and plugins, great idea.
I'm struggling to get Adguard working.
I'm on opnsense 21.1.3
I have:
- Added the custom repo
- Installed the plugin: os-adguardhome-maxit (misconfigured)
- Enabled the plugin
When I browse to https://192.168.1.1:3000/ I get nothing. Any tips for things to check?
Thanks
-
Via cli:
sockstat -4 | grep 3000
-
Firstly, thank you for the repo and plugins, great idea.
I'm struggling to get Adguard working.
I'm on opnsense 21.1.3
I have:
- Added the custom repo
- Installed the plugin: os-adguardhome-maxit (misconfigured)
- Enabled the plugin
When I browse to https://192.168.1.1:3000/ I get nothing. Any tips for things to check?
Thanks
Remove the S in HTTPS.
-
First of all, thx for the good work, i also owe you boobs and beer :)
I also have a problem with unifi. I guess in my case it is because I use Sensei with MongoDB backend. After Unifi installation neither Sensei nor Unifi works. I guess I will need more memory to install Sensei with Elasticsearch...
-
Hm, I'd guess Sensei uses a different Mongo Version than unifi requires. Did I list Sensei as a limitation on my page?
-
I can't see such a limitation on https://www.routerperformance.net/opnsense-repo/
Anyway. Without Sensei I still can't access https://192.168.48.1:8080/ or http://192.168.48.1:8080/ either.
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 53839 4 tcp4 192.168.48.1:22 192.168.48.10:3039
root ntpd 6828 21 udp4 *:123 *:*
root ntpd 6828 22 udp4 192.168.48.1:123 *:*
root ntpd 6828 25 udp4 127.0.0.1:123 *:*
root lighttpd 57208 4 tcp4 127.0.0.1:43580 *:*
_flowd flowd 96034 3 udp4 127.0.0.1:2056 *:*
mongodb mongod 45710 11 tcp4 127.0.0.1:27017 *:*
nobody samplicate 8023 3 udp4 127.0.0.1:2055 *:*
nobody samplicate 8023 4 udp4 *:38383 *:*
unifi java 73302 146 tcp46 *:8080 *:*
unifi java 73302 150 tcp46 *:8880 *:*
unifi java 73302 157 tcp4 127.0.0.1:37396 127.0.0.1:27117
unifi java 73302 158 tcp4 127.0.0.1:35726 127.0.0.1:27117
unifi java 73302 159 tcp4 127.0.0.1:12523 127.0.0.1:27117
unifi java 73302 160 tcp4 127.0.0.1:20690 127.0.0.1:27117
unifi java 73302 161 tcp4 127.0.0.1:14841 127.0.0.1:27117
unifi java 73302 162 tcp4 127.0.0.1:18784 127.0.0.1:27117
unbound unbound 44697 3 udp4 *:53 *:*
unbound unbound 44697 4 tcp4 *:53 *:*
unbound unbound 44697 5 udp4 *:53 *:*
unbound unbound 44697 6 tcp4 *:53 *:*
unbound unbound 44697 7 udp4 *:53 *:*
unbound unbound 44697 8 tcp4 *:53 *:*
unbound unbound 44697 9 udp4 *:53 *:*
unbound unbound 44697 10 tcp4 *:53 *:*
unbound unbound 44697 11 tcp4 127.0.0.1:953 *:*
root miniupnpd 26603 7 tcp4 *:2189 *:*
root miniupnpd 26603 8 udp4 *:1900 *:*
root miniupnpd 26603 9 udp4 192.168.48.1:47200 *:*
root miniupnpd 26603 11 udp4 192.168.48.1:5351 *:*
dhcpd dhcpd 72841 9 udp4 *:67 *:*
root lighttpd 84624 5 tcp4 127.0.0.1:443 *:*
root lighttpd 84624 7 tcp4 192.168.48.1:443 *:*
root lighttpd 84624 8 tcp4 127.0.0.1:80 *:*
root lighttpd 84624 10 tcp4 192.168.48.1:80 *:*
root sshd 74266 4 tcp4 127.0.0.1:22 *:*
root sshd 74266 5 tcp4 192.168.48.1:22 *:*
? ? ? ? udp4 127.0.0.1:4671 127.0.0.1:2055
? ? ? ? udp4 127.0.0.1:60588 127.0.0.1:2055
? ? ? ? tcp4 192.168.48.1:8080 192.168.48.10:3046
? ? ? ? tcp4 192.168.48.1:8080 192.168.48.10:3078
How can I help further?
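As an added example (not from the thread or the plugin), a Python parser for the `sockstat -4` listing above that answers, from the listing alone, the question raised repeatedly in this thread: which process holds a port, and whether it is bound where a LAN client could reach it, so that only the firewall rules remain to check. The sample is constructed from rows posted in this thread (the unifi, mongod and lighttpd rows above plus the AdGuardHom row from a later post).

```python
# Constructed sample assembled from sockstat -4 rows posted in this thread,
# trimmed to the rows the checks below exercise.
SAMPLE_SOCKSTAT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 53839 4 tcp4 192.168.48.1:22 192.168.48.10:3039
root lighttpd 57208 4 tcp4 127.0.0.1:43580 *:*
mongodb mongod 45710 11 tcp4 127.0.0.1:27017 *:*
unifi java 73302 146 tcp46 *:8080 *:*
unifi java 73302 150 tcp46 *:8880 *:*
unifi java 73302 157 tcp4 127.0.0.1:37396 127.0.0.1:27117
unbound unbound 44697 3 udp4 *:53 *:*
unbound unbound 44697 11 tcp4 127.0.0.1:953 *:*
root AdGuardHom 11694 8 tcp46 *:3000 *:*
? ? ? ? tcp4 192.168.48.1:8080 192.168.48.10:3046
"""


def parse_sockstat(text):
    """Parse `sockstat -4` output into dicts; the header row is skipped.

    Each data row has seven whitespace-separated fields. Rows for sockets
    whose owner sockstat cannot resolve show '?' in the first four columns
    and are kept as-is.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = fields
        local_host, local_port = local.rsplit(":", 1)
        records.append({
            "user": user, "command": command, "pid": pid, "fd": fd,
            "proto": proto, "local_host": local_host, "local_port": local_port,
            "foreign": foreign,
        })
    return records


def listeners(records, port):
    """Sockets bound to `port` with no peer ('*:*'): listening TCP sockets or
    unconnected UDP sockets. Established connections on the same port, such
    as the 192.168.48.1:8080 -> 192.168.48.10:3046 row, are excluded."""
    return [r for r in records
            if r["foreign"] == "*:*" and r["local_port"] == str(port)]


def lan_exposed(records, port):
    """True when some listener on `port` is bound to all addresses ('*') or to
    a non-loopback address, i.e. the daemon itself is reachable from the LAN
    and only the firewall rule set decides whether clients get through."""
    return any(r["local_host"] == "*" or not r["local_host"].startswith("127.")
               for r in listeners(records, port))


def loopback_only_services(records):
    """Commands whose listening sockets are all on 127.0.0.1 (e.g. the mongod
    backing the UniFi controller); no firewall rule can make those reachable."""
    hosts_by_cmd = {}
    for r in records:
        if r["foreign"] == "*:*":
            hosts_by_cmd.setdefault(r["command"], set()).add(r["local_host"])
    return sorted(cmd for cmd, hosts in hosts_by_cmd.items()
                  if all(h.startswith("127.") for h in hosts))


if __name__ == "__main__":
    recs = parse_sockstat(SAMPLE_SOCKSTAT)
    for port in (8080, 3000, 27017):
        who = ", ".join(f"{r['command']} ({r['proto']} {r['local_host']})"
                        for r in listeners(recs, port)) or "nobody"
        print(f"port {port}: {who}; LAN-reachable bind: {lan_exposed(recs, port)}")
    print("loopback-only services:", loopback_only_services(recs))
```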
-
As you can see the port is open and running. Did you allow access via Firewall rules?
-
Just added them, but i think the default rule that allows LAN to LAN address solves this by default. Still no go.
-
Via cli:
sockstat -4
root AdGuardHom 11694 8 tcp46 *:3000 *:*
OKAAAAAY! I just understood. I needed to open a firewall rule to allow access from the LAN. I know that seems basic to you, but I'm still learning!
A line explaining that (with an example rule) in your installation instructions would help beginners like me.
Thank you!
-
Via cli:
sockstat -4
root AdGuardHom 11694 8 tcp46 *:3000 *:*
OKAAAAAY! I just understood. I needed to open a firewall rule to allow access from the LAN. I know that seems basic to you, but I'm still learning!
A line explaining that (with an example rule) in your installation instructions would help beginners like me.
Thank you!
By default, there is no rule required to access it. Access any LAN covers that. I've never had to make any rule to access anything on a default setup LAN.
-
Can someone help me with the best/most correct way to get AdGuard to serve DNS?
Is there a good setup guide somewhere to show how to link it correctly?
-
@N0_Klu3, I've set it up where Adguard listens on port 53 and point the upstream DNS to the Unbound DNS server on OPNSense. You just need to change the port Unbound is listening on (e.g. 7553) and update Adguard upstream section accordingly.
This way local IP addresses have name resolution since the DHCP server on OPNsense registers all addresses and returned by Unbound. Hope this helps.
-
@tusc, yes, that's what I'm looking for.
Can you give me more info? Or some screenshots?
Right now I just put my AdGuard IP as DNS in General, and then told Unbound to forward requests instead.
This works for the most part but I am seeing some issues.
-
Not on the first try, but on another machine when I try to assign a different port on unbound, the system updater couldn't find any updates, so I had to put unbound back to port 53 and then use a port forwarding rule to direct traffic to the different port that I put AdGuard Home on.
-
AdGuard needs an upstream DNS anyway, because it is not a fully functional recursive resolver. Therefore instead of letting AdGuard forward to Cloudflare, Google, what-have-you ... I would (and I do) have AdGuard listen to port 53 on all interfaces and then forward to either Unbound or BIND configured to listen on some high port.
To reconfigure AdGuard's listening address you need to edit its config file, no UI for that yet. It's /usr/local/AdGuardHome/AdGuardHome.yaml:
dns:
  bind_host: 0.0.0.0
  port: 53
  [...]
  upstream_dns:
    - 127.0.0.1:53530
127.0.0.1:53530 is my BIND. You can configure Unbound to do the same.
-
I created this guide for AdGuard home.
https://forum.opnsense.org/index.php?topic=22162
Please review and scrutinise, I am more than happy to be corrected and get a better solution for all.
-
To reconfigure AdGuard's listening address you need to edit its config file, no UI for that yet. It's /usr/local/AdGuardHome/AdGuardHome.yaml:
dns:
  bind_host: 0.0.0.0
  port: 53
  [...]
  upstream_dns:
    - 127.0.0.1:53530
127.0.0.1:53530 is my BIND. You can configure Unbound to do the same.
It seems to me with Unbound you cannot select a 'custom' IP address...
-
Just a quick question regarding AdGuard. I installed it, poked around with it, and now I want to start fresh. However, upon reinstall, my settings still exist. Where can I wipe these and/or reset to defaults?
Thanks!
~Spritz
-
/usr/local/AdGuardHome
-
/usr/local/AdGuardHome
ugh, thanks for that. For some reason the first time I deleted that directory, it didn't seem to do anything. I even went so far as to do a locate on AdGuard and delete all mention of it (to no avail). That said, the second time I removed that directory, it worked fine.
Thanks again for your help!
~Spritz
-
Still loving the AdGuardHome plugin and that it works flawlessly on the same device as my opnsense installation.
I noticed from "System -> Firmware -> Plugins" that it shows up now as:
os-adguardhome-maxit (misconfigured)
It doesn't seem to affect things, but I did try deleting and reinstalling the software to see if it would go away and it doesn't? The console also displayed something about the metadata in /usr/local/opnsense/version/adguardhome-maxit being invalid or something?
-
I'll roll out a new batch fixing it. My build platform was missing some commits.
-
Firstly, thank you mimugmail for providing this repository, it's very useful.
Secondly, and this is not a complaint!.. AdGuard has had an update available for about a week (v0.106.3) but I'm seeing no update on the repository. Has the packaging and uploading of updates to the repository been automated? Could it be?
-
You can always Update via AdGuardHome UI, this works too. Next Plugin update will be 0.107
-
Thanks for the repo!
Is there a way to automate or change how often/when speedtest-cli runs via the GUI?
Update: Nevermind, Schedule in cron, and add server ID as a param... got it.
-
Is the Maltrail plugin still maintained and updated?
-
Sure, what's up?
-
I installed the os-speedtest-community plugin, but it will not install either of the plugins to allow a test to be run. It seems to act like it will, but it just keeps offering and says fetching for servers but never finds any.
-
https://github.com/mimugmail/opn-repo/issues/67
-
Thanks.
-
WebRTC cloud access says 'connection failed' though, but I am used to seeing that on Windows based controller installs if 64-bit Java isn't installed, so perhaps this plugin is missing something that requires that to work, but I can work around that if need be.
WebRTC access does not work for me either. This is a bummer because this means that cloud access does not work.
The only thing that jumps out a bit in the logs is "[2021-10-26T22:27:18,075] <launcher> WARN system - cannot load native lib - ubnt_webrtc_jni" but I've not been able to go from here.
-
Strange, must be something new with 6.4
-
Strange, must be something new with 6.4
It did not work on 6.2.26 either. Does Unifi cloud access work for you? Am I perhaps missing a critical step or misconfiguring something?
-
I dont use Unifi for myself, sorry :)
-
I never got it to work with web RTC either. I just resorted to forwarding ports. Can still use it via the cloud, just not using web RTC specifically.
-
@mimugmail JNI is for loading native code. My guess is that it tries to load a Linux so file on FreeBSD. This shared object is likely somewhere in a jar file.
-
Some more searching seems to indicate that WebRTC is not implemented correctly in FreeBSD.
Too bad :(
-
Some more searching seems to indicate that WebRTC is not implemented correctly in FreeBSD.
Too bad :(
Do you have a link here? I switched from poudriere build to OPNsense tools so there might be a dependency missing.
-
Thanks a lot for creating these!
I'm pretty new to OPNsense. I installed the InfluxDB plugin, enabled it under Services, then I'm not sure what to do next :-[
I went to http://192.168.0.1:8086 (My OPNsense IP with InfluxDB port) but just see '404 page not found'.
If I go to System > Firmware > Plugins it says misconfigured.
Any help on what to do next would be greatly appreciated :)
-
Influx does not have a web UI. It's a time series database. You pump metrics into it, e.g. with Telegraf, and then read them back out again for graphical presentation with e.g. Grafana.
-
Influx does not have a web UI. It's a time series database. You pump metrics into it, e.g. with Telegraf, and then read them back out again for graphical presentation with e.g. Grafana.
Oh! I use it in a Docker container, and that has a web UI, I thought this one did too :D
-
Maybe Influx2 has one, or the container also ships Grafana
-
Hello,
Due to log4j. Is it possible to Upgrade Unifi Controller to 6.5.54?
-
Sure, I need to check if it's already in the ports tree.
-
It's now on 6.5.54
-
Bump
Also, I thought the point of the Grafana stack was to get away from ELK?? ELK is very advanced for home usage, and even anything but large businesses. If you don't use comparative searches you don't need ELK, it's a resource hog. I've run it at home and it's nice but expensive to keep up.
That said, why do we need a full ELK stack just to import opnsense logs? Can't we pull directly from influx into grafana, or have a grafana/loki setup? If you are going to the trouble of setting up ELK just use the K as you don't need kibana and grafana at the same time really, it's just waste. Just my 2 cents :)
Thanks!
-
Today I added a plugin called "opn-arp" which simulates what arpwatch does in a very easy way, including IPv6 support. :)
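-
Added example, not the opn-arp plugin's own script: what an arpwatch-style check amounts to on FreeBSD. It parses constructed `arp -an` and `ndp -an` output (FreeBSD prints MACs through ether_ntoa(), so "0:e:c6:aa:bb:1" has to be normalized before comparing), keeps the MACs seen per (interface, address) pair, and reports a new station, a changed MAC, and a "flip flop" back to an earlier MAC, with an optional interface filter. The event wording is an assumption; it only needs to contain "MAC pair" so that a log search such as the monit rule discussed later in this thread can pick it up.

```python
"""Added example: arpwatch-style detection over FreeBSD `arp -an` / `ndp -an` output.
Illustrative code, not the opn-arp plugin."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output; not captured from a real firewall.
ARP_BEFORE = """\
? (192.168.0.1) at 0:e:c6:aa:bb:1 on igb0 permanent [ethernet]
? (192.168.0.10) at 0:11:22:33:44:55 on igb0 expires in 1189 seconds [ethernet]
? (192.168.0.20) at (incomplete) on igb0 expired [ethernet]
"""
ARP_AFTER = """\
? (192.168.0.1) at 0:e:c6:aa:bb:1 on igb0 permanent [ethernet]
? (192.168.0.10) at de:ad:be:ef:0:1 on igb0 expires in 1000 seconds [ethernet]
? (192.168.0.30) at 0:11:22:33:44:55 on igb0 expires in 600 seconds [ethernet]
"""
NDP_AFTER = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1%igb0                         0:e:c6:aa:bb:1      igb0 permanent R
2001:db8::10                         de:ad:be:ef:0:1     igb0 23h59m58s S R
"""

# "(incomplete)" entries and the ndp header line do not match and are skipped.
ARP_RE = re.compile(r"^\S+ \((?P<ip>[^)]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<ifname>\S+)")
NDP_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<mac>[0-9a-fA-F:]+)\s+(?P<ifname>\S+)\s")

Pair = Tuple[str, str]          # (ifname, ip)
Known = Dict[Pair, List[str]]   # MACs seen for that pair, most recent last


def normalize_mac(mac: str) -> str:
    """Zero-pad and lowercase, so '0:e:c6:aa:bb:1' equals '00:0e:c6:aa:bb:01'."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_neighbors(arp_text: str, ndp_text: str,
                    interfaces: Optional[Set[str]] = None) -> Dict[Pair, str]:
    """Return {(ifname, ip): mac} from `arp -an` and `ndp -an` output.
    `interfaces` optionally restricts the check, like the plugin's interface filter."""
    current: Dict[Pair, str] = {}
    for regex, text in ((ARP_RE, arp_text), (NDP_RE, ndp_text)):
        for line in text.splitlines():
            m = regex.match(line)
            if not m:
                continue
            ifname = m.group("ifname")
            if interfaces and ifname not in interfaces:
                continue
            ip = m.group("ip").split("%", 1)[0]   # drop the IPv6 zone id
            current[(ifname, ip)] = normalize_mac(m.group("mac"))
    return current


def diff_pairs(known: Known, current: Dict[Pair, str]) -> Tuple[List[str], Known]:
    """Compare a snapshot with what was seen before; return (events, updated_known).
    Pairs that vanished from the table produce no event, as in arpwatch."""
    events: List[str] = []
    updated: Known = {k: list(v) for k, v in known.items()}
    for (ifname, ip), mac in sorted(current.items()):
        seen = updated.get((ifname, ip))
        if seen is None:
            events.append(f"new MAC pair {ip} {mac} on {ifname}")
            updated[(ifname, ip)] = [mac]
        elif seen[-1] != mac:
            kind = "flip flop" if mac in seen else "changed"
            events.append(f"{kind} MAC pair {ip} {seen[-1]} -> {mac} on {ifname}")
            seen.append(mac)
    return events, updated


if __name__ == "__main__":
    known: Known = {}
    for arp, ndp in ((ARP_BEFORE, ""), (ARP_AFTER, NDP_AFTER), (ARP_BEFORE, "")):
        events, known = diff_pairs(known, parse_neighbors(arp, ndp))
        for e in events:
            print(e)
```

A changed MAC for an existing address is the event worth alerting on: it is what ARP spoofing, a cloned address, or a rogue DHCP client looks like from the gateway. A flood of "new" events right after a reboot is normal, since the known table starts empty.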
-
Today I added a plugin called "opn-arp" which simulates what arpwatch does in a very easy way, including IPv6 support. :)
Do you have an example monit-alert rule at hand?
Thanks for your work!!
-
https://docs.opnsense.org/manual/monit.html?highlight=monit
If you take example 3, you follow /var/log/system/latest.log (you have to disable circular log in System : Settings : Logging) and search for "MAC pair", should be sufficient.
-
Thanks, I will try that.
My problem now is that opn-arp does not want to start.
Where can I find the logs?
When I run it (as root) on the shell, I get
/usr/local/bin/opn-arp.sh: Permission denied.
-
put a "bash" infront of it :)
-
put a "bash" infront of it :)
Is "bash" part of the basic OPNsense installation? At least I don't have it ;)
-
Did you install the plugin the usual way? It should be a dependency
-
Did you install the plugin the usual way? It should be a dependency
I clicked on the "+" in the Plugin list after I had added your repository as described on your website. So yes, I would call this "the normal way" :) I reinstalled once, but it didn't help.
I did not use your repo before, so I did it just because of this Plugin.
-
I did a fresh install on a test system, same problem here.
bash is not installed as a dependency and not part of the standard installation. So the OPN-Arp plugin (which sounds cool), can't run.
I saw that the script itself is rather simple, no? Wouldn't it be possible to re-write it so it can be run inside the default shell (or even PHP if you like)? Just a thought...
-
Please type in console:
pkg install bash
I made a typo which doesn't recognize this, will release an update this week.
-
If you take example 3, you follow /var/log/system/latest.log (you have to disable circular log in System : Settings : Logging) and search for "MAC pair", should be sufficient.
I did this but I still don't have a "latest.log". The checkbox is set for "disable circular log".
I saw the "MAC pair" log written to the file "system_20220112.log" but this will be difficult to monitor.
Do you have a hint what I need to change in order to have this "latest.log"?
Thanks!
-
It will pop up on 22.1, sorry .. you need to wait 2 weeks. Otherwise it's not possible via monit
-
No problem, thank you!
It works in my testing environment so far, so I will probably put it on production.
Thanks for your effort!
-
https://docs.opnsense.org/manual/monit.html?highlight=monit
If you take example 3, you follow /var/log/system/latest.log (you have to disable circular log in System : Settings : Logging) and search for "MAC pair", should be sufficient.
Running 22.1 Having trouble getting the Monit rule setup, I can't get the settings to apply. Any help is appreciated:
Service Tests Settings
Name: opn-arp
Condition: MAC pair
Action: Alert
Service settings
Name: opnarp_alert
Type: File
Path: /var/log/system/latest.log
Start:
Stop:
Tests: opn-arp
Depends:
Description: ARP Alerts
-
Test-Condition:
content = "MAC pair"
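-
Added example, not generated by the OPNsense GUI or posted by anyone above: the service and test described in the two posts above, written out in monitrc syntax so the pieces can be checked against what ends up in the generated config.

```monit
# Added example: file check with a content test, as monit itself reads it.
check file opnarp_alert with path /var/log/system/latest.log
    if content = "MAC pair" then alert
```

Two caveats a practitioner should know: the `content` argument is a regular expression, and monit only inspects lines appended since its previous cycle, so an event already in the file when monit starts is not reported, and events logged between two cycles are reported in one batch at the next one.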
-
Can someone who's using the AdGuard plugin with the new 22.1 release confirm that it works properly.
I saw some changes to Unbound in the release notes.
TY
-
Works here. But I don't use Unbound. I don't see how AdGuard Home would be dependent on Unbound in any way.
-
Works over here also. AdGuard Home on port 53, and Bootstrap DNS servers + Private reverse DNS servers: Unbound on port 5353.
The update even fixed my old problem that when rebooting the opnsense box, adguard did not come up automatically.
Now all starts at booting opnsense as should. really loving 22.1
-
Can someone who's using the AdGuard plugin with the new 22.1 release confirm that it works properly.
I saw some changes to Unbound in the release notes.
TY
AG Home works. Installation is straightforward if you don't use Unbound. Just install the plugin, head to port 3000 of your firewall to finish the installation and you are done. You might want to change the port of the AdGuard web front end to another one. For this you need a console on the FW and change /usr/local/AdGuardHome/AdGuardHome.yaml with a text editor (change the bind port which is set to 80 as default).
If you have Unbound running, first log into the FW, change the port Unbound runs on (Services tab -> Unbound), e.g. to port 5335 and restart Unbound. Then install AdGuard like mentioned above and put 127.0.0.1:5335 as upstream DNS server into the AdGuard section.
-
Is this still being updated?
Just noticed Tailscale is still on version 1.20.3, pkg update shows repo up to date
Thanks in advance
-
No idea if it can be implemented, but powerd++ ( https://github.com/lonkamikaze/powerdxx ) might be interesting. It offers a better way to adjust the speed and power consumption of a CPU than powerd which ships with OPNsense, and with hardware running 24/7/365 even a small improvement in conserving energy is worth the work to implement it.
-
Is this still being updated?
Just noticed Tailscale is still on version 1.20.3, pkg update shows repo up to date
Thanks in advance
From time to time, yes. I can update it the next days
-
Is this still being updated?
Just noticed Tailscale is still on version 1.20.3, pkg update shows repo up to date
Thanks in advance
From time to time, yes. I can update it the next days
Brilliant, thank you!
-
Is this still being updated?
Just noticed Tailscale is still on version 1.20.3, pkg update shows repo up to date
Thanks in advance
From time to time, yes. I can update it the next days
Brilliant, thank you!
Do you use tailscale in production?
-
In a commercial environment no, i use it to access my servers at home as well as a couple I have hosted elsewhere :)
I see you've updated the package, thanks again for that!
-
I just upgraded OPNsense to 22.1.7, checked the plugin page and found "os-adguardhome-maxit (orphaned)". Does this mean the package is no longer available, or is it discontinued, so that I either have to find a way to install AdGuard Home on OPNsense myself or have to install it on a second machine now to keep it up to date?
-
No, I will take care of it
-
Everything should be in place now
-
@mimugmail when we install tailscale from package via your community repo, what if anything gets backed up in system => config => backups => download configuration ?
-
Nothing, because its not a plugin
-
Maybe it's been asked already so I apologize if so. I noticed that Caddy and other reverse proxies are available but I do not see NPM or Nginx Proxy Manager. Is this something planned for this repo?
-
Imho they are not available in FreeBSD ports
-
Their only method of deployment is as a docker container - so there ...
Better explore caddy - reputedly one of the best reverse proxy solutions around with Letsencrypt builtin.
-
(OT) -- what's wrong with haproxy if I may ask?
-
(OT) -- what's wrong with haproxy if I may ask?
Nothing. Caddy's USP is that the ACME HTTP protocol is builtin. So you setup www.mydomain.de, set "Letsencrypt on" and the rest is handled by magic. Plus the config is significantly shorter and easier to understand than either Apache or NginX, because "reasonable defaults". If you have just a single backend server and need SSL termination and SNI because "one static IP address", IMHO Caddy is for you.
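-
Added example, not from the post above or from the repository: the "single backend, TLS termination, SNI on one static IP" case as a Caddyfile. Caddy 2 enables HTTPS for any site block named by a public hostname and obtains the certificate itself (HTTP-01 or TLS-ALPN-01), so there is no "Letsencrypt on" switch to set. Hostnames and backend addresses are placeholders.

```caddyfile
# Added example. Two names on the same address; the client's SNI picks the block.
www.mydomain.de {
    reverse_proxy 192.0.2.10:8080
}

cloud.mydomain.de {
    reverse_proxy 192.0.2.11:8080
}
```

Because the ACME challenges arrive on 80 and 443, those ports must be reachable from the internet on the host running Caddy. On a firewall that means WAN rules for both, and since the OPNsense GUI itself listens on 443 by default (with the 80 redirect), either move the GUI to another port or bind it to an internal address before Caddy can take 443.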
-
Thanks!
-
I really like the community repo so far.
A great addition would be docker to give us tons of more features one could add to OPNsense. Maybe the installation of docker could be combined with Portainer for a web UI to easily manage the docker containers.
-
I really like the community repo so far.
A great addition would be docker to give us tons of more features one could add to OPNsense. Maybe the installation of docker could be combined with Portainer for a web UI to easily manage the docker containers.
Docker is a Linux ABI based technology. OPNsense does not run on Linux.
-
I really like the community repo so far.
A great addition would be docker to give us tons of more features one could add to OPNsense. Maybe the installation of docker could be combined with Portainer for a web UI to easily manage the docker containers.
Docker is a Linux ABI based technology. OPNsense does not run on Linux.
I know that but docker is available on FreeBSD since June 2015 too.
https://wiki.freebsd.org/Docker
PS: Yes, I read that it's currently broken but maybe they'll fix it at some point in the future.
-
They wont, I know the guy :)
-
Making Docker run on FreeBSD is an endless game of catch-up and I hope the foundation invests in improving the tooling of FreeBSD native containers (jails) instead. No matter how good your "Linux emulation" is - any day someone will come up with a new edge case and complain that this and that Docker image does not work. It's not a productive use of developer resources. If you need Docker, run Linux.
-
Using your OPN-arp plugin @mimugmail. Thanks again for the effort.
Running OPNsense 23.1.5_4-amd64 and since the recent upgrade the "opnarp daemon" service on my dashboard shows stopped. Initiating a restart generates a crash report with the progress bar hanging but nothing in the logs. Opnarp service appears to be working, I'm getting alerts via monit and I can start, restart the service w/o issue.
I've tried removing and reinstalling, same issue.
Any suggestions? Thanks
-
Reinstall the plugin should help
-
I tried removing the plugin, rebooting, and reinstalling. Still seeing the same issue with the opnarp daemon on the dashboard services page failing to start and creating a crash report when I try to start.
Any other suggestions?
-
Reinstall the plugin should help
Any other suggestions? I upgraded to 23.1.6, tried removing and reinstalling and having the same issue. Thanks
-
Do you filter for interfaces in opnarp config?
-
No i've left it blank to cover all interfaces.
-
A few more details. I've updated the opn-arp settings to include specific interfaces (igb0, lagg0). Still seeing the issue. I've tried clearing it out as well. In the Opn-arp setting I'm able to start, stop, restart the service w/o issue. I'm getting monit alert so I'm pretty sure the opn-arp service is running fine.
The issue may be specific to the services dashboard widget. I don't see any indication of the opn-arp service not starting or throwing any errors in the logs. In the services dashboard widget the service field is missing; there is a description "opnarp daemon". I tried excluding the service from the services widget using the opnarp, opnarp daemon, or opn-arp names, but the service isn't excluded from the dashboard.
It appears the dashboard widget isn't populating the service name causing it to not be able to report status nor start,stop, w/o crashing.
-
What happens when you start it via CLI?
-
Haven't tried that @mimugmail, whats the command? I'll give it a try later this afternoon.
I have restarted from the opn-arp setting tab in the UI, it starts, stops, restarts fine.
-
Haven't tried that @mimugmail, whats the command? I'll give it a try later this afternoon.
I have restarted from the opn-arp setting tab in the UI, it starts, stops, restarts fine.
Is it possible that this still isn't fixed? The daemon keeps on stopping over here.
-
Haven't tried that @mimugmail, whats the command? I'll give it a try later this afternoon.
I have restarted from the opn-arp setting tab in the UI, it starts, stops, restarts fine.
Is it possible that this still isn't fixed? The daemon keeps on stopping over here.
Can you start via CLI?
-
Whats the CLI command to start opn-arp?
-
I found the error, will push an update
-
Awesome thanks, looks to have fixed the issue in that the daemon shows green and started.
The service column is still missing a value and if I restart the service from the dashboard widget I'm still seeing a crash.
-
Fixed ...
-
Looks good, service reloads from the dashboard and the service field is populated. Thanks greatly
-
Fixed ...
@mimugmail - anyway to resolve an IP to hostname in the monit alerts coming from the opn-arp alerts?
-
This is pretty nice!
Any chance to have Grafana updated to a newer version? 8.5.20 is not even the latest release in the 8.5.x series and the latest release is 10.4.1 now.
Thanks!