
Messages - slackadelic

#31
Appreciate the response, but that is a bit different.   

Right now I'm just curious what line I need to use in the 'include' so I can set up a custom view for DNSBL and have a bypass view.  It should work, but I need to know what to tie to since dnsbl.conf is empty and doesn't appear to be used; the Python module appears to utilize .json, but I'm not sure how Unbound handles that or even if it does handle it.
#32
In the past I was able to create custom views within the command line and add them to /usr/local/etc/unbound.opnsense.d; however, that's when it was utilizing the dnsbl.conf directly.

Has anyone else attempted this?   All I see usable would be dnsbl.json, but when added to a custom .conf file unbound won't start.



This is the preliminary test:

server:
    access-control-view: 192.168.1.2/32 bypass
    access-control-view: 192.168.1.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /data/dnsbl.json




Any input would be appreciated!

Thank you!
#33
Quote from: 4dsf34w5 on December 11, 2022, 01:43:31 AM
System settings area is where I'm making the DNS changes.

Are you using unbound or anything as a DNS server?
#34
The only time I've ever used floating rules is when I needed the same rule to apply across multiple interfaces and weren't interface agnostic, if that makes sense.
#35
General Discussion / Re: DNS over TLS Setup help
December 09, 2022, 02:53:28 PM
Quote from: cookiemonster on December 09, 2022, 11:34:06 AM
It needs to go in the DNS over TLS dedicated section in Unbound.

Beat me to it!
#36
You're sure that Unbound is set to run on the LAN interface you have 192.168.10.1 on?
#37
Quote from: sacden on December 08, 2022, 09:33:09 PM
Hi,
I have disabled the service Unbound DNS and re-run the command.

Sorry nothing is changed, the same error:

[1670531369] unbound-checkconf[64742:0] error: duplicate forward zone . ignored.
no errors in /var/unbound/unbound.conf

So, I'm confused, you say that DNS isn't working, but the service is running?
Can you give some examples of what ISN'T working?
#38
Quote from: sacden on December 08, 2022, 09:17:57 PM
Hi,
the service is running, this is the result of command:

root@OPNsense:~ # configctl unbound check
[1670530498] unbound-checkconf[36560:0] error: duplicate forward zone . ignored.
no errors in /var/unbound/unbound.conf
root@OPNsense:~ #

Thanks

So if the issue happens where unbound stops, try the same command again with the service after it stops running, unless I'm misunderstanding what is going on.
#39
I would just make sure to apply the latest patch so you're at _3 patch level which has some fixes in it

Re-test and see if that works.
#40
If you believe unbound isn't running, please drop to the command line and run:
configctl unbound check

Post the output here please.
#41
If you're using suricata, disable it, then apply the latest patch, which should put you at 22.7.9_3, then start suricata again.
#42
Where are you making the changes?

I use CrowdSec and it's using the same DNS servers that I've configured, and I've changed it a few times.
#43
22.7 Legacy Series / Re: Vlan's crashing
December 08, 2022, 06:15:37 PM
Quote from: N#h27 on December 08, 2022, 05:24:07 PM
Yes I do. Static IPs, DHCPv4 server and RA for IPv6 that does tracking on my PPPoE Interface. (fun fact, when I lose the vlans, I also lose IPv6 everywhere. So I suspect there might be some link somewhere)

Interesting, can you disable IPv6 on those interfaces just to test?
#44
22.7 Legacy Series / Re: Vlan's crashing
December 08, 2022, 05:21:54 PM
Quote from: N#h27 on December 08, 2022, 05:13:44 PM
That doesn't sort the problem though. My Vlan clients can still ping each other through all the switches and the native vlan continues to work. But I completely lose all the vlan interfaces on the opnsense after a few minutes where it was working. The only log I get is the one I did put on the first post...

Do you have static IPs configured on those interfaces?  I've used VLANs on OPNsense for years and never have I seen this issue.
#45
22.7 Legacy Series / Re: Vlan's crashing
December 08, 2022, 03:51:36 PM
Quote from: N#h27 on December 08, 2022, 02:57:21 PM
I did try with a custom trunk profile. And that's when I got the problems

Well you shouldn't need to create a custom trunking profile honestly.  Just mark the ports with the Profile "ALL"

That will automatically take your native vlan and pass it, and treat the others as tagged.