Recent posts

#1
General Discussion / Re: OPNsense 26.1.1 with Adgua...
Last post by coffeecup25 - Today at 06:48:35 PM
Quote from: akore on Today at 05:43:26 PM
Thanks coffeecup25. That is what I thought. I will do more research and give it another try. Thankfully OPNsense has Snapshots so that when I break it I can get it back to functioning without having to swap out the box while I nuke and pave and try again from scratch.

I have tried PFsense and OpenWRT on the Sophos box but I found the UI of OPNsense to be best out of the 3. OpenWRT is what I used for the first 4 months after buying the Sophos box but when I broke OpenWRT and I could not get it to install correctly a second time I thought it was time to try something else.

Once you get it figured out, I think you will be very happy with OPNsense and Adguard Home. I am. The initial config of Adguard Home was a little frustrating in getting everything properly synchronized. Sorting through all the differences is the worst part.

As I look back on it, the config was actually pretty simple. If it feels like you are jumping through strange hoops, start over. As I wrote before, the initial install screen is the most important. You only get one try and then have to go back to AdguardHome.yaml to fix what you need fixed. It's not difficult but it is annoying.

I haven't used OPNsense snapshots, so good luck there. I'm old fashioned and prefer good backups, but snapshots can certainly be better in the right circumstances.

I used pfSense CE for many years. Their update cycle was developing issues and becoming unreliable. OPNsense updates give me more confidence. My needs are simple so if development froze today, I would still remain happy. Nobody else would, I'm sure.

Openwrt on X86 looks like a bear to install. Good on you for getting it to work even once.

#2
Hey folks, all good?
I'm new to opnsense and having some difficulties, if anyone can help.

I installed a VM with opnsense and another with Windows; the Windows VM uses opnsense as its gateway. I access opnsense from that Windows VM, but I can't browse the internet.

opnsense has 2 interfaces; the WAN has fixed IP 192.168.0.253, the internet is working, I can update the system and even ping sites and IPs.
The LAN interface has fixed IP 192.168.1.1.

Windows has IP 192.168.1.2.

NOTE: opnsense has DHCP disabled

In System: Settings: General, DNS servers 8.8.8.8 and 1.1.1.1 are configured.

The Gateway has "Upstream Gateway" enabled.

In Firewall: Rules: LAN there is a default rule that allows the LAN to browse.

In Services: Unbound DNS: General - it's enabled

I can't see what's missing.

I come from pfsense, where it's more "automatic"; I'm struggling a bit with opnsense.

If anyone can help, I'd appreciate it.

Attached are some screenshots to make it easier.

Thanks

#3
26.1 Series / Re: upgrade from 25.7.11_9 an...
Last post by jmcgee - Today at 06:39:40 PM
Turns out it wasn't fine. Internet went down. Checked for updates; there was a plugin for ISC to install. Let it do that. Maybe reboot again; anyway, seems good now.
#4
26.1 Series / Re: QUESTION: How to implement...
Last post by Patrick M. Hausen - Today at 06:12:34 PM
You did split horizon with Unbound. Just keep doing it the same way. Split horizon and dynamic leases are in no way related.
#5
26.1 Series / Re: OpnSense 26.1.1 Destinatio...
Last post by opnseeker - Today at 05:59:40 PM
Some additional info that may be relevant:

IoT interface is not part of the Interface Group used to redirect traffic to PiHole.

NAT rule redirecting IoT traffic to Unbound is right after the NAT rule redirecting traffic to PiHole.

One question that comes to mind is when the DNAT rules are executed in relation to the firewall filter rules and in what order.
#6
26.1 Series / Re: upgrade from 25.7.11_9 an...
Last post by jmcgee - Today at 05:58:38 PM
I upgraded this morning to the current version. 3 reboots I believe, but no problems, other than I cannot find the ISC plugin. Everything works though. I go to services, and it doesn't show up.
#7
26.1 Series / OpnSense 26.1.1 Destination NA...
Last post by opnseeker - Today at 05:51:17 PM
I have been using OpnSense since 2023 and I have come to appreciate the effort put into creating such useful and usable software.

I upgraded to 26.1.1 and it is mostly working except I have a few issues with the move from the previous port forwarding to Destination NAT.

I understand that the firewall rules have been decoupled from the NAT redirection rules and I took care of updating and moving them into the new rules section.

At this point I have one major issue and other minor ones.

Major issue - redirection seems to completely fail - redirect rule to direct DNS traffic to Unbound for one of the VLANs is ignored as described below.

Primary DNS works as follows:

Client (Interface Group VLANs) -> Pihole (53) -> DNSMasq (OpnSense: 53) -> External resolver

The above is done using an already existing (still working) DNAT rule that forwards all DNS (53) traffic to PiHole (53) and it seems to continue to work. This is done using an interface group as not all VLANs use PiHole.

For the remaining interfaces/VLANs, DNS works as follows:

Client (remaining VLANs) -> DNSMasq (OpnSense: 53) -> External Resolver

No redirection is used here as DNSMasq currently runs at port 53 on all interfaces of the OpnSense router. The default DNS address assigned by OpnSense works as is.

The non-working DNAT (redirection) rule is for one of the VLANs (IoT) that currently uses DNSMasq, redirecting it to Unbound at 53053 as follows:

DNS Path anticipated:

Client (IoT VLAN) -> Unbound (Opnsense:53053) as recursive resolver

Interface: IoT
Version: IP4/IP6
Protocol: TCP/UDP

Source: any
Source Port: any

Dest: any
Dest Port: 53

Target IP: Numeric IP of the interface where Unbound is running - same as IoT interface on OpnSense
Target port: 53053

I also added a corresponding Firewall rule to allow traffic from IoT VLAN to Unbound (Opnsense 53053).

The issue:

All devices on IoT VLAN still use DNSMasq as ipleak.net shows the external resolver. Using Unbound as recursive resolver should show OpnSense WAN address as the resolver address on ipleak.net.

Conclusion:

The redirection is simply being ignored. If redirection is done but some other problem is causing the traffic not to reach Unbound, DNS should fail and ipleak.net should show DNS errors.

Other minor issues exist which caused other problems but they can wait for another time (there are workarounds).

Any help and guidance will be greatly appreciated.
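As an added illustration for the ordering question raised in #5 and the rule set described in #7 (this is not code from the post or from OPNsense), a small Python model of how pf, the packet filter behind OPNsense's DNAT rules, evaluates them: translation rules run before filter rules, the first matching rdr rule wins, and the filter rules then see the already translated packet. Interface names, group membership and addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    ifaces: frozenset  # interfaces the rule is bound to (a group is expanded to its members)
    dport: int         # destination port the rule matches
    target: str        # translated destination address
    tport: int         # translated destination port


# Constructed values: the post names no addresses or interface identifiers.
PIHOLE_GROUP = frozenset({"vlan10", "vlan20"})  # IoT is intentionally not a member
IOT_IF_IP = "192.168.30.1"                      # firewall's own address on the IoT VLAN
PIHOLE_IP = "192.168.10.53"

# DNAT rules in the order the post describes: the PiHole redirect first, then the IoT rule.
RDR_RULES = (
    Rdr(PIHOLE_GROUP, 53, PIHOLE_IP, 53),
    Rdr(frozenset({"iot"}), 53, IOT_IF_IP, 53053),
)

# Pass rules written against the post-translation destination, as the post's author did.
ALLOW_RULES = (("iot", IOT_IF_IP, 53053), ("vlan10", PIHOLE_IP, 53))


def apply_rdr(pkt, rules=RDR_RULES):
    """pf semantics: the FIRST matching rdr rule is applied; later rules are not consulted."""
    for r in rules:
        if pkt.iface in r.ifaces and pkt.dport == r.dport:
            return Packet(pkt.iface, pkt.proto, r.target, r.tport)
    return pkt  # no rdr matched: destination left unchanged


def filter_allows(pkt, allow_rules):
    """Filter rules are evaluated on the translated packet; "any" acts as a wildcard."""
    return any(i == pkt.iface and d in ("any", pkt.dst) and p in ("any", pkt.dport)
               for i, d, p in allow_rules)


def resolve_path(pkt, allow_rules=ALLOW_RULES, rules=RDR_RULES):
    """Return (final destination, final port, passed filter) for an inbound query."""
    t = apply_rdr(pkt, rules)
    return t.dst, t.dport, filter_allows(t, allow_rules)
```

The model only reproduces pf's documented ordering; on the firewall itself the loaded NAT and filter rule sets can be inspected with `pfctl -sn` and `pfctl -sr` to confirm which rule a packet actually hits.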
#8
26.1 Series / Re: QUESTION: How to implement...
Last post by Kornelius777 - Today at 05:49:16 PM
This obviously is a different approach from mine.
My explicit question was how to realize Split Horizon DNS.

Unfortunately, this whole discussion did not get me any step into that direction... ...yet...

Maybe, somebody could share some thoughts about that?

Looking forward to reading from you all!
#9
General Discussion / Re: OPNsense 26.1.1 with Adgua...
Last post by akore - Today at 05:43:26 PM
Thanks coffeecup25. That is what I thought. I will do more research and give it another try. Thankfully OPNsense has Snapshots so that when I break it I can get it back to functioning without having to swap out the box while I nuke and pave and try again from scratch.

I have tried PFsense and OpenWRT on the Sophos box but I found the UI of OPNsense to be best out of the 3. OpenWRT is what I used for the first 4 months after buying the Sophos box but when I broke OpenWRT and I could not get it to install correctly a second time I thought it was time to try something else.
#10
26.1 Series / Re: QUESTION: How to implement...
Last post by Patrick M. Hausen - Today at 05:36:01 PM
Quote from: Kornelius777 on Today at 05:13:29 PM
If you only use unbound (unlinked from dnsmasq), you will need overrides to resolve your hostnames internally.
For overrides, you need (static) IP addresses.

I am only interested in hosts I need to address, like internal services/servers. I don't need and don't want clients registered in DNS. Too much fragile technology for essentially nothing. Like reverse mapping getting stale and then I get nonsensical information back. Better no information than the wrong one. I can always browse the "Bonjour" (mDNS) domain with Discovery, look up the MAC, or use nmap to identify a system if I really need to.

I use Unbound with Kea to register static mappings.