Messages - Tubs

#31
I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through Wireguard.

Before, with Unbound on port 53, it was working. I made no other change than installing AdGuard on port 53 and switching off Unbound.

Any idea where to search?
#32
Quote from: Cadish on February 14, 2021, 08:18:52 PM
I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Is there any advantage in using all three of them?
If you use AdGuard, I do not see an advantage of Unbound with a blocking list.
Does Sensei free on top of these give you so much more?

These are serious questions from me. So far, I was using Unbound as forwarder and Sensei free. I am just testing AdGuard and asking myself what Unbound and Sensei could be good for if I used AdGuard.
#33
General Discussion / Re: Best Practices VLANs?
February 19, 2021, 02:12:17 PM
Quote from: IcarusOPN on February 11, 2021, 09:20:17 PM
Any suggestions on best practices to separate the devices?

I would separate the devices into some categories by access needs and by trust.
And then create groups out of it by finding the right balance between simplicity and the security level you want to achieve.

  • only needs a connection to the internet. No connection to or from other devices. (e. g. IoT, guest devices)
  • connection to or from other devices required
  • sensitive devices worth protecting (e. g. server)
  • trusted devices (e. g. PC, phone)
  • untrusted devices (e. g. guest phone and PC)
  • required connection speed (routing PC to NAS might be slow)
  • ...

I personally do not separate wired and wifi devices. As my wifi AP can handle multiple SSIDs and VLANs, I use only one network (VLAN) for wired and wifi devices of the same category.
#34
General Discussion / Re: chronyd
February 15, 2021, 12:42:29 PM
Quote from: siga75 on January 10, 2020, 08:05:56 AM
unrelated to that it would be nice to have, on ntp conf:
- configure peers and not only servers

Chrony meanwhile exists as a plugin. I will try it out when I find time.
But this point above is what I am still missing in the current NTP config: peers.
#35
21.1 Legacy Series / gateway monitoring - RTTd bad
February 14, 2021, 05:32:40 AM
Hello,

I noticed bad RTTd values in my local network.

Some days ago, I changed my network configuration. Two networks that before were directly connected to the OPNsense box are now handled by an L3 switch. Between OPNsense and the L3 switch I added a "transport network", connected directly from NIC to NIC with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?
#36
It looks like I was overcomplicating things.

After further research I found out that in my small network I could do it much more simply: no transport net, and therefore the OPNsense firewall and the L3 switch are directly connected to the two networks I would like to route between via the L3 switch. Default route to the firewall, and the L3 switch as gateway for hosts in the DMZ and LAN networks.

#37
Quote from: Tubs on January 23, 2021, 04:58:11 AM
Quote from: Fright on January 20, 2021, 02:24:43 PM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce it anymore.

One day after I went back to nginx 1.19, OPNsense automatically updated again to version 1.20. But it is running now. I guess the fix was already implemented.

The issue popped up again when I updated to 21.1.
Yes, when I untick "check trusted certificate" all is working again.
#38
Quote from: ruggerio on January 20, 2021, 11:21:44 PM
Since the upgrade to 21.1-rc...my https-reverse-proxy does no longer start.
[...]
Somebody with a good idea?

Yes, have a look here in 20.7. Same for 20.7.8.
https://forum.opnsense.org/index.php?topic=20989.0
#39
Is there nobody who can give me a hint whether this network topology is correct?

I do not look for detailed configuration help. I only want to know if this way of routing will work and if it is the best way to do so.
#40
Quote from: Fright on January 23, 2021, 06:10:34 AM
@Tubs
hmm. a little weird. I think that for this it was necessary either to press "check for updates" or execute "# opnsense-revert os-nginx".

It is possible that I have done this. If so, for a different reason. I cannot remember. But in any case I did not confirm any upgrade process.
#41
Quote from: Fright on January 20, 2021, 02:24:43 PM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce it anymore.

One day after I went back to nginx 1.19, OPNsense automatically updated again to version 1.20. But it is running now. I guess the fix was already implemented.
#42
I have exactly the same issue. OpnSense updated to 20.1.8 and nginx is not starting anymore.

2021/01/20 22:03:14 [emerg] 95587#100595: SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_228ce5a1-*****.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

The file mentioned in the log does not exist. But I have no clue how to figure out where it belongs. I have a couple of upstreams and a couple of servers defined. So far I have detected nothing suspicious. But I have no idea where to search.

Quote from: mimugmail on January 20, 2021, 06:22:53 AM
opnsense-revert -r 20.7.7 os-nginx

Does this fix it?

Yes. In my case it helped. Nginx is running again.
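As an added example (not from the forum post and not part of the OPNsense os-nginx plugin), a POSIX shell checker that collects the `ssl_trusted_certificate` / `proxy_ssl_trusted_certificate` paths from an nginx config tree and reports any that are missing or contain no certificate or CRL block, the two conditions behind the `SSL_CTX_load_verify_locations ... no certificate or crl found` error quoted above. The config tree and PEM contents are constructed inline; the `BEGIN CERTIFICATE` marker test is an assumed PEM-only approximation standing in for a real X.509 parse.

```shell
# Constructed sample: a tiny nginx config tree with one usable trust file,
# one dangling reference and one empty file, so the checker runs offline.
setup_sample_nginx_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/key"
  # Placeholder PEM body; only the BEGIN marker line matters for this check.
  printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n' \
    > "$dir/key/trust_upstream_ok.pem"
  : > "$dir/key/trust_upstream_empty.pem"
  cat > "$dir/nginx.conf" <<EOF
http {
  upstream backend { server 10.0.0.2:443; }
  server { proxy_ssl_trusted_certificate $dir/key/trust_upstream_ok.pem; }
  server { proxy_ssl_trusted_certificate $dir/key/trust_upstream_missing.pem; }
  server { proxy_ssl_trusted_certificate $dir/key/trust_upstream_empty.pem; }
}
EOF
  echo "$dir"
}

# Print every *_trusted_certificate path that nginx would refuse to load:
# MISSING for a file that does not exist, NO_CERT_OR_CRL for a file without a
# PEM CERTIFICATE or CRL block. Returns 1 if any problem was found.
# Assumes paths without whitespace (true for OPNsense's generated key dir).
check_nginx_trust_files() {
  conf_dir=$1
  bad=0
  paths=$(grep -rhoE '(proxy_)?ssl_trusted_certificate[[:space:]]+[^;]+' "$conf_dir" \
          | awk '{print $2}')
  for p in $paths; do
    if [ ! -f "$p" ]; then
      echo "MISSING $p"; bad=1
    elif ! grep -qE '^-----BEGIN (X509 )?(CERTIFICATE|CRL)-----' "$p"; then
      echo "NO_CERT_OR_CRL $p"; bad=1
    fi
  done
  return $bad
}
```

On a real box, point `check_nginx_trust_files` at the nginx config directory instead of the constructed tree; each reported path names the upstream or server block whose trust file needs regenerating or unticking.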
#43
Hello,

Currently my home network, with a handful of VLANs, is set up in such a way that OPNsense does all routing between the subnets. All devices are connected to one L2 switch. But since I upgraded a part of my home network to 10 Gbit, I now have a bottleneck between the networks I call "LAN" and "DMZ". My OPNsense is a small box with 1 GBit ports only, but good enough to handle the traffic to and from the internet.

Three goals I have:
(1) I would like to move the routing between the networks "LAN" and "WAN" to an external 10 GBit L3 switch (Ruckus 7250). For all other networks the routing can stay on the OPNsense box. Only a little traffic related to those needs to be routed.
(2) I would like to utilise the available 3 physical ports (A2, A3, A3) on the opnsense box as much as possible.
(3) I would like to minimize the overhead on the opnsense box generated by VLAN tagging or LAGG.

My ideas are:
- run LAGG over all three ports and run one VLAN trunk to the switch with all networks in it
- run one VLAN / VLAN trunk on each of the three ports and manually distribute the VLANs / subnets according to the expected traffic
- as shown on the sketch: one separate gateway and route for LAN and DMZ, directly connected without VLAN or LAGG. All others packed in one VLAN trunk. No need for LAGG or VLAN on the networks with the highest traffic.

Any disadvantages in going with the last one?
Better ideas?


  opnsense                               L3 switch

       A1 --------X WAN

                GW1 - 192.168.1.10/30
       A2 -------------------------------- B1 - LAN: 192.168.40.0/24

                GW2 - 192.168.1.20/30
       A3 -------------------------------- B2 - DMZ: 192.168.50.0/24

                 VLAN trunk
       A4 -------------------------------- B3 |--- VLAN 10: 192.168.10.0/24
                                              |--- VLAN 20: 192.168.20.0/24
                                              |--- VLAN 30: 192.168.30.0/24
#44
20.7 Legacy Series / Re: Swap used to 70%?
November 29, 2020, 02:04:17 PM
Since 20.7.4 it is better again. Still more swap is used than before. But no service stops anymore.
#45
German - Deutsch / Re: multiple subdomains via port 80/443
November 29, 2020, 02:01:23 PM
Quote from: fabian on November 22, 2020, 09:16:13 PM
Not hidden - it is on almost every page on the bottom.

Thank you very much!
I found the button, but I had never associated this function with it.