Topics - Andreas.Wien

#1
I experienced the issue of AdGuard being unable to start up, as unbound had already bound to port 53 (LAN).
The motivation is that AdGuard serves all local DNS requests, including those for .localdomain, but those are forwarded to unbound.

So this is my cfg for the AdGuard Settings > DNS Settings > Upstream DNS servers
https://dns.quad9.net/dns-query
https://dns.google/dns-query
https://dns.cloudflare.com/dns-query
[/localdomain/]127.0.0.1:53

The necessary interface:port binding that works for me is this:
root@OPNsense:~ # sockstat -4 -l | grep :53
root     AdGuardHom 69756 76  udp4   192.168.0.1:53        *:*
unbound  unbound     3107 10  tcp4   127.0.0.1:53          *:*
[...]
root@OPNsense:~ # sockstat -4 -l | grep :853
unbound  unbound     3107 5   tcp4   127.0.0.1:853         *:*
unbound  unbound     3107 7   tcp4   192.168.0.1:853       *:*
[...]

However, in order to achieve this, there is no way in the GUI to specify these port-binding requirements.
I had to override it like this:
root@OPNsense:/usr/local/etc/unbound.opnsense.d # cat 10-localbind.conf
server:
    interface-automatic: no
    interface: 127.0.0.1@53
    interface: 127.0.0.1@853

The only side effect is a GUI banner for unbound:
The configuration contains manual overwrites, these may interfere with the settings configured here.
Furthermore, it was necessary to start unbound like this:
root@OPNsense:/usr/local/etc/rc.syshook.d/start # cat 50-unbound
#!/bin/sh
# Delay + Start Unbound DNS service if not already running
sleep 3
if ! service unbound onestatus >/dev/null 2>&1; then
  logger -t unbound "Starting Unbound (delayed boot fix)..."
  service unbound start
fi

I wonder ... did I miss something, or is this AdGuard integration so unusual that it's not readily supported in OPNsense's GUI?
Is there a 'clean' way to achieve the above?
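As an added example (not part of the original post, and not OPNsense or AdGuard Home code), here is a small POSIX shell check for the port-53 split described above: every listener on port 53 must be either unbound on 127.0.0.1 or AdGuard Home on the LAN address, and anything else (typically unbound still on `*:53`, which is exactly what prevents AdGuard from starting) is reported. The LAN address 192.168.0.1 and the `sockstat -4 -l` column layout are assumptions taken from the post; the sample output embedded in the script is constructed, not captured from a real box.

```sh
#!/bin/sh
# Added example, not from the forum post or the OPNsense project: verify that
# port 53 is split as intended between AdGuard Home (LAN address) and Unbound
# (loopback only) by inspecting `sockstat -4 -l` output.
# Assumptions: the LAN address is 192.168.0.1 (override with LAN_IP=...), and
# the input has FreeBSD sockstat's column layout
# "USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS".

LAN_IP="${LAN_IP:-192.168.0.1}"

# Reads sockstat-style lines on stdin.  Every listener on port 53 must be
# either unbound on 127.0.0.1:53 or AdGuardHome on $LAN_IP:53; anything else
# (e.g. unbound on *:53, which blocks AdGuard from starting) is printed.
# Returns 0 if the split is clean, 1 otherwise.
check_port53_split() {
    awk -v lan="$LAN_IP" '
        # field 6 is the local address; ":853" does not match /:53$/
        $6 ~ /:53$/ {
            if ($2 == "unbound" && $6 == "127.0.0.1:53") next
            if ($2 ~ /^AdGuardHom/ && $6 == (lan ":53")) next
            printf "unexpected port-53 listener: %s (pid %s) on %s/%s\n", $2, $3, $5, $6
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed samples in sockstat's layout (not captured from a real system):
# the intended state, and the conflict state where unbound grabbed all
# interfaces.
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 69756 76  udp4   192.168.0.1:53        *:*
root     AdGuardHom 69756 77  tcp4   192.168.0.1:53        *:*
unbound  unbound     3107 10  tcp4   127.0.0.1:53          *:*
unbound  unbound     3107 11  udp4   127.0.0.1:53          *:*
unbound  unbound     3107 5   tcp4   127.0.0.1:853         *:*'

SAMPLE_CONFLICT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound     3107 10  udp4   *:53                  *:*
unbound  unbound     3107 11  tcp4   *:53                  *:*'

# Runs the check against the live system when sockstat is present
# (FreeBSD / OPNsense), otherwise against the constructed sample.
run_check() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -l | check_port53_split
    else
        printf '%s\n' "$SAMPLE_OK" | check_port53_split
    fi
}
```

On the firewall itself, `. ./check_port53.sh; run_check` after a reboot tells you whether the `10-localbind.conf` override actually took effect before AdGuard Home tried to bind; a non-zero exit with an `*:53` line means unbound still came up with `interface-automatic` or the GUI's interface list and AdGuard will fail as described.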
#2
23.1 Legacy Series / OPN-Arp autostart
February 06, 2023, 04:22:52 PM
After a reboot the OPN-Arp service doesn't autostart, though it is Enabled [X].
I have to manually start it every time after reboot.

Is there a way to fix the functionality of "enable", or a shell way to make it autostart after reboot?
#3
It happened with one of the recent updates, and I didn't check the problem with AdGuard's web UI.
Its DNS functionality still works fine, but the web interface doesn't respond anymore.

Though the port is listening, with the right process:
root@OPNsense:~ # sockstat -l -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 82770 19 tcp46  *:3000                *:*


And the AdGuard log looks fine too:
2023/01/03 03:54:39.034836 [info] AdGuard Home is available at the following addresses:
2023/01/03 03:54:39.035174 [info] Go to http://192.168.0.1:3000


Anyone else with the same experience?
How to resolve this?
Help's appreciated!
#4
Virtual private networks / VPN with WAN fallback
November 29, 2022, 07:26:49 PM
The use cases I find here force traffic through a VPN and block unencrypted WAN traffic.
I intend to implement a different policy:
primarily I want to use the VPN, and only as a failover can the traffic use plain WAN.

  • the two System.Gateways.Single gateways are dpinger monitored and online
  • I guess I have to combine the two gateways in a System.Gateways.Group
  • I've also created a Firewall.Aliases list that defines all LAN sources that should follow this policy
  • a Firewall.Rules.LAN rule passes all such aliased Traffic to that Gateway-Group
  • Firewall.NAT.Outbound rules run hybrid with some manually added ones, see below
  • System.Settings.General.Gateway switching [X]checked
    Firewall.Settings.Advanced.Skip rules [_]unchecked
    Firewall.Settings.Advanced.Sticky connections [_]unchecked
However, Tier 1 (VPN) has no priority; traffic is routed unencrypted out the WAN, even if WAN is set to "never" in the group.
According to the Firewall.Log Files.Live View, the "(alias)-Traffic goes through VPN" rule is applied to pass the traffic.

Help's appreciated! What am I missing here?
#5
I replaced my ISP-provided router with OPNsense 22.7.8 - and within one day this solution works like a charm, and the LAN issues are gone!
Really happy that added features like DHCP, AdGuard integration, intrusion detection, monitoring work out-of-the-box!

When I use monit to check that all LAN devices are up, I noticed that, by default, only the basic functionality of CHECK HOST ... PING is supported in the GUI.

I would also like to formulate a test like:
check host PING.128_i4 address 192.168.1.128
    if failed PORT 8091 PROTOCOL http request "/" then alert


And also have fault tolerance implemented, for things like:
check host PING.220_NAS address 192.168.1.220
    if failed PORT 80
        3 TIMES WITHIN 5 CYCLES
    then alert


which in fact works when edited directly in /usr/local/etc/monitrc, as long as the Service Settings in the GUI aren't touched, since that writes a clean monitrc.

Also, thermal alerts would be nice to have!

[edit:] the above works with Service Test Settings / Condition: failed ping FOR 2 CYCLES :)
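As an added example (not part of the original post, and not OPNsense or monit code), the thermal alert the post wishes for can be built from monit's generic `check program` service type, which runs a script and alerts on its exit status. The script below reads the CPU temperature sysctls and exits non-zero when any core exceeds a threshold; the monit stanza that calls it is given in the header comment and uses the same `N times within M cycles` fault-tolerance form as the port-80 check above. The sysctl names `dev.cpu.N.temperature` (provided by the coretemp or amdtemp kernel module), the value format `52.0C`, the install path `/usr/local/bin/cpu_temp_check.sh` and the 70 C limit are assumptions, not something the post or OPNsense documents.

```sh
#!/bin/sh
# Added example, not from the forum post or the OPNsense project: a monit
# "check program" script that alerts when a CPU core runs too hot.
# Assumptions: coretemp(4)/amdtemp(4) is loaded so that
# `sysctl -n dev.cpu.0.temperature` prints a value such as "52.0C"; the
# limit is 70 C unless CPU_TEMP_MAX is set; the script is installed as
# /usr/local/bin/cpu_temp_check.sh and referenced from monitrc as
#   check program cpu_temp with path "/usr/local/bin/cpu_temp_check.sh"
#       if status != 0 for 3 times within 5 cycles then alert
# so that one hot sample during a package build does not page anyone.

CPU_TEMP_MAX="${CPU_TEMP_MAX:-70}"

# Strips the trailing unit ("52.0C" -> "52.0").  Returns 1 on unparsable
# input so that a broken sensor is reported rather than read as "cool".
parse_temp() {
    case "$1" in
        *[0-9]C) printf '%s\n' "${1%C}" ;;
        *[0-9])  printf '%s\n' "$1" ;;
        *)       return 1 ;;
    esac
}

# Returns 0 if $1 (a temperature string) is at or below $2 (limit in C),
# 1 if it exceeds the limit or cannot be parsed.
temp_within_limit() {
    t=$(parse_temp "$1") || return 1
    awk -v t="$t" -v max="$2" 'BEGIN { exit ((t + 0 > max + 0) ? 1 : 0) }'
}

# Reads every dev.cpu.N.temperature sysctl and exits non-zero when any core
# is over the limit or when no sensor is found at all.  monit uses the exit
# status; the printed lines end up in its event message.
main() {
    rc=0
    found=0
    for oid in $(sysctl -N dev.cpu 2>/dev/null | grep '\.temperature$'); do
        found=1
        v=$(sysctl -n "$oid")
        if temp_within_limit "$v" "$CPU_TEMP_MAX"; then
            echo "$oid=$v ok"
        else
            echo "$oid=$v exceeds ${CPU_TEMP_MAX}C"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no dev.cpu.*.temperature sysctl found (is coretemp/amdtemp loaded?)"
        rc=2
    fi
    return $rc
}

# Run the check only when executed under the installed name, so the file can
# also be sourced for its functions without touching sysctl.
if [ "${0##*/}" = "cpu_temp_check.sh" ]; then
    main
    exit $?
fi
```

Keeping the threshold logic in `temp_within_limit` rather than inline in the loop means the parsing and comparison can be exercised off-box with constructed strings, which is the part of a monitoring script that is usually wrong (a missing sensor silently reading as 0, or "52.0C" compared as a string) and the part that never gets tested in production until the alert fails to fire.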