OPNsense Forum

English Forums => General Discussion => Topic started by: meazz1 on April 15, 2020, 03:01:47 AM

Title: Which one to go with for ad blocking and phishing sites
Post by: meazz1 on April 15, 2020, 03:01:47 AM
I have been using OPNsense for over 6 months or so. Prior to using OPNsense I used MikroTik and EdgeRouter X with a UniFi AC-Lite access point.
This is for my home use. I have 4 users, 2 adults and two teenagers. The usage includes average IoT devices, mostly streaming, little work from home and regular browsing.
I'm loving OPNsense and its performance.
My setup is very simple. I have a 1 gig up/down fiber connection; the provider's gateway is in pass-thru mode. My router is a fan-less embedded x86 box with 2 NICs, an Intel i5 2.3 GHz CPU and 8 gig of RAM.

My goal is to set up OPNsense with some kind of DNS to block ads, phishing sites etc.
I'm seeking suggestions so I can make a killer setup, lol.

Should I go with?
       1. Pihole
       2. Sensei – Sunny Valley plugin
       3. DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6 (write-up in the forum)

I'm sure there are many more options out there that I'm unaware of.
Title: Re: Which one to go with for ad blocking and phishing sites
Post by: sol on April 15, 2020, 11:10:20 AM
I use a PiHole due to the fact that white and block lists are really easy to manage.
Sensei can block ads too but I prefer PiHole for this.
Easy to set up and maintain.
Title: Re: Which one to go with for ad blocking and phishing sites
Post by: meazz1 on April 15, 2020, 03:56:11 PM
Quote from: sol on April 15, 2020, 11:10:20 AM
I use a PiHole due to the fact that white and block lists are really easy to manage.
Sensei can block ads too but I prefer PiHole for this.
Easy to set up and maintain.

I tried PiHole earlier but could not set it up correctly. How did you set up PiHole's IP and firewall rules in OPNsense?
Title: Re: Which one to go with for ad blocking and phishing sites
Post by: Vlijm on April 15, 2020, 09:30:39 PM
You don't have to set up anything really.
The easiest thing to do is to advertise the PiHole's IP address as DNS server in the DHCP settings of OPNsense (Services: DHCPv4: [LAN]).

If you want to have client hostnames resolved, you have to check the boxes for "Register DHCP leases" and "Register DHCP static mappings" in Services: Unbound DNS: General.
In PiHole's DNS settings I unchecked "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges", checked "Use Conditional Forwarding" (fill in IP + local domain name).
I selected Cloudflare as Upstream DNS Servers.

Works like a charm!

Note: I wanted to have PiHole's protection on my mobile devices, connected to my network through WireGuard. It took me a while; I had to set PiHole's interface listening behavior to "Listen on all interfaces, permit all origins". If you just select "Listen on all interfaces", it ignores WireGuard clients.

Hope this helps :)

Title: Re: Which one to go with for ad blocking and phishing sites
Post by: meazz1 on April 16, 2020, 02:35:37 AM
Quote from: Vlijm on April 15, 2020, 09:30:39 PM
You don't have to set up anything really.
The easiest thing to do is to advertise the PiHole's IP address as DNS server in the DHCP settings of OPNsense (Services: DHCPv4: [LAN]).

If you want to have client hostnames resolved, you have to check the boxes for "Register DHCP leases" and "Register DHCP static mappings" in Services: Unbound DNS: General.
In PiHole's DNS settings I unchecked "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges", checked "Use Conditional Forwarding" (fill in IP + local domain name).
I selected Cloudflare as Upstream DNS Servers.

Works like a charm!

Note: I wanted to have PiHole's protection on my mobile devices, connected to my network through WireGuard. It took me a while; I had to set PiHole's interface listening behavior to "Listen on all interfaces, permit all origins". If you just select "Listen on all interfaces", it ignores WireGuard clients.

Hope this helps :)

Thanks.
I set it up as you suggested. It seems to be working right.
One question, did you have to add any firewall rules?
Title: Re: Which one to go with for ad blocking and phishing sites
Post by: Vlijm on April 16, 2020, 11:41:07 AM
I did not have to add rules to the firewall to get this working.