Messages

If you want to send any local DNS request to a local Unbound through wireguard to an upstream DNS, the easiest way is to use the documentation for wireguard selective routing (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) and modify it to only tunnel DNS traffic from any firewall IP to the upstream DNS IPs.

Are you referring to the section "Dealing with DNS Leaks"? If so, which of the 5 points/solutions would you recommend?

Tia.

Am I right in thinking that I need to set the OPNSense WAN interface to use VLAN101, and DHCP for it's IP config?  because (assuming I`m doing it right!), it doesn't seem to work.

VLAN tag must be set in the Draytek modem (as per the guide you linked), and the WAN in OPNsense must be set as DHCP, that's it!

And like OPNenthu, I never changed the default settings... anyways, it's now fixed, but frankly I don't know if it's because of the few times I did reboot the appliance or the crowdsec plugin which I had to remove and to reinstall or something else, thanks.

Not sure, do you see something wrong?

Code Select Expand

root@hush:/var/etc # cat ntpd.conf

#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12
# Max number of associations
tos maxclock 10


# Upstream Servers
pool 0.opnsense.pool.ntp.org maxpoll 9
pool 1.opnsense.pool.ntp.org maxpoll 9
pool 2.opnsense.pool.ntp.org maxpoll 9
pool 3.opnsense.pool.ntp.org maxpoll 9


statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict source  kod limited nomodify noquery notrap
restrict default  kod limited nomodify noquery notrap nopeer
restrict -6 default  kod limited nomodify noquery notrap nopeer
restrict 127.0.0.1  kod limited nomodify notrap nopeer
restrict ::1  kod limited nomodify notrap nopeer


I've just updated to 25.1.5_4 and after the reboot the NTP service doesn't start, anybody's seeing a similar behaviour?

I've attached some errors from the log, if it can help.

Tia.

and one more question: could you explain what the Virtual IPs are for ?

Tia.

Thanks both, turns out I had three faulty cables :-) and when tried the forth one (and the newest one), it now negotiates at 1000 Mb/s

@_Dave_
That's a great guide, many thanks. QQ: to whom the 4.2.2.1 & 4.2.2.2 IP addresses belong to?

[doktornotor]

I've followed the instructions by doktornotor here and that seems to work.

The issue I have (and I don't know what the root cause is) is that the modem GUI interface I created negotiates at 100 Mb/s rather than 1000 Mb/s: why on earth this is happening?

Tia.

Okey dokey, thanks for the responses

Lastly, would it make any difference whether before I'd backup my current configuration, I'd enable back the root user?

I'm not really sure, but I recall a post where the OP, while trying to import the backup file, went into troubles because the root user was disable.

I read the official article of how to import an existing configuration, and it seems quite straight forward.

I also came across with this post where the OP stated the importer doesn't work as expected and he used a workaround - has anybody used the  importer and in case can confirm whether or not it works as in the guide?

Tia.

Just follow the instructions:

Go to System -> Settings -> Tunables and add:

1) Enable multi threads

Code Select Expand

net.isr.maxthreads=-1
2) Enable bind threads

Code Select Expand

net.isr.bindthreads=1
3) Enable RSS

Code Select Expand

net.inet.rss.enabled=1
4) Set the value of net.inet.rss.bits
       

Code Select Expand

- for 4-core systems, use '2'
- for 8-core systems, use '3'
- for 16-core systems, use '4'
- etc.

The N100 should suffice.

Thank you, it worked :-)

I've set up two wireguard instances, one for ProtonVPN and one for Mullvad (and they both work), what I don't understand why on the dashoboard under gatewaus I can't see the Mullvad entry, any suggestions?

Tia.