Messages - Northguy

#91
Hardware and Performance / Re: APU2 Bios
February 08, 2019, 02:55:15 PM
What happens if you reload WAN interface settings if you have a DHCP enabled WAN?

I am experiencing the following issue: https://github.com/opnsense/core/issues/3200
#92
FYI: There is already a thread on this subject here: https://forum.opnsense.org/index.php?topic=11430.0
#93
19.1 Legacy Series / Re: problem updating
February 03, 2019, 09:59:14 AM
Hi, try to see if this issue applies to your situation:

https://forum.opnsense.org/index.php?topic=11401.15
#94
Hi. Noticed a new feature with Notifications. Once clicked on, they disappear, but I don't know how to retrieve them once gone. The notification line is not word wrapped and extends outside the screen....
#95
Quote from: mimugmail on February 01, 2019, 04:14:30 PM
Quote from: Northguy on February 01, 2019, 02:46:39 PM
@All: experienced the same. Clearing the Chrome browsing history (assuming you use Chrome) solved my issue.

https://www.webnots.com/how-to-fix-err_connection_reset-error-in-google-chrome/

Thx!

It was a temporary fix and ended up in the same issue as all the others. MTU 576 on WAN. WAN configured as DHCP on APU2D4 (intel NICs).

Applied supersede interface-mtu 0 in Option modifiers of WAN interface, which fixed the "problem"

#96
@All: experienced the same. Clearing the Chrome browsing history (assuming you use Chrome) solved my issue.

https://www.webnots.com/how-to-fix-err_connection_reset-error-in-google-chrome/
#97
Don't have an answer for you, but there is a 6 pages long thread on this subject here: https://forum.opnsense.org/index.php?topic=9264.0
#98
Quote from: mayo on January 15, 2019, 02:18:22 PM
Hi mimino, could you please describe your configuration (I'll use Unbound with default config with Bind)? I'm trying to configure it from scratch and I don't want to make any mistakes...
Thank you so much!

Just follow the instructions from: https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ and don't forget to set Outbound interface to localhost in the unbound settings. That is all.
#99
General Discussion / Re: Install PiHole on Opnsense
January 15, 2019, 11:29:39 AM
Have a look at DNS blocking with Unbound and Bind, as mimugmail suggests. A useful thread to look into might be: https://forum.opnsense.org/index.php?topic=10180.0

Might suit your needs as there are multiple blocklists that can be enabled. The specific configuration options are less than squidguard lists, but there is a specific Porn blocklist as well as an ads and malware blocklist.

Regards,

Northguy

P.S. Can you tell me the story about this LeChuck guy? ;D ;D ;)
#100
Quote from: phoenix on January 12, 2019, 03:02:08 PM
Quote from: Northguy on January 12, 2019, 02:04:22 PM
I get a DNS_PROBE_FINISHED_NXDOMAIN DNS error on www.synology-forum.nl of which I am sure it exists.
That would indicate the domain does not exist according to your DNS resolver.

That is quite obvious to me and the reason I started this post.

Quote from: phoenix on January 12, 2019, 03:02:08 PM
Quote from: Northguy on January 12, 2019, 02:04:22 PM
If I disable the BIND forward, Unbound resolves the URL without problems.

Big Question: what is causing Bind to not resolve the url?
That would indicate that the website is on a 'blacklist' and therefore gives the error I've quoted above, that's what a blacklist is for. You need to remove that domain name entry from your blacklist.

This is not true. It is not in the blacklist. I did check. See my other remarks in my post. Even disabling the blacklists does not make Bind resolve the URL.

Quote from: Northguy on January 12, 2019, 02:04:22 PM
2) Checked the BIND DNSBL entries at /usr/local/etc/namedb/dnsbl.inc. the URL is not on any blacklist

It seems that BIND does something strange when contacting the root name server.... It is unclear to me what or why.

Quote from: Northguy on January 12, 2019, 02:04:22 PM

12-Jan-2019 13:42:06.790   lame-servers: info: broken trust chain resolving '236.28.59.37.in-addr.arpa/PTR/IN': 213.251.188.144#53
12-Jan-2019 13:42:05.045   lame-servers: info: host unreachable resolving 'notepad-plus-plus.org/A/IN': 2603:5:2272::18#53
12-Jan-2019 13:36:50.089   lame-servers: info: broken trust chain resolving '165.225.132.31.in-addr.arpa/PTR/IN': 31.132.224.5#53
12-Jan-2019 13:36:50.026   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.42.12#53
12-Jan-2019 13:36:49.752   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.43.11#53
12-Jan-2019 13:36:49.334   lame-servers: info: host unreachable resolving 'ns2.astra-mir.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
12-Jan-2019 13:35:53.186   lame-servers: info: host unreachable resolving 'services.sonarr.tv/A/IN': 2400:cb00:2049:1::adf5:3bb8#53

#101
Hi All,

Who has some suggestions on how to debug an unresolved URL of which I am most certain that it should exist?

I get a DNS_PROBE_FINISHED_NXDOMAIN DNS error on www.synology-forum.nl of which I am sure it exists.

OPNsense Setup:
I have set up Unbound with Bind DNSBL according to https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
This is working fine in almost all cases and usual blocked sites I expect to be actively blocked by the DNSBL.

For mentioned synology-forum site I expect it to be legit, but run into a block and I do not know how/why.

Checks performed:
1) Checked Unbound log file, which results in a THROWAWAY error from BIND at 127.0.0.1
2) Checked the BIND DNSBL entries at /usr/local/etc/namedb/dnsbl.inc. The URL is not on any blacklist
3) Checked BIND log file, which results in the log shown below.

If I disable the BIND forward, Unbound resolves the URL without problems.

Big Question: what is causing Bind to not resolve the url?

12-Jan-2019 13:37:25.625 query-errors: info: client @0x54c39e2d600 127.0.0.1#32753 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.624 query-errors: info: client @0x54c39e2d600 127.0.0.1#52141 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.624 query-errors: info: client @0x54c39e2d600 127.0.0.1#27259 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.623 query-errors: info: client @0x54c39e2d600 127.0.0.1#54978 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.621 query-errors: info: client @0x54c3b1f2000 127.0.0.1#34524 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644
12-Jan-2019 13:37:17.951 query-errors: info: client @0x54c3ad0f000 127.0.0.1#10908 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.950 query-errors: info: client @0x54c3ad0f000 127.0.0.1#17174 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.948 query-errors: info: client @0x54c3ad0f000 127.0.0.1#43277 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.948 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#24151 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.947 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#11468 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.946 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#12382 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.946 query-errors: info: client @0x54c3ae78e00 127.0.0.1#18119 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.944 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#47096 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.941 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#25162 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.938 query-errors: info: client @0x54c3b1f7400 127.0.0.1#10239 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644
12-Jan-2019 13:37:17.917 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2001:1::53:1#53
12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2003:1::53:3#53
12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2002:1::53:2#53



When inspecting the BIND log in more detail I see more of these resolve issues for known existing URLs like:
Quote
12-Jan-2019 13:42:06.790   lame-servers: info: broken trust chain resolving '236.28.59.37.in-addr.arpa/PTR/IN': 213.251.188.144#53
12-Jan-2019 13:42:05.045   lame-servers: info: host unreachable resolving 'notepad-plus-plus.org/A/IN': 2603:5:2272::18#53
12-Jan-2019 13:36:50.089   lame-servers: info: broken trust chain resolving '165.225.132.31.in-addr.arpa/PTR/IN': 31.132.224.5#53
12-Jan-2019 13:36:50.026   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.42.12#53
12-Jan-2019 13:36:49.752   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.43.11#53
12-Jan-2019 13:36:49.334   lame-servers: info: host unreachable resolving 'ns2.astra-mir.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
12-Jan-2019 13:35:53.186   lame-servers: info: host unreachable resolving 'services.sonarr.tv/A/IN': 2400:cb00:2049:1::adf5:3bb8#53
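
One way to triage a BIND log like the one in the post above, as an added example that is not part of the original post: group the lame-servers entries by failure reason and by the address family of the upstream server, so that it is visible at a glance whether failures cluster on IPv6 upstreams or on DNSSEC validation. The function names are hypothetical; the sample lines are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Lines copied from the BIND log quoted in the post above.
SAMPLE_LOG = """\
12-Jan-2019 13:42:06.790   lame-servers: info: broken trust chain resolving '236.28.59.37.in-addr.arpa/PTR/IN': 213.251.188.144#53
12-Jan-2019 13:42:05.045   lame-servers: info: host unreachable resolving 'notepad-plus-plus.org/A/IN': 2603:5:2272::18#53
12-Jan-2019 13:36:50.026   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.42.12#53
12-Jan-2019 13:37:17.917 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2001:1::53:1#53
12-Jan-2019 13:37:17.938 query-errors: info: client @0x54c3b1f7400 127.0.0.1#10239 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644
"""

# lame-servers entry: <reason> resolving '<qname>/<qtype>/IN': <upstream>#<port>
LAME_RE = re.compile(
    r"lame-servers: info: (?P<reason>.+?) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[0-9A-Fa-f:.]+)#\d+"
)


def parse_lame(line):
    """Return (reason, qname, qtype, upstream address) or None for other lines."""
    m = LAME_RE.search(line)
    if m is None:
        return None
    try:
        server = ipaddress.ip_address(m.group("server"))
    except ValueError:  # malformed address field: skip rather than crash
        return None
    return m.group("reason"), m.group("qname"), m.group("qtype"), server


def summarize(log_text):
    """Count lame-servers entries per (reason, upstream address family)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_lame(line)
        if entry:
            reason, _qname, _qtype, server = entry
            counts[(reason, f"IPv{server.version}")] += 1
    return counts


def names_failing_over(log_text, reason, family):
    """Query names whose upstream failed with `reason` over `family`."""
    return sorted({e[1] for e in map(parse_lame, log_text.splitlines())
                   if e and e[0] == reason and f"IPv{e[3].version}" == family})


if __name__ == "__main__":
    for (reason, family), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {family}  {reason}")
```

In BIND's log, `host unreachable` means the upstream address could not be reached from the resolver, while `broken trust chain` comes from DNSSEC validation; splitting the counts by address family separates the two kinds of failure.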
#102
German - Deutsch / Re: PI-Hole
December 21, 2018, 12:19:00 AM
Quote from: mimugmail on December 08, 2018, 07:18:53 PM
Somehow this seems to have been acting up since Unbound 1.8 :(

I found my mistake. I had enabled my WAN interface under Unbound>general>Outgoing Network Interfaces and not Localhost. Now I have only Localhost enabled and WAN disabled, and everything works!
#103
Hardware and Performance / Re: APU2 Bios
December 12, 2018, 09:04:05 PM
From the changelog it doesn't look as if anything useful is fixed with this release.
#104
OK.... found the setting in the GUI (at last)... hidden under the advanced options of Services: Web Proxy: Administration:General proxy settings. So issue solved for now.

Pending question: shouldn't it be more logical to have the "forwarded_for transparent" option set together with toggling the 'transparent' checkboxes under Forward Proxy:General Forward Setting?



#105
I tried using a transparent proxy to realize a blocklist through Remote ACL (Shallalist), because the Bind/Unbound option does not seem to work (see this topic). The transparent proxy works when browsing webpages, but I experience streaming issues with my Teufel Raumfeld streaming radio.

Each time I disable the port forwards to the proxy, streaming starts working again, so it has something to do with the proxy. After trying a lot of things and pulling my hair for a few days, I think I found a solution by changing the forwarded_for configuration directive in squid.conf from "forwarded_for on" to "forwarded_for transparent".

After starting the service, I can now stream without issues, but I noticed that OPNsense did change this option back to "forwarded_for on" in squid.conf after starting. So now I am wondering: did the service actually load "forwarded_for transparent" and then overwrite again with "forwarded_for on" from the GUI?

Who can answer this question and how can I make "forwarded_for transparent" stick if this is the solution for my problem?