Messages - xofer

#1
After upgrade 25.1.5_5 -> 25.1.6_4 we noticed that Dnsmasq now tries to load /usr/local/etc/dnsmasq.conf.d/* while previously it loaded only *.conf

If there are files it cannot parse in this folder, Dnsmasq service fails to start.

I am not sure if it is an intentional change as /usr/local/etc/dnsmasq.conf.d/README still talks about .conf files:
# Dnsmasq plugin directory:
# Add your *.conf files here, read in alphabetical order
#2
Quote from: Pfirepfox on November 16, 2022, 01:02:03 PM
Also curious about this, i have a number of hosts to insert and wildcard support would be great

Somehow this is a dupe. I found a solution here: https://forum.opnsense.org/index.php?topic=27650.0
#3
Well, hindsight is almost always 20-20 (my concoction is from march, Modest's from august)
but good point, yeah
#4
22.1 Legacy Series / Idea: Reporting: Traffic
July 21, 2022, 02:13:58 PM
Hi,

currently, in Reporting > Traffic my opnsense seems to show traffic from the interface's point of view, i.e. if you select LAN and WAN, LAN IN and WAN IN are shown on the same graph, as well as LAN OUT and WAN OUT:


At least for me, it would make much more sense to compare the used bandwidth from the opnsense's point of view, i.e.:
put LAN IN on the same graph as WAN OUT and vice versa.
#5
I know I am essentially replying to myself here, but maybe someone else needs this. It appears that dnsmasq ipset functions work (albeit totally undocumented) in BSD as well and write to a pf table using the same configuration syntax. So all I needed to do was:

add a file ALLOWTHIS.conf to the /usr/local/etc/dnsmasq.conf.d directory:
ipset=/somedomain.com/ALLOWTHIS

then I created an empty host(s) alias ALLOWTHIS from opnsense GUI and created appropriate firewall rules in the gui on this alias. I chose to disable the alias from GUI as a disabled alias seems to be enough to allow me to use it in firewall rules.

The result is the same as I described:
- client asks for asfgsgagasdgfarfarerf.somedomain.com
- dnsmasq looks it up, returns to client and adds it to a pf table ALLOWTHIS
- the rule I created earlier applies instantly

There are some caveats:
- currently the ip addresses seem to be discarded from the pf table ALLOWTHIS. I have not yet figured out if it is dnsmasq cleaning up according to the TTL, but for my purposes it is no biggie
- the client might cache the dns response and not ask opnsense at all
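The two dnsmasq posts above describe a failure mode (every file in the conf-dir is read, so a stray non-.conf file stops the service) and a configuration syntax (ipset= lines that feed a pf table). The following pre-flight check is an added example, not code from the thread or from OPNsense: it walks a conf-dir, flags files that do not end in .conf (dnsmasq only skips them when the conf-dir option carries a suffix filter such as conf-dir=<dir>,*.conf), rejects lines that are not dnsmasq options, and validates ipset= values against the /<domain>[/<domain>...]/<set>[,<set>...] grammar. The sample files are constructed inline in a temporary directory; the option-line and domain regexes are my approximations of what dnsmasq accepts.

```python
"""Pre-flight check for a dnsmasq conf-dir such as /usr/local/etc/dnsmasq.conf.d.

Added example, not part of the forum thread or of OPNsense. Sample files are
constructed inline; the regexes approximate dnsmasq's option grammar.
"""
import os
import re
import tempfile

# dnsmasq option names are lowercase words joined by hyphens; a line is either
# "name" or "name=value". Anything else makes dnsmasq refuse to start.
OPTION_LINE = re.compile(r"^[a-z][a-z0-9-]*(=.*)?$")
# Hostname grammar (labels of 1-63 chars, no leading/trailing hyphen) for ipset= domains.
DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def check_ipset(value):
    """Validate the value of an ipset= option: /dom1[/dom2...]/set1[,set2...].

    Returns None when the value is well-formed, otherwise an error message.
    """
    if not value.startswith("/"):
        return "ipset value must start with '/'"
    parts = value[1:].split("/")
    if len(parts) < 2:
        return "ipset value needs at least one domain and one set name"
    *domains, sets = parts
    for d in domains:
        if not DOMAIN.match(d):
            return f"bad domain {d!r} in ipset value"
    for s in sets.split(","):
        if not s:
            return "empty set name in ipset value"
    return None


def lint_conf_dir(conf_dir):
    """Return a list of (filename, line_no, message) findings for one conf-dir.

    line_no is 0 for findings that concern the file as a whole.
    """
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        if not name.endswith(".conf"):
            # Read by dnsmasq unless the conf-dir option filters on *.conf.
            findings.append((name, 0, "non-.conf file would be read by an unfiltered conf-dir"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue  # blank lines and comments are always fine
                if not OPTION_LINE.match(line):
                    findings.append((name, no, f"not a dnsmasq option line: {line!r}"))
                    continue
                key, _, value = line.partition("=")
                if key == "ipset":
                    err = check_ipset(value)
                    if err:
                        findings.append((name, no, err))
    return findings


def demo():
    """Build a constructed conf-dir, lint it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "ALLOWTHIS.conf": "ipset=/somedomain.com/ALLOWTHIS\n",   # the line from the post
            "README": "# Dnsmasq plugin directory:\n# Add your *.conf files here\n",
            "notes.txt": "remember to reload pf after editing\n",    # constructed free text
            "broken.conf": "ipset=somedomain.com/ALLOWTHIS\n",       # constructed: missing leading '/'
        }
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return lint_conf_dir(d)


if __name__ == "__main__":
    for fname, no, msg in demo():
        print(f"{fname}:{no}: {msg}")
```

Run against a real directory with lint_conf_dir("/usr/local/etc/dnsmasq.conf.d") before restarting the service; an empty list means nothing in the directory should trip the parser.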
#6
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in linux iptables.

Let's consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com. I do not know the IP addresses, I do not even know the host name, only a wildcard match. The IP address<>host name may change in time.

In linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in opnsense pf?
#7
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in linux iptables.

Let's consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com

In linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in opnsense pf?
#8
22.1 Legacy Series / Re: zabbix agent not working
March 03, 2022, 05:45:55 PM
Ok, it seems I found the reason for zabbix agent not responding, but not the underlying cause yet.

It seems to be blocked by firewall:
<134>1 2022-03-03T18:15:09+02:00 ##### filterlog 88758 - [meta sequenceId="14242"] 10,,,02f4bab031b57d1e30553ce08e0ec131,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,65087,10050,0,S,2442566319,,65228,,mss;nop;wscale;sackOK;TS

This machine does not have Firewall > Rules > Loopback in the GUI which i have on other hosts where it contains automatically generated rules to allow anything from lo0.

I do not think that I have done any allow rules on lo0 (127.0.0.1) on any opnsense machines, but on this one the section is missing, the automatically generated rules are missing and I cannot choose the Loopback interface when creating a "Floating" rule.

Also, verified with pfctl that on this host lo0 pass rules are missing.

I managed to create a floating rule to allow traffic from 127.0.0.1 to 127.0.0.1 ip on any interface and this seems to alleviate the original problem. Zabbix agent now responds.

However, the updated issue is now different - how come the Loopback section is missing and how do I get it back?
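The filterlog line quoted above is what gave the diagnosis away: pf blocked a SYN from 127.0.0.1 to 127.0.0.1:10050 on lo0. The parser below is an added example, not code from the thread or from OPNsense; it strips the RFC 5424 syslog header, splits the comma-separated filterlog record using the field positions visible in the quoted IPv4/TCP line, and flags any block on lo0, which is exactly the symptom of missing loopback pass rules. The IPv6 layout is my reading of the format and is marked as an assumption; all sample lines except the quoted one are constructed.

```python
"""Parse OPNsense filterlog lines and flag blocked loopback traffic.

Added example, not from the forum thread or from OPNsense. IPv4 field positions
are taken from the line quoted in the post; the IPv6 layout is assumed. Sample
lines other than the quoted one are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 header as in the post: "<134>1 <ts> <host> filterlog <pid> - [meta ...] <csv>"
HEADER = re.compile(r"filterlog\s+\S+\s+\S+\s+(?:\[[^\]]*\]\s+)?(?P<csv>\d+,.*)$")


@dataclass
class FilterEvent:
    rule: str
    label: str
    interface: str
    action: str
    direction: str
    ipver: int
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_filterlog(line):
    """Return a FilterEvent, or None if the line is not a parseable filterlog record."""
    m = HEADER.search(line)
    csv = m.group("csv") if m else line.strip()
    f = csv.split(",")
    if len(f) < 9:
        return None
    # Common prefix: rulenr, subrulenr, anchor, label, interface, reason, action, dir, ipver
    rule, _sub, _anchor, label, iface, _reason, action, direction, ipver = f[:9]
    rest = f[9:]
    if ipver == "4":
        # tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst
        if len(rest) < 11:
            return None
        proto, src, dst = rest[7], rest[9], rest[10]
        l4 = rest[11:]
    elif ipver == "6":
        # Assumed layout: class, flowlabel, hoplimit, protoname, protonum, length, src, dst
        if len(rest) < 8:
            return None
        proto, src, dst = rest[3], rest[6], rest[7]
        l4 = rest[8:]
    else:
        return None
    ev = FilterEvent(rule, label, iface, action, direction, int(ipver), proto, src, dst)
    if proto in ("tcp", "udp") and len(l4) >= 2:
        # For tcp/udp the next two fields are source and destination port.
        ev.src_port, ev.dst_port = int(l4[0]), int(l4[1])
    return ev


def blocked_loopback(lines):
    """Events where pf blocked traffic on lo0, the symptom described in the post."""
    out = []
    for line in lines:
        ev = parse_filterlog(line)
        if ev is not None and ev.interface == "lo0" and ev.action == "block":
            out.append(ev)
    return out


SAMPLE_LINES = [
    # Line quoted in the post: SYN to the zabbix agent blocked on lo0.
    '<134>1 2022-03-03T18:15:09+02:00 ##### filterlog 88758 - [meta sequenceId="14242"] '
    '10,,,02f4bab031b57d1e30553ce08e0ec131,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,'
    '127.0.0.1,127.0.0.1,65087,10050,0,S,2442566319,,65228,,mss;nop;wscale;sackOK;TS',
    # Constructed: a permitted DNS query on lo0, must not be flagged.
    '<134>1 2022-03-03T18:15:10+02:00 fw filterlog 88758 - [meta sequenceId="14243"] '
    '9,,,1a2b3c,lo0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,77,127.0.0.1,127.0.0.1,54321,53,57',
    # Constructed: a block on the WAN interface (TEST-NET addresses), must not be flagged.
    '<134>1 2022-03-03T18:15:11+02:00 fw filterlog 88758 - [meta sequenceId="14244"] '
    '12,,,4d5e6f,em0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,'
    '44321,22,0,S,1,,65228,,mss',
]

if __name__ == "__main__":
    for ev in blocked_loopback(SAMPLE_LINES):
        print(f"rule {ev.rule} blocked {ev.proto} {ev.src}:{ev.src_port} -> {ev.dst}:{ev.dst_port} on {ev.interface}")
```

Feeding /var/log/filter.log (or the syslog stream) through blocked_loopback() gives a quick check that no local service is being cut off by a missing lo0 pass rule; a non-empty result is worth investigating before adding a floating rule as a workaround.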
#9
22.1 Legacy Series / zabbix agent not working
March 03, 2022, 04:45:46 PM
I feel stupid, but I cannot get zabbix agent to function on a particular opnsense machine. It works fine on several of them, but not at all in one.

Opnsense 22.1.2_1
os-zabbix-agent 1.11

I have also tried to install another zabbix version (os-zabbix54-agent), same behaviour.
Zabbix agent conf is pretty basic:


Zabbix agent starts up with no errors, seems to listen to port 10050:
# sockstat | grep 10050
zabbix   zabbix_age 39652 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39642 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39623 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39546 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39464 4  tcp4   127.0.0.1:10050       *:*


However, when I run the following (it should immediately return the zabbix agent version), it just lags until a timeout:
root@mono:~ # zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
zabbix_get [93235]: Timeout while executing operation


it just hangs. Tcpdump on lo0 shows only packets going to port 10050, nothing returns:
17:08:08.858071 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000361919 ecr 0], length 0
17:08:09.868097 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000362929 ecr 0], length 0
17:08:12.095885 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000365157 ecr 0], length 0


Zabbix agent log with extended debugging seems normal, seems to loop on its own stuff, nothing "extra" gets added when I run zabbix_get:
99440:20220303:172553.024 In update_cpustats()
99440:20220303:172553.024 End of update_cpustats()
99440:20220303:172553.024 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172554.074 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172554.074 In update_cpustats()
99440:20220303:172554.074 End of update_cpustats()
99440:20220303:172554.074 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172555.085 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172555.085 In update_cpustats()
99440:20220303:172555.085 End of update_cpustats()
99440:20220303:172555.085 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172556.149 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172556.149 In update_cpustats()
99440:20220303:172556.149 End of update_cpustats()
99440:20220303:172556.150 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172557.159 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172557.159 In update_cpustats()
99440:20220303:172557.159 End of update_cpustats()
99440:20220303:172557.159 zbx_setproctitle() title:'collector [idle 1 sec]'


I am totally at a loss what to try next.

On another host, same settings, same software versions, all works well:
# zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
5.0.19

#10
I have stumbled upon the fact that dash character (-) is not accepted in a cron job description field. Is this intentional? Have not tried on 22.1 yet, but on 21.7:



Works fine without a dash.
#11
Thanks, I'll try that.
But the udp6 wildcard part? Any idea? The opnsense gui help text is misleading to say the least.
#12
Hi,

for reasons I would rather not go into at the moment, I would like to bind dnsmasq to specific interfaces. However, no matter what I do, according to netstat it binds additionally to:
udp6       0      0 ::1.53
udp4       0      0 127.0.0.1.53

I have selected two interfaces on my system and enabled Strict Interface Binding which says: If this option is set, Dnsmasq will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses. This option does not work with IPv6. If set, Dnsmasq will not bind to IPv6 addresses.
#13
Hard to check after the fact, but I don't think syslog crashing was the issue. Other logs were behaving normally.
#14
20.7 Legacy Series / Re: Ipsec does not log anything
September 21, 2020, 05:42:15 PM
I think it was either 20.7.0 or 20.7.1.
Anyway, did an update to 20.7.2 and the stuff started to appear in ipsec.log during the update, even before reboot.
Go figure.
#15
20.7 Legacy Series / [Solved] Ipsec does not log anything
September 21, 2020, 03:46:58 PM
Hi,

I feel completely stupid, but I cannot get ipsec to log anything on a certain opnsense machine. I have turned everything to Raw under VPN->IpSec->Advanced Settings->IPsec Debug and still nothing - /var/log/ipsec.log remains empty.