Messages - coffeecup25

#1
General Discussion / Re: Hello from a pfSense user
August 28, 2025, 10:09:18 PM
Quote from: chudak on August 28, 2025, 07:38:18 PM
Hello

I've been on pfS CE and plus for last 8 years.
Due to some technical issues I am considering to update my h/w (bought Glovary 4 port box) and also thinking maybe it's time to move to OPNSense.

Can someone share experiences and clues how easy/difficult this move may be?

TIA

I did this recently. Actually I now go back and forth because 1 is in use while the other is a lab that later goes back into use.

OPNsense has everything in a different place. That was the biggest problem. Once you find what you want it mostly works the same.

ISC is also being deprecated in OPNsense. I settled on Kea as it seemed better for my purpose. The only problem with Kea is if you use an override DNS server. This would occur if you used pihole or Adguard Home on a 24/7 server. You have to UNCHECK a box for the entry field to appear. I don't remember the name of the box at this time.

I also use Adguard Home on OPNsense. It works great. With one LAN the setup is fairly easy. With 2 LANS you need to edit AdguardHome.yaml for Adguard Home to see both subnets. Normal unbound works fine in this configuration if AdguardHome.yaml is edited.

I also have AdguardHome working in pfSense on the same box. I found some instructions from someone in India that covered it.
#2
Quote from: Patrick M. Hausen on August 10, 2025, 08:58:32 PM
Quote from: Jyling on August 10, 2025, 08:53:44 PM
There is no other technical possibility to further harden RDP, unless you are willing to set up VPN.

You should not run RDP over the Internet but always use a VPN. Or some HTTPS based solution with 2FA enabled, like Apache Guacamole.

Agree strongly.

When I travel, I never access Remote Desktop or any other internet protocol for getting back home, without going through a VPN. Let the VPN be the only open port to your home. If the VPN is set up properly, accessing your network is no different from you being on the local LAN. Using OPNsense as a VPN server is where it shines.

I can't speak to Wireguard as I used OpenVPN and travel little now. But certificates tied to user ids and the need for each device to host a unique certificate is pretty secure. Close the port when not needed.
#3
General Discussion / Re: Unbound with no upstream DNS
August 10, 2025, 05:22:38 PM
Netlearn,

I agree with everything you said. In the US I really don't care much about who serves me my DNS as many public ones prefilter the data for me. But the world is changing and it's more than ad serving to worry about now in various places.

My Adguard Home server on my router started this whole adventure. It requires unbound to use an override port for listening for DNS.

A new network for IOT could not connect (initially) with DNS and needed an entry for an outside server on the DHCP page, which was very hard to find for KEA. (This created an uproar.) I wrote rules that kept LAN and IOT apart. This caused me to learn more about unbound than I ever dreamed. Before this, it was only a word people used about DNS.

Also, I finally figured out how to get DNS to the new subnet without the DHCP override. Firewall rules had nothing to do with it. The AdguardHome.yaml file needed to be edited to add a 2nd bind network. I also added a line for the new network to talk to the new Unbound DNS port.

I'm undecided on unbound for me right now. I tried it exclusively and some initial loads take a long time, although they are fast after they cache. I will play with it over time.
#4
General Discussion / Re: Unbound with no upstream DNS
August 09, 2025, 02:40:14 PM
I just read an article about how internet privacy is changing in Europe. It was surprising. I now see why the privacy that unbound offers is so important. It's not VPN level privacy, but every little bit helps.
#5
General Discussion / Re: Unbound with no upstream DNS
August 08, 2025, 02:47:21 PM
Yes, it appears you were using unbound. I spent some time researching unbound yesterday and I see more about what the others were saying about it. It's a full DNS server that knows how to access the DNS Database far away. You bypass the upstream servers. In fact, I didn't know it but I think I am using unbound on my main LAN even though I have DNS servers listed on the settings pages.

However, if you want to access pihole or adguard home on an outside home server, the general way to do that is by entering the fixed ip address for the home server on the DHCP page, bypassing unbound, unless you choose to use unbound in pihole. IDK about Adguard Home in that context. Both make upstream DNS servers easy to select and use. Unbound by design goes straight to the source DNS Database.

Upstream DNS servers offer other benefits. All need to cover their costs so all users probably contribute to that somehow. But Adguard provides a free public upstream server that provides ad blocking. I use it on my cell phone by simply typing in the ip address for it. Many claim to keep no logs. Many others offer a free and clean version of the same public DNS Database that unbound reads. The Public one is raw data and has warts and all. At least some of the upstream servers filter out a lot of the bad stuff before you get to see it. You need an adblocker and / or antivirus as protection with unbound.

I'm going to look into finding out how to not use unbound for access to the dns database for this reason. I want to use the servers listed on the settings pages, although I can always go to the DHCP page if needed. I now personally consider unbound to be a last resort situation for dns resolution.

Also, I added a 2nd subnet and locked it out of the main LAN for security reasons. That apparently locked that subnet out of unbound and all DNS. The internet could not be accessed. Lots of failed heroics including the need to wipe and reload OPNsense failed to bypass that lockout for DNS. So, I simply added an outside DNS server to the DHCP page for the new subnet and it popped to life.

So, in summary, unbound is a choice with good and less good considerations.

Edit: I used the DHCP page to bypass unbound. Entering external DNS servers on the DHCP page caused Adguard Home on OPNsense to be bypassed completely. This approach completely eliminated ad blocking. I will try the 'Settings Pages' approach later.

I have 2 home servers for backup and other purposes. Both also have Adguard Home for Windows installed. Adguard Home there is for backup purposes. Both use upstream DNS servers for defaults. Both were entered in the DHCP page and both fired up perfectly.

I will also try entering upstream DNS Servers directly into Adguard Home on OPNsense later to see what happens. The two external Adguard Home servers are configured in this way. Unbound may or may not need the listening port to be changed. I will be surprised if it works the 1st time if at all. The 'settings page' DNS servers are most likely to retain adblocking, but not certain. Unbound DNS may be required for Adguard Home to be installed on OPNsense. Perhaps turning off all DNS in OPNsense to let Adguard Home do it using upstream servers will work? This will be another test.

(Why use OPNsense if 2 perfectly good home servers can do the job? Outside HOME DNS servers are a point of failure for the entire home network. Internal access to the DNS database is far more reliable. As is entering more than 1 external DNS server. That's why there are 2 home servers and Windows is sometimes not completely reliable when it decides to reboot on its own. 2 pihole servers in Ubuntu / Hyper-V proved that last year. Linux as a home server is overrated. Too many accommodations need to be taken to ignore what it can't do.)
#6
zackboll, I'm responding to your original post. I have not read most of the rest of the thread as dual WAN is not in my network at this time.

I also recently changed over from pfSense. As this is a hobby for me, I am going from one to the other as I experiment. They are both excellent software routers.

The biggest problem I had with OPNsense initially was that everything is in a different place from pfSense. This is to be expected and normal. But it's a good chance something on your initial setup was missed. Take another look unless you have already done this and are sure they are comparable.
#7
Quote from: viragomann on August 04, 2025, 10:02:23 PM
Here is an example for the alias as destination with invert.

Quick question as this has been unclear since someone else mentioned the invert option.

These non-public addresses are non-routable by definition, or so I have been told to believe. So, since it is supposedly impossible for them to travel the internet, why does a rule need to be created to prevent it? If they could travel, everyone with a 192.168.1.1/24 subnet would be in everyone else's 192.168.1.1/24 subnet. Since I create my own subnets, I have no need to prohibit ones that don't exist from going anywhere on my network. Basic firewall operations in every router on earth (NAT / SPI) keep the outside from coming in unless a port is open for them - IPS/IDS is for that.

How does that invert with non-public addresses work as it is very unclear to me what it is actually doing.
#8
Quote from: t84a on August 05, 2025, 04:59:48 PM
Initially, I did a search and did find hits on OPNSense affecting this. Simple first question, if I can cast with a PC but not a tablet/phone, would that mean that the problem is not OPNSense related? Thanks

Probably not. ROKU has issues with some casting from some phones but always works with Windows. Some phones can't cast. I couldn't from an old Motorola I once owned. OPNsense couldn't possibly know anything about it, normally. I've seen some apps that allow Android casting to ROKU, but not all worked and they cost money.

I can't speak to FireTV or GoogleTV, except for the Motorola phone that couldn't cast to anything.
#9
cookiemonster,

Thank you for your reply.

Regarding my understanding of DNS Servers, you are correct from one point of view that I did not describe them well.

However I stand by my point that the DNS source data is a 'black box' from the far downstream user's perspective. It is in no way essential to understand for the public DNS System to parse out an ip address from a name. It only has to work. The user only has to enter a name in a url or click on a link.

The programmer has to understand how to properly query a database of ip addresses in order to get the required information.

The problem with DNS Hierarchy explanations is that they are all horrible, generally speaking. Nobody can ask a simple question without getting an overflow of non-essential and over-complicated explanations about how the parsing is done. From a programmer's point of view, Upstream DNS servers are a database that needs to be queried properly. That's it. There's nothing magical about them although they are probably one of the most amazing inventions in the world.

Unbound is only a program that queries the DNS Database (I'm calling it a database to remove the mystique). It also coordinates ports in use for where to listen for DNS information between the downstream application and the router. I'm sure it does a lot more.

Until a couple of days ago, Unbound was only a name for something people seemed to talk about with reverence and otherwise seemed too out there to comprehend. I don't claim to be any kind of expert, but nobody needs to be to use it.

Unbound appears to be something nobody needs to think about unless you do something out of the ordinary with your router. I added a 2nd subnet for IoT and wrote rules to keep it completely apart from the main LAN subnet. These rules apparently locked unbound out of the new subnet also. Therefore, the need to use override DNS servers in the DHCP Server Page to access the internet. This technique is common, and may be also essential, to send DNS queries to pihole or Adguard Home if they are on separate home servers on the home lan. My experience is this is the standard way to get to them.

Adding 'relevant rules' to bypass the one that kept the subnets apart was impossible for me as the port fields were protected from entry. Plus, I was not looking forward to the trial and error that would have been required as nobody is born with the knowledge to do this. So I used 'plan B' and I did it the common ordinary and real easy way by using the dns server override fields on the DHCP page for the IoT subnet. Worked like a charm. (Why put those entry fields there if they are not supposed to be used? Even though OPNsense hides them on KEA. I'm starting to wonder if that is politics rather than a simple programming error. If it is politics then that is a mistake. That would mean very fussy users are the driving force behind the design of a product intended for general use. Not good. Routers like OPNsense can be complicated simply to make them do what the users need. Adding religion into it makes it much harder to even understand.)

There are dozens of large public DNS servers that are in common use and perfectly safe. Adguard offers one that can be accessed using several techniques. It's safe and provides excellent ad blocking. I use their free public one on my phone by their dns number. Unbound is an amazing program that does far more than I imagined a couple of days ago, but there's nothing pure or holy about it. I need it to coordinate DNS ports between Adguard Home on OPNsense and the main router. I also have several outside DNS servers noted on various places in OPNsense. All are quite safe. None are the back-alleys that some people like to scare others about.

#10
Quote from: viper3two on August 06, 2025, 09:53:19 PM
All, I am totally new at this. Maybe if I explain a bit further it would help. I am going to set this up on our local network at work, between our asa and the lan. I found an article on how to create a transparent bridge and got the hunsn firewall since it had several interfaces. I was able to flash opnsense (it came with pfsense), and was able to connect a laptop to the lan port and see the web interface at 192.168.1.1. I was wanting to set up an interface so that I could connect it to our local lan to see the web interface, and that is what I am attempting to do. Our local lan is on 10.x.x.x and it is /21. Our local lan has NO dhcp servers or services running, so everything on our network is static IP. I have a free ip to use for the interface, and I set it up using that IP. I also set up a pass firewall rule to pass everything in/out on that interface. We do have a dns server on our local lan which is our domain controller. I don't know where to enter that information so the interface sees it. I can go to the statistics and it shows entries coming in but not going out of that interface, and I am unable to ping it either. I do see other devices on our local lan on the stats so I know it is seeing the network, but still unable to access the web interface using that IP or ping it. Is this possible? My basic high level idea was create a transparent bridge for filtering traffic. Thank you, and again I am totally new at setting this up. I am studying all I can on this to figure it out.

I'm going to be blunt. I didn't even try to read through all your confusion. We were all beginners once. I have a rather complicated home system and I don't do anything as complicated as what I think you were trying to describe.

Unless there's a reason not to, just build a basic lan. Get it working. Then add the missing parts you need, not the ones you think you might need because you think you heard someone say something.

Adding a 2nd subnet is easy. It sounded like you already did that. Do the rules thing I mentioned above. Then add a dns server to the dhcp. You will connect to the internet. Use unbound as the selected dns server but forget unbound as this magical complex thing.

If you need more, then it's a new problem.

#11
Quote from: tessus on August 06, 2025, 09:35:12 PM
Thank you. I have also read up on that topic, but there are a few drawbacks. I would have to activate a community repo to install the AdGuard plugin. Then there is the fact that local queries are also forwarded to Unbound, so it is the same flow as my current architecture. The only difference being both services running on the same machine. As mentioned in my first post, I rather want to use local address resolution first and then use pihole/adguard/whatever as upstream. But this is apparently only possible, if one accepts that conditional blocking won't work upstream since all requests will come from the same IP.
Additionally the configuration of AdGuard is not done via the OPNsense UI, so I also have to use a separate UI for it as it is with pihole.

I do not see any advantage moving to this architecture over sticking with my current setup (other than having the services on a single box). In fact using NAT to redirect all DNS requests of clients, which try to use another DNS, to my pihole is easier, because I only have to create one rule instead of one for each VLAN or DHCP interface.

I've also learned of the possibility to add blocklists to Unbound, but then there is no way to whitelist domains for specific clients. Otherwise I could have dropped pihole/Adguard altogether and just used Unbound.

Maybe this is off-topic, but I think it's related or at least touches DNS: While reading the documentation I've noticed a few confusing and in my opinion wrong statements. There is an important message box that states the following: Domain overrides has been superseded by Query Forwarding.
Hmmm, what? I use domain overrides to add custom DNS records and aliases. This cannot be done via query forwarding. With that the above statement is false. You cannot supersede something, if the new thing does something completely different. This makes no sense.


You are greatly overcomplicating a rather simple situation. Installing Adguard Home into OPNsense is a little complicated with regards to coordinating DNS ports. It is exceptionally simple to use any router software or retail router in conjunction with separate pihole or Adguard Home servers in the same LAN. Local ip addresses tag along by default.

Best Wishes.
#12
Quote from: Patrick M. Hausen on August 06, 2025, 09:15:39 PM
Quote from: coffeecup25 on August 06, 2025, 08:33:54 PM
then subnet #2 might not find unbound depending on the firewall rules.
That's why you need to add rules for local services like DNS or NTP.
Works perfectly well.

I tried for an hour off and on and the port override fields were locked. No entry permitted. There's heroics and maximum effort, and there's getting the job done in a perfectly acceptable way that is easy for another person to figure out and maintain later if needed. As I said, Unbound as a dns server is a convenience, but there's nothing pure and true about it. I'm using it as a program that only coordinates. The function calls to the database of dns addresses are not needed. Especially since it does not work properly in my situation without heroics being involved.

I also added a couple of NTP servers in the hidden fields, just because. I didn't want a rude surprise later in case one was coming.
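The two firewall questions raised in this thread (post #7: what an inverted "private networks" destination alias actually does, and post #12: why an isolated subnet still needs explicit pass rules for local services such as DNS and NTP on the firewall itself) come down to first-match rule evaluation with a default deny. The following is an added illustration written for this page, not code from OPNsense or from any poster; the alias names, subnets and rule descriptions are constructed placeholders, and the evaluator is a simplified model (protocol, source, destination, destination port, no states or interface binding).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed aliases for the illustration (placeholders, not taken from the forum page).
# "PrivateNets" is the usual RFC 1918 bundle that people put behind an inverted
# destination match to mean "anything that is NOT one of my own networks".
ALIASES: Dict[str, List[str]] = {
    "PrivateNets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "IoT_net": ["192.168.20.0/24"],     # hypothetical isolated IoT subnet
    "IoT_gw": ["192.168.20.1/32"],      # firewall's own address on that subnet
    "LAN_net": ["192.168.1.0/24"],      # hypothetical main LAN
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "udp" or "tcp"
    src: str                    # alias name or "any"
    dst: str                    # alias name or "any"
    dport: Optional[int] = None # None = any destination port
    invert_dst: bool = False    # the "destination / invert" checkbox
    descr: str = ""


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any network of the named alias ("any" matches all)."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if not in_alias(pkt["src"], rule.src):
        return False
    dst_hit = in_alias(pkt["dst"], rule.dst)
    if rule.invert_dst:           # invert flips the destination test only
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """First matching rule decides; with no match the implicit default-deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"


# Rule set for the isolated subnet. The inverted alias is the last rule: it passes
# traffic to everything that is NOT private space. The firewall's own address IS
# private space, so without the first three rules DNS/NTP to the firewall would
# fall through to default deny, which is the "locked out of unbound" symptom.
IOT_RULES: List[Rule] = [
    Rule("pass", "udp", "IoT_net", "IoT_gw", 53, descr="DNS to firewall"),
    Rule("pass", "tcp", "IoT_net", "IoT_gw", 53, descr="DNS to firewall (TCP)"),
    Rule("pass", "udp", "IoT_net", "IoT_gw", 123, descr="NTP to firewall"),
    Rule("pass", "any", "IoT_net", "PrivateNets", invert_dst=True, descr="Internet only"),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a few constructed packets from the IoT subnet."""
    iot_host = "192.168.20.50"
    return {
        "dns_to_firewall": evaluate(IOT_RULES, {"proto": "udp", "src": iot_host, "dst": "192.168.20.1", "dport": 53}),
        "smb_to_lan": evaluate(IOT_RULES, {"proto": "tcp", "src": iot_host, "dst": "192.168.1.10", "dport": 445}),
        "https_to_internet": evaluate(IOT_RULES, {"proto": "tcp", "src": iot_host, "dst": "203.0.113.5", "dport": 443}),
        # same DNS packet with only the inverted rule present
        "dns_without_service_rule": evaluate(IOT_RULES[3:], {"proto": "udp", "src": iot_host, "dst": "192.168.20.1", "dport": 53}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision[0]:5s} ({decision[1]})")
```

Run as written, the LAN-bound packet is blocked with no explicit block rule at all: the inverted alias simply never matches a private destination, so the packet reaches the default deny. That is why the invert option is used instead of a positive "block to LAN" rule, and why the pass rules for the firewall's own DNS and NTP must sit above it.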
#13
Quote from: Patrick M. Hausen on August 06, 2025, 08:25:51 PM
Unbound isn't a service but a local recursive DNS server. It's maintained by volunteers like so many open source projects. You just run it locally, e.g. on OPNsense.

Any fully recursive DNS server - Unbound, BIND, djbdns (*gasp* the author is ... difficult to say the least) does not need a fixed upstream "service" to resolve names on the Internet. DNS is a *distributed* database. That is the point.

I explained it all in detail here:

https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462

HTH,
Patrick

It's still information out of yours, and mine, and everyone else's control. Public DNS servers offer other capabilities than DNS, like filtering and no record retention, or so they say.

And, to return to the original point, sometimes you need to use a public server to solve a problem. Especially since there's absolutely nothing wrong with using one.

Edit: I think I figured out why there needs to be a public DNS server entered.

I looked up unbound and how it works. Omitting the DNS hierarchy because it's a black box essentially, unbound is a program that queries a database for an ip address. It may ask a few times, before it gets the right answer, but it gets it or it doesn't. It's basically a series of function calls from a programmer's point of view. Then it caches the reply for later use if needed. Public dns servers do the same thing but make money at it one way or another.

OPNsense appears to tie unbound to the primary LAN. If a new subnet is locked out of the primary LAN, as most would be, then subnet #2 might not find unbound depending on the firewall rules. I could not bypass my port 53 / 5353 situation because OPNsense protected those fields on the rules page. Therefore, a public DNS server is needed.

Also, as I wrote above, accessing pihole or Adguard Home on a home server would also necessitate an override DNS.
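The point in the quoted reply and in the edit above (a recursive resolver such as Unbound needs no upstream: it starts at the root, follows referrals down the hierarchy, and caches the answer) can be shown with a small simulation. This is an added example written for this page, not Unbound's code and not from any poster; the three "servers", their RFC 5737 documentation addresses and the names under `example.test` are all constructed, and a real resolver would of course send real UDP/TCP queries and handle DNSSEC, TTLs and much more.

```python
from typing import Dict, List, Optional, Tuple

# --- Constructed toy DNS hierarchy (RFC 5737 documentation addresses, not real servers) ---
# Each toy server knows two things: names it is authoritative for ("auth") and child
# zones it refers the asker onward to ("deleg"). Names are fully qualified with a
# trailing dot, as in the real protocol.
TOY_SERVERS: Dict[str, dict] = {
    "198.51.100.1": {                       # stands in for a root server
        "auth": {},
        "deleg": {"test.": "198.51.100.2"},
    },
    "198.51.100.2": {                       # stands in for the TLD server of "test."
        "auth": {},
        "deleg": {"example.test.": "198.51.100.3"},
    },
    "198.51.100.3": {                       # authoritative for "example.test."
        "auth": {"www.example.test.": "203.0.113.10",
                 "mail.example.test.": "203.0.113.25"},
        "deleg": {},
    },
}
ROOT_HINT = "198.51.100.1"   # a real resolver ships a root-hints file for this


def ask_server(server_ip: str, qname: str) -> Tuple[str, Optional[str]]:
    """Simulate one query to a toy server.

    Returns ("answer", ip), ("referral", next_server_ip) or ("nxdomain", None).
    """
    server = TOY_SERVERS[server_ip]
    if qname in server["auth"]:
        return "answer", server["auth"][qname]
    # Pick the most specific child zone that contains the queried name.
    best: Optional[Tuple[str, str]] = None
    for child, ns_ip in server["deleg"].items():
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best[0]):
                best = (child, ns_ip)
    if best is not None:
        return "referral", best[1]
    return "nxdomain", None


class ToyRecursiveResolver:
    """Iterates root -> TLD -> authoritative, then caches, like a real recursive resolver."""

    def __init__(self) -> None:
        self.cache: Dict[str, Optional[str]] = {}   # negative answers are cached too
        self.queries_sent: List[Tuple[str, str]] = []  # (server, qname) audit trail

    def resolve(self, name: str) -> Tuple[Optional[str], bool]:
        """Return (ip_or_None, served_from_cache)."""
        qname = name if name.endswith(".") else name + "."
        if qname in self.cache:
            return self.cache[qname], True
        server = ROOT_HINT
        for _ in range(8):                 # hop limit guards against referral loops
            self.queries_sent.append((server, qname))
            kind, value = ask_server(server, qname)
            if kind == "referral":
                server = value
                continue
            result = value if kind == "answer" else None
            self.cache[qname] = result
            return result, False
        raise RuntimeError("too many referrals while resolving " + qname)


if __name__ == "__main__":
    r = ToyRecursiveResolver()
    print(r.resolve("www.example.test"))   # three queries: root, TLD, authoritative
    print(r.resolve("www.example.test"))   # answered from cache, no query sent
    print(r.resolve("nope.example.test"))  # NXDOMAIN from the authoritative server
    for hop in r.queries_sent:
        print("asked", hop)
```

The audit trail is the part worth looking at: the first lookup costs three round trips and no third-party "upstream" is ever involved, the second lookup costs none, and a non-existent name still walks the hierarchy before being cached as negative. This is also why a first load through a fresh recursive cache can feel slow while repeat visits are fast, as post #3 describes.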
#14
Quote from: Patrick M. Hausen on August 06, 2025, 08:10:06 PM
Quote from: coffeecup25 on August 06, 2025, 07:59:06 PM
Surprise. Then you're using your ISP's resolver, which may be google or anyone else.

No I am not. Unbound is a perfectly capable recursive DNS server that does not need any upstream.
I am an ISP. I have been doing this for three decades. Don't try to teach me DNS fundamentals.

And I perfectly understand the DNS hierarchy and how it is supposed to work - surprise.

Well butter my rear and call me a biscuit. I didn't know that. Until now, I thought unbound was only software and a dns program. I didn't know it was a complete enterprise.

Same question ... What makes unbound pure and the other not so pure? It's all information that comes from out of your control. Unless you personally are unbound and speaking for yourself.

How does unbound make its money? Offering free 100% reliable DNS to the world must be very expensive. I'm sure it doesn't come from the air like electricity comes from the wall.
#15
Quote from: Patrick M. Hausen on August 06, 2025, 07:18:34 PM
Quote from: coffeecup25 on August 06, 2025, 07:16:12 PM
Well, I agree unless doing that doesn't work. Then you point to the override dns servers.

I prefer to make things work that should by finding the root cause of the failure. And I do not use public resolvers at all.

Surprise. Then you're using your ISP's resolver, which may be google or anyone else. There is no 'official' DNS resolver. They follow a hierarchy I won't pretend to understand because it's not relevant. But, the ones we all use are public DNS servers at one level or another.

Also, it's just possible that an ISP DNS resolver is used to aggregate information to sell for a little extra cash. Therefore, public resolvers with the right retention policies are actually much more private.