Messages - mayo

#1
Italian - Italiano / Re: OPNsense e Fibra Fastweb
February 07, 2021, 11:21:11 AM
Coming back to this old post.
I have now configured OPNsense with the WAN in DHCP, and it gets its IP address directly from the Fastgate (FTTH), not in DMZ. Everything works fine except that, even though I have a gigabit connection, my speedtest from the OPNsense console sits at around 70mb/s. I would like to try putting OPNsense in the Fastgate's DMZ but, even following the guide on the FB forum, I can't browse.
Has anyone succeeded with this configuration? Is there a detailed guide?
Thanks everyone!
#2
Hi spetrillo, I have the same issue: Suricata blocks some communications from/to my Pi-hole. Did you configure Suricata for LAN or WAN or both? That's just to know if I did it the right way...
In the meantime we wait for someone to help us.
Quote from: spetrillo on January 02, 2021, 07:58:53 PM
Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53   
2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these, but if I disable the alert I fear I am going to miss real issues. If I disable it, does it mean I just disable this type or all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve
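The two alert lines quoted above are the textbook case for a Suricata threshold.config "suppress" entry, which silences one signature for one host instead of disabling the rule for every client. The following Python is an added example, not code from this thread or from the Suricata or OPNsense projects: it parses the one-line alert format shown in the post, applies suppress-style entries keyed on the Pi-hole address taken from the log lines (192.168.30.8), and prints the equivalent threshold.config lines. The two extra sample lines (a second client and a placeholder local signature) are constructed; the log line layout is assumed to be the one shown in the post.

```python
import ipaddress
import re
from dataclasses import dataclass

# One-line alert format as it appears in the OPNsense system log (Suricata fast.log style).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+suricata\[\d+\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_alert(line):
    """Parse one log line into an Alert, or return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), m["msg"], m["proto"],
                 m["src"], m["dst"], int(m["dport"]))


@dataclass
class Suppress:
    """One entry with the semantics of a threshold.config 'suppress' line:
    silence a single signature, but only for the tracked host or network."""
    sid: int
    track: str                      # "by_src" or "by_dst"
    net: ipaddress.IPv4Network
    gid: int = 1

    def matches(self, a):
        if a.gid != self.gid or a.sid != self.sid:
            return False
        tracked_ip = a.src if self.track == "by_src" else a.dst
        return ipaddress.ip_address(tracked_ip) in self.net

    def threshold_line(self):
        """Render the equivalent threshold.config line."""
        ip = self.net.network_address if self.net.prefixlen == 32 else self.net
        return f"suppress gen_id {self.gid}, sig_id {self.sid}, track {self.track}, ip {ip}"


def filter_alerts(lines, suppressions):
    """Split parsed alerts into (kept, suppressed) without touching other signatures."""
    kept, suppressed = [], []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        (suppressed if any(s.matches(a) for s in suppressions) else kept).append(a)
    return kept, suppressed


# The two lines from the post, plus two constructed lines: the same signature from a
# different client, and a placeholder local signature. Both must survive the filter.
SAMPLE_LINES = [
    "2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53",
    "2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950",
    "2021-01-02T13:05:11   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.77:51002 -> 192.168.1.1:53",  # constructed
    "2021-01-02T13:07:42   suricata[50565]   [1:9000001:1] LOCAL constructed placeholder alert [Classification: Misc activity] [Priority: 3] {TCP} 192.168.30.8:40000 -> 198.51.100.9:443",  # constructed
]

# Pi-hole address as seen in the post's log lines (assumed to be the Pi-hole).
PIHOLE = ipaddress.ip_network("192.168.30.8/32")
SUPPRESSIONS = [
    Suppress(sid=2027865, track="by_src", net=PIHOLE),   # the Pi-hole's own .cloud lookups
    Suppress(sid=2030555, track="by_dst", net=PIHOLE),   # RRSIG answers sent back to it
]

if __name__ == "__main__":
    kept, suppressed = filter_alerts(SAMPLE_LINES, SUPPRESSIONS)
    for s in SUPPRESSIONS:
        print(s.threshold_line())
    print(f"suppressed {len(suppressed)}, still alerting {len(kept)}")
    for a in kept:
        print(f"  [{a.gid}:{a.sid}] {a.msg} {a.src} -> {a.dst}:{a.dport}")
```

The point of keying on the host rather than the signature is visible in the output: the Pi-hole's two noisy alerts disappear, while the same .cloud signature fired by another client still alerts, which is the distinction spetrillo was after.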
#3
Thank you so much!
Quote from: tillsense on January 06, 2021, 07:50:04 PM
Quote from: mayo on January 03, 2021, 03:58:17 PM
Sorry tillsense, what do you mean by "read the announcements"?
I've updated as usual, is there something that I have to do from now?
Thank you and sorry again for the dummy question.
Mayo

Hi Mayo,

this is a hint that, with every new firmware announcement, the further information from the manufacturer in the linked pages is also read and considered.

cheers
till
#4
Hi Bart, how can I implement it in OPNsense? Thank you so much!
Quote from: spetrillo on November 04, 2020, 05:44:53 PM
Quote from: bartjsmit on October 28, 2020, 10:56:39 AM
If you're looking for something simple, like pointing it at your switch's SNMP details, then try checkmk: https://checkmk.com/open-source-monitoring.html

Bart...

Thanks for this. I am going to test it on my home virt lab.
#5
Sorry tillsense, what do you mean by "read the announcements"?
I've updated as usual, is there something that I have to do from now?
Thank you and sorry again for the dummy question.
Mayo
Quote from: tillsense on December 30, 2020, 08:02:14 PM
@all

v4.13.0.2 was released.

https://pcengines.github.io/firmware/2020/12/30/PC-Engines-Firmware-v4-13-0-2.html

https://pcengines.github.io/#mr-42

Please read the announcements.
(small tip: the serial number of the apu1 is displayed again)


cheers
till
#7
Quote from: ChrisChros on December 28, 2020, 09:23:27 AM
Quote from: Cypher100 on July 26, 2018, 03:16:37 AM
This tutorial will show you how to force all DNS queries to go through the OPNsense router regardless of the DNS servers specified on the local system. This will redirect anything going through 53 to the router itself.

Hi Cypher,
will this procedure also work for a DNS server, e.g. Pi-hole, within my environment when I fill in the IP of Pi-hole instead of 127.0.0.1 in the NAT rules?

Regards Chris

Have the same question.
#8
Did you solve it? I have the same configuration as you and want to set up everything in the best way. Thank you!
#9
You have to install it:
pkg install flashrom

Quote from: marcelmah on December 02, 2020, 03:35:12 PM
I'm trying to install it via OPNsense shell on a running device, but it says it can't find the flashrom command, do I need to install anything before I can use this? I've read that it should be included...
#10
Very interesting! I will study how to do this because I'm not such an expert... Thank you so much for your help both in configuring and understanding how it works! I hope to make it as good as I can.

Quote from: allebone on November 25, 2020, 01:45:26 PM

Just FYI, on my network I have OPNsense Unbound set to use 1.1.1.1 as a forwarder, and an internal DNS server that client nodes use and that provides DNS filtering; that DNS server gets its answers from Unbound running on the OPNsense. On OPNsense I redirect any queries on port 53 using outbound NAT to the internal DNS server, except for the source IP of the firewall and the IP of the internal DNS server, so their queries do not get looped back. This means anyone changing their DNS server to either the OPNsense firewall or any external IP is silently having their requests directed back to the internal DNS filter server. An alert is then flagged on my OPNsense. Currently I have found in my network a Roku TV and an IP camera that had hardcoded DNS servers trigger this alert. I also block outbound traffic to known DoH servers. Currently the only app that has triggered an alert trying to bypass DNS filtering by querying hardcoded external DoH servers is the app 'TikTok', after which I subsequently blocked all of ByteDance's servers at the DNS level so the apps do not function.
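To make the NAT logic allebone describes (and the Pi-hole variant of the same redirect asked about in #7) concrete, here is an added Python model that is not code from this thread or from OPNsense. It evaluates constructed flows against the "redirect port 53, except the firewall and the internal resolver" policy, blocks a placeholder DoH endpoint, and collects the source addresses that would have raised the alert. Every address other than the 1.1.1.1 forwarder from the post is constructed (RFC 1918 LAN, documentation ranges for the outside), and the rule ordering is only modelled here, not generated as pf configuration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int


@dataclass
class DnsRedirectPolicy:
    """Model of the post's setup: LAN clients are forced to the internal filtering
    resolver, while the firewall and the resolver itself are excluded so their
    upstream queries are not looped back."""
    lan_net: ipaddress.IPv4Network
    firewall_ip: str
    internal_dns: str
    blocked_doh: set = field(default_factory=set)   # known DoH endpoints (constructed here)

    def decide(self, f):
        """Return (action, new_dst): 'pass', 'redirect' or 'block'."""
        if ipaddress.ip_address(f.src) not in self.lan_net:
            return "pass", f.dst
        # Exceptions are evaluated before the redirect, like the source exclusions in
        # the outbound NAT rule; otherwise the resolver's own recursion (and the
        # firewall's forwarder traffic) would be redirected back to itself.
        if f.src in (self.firewall_ip, self.internal_dns):
            return "pass", f.dst
        if f.proto == "tcp" and f.dport == 443 and f.dst in self.blocked_doh:
            return "block", None
        if f.dport == 53:
            return "redirect", self.internal_dns
        return "pass", f.dst


def audit(policy, flows):
    """Apply the policy and return (decisions, flagged), where flagged maps each
    source IP that tried to bypass the internal resolver to the reason."""
    decisions, flagged = [], {}
    for f in flows:
        action, new_dst = policy.decide(f)
        decisions.append((f, action, new_dst))
        if action == "redirect" and f.dst != policy.internal_dns:
            flagged[f.src] = f"hardcoded DNS server {f.dst}"
        elif action == "block":
            flagged[f.src] = f"DoH endpoint {f.dst}"
    return decisions, flagged


# Constructed addresses: RFC 1918 LAN, documentation ranges for the outside world.
POLICY = DnsRedirectPolicy(
    lan_net=ipaddress.ip_network("192.168.1.0/24"),
    firewall_ip="192.168.1.1",
    internal_dns="192.168.1.20",
    blocked_doh={"203.0.113.10"},
)

SAMPLE_FLOWS = [
    Flow("192.168.1.50", "192.168.1.20", "udp", 53),    # well-behaved client
    Flow("192.168.1.40", "198.51.100.53", "udp", 53),   # device with a hardcoded resolver
    Flow("192.168.1.20", "192.168.1.1", "udp", 53),     # internal resolver -> Unbound on the firewall
    Flow("192.168.1.1", "1.1.1.1", "udp", 53),          # Unbound -> its forwarder
    Flow("192.168.1.55", "203.0.113.10", "tcp", 443),   # app trying a known DoH endpoint
    Flow("192.168.1.55", "198.51.100.80", "tcp", 443),  # ordinary HTTPS, untouched
]

if __name__ == "__main__":
    decisions, flagged = audit(POLICY, SAMPLE_FLOWS)
    for f, action, new_dst in decisions:
        extra = f" to {new_dst}" if action == "redirect" else ""
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {action}{extra}")
    for src, why in flagged.items():
        print(f"ALERT {src}: {why}")
```

The two exclusions are the part that is easy to get wrong when copying the tutorial in #7 with a Pi-hole address instead of 127.0.0.1: without them, the Pi-hole's upstream queries and Unbound's forwarder traffic are themselves caught by the redirect, which is the loop the post warns about.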


#11
Perfect! Last question: do I have to set Overrides or not with this configuration enabled?
Quote from: allebone on November 25, 2020, 03:01:48 AM
Thank you.

I setup a windows dns server and unbound to test on opnsense. I also had an issue until I found this option here :

Once I set to be able to forward queries out of the lan interface my opnsense running unbound could resolve ptr records for me by forwarding the query to the windows dns server and querying the ptr records.

Please double check your config as I believe I have confirmed it can work.

Pete
#12
Thank you allebone, I've run nslookup as you told me and I have the same results as yours with my IPs.
DNS is my pi-hole and it resolves hostnames correctly. (And currently I have no overrides configured...)
#13
I have also tried, but it's not working. It's still showing (reverse) IPs and a lot of PTR requests.
#14
Thank you allebone.
Quote from: allebone on November 21, 2020, 05:44:19 AM
I haven't tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query eg: 192.168.1.20 (assuming that is IP of DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.
I have to set up the override in OPNsense, right? And nothing in the pi-hole local DNS section?
Thank you!

#15
Hi Taomyn,
did you resolve this issue? I didn't find anything about it... Thank you in advance!

Quote from: Taomyn on June 26, 2020, 04:04:21 PM
My current network is set up so that I have internal servers providing DHCP and DNS services to my LAN, which then forward requests to my firewall via my Pi-Hole. This is all working really well except for one minor thing: the firewall cannot reverse look up any internal machines, so things like the firewall log in the web console only ever show the IP address. Internal domain lookups are fine as I have that set up in the overrides section of Unbound, but the reverse ones are not.


What's the correct way in Unbound to set up the reverse lookup for my internal subnets? I can see the "Local Zone Type" is set to "Transparent", but I cannot fathom what to change it to and where to configure the forwarder.
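Both Taomyn's question here and the 1.168.192.in-addr.arpa override suggested in #14 come down to the same computation: which in-addr.arpa domain(s) must be overridden so that Unbound forwards PTR queries for a subnet to the internal DNS server. The following Python is an added example, not code from this thread or from Unbound or OPNsense. It generalises the single /24 from #14 to any IPv4 prefix (a /22 needs four /24 zones; anything longer than /24 can only be covered by the enclosing /24 zone, since in-addr.arpa delegations exist only on octet boundaries), derives the PTR owner name Unbound will look up for a client, and checks whether a given override domain actually covers that name. The Pi-hole address 192.168.1.20 is the one assumed in #14; the /22 network in the usage block is constructed.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that cover an IPv4 network.

    in-addr.arpa delegations only exist on octet boundaries, so a /22 needs four
    /24 zones, while anything longer than /24 (e.g. a /25) can only be served by
    the enclosing /24 zone, which then also covers the other half of that /24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    if net.prefixlen == 0:
        raise ValueError("a /0 would mean the whole in-addr.arpa tree")
    zone_prefix = min(24, -(-net.prefixlen // 8) * 8)   # round up to a multiple of 8, cap at /24
    if zone_prefix >= net.prefixlen:
        covering = list(net.subnets(new_prefix=zone_prefix))   # exact cover, one or more zones
    else:
        covering = [net.supernet(new_prefix=zone_prefix)]      # over-covering /24 for /25../32
    return [zone_name(z) for z in covering]


def zone_name(net):
    """1.168.192.in-addr.arpa for 192.168.1.0/24: the leading octets, reversed."""
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip):
    """The PTR owner name Unbound looks up for a client address."""
    return ipaddress.ip_address(ip).reverse_pointer


def zone_covers(zone, ip):
    """True when a PTR query for ip falls under the given override domain."""
    return ptr_name(ip).endswith("." + zone)


def override_entries(cidr, dns_server):
    """(domain, server) pairs to enter as Unbound domain overrides, one per zone."""
    return [(zone, dns_server) for zone in reverse_zones(cidr)]


if __name__ == "__main__":
    # Constructed: a /22 LAN whose PTR records live on a Pi-hole at 192.168.1.20.
    for domain, server in override_entries("192.168.0.0/22", "192.168.1.20"):
        print(f"domain override: {domain} -> {server}")
    print(ptr_name("192.168.1.20"), zone_covers("1.168.192.in-addr.arpa", "192.168.1.20"))
```

The zone_covers check is the quick diagnosis for the "still showing IPs and lots of PTR requests" symptom in #13: if the PTR name for a client does not end in one of the override domains, Unbound never forwards that lookup to the internal server, however the override for the forward zone is configured.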