Messages - Drinyth

1
General Discussion / Re: Announce: new OPNsense community repository
« on: April 19, 2021, 04:29:54 pm »
Still loving the AdGuardHome plugin and that it works flawlessly on the same device as my opnsense installation.

I noticed from "System -> Firmware -> Plugins" that it shows up now as:

os-adguardhome-maxit (misconfigured)

It doesn't seem to affect things, but I did try deleting and reinstalling the software to see if it would go away and it doesn't? The console also displayed something about the metadata in /usr/local/opnsense/version/adguardhome-maxit being invalid or something?

2
General Discussion / Re: Announce: new OPNsense community repository
« on: January 16, 2021, 02:50:36 pm »
Looks like the service started up just fine after it was enabled. Turned down my old, physical pi-hole device yesterday. Thank you for your work on this!

3
General Discussion / Re: Announce: new OPNsense community repository
« on: January 15, 2021, 03:33:32 pm »
Thanks for your work on this. I have your Adguard package installed (although I have to run it manually for the time being as it looks like there are some startup issues with it). I didn't realize that this runs natively on FreeBSD so I'm looking forward to being able to move DNS services to opnsense and remove a server (dedicated linux Adguard [formerly pi-hole] server) off the network.

Any thoughts of incorporating static DHCP names into the DNS Rewrites section of Adguard? I have a few static DHCP entries on my network so to resolve these names, I have unbound running on a different port (which maps these names) and then have Adguard running on port 53 that forwards to this unbound service.

If the static name entries could be added directly into adguard, I could remove the unbound service from running entirely and forward directly to something upstream.

Thanks again!

4
20.7 Legacy Series / Re: Unbound service routinely stopping/crashing following 20.7.7 update
« on: December 22, 2020, 02:50:29 pm »
I only came here to say that I also have not experienced any issues with unbound crashing since upgrading to 20.7.7 on release day. I'm sorry to those that have had issues and based on the flurry of activity surrounding this, there clearly is an issue that is affecting *some* users. But not all users are having this problem.

5
20.1 Legacy Series / Re: 20.1.4 plugin: unbound-plus DNSBL
« on: April 09, 2020, 03:01:49 pm »
It looks like hphosts ad_servers.txt (and possibly the others?) is no longer actively being maintained and has been taken down:

https://forums.malwarebytes.com/topic/257401-inquiry-regarding-automated-processing-of-hosts-files/

Pi-hole is also removing it from their default configuration as well. Just a heads up in case you want to remove it from the next update. :)

6
Development and Code Review / Re: DNSBL and additional features Plugin for Unbound
« on: April 05, 2020, 09:45:48 am »
I just ran into an incident where it looks like unbound was updating its blocklist via cron and then it failed to restart due to an error in dnsbl.conf:

Apr  5 02:01:29 opnsense unbound: [50182:0] error: error parsing local-data at 2 '.text-center A 0.0.0.0': Empty label
Apr  5 02:01:29 opnsense unbound: [50182:0] error: Bad local-data RR .text-center A 0.0.0.0
Apr  5 02:01:29 opnsense unbound: [50182:0] fatal error: Could not set up local zones

This killed the process entirely and my installation was left without a working resolver (which made it appear that the internet was not working).

I checked the downloaded lists that I'm using and didn't see any one with ".text-center" in the same so maybe it's in the processing script someplace? I also noticed that one of my lists (https://hosts-file.net/ad_servers.txt) was giving me a 404 error when I tried just now to see if the offending line was in there. So perhaps a combination of the above failed download and then trying to process that download into the dnsbl.conf file?

In any case, I removed the offending line and unbound restarted normally. Maybe some further checks could be made to ensure that blocklists produce valid configurations? Or maybe a check into the blocklist update script that backs up the previous working config and reverts it if unbound refuses to start after an update (with a warning to take a close look)?

Thank you for your work with this plugin!
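
Added example, not part of the post above and not the plugin's own code: one way to implement the check the post asks for, validating every blocklist entry as a DNS name before it is written out as an unbound `local-data` line, so that an entry like `.text-center` is rejected instead of stopping the resolver. The function names, the accepted line formats, the two-label minimum and the sample input are assumptions made for illustration.

```python
import re

# One DNS label: 1-63 chars of a-z, 0-9, '-' or '_' (underscore allowed here as
# an assumption), not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}  # addresses hosts-format lists commonly use

def is_valid_name(name):
    """True if name is a syntactically valid DNS name with at least two labels."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # ".text-center" splits into ["", "text-center"]; the empty label is rejected.
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)

def build_local_data(lines):
    """Return (config_lines, rejected_lines) for an iterable of blocklist lines."""
    accepted, rejected = set(), []
    for raw in lines:
        body = raw.split("#", 1)[0].strip().lower()
        if not body:
            continue                  # blank line or comment
        fields = body.split()
        if len(fields) == 2 and fields[0] in SINK_ADDRS:
            name = fields[1]          # hosts format: "<addr> <name>"
        elif len(fields) == 1:
            name = fields[0]          # domain-only format
        else:
            rejected.append(raw)      # e.g. HTML from an error page
            continue
        if is_valid_name(name):
            accepted.add(name.rstrip("."))
        else:
            rejected.append(raw)
    config = ['local-data: "%s A 0.0.0.0"' % n for n in sorted(accepted)]
    return config, rejected

# Constructed sample input, not taken from any real list.
SAMPLE = ["# constructed sample", "0.0.0.0 ads.example.com",
          "127.0.0.1 tracker.example.net  # inline comment", "metrics.example.org",
          ".text-center", "<html><head><title>404 Not Found</title></head>",
          "0.0.0.0 localhost", "0.0.0.0 bad..example.com"]

if __name__ == "__main__":
    config, rejected = build_local_data(SAMPLE)
    print("\n".join(config))
    print("rejected:", rejected)
```

The other safeguard suggested in the post, keeping the previous working file, pairs with running `unbound-checkconf` on the newly generated configuration before the service is restarted.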

7
Development and Code Review / Re: DNSBL and additional features Plugin for Unbound
« on: March 25, 2020, 10:07:10 pm »
Just came across this after playing around with a separate pi-hole for a week or so. I like the pi-hole graphs and data, but do like the idea of having my DNS service running within opnsense itself.

This seems like a better option than having to run both unbound and bind at the same time and forward queries from one to the other. Thanks to everyone involved in this work!

I played around with logging and it does appear harder to get blocked queries out of unbound, though. It's either too verbose, or not verbose enough unfortunately.

8
19.1 Legacy Series / Re: 19.1 development milestones
« on: November 04, 2018, 03:19:25 pm »
Any idea if:

https://github.com/opnsense/core/issues/1494

Will be resolved in 19.1 still? I have in the past used that logging feature for debugging and for seeing who is connecting to various open ports on the firewall (outside of the individual service logs for each running service). Hopefully it'll get introduced soon?

Thanks for your continued work on opnsense!

9
18.7 Legacy Series / Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
« on: September 22, 2018, 08:15:20 pm »
After you got it working, did you change back from the development/test server over to the production one?

The certificates that are produced by the dev server aren't trusted, but the production ones should be?

10
18.7 Legacy Series / Re: Circular logging seems to be not working
« on: September 22, 2018, 06:23:13 pm »
No real ideas on how to solve the issue or where things got changed, but I checked both my NTP and unbound logs in /var/log just now and both of mine are showing up as circular log files? Strange.

11
18.7 Legacy Series / Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
« on: September 22, 2018, 02:53:13 am »
I already uninstalled the agent, but look around for the log files and tail them as you're trying to get your certificate issued. Lots of information in there that isn't otherwise available from the GUI.

In one case, everything I had was set up right (which I knew from using the development server instead of the production one) and there were a few errors on the LE side. I didn't change anything and just retried it a few times and it eventually went through.

Good luck.

12
18.7 Legacy Series / Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
« on: September 21, 2018, 03:32:34 pm »
Yes. I ended up manually having to add a rule in after wondering why things weren't working. As soon as I allowed port 80 traffic for the HTTP-01 challenges, everything worked great.

13
18.7 Legacy Series / Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
« on: September 21, 2018, 02:55:21 pm »
Just open up the port itself on the WAN. You don't need to set up a port forward to anything.

Once the port is open and the ACME agent is running, the firewall will take care of setting up the webserver to handle all the LE traffic in the backend.

14
18.7 Legacy Series / Re: lighttpd[<pid>]: (mod_openssl.c.1607) SSL (error): 5 -1 57 Socket is not connect
« on: September 20, 2018, 10:02:08 pm »
Hmm. I've been trying to recreate the problem and am not able to do so consistently like I was able to this morning. I'll keep playing around with it and see if I can further isolate what is causing it to happen.

15
18.7 Legacy Series / Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
« on: September 20, 2018, 09:02:06 pm »
You shouldn't have to expose your admin interface. You can keep that running as https (443) and have the ACME server run on http (80). Then with your firewall rules, just open up port 80 to the outside and that should allow them access to the ACME agent without being able to connect to the admin interface.
