Messages

1

23.7 Legacy Series / Using AdguardHome and Control D on OPNsense - help needed

« on: December 18, 2023, 08:52:36 pm »

My current setup is ADGH is running on 53 with its upstream pointing to Unbound on an alternate port.  For Unbound, I have DOT set up to use NextDNS and it works well.

I want to test with Control D in this role vs NextDNS.  I thought using the DOT hostname they provided, port 853, and an IP address of something like 76.76.2.11 would set it up - and it seemed okay.  Enabled this, disabled the NextDNS entries, and DNS continues to work for the most part.

Thing is, even after creating a device and playing with different Control D settings I can't see any traffic or other analytics reflected.  Running an online DNS check, it does appear Control D's servers are being used though.  I did also run into a Zoom call being blocked this morning and when I disabled the Control D entry and re-enabled the NextDNS items I was good to go.

I know there is a CLI command that will run an automated install, but I'm worried it assumes Control D will be the primary resolver or that it may do other undesired things.  Does anyone have a setup working and if so, would you share the secrets to success?

2

23.7 Legacy Series / Reverse DNS question for those using Adguardhome

« on: September 27, 2023, 06:15:00 am »

I have the ADGH plugin running on 53 and Unbound on 51515. OPNsense is the DHCP server. I've been running this setup for well over a year and for the most part it works great.

ADGH seems to get most hostnames from OPNsense just fine via rDNS, but I have a lot of localhost 127.0.0.1 entries that are clearly client requests. My upstream servers simply has 127.0.0.1:51515, pointing ADGH to the Unbound port for lookups, and then Unbound forwards any unknown queries up to my system DNS servers.

My theory is that this occurs because I haven't fully defined the upstream servers for reverse lookups properly. I use a few /24 ranges under the 192.168.0.0/16 range locally. I don't think I need any local entries that relate to my local DNS domain name, but maybe I need some .in-addr.arpa lines as well?

3

23.1 Legacy Series / Re: Send email when firewall configuration is changed?

« on: March 11, 2023, 10:22:36 pm »

Hopefully someone will eventually answer you.  I'm very interested in the same thing.

4

22.1 Legacy Series / Re: vlan issues - in combination with IPS (IDS works)

« on: December 23, 2022, 07:00:06 am »

Finally got around to enabling this myself and I'm seeing the same behavior on 22.7.10_2.  Huge bummer.

5

21.7 Legacy Series / Re: Why is OPNsense sending some private domain DNS queries upstream?

« on: October 29, 2021, 11:03:09 pm »

On a related note.....can anyone simply and clearly explain to me when and why Settings->General DNS servers are use by OPNsense vs the ones in Unbound?  I mean, with Forwarding disabled and  "Do not use the local DNS service as a nameserver for this system" both disabled? I'm trying to understand the use cases.

6

21.7 Legacy Series / Re: DNS Why is OPNsense sending some private domain queries upstream?

« on: October 29, 2021, 06:02:20 pm »

Awesome.  I think that's the route I'd rather go. Thanks again.

7

21.7 Legacy Series / Re: DNS Why is OPNsense sending some private domain queries upstream?

« on: October 29, 2021, 04:37:09 pm »

Thank you.  There are definitely some things in that thread, a couple of more worth looking into, and a couple I shouldn't have to do.  This is helpful.

For what it's worth, u/alexdelprete reports seeing the same exact issue in a Reddit thread I started on r/OPNSenseFirewall, and he did a great job explaining the exact issue we're seeing and his resolution: to set his local-zone type to refused. 
https://www.reddit.com/r/OPNsenseFirewall/comments/qhuev6/comment/hihq6wf/?utm_source=share&utm_medium=web2x&context=3

8

21.7 Legacy Series / Why is OPNsense sending some private domain DNS queries upstream?

« on: October 28, 2021, 11:43:57 pm »

Hey all, I have Adguard Home running on my FW on port 53 and it has Unbound on 127.0.0.1:50253 as it's upstream server. Unbound then has custom options set to send requests upstream over TLS to NextDNS.io. For basic resolution this works great, but I have noticed a troubling issue - local IP-related hostnames with my private domain are showing up at NextDNS. Example, to be clear 192.168.75.5-70.mydomain.me.

I was trying to fix it and I added mydomain.me as an override to redirect it to 127.0.0.1. Thought that fixed it, but I still see a few, though less now, showing up. I went to Diagnostics->DNS Lookup and put in that hostname and sure enough I got 127.0.0.1 but then I also got two NextDNS servers. I went to System->Settings->General and I see that the two NextDNS servers are listed there. If I remove them, it does seem to stop them from showing in the NextDNS logs, but running the Diagnostics gives me no results at all. DNS does seem to work just fine, though.

Without an DNS servers indicated under System->Settings->General is OPNsense following my desired Adguard->Unbound->NextDNS flow or does the system itself still send queries to DNS root servers or some other behavior?

9

Virtual private networks / Wireguard not starting upon firewall start, wireguard-kmod related? Other?

« on: October 01, 2021, 04:12:43 pm »

So I know there's a somewhat-related topic on the forum, but since it's related to 21.1 and in that version's main area, while I'm on the latest 21.7 version, I thought I'd add my issue to a new thread here in the VPN forum.  In short, I've been runing Wireguard on OPNsense for well over a year and it's one of the very best things I've ever done with my setup.  I have most of my mobile devices using "always on" VPN to connect when they're away from the home network, and it is performant with good battery and CPU efficiency. 

I also have Wireguard initiate a tunnel to a VPN provider that I use for some traffic.  It has also been working great for over 9 months.  Now there's a hiccup:  when I reboot the firewall, this tunnel doesn't start properly any more. I can disable the tunnel in the Wireguard section, then re-enable it and it does come up. This is a recent phenomenon, like within the last few weeks or so. 

I have been making some DNS changes, adding Adguardhome into the mix using Unbound as the upstream, but everything else seems to work fine.  That does seem to cause Unbound to restart several times after a boot while it goes through the DHCP client registration process.  It's definitely a longer time until DNS stabilizes than it was a few months back.

I also installed wireguard-kmod fairly recently, so maybe it is related to that, but again, everything else is working.  I wanted to get this out there for advice if it's just my setup, or to get it on the radar if it is the kmod package that needs some sort of accomodation for the DNS resolution flapping on reboot.

10

21.7 Legacy Series / Re: AdguardHome->Unbound->NextDNS TLS - breaks some things like TV streams auth?

« on: September 21, 2021, 04:36:39 am »

Fixed it by manually specifying the IP address of my OPNsense firewall in the container's Extra Parameters area in Unraid.

11

Documentation and Translation / Re: AdGuard Home setup guide

« on: September 21, 2021, 03:25:07 am »

deleted

12

21.7 Legacy Series / AdguardHome->Unbound->NextDNS TLS - breaks some things like TV streams auth?

« on: September 17, 2021, 06:24:33 pm »

With the awesome community online I've been able to get Unbound using NextDNS TLS via custom options.  Works great.  I'd rather use AdguardHome on my OPNsense box for initial name resolution and filtering as it has much better reporting and control for me, then have it use Unbound as the upstream and on to NextDNS beyond that. 

When I change the port on Unbound, activate AdguardHome and specify Unbound as the upstream (and the PTR host for local hostname resolution as I continue to use OPNsense for DHCP), most everything seems to work just fine.  I have a Channels DVR, however, that pulls in TVE tv streams from a couple of providers to integrate into a guide and DVR for me, but when I introduce the Adguardhome to Unbound step then Channels can no longer operate properly.  It seems it authenticates via an Adobe auth mechanism to the various TVE stream providers ant this breaks.  There may be other issues I haven't yet uncovered, but it seems like most everything else works just fine. 

I can't figure out why this is working so well yet not quite completely functional.  Any of you DNS gurus have an idea of what might be going on?

13

Intrusion Detection and Prevention / Re: Suricata doesn't filter anything with telemetry pro

« on: April 14, 2021, 05:21:14 pm »

I can confirm you that Suricata works and detects alerts when listening only on WAN interface too.
I have made a test for you, changing Suricata interface only on WAN and setting up Sensei to listen on the LAN side.
Then i have checked with the isd test i told you and how you can see Alerts are listed on Suricata.

I know this is a bit of an older thread, but I have been dealing with this over the last few days and I can confirm that while my other interfaces showed traffic without my ISP-assigned address, the WAN interface would not.  When I add that to local addresses it does show alerts, primarily STUN/NAT activity.

14

Virtual private networks / Re: SOLVED - Default gateway block rule for wireguard gateway hosts not working

« on: April 03, 2021, 04:39:57 am »

Not sure if it took one or both of these things, but in my floating block rule I just rely on TAGS and left source ANY instead of the VPN hosts alias as it seems to not work right without that.  It may have also involved a firewall rule order issue, as I moved it up higher as well.

15

Virtual private networks / SOLVED - Default gateway block rule for wireguard gateway hosts not working

« on: April 02, 2021, 08:57:16 pm »

So I'm routing a few of my Unraid containers with static IPs across a Wireguard VPN, while everything else goes out the default non-VPN gateway.  When I enable the VPN gateway the specified hosts (aliased on OPNsense) seem to follow the intended route out the VPN gateway - great.

So I also tried the "kill switch" steps from the guides I read to set a tag on that routing rule and to create a floating block rule on the non-VPN gateway interface that blocks traffic from those aliased hosts if the VPN goes down using the match tag option.  If I disable the VPN, however, the hosts are going out my default gateway instead of being blocked.  I mean, compared to the other stuff this part seems pretty dead simple.  I've restarted Wireguard, restarted the containers, etc. and it keeps behaving the same way. 

Anyone have ideas as to why this part wouldn't be working?