Messages - burntoc

#1
I have been running OPNsense for years and I'm on the latest community production version. I run on a Lenovo M920q with 12 GB of RAM and an Intel X710-DA2. With my wife and me both WFH and teenage kids, the high availability/fast recovery approach is key. I have a second M920q with another Intel X710-DA2 that I want to recover to if there were a hardware or corruption failure (the latter happened before).

I downloaded the latest installer and imported my latest config to the backup device and I see it boot fine. For whatever reason my internet access doesn't work on some of my VLANs/subnets, but on others it does. Weird. Anyway, I try to log in with valid credentials (no fat fingering - direct copy/paste from my password manager) and I get a wrong username or password error. None of my 3 admin accounts' or 1 service account's credentials work.

I've tested resetting the root password as a worst-case fallback. I reset it (using the support instructions to mount rw and opnsense-shell password) and then log in from the console after it completes boot in single-user mode, but then I reboot into multi-user mode and I can't log in with the new root credentials nor with any of the valid ones from the other accounts.

Can anyone help me understand what's going on? As it stands now I really have no backup and that worries me greatly.
#2
Waited 4 days for these guys to give the okay before updating and then - yep - same mongodb errors multiple users here are reporting. ZA is so frustrating.

EDIT -- Thanks @bandit8623 - your fix eliminated my crash report as well. When I get some more cycles I'll have to dig deeper to ensure it did actually eliminate the log flood of those messages, but it's promising.
#3
25.1, 25.4 Series / Re: Zenarmor no longer works...
January 31, 2025, 04:22:23 PM
Quote from: bandit8623 on January 30, 2025, 02:06:58 AM
Quote from: burntoc on January 29, 2025, 09:02:23 PM
Every major update with these Zenarmor guys now..... Are they not testing it against the Beta and RC releases to get it ready for timely production release? I'm leaning towards dropping my sub, and CrowdSec and Suricata work fine for 99% of my needs.

There is a lot of testing that needs to be done. Besides, the Zenarmor customer base that pays is not upgrading right away unless you are a bit crazy. I run Zen on my company's OPNsense router and I wait a few weeks to make sure bugs are worked out.
Quote from: tangofan on January 31, 2025, 05:22:09 AM
Quote from: alexfabian on January 31, 2025, 03:41:36 AM
We are already used to having to wait for Zenarmor to get right every time a new OPNsense update comes out.
If you are already used to it, why didn't you wait until Zenarmor announces compatibility with OPNsense 25.1?

That's a sorry excuse in any case - even more so because many people are paying for it. They tout this tight relationship with OPNsense, and they're provided multiple betas and RCs and they can't get it ready on time. It's tiresome, and I can't wait for the single need I have it for to wrap in October so I can cancel my sub. After that I won't have to worry about delaying major updates over it, dealing with the performance burden on my firewall, or being irritated over their ridiculously low (TWO, not THREE) policy constraints.
#4
25.1, 25.4 Series / Re: Zenarmor no longer works...
January 29, 2025, 09:02:23 PM
Every major update with these Zenarmor guys now..... Are they not testing it against the Beta and RC releases to get it ready for timely production release? I'm leaning towards dropping my sub, and CrowdSec and Suricata work fine for 99% of my needs.
#5
Any updates? This is becoming a common issue. Can you guys not test on the Beta and Release Candidates? Getting ready to pull this off my box and cancel my sub.
#6
My current setup is ADGH running on 53 with its upstream pointing to Unbound on an alternate port. For Unbound, I have DoT set up to use NextDNS and it works well.

I want to test with Control D in this role vs NextDNS. I thought using the DoT hostname they provided, port 853, and an IP address of something like 76.76.2.11 would set it up - and it seemed okay. Enabled this, disabled the NextDNS entries, and DNS continues to work for the most part.

Thing is, even after creating a device and playing with different Control D settings I can't see any traffic or other analytics reflected. Running an online DNS check, it does appear Control D's servers are being used though. I did also run into a Zoom call being blocked this morning, and when I disabled the Control D entry and re-enabled the NextDNS items I was good to go.

I know there is a CLI command that will run an automated install, but I'm worried it assumes Control D will be the primary resolver or that it may do other undesired things. Does anyone have a setup working and if so, would you share the secrets to success?
#7
I have the ADGH plugin running on 53 and Unbound on 51515. OPNsense is the DHCP server. I've been running this setup for well over a year and for the most part it works great.

ADGH seems to get most hostnames from OPNsense just fine via rDNS, but I have a lot of localhost 127.0.0.1 entries that are clearly client requests. My upstream servers entry is simply 127.0.0.1:51515, pointing ADGH to the Unbound port for lookups, and then Unbound forwards any unknown queries up to my system DNS servers.

My theory is that this occurs because I haven't fully defined the upstream servers for reverse lookups properly. I use a few /24 ranges under the 192.168.0.0/16 range locally. I don't think I need any local entries that relate to my local DNS domain name, but maybe I need some .in-addr.arpa lines as well?
#8
Hopefully someone will eventually answer you. I'm very interested in the same thing.
#9
Finally got around to enabling this myself and I'm seeing the same behavior on 22.7.10_2. Huge bummer.
#10
On a related note.....can anyone simply and clearly explain to me when and why Settings->General DNS servers are used by OPNsense vs the ones in Unbound? I mean, with Forwarding disabled and "Do not use the local DNS service as a nameserver for this system" both disabled? I'm trying to understand the use cases.
#11
Awesome. I think that's the route I'd rather go. Thanks again.
#12
Thank you. There are definitely some things in that thread, a couple more worth looking into, and a couple I shouldn't have to do. This is helpful.

For what it's worth, u/alexdelprete reports seeing the same exact issue in a Reddit thread I started on r/OPNSenseFirewall, and he did a great job explaining the exact issue we're seeing and his resolution: to set his local-zone type to refused.
https://www.reddit.com/r/OPNsenseFirewall/comments/qhuev6/comment/hihq6wf/?utm_source=share&utm_medium=web2x&context=3
#13
Hey all, I have AdGuard Home running on my FW on port 53 and it has Unbound on 127.0.0.1:50253 as its upstream server. Unbound then has custom options set to send requests upstream over TLS to NextDNS.io. For basic resolution this works great, but I have noticed a troubling issue - local IP-related hostnames with my private domain are showing up at NextDNS. Example, to be clear: 192.168.75.5-70.mydomain.me.

I was trying to fix it and I added mydomain.me as an override to redirect it to 127.0.0.1. Thought that fixed it, but I still see a few, though fewer now, showing up. I went to Diagnostics->DNS Lookup and put in that hostname and sure enough I got 127.0.0.1, but then I also got two NextDNS servers. I went to System->Settings->General and I see that the two NextDNS servers are listed there. If I remove them, it does seem to stop them from showing in the NextDNS logs, but running the Diagnostics gives me no results at all. DNS does seem to work just fine, though.

Without any DNS servers indicated under System->Settings->General, is OPNsense following my desired AdGuard->Unbound->NextDNS flow, or does the system itself still send queries to DNS root servers or some other behavior?
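As an added illustration (not code from the thread or from OPNsense) of the leak described in #13 and the local-zone fix mentioned in #12: an Unbound custom-options fragment with the leaking setting beside the corrected one. mydomain.me is the placeholder domain from the post, the host records are constructed, the forward-zone stanza is an assumed DNS-over-TLS forwarder, and the Unbound keyword for the type the Reddit reply calls "refused" is refuse.

```conf
# Added example, not from the thread. Unbound "custom options" fragment showing
# why names under the private domain reach the upstream DoT forwarder, and the
# local-zone fix. mydomain.me is the placeholder domain from the post; the host
# records are constructed; the forward-zone is an assumed DoT forwarder.

server:
  # Assumed starting point: the private domain existed only as an override, so
  # Unbound created the zone as "transparent" (its default when local-data is
  # given without an explicit local-zone). Transparent answers from local data
  # when the name exists and otherwise forwards the query, so a name Unbound
  # has no record for, e.g. 192.168.75.70.mydomain.me, is sent upstream and
  # appears in the provider's query log.
  #
  #   local-zone: "mydomain.me." transparent        # unknown names leak
  #
  # Fix described in the thread: answer from local data, otherwise reply
  # REFUSED locally and never forward anything under the private domain.
  local-zone: "mydomain.me." refuse
  local-data: "fw.mydomain.me. A 192.168.75.1"       # constructed host record
  local-data-ptr: "192.168.75.1 fw.mydomain.me"      # constructed PTR record
  # Reverse lookups for 192.168.0.0/16 are already covered by Unbound's
  # built-in "168.192.in-addr.arpa." static local-zone, so RFC 1918 PTR
  # queries stay local unless unblock-lan-zones is enabled.

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Assumed DoT forwarder (documentation address); the real endpoint is not
  # on this page and would go here as ip@853#tls-hostname.
  forward-addr: 192.0.2.53@853#dns.example.invalid
```

The fragment only changes what passes through Unbound; queries the firewall itself sends to servers listed under System->Settings->General do not take this path, which is consistent with what #13 reports after removing those entries.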
#14
So I know there's a somewhat-related topic on the forum, but since it's related to 21.1 and in that version's main area, while I'm on the latest 21.7 version, I thought I'd add my issue to a new thread here in the VPN forum. In short, I've been running WireGuard on OPNsense for well over a year and it's one of the very best things I've ever done with my setup. I have most of my mobile devices using "always on" VPN to connect when they're away from the home network, and it is performant with good battery and CPU efficiency.

I also have WireGuard initiate a tunnel to a VPN provider that I use for some traffic. It has also been working great for over 9 months. Now there's a hiccup: when I reboot the firewall, this tunnel doesn't start properly any more. I can disable the tunnel in the WireGuard section, then re-enable it and it does come up. This is a recent phenomenon, like within the last few weeks or so.

I have been making some DNS changes, adding AdGuard Home into the mix using Unbound as the upstream, but everything else seems to work fine. That does seem to cause Unbound to restart several times after a boot while it goes through the DHCP client registration process. It's definitely a longer time until DNS stabilizes than it was a few months back.

I also installed wireguard-kmod fairly recently, so maybe it is related to that, but again, everything else is working. I wanted to get this out there for advice if it's just my setup, or to get it on the radar if it is the kmod package that needs some sort of accommodation for the DNS resolution flapping on reboot.
#15
Fixed it by manually specifying the IP address of my OPNsense firewall in the container's Extra Parameters area in Unraid.