Messages - marunjar

#1
Hi there,

just updated from 24.7.5_3 to 24.7.6 and it looks like live view is somehow borked now.

Rules seem to be OK and everything is working as far as I could tell, but the log shows everything somehow wrong.
Also when showing detailed rule info, the details are for the wrong rules.
Sometimes the rule itself cannot be opened from the link in the rule details.

e.g. when looking at ipv6.png and ipv6_details.png, these entries should have nothing to do with IPv6 at all, and the link to the actual rule is not working either.

Or there are some devices I know want to bypass DNS on my OPNsense, so I have defined a port forward rule that I'm logging.
Usually these rdr rules pop up in the log with a light blue background, but now they look like in rdr.png and rdr_details.png.

Is anybody experiencing similar problems?
Is there anybody who can help me to analyse further?

Thanks.

EDIT: I think I'm going to revert to 24.7.5_3 tomorrow
#2
There is no pihole for opnsense.

If you use unbound as your dns you can set up blocklists directly: https://docs.opnsense.org/manual/unbound.html#blocklists

Or if you want to use AdGuard Home, it's available from mimugmail's community repo.
There is also a whole thread about it: https://forum.opnsense.org/index.php?topic=22162.0
#3
Have you already checked the logs under Services ‣ Unbound DNS ‣ Log File?
What does the entry for fetching your blocklist show there?
It should list the excluded, blocked and wildcard entries of the list.

Also, have you checked if the domain you use for testing is in the file?
Because the ones you posted (v2) are different from the one visible in your screenshot (without v2).
#4

Quote from: newsense on September 29, 2023, 08:32:13 AM
Some lists in the blocklist section will even lock Microsoft updates, seems like you're in that situation.

If that's not the case your upstream DNS is doing something weird, and you should consider encrypting all your queries outbound

Quote from: CJ on October 01, 2023, 03:11:14 PM
Can you post a screenshot of your DNSBL page with advanced turned on and one of the Unbound reporting screen?

Quote from: Patrick M. Hausen on November 07, 2023, 02:53:01 PM
Are you using blocklists? If you do there most probably is no "issue". Microsoft domains frequently end up on blocklists, all the more so if you pull in a lot of them managed by volunteers.

Disable all block lists. Working now? If yes, then it's one of the blocklists, none of which are managed by the OPNsense project and none of which can be fixed by the OPNsense project.

If no, then we have an issue.

Still not clear which lists are enabled at all, but there are some built-in blocklists that explicitly block Microsoft stuff:

  • WindowsSpyBlocker (spy)
  • WindowsSpyBlocker (update)
  • WindowsSpyBlocker (extra)

If one simply enables all blocklists without reading, this may lead to the described behaviour too.

More details on these lists can be found here: https://crazymax.dev/WindowsSpyBlocker/blocking-rules/
For the extra list it explicitly says:
Quote
ONLY use if you know what you do
Be aware that these rules can also block Windows Update and other services.
Therefore, no support will be provided on them.

#5
23.7 Legacy Series / Re: Continuous growing arc size
November 15, 2023, 04:48:03 PM
Unused memory is wasted memory :)
This behavior is totally fine for ARC; it will be freed if other processes need more memory.
#6
Wildcard domains will make the list a lot smaller, which should be preferred IMO, but I have no experience with it as it is pretty new.
Between domain list and hosts file there shouldn't be much difference.
#7
Glad you found a solution with AdGuard.

You already mentioned in the first post that the lists are specifically for unbound, following its config format.

As documented, you would've needed a simple list of domains: https://docs.opnsense.org/manual/unbound.html#blocklists
But hosts files are working too, and with the recent update lists including wildcard domains should work as well.
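As an added example that is not part of this thread or of OPNsense's own code: a small Python checker that normalises the three list formats mentioned in #3, #6 and #7 (plain domain list, hosts file, wildcard entries) and tests whether a given host is covered. It also shows why a test domain carrying an extra label (the "v2" case from #3) is not matched by an exact entry. The `*.domain` wildcard syntax and apex matching are assumptions here, not OPNsense's parser behaviour.

```python
import ipaddress

# Constructed sample blocklist (not a real list) mixing the three formats
# the replies mention: plain domain lines, hosts-file lines and wildcard lines.
SAMPLE_BLOCKLIST = """\
# constructed sample entries
ads.example.net
0.0.0.0 telemetry.example.org   # hosts-file style
127.0.0.1 localhost
*.tracker.example.com           # wildcard style (assumed "*.domain" syntax)
"""

# hosts-file names that are boilerplate rather than block targets
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Return (exact, wildcard) sets of lowercased domains from mixed-format text."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # hosts-file style: "<ip> <hostname>"; keep only the hostname
        name = parts[1] if len(parts) > 1 and _is_ip(parts[0]) else parts[0]
        name = name.lower().rstrip(".")
        if name in _HOSTS_NOISE:
            continue
        if name.startswith("*."):
            wildcard.add(name[2:])
        else:
            exact.add(name)
    return exact, wildcard


def is_blocked(host, exact, wildcard):
    """True if host is an exact entry, or under a wildcard entry (apex or any subdomain)."""
    host = host.lower().rstrip(".")
    if host in exact:
        return True
    labels = host.split(".")
    # assumption: "*.d" covers d itself as well as every subdomain of d
    return any(".".join(labels[i:]) in wildcard for i in range(len(labels)))
```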
#8
General Discussion / Re: AdGuard - no client hostnames
October 09, 2023, 09:09:02 AM
Reverse DNS is working fine here.
Have you checked if something is wrong with your AdGuard settings or blocked by the firewall itself?

https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#specifying-upstreams-for-reverse-dns
#9
German - Deutsch / Re: DNS broken after upgrade
August 29, 2023, 03:12:04 PM
Is that the AdGuard plugin from mimugmail's community repo, and does it listen on port 53?
If so, a checkbox has to be set on the AdGuard service.

For details see https://forum.opnsense.org/index.php?topic=33661.0

edit: a fixed IP for DNS should then no longer be necessary either
#10
Normally you don't need rules on the WAN interface, because you establish connections only from the LAN side.

You need to create your block rules on your LAN interface with the given IPs as destination and with direction IN: https://docs.opnsense.org/manual/firewall.html#direction

You already have an IP_BLOCK hosts alias, which is good to keep the number of rules short; you can use this as destination too.
After applying the changes, your client shouldn't be able to connect to the mentioned game server anymore.
Depending on how your game is getting the list of available servers, it may still be shown, but a connection is not possible.

#11
23.1 Legacy Series / Re: DNS issues since 23.1.6
April 24, 2023, 08:29:30 PM
Explicit configuration is working here; it also makes it clearer what is actually set/happening.

But maybe the updated AdGuard plugin will help too ;) https://github.com/opnsense/core/issues/6513#issuecomment-1518684956
#12
Of course this is working, that's a different configuration with AdGuard *not* listening on port 53.
With proper NAT rules, ports may be changed as a workaround too.

But for AdGuard listening on port 53 there is still something missing, as franco said:
Quote from: franco on April 21, 2023, 08:24:43 AM
The cleanup/feature here is that adguard can now work as standalone as well as bind or dnscrypt-proxy WITHOUT a running unbound or dnsmasq, but in order for this to work it needs to communicate which port it uses and only port 53 is eligible for a core DNS provider...
#13
Same here. I just updated to 23.1.6 and DNS names cannot be resolved any more.

I have AdGuard installed from mimugmail's community repo, listening on port 53.
AdGuard uses unbound as upstream DNS server.
unbound is running on the firewall as DNS resolver, listening on port 53530.

From checking the changelog I suspect https://github.com/opnsense/core/commit/9f6df9e5f3057ffb6759e151d7e2f5084a4af33d
Not sure if the AdGuard plugin currently provides dns_ports, which is checked now.

Can anybody confirm this?

Edit: franco was a little faster, thx

#14
OISD lists are not part of the predefined sources, but you can add these lists to the "URLs of blocklists" field.
In the case of OISD the URLs are https://big.oisd.nl/domains or https://small.oisd.nl/domains

Also, you should add a cron job, from https://docs.opnsense.org/manual/unbound.html#blocklists:

Quote
In order to automatically update the lists on timed intervals you need to add a cron task, just go to System -> Settings ->Cron and a new task for a command called "Update Unbound DNSBLs".

Usually once a day is a good enough interval for these types of tasks.
#15
Is unbound used as the DNS resolver here? Are unbound blocklists enabled?
With the lists WindowsSpyBlocker (update) and WindowsSpyBlocker (extra), Windows updates and other Microsoft services are blocked as well.