Messages - jeremiah

#1
Quote from: lar.hed on December 24, 2020, 10:00:57 PM

My suggestion is based on me assuming you did know how it works, and you like to alter that by controlling in detail which servers to use, aka custom settings. Greelan is correct in how it does work.

Quote from: Greelan on December 24, 2020, 09:54:47 PM

I would have thought you are seeing normal behaviour for a recursive resolver. For example, if there is a DNS request for facebook.com, unbound first queries the root servers. The root servers respond with the TLD nameservers for .com. unbound then queries one of those TLD nameservers. That TLD nameserver responds with the authoritative nameservers for facebook.com. Finally unbound queries one of those authoritative nameservers, which responds with the relevant records for facebook.com.

Let me know if I have misunderstood your question.

Looks like you are both correct. My understanding of how Unbound worked was incomplete, thanks for taking the time to explain it!

Hope you both had a good Christmas!
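As an added illustration of the delegation walk Greelan describes (example code written for this page, not part of the thread and not unbound's code): a toy iterative resolver over a constructed, in-memory set of zones. The server names and addresses are made up (documentation ranges); only the root -> TLD -> authoritative sequence is the point.

```python
# Constructed root hints: the only starting point the resolver has, as with unbound's root.hints.
ROOT_HINTS = {"a.root-servers.example": "198.51.100.1"}  # made-up address

# Constructed zone data: what each server (by address) knows.
# A server replies with a referral (NS names + glue addresses) or a final answer.
SERVERS = {
    # the root server only knows who serves .com
    "198.51.100.1": {
        "com.": ("referral", {"a.gtld.example": "203.0.113.10"}),
    },
    # the .com TLD server only knows who serves facebook.com
    "203.0.113.10": {
        "facebook.com.": ("referral", {"ns1.facebook.example": "192.0.2.20"}),
    },
    # the domain owner's authoritative server holds the actual record
    "192.0.2.20": {
        "facebook.com.": ("answer", "192.0.2.200"),
    },
}


def _longest_match(table, qname):
    """Pick the most specific zone this server has data for (longest suffix)."""
    best = None
    for zone in table:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(qname, max_hops=8):
    """Iteratively resolve qname; returns (address or None, list of servers asked)."""
    asked = []
    candidates = dict(ROOT_HINTS)  # start at the root, never at a forwarder
    for _ in range(max_hops):
        server_ip = next(iter(candidates.values()))  # ask the first listed server
        asked.append(server_ip)
        table = SERVERS.get(server_ip, {})
        zone = _longest_match(table, qname)
        if zone is None:
            return None, asked  # nobody on the path knows this name
        kind, payload = table[zone]
        if kind == "answer":
            return payload, asked
        candidates = payload  # referral: follow the delegation one level down


if __name__ == "__main__":
    addr, path = resolve("facebook.com.")
    print(addr, "via", " -> ".join(path))
```

The last server on the path belongs to the domain's owner, which is why a resolver's outbound-query log legitimately contains addresses of Google, Facebook or Cloudflare nameservers even when only root hints are configured.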
#2
Why would I need to do that?

The default/expected behavior of Unbound should be to directly query the root servers.

If I had specified other servers or changed the configuration, I would expect to see queries directed at other nameservers but I have not.

I hope you understand what I am asking/trying to say, I'm not trying to be combative. I appreciate you taking the time to help me diagnose this issue.
#3
What do you mean?

I don't have DoT configured and have not specified any servers for OPNsense to query, I want it to go to the root servers.
#4
There's a problem with the current version of Unbound which results in errors like this taking up the entirety of the log: https://forums.freebsd.org/threads/libunbound-error.78121/

I expected to see only root server addresses in there but I am seeing a bunch of different addresses there including ones for Google, Facebook, etc.

Any ideas as to how I can check the root.hints file on OPNsense?

Thanks!

Edit: I was able to SSH in and open up the root.hints file and it appears as if the root servers are listed correctly in there. If that's the case, why am I seeing DNS queries for other nameservers such as those owned by Google, Facebook, Cloudflare, etc.?

Anyone have any ideas what's going on? Thanks for your help!!
#5
19.7 Legacy Series / Guest Network on VLAN or OPT1?
November 21, 2019, 06:48:35 PM
Hello,

I want to set up a guest AP using a separate piece of hardware than my LAN AP. My switch and AP are VLAN capable but I want to use one of the two open ports on my NIC since I figure I'd use them instead of leaving them to gather dust.

Is it possible to set up a new interface on OPT1, one where the traffic is sequestered to that network with zero interaction with the LAN? I want to block access to the webGUI, and to the other functions available on my LAN. With that set up, would I still be able to use unbound to resolve DNS queries on that network?

I did try to find what I was looking for in the documentation but wasn't able to find anything, and I saw these two threads: https://forum.opnsense.org/index.php?topic=1769.msg6736#msg6736, https://forum.opnsense.org/index.php?topic=450.msg1587#msg1587. They are both very old so I figured I'd ask on here to see if there have been any changes to the way that OPNsense functions now vs. back then.

Thanks!!
#6
Hello,

Once in a while I try to get a new IP from my ISP, I would do this before on the router I had by releasing/renewing the DHCP lease from my ONT.

This doesn't seem to be working anymore on my OPNsense box, and I can't seem to get this to work properly. I have tried to spoof my MAC, rebooted the router, ONT, etc.

I do not have a static IP so this behaviour is rather odd.

Do any of you have ideas as to how to force the OPNsense box to release the IP and get a new one?
#7
19.7 Legacy Series / Re: Backup to Google Drive
November 05, 2019, 05:08:08 AM
See if this thread is helpful: https://forum.opnsense.org/index.php?topic=11900.0

If not, I can try and walk you through it.

#8
19.7 Legacy Series / Re: Backup to Google Drive
November 04, 2019, 07:39:06 AM
Hello Steve,

I have it up and running and it's working without issues so far.

What are you having trouble with, is there a specific step that's causing issues, etc.? I'll try to help if I can.

#9
Hi Robi, If it isn't too much trouble, it might be good to reboot the boxes and see if the issue is resolved.

I had a sluggish experience initially as well, I just ended up reinstalling the software as I hadn't really configured anything at that point yet. In your case, I would try a reboot on both the master/slave boxes to see if that resolves your issues.
#10
Thank you Bart!

I will test out the IPv6 configurations sometime this week/weekend.

Using that tool you linked to, I was able to discover that the DNS on my laptop is contingent on the DNS Windows assigns to the WiFi adapter, which can change based on the AP I'm connected to.

In my browser (Firefox), all of my traffic is resolved using their DoH implementation via their partnership with Cloudflare. In other browsers/programs, the DNS being used was what was picked up from the ISP/AP, in this case it was Level 3. I manually changed the DNS for the AP I'm currently using to Cloudflare. I will test when I'm home to see what that tool says on my home network.

That's good to hear, I will definitely keep an eye on developments here and hold off on buying a raspberry pi!! Might just end up donating the budget for that to OPNsense :).

Edit: I was able to figure something out using this link (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). I added these two options to my OpenVPN config file:

register-dns
block-outside-dns

After adding those two options, and enabling the 'DNS Servers' option in the server config on my OPNsense router, I was able to get my OpenVPN client to use the unbound server. On the DNS Leak Test tool, the IP/server that's now shown is the public WAN address on my OPNsense box/VPN server.

#11
Ad made a plugin that may help, install the 'os-cache' plugin and see if that changes anything.
#12
Hello Bart!

Thank you for the tips! I was able to get the issue with my VPN resolved and things seem to be working as expected. What I needed to do was enable the 'Redirect Gateway' option in the VPN Server settings, as I wanted all of the traffic generated by my client to travel through the VPN tunnel I set up.

I was also able to resolve my issue with the TOTP logins, I kept putting in the TOTP code sans my password so I kept getting errors when logging in.

After getting the VPN resolved, I have a few new questions. I would be grateful if you or someone can answer them :)

  • I'm not sure if it's an issue but it's a concern that I would like to resolve. When I travel, I use a hotspot whose carrier apparently supports both IPv4 and IPv6, and the device is assigned IP addresses on both IPv4 and IPv6.

    When I run the OpenVPN tunnel, my IPv4 traffic is routed via my OPNsense router's IP but the public IPv6 is still the one from the hotspot. Is there a way to configure my server/client to force all of the traffic, both v4 and v6, through the VPN tunnel?

  • Also, is all of the traffic that's generated through my VPN using the Unbound DNS server that's on my OPNsense router? I have not changed any of the settings on there so before I go digging, I figured I'd ask.

  • I saw in the Unbound DNS server's settings that the 'Custom options' section will be deprecated sometime in the future for security reasons. I also saw that most configurations running a Pi Hole and Unbound need that functionality to work, is there a new way to get that done? I don't have a PiHole set up currently but I was planning on buying a board sometime in the next few months once I have a good grasp of how my OPNsense router works.

Thanks!!
#13
Hello!

I set up my OPNsense firewall over the weekend and I have it up and running now, it's working great so far but I am having some trouble setting up OpenVPN and I have a few questions re. the firewall.

The docs have been very helpful but I believe the article for the SSL Road Warrior may be a bit outdated as it doesn't seem to have been updated to match the added functionality in the latest releases.

I followed the instructions exactly, and was able to connect to my router with my remote client but I was unable to access the internet or the LAN through the tunnel. Do I need to change the NAT settings as well to get this working or am I missing something that isn't presented in the docs?

In regards to the firewall, I have noticed a bunch of blocked connections from random IP addresses, and from a bit of digging, it seems that they might have something to do with NTP servers, is that something that I should be worried about? Also, the firewall is blocking connections on my LAN but all of the addresses being blocked are IPv6 addresses -- I don't have an internal IPv6 setup, everything I have is basically default.

I would like to get the VPN server set up soon, anyone have suggestions as to what I could be missing? I configured the firewall rules as per the instructions in the docs, and set up the server exactly as it's described in the documentation.

Thanks!
#14
19.7 Legacy Series / Re: zerotier as a VPN
October 18, 2019, 12:26:08 AM
Did you ever figure out how to do this? I have been trying to figure this out myself but have had no luck in getting this sorted.