Messages

1

21.1 Legacy Series / Re: Update 21.1.5 dead opnsense

« on: April 25, 2021, 04:56:53 am »

Not to hijack the thread, but I upgraded to 21.1.5 and experienced an odd issue. I did not experience a dead OPNsense but I was not able to log into the web UI. The routing/firewall functionality seemed ok and the Internet and various accesses to other networks seemed ok. I could not SSH into the box from another VLAN but I could SSH within the same network. I rebooted the machine, still no luck.

So I connected my OPNsense box up to my KVM (since I do not normally need direct access to the box). I only saw a blank display (perhaps since I did not boot with a monitor). I then rebooted the machine so I can take a look at what was going on more easily. After rebooting the machine, I could see the login prompt and I realized that I could now access the web UI. The problem resolved itself after I connected a display/mouse/keyboard and rebooted.

I never experienced anything like it before since using OPNsense in late 2017. I saw in the notes that there was a change to the installer and some mention of migration of the Phalcon framework so not sure if there was a hiccup but I'm glad it recovered. I tried looking at a few logs but did not see anything that stood out. I thought I would mention the issue I had in case someone else had such a unique experience... (I also immediately made a configuration backup since I realized I had a slightly out of date one... just in case)

2

Intrusion Detection and Prevention / Re: Alias for public IP to add to home networks?

« on: June 19, 2020, 03:14:40 am »

I believe you can put a domain name (including a dynamic DNS address) instead of the IP address. I may not have been sure at the time that it works properly so I did not mention it in my blog post. There are certain areas in OPNsense where domain names will work (such as Suricata) and others where it will not work (firewall rules).

3

19.7 Legacy Series / Re: dnscrypt-proxy behind unbound

« on: December 23, 2019, 09:46:40 pm »

This response is late to the game, but I thought it may prove useful to anyone that may come across it. I too had a conflict with DNSCrypt-Proxy running on port 5353. I thought that port number sounded familiar when I saw that default value.

It is the port number used by multicast DNS so if you are running the MDNS-Repeater plugin like I am, it will conflict on port 5353. I saw the conflict when I looked at the error log for DNSCrypt-Proxy. I changed the default port number of DNSCrypt-Proxy plugin so it would not conflict and used that port number in the custom config for Unbound.

4

Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

« on: December 19, 2019, 10:48:54 pm »

I found the original instructions helpful. The server list is what I was stuck on the most. I didn't realize you had to enter the name of the server rather than the IP address. It makes sense because there are sometimes multiple options per DNS server (like Quad9).

One gotcha I would like to mention in case someone finds it useful. I am running the MDNS Repeater service (so that I can make use of certain services across VLANs like being able to autodiscover and access my printer/scanner across VLANs). This service runs on port 5353 which is the default value for the dnscrypt-proxy plugin. The dnscrypt-proxy service would not start unless I changed the port to something else. Once I changed the default port and updated my configuration in the Unbound settings, I was up and running!