Messages

1

23.1 Legacy Series / Recording/Reporting traffic by host

« on: June 19, 2023, 10:31:21 pm »

I've really enjoyed using Opnsense over the last 4 years. One thing I miss from my old prosumer grade router is the ability to see which devices on my network are consuming (Tx/Rx) the most bandwidth and which hosts these devices are talking to. I've got ntopng configured, but I can't seem to make that do what I want. I'm not looking for the information about who is consuming data right now, or in the last 2 minutes, I want to be able to log in 1 or 2 times/month and see which devices on my network consumed the most data in the last 30/60/90 days. I'm happy to file a feature request if that is needed. If this is currently possible, I'd love to know how to do it. Thank you!

2

22.7 Legacy Series / Re: Using munin to monitor Unbound

« on: October 23, 2022, 11:33:18 pm »

I found one issue, which is that the template code doesn't preserve permissions (unbound_munin_ needs execute permission). Not sure exactly how to solve this problem yet, probably need some scripting to make it work.

3

22.7 Legacy Series / Re: Using munin to monitor Unbound

« on: October 23, 2022, 08:53:44 pm »

Ok, I've got it figured out now and I thought I'd post my steps so if anyone else wants to do the same thing, they can save some time.

A couple links that were useful for me:
Unbound setup steps for munin: https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/
Opnsense docs on custom config of Unbound: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

First you need to configure Unbound to enable unbound-control. This requires custom configuration of Unbound using templates. I created two new template targets and had them placed in the correct place.

Code: [Select]

Login to your opnsense router using SSH
cd /usr/local/opnsense/service/templates/OPNsense/Unbound
mkdir munin

Create a file called remote_control.conf and put this in it:

Code: [Select]

remote-control:
    control-enable: yes

Create a file called stats.conf and put this in it:

Code: [Select]

server:
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: no

We need to get the Unbound munin plugin code from: https://github.com/NLnetLabs/unbound/blob/master/contrib/unbound_munin_ and put that file into this same directory. I used vi and created a file named unbound_munin_ and then pasted the contents from the URL into this file.

Create a file called +TARGETS and put this in it (note that vi doesn't like files that start with +):

Code: [Select]

remote_control.conf:/usr/local/etc/unbound.opnsense.d/remote_control.conf
stats.conf:/usr/local/etc/unbound.opnsense.d/stats.conf
unbound_munin_:/usr/local/share/munin/plugins/unbound_munin_

After you do this, you need to generate the output from this configuration so run:

Code: [Select]

configctl template reload OPNsense/Unbound/munin

Then verify your Unbound config by running:

Code: [Select]

configctl unbound check

Then restart unbound through the UI.

Now we're ready to configure the munin plugins for Unbound. The Unbound docs (at the top link) describe all the different data that you can get graphed. To enable the basic one run this command:

Code: [Select]

ln -s /usr/local/share/munin/plugins/unbound_munin_ /usr/local/etc/munin/plugins/unbound_munin_hits

I'm guessing there is a way to do this following using the template feature and some python, but this is what I did to complete the configuration (if anyone has a better suggestion, I'd like to use it). Add the following to the bottom of /usr/local/etc/munin/plugin-conf.d/plugins.conf:

Code: [Select]

[unbound*]
user root
env.unbound_conf /var/unbound/unbound.conf
env.unbound_control /usr/local/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000

Finally, restart munin-node:

Code: [Select]

service munin-node restart

Logs for munin-node can be found in /var/log/munin

4

22.7 Legacy Series / Re: Using munin to monitor Unbound

« on: October 23, 2022, 03:01:42 am »

So this looks to be a bit more difficult than I was initially anticipating. Seems like I need to enable unbound-control which requires some templating to get all the settings correct. I've gotten part of the way there, but no stats are showing in munin yet.

5

22.7 Legacy Series / Using munin to monitor Unbound

« on: October 23, 2022, 12:26:31 am »

I am trying to enable monitoring of Unbound on my Opnsense box. This page shows how: https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/

But, I've got a few questions. It seems like the munin plugin code is included with the Unbound install.

First question: Where is Unbound on my box? I'd like to run the ln command but I'm not sure where to link from. Or do I just need to copy that file from the distribution on to my machine? If so, where should I put it so it survives upgrades?

Second question, the munin configuration that I do on Opnsense, will it survive upgrades or is there a way I should do that configuration so that it will survive upgrades? Essentially there are a bunch of symbolic links that get created in /usr/local/etc/munin/plugins and I'd like to make sure those stick around.

Thanks!

6

22.7 Legacy Series / Re: Upgraded to 22.7.4 now unable to check for updates

« on: October 09, 2022, 03:45:30 am »

I found a DNS setting in my wireguard setup in the config.xml file. Fixed that through the UI, but didn't find any other references to that DNS server. Any other ideas would be welcome.

7

22.7 Legacy Series / Re: Upgraded to 22.7.4 now unable to check for updates

« on: October 09, 2022, 03:37:22 am »

I restored it to the .bak file that was created, but I really want to find the source that the installer uses to generate the file and fix that. Does anyone know where to look for that? Thank you!

8

22.7 Legacy Series / Re: Upgraded to 22.7.4 now unable to check for updates

« on: October 09, 2022, 03:21:31 am »

Looks like /etc/resolv.conf got updated during the upgrade. So now the question is, what did it get updated from so I can get that fixed.

9

22.7 Legacy Series / Re: Upgraded to 22.7.4 now unable to check for updates

« on: October 09, 2022, 03:15:55 am »

I ssh into the opnsense box and ran:

Code: [Select]

dig google.com
The DNS server that it is hitting is not the correct one. It is trying to use an old pi-hole server that I turned off many months ago. It's like an old configuration came back from the dead. I'm trying to figure out where that setting is so I can undo it.

10

22.7 Legacy Series / Re: Upgraded to 22.7.4 now unable to check for updates

« on: October 08, 2022, 07:51:18 pm »

I have the same problem. I am looking for a solution now. It seems like this happens every few months and the problem is usually related to all DNS queries from the opnsense machine are failing. My client machines are all fine.

11

22.1 Legacy Series / Re: [SOLVED] Unbound not responding?

« on: August 14, 2022, 07:46:27 pm »

I have a very similar problem and this solution above "fixed" it for me. The twist on my problem is that I also could not get DNS resolution to work in the UI. DNS resolution from all of my client computers is fine, but the router could not resolve anything. I wonder if a recent update to Unbound changed some behavior.

12

20.7 Legacy Series / Re: Let's Encrypt Certificate Validation timeout not being honored

« on: November 24, 2020, 08:22:40 am »

I've filed this issue after looking at the code, in case anyone is interested...

https://github.com/opnsense/plugins/issues/2121

13

20.7 Legacy Series / Re: Let's Encrypt Certificate Validation timeout not being honored

« on: November 24, 2020, 06:54:53 am »

Ok, I see the problem in the code (or at least it seems to be a problem), where the timeout value is hardcoded to 960 in DnsNamesilo.php. I will open an issue for it.

Code: [Select]

class DnsNamesilo extends Base implements LeValidationInterface
{
    public function prepare()
    {
        $this->acme_env['Namesilo_Key'] = (string)$this->config->dns_namesilo_key;
        // Namesilo applies changes to DNS records only every 15 minutes.
        $this->acme_args[] = '--dnssleep 960';
    }
}
https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php

14

20.7 Legacy Series / Let's Encrypt Certificate Validation timeout not being honored

« on: November 24, 2020, 06:28:44 am »

So I've got Let's Encrypt configured with a validation method using DNS-01. I'm using NameSilo as my DNS provider and they only publish DNS records every 15 minutes. So I configured a timeout of 17 minutes (1020 seconds in Validation screen). When I look into the log files, I see this line:

Code: [Select]

Sleep 960 seconds for the txt records to take effect
Which is not 1020, that I expected.

Am I doing something wrong?

15

20.1 Legacy Series / Re: Darkstat removed?

« on: April 12, 2020, 10:08:46 pm »

So I've got vnstat turned on, which will give me the high level info for the WAN interface. However, I'd like to have some more details like: over the last month which PC in the house used the most bandwidth, and what site(s) did they go to. Then if there is suspicious traffic or behavior on the network I can drill in and find out if maybe there is malicious software or some other issue. I don't know if darkstat will provide that (hard to tell from the docs), so I wanted to try it out. While it's true that no updates have happened to darkstat in a while (2015), bandwidthd hasn't been updated since 2005.

I'll take a look at local netflow and LibreNMS to see if they offer what I want. ntopng is a huge resource hog, and my 2 core celeron wasn't up to it. Plus, I honestly could not figure out how to do what I described above after several hours of reading docs.