Messages - Kwolfe19

#1
I've really enjoyed using Opnsense over the last 4 years. One thing I miss from my old prosumer grade router is the ability to see which devices on my network are consuming (Tx/Rx) the most bandwidth and which hosts these devices are talking to. I've got ntopng configured, but I can't seem to make that do what I want. I'm not looking for the information about who is consuming data right now, or in the last 2 minutes, I want to be able to log in 1 or 2 times/month and see which devices on my network consumed the most data in the last 30/60/90 days. I'm happy to file a feature request if that is needed. If this is currently possible, I'd love to know how to do it. Thank you!
#2
22.7 Legacy Series / Re: Using munin to monitor Unbound
October 23, 2022, 11:33:18 PM
I found one issue, which is that the template code doesn't preserve permissions (unbound_munin_ needs execute permission). Not sure exactly how to solve this problem yet, probably need some scripting to make it work.
#3
22.7 Legacy Series / Re: Using munin to monitor Unbound
October 23, 2022, 08:53:44 PM
Ok, I've got it figured out now and I thought I'd post my steps so if anyone else wants to do the same thing, they can save some time.

A couple links that were useful for me:
Unbound setup steps for munin: https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/
Opnsense docs on custom config of Unbound: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

First you need to configure Unbound to enable unbound-control. This requires custom configuration of Unbound using templates. I created two new template targets and had them placed in the correct place.

Login to your opnsense router using SSH
cd /usr/local/opnsense/service/templates/OPNsense/Unbound
mkdir munin


Create a file called remote_control.conf and put this in it:

remote-control:
    control-enable: yes


Create a file called stats.conf and put this in it:

server:
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: no


We need to get the Unbound munin plugin code from: https://github.com/NLnetLabs/unbound/blob/master/contrib/unbound_munin_ and put that file into this same directory. I used vi and created a file named unbound_munin_ and then pasted the contents from the URL into this file.

Create a file called +TARGETS and put this in it (note that vi doesn't like files that start with +):

remote_control.conf:/usr/local/etc/unbound.opnsense.d/remote_control.conf
stats.conf:/usr/local/etc/unbound.opnsense.d/stats.conf
unbound_munin_:/usr/local/share/munin/plugins/unbound_munin_


After you do this, you need to generate the output from this configuration, so run:

configctl template reload OPNsense/Unbound/munin


Then verify your Unbound config by running:

configctl unbound check


Then restart unbound through the UI.

Now we're ready to configure the munin plugins for Unbound. The Unbound docs (at the top link) describe all the different data that you can get graphed. To enable the basic one, run this command:


ln -s /usr/local/share/munin/plugins/unbound_munin_ /usr/local/etc/munin/plugins/unbound_munin_hits


I'm guessing there is a way to do the following using the template feature and some python, but this is what I did to complete the configuration (if anyone has a better suggestion, I'd like to use it). Add the following to the bottom of /usr/local/etc/munin/plugin-conf.d/plugins.conf:


[unbound*]
user root
env.unbound_conf /var/unbound/unbound.conf
env.unbound_control /usr/local/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000


Finally, restart munin-node:

service munin-node restart


Logs for munin-node can be found in /var/log/munin
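The steps from this post, together with the lost execute bit reported in post #2 above, as one added shell script. This is not code from the post or from the OPNsense project. The first argument, a hypothetical PREFIX, is an assumption so the file writes can be dry-run in a scratch directory; on the router itself run the functions as root with an empty prefix. The munin plugin script is not downloaded: copy contrib/unbound_munin_ from the Unbound source into the template directory before rendering, exactly as the post does.

```sh
#!/bin/sh
# Added example, not code from the post or from OPNsense: the template steps from the
# post as re-runnable functions. PREFIX (first argument) is a hypothetical parameter,
# empty on the real router and a scratch directory for a dry run. The munin plugin
# script is not downloaded here: copy contrib/unbound_munin_ from the Unbound source
# into the template directory before rendering.

TEMPLATE_REL=/usr/local/opnsense/service/templates/OPNsense/Unbound/munin

# Write the two Unbound config fragments and the +TARGETS map that configctl renders.
write_unbound_munin_templates() {
    prefix="${1:-}"
    tdir="$prefix$TEMPLATE_REL"
    mkdir -p "$tdir"

    # Turn on unbound-control; control-interface stays at Unbound's default (localhost),
    # so the control socket is not exposed to the LAN.
    cat > "$tdir/remote_control.conf" <<'EOF'
remote-control:
    control-enable: yes
EOF

    # Counters the plugin reads with "unbound-control stats"; non-cumulative so each
    # munin poll sees only the interval since the last one.
    cat > "$tdir/stats.conf" <<'EOF'
server:
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: no
EOF

    # source:destination pairs; the plugin is rendered straight into munin's plugin dir.
    cat > "$tdir/+TARGETS" <<'EOF'
remote_control.conf:/usr/local/etc/unbound.opnsense.d/remote_control.conf
stats.conf:/usr/local/etc/unbound.opnsense.d/stats.conf
unbound_munin_:/usr/local/share/munin/plugins/unbound_munin_
EOF
}

# True when the hand-copied plugin source is in place, so the render step cannot leave a dangling target.
template_plugin_present() {
    [ -f "${1:-}$TEMPLATE_REL/unbound_munin_" ]
}

# Post #2 reports that the rendered copy loses its execute bit; restore it after each reload.
ensure_plugin_executable() {
    plugin="${1:-}/usr/local/share/munin/plugins/unbound_munin_"
    [ -f "$plugin" ] || return 1
    chmod 0755 "$plugin"
}

# Activate the basic graph; the plugin picks the graph from the suffix of the symlink name.
link_unbound_hits_plugin() {
    pdir="${1:-}/usr/local/etc/munin/plugins"
    mkdir -p "$pdir"
    ln -sf /usr/local/share/munin/plugins/unbound_munin_ "$pdir/unbound_munin_hits"
}

# Append the plugin section from the post exactly once, so re-running is safe.
append_unbound_plugin_conf() {
    conf="${1:-}/usr/local/etc/munin/plugin-conf.d/plugins.conf"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    grep -qF '[unbound*]' "$conf" && return 0
    cat >> "$conf" <<'EOF'

[unbound*]
user root
env.unbound_conf /var/unbound/unbound.conf
env.unbound_control /usr/local/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000
EOF
}

# Render, validate and restart, only where configctl exists (i.e. on OPNsense itself).
# Unbound still has to be restarted afterwards; the post does that from the UI.
apply_on_opnsense() {
    command -v configctl >/dev/null 2>&1 || { echo "configctl not found; dry run only" >&2; return 0; }
    template_plugin_present "" || { echo "copy unbound_munin_ into $TEMPLATE_REL first" >&2; return 1; }
    configctl template reload OPNsense/Unbound/munin
    configctl unbound check
    ensure_plugin_executable ""
    link_unbound_hits_plugin ""
    append_unbound_plugin_conf ""
    service munin-node restart
}
```

To dry-run, source the file and call write_unbound_munin_templates with a temporary directory, then inspect the files it created; on the router, source it as root and call write_unbound_munin_templates followed by apply_on_opnsense. Keeping the steps in a script means they can be re-applied after an upgrade that rewrites the template or munin directories, which was the concern raised in the original question.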
#4
22.7 Legacy Series / Re: Using munin to monitor Unbound
October 23, 2022, 03:01:42 AM
So this looks to be a bit more difficult than I was initially anticipating. Seems like I need to enable unbound-control which requires some templating to get all the settings correct. I've gotten part of the way there, but no stats are showing in munin yet.
#5
22.7 Legacy Series / Using munin to monitor Unbound
October 23, 2022, 12:26:31 AM
I am trying to enable monitoring of Unbound on my Opnsense box. This page shows how: https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/

But, I've got a few questions. It seems like the munin plugin code is included with the Unbound install.

First question: Where is Unbound on my box? I'd like to run the ln command but I'm not sure where to link from. Or do I just need to copy that file from the distribution on to my machine? If so, where should I put it so it survives upgrades?

Second question, the munin configuration that I do on Opnsense, will it survive upgrades or is there a way I should do that configuration so that it will survive upgrades? Essentially there are a bunch of symbolic links that get created in /usr/local/etc/munin/plugins and I'd like to make sure those stick around.

Thanks!
#6
I found a DNS setting in my wireguard setup in the config.xml file. Fixed that through the UI, but didn't find any other references to that DNS server. Any other ideas would be welcome.
#7
I restored it to the .bak file that was created, but I really want to find the source that the installer uses to generate the file and fix that. Does anyone know where to look for that? Thank you!
#8
Looks like /etc/resolv.conf got updated during the upgrade. So now the question is, what did it get updated from so I can get that fixed.
#9
I ssh'd into the opnsense box and ran:
dig google.com

The DNS server that it is hitting is not the correct one. It is trying to use an old pi-hole server that I turned off many months ago. It's like an old configuration came back from the dead. I'm trying to figure out where that setting is so I can undo it.
#10
I have the same problem. I am looking for a solution now. It seems like this happens every few months and the problem is usually related to all DNS queries from the opnsense machine failing. My client machines are all fine.
#11
I have a very similar problem and this solution above "fixed" it for me. The twist on my problem is that I also could not get DNS resolution to work in the UI. DNS resolution from all of my client computers is fine, but the router could not resolve anything. I wonder if a recent update to Unbound changed some behavior.
#12
I've filed this issue after looking at the code, in case anyone is interested...

https://github.com/opnsense/plugins/issues/2121
#13
Ok, I see the problem in the code (or at least it seems to be a problem), where the timeout value is hardcoded to 960 in DnsNamesilo.php. I will open an issue for it.

class DnsNamesilo extends Base implements LeValidationInterface
{
    public function prepare()
    {
        $this->acme_env['Namesilo_Key'] = (string)$this->config->dns_namesilo_key;
        // Namesilo applies changes to DNS records only every 15 minutes.
        $this->acme_args[] = '--dnssleep 960';
    }
}


https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
#14
So I've got Let's Encrypt configured with a validation method using DNS-01. I'm using NameSilo as my DNS provider and they only publish DNS records every 15 minutes. So I configured a timeout of 17 minutes (1020 seconds in the Validation screen). When I look into the log files, I see this line:

Sleep 960 seconds for the txt records to take effect

Which is not the 1020 that I expected.

Am I doing something wrong?
#15
20.1 Legacy Series / Re: Darkstat removed?
April 12, 2020, 10:08:46 PM
So I've got vnstat turned on, which will give me the high level info for the WAN interface. However, I'd like to have some more details like: over the last month which PC in the house used the most bandwidth, and what site(s) did they go to. Then if there is suspicious traffic or behavior on the network I can drill in and find out if maybe there is malicious software or some other issue. I don't know if darkstat will provide that (hard to tell from the docs), so I wanted to try it out. While it's true that no updates have happened to darkstat in a while (2015), bandwidthd hasn't been updated since 2005.

I'll take a look at local netflow and LibreNMS to see if they offer what I want. ntopng is a huge resource hog, and my 2 core celeron wasn't up to it. Plus, I honestly could not figure out how to do what I described above after several hours of reading docs.