Messages - baqwas

#1
Hello!

I have Squid up and running with the initial defaults. Unfortunately, Firefox (under Ubuntu 25.10) cannot use the service if it is directed to do so by Squid's <OPNsense server IP address>:3128.

Pardon me, but uploading screenshots is easier for me than typing in all the configuration settings (mostly default). Please let me know if you see something obvious that I have set incorrectly (or need to specify explicitly). I have a feeling that Squid gets the packets but doesn't send them anywhere. Any advice would be appreciated. Thanks.

Regards.
#2
General Discussion / Re: How to restore FQDN lookup?
November 14, 2025, 04:43:30 AM
Hello @fixwithzubair,

I uninstalled and re-installed Unbound DNS with pkg. Subsequently, I configured the loopback interface and everything is working as before.

Many, many thanks for nudging me in the right direction.

Regards.
#3
General Discussion / Re: How to restore FQDN lookup?
November 14, 2025, 02:45:52 AM
Hello @fixwithzubair,

Allow me to add a note for your consideration:

Dnsmasq DNS/DHCP was working fine prior to my original post. In other words, hostname and FQDN were working but now it is broken. I messed up the reverse PTR configuration because I don't seem to have easy access to lo0 interface but I do believe it is set to 127.0.0.1/8.

Regards.
#4
General Discussion / Re: How to restore FQDN lookup?
November 14, 2025, 02:27:17 AM
Thanks, @fixwithzubair! Here is the information you requested:

OS: Ubuntu 25.10 x86_64
Kernel: Linux 6.14.0-15-generic
Versions OPNsense 25.7.7_4-amd64
FreeBSD 14.3-RELEASE-p4

Under Lobby: Dashboard: Services, Unbound is the only line item that has two buttons - one red with tool-tip Stopped, the other Start which does not complete.

I logged on terminal mode and ran the following commands:
service unbound status
sudo killall unbound
sudo service unbound start

The commands run but on the Dashboard page, Unbound still appears with the red button.

I am not going to make any further changes until I hear from you. Thanks a bunch.

Regards.
#5
General Discussion / How to restore FQDN lookup?
November 12, 2025, 04:38:41 AM
Hello!

How to restore FQDN resolution?

I am using Dnsmasq for DNS and DHCP, and I've enabled Unbound DNS. I can see lease activity and:

Services: Dnsmasq DNS & DHCP
Default
Enable [✓]
Interface [LAN]

DNS
Listen port
DNSSEC [✓] Current date/time is accurate on Lobby: Dashboard page

DHCP FQDN [✓]
DHCP default domain [name entered]
DHCP local domain [✓]
DHCP authoritative [✓]
DHCP reply delay [blank]
DHCP register firewall rules [✓]
Router advertisements [unchecked]
Disable HA sync [unchecked]

ISC/KEA DHCP (legacy) <== not using knowingly but
Register ISC DHCP4 leases [✓]
DHCP domain override [blank]
Register DHCP static mappings [✓]
Prefer DHCP [blank]

Services: Unbound DNS: General
Enable Unbound [✓]
Listen Port 53
Network Interfaces [All]
Enable DNSSEC Support [✓]
Register ISC DHCP4 leases [✓]
Register DHCP Static Mappings [✓]

How can I get FQDN lookup to work? Thanks.

Regards.

Configuration:
OPNsense 25.7.7_4-amd64
FreeBSD 14.3-RELEASE-p4
#6
Tutorials and FAQs / Re: Unbound DNS Guidance
May 11, 2025, 10:47:48 PM
Thanks, @meyergru & @Vilhonator, for your patience & understanding. Your solution did the job for me.

Regards.
#7
Tutorials and FAQs / Re: Unbound DNS Guidance
May 02, 2025, 04:48:42 AM
@meyergru:

Could you please clarify just a little bit more (for a newbie)? Under Unbound DNS, how do I navigate to the page where I can enter the data in the wildcard format that you have illustrated? I stepped through General, Overrides, Advanced, Access Lists and Query Forwarding but could not understand which of these pages could help me enter the wildcard formatted string, *.server1.domain.org, that you provided as an example. In my situation, server1.domain.org is being resolved by Unbound DNS locally. I feel that your example would serve my purpose much better than what I had used previously (one record for each virtual host). Thanks.

Regards.
#8
Tutorials and FAQs / Unbound DNS Guidance
April 29, 2025, 01:59:42 PM
Hello!

I would like to "register" a few virtual hosts. I need some guidance, please.

I'm using DHCP and Unbound under OPNsense. I have a server registered as server1.domain.org under DHCP. How can I leverage Unbound to register site1.server1.domain.org, site2.server1.domain.org, etc.? The virtual hosts may or may not use different port numbers under Apache2 virtual host control.

It is my understanding that if Unbound can resolve server1.domain.org, then I should be able to add the virtual hosts using Unbound (apart from the work needed under Apache2). Any advice would be appreciated. Thanks.

Regards.

P.S.
I was using another FOSS product to perform (DHCP, DNSmasq derivative & this specific configuration) but I need to rely solely on OPNsense now. DNSmasq is disabled in my OPNsense instance and I would prefer to limit myself to Unbound.
#9
Please "close" the issue.

The ISP had configured the modem incorrectly! The 3rd person finally listened to exactly what I needed and the connection was established.

Sorry for posting in haste yet again.

Regards.
#10
General Discussion / Can't traverse to Internet
June 19, 2024, 07:24:20 PM
Hello!

Need help, please. What are the recommended steps to troubleshoot LAN desktop access to the Internet?

The Lobby Dashboard shows the WAN Gateway as online.
The Firewall LAN rules, per default, allow LAN to any.
The Firewall WAN rules have no outbound block.
dig _gateway from desktop client responds correctly with the OPNsense IP address.
The desktop client has a DHCP lease with correct gateway assignment.
Dig www.google.com or any Internet IP address fails with communication error (timed out) 127.0.0.53#53
ISP installed new modem and this error started.
Pihole logs show that Google Home Mini Speaker is calling "home"
Pihole is syncing with NTP Pool servers.

Where have I messed up?

Thanks.

OPNsense 24.1.8-amd64 on ProtectLi fw4b
Desktop client is Ubuntu 24.04
#11
Hello,

I didn't find anyone else reporting a beginner issue on running Web Proxy for the first time so I need your help to determine my basic configuration error.

I set up Caching Proxy https://docs.opnsense.org/manual/how-tos/cachingproxy.html with the instructions in the official documentation using the Yoyo Ads Blacklist example. I set up Firewall Rule No Proxy Bypass (screenshot attached) - again using the official document. I did not encounter any issue in making these changes.

I enabled proxy use in Mozilla exactly as illustrated in the official documentation but with the specific address for OPNsense in my farm.

Unfortunately, I cannot go out to the Internet using the browser when the Web Proxy is enabled. Presumably, there is a configuration issue at my end because if I unblock the two rules (HTTP/HTTPS) the browser can go out again. I am unsure about the rules changes that I have entered but obviously these rules when activated are disabling Internet access.

How can I fix this basic issue to become productive with Web Proxy? Thanks.

Regards.

#12
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 06:59:53 PM
Thanks, franco and newsense!

I read franco's reply to another person a few minutes ago (sent several months back) and performed the same two steps to remove freeradius and reinstall. That got me to 22.7.11_1 and then I was able to upgrade to 23.1. Obviously just using the search string "update" was insufficient to retrieve the applicable thread(s).

I am glad that franco reconfirmed the steps here.

Cannot thank you both enough for helping me to avoid a fresh re-install. Please consider the issue fully resolved thanks to your assistance.

Regards.
#13
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 04:07:06 PM
Thanks for your continuing support. Here is the output (with the credentials removed):

Last login: Thu Sep 21 08:37:59 2023 from
----------------------------------------------
|      Hello, this is OPNsense 22.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS:
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hello there,

This will be the end of life release for the 22.7 series with only a small
number of reliability updates.  Upgrades to 23.1-RC1 are possible from the
development version of this release.  We do expect an online update for RC2
next week.

The final 23.1 release will be on January 26.  As always the upgrade path
from the community version will be added as a hotfix shortly after the final
release announcement is published.  However, this time around LibreSSL will
no longer update and must be switched to the OpenSSL flavour prior to the
upgrade.

Here are the full patch notes:

o system: fix a few minor Coverity Scan reports in Python code[1]
o firewall: show automated "port 0" rule as actual port "0" on PHP 8
o reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
o unbound: safeguard retrieval of blocklist shortcode
o mvc: fix IntegerField minimum value (contributed by xbb)
o plugins: os-acme-client 3.15[2]
o plugins: os-stunnel fixes missing include in certificate script
o ports: curl 7.87.0[3]
o ports: nss 3.87[4]
o ports: pcre 10.42[5]
o ports: phalcon 5.1.4[6]
o ports: php 8.0.27[7]
o ports: sqlite 3.40.1[8]
o ports: strongswan 5.9.9[9]
o ports: unbound 1.17.1[10]

A hotfix release was issued as 22.7.11_1:

o firmware: enable upgrade path to 23.1 (OpenSSL only)


Stay safe,
Your OPNsense team

--
[1] https://scan.coverity.com/projects/opnsense-core
[2] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[3] https://curl.se/changes.html#7_87_0
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[5] https://www.pcre.org/changelog.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[7] https://www.php.net/ChangeLog-8.php#8.0.27
[8] https://sqlite.org/releaselog/3_40_1.html
[9] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[10] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
c-icap-modules: 0.5.5 -> 0.5.5_1
freeradius3: 3.0.25 -> 3.2.1_1
hw-probe: 1.6.4 -> 1.6.5
iperf3: 3.11 -> 3.12
isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
mpd5: 5.9_9 -> 5.9_13
msktutil: 1.2 -> 1.2.1
opnsense: 22.7 -> 22.7.11_1
opnsense-installer: 22.1 -> 23.1.d
opnsense-lang: 22.7 -> 22.7.3
os-acme-client: 3.11 -> 3.15
os-bind: 1.23 -> 1.24_1
os-c-icap: 1.7_2 -> 1.7_3
os-clamav: 1.7_1 -> 1.8
os-freeradius: 1.9.19_1 -> 1.9.21_2
os-maltrail: 1.8 -> 1.10
os-net-snmp: 1.5_1 -> 1.5_2
os-nrpe: 1.0_2 -> 1.0_3
os-redis: 1.1_1 -> 1.1_2
os-rspamd: 1.12 -> 1.12_1
pftop: 0.8 -> 0.8_2
php80-dom: 8.0.20 -> 8.0.27
php80-filter: 8.0.20 -> 8.0.27
php80-phpseclib: 2.0.37 -> 3.0.18
php80-sockets: 8.0.20 -> 8.0.27
php80-sqlite3: 8.0.20 -> 8.0.27
php80-xml: 8.0.20 -> 8.0.27
redis: 7.0.4 -> 7.0.8
ruby: 2.7.6_2,1 -> 2.7.7,1
squid: 4.15 -> 5.7
strongswan: 5.9.6_2 -> 5.9.9_1
sudo: 1.9.11p3 -> 1.9.12p1
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-available/otp
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-enabled/cache_eap
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/GPLv2
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/LICENSE
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/catalog.mk
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS: SHA256
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:
#14
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 04:25:39 AM
Before replying to your first suggestion on using option 12 from the console terminal (logged in via SSH), I performed the operation several times (including using q to quit the update notice). Unfortunately, the cycle just repeats and the main menu for the terminal session is presented.

After reading your last suggestion, I repeated the exercise to select option 12 and entered q at the first chance when the scrolling list of updates paused. I repeated these steps 3 times but there was no change in the responses from the server.

The server is pointing to the mirror at https://pkg.opnsense.org/FreeBSD:13:amd64/22.7.

Is there an alternate approach that you recommend? Thanks.

Regards.
#15
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 01:09:23 AM
Thanks for fielding this request for assistance.

I did SSH in (first time to the OPNsense server after the initial install several years ago) and then I chose option 12 in accordance with your suggestion. After receiving the update information, the upgrade failed presumably owing to the following partial text from the server:

Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***


Is there some way to specify the intermediate update to 22.7.11_1? Thanks.

Regards.

P.S.
Some additional information regarding my SSH session:

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y


After the patch notes, there is no sub-option to specify a release number or identifier. I can use option 8 to shell out but I don't know the manual command(s) to complete the update/upgrade.

My settings are:

Mirror default
Flavor default
Type Community
Subscription <blank>


The web documentation at https://docs.opnsense.org/manual/updates.html#update-settings states that:
Quote
If you choose option 12 on the console menu on latest release, you are asked if you want to upgrade to the newest version or to the next major release. Type in the major release number (for example "19.1") and press enter. OPNsense will download all release files for an offline upgrade (kernel, packages etc.) and will reboot afterwards.

After a reboot, it will install all updates and when it is done, it will reboot again, then you should be on the desired release.

but I don't see that prompt in my environment.