Messages - baqwas

#1
Tutorials and FAQs / Re: Unbound DNS Guidance
May 11, 2025, 10:47:48 PM
Thanks, @meyergru & @Vilhonator, for your patience & understanding. Your solution did the job for me.

Regards.
#2
Tutorials and FAQs / Re: Unbound DNS Guidance
May 02, 2025, 04:48:42 AM
@meyergru:

Could you please clarify just a little bit more (for a newbie)? Under Unbound DNS, how do I navigate to the page where I can enter the data in the wildcard format that you have illustrated? I stepped through General, Overrides, Advanced, Access Lists and Query Forwarding but could not understand which of these pages could help me enter the wildcard formatted string, *.server1.domain.org, that you provided as an example. In my situation, server1.domain.org is being resolved by Unbound DNS locally. I feel that your example would serve my purpose much better than what I had used previously (one record for each virtual host). Thanks.

Regards.
#3
Tutorials and FAQs / Unbound DNS Guidance
April 29, 2025, 01:59:42 PM
Hello!

I would like to "register" a few virtual hosts. I need some guidance, please.

I'm using DHCP and Unbound under OPNsense. I have a server registered as server1.domain.org under DHCP. How can I leverage Unbound to register site1.server1.domain.org, site2.server1.domain.org, etc.? The virtual hosts may or may not use different port numbers under Apache2 virtual host control.

It is my understanding that if Unbound can resolve server1.domain.org, then I should be able to add the virtual hosts using Unbound (apart from the work needed under Apache2). Any advice would be appreciated. Thanks.

Regards.

P.S.
I was using another FOSS product to perform (DHCP, DNSmasq derivative & this specific configuration) but I need to rely solely on OPNsense now. DNSmasq is disabled in my OPNsense instance and I would prefer to limit myself to Unbound.
#4
Please "close" the issue.

The ISP had configured the modem incorrectly! The 3rd person finally listened to exactly what I needed and the connection was established.

Sorry for posting in haste yet again.

Regards.
#5
General Discussion / Can't traverse to Internet
June 19, 2024, 07:24:20 PM
Hello!

Need help, please. What are the recommended steps to troubleshoot LAN desktop access to the Internet?

The Lobby Dashboard shows the WAN Gateway as online.
The Firewall LAN rules, per default, allow LAN to any.
The Firewall WAN rules have no outbound block.
dig _gateway from desktop client responds correctly with the OPNsense IP address.
The desktop client has a DHCP lease with correct gateway assignment.
Dig www.google.com or any Internet IP address fails with communication error (timed out) 127.0.0.53#53
ISP installed new modem and this error started.
Pihole logs show that Google Home Mini Speaker is calling "home"
Pihole is syncing with NTP Pool servers.

Where have I messed up?

Thanks.

OPNsense 24.1.8-amd64 on Protectli FW4B
Desktop client is Ubuntu 24.04
#6
Hello,

I didn't find anyone else reporting a beginner issue on running Web Proxy for the first time so I need your help to determine my basic configuration error.

I set up Caching Proxy https://docs.opnsense.org/manual/how-tos/cachingproxy.html with the instructions in the official documentation using the Yoyo Ads Blacklist example. I set up Firewall Rule No Proxy Bypass (screenshot attached) - again using the official document. I did not encounter any issue in making these changes.

I enabled proxy use in Mozilla exactly as illustrated in the official documentation but with the specific address for OPNsense in my farm.

Unfortunately, I cannot go out to the Internet using the browser when the Web Proxy is enabled. Presumably, there is a configuration issue at my end because if I unblock the two rules (HTTP/HTTPS) the browser can go out again. I am unsure about the rule changes that I have entered but obviously these rules when activated are disabling Internet access.

How can I fix this basic issue to become productive with Web Proxy? Thanks.

Regards.

#7
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 06:59:53 PM
Thanks, franco and newsense!

I read franco's reply to another person a few minutes ago (sent several months back) and performed the same two steps to remove freeradius and reinstall. That got me to 22.7.11_1 and then I was able to upgrade to 23.1. Obviously just using the search string "update" was insufficient to retrieve the applicable thread(s).

I am glad that franco reconfirmed the steps here.

Cannot thank you both enough for helping me to avoid a fresh re-install. Please consider the issue fully resolved thanks to your assistance.

Regards.
#8
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 04:07:06 PM
Thanks for your continuing support. Here is the output (with the credentials removed):

Last login: Thu Sep 21 08:37:59 2023 from
----------------------------------------------
|      Hello, this is OPNsense 22.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS:
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hello there,

This will be the end of life release for the 22.7 series with only a small
number of reliability updates.  Upgrades to 23.1-RC1 are possible from the
development version of this release.  We do expect an online update for RC2
next week.

The final 23.1 release will be on January 26.  As always the upgrade path
from the community version will be added as a hotfix shortly after the final
release announcement is published.  However, this time around LibreSSL will
no longer update and must be switched to the OpenSSL flavour prior to the
upgrade.

Here are the full patch notes:

o system: fix a few minor Coverity Scan reports in Python code[1]
o firewall: show automated "port 0" rule as actual port "0" on PHP 8
o reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
o unbound: safeguard retrieval of blocklist shortcode
o mvc: fix IntegerField minimum value (contributed by xbb)
o plugins: os-acme-client 3.15[2]
o plugins: os-stunnel fixes missing include in certificate script
o ports: curl 7.87.0[3]
o ports: nss 3.87[4]
o ports: pcre 10.42[5]
o ports: phalcon 5.1.4[6]
o ports: php 8.0.27[7]
o ports: sqlite 3.40.1[8]
o ports: strongswan 5.9.9[9]
o ports: unbound 1.17.1[10]

A hotfix release was issued as 22.7.11_1:

o firmware: enable upgrade path to 23.1 (OpenSSL only)


Stay safe,
Your OPNsense team

--
[1] https://scan.coverity.com/projects/opnsense-core
[2] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[3] https://curl.se/changes.html#7_87_0
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[5] https://www.pcre.org/changelog.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[7] https://www.php.net/ChangeLog-8.php#8.0.27
[8] https://sqlite.org/releaselog/3_40_1.html
[9] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[10] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
c-icap-modules: 0.5.5 -> 0.5.5_1
freeradius3: 3.0.25 -> 3.2.1_1
hw-probe: 1.6.4 -> 1.6.5
iperf3: 3.11 -> 3.12
isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
mpd5: 5.9_9 -> 5.9_13
msktutil: 1.2 -> 1.2.1
opnsense: 22.7 -> 22.7.11_1
opnsense-installer: 22.1 -> 23.1.d
opnsense-lang: 22.7 -> 22.7.3
os-acme-client: 3.11 -> 3.15
os-bind: 1.23 -> 1.24_1
os-c-icap: 1.7_2 -> 1.7_3
os-clamav: 1.7_1 -> 1.8
os-freeradius: 1.9.19_1 -> 1.9.21_2
os-maltrail: 1.8 -> 1.10
os-net-snmp: 1.5_1 -> 1.5_2
os-nrpe: 1.0_2 -> 1.0_3
os-redis: 1.1_1 -> 1.1_2
os-rspamd: 1.12 -> 1.12_1
pftop: 0.8 -> 0.8_2
php80-dom: 8.0.20 -> 8.0.27
php80-filter: 8.0.20 -> 8.0.27
php80-phpseclib: 2.0.37 -> 3.0.18
php80-sockets: 8.0.20 -> 8.0.27
php80-sqlite3: 8.0.20 -> 8.0.27
php80-xml: 8.0.20 -> 8.0.27
redis: 7.0.4 -> 7.0.8
ruby: 2.7.6_2,1 -> 2.7.7,1
squid: 4.15 -> 5.7
strongswan: 5.9.6_2 -> 5.9.9_1
sudo: 1.9.11p3 -> 1.9.12p1
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-available/otp
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-enabled/cache_eap
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/GPLv2
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/LICENSE
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/catalog.mk
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb1)      -> v4:
WAN (igb0)      -> v4:

HTTPS: SHA256
SSH:   SHA256
SSH:   SHA256
SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:
#9
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 04:25:39 AM
Before replying to your first suggestion on using option 12 from the console terminal (logged in via SSH), I performed the operation several times (including using q to quit the update notice). Unfortunately, the cycle just repeats and the main menu for the terminal session is presented.

After reading your last suggestion, I repeated the exercise to select option 12 and entered q at the first chance when the scrolling list of updates paused. I repeated these steps 3 times but there was no change in the responses from the server.

The server is pointing to the mirror at https://pkg.opnsense.org/FreeBSD:13:amd64/22.7.

Is there an alternate approach that you recommend? Thanks.

Regards.
#10
General Discussion / Re: HOWTO: Update from 22.7
September 21, 2023, 01:09:23 AM
Thanks for fielding this request for assistance.

I did SSH in (first time to the OPNsense server after the initial install several years ago) and then I chose option 12 in accordance with your suggestion. After receiving the update information, the upgrade failed presumably owing to the following partial text from the server:

Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***


Is there some way to specify the intermediate update to 22.7.11_1? Thanks.

Regards.

P.S.
Some additional information regarding my SSH session:

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y


After the patch notes, there is no sub-option to specify a release number or identifier. I can use option 8 to shell out but I don't know the manual command(s) to complete the update/upgrade.

My settings are:

Mirror default
Flavor default
Type Community
Subscription <blank>


The web documentation at https://docs.opnsense.org/manual/updates.html#update-settings states that:
Quote
If you choose option 12 on the console menu on latest release, you are asked if you want to upgrade to the newest version or to the next major release. Type in the major release number (for example "19.1") and press enter. OPNsense will download all release files for an offline upgrade (kernel, packages etc.) and will reboot afterwards.

After a reboot, it will install all updates and when it is done, it will reboot again, then you should be on the desired release.

but I don't see that prompt in my environment.
#11
General Discussion / HOWTO: Update from 22.7
September 19, 2023, 10:10:19 PM
Hello,

The Update button is no longer visible. I'm currently at 22.7 (yes, my fault for neglecting timely upgrades). The System: Firmware Updates reports:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7 (amd64/OpenSSL) at Sat Sep 16 09:01:16 CDT 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
...
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***


In the past, I would simply click on the Update button to complete the upgrade but since it is not present currently, I don't know how to proceed. I've checked online docs and archived forum threads (there was one on 17.x upgrade) but there is no explanation on the next steps if the Update button is missing.

How do I upgrade to the latest stable release, please? Thanks.

Regards.
#12
General Discussion / Re: How to leverage deny-ip.txt?
November 29, 2021, 12:54:28 PM
Thx, @benyamin.  :)
#13
General Discussion / Net-SNMP Daemon Doesn't Start
November 12, 2021, 12:01:26 PM
Hello,

I'm posting this because I noticed another user is having similar difficulty in starting the SNMP service. I want to avoid the perception of "No Repro" syndrome from support members. I've had this issue ever since I embarked on the Protectli FW4B/OPNsense journey in mid-2019. An authoritative person ("...mail", I believe) tried to assist me in the early days but the suggestion to start the service explicitly from the Dashboard screen never worked. I haven't had much luck with Netgear MIBs and therefore this SNMP anomaly is not a handicap for me but if it helps others in reproducible diagnostics, I'll follow whatever suggestions are relayed to me and are practical for me.

During the boot process, I noticed ~4 lines of text stating:

  • SNMP service could not be started
  • Conf file should be checked

As a newbie with OPNsense (even though I've been operating it for over two years) I am ignorant on how to check for the corresponding SNMP config file. Thanks for your understanding.

Kind regards.
#14
General Discussion / How to leverage deny-ip.txt?
November 10, 2021, 12:37:37 PM
Hello,

I have accumulated a deny-ip.txt file over the years. Each line in the file is an IPv4 address. What are the ways that I can leverage this in OPNsense?

I have read a few pages on Suricata and other utilities but didn't quite understand how to import these addresses. Are there some links that would step me through the process under OPNsense 21.7.3-amd64? Thanks.

Kind regards.

P.S. OPNsense GeoIP is doing a fantastic job but I have to keep port 25 open and that is causing minor headaches.
#15
@rhubarb, thanks!

Kind regards.