Messages - ralfonat

#1
Thanks for pointing out the script, I will try and fix it from here.
#2
Quote from: doktornotor on July 21, 2024, 10:10:32 PM
Yeah, neither do we. We do it for clients that are supposed to be in DNS permanently and not change their IPs - which certainly is not every single piece of random equipment out there sending out its hostname that's supposed to be trusted by DNS. The whole "feature" is a hack, not something integrated in Unbound and ISC DHCP (unlike Windows AD, now that you've mentioned it)

Related: this "feature" is currently missing altogether in Kea DHCP... https://github.com/opnsense/core/issues/7475

Just so I understand correctly, who is 'we' in this context? OPNsense devs?

Anyway, just to reiterate, I do not care what IP address my clients have, I just want to be able to ping/connect/whatever them by their hostname. That shouldn't be too radical a thing to do?

I thought that if the feature to register those DHCP leases in DNS is enabled that it would magically just work.

So are you saying this is not a real feature and only works sometimes? Maybe it would be best to include that in the description.

Also if that is the case, again my question: can I patch it up with my script? I would only need to know how to send unbound registrations manually. Or do I append to the unbound/dhcpleases.conf and send a SIGHUP?

Maybe this is not something others find useful, but again I would love to have the feature simply work, even with a patch script in crontab rather than having to manually go and assign static leases just because I want to VNC to a PC via its hostname.

Thanks again for any help in advance.
#3
My clients are not releasing anything. The leases are still there in OPNsense (see also the script output). It seems nonsensical to me to give every single client a static lease.

I have never had to do this with any other dhcp server whether win or *nix.

Also, to make this extra clear: the LGwebOSTV client is/was connected and active, and still was not in the unbound database...

My browser extension couldn't connect as the FQDN DNS lookup failed.
#4
Thanks for your help. I thought this was maybe a hiccup, but this keeps happening. Every configuration I have that relies on a FQDN continually breaks...

So I made a small script to detect the missing items:

#!/usr/local/bin/bash

# Pair every lease IP with the hostname the client sent, stripping quotes and semicolons.
IP_HOSTNAMES=$(awk '/^lease / {ip=$2} /client-hostname/ {print ip, $2}' /var/dhcpd/var/db/dhcpd.leases | tr -d '";')
COUNT=0

while read -r IP HOST; do
  [ -n "$HOST" ] || continue   # skip the empty line produced when no lease carries a hostname
  # Quoted, fixed-string, case-insensitive match: an unquoted $HOST would be word-split and treated as a regex.
  grep -qiF -- "$HOST" /var/unbound/dhcpleases.conf || {
    echo "$HOST is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf"
  }
  COUNT=$((COUNT+1))
done <<< "$IP_HOSTNAMES"

echo "---"
echo "$COUNT total records in dhcpd//dhcpd.leases"



this is the output:

./unbound_dhcp_check.sh
RS is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
PX-i7 is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
---
24 total records in dhcpd//dhcpd.leases


Is there any simple way to find out what's wrong?

Do I have to make a script to patch unbound continually? I don't know a command to re-register dhcp leases into unbound...

Many thanks in advance for your help.
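A more thorough version of the check above, added here as an example and not taken from the thread or from OPNsense: instead of a substring grep it parses the ISC lease file, keeps only the newest record per IP that is still `binding state active` and unexpired, and compares hostname/IP pairs against the `local-data` lines Unbound was given. The exact `dhcpleases.conf` line format is an assumption, and the sample lease and Unbound data are constructed.

```python
#!/usr/bin/env python3
"""Report active ISC DHCP leases with no matching Unbound host record (added example, not OPNsense code).
Assumes ISC dhcpd.leases syntax (UTC timestamps) and dhcpleases.conf lines like
  local-data: "host.lan. IN A 192.168.1.10"  (OPNsense: /var/dhcpd/var/db/dhcpd.leases, /var/unbound/dhcpleases.conf)."""
import re
from datetime import datetime, timezone

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"(?<!next )binding state (\w+);")  # ignore the 'next binding state' statement
ENDS_RE = re.compile(r"\bends (?:\d )?(never|\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
HOST_RE = re.compile(r'client-hostname "([^"]*)";')
def parse_leases(text, now):
    """{ip: hostname} for leases that are active, named and unexpired.
    dhcpd appends records, so a later record for an IP supersedes earlier ones."""
    active = {}
    for ip, body in LEASE_RE.findall(text):
        active.pop(ip, None)
        state, ends, host = STATE_RE.search(body), ENDS_RE.search(body), HOST_RE.search(body)
        if not (state and state.group(1) == "active" and host and host.group(1)):
            continue  # released/free lease, or the client sent no hostname
        if ends and ends.group(1) != "never":
            expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if expiry <= now:
                continue
        active[ip] = host.group(1)
    return active
def parse_unbound(text):
    """{(hostname_lower, ip)} from local-data lines; local-data-ptr lines repeat the same pairs."""
    pairs = set()
    for m in re.finditer(r'^local-data:\s*"([^"]+)"', text, re.M):
        fields = m.group(1).split()
        pairs.add((fields[0].split(".")[0].lower(), fields[-1]))
    return pairs
def missing(active, registered):
    """Active leases whose (hostname, ip) pair is absent from Unbound's records."""
    return sorted((ip, h) for ip, h in active.items() if (h.lower(), ip) not in registered)
# Constructed sample input, condensed to one record per line (dhcpd itself writes one statement per line).
SAMPLE_LEASES = """
lease 192.168.1.50 { ends 1 2024/07/22 22:00:00; binding state active; next binding state free; client-hostname "PX-i7"; }
lease 192.168.1.51 { ends 1 2024/07/22 22:30:00; binding state active; next binding state free; client-hostname "LGwebOSTV"; }
lease 192.168.1.52 { ends 1 2024/07/22 21:00:00; binding state active; client-hostname "RS"; }
lease 192.168.1.52 { ends 1 2024/07/22 11:00:00; binding state free; client-hostname "RS"; }
lease 192.168.1.53 { ends 1 2024/07/21 22:00:00; binding state active; client-hostname "old-laptop"; }
"""
SAMPLE_UNBOUND = 'local-data: "px-i7.lan. IN A 192.168.1.50"\nlocal-data: "rs.lan. IN A 192.168.1.52"\n'
NOW = datetime(2024, 7, 22, 12, 0, tzinfo=timezone.utc)
if __name__ == "__main__":
    for ip, host in missing(parse_leases(SAMPLE_LEASES, NOW), parse_unbound(SAMPLE_UNBOUND)):
        print(f"{host} ({ip}) is an active lease but not in unbound/dhcpleases.conf")
```

On a live box, replace the constructed strings with the contents of the two files and `NOW` with `datetime.now(timezone.utc)`; the released duplicate for 192.168.1.52 and the expired 192.168.1.53 are deliberately not reported.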
#5
Hi there,

I am using 24.x and I have about 10 different OpenVPN setups currently running. They are quite relaxed and have general firewall rules that allow them specific access to/from different networks.

Now, for the first time, I will have OpenVPN access to a third party where I need maximum security.

I was hoping to simply set a firewall rule that says "OpenVPN Configuration userXYZ" => block *ALL*. And then allow that user to *only* have traffic to an internal IP address on a specific port.

However, intuitively I haven't found a way to do this in the UI, as all OpenVPN connections are grouped together in the firewall rules.

In the docs it says

Tip

In order to use features as policy based routing or manual routes, you can assign the underlying devices and use them in a similar fashion as physical interfaces.


I am not sure if that means I can assign a "network" or similar to one specific OpenVPN instance, and thus be able to simply select that specific instance in the firewall rules?

-

PS: I know I can glue together a firewall rule by going via IPs. But I want a really robust solution that *never* allows traffic for that third party, even in case of a misconfiguration or configuration change. Also, since in this instance I am *dialing out* to an OpenVPN server (I am the OVPN client), I have no control over the transfer networks involved.

Any help would be greatly appreciated.

Thanks!
#6
Hey meyergru,

thanks!

So OPNsense /ui/dhcpv4/leases shows 29 entries

and
@opnpx:/var/unbound # cat dhcpleases.conf | sort | cut -d":" -f1 | uniq -c
  22 local-data-ptr
  22 local-data

So 7 are missing. Is there a command to re-register them?
#7
Heya,

I really love OPNsense, but sometimes it can be quite confusing to find info.

I have my LAN interface set up to serve IPs via ISC DHCP and to register new leases with DNS (unbound).

But whenever devices go offline, they seem to vanish from unbound. Is this per definition? Can I deactivate this? I want the dns entries to stay as long as the dhcp lease is still not expired.

Please help me to help myself:

Where can I verify that the entries are in fact removed from unbound, where can I see the current dns list?

If it is actually removed, where should I go look for these "unregister" messages in unbound?

Where can I change settings as to keep DNS?

Many thanks!

BTW: Using OPNsense 24.1.8-amd64.

If there's anything else I should post, please advise. Thanks!
#8
Sorry for reviving this thread, but I did not find a suitable topic.

I have the same problem running OPNsense 22.7.10_2.

I have IPv4 and IPv6 set up on the LAN interface.

This is my config in Administration:

Secure Shell Server [x] Enable Secure Shell
Login Group wheel, admins
Root Login [x] Permit root user login
Authentication Method [x] Permit password login
SSH port 22
Listen Interfaces LAN


:~ # netstat -an | grep 22
tcp4       0      0 192.168.1.1.22         *.*                    LISTEN
tcp4       0      0 127.0.0.1.22           *.*                    LISTEN
tcp6       0      0 ::1.22                 *.*                    LISTEN


It seems like it is only listening on the IPv4 LAN address, not on the IPv6 address.

igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether dc:58:bc:e0:24:7b
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::<redacted>:247b%igb2 prefixlen 64 scopeid 0x3
        inet6 2a00:<redacted>:247b prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


Other than that, like OP, my IPv6 generally works. Just not for SSH to the firewall.
#9
Hey guys,

thanks for the healthy discussion. Looking at the 4993 issue, that's exactly what I was fearing: it is more or less a crutch. Not meaning any ill intention, but something that's supposed to be THE alerting/notification method in OPNsense should be built on more solid ground? I am hoping the new monit version (29) will be updated soon!

Does anyone have an answer to 1) in the OP?

thanks
#10
OK, it seems like check PROGRAM with IF CONTENT is only supported from monit 5.29.0 onwards, which is currently not available in OPNsense.
#11
Hi there,

I am relatively new to opnsense (21.1) and trying to understand some architectural concepts.

So as the documentation states, notifications are to be handled by monit.

1) In System -> Settings -> Cron there are entries for "Firmware changelog update" and "Firmware update check". What do these do? I am not sure which does what. Will they emit a notification if new updates are detected? If not, do I have to set up monit to emit these via email? I see no preconfigured entries...

2) I am trying to make notifications for OpenVPN. I want to receive an email if a client connects. There doesn't seem to be a preconfigured entry for this, so I dug a little deeper into the monit configuration.

It seems like for this I need to watch /var/log/openvpn.log and look for "connection initiated" strings. I thought I had it configured correctly, but it would not trigger.

I wondered why the file is a fixed size and has strange binary leftovers at the end. So I found out that this is caused by a mechanism called circular logs which is not recommended (anymore?).

So I disabled them. However now, the file is not called /var/log/openvpn.log anymore, but instead /var/log/openvpn/openvpn_20210828.log.

So it seems like the check file openvpn with path "/var/log/openvpn.log" syntax doesn't work with dynamic file names? That would lead to having to use a program output content test with a bash script that collects the correct log data. But it is limited to 511 characters which means depending on the monit checking interval it could miss data.

This is my understanding so far, and before I dig even deeper maybe someone could help me out a bit, tell me whether I am totally wrong and nudge me in the correct direction.

Many thanks

#13
Perhaps this problem is too rare, or I have not provided all the necessary information.

I would also be grateful for information about further logging/debugging to get to the bottom of the problem.

Many thanks for any help.
#14
Hello,

First I should say up front that I know only very little about DNS. I have been using OPNsense for just a few months, and my mail server has now started producing the following messages:

DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block List
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block List


So I set out to find out why this is. After some searching, I found that OPNsense sends the following response:

drill @192.168.200.1 168.78.123.119.db.wpbl.info
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9656
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; 168.78.123.119.db.wpbl.info. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
db.wpbl.info.   86145   IN      NS      ns2.wpbl.info.
db.wpbl.info.   86145   IN      NS      ns1.wpbl.info.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 192.168.200.1
;; WHEN: Thu Oct  1 10:55:30 2020
;; MSG SIZE  rcvd: 81


So it does not return an IP address, but apparently the responsible upstream DNS servers?

If I send the same query to any other server (e.g. Google DNS), I get the correct answer. Interestingly, I also get the correct answer when I run drill on the OPNsense itself. So there is a difference between what drill talks to locally and the DNS that sits on the interfaces? (drill @192.168.200.1)

My setup in OPNsense is as follows:





# cat /etc/resolv.conf
domain xxx.local
nameserver 185.xx.yy.zz
nameserver 185.xx.yy.ww
nameserver 8.8.8.8
nameserver 192.168.200.101


Can someone help me, or try to explain what I am not understanding?

Many thanks!