1
24.1 Legacy Series / Re: unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: July 24, 2024, 12:17:54 pm »
thanks for pointing out the script, I will try and fix it from here.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.1 Legacy Series / Re: unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: July 21, 2024, 10:19:14 pm »Yeah, neither do we. We do it for clients that are supposed to be in DNS permanently and not change their IPs - which certainly is not every single piece of random equipment out there sending out its hostname that's supposed to be trusted by DNS. The whole "feature" is a hack, not something integrated in Unbound and ISC DHCP (unlike Windows AD, now that you've mentioned it)
Related: this "feature" is currently missing altogether in Kea DHCP... https://github.com/opnsense/core/issues/7475
Just so I understand correctly, who is 'we' in this context? OPNsense devs?
Anyways, just to reiterate, I do not care what IP address my clients have, I just want to be able to ping/connect/whatever them by their hostname. Shouldn't be a too radical thing to do?
I thought that if the feature to register those DHCP leases in DNS is enabled that it would magically just work.
So are you saying this is not a real feature and only works sometimes? Maybe it would be best to include that in the description.
Also if that is the case, again my question: can I patch it up with my script? I would only need to know how to send unbound registrations manually. Or do I append to the unbound/dhcpleases.conf and send a SIGHUP?
Maybe this is not something others find useful, but again I would love to have the feature simply work, even with a patch script in crontab rather than having to manually go and assign static leases just because I want to VNC to a PC via its hostname.
Thanks again for any help in advance.
3
24.1 Legacy Series / Re: unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: July 21, 2024, 09:12:19 pm »
my clients are not releasing anything. the leases are still there in opnsense. (see also script output) It seems non-sensical to me to give every single client a static lease.
I have never had to do this with any other dhcp server whether win or *nix.
Also to make this extra clear: the LGwebOSTV client is/was connected and active, still was not in unbound database...
My browser extension couldn't connect as the FQDN dns lookup failed..
I have never had to do this with any other dhcp server whether win or *nix.
Also to make this extra clear: the LGwebOSTV client is/was connected and active, still was not in unbound database...
My browser extension couldn't connect as the FQDN dns lookup failed..
4
24.1 Legacy Series / Re: unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: July 21, 2024, 05:11:26 pm »
thanks for your help. I thought this was maybe a hiccup, but this keeps happening. Every configuration I have that relies on a FQDN continually breaks...
So I made a small script to detect the missing items:
this is the output:
Is there any simple way to find out whats wrong?
Do I have to make a script to patch unbound continually? I don't know a command to re-register dhcp leases into unbound...
Many thanks in advance for your help.
So I made a small script to detect the missing items:
Code: [Select]
#!/usr/local/bin/bash
IP_HOSTNAMES=$(awk '/lease / {ip=$2} /client-hostname/ {print ip, $2}' /var/dhcpd/var/db/dhcpd.leases | tr -d '";')
COUNT=0
while IFS= read -r line; do
HOST=$(echo $line | cut -f2 -d' ')
grep $HOST /var/unbound/dhcpleases.conf >/dev/null || {
echo "$HOST is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf"
}
COUNT=$(($COUNT+1))
done <<< "$IP_HOSTNAMES"
echo "---"
echo "$COUNT total records in dhcpd//dhcpd.leases"
this is the output:
Code: [Select]
./unbound_dhcp_check.sh
RS is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
PX-i7 is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
---
24 total records in dhcpd//dhcpd.leasesIs there any simple way to find out whats wrong?
Do I have to make a script to patch unbound continually? I don't know a command to re-register dhcp leases into unbound...
Many thanks in advance for your help.
5
Virtual private networks / Jail/Lock down one specific OpenVPN connection
« on: June 26, 2024, 09:28:29 am »
Hi there,
I am using 24.x and I have about 10 different OpenVPN setups currently running. They are quite relaxed and have general firewall rules that allow them specific access to/from different networks.
Now for the first time I will have a OpenVPN access to a third party where I need maximum security.
I was hoping to simply set a firewall rule that says "OpenVPN Configuration userXYZ" => block *ALL*. And then allow that user to *only* have traffic to an internal IP address on a specific port.
However intuitively I haven't found a way to do this in the UI, as all openvpn connections are grouped together in the fw rules.
In the docs it says
I am not sure if that means I can assign a "network"/similar to one specific OpenVPN instance and thus enable me to simply select that specific instance in the fw rules?
-
ps.: I know I can glue together a fw rule by going via IPs. But I want a really robust solution that *never* allows traffic for that third party, even in case of a misconfiguration or configuration change. Also since in this instance I am *dialing out* to a OpenVPN server (I am the OVPN client) I have no control over the transfer networks involved.
Any help would be greatly appreciated.
Thanks!
I am using 24.x and I have about 10 different OpenVPN setups currently running. They are quite relaxed and have general firewall rules that allow them specific access to/from different networks.
Now for the first time I will have a OpenVPN access to a third party where I need maximum security.
I was hoping to simply set a firewall rule that says "OpenVPN Configuration userXYZ" => block *ALL*. And then allow that user to *only* have traffic to an internal IP address on a specific port.
However intuitively I haven't found a way to do this in the UI, as all openvpn connections are grouped together in the fw rules.
In the docs it says
Code: [Select]
Tip
In order to use features as policy based routing or manual routes, you can assign the underlying devices and use them in a similar fashion as physical interfaces.I am not sure if that means I can assign a "network"/similar to one specific OpenVPN instance and thus enable me to simply select that specific instance in the fw rules?
-
ps.: I know I can glue together a fw rule by going via IPs. But I want a really robust solution that *never* allows traffic for that third party, even in case of a misconfiguration or configuration change. Also since in this instance I am *dialing out* to a OpenVPN server (I am the OVPN client) I have no control over the transfer networks involved.
Any help would be greatly appreciated.
Thanks!
6
24.1 Legacy Series / Re: unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: June 05, 2024, 08:08:31 pm »
hey meyergru,
thanks!
so opnsense /ui/dhcpv4/leases shows 29 entries
and
@opnpx:/var/unbound # cat dhcpleases.conf | sort | cut -d":" -f1 | uniq -c
22 local-data-ptr
22 local-data
so 7 missing. Is there a command to re-register them?
thanks!
so opnsense /ui/dhcpv4/leases shows 29 entries
and
@opnpx:/var/unbound # cat dhcpleases.conf | sort | cut -d":" -f1 | uniq -c
22 local-data-ptr
22 local-data
so 7 missing. Is there a command to re-register them?
7
24.1 Legacy Series / unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline
« on: June 05, 2024, 06:07:42 pm »
heya,
I really love opnsense, but sometimes it can be quite confusing to find info.
I have my LAN interface setup to serve IPs via ISC DHCP and to register new leases with dns (unbound).
But whenever devices go offline, they seem to vanish from unbound. Is this per definition? Can I deactivate this? I want the dns entries to stay as long as the dhcp lease is still not expired.
Please help me to help myself:
Where can I verify that the entries are in fact removed from unbound, where can I see the current dns list?
If it is actually removed, where should I go look for these "unregister" messages in unbound?
Where can I change settings as to keep DNS?
Many thanks!
BTW: Using OPNsense 24.1.8-amd64.
If theres anything else I should post please advise. Thanks!
I really love opnsense, but sometimes it can be quite confusing to find info.
I have my LAN interface setup to serve IPs via ISC DHCP and to register new leases with dns (unbound).
But whenever devices go offline, they seem to vanish from unbound. Is this per definition? Can I deactivate this? I want the dns entries to stay as long as the dhcp lease is still not expired.
Please help me to help myself:
Where can I verify that the entries are in fact removed from unbound, where can I see the current dns list?
If it is actually removed, where should I go look for these "unregister" messages in unbound?
Where can I change settings as to keep DNS?
Many thanks!
BTW: Using OPNsense 24.1.8-amd64.
If theres anything else I should post please advise. Thanks!
8
22.1 Legacy Series / Re: No access via IPv6 to the firewall it self, even though rules SHOULD permit it
« on: February 16, 2023, 12:58:19 pm »
Sorry for reviving this thread, but I did not find a suitable topic.
I have the same problem running OPNsense 22.7.10_2.
I have ipv4 and ipv6 setup on LAN interface.
This is my config in Administration:
Seems like it is only listening on the ipv4 LAN address, not on the ipv6 address.
other than that, like OP my IPv6 generally works. Just not for ssh to the firewall.
I have the same problem running OPNsense 22.7.10_2.
I have ipv4 and ipv6 setup on LAN interface.
This is my config in Administration:
Code: [Select]
Secure Shell Server [x] Enable Secure Shell
Login Group wheel, admins
Root Login [x] Permit root user login
Authentication Method [x] Permit password login
SSH port 22
Listen Interfaces LANCode: [Select]
:~ # netstat -an | grep 22
tcp4 0 0 192.168.1.1.22 *.* LISTEN
tcp4 0 0 127.0.0.1.22 *.* LISTEN
tcp6 0 0 ::1.22 *.* LISTEN
Seems like it is only listening on the ipv4 LAN address, not on the ipv6 address.
Code: [Select]
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether dc:58:bc:e0:24:7b
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::<redacted>:247b%igb2 prefixlen 64 scopeid 0x3
inet6 2a00:<redacted>:247b prefixlen 64
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
other than that, like OP my IPv6 generally works. Just not for ssh to the firewall.
9
General Discussion / Re: General questions understanding monit and its integration with opnsense
« on: August 29, 2021, 10:59:39 pm »
hey guys,
thanks for the healthy discussion. Looking at the 4993 issue thats exactly what I was fearing, it is more or less a crutch. Not meaning any ill intention - something thats supposed to be THE alerting/notification method in opnsense should be build on more solid ground? I am hoping the new monit version (29) will be updated soon!
Does anyone have an answer to 1) in the OP?
thanks
thanks for the healthy discussion. Looking at the 4993 issue thats exactly what I was fearing, it is more or less a crutch. Not meaning any ill intention - something thats supposed to be THE alerting/notification method in opnsense should be build on more solid ground? I am hoping the new monit version (29) will be updated soon!
Does anyone have an answer to 1) in the OP?
thanks
10
General Discussion / Re: General questions understanding monit and its integration with opnsense
« on: August 28, 2021, 09:49:27 am »
OK seems like check PROGRAM with IF CONTENT is only supported from monit 5.29.0 onwards which is currently not available in opnsense
11
General Discussion / General questions understanding monit and its integration with opnsense
« on: August 28, 2021, 08:54:17 am »
Hi there,
I am relatively new to opnsense (21.1) and trying to understand some architectural concepts.
So as the documentation states, notifications are to be handled by monit.
1) in system -> settings -> cron there are entries for "Firmware changelog update" and "Firmware update check". What do these do, I am not sure which does what? Will they emit a notification if new updates are detected? If not do I have to setup monit to emit these via email? I see no preconfigured entries...
2) I am trying to make notifications for OpenVPN. I want to receive an email if a client connects. There doesn't seem to be a preconfigured entry for this so I digged a little deeper in monit configuration.
It seems like for this I need to watch the /var/log/openvpn.log and look for a "connection initiated" strings. I thought I had it configured correctly but it would not trigger.
I wondered why the file is a fixed size and has strange binary leftovers at the end. So I found out that this is caused by a mechanism called circular logs which is not recommended (anymore?).
So I disabled them. However now, the file is not called /var/log/openvpn.log anymore, but instead /var/log/openvpn/openvpn_20210828.log.
So it seems like the
This is my understanding so far and before I dig even deeper maybe someone could help me out a bit whether I am totally wrong and can help me nudge in the correct direction.
Many thanks
I am relatively new to opnsense (21.1) and trying to understand some architectural concepts.
So as the documentation states, notifications are to be handled by monit.
1) in system -> settings -> cron there are entries for "Firmware changelog update" and "Firmware update check". What do these do, I am not sure which does what? Will they emit a notification if new updates are detected? If not do I have to setup monit to emit these via email? I see no preconfigured entries...
2) I am trying to make notifications for OpenVPN. I want to receive an email if a client connects. There doesn't seem to be a preconfigured entry for this so I digged a little deeper in monit configuration.
It seems like for this I need to watch the /var/log/openvpn.log and look for a "connection initiated" strings. I thought I had it configured correctly but it would not trigger.
I wondered why the file is a fixed size and has strange binary leftovers at the end. So I found out that this is caused by a mechanism called circular logs which is not recommended (anymore?).
So I disabled them. However now, the file is not called /var/log/openvpn.log anymore, but instead /var/log/openvpn/openvpn_20210828.log.
So it seems like the
Code: [Select]
check file openvpn with path "/var/log/openvpn.log" syntax doesn't work with dynamic file names? That would lead to having to use a program output content test with a bash script that collects the correct log data. But it is limited to 511 characters which means depending on the monit checking interval it could miss data.This is my understanding so far and before I dig even deeper maybe someone could help me out a bit whether I am totally wrong and can help me nudge in the correct direction.
Many thanks
12
German - Deutsch / Re: Unbound DNS - Warum antwortet er auf ein A Query mit einer Liste an Servern?
« on: October 13, 2020, 11:16:22 am »
Niemand?
13
German - Deutsch / Re: Unbound DNS - Warum antwortet er auf ein A Query mit einer Liste an Servern?
« on: October 02, 2020, 05:41:47 pm »
Evtl. ist dieses Problem zu selten oder ich habe nicht alle benötigten Infos geliefert.
Ich wäre auch dankbar für eine Info bezüglich weiterem Logging/Debugging um dem Problem auf die Schliche zu kommen.
Vielen Dank für jegliche Hilfe.
Ich wäre auch dankbar für eine Info bezüglich weiterem Logging/Debugging um dem Problem auf die Schliche zu kommen.
Vielen Dank für jegliche Hilfe.
14
German - Deutsch / Unbound DNS - Warum antwortet er auf ein A Query mit einer Liste an Servern?
« on: October 01, 2020, 11:07:10 am »
Hallo,
zunächst möchte ich vorschießen, dass ich mich im Bereich DNS nur sehr dünn auskenne. Ich benutze OPNsense seit erst einigen Monaten und mein Mailserver spuckte nun folgende Messages aus:
Also machte ich mich auf die Suche warum dem so ist. Nach einigem Suchen kam ich darauf dass die OPNsense folgende Antwort schickt:
Er gibt also keine IP-Adresse zurück, sondern scheinbar zuständige Upstream DNS Server?
Wenn ich das gleiche Query auf irgend einem anderen Server (z.B. google.dns) schicke, bekomme ich die korrekte Antwort. Interessanterweise bekomme ich auch die korrekte Antwort wenn ich auf der OPNsense drill mache. Es gibt also einen Unterschied zwischen dem was drill lokal anspricht und dem DNS der auf den Interfaces sitzt? (drill @192.168.200.1)
Mein Setup in OPNsense ist wie folgt:
Kann mir jemand helfen bzw. versuchen zu erklären, was ich nicht verstehe?
Vielen Dank!
zunächst möchte ich vorschießen, dass ich mich im Bereich DNS nur sehr dünn auskenne. Ich benutze OPNsense seit erst einigen Monaten und mein Mailserver spuckte nun folgende Messages aus:
Code: [Select]
DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block List
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block ListAlso machte ich mich auf die Suche warum dem so ist. Nach einigem Suchen kam ich darauf dass die OPNsense folgende Antwort schickt:
Code: [Select]
drill @192.168.200.1 168.78.123.119.db.wpbl.info
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9656
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; 168.78.123.119.db.wpbl.info. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
db.wpbl.info. 86145 IN NS ns2.wpbl.info.
db.wpbl.info. 86145 IN NS ns1.wpbl.info.
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 192.168.200.1
;; WHEN: Thu Oct 1 10:55:30 2020
;; MSG SIZE rcvd: 81
Er gibt also keine IP-Adresse zurück, sondern scheinbar zuständige Upstream DNS Server?
Wenn ich das gleiche Query auf irgend einem anderen Server (z.B. google.dns) schicke, bekomme ich die korrekte Antwort. Interessanterweise bekomme ich auch die korrekte Antwort wenn ich auf der OPNsense drill mache. Es gibt also einen Unterschied zwischen dem was drill lokal anspricht und dem DNS der auf den Interfaces sitzt? (drill @192.168.200.1)
Mein Setup in OPNsense ist wie folgt:
Code: [Select]
# cat /etc/resolv.conf
domain xxx.local
nameserver 185.xx.yy.zz
nameserver 185.xx.yy.ww
nameserver 8.8.8.8
nameserver 192.168.200.101
Kann mir jemand helfen bzw. versuchen zu erklären, was ich nicht verstehe?
Vielen Dank!
Pages: [1]