Messages - Superduke

#1
Have you tried disabling the main tunnel and clients and then re-enabling them? I have found that the Wireguard setup is somewhat finicky when it comes to that if a major upset to the system happens. It seems as if timing matters, so maybe try a couple of disables and re-enables and it may come back for you.
#2
Try shutting off the blocklists....I had the same issue on a different instance with unbound active....never did understand why they would cause it.....but once I shut the lists off....the memory leaking stopped.
#3
Are blocklists enabled??  If yes...try to shut that off and see if it helps....it did for me....

Quote from: thiasaef on March 11, 2022, 10:56:16 AM
@NoOne777, what do you mean when you say 'crashing'? What does the log say?
#4
FWIW....I found that Unbound was pretty unreliable when blocklists were on.  It worked and then didn't work...haha.

I've since moved to using AdGuard with Unbound resolving but AdGuard performing the filtering and blocking. I haven't had any Unbound related issues since.

Quote from: devhunter55 on March 11, 2022, 10:22:55 AM
Thx ilikenwf for your answer.

Yes, me too .. I have got blocklists turned on in UNBOUND.
Maybe the blocklists can have a negative "side-effect"!?

But you're right ... this is severe behaviour and needs to be addressed.

Wondering if we both are the only ones who caught this error?
#5
Apologies...I likely wasn't clear...you surely need a resolver of some kind...but Unbound with AGH gets you the resolving and blocking/filtering/control you want without cleanbrowsing in the loop....

And since both services are local to you, the whole DoT thing becomes irrelevant.

Quote from: mush2020 on January 19, 2022, 07:06:22 PM
Quote from: Superduke on January 19, 2022, 04:43:56 PM
I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate a lot (if not all) of what AGH does for you....

What will the settings be if Unbound is disabled? No more DoT IP used, i.e. cleanbrowsing.
OPNsense + AGH only.
In this case how will OPNsense forward the DNS request? There should be a DNS server somewhere.
#6
I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate a lot (if not all) of what AGH does for you....

#7
Check this out....this is where I went to set mine up....

https://forum.opnsense.org/index.php?topic=22162.msg107450#msg107450

Quote from: mush2020 on January 18, 2022, 06:16:27 PM
Quote
1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later if AGH is working. I hope no host will use their own DNS addresses.

Quote
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with a new port, but I'm sure I'm not using 5353 elsewhere.

Quote
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not a VLAN. It's physically connected from OPNsense to the WiFi AP port (see attached).

Quote
Did you try the test button in AGH?
Yes all tests are successful

Quote
Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked all is ok. As soon as I enable (highlighted in attachment) web service protection the internet doesn't work. I have tried enabling both at the same time and each separately.

IPS is disabled.

Where are the AGH logs to check why DNS requests are failing with these 2 web service features?
#8
Minor things but I have my upstream DNS server set to load balance....

And I don't have any address in the private reverse DNS lookup box; although you putting your OPNsense IP shouldn't matter....

this is weird.....sorry I can't help more....
#9
Ok, I think I know what you want now.  Just to summarize...you want Unbound to do your resolving locally on your OPNSense server and use AGH as a blockfilter....that's what I have by the way.

If that's the case, then

1) There is no reason to have NAT port forwarding or special rules set.
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

Did you try the test button in AGH?

Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

Another thing to look at is if you also have Suricata running....shouldn't matter but try disabling that too to see if it might be blocking something unnecessarily.



Quote from: mush2020 on January 18, 2022, 04:32:12 PM


Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be setup in AGH not Unbound.   If you are using Unbound then yes of course you need to set that up.

I want to use Unbound + AGH.
In AGH
upstream DNS servers
192.168.50.254:5353(Opnsense LAN)
192.168.10.254:5353 (Wifi Interface)

parallel requests

bootstrap dns servers
192.168.50.254:5353(Opnsense LAN )
192.168.10.254:5353 (Wifi Interface)

private reverse dns servers
192.168.10.254:5353 (Wifi Interface)
192.168.50.254:5353(Opnsense LAN )


The only issue I have now is DNS not working if AGH protection is enabled.

Any further troubleshooting lead?
#10
Quote from: mush2020 on January 18, 2022, 03:54:57 PM
In Unbound DNS over TLS I tested by removing port 853 and leaving it blank.
It accepts the blank field, but after applying, the internet is not available.
So I'm back to my working settings (see attached).

Does all DNS providers' DoT work only on TCP/853? If so, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org

As seen in Cleanbrowsing (see attached), for the IP a port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for the AGH protection settings?

Just a thought....but do you have the DNS nameservers setup under General settings? And then have the DNS Query Forwarding checked in Unbound?
#11
Quote from: mush2020 on January 18, 2022, 03:54:57 PM

Honestly, everything you want is in AGH.....no need for Cleanbrowsing DNS really....and you can even set up a per client override....and use whatever blocklists you want...although pretty well all of the best stock ones are built-in.
#12
Quote from: mush2020 on January 18, 2022, 03:54:57 PM

Do you wish to use AGH in this setup? If yes, then 853 and your DNS service need to be set up in AGH, not Unbound. If you are using Unbound then yes, of course you need to set that up.
#13
If you want to use Cloudflare or other providers for DNS, you can set that up in Unbound using DoT with no port forwarding at all.....not sure why the tutorials say to do so....
#14
Quote from: mush2020 on January 18, 2022, 04:27:07 AM
@Superduke, thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Is there any added benefit for DNS and web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where the issue is; as soon as I enable the 2 web safe browsing options, the Internet stops (DNS Timed Out).

I could not get any indication from Unbound logs or FW logs yet.

Not sure if anyone using Unbound+AGH has faced such an issue.

WG itself isn't filtering anything of course.  It's just a secure tunnel back to my OPNSense/AGH box....which then performs the blocking/filtering.  So basically I have my kids' devices route all of their traffic back through WG to home so the safe search and safe browsing settings are applied to them....just like if they were at home on the WIFI.
#15
Any reason why you have those port forward rules in place? You shouldn't need them afaik.

I have DNS static mapping also set via the Unbound GUI as well as DHCP lease registration. Apart from that and the listening port change from 53 to whatever (5353 in your case), there isn't anything else to change in OPNsense I believe.

In the AGH interface, you need to put in your OPNsense IP:Listening Port in both upstream and bootstrap.

That should pretty well be it.