Messages - tommiy

#1
Hi, I had a working configuration of OPNsense on 22.7 following these guides. I updated to 23.1.7. A result of this was that AdGuard was also updated to now be 107.29. Post this my LAN clients no longer receive a DNS address at all. If I disable AdGuard and change Unbound back to DNS port 53 the LAN clients again receive a DNS server. Appears that there are some issues regarding AdGuard now running with OPNsense. A Google found a similar issue lodged with AdGuard Home on GitHub.

https://github.com/AdguardTeam/AdGuardHome/issues/5827

Appears that you will now need to specify the DNS server in your Services->DHCP->DNS Servers for AdGuard to work. Without this the clients never get a DNS server.

EDIT/UPDATE: Confirmed with Wireshark that OPNsense is now only providing a default system DNS entry to the LAN when Unbound is running on port 53. If Unbound is running on any other port then OPNsense does not supply a default DNS address to the LAN DHCP request. This obviously breaks the listed settings for getting AdGuard Home to work and does not appear to be an AdGuard issue but an OPNsense issue. For example, with Unbound set to listen on port 53 and the Services->DHCP->DNS Servers blank, a DHCP request has a return Option 6 of the default LAN interface address. If I change Unbound to listen on port 54 then a DHCP request has no Option 6 (Domain Name Server) returned. Previously it used to return Option 6 regardless.
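An added check (not from this thread or OPNsense) for the Option 6 behaviour described in this post: it decodes the options field of a DHCP reply the way Wireshark displays it and reports whether Option 6 (Domain Name Server) is present. The two DHCPACK option blobs are constructed, with 192.168.1.1 standing in for the LAN address.

```python
"""Decode the options of a DHCP reply and report Option 6 (Domain Name Server).
Added example, not from the post. The DHCPACK option blobs are constructed to
mirror the two cases above: Option 6 carrying 192.168.1.1, and no Option 6.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255

def parse_dhcp_options(blob: bytes) -> dict:
    """Decode RFC 2132 TLV options into {code: value}; split options are joined."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def dns_servers(blob: bytes) -> list:
    """Addresses a client would install from Option 6; [] when none was offered."""
    raw = parse_dhcp_options(blob).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("Option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]

def build_ack(with_dns: bool) -> bytes:
    """Constructed DHCPACK options: message type 5, server id, optional Option 6."""
    lan = ipaddress.IPv4Address("192.168.1.1").packed
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 5, OPT_SERVER_ID, 4]) + lan
    if with_dns:
        body += bytes([OPT_DNS, 4]) + lan
    return body + bytes([OPT_END])

if __name__ == "__main__":
    print(dns_servers(build_ack(True)))   # Unbound on port 53, as the post observed: ['192.168.1.1']
    print(dns_servers(build_ack(False)))  # Unbound moved off port 53, as the post observed: []
```

Feed it the options bytes of a real DHCPACK (everything after the 236-byte fixed header) to confirm what your clients are actually being handed.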
#2
Hi, I'm looking for some assistance as I've read the entire 12 pages and have not been able to get OPNsense DNS resolution working after the settings below are applied. It times out. There are a number of requests in the thread which state to follow the setup, which I think I have done, but still the own self status check does not work.

Appreciate any input.

OPNsense 22.7.4

1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - OPNsense - System - Settings - General
      DNS Servers: empty
      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - OPNsense - Services - DHCPv4 - [LAN]: DNS Servers all blank
6 - OPNsense - Services - Unbound DNS - General
      Tick: Enable Unbound
      Tick: Enable DNSSEC Support
      Tick: Register DHCP Leases
      Tick: Register DHCP static mappings
      Tick: Register IPv6 link-local addresses
7 - OPNsense - Services - Unbound - DNS over TLS
      Untick: Use System Nameservers
      Domain: blank
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com
8 - OPNsense - Services - Unbound - General
      Listen Port: 53530
9 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup
10 - AdGuard Home - DNS Configuration - Upstream Servers: Add router_ip:53530 ( 192.168.1.1:5353 ). Delete those that exist
11 - AdGuard Home - DNS Configuration - Private reverse DNS servers
      127.0.0.1:53530
      192.168.1.1:53530

Edit
Unfortunately, with either the above configuration or the previous one, when I visit https://1.1.1.1/help it states that DNS over TLS is not being used. So I'm at a loss. Appears AGH is running and using Unbound, but Unbound is not using the DNS over TLS configuration?

Edit
I removed AGH from the picture to validate that Unbound is performing DNS over TLS. Using tcpdump on the WAN interface I can see that there are TLS sessions set up to 1.1.11 and 1.0.0.1, but the client DNS queries are still going out the WAN interface on port 53. Guess that a LAN fw rule may be required. I need to resolve this, I guess, before being concerned with AGH.

Edit
An easier avenue for initially validating DNS over TLS is Services - Unbound - Advanced: set log level verbosity = 2 and tick Log Queries. Then in the Unbound logs, set to Informational, you will see the queries and port #.

Solved
The issue is that when you install AGH you need to bind to all interfaces, or later edit the /usr/local/AdGuardHome/AdGuardHome.yaml file to bind to 0.0.0.0. Doing that permits resolv.conf to still point to 127.0.0.1, which is bound to AGH and then to Unbound. The Unbound logs are showing #853. So I'm happy. Good learning session.
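An added example (not the thread's or OPNsense's code) of the log check this post relies on: it scans the 'reply from <zone> ip#port' lines Unbound writes at verbosity 2 and flags any upstream reply that arrived on plain port 53 rather than 853, which is how the port-53 leak seen with tcpdump above shows up in the log. The log lines are constructed samples in OPNsense's log layout, and the assumption is that Unbound is meant to forward everything over DoT.

```python
"""Check Unbound verbosity-2 logs for upstream replies that did not use DNS over TLS.

Added example, not from the forum post. It scans the 'reply from <zone> ip#port'
lines Unbound writes at verbosity 2 and flags any upstream that answered on a
port other than 853. The log lines below are constructed samples.
"""
import re
from collections import Counter

# Matches the upstream-reply line regardless of the syslog/OPNsense prefix.
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)")
DOT_PORT = 853

SAMPLE_LOG = """\
2023-05-20T10:00:01 Informational unbound [35172:0] info: resolving example.com. A IN
2023-05-20T10:00:01 Informational unbound [35172:0] info: reply from <.> 1.1.1.1#853
2023-05-20T10:00:02 Informational unbound [35172:0] info: resolving example.org. A IN
2023-05-20T10:00:02 Informational unbound [35172:0] info: reply from <.> 1.0.0.1#853
2023-05-20T10:00:03 Informational unbound [35172:0] info: reply from <example.net.> 192.0.2.53#53
2023-05-20T10:00:04 Informational unbound [35172:0] info: reply from <.> 2606:4700:4700::1111#853
"""

def upstream_replies(log_text: str) -> list:
    """Return (ip, port) for every upstream reply line found in the log."""
    found = []
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            found.append((m.group("ip"), int(m.group("port"))))
    return found

def plaintext_upstreams(log_text: str) -> Counter:
    """Count replies per upstream that arrived on anything other than port 853."""
    return Counter(ip for ip, port in upstream_replies(log_text) if port != DOT_PORT)

def dot_only(log_text: str) -> bool:
    """True when at least one reply was seen and every one of them used port 853."""
    replies = upstream_replies(log_text)
    return bool(replies) and not plaintext_upstreams(log_text)

if __name__ == "__main__":
    leaks = plaintext_upstreams(SAMPLE_LOG)
    print("DoT only:", dot_only(SAMPLE_LOG))  # False for the constructed sample
    for ip, n in leaks.items():
        print(f"plain-DNS reply from {ip} ({n}x): check forwarding/DoT config")
```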
#3
Sadly no suggestions as to why this occurs in OPNsense. I guess it's up to me to set up an environment, simulate and then change code.
#4
The other item I have noticed is that after the restoration of service my WAN IP address is now in a different subnet. So I'm guessing something with OPNsense and stale or retention of trying to connect to the old address, i.e. OPNsense has died trying to connect to the old address and retained that instead of requesting a new address. Just a guess.
#5
The complete log to where OPNsense seems to have died at 00:52:44 with the configd error. The next entry at 4.08am is me removing the WAN connection to OPNsense to see if a standard PC can get DHCP.

I've no more to go on except to start looking at source code by the looks. Not many replies so I guess I am by myself.


2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: Accept router advertisements on interface igb0
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: Clearing states for stale wan route on igb0
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb0.pid' 'igb0'' returned exit code '15', the output was 'DHCPREQUEST on igb0 to 255.255.255.255 port 67 DHCPACK from 202.63.66.1'
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(igb0)
2022-03-15T00:52:44 Error configctl error in configd communication  Traceback (most recent call last):   File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd     line = sock.recv(65536).decode() socket.timeout: timed out
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: The WAN_DHCP monitor address is empty, skipping.
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: The WAN_DHCP6 monitor address is empty, skipping.
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: xxx.xxx.xxx.215) (interface: WAN[wan]) (real interface: igb0).
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb0'
2022-03-15T00:50:44 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for dynamic wan(igb0)
2022-03-15T00:50:43 Error opnsense /usr/local/etc/rc.linkup: Clearing states for stale wan route on igb0
2022-03-15T00:50:43 Error dhclient connection closed
2022-03-15T00:50:42 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(igb0)
2022-03-15T00:50:42 Error opnsense /usr/local/etc/rc.newwanipv6: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: The WAN_DHCP monitor address is empty, skipping.
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: The WAN_DHCP6 monitor address is empty, skipping.
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: keeping current default gateway 'fe80::d677:98ff:fe87:9081%igb0'
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: setting IPv6 default route to fe80::d677:98ff:fe87:9081
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: IPv6 default gateway set to wan
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: IPv4 default gateway set to wan
2022-03-15T00:50:40 Error opnsense /usr/local/etc/rc.newwanipv6: ROUTING: entering configure using 'wan'
2022-03-15T00:50:39 Error opnsense /usr/local/etc/rc.newwanipv6: On (IP address: 2401:d002:5000:200:1::14) (interface: WAN[wan]) (real interface: igb0).
2022-03-15T00:50:39 Error opnsense /usr/local/etc/rc.newwanipv6: IPv6 renewal is starting on 'igb0'
2022-03-15T00:50:37 Error opnsense /usr/local/etc/rc.linkup: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: Warning! dhcpd_radvd_configure(manual) found no suitable IPv6 address on igb1
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
2022-03-15T00:50:36 Error opnsense /usr/local/etc/rc.linkup: Accept router advertisements on interface igb0
2022-03-15T00:50:31 Error opnsense /usr/local/etc/rc.newwanip: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: The WAN_DHCP monitor address is empty, skipping.
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: The WAN_DHCP6 monitor address is empty, skipping.
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway 'xxx.xxx.xxx.1'
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to xxx.xxx.xxx.1
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: xxx.xxx.xxx.215) (interface: WAN[wan]) (real interface: igb0).
2022-03-15T00:50:30 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb0'
2022-03-15T00:49:09 Error dhclient send_packet: Network is down
2022-03-15T00:49:03 Error dhclient send_packet: Network is down
2022-03-15T00:49:01 Error dhclient send_packet: Network is down
2022-03-15T00:49:00 Error dhclient send_packet: Network is down

#6
Thanks for the reply. No, I do not have IDS/IPS enabled at present while trying to address this.
#7
Just noticed the following in the general log as well. So it appears that there is something wrong with Unbound?


2022-03-15T04:12:41 Error configd.py [8d6eb68d-e7b4-4945-88e2-feeb42f374c1] Script action failed with Command 'pkg rquery "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 3. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 478, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.8/subprocess.py", line 364, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command 'pkg rquery "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 3.
2022-03-15T04:12:21 Error configd.py Timeout (120) executing : firmware remote
2022-03-15T04:10:22 Error configd.py Timeout (120) executing : unbound cache dump
2022-03-15T00:52:46 Error configd.py Timeout (120) executing : unbound cache dump
#8
Hi, first time poster. Recently, due to weather events, my ISP has had a number of outages. After each one the OPNsense WAN IPv4 interface does not attempt to obtain a new address. The only recovery I have tried is a complete reboot, which generally makes the IPv4 WAN interface recover and get an address from the ISP DHCP server. Hoping someone can assist as it's painful to have to manually deal with this each time. I'm no OPNsense expert but I think the relevant part of the logs from last night is below. Service was working until the ISP went off the air. At 4.08 I unplugged the LAN interface to see if my PC could get an address, which it could.

This never used to occur and only started with the last 2 updates.

Any assistance appreciated.


2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: ROUTING: IPv6 default gateway set to wan
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
2022-03-15T04:08:04 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2022-03-15T04:08:04 Error dhcp6c transmit failed: Network is down
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: Accept router advertisements on interface igb0
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: Clearing states for stale wan route on igb0
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb0.pid' 'igb0'' returned exit code '15', the output was 'DHCPREQUEST on igb0 to 255.255.255.255 port 67 DHCPACK from xxx.xxx.xxx.1'
2022-03-15T04:08:04 Notice opnsense plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,Array))
2022-03-15T04:08:04 Notice opnsense plugins_configure dhcp (,inet6,Array)
2022-03-15T04:08:04 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(igb0)
2022-03-15T00:52:44 Error configctl error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2022-03-15T00:50:47 Notice opnsense plugins_configure newwanip (execute task : webgui_configure_do(,wan))
2022-03-15T00:50:47 Notice opnsense plugins_configure newwanip (execute task : vxlan_configure_interface())
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (execute task : unbound_configure_do(,wan))
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (execute task : openssh_configure_do(,wan))
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (execute task : opendns_configure_do())
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (execute task : ntpd_configure_do())
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (execute task : dyndns_configure_do(,wan))
2022-03-15T00:50:45 Notice opnsense plugins_configure newwanip (,wan)
2022-03-15T00:50:45 Notice opnsense plugins_configure vpn (execute task : openvpn_configure_do(,wan))