Messages

Und damit stehe ich nicht allein ;-)

Rischtisch. Ich denke, ungeachtet von Kea vs. DNSmasq ist das Hauptproblem bei DHCPv6 mit dynamischen Adressen in jedem Fall, dass DHCP eben ein Pull-Ansatz ist: Bevor der Client nicht selbst fragt, bekommt er keine neue IPv6-Adresse, auch, wenn er sie aufgrund des geänderten Präfixes bräuchte. Bis zum Ablauf des Lease ist er dann offline.

Deswegen setze ich im IPv6-HOWTO auf SLAAC, wo der neue Präfix gepusht wird, sowie er sich ändert.

That is the whole point here:

1. The best / most secure way to do it is to create a client configuration on the client itself. You need the server ip, port, public key and optionally, the shared secret for that. Then you would have to import the client's public key into the server and use that as the key (not the other way around). If you do that, the peer generator does not help, either way.

2. If you trust OpnSense to create a private key, you can use the peer generator and import the generated secrets - including the private key - into your client. That works best with the QR code, which you can directly scan from the screen if your device supports it. You can also copy & paste the text and transfer it some other way to your client. However, since you probably lack a secure way to do that, it is debatable if you should. If there was a way to download the config directly, many people would not notice what security problem they are about to create just now.

3. Lastly, if you want to use the peer generator regardless - do not complain that you cannot export the client configuration after the fact. Actually, it is a sign of security that the client's private key is not stored on the server. Also, if you need to export the peer config later on, you can always delete that peer configuration and create a new config with a new key instead - it will work just as well and nobody has the old key, anyway - this being the very reason why you need that config again.

You are theoretically correct, alas, it suffices to have "some" sites checking with the same DNS entries that the ads use and making those fail.

And by using a PC blocker, the use can always selectively disable the blocker for sites that do not work and that he needs to work (even with ads) - this granular control is what you miss by using a DNS blocker on your firewall.

On Youtube, not only are no ads showing up on the page - the videos are not interrupted by ads, either.

Man muss bei den Alder Lake-Systemen ein paar Dinge beachten, sind hier unter Punkt 23 beschrieben. Insbesondere die Tuneables im dort verlinkten Post sind wichtig.

Darüber hinaus gibt es oft noch zwei Probleme:

1. Die Fertigungsqualität ist oft nicht die beste, weil die CPU nicht gut am Gehäuse anliegt oder die Wärmeleitpaste schlecht sitzt.
Außerdem wäre ein passiv gekühlter N3xx wohl zu viel des Guten, speziell, wenn noch die Abwärme der 10G-Ports hinzukommt

2. Die Hersteller (auch CWWK) betreiben die Nxxx CPUs meist am oberen Limit Ihrer möglichen TDP, beispielsweise beim N100 statt mit 6W mit 25 Watt, und oft genug kommt man im BIOS an diese Einstellungen nicht ohne weiteres heran.

Habe ich alles schonmal hier erzählt - aber Du hast ja einen mit Lüfter, da wiegt das nicht so schwer.

By using a mechanism that "always" blocks known ad distributing sites, you will automatically trigger blocks on sites that rely on such ads. The only way of having the best of both worlds is to use ad-blocking mechanisms that fake the ads being displayed. Such mechanisms are available for many browsers, think of uBlock Origin.

A prominent example of a site that does not tolerate ad-blocking is Youtube.

On devices where those tools are not available, you can still use DNS-based ad blockers, e.g. by identifying your smartphones and using AdGuard DNS rules only for those devices.

I did not see that one coming, nice one, Cedrik! There goes your next USA trip... ;-)

This is a tutorial topic. For an individual setup, please start a new thread.

Das ist ja wenigstens Traffic, der die OpnSense durchläuft. Kann schon mal passieren, dass Pakete im falschen Zustand ankommen und geblockt werden, z.B. wenn TCP-Verbindungen stale werden.

Yup, as I said, the moment you connect via HTTP/2 to Zoraxy with OpnSense as the backend, it does not work any more.

There must be something that is special on the backend when that happens which OpnSense does not like. However, I have found no way of setting or deleting HTTP headers on the frontend not could I find a setting within Zoraxy to change it. I used many combinations of advanced settings, like deleting headers that pertain to HTTP/2, to no avail.

The only approach I can think of is to dump all request data on the HTTPS backend - but that is not easy, since you cannot easily use tcpdump for that, you will need to have the web server (or Zoraxy as the client) do it. Zoraxy itself is relatively fresh - there is a bug open for this problem and there are no means to log requests, either (that is a feature request).

Das sieht allerdings seltsam aus, weil die beiden IPs mumaßlich im selben Subnetz 10.20.1.0/24 und offenbar auch auf dem selben Interface liegen. Ich nehme außerdem an, dass die Interface-Gruppe local_vlans das vlan20 enthält. Dann ist es allerdings so, dass dieser Traffic die OpnSense nicht passieren dürfte.

Du schriebst allerdings eingangs etwas von /16, das passt ja nicht so ganz.

Only a minor observation, but I could access at least the / URI with curl - IFF I call "curl -vk --http1.1". You cannot try this on any modern browser, since you cannot force HTTP/1.1 any more with TLS/ALPN.

Also, I tried modifying HTTP headers to no avail. There seems to be something way off with the way Zoraxy translates frontend calls to backend.
Other reverse proxies do this just fine, like HAproxy or Caddy.

You do not have to set an upstream DNS server for Unbound at all, because it can resolve on its own.

Try leaving the DNS servers empty in System:Settings:General and uncheck both "DNS server options" on that page.

If both firewalls can ping one another (BTW: on which address? The tunnel IP or their LAN IP?), then it seems obvious that your firewall rules created in step 6 of the official instructions are wrong. You should not have to use NAT on the Wireguard interfaces. Just follow the docs.
 

No, Patrick, just no. That device is not at all transparent, which is a huge difference.

Should I add a new point "About Home Network Guy's and other's youtube videos and why to avoid transparent bridges in general" to the READ ME FIRST article? Up to this point, I avoided changing the order because of the many references, but this one should probably be way up.

Or you go cheap (as I did) and switch to Intel 12th-14th gen. Those LGA1700 boards are still available and many use DDR4. New AM4 boards are unobtanium. And having had the experience of a 400€ board passing out after less than three years, I am not too keen on trying a used/refurbished one.

I never had failing RAM until now, only mainboards. I think it is getting worse with the voltage regulation now on the mainboards instead of the PSU and the obscene power draw of modern CPUs.