Messages

Hate to bump an old thread but just want to clear something up for anyone reading it. Services-Router Advertisement is *not* part of the ISC DHCP suite. Thus there is no *need* to migrate away from that (it is a separate service called radvd and actively maintained.)

So my migration became a lot easier. The steps (essentially) for me are like this https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration and for a TLDR-

dnsmasq settings
- general- configure what you need here (including adding static mappings)
- hosts- export csv (tiny button in UI) from ISC DHCPv4 then import them into this panel
- domains- NA
- DHCP ranges- add all IPv4 ranges here (no need for dhcpv6)
- DHCP options- NA
- DHCP tags- NA

So basically just get your static mappings over, configure your ranges, then enable it (and add the unbound domain config as in the official docs.)

Hope this helps someone. If you still want to use nothing but dnsmasq and move away from radvd then I found this link helpful for understanding the RA modes in dnsmasq- https://rakhesh.com/linux-bsd/brief-note-on-ipv6-flags-and-dnsmasq-modes/

It seems to me (based on looking at the key usage specs) that CAs generated by opnsense are not designed to be used with revocation?

I ask this because I've had an old CA and am standing up a new one and see that my CAs are listed under revocation but are unable to export a CRL. Ones I've imported from a vendor or two are able to but clicking on the export button or anything else for mine does nothing.

Also, unsure but the docs say to click the "+" button to add one but I see no button like that on mine. Changed the theme back to the included stock "opnsense-dark" and still didn't see it.

Woof- I love the new (to me) docs with the tabs but man, I should've looked way closer and have seen that. Thank you.

For me I suppose ra-stateless would be the best for me. Thanks again.

Perhaps I should've read the opnsense config examples a bit more but now it's still a bit odd-

ra-stateless will generate ONLY a slaac address but slaac will receive a dhcpv6 address as well...

Honestly would volunteer to update the docs if I can figure out what option goes with what. I think it would make it a bit easier for people migrating. I just don't know what goes to what yet. :)

I am planning out my migrations from ISC DHCP to dnsmasq as my install shouldn't need all the bells and whistles of Kea.

The question I am running into is what the 1:1 match is for router advertisement modes from the old ISC implementation (Services-Router Advertisements) to dnsmasq (dnsmasq-DHCP Ranges-RA mode). Hoping this also serves as a clarifying post for people who come after me (I searched and didn't find what I needed.

dnsmasq

```
ra-only tells dnsmasq to offer Router Advertisement only on this subnet, and not DHCP.

slaac tells dnsmasq to offer Router Advertisement on this subnet and to set the A bit in the router advertisement, so that the client will use SLAAC addresses. When used with a DHCP range or static DHCP address this results in the client having both a DHCP-assigned and a SLAAC address.

ra-stateless sends router advertisements with the O and A bits set, and provides a stateless DHCP service. The client will use a SLAAC address, and use DHCP for other configuration information.

ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an AAAA record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac.

ra-advrouter enables a mode where router address(es) rather than prefix(es) are included in the advertisements. This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option is also included, as described in RFC-3775 section 7.3.

off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
```

So I am wondering if my translation is right as I am using unmanaged currently on ISC-

(dnsmasq / ISC )
- ra-only = unmanaged (will basically serve DNS servers but clients use SLAAC for addressing)
- slaac = assisted
- ra-stateless = stateless DHCP
- ra-names = NA - seems an additional option you can use with slaac to resolve names for both v4 and v6 addresses on the same network
- ra-advrouter = router only?
- off-link = or this is router only?

I'm mainly interested for my use case in unmanaged. What this did for me in ISC was
- SLAAC addresses
- doled out DNS servers
- doled out a ULA prefix for clients

I didn't need dhcpv6 and it properly allowed clients to use ipv6 DNS which did ad blocking, etc. via unbound. Looking to replicate the same for dnsmasq. Apologies for formatting. I am trying to see about doing it a little cleaner.

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

I did have my main LAN address as the DNS in the wireguard config on the phone. I changed that to the wireguard gateway and it still lets ads through.

I have nothing set for private DNS on the phone itself. I assume the wireguard app itself will direct all DNS to what I tell it.

I will note that I recently upgraded to 23.1.x (and still on that until 23.7 has another patch or two) and it now has the wireguard kernel implementation and no longer the go version. Did that introduce something different? Figured it'd be a seamless transition.

You have Private DNS set to Off or Automatic?  You should be using the os-wireguard plugin and not the go implementation, but that shouldn't be causing this.

What are you seeing in the unbound reporting?  What domains get queried when you start a game?  These are game apps, correct?

Can you have OPNSense grab a packet capture?  I'm wondering if the game is falling back to DoT or DoH after getting failures using the system DNS.  A lot of things will either hardcode additional DNS servers and/or use DoT/DoH.

Thank you both. I didn't have time for the longest time to troubleshoot further but finally got a sec.

Private DNS- *was* set to Automatic (by default I guess). Switched off and on. No change it seems.
Unbound- I do *not* see queries for it in my logs.
IPv6- I have configured this on a separate VLAN and tested- all works well at home. I can safely say ipv6 queries are successfully blocking it too.

But just sitting here, I will explain how I have it set up and how I figured out the issue.

1) Configure wireguard VPN per docs. https://docs.opnsense.org/manual/how-tos/wireguard-client.html
  a. Can configure ipv6 too and use this site to create a UL prefix for it- https://www.unique-local-ipv6.com/

2) *Optional* but I think it's prudent- assign the interfaces for your wireguard connection in opnsense (Step 5 from above guide). You can leave IPv4 set to "None" but I recommend taking one address (that isn't assigned to a wireguard client) and assigning it as a static IPv6 address on the interface. Reason why- unbound will now listen on this interface (if you allow it to listen on this or "All" interfaces) and can set this as a DNS server in your Android/mobile wireguard settings. IPv4 (for me) can be set to just your normal LAN IP of opnsense (assuming you allow traffic to your LAN, which is half of what I intend when setting this up, the other half blocking ads/scams/bs.) IPv6 (for my ISP) sometimes changes the prefix (no static here) so by leveraging a private address (instead of trying to track a randomly set "track" interface from your WAN on your WG or LAN interface) we can set this to always listen. It will thus be available without fail once you connect to the VPN.

3) Firewall-NAT-Port Forward- I set 4 rules here (NOTE the inverted destination with "!" and allow it to create filter rule association on the WG interface itself)
  a. Ipv4 tcp/udp to ! LAN_IP (for unbound) on DNS (53) and redirect to LAN IP on DNS (port 53)
  b. Ipv4 tcp/udp to ! LAN_IP (for unbound) on DoT (853) and redirect to LAN IP on DNS (port 53)
  c. Ipv6 tcp/udp to ! <our private IPv6 address set in step 2> on DNS (53) and redirect to <our private IPv6 address set in step 2> on DNS (port 53)
  d. Ipv6 tcp/udp to ! <our private IPv6 address set in step 2> on DoT (853) and redirect to <our private IPv6 address set in step 2> on DNS (port 53)
  e. I cannot guarantee this is absolutely necessary but...we're here so why not. Might help with apps that hardcode to google DNS, etc.

4) Firewall-WG interface - set up an IPv4/v6 pass * rule BELOW the automatically created rules (pass all traffic- if desired. Customize however you like)

5) Can leave Private DNS to Automatic (seems to work fine now that I've figured it out.)

Now...the actual crux of the issue that I had not even thought of is that the faulty app (among others) exist in my work profile. I run CalyxOS so all my "trusted" apps are basically FOSS and reside in the normal profile. All the google BS and stuff I like to freeze (with Shelter) or that I don't care to get any other data by whatever means they might go in the work profile.

Google, for good or bad reasons, doesn't want work profile traffic going over a VPN initiated in the main profile. That is why I was not seeing the queries.

This portion can be solved in one of two ways:
1) Install the offending app in the main profile.
2) Clone/install the VPN app (wireguard) into the work profile. Activate it from there, etc.

So once again, THANK YOU guys for helping me get this. Figuring out that ipv6 worked over wifi at home (for ad blocking) and all that helped me to really hone in on Android and then it just clicked when I thought of it being in the work profile.

Hopefully this helps someone in the future.

Edit- we don't listen on 853 with unbound (no infra set up for that- at least on my config) so I changed the 853 redirect to go to 53.

I set my DNS in the WG config as well.  I don't bother with having a redirect rule.

What do you have set for Private DNS on the phone?

I did have my main LAN address as the DNS in the wireguard config on the phone. I changed that to the wireguard gateway and it still lets ads through.

I have nothing set for private DNS on the phone itself. I assume the wireguard app itself will direct all DNS to what I tell it.

I will note that I recently upgraded to 23.1.x (and still on that until 23.7 has another patch or two) and it now has the wireguard kernel implementation and no longer the go version. Did that introduce something different? Figured it'd be a seamless transition.

I've reasoned about this a bit and can't get it.

I used the road warrior setup for wireguard. The idea being that I could use mainly mobile phones to connect back home and get all the benefits of ad blocking, LAN access, etc.

While at home, I can confirm that adblocking and such works just fine though I will note that I run only IPv4 on my main wifi VLAN. That DHCP server offers up my main LAN IP as the sole DNS provider.

For wireguard, I followed the guide all the way through 5 (so I have a WG interface.) I can see the rule automatically added in NAT outbound.

• 
  Firewall rules for the WG interface
  block ipv6
  (linked NAT port forward ---> IPv4 tcp/udp * * dst ! LAN_ADDRESS on 53 )
  IPv4 tcp/udp * * 127.0.0.3 53

That loopback is a new interface that I created and unbound listens on.

Now...in my wireguard configs I set my main LAN_ADDRESS as the sole dns server. DNS is NOT set on wireguard local (server) portion and disable routes is unchecked.

I can use termux and do nslookup on known domains that are redirected to 0.0.0.0.

nslookup 2no.co 8.8.8.8

Returns 0.0.0.0 and I can see in the unbound logs that it answers that itself. I can't seem to understand just how ads are getting in then.

If I open a game I can see via PCAPdroid that it's looking for certain domains and some are blocked, some aren't. It can be the same domain and one attempt is "error" and one is succeeded. Usually takes 15 seconds for the first ad to get through but then it's constant.

I feel like I'm missing something but can't see what. Anyone else have this going without issue?

Edit- apologies if it's a little scattered. I can provide any more info on request. Just not sure where to look at this moment.

I believe you would have to update your AdGuard Home yaml file itself on the host to mimic the same behavior in it as Unbound.

Few questions to help guide it along..

1) Are they on the same subnet as your linux PCs? Ie. do the same firewall rules apply to your linux PCs as your Android phone and TV?

2) Did you install with zfs? Maybe try using bectl to make a snapshot then upgrade again to 22.7 series and see if it works?

3) Have you done the log live view with maybe a few filters such as interface=$LAN (or whichever), IP=$sonyIP, etc.? Do you use netflow to gauge traffic to individual clients? That could help too.

I can't confirm as I didn't much use it before with my old system (on 21.x) but I'm using 22.1.2_1 with ZFS and see the same error when trying to authenticate. I couldn't authenticate over openvpn so I went back to basics, made sure freeradius is set and configured and used System-Access-Tester and still get this same error.

For you 22.1.3 should do it, I dont use zfs, No idea whats wrong over there

Well, I've been doing a little swapping between my backup firewall and my normal one and the one on 22.1.4_1 is now working just fine authenticating via freeradius. No config changed between it all so must have just been a bug on that version or something.
Thanks!

I can't confirm as I didn't much use it before with my old system (on 21.x) but I'm using 22.1.2_1 with ZFS and see the same error when trying to authenticate. I couldn't authenticate over openvpn so I went back to basics, made sure freeradius is set and configured and used System-Access-Tester and still get this same error.

What is set for ipv6 in Server 2019?

Also, your "fe80:xxxxx" addresses are the private ones. And if you wanted ipv6 disabled entirely, you can do so under Firewall-Settings-Advanced if you don't plan on using it (and prefer not to for whatever reason.)

Trying to configure GeoIP and am unsure what I am doing wrong.

I'm trying to make my firewall aliases smaller by selecting the countries I want to allow then just inverting them.
So I've selected maybe 15 countries and made a GeoIPv4 alias (only IPv4 entries).

I then go to make a rule on my LAN with
- reject
- ipv4
- in
- destination ! GeoIPv4

This does not work. It seems to just block any and all traffic on the LAN. I've upped the max firewall entries from 400k to 800k, recreated the alias etc. and nothing seems to work. My only real thought is I either need to make it out direction OR make a newer alias including GeoIPv4 and LAN in one (so I can hit my dns, etc.)

I hope this is a right place to post.
I have PIA VPN and trying to get it to work via OpenVPN.
What I basically want: route none but specific machines through PIA.

I've read most of this thread, and in the essence, I can either:
- have a full tunnel and everything going through the VPN or
- nothing

I tried various combinations with the boxes set in the Client-Connection (Don't pull routes and Don't add/remove routes), first, second or both checked.
NAT is configured manually, I have created both NAT for the LAN net and localhost net.
I created a rule saying IPv4* LAN net over PIA_VPN gateway.

Yet, I get the ISP-IP when querying the IP over internet.

And the same thing happens when I try doing it the other way: everything over VPN, except client x. In that case, the client remains in the VPN, although the rule is in place.

Where do I start troubleshooting?

Small edit:
I found out that if I use a "Don't pull routes" configuration, and both NAT and rules as needed, I can't browse... but I figured I can ping.  Apparently resolution isn't working... so, how do I get DNS to work?

From the log:
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,peer-id 2,cipher AES-128-GCM'

This will be basic and quick but I believe I got it.

1) Configure your aliases- just whatever you want to put behind a vpn.
2) Configure your client- this varies between VPN providers but the stickler is leaving don't pull routes unchecked but do check "Don't add/remove routes".
3) Add the interface- don't change defaults- just add it.
4) NAT outbound- make it hybrid and then add a rule

• VPN interface
• Source- your VPN alias for what is behind it
• NAT Address- VPN interface (I did not leave this as Interface Address)

5) Firewall rule on LAN that is pass, IPv4, direction in, vpn alias as source, sent out the VPN gateway, then expand advanced and set local tag NO_WAN_EGRESS or other. This rule needs to be above your default LAN pass rule.
6) I like this one just in case- firewall rule on LAN above #5- reject, ipv4 tcp/udp, source is your vpn alias, dest is LAN address, port 53 (or select DNS). This will block VPN clients from your internal DNS just in case.
7) Firewall rule on floating- Reject, IPv4, direction out, source and dest are any, gateway is your normal WAN gateway. Expand advanced and on Match tag put NO_WAN_EGRESS (or whatever common thing you want- we are just matching the tags for policy routing.)


Going off memory but I believe that is it. You can test for dns leaks while it's up with whatever client you want that is in your alias list. Should ping, have DNS, etc. If you are assigning clients into a certain subnet (which I do), you can set them statically in your VPN alias range AND set their DNS options there like using OpenDNS or other. Or set them on the client itself- whichever works.

I tested for leaks and found it worked. Then I set a constant ping and confirmed it was going out properly. From there I disabled the VPN tunnel and having 2 windows on the GUI I could see that the firewall blocked it as it was catching the NO_WAN_EGRESS floating rule. Enabled the client, ping did not start going through because I think the state was kept. In any case, restarted the ping fine and then did another dns leak test and it was confirmed good.