Messages

[25.7.7_4]

Hi there,

I have a strange issue regarding a device that gets an IP, but has no reservation set for it. First things first, I'm on opnSense 25.7.7_4. The device is a soundbar, that is connected via cable and once had 10.0.40.4 as IP reservation. Several months ago, I decided that this device doesn't need to be online anymore, so I removed it's reservation in KEA.

A couple days ago I found out that 10.0.40.4 is (still) ping-able, even though it has no IP reservation in KEA. When I disable the switch-port (where the soundbar is connected to), I can't ping that IP.

My (IoT) VLAN is defined as 10.0.40.0/24, with just a single IP (10.0.40.199/32) as pool.

In my understanding - if I haven't set up an IP reservation for a certain device (based on its MAC), this device shouldn't be able to obtain an IP and access subnets. Am I wrong or is this actually an issue?

[hier meine erste Frage: an was kann das liegen, respektive wie kann man das optimieren?]

Hallo opnsense-Community,

ich hätte ein paar Fragen betreffend AGH, zunächst jedoch mein Setup.

• OPNsense 25.1.3-amd64
• AGH v0.107.57

Ich habe bis dato mit unbound (inkl.) Blocklists gearbeitet, nun aber gesehen dass AGH doch sehr gute Werkzeuge mit an Bord hat um zu "switchen". Allen voran die Client-basierten Möglichkeiten klingen spannend.

AGH läuft aktuell (als primary DNS) und nutzt unbound als Resolver, ich habe hier jedoch relativ hohe Antwortzeiten (~200-250ms).
Direkt über unbound läuft das performanter, direkt über AGH ebenso (bei identen Blocklists) -> hier meine erste Frage: an was kann das liegen, respektive wie kann man das optimieren?
(siehe auch ein ähnliches Problem hier: https://forum.opnsense.org/index.php?topic=44439.msg221745#msg221745)

Meine zweite Frage betrifft die definierten upstream-Server, in diesem Falle direkt über AGH.

Trage ich hier bspw. (basierend auf https://adguard-dns.io/kb/de/general/dns-providers/)

• tls://security.cloudflare-dns.com
• tls://dns.quad9.net

ein, bekomme ich eine Fehlermeldung: "Server ,,tls://security.cloudflare-dns.com:853": konnte nicht verwendet werden, bitte überprüfen Sie die korrekte Schreibweise".

Trage ich tls://dns.adguard-dns.com ein, funktioniert alles fehlerfrei - und das bringt mich zu meiner zweite Frage: an was kann das liegen?

Ich habe absolut nichts an den Bootstrap-DNS-Server geändert, der Adguard-DNS funktioniert ja - nur der Rest eben nicht.

Danke euch für eure Zeit und schönen Tag!

Aktuelle CFG (Ausschnitt):

Code Select Expand

http:
  pprof:
    port: 6060
    enabled: false
  address: <OPNSENSE_IP>:3000
  session_ttl: 720h
users:
  - name: <AGH_USER>
    password: <AGH_PASSWORD>
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - <OPNSENSE_IP>
    - <VLAN_A>
    - <VLAN_B>
    - <VLAN_C>
    - <VLAN_D>
    - <VLAN_E>
    - <VLAN_F>
    - 127.0.0.1
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/*.<LOCALDOMAIN>/]127.0.0.1:<UNBOUND_PORT>'
    - 127.0.0.1:<UNBOUND_PORT>
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 2s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:<UNBOUND_PORT>
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
    name: HaGeZi's Pro Blocklist
    id: 1742110114
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1742110115
whitelist_filters: []
user_rules:
  - <REDACTED>
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites:
    - domain: <CLIENT>.<LOCALDOMAIN>
      answer: <ANSWER>
  safe_fs_patterns:
    - /usr/local/AdGuardHome/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29



[.localhub]

Hi, just wanted to know if someone could tell me what I need to if wanted to route all internal DNS-requests (xyz.localhub) to unbound (overrides) and the rest to Proton's DNS server (10.2.0.1)? Thank you!

 I've got a setup with two working WG ProtonVPN-tunnels, but I am facing DNS leaks. This is due to the fact that I need unbound to resolve my local domain (.localhub), obv. because Proton's DNS server can't do that. For external requests, I'm using DNS over TLS towards Cloudflares' DNS servers.

As of now, I'm working with overrides, so e.g. "test.localhub" would have an A-entry with value 10.0.0.99.

I have two question in that regard;

1) Can someone please tell me why clients in my network, that use this WG tunnel have issues browsing e.g. with Reddit? (as an example: if not logged in, I can't access Reddit due to "security issues" -> Reddit tells me I need to login to do anything. In contrast, when I start the native ProtonVPN client on my PC and connect to to the same ProtonVPN server, it's working fine without any issues)

2) What do I need to do, so that opnSense can distinguish between a local DNS request (basically *.localhub) and an outbound DNS request? (assuming this would prevent DNS leaks and prevent occasional "browsing issues" like mentioned with Reddit)

Thanks for your time, have a great day!

i've came up with pings initially, following https://forum.opnsense.org/index.php?topic=38485.0. but, tbh, i thought there should be a more "straight-forward" approach as the tunnel status information is already available in a system widget (as mention below; online/offline).

so that's why i was asking how to get this (.. already available) tunnel status information into monit to tell it "if tunnel wg1 status changes from online to offline -> restart wg1".

thanks for your answer, i've set it up like described in the link below.

Hi there,

can someone please tell me how to get the WG tunnel status information (online/offline as shown in the dashboard widget) into monit for further action?

Background: I want monit, if a tunnel goes from online to offline, to restart that tunnel. Monit is already set up, the defined (execute) are tested and should work.

OK, i understood it that way that all hosts of a certain internal domain (.zzz) are forwarded to a specific dns server. Thanks for clarification.

[What I don't understand:]

Hi mate, of course I can live with CloudFlare as I've set them for DoT - just wanted to understand what's happening. In that matter, many thanks for your time and reply.

I got it working for my Guest VLAN (where I can run such tests w/o any interruption). In fact..

1) I provide a specific domain for all clients in that Guest VLAN (zzzguest)
2) I configured unbound to forward requests of that domain (zzzguest) towards the tunnel DNS IP of ProtonVPN

What I don't understand: in unbound, via DOT, I've two entries for CloudFlare (1.0.0.2 and 1.1.1.2). Currently, the domain is empty (what equals "fetch all domains"). If I set this to my standard domain (zzz), I can't resolve anything. Even after multiple dns-flushes.

Hi there,

I need some help regarding the following; I have set up a WG ProtonVPN tunnel, that works fine. So basically I followed the official docs, with one difference -> I'm not routing particular clients over the tunnel, but a whole VLAN.

Now, while browsing https://ip.me/ it shows the correct IP, but https://dnsleaktest.com/ tells me that DNS requests are answered by Cloudflare, not ProtonVPN.

opnSense's DNS is unbound, which is actually configured to use Cloudflares' 1.1.1.1 and 1.1.1.2, but unbound is not(!) listening on the affected VLAN.

KEA is serving as DHCP and offers 10.2.0.1 (ProtonVPNs' tunnel DNS) and 1.1.1.1 (because if I remove the latter, resolving doesn't work at all). I'm aware that DNS offerings are not sequential, but random.

What's even more curious is, that in the live view I can see DNS requests being made towards 10.2.0.1.

Can you point me into a direction where I could search for issues?

Thanks in advance!

Hi there,

could someone please point me in the right direction? Here's what I've got (works fine!);

• WAN -> standard gateway
• WG1 -> wireguard gateway for specific VLANs
• WG1 -> wireguard gateway 2 for specific VLANs

What do I need to do that if either one WG1/WG2 fails it connects to the other and if both fail the standard WAN gateway should be used?

Thanks in advance!

Hi there,

I'm Sorry for my late reply, didn't catch your answer (somehow I wasn't notified via eMail). Just wanted to say I've got it working - just followed the guide all over again and now it works :).

It seems it had to do with the rule in the affected VLAN that causes the clients to be routed to the WG interface/gateway.

[Now to my issue]

Dear all,

could you please help me with the following; I'm a Proton(VPN) user and set up a Wireguard VPN connection following https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html, respectively https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (as step 6 and ongoing).

Sidenote; the only difference would be that I've set up the according rules as floating, as the clients which shall use the tunnel reside in different VLANs.

The WG instance is "up", the corresponding peer has a recent handshake entry.
The gateway is "online" with 0.0 loss.

Now to my issue -> as soon as I enter my mobile phone for testing to the alias (clients which shall use the tunnel), I can't reach any non-internal hosts anymore (browsing the web, Firefox shows a black screen and an error message "this website requires a secure connection" / HSTS).

In the FW logs, I can see that the rules that I've added during the setup trigger pass, so no blocks for the test client.

I've ran that setup now three times, but always with the same negative result.

To test the ProtonVPN-conf itself I loaded it directly into my Fritzbox for testing purposes, that's working like a charm (so basically all traffic is now on the tunnel, I could also live with that :) ).

To summarize;

• the underlying ProtonVPN is working fine -> tested on Fritzbox
• the WG instance/peer combination is working fine -> instance is "up", peer has a recent handshake
• the gateway is online, 0.0 loss

Many thanks in advance for your time in advance!

[hope that helps!]

hi mate,
thanks for sharing your insights and the links to the other reports.

good news; i got it working again.

as for the acme-client:

• reset acme-client
• remove acme-client
• re-install acme-client

as for NAT:

• i changed the port forward (had a custom port) and adopted according to https://letsencrypt.org/docs/challenge-types/#http-01-challenge

as for haproxy:

• i changed the listening port for http-challenges

that's basically it. afterwards i've re-created the settings in the acme-client and force-refreshed my cert. it was provided immediately w/o any errors.

hope that helps!

[syslog]

hi there,
i'm running on OPNsense 24.1.1. nextcloud behind haproxy/acme working fine since ages, so i never paid attention for the automatic cert-renewals as this was a working process. today my client told me that the cert was outdated, so i had a look into the acme/LE certs and yes, it's past its renewal date. i'm using http-01 challenge.

my question to you; were there any changes to haproxy/acme since december 2023 (i'm not aware of any that would require a change in settings)?

what happens when i force-renew a certain certificate..

syslog

Code Select Expand

AcmeClient: validation for certificate failed: <REDACTED>

acme log

Code Select Expand

[Thu Feb 8 15:28:32 CET 2024] Invalid status, <REDACTED>:Verify error detail:<REDACTED>: Fetching https://<REDACTED>/.well-known/acme-challenge/<REDACTED>: Error getting validation data

/var/log/acme.sh.log doesn't show anything additional.

oc i've also tried to run w/o haproxy.

many thanks for your time!

hi there, thanks for confirmation (regarding the grouping of ovpn IFs).

got it working after installing 24.1.1 (i doubt that's the reason, because looking into https://forum.opnsense.org/index.php?topic=38644.0 the only ovpn-relevant change has nothing to do with my reported issue).

tbh, didn't change my "approach"; deactivate old "server" -> set up new "instance" -> export profile -> activate "instance" -> connection / accessibility checks.

again, thanks for your time, cs1!