Messages - Giant850

#1
Zenarmor (Sensei) / Elastic search won't start on 22.1
January 27, 2022, 08:14:14 PM
Just upgraded to OPNsense 22.1, then upgraded Zenarmor. Now Elasticsearch won't start. Packet engine and cloud agent are running. Ideas?
#2
General Discussion / Re: Blocking DNS over HTTP
December 17, 2021, 06:02:46 PM
Thanks for the tip! Is this port forward rule what you had in mind? My OPNsense IP is 10.13.2.1 and it's forwarding to NextDNS for filtering.
#3
Zenarmor (Sensei) / Zenarmor no longer blocking?
November 20, 2021, 07:49:44 PM
I've been using Sensei/Zenarmor for months, and whenever I went to the Blocks report or Blocks real time view it always had data to show me. However, I hadn't checked blocks in a while so I went in today and the entire blocks dashboard is empty and the live blocks session view has no entries. I find that hard to believe, as I have a number of security policies enabled.

All services appear to be running so I can't see an obvious reason why Zenarmor is not blocking anything. Ideas?
#4
I have a similar setup, with a layer-3 Mikrotik router on the LAN side of my home network. In order to get those subnets internet access I:

-Created a Firewall alias for the lab network
-Added an outbound NAT rule for the lab network alias to allow WAN access

After I did that, the lab network VMs could route to and from the internet.

#5
I opened a support ticket with Protectli, and they came back with a solution. I now get the 'ssh' console menu via the built-in serial port. However, I still get the "validate_packet got 22" constantly on that screen. The proper console config screenshot is attached to this message.
#6
General Discussion / Re: NextDNS
April 27, 2021, 07:36:54 PM
Here's a blog on setting up OPNsense + NextDNS: https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html

That bypasses Unbound, so DNS queries go directly from client -> OPNsense gateway -> NextDNS. This allows NextDNS to show client/device info, if that's something you are interested in.
#7
Have you considered NextDNS? I used to run Pi-Hole + Wireguard, but recently dumped Pi-Hole. NextDNS is very much like Pi-Hole in terms of block lists, but I think is a better solution. I haven't used AdGuard home before, so I can't compare NextDNS to that. But I'm exceptionally happy with NextDNS + OPNsense. I followed this guide:

https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html
#8
I installed OPNsense on my Protectli FW6D, which has a built-in serial console port. However, I thought I could get the OPNsense console menu over said console port, but I'm not having any luck. All I get when connected to the console port at 115200 is "validate_packet got 22" over and over.

I've fiddled with the Settings/Administration/Console settings to no avail. Is what I'm trying to do possible? Basically get the same OPNsense menu over the serial port as you get when you SSH in.

I should add when I reboot OPNsense that over the console port I do see all the boot messages. But can't access the 'ssh' OPNsense menu.
#9
Since I was using DNSCrypt to forward queries to NextDNS, I fixed this problem via a config change. I directly installed NextDNS CLI on OPNsense and have it listening on port 53. Clients then point to OPNsense for DNS, and all queries are directed to NextDNS, bypassing the need for DNSCrypt.
#10
For a step-by-step walk-through of the configuration, there's this blog post:

https://www.derekseaman.com/2021/04/how-to-nextdns-opnsense-firewall.html
#11
Thanks for the reply, much appreciated! So I found a solution to my problem. I had to disable route mode on the NextDNS client:

setup-router false

Then I configured NextDNS to listen on my LAN IP and loopback:

listen 10.13.2.1:53
listen localhost:53

Restarted the NextDNS service, and now WireGuard clients can resolve via NextDNS.
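An added diagnostic for the problem in posts #11 and #12, written for this page and not taken from the thread or from the NextDNS CLI project: a port scan from a client showing 53 "open" does not tell you which local address the resolver is bound to, or whether it is UDP (which DNS clients use) rather than TCP. On FreeBSD, which OPNsense runs, `sockstat -4l` shows the protocol and the bound address per socket. The script below parses that listing and reports whether the LAN IP from the posts (10.13.2.1) and loopback each have a UDP/53 listener. The two `sockstat` listings embedded here are constructed samples standing in for the "before" and "after" state described in post #11; the PIDs and layout are assumptions, not output captured from the poster's firewall.

```shell
#!/bin/sh
# Constructed sample output in `sockstat -4l` column order:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS (PIDs are made up)
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nextdns    1234  7  udp4   127.0.0.1:53          *:*
root     sshd       900   4  tcp4   *:22                  *:*'

SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nextdns    1234  7  udp4   10.13.2.1:53          *:*
root     nextdns    1234  8  udp4   127.0.0.1:53          *:*
root     sshd       900   4  tcp4   *:22                  *:*'

# dns_listeners LISTING: print each local address (port stripped) that has a
# udp4 socket bound on port 53. TCP-only listeners are deliberately ignored,
# since a client-side port scan usually tests TCP while resolvers send UDP.
dns_listeners() {
    printf '%s\n' "$1" | awk '$5 == "udp4" && $6 ~ /:53$/ { sub(/:53$/, "", $6); print $6 }'
}

# dns_bound_to ADDR LISTING: succeed if ADDR, or the wildcard "*", is bound on udp/53.
# -F so the dots in the address are matched literally, -x for whole-line match.
dns_bound_to() {
    addr=$1
    listing=$2
    dns_listeners "$listing" | grep -qxF -e "$addr" -e '*'
}

# check_resolver LAN_IP LISTING: one "ADDR OK" / "ADDR MISSING" line per address a
# client could point at: the LAN IP (used by DHCP and WireGuard clients) and loopback
# (used by the firewall itself).
check_resolver() {
    lan_ip=$1
    listing=$2
    for a in "$lan_ip" 127.0.0.1; do
        if dns_bound_to "$a" "$listing"; then
            echo "$a OK"
        else
            echo "$a MISSING"
        fi
    done
}

# Stand-alone run: compare the two states. On a live box replace the sample with
# "$(sockstat -4l)".
echo "before:"; check_resolver 10.13.2.1 "$SAMPLE_BEFORE"
echo "after:";  check_resolver 10.13.2.1 "$SAMPLE_AFTER"
```

If the LAN IP shows MISSING while the port scan says 53 is open, the open port is either a TCP-only socket or something other than the resolver answering on that address, which matches the symptom in post #12 rather than a routing problem on the WireGuard side.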
#12
I'm in a bit of a pickle, trying to get WireGuard (kernel module) on OPNsense working + NextDNS CLI playing well together. As far as I can tell, WireGuard itself is working perfectly as I can ping LAN/WAN/Internet addresses all day long without issue.

Problem: If I point my WireGuard clients to the OPNsense LAN IP (10.13.2.1) for DNS (in the WireGuard client), they are unable to resolve DNS queries. I have NextDNS CLI running on OPNsense, and my DHCP clients use 10.13.2.1 as the DNS resolver without issue.

I have a legacy Raspberry Pi running Pi-hole, and if I point the WireGuard client to that IP (10.13.2.200), then DNS resolution works just fine.

From the WG client I can ping 10.13.2.1, no problem. I also ran a port scan from my WG client (iPhone) and the port scan shows port 53 listening on 10.13.2.1. But DNS resolution from the WG network when pointed to the OPNsense LAN IP just won't work and I can't figure out why.

Any ideas?
#13
Any ideas here? I'm kind of at a loss on what's going on with DNSCrypt.
#14
Yes that did the trick, thanks!
#15
I found the solution here:
https://forum.opnsense.org/index.php?topic=16994.0

Basically I had to go into Firewall:Settings:Advanced and check the box:
Bypass firewall rules for traffic on the same interface

Then I rebooted the firewall, and now RDP sessions are stable.