Messages - tessus

#1
Quote from: franco on September 02, 2025, 12:06:10 PM
locked away in users custom configuration

What does this mean exactly? I can still set them via creating a config file on the opnsense box? If so, how? I couldn't find any documentation on that.

Quote from: franco on September 02, 2025, 12:06:10 PM
some are deprecated or irrelevant in modern deployments

I think it is important to differentiate between client and server. If I create a server I am in control. All is good. But if I need to create a connection to an OpenVPN server, I have to follow their setup and connection properties. I don't have a choice but to set them or the connection will not succeed. (e.g. I only use the client setup, since I need parts of my network to use the VPN gateway.)

Quote from: franco on September 02, 2025, 12:06:10 PM
some don't make a difference on BSD.

Once again, I believe this is more geared towards the server component. But either way, is there a list of options that are irrelevant on BSD? Also what does that mean for connections (opnsense as a client)? If the VPN provider requires option X, but option X is irrelevant on BSD, what then?
#2
Quote from: p0s1tr0n on September 01, 2025, 03:36:39 AM
Hopefully the plugin fixes it for both of us :)

Well, I tried to use the new page to create an OpenVPN connection and it worked. I am just a bit concerned that I can't set certain options in the new interface. Will those missing options have a performance or security impact? I don't really know.

Thus I hope that the new interface will allow these options to be set in the future or that the documentation explains why they are not necessary anymore. The OpenVPN documentation does not state that these options are deprecated or why they are irrelevant all of a sudden.
#3
Thank you. I have also read up on that topic, but there are a few drawbacks. I would have to activate a community repo to install the AdGuard plugin. Then there is the fact that local queries are also forwarded to Unbound, so it is the same flow as my current architecture. The only difference being both services running on the same machine. As mentioned in my first post, I would rather use local address resolution first and then use pihole/adguard/whatever as upstream. But this is apparently only possible if one accepts that conditional blocking won't work upstream, since all requests will come from the same IP.
Additionally, the configuration of AdGuard is not done via the OPNsense UI, so I also have to use a separate UI for it, as it is with pihole.

I do not see any advantage moving to this architecture over sticking with my current setup (other than having the services on a single box). In fact, using NAT to redirect all DNS requests of clients that try to use another DNS to my pihole is easier, because I only have to create one rule instead of one for each VLAN or DHCP interface.

I've also learned of the possibility to add blocklists to Unbound, but then there is no way to whitelist domains for specific clients. Otherwise I could have dropped pihole/Adguard altogether and just used Unbound.

Maybe this is off-topic, but I think it's related or at least touches DNS: While reading the documentation I've noticed a few confusing and in my opinion wrong statements. There is an important message box that states the following: Domain overrides has been superseded by Query Forwarding.
Hmmm, what? I use domain overrides to add custom DNS records and aliases. This cannot be done via query forwarding. With that the above statement is false. You cannot supersede something, if the new thing does something completely different. This makes no sense.
#4
Interesting proposal. I have never used AdGuard Home and have to do some research about how to transfer my pihole setup (the client groups). Creating them manually in AdGuard Home might be quite taxing (but is something I would still consider).
My pihole (which is actually a keepalived cluster) would still be running either way, because I am using those 2 Pis also for an active-active LDAP cluster. Thus I wouldn't be saving any electricity, but the architecture would be less complex, which is always a plus.

However, I am not quite sure how AdGuard ties into the OPNsense upstream. If OPNsense forwards to AdGuard, it's the same issue as with pihole (client IPs are masked). If AdGuard forwards internal requests to OPNsense's DNS, it's also the same as conditional forwarding on pihole. I have to read up on it. Currently I have no idea how this works.

Thanks again for the idea. I will certainly check it out.
#5
I am currently using a pihole that my clients use directly (DNS assigned via DHCP or set statically). To get the internal DNS names (ISC DHCP and Unbound), I've set up conditional forwarding on my pihole. This works nicely, but in certain situations a loop might occur, although I was able to configure it in a way that this almost never happens.

I really would like to change the setup (to mitigate possible DNS loops and simplify the architecture) in such a way that all my clients use OPNsense's DNS and my pihole is then used as the upstream server (System -> Settings -> General).

However, this makes all requests appear to be coming from OPNsense's IP address(es). This is a serious problem, because pihole's group and client group management no longer works. (For people who are not familiar with pihole: this basically means that I cannot create rules (blocking/allowing DNS requests) based on clients. e.g. I have blocked FB and other social media, but I allow it for my friend's laptop and cellphone.)

I am just wondering how people are using pihole in their home environment with OPNsense? Is there maybe a hidden flag, so that client IPs are forwarded (similar to forwarding real IPs in reverse-proxy setups)?
#6
Patrick, thanks again for your help.

Just for anyone who stumbled across this topic: My 200MB EFI partition had a 779K filesystem on it. The reason could be from previous methods of requisition from FreeBSD or OPNsense of said partition (e.g. via dd or other methods). I made the mistake of confusing this fact with the legacy partition that had a similar size. As mentioned before, I am not a FreeBSD person, thus my experience with it is very limited. Patrick is clearly the person to ask, and in case my comments came across as rude or hostile I want to sincerely apologize. This was never my intention and I know very well that reading comments is perceived differently from listening to a face-to-face conversation.

I can't stress enough how impressed I am by OPNsense and its community. Thank you for all the help I have received so far.
#7
Ha, ok. This is interesting. I thought that I mounted the 2nd partition for some reason, since the size was very close to the 512K. And who knows what weird byte calculations OSes do these days. e.g. I grew up with base-2 sizes and not using the "i" size notation. These days, it's a mess, especially because often the wrong units are used. Very annoying and confusing.
#8
The only other explanation is that my 200MB EFI partition has a 779K msdos filesystem on it, which makes no sense. Once again, here is my gpart output:

gpart show
=>       40  234441568  ada0  GPT  (112G)
         40     409600     1  efi  (200M)
     409640       1024     2  freebsd-boot  (512K)
     410664  215567272     3  freebsd-ufs  (103G)
  215977936   16777216     4  freebsd-swap  (8.0G)
  232755152    1686456        - free -  (823M)
#9
Patrick, you told me to add the following to my fstab:

/dev/ada0p1    /boot/efi       msdosfs     rw,noauto             2       2

I did that and when I mounted it, df showed me the following:

Filesystem                   Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              100G     15G     77G    16%    /
devfs                        1.0K      0B    1.0K     0%    /dev
devfs                        1.0K      0B    1.0K     0%    /var/dhcpd/dev
devfs                        1.0K      0B    1.0K     0%    /var/unbound/dev
/usr/local/lib/python3.11    100G     15G     77G    16%    /var/unbound/usr/local/lib/python3.11
/lib                         100G     15G     77G    16%    /var/unbound/lib
/dev/ada0p1                  779K    644K    135K    83%    /boot/efi

So something is wrong with your last comment, because I mounted the legacy bootloader with the commands you gave me.
#10
Thanks for the info.

Please ignore the next paragraph. (Keeping it for some laughs.) I must have been out of my mind...
The bootloader is not in the EFI partition but in the bootfs partition. When I installed OPNsense in 2021, the bootloader was less than 300KB and now it's 658432 bytes. I am a bit fuzzy as to why it says 512KB for my bootfs partition, because when I mount it, it's actually 779K. So I am really lucky, because otherwise the 658432 bytes wouldn't have fit. But according to most manuals, one should actually copy the loader twice and this will definitely not work with the current 512KB bootfs partition. So in a few years the bootloader is bigger than the partition and then it's over.
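The sector arithmetic behind the partition sizes in the gpart listing (post #8) and the loader and filesystem sizes discussed in the posts since then, as an added worked example that is not from the thread, from OPNsense or from FreeBSD: it parses a `gpart show` listing, converts sector counts to bytes, and checks which partition a loader of a given size, or a filesystem of a reported size, can actually fit into. The sample listing is the one quoted above; 512-byte sectors and all function names are assumptions made for this example.

```python
import re

# Constructed sample input: the `gpart show` listing quoted in the posts above.
# gpart prints sector counts; this example assumes 512-byte sectors, which is
# consistent with the (200M)/(512K) labels gpart prints beside the counts.
GPART_SHOW = """\
=>       40  234441568  ada0  GPT  (112G)
         40     409600     1  efi  (200M)
     409640       1024     2  freebsd-boot  (512K)
     410664  215567272     3  freebsd-ufs  (103G)
  215977936   16777216     4  freebsd-swap  (8.0G)
  232755152    1686456        - free -  (823M)
"""

SECTOR_BYTES = 512  # assumption, see above

# One numbered partition line: start, size, index, type, gpart's human label.
_PART_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_gpart_show(text, sector_bytes=SECTOR_BYTES):
    """Return {index: {...}} for the numbered partitions in a `gpart show` listing.

    The table header ("=> ... GPT") and "- free -" lines carry no numeric
    partition index and are skipped.
    """
    parts = {}
    for line in text.splitlines():
        m = _PART_RE.match(line)
        if not m:
            continue
        start, size, index, ptype, label = m.groups()
        parts[int(index)] = {
            "start": int(start),
            "size_sectors": int(size),
            "size_bytes": int(size) * sector_bytes,
            "type": ptype,
            "label": label,
        }
    return parts


def find_by_type(parts, ptype):
    """Index of the first partition with the given gpart type, or None."""
    for index, p in sorted(parts.items()):
        if p["type"] == ptype:
            return index
    return None


def loader_fits(parts, index, loader_bytes, copies=1):
    """Whether `copies` copies of a loader of `loader_bytes` fit into partition `index`."""
    return copies * loader_bytes <= parts[index]["size_bytes"]


def partitions_at_least(parts, nbytes):
    """Indices of partitions large enough to contain a filesystem reporting `nbytes`."""
    return sorted(i for i, p in parts.items() if p["size_bytes"] >= nbytes)


if __name__ == "__main__":
    parts = parse_gpart_show(GPART_SHOW)
    boot = find_by_type(parts, "freebsd-boot")
    for i, p in sorted(parts.items()):
        print(f"p{i} {p['type']:13s} {p['size_bytes']:>12d} bytes ({p['label']})")
    # Sizes quoted in the posts: the 658432-byte loader and the 779K msdosfs.
    print("658432-byte loader fits freebsd-boot:", loader_fits(parts, boot, 658432))
    print("two copies of a 300KB loader fit:", loader_fits(parts, boot, 300 * 1024, copies=2))
    print("partitions that could hold a 779K filesystem:", partitions_at_least(parts, 779 * 1024))
```

The point the numbers make: the 1024-sector freebsd-boot partition is exactly 524288 bytes, so a 779K filesystem cannot live on it, while the 409600-sector EFI partition has room for it many times over. Run against a real box, replace the constructed listing with the output of `gpart show` and, if the disk uses 4K sectors, pass `sector_bytes=4096`.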
#11
@beneix may I ask when you installed your system?

I thought that newer installer images create a bigger bootfs partition... If that's not the case, maybe there is a way to change that during install.
#12
Quote from: Patrick M. Hausen on July 28, 2025, 11:46:04 PM
I cannot speak for OPNsense but I guess their stance is "we are an appliance, reinstall and import your configuration and you will be fine."

I am ok with that, in a sense (pun intended). This is a valid argument and the only issue I have is that my OPNsense is headless. Connecting stuff to it is a hassle. I usually like to avoid it. So I am happy if I can just upgrade, upgrade, upgrade. But at one point "old" issues catch up (my very small bootfs, old BIOS, old bootloader) and there is no other choice than doing a fresh install. And of course it probably wouldn't hurt to use ZFS instead of UFS.

Either way, OPNsense upgrades always went well and I am very impressed that all the major upgrades didn't mess up my firewall and always booted up again. (I read in this forum that people often had to reinstall after a major upgrade. This never happened to me.)
#13
Quote from: Patrick M. Hausen on July 28, 2025, 11:17:18 PM
Not necessarily - some systems treat USB drives as a hard disk and won't boot an ISO file system from them.

This is interesting. I've never run into this issue, ever. Luck, I guess.

Quote from: Patrick M. Hausen on July 28, 2025, 11:17:18 PM
a DVD must contain an ISO image and not a generic hard disk one.

Yep, that I knew.
#14
See, this is what I don't understand. You can flash a DVD iso to a USB stick as well. And it boots. So I don't understand the difference.

Anyway, I'll just use the vga one. Thanks for all your help.
#15
Thanks again for your reply. One last question (or actually 2). For me there are 2 OPNsense images relevant: vga (I used this type in 2021 when I installed OPNsense) and dvd.

Both fit on a USB stick so I don't see why there are 2 types. The explanation also seems to be the same:

vga: USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.
dvd: ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.

What's the actual difference and which one should I use?