Messages - janci

#1
Yes, that's an option I was thinking about, but I don't see any service making a connection to an external IP on that port. OK, I will try to monitor ...

Anyway, thanks for the tip.
#2
Hi, I am not sure if this is related to OPNsense, but I'm trying to understand what is going on.

I have a server in the local network; the OPNsense router is forwarding TCP ports 80 and 443 from WAN to the server. I have a firewall on the server, and from time to time I can see that the firewall rejects a UDP connection to port 14738 (several times in a few seconds), and the connection is coming from an external IP (it is not from the local net or any other VLANs I have). I have a static public IP on WAN.

For example:
IN_public_REJECT: IN=lag1 OUT= MAC=0e:a8:4e:1d:3f:ed:00:0d:b9:58:db:24:08:00 SRC=141.148.95.205 DST=192.168.53.43 LEN=960 TOS=0x00 PREC=0x00 TTL=51 ID=28793 DF PROTO=UDP SPT=6969 DPT=14738 LEN=940

It is not clear how that is possible. Thanks for help ...
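As an added example (not code from the post or from OPNsense), the check a defender would run over lines like the one above: parse the netfilter REJECT log format into fields and flag packets from public addresses whose protocol/port is not among what the router is expected to forward to this host (TCP 80 and 443, per the post). The first sample line is a copy of the post's line; the second is constructed.

```python
# Added example, not from the original post: parse netfilter-style log lines and
# flag rejected packets that do not match the traffic the router is meant to
# forward to this server (TCP 80/443). Sample lines are constructed/copied below.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# What the router forwards from WAN to this server, as stated in the post.
FORWARDED = {("TCP", 80), ("TCP", 443)}

_KV = re.compile(r"(\w+)=(\S*)")        # KEY=VALUE tokens (OUT= may be empty)
_CHAIN = re.compile(r"(\S+):\s+IN=")    # log prefix naming the chain/zone


def parse_netfilter_log(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a netfilter log line, or None if it has none."""
    fields = dict(_KV.findall(line))  # note: the UDP LEN= overwrites the IP LEN=
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = _CHAIN.search(line)
    fields["CHAIN"] = m.group(1) if m else ""
    return fields


def is_unexpected_inbound(fields: Dict[str, str]) -> bool:
    """True for a packet from a public source that is not expected forwarded traffic."""
    if ipaddress.ip_address(fields["SRC"]).is_private:
        return False  # LAN/VLAN sources are a separate question
    dpt = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return (fields.get("PROTO"), dpt) not in FORWARDED


def flag_unexpected(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Reduce a batch of log lines to (chain, src, proto, dport) tuples worth a look."""
    hits = []
    for line in lines:
        f = parse_netfilter_log(line)
        if f and is_unexpected_inbound(f):
            hits.append((f["CHAIN"], f["SRC"], f["PROTO"], f["DPT"]))
    return hits


# Sample input: line 1 copied from the post, line 2 constructed (an expected TCP 443 SYN).
SAMPLE_LINES = [
    "IN_public_REJECT: IN=lag1 OUT= MAC=0e:a8:4e:1d:3f:ed:00:0d:b9:58:db:24:08:00 SRC=141.148.95.205 DST=192.168.53.43 LEN=960 TOS=0x00 PREC=0x00 TTL=51 ID=28793 DF PROTO=UDP SPT=6969 DPT=14738 LEN=940",
    "IN_public_ACCEPT: IN=lag1 OUT= MAC=0e:a8:4e:1d:3f:ed:00:0d:b9:58:db:24:08:00 SRC=203.0.113.7 DST=192.168.53.43 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for hit in flag_unexpected(SAMPLE_LINES):
        print("unexpected inbound: chain=%s src=%s %s/%s" % hit)
```

The source port of a flagged hit is what to correlate against the router's state table and the server's own outbound connections when deciding whether the packet was a reply to something local.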
#3
24.1, 24.4 Legacy Series / Re: KEA DHCP
March 01, 2024, 08:06:07 PM
I am just trying to migrate one VLAN from ISC to KEA but found out that ISC is binding *.67, so KEA is not able to start.
Hope this will be solved soon so we can run both.
#4
Hi

I was reporting this issue in 21.7 release. After some time it was fixed.

I upgraded to 23.1 and I'm seeing the problem again.

This happened just now:
- a new device connected to the network
- the new device gets an IP and it can access the local network and the internet
- I can ping that new device from my laptop BUT only using the IP
- if I use the hostname I get an error saying it is not able to resolve the name ...

I logged in to the router and ran this command:
sudo ps -aux|grep unbo
root    88022   5.1  3.3 197748 134948  -  S    Sun14      34:07.57 /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
unbound 84539   0.0  1.4 145996  56208  -  Ss   Sun14       0:38.30 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    87907   0.0  0.1  12756   2232  -  Is   Sun14       0:00.00 daemon: /usr/local/opnsense/scripts/unbound/logger.py[88022] (daemon)
jano    95697   0.0  0.1  12748   2364  0  S+   18:45       0:00.01 grep unbo


Then I restarted unbound in the web GUI and ran that command on the console again:

sudo ps -aux|grep unbo
root    76021   4.6  0.4  25764  15348  -  Ss   18:45       0:05.32 /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain doma (python3.9)
root    76350   1.5  2.8 192116 115176  -  S    18:45       0:05.85 /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
unbound 31762   0.0  1.3 145996  55064  -  Ss   18:45       0:01.00 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    76233   0.0  0.1  12756   2232  -  Is   18:45       0:00.00 daemon: /usr/local/opnsense/scripts/unbound/logger.py[76350] (daemon)
jano    71423   0.0  0.1  12748   2364  0  S+   18:46       0:00.01 grep unbo


As you can see, after restarting the unbound service the watcher is running. But it was not.

Just let me know which log to check (maybe I need to tune the log level) to find out more details, so I can help find out what's going on.
#5
Just updating:
I updated to 22.1 and the problem remains; if I change the configuration of unbound it will restart, but the watcher is not running, so I have to start it manually.
#6
General Discussion / Re: NextDNS
February 07, 2022, 11:52:06 AM
Aha, somehow I did not understand the CN field correctly and I put there just the XXXX part.

Thanks, it is working now.
#7
I am another happy user who successfully transferred from UFS -> ZFS.

Thanks to @teosoft for the steps and @Greelan for mentioning the password for the installer, which is the same as root, which after import is the same as the original.

edit:
The original version was 21.7, but I flashed 22.1 to USB and booted from that, so I also upgraded OPNsense.
#8
General Discussion / Re: NextDNS
February 05, 2022, 09:38:53 PM
I found out that I posted to the wrong thread, so I'm copy-pasting my question here.


1) account at NextDNS created
2) disabled dnscrypt
3) removed the dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS added a new record; for CN I used the ID of the endpoints from the setup tab of the NextDNS GUI
5) restarted unbound
6) DNS is not working
7) checking the log in Unbound DNS, the following error is found


2022-02-03T21:08:05   unbound[92145]   [92145:2] notice: ssl handshake failed 45.90.28.179 port 853   
2022-02-03T21:08:05   unbound[92145]   [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


Any idea?
Thanks



NOTE #1
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:                                                                         
   tls-cert-bundle: /etc/ssl/cert.pem                                           
forward-zone:                                                                   
   name: "."                                                                     
   forward-tls-upstream: yes                                                     
   forward-addr: 45.90.28.179@853#XXXXX



NOTE #2
I still run OPNsense 21.7.7.
Should I update to 22?



NOTE #3
I suspect that my ISP is changing my DNS queries.
I checked for DNS leaks, and when using 9.9.9.9 in resolv.conf on my Linux laptop it looks OK,
but when using NextDNS 45.90.28.179 the DNS leak test web page shows me that I am using Google or OpenDNS.

That's for port 53, and I think they are doing the same trick for 853.
So the response is coming from a different IP than the one the request was sent to, and it could be the cause of the "certificate verify failed" problem.

what do you think?
#9
I suspect that the ISP is changing my DNS queries.
I checked for DNS leaks, and when using 9.9.9.9 in resolv.conf on my Linux laptop it looks OK,
but when using NextDNS 45.90.28.179 the DNS leak test web page shows me that I am using Google or OpenDNS.

That's for port 53.
I think they are doing the same trick for 853.
So the response is coming from a different IP than the one the request was sent to.

what do you think?
#10
1) account at NextDNS created
2) disabled dnscrypt
3) removed the dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS added a new record; for CN I used the ID of the endpoints from the setup tab of the NextDNS GUI
5) restarted unbound
6) DNS is not working
7) checking the log in Unbound DNS, the following error is found


2022-02-03T21:08:05   unbound[92145]   [92145:2] notice: ssl handshake failed 45.90.28.179 port 853   
2022-02-03T21:08:05   unbound[92145]   [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed



Any idea?
Thanks



edit #1:
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:                                                                         
   tls-cert-bundle: /etc/ssl/cert.pem                                           
forward-zone:                                                                   
   name: "."                                                                     
   forward-tls-upstream: yes                                                     
   forward-addr: 45.90.28.179@853#XXXXX



edit #2:
I still run OPNsense 21.7.7.
Should I update to 22?
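As an added example for the DoT setup in posts #8 and #10 (not code from the post, OPNsense or unbound), this parses the forward-addr entries of a dot.conf like the one shown and reproduces the verification unbound performs: a TLS session to the address with SNI and hostname checking set to the part after '#', using the same CA bundle. The config string is a copy of the post's, with the post's own XXXXX placeholder.

```python
# Added example, not from the post: parse unbound's 'IP[@port][#auth-name]'
# forward-addr syntax and probe the upstream the way unbound verifies it, so a
# "certificate verify failed" can be traced to the auth name, the bundle or the peer.
import re
import socket
import ssl
from typing import List, NamedTuple, Optional

# Copy of the dot.conf shown in the post; XXXXX is the post's own placeholder.
DOT_CONF = """\
server:
   tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
   name: "."
   forward-tls-upstream: yes
   forward-addr: 45.90.28.179@853#XXXXX
"""


class Upstream(NamedTuple):
    addr: str
    port: int
    auth_name: Optional[str]  # text after '#': the name the server cert must match


_FWD = re.compile(r"^\s*forward-addr:\s*(\S+)\s*$", re.M)


def parse_forward_addrs(conf: str) -> List[Upstream]:
    """Split each forward-addr into address, port (default 53) and TLS auth name."""
    out = []
    for raw in _FWD.findall(conf):
        addr, _, auth = raw.partition("#")
        addr, _, port = addr.partition("@")
        out.append(Upstream(addr, int(port) if port else 53, auth or None))
    return out


def auth_name_looks_like_hostname(name: Optional[str]) -> bool:
    """A bare label (no dot), such as an account ID, cannot match a public server cert."""
    return bool(name) and "." in name and " " not in name


def probe_dot(up: Upstream, cafile: str = "/etc/ssl/cert.pem", timeout: float = 5.0) -> str:
    """TLS-connect to addr:port verifying against auth_name with the given bundle.
    Raises ssl.SSLCertVerificationError on the failure unbound logs. Needs network."""
    if not up.auth_name:
        raise ValueError("no '#auth-name' on forward-addr; nothing to verify against")
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((up.addr, up.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=up.auth_name) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
            return "verified %s:%d as %s; SAN=%s" % (up.addr, up.port, up.auth_name, sans)
```

Running auth_name_looks_like_hostname over the parsed entries catches the mistake resolved in post #6 before any handshake; probe_dot is for the router with network access and is the step that separates a wrong auth name from an interposed resolver.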
#11
I am using dnscrypt and I think it uses a protocol which is not DNS over TLS / HTTP.
https://dnscrypt.info/protocol/

NextDNS supports DoH and DoT
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3

So the client (your router) is communicating with the opposite side over a secure channel. But what happens on the opposite side? In the case of DNSCrypt there can be any of many servers (some of them are privacy friendly, some not), but in the case of NextDNS there is just one company.

I am planning to try NextDNS to see how it works and what benefit I get. But now, I don't know.
#12
General Discussion / Re: Anyone setup NextDNS?
February 02, 2022, 09:48:50 PM
Not sure, but check https://docs.opnsense.org/manual/unbound.html?highlight=unbound#advanced-configurations

for the correct path of that nextdns.conf
#13
I would like to change the configuration of sshd so it will offer only

HostKey /conf/sshd/ssh_host_ed25519_key


Now, and I think by default, it offers

HostKey /conf/sshd/ssh_host_rsa_key                                             
HostKey /conf/sshd/ssh_host_ecdsa_key                                           
HostKey /conf/sshd/ssh_host_ed25519_key


Thanks for the advice
#14
Sorry, meanwhile I updated to 21.7.7-amd64 and unbound_dhcpd.py did not start.

Which log file should I look at?
It is a bit confusing for me; I am not able to find the correct log file in the web GUI.
And on the console I am not sure either.

edit:
1) I went to Services -> Unbound DNS -> Log file
2) searched for "watcher"
3) I can see that the "daemonize unbound dhcpd watcher" string appeared in the log at approximately the time when I was updating.
4) but I remember that I logged into the router over SSH and checked if it was running, and it wasn't
#15
I updated my router to OPNsense 21.7.5-amd64 today.
BUT /usr/local/opnsense/scripts/dns/unbound_dhcpd.py did not start, so I started it manually.

Do you have some news / progress on this? Should I file a bug?

thanks