Messages - neek

#1
I did have a file in /etc/rc.conf.d/unbound with only the contents unbound_enable="yes".

I removed that, and it fixed this issue, thanks.

Maybe related: I also no longer have adguardhome starting at boot time. When I run it manually after a restart, it does launch. What method does opnsense use to decide which services to launch at boot? I'd like to make sure adguardhome is included in that.
#2
Somehow, I think when I upgraded to 25.7, my opnsense server started running a second unbound instance. Each time I reboot the system, it causes some issues where I have to manually kill one. I see that I've got the following running:
root@opnsense:~ # ps ax | grep unbound
47667  -  Is    0:00.03 /usr/local/sbin/unbound -c /usr/local/etc/unbound/unbound.conf
59585  -  Ss    0:03.94 /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain [my.domain.tld] (python3.11)
93490  -  Is    0:00.28 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
It looks like the one that uses /var/unbound/unbound.conf is the correct config. The one using /usr/local/etc/unbound/unbound.conf should not be running.

I've grepped around trying to find why that second instance is loaded, but I don't see anything. Can anyone point me in the right direction? It also seems that my AdGuardHome doesn't run at boot anymore, but I'm guessing that's because this second instance of unbound consumes ports which I configure AdGuard to use, so AdGuard can't run until I kill the one unbound.

Thanks in advance!
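An added check for the duplicate-unbound situation described in the post above and resolved in #1 (example code, not from the thread or from OPNsense itself): it flags unbound daemons started with a config other than the OPNsense-managed one, and lists any rc.conf.d enables that would start a second copy at boot. The config paths and sample ps lines come from the posts; the watcher's domain is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Assumptions (from the posts): OPNsense's managed unbound reads
# /var/unbound/unbound.conf, while a stray rc.conf.d enable starts the
# packaged rc script, which reads /usr/local/etc/unbound/unbound.conf.

EXPECTED_CONF="/var/unbound/unbound.conf"

# stray_unbound: reads `ps ax` output on stdin and prints the PID of every
# unbound daemon whose -c argument is not the OPNsense-managed config.
stray_unbound() {
    awk -v want="$EXPECTED_CONF" '
        /[/]unbound / {
            for (i = 1; i <= NF; i++)
                if ($i == "-c" && $(i + 1) != want) print $1
        }'
}

# rc_overrides: prints every *_enable="yes" line in the given rc.conf.d
# directory, prefixed with its file name. OPNsense starts services from
# its own templates, so such a file is the duplicate-start source the
# posts describe. Prints nothing if the directory is absent or clean.
rc_overrides() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -H '_enable="\{0,1\}yes' "$dir"/* 2>/dev/null || true
}

# Constructed sample modelled on the ps listing in the post (domain is a placeholder).
SAMPLE_PS='47667  -  Is    0:00.03 /usr/local/sbin/unbound -c /usr/local/etc/unbound/unbound.conf
59585  -  Ss    0:03.94 /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain example.test (python3.11)
93490  -  Is    0:00.28 /usr/local/sbin/unbound -c /var/unbound/unbound.conf'

# Run against the sample; on a real box use: ps ax | stray_unbound
printf '%s\n' "$SAMPLE_PS" | stray_unbound
rc_overrides /etc/rc.conf.d
```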
#3
I'm seeing the same thing with AdGuardHome. I can manually start the service after boot, both from the shell and from the GUI, but it doesn't seem to want to autostart. It worked fine before I updated to 25.1.
#4
Thanks very much. Is there a way to auto-restart using either monit or some other service? In pfSense I used to use a watchdog to do that.

Still not sure why I'm losing connectivity, though knowing I've lost it is interesting.
#5
I've been running 22.x since it came out and my system has been very stable. I updated to 23.1, and since then, my system will occasionally (maybe every ~2-3 days) stop serving up DHCPv4 addresses to machines on my network. Even if I hardcode an address and ping or try to connect to the router, I cannot. I don't really know how to troubleshoot this more, since the only good fix I've found is to reboot the box. My questions:

1. Any good way to look at the logs from before the previous shutdown?
2. I've seen monit, but I haven't figured out how to use it to make sure that e.g. DHCP is up and running, or other core services
3. I've read through a bit of the forum and I haven't seen others with similar trouble. What should I do to help narrow this down so I can file a formal bug report, if that is indeed what this is?

thanks!
#6
Thanks for sharing that config. It's similar enough to mine that it unfortunately didn't help. I'm now working with support at Namecheap to figure out what I'm supposed to enter as the domain to update. My wild guess is I'd have to make something like e.g. 'dd.EXAMPLE.COM' and then make a CNAME that aliases that, rather than just using EXAMPLE.COM as the dynamic host.
#7
I'm setting up OPNsense to update dynamic DNS at provider Namecheap. In this case, the dynamic address is assigned to my base domain (e.g. example.com), so at Namecheap I have that configured as "@". In ddclient on OPNsense, I have configured the base domain (example.com).

In my logs I'm seeing that the domain is not found. I'm unable to set "@.example.com" in ddclient so I'm guessing that the base domain name is correct. My logs show the following errors. Can anyone tell me what I'm doing wrong?

2022-06-06T21:28:26-07:00 Notice ddclient[50858] 63477 - [meta sequenceId="78"] FAILED: updating EXAMPLE.com: Invalid reply.
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="77"] WARNING: </interface-response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="76"] WARNING: <debug><![CDATA[]]></debug>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="75"] WARNING: <Done>true</Done>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="74"] WARNING: </responses>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="73"] WARNING: </response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="72"] WARNING: <ResponseString>Validation error; not found; domain name(s)</ResponseString>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="71"] WARNING: <ResponseNumber>316153</ResponseNumber>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="70"] WARNING: <Description>Domain name not found</Description>
#8
Just wanted to bump this to see if anyone had any ideas?
#9
We had a power outage a few days ago, and OPNsense came up fine after the outage, but only had a IPv6 gateway to my ISP. I manually disabled the WAN interface and then re-enabled it, and after that both IPv4 and IPv6 came up.

Is there a setting I need to do to force IPv4 to keep retrying to come up on WAN?

Also is there magic (such as firewall rules or otherwise) to let my internal IPv4 network use the IPv6 gateway to my WAN? thanks a lot.

(Edit: Renamed the subject for clarity)
#10
Ok I've figured it out. I had the OpenVPN server set to listen on Interface "any". It needs to listen on Interface "WAN". D'oh!

thanks all!
#11
Thanks. I realized I created that interface for VPN when I was trying to look at the live firewall log and wanted to watch all traffic on the interface. I deleted it and still don't seem to be able to reach the intranet, though the VPN seems intact.
#12
Bumping this with the hope that anyone has ideas?
#13
I'm a relatively new convert from pfSense to opnsense. I've been happy with it, but I'm still unsure how to get my firewall rules configured correctly.

First, when I navigate to Firewall -> Rules, I have a ruleset for "OPENVPN" and a second ruleset for "OpenVPN". Is this correct? The all-caps one is from the Interface that I created that maps to "ovpns1". I'm unsure what the ruleset for "OpenVPN" came from, nor how/if to delete it.

Both of these rule sets are empty, except for some default rules on the OPENVPN for blocking bogon networks. When I connect to the VPN, I find that I can't even connect to the VPN's gateway (192.168.x.1) to get to opnsense. It feels like it's a firewall block, since the telnet command gets hung.

Is there some obvious thing I'm missing? Thanks much.

I've put a few screenshots showing the interfaces, the VPN rules, and the firewall logs, at this link. https://imgur.com/a/98vZ7nX

EDIT: I figured out what's wrong. I needed to set up the VPN server to listen on Interface "WAN" instead of Interface "any".
#14
Thanks, this sounds exactly like what I need to do.

Would you be willing to share a screenshot or detail of the floating firewall rule?


Quote from: zz00mm on February 28, 2022, 08:23:53 PM
I did something of this sort with Unbound and AdGuardHome. I kept Unbound on 9 of my VLANs plus localhost. (10.0 thru 10.8, and localhost) The 10th VLAN (which is streaming TV i.e. Roku and Apple) has AdGuard listening on port 53 and forwarding to localhost:53 for upstream. I did this lazy approach so I could see what the streaming TV's are doing. Also did an outbound NAT port 53 into localhost:53 to stop the Roku going to 8.8.8.8. Next step is looking at ZenArmor to stop DoT & DoH from getting out, as I see my iPhone when on Wifi goes to some dns-apple.com site it looks like for resolution. So far it's working good. The only gotcha, I had to modify my floating rule to reverse/ignore via an alias my domain/dns to allow them outside access (no blocking of anykind) as backup/testing of name resolution.
#15
Hi, I'm trying to set up AdGuard Home for my home network, but I have to leave one subnet untouched by AdGuard.

Is the right way to do this to do a few port forwarding rules so that the networks I want protected redirect to AdGuard's DNS port, and the other nets point to Unbound directly? It looks like AdGuard Home has support for mapping individual clients, but I'd prefer to do this with rules of the form:

192.168.1.0/24 --> AdGuard DNS --> Unbound DNS forward
192.168.41.0/24 --> Unbound DNS directly

(I configure the "Unbound DNS forward" as a fallback DNS server in AdGuard Home.)

I'm running AdGuard Home via the os-adguardhome-maxit community plugin, btw.

thanks