Messages - DEC740airp414user

#1
OK, I believe I fixed it.

On the SPFLAN interface I created an allow rule to destination "This Firewall", at the top of the list.

On the guest/IoT VLANs, the top rule I created is a block rule to destination "This Firewall".

I believe I am good now; totally different from how I had it before.

Earned me some new brain wrinkles.
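The ordering point in the post above (the block rule to "This Firewall" has to sit at the top of the guest/IoT rule list) comes from first-match evaluation: OPNsense rules are "quick", so the first rule that matches decides and nothing below it is consulted. The following is an added illustration, not code from the poster or from OPNsense; the interface names, subnets and firewall addresses are constructed, and "This Firewall" is modelled as the set of addresses the firewall holds on its interfaces.

```python
"""First-match firewall rule evaluation, showing why a 'block to This Firewall'
rule on the guest/IoT VLANs must be placed above any broad pass rule.
Added example; all addresses and rule sets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the addresses the firewall itself holds on each interface.
# OPNsense's "This Firewall" alias expands to the firewall's own addresses.
THIS_FIREWALL = {ip_address("192.168.1.1"),    # LAN
                 ip_address("192.168.20.1"),   # GUEST
                 ip_address("192.168.30.1")}   # IOT


@dataclass
class Rule:
    interface: str
    action: str          # "pass" or "block"
    src: str             # CIDR or "any"
    dst: str             # CIDR, "any", or "This Firewall"
    description: str = ""

    def matches(self, interface, src, dst):
        if interface != self.interface:
            return False
        if self.src != "any" and src not in ip_network(self.src):
            return False
        if self.dst == "This Firewall":
            return dst in THIS_FIREWALL
        return self.dst == "any" or dst in ip_network(self.dst)


def evaluate(rules, interface, src, dst):
    """Quick/first-match semantics: the first matching rule decides.
    No match falls through to the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.action, rule.description
    return "block", "default deny"


# Constructed rule sets, in the order the post describes: allow to the GUI
# from LAN at the top, block to the GUI from GUEST at the top.
GOOD = [
    Rule("LAN", "pass", "192.168.1.0/24", "This Firewall", "LAN -> GUI"),
    Rule("LAN", "pass", "192.168.1.0/24", "any", "LAN default"),
    Rule("GUEST", "block", "192.168.20.0/24", "This Firewall", "no GUI from guest"),
    Rule("GUEST", "pass", "192.168.20.0/24", "any", "guest to internet"),
]
# Same four rules, but the GUEST block rule placed *below* the broad pass.
BAD = [GOOD[0], GOOD[1], GOOD[3], GOOD[2]]


def check(rules):
    """Evaluate a few representative flows and return the action for each."""
    return {
        "lan_to_gui": evaluate(rules, "LAN", "192.168.1.50", "192.168.1.1")[0],
        "guest_to_gui": evaluate(rules, "GUEST", "192.168.20.50", "192.168.20.1")[0],
        # Reaching the GUI via the LAN-side address is still "This Firewall".
        "guest_to_lan_gw": evaluate(rules, "GUEST", "192.168.20.50", "192.168.1.1")[0],
        "guest_to_internet": evaluate(rules, "GUEST", "192.168.20.50", "1.1.1.1")[0],
    }


if __name__ == "__main__":
    print("block at top of list :", check(GOOD))
    print("block below pass     :", check(BAD))
```

With the block rule on top, guest hosts reach the internet but every address the firewall holds is denied to them, including the LAN-side address; with the same rule moved below the pass-any rule it never fires and the GUI is reachable again, which is the failure mode a quick look at the rule order catches.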
#2
So I never had this rule, but this resolved it (attached).

Is this expected? This also isn't what I want. I want to restrict: only one network to access the GUI. When I changed this yesterday I had to restore a backup. This also worked previously. My head hurts.

You list the same router. If you open System > Trust > Certs > webgui TLS key, then edit it and try to close it, does it give you an error?
#3
Quote from: patient0 on December 28, 2025, 07:23:41 AM
Quote from: DEC740airp414user on December 27, 2025, 10:34:59 PM
Any device going over the WireGuard tunnel can't access the router GUI.
What firewall rules have you created on the WireGuard interface?

Do you mean the WireGuard group,
or the WireGuard tunnel to the external ISP?

The group still has the default rule, which I honestly don't remember being there on my old appliance; I can boot it up to verify.

The other is empty, just like on the old device. I imported the rules from the configuration file.

I've gone in and made rules on each interface. I allowed all; that didn't work. Then I created an allow to destination "This Firewall". That did not work either after clearing states. I cannot PING the appliance. How is that possible?

2nd part of weirdness: under System: Trust: Certificates, the webgui TLS cert is there, but when you open it and try to close it, it says error: missing CA key.

When I received the appliance I did a fresh install of Business Edition. Is that error part of this, or is that normal?
#4
DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.
#5
Quote from: vimage22 on December 27, 2025, 04:56:24 PM
Great. And you needed to add a forward from Unbound to Dnsmasq, right? As for DNSSEC, I have been reading up on this:
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too

I think DNSSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"
It seems like a provider, like Cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them. If you turn off DNSSEC, then you can no longer trust that the answer you get was from your provider.

In summary:
DoT: encrypts your DNS query.
DNSSEC: cryptographically verifies DNSSEC-signed records (only within Unbound).

Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.

DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.
#6
Ordered, and the RJ45 SFP modules from the OPNsense store.

Finally got the SFP+ set up as my primary LAN through the console.
DEC740 port 0 to port 9, the SFP port on the Pro UI switch. It shows connected at full duplex, 10 Gb.

Now when I activate WireGuard tunnels, any device going over the WireGuard tunnel can't access the router GUI. If I create a rule to have that device go over the WAN, I can access the GUI. I can't believe this is my only issue, and I've spent hours trying to fix this. Disable routes is checked on each tunnel. Everything is set up exactly as on my previous appliance, but I am struggling to figure this out.

It is set up to listen on all interfaces, so that is not the issue.

Any suggestions are welcome.
#7
When using servers that use DNSSEC, you don't need it enabled on the router within Unbound.
That is my understanding.
#9
It's personal preference.

Unbound set to not forward should never go down or have any issues. It also does not use DNS over TLS, which I prefer to use myself:

If forwarding, you are at the mercy of the servers you choose to forward to for privacy and reliability.

#10
Screenshot 3: I would turn off DNS within Dnsmasq; change the listen port to 0. You also do not need DNSSEC enabled if using Quad9.

I use Unbound and it works 100% reliably.

I set up DNS over TLS for Quad9 or similar products, though.
#11
Are you using Community or Business Edition?

I have used Business Edition for the use of my appliance and always used just the blocklist tab, then checked those I wanted to use.
The extended ones I never used?

Should I be reconsidering this (it doesn't show Hagezi)? So it seems like a move backwards.
#12
Hardware and Performance / Re: DEC750 Questions
December 20, 2025, 12:08:59 AM
To the original poster.

The appliance came with a 180 dollar Business license that lasts a year.

Why did you decide to wipe it and go to the Community version?
#13
@franco and the OPNsense team, thank you for keeping us secured.
#14
Quote from: Monviech (Cedrik) on December 19, 2025, 01:47:21 PM
Quote from: DEC670airp414user on December 19, 2025, 01:44:00 PM
Purchased my 2nd appliance, and a couple of modules.
Looking forward to the quick swap out from the DEC670.

Thanks. Will your username change then?

Sure, if it's not frowned upon :)
#15
Purchased my 2nd appliance, and a couple of modules.
Looking forward to the quick swap out from the DEC670.