Messages - ticker

#1
Minor feature request; however, I really would like the ability to add the photo/picture widget back onto the new dashboard, please. :)
#2
I currently have OPNsense set up with Unbound, and all devices on the network use it. I want all the devices to connect directly to the firewall IP for DNS. I have a few VLANs, and port 53 is forwarded locally for all of them so they can reach DNS (correct me if there is a more secure way of doing that).

Now I want to set up LANCache, likely in Proxmox.
I do not want to have the computers connect to LANCache as their DNS. I want them to connect to OPNsense as they currently do, but have LANCache work in the background alongside Unbound, if that makes sense.

Basically I want all devices to point to 192.168.1.1 (firewall) for DNS, but if they are downloading something LANCache supports, LANCache feeds them that data.
How would I set this up ideally?
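The usual way to get this behaviour is to leave the clients pointed at the firewall and have Unbound itself answer the cache-able CDN hostnames with the LANCache address, so only those names are diverted. The script below is an added example, not the poster's configuration and not LANCache's own tooling: it turns a cache-domains style list (one hostname per line, "*." for wildcards, "#" comments; the sample list is constructed) into Unbound local-zone/local-data lines for a hypothetical cache host at 192.168.1.50.

```python
"""Generate Unbound overrides that send LANCache-able hostnames to a cache box.

Added example, not the poster's configuration and not LANCache's own tooling.
Assumptions (all constructed for illustration):
  * cache domain lists use one hostname per line, a "*." prefix for wildcards
    and "#" comments, in the style of the lancache cache-domains lists
  * the LANCache host lives at 192.168.1.50 (hypothetical address)
  * the output goes into Unbound's custom configuration on the firewall, so
    clients keep using 192.168.1.1 as their only resolver
"""
import ipaddress

SAMPLE_LIST = """\
# constructed sample, not a real cache-domains file
lancache.steamcontent.com
*.cs.steampowered.com
steampipe.steamcontent.com
*.steamcontent.com
epicgames-download1.akamaized.net
"""


def parse_cache_domains(text):
    """Split a cache-domains style list into exact names and wildcard parents."""
    exact, wild = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if line.startswith("*."):
            wild.add(line[2:])
        else:
            exact.add(line)
    return exact, wild


def covered_by_wildcard(name, wild):
    """True when name is a wildcard parent or sits underneath one."""
    return any(name == z or name.endswith("." + z) for z in wild)


def unbound_overrides(exact, wild, cache_ip):
    """Render local-zone/local-data lines.

    A "redirect" zone answers the zone name and every name below it with the
    zone's own records, which is what "*.example.com" needs.  Unbound allows no
    local-data beneath a redirect zone, so exact names that fall inside one
    are dropped rather than listed a second time.
    """
    ip = ipaddress.ip_address(cache_ip)
    rrtype = "A" if ip.version == 4 else "AAAA"
    lines = []
    for zone in sorted(wild):
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. {rrtype} {ip}"')
    for name in sorted(exact):
        if covered_by_wildcard(name, wild):
            continue
        lines.append(f'local-data: "{name}. {rrtype} {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    exact, wild = parse_cache_domains(SAMPLE_LIST)
    print(unbound_overrides(exact, wild, "192.168.1.50"), end="")
```

Two caveats worth keeping in mind: this is a deliberate, resolver-side hijack of those names, so the cache host sits in the middle of every matching download and the list should be limited to what it actually serves; and if only some VLANs should use the cache, Unbound's views (access-control-view) can scope these overrides per client subnet instead of applying them to guests as well.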
#3
My network is basically a few VLANs (family VLAN, my VLAN, guest VLAN).
And I run Unbound on OPNsense. That acts as the DNS server; all devices point to it. (Which raises a question: is this type of DNS considered an "Authoritative DNS Server"? The two still confuse me.)

Anyway, I read about Squid and how it can cache stuff and speed things up.
I am curious: the drive in my system is about 500 GB, so OPNsense is barely using any of it. Should I install Squid? Or does Unbound have these capabilities?
I see there are some settings about caching in Unbound > Advanced. Not sure if changing these numbers would be beneficial.

Not that stuff is slow, but more speed is always better lol ;)
#4
23.1 Legacy Series / Re: how To Add Secondary SSD
March 07, 2023, 11:40:38 PM
...also for clarification, I will never come close to even using 100 GB (never mind the 250-512 GB that the drives are), so size should not be an issue.
I think I'm only using 2.2 GB of 452 GB on my current drive haha
#5
23.1 Legacy Series / Re: how To Add Secondary SSD
March 07, 2023, 11:38:03 PM
Hey, so just getting around to trying this.
Sounds good; my new drive is also going to be ada0.
However, when running

gpart backup ada1 | gpart restore -F ada0

I run into a "gpart: size '983025664' invalid argument" error. I assume this is because the new drive is smaller in size, so the partition sizes won't match.

Can you please help clarify how to safely proceed. Thanks.

Here is the disk layout:

# geom disk list
Geom name: ada0 (new second disk adding in)
Providers:
1. Name: ada0
   Mediasize: 250059350016 (233G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk SDSSDH3 250G
   lunid: 5001b448b243e95c
   ident: 230206A0004C
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: ada1 (original disk)
Providers:
1. Name: ada1
   Mediasize: 512110190592 (477G)
   Sectorsize: 512
   Mode: r1w1e2
   descr: SanDisk SDSSDH3 512G
   lunid: 5001b448ba4679ef
   ident: 21120U801225
   rotationrate: 0
   fwsectors: 63
   fwheads: 16
#6
23.1 Legacy Series / how To Add Secondary SSD
February 23, 2023, 07:26:39 PM
I am looking to add a second SSD.
Upon first install, I installed using ZFS on a single SSD.
I recently acquired another SSD and I wanted to mirror it. I know it's an option on first install.

I am looking to avoid needing to backup, and fresh install.
How can I add it in, without fresh installing?
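The `gpart: size '...' invalid argument` error from the follow-up post is what `gpart restore` says when a partition in the backup runs past the end of the target disk, which is exactly what happens when a 477G layout is replayed onto a 233G drive. The script below is an added example, not OPNsense or FreeBSD tooling: it parses `gpart backup` text (assumed "scheme entries" header, then "index type start size label" rows), checks whether the layout fits a disk of a given Mediasize, and shrinks only the last partition so the restore can succeed. The two Mediasize values come from the `geom disk list` output in the post; the partition table itself is constructed and merely shaped so the ZFS partition has the size from the error.

```python
"""Check whether a `gpart backup` layout fits a smaller disk and shrink the last
partition so `gpart restore` stops failing with
"gpart: size '...' invalid argument".

Added example, not OPNsense or FreeBSD tooling.  Only the two Mediasize values
come from the poster's `geom disk list`; the partition table below is
constructed in `gpart backup` format ("index type start size label") and merely
shaped so the ZFS partition has the size from the error message.
"""

SECTOR = 512
GPT_TAIL = 34     # sectors kept free for the backup GPT header and table (assumption: default 128-entry table)
ALIGN = 2048      # 1 MiB alignment in 512-byte sectors

NEW_DISK = 250059350016   # ada0 Mediasize from the post (233G)
OLD_DISK = 512110190592   # ada1 Mediasize from the post (477G)

SAMPLE_BACKUP = """\
GPT 128
1 efi 40 532480 efiboot0
2 freebsd-boot 532520 1024 gptboot0
3 freebsd-swap 534528 16654336 swap0
4 freebsd-zfs 17188864 983025664 zfs0
"""


def parse_backup(text):
    """Return (scheme, entries, partitions sorted by start sector)."""
    lines = [l for l in text.splitlines() if l.strip()]
    scheme, entries = lines[0].split()
    parts = []
    for line in lines[1:]:
        f = line.split()
        parts.append({"index": int(f[0]), "type": f[1], "start": int(f[2]),
                      "size": int(f[3]), "rest": f[4:]})
    parts.sort(key=lambda p: p["start"])
    return scheme, int(entries), parts


def render_backup(scheme, entries, parts):
    """Write the table back out in the same line format gpart restore reads."""
    out = [f"{scheme} {entries}"]
    for p in sorted(parts, key=lambda p: p["index"]):
        out.append(" ".join([str(p["index"]), p["type"], str(p["start"]),
                             str(p["size"])] + p["rest"]))
    return "\n".join(out) + "\n"


def fit_to_disk(text, mediasize, sectorsize=SECTOR):
    """Return (backup_text, shrunk).

    Only the last partition is ever resized; if even that cannot be made to
    fit, raise instead of guessing at a new layout.
    """
    scheme, entries, parts = parse_backup(text)
    last_usable = mediasize // sectorsize - GPT_TAIL - 1   # last sector a partition may use
    last = parts[-1]
    if last["start"] + last["size"] - 1 <= last_usable:
        return text, False
    new_size = last_usable - last["start"] + 1
    new_size -= new_size % ALIGN
    if new_size <= 0:
        raise ValueError("layout does not fit this disk even after shrinking the last partition")
    last["size"] = new_size
    return render_backup(scheme, entries, parts), True


if __name__ == "__main__":
    adjusted, shrunk = fit_to_disk(SAMPLE_BACKUP, NEW_DISK)
    print("shrunk:", shrunk)
    print(adjusted, end="")
```

Run `gpart backup ada1` on the firewall, feed the text to `fit_to_disk` with ada0's Mediasize, and restore the result with `gpart restore -F ada0`. The important caveat is what comes after: `zpool attach` refuses a mirror member that is smaller than the existing vdev (it reports "device is too small"), and that is decided by partition size, not by how much of the pool is in use. A shrunk ZFS partition therefore lets the restore succeed but does not make the 233G drive a valid mirror for a pool living on a 483G partition; mirroring needs a second disk at least as large, or a fresh ZFS mirror install on matching partitions followed by a config restore.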
#7
OK, so I believe I got this working.
I had to uncheck all my lists in Blocklist and then apply, then re-enable the lists I want and apply.
nslookup now shows they are resolving to 0.0.0.0 as expected (before, they were actually resolving rather than being blocked).
It also now shows the count in the new Unbound stats page.

However, after my last update it broke again, and I had to disable each list, apply, then re-enable them.
Not sure why, but it's working again.
Seems like some bug.
#8
So I want to preface this with the note that I cannot confirm this is a result of upgrading to 23.1. I did not test this beforehand. However, it is not major enough of an issue to make me want to deal with flashing back, but it is major enough that I really want to try to fix it.
I do feel like I have always had issues with the Unbound blocklist not working in the past. I remember I've tried doing resolves with some of the domains in the lists, and I think they always resolved despite forcing Unbound as my DNS on all my devices, and even when resolving directly from the OPNsense shell. Nothing is using DoT/DoH. So I'm questioning now if it ever really even worked.

Anyway, the issue is that the blocklists just seem not to be working. I first noticed this with the new statistics, where it shows "Size of Blocklist" as "0", despite having multiple blocklists selected in Unbound > Blocklists (and yes, it's enabled, and I've tried restarting the service and rebooting the firewall).

For example: https://blocklistproject.github.io/Lists/tracking.txt

Tried resolving from my computer:

nslookup 1000mercis.com
Server:  firewallhostname
Address:  myfirewallip

Non-authoritative answer:
Name:    1000mercis.com
Addresses:  64:ff9b::5396:f484
          83.150.244.132


And then also tried it directly in firewall shell:

nslookup 1000mercis.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   1000mercis.com
Address: 83.150.244.132
Name:   1000mercis.com
Address: 64:ff9b::5396:f484

So I looked a bit further and ran unbound -d -vv -c unbound.conf, and it prints the following:

[1675862429] unbound[40886:0] debug: setup SSL certificates
[1675862429] unbound[40886:0] debug: switching log to syslog
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = 'unbound'
  isolated = 0
  environment = 1
  user site = 1
  import site = 0
  sys._base_executable = ''
  sys.base_prefix = '/usr/local'
  sys.base_exec_prefix = '/usr/local'
  sys.platlibdir = 'lib'
  sys.executable = ''
  sys.prefix = '/usr/local'
  sys.exec_prefix = '/usr/local'
  sys.path = [
    '/usr/local/lib/python39.zip',
    '/usr/local/lib/python3.9',
    '/usr/local/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x0000000801412000 (most recent call first):
<no Python frame>


Not sure if that is a major or related issue. Also not sure where to go from here.
I want to avoid breaking my config, and I'd like to avoid a fresh install.
Figured I'd try the forums with people who are significantly more experienced with OPNsense and this stuff in general than me.
#9
OK, final revelation, because I am completely unsure of where to go from here with diagnosis.

So I just tested the internet on my family VLAN on my brother's computer, and it seems to be working without issue.
It seems to be potentially VLAN related. I cannot ping my desktop from even the firewall, despite being on the same VLAN.
I can, however, ping Google from the firewall.
I can't ping the firewall from my desktop.

Usually it says in the shell "web interface can be reached at X ip".
I noticed it doesn't say that.
I do see sums for HTTPS.

Also, it looks like all the interface IPs are set correctly.
I know I have the web UI set to only listen on my VLAN, not my family's, so it probably is something relating to that. It partially makes sense why I can't ping around my VLAN and also can't reach the web UI if it's a VLAN issue.

But I fail to see why this issue occurred, and I fail to see what the actual issue is.
I don't understand why the restore didn't resolve the issue either, seeing that was a period where the firewall was working without issue.

I don't know how to further diagnose this issue and really need to get the internet back up.
#10
OK so, I was able to delete it with os-sunnyvalley.

Also, I didn't realize it made automatic backups. So I restored a backup from the 14th, when the system was working with no issues.
I hit yes to reboot for a clean config, and when finished it was STILL giving the same issue. So I rebooted once more; I could access the web GUI and ping the server for a few seconds, and then it went unresponsive again!

This makes no sense to me; all I did was install a package. And even after reverting to a backup created in a working period, it is still giving the same exact issue.
#11
I see it under pkg info; I can search for it with pkg search sunny,
but I can't pkg delete or pkg install it without it saying it can't find it. I don't understand.
It still doesn't make sense to me that just installing the package would cause this issue.
#12
OK, I was able to log in to the web UI fast enough to enable the root user before it crashed again, and I can log in to the shell via root now!
I tried pkg delete sunnyvalley-1.2_2 and it just says "packages requested for removal: 0 locked, 1 missing".

I looked in pkg info and I see it there, but the beginning part of my screen is cut off on the monitor, so maybe I'm missing something before it?
#13
So, I was in the web GUI under Plugins and went to install Sensei. It installed, but I didn't see it in the services list, so I logged out and back in. Still didn't see it, and as I was clicking through menus the web UI just crashed. Internet stopped working; I can't ping anything from my client, not even the server.

If I reboot the server, everything works for about 20 seconds and then it all crashes again and becomes unresponsive.

I didn't even enable it yet. I doubt it starts in an enabled state, so I don't know what is going on, but I have zero internet and limited time.
Stupid me didn't make a recent backup. I was wondering if anyone had any ideas, and yes, I learned my lesson.

I CAN get in via the shell, not SSH. In the shell I log in as my user and try to delete the package in the hope that fixes it. I get a "user is not in the sudoers file" error. Well, I disabled the root user via the web interface, and this user has no issues managing stuff in the web UI. I gave it wheel/root access when I did it, so I don't know what to do.
Not sure if deleting it will even fix it, so I don't know. I'm not sure why this even happened, but I'm so lost and can't find anything when searching.
#14
Is there a way to set up a simple custom HTML+CSS page to display when clients visit a website that is blocked by Unbound's blocklist? And ideally have it display which blocklist it is blocked by.
#15
How do you properly read the Unbound logs to determine which sites are blocked and which are passed?
It looks like there is no way to filter between the two, which sucks.

And as for the syntax for whitelisting/blacklisting, how do I make a catch-all for a domain?
For example, if I wanted to whitelist all of Facebook, would facebook.com/* not work?
Or all of a website with domains like 1.amazon.com, 2.amazon.com, something like *.amazon.com/*?

Not exactly familiar with regex, so a simple cheat sheet would be nice. I don't plan on doing anything crazy, but I cannot seem to figure it out.
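A point that ties the blocklist posts together (#8, #14 and #15): a DNS blocklist only ever sees the hostname being queried, never a URL path, so a pattern like facebook.com/* can match nothing, while a bare domain (or *.domain) can be made to cover every subdomain. The script below is an added example, not OPNsense's Unbound blocklist implementation, whose own matching rules apply on the firewall: it parses hosts-format lists such as the blocklistproject files, applies a whitelist of domain patterns, reports path-style patterns that can never match, and says which list a blocked name came from. The list contents are constructed except for the tracking.txt file name and 1000mercis.com from the post.

```python
"""Work out whether a hostname would be blocked, and by which list, given
hosts-format blocklists and a whitelist of domain patterns.

Added example for the blocklist questions in this thread.  It is not
OPNsense's Unbound blocklist code, whose matching rules are its own; it only
shows the DNS-side logic.  Lists and names below are constructed, apart from
the blocklistproject file name and 1000mercis.com taken from the post.
"""
import re

BLOCKLISTS = {
    # constructed excerpts in the "0.0.0.0 hostname" hosts format those lists use
    "tracking.txt": """\
# Title: constructed sample
0.0.0.0 1000mercis.com
0.0.0.0 ads.example.net
0.0.0.0 telemetry.example.org
""",
    "ads.txt": """\
0.0.0.0 ads.example.net
0.0.0.0 pixel.facebook.com
""",
}

# "facebook.com/*" is included on purpose: a URL path never reaches a resolver,
# so the pattern can match nothing and is reported rather than silently ignored.
WHITELIST = ["facebook.com/*", "*.amazon.com"]


def parse_hosts(text):
    """Hostnames from a hosts-format list (comments and blank lines skipped)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            names.add(fields[1].lower().rstrip("."))
    return names


def compile_whitelist(patterns):
    """Turn domain patterns into regexes matching the domain and all subdomains.

    "example.com" and "*.example.com" are treated the same: both cover
    example.com, www.example.com and a.b.example.com.  Anything containing a
    "/" is rejected because DNS queries carry no path.
    """
    compiled, rejected = [], []
    for pat in patterns:
        if "/" in pat:
            rejected.append(pat)
            continue
        dom = pat.lower().strip(".")
        if dom.startswith("*."):
            dom = dom[2:]
        compiled.append((dom, re.compile(r"(^|\.)" + re.escape(dom) + r"$")))
    return compiled, rejected


PARSED = {name: parse_hosts(text) for name, text in BLOCKLISTS.items()}
WHITELIST_RX, REJECTED = compile_whitelist(WHITELIST)


def lookup(hostname, blocklists=PARSED, whitelist=WHITELIST_RX):
    """Return ("pass"|"block", reason).  Whitelist wins; blocklists match the
    exact hostname only, which is what a hosts-format entry promises."""
    name = hostname.lower().rstrip(".")
    for dom, rx in whitelist:
        if rx.search(name):
            return "pass", f"whitelist:{dom}"
    hits = sorted(lst for lst, names in blocklists.items() if name in names)
    if hits:
        return "block", ",".join(hits)
    return "pass", "not listed"


if __name__ == "__main__":
    print("rejected whitelist patterns:", REJECTED)
    for host in ("1000mercis.com", "ads.example.net", "pixel.facebook.com",
                 "1.amazon.com", "www.opnsense.org"):
        print(host, "->", lookup(host))
```

With the whitelist as written, pixel.facebook.com is still blocked because the path-style pattern was rejected; replacing it with plain facebook.com (or *.facebook.com) passes every facebook.com name. Whether a blocklist hit should also cover subdomains of a listed name is a policy choice; the hosts format used by these lists only promises the exact name, which is what the code does.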