Messages - julsssark

#1
See here and note the links that explain the privacy/reliability advantages: https://nlnetlabs.nl/projects/unbound/about/

While your ISP can't see your DNS requests because they are encrypted, my understanding is that Google/Cloudflare could. Similar to how you can log into your AdGuard console and can see all of the DNS requests coming into AdGuard from your local devices.
#2
As I understand it, Unbound provides more privacy than using AdGuard for your DNS service. Unbound is a resolver that directly queries authoritative nameservers, while AdGuard forwards requests to your ISP's (or Google's, etc.) DNS service. DoH will secure your request in transport, but the DNS service you are using will still know your DNS requests.
#3
Notifications using HomeAssistant to Amazon Echo is genius! Thank you for sharing. I'm going to add that.

I'm really impressed with Uptime Kuma's abilities and UX for up/down monitoring in my homelab. I am using Uptime Kuma to monitor the OPNsense gateway and OPNsense services (api/core/service/search Query: $exists(rows[running=0]) Expected Value: false). I looked at Zabbix for the "fun" of it, but I really don't "need" to monitor with that level of granularity.

I am using Graylog/Grafana for log monitoring, but I am nearly done switching over to Alloy/Loki/Grafana.
#4
@Meyergru, I'd be interested in learning what else you are monitoring within OPNsense using Uptime Kuma.
#5
Thank you Meyergru! You led me to the right solution. In researching how to parse the status of the specific gateway, I realized that I was using the wrong JSON expression notation. Uptime Kuma uses JSONata and not JSONpath. I also learned that if you clear off the last error message and the same error exists, you won't get a new error message. In case anyone else finds this thread:

* You can query for a specific gateway status using: items[name="XXX"].status_translated == Online where XXX should be replaced with the gateway name you want to monitor
* The correct syntax for checking the success of the gateway request: status == ok (not $.status == ok)
* Select basic auth from the Authentication method dropdown, put the key in for the username and the secret for the password

If you just need basic up/down monitoring in your home lab, I highly recommend Uptime Kuma.
#6
I am trying to monitor the status of my WAN gateway using Uptime Kuma and the OPNsense API. Despite my best efforts and Google skills, I cannot get it to work and would appreciate any help. The monitor is showing red/down continually and there are no errors in the Uptime Kuma messages area. I am pretty sure it is an error in the way I am configuring Uptime Kuma. Here's what I have done:

1) Set up a new user, with access to the Gateways, and generated the key/secret
2) Used curl -k -u "<key>":"<secret>" https://myIP/api/routes/gateway/status from the Uptime Kuma console and I get the expected response
3) Configured Uptime Kuma as follows:
  • Monitor type = HTTP(s)-Json Query and the URL is the same as in step #2
  • Json Query expression and associated fields are set to $.status == ok
  • Method is GET, body encoding is JSON and body/header fields are blank
  • Authentication is set to basic auth and I put the key/secret into the username/password fields

I've tried various combinations of putting the authorization into the header/body, encoding the key/secret into base64, checking/unchecking the "ignore TLS/SSL errors". I'm probably just not using the right combination of things.
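The two Uptime Kuma checks discussed in this thread (the gateway status query from the post above and its answer, and the service search query mentioned earlier) can be reproduced outside Uptime Kuma to confirm what the API actually returns before debugging the monitor form. The script below is an added example, not code from the thread or from the OPNsense or Uptime Kuma projects. It assumes the same endpoints and fields the posts rely on (`/api/routes/gateway/status` with `status` and `items[].name` / `items[].status_translated`, and `/api/core/service/search` with `rows[].running`); the URL, key, secret and gateway name are placeholders, and the sample payloads are constructed to mirror those fields.

```python
"""Stand-alone re-implementation of the two Uptime Kuma JSON checks from the
thread, against the OPNsense API with key/secret as HTTP basic auth.

Added example. Assumptions: OPNSENSE_URL, API_KEY, API_SECRET and the gateway
name are placeholders; SAMPLE_* payloads are constructed, not captured."""
import base64
import json
import ssl
import urllib.request

OPNSENSE_URL = "https://opnsense.example.invalid"  # placeholder firewall URL
API_KEY = "<key>"        # placeholder: OPNsense API key (basic-auth username)
API_SECRET = "<secret>"  # placeholder: OPNsense API secret (basic-auth password)


def api_get(path, key=API_KEY, secret=API_SECRET, verify_tls=True):
    """GET an OPNsense API endpoint, equivalent to the thread's
    curl -k -u "<key>":"<secret>" https://myIP/api/... call.
    verify_tls=False mirrors Uptime Kuma's "ignore TLS/SSL errors" switch."""
    req = urllib.request.Request(OPNSENSE_URL + path)
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def gateway_online(payload, gateway_name):
    """Equivalent of the JSONata expression
        items[name="XXX"].status_translated   (expected value: Online)
    plus the request-level check  status == ok  (note: not $.status, which
    is JSONPath syntax and silently matches nothing in Uptime Kuma)."""
    if payload.get("status") != "ok":
        return False
    for item in payload.get("items", []):
        if item.get("name") == gateway_name:
            return item.get("status_translated") == "Online"
    return False  # a gateway missing from the list is treated as down


def all_services_running(payload):
    """Equivalent of the JSONata expression
        $exists(rows[running=0])   (expected value: false)
    i.e. the check passes only when no service row reports running=0."""
    return not any(row.get("running") == 0 for row in payload.get("rows", []))


# Constructed sample responses shaped like the fields the thread relies on.
SAMPLE_GATEWAY_STATUS = {
    "status": "ok",
    "items": [
        {"name": "WAN_GW", "address": "203.0.113.1", "status_translated": "Online"},
        {"name": "WAN2_GW", "address": "198.51.100.1", "status_translated": "Offline"},
    ],
}
SAMPLE_SERVICE_SEARCH = {
    "rows": [
        {"id": "unbound", "name": "Unbound DNS", "running": 1},
        {"id": "dhcpd", "name": "DHCPv4 Server", "running": 0},
    ],
    "total": 2,
}


if __name__ == "__main__":
    # Offline run against the constructed samples.
    print("WAN_GW online (sample):", gateway_online(SAMPLE_GATEWAY_STATUS, "WAN_GW"))
    print("all services running (sample):", all_services_running(SAMPLE_SERVICE_SEARCH))
    # Live run: fill in the placeholders above, then uncomment.
    # gw = api_get("/api/routes/gateway/status", verify_tls=False)
    # print("WAN_GW online:", gateway_online(gw, "WAN_GW"))
    # svc = api_get("/api/core/service/search")
    # print("all services running:", all_services_running(svc))
```

Running it as-is evaluates the constructed samples; pointing `api_get` at a real firewall shows the raw JSON, which is the quickest way to confirm the exact gateway `name` and field spelling before typing the expression into the Uptime Kuma form.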
#7
See the OPNsense docs for guidance on selecting a DHCP server. https://docs.opnsense.org/manual/dhcp.html
#8
25.7, 25.10 Series / Re: UniFi Switch Uplink Blocked
September 10, 2025, 04:07:38 AM
@meyergru, I always learn something from your posts. Thanks for taking the time to elaborate.

I agree that Unifi is spread way too thin. They still haven't even removed the old legacy interface from the Network App.
#9
25.7, 25.10 Series / Re: UniFi Switch Uplink Blocked
September 09, 2025, 05:24:40 PM
FYI - I am running the USW 48 POE with 7.2.120, OPNsense 25.7.3 and multiple VLANs. I have not had any problems with STP. I do not have any untagged traffic on my trunk. Are you using RSTP or STP? I am using RSTP, and all Unifi options on my ports are off (e.g., storm control, loop protection, etc.) except for STP.
#10
You either need to run Kea or ISC or Dnsmasq for DHCP services. You can't run all three at the same time, even on different interfaces. If you are going to stay with ISC, I suggest removing all interfaces from Kea/DNSmasq and then disabling Kea/DNSmasq.

Note that the recommended DHCP setup for small networks is to use DNSmasq. It is the default for the setup wizard for new installs. See here. https://docs.opnsense.org/manual/dnsmasq.html
#11
@meyergru and @OPNenthu - thank you for educating me. I always learn new things from this forum. I didn't consider the dependency on the native port in the case of a switch failure. Fortunately, I keep an old 8 port Unifi switch around as a cold spare for my main switch. In the event of my switch failing, I can at least get my 4 APs back online. I should be able to provision a new switch by setting one of the ports to a full trunk. Like @meyergru, I never experienced a problem when I had my OPNsense router (Protectli with Intel NICs) plugged into a full trunk port.
#12
Why is a native network needed for Unifi gear? I have VLAN 90 set as my management VLAN. My Unifi switch and APs are all in VLAN 90. The UniFi Network Application is sitting in a server VLAN. When I provision a new Unifi AP, I set the new AP's port on the switch to tagged VLAN 90. This gets the new AP on the network with an IP in VLAN 90. I then adopt the AP, set the management VLAN to 90 in the device's settings and then change the switch port to a "trunk" (all VLANs without a native).
#13
I changed my MGMT VLAN in Unifi to 90 and that avoids the whole native/VLAN1 issue.
#14
I've been running AdGuard Home from mimugmail for years. It works great.
#15
@benix, the utility recommends the commands to run. You'll need to run those commands to do the update. Or you can run the utility with the "shoot-me" option and it will prompt/run each command for you.