Messages - WolfpactVI

#1
Good afternoon everyone,

Currently my home router/firewall is Opnsense 24.7.10_2 on an old Dell server I had lying around.  I'd like to get some things set up on it.  Hoping someone can point me in the right direction, hopefully to recent tutorial(s) or video(s) to walk me through.  I've been scouring the interwebs, but anything I find is either outdated or incomplete.  I'm not even entirely sure it's possible to do what I want.

I'd like the basic setup to be:  Computers, phones, etc ---> Opnsense box ---> Pi-hole/Adguardhome ---> PIA VPN

Basically I want all devices (except perhaps specific machines or VLANs) to be run through my PIA VPN without needing to set up each one, AND have ad blocking and adult website blocking at the router level.  Further, I'd like Pi-hole or Adguardhome to NOT route traffic to specific websites through PIA (like Disney+ or other sites that break when using PIA, for instance), but instead to Unbound or Cloudflare or something.  This second part is what I don't know if it's even possible on a per-website basis.

For now, I really want to at least get the first part set up.  I successfully got Adguardhome set up on the Opnsense box itself using a tutorial.  I tried installing Pi-hole in Docker on my home server, but could not seem to get Opnsense connected to it (as an aside, if someone has a tutorial on how to do that, it would be much appreciated - I would still like to get this working, even if I decide to stick with Adguardhome in the end).  I'm not helpless, just completely strapped for time right now, but at the same time I've put this off far too long.

Thanks in advance everyone!
#2
Quote from: bartjsmit on August 06, 2024, 03:14:05 PM
It is the FQDN from the client perspective, i.e. your Cloudflare DDNS name.

Interesting, because I know I have setups still on previous versions of Opnsense where it just says "internal-ca" for the CN and (seems to be) working just fine.  But I'll definitely try putting my domain address in there and see what happens.  Thanks again!
#3
Quote
The place to choose your newly-created CA is under Key->Issuer. Not sure if this is a change in 24.7 (I don't have anything older to compare to right now), but it's a doc bug (now) anyway....

Thanks for the clarification!  I guess the docs haven't been updated to match the new interface layout yet?
#4
Quote from: bartjsmit on August 06, 2024, 07:42:05 AM
You don't need to create a cert for the CA, it comes with one. You need to request a cert for your server (i.e. the firewall) and later on for your clients (the VPN users)

- create a CSR with the CN which will match your DNS FQDN
- sign it with OpenVPN_CA
- configure OpenVPN to use it

Bart...

Thanks for the clarification on server (firewall) vs CA.  I was wondering about the FQDN too.  In previous (working) iterations, I noticed that under Common Name it just said "internal-ca" and I saw some places in the interwebs saying to use that.  When you say to use a Common Name that will match my DNS FQDN, do you mean put in "subdomain.mywebsite.com"?  Because the instructions said to use the FQDN of this machine, which, as far as I know, my firewall doesn't have.
#5
Hello all,

Wondering if you could help with a little problem I'm having.  Probably end up to be some stupid oversight on my part, but I'm prepared to be humbled.  Recently upgraded to 24.7, imported all my settings, but my OpenVPN connection no longer worked.  The clients on remote PCs just hung and then timed out.  I'm using DDNS to Cloudflare on one of my subdomains.  That seems to be fine.  I can ping the subdomain and my home IP from my ISP remotely.  Not sure what broke, but thought maybe it had something to do with the certificates.  So I decided to try starting from scratch using the new "instance" version of OpenVPN.

I was following the instructions in the documentation here https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html .  Step 1, create certificate authority.  No problem, created one called OpenVPN_CA.  Step 2, generate a certificate for the CA.  Here's where I'm getting confused.  The second bullet point says "Choose the just created authority in Certificate authority".  However, on the certificate creation window there is no field called "Certificate Authority" from which to select the newly created OpenVPN_CA.  See attached screenshot.  What am I missing here??

Thanks!
#6
Well, I've got a weird update.  Everything works now!  After wondering yet again whether it was really Comcast screwing everything up, I logged into our Comcast Business account and verified one more time that SecurityEdge still showed "not set up".  All good.  But this time, I decided to go a step further and clicked on Set Up, did the first setup step, but then went back without finishing.  Now on the Internet settings page, lo and behold, SecurityEdge was now turned on, with a message that setup was not finished.  So I clicked the toggle and turned it off.  And DHCP DNS worked!  Whether from a phone connected to Wifi or a desktop PC using DHCP connected via ethernet.  And Opnsense system updates work too!  Near as I can figure, SecurityEdge was actually turned on, even though it said it was not, and was never set up.  From many other posts, it seems SecurityEdge causes all sorts of grief when trying to run one's own firewall.  Who would have thought that when it showed as off it was actually on. 

So sorry to waste your time with all of that.  I do appreciate you sticking with me.  I did learn a LOT about my firewall.  Fingers crossed that this is the end of this particular issue!

P.S. - I discovered one thing left still checked from all of my monkeying with this.  On Services: Unbound DNS: DNS over TLS (which I was looking into in case I could not get around Comcast...but SecurityEdge was "off".... ::) ), the box Use System Nameservers was checked, and there was a little warning underneath saying there were no system nameservers configured (which was true).  So I unchecked that.  But in testing, it seems to make no difference whether it was checked or not.
#7
Heh, I did read through that article.  I just went through it again with a fine tooth comb.  Nothing stood out to me with regard to anything checked or unchecked, set or unset, that might be causing this.

Yes, any client with an external DNS address directly configured works fine.  It's when clients try and use the LAN IP as the DNS that issues come up.  Also, system queries are failing (at least, when using the "Check For Updates" as a test - with DNS address erased from everywhere, no update server can be found - when 1.1.1.1 entered under System:Settings:General, the update server can be reached again).

I'll upload screenshots of everything tomorrow.
#8
Sorry for the delay.  Busy weekend.

resolv.conf has only the following in it:

domain localdomain
nameserver 127.0.0.1
search localdomain

Packet capture had the following pair for google.com from igb0 (LAN) when the PC is switched to DHCP (and identical responses for any other website attempted to visit).  .2 = Opnsense LAN, .175 = desktop PC:

492   7.344390   192.168.10.175   192.168.10.2   DNS   74   Standard query 0xc9a5 A www.google.com
494   7.345286   192.168.10.2   192.168.10.175   DNS   74   Standard query response 0xc9a5 Server failure A www.google.com

On the WAN side (em0) packet capture, there are no DNS entries from any local device, just a bunch of DNS entries back and forth between the WAN address to outside DNS like Cloudflare (1.1.1.1) or Comcast (75.75.5.75).   Which is to be expected I guess.  Any device on the network with a static LAN IP is set to use our server as DNS first (which is then set to use Cloudflare) or Cloudflare second if the server's down.  Weird aside, the server is supposed to be using 1.1.1.1 for DNS too, but the timestamps indicate it seems to be the only device querying 75.75.75.75.  Not sure why, I can't seem to find any evidence of 75.75.75.75 in any settings on the server.  But I did inherit this setup, so I'm sure there are oddities left over from the previous setter-upper. 

Also, there were no entries on the WAN side in the packet capture at the 7.34 second mark to match the entries on the LAN side above.

It's like once on DHCP, a device's DNS queries are getting as far as Unbound on the Opnsense box and then just getting blocked or disappearing.  Thanks again for sticking with me on this.  I hardly ever post in forums any more because 99.9% of my issues have already been posted about and solved.  But this one really has me stumped.
#9
Logging was already on.  When switching the test PC to DHCP, a green log "allow access to the DHCP server" showed up, along with the "anti lockout rule" allowing access to the WebUI.  That was it.  Bunch of 127.0.0.1 from and to different ports (including port 53 of unbound) when attempting to check for updates.  I thought maybe it would show 127.0.0.1 trying to reach the WAN or the update server address when checking for updates, but it's always 127.0.0.1:port to 127.0.0.1:some other port.  Don't know if that matters any.  Would it be worth picking some other port for Unbound just to try?

If you have a link for a packet capture tutorial, or feel like explaining it yourself, I'd be grateful.
#10
OK, I will turn on logging of default rules.  Is there a specific one I should be looking at?

I have a laptop with Mint installed on it that I could use for packet capture.

Thanks for hanging in with me through this!  I really appreciate it.
#11
@cookiemonster, amazing guess on the network setup without my having explicitly laid it out for you.  <smacks face>  Yes, that is exactly correct.  I have verified multiple times that no AP is doing DHCP.

As a further test, on my own desktop PC, (plugged into the switch) I changed it entirely over to DHCP.  Soon as I do that, no internet access.  It correctly chooses the Opnsense box for both gateway and DNS.  If I manually change just the DNS on the desktop PC to 1.1.1.1 or 8.8.8.8, immediately it has internet access again.
#12
Second screenshot.
#13
Here are two screenshots.  You can see the PC (.175) trying to reach youtube and google, and Opnsense itself trying to reach the update servers.
#14
Under System: Settings: General:  all DNS entries are blank, all "Use Gateway" dropdown menus are set to none.  Under "DNS server options", everything is unchecked.

Under Services: ISC DHCPv4: [LAN], "Enable DHCP server on the LAN interface" is checked, and the Range is set from .125 to .200.  Otherwise everything is blank or unchecked including DNS.

Under Services: Unbound DNS: General:  Enable Unbound is checked, port is left at default of 53, three boxes are checked (which were not initially, but I added a few days ago to try and solve the DHCP DNS issue):   Enable DNSSEC Support, Register ISC DHCP4 Leases, Register ISC DHCP Static Mappings.

After the current config listed above, I did reboot the box, which did not seem to change anything.

For lack of knowing a better way, I did try scanning my network with AngryIP the other day just to see if something else was using port 53, but nothing showed using it at all.

I will try restarting Unbound service and enabling the logging you suggested.

I did notice under Services: Unbound DNS: Advanced that "Aggressive NSEC" was checked, though I did not check that, so I don't know if that is a default setting.
#15
@cookiemonster, thanks for the suggestions.  When I had read through this article, https://homenetworkguy.com/how-to/confused-about-dns-configuration-in-opnsense/, what I thought it was saying, along with some other posts in this forum, was that even if DNS IP's were put in those two locations, it didn't matter because Unbound would ignore them.  Seems I had it exactly backwards.

So a couple of things.  When I switched a PC over to "obtain everything automatically", I did see the "allow access to DHCP server" in the log live view.  Unbound's log did not show anything related to that PC, and no errors or warnings, just Informational and Notice items.  Closest I could find was an occasional "daemonize unbound dhcpd watcher".  However, under Reporting:Unbound DNS:Reporting tab, everything is red with a return code of SERVFAIL and a resolve time of 0ms.  Bunch of entries there from the PC trying to reach different websites, and a bunch of stuff from Opnsense itself trying to check for updates (which incidentally no longer works after I removed all of the DNS IP's).

What should I try next?  Also, do you need screenshots of anything?
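To make the packet capture in post #8 and the SERVFAIL / 0 ms rows in post #15 easier to read, here is an added Python example. It is not OPNsense or Unbound code and was not posted by anyone in this thread. It pairs Wireshark-style DNS summary lines by transaction ID, computes how long the resolver took to answer, and separates SERVFAIL answers that came back too fast to have involved an upstream query from those that did not. The capture lines beyond the google.com pair, the 5 ms threshold and the hostnames used are constructed assumptions.

```python
"""Pair DNS queries with their responses in a Wireshark/tshark packet summary
and classify SERVFAIL answers by how quickly they were returned.

Added example for this thread, not OPNsense or Unbound code. The capture below
is constructed: only the www.google.com pair mirrors post #8, the rest is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption (heuristic, not from the page): a SERVFAIL returned in under 5 ms
# cannot have included a round trip to an upstream or root server, so the
# resolver failed on its own (no usable forwarder, ACL, or validation setup).
SERVFAIL_FAST_MS = 5.0

# Wireshark summary columns: frame, time (s), src, dst, proto, length, info
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp> response)?\s+0x(?P<txid>[0-9a-fA-F]{4})\s*"
    r"(?P<rcode>Server failure|No such name|Refused)?\s*(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)"
)

# Wireshark's info-column wording mapped to RFC 1035 RCODE names
RCODE_NAMES = {None: "NOERROR", "Server failure": "SERVFAIL",
               "No such name": "NXDOMAIN", "Refused": "REFUSED"}

# Constructed sample capture: PC .175 asking the OPNsense LAN address .2
SAMPLE_CAPTURE = """\
492   7.344390   192.168.10.175   192.168.10.2   DNS   74   Standard query 0xc9a5 A www.google.com
494   7.345286   192.168.10.2   192.168.10.175   DNS   74   Standard query response 0xc9a5 Server failure A www.google.com
501   7.612004   192.168.10.175   192.168.10.2   DNS   76   Standard query 0x1b2c A www.youtube.com
503   7.612877   192.168.10.2   192.168.10.175   DNS   76   Standard query response 0x1b2c Server failure A www.youtube.com
510   8.100000   192.168.10.175   192.168.10.2   DNS   73   Standard query 0x4e4e A pkg.example.test
517   8.342000   192.168.10.2   192.168.10.175   DNS   89   Standard query response 0x4e4e A pkg.example.test A 203.0.113.10
520   9.000000   192.168.10.175   192.168.10.2   DNS   72   Standard query 0x7777 A nosuch.localdomain
"""


@dataclass
class DnsExchange:
    txid: str
    client: str
    resolver: str
    qname: str
    qtype: str
    query_time: float
    response_time: Optional[float] = None
    rcode: str = "NO RESPONSE"

    @property
    def latency_ms(self) -> Optional[float]:
        """Milliseconds between the query frame and its answer, None if unanswered."""
        if self.response_time is None:
            return None
        return round((self.response_time - self.query_time) * 1000, 3)

    @property
    def verdict(self) -> str:
        if self.response_time is None:
            return "no response (query dropped or still pending)"
        if self.rcode == "SERVFAIL" and self.latency_ms < SERVFAIL_FAST_MS:
            return "SERVFAIL answered locally: resolver failed before contacting any upstream"
        if self.rcode == "SERVFAIL":
            return "SERVFAIL after upstream attempt: upstream unreachable or answer rejected"
        return self.rcode


def pair_exchanges(lines: List[str]) -> List[DnsExchange]:
    """Match each query to its response by (transaction ID, client address)."""
    pending: Dict[tuple, DnsExchange] = {}
    done: List[DnsExchange] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS summary line (TCP, ARP, blank, ...)
        txid, t = m["txid"].lower(), float(m["time"])
        if m["resp"] is None:
            pending[(txid, m["src"])] = DnsExchange(
                txid, m["src"], m["dst"], m["qname"], m["qtype"], t)
        else:
            ex = pending.pop((txid, m["dst"]), None)
            if ex is None:
                continue  # response whose query fell outside the capture window
            ex.response_time, ex.rcode = t, RCODE_NAMES[m["rcode"]]
            done.append(ex)
    done.extend(pending.values())  # queries that never got an answer
    return done


def summarize(exchanges: List[DnsExchange]) -> Dict[str, int]:
    """Count exchanges per RCODE, e.g. {'SERVFAIL': 2, 'NOERROR': 1, ...}."""
    counts: Dict[str, int] = {}
    for ex in exchanges:
        counts[ex.rcode] = counts.get(ex.rcode, 0) + 1
    return counts


if __name__ == "__main__":
    exchanges = pair_exchanges(SAMPLE_CAPTURE.splitlines())
    for ex in exchanges:
        print(f"{ex.txid} {ex.client} -> {ex.resolver} {ex.qtype} {ex.qname}: "
              f"{ex.latency_ms} ms, {ex.verdict}")
    print(summarize(exchanges))
```

Run it against the text export of a real capture (File > Export Packet Dissections > As Plain Text in Wireshark, or `tshark -r capture.pcap -Y dns`) by swapping in the file's lines for `SAMPLE_CAPTURE`. The google.com pair from post #8 comes out at roughly 0.9 ms, which is the same signal as the 0 ms resolve time in the Unbound Reporting tab: the query never left the firewall before Unbound gave up on it, so the cause is on the resolver side rather than at Cloudflare or Comcast.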