Messages - robbie11r1

#1
Hello, I am experiencing an odd issue with DNS on my OPNsense firewall itself where it is unable to properly resolve local domain names (configured using this setup, specifically Part 7 for local only: https://forum.opnsense.org/index.php?topic=23339.0). I notice this because I have a Nextcloud backup running nightly from OPNsense as well as a Github configuration change plugin running, both pointing at local domains (nc.mydomain.me and gitea.mydomain.me). I started to see failures in my OPNsense logs and that my backups had stopped, and when I went to investigate I discovered that my previously-working setup was no longer resolving the domain I had configured. To further investigate, I attempted to use the ping tool built into OPNsense to ping ANY local domain on my network, and none of the *.mydomain.me addresses resolve. Pinging using IP address works fine throughout this process, so I am confident that there are no firewall blocks and that this is a DNS issue. I have no issues using local domains from any other machine in my network.

I have my DNS set up very similarly to what is posted here: https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626. I have Adguard Home listening on port 53, Unbound on 5353 and routing DNS over TLS via a Wireguard network interface.

From any other machine in my network, I am able to resolve local domains without issue, but it appears that OPNsense itself is having trouble. The only resolution I have discovered is that if I add 127.0.0.1 to System -- Settings -- General, OPNsense is suddenly able to resolve local domains again... but this only lasts for a couple of days and then I start seeing my backups failing. If I go back into System -- Settings -- General and click "save", everything starts working again...

I have firewall rules in place to redirect DNS queries back to the interface itself, but I don't believe that has any impact on OPNsense itself being unable to resolve local domains.

My /etc/resolv.conf is set up as follows:
domain localdomain
nameserver 127.0.0.1
nameserver 127.0.0.1
search localdomain

I saw a similar post here: https://forum.opnsense.org/index.php?topic=32656.15, but the resolution appeared to be that Adguard Home was not listening on all interfaces. In my case, it already is.

I am quite baffled and not sure where to continue investigating with this intermittent issue. The only other thing I can think of is that maybe I need to add a Cron job to "Reload system DNS resolver config", since it looks like simply going into my System -- Settings -- General and clicking "save" provides temporary relief... is this a valid thing I should be doing and if so, why?

Any help or directions to look would be greatly appreciated!
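Added example (not part of the original post): a small probe that reads a resolv.conf, queries each listed resolver directly over UDP port 53 for a local name, and reports per-resolver results. Running it from cron and logging the output is one way to see whether the intermittent failure above is the resolver at 127.0.0.1 not answering, answering NXDOMAIN, or timing out. The resolv.conf text and the canned response are constructed inline so the encoder/decoder can be exercised offline; the probe itself assumes the resolvers answer plain DNS on UDP 53 (as Adguard Home does in the setup described).

```python
"""Probe every resolver in a resolv.conf for a local name (added example)."""
import random
import socket
import struct

# Constructed sample, matching the resolv.conf quoted in the post above.
SAMPLE_RESOLV_CONF = """domain localdomain
nameserver 127.0.0.1
nameserver 127.0.0.1
search localdomain
"""


def parse_resolv_conf(text):
    """Return the ordered, de-duplicated nameserver list from resolv.conf text."""
    servers = []
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 2 and parts[0] == 'nameserver' and parts[1] not in servers:
            servers.append(parts[1])
    return servers


def build_query(name, qid):
    """Encode a recursion-desired A/IN query in RFC 1035 wire format."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, qid, addr=None, rcode=0, ttl=300):
    """Constructed reply for offline tests: one A record, or an empty reply carrying rcode."""
    query = build_query(name, qid)
    answers = 0 if addr is None else 1
    header = struct.pack('!HHHHHH', qid, 0x8180 | rcode, 1, answers, 0, 0)
    body = query[12:]  # reuse the question section verbatim
    if addr is not None:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        body += b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + body


def _read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack('!H', msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 20:
                raise ValueError('compression pointer loop')
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), (end if jumped else offset)


def parse_response(msg, qid):
    """Return (rcode, [A record addresses]); reject replies whose ID does not match."""
    rid, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    if rid != qid:
        raise ValueError('transaction ID mismatch')
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, addrs


def probe(servers, name, timeout=2.0):
    """Query each resolver directly; map server -> 'addr,...', 'rcode=N' or 'error: ...'."""
    results = {}
    for server in servers:
        qid = random.randint(0, 0xFFFF)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(4096)
            rcode, addrs = parse_response(data, qid)
            results[server] = ','.join(addrs) if addrs else 'rcode=%d' % rcode
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            results[server] = 'error: %s' % exc
        finally:
            sock.close()
    return results


if __name__ == '__main__':
    with open('/etc/resolv.conf') as fh:
        print(probe(parse_resolv_conf(fh.read()), 'nc.mydomain.me'))
```

Because the probe talks to each nameserver address directly, a failure here separates "the resolver is not answering" from "the system is picking the wrong resolver", which clicking save in System -- Settings -- General would mask by rewriting resolv.conf.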
#2
@TheHellSite, I saw some other posts over the last year with similar problems to mine (503 error) and solved it by de-selecting SSL in the Real Server section. I tried that with Jellyfin and nothing changed for me (still same 503 with valid cert).

I get the same error for every service, no matter if SSL is selected or not. Is there anything else I should be changing aside from just de-selecting SSL?

Thank you again!

EDIT: As of this morning (and changing nothing), everything started to work. Not sure what did it, but awesome tutorial and thanks for the feedback/troubleshooting with everyone, helped immensely.
#3
Good Evening,

Thank you for the excellent tutorial! I have set up HAProxy + Wildcard Certificates following this tutorial, but am experiencing a 503 error when trying to access jellyfin.example.com using the setup here. I do not have any of these services accessible from outside my network (i.e., no WAN 443/80 ports open) and am only interested in being able to access "jellyfin.example.com" --> 192.168.5.88:8096 with a valid Let's Encrypt cert from inside my network. Right now when I access jellyfin.example.com, my browser shows a valid cert but throws a 503 error. Double and triple checking the tutorial has left me without any further options to explore.

Does anyone have any suggestions where I can look? Thank you very much in advance!

Unbound Host Override: *.example.com --> 192.168.5.1 (OpnSense LAN IP)


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63687fb14df779.98297035.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Local_Only_Subnet
    acl acl_63687bc7cf9331.77802781 src 192.168.5.0/24

    # ACTION: Local_subdomain_map
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63687b6d92a544.19528694.txt)] if acl_63687bc7cf9331.77802781

# Frontend: SNI_Frontend (Listening to 0.0.0.0:80; 0.0.0.0:443)
frontend SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: HTTP_Frontend (Listening on 127.4.4.3:80)
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_Condition
    acl acl_63687974def2f4.69235454 ssl_fc

    # ACTION: HTTPtoHTTPS
    http-request redirect scheme https code 301 if !acl_63687974def2f4.69235454

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Jellyfin 192.168.5.88:8096 ssl verify none

# Backend: TPLink_Backend ()
backend TPLink_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server TPLinkSwitch 192.168.5.5:80

# Backend: Opnsense_Backend ()
backend Opnsense_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Opnsense 192.168.5.1:8100 ssl verify none

# Backend: Proxmox_Backend ()
backend Proxmox_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Proxmox 192.168.5.201:8006 ssl verify none



# statistics are DISABLED


Map File:

jellyfin Jellyfin_Backend
tplink TPLink_Backend
opnsense Opnsense_Backend
proxmox Proxmox_Backend
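Added example (not part of the original posts or the OPNsense HAProxy plugin): a Python emulation of the routing decision that HTTPS_Frontend makes for a request, so the 503 discussed in the two posts above can be narrowed down before looking at the backends. It reproduces the `Local_Only_Subnet` ACL (src 192.168.5.0/24), the `lower` converter, and HAProxy's `map_dom` lookup over the posted map file (a key matches when it appears in the Host value delimited by '/', '?', '.' or ':' or at either end, first matching line wins). Because HTTPS_Frontend has no `default_backend`, any request that fails the ACL or has no map entry gets HAProxy's 503. The map file contents and the sample requests are constructed inline from the post.

```python
"""Emulate HAProxy's use_backend + map_dom routing from the posted config (added example)."""
import ipaddress

# Constructed copy of the map file shown in the post.
MAP_FILE = """jellyfin Jellyfin_Backend
tplink TPLink_Backend
opnsense Opnsense_Backend
proxmox Proxmox_Backend
"""

# The Local_Only_Subnet ACL from the posted frontend.
LOCAL_SUBNET = ipaddress.ip_network('192.168.5.0/24')

# Delimiters used by HAProxy's "dom" match (pat_match_dom).
DOM_DELIMITERS = set('/?.:')


def parse_map(text):
    """Parse an HAProxy map file: one 'key value' pair per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(' ')
        entries.append((key, value.strip()))
    return entries


def map_dom(subject, entries):
    """Return the value of the first key found in subject enclosed by delimiters/ends."""
    for key, value in entries:
        n = len(key)
        for start in range(len(subject) - n + 1):
            if subject[start:start + n] != key:
                continue
            left_ok = start == 0 or subject[start - 1] in DOM_DELIMITERS
            right_ok = start + n == len(subject) or subject[start + n] in DOM_DELIMITERS
            if left_ok and right_ok:
                return value
    return None


def route(src_ip, host_header, entries, subnet=LOCAL_SUBNET):
    """Replicate HTTPS_Frontend: ACL gate, then map lookup; no default_backend means 503."""
    if ipaddress.ip_address(src_ip) not in subnet:
        return '503 (src not in Local_Only_Subnet, no default_backend)'
    backend = map_dom(host_header.lower(), entries)  # req.hdr(host),lower,map_dom(...)
    if backend is None:
        return '503 (no map entry for Host, no default_backend)'
    return backend


if __name__ == '__main__':
    entries = parse_map(MAP_FILE)
    # Constructed sample requests: client IP and Host header as the frontend sees them.
    for src, host in [('192.168.5.20', 'jellyfin.example.com'),
                      ('192.168.5.20', 'jellyfin.example.com:443'),
                      ('10.0.0.5', 'jellyfin.example.com'),
                      ('192.168.5.20', 'plex.example.com')]:
        print('%-14s %-26s -> %s' % (src, host, route(src, host, entries)))
```

Note that `src` is the real client address here only because SNI_Frontend hands the connection over with `send-proxy-v2` and HTTPS_Frontend binds with `accept-proxy`; a client outside 192.168.5.0/24 (another VLAN, a VPN range) fails the ACL and gets a 503 even though the certificate is fine. If the emulation returns a backend name, the 503 is coming from the backend connection instead, and the termination-state flags in the HAProxy log for that request are the next thing to read.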