Messages - gspannu

#1
@meyers @franco @others

Any ideas...
#2
Query is about building a 'NON-KILL' switch.

There are plenty of guides suggesting how to build a 'Kill-Switch' - but what I am after is a 'Non-Kill' switch.

Essentially, if the WG VPN tunnel goes down (for whatever reason), I want OPNsense hosts to start using the default 'WAN' tunnel for traffic.

I know that it is a slightly weird situation - but with family/wife/kids .... it is important that internet traffic continues without interruption.


My setup:
- I have a 3rd party VPN (let's say an external hosted VPS or NordVPN or Surfshark).
- I wish to have some specific OPNsense clients go through the WG VPN tunnel.

Actions followed:
- I used the OPNsense documentation for selective routing. The 'WireGuard Selective Routing to External VPN Endpoint' document for IPv4.
- I followed it down to a tee (barring the kill switch listed in Step 11)
- Set up all firewall rules, everything as per documentation.

Everything works as expected 👍, as in the specific hosts now connect through the VPN tunnel and traffic is routed through WG tunnel as expected. All good so far.

Q: However, if this WG tunnel was to drop (or the Gateway monitoring showing 100% loss) - I would like the same hosts to start using the default 'WAN' gateway. Currently, these hosts cannot access the internet at all.

Can anyone help with how to do this?
#3
25.1 Production Series / Re: AdGuard customize .yaml file
February 24, 2025, 08:26:18 PM
Quote from: zzzkeil on February 24, 2025, 06:14:39 PM
Hi, @dseven and @gspannu thanks for your answers.
I'm using mimugmail-single.conf for AdGuard.
My concern was, if opnsense or some script regularly checks, overwrites or does something else with the file.
But like you wrote, editing manually or with the WebUI works nicely.
I made manual changes yesterday evening, and everything works so far.
(changes like: password, ssl 4 webui, bind ip port.)

My question was answered.
Thanks a lot.

👍
#4
Quote from: Seimus on February 24, 2025, 04:13:09 PM
Reporting > Health > Quality

This will be shown only if monitoring of the GW is active.

Regards,
S.

Thanks... 👍
#5
Quote from: TomT on February 22, 2025, 12:09:58 AM
Hi,
I've been having a look around my Opnsense server and was hoping someone could explain what system information quality is showing me.

I've attached an image of what I get.
Thanks

Would you be kind enough to advise 'Where is this graph within OPNsense'?
Which menu item?
#6
25.1 Production Series / Re: AdGuard customize .yaml file
February 24, 2025, 01:37:41 PM
Quote from: zzzkeil on February 23, 2025, 06:36:04 PM
Hi,
does someone have a running customized AdGuard setup with modifications to the AdGuardHome.yaml file?
So if I change the password and insert a self-signed cert ( certificate_chain and private_key ) and so on, will this work or is this not the way we can do this on opnsense?

( opnsense 25.1.1 – home environment, private use )

Thanks

Yes, AdGuardHome.yaml can be configured to your heart's content... not an issue. The AGH implementation in OPNsense is no different than AGH anywhere else. The plugin is just a service wrapper.

What are you trying to do with the certs within AGH? Run as DoT/DoH/quic server?

- Please explain what you are trying to achieve, and maybe I could assist?
#7
Thank you everyone for the amazing amount of information in the above posts on this topic. Need to read each post carefully and then get to playing around with my setup.

Thank you all...
#8
25.1 Production Series / Re: Upgrade Not Showing
February 19, 2025, 09:47:34 AM
Is there an issue with the mimugmail repo?

I am on 25.1.1 and facing a similar problem. Choosing Update from either the GUI or CLI does not check for any updates and just 'sort of hangs'. The system keeps running fine. A reboot does not fix the issue.

However, removing the mimugmail conf file from `/usr/local/etc/pkg/repos/` and running `pkg update -f` and then checking for updates seems to fix the updates and the system checks for updates as expected.

This has only just started... only noticed this after the 25.1.1 update, it definitely was not an issue until 25.1
#9
Quote from: meyergru on February 13, 2025, 02:54:29 PM...


@meyergru First of all, thanks for writing out this great detailed guide... Really, really helpful to get started with IPv6.

I have a similar setup, I get a /56 dynamic IPv6 range from the ISP that changes with every reboot.
So far have not been able to get the same IPv6 allocated on reboot - played around with the suggested settings of specifying values for 'DHCP Unique Identifier' and enabled 'Prevent release' in Interfaces->Settings.

I am running Blocky (It is an adblocker like AdGuardHome/PiHole) as a plugin on OPNsense, but in order to manage adblocking per client, I need static IP addresses with hostnames for each IPv6 client for use within the local network. IPv4 is super simple and all clients across my 3 VLANs are assigned static IPv4 through DHCPv4 server.

Q: How do I get static IPv6 addresses to these LAN/vLAN clients using the setup you have suggested above? Some have suggested static ULAs, but I have no idea how to implement the same.

Request: Could you please expand your guide to cover static IPv6 addresses (similar to IPv4) for LAN clients, so that IPv6 clients can be assigned hostnames and be distinguished uniquely for PiHole kind of applications (within the local network)?

Thanks..
#10
Quote from: opensourcefan on January 18, 2025, 06:49:36 AM
Quote from: gspannu on January 08, 2025, 09:49:35 PM
Hi Franco,

This 'bug/issue' has likely been introduced sometime in 24.7.x, as I was running this setup for many months without any issue and the failover principle always worked.

I then switched over to AGH at some point, so cannot pinpoint in which 24.7.x build this may have crept in.

It is definitely not working as expected in 25.1 beta.

Happy to send any logs or any other information required.

As a side question, is there any plan to build DHCP into dnsmasq itself?

I agree, I believe it came in with 24.7.12. All was fine until I updated then had a dnsmasq issue of some sort. I also noticed that my advanced settings conf file in the dnsmasq.conf.d folder was wiped out after the update. This would have just simplified my client reporting to pihole. Something else must have also happened since my DNS wasn't working at all.

You may be right that something definitely changed around 24.7.x

I also recall that in earlier versions (24.7.?) the check-box settings 'Query DNS servers sequentially' did not work at all; the only way to make this work was to write 'strict-order' in a custom conf file.
However, now the checkbox setting does work, but dnsmasq does not utilise the next server.

There is definitely something that has happened over the last few updates... Hopefully @Franco/ others will look into these.
#11
@franco:

Are you aware of the default timeout as used by dnsmasq (in OPNsense) for its forwarded query? Or any way of finding out.

I think there may be an issue with the default timeout or some other code base that is causing dnsmasq not to use the next available server (if the first fails).
#12
Hi Franco,

This 'bug/issue' has likely been introduced sometime in 24.7.x, as I was running this setup for many months without any issue and the failover principle always worked.

I then switched over to AGH at some point, so cannot pinpoint in which 24.7.x build this may have crept in.

It is definitely not working as expected in 25.1 beta.

Happy to send any logs or any other information required.

As a side question, is there any plan to build DHCP into dnsmasq itself?
#13
Bump:

Anyone else seeing this behaviour in dnsmasq ?
#14
Added an issue regarding dnsmasq in 25.1 here

Essentially, the dnsmasq option "Query DNS servers sequentially" is not working as expected.
#15
dnsmasq option for "Query DNS servers sequentially" is not working as expected in 25.1.b_20-amd64

A fairly simple setup:

192.168.1.111 is a PiHole machine on the same LAN
8.8.8.8 is the external Google DNS

The two DNS servers are defined in System > Settings > General in this order
- 192.168.1.111
- 8.8.8.8

The underlying idea is that OPNsense should first try and resolve the DNS query using PiHole (192.168.1.111) and ONLY if it fails, should then resolve the query using the next DNS server i.e. Google (8.8.8.8)


Working behaviour:
  • dnsmasq receives the queries from clients.
  • DNS queries are forwarded to 192.168.1.111
  • No queries are forwarded to 8.8.8.8 (as the query DNS server sequentially is set).
- Verified this with dnsmasq logs. All good.
- Just as information, if the 'Query DNS server sequentially' flag is unset, queries are forwarded to both upstream servers, exactly as expected.
All good so far.

Problematic behaviour:
  • Turn the PiHole machine (192.168.1.111) off or remove network cable (i.e. make PiHole inaccessible)
  • dnsmasq should forward query to 192.168.1.111 (It does, all good)
  • On failing to resolve the query (i.e. timeout), dnsmasq should now forward the query to 8.8.8.8, but it never does.
  • No query is ever sent to 8.8.8.8
- Essentially, all DNS queries from clients now start to fail and dnsmasq never forwards any queries to the next DNS server (8.8.8.8)

As info, this setup was working fine until 24.7 (from what I recall)

-----------------------------------------

Additional information:

  • Unbound is running on port 53535 (I know not needed, but should not be relevant for the use case)
  • Also using a custom dnsmasq config file (/usr/local/etc/dnsmasq.conf.d/0-myfile.conf).
  • It contains two entries so that PiHole can identify the client correctly.
add-mac
add-subnet=32,128
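To check from dnsmasq logs whether a query ever falls through to the second upstream (the verification the post describes doing by hand), here is an added Python example; it is not code from the original post, from OPNsense or from dnsmasq. The log lines are constructed samples in the format dnsmasq writes with log-queries enabled, and the upstream order is the one listed in the post.

```python
import re
from collections import Counter

# Constructed sample logs (not from the post), in dnsmasq's log-queries format.
# FAILING_LOG: opnsense.org is retried against the primary only and never answered;
# OK_LOG: the retry reaches the secondary upstream and gets a reply.
FAILING_LOG = """\
Feb 20 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.50
Feb 20 10:00:01 dnsmasq[1234]: forwarded example.com to 192.168.1.111
Feb 20 10:00:01 dnsmasq[1234]: reply example.com is 203.0.113.10
Feb 20 10:05:02 dnsmasq[1234]: query[A] opnsense.org from 192.168.1.50
Feb 20 10:05:02 dnsmasq[1234]: forwarded opnsense.org to 192.168.1.111
Feb 20 10:05:04 dnsmasq[1234]: query[A] opnsense.org from 192.168.1.50
Feb 20 10:05:04 dnsmasq[1234]: forwarded opnsense.org to 192.168.1.111
"""
OK_LOG = """\
Feb 20 11:00:00 dnsmasq[1234]: query[A] opnsense.org from 192.168.1.50
Feb 20 11:00:00 dnsmasq[1234]: forwarded opnsense.org to 192.168.1.111
Feb 20 11:00:02 dnsmasq[1234]: forwarded opnsense.org to 8.8.8.8
Feb 20 11:00:02 dnsmasq[1234]: reply opnsense.org is 203.0.113.20
"""
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)$")

def parse_log(text):
    """Return ({name: [upstreams in log order]}, {names that got any reply})."""
    forwards, replied = {}, set()
    for line in text.splitlines():
        if m := FORWARD_RE.search(line):
            forwards.setdefault(m.group(1), []).append(m.group(2))
        elif m := REPLY_RE.search(line):
            replied.add(m.group(1))
    return forwards, replied

def check_failover(text, upstreams):
    """upstreams: the ordered server list from System > Settings > General.
    'stuck' lists names only ever sent to the primary and never answered."""
    forwards, replied = parse_log(text)
    secondary = set(upstreams[1:])
    return {
        "per_upstream": dict(Counter(u for ups in forwards.values() for u in ups)),
        "stuck": sorted(n for n, ups in forwards.items()
                        if n not in replied and not set(ups) & secondary),
        "failover_observed": any(set(ups) & secondary for ups in forwards.values()),
    }

if __name__ == "__main__":
    for label, log in (("failing", FAILING_LOG), ("ok", OK_LOG)):
        print(label, check_failover(log, ["192.168.1.111", "8.8.8.8"]))
```

On a live box the same function can be fed the output of the dnsmasq log (System > Log Files) after making the primary unreachable; a non-empty 'stuck' list with 'failover_observed' False is the symptom described in the post.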