Messages

1

24.7 Production Series / Re: Any way to update AdGuardHome to edge release?

« on: October 24, 2024, 08:40:11 pm »

Do the following:

1) Check current version

Code: [Select]

sudo /usr/local/AdGuardHome/AdGuardHome -v --version
2) Download beta/edge version of AGH as appropriate

Code: [Select]

fetch -o agh.tar.gz https://static.adguard.com/adguardhome/beta/AdGuardHome_freebsd_amd64.tar.gzor

Code: [Select]

fetch -o agh.tar.gz https://static.adguard.com/adguardhome/edge/AdGuardHome_freebsd_amd64.tar.gz
3) Stop AGH, disable the service

4) Extract the AGH binary to the appropriate location:

Code: [Select]

sudo tar xvf agh.tar.gz -C /usr/local/;
sudo rm agh.tar.gz;
sudo rm /usr/local/AdGuardHome/LICENSE.txt;
sudo rm /usr/local/AdGuardHome/README.md;
sudo rm /usr/local/AdGuardHome/CHANGELOG.md;
5) Check version again

Code: [Select]

sudo /usr/local/AdGuardHome/AdGuardHome -v --version
6) Start AGH, enable the service

2

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: October 04, 2024, 01:37:28 am »

I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.

That's why I prefer using extended blocklists as my solution.

So do you mean blocklists in Unbound?

How do you configure certain specific clients to bypass adblocking but still use Unbound?

3

24.7 Production Series / Re: Power Management with AMI (standard) vs Coreboot BIOS on Protectli devices

« on: September 14, 2024, 10:18:00 pm »

You cannot in any way control CPU power states from within a VM. That has to be done on your hypervisor, i.e. Proxmox.

In the case of OPNsense running on hardware: yes, you are supposed to add tunables that are not present in the default setup.

Thanks for the clarification. 👍
Do you have any idea for the settings for Proxmox ? (I believe that the core of Proxmox is effectively Debian).

4

24.7 Production Series / Re: Power Management with AMI (standard) vs Coreboot BIOS on Protectli devices

« on: September 14, 2024, 09:58:00 pm »

I also use a Protectli VP2420, and after the 24.7 update have had higher CPU temps and utilization. After a little research on things to mitigate the problem, I added the "dev.cpu.0.cx_lowest" tunables.

This reduced my CPU temps by ~4C, and haven't noticed any issues. I was concerned about possible stability or latency issues, but so far it has been a positive improvement.

Instead of doing one entry for each cpu in Tunables, you can just do hw.acpi.cpu.cx_lowest = C3 one time

I am ruining OPNsesne as a VM on Proxmox on Protectli VP2420.
I do not see this entry hw.acpi.cpu.cx_lowest in OPNsense tunables, do I need to manually create this entry and assign it a value of C3? Could you send a screenshot please?

Since the VP2420 does not pass through the thermal sensor information to VMs, I will just have to rely on ‘hand felt’ temperature to see if it makes any difference…

5

24.7 Production Series / Re: OPNsense installation image doesn't enter the installation mode with new install

« on: September 12, 2024, 11:42:26 pm »

Wild guess !
Is it that your keyboard is not working under Coreboot, so OPNsense installer does not detect any key presses; and only after OPNsense boots up fully, you get a working keyboard.

6

24.7 Production Series / Re: Power Management with AMI (standard) vs Coreboot BIOS on Protectli devices

« on: September 12, 2024, 10:13:10 pm »

I am going to rebuild my VP2420 in a few weeks time, I will then start with a Coreboot BIOS…
I don’t have any measuring equipment, but I guess using a new-gen BIOS can’t hurt either and if the appliance happens to run more efficiently, then all is good.

7

24.7 Production Series / Re: Power Management with AMI (standard) vs Coreboot BIOS on Protectli devices

« on: September 12, 2024, 09:14:55 pm »

Just a quick question:
Would this energy efficiency gain be available only on bare metal installations or also if running OPNsense as a VM through Proxmox?

I am running OPNsense through Proxmox installed on Protectli VP2420.

8

Virtual private networks / Re: Help with WireGuard VPN - no KILL Switch needed

« on: September 10, 2024, 08:24:43 pm »

That is what my guess was as well… but as soon as the VPN Gateway drops, the 4 clients lose their connection to the internet.

I will post my firewall settings shortly, maybe there is an issue there.

9

Virtual private networks / Help with WireGuard VPN - no KILL Switch needed

« on: September 10, 2024, 01:52:34 pm »

I have setup my WireGuard VPN to an external provider by following the WireGuard Selective Routing to External VPN Endpoint guide. All firewall rules, etc, setup as per the guide.

I have 4 clients (on 2 different VLANs) that use this VPN connection for their traffic.

Everything works as expected - No issues.


Question:
Contrary to most people, what I would like is that if this VPN connection drops/ disconnects, I would like to have these 4 clients use the normal (default) WAN Gateway - so that internet services are not impacted.

i.e. the opposite of Kill Switch

What settings or firewall rules do I need to add to accomplish this?  Layman/ newbie explanation please...

What I have already tried?
Enabling/ disabling the gateway Monitoring Skip Rules check-box seems to have no effect.

10

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 10, 2024, 12:31:20 am »

and, from all the posts over time with people encountering problems with lists in Unbound, makes more sense to me to leave this on the add-ons that already do it like AdGH.

You can do that with AGuard Home already.

Thank you for the suggestions. I am already using AGH and also Blocky (this conversation started with a plugin for the same).

The whole idea is to have this feature in Unbound, and since it appears that this is already available in OPNsense Business Edition, my request is to also make it accessible in the Community Edition as well - I am guessing it should be relatively easy (barring any commercial implications)

There will be all types of users, some will use AGH, some will use Blocky, some will stick with plain old simple dnsmasq and some will use core Unbound (if it gains this additional functionality)…. essentially providing more choice.

11

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 09, 2024, 10:37:36 pm »

I just found out its a feature of the OPNsense Business Edition. So its already available in that version:

https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

@Franco/ @Monviech

Unbound extended blocklists (or more specifically the ability to exclude certain IP addresses/ranges from default adblocking) - can this feature be made available in the community edition please?
Or some mechanism/ hack to try it out in the community version?

Many thanks…

12

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 09, 2024, 10:36:00 am »

I just found out its a feature of the OPNsense Business Edition. So its already available in that version:

https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

Any chance to make this feature available on the community edition... or some patch at the moment to at least try out the feature.

I am a home user...

13

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 08, 2024, 11:57:35 pm »

I dont know, I gonna talk with others whats possible and if its a good idea to add more options to Blocklists.

Thanks.

I think the exclusion of configurable IP addresses/ networks for blocklists will provide the best bang for the buck...

14

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 08, 2024, 09:03:25 pm »

So to lock down the scope, without promising anything:

- If there would be an additional field inside blocklists, in which multiple ip addressed/networks can be input, and these would be excempt from the blocklist, that would make the Unbound implementation already fit a lot more usecases?

I imply, most people want to block everything, for example for kids/staff etc..., and excempt themselves from the same blocking.

Since it would be only one additional item in the menu, maybe that scope can be satisfied. (I didnt check yet, just implying here.)

I believe that will be an excellent addition to Unbound, adding the ability to exclude certain IP addresses, network ranges, etc from default blocking.

If you are going to look at the inbound code, is there any possibility of adding Regex to the blocking liss? I know I am being greedy !

15

Development and Code Review / Re: Blocky DNS (Alternate to AdGuard Home) available as plugin

« on: September 08, 2024, 05:21:42 pm »

Interesting. If thats the exact scope and usecase why people choose adguard home or blocky, and the same goal can be reached in Unbound, maybe create an issue with a feature request in Opnsense Core for this feature:

https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html

OPnsense (a few versions back) used to allow custom configuration of Unbound and it was likely possible to achieve these enhanced configs. I think with the latest version of OPnsense's Unbound implementation, a lot of the custom configuration has been lost... hence a lot of movement towards AGH/Blocky.

I personally would just stick with Unbound - if it was possible to have different clients use different blocklists or bypass blocking completely, and still have everything routed through Unbound for its caching and resolver abilities.

Another thing need in Unbound is support of sequential order of upstream DNS (something that dnsmasq does very well with its strict-order parameter in the conf file and blocky supports it very well too).

With Unbound, there is no mechanism to control the behaviour if using unbound as a plain forwarder.
A lot of people run their own DNS servers (with redundancy across different addresses) and would like Unbound to only use the specific upstream if the first one fails.... sequential order.

Unbound is very powerful, but I think it needs some more options exposed in OPNsense to make it a real powerful DNS resolver/ forwarder/ adblocker, etc..... or at the very minimum needs to support custom.conf files where users can configure it to behave as desired.

Thank you for looking into this...