Messages - gspannu

#1
Quote from: dirtyfreebooter on April 16, 2026, 06:31:29 PM
i gave adguard a try and i am currently using that and working on adguard plugin, the 3rd party repo adguard home plugin doesn't really have a native interface...


That is some effort that you are putting in... AGH has a ton of options and to capture them all into an OPNsense GUI and then ensure that future updates also work.... Hats off to your effort.

I very much look forward to your plugin... Is there a GitHub link for it?
#2
Quote from: nero355 on April 16, 2026, 03:14:40 PM
To be honest : People should really avoid needing such a feature!

Is it really that hard to simply check your Pi-Hole Query Log (or the same in AdGuard) and figure out what is being blocked and solve the issue once and for all ?!
Nothing personal by the way. Talking about people in general!

And in the worst case you even have the option to use some kind of DoH/DoT feature in Mozilla Firefox for example to check if your adblocker is the issue at all :)

It is not about whether I can analyse and check what websites are being blocked and then whitelist these permanently, it's about other users in the home who are not that tech-savvy... and for the times that I am not available to do the same.

Hence, my request for an API call (I know that it exists, as the OPNsense API documentation does refer to adblocking... I just haven't been able to get my head around it to make it work!) - if anyone who understands API can help, then it would be much appreciated.

#3
Quote from: Patrick M. Hausen on April 16, 2026, 12:44:44 PM
May I suggest considering to use AdGuard Home instead for DNS blocking? There are nice mobile apps that let you disable filtering with a single tap - for 1 minute, 5 minutes, 1 hour ... etc.

I have been using AGH for a long time, but was keen to start using Unbound and remove all (non-native) components from OPNsense. Hence, the query...
#4
Help needed....

Does anyone know as to how to use the API to enable & disable Unbound Blocklists using an API?

I have Unbound setup with a few blocklists and combination of source nets; so most of the time Unbound Blocklists can keep running.

However, there are times when other family members use laptops/machines (that are a part of the blocklists) but just need Ad-Unblocking for a short duration. Expecting them to log in to the GUI in OPNsense to disable this is a bridge too far.


Q: Is there a global API (or some mechanism without having to log into OPNsense GUI) to temporarily disable all blocklists and then enable them later?

Q: Is there a quick way to do this via a simple curl command that can execute a preformed API call?  I can then create a shortcut on these machines that can be used to turn on/off Unbound blocking.

I have tried reading into the API docs, but unable to figure it out...
#5
Quote from: OPNenthu on March 03, 2026, 10:23:09 AM
If they are meant to cascade, is there a way to make the policies work like pf 'quick' rules, on first match?  Alternatively, can anyone think of a creative hack to make this scheme work as intended and still support dynamic prefixes? :)


I am looking for the same info.... It would be great if the Blocklists rules worked like firewall, the first match wins. Also would be great if dynamic prefixes could be used as source lists.
#6
Quote from: adv on January 29, 2026, 01:02:01 AM
Thanks for the help, everyone.  I guess we'll wait and see....

I guess it may have been implemented in 26.1, I haven't had chance to read the changes notes (or install 26.1 yet), but I have an inclination, it has been included...
#7
I have created a #5170 feature request on GitHub for the same.
#8
Quote from: mikes91 on January 17, 2026, 02:02:07 AM
I use Verizon 5G Home Internet and their XCI55AX cell router. My journey to OPNsense started when I decided I wanted to use Pi-hole but the XCI55AX router will not allow the end user to change the DNS settings, so what I must do is put their router in passthrough mode and use my own router instead.

If anyone has already done this, I would appreciate whatever you are willing to share regarding the appropriate configuration settings. I've gotten as far as installing OPNsense VM on my Proxmox installed mini-pc (a Beelink SER5 Ryzen 7 5825U) and poking around a bit to get oriented.

Any and all advice/pointers will be appreciated.

Install another VM on Proxmox, either Alpine Linux or Debian. Install PiHole in this VM. Make sure this VM gets assigned a static IP.
Now in OPNsense, assign the PiHole IP as your DNS.
#9
Quote from: mattlach on April 05, 2024, 06:07:28 AM
This is good info.

I have been running OPNSense as a guest under Proxmox on a small server that has one other VM on it (basic linux install for pihole) but I have found that WireGuard requires WAY more CPU than I expected at gigabit speeds, so I am considering doing away with Proxmox, running OPN Sense bare metal, and moving the pihole VM into bhyve on OPNSense instead to make sure OPNSense can talk straight to the hardware and be more efficient.

In my config the one VM would not be externally exposed, but instead get its own entirely virtual local network on the LAN side of the OPNSense firewall, so I am not terribly concerned about security, but I'll port scan it from the WAN side just to make sure.

I probably won't get around to this right away, but when I do I'll definitely post back here.

Thanks for sharing.

I intend to run a similar setup (a PiHole running on Alpine Linux in a VM under bhyve).

Did you ever manage to get this setup working properly? Can you share your complete/detailed instruction set? It would be much appreciated.

Thanks.
#10
Quote from: darkvoid on December 25, 2025, 03:29:56 PM
Chipping in from some experience with my setup.

netgraph networking works very well with bhyve.

I use the following script to setup a bridge to link the virtual machine directly to the OPNSense LAN interface:

# Setup ng_bridge if required
if ! ngctl status bnet0: >/dev/null 2>&1; then
  ngctl -f- <<END
    mkpeer igc0: bridge lower link0
    name igc0:lower bnet0
    connect igc0: bnet0: upper link1
    msg igc0: setpromisc 1
    msg igc0: setautosrc 0
END
fi

This creates a bridge linked to igc0 (my OPNsense LAN interface) and prepares for bhyve to attach.

bhyve can subsequently attach to the bridge as follows:

bhyve \
-c sockets=1,cores=8,threads=1 \
-m 16G \
-s 0,hostbridge \
-s 2,virtio-blk,/vm/hdd.img \
-s 3,virtio-net,netgraph,path=bnet0:,peerhook=link2 \
-s 4,virtio-9p,data=/zdata/vm \
-s 5,virtio-rnd \
-s 31,lpc \
-l bootrom,/vm/BHYVE_UEFI.fd,/vm/efi-vars.fd \
-l com1,stdio \
-u \
-H -P -S \

This has provided very stable and performant networking on the bhyve instance.

Thanks...

Few questions:
1) Can you post your entire setup instructions of running bhyve on OPNsense? I tried to follow the previous posts, but am unable to get an Alpine VM to install.

2) Your networking script - does this auto start at boot up of OPNsense or how to manage this?

Some help in setting up a complete bhyve (Alpine Linux VM) from scratch would be very helpful. Thank you.
#12
Quote from: julsssark on January 13, 2026, 07:29:06 PM
You've got a brand new Protectli and you are going to wait for 26.1? You are way more patient than I would be with a new toy. :)

Ha, ha..

That's because I already have a Protectli, this is my 2nd vault - I am planning to repurpose the 1st one as a Proxmox device and run multiple VMs on it. The new Protectli will just serve as a bare metal OPNsense.
#13
Hi OPNsense developers,

Any prospective dates as to when 26.1 gets released?

I am just looking to rebuild my OPNsense bare metal (have just got a new Protectli device) and I plan to install everything from scratch, so might as well do it with 26.1

Thanks.
#14
Quote from: ttyyuu12345 on December 30, 2025, 08:24:11 AM
Here's the reason:

My home internet is 400down/30-35 up. My computer's pretty fast, but to get fiber internet means we have to trust AT&T to dig up and fix THEIR cable, and charge me the same for the same bandwidth I get on my cloud. If AT&T did fix their cable, the physical cable in clay would easily break again and I'd lose connection due to their failure to protect the cable to cut corners.

I have a cloud server that's got 8c/16t (AMD Ryzen 7 3800X), 500Mbps up and down, and 128GB RAM, but the baremetal server runs 128GB of RAM. I have 3 IPs, and I don't want to run only 3 virtual machines on it.

I think it's irresponsible for OPNsense to expect us to not provide a direct iso link when there's plenty of mirrors I can cancel, and turn around and copy link/paste. Heck, I could get a Windows ISO on my hypervisor faster than I could OPNSense.


I don't think such strong language is warranted for this supposed issue
#15
Quote from: vijay on December 26, 2025, 12:54:27 PM
Hi All

I have already tried all steps but no luck, Just FYI I am installing opnsense in OCI cloud linux server

If you detail what steps you have done, it may be easier to diagnose your issues.

As a start, can you confirm that you
- have actually installed OPNsense; and not just running this in live mode?
- have removed the drive/image you installed from, and confirm that your OPNsense instance has actually booted up from the 'installed' drive?