Messages

If they are meant to cascade, is there a way to make the policies work like pf 'quick' rules, on first match?  Alternatively, can anyone think of a creative hack to make this scheme work as intended and still support dynamic prefixes? :)

I am looking for the same info.... It would be great if the Blocklists rules worked like firewall, the first match wins. Also would be great if dynamic prefixes could be used as source lists.

Thanks for the help, everyone.  I guess we'll wait and see....

I guess it may have been implemented in 26.1, I haven't had chance to read the changes notes (or install 26.1 yet), but I have an inclination, it has been included...

I have created a #5170 feature request on Github for the same.

I use Verizon 5G Home Internet and their XCI55AX cell router. My journey to OPNsense started when I decided I wanted to use Pi-hole but the XCI55AX router will not allow the end user to change the DNS settings, so what I must do is put their router in passthrough mode and use my own router instead.

If anyone has already done this, I would appreciate whatever you are willing to share regarding the appropriate configuration settings. I've gotten as far as installing OPNsense VM on my Proxmox installed mini-pc (a Beelink SER5 Ryzen 7 5825U) and poking around a bit to get oriented.

Any and all advice/pointers will be appreciated.

Install another VM on Proxmox, either Alpine Linux or Debian. Install PiHole in this VM. Make sure this VM gets assigned a static IP.
Now in OPNsense, assign the PiHole IP as your DNS.

This is good info.

I have been running OPNSense as a guest under Proxmox on a small server that has one other VM on it (basic linux install for pihole) but I have found that WireGuard requires WAY more CPU than I expected at gigabit speeds, so I am considering doing away with Proxmox, running OPN Sense bare metal, and moving the pihole VM into bhyve on OPNSense instead to make sure OPNSense can talk straight to the hardware and be more efficient.

In my config the one VM would not be externally exposed, but instead get its own entirely virtual local network on the LAN side of the OPNSense firewall, so I am not terribly concerned about security, but I'll port scan it from the WAN side just to make sure.

I probably won't get around to this right away, but when I do I'll definitely post back here.

Thanks for sharing.

I intend to run a similar setup (a PiHole running on Alpine Linux in a VM under bhyve).

Did you ever manage to get this setup working properly? Can you share your complete/ detailed instruction set.. would be much appreciated.

Thanks.

Chipping in from some experience with my setup.

netgraph networking works very well with bhyve.

I use the following script to setup a bridge to link the virtual machine directly to the OPNSense LAN interface:

Code Select Expand

# Setup ng_bridge if required
if ! ngctl status bnet0: >/dev/null 2>&1; then
  ngctl -f- <<END
    mkpeer igc0: bridge lower link0
    name igc0:lower bnet0
    connect igc0: bnet0: upper link1
    msg igc0: setpromisc 1
    msg igc0: setautosrc 0
END
fi

This creates a bridge linked to igc0 (my OPNsense LAN interface) and prepares for bhyve to attach.

bhyve can subsequently attach to the bridge as follows:

Code Select Expand

bhyve \
-c sockets=1,cores=8,threads=1 \
-m 16G \
-s 0,hostbridge \
-s 2,virtio-blk,/vm/hdd.img \
-s 3,virtio-net,netgraph,path=bnet0:,peerhook=link2 \
-s 4,virtio-9p,data=/zdata/vm \
-s 5,virtio-rnd \
-s 31,lpc \
-l bootrom,/vm/BHYVE_UEFI.fd,/vm/efi-vars.fd \
-l com1,stdio \
-u \
-H -P -S \

This has provided very stable and performant networking on the bhyve instance.

Thanks...

Few questions:
1) Can you post your entire setup instructions of running bhyve on OPNsense. I tried to follow the previous posts, but am unable to get an Alpine VM to install.

2) Your networking script - does this auto start at boot up of OPNsense or how to manage this?

Some help in setting up a complete bhyve (Alpine Linux VM) from scratch would be very helpful. Thank you.

https://github.com/opnsense/core/milestones

Thank you, so the date looks to be 28 Jan...

You've got a brand new Protectli and you are going to wait for 26.1? You are way more patient than I would be with a new toy. :)

Ha, ha..

That's because I already have a Protectli, this is my 2nd vault - I am planning to repurpose the 1st one as a Proxmox device and run multiple VMs on it. The new Protectli will just server as a bare metal OPNsense.

Hi OPNsense developers,

Any prospective dates as to when 26.1 gets released?

I am just looking to rebuild my OPNsense bare metal (have just got a new Protectli device) and I plan to install everything from scratch, so might as well do it with 26.1

Thanks.

[I think its irresponsible for OPNsense]

Here's the reason:

My home internet is 400down/30-35 up. My computers pretty fast, but to get fiber internet means we have to trust AT&T to dig up and fix THEIR cable, and charge me the same for the same bandwidth I get on my cloud. If AT&T did fix their cable, the physical cable in clay would easily break again and I'd lose connection due to their failure to protect the cable to cut corners.

I have a cloud server that's got 8c/16t (AMD Ryzen 7 3800X), 500Mbps up and down, and 128GB RAM, but the baremetal server runs 128GB of RAM. I have 3 IPs, and I don't want to run only 3 virtual machines on it.

I think its irresponsible for OPNsense to expect us to not provide a direct iso link when there's plenty of mirrors I can cancel, and turn around and copy link/paste. Heck, I could get a Windows ISO on my hypervisor faster than I could OPNSense.

I don't think such strong language is warranted for this supposed issue

Hi All

I have already tried all steps but no luck, Just FYI I am installing opnsense in OCI cloud linux server

If you detail what steps you have done, it may be easier to diagnose your issues.

As a start, can you confirm that you
- have actually installed OPNsense; and not just running this in live mode?
- have removed the drive/image you installed from, and confirm that your OPNsense instance has actually booted up from the' installed' drive?

Hello,

I just upgraded from 25.7.5 to 25.7.10
The upgrade went well, but my adguard home was not working anymore (not running and when I want to start it it just stops immediatly)

I put my snapshot of 25.7.5 back and all worked again.

I found alot of people with similar problems on the forum, only sollution that seemed to work for them was stopping and uninstalling adguard home, rebooting, doing the upgrade and reïnstalling and configuring adguard home.

Before I got that way, I wonder if anyone has an official working upgrade path without having to reinstall adguard home ?

And if this is the only way to go, can anyone give me a "noobs" guide on fully backing up my adguard home settings ? I have ALOT of rules and configured clients (wife and kid's devices) that have specific blocking (mainly my wife's devices have limited blocking because all she wants to do is use shit like facebook , .... "sigh") My wife realy is my networks biggest security risk :) )

Is it enough to just backup the Adguardhome.yaml file , and than just put it back where it was ? or is there something else needed ?


All help is appreciated

You are spot on...

Search for the file AdGuardHome.yaml - this is the file that contains all your AGH configs. It will most likely be in /usr/local/AdGuardHome/ folder. So to keep a copy, just make a copy of this file.

As a side note, it is recommended to stop AdGuardHome (from the GUI) before taking a backup and also before restoring.

Are we sure that the Unbound blocklists feature really supports targeting individual hosts?  The only place where it's hinted at is in the helptext for the Source Net(s) field, which gives 192.168.1.1 as an example input.  However, the field itself and the rest of the helptext talks only about networks.

Same for the docs: https://docs.opnsense.org/manual/unbound.html#blocklists

Multiple policies can be defined, each separated by one or more source nets. This means you can use blocklists or specific (wildcard) domains on specific networks, allowing more fine-grained control over your setup. The algorithm selects the most specific subnet when domains overlap across subnet sizes.

Might be good to raise a GitHub issue, at least for clarification.

EDIT: the helptext also says something about equally sized networks:

All specified networks should use the same protocol family and have equal sizes to avoid priority issues.

... not sure if that's per-blocklist entry or across all of them.

Unbound blocklists does support hosts/ networks - it is just that the current implementation is a bit basic (perhaps wrong description, as it does the job well), I think the source hosts/networks/ exclusions needs to be further developed to make it more user accessible and feature rich.

The same protocol/ equal size applies to each block-list entry

Or use AdGuard Home which has a much nicer UI for tasks like this one.

I have used AGH extensively, also used Blocky (similar to AGH, but with even more granular control !).
However, these both are not recursive DNS resolvers (only forwarders)

... I am now keen to use Unbound (and the latest update for blocklists has made it promising), I would like to keep everything native.

It would be nice if Unbound had some more development work done regarding Blocklists

[This would make it much easier to use adblocking feature]

I have managed to workaround this in a way by defining multiple CIDRs... Not the best solution, but it works.

1) Do not set any Unbound DNS blocklist for Guest clients

2) Change my static DHCP settings for main LAN clients; and assigned each a static IP
I segregated into 4 groups - just for ease of management
192.168.1.0/26:   192.168.1.1 - 192.168.1.62
192.168.1.64/26:   192.168.1.65 - 192.168.1.126 (clients that do not need adblocking)
192.168.1.128/26:   192.168.1.129 - 192.168.1.190
192.168.1.192/26:   192.168.1.193 - 192.168.1.254

Now created an entry in Unbound Blocklists
- Choose blocklists as desired
- Set source as 192.168.1.0/26, 192.168.1.128/26, 192.168.192/26 - so now all LAN clients except in range (192.168.1.65 - 192.168.1.126) get ad-blocking.

I still feel that Unbound ad-blocking should either work sequentially and use the rules on first match or each Unbound Blocklist entry should also have an exclude source list - This would make it much easier to use adblocking feature.