Messages - gspannu

#1
Quote from: mattlach on April 05, 2024, 06:07:28 AM
This is good info.

I have been running OPNSense as a guest under Proxmox on a small server that has one other VM on it (basic linux install for pihole) but I have found that WireGuard requires WAY more CPU than I expected at gigabit speeds, so I am considering doing away with Proxmox, running OPN Sense bare metal, and moving the pihole VM into bhyve on OPNSense instead to make sure OPNSense can talk straight to the hardware and be more efficient.

In my config the one VM would not be externally exposed, but instead get its own entirely virtual local network on the LAN side of the OPNSense firewall, so I am not terribly concerned about security, but I'll port scan it from the WAN side just to make sure.

I probably won't get around to this right away, but when I do I'll definitely post back here.

Thanks for sharing.

I intend to run a similar setup (a PiHole running on Alpine Linux in a VM under bhyve).

Did you ever manage to get this setup working properly? Can you share your complete/detailed instruction set... would be much appreciated.

Thanks.
#2
Quote from: darkvoid on December 25, 2025, 03:29:56 PM
Chipping in from some experience with my setup.

netgraph networking works very well with bhyve.

I use the following script to setup a bridge to link the virtual machine directly to the OPNSense LAN interface:

# Setup ng_bridge if required (idempotent: skip if the bnet0 node already exists)
if ! ngctl status bnet0: >/dev/null 2>&1; then
  # 1. hang a new ng_bridge node off igc0's "lower" hook (the wire side of the NIC)
  # 2. name that bridge node bnet0
  # 3. connect igc0's "upper" hook (the host stack side) to the bridge's link1
  # 4. promiscuous mode, so frames addressed to guest MACs are passed to the bridge
  # 5. do not rewrite the source MAC of outgoing frames (guests keep their own MACs)
  ngctl -f- <<END
    mkpeer igc0: bridge lower link0
    name igc0:lower bnet0
    connect igc0: bnet0: upper link1
    msg igc0: setpromisc 1
    msg igc0: setautosrc 0
END
fi

This creates a bridge linked to igc0 (my OPNsense LAN interface) and prepares for bhyve to attach.

bhyve can subsequently attach to the bridge as follows:

bhyve \
-c sockets=1,cores=8,threads=1 \
-m 16G \
-s 0,hostbridge \
-s 2,virtio-blk,/vm/hdd.img \
-s 3,virtio-net,netgraph,path=bnet0:,peerhook=link2 \
-s 4,virtio-9p,data=/zdata/vm \
-s 5,virtio-rnd \
-s 31,lpc \
-l bootrom,/vm/BHYVE_UEFI.fd,/vm/efi-vars.fd \
-l com1,stdio \
-u \
-H -P -S \

This has provided very stable and performant networking on the bhyve instance.

Thanks...

Few questions:
1) Can you post your entire setup instructions of running bhyve on OPNsense. I tried to follow the previous posts, but am unable to get an Alpine VM to install.

2) Your networking script - does this auto start at boot up of OPNsense or how to manage this?

Some help in setting up a complete bhyve (Alpine Linux VM) from scratch would be very helpful. Thank you.
#4
Quote from: julsssark on January 13, 2026, 07:29:06 PM
You've got a brand new Protectli and you are going to wait for 26.1? You are way more patient than I would be with a new toy. :)

Ha, ha..

That's because I already have a Protectli; this is my 2nd vault. I am planning to repurpose the 1st one as a Proxmox device and run multiple VMs on it. The new Protectli will just serve as a bare metal OPNsense.
#5
25.7, 25.10 Series / Any dates as to when 26.1 drops?
January 13, 2026, 05:45:29 PM
Hi OPNsense developers,

Any prospective dates as to when 26.1 gets released?

I am just looking to rebuild my OPNsense bare metal (have just got a new Protectli device) and I plan to install everything from scratch, so might as well do it with 26.1

Thanks.
#6
Quote from: ttyyuu12345 on December 30, 2025, 08:24:11 AM
Here's the reason:

My home internet is 400down/30-35 up. My computers pretty fast, but to get fiber internet means we have to trust AT&T to dig up and fix THEIR cable, and charge me the same for the same bandwidth I get on my cloud. If AT&T did fix their cable, the physical cable in clay would easily break again and I'd lose connection due to their failure to protect the cable to cut corners.

I have a cloud server that's got 8c/16t (AMD Ryzen 7 3800X), 500Mbps up and down, and 128GB RAM, but the baremetal server runs 128GB of RAM. I have 3 IPs, and I don't want to run only 3 virtual machines on it.

I think its irresponsible for OPNsense to expect us to not provide a direct iso link when there's plenty of mirrors I can cancel, and turn around and copy link/paste. Heck, I could get a Windows ISO on my hypervisor faster than I could OPNSense.


I don't think such strong language is warranted for this supposed issue.
#7
Quote from: vijay on December 26, 2025, 12:54:27 PM
Hi All

I have already tried all steps but no luck, Just FYI I am installing opnsense in OCI cloud linux server

If you detail what steps you have done, it may be easier to diagnose your issues.

As a start, can you confirm that you:
- have actually installed OPNsense, and are not just running it in live mode?
- have removed the drive/image you installed from, and confirmed that your OPNsense instance has actually booted up from the 'installed' drive?
#8
Quote from: HansJ on December 22, 2025, 12:17:41 PM
Hello,

I just upgraded from 25.7.5 to 25.7.10
The upgrade went well, but my AdGuard Home was not working anymore (not running, and when I want to start it, it just stops immediately)

I put my snapshot of 25.7.5 back and all worked again.

I found a lot of people with similar problems on the forum; the only solution that seemed to work for them was stopping and uninstalling AdGuard Home, rebooting, doing the upgrade and reinstalling and configuring AdGuard Home.

Before I go that way, I wonder if anyone has an official working upgrade path without having to reinstall AdGuard Home?

And if this is the only way to go, can anyone give me a "noobs" guide on fully backing up my AdGuard Home settings? I have A LOT of rules and configured clients (wife and kids' devices) that have specific blocking (mainly my wife's devices have limited blocking because all she wants to do is use shit like Facebook, .... "sigh"). My wife really is my network's biggest security risk :) )

Is it enough to just back up the AdGuardHome.yaml file, and then just put it back where it was? Or is there something else needed?


All help is appreciated

You are spot on...

Search for the file AdGuardHome.yaml - this is the file that contains all your AGH configs. It will most likely be in the /usr/local/AdGuardHome/ folder. So to keep a copy, just make a copy of this file.

As a side note, it is recommended to stop AdGuardHome (from the GUI) before taking a backup and also before restoring.
#9
Quote from: OPNenthu on December 15, 2025, 10:03:58 AM
Are we sure that the Unbound blocklists feature really supports targeting individual hosts? The only place where it's hinted at is in the helptext for the Source Net(s) field, which gives 192.168.1.1 as an example input. However, the field itself and the rest of the helptext talks only about networks.

Same for the docs: https://docs.opnsense.org/manual/unbound.html#blocklists

Quote: Multiple policies can be defined, each separated by one or more source nets. This means you can use blocklists or specific (wildcard) domains on specific networks, allowing more fine-grained control over your setup. The algorithm selects the most specific subnet when domains overlap across subnet sizes.

Might be good to raise a GitHub issue, at least for clarification.

EDIT: the helptext also says something about equally sized networks:

Quote: All specified networks should use the same protocol family and have equal sizes to avoid priority issues.

... not sure if that's per-blocklist entry or across all of them.

Unbound blocklists do support hosts/networks; it is just that the current implementation is a bit basic (perhaps "basic" is the wrong description, as it does the job well). I think the source hosts/networks/exclusions need to be developed further to make them more user accessible and feature rich.

The same protocol/equal size requirement applies to each blocklist entry.
#10
Quote from: Patrick M. Hausen on December 15, 2025, 09:42:35 AM
Or use AdGuard Home which has a much nicer UI for tasks like this one.

I have used AGH extensively, and also used Blocky (similar to AGH, but with even more granular control!).
However, neither of these is a recursive DNS resolver (they are forwarders only).

... I am now keen to use Unbound (and the latest update for blocklists has made it promising), I would like to keep everything native.

It would be nice if Unbound had some more development work done regarding Blocklists
#11
I have managed to workaround this in a way by defining multiple CIDRs... Not the best solution, but it works.

1) Do not set any Unbound DNS blocklist for Guest clients.

2) Change my static DHCP settings for main LAN clients, and assign each a static IP.
I segregated them into 4 groups, just for ease of management:
192.168.1.0/26:    192.168.1.1 - 192.168.1.62
192.168.1.64/26:   192.168.1.65 - 192.168.1.126 (clients that do not need ad-blocking)
192.168.1.128/26:  192.168.1.129 - 192.168.1.190
192.168.1.192/26:  192.168.1.193 - 192.168.1.254

Now I created an entry in Unbound Blocklists:
- Choose blocklists as desired
- Set source as 192.168.1.0/26, 192.168.1.128/26, 192.168.1.192/26 - so now all LAN clients except those in the range 192.168.1.65 - 192.168.1.126 get ad-blocking.

I still feel that Unbound ad-blocking should either work sequentially and use the rules on first match or each Unbound Blocklist entry should also have an exclude source list - This would make it much easier to use adblocking feature.
#12
I have started using the recently introduced (upgraded) Unbound Blocklists in 25.7.9

My setup:

I have a fairly simple LAN setup
Main subnet: 192.168.1.1/24 (static IP defined for most clients)
Guest vLan subnet: 192.168.10.1/24


Unbound as main Recursive DNS resolver on port 53
dnsmasq running as DHCP on port 53035


Requirements:
1) I do not want any blocklists for my Guest subnet (192.168.10.1/24) clients
This is easy to implement in DNS blocklists, I add an entry with no blocklists; and set the source as 192.168.10.1/24. No DNS query from this subnet is blocked. Works exactly as expected.

2) I want all of my main LAN clients (192.168.1.1/24) to be using blocklists, except 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
I add an entry with appropriate blocklists, and set the source as 192.168.1.1/24. All DNS queries from this subnet run through blocklists.
Works as expected, but not as desired for the 3 specific clients.

Therefore,
3) I add another entry with no blocklists, and set the source as the 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
All DNS queries from these specific clients should not run through blocklists. However, these 3 clients also run through blocklists. Not working as expected.

------------------

I tried changing the order of the entries as well, making the 3 specific clients entry as the 1st entry.

Using the tester GUI, it shows that the 3 clients are also part of the policy in 192.168.1.1/24. It seems that Unbound is not treating the matches in a sequential fashion.

-----------------

Can someone guide me how to setup the Blocklists to achieve the desired outcome?


Suggestion:
I think, the Unbound blocklist GUI screen should also have an entry for 'Excluded Net' in addition to the 'Source Net' - this could then perhaps achieve the desired result
or make Unbound Blocklists process/match the 'Source Net' entries sequentially; so the first match gets processed according to the rules.
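The selection rule quoted from the docs ("the most specific subnet wins") and the /26 workaround from post #11 can both be checked offline with a small model. This is an added example and not OPNsense's or Unbound's own code: the policy tables are constructed from the addresses in these posts, and whether the shipped implementation really applies longest-prefix match across entries of different sizes is exactly what this thread is asking, so the model only shows what the documented rule would yield for a given set of entries. It also flags an entry that mixes prefix lengths, which is what the helptext's "equal sizes" advice warns about.

```python
"""Model of the documented Unbound blocklist source-net selection rule.

Added illustration, not OPNsense code. Each policy is a blocklist entry as
configured in the GUI: a name, the networks/hosts typed into "Source Net(s)",
and the blocklists attached (an empty list means pass-through, no blocking).
"""
import ipaddress
from typing import List, Optional

# Constructed table: the /26 workaround from post #11 (guest /24 untouched,
# LAN split so that 192.168.1.64/26 has no entry and is therefore not blocked).
POLICIES = [
    {"name": "guest-passthrough", "sources": ["192.168.10.0/24"], "blocklists": []},
    {"name": "lan-adblock",
     "sources": ["192.168.1.0/26", "192.168.1.128/26", "192.168.1.192/26"],
     "blocklists": ["ads", "malware"]},
]

# Constructed table: the original attempt from post #12 (a /24 plus three hosts).
HOST_EXCEPTION_TABLE = [
    {"name": "lan-adblock", "sources": ["192.168.1.1/24"], "blocklists": ["ads"]},
    {"name": "lan-hosts-passthrough",
     "sources": ["192.168.1.24", "192.168.1.36", "192.168.1.100"], "blocklists": []},
]


def parse_sources(policy) -> List[ipaddress._BaseNetwork]:
    """Turn the source strings into network objects; a bare host becomes /32 or /128,
    and a host-style entry such as 192.168.1.1/24 is normalised to its network."""
    return [ipaddress.ip_network(s, strict=False) for s in policy["sources"]]


def select_policy(client: str, policies=POLICIES) -> Optional[str]:
    """Longest-prefix match: return the name of the policy whose source net
    contains the client most specifically, or None if no entry matches."""
    addr = ipaddress.ip_address(client)
    best, best_len = None, -1
    for policy in policies:
        for net in parse_sources(policy):
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = policy["name"], net.prefixlen
    return best


def blocklists_for(client: str, policies=POLICIES) -> List[str]:
    """Blocklists a client would be filtered with; none if unmatched or pass-through."""
    name = select_policy(client, policies)
    if name is None:
        return []
    return next(p["blocklists"] for p in policies if p["name"] == name)


def mixed_sizes(policy) -> bool:
    """True if one entry mixes protocol families or prefix lengths in its
    source nets, the situation the helptext says to avoid."""
    return len({(n.version, n.prefixlen) for n in parse_sources(policy)}) > 1


if __name__ == "__main__":
    for ip in ("192.168.1.24", "192.168.1.70", "192.168.1.200", "192.168.10.5"):
        print(f"{ip:15} -> {select_policy(ip)} {blocklists_for(ip)}")
    for ip in ("192.168.1.24", "192.168.1.25"):
        print(f"{ip:15} -> {select_policy(ip, HOST_EXCEPTION_TABLE)} (host-exception table)")
```

Running it prints which entry each client lands on. Under the documented rule the three /32 hosts in the second table would win over the /24, so if the tester GUI shows them still inside the /24 policy, the gap is between the documented rule and the shipped matching, which is worth stating in a GitHub issue together with this kind of expected/actual list.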
#13
Quote from: Firewire on November 15, 2025, 10:55:41 AM
Quote from: gspannu on November 14, 2025, 12:44:49 AM
Quote from: Firewire on November 13, 2025, 11:04:11 PM
Thanks so much!
Today a bugfix v0.28.1 version was released, sorry for pinging too early!

Updated...
I'm still only receiving v0.28.0 via OPNsense, no update to be found.
Thanks so much for keeping the packages updated.

Worked fine on my installation.... Try uninstalling & reinstalling again.

Just be sure to disable Blocky first, enable some other DNS server, ensure your internet is working - then delete plugin and reinstall again and see if that helps...
#14
Quote from: Firewire on November 13, 2025, 11:04:11 PM
Thanks so much!
Today a bugfix v0.28.1 version was released, sorry for pinging too early!

Updated...
#15
Quote from: Monviech (Cedrik) on November 13, 2025, 05:20:09 PM
Quote from: gspannu on November 13, 2025, 05:15:30 PM
Quote from: Monviech (Cedrik) on November 13, 2025, 06:38:58 AM
FYI Unbound supports the full source selection with blocklists soon, it's on our roadmap and already merged into master.

@ Monviech (Cedrik)

That will be awesome; have been waiting for this feature for a while now....

If I have understood it correctly, the Unbound plugin will now allow certain clients' DNS queries to be filtered using blocklists and certain clients to just pass through...

Yep, that's correct.

https://github.com/opnsense/core/pull/9301


@ Monviech (Cedrik)
Thanks for the confirmation.

Just another quick question. I presume the source selection will support clients with static IPv4, IPv6 (as well as IPv6 addresses where the IPv6 prefix is dynamic).

e.g. 192.168.1.1/24, 192.168.100.100/32, 10.10.0.4, ::1234, ::00dd

My current dnsmasq hosts are defined as dual-stack with both IPv4 and (prefix style) IPv6 addresses.