"
Thanks for taking the time to answer my questions.
If anyone is successfully using 'no-resolv' in DNSmasq, I'd love to hear from you.
Cheers
If anyone is successfully using 'no-resolv' in DNSmasq, I'd love to hear from you.
Cheers
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
25.1, 25.4 Series / Re: DNSmasq 'no-resolv' issue
June 10, 2025, 02:18:50 AM
Thanks again for the reply.
The docs appear to imply that DNSmasq is used for dhcp. I'm using KEA at the moment and would really rather not go through transferring all my reservations again.
Do you happen to know how to manually restrict the scope of server= to have dnsmasq still perform hostname resolution according to the host overrides list?
Thanks
The docs appear to imply that DNSmasq is used for dhcp. I'm using KEA at the moment and would really rather not go through transferring all my reservations again.
Do you happen to know how to manually restrict the scope of server= to have dnsmasq still perform hostname resolution according to the host overrides list?
Thanks
#3
25.1, 25.4 Series / Re: DNSmasq 'no-resolv' issue
June 09, 2025, 06:19:10 PM
Thanks for replying. I suspect you're correct.
However, I've tried defining local domains (local=/local.domain.1/ local=/local.domain.2/ - on separate lines). I've tried inserting bogus-priv. I've tried defining host overrides in the config (address=/local.domain.1/192.168.x.x). Whatever I do, local hostname resolution breaks.
I'm not a particularly advanced user regarding DNS, would you happen to know how to properly limit the scope of server=?
Cheers
However, I've tried defining local domains (local=/local.domain.1/ local=/local.domain.2/ - on separate lines). I've tried inserting bogus-priv. I've tried defining host overrides in the config (address=/local.domain.1/192.168.x.x). Whatever I do, local hostname resolution breaks.
I'm not a particularly advanced user regarding DNS, would you happen to know how to properly limit the scope of server=?
Cheers
#4
25.1, 25.4 Series / Re: DNSmasq 'no-resolv' issue
June 09, 2025, 03:26:20 AM
Is anyone using 'no-resolv' without any side effects?
#5
25.1, 25.4 Series / DNSmasq 'no-resolv' issue
June 08, 2025, 07:21:47 PM
Hello,
I'm having a strange (I think) issue with DNSmasq. If I set it up to use the servers listed in System/Settings/General, everything works perfectly: I can go out to the internet and resolve local hostnames (as defined by the host overrides).
However, if I create a custom .conf file in /usr/local/etc/dnsmasq.conf.d/ with:
(using the same server that I would put in System/Settings/General), I can still go out to the internet but I lose local hostname resolution despite host overrides being defined.
Is this expected behavior?
Running 25.1.7_4.
Thanks
I'm having a strange (I think) issue with DNSmasq. If I set it up to use the servers listed in System/Settings/General, everything works perfectly: I can go out to the internet and resolve local hostnames (as defined by the host overrides).
However, if I create a custom .conf file in /usr/local/etc/dnsmasq.conf.d/ with:
Code Select
no-resolv
server=<dns server ip>(using the same server that I would put in System/Settings/General), I can still go out to the internet but I lose local hostname resolution despite host overrides being defined.
Is this expected behavior?
Running 25.1.7_4.
Thanks
#6
25.1, 25.4 Series / Is it normal for WireGuard to drop packets during a sustained download?
February 20, 2025, 04:27:09 AM
Hello,
I have a working road warrior WireGuard setup on my OPNsense box. It works well. However, if I do a sustained download when connected to the VPN (that saturates the connection), like a speed test, I can see packet loss on the WireGuard interface, in Interfaces > Diagnostics > Netstat. It's not major, usually 2000 to 3000 packets dropped out of roughly 900000 to 1000000 packets. So we're talking 0.22% or 0.33%. If I don't run a speed test, I get no packet loss at all.
I also have a road warrior IPsec setup on the same box and running a speed test while connected to IPsec does not incur any packet loss.
Is there something about WireGuard that makes it more prone to packet loss than other VPN protocols? I'm pretty sure this isn't a MTU/MSS issue - they've both been lowered to accommodate WireGuard, and were it that, I'd expect to see packet loss all the time, not just during sustained downloads/speed tests.
I'm trying to figure out if there's an issue with my WireGuard setup or if this is normal.
Any insights are welcome.
Thanks
I have a working road warrior WireGuard setup on my OPNsense box. It works well. However, if I do a sustained download when connected to the VPN (that saturates the connection), like a speed test, I can see packet loss on the WireGuard interface, in Interfaces > Diagnostics > Netstat. It's not major, usually 2000 to 3000 packets dropped out of roughly 900000 to 1000000 packets. So we're talking 0.22% or 0.33%. If I don't run a speed test, I get no packet loss at all.
I also have a road warrior IPsec setup on the same box and running a speed test while connected to IPsec does not incur any packet loss.
Is there something about WireGuard that makes it more prone to packet loss than other VPN protocols? I'm pretty sure this isn't a MTU/MSS issue - they've both been lowered to accommodate WireGuard, and were it that, I'd expect to see packet loss all the time, not just during sustained downloads/speed tests.
I'm trying to figure out if there's an issue with my WireGuard setup or if this is normal.
Any insights are welcome.
Thanks
#7
24.7, 24.10 Series / Re: IPSec issues since 24.7.4_1
September 21, 2024, 05:22:13 AM
Update: If I create my connection on the mac (without a profile) it connects. It sends exactly the same proposals as with the profile, so I don't understand why it works. Something appears to have changed in OPNsense's IPSec implementation that doesn't play nice with profiles. Even creating a standard profile with the same values as the connection created in the macOS UI fails to connect.
I want to use the profile because I specify options that are not available in the UI.
Again, any help would be appreciated. And I'm not expecting a "just do this, bro" or "tick this box" response. I guess I'm asking if anything has changed with IPSec in OPNsense since 24.7.4_1. Nothing changed on my end apart from the update.
Cheers
I want to use the profile because I specify options that are not available in the UI.
Again, any help would be appreciated. And I'm not expecting a "just do this, bro" or "tick this box" response. I guess I'm asking if anything has changed with IPSec in OPNsense since 24.7.4_1. Nothing changed on my end apart from the update.
Cheers
#8
24.7, 24.10 Series / IPSec issues since 24.7.4_1
September 21, 2024, 05:05:52 AM
UPDATE: Saved and restored a config (i.e. the exact same settings the box was running prior to restoring) and now it works... Dunno what to say... Maybe something silently went wrong with the update and restoring the config fixed it? I guess there are some things Man is just not meant to know...
Hello,
I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.
I use a configuration profile (.mobileconfig) to setup my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless what you configure in the profile, macOS will send the following proposals to the server:
2024-09-20T22:40:56-04:00 Informational charon 11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
So I made sure the server supported at least one of those:
11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.
I also have a pfSense box that runs the same services and has IPSec setup with the same values and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)
Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?
Any help would be appreciated. Thanks.
Hello,
I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.
I use a configuration profile (.mobileconfig) to setup my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless what you configure in the profile, macOS will send the following proposals to the server:
2024-09-20T22:40:56-04:00 Informational charon 11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
So I made sure the server supported at least one of those:
11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.
I also have a pfSense box that runs the same services and has IPSec setup with the same values and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)
Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?
Any help would be appreciated. Thanks.
#9
23.7 Legacy Series / New IPsec Connections setup for eap-tls
November 29, 2023, 12:19:30 AM
Hello,
Has anyone managed to configure an IPsec tunnel using eap-tls in the new "Connections" tab? There is no tutorial for this setup in the docs, only a legacy example using the old UI. I've tried adapting the tutorial for eap-mschapv2 that exists for the Connections tab to use eap-tls but it fails to connect, always.
I'm wondering if it's supported at this time.
Thanks.
Has anyone managed to configure an IPsec tunnel using eap-tls in the new "Connections" tab? There is no tutorial for this setup in the docs, only a legacy example using the old UI. I've tried adapting the tutorial for eap-mschapv2 that exists for the Connections tab to use eap-tls but it fails to connect, always.
I'm wondering if it's supported at this time.
Thanks.
#10
23.1 Legacy Series / ddclient with NameCheap is broken
May 27, 2023, 12:41:31 AM
Hello,
I hate to add to the ddclient woes, but... While it used to work with NameCheap, it does not anymore. ddclient is setup correctly and runs. But it always fetches the VPN IP address even though the selected interface is WAN. This happens using Interface as the method.
Anyone else experience this? Any workarounds? NameCheap isn't available when selecting the OPNsense backend and using 'custom' doesn't work because you can't select NameCheap as a protocol...
Cheers
I hate to add to the ddclient woes, but... While it used to work with NameCheap, it does not anymore. ddclient is setup correctly and runs. But it always fetches the VPN IP address even though the selected interface is WAN. This happens using Interface as the method.
Anyone else experience this? Any workarounds? NameCheap isn't available when selecting the OPNsense backend and using 'custom' doesn't work because you can't select NameCheap as a protocol...
Cheers
#11
22.1 Legacy Series / Re: os-ddclient
May 10, 2023, 05:19:39 AM
Hey, just something that might be helpful for those who use a dynamic dns service that isn't supported/working properly with ddclient.
I use namecheap, which is only supported using 'ddclient' as the backend. But I have a particular setup in which my "default" gateway is a gateway group comprised of three wireguard gateways. Using 'Interface' as the IP check method and selecting WAN, ddclient always detects my wireguard IP, despite WAN being selected as the interface. It would probably work just fine with a more "vanilla" setup.
Anyway, what I ended up doing and which may be helpful to others, is using dns-o-matic. It's more of a "meta" dynamic dns service in that it can update your IP at your dynamic dns service without you having to switch your dynamic dns provider. I created an account with dns-o-matic. And using dns-o-matic (and configuring ddclient to use dns-o-matic rather than namecheap) detects the correct IP and everything works properly and my IP is updated in my namecheap dashboard. It's not the ideal solution but it works.
Maybe everyone already knows this and I just stated the obvious. But I didn't know and it helped me out.
Cheers
I use namecheap, which is only supported using 'ddclient' as the backend. But I have a particular setup in which my "default" gateway is a gateway group comprised of three wireguard gateways. Using 'Interface' as the IP check method and selecting WAN, ddclient always detects my wireguard IP, despite WAN being selected as the interface. It would probably work just fine with a more "vanilla" setup.
Anyway, what I ended up doing and which may be helpful to others, is using dns-o-matic. It's more of a "meta" dynamic dns service in that it can update your IP at your dynamic dns service without you having to switch your dynamic dns provider. I created an account with dns-o-matic. And using dns-o-matic (and configuring ddclient to use dns-o-matic rather than namecheap) detects the correct IP and everything works properly and my IP is updated in my namecheap dashboard. It's not the ideal solution but it works.
Maybe everyone already knows this and I just stated the obvious. But I didn't know and it helped me out.
Cheers
#12
23.1 Legacy Series / Re: Uber Slow OpenVPN
April 04, 2023, 09:16:51 AM
I doubt there's anything to glean from my server configuration. So it's more about asking if anyone else has ever encountered this with OpenVPN and what they did to resolve it.
Thanks
Thanks
#13
23.1 Legacy Series / Uber Slow OpenVPN
April 04, 2023, 06:25:29 AM
Hi,
I recently transitioned from pfSense to OPNsense and everything works extremely well - except for OpenVPN. While it does work, it's exteremely slow.
I have WireGuard and IPsec (IKEv2) tunnels running on the same box and both WG and IPsec are blazing fast. I understand that OpenVPN is single-threaded and generally slower than the other two protocols. But I believe I should be getting roughly 300 - 400 Mbps with this box. I'm barely getting 80Mbps. With WG and IPsec, I'm getting close to 900Mbps.
My OpenVPN server has pretty much a "vanilla" configuration. Essentially the same settings in pfSense get me 400Mbps, so I'm inclined to believe I should be getting roughly the same speed woth OPNsense.
I've attached a screenshot of my server config. If anyone has any ideas as to what might be bogging OpenVPN down, I'd appreciate it. If any more info is need, I'm happy to provide it.
I'm running OPNsense 23.1.5_4 on a Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz (4 cores, 4 threads).
Cheers.
I recently transitioned from pfSense to OPNsense and everything works extremely well - except for OpenVPN. While it does work, it's exteremely slow.
I have WireGuard and IPsec (IKEv2) tunnels running on the same box and both WG and IPsec are blazing fast. I understand that OpenVPN is single-threaded and generally slower than the other two protocols. But I believe I should be getting roughly 300 - 400 Mbps with this box. I'm barely getting 80Mbps. With WG and IPsec, I'm getting close to 900Mbps.
My OpenVPN server has pretty much a "vanilla" configuration. Essentially the same settings in pfSense get me 400Mbps, so I'm inclined to believe I should be getting roughly the same speed woth OPNsense.
I've attached a screenshot of my server config. If anyone has any ideas as to what might be bogging OpenVPN down, I'd appreciate it. If any more info is need, I'm happy to provide it.
I'm running OPNsense 23.1.5_4 on a Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz (4 cores, 4 threads).
Cheers.
#14
23.1 Legacy Series / Re: Cron jobs not running on schedule
March 20, 2023, 05:22:07 PM
Thanks for looking into this @meyergru.
Turns out you're correct. Looking in System > Log Files > Backend and filtering with the term "alias", shows the job being run every minute, as it should.
I was just looking at the wrong logs. Non-issue.
Thanks again.
Cheers
Turns out you're correct. Looking in System > Log Files > Backend and filtering with the term "alias", shows the job being run every minute, as it should.
I was just looking at the wrong logs. Non-issue.
Thanks again.
Cheers
#15
23.1 Legacy Series / Re: Cron jobs not running on schedule
March 20, 2023, 12:31:00 AM
Firewall > Log Files > General
The job runs every 6 minutes on the dot.
The job runs every 6 minutes on the dot.
