Messages

1

24.1 Legacy Series / Re: Different upstream DNS forwarder depending on source

« on: May 06, 2024, 01:11:25 am »

I'd rather not switch to AdGuardHome. Is it feasible to use dnsmasq on a different port, port forwarded from that network segment? If Unbound doesn't have the functionality, seems the only other way. But not sure if dnsmasq can do DNS over TLS and have a different upstream from the rest of the gateway. Has anyone done this?

2

24.1 Legacy Series / Different upstream DNS forwarder depending on source

« on: May 05, 2024, 04:48:11 am »

I have a few network segments in my home network. I want to be able to use NextDNS filtering for my IOT network that I also use to block specific applications when the kids use the wifi.

I currently can achieve this using the NextDNS command line tool in a docker container. I'm just forwarding all DNS requests from that segment to the docker container on another host. I'd prefer to not use this extra service though as it's just another thing to manage.

Is there any way to configure Unbound to use a different upstream DNS server depending on the source net/IP of the request? If not, is there any other way to have OPNSense achieve the same? Appreciate any suggestions

3

23.1 Legacy Series / WAN interface fails to reconnect after outage

« on: April 14, 2023, 12:25:56 am »

More recent versions of OPNsense appears to have an issue reconnecting the WAN interface after an outage from our provider. I'm using a cable modem that provides DHCP ethernet. In the past I've simply rebooted OPNsense and everything would return to normal. OPNSense is setup as our home gateway, so this solution isn't very wife friendly when I'm away, so it would be ideal if it fixed itself.

I've done some forum digging, and others have put in crontasks to toggle the WAN interface (this and this). When this occurred yday, I tried doing this manually and it didn't work, as the interface ALREADY had the correct DHCP ip address from my provider so nothing really changed.

Doing some more digging, I found the running a RENEW from the Interfaces / Overview / WAN interface page DID solve the issue, with the following in the logs:

Code: [Select]

2023-04-13T19:33:20   Notice   opnsense   /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.   
2023-04-13T19:33:20   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure vpn (execute task : openvpn_configure_do(,wan))   
2023-04-13T19:33:20   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure vpn (execute task : ipsec_configure_do(,wan))   
2023-04-13T19:33:20   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure vpn (,wan)   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure monitor (execute task : dpinger_configure_do(,WAN_DHCP6))   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure monitor (,WAN_DHCP6)   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '159.196.116.1'   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 159.196.116.1   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'   
2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: IP renwal starting (new: 159.196.119.169, old: , interface: WAN[wan], device: vtnet2)   
2023-04-13T19:33:19   Notice   opnsense   /status_interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do(,WAN_DHCP6))   
2023-04-13T19:33:19   Notice   opnsense   /status_interfaces.php: plugins_configure monitor (,WAN_DHCP6)   
2023-04-13T19:33:19   Notice   opnsense   /status_interfaces.php: ROUTING: setting IPv4 default route to 159.196.116.1   
2023-04-13T19:33:19   Notice   opnsense   /status_interfaces.php: ROUTING: IPv4 default gateway set to wan   
2023-04-13T19:33:19   Notice   opnsense   /status_interfaces.php: ROUTING: entering configure using 'wan'   
2023-04-13T19:33:19   Notice   dhclient   Creating resolv.conf   
2023-04-13T19:33:19   Notice   dhclient   New Routers (vtnet2): 159.196.116.1   
2023-04-13T19:33:19   Notice   dhclient   New Broadcast Address (vtnet2): 159.196.119.255   
2023-04-13T19:33:19   Notice   dhclient   New Subnet Mask (vtnet2): 255.255.252.0   
2023-04-13T19:33:19   Notice   dhclient   New IP Address (vtnet2): 159.196.119.169


This line in particular suggests OPNsense didn't think there was ANY IP address associated with the WAN link.

2023-04-13T19:33:19   Notice   opnsense   /usr/local/etc/rc.newwanip: IP renwal starting (new: 159.196.119.169, old: , interface: WAN[wan], device: vtnet2)   

FWIW I have setup a Monitor IP for the Gateway. When returning from an outage, this shows as Online so it appears as OPNsense is aware the connection has returned but doesn't refresh the interface properly and so no routes are refreshed.

Digging further, it appears I can use the CLI to automate the renewal process, by running `configctl interfaces reconfigure wan` either by cron or manually. I CAN do that - but why is OPNsense not doing this automatically? Is this a bug OR am I missing some config somewhere?

4

23.1 Legacy Series / Re: Strange ERR_CONNECTION_CLOSED for one specific site

« on: March 20, 2023, 06:16:01 am »

Writing it down gets the 'ole noggin going.

So I also use ZenArmor and turning this into passthru mode confirmed that it was responsible for the blocking action. Looking at the settings further, I've added that domain to the Allowlist and it's now functioning. The reports show it was being flagged as a 'Potentially Dangerous Site'. Because I'm using the FREE version, there is no block message or template, so it's not clear when ZenArmor is doing this from the request.

5

23.1 Legacy Series / Strange ERR_CONNECTION_CLOSED for one specific site

« on: March 20, 2023, 04:19:39 am »

I'm using OPNsense at home as the border gateway and largely it's working fine. I'm having one strange issue with a single site. If I try and access anything on the 'passport.online' domain in a web browser on multiple clients (only tested Mac, but on Chrome, Safari and Android Chrome) I get an error:

This site can't be reached
stratechery.passport.online unexpectedly closed the connection.

If I tether to my phone's cell network, the issue goes away and the websites work as expected. I'm not using any of the web filtering / outbound proxy functions in OPNsense (Services / Web Proxy is disabled).

I suspect a SSL / certification issue of some sort as the browser reports the web page (eg. https://stratechery.passport.online) is NOT secure. Again, if I simply switch to mobile tethering, same pages are secure, so root certs in Chrome or ay settings on my Mac don't appear to be causing the issue. If I try the same on my phone on the wifi going through OPNsense - it also fails. Suggests to me something in the gateway is causing a problem. The problem occurs whether I'm connected via WIFI or ethernet.

I'm a little stumped. Any suggestions are welcome.