Messages

1

24.1 Legacy Series / Re: Unbound ignores blocklist

« on: April 03, 2024, 02:14:31 pm »

And none of that was clear from the OP, hence why I had originally asked.

It was perfectly clear, this is why I've provided txt files.

2

24.1 Legacy Series / Re: Unbound keep crashing

« on: March 25, 2024, 01:20:57 am »

I was just posting as a counterpoint because I've seen people commenting that the reason unbound isn't working correctly is due to DHCP, DoT, DNSSEC, the upstream resolver, DNSBL, etc.  And I've had none of these issues dispute using all of those.

I did not use DoH/DoT just plain old DNS.

I will note that in the other thread, it seems that a lot of the people having issues with Unbound have a PC directly connected to OPNsense instead of through a switch.  The only direct connects that I have are APs and they're always on, but even so, I've not had a problem when swapping them out.

Since I only have two interfaces everything on the LAN side is behind a switch (or two).

Regarding Unbound temporarily not resolving, enabling the DNS reporting and higher log levels can help with troubleshooting that.  But I would think a new thread would be in order as this one is about Unbound crashing and not just temporarily having an issue.

I agree, a new thread would be needed.

3

24.1 Legacy Series / Re: Unbound ignores blocklist

« on: March 20, 2024, 12:22:41 am »

What do they think they're getting by using a random IP

not random. it is possible to specify the desired ip address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics  )

This is exactly what server behind IP visible on my screenshot does. It's a service provided free of charge by national CERT of Poland.

tested with  https://hole.cert.pl/domains/v2/domains.txt
works

Either 24.1.3_1 or reboots/Unbound reloads fixed it, now it works for me too. Case closed I guess

4

24.1 Legacy Series / Re: Unbound ignores blocklist

« on: March 17, 2024, 03:35:34 pm »

How are you testing?  What leads you to believe that it's not working?

I'm testing by using dig (eg. dig @routerIP notwanted.domain), it should resolve to a predefined IP (as shown on screenshot) effectively blocking that domain. That's what blocklists are for, right?

In regards to your destination IP, what are you expecting to accomplish?

Please read my original post again, it'll clarify everything. By blocking selected domains (or actually redirecting them to "wrong" IP, as shown on screenshot) instead of allowing access to malicious service, let's say a web page something else will be provided by a non-malicious server. Very simple solution.

5

24.1 Legacy Series / Unbound ignores blocklist

« on: March 07, 2024, 01:17:58 pm »

I'm trying to use the blocklist available at https://hole.cert.pl/domains/v2/domains.txt (also https://hole.cert.pl/domains/v2/domains_hosts.txt in hosts format) with Unbound - it is ignored despite using the correct settings. Check hosts version of the blocklist to understand why I've used this exact destination IP.

6

24.1 Legacy Series / Re: Unbound keep crashing

« on: February 22, 2024, 12:20:44 am »

Now Unbound sometimes (twice a day?) just stops resolving (response timeout) and it fixes itself after 5 minutes or so.

This issue persists on 24.1.2

But my Unbound isn't crashing, just not always resolving a domain.

It appears that it doesn't die per se for me too, it just stops resolving whatsoever for few minutes.

The only Unbound issues I've seen with Quad9 are some weirdness with DNSSEC and Quad9 returning different results per resolver.

Neither Cloudflare's 1.1.1.1 nor ControlD at 76.76.2.0 seem to have this issue afaik.

7

24.1 Legacy Series / Re: Unbound keep crashing

« on: February 20, 2024, 10:53:54 pm »

I dont know if this is a unbound or quad9 issue.

It's probably not Quad9 issue. I'm using ControlD as traditional DNS provider, I didn't even bother trying DNS over TLS after very bad experience on OpenWrt (it was painfully unstable).

8

24.1 Legacy Series / Re: Unbound keep crashing

« on: February 20, 2024, 01:18:39 am »

I find that quite often (several times week/day) DNS have stopped working due to Unbound being stopped as well.

Under system->general->logfiles it seems like the reason is a segfault:
<6>pid 57337 (unbound), jid 0, uid 59: exited on signal 11

It has been like this since 23.7 and also now with 24.1.

I have this issue with 24.1.1 and on 23.7.12 it worked fine, rock stable. Now Unbound sometimes (twice a day?) just stops resolving (response timeout) and it fixes itself after 5 minutes or so.

I do not have any blocklists engaged and DNS over TLS isn't used either. There's nothing whatsoever related to Unbound crashing in logs (levels set to default). There's plenty of RAM available (around 6GB out of 8GB) and CPU load is low (around 0.23).

9

23.7 Legacy Series / Re: ses0 device visible in SMART widget

« on: August 03, 2023, 02:20:05 pm »

Yes but.. what is the exact metric for ignoring something that is not a disk after all?

The ses0 device probably can't fail (it's not a real disk) so it can be ignored.

10

23.7 Legacy Series / Re: ses0 device visible in SMART widget

« on: August 02, 2023, 03:58:17 pm »

This is how "smartctl" sees devices and things

I assume this could be safely ignored then (eg. only aesthetic issue). Thanks for rapid reply and have a great day

11

23.7 Legacy Series / ses0 device visible in SMART widget

« on: August 02, 2023, 03:43:59 pm »

Hello,

I've just upgraded my router from 23.1.11_1 to 23.7 release. Everything seems to work fine but I see a non-existent device named ses0 within SMART widget on dashboard. How do I remove it? This device is not visible in SMART menu, just ada0 (SSD system drive, the only storage available for this machine).

Thanks in advance for any help.

12

Hardware and Performance / Re: Which Chromebox for OPNsense?

« on: July 11, 2023, 09:43:06 pm »

A device with two network interfaces will be much better suited alternative to what you've provided. Buy relatively modern (6th gen of Intel CPUs and later will be a great choice, 4th gen if you really need it to be dirt cheap) SFF or even USFF desktop from manufacturer of your choice (HP for example) and install OPNsense on it.

13

Hardware and Performance / Re: Coil whine

« on: July 11, 2023, 09:38:52 pm »

I don't have this device but as far as I can see it has SSD inside and those are known to produce sounds comparable to coil whine during normal operation. Is your environment very silent (eg. enough to hear those faint SSD noises)?

14

23.1 Legacy Series / Re: A newbie issues

« on: April 13, 2023, 06:02:01 pm »

1- i want WebGUI access allow on internet (like my cellphone gsm access to my home opnsense)
2- i want ping hosts in lan (like in lan, ping pc1 to pc2)
3- i want reach lan host to lan2 (like in lan(lan) pc1 to lan2(securitycams) nvrdevice)

1) exposing any administrative panels to the Internet is not a good idea
2) this is default behaviour
3) allow traffic between these networks in firewall rules

15

23.1 Legacy Series / Re: Should I stay in UFS

« on: April 13, 2023, 05:55:30 pm »

Versions = OPNsense 22.7.11_1-amd64
CPU type = Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz (2 cores, 2 threads)
real memory  = 1074790400 (1025 MB)
avail memory = 991195136 (945 MB)

I think you should consider upgrading your hardware at least to meet current hardware requirements (eg. 2GB RAM). Your platform most likely uses DDR3 memory which can be obtained extremely cheap nowadays (eg. less than espresso in semi-decent cafe per gigabyte).

If you can't upgrade then stay on UFS, if you can then get at least 4GB (this should be enough for single 128GB SSD) and migrate to ZFS.