Messages - BlackJoker

#1
Okay, it only needed some time; now it's showing DoT :)
#2
I uninstalled the CLI version and completely removed the configuration using Putty, but it still only supports UDP.
I activated the Unbound Plugin, and here are my settings.
#3
No one can help?
#4
I'd like to mention that I'm accustomed to using the CLI version because of my experience with UDM-Pro from UniFi. The CLI offers a familiar interface and workflow, making it easier for me to manage my network settings effectively.
#5
Hello fellow forum members,

I hope you all are doing well. I've encountered an issue with my OPNsense setup that I'm hoping some of you can help me solve. I've successfully installed the CLI version of NextDNS on my OPNsense router, but I'm having difficulty enabling DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as the protocols.

Setup Details

  • OPNsense version: 23.7.5
  • NextDNS CLI version: 1.41.0
  • Zenarmor is also in use and configured to allow DoH traffic.

Even after installation and configuration, when I visit test.nextdns.io, it shows that my protocol is still UDP. I've also tried disabling Unbound to see if it was causing conflicts, but no luck there.

What I've Tried

  • Checked all NextDNS CLI configurations.
  • Allowed DoH traffic in Zenarmor.
  • Used the bypass function in Zenarmor for test purposes.
  • Restarted OPNsense.
  • Restarted NextDNS service via SSH.

Is there anything specific in the OPNsense settings that I should look for?
Are there any known conflicts with Zenarmor?
What logs should I be looking at to troubleshoot this issue?
Are there specific firewall rules I should be checking?
Any insights or guidance on solving this problem would be greatly appreciated. Thank you for taking the time to read my post and for any help you can provide.



C:\Users\Fabio>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
* Connecting to hostname: 45.90.28.0
* Connecting to port: 443
*   Trying 45.90.28.0:443...
* Connected to (nil) (45.90.28.0) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET /info HTTP/1.1
> Host: dns.nextdns.io
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Timing-Allow-Origin: *
< Date: Wed, 11 Oct 2023 21:17:38 GMT
< Content-Length: 80
<
{"locationName": " Frankfurt, Germany", "pop": "zepto-fra", "rtt": 5740}* Connection #0 to host (nil) left intact
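Added example, not part of the forum post or of the NextDNS tooling: a small Python checker for the two pieces of evidence this post relies on, the test.nextdns.io verdict and the dns.nextdns.io/info reply captured above. The /info document is copied from the curl transcript; the test.nextdns.io samples are constructed, and their field names ("status", "protocol", "profileId", "client") are an assumption about that endpoint's JSON rather than something the post shows. The point it demonstrates is the distinction the poster is chasing: a resolver can reach NextDNS (the /info call succeeds over HTTPS from the PC) while the clients' actual queries still leave the router as plain UDP.

```python
import json

# Constructed samples of a test.nextdns.io reply (field names assumed).
SAMPLE_TEST_UDP = '{"status": "ok", "protocol": "UDP", "profileId": "abc123", "client": "203.0.113.10"}'
SAMPLE_TEST_DOH = '{"status": "ok", "protocol": "DOH", "profileId": "abc123", "client": "203.0.113.10"}'
SAMPLE_TEST_UNCONFIGURED = '{"status": "unconfigured", "client": "203.0.113.10"}'

# The /info body as it appears in the curl transcript in the post.
SAMPLE_INFO = '{"locationName": " Frankfurt, Germany", "pop": "zepto-fra", "rtt": 5740}'

# Transports that carry DNS inside TLS. DOH and DOT are the two the post
# is about; the other two are NextDNS transports added here as an assumption.
ENCRYPTED_PROTOCOLS = {"DOH", "DOT", "DOQ", "DOH3"}

# Generic next checks for each verdict, written from the defender's side:
# the goal is to confirm that client queries are actually encrypted.
NEXT_STEP = {
    "not-nextdns": "Queries are not reaching NextDNS at all: check which resolver "
                   "the client is handed by DHCP and whether Unbound is still answering.",
    "plaintext": "NextDNS answers, but the last hop to it is plain DNS: the CLI "
                 "listener is not in the query path, or clients bypass it on port 53.",
    "encrypted": "Queries are encrypted end to end; nothing to fix on this path.",
}


def classify_protocol(test_json: str) -> dict:
    """Turn a test.nextdns.io reply into a verdict on how the query arrived."""
    data = json.loads(test_json)
    proto = str(data.get("protocol", "")).upper() or None
    if data.get("status") != "ok":
        verdict = "not-nextdns"
    elif proto in ENCRYPTED_PROTOCOLS:
        verdict = "encrypted"
    else:
        verdict = "plaintext"
    return {
        "verdict": verdict,
        "protocol": proto,
        "encrypted": verdict == "encrypted",
        "client": data.get("client"),
        "next_step": NEXT_STEP[verdict],
    }


def summarize_info(info_json: str) -> dict:
    """Extract the point of presence from a dns.nextdns.io/info reply.

    Reaching /info only proves HTTPS to the NextDNS edge works from the
    machine running curl; it says nothing about the protocol the router's
    clients use, which is why both checks are needed.
    """
    data = json.loads(info_json)
    return {
        "pop": data["pop"],
        "location": data["locationName"].strip(),
        "rtt": data["rtt"],  # unit is not stated by the endpoint; reported raw
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TEST_UDP, SAMPLE_TEST_DOH, SAMPLE_TEST_UNCONFIGURED):
        result = classify_protocol(sample)
        print(f"{result['protocol']!s:>6}  {result['verdict']:<12}  {result['next_step']}")
    print(summarize_info(SAMPLE_INFO))
```

Run it with a real reply by feeding the body of `curl -s https://test.nextdns.io` into `classify_protocol`; the "plaintext" branch is the situation described in this post, where the edge is reachable but the protocol field still says UDP.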
#6
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 15, 2023, 09:46:24 AM
I was able to solve my problem by setting up an allow rule between the IoT and Camera VLANs. Additionally, I removed the cameras from the Unifi Controller, restarted the HomePod, and since then, I haven't encountered any issues.
#7
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 12, 2023, 11:51:26 PM
Thank you for your response. I've just tested the Aqara app and can confirm that it streams correctly both over mobile data and VPN, which narrows down the issue to HomeKit.

Your suggestion to go back to basics and verify general traffic between interfaces before diving into HomeKit-specifics is well taken. I haven't yet delved deeply into packet capturing and command-line diagnostics like curl, but I agree that understanding basic traffic flow is essential.

Thanks again for pointing me in the right direction.
#8
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 12, 2023, 11:01:19 PM
Thank you for providing the screenshots; however, they did not resolve the issue I am facing. I attempted implementing an 'any to any' floating rule, but to no avail. Currently, I can only access the HomeKit camera stream when connected to the WiFi network. Neither cellular data nor VPN connections allow for streaming. Moreover, the security system fails to function even when I am connected via WiFi.

I am at a loss regarding how to create the dump. Would anyone have insights or alternative solutions to suggest?
#9
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 12, 2023, 10:33:42 PM
As described, I'm already using the mDNS repeater on all VLAN interfaces and the LAN interface. I'm also using a floating rule for the mDNS port 5353.

I'm already using an any-to-any rule on my LAN and WireGuard interfaces, but I still can't see the HomeKit stream outside my network, even when I'm connected via WireGuard from outside.

I have a camera WiFi which is assigned to my camera VLAN, and I have a main WiFi which is assigned to my LAN interface. All cameras are in the camera subnet, as is the camera WiFi. And I can only see the stream when I'm in that specific WiFi network.
#10
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 12, 2023, 10:23:04 PM
I already have that floating rule with the HomeKit Ports 51826 and 51827 like described above :)
#11
23.7 Legacy Series / Re: Issues with VLANs and HomeKit
October 12, 2023, 10:10:39 PM
Each VLAN has its own interface, and in my UniFi Switch, I have only designated the VLAN IDs as networks. The OPNsense acts as the DHCP IPv4 server. I have already posted the rules above. Only the Main LAN interface has an any-to-any rule.
#12
23.7 Legacy Series / Issues with VLANs and HomeKit
October 12, 2023, 09:53:55 PM
Hello everyone,

I've been encountering a couple of problematic scenarios in my setup and I'm in dire need of some assistance. My network comprises three VLANs: Guest, IoT, and Cameras. I am using OPNsense version 23.7.6 on a local Beelink Mini PC. For network management, I have a UniFi Controller running in a Docker container on my Synology NAS, which resides in the main LAN.

My first hurdle is with the camera access. I can view the cameras on HomeKit only when I'm connected to the Camera WiFi network or in the Main Wifi at Home. However, I want to be able to access them from the IoT and main LAN as well.

The second issue arises when I try to connect to the HomeKit devices remotely either via mobile data or through a WireGuard VPN on my phone; the video stream from the cameras doesn't come through.

Additionally, the security sensors on my Aqara G2 Pro are not functional in HomeKit, which is quite frustrating.
I have the mDNS Repeater activated for all interfaces except WAN, and I have attached my current firewall rules for reference. The HomeKit Ports in the floating rules are 51826 and 51827. My Bridges (ATV 4k and Homepod Mini) are both on the IoT Network.

I've been wracking my brain over these issues and am desperate for a resolution. Your expertise and suggestions on how I could resolve these problems would be immensely appreciated. Thank you in advance for your time and assistance.
#13
Hello everyone,

I have a challenging problem with my OPNsense firewall and am looking for some insights or suggestions. I use a DoorBird door camera in my home network, which I would like to run in a separate VLAN for cameras. However, I run into difficulties when it comes to establishing a direct connection between the OPNsense instance and the DoorBird camera as long as the camera is in my dedicated Camera VLAN.

Interestingly, the direct connection works flawlessly when I move the DoorBird camera into the default LAN subnet. But for various reasons, above all security and organizational ones, that is not desirable.

For troubleshooting I even set up an Allow Any to Any rule in my Camera VLAN, but that did not change anything either. The camera simply does not seem to be able to communicate directly across the VLAN to establish a connection with the OPNsense instance. Instead, a connection is established directly via DoorBird's cloud.

Has anyone perhaps had similar experiences, or does anyone have an idea what could be causing this? Are there special settings in OPNsense or on the DoorBird camera that I should check or adjust to enable communication between the two across the VLAN?

I am very grateful for any help or suggestion. It is quite frustrating that something that seems so simple can lead to such headaches.

Thank you in advance for your time and help!