Messages - this.is.tom

#1
Hi everyone,
I am currently struggling to set up the dynamic DNS update from opnsense to powerdns.

In pdns.conf I added the interface of my FW to allow updates (actually the dhcp request is incoming on other vlans / subnets, this is the GW IP of my opnsense in the network with powerdns).

But all I see is a timeout in the opnsense: Unable to add forward map from hostname.my.domain to 192.168.10.15: timed out

Anyone any idea? I can't really find a tutorial for it.

allow-dnsupdate-from=192.168.1.1,127.0.0.0/8,::1
and I configured:
dnsupdate=yes

I created a tsig key:

pdnsutil list-tsig-keys
Apr 20 16:03:41 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
wck. hmac-sha512. yFHsE/DG45Tb92MK5Ogu+2z2svqSo7OsfphKUw<SECRET>==


No errors in the pdns log:

Apr 20 15:54:23 dns01 systemd[1]: pdns.service: Consumed 9.958s CPU time.
Apr 20 15:54:23 dns01 pdns_server[4456]: Loading '/usr/lib/x86_64-linux-gnu/pdns/libgsqlite3backend.so'
Apr 20 15:54:23 dns01 pdns_server[4456]: Loading '/usr/lib/x86_64-linux-gnu/pdns/libbindbackend.so'
Apr 20 15:54:23 dns01 pdns_server[4456]: This is a standalone pdns
Apr 20 15:54:23 dns01 pdns_server[4456]: Listening on controlsocket in '/run/pdns/pdns.controlsocket'
Apr 20 15:54:23 dns01 pdns_server[4456]: [bindbackend] Parsing 0 domain(s), will report when done
Apr 20 15:54:23 dns01 pdns_server[4456]: [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
Apr 20 15:54:23 dns01 systemd[1]: Starting PowerDNS Authoritative Server...
Apr 20 15:54:23 dns01 pdns_server[4456]: UDP server bound to 127.0.0.1:5300
Apr 20 15:54:23 dns01 pdns_server[4456]: TCP server bound to 127.0.0.1:5300
Apr 20 15:54:23 dns01 pdns_server[4456]: PowerDNS Authoritative Server 4.5.3 (C) 2001-2021 PowerDNS.COM BV
Apr 20 15:54:23 dns01 pdns_server[4456]: Using 64-bits mode. Built using gcc 11.2.0.
Apr 20 15:54:23 dns01 pdns_server[4456]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to th>
Apr 20 15:54:23 dns01 pdns_server[4456]: [webserver] Listening for HTTP requests on 192.168.2.11:8081
Apr 20 15:54:23 dns01 pdns_server[4456]: Creating backend connection for TCP
Apr 20 15:54:23 dns01 pdns_server[4456]: About to create 3 backend threads for UDP
Apr 20 15:54:23 dns01 systemd[1]: Started PowerDNS Authoritative Server.
Apr 20 15:54:23 dns01 pdns_server[4456]: Done launching threads, ready to distribute questions
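An added diagnostic (my example, not from the post or from PowerDNS) for the timeout above: it parses the quoted pdns.conf lines and the startup log and checks two things that the posted material lets one verify offline, whether the update's source address is permitted by allow-dnsupdate-from and whether a pdns DNS listener is actually bound on the address and port the update is sent to. The source 192.168.1.1 and the destination 192.168.2.11:53 used in the checks are assumptions; the posted log shows DNS bound only to 127.0.0.1:5300.

```python
import ipaddress
import re

# Constructed from the post: its two pdns.conf lines and three lines of its startup log.
PDNS_CONF = """\
dnsupdate=yes
allow-dnsupdate-from=192.168.1.1,127.0.0.0/8,::1
"""
PDNS_LOG = """\
Apr 20 15:54:23 dns01 pdns_server[4456]: UDP server bound to 127.0.0.1:5300
Apr 20 15:54:23 dns01 pdns_server[4456]: TCP server bound to 127.0.0.1:5300
Apr 20 15:54:23 dns01 pdns_server[4456]: [webserver] Listening for HTTP requests on 192.168.2.11:8081
"""
BOUND_RE = re.compile(r"(UDP|TCP) server bound to (\S+):(\d+)$")

def parse_conf(text):
    """key=value settings of pdns.conf, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_listeners(log):
    """(proto, address, port) for each DNS listener pdns reports at startup; other lines are ignored."""
    found = []
    for line in log.splitlines():
        m = BOUND_RE.search(line)
        if m:
            found.append((m.group(1), ipaddress.ip_address(m.group(2).strip("[]")), int(m.group(3))))
    return found

def source_allowed(conf, src_ip):
    """True if dnsupdate is on and src_ip matches an allow-dnsupdate-from entry (bare IPs = one host)."""
    src = ipaddress.ip_address(src_ip)
    entries = [e.strip() for e in conf.get("allow-dnsupdate-from", "").split(",") if e.strip()]
    return conf.get("dnsupdate") == "yes" and any(
        src in ipaddress.ip_network(e, strict=False) for e in entries)

def update_reachable(listeners, dst_ip, dst_port):
    """True if some pdns DNS listener is bound to the address:port the update is sent to."""
    dst = ipaddress.ip_address(dst_ip)
    return any(port == dst_port and ip.version == dst.version and (ip == dst or ip.is_unspecified)
               for _proto, ip, port in listeners)
```

With the posted values, source_allowed passes for 192.168.1.1 while update_reachable fails for 192.168.2.11:53, which is consistent with a client that never gets an answer.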
#2
This is the config.
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
   log {
      output net unixgram//var/run/caddy/log.sock {
      }
      format json {
         time_format rfc3339
      }
   }

   servers {
      protocols h1 h2 h3
   }

   email security@example-1.com
   auto_https off
   grace_period 10s
   import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "79179cc0-6ab4-4a49-9d79-5d58cf46062a"
drive.example-1.com {
   tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

   handle {
      reverse_proxy 192.168.1.110:10003 {
         transport http {
            tls
            tls_insecure_skip_verify
         }
      }
   }
}
# Reverse Proxy Domain: "cfb6ccd1-1006-453b-92f6-1d449b125935"
data.example-1.com {
   tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

   handle {
      reverse_proxy 192.168.1.110:5001 {
         transport http {
            tls
            tls_insecure_skip_verify
         }
      }
   }
}
# Reverse Proxy Domain: "03f9ea48-f45d-4609-9df8-01bdba6806ed"
file.example-1.com {
   tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

   handle {
      reverse_proxy 192.168.1.110:7001 {
         transport http {
            tls
            tls_insecure_skip_verify
         }
      }
   }
}
# Reverse Proxy Domain: "0a5d6560-cd3b-44a3-8d34-fd86f6e7b37e"
photos.example-1.com {
   tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

   handle {
      reverse_proxy 192.168.1.110:5003 {
         transport http {
            tls
            tls_insecure_skip_verify
         }
      }
   }
}
# Reverse Proxy Domain: "a76af138-0c5c-453d-80d0-e21bd176672a"
photos.example-2.my {
   tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

   handle {
      reverse_proxy 192.168.1.110:5003 {
         transport http {
            tls
            tls_insecure_skip_verify
         }
      }
   }
}

import /usr/local/etc/caddy/caddy.d/*.conf
#3
Hi everyone,

I just set up caddy and it works totally fine - for one domain.

The second domain always fails on the external interface.

I have two domains:
image.example1[.]com
image.example2[.]com

Both point to the same reverse proxy (caddy).

image.example1[.]com - works totally fine. EDIT: Doesn't work anymore. Only when this DNS resolves to the internal interface of the FW.
image.example2[.]com - results in a server connect error.

If I test it from my internal network, setting up a local DNS resolver pointing image.example2[.]com to the internal interface of my FW, it works totally fine.

So the firewall accepts the requests for this hostname / domain. Internally it works. Externally it fails.

Duplicating the caddy configuration from the example2 domain to example1 (which works with multiple sites), it works totally fine.

There must be something wrong with the domain. But I have no idea why. I verified it multiple times in my local DNS, my public DNS etc.

Any input is highly appreciated! I am totally lost on this one.

Tom

EDIT: Now the same hostname on both different domains doesn't work externally.

Having DNS for image.example1[.]com and image.example2[.]com pointing to the internal interface of the FW - All good!

Having DNS for image.example1[.]com and image.example2[.]com pointing to the external interface of the FW - Can't connect to server!
#4
Hi Mombro,
glad I am not the only one being confused ::)

I am also struggling with the unclear terms and how they are supposed to be configured.

I found the same references as you did, but nothing has worked so far. If I make some progress I will keep you posted!
#5
Hello everyone,
I am trying to get Wireguard up and running for days and I am lost now.

The Wireguard setup has been configured according to: https://docs.opnsense.org/manual/how-tos/wireguard-client.html#
The tunnel address of the instance is 192.168.1.0/24
For the peer I added 192.168.1.10/32 (the same IP I use on my client) and I add 0.0.0.0/0 (because I don't want split tunneling but everything to go through the tunnel).

I added the NAT and Firewall rules as well.

When I connect via the official Wireguard client on my MacBook it appears to be working. However, I am unable to access any resources, neither internal ones (10.0.1.0/24) nor any public ones like 9.9.9.9 for DNS or any URLs.

The client configuration is:
[Interface]
PrivateKey = SECRET=
Address = 192.168.1.10/32
DNS = 10.0.1.20

[Peer]
PublicKey = PUBKEY=
AllowedIPs = 0.0.0.0/0
Endpoint = My-public-IP-of-OPNsense:51820


Anyone any idea what could be the issue here or where to look for more info?

Thanks in advance!
Tom

PS: It seems like some automatic NAT rules or something similar are causing even more issues. As soon as I connect one client for a test via Wireguard, disconnect the client and try to access the internet, everything fails. Not only for this client, but for all devices on my network.
The only solution is to disable the Wireguard interface on the opnsense.
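An added check (my example, not from the post or from OPNsense) for the peer settings described above: it parses the posted client config and tests the server-side peer's AllowedIPs against WireGuard's cryptokey routing rule, under which a peer's AllowedIPs is both the inbound source filter for that peer and the set of destinations routed to it. The tunnel range and the server-side AllowedIPs are taken as the post describes them; the client keys are the post's own placeholders.

```python
import ipaddress
# Constructed from the post: instance tunnel range, server-side peer AllowedIPs, client config as posted.
SERVER_TUNNEL = "192.168.1.0/24"
SERVER_PEER_ALLOWED_IPS = ["192.168.1.10/32", "0.0.0.0/0"]
CLIENT_CONF = """\
[Interface]
PrivateKey = SECRET=
Address = 192.168.1.10/32
DNS = 10.0.1.20

[Peer]
PublicKey = PUBKEY=
AllowedIPs = 0.0.0.0/0
Endpoint = My-public-IP-of-OPNsense:51820
"""
def parse_wg_conf(text):
    # Minimal parser for WireGuard's INI-style config: {section: {key: value}}.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_server_peer(tunnel, allowed_ips):
    """Flag server-side AllowedIPs entries that are more than the peer's own tunnel address:
    0.0.0.0/0 there hands the default route to one client; other ranges must sit inside the tunnel."""
    tunnel_net = ipaddress.ip_network(tunnel)
    findings = []
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: default route would be sent to this single peer")
        elif not net.subnet_of(tunnel_net):
            findings.append(f"{entry}: outside the tunnel range {tunnel}")
    return findings

def check_client(conf, tunnel, server_allowed_ips):
    """The client's Address must lie in the tunnel range and be listed in the server-side peer."""
    addr = ipaddress.ip_interface(conf["Interface"]["Address"])
    findings = []
    if addr.ip not in ipaddress.ip_network(tunnel):
        findings.append(f"client Address {addr} is outside the tunnel range {tunnel}")
    if not any(addr.ip in ipaddress.ip_network(e, strict=False) for e in server_allowed_ips):
        findings.append("server-side peer AllowedIPs does not include the client's tunnel address")
    return findings
```

The client's own [Peer] AllowedIPs = 0.0.0.0/0 is the normal full-tunnel setting and is not flagged; only the server-side copy of it is.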
#6
Hello there,
I just got my first OpnSense (DEC850v2).

The problem is that my WAN port only gets an IPv6 address, but no IPv4.
I have waited for 8h to ensure the DHCP lease from my ISP is timed out, I have power cycled the fiber modem and the OpnSense - all without effect.

Something I see in the logs is a lot of "2024-03-01T05:02:58   Error   dhclient   send_packet: No buffer space available".

I found this Netgate page: https://docs.netgate.com/pfsense/en/latest/troubleshooting/buffer-space-errors.html?highlight=buffer

The WAN port is assigned to ax0 and I use the SFP module recommended by my ISP: Optik-1GSFPBiDiLX/S.B1312.10.XDL

Does anyone have any idea?

Thanks in advance!

Tom

[EDIT]
I tested the old configuration and used the CAT cable from the media converter. And all of a sudden it works. The WAN int gets IPv4 and IPv6 and routing works.

Does anyone have any idea what this could be? Why does IPv6 arrive on the SFP but no IPv4, while with copper everything works?