Messages

Hi,

Thank you for the clarification, that makes sense now.
I appreciate the quick and detailed response.

Hi,

Thanks a lot for creating this plugin. It can be a great addition to OPNsense

I've installed the Q-Feeds Connector plugin on OPNsense Business 25.10_2. At first glance it seems to work, but the blocklist doesn't show up in the Unbound DNS > Blocklist section.

In the Feeds tab, "Malicious domain names" is up to date, and "Register domain feeds" is checked.

Restarting the Unbound DNS service doesn't make the blocklist appear.
Restarting the firewall doesn't fix the issue either.

According to the plugin documentation, the domain feeds should appear in Unbound once "Register domain feeds" is enabled and Unbound blocklists are active, but that doesn't seem to be happening here.

Hi Steffen,

Thanks for your feedback. 
I submitted the file to various vendors so that it would be less likely to be detected as malware.
The program can still be launched directly from the sources with Python.

Hey,

I was looking for a simple solution to view past firewall logs on the firewall, but displaying them in plain view is pretty much unusable.
So I created a small application with a GUI to import the data locally and process it easily on your PC without having to set up a syslog/graphana solution.

I think this could be useful to others, so you can find it on GitHub.

https://github.com/Shayano/opnsense-log-viewer

ps: Retrieving label information via root is not very elegant, so if you have a better suggestion, I'm all ears.

Hi there,

Very happy that there is finally a simple way for users to manage their own TOTP tokens and Openvpn file downloads.

There are a few things that could be improved though.

• If users authenticate via LDAP, it's not possible to hide the "Account" tab, which would be preferable to prevent them from having the impression that they can change their password when they can't.
• The "welcome message" doesn't take line breaks into account; it would be interesting if it did, for better legibility and maybe html links.
• End users do not need to access the online resources (Help) visible in the left-hand menu. Unless this can be configured for OpenVPN configuration, for example.

It's all about the details, but it's for a better user experience.
Do you have any other ideas for improvement or feedback?

Hi, the problem is still there Opnsense business when ugprade from 24.10.1 to 24.10.2
More than half of my installations are blocked on

Code Select Expand

Stopping crowdsec.
Waiting for PIDS: 14449.
Waiting for PIDS: 92556
On the crowdsec thread it says it's been fixed since community 24.7.6
https://discourse.crowdsec.net/t/bug-opnsense-24-7-5-crowdsec-1-6-3/2057

Business 24.10.2 is based on community 24.7.12, so this should be fixed, but it doesn't seem to be the case.

Does anyone else have the problem?

[1. Create Aliases for Each wildcard]

Hi, there,

The post is old, but I'll take the liberty of replying to it as I've been faced with the same problem. I was able to solve it based on other forum user entries.
Unfortunately it requires some tweaking to use wildcard domains.

References
- https://github.com/opnsense/core/issues/4145
- https://gist.github.com/PiDroid-B/078198bc84c1e8451d5fd331b46b332d

1. Create Aliases for Each wildcard

For each domain that uses a wildcard, create two aliases "External (advanced)" (e.g., _a and _b).
Then create a "Host(s)" alias containing the two externals created above.

Example Aliases for Multiple Domains:

- Microsoft_IPs_a External (advanced)
- Microsoft_IPs_b External (advanced)
- Microsoft_IPs Host(s)

2. Configure DNSMASQ on Port 53530

•   Navigate to Services > DNSMASQ in the OPNsense web interface.
•   Set DNSMASQ to listen on port `53530`.

Edit the DNSMASQ Configuration File

Access the firewall via CLI/SSH and edit the DNSMASQ configuration:

Code Select Expand

vi /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf
Example Configuration File:
Replace the domain names and alias names with those relevant to your environment.

Code Select Expand

# Add the response for certain A/AAAA lookups to an OPNsense alias
ipset=/microsoft.com/windowsupdate.com/windows.net/Microsoft_IPs_a,Microsoft_IPs_b

# Uncomment these if Unbound is still your primary DNS server; otherwise, it may cause a loop
no-resolv
server=1.1.1.2
server=1.0.0.2
server=9.9.9.9
server=149.112.112.112
3. Configure Unbound DNS to Use DNSMASQ for specific domain resolution

Unbound DNS will forward specific queries to DNSMASQ to handle the aliases.
Navigate to Services > Unbound DNS > Overrides and create an entry in "Domain Overrides".

Example Entry:

Domain: microsoft.com
IP: 127.0.0.1@53530

Domain: windowsupdate.com
IP: 127.0.0.1@53530

Domain: windows.net
IP: 127.0.0.1@53530

4. Create a Cron Job to Flush Alias Entries

To prevent aliases from growing indefinitely and containing obsolete data, set up a cron job to flush the alias entries periodically (e.g., every 48 hours).
Create the Action Configuration File

Code Select Expand

vi /usr/local/opnsense/service/conf/actions.d/actions_alias-flush.conf
Add the Following Content:**

Code Select Expand

[flush]
command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/alias-flush.sh
parameters: %s
type:script_output
message:Alias IPs flushed
description:Flush IPs from alias
Reload the system to make the cron job task appear

Code Select Expand

service configd restart
5. Create the Flush Script

This script will handle flushing the IPs from the specified alias.

Code Select Expand

vi /usr/home/alias-flush.sh
Add the Following Content:

Code Select Expand

#!/bin/sh
# Check if the alias name is provided as a parameter
if [ -z "$1" ]; then
    echo "Error: No alias name provided."
    exit 1
fi

ALIAS_NAME="$1"

pfctl -t "$ALIAS_NAME" -T flush

if [ $? -eq 0 ]; then
    echo "Alias '$ALIAS_NAME' flushed successfully."
    exit 0
else
    echo "Error while flushing alias '$ALIAS_NAME'."
    exit 1
fi
Make the Script Executable

Code Select Expand

chmod 755 /usr/home/alias-flush.sh

6. Schedule the Cron Jobs for Each Alias

Create cron job for each alias to flush them alternately (e.g., *_a` and *_b`) every 48 hours.
This rotation ensures that the aliases do not accumulate obsolete data.

Example Cron jobs:

Code Select Expand

enabled: Check
Minutes: 4
Hours: 3
Days of the months: *
Months: *
Days of the week: 1,3,5,7
Command: Flush IPs from alias
Parameters: Microsoft_IPs_a (Must be the exact name of you external alias)
Description: Flush -  Microsoft_IPs_a


Code Select Expand

enabled: Check
Minutes: 5
Hours: 3
Days of the months: *
Months: *
Days of the week: 2,4,6
Command: Flush IPs from alias
Parameters: Microsoft_IPs_b (Must be the exact name of you external alias)
Description: Flush - Microsoft_IPs_b
7. Configure Firewall Rules Using the Aliases

Create firewall rules based on your requirements and use the combined aliases.
When users perform DNS resolutions, the aliases will dynamically populate with the relevant IPs.

If Unbound has a cached resolution, the request might not be forwarded to DNSMASQ, preventing the client from communicating with the desired IP.
To resolve this issue, restart the Unbound service to clear the cache.

Hi,  :)

I use the Business version and the Extended Blocklists function.

Would it be possible to add Blocklists manually as in "Services > Unbound DNS > Blocklist"?
If at least it were possible to add lists yourself, that wouldn't be a problem, but unfortunately it's not possible at the moment. Or at least I haven't found out where.

The main lists on offer today come from blocklistproject, some of which haven't been updated in over a year or more. The project no longer seems to be actively maintained

Would it be possible to add (via the CLI) additional blacklists for Extended Blocklists?

Open to any proposal other than the use of Zenarmor  :P

This project seems to be up to date
https://github.com/hagezi/dns-blocklists

Regards