Messages - FredFresh

#1
25.7, 25.10 Series / Re: Create a cron job
November 07, 2025, 02:07:49 PM
I created the file actions_VPN_GW_CZ_routes.conf in /usr/local/opnsense/service/conf/actions.d

Inside there is this:

[trace]
command:traceroute -s 192.168.2.1 10.2.2.1
parameters:
type:script
message:automatic traceroute to VPN CZ gateway
description:automatic traceroute to VPN CZ gateway

I restarted the service using
service configd restart

I can see the new line in the CRON drop-down menu.

But if I try to run
configctl VPN_GW_CZ_routes trace

it returns
Action not allowed or missing

What am I doing wrong?
Thanks
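The action file above follows the configd layout from the linked documentation: one INI section per action, colon-separated keys, and a filename of the form actions_<namespace>.conf that becomes the first argument to configctl (configctl <namespace> <section>). The following script is an added example, not code from the forum post or from the OPNsense project: it parses such a file, derives the configctl command each section exposes, and reports sections whose documented keys are missing or whose command is empty. It uses Python's configparser as an approximation of configd's own parser (an assumption), and treating only 'command' as mandatory is a choice of this example, not a documented configd rule.

```python
"""Lint an OPNsense configd action file and list the configctl commands it defines.

Added example (not from the forum post or the OPNsense project). Assumes the
documented layout: INI sections, 'key:value' lines, and the filename convention
actions_<namespace>.conf -> 'configctl <namespace> <section>'.
"""
import configparser
import os
import re

# Keys shown in the configd documentation's action example. Only 'command' is
# treated as mandatory here; that is an assumption of this example.
DOCUMENTED_KEYS = ("command", "parameters", "type", "message", "description")

# Constructed sample: the action file from the post above, embedded as a string.
SAMPLE_FILENAME = "actions_VPN_GW_CZ_routes.conf"
SAMPLE_CONTENT = """\
[trace]
command:traceroute -s 192.168.2.1 10.2.2.1
parameters:
type:script
message:automatic traceroute to VPN CZ gateway
description:automatic traceroute to VPN CZ gateway
"""


def namespace_from_filename(filename):
    """Map actions_<ns>.conf to the configctl namespace <ns>; None if the name does not fit."""
    m = re.fullmatch(r"actions_(.+)\.conf", os.path.basename(filename))
    return m.group(1) if m else None


def parse_actions(content):
    """Parse the INI-style file into {section: {key: value}}.

    configparser accepts both '=' and ':' as key/value delimiters by default and
    splits on the first one it meets, so a command containing '=' stays intact.
    Interpolation is disabled so '%' in a command is not treated specially.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(content)
    return {section: dict(cp[section]) for section in cp.sections()}


def lint_actions_file(filename, content):
    """Return (configctl_commands, findings) for one action file."""
    findings = []
    ns = namespace_from_filename(filename)
    if ns is None:
        findings.append(f"{filename}: name must match actions_<namespace>.conf")
        return [], findings

    commands = []
    for section, keys in parse_actions(content).items():
        if not keys.get("command", "").strip():
            findings.append(f"[{section}]: 'command' is empty or missing")
            continue
        missing = [k for k in DOCUMENTED_KEYS if k not in keys]
        if missing:
            findings.append(f"[{section}]: keys not set: {', '.join(missing)}")
        commands.append(f"configctl {ns} {section}")
    return commands, findings


if __name__ == "__main__":
    cmds, notes = lint_actions_file(SAMPLE_FILENAME, SAMPLE_CONTENT)
    print("\n".join(cmds))
    for note in notes:
        print("note:", note)
```

Running it on the sample prints `configctl VPN_GW_CZ_routes trace` with no findings, which confirms that the filename and section name in the post line up with the command that was tried; whatever configd rejected is therefore not visible in the file's syntax alone, and the next place to look is configd's own log after the restart.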
#2
25.7, 25.10 Series / Re: Create a cron job
November 06, 2025, 10:10:44 PM
yes
#3
25.7, 25.10 Series / Re: Create a cron job
November 06, 2025, 10:04:20 PM
Yes, sorry, I just pasted the example from the FreeBSD page.

The command would be something like traceroute -g 192.168.2.1 172.16.7.1 (where both these addresses are from internal subnets).
#4
25.7, 25.10 Series / Re: Create a cron job
November 06, 2025, 10:00:00 PM
A is a gateway and B is an IP.

Maybe I found a suitable possible example:

traceroute -g 10.3.0.5 128.182.0.0

Would this work, considering 10.3.0.5 the gateway and 128.128.0.0 the IP?

thanks
#5
25.7, 25.10 Series / Re: Create a cron job
November 06, 2025, 09:45:39 PM
Hi Franco, yes, I understand the guide (I already used it), but I do not know how to properly populate the .conf file with the command that performs the traceroute from A to B.

Thanks
#6
25.7, 25.10 Series / Create a cron job
November 06, 2025, 09:02:06 PM
Hi, I want to create a job following this https://docs.opnsense.org/development/backend/configd.html
that periodically performs a traceroute from internal gateway A to internal IP B.

Can you help me understand how to fill the .conf file for this?

Thanks
#7
Did you go to system-settings-cron and add a new job using "Update and reload firewall aliases"?

Just remember to set the time when this task shall run.
#8
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 08:53:05 PM
Inside the wireguard gateway settings, "Disable Host Route" was flagged or not?

I found that opnsense has some problem with that option, therefore I flag it AND I create a dedicated static routing (be aware that you shall restart opnsense in order to get it working).
#9
Solution found: services->unbound dns->general (advanced): if you select interfaces in the "Outgoing Network Interfaces", the system reaches the DNS server on every outgoing interface.
Instead, if you de-select all of them and "All (recommended)" appears as the choice, only the effective outgoing interface is used.
#10
@bringbacklanparties and now I thank you, because without the "ALL (recommended)" but specifying the single gateways, the unbound DNS was sending requests outside on all of those gateways in parallel :)
#11
Again, you are replying with things not relevant for my question.
#12
Question 1:
Quote from: userOne on October 09, 2025, 10:00:19 PM
Redirect rule on lan1-lan10 to catch dns: IPv4 TCP/UDP    *    *    127.0.0.1    53 (DNS)    *    *
How can this intercept the internal DNS queries if they are directed to the subnet gateway IP and not to 127.0.0.1?

Question 2:
Quote from: userOne on October 09, 2025, 10:00:19 PM
dns1: 192.168.0.2 failover on 4 wg-tunnels
dns2: 192.168.0.3 failover on 4 (different) wg-tunnels
I think there is something wrong here; I mean that the authoritative DNS server address should be here.

Again, my issue is not the dns queries from devices but from the firewall itself. All the devices queries are already redirected to the firewall itself.
#13
Hi, the VPNs are all WireGuard.

I think that what you suggested can work if I have to redirect the dns queries from a device in the subnet, but my intention is to route the unbound queries to the authoritative DNS server.

The queries are coming out from 127.0.0.1 and there are no queries going inside gateways but only going out, therefore a firewall rule is not able to redirect but only to block (at least this is what I understood so far).
#14
I thought that the only service usable for this was Maxmind. I don't see ipinfo mentioned here https://docs.opnsense.org/manual/aliases.html#geoip
#15
Hi, I have a WAN connection + 3 different VPNs (to external providers like NordVPN or similar).

The connection to outside is managed using a different priority of the gateways (each one can be the default gateway).

I use Unbound DNS:
- I set the WAN + the 3 VPNs as "Outgoing Network Interfaces"
- I start the test here: dnsleaktest.com
- that site is able to identify the country of each of the three VPNs

Shouldn't Unbound DNS use only one connection to the authoritative DNS server?

I tried to select only one of the VPNs, and the DNS leak test identifies only that country (DNS server located in that country).
I tried to create a gateway group and use that as the outgoing interface, but it was not shown in the drop-down list.

Thank you for helping me understand this.

EDIT: @Franco, could you provide feedback on this? Otherwise I would say this is an unexpected behaviour/bug and I would open a bug on GitHub.