Messages - jata

#1
I have netflow enabled and outputting to influx via telegraf. Seems to be working fine but...

I don't really capture the data I expected, so I probably misunderstand, and I was hoping to get some help here.

What I want to visualise is internet usage (data rate) for a single client - for testing I am using MB/hr.

To achieve this I am using bytes_in where dest = ip and bytes_out where source = ip (sum grouped by hour)

but I am only getting a fraction of the data rate I expect.

Has anyone set this up and can explain what I am doing wrong?

and I have tried many different combos of bytes_in, bytes_out, dest/source, etc.

#2
Thanks. Will remove it from test. Not using it
#3
Actually I see that the os-bind plugin is installed in my test opnsense.

Maybe I installed the package myself at some point for testing.

Should I have os-bind plugin on my prod system?
#4
Hi all,

Just by coincidence I noticed that my prod (baremetal) opnsense 25.7.1 install does not have the bind920 package (BIND DNS suite with updated DNSSEC and DNS64), while my testing opnsense setup (VM) has the package installed, and the test system is a very basic vanilla install without any plugins.

Thoughts?
#5
Thanks.

Yes, this is all just for learning, but I see that the WAN setup on the test network makes it tricky.

I thought it might be possible using an outbound NAT rule on the home network but I can't get it working.

Appreciate the help and thanks again.
#6
I am a network / opnsense newbie and I am learning by using an isolated opnsense firewall/network using a VM environment.

I have this all working nicely - see architecture attached - don't laugh too much

I can easily access the home network from the test network (and I expected this as it is 'upstream').

What would I need to do to be able to access devices in test network from home?

Is a VPN the only way?

#7
Using opnsense 25.7 with dnsmasq/unbound.

I have noticed that my wife's work laptop is spamming the dnsmasq log with a warning every 5 seconds.

I see this is related to the work laptop having an FQDN that is different to my home network. But why is this happening every 5 seconds?

Any way to turn off this type of log?

Warning    dnsmasq-dhcp    Ignoring domain au.xxxxx.net for DHCP host name xxxx
#8
I think this is how I 'should' have set it up in the first place with ISC but I was a complete newbie then (still am haha).

Thanks again everyone who has chipped in to help.

I think I have now successfully migrated to 25.7 and dnsmasq.
#9
Thank you @cookiemonster!

That was it. I just needed to add the VLAN IP in the adguard config yaml, to the dns bind_hosts. See below:

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:8083
  session_ttl: 720h
users:
  - name: [redacted]
    password: [redacted]
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
    - 192.168.20.1
    - 192.168.30.1
  port: 53

#10
Thanks all for help.

For testing I have both main network (VLAN1 192.168.1.1/24) and guest network (VLAN20 192.168.20.1/24) fully open with one rule (allow all to all). See screenshot.

Adguard is installed on the main network in opnsense, so it is listening on the following addresses:
127.0.0.1
192.168.1.1

It was set up this way and working when using ISC for DHCP. I think I was able to configure ISC for the guest VLAN to use 192.168.1.1 as the gateway and DNS. So maybe this is the key difference that made it work using ISC, but I need to change my setup for dnsmasq.

I will try editing the adguard config file to include 192.168.20.1 as a listening address.
#11
OK thanks. I will remove the dhcp options as suggested.

Is it expected that when I connect a client to the VLAN20, the dhcp network settings are showing 192.168.20.1 as gateway and for dns? I expected them to be 192.168.1.1 (VLAN01 - lan)?

What should I be looking for to fix DNS? I followed the dnsmasq and config example precisely (and everything was working correctly with ISC dhcp).

The main difference now is that I have the DNS query forwarding to dnsmasq from unbound - see screenshot attached
#12
Thanks for helping. Much appreciated.

dnsmasq.conf attached

#13
Quote from: julsssark on July 24, 2025, 04:29:14 PM
I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that vlan, and did you set the "dns-server [6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that vlan.

Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.

This is what I have done. Using the two dhcp options as you have suggested.

Good that I am on the right track.

Looks like I have another issue where these dhcp options are not being set.

Can you post a screenshot of the gui showing the dhcp options please?
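Added example (written for this page; not code from the thread, OPNsense or AdGuard Home): a stdlib-only Python check for the mismatch in posts #9, #10 and #13, where DHCP points VLAN clients at a DNS address that AdGuard Home is not bound to. It reads dns.bind_hosts from an AdGuardHome.yaml fragment and the dns-server option dnsmasq advertises per tag, and reports every (tag, address) pair AdGuard would not answer on; the tag names, the sample config lines and the `unreachable_dns` helper are assumptions.

```python
# Constructed sample data (not copied from the thread): AdGuard Home's
# dns.bind_hosts list as it stood before the fix, plus dnsmasq dhcp-option
# lines of the kind discussed (router [3] and dns-server [6] per VLAN tag; tag names assumed).
ADGUARD_YAML_BEFORE = """dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
  port: 53
"""
DNSMASQ_CONF = """dhcp-option=tag:lan,option:dns-server,192.168.1.1
dhcp-option=tag:vlan20,option:router,192.168.20.1
dhcp-option=tag:vlan20,6,192.168.20.1
"""

def parse_bind_hosts(yaml_text):
    """Collect the '- <ip>' items under 'bind_hosts:' by indentation (no YAML library needed)."""
    hosts, indent = [], None
    for line in yaml_text.splitlines():
        cur, text = len(line) - len(line.lstrip()), line.strip()
        if text == "bind_hosts:":
            indent = cur
        elif indent is not None and text and cur <= indent:
            break  # dedented past the list: left the bind_hosts block
        elif indent is not None and text.startswith("- "):
            hosts.append(text[2:].strip())
    return hosts

def parse_dhcp_dns_servers(conf_text):
    """Map each dnsmasq tag to the DNS servers it advertises (option:dns-server or numeric 6)."""
    servers = {}
    for line in conf_text.splitlines():
        if not line.startswith("dhcp-option="):
            continue
        parts = line[len("dhcp-option="):].split(",")
        tag = parts.pop(0)[len("tag:"):] if parts[0].startswith("tag:") else "(untagged)"
        if parts and parts[0] in ("option:dns-server", "6"):
            servers.setdefault(tag, []).extend(parts[1:])
    return servers

def unreachable_dns(bind_hosts, dhcp_dns):
    """(tag, ip) pairs where clients are told to use a DNS address AdGuard is not bound to."""
    if "0.0.0.0" in bind_hosts:  # wildcard bind covers every interface address
        return []
    return [(tag, ip) for tag, ips in dhcp_dns.items() for ip in ips if ip not in bind_hosts]

if __name__ == "__main__":
    gaps = unreachable_dns(parse_bind_hosts(ADGUARD_YAML_BEFORE), parse_dhcp_dns_servers(DNSMASQ_CONF))
    for tag, ip in gaps:
        print(f"tag {tag}: DHCP advertises DNS {ip}, but AdGuard does not listen there")
```

Adding the VLAN address to bind_hosts, as done in post #9, makes the check return an empty list.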
#14
Done a bit more digging but I am really stuck. I don't think I can get dhcp options to be applied to an interface.

Using the netstat command on my Mac when connected to the VLAN, I only see the interface IP of the VLAN (192.168.20.1), when I expect the dhcp option to be providing 192.168.1.1.

Any ideas or obvious things I can check/do?

Here is netstat on my VLAN (guest):

Destination        Gateway            Flags               Netif Expire
default            192.168.20.1       UGScIg                en0       
127                127.0.0.1          UCS                   lo0       
127.0.0.1          127.0.0.1          UH                    lo0       
169.254            link#11            UCS                   en0      !
192.168.20         link#11            UCS                   en0      !
192.168.20.1/32    link#11            UCS                   en0      !
192.168.20.1       60:be:b4:13:66:ab  UHLWIir               en0   1190
192.168.20.168/32  link#11            UCS                   en0      !
224.0.0/4          link#11            UmCS                  en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0       
255.255.255.255/32 link#11            UCS                   en0      !

and on my main network:

Destination        Gateway            Flags               Netif Expire
default            192.168.1.1        UGScg                 en0       
127                127.0.0.1          UCS                   lo0       
127.0.0.1          127.0.0.1          UH                    lo0       
169.254            link#11            UCS                   en0      !
192.168.1          link#11            UCS                   en0      !
192.168.1.1/32     link#11            UCS                   en0      !
192.168.1.169/32   link#11            UCS                   en0      !
224.0.0/4          link#11            UmCS                  en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0       
255.255.255.255/32 link#11            UCS                   en0      !

#15
Quote from: dMopp on July 24, 2025, 07:08:49 AM
Maybe a stupid question, but: does dnsmasq provide a gateway for the guest net?

Not a stupid question. It is me probably stupid :-)

I have tried to add a gateway using dhcp options in dnsmasq but no dice so far...

Here they are - not working though.