Messages - fakebizprez

#1
I had it working and then I woke up the next day and the connection was down. 🤷‍♂️
#2
Have you gone down the Zenarmor/single-threaded rabbit hole, yet?
#3
Quote from: Greg_E on June 20, 2025, 03:13:20 PM
Quote from: fakebizprez on June 19, 2025, 05:08:57 PM
Quote from: Greg_E on June 18, 2025, 03:25:23 PM
That seems like a lot of power for OPNsense, not sure I would use an MS-A2 for this function unless I had a lot of clients and a lot of filtering setup. Maybe if I had a lot of VPN users I would want that much CPU, but that's a powerful computer for what most of us are doing.
👀


And how much power does that consume? My little Xeon (similar to an older i3) shows mostly the same CPU use, but I only have 16GB of RAM. Its TDP is much lower as well.

The HP T740 showed very similar results when I was using it, and that would be at around 40 watts during use.

But again, depends on how many things you are trying to do with a firewall, if you have a lot of VPN, that extra power would certainly be justified over an n150.

haha, in my defense, my entire organization connects to that machine for our Wireguard VPN server. It's also running as a Tailscale exit node for me personally, as well as Unbound/DHCP, IPS, reverse proxy, Prometheus, several static IPs, and ZenArmor until I had to give it up because the platform is single-threaded, and was crushing the LAN's bandwidth.

With that said, I have placed an order for two Minisforum MS-01 Work Station Refurbished (Core-i5-12600mh). Maybe it's too good to be true, but the specs on these are unreal, then after you factor in the cost, it's very hard to pass up.

Given all the value I get from OPNsense, I don't mind running it on the PowerEdge R730, but having to run a second machine for H.A./CARP, makes me cry a little bit.

I still can't get over how much machine you can get for $448 (i9 12th gen). You don't even miss out on U.2 capability, I guess the only major drawback is no ECC?

Thank you to whoever posted this, lol
#4
I got tied up at work, but I'll check afterwards. I think I recall them using both one.one.one.one and cloudflare-dns.com; one as a backup and one as a primary.

We're going to be transitioning from Wireguard to Cloudflare's ZeroTrust/Access WARP platform by Q4, and then we'll have another DNS from them that comes with Carrier Grade NAT. I'll be practicing my captcha skills until then.
#5
Quote from: meyergru on June 19, 2025, 06:58:04 PM
I think the official CN for Cloudflare DNS is "cloudflare-dns.com", not "dns.cloudflare.com", see: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/. Thus, your certificate verification could fail, although IDK if Cloudflare uses multi-domain certificates.

they have so many it gets confusing but this is from the link you sent me:
Quote: `kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com`
#6
Whoever told me that was incorrect was wrong, because there are connectivity issues unless I'm using `one.one.one.one`.

Just confirmed. 🙃
#7
It's worth mentioning I used to use `one.one.one.one` but I was told that is incorrect.
#8
I'm using Unbound w/ Cloudflare for DNS over TLS. I just want to make sure there is nothing out of whack in my config.

Sometimes the clients on our VPN server have issues when this DNS over TLS config is activated:

[services.unbound.dns_over_tls]
use_system_nameservers = false

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "1.1.1.1"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv4 DoT"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "1.0.0.1"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv4 DoT Backup"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "2606:4700:4700::1111"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv6 DoT"

[[services.unbound.dns_over_tls.forwarding]]
enabled = true
domain = ""
server_ip = "2606:4700:4700::1001"
server_port = 853
forward_first = false
verify_cn = "dns.cloudflare.com"
description = "IPv6 DoT Backup"
#9
Quote from: Greg_E on June 18, 2025, 03:25:23 PM
That seems like a lot of power for OPNsense, not sure I would use an MS-A2 for this function unless I had a lot of clients and a lot of filtering setup. Maybe if I had a lot of VPN users I would want that much CPU, but that's a powerful computer for what most of us are doing.
👀
#10
Quote from: vincente on January 12, 2025, 05:52:01 PM
OPNsense installs fine and works with various USB NICs, and it even recognizes the WiFi NIC; however, it does not see the built-in NICs.


Am I reading this right, I thought FreeBSD doesn't support WiFi?
#11
25.1, 25.4 Series / Re: Unknowingly Split-Brain DNS
June 05, 2025, 06:49:34 AM
Ah, yes, you know it's fun when it has two prefixes before -DNS.
#12
25.1, 25.4 Series / Re: Unknowingly Split-Brain DNS
June 05, 2025, 04:38:59 AM
Thank you.

I'm familiar with the firewall rules to force DoT. My concern right now is that I'm running a half-ass configured split-brain DNS and that is why I can't get any activity on port 853
#13
25.1, 25.4 Series / Unknowingly Split-Brain DNS
June 05, 2025, 01:54:32 AM
I have not been able to verify my Unbound DNS over TLS is configured correctly. I've followed every tutorial to the letter, and every test I've run, port 853 is nowhere to be found.

Current Configuration:
  • General DNS settings: All fields left blank
  • DNS over TLS: Configured with Cloudflare's DNS over TLS servers

Background Context:
My local domain happens to be a legitimate domain that I own and have registered through Cloudflare. This configuration has been in place since my initial OPNsense installation, and I haven't implemented any advanced configurations like DNS overrides.

Question:
If I were to create DNS overrides for each VM in my network, would this ensure that local VM resolution uses DNS over TLS when accessed from my workstation?
I'm trying to understand if my current setup is preventing proper DNS over TLS functionality, and whether implementing local DNS overrides would resolve the issue.
Any guidance on troubleshooting DNS over TLS verification or recommendations for proper local domain handling would be greatly appreciated.
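Added example, not code from this thread and not OPNsense or Unbound code. It covers the two things the posts above (#5/#8 on `verify_cn` and #13 on "port 853 is nowhere to be found") keep circling: whether a given `verify_cn` value would be accepted against the DNS names on a resolver certificate, using the same exact-match/leftmost-wildcard rule a TLS client applies, and a live probe that opens a TLS session to a forwarder on TCP 853 with SNI and hostname checking (what Unbound's TLS forwarding does) and sends one query. The certificate and the DoT response frame in the block are constructed sample data; they are not Cloudflare's certificate or a captured Cloudflare response. The script name `dot_check.py` is hypothetical.

```python
"""Check an Unbound DoT verify_cn against a certificate's SANs, and probe a
DoT forwarder on 853.  Added example; sample data below is constructed."""
import socket
import ssl
import struct
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# This is NOT any real resolver's certificate.
SAMPLE_CERT: Dict = {
    "subjectAltName": (
        ("DNS", "resolver.example"),
        ("DNS", "*.resolver.example"),
        ("IP Address", "192.0.2.53"),
    ),
}

# Constructed DoT response frame: 2-byte length prefix, then a DNS header with
# QR=1 RD=1 RA=1 RCODE=0, one question, one answer (A example.com -> 192.0.2.1).
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_BODY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_RESPONSE = struct.pack("!H", len(_BODY)) + _BODY


def san_dns_names(cert: Dict) -> List[str]:
    """DNS entries of subjectAltName as getpeercert() reports them."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(verify_cn: str, pattern: str) -> bool:
    """Exact match, or one wildcard in the leftmost label only (RFC 6125 6.4.3).
    DNS names only; an IP-literal verify_cn would need the 'IP Address' SANs."""
    cn, pat = verify_cn.lower().rstrip("."), pattern.lower().rstrip(".")
    if cn == pat:
        return True
    if pat.startswith("*."):
        head, sep, rest = cn.partition(".")
        return bool(head) and sep == "." and "." + rest == pat[1:]
    return False


def verify_cn_accepted(verify_cn: str, cert: Dict) -> bool:
    """Would a hostname-checking TLS client with this verify_cn accept this cert?"""
    return any(name_matches(verify_cn, n) for n in san_dns_names(cert))


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One DNS query with RD set, framed with the 2-byte length prefix that
    TCP and therefore DoT use (RFC 7858 section 3.3)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    body = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
    body += struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(body)) + body


def parse_response_header(frame: bytes) -> Dict:
    """Check the length prefix and decode the fixed 12-byte DNS header."""
    (length,) = struct.unpack("!H", frame[:2])
    if len(frame) - 2 != length or length < 12:
        raise ValueError("truncated or over-long DoT frame")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", frame[2:14])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed DoT session")
        buf += chunk
    return buf


def probe_dot(server_ip: str, verify_cn: str, qname: str = "example.com",
              port: int = 853, timeout: float = 5.0) -> Tuple[bool, str]:
    """TLS to server_ip:853 with SNI and hostname check against verify_cn,
    then one query.  Returns (ok, detail).  Needs network access."""
    ctx = ssl.create_default_context()  # system CA bundle, check_hostname on
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=verify_cn) as tls:
                names = san_dns_names(tls.getpeercert())
                tls.sendall(build_query(qname))
                prefix = _recv_exact(tls, 2)
                (length,) = struct.unpack("!H", prefix)
                hdr = parse_response_header(prefix + _recv_exact(tls, length))
                return hdr["rcode"] == 0, "rcode=%d answers=%d SAN=%s" % (
                    hdr["rcode"], hdr["answers"], ",".join(names))
    except ssl.SSLCertVerificationError as exc:
        return False, "cert rejected for %r: %s" % (verify_cn, exc.verify_message)
    except (OSError, ValueError) as exc:
        return False, "no usable DoT session: %s" % exc


if __name__ == "__main__":
    # e.g. python dot_check.py 1.1.1.1 cloudflare-dns.com one.one.one.one dns.cloudflare.com
    server, *candidates = sys.argv[1:] or ["1.1.1.1", "cloudflare-dns.com"]
    for cn in candidates:
        ok, detail = probe_dot(server, cn)
        print("%s verify_cn=%-20s %s %s" % (server, cn, "OK  " if ok else "FAIL", detail))
```

Run it once per candidate name against each forwarder IP from the config; a name that fails with a certificate rejection is one Unbound will also refuse, and a successful probe is positive proof that a TLS session on 853 was set up and answered, which is the evidence a packet capture on the WAN side should then also show.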
#14
Quote from: EricPerl on June 01, 2025, 09:31:41 PM
The /60 appears to only be used to satisfy some UI validation:
https://forum.netgate.com/post/962817 (post from deet)
The workaround in these threads is to request up to 8 /64 and manually assign them to interfaces...

The original thread started 5 years ago. AT&T has not "fixed" any of this yet???
This is definitely not following deployment recommendations...

My ISP is late deploying IPv6 (imminent according to some of their feeds) but at least they are doing it by the book.

Thanks for checking. There is probably not going to be some silver bullet, and I'm going to have to write some scripts to resolve the issue, which I'm sure will be a case of trial & error that I don't have time for 🙃
#15
Zenarmor (Sensei) / Re: Throughput Getting Crushed
June 02, 2025, 04:05:24 AM
OK, that's great information, man, I'm going to have to copy/paste this in my workspace. My company is scattered throughout the globe, and there's zero humans on my LAN, aside from me, so I was considering just putting it on WG0 (wireguard) because I'm hosting a fairly substantial VPN server. They're the ones that need the protection of a NGFW the most.