Messages

The plugin was installed prior to the upgrade and then I removed it so I could boot without issue.  I am running Intel® Core™ i5 14500T vPro® (14 cores, up to 4.8GHz) 14th gen CPU. Thanks again for your speedy response.

Jim

What I am saying is that post upgrade OPNsense would hang at the message masks 0x00ff0000, 0x0000ff00, 0x000000ff, 0xff000000.  The only way to get it to boot fully was to boot with a previous kernel.  Once I did get it to boot fully, I uninstall the os-cpu-microcode-intel package.  After the package was removed I rebooted and OPNsense booted as expected.  I am running Intel® Core™ i5 14500T vPro® (14 cores, up to 4.8GHz) 14th gen CPU.  Not sure if there is a incompatibility with this package and a newer CPU.  Thanks for your help an patience with me.  I look forward to any insight you may have.

Jim

Good morning,
I upgraded from opnsense 25.1 to 25.7.1 this morning and post upgrade I get stuck with this message masks 0x00ff0000, 0x0000ff00, 0x000000ff, 0xff000000.  I can get my system up but I have to boot previous kernel.  How can I tell what is causing my issue from booting the new version?  Thanks in advance for your assistance as it is much appreciated.  I am running a newer Intel CPU.  Could it be the cpu microcode?

About a week ago I attempted an upgrade from 25.1 from the GUI, upon reboot I would receive a php error right after the firewall started loading.  I then downloaded a new image to USB and did a fresh install and restore and I was back up and running.  Today I noticed that some of my plugins wont update until I update OPNsense version.  I again attempted this , but again i would receive an error when the firewall was loading.  Luckily i had a snapshot and I reverted back to a working condition.  How can I find out what this is occurring?  How large should the config.xml be.  Am I allowed to post my xml to have someone take a look.  Should I do a factory reset, upgrade, and then restore?  I am lost ...

Good morning,
I am having issues getting DNSCrypt running.  I am seeing different things.  Why do folks not leverage the WebUI to configure DNScrypt? It seems like people are using the manual way to run DNScrypt why is that?  Are there issue with the WebUI correctly modifying the toml file?  It also appears that this service collects servers on the fly and you try to pair down the server list?  What is the difference between the server entries on the setup versus the servers on the servers tab for DNSCrypt.  Should one disable Unbound when leveraging DNSCrypt. My apologies as I am a newb.  Any information would be greatly appreciated.  Is there a definative guide on setting up DNSCrypt?

Thanks,
Jim

Going to bed, but the actual logs were from when I first started to try to get this running on 10-12.  No updates in the logs when I try to start the service.  I am confused and tired at this point.  DOT is running for now.  If there is a simple step by step you can refer me to.  If i can use the WEBui or manual way.

I tried to use this and it fails, I also renamed the ,sample to .toml and it does the same thing loads the servers then exists.
# DNSCrypt-proxy configuration file

# List of DNSCrypt or DoH servers to use
server_names = [
    # Primary unfiltered servers (Unfiltered, DNSSEC, No logging)
   
    # NextDNS (Unfiltered, DNSSEC, No logging)
    "sdns://AgcAAAAAAAAACjQ1LjkwLjMwLjAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkWYW55Y2FzdC5kbnMubmV4dGRucy5pbwovZG5zLXF1ZXJ5", 
   
    # DNSCry.pt Ashburn (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAACzQ1LjExLjIzMC44IMGyYyUUH-ohVO5gxPJoOoTQYe6WeqqivutZK9FR5v2eGTIuZG5zY3J5cHQtY2VydC5kbnNjcnkucHQ", 
   
    # DNSCry.pt Allentown (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAADTIzLjEzNy4yNTMuMjQg3Z0YI7udXIjKWcPC5GdTm4Uk6D1x2DuyYuj2OZz2cKQZMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeS5wdA", 
   
    # Plan9 DNS NJ (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAAEjIwNy4yNDYuODcuOTY6ODQ0MyCwmQlIDpKk8SiiyrJbPgKhHxCrBJLb8ZWlu6tvr1KvkyQyLmRuc2NyeXB0LWNlcnQua3Jvbm9zLnBsYW45LWRucy5jb20", 
   
    # Fallback server (Filtered, DNSSEC, No logging) - Quad9
    # Quad9 (Filtered, DNSSEC, No logging)
    "sdns://aqmaaaaaaaaaddkuos45ljk6odq0mybnyee4yhwm0sakvuo-dwdg3ztfhytac4xha2jfgh2gphkylmruc2nyexb0lwnlcnqucxvhzdkubmv0"
]

# Listen on these addresses for DNS queries (localhost on port 5353)
listen_addresses = ['127.0.0.1:5353']

# Max number of simultaneous clients
max_clients = 250

# Enable DNS caching for performance improvement
cache = true
cache_size = 512

# Enable DNSSEC to ensure all servers provide DNSSEC validation
require_dnssec = true

# Disable the use of IPv6 servers (optional)
ipv6_servers = false

# Set fallback resolver to avoid DNS outages if all selected servers fail
fallback_resolver = '9.9.9.9:53'

# Block IPv6 entirely if not in use
block_ipv6 = true

# Set the path for log files
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
log_level = 2  # Log only warnings and errors

# Use DNSCrypt with ephemeral keys for privacy
dnscrypt_ephemeral_keys = true

# Set load-balancing strategy (p2 = prefer lowest-latency servers)
lb_strategy = 'p2'

# Disable TLS session tickets for better security
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]

# Optional: Enable anonymized DNS if you need extra privacy
anon_routes = []

# Control whether to block relays with malicious content
block_relay = true

i am having the same problem when I was trying to use the WebUi.  The service Starts finds 146 servers and then stops.  Am i missing something stupid ?

Most of my issues were relating to not understanding the service does dynamic server selection.  I was completing the server list in two places.  I was definitely confused by the reference material concerning this service.  I read through the forums and it looked like configuring via the Webui might be problematic.  During my reading it seemed as though going the manual route was the way to go.  Part of my reading I kept coming accross issues where the toml file gets overwritten so I actually leverage chatgpt with helping with this code.  I will do some research on the link you provided.  Thanks.  I updated the script a bit as there were some errors, but the script runs as expected.  I just have to figure out where to put it.

First I am very new to this stuff.  I am working on getting DNSCrypt working in opnsense.  I was having trouble getting it to work via the web interface.  I went through removing the GUI package and adding the package from the command line (pkg install dnscrypt-proxy2).  I was seeing that folks have potential issue with the toml file especially after firmware upgrades with the toml potentially being over written.

Would the following work.

1.  Make a backup of the working file.
     cp /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup

2.  Create a hash of this backup.
     sha256 /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup > /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash


3.  Create a script called pre-dsncrypt.sh  which essentially compare the hash of the backup to the current file and if they are different copy the backup file over the current file.
      #!/bin/sh

# Paths to the working config, backup, and hash in the correct directory
WORKING_FILE="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
BACKUP_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup"
HASH_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash"

# Determine if sha256 or sha256sum is available
if command -v sha256 >/dev/null 2>&1; then
    HASH_CMD="sha256 -q"
elif command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    echo "Error: Neither sha256 nor sha256sum found on this system."
    exit 1
fi

# Generate the current hash of the working file
CURRENT_HASH=$($HASH_CMD "$WORKING_FILE" | awk '{print $1}')

# Retrieve the known-good hash from the backup
KNOWN_HASH=$(cat "$HASH_FILE")

echo "Current Hash: $CURRENT_HASH"
echo "Known Hash: $KNOWN_HASH"

# Compare the hashes
if [ "$CURRENT_HASH" != "$KNOWN_HASH" ]; then
    echo "DNSCrypt config is corrupted or overwritten, restoring from backup..."
    cp "$BACKUP_FILE" "$WORKING_FILE"
    # Regenerate the hash after restoring
    $HASH_CMD "$BACKUP_FILE" | awk '{print $1}' > "$HASH_FILE"
else
    echo "DNSCrypt config is valid, no need for restore."
fi


4.  Add this script to the startup script for /usr/local/etc/rc.d/dnscrypt-proxy
     start_cmd="${name}_start"

# Run the pre-startup script before starting DNSCrypt-proxy
/usr/local/bin/pre_dnscrypt_start.sh

dnscrypt_proxy_start()
{
    echo "Starting dnscrypt-proxy..."
    ${command} ${dnscrypt_proxy_flags}
}

Good afternoon,
I am using DOT and and using a NAT rule to forward from all interfaces any port any source to all interfaces.net port 53 to 127.0.0.1 port 53 [Redirect internal DNS to internal DNS Resolver].  I see a message in the firewall for 127.0.0.1 Redirect internal DNS to internal DNS Resolver but from the address of the interface it is blank.  Is this normal behavior?   Thanks in advance for any advice or assistance.  I am new to this, been a nice learning experience so far.

Jim

Good morning,
I have a question.  Is there a way to turn off IPv6?  Each interface is set to none for IPv6.  I dont see an option in Advanced to turn off Ipv6.  Is there a file(s) that can be modified to turn off IPv6?  Thanks in advance for your input.

Jim

good morning,
I am looking for a good recommendation for an m.2 a+e card to add an ethernet port to a new build.  I am thinking that the intel i225v b3 should be ok but the other option is RTL 8111e/f.  Any recommendations what will work right out of the box.  Thank you in advance for your assistance.

First let me say I am hot a html coder by any means, but I have been working with chat GPT for a bit on developing seasonal and holiday based pages for home guest network.  I actually with the help of chat gpt developed a calendar to display a theme or holiday based login page.  Went back and forth making modifications, but came down to making simple changes in the index and style file, but always seems to get a 404 once you click login.  I am unsure if it is some sort of redirection or coding being missed.  Any insight?

I will be connecting WAN to Xfinity and obtaining a public IP.