Messages - breimer273

#1
Ok, I'm back again. Apparently it still is not working. Same results as above. Now my white list contains the CNAME addresses. The CNAME is what is on the block list. But I'm still being blocked. Whitelist now:

www.patc.net.
www.patc.net
patc.net.
patc.net
s.multiscreensite.com
s.multiscreensite.com.
global.multiscreensite.com
global.multiscreensite.com.

Here's the dig for context. The domain multiscreensite[.]com is on the blocklist. So the query for www[.]patc[.]net is being blocked but I would like it to NOT be blocked.

%dig www.patc.net @8.8.8.8

; <<>> DiG 9.10.6 <<>> www.patc.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.patc.net.            IN    A

;; ANSWER SECTION:
www.patc.net.        300    IN    CNAME    s.multiscreensite.com.
s.multiscreensite.com.    300    IN    CNAME    global.multiscreensite.com.
global.multiscreensite.com. 60    IN    CNAME    a3c02b2530d6f27ca.awsglobalaccelerator.com.
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 99.83.169.22
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 75.2.0.180

;; Query time: 155 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 20 15:06:10 EST 2025
;; MSG SIZE  rcvd: 182
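As an added example (not from the original post, and not OPNsense or Unbound code), here is a small Python model of why a whitelist holding only the patc.net names was not enough: every hop of the CNAME chain in the dig output above is checked against the blocklist on its own, so each blocklisted CNAME target needs its own whitelist entry. The blocklist content and the matching rules (a blocklist entry covers its subdomains, a whitelist entry is an exact name) are assumptions.

```python
# Added illustration (not OPNsense/Unbound code): walk the CNAME chain from the dig
# ANSWER SECTION above and check each hop against a blocklist and a whitelist. Assumed
# rules: blocklist entries cover subdomains too; whitelist entries are exact names.

# Constructed from the ANSWER SECTION of the dig output in the post above.
DIG_ANSWER = """\
www.patc.net.        300    IN    CNAME    s.multiscreensite.com.
s.multiscreensite.com.    300    IN    CNAME    global.multiscreensite.com.
global.multiscreensite.com. 60    IN    CNAME    a3c02b2530d6f27ca.awsglobalaccelerator.com.
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 99.83.169.22
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 75.2.0.180
"""
BLOCKLIST = ["multiscreensite.com"]  # constructed: the poster says this domain is listed

def norm(name):
    """Lower-case and drop the trailing dot so 'patc.net.' equals 'patc.net'."""
    return name.lower().rstrip(".")

def parse_answer(text):
    """Map owner name -> (rtype, rdata), keeping the first RR seen per owner."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # skip blank or non-RR lines
        rdata = norm(f[4]) if f[3] == "CNAME" else f[4]
        records.setdefault(norm(f[0]), (f[3], rdata))
    return records

def cname_chain(records, qname):
    """Follow CNAMEs from qname to a non-CNAME answer or missing target (loop-safe)."""
    chain, cur, seen = [], norm(qname), set()
    while cur not in seen:
        seen.add(cur)
        chain.append(cur)
        rtype, rdata = records.get(cur, (None, None))
        if rtype != "CNAME":
            break
        cur = rdata
    return chain

def evaluate(records, qname, blocklist, whitelist):
    """Per-hop filter: the first hop that is blocklisted and not whitelisted
    decides the query. Returns (verdict, hop, matched_entry)."""
    allow = {norm(w) for w in whitelist}
    for hop in cname_chain(records, qname):
        for entry in map(norm, blocklist):
            if (hop == entry or hop.endswith("." + entry)) and hop not in allow:
                return ("Block", hop, entry)
    return ("Pass", None, None)
```

With only the four patc.net entries the model reports a block at s.multiscreensite.com, matching the "[hagezi] Badware Hoster blocking" log line; once the CNAME targets are whitelisted the same query passes.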
#2
Solved. I had to dig into the domain a bit more. Found that it was actually a CNAME that was being blocked. Added that to the white list and it appears to be working now.
#3
Hello,
Having some trouble figuring out the white list for Unbound. I'm using hagezi's blocklists and those are working great. However, I am trying to access patc.net (known good site) but it is blocked on the blocklists. No problem. I'll add it to the whitelist. However, I still can't get it to resolve. Here's what I'm seeing (Reporting -> Unbound -> Details):

2025-02-19 15:39:51    192.168.6.111    A    patc.net.    Pass    Recursion    NOERROR    331ms    600         
2025-02-19 15:39:51    192.168.6.111    CNAME    www.patc.net.    Block    Local    NXDOMAIN    150ms    0    [hagezi] Badware Hoster blocking   
2025-02-19 15:26:28    192.168.6.111    CNAME    www.patc.net.    Block    Local    NXDOMAIN    137ms    0    [hagezi] Badware Hoster blocking   
2025-02-19 15:26:27    192.168.6.111    A    patc.net.    Pass    Recursion    NOERROR    213ms    600         

Whitelist:
www.patc.net.
www.patc.net
patc.net.
patc.net
#4
May be relevant, the ports I forwarded were 80, 443, and 32400. Since the webgui is still listening on 80/443, could that be the issue?
#5
Hello, I have lost access to my webgui. My browser (Brave) says that
This site can't provide a secure connection
192.168.1.1 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

I've tried
configctl webgui restart renew

based on the guidance from https://docs.opnsense.org/troubleshooting/webgui.html but there was no effect.

Anything else I could try? This firewall is in production and I really don't want to have to restore from scratch because I don't have a good backup.

The last things I remember changing were some NAT Settings (enabling NAT reflection) and opening up port forwarding. Everything else appears to be working flawlessly, just can't access the gui....

When I try to restore from backup the farthest back I have is Thursday January 16 and my last known good was Monday January 13th.

EDIT: Solved. The issue appears to have been caused by port forwarding 80/443. Changed the webgui port to 8443 and we are back in business. Thanks for listening!
#6
Well, I appear to have corrected the issue. The solution appears to be.... a reboot.

I tried restarting the wireguard service multiple times. But for some reason that wasn't working. A full reboot of the device and everything is working great.

Thanks for the help!
#8
24.7, 24.10 Legacy Series / Re: Wireguard No Handshake
November 07, 2024, 01:44:19 PM
Here's the log from the client

EDIT: Modified the log file to only include this connection.
#9
24.7, 24.10 Legacy Series / Re: Wireguard No Handshake
November 07, 2024, 01:27:47 PM
I did try making the key pair a couple of times. I used the peer generator a couple of times and also made it manually in the wireguard client on ios.

Allowed IPs is 0.0.0.0/0, ::/0

I do see 1 packet in the firewall log. See screenshot.

I've also attached the log from my client. But the error says that it did not receive

Does it make a difference that my VPN network is 10.0.0.0/24 and my other network is 192.168.1.0/24? Maybe there is some traffic that isn't going through because the 192.168.1 subnet isn't allowed somehow?
#10
24.7, 24.10 Legacy Series / Re: Wireguard No Handshake
November 06, 2024, 03:37:53 PM
Have attached my client configuration screenshot to this post
#11
24.7, 24.10 Legacy Series / Wireguard No Handshake
November 06, 2024, 03:34:10 PM
Hello, new OPNSense user here. Having some trouble getting a wireguard connection configured. I have followed the guide here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Then I used the peer generator to create the config for my client (wireguard app on ios) but the handshake does not complete.

I have allowed the firewall for port 51820, and I have confirmed that the firewall is allowing the traffic by looking at the logs.

I've attached some screen shots of my OPNSense config. I'll edit the post and add my client config when I get to it.