Messages - cinergi

#1
Hello,

I set up a Wireguard "road warrior" server configuration on my Opnsense box a while ago using the guide at https://docs.opnsense.org/manual/how-tos/wireguard-client.html.  It works fine using IPv4.  Recently, I added IPv6 and changed my client configurations accordingly to assign IPv6 GUAs.  My iOS clients do not have any IPv6 connectivity, but my Windows clients do using the same Wireguard configuration.  For example, if I go to test-ipv6.com from a Windows client connected via the VPN, I can see the configured IPv6 GUA address.  However, if I do the same from an iOS client, that test site reports no IPv6 connectivity.

I suspect this is a peculiarity of the iOS Wireguard client; has anyone else had similar issues?

Thanks!
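Added example, not code from the post above and not from OPNsense or WireGuard: a small checker for the IPv6 pieces of a road-warrior client config, since the symptom described (the same config, a client that shows no IPv6) is usually decided by two things in the client file, the tunnel Address and the Peer AllowedIPs. The two sample configs are constructed; keys, addresses and the endpoint are placeholders and do not come from the original post.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")          # unique local addresses, not internet-routable
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed sample: a full-tunnel dual-stack client. Keys and endpoint are placeholders.
DUAL_STACK_CONFIG = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.10.2/32, 2001:db8:10::2/128
DNS = 10.10.10.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed sample: the same client after an IPv6 address was added to Address,
# but with AllowedIPs left as it was when the tunnel was IPv4-only.
V4_ONLY_ROUTES_CONFIG = DUAL_STACK_CONFIG.replace("0.0.0.0/0, ::/0", "0.0.0.0/0")


def parse_wg_config(text):
    """Parse a WireGuard INI-style file into a list of {"_name": ..., key: [values]} dicts.

    A file may contain several [Peer] sections, so sections are kept as a list rather
    than a dict. Comma-separated keys (Address, AllowedIPs, DNS) are split into lists.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1]}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = [v.strip() for v in value.split(",") if v.strip()]
    return sections


def check_ipv6(text):
    """Return findings that explain why IPv6 would not flow over the tunnel (empty list = looks fine)."""
    findings = []
    sections = parse_wg_config(text)
    iface = next((s for s in sections if s["_name"] == "Interface"), {})
    peers = [s for s in sections if s["_name"] == "Peer"]

    # 1. The client needs an IPv6 address on the tunnel interface, and it should be a GUA.
    addrs = [ipaddress.ip_interface(a) for a in iface.get("Address", [])]
    v6_addrs = [a for a in addrs if a.version == 6]
    if not v6_addrs:
        findings.append("Interface.Address carries no IPv6 address, so the client has no v6 source address")
    for a in v6_addrs:
        if a.ip in ULA or a.ip in LINK_LOCAL:
            findings.append(f"{a} is not a GUA and is not routable on the public IPv6 internet")

    # 2. Some peer must route IPv6 destinations into the tunnel: ::/0 means full tunnel,
    #    anything narrower is a split tunnel for IPv6 only.
    routes = [ipaddress.ip_network(n, strict=False) for p in peers for n in p.get("AllowedIPs", [])]
    v6_routes = [r for r in routes if r.version == 6]
    if not v6_routes:
        findings.append("no Peer.AllowedIPs entry covers IPv6, so v6 traffic never enters the tunnel")
    elif not any(r.prefixlen == 0 for r in v6_routes):
        findings.append("IPv6 is split-tunnelled: only " + ", ".join(map(str, v6_routes))
                        + " is routed via the tunnel")
    return findings


if __name__ == "__main__":
    for name, cfg in (("dual-stack", DUAL_STACK_CONFIG), ("v4-only routes", V4_ONLY_ROUTES_CONFIG)):
        print(name, "->", check_ipv6(cfg) or "IPv6 looks correctly configured")
```

Run it against the exported client file for each platform; if the Windows and iOS files differ in any of the checked keys, that difference is the first thing to compare.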
#2
24.7, 24.10 Legacy Series / Unbound DNS SERVFAIL issue
January 18, 2025, 07:08:37 PM
Hello,

I'm using Unbound on 24.7.12 with a mostly default configuration, and am seeing periodic and intermittent SERVFAILs fairly often in the log.  Here's a typical example from today's log:

2025-01-18T12:53:16-05:00 Error unbound [93701:2] error: SERVFAIL <v20.events.data.microsoft.com. A IN>: misc failure
2025-01-18T12:53:16-05:00 Error unbound [93701:1] error: SERVFAIL <v20.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:49:19-05:00 Error unbound [93701:3] error: SERVFAIL <mobile.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:49:18-05:00 Error unbound [93701:0] error: SERVFAIL <mobile.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:49:18-05:00 Error unbound [93701:1] error: SERVFAIL <mobile.events.data.microsoft.com. A IN>: misc failure
2025-01-18T12:48:07-05:00 Error unbound [93701:0] error: SERVFAIL <download.windowsupdate.com. AAAA IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:48:07-05:00 Error unbound [93701:2] error: SERVFAIL <download.windowsupdate.com. AAAA IN>: misc failure
2025-01-18T12:36:38-05:00 Error unbound [93701:2] error: SERVFAIL <mobile.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:34:27-05:00 Error unbound [93701:1] error: SERVFAIL <login.live.com. AAAA IN>: misc failure
2025-01-18T12:34:27-05:00 Error unbound [93701:0] error: SERVFAIL <login.live.com. AAAA IN>: misc failure
2025-01-18T12:33:39-05:00 Error unbound [93701:3] error: SERVFAIL <msedge.b.tlu.dl.delivery.mp.microsoft.com. A IN>: misc failure
2025-01-18T12:33:39-05:00 Error unbound [93701:2] error: SERVFAIL <msedge.b.tlu.dl.delivery.mp.microsoft.com. A IN>: misc failure
2025-01-18T12:33:03-05:00 Error unbound [93701:1] error: SERVFAIL <8-courier.push.apple.com. AAAA IN>: misc failure
2025-01-18T12:33:00-05:00 Error unbound [93701:2] error: SERVFAIL <displaycatalog.mp.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:33:00-05:00 Error unbound [93701:1] error: SERVFAIL <fs.microsoft.com. A IN>: misc failure
2025-01-18T12:33:00-05:00 Error unbound [93701:1] error: SERVFAIL <fs.microsoft.com. AAAA IN>: misc failure
2025-01-18T12:33:00-05:00 Error unbound [93701:3] error: SERVFAIL <fs.microsoft.com. AAAA IN>: misc failure
2025-01-18T12:18:31-05:00 Error unbound [93701:2] error: SERVFAIL <nrdp-ipv6.prod.ftl.netflix.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:18:31-05:00 Error unbound [93701:0] error: SERVFAIL <nrdp-ipv6.prod.ftl.netflix.com. A IN>: exceeded the maximum nameserver nxdomains

Any ideas on how to resolve this?  The same domains resolve fine seconds or minutes later.  There doesn't seem to be a pattern of which domains fail; the reason why there are a lot of Microsoft domains above is simply because someone in my household booted a Windows PC and it reached out to Microsoft for updates, etc.  It also happens on other domains like Netflix, Amazon, etc. (you can see Netflix in the list for example).

Thank you!
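Added example, not part of the post above: a small parser that summarises Unbound SERVFAIL lines in the OPNsense syslog format shown, counting failures by reason, by query type (A vs AAAA) and by domain, so that a larger log can be checked for a pattern (one record type, one upstream zone, one thread) that is hard to see by eye. The sample input is a subset of the log lines quoted in the post; the regular expression is written for exactly that line layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# A subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
2025-01-18T12:53:16-05:00 Error unbound [93701:2] error: SERVFAIL <v20.events.data.microsoft.com. A IN>: misc failure
2025-01-18T12:53:16-05:00 Error unbound [93701:1] error: SERVFAIL <v20.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:49:19-05:00 Error unbound [93701:3] error: SERVFAIL <mobile.events.data.microsoft.com. A IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:48:07-05:00 Error unbound [93701:0] error: SERVFAIL <download.windowsupdate.com. AAAA IN>: exceeded the maximum nameserver nxdomains
2025-01-18T12:48:07-05:00 Error unbound [93701:2] error: SERVFAIL <download.windowsupdate.com. AAAA IN>: misc failure
2025-01-18T12:34:27-05:00 Error unbound [93701:1] error: SERVFAIL <login.live.com. AAAA IN>: misc failure
2025-01-18T12:33:03-05:00 Error unbound [93701:1] error: SERVFAIL <8-courier.push.apple.com. AAAA IN>: misc failure
2025-01-18T12:18:31-05:00 Error unbound [93701:2] error: SERVFAIL <nrdp-ipv6.prod.ftl.netflix.com. A IN>: exceeded the maximum nameserver nxdomains
"""

# <timestamp> <severity> unbound [<pid>:<thread>] error: SERVFAIL <qname qtype IN>: <reason>
SERVFAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ unbound \[(?P<pid>\d+):(?P<thread>\d+)\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: (?P<reason>.+)$"
)


def parse_servfails(text):
    """Return one dict per SERVFAIL line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = SERVFAIL_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["qname"] = ev["qname"].rstrip(".").lower()   # strip the trailing root dot
        events.append(ev)
    return events


def summarise(events):
    """Counts by reason, query type and thread, per-domain detail, and a roll-up by
    the last two labels (a heuristic stand-in for the registrable domain)."""
    by_domain = defaultdict(lambda: {"count": 0, "reasons": set(), "qtypes": set()})
    for e in events:
        d = by_domain[e["qname"]]
        d["count"] += 1
        d["reasons"].add(e["reason"])
        d["qtypes"].add(e["qtype"])
    return {
        "by_reason": dict(Counter(e["reason"] for e in events)),
        "by_qtype": dict(Counter(e["qtype"] for e in events)),
        "by_thread": dict(Counter(e["thread"] for e in events)),
        "by_zone": dict(Counter(".".join(e["qname"].split(".")[-2:]) for e in events)),
        "by_domain": dict(by_domain),
    }


def format_report(summary):
    """Human-readable version of summarise()'s output."""
    lines = []
    for section in ("by_reason", "by_qtype", "by_thread", "by_zone"):
        lines.append(section + ":")
        for key, n in sorted(summary[section].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {n:4d}  {key}")
    lines.append("by_domain:")
    for name, d in sorted(summary["by_domain"].items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"  {d['count']:4d}  {name}  {sorted(d['qtypes'])}  {sorted(d['reasons'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(parse_servfails(SAMPLE_LOG))))
```

Feed it the full /var/log/resolver output instead of the sample: if AAAA queries dominate the failures, or one thread or one zone accounts for most of them, that narrows the problem considerably compared with a list of mixed names.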
#3
Thank you, again!
#4
Thanks Patrick, this put me on the right track.  The offending files seem to be the firewall logs in

/var/log/filter

There are huge (1 Gig +) daily files in that directory.  I have logging disabled for all of my firewall rules, but the automatically generated rules all have logging enabled and I see no way to disable it.  So I guess the only option is to decrease the logging retention interval in System > Settings > Logging.  I thought 31 days is reasonable, but I didn't realize that by default Opnsense has so much firewall logging enabled.
#5
Hello,

I'm new to Opnsense and I've been using a new Opnsense installation for ~1.5 months.  During that time, the disk usage has been steadily increasing.  I have default settings for logging in System > Settings > Logging (Enabled, Maximum Preserved Files 31, no maximum size) which I understand should result in retaining only 31 days of logs.  My only significant plugin is AdGuardHome, which I've configured to retain the last 7 days of DNS requests and the last 24 hours of statistics.

My hardware is an HP T620 Plus thin client PC with a 16GB SSD that's currently 75% full and increasing.  At this rate, it will fill the disk in less than 2 weeks.  I also noticed that there's an 8GB swap partition set up by the Opnsense installer (which seems to be the default since I didn't configure it), resulting in only 8GB available to the system which doesn't help.  The "2GB Swap File" option under System > Settings > Miscellaneous is disabled; I'm not sure how this interacts with the 8GB swap partition that was automatically set up during installation.  File system is ZFS.

I don't mind buying a larger SSD if that's the solution, but not if it will simply delay the problem.  Any advice?

Thanks!
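Added example, not code from the posts above and not from OPNsense: a small audit of a log directory tree that reports space per subdirectory and lists the files a "keep the newest N files per directory" retention setting (the post's Maximum Preserved Files 31) would still be holding beyond that limit. It builds a constructed stand-in for /var/log in a temporary directory rather than touching the real one; the per-day file naming pattern (filter_YYYYMMDD.log) and the file sizes are assumptions for the sample, not values from the posts.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def build_sample_log_tree(base, today, days=40, size_bytes=4096):
    """Constructed stand-in for /var/log: 'filter' gets one file per day for `days`
    days (naming pattern assumed), 'system' gets three. mtimes are set to the
    day each file represents so age-based checks work."""
    base = Path(base)
    for sub, count, size in (("filter", days, size_bytes), ("system", 3, 512)):
        (base / sub).mkdir(parents=True, exist_ok=True)
        for i in range(count):
            day = today - timedelta(days=i)
            p = base / sub / f"{sub}_{day:%Y%m%d}.log"
            p.write_bytes(b"\0" * size)
            os.utime(p, (day.timestamp(), day.timestamp()))
    return base


def usage_by_dir(root):
    """Total bytes and file count per immediate subdirectory, largest first."""
    rows = []
    for sub in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        files = [f for f in sub.rglob("*") if f.is_file()]
        rows.append({"dir": sub.name, "files": len(files),
                     "bytes": sum(f.stat().st_size for f in files)})
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def beyond_retention(root, max_files):
    """Files per subdirectory that a 'keep the newest max_files' policy would drop,
    newest first. Directories within the limit are omitted."""
    out = {}
    for sub in Path(root).iterdir():
        if not sub.is_dir():
            continue
        files = sorted((f for f in sub.iterdir() if f.is_file()),
                       key=lambda f: f.stat().st_mtime, reverse=True)
        if len(files) > max_files:
            out[sub.name] = [f.name for f in files[max_files:]]
    return out


def audit_sample(today_iso="2025-01-18", max_files=31):
    """Build the sample tree in a temp dir, audit it, clean up, and return the results."""
    today = datetime.fromisoformat(today_iso)
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_log_tree(tmp, today)
        return {"usage": usage_by_dir(root),
                "over_retention": beyond_retention(root, max_files)}


if __name__ == "__main__":
    result = audit_sample()
    for row in result["usage"]:
        print(f"{row['bytes']:>10} bytes  {row['files']:>4} files  {row['dir']}")
    for sub, names in result["over_retention"].items():
        print(f"{sub}: {len(names)} file(s) beyond the retention limit, oldest {names[-1]}")
```

Pointed at the real /var/log (usage_by_dir("/var/log")), the same two functions show which subdirectory is eating the disk and whether the retention setting is actually being honoured, before deciding whether a bigger SSD would only delay the problem.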
#6
Hi all,

I noticed that in Services > Unbound DNS > Statistics, my Request Queue Exceeded counter is non-zero.  I assume this means DNS requests are occasionally being dropped during periods of high usage.  I'm running with default settings for Unbound except I've enabled Prefetch DNS Key Support, Harden DNSSEC Data, Aggressive NSEC, Serve Expired Responses, and Prefetch Support.  Unbound is using 4 threads on my quad-core system, which seems right.

Can I increase the size of the request queue, and what's the proper parameter for this?  The only potentially relevant one I see is Number of queries per thread, but that's not exactly the same thing.

Is there a set of best-practice settings for Unbound in OPNSense?  I have 8GB RAM so that shouldn't be a problem.

Thanks!
#8
Thanks!  I had read about private_networks in the unbound documentation, but I thought it applies only to the networks being looked up, not the origin of the request.  Does it apply to the origin?

Thanks.
#9
Hello,

I've installed the Adguard Home package on my OPNSense box.  AGH listens on port 53 and forwards to the configured upstream 127.0.0.1:5335, where Unbound is listening.  My network is dual-stack IPv4 and IPv6 which is important for my problem.  The issue I'm having is that AGH does not forward reverse DNS lookups for private IP ranges (such as 192.168.0.0/16) to the configured upstream private reverse DNS server; instead, it returns NXDOMAIN.  Looking at the AGH DNS configuration, I think I know why.  The AGH configuration instructions for the reverse private DNS server state the following:

"A request is considered private if it asks for an ARPA domain containing a subnet within private IP ranges (such as "192.168.12.34") and comes from a client with a private IP address."

My client, a Windows PC, is making the reverse DNS request using its public IPv6 address; thus, the request doesn't "come from a client with a private IP address" and it seems that AGH doesn't consider it as a private rDNS request although it's for a private IP in the range 192.168.0.0/16.  Is there any way to fix this in AGH?  What would be needed is to not require that the request origin be a "client with a private IP address".

Thanks!
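Added example, not code from the post above and not from AdGuard Home: a model of the rule quoted in the post (a reverse lookup is private only if the ARPA name maps into a private range AND the client source address is private), applied to the same PTR query from the same PC once over IPv4 and once over its global IPv6 address. It includes a parser for in-addr.arpa and ip6.arpa names. The list of "private" ranges is an assumption made for the example, not the exact list AdGuard Home uses; the client addresses are constructed, with 2001:db8::/32 standing in for a real GUA.

```python
import ipaddress

# Ranges this example treats as "private". An assumption for illustration, not the
# exact set AdGuard Home applies internally.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed scenario: one Windows PC asking for the PTR of 192.168.12.34 (the address
# used in the post's quote), first from its private IPv4 address, then from a global IPv6 one.
PTR_QUERY = "34.12.168.192.in-addr.arpa."
CLIENT_V4 = "192.168.12.50"
CLIENT_V6 = "2001:db8:1::50"          # documentation prefix standing in for a public GUA


def is_private_ip(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)


def ip_from_arpa(qname):
    """Map a full in-addr.arpa (4 labels) or ip6.arpa (32 nibble labels) name to an
    address; return None for anything else, including malformed labels."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(labels[:4][::-1]))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(labels[:32][::-1])
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def classify_ptr(qname, client_ip):
    """Apply the two-part rule from the post and report which part failed.

    Outcomes follow the behaviour the post describes: a private target asked for by a
    private client goes to the private reverse DNS upstream; a private target asked for
    by a non-private client gets NXDOMAIN; a non-private target is an ordinary query.
    """
    target = ip_from_arpa(qname)
    target_private = target is not None and is_private_ip(target)
    client_private = is_private_ip(client_ip)
    treated_as_private = target_private and client_private
    if treated_as_private:
        outcome = "forward to private reverse DNS upstream"
    elif target_private:
        outcome = "NXDOMAIN"
    else:
        outcome = "forward to regular upstream"
    return {
        "target": None if target is None else str(target),
        "target_private": target_private,
        "client_private": client_private,
        "treated_as_private": treated_as_private,
        "outcome": outcome,
    }


if __name__ == "__main__":
    for client in (CLIENT_V4, CLIENT_V6):
        r = classify_ptr(PTR_QUERY, client)
        print(f"client {client:>16}  target {r['target']}  "
              f"client_private={r['client_private']}  -> {r['outcome']}")
```

The second run is the case in the post: the target is private, only the client check fails, so the same PC gets an answer over IPv4 and NXDOMAIN over IPv6 from an identical configuration.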