
Messages - nero355

#1
My eyes hurt when I open that link... :(

You should have linked to : https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone

Still a lot of RED but just a fraction compared to the link above !!



Seems to work with Pi-Hole too, but not going to use it for now since a lot of websites/companies claim to have the best Block List out there and not all of them are actually that great...
#2
Quote from: longshot338 on February 11, 2026, 06:21:18 PM
Recently, however, I have noticed that new devices being added to the network (behind OpnSense) are not getting to the Internet for some reason.

All of my legacy devices work fine, however.
What kind of devices are we talking about ?

What does your network setup look like ?
#3
Quote from: meyergru on February 11, 2026, 10:10:11 PM
In my X570 board, the PCIe 4.0 slots attached to the chipset have problems.

The X570 chipset was the first to use PCIe 4.0, so the implementation may be flaky.
At the time, nobody would have noticed, because most PCIe cards only supported PCIe 3.0 anyway.
IIRC there were plenty of websites that wrote a lot about that issue when the AMD Chipset was released ?!

IMHO a great part of the issues comes from the fact that ASMedia a.k.a. ASUS was involved in the design and manufacturing process of the Chipset at the time.

Do you have any Intel based systems to test with ?
I am pretty much done with buying AMD for about 15 years or so now...
#4
Quote from: Patrick M. Hausen on February 11, 2026, 04:01:23 PM
I love that it's written in Golang.
Anything is better than Python... Really having a beef with that one the last couple of years ^_^

Quote
I love the paid (but cheap) mobile iOS app.
Don't need an app when the browser view adjusts itself accordingly :)

Also kind of expected you to be a UBPorts Ubuntu Touch or Jolla SailFish user considering your standpoints on privacy ?!

Quote
Me do me - you do you 🙂
Of course! 🙂
#5
Have a look at this DNSmasqd example config file : https://github.com/imp/dnsmasq/blob/master/dnsmasq.conf.example

And start at line 328 for DHCP Option related configuration.

As you can see each option needs to be put on a new line so you can't have multiple options on the same line !!
You can however have multiple values for the same option on the same line.

My guess is that the OPNsense webGUI tries to simulate that logic too, but maybe not the way you are expecting it to do :)
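As an added example (not code from dnsmasq, OPNsense, or anyone in this thread), a small Python parser that applies the one-option-per-line rule described above to dhcp-option lines from a constructed dnsmasq.conf fragment; the option-spec syntax (option:<name> or a numeric code, with an optional leading tag:<tag>) follows the linked dnsmasq.conf.example.

```python
"""Parse dnsmasq dhcp-option lines into {(tags, option): [values]} and flag
lines that carry more than one option.  Added example, not dnsmasq or OPNsense
code; SAMPLE_CONF is constructed for this example."""
import re

SAMPLE_CONF = """\
# constructed sample, not a real OPNsense export
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.2,192.168.1.3
dhcp-option=tag:guest,option:dns-server,192.168.2.2
dhcp-option=6,192.168.1.4
dhcp-option=option:router,192.168.1.1,option:dns-server,192.168.1.2
"""

# an option spec is either option:<name> or a numeric DHCP option code
OPTION_SPEC = re.compile(r"^(option:[a-z0-9-]+|\d{1,3})$")


def parse_dhcp_options(conf):
    """Return (options, errors).

    options maps (tags, option_spec) -> list of values; several values for one
    option on the same line are fine.  A line is an error if it contains a
    second 'dhcp-option=' or a second option:<name> among its values, since
    each option must sit on its own line."""
    options, errors = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line.startswith("dhcp-option="):
            continue
        body = line[len("dhcp-option="):]
        if "dhcp-option=" in body:
            errors.append((lineno, "more than one dhcp-option on a line"))
            continue
        fields = body.split(",")
        tags = tuple(f[4:] for f in fields if f.startswith("tag:"))
        rest = [f for f in fields if not f.startswith("tag:")]
        if not rest or not OPTION_SPEC.match(rest[0]):
            errors.append((lineno, "missing or malformed option spec"))
            continue
        spec, values = rest[0], rest[1:]
        if any(v.startswith("option:") for v in values):
            errors.append((lineno, "second option on the same line; put it on its own line"))
            continue
        options.setdefault((tags, spec), []).extend(values)
    return options, errors
```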
#6
Quote from: Patrick M. Hausen on February 11, 2026, 03:36:40 PM
It's missing a sound architecture and does too many things in a single tool. Like systemd.
Not a fan of SystemD either, but it is what it is and some things are even kind of cool to use so that "softens the blow" a bit...

Quote
Also it's "alien" to the FreeBSD ecosystem.

Why import a Linux centred single person project when there is standard software for the task.
From what I have heard/read so far Simon Kelley is often supported by many other developers so it's not really a single person project.
And he is also not the "Lead Developer of OpenBSD" kind of guy if you know what I mean, so any input someone has is actually being looked at and communicated about :)

Quote
Also provide in the UI only

- DHCP
- DNS
- RA

without even mentioning the products. Choice is not good in this firewall context. Choice means wasted effort on the development side.
And probably a lot of Support workhours too so I fully agree with you on that one!

Quote from: nero355 on February 11, 2026, 03:25:38 PM
Pi-Hole is again Linux centred and you need a separate system. I run AdGuard Home on my OPNsense for filtering.
I feel like AdGuard is a total Pi-Hole ripoff and do not like pretty much everything about it.

Having my DNS separated from OPNsense is not a big deal for me either.

And the guys that develop Pi-Hole are really cool to talk with too! :)
#7
Quote from: GerhardHeus on February 11, 2026, 02:36:18 PM
My ISP (Freedom Internet NL)
- You have got one of, if not THE BEST ISP in The Netherlands.
- You have got one of, if not THE BEST Router Software in use.
- You have probably also got nice Managed Switches & Accesspoints in use.

Why the heck do you bother using a crappy Fritz!Box on your network ?!
Why not just a nice separate VLAN for all the stuff you need separated ?!



In the 20 years or so that I had xDSL from KPN that whole weird AVM company was THE BRAND TO AVOID for me and I always bought DrayTek Routers instead and never had any issue! :)
#8
Quote from: hakuna on February 11, 2026, 11:15:16 AM
Surfing the internet is insanely faster thanks to OPNSense running it instead of PiHoles (tiny VM)
I don't know what you are doing wrong but my setup :
- OPNsense KEA DHCP Server.
- Pi-Hole + Unbound that queries the Root DNS Servers as the DNS IP Address for the Clients.

Never lets me down! :)

When it comes to DNS resolving speed there were multiple benchmarks that showed very little difference between the hardware used, and even DNS servers that have a lot of addresses cached due to their larger "client pool" were not that much faster than Pi-Hole + Unbound running on a simple Raspberry Pi 3B/3B+/4B at the time.

Quote
ping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there.
In my case everything is set up as follows :
- Static DHCP IP Mappings based on MAC Address for ALL CLIENTS.
- Local DNS Records in Pi-Hole for all of them.

Works like a charm! :)

Quote
I am in the process of setting up dual-stack so it makes more sense to move things to OPNSense.
Dual-Stack in combination with Pi-Hole should not be an issue at all : What is your main issue at the moment ?

Quote from: Patrick M. Hausen on February 11, 2026, 11:34:49 AM
I absolutely dislike DNSmasq
Why ?!

Especially "boosted" by the Pi-Hole Team as their FTLDNS it's really nice to work with in general :)
#9
Quote from: coffeecup25 on February 10, 2026, 04:34:22 PM
Not to be argumentative but I have been using 5353 for a long time without ill effects. Some 'tutorials' also use it.

But I can see your point.
Just wanted to warn you, because the guys @ https://docs.pi-hole.net/guides/dns/unbound/ made that mistake many years ago and switched from 5353 to 5335 and my guess is OPNsense now uses by default 53053 because of the same reason :)

Quote
I have no idea why a port forward is in the mix. I don't use it and never have on either OPNsense or pfSense. As I said, no problems, ever.
You don't use any Redirect DNS NAT rules then I am guessing ?

I like having them to catch "Naughty Clients" on my network just in case... :)

Quote
To repeat, sometimes there is only one way to do something, but with BSD software there are often lots of ways.
Actually if you talk about pure FreeBSD then the explanations written in the FreeBSD Handbook are pretty much the way to do it IMHO : https://docs.freebsd.org/en/books/handbook/
It has taught me a lot of things about 20+ years ago...



Hmm... I am getting old... LOL! ^_^
#10
Quote from: adv on February 10, 2026, 08:09:52 PM
So I then tried playing around with random settings in the VPN setup.

I finally noticed a field called "DNS Server" so I thought I would give it a try.
I put in the IP of the server VPN interface and it worked! The local client took that interface as its DNS server.
I guess I could have told you that too... d0h! ^_^

But then again I have never used OpenVPN in OPNsense so I did not know the OpenVPN Interface is automatically included in the DNS configuration just like I would for example bind Pi-Hole also to tun0 or wg0 to have DNS available in OpenVPN or Wireguard ;)

Quote
I find it very strange that none of the tutorials I searched, including the one in OPNsense's own documentation here: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html mentioned anything about this field being required to make this work. That cost me a lot of hours.

I then reinserted your code above and it made the local client's Internet connection keep its own DNS settings while the VPN connection kept the remote server as its DNS.  Mission accomplished.
This is why it's important to understand the stuff you're working with and read the documentation of the software parts involved (in this case OpenVPN for example) instead of expecting to find someone else's Tutorial/HowTo and have it all figured out for you ;)

Quote
Thanks so much for your help.
You are welcome! :)
#11
Quote from: meyergru on February 10, 2026, 03:16:46 PM
onboard Intel I219-LM adapter that might do funny things because it is equipped with Intel VPro.
That's why I always recommend using the Onboard NIC for pure webGUI access in a Management VLAN and using the additional NIC for everything else :)
#12
Quote from: coffeecup25 on February 10, 2026, 04:09:33 PM
Also, you do not need a port forward.

I can't even see how that idea got into the mix in the first place. It is probably a kluge that somehow worked so it became 'official'.
Ehm...

It's just this : https://forum.opnsense.org/index.php?topic=9245.0 ;)

Since 26.x.x it's called (correctly) Destination NAT but all old documents/HowTo's call it by its old name Port Forward ;)

Quote
If you want to use Unbound, associate it with Not port 53. I used 5353 but anything will work. Inside Adguard Home Settings where it asks for DNS servers, enter 192.168.1.1:5353 (or whatever your router IP is).
Port 5353 is a bad idea because of mDNS traffic and a better idea would be 5335 or 53053 for example !!
#13
Quote from: Patrick M. Hausen on February 10, 2026, 03:39:57 PM
With Unbound unchanged everything will work exactly as before, won't it?
Let's just say he sparked my curiosity and I want to see what the heck he is talking about ;)

IMHO the old setup should have been like this :
- ISC DHCP talking to Unbound for DNS Registration of Hostnames.

And the new setup should be like this according to OPNsense Documentation :
- DNSmasqd does the DNS Registration of Hostnames but all the Clients talk directly to Unbound so you need to tell Unbound about the existence of the DNSmasqd Hostnames DNS Registration Database/Cache.

TL;DR : The same but with a twist! :)
#14
Quote from: Kornelius777 on February 10, 2026, 12:15:32 PM
Furthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.

This works nicely (and is well implemented into unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).
Post your old config for the ISC setup and I am sure someone can figure out how to convert it to the new setup :)

Now it's like : "Hey guys, I had this thing working which I am not going to tell you anything about and you guys have to guess the solution that I like to make sure it works again!"

And that's not very motivating for most people...
#15
There are plenty of options :

- ZenArmor
- Suricata
- Pi-Hole

The first two are full IDS/IPS solutions and the last one is a DNS Blocklist based system which you can combine with this : https://forum.opnsense.org/index.php?topic=9245.0

I would say install a VM for each and have a look around in their webGUI :)