Messages - NewMe

#1
I'm fairly sure this is an HDHR issue. I had this problem years ago with HDHRPrime. I couldn't find an easy solution at the time and had to have devices accessing HDHRP on the same subnet. Maybe SiliconDust have fixed this now.
#2
All default settings with 0.opnsense.pool.ntp.org as the preferred.

Interfaces == All
#3
Greetings. I have multiple WireGuard endpoints set up and working without issue. However, I have noticed that after a reboot, the NTP service doesn't start, from looking at the Services dashboard. Pressing the start button to restart the server never succeeded. I think this is the error I'm getting:

2025-02-17T03:41:27-08:00   Error   opnsense   /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '70', the output was 'daemon control: got EOF'

After stumbling around a bit, I found a way to restart NTP:
  • VPN->WireGuard->Instances and disable all
  • Go back to the dashboard and restart NTP
  • Re-enable the WireGuard instances

(I can't remember whether toggling "Enable WireGuard" instead of the Instances worked or not. It's been a while since I've tried that.)

The NTP service will run as long as the fw is up. Once a reboot is required, I have to go through the above process to restart it. I never had this problem with one single WireGuard endpoint set up (I think... it's been a while, so I don't remember).

Any suggestions? Thank you.
#4
YAY!!! This is working by removing that rule.

My only excuse is that I'm an OPNSense noob. Trying to be security conscious, I'm trying to protect the fw as much as possible. I already have System->Settings->Administration set to only allow LAN as the listen interface. At some point, I thought that blocking rule would be an added layer. It's just my misunderstanding of how that works.

Thank you very much for solving this for me. I appreciate your help!
#5
I can't ping 10.20.0.1 from UNSAFE clients.

I don't have any routing set up (if you mean System->Routes). Firewall rules block UNSAFE to "This Firewall" and allow internet access:
    Action  Proto         Source      Port  Destination    Port      Gateway  Schedule
    x       IPv4          UNSAFE net  *     This Firewall  *         *        *
    >       IPv4          UNSAFE net  *     *              *         *        *
I have tried enabling and disabling:
    >       IPv4 TCP/UDP  UNSAFE net  *     172.0.0.1      53 (DNS)  *        *

"All" network interfaces are specified in Unbound as this was the default/recommended.

Additional info--

The following settings are checked:
    Services->Unbound DNS->General
            Enable Unbound
            Enable DNSSEC Support
            Register ISC DHCP4 Leases
            Register DHCP Static Mappings
    Services->Unbound DNS->Advanced   
            Hide Identity
            Hide Version
            Prefetch DNS Key Support
            Harden DNSSEC Data
            Strict QNAME Minimisation
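The behaviour described in #5 follows directly from rule order: OPNsense interface rules are "quick", so the first rule whose protocol/source/destination/port match decides the packet, and the block to "This Firewall" sits above the pass-all. The following is an added example, not code from the thread or from OPNsense, that models that first-match evaluation over the two UNSAFE rules as posted and over a tighter alternative. It assumes the firewall holds 10.20.0.1 on UNSAFE and 10.10.10.1 on LAN, that "This Firewall" expands to both, and it leaves out the third posted rule because its destination (172.0.0.1) is not the 10.20.0.1 address the UNSAFE clients are handed.

```python
"""Added example: first-match model of the UNSAFE interface rules in #5.

Not code from the thread or from OPNsense. It models how OPNsense rules
(which are "quick", i.e. first match wins) decide a packet, and assumes
the firewall holds 10.20.0.1 on UNSAFE and 10.10.10.1 on LAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing taken from the thread: LAN is 10.10.10.0/24, UNSAFE is
# 10.20.0.0/24. "This Firewall" is OPNsense's built-in alias for every address
# the firewall itself holds, on every interface.
LAN_NET = ipaddress.ip_network("10.10.10.0/24")
UNSAFE_NET = ipaddress.ip_network("10.20.0.0/24")
THIS_FIREWALL = {ipaddress.ip_address("10.10.10.1"), ipaddress.ip_address("10.20.0.1")}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "icmp", "tcp", "udp" or "tcp/udp"
    src: str               # "UNSAFE net", "LAN net", "*" or a literal address
    dst: str               # "This Firewall", "LAN net", "*" or a literal address
    dport: Optional[int]   # None matches any port


def _match_addr(selector: str, ip: str) -> bool:
    """Resolve the GUI-style source/destination selectors used in the thread."""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "This Firewall":
        return addr in THIS_FIREWALL
    if selector == "UNSAFE net":
        return addr in UNSAFE_NET
    if selector == "LAN net":
        return addr in LAN_NET
    return addr == ipaddress.ip_address(selector)


def _match_proto(selector: str, proto: str) -> bool:
    return selector == "any" or proto in selector.split("/")


def evaluate(rules, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Return "pass" or "block" for one packet. The first matching rule wins;
    with no match the packet falls through to the implicit default deny."""
    for r in rules:
        if (_match_proto(r.proto, proto)
                and _match_addr(r.src, src)
                and _match_addr(r.dst, dst)
                and r.dport in (None, dport)):
            return r.action
    return "block"


# The two UNSAFE rules as listed in #5: block to the firewall itself, then
# allow everything else. DNS (and ping) to 10.20.0.1 hits the block first.
POSTED = [
    Rule("block", "any", "UNSAFE net", "This Firewall", None),
    Rule("pass",  "any", "UNSAFE net", "*",             None),
]

# A tighter variant that keeps the firewall protected but still lets UNSAFE
# clients reach Unbound on the interface address: the DNS allow must sit
# ABOVE the block, and UNSAFE is kept out of the LAN subnet as well.
HARDENED = [
    Rule("pass",  "tcp/udp", "UNSAFE net", "10.20.0.1",     53),
    Rule("block", "any",     "UNSAFE net", "This Firewall", None),
    Rule("block", "any",     "UNSAFE net", "LAN net",       None),
    Rule("pass",  "any",     "UNSAFE net", "*",             None),
]


if __name__ == "__main__":
    client = "10.20.0.50"  # constructed UNSAFE client address
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, "DNS->fw:  ", evaluate(rules, client, "10.20.0.1", "udp", 53))
        print(name, "GUI->fw:  ", evaluate(rules, client, "10.20.0.1", "tcp", 443))
        print(name, "SMB->LAN: ", evaluate(rules, client, "10.10.10.20", "tcp", 445))
        print(name, "web->WAN: ", evaluate(rules, client, "9.9.9.9", "tcp", 443))
```

Under HARDENED, ICMP echo to 10.20.0.1 is still blocked, so the ping test from #5 would still fail; add a `Rule("pass", "icmp", "UNSAFE net", "10.20.0.1", None)` above the block if you want the interface to answer ping. The model covers interface rules only: on a real OPNsense box, floating rules and interface-group rules are evaluated before the interface tab, and an automatically generated or floating pass could change the outcome.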
#6
Those VLANs currently don't exist... just LAN and UNSAFE interfaces and their corresponding subnets.

Quote from: NewMe on February 19, 2025, 01:19:58 AM
    I have removed all VLANs to simplify the setup for now.
#7
On LAN:
    "nmcli dev list iface eno1 | grep IP4" points my IP4.DNS[1] to my OPNSense instance's IP.

On UNSAFE:
    Linux:
      "nmcli dev list iface eno1 | grep IP4" points DNS to UNSAFE's subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out

    Win10:
      "ipconfig /all" also points DNS to UNSAFE's subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out
#8
Quote from: meyergru on February 18, 2025, 11:56:15 PM
    What is "a DNS server"? If you want Unbound to block anything, you have to direct all clients via DHCP to "your DNS server", i.e. your own Unbound instance.

    If the VLANs are separated (and why would you have those if they are not?), each interface would probably have its 10.x.y.1 address set as both gateway and DNS server. If you do not set the DNS server explicitly, the ones you use are influenced by several settings. You can end up using your ISP's DNS servers or others.

    Also, bear in mind that most browsers circumvent local DNS by using DoT or DoH per default these days, so be wary what you test.

    P.S.: The way you describe it, IDK if your VLANs are really VLANs or just subnets on the same physical interface. Usually, you would end up having a logical interface for each VLAN, not just two (LAN and UNSAFE).

Thank you for your reply, @meyergru.

I have removed all VLANs to simplify the setup for now. No DNS server is specified in System->Settings->General, Services->ISC DHCPv4->LAN or Services->ISC DHCPv4->UNSAFE. In this case, clients on the LAN network go through my ISP's DNS server. Clients on the UNSAFE network cannot resolve websites unless I specify a DNS server (Cloudflare, Quad9, etc.) in Services->ISC DHCPv4->UNSAFE.

I'm using Firefox, and DoH is set to OFF; DoT is not set.
#9
Greetings. I would like some help setting up Unbound DNS Blocklist (DNSBL) with multiple physical interfaces.

I have a 4-port NIC and would like to utilize the "extra" ports. I have this working, but can't get DNSBL properly set up with multiple physical interfaces. DNSBL does work when I only use one interface for WAN and another for LAN. I followed both of these videos with success (just one technique or the other).

https://youtu.be/o12a2cFGopQ?si=P7tYFtYAZwS34qCM
https://youtu.be/C00L9ngsGsw?si=d8epbJ4IKOJJNRUe

DNSBL works with this configuration:
igb0: WAN
igb1: LAN
10.10.10.1/24 (1010 Home)
10.10.20.1/24 (1020 School)
10.10.30.1/24 (1030 Work)
When I add a second interface (UNSAFE on igb2), traffic on that interface doesn't seem to find a DNS server. If I add a DNS server in Services->DHCPv4->UNSAFE, then all the VLANs on the UNSAFE interface can resolve domain names (thus, internet traffic), but they are not touched by Unbound's DNSBL. VLANs on the LAN interface continue to go through Unbound's DNSBL without any issue.

igb2: UNSAFE
10.20.10.1/24 (2010 Sarah)
10.20.20.1/24 (2020 Tom)
10.20.30.1/24 (2030 Walt)

Any suggestions for a neophyte are appreciated. Thank you.
#10
Thank you, Patrick.
#11
Hello. I'm a noob with OPNSense. My background is not IT related, but I am proficient in tech.

My setup is a mini PC with one internal mainboard 1 Gb NIC (em0), and I have added a 4-port PCI NIC (igb0-3). This is running OPNSense on bare metal.

On initial installation, the default interface assignment is WAN->igb1 and LAN->igb0. I have tried different permutations and they all seem to work including em0.

What problem(s) exist if I use em0 for either WAN or LAN?

Thank you.