"
@Patrick - thanks for that feedback and alternate approach, very helpful!!
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
25.1, 25.4 Series / Re: [SOLVED] Remote firewall failed system update fallback approach question
June 17, 2025, 02:43:26 PM #2
25.1, 25.4 Series / Re: Remote firewall failed system update / upgrade fallback approach question
June 17, 2025, 02:23:35 PM
For those who may come across this post, I answered my own question by following the "Recommended Workflow" in the documentation here, with the following additions:
1. Create snapshot
2. SSH into firewall, create a script to activate the "known_good" snapshot, then reboot firewall.
3. Create an AT job to run the script in 30 minutes from now ==> echo scriptname | at now + 30 minutes
4. Back in UI, apply firmware updates, then let firewall reboot
5. Login and verify everything working as expected, and if it is, then SSH into firewall and cancel AT job
>> If for some reason you are not able to gain access to the remote firewall for any reason, it will fall back to the "known_good" snapshot. After that, you can debug as needed, resolve issue and retry updates.
1. Create snapshot
2. SSH into firewall, create a script to activate the "known_good" snapshot, then reboot firewall.
3. Create an AT job to run the script in 30 minutes from now ==> echo scriptname | at now + 30 minutes
4. Back in UI, apply firmware updates, then let firewall reboot
5. Login and verify everything working as expected, and if it is, then SSH into firewall and cancel AT job
>> If for some reason you are not able to gain access to the remote firewall for any reason, it will fall back to the "known_good" snapshot. After that, you can debug as needed, resolve issue and retry updates.
#3
25.1, 25.4 Series / [SOLVED] Remote firewall failed system update fallback approach question
June 16, 2025, 12:52:23 PM
Scenario - remote small business office with Opnsense firewall, with only handful of users, none tech savvy. No OOB remote management solution (budget constraints) for console access if remote connectivity is lost for any reason.
Background - I am familiar with and successfully used snapshots, manually falling back to a "known_good" snapshot from UI and CLI on a locally accessible firewall, following Snapshot documentation.
Goal - at remote site, manually create a "known_good" snapshot, create a cron job to run in 20 minutes to fallback (e.g. bectl) to "known_good" snapshot, perform system update (24.7.x to current 25.1.x), log back into remote firewall and cancel cron job if all is good. If for some reason I can't get back into remote system, it will fallback to the "knwon_good" snapshot.
Question - is this a capability that is already available in Opnsense natively (I didn't find anything in the doc) or is there already a working solution via available plugin (my searches didn't find a working solution, but a number described the approach I'm planning), before I create my custom cron job?
Background - I am familiar with and successfully used snapshots, manually falling back to a "known_good" snapshot from UI and CLI on a locally accessible firewall, following Snapshot documentation.
Goal - at remote site, manually create a "known_good" snapshot, create a cron job to run in 20 minutes to fallback (e.g. bectl) to "known_good" snapshot, perform system update (24.7.x to current 25.1.x), log back into remote firewall and cancel cron job if all is good. If for some reason I can't get back into remote system, it will fallback to the "knwon_good" snapshot.
Question - is this a capability that is already available in Opnsense natively (I didn't find anything in the doc) or is there already a working solution via available plugin (my searches didn't find a working solution, but a number described the approach I'm planning), before I create my custom cron job?
#4
25.1, 25.4 Series / Re: Dnsmasq possible feature request?
May 30, 2025, 08:16:32 PM
Monviech (Cedrik): Thank you again for your Dnsmasq responses.
I have a simple home network (4 VLAN) and with the following configuration, I am able to allow select subnets (I only needed one for my current needs) to not have the DNSBL apply:
- System | Settings | General, I have 2 public DNS servers setup
- Dnsmasq | DHCP Ranges for 4 VLAN and one of those VLAN with DHCP Option 6 (DNS Server) pointing to an external DNS Server (which could be the same one as what is in System | Settings | General.
Although this setup is not as advanced as Unbound, adguard or pinole, it does enable for allowing select subnets to bypass the DNSBL.
Hopefully this information may be helpful for others who may be interested in having a single DNS and DHCP solution with DNSBL capabilities.
I have a simple home network (4 VLAN) and with the following configuration, I am able to allow select subnets (I only needed one for my current needs) to not have the DNSBL apply:
- System | Settings | General, I have 2 public DNS servers setup
- Dnsmasq | DHCP Ranges for 4 VLAN and one of those VLAN with DHCP Option 6 (DNS Server) pointing to an external DNS Server (which could be the same one as what is in System | Settings | General.
Although this setup is not as advanced as Unbound, adguard or pinole, it does enable for allowing select subnets to bypass the DNSBL.
Hopefully this information may be helpful for others who may be interested in having a single DNS and DHCP solution with DNSBL capabilities.
#5
25.1, 25.4 Series / Dnsmasq possible feature request?
May 30, 2025, 04:09:07 AM
@Monviech (Cedrik): Are there any plans with Dnsmasq to have a WebUI option to add pre-defined DNSBL such as hagzei pro, oisd.big, ...?
Context
My goal is to run Dnsmasq standalone, for DHCP, local DNS (static and dynamic DHCP reservations/leases) + external DNS recursive servers (System | Settings | General), and having DNSBL capabilities for blocking "stuff" using pre-defined DNSBL, similar to what is in Unbound currently (pre-defined block lists in WebUI).
Current Understanding
I am familiar with Dnsmasq /usr/local/etc/dnsmasq.conf.d/*.conf capabilities and have successfully manually download (via curl) the hagzei pro DNSBL into a "dnsbl-hagezi-pro.conf) file under the .../dnsmasq.conf.d/ directory and have that file successfully incorporated into a running Dnsmasq configuration.
Reason for my feature request question
Before I go down the path of creating a cron job to periodically download updated DNSBL, write a script to consolidate different DNSBL, I wanted to see if this is a possible planned capability or if this could be considered for a feature request (I'll submit request if agreed to)??
Context
My goal is to run Dnsmasq standalone, for DHCP, local DNS (static and dynamic DHCP reservations/leases) + external DNS recursive servers (System | Settings | General), and having DNSBL capabilities for blocking "stuff" using pre-defined DNSBL, similar to what is in Unbound currently (pre-defined block lists in WebUI).
Current Understanding
I am familiar with Dnsmasq /usr/local/etc/dnsmasq.conf.d/*.conf capabilities and have successfully manually download (via curl) the hagzei pro DNSBL into a "dnsbl-hagezi-pro.conf) file under the .../dnsmasq.conf.d/ directory and have that file successfully incorporated into a running Dnsmasq configuration.
Reason for my feature request question
Before I go down the path of creating a cron job to periodically download updated DNSBL, write a script to consolidate different DNSBL, I wanted to see if this is a possible planned capability or if this could be considered for a feature request (I'll submit request if agreed to)??
#6
25.1, 25.4 Series / Re: dnsmasq and query forwarding
May 29, 2025, 03:27:49 AMQuote1. Reverse lookups: dig -p 53053 @192.168.31.1 -x 192.168.31.20
your reverse resolution forward entries in unbound are probably wrong: I guess you wanna change *.198.* to *.192.in-addr.arpa . Furthermore your are probably better off with a single 168.192.in-addr.arpa. as I doubt you want to individually configure this on host level in your setup.
@medivh: thanks for pointing out my mistake (case of tired eyes on my part), everything working as expected with that correction.
2. Short name resolutions - I also realized, after stepping away for a bit, that short name digs were not going to work no matter what.
3. With the patches applied and the Unbound query forwarding address correction, I have not received any intermittent resolution errors in the past hour.
@Patrick: Having Dnsmasq as an available option is good thing, at least for my needs - once it is stable here, my goal is to retire Unbound and rely only on Dnsmasq for DHCP and DNS, with DNS blackhole capabilities added in (coming from an Asuswrt-Merlin home setup, I have been using Dnsmasq blackhole functionality for many years successfully and comfortably).
Thank you to all who have responded and provided very useful information!!
#7
25.1, 25.4 Series / Re: dnsmasq and query forwarding
May 28, 2025, 01:35:43 PM
@monviech and @meyergru thank your for your responses and will wait for next release
kind regards
kind regards
#8
25.1, 25.4 Series / Re: dnsmasq and query forwarding
May 28, 2025, 03:00:26 AM
@meyergru post #13 - querying dnsmasq directly using "dig" from my laptop (MacBook) with the port (53053) and server (192.168.31.1 in my case) worked as expected, short and fully qualified names, including reverse lookups. I confirmed /var/etc/dnsmasq-hosts contain the expected static assignments as well.
√ ~ % dig -p 53053 @192.168.31.1 kmbpro
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36073
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro. IN A
;; ANSWER SECTION:
kmbpro. 1 IN A 192.168.31.20
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:40 EDT 2025
;; MSG SIZE rcvd: 51
dig -p 53053 @192.168.31.1 kmbpro.mgmt.internal
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro.mgmt.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22263
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal. IN A
;; ANSWER SECTION:
kmbpro.mgmt.internal. 1 IN A 192.168.31.20
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:42:43 EDT 2025
;; MSG SIZE rcvd: 65
dig -p 53053 @192.168.31.1 -x 192.168.31.20
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 -x 192.168.31.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.31.168.192.in-addr.arpa. 1 IN PTR kMBPro.mgmt.internal.
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:06 EDT 2025
;; MSG SIZE rcvd: 89
doing the same query without pointing directly to dnsmasq always fails on short names and reverse lookups, whereas FQDN works occasionally, otherwise also fails with NXDOMAIN
dig kmbpro
; <<>> DiG 9.10.6 <<>> kmbpro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53396
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro. IN A
;; AUTHORITY SECTION:
. 1562 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025052702 1800 900 604800 86400
;; Query time: 17 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:45:49 EDT 2025
;; MSG SIZE rcvd: 110
dig kmbpro.mgmt.internal
; <<>> DiG 9.10.6 <<>> kmbpro.mgmt.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal. IN A
;; ANSWER SECTION:
kmbpro.mgmt.internal. 1 IN A 192.168.31.20
;; Query time: 11 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:47:56 EDT 2025
;; MSG SIZE rcvd: 65
√ ~ % dig -x 192.168.31.20
; <<>> DiG 9.10.6 <<>> -x 192.168.31.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43607
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
;; Query time: 16 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:48:10 EDT 2025
;; MSG SIZE rcvd: 114
I believe I have things configured consistent with the online doc examples (see screenshots below)
Am I missing something in unbound configuration or is this a possible bug?
√ ~ % dig -p 53053 @192.168.31.1 kmbpro
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36073
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro. IN A
;; ANSWER SECTION:
kmbpro. 1 IN A 192.168.31.20
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:40 EDT 2025
;; MSG SIZE rcvd: 51
dig -p 53053 @192.168.31.1 kmbpro.mgmt.internal
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro.mgmt.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22263
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal. IN A
;; ANSWER SECTION:
kmbpro.mgmt.internal. 1 IN A 192.168.31.20
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:42:43 EDT 2025
;; MSG SIZE rcvd: 65
dig -p 53053 @192.168.31.1 -x 192.168.31.20
; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 -x 192.168.31.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.31.168.192.in-addr.arpa. 1 IN PTR kMBPro.mgmt.internal.
;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:06 EDT 2025
;; MSG SIZE rcvd: 89
doing the same query without pointing directly to dnsmasq always fails on short names and reverse lookups, whereas FQDN works occasionally, otherwise also fails with NXDOMAIN
dig kmbpro
; <<>> DiG 9.10.6 <<>> kmbpro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53396
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro. IN A
;; AUTHORITY SECTION:
. 1562 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025052702 1800 900 604800 86400
;; Query time: 17 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:45:49 EDT 2025
;; MSG SIZE rcvd: 110
dig kmbpro.mgmt.internal
; <<>> DiG 9.10.6 <<>> kmbpro.mgmt.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal. IN A
;; ANSWER SECTION:
kmbpro.mgmt.internal. 1 IN A 192.168.31.20
;; Query time: 11 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:47:56 EDT 2025
;; MSG SIZE rcvd: 65
√ ~ % dig -x 192.168.31.20
; <<>> DiG 9.10.6 <<>> -x 192.168.31.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43607
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
;; Query time: 16 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:48:10 EDT 2025
;; MSG SIZE rcvd: 114
I believe I have things configured consistent with the online doc examples (see screenshots below)
Am I missing something in unbound configuration or is this a possible bug?
#9
25.1, 25.4 Series / Re: dnsmasq and query forwarding
May 27, 2025, 03:17:40 PM
Yes, I have Dnsmasq DNS do not forward reverse + system dns servers (no dns servers are configured at system level) and Unbound custom forwards configured for each of my subnets.
What i have also observed is that the forward and reverse lookups work initially after service restarts or firewall reboot only for a short time, then I start receiving NXDOMAIN.
Pending your response, I'm thinking I may need to redo my configs from scratch to make sure I haven't misconfigured something since I have been trying to get this working over the past week (static and dynamic leases are working as expected, it's just the name resolution are not).
What i have also observed is that the forward and reverse lookups work initially after service restarts or firewall reboot only for a short time, then I start receiving NXDOMAIN.
Pending your response, I'm thinking I may need to redo my configs from scratch to make sure I haven't misconfigured something since I have been trying to get this working over the past week (static and dynamic leases are working as expected, it's just the name resolution are not).
#10
25.1, 25.4 Series / Re: dnsmasq and query forwarding
May 27, 2025, 02:39:49 PM
Should the two patches @Monviech mentioned also correct reverse lookups? In my case, following the configuration (Dnsmasq and Unbound) in the doc, reverse lookups are failing still (forwards are now working tho).
#11
25.1, 25.4 Series / Re: DNSMasq Leases UI questions/wishlist
May 24, 2025, 04:55:14 PM
@Monviech thanks for the response and will do on the feature requests
#12
25.1, 25.4 Series / DNSMasq Leases UI questions/wishlist
May 24, 2025, 01:28:32 PM
Will the DNSMasq Leases UI have the following abilities similar to ISC DHCP or is it there somewhere and I'm missing it?
- show the status of a lease (e.g., online (green) or offline (red))
- add a static mapping for a dynamic lease
- delete a lease
- show the status of a lease (e.g., online (green) or offline (red))
- add a static mapping for a dynamic lease
- delete a lease
Pages1
