Messages

Problem solved - turned out to be an electrical issue and not equipment or configuration related. Moved the cable modem and firewall appliance to a different outlet and everything working again. Contacted an electrician to investigate and fix.

Thank you all for the input and suggestions

Yea - I got the same findings from Google AI about it possibly being a grounding issue. Curious tho other devices I tried do not have the issue, but it could be something about the Protectli appliance.

UI interface Overview details for the given interface and ifconfig igc# (also no errors) show 100/fdx auto negotiated and interface never receives an IP address. Hard coding the speed/duplex and the interface fails to come up.

nothing in dmesg I could glean.

Unshielded cables only used. I had heard about the shielded cable issues previously as well. Protectli support is stumped as well, but have offered to send a replacement unit which is encouraging.

[Setup]

WAN Interface on my Protectli v1210 fails to negotiate speed/duplex correctly when ISP coax is connected to cable modem, but does negotiate properly (2500/fdx) when I disconnect the ISP coax.

I'm fairly certain this is an ISP issue, but would appreciate some advice on how to collect meaningful information to help with ISP tech support

Setup
- Cox ISP 2Gbps Internet
- Motorola SB8611 cable modem
- Protectli V1210, 2 Intel® I226-V 2.5Gigabit Ethernet NIC ports, RJ-45
- OpnSense 26.1.9

ISP---(coax)---[modem]---(cat6)---[Protectli/OpnSense bare metal]---

Issue
- WAN Interface fails to autonegotiate to 2500 and fails to get WAN IP (same issue if I hard configure 2500-t)
- Same issue with either interface (igc0 or igc1)
- Same issue with multiple cables
- Same issue with two different cable modems (Motorola SB861))
- Removing the ISP coax from cable modem, then WAN interface negotiates properly and receives default IP (192.168.100.x) from cable modem
- Factory reset / default OpnSense does not resolve nor does CMOS reset on Protectli
- Replacing OpnSense firewall with an older Asuswrt router (gt-ax6000) and the WAN interface on the router does negotiate properly to 2500/fdx and obtain WAN IP from ISP

Questions
1. Are there any interface settings and/or tunable I can configure to resolve this
2. What cli command can I run to help diagnose this + information I should capture to bring to ISP, so I can avoid the "simple" questions (change the cable, reset the router, ...)

@Patrick - thanks for that feedback and alternate approach, very helpful!!

For those who may come across this post, I answered my own question by following the "Recommended Workflow" in the documentation here, with the following additions:

1. Create snapshot
2. SSH into firewall, create a script to activate the "known_good" snapshot, then reboot firewall.
3. Create an AT job to run the script in 30 minutes from now ==> echo scriptname | at now + 30 minutes
4. Back in UI, apply firmware updates, then let firewall reboot
5. Login and verify everything working as expected, and if it is, then SSH into firewall and cancel AT job
>> If for some reason you are not able to gain access to the remote firewall for any reason, it will fall back to the "known_good" snapshot. After that, you can debug as needed, resolve issue and retry updates.

[Scenario]

Scenario - remote small business office with Opnsense firewall, with only handful of users, none tech savvy. No OOB remote management solution (budget constraints) for console access if remote connectivity is lost for any reason.

Background - I am familiar with and successfully used snapshots, manually falling back to a "known_good" snapshot from UI and CLI on a locally accessible firewall, following Snapshot documentation.

Goal - at remote site, manually create a "known_good" snapshot, create a cron job to run in 20 minutes to fallback (e.g. bectl) to "known_good" snapshot, perform system update (24.7.x to current 25.1.x), log back into remote firewall and cancel cron job if all is good. If for some reason I can't get back into remote system, it will fallback to the "knwon_good" snapshot.

Question - is this a capability that is already available in Opnsense natively (I didn't find anything in the doc) or is there already a working solution via available plugin (my searches didn't find a working solution, but a number described the approach I'm planning), before I create my custom cron job?

Monviech (Cedrik): Thank you again for your Dnsmasq responses.

I have a simple home network (4 VLAN) and with the following configuration, I am able to allow select subnets (I only needed one for my current needs) to not have the DNSBL apply:

- System | Settings | General, I have 2 public DNS servers setup
- Dnsmasq | DHCP Ranges for 4 VLAN and one of those VLAN with DHCP Option 6 (DNS Server) pointing to an external DNS Server (which could be the same one as what is in System | Settings | General.

Although this setup is not as advanced as Unbound, adguard or pinole, it does enable for allowing select subnets to bypass the DNSBL.

Hopefully this information may be helpful for others who may be interested in having a single DNS and DHCP solution with DNSBL capabilities.

[Context]

@Monviech (Cedrik): Are there any plans with Dnsmasq to have a WebUI option to add pre-defined DNSBL such as hagzei pro, oisd.big, ...?

Context
My goal is to run Dnsmasq standalone, for DHCP, local DNS (static and dynamic DHCP reservations/leases) + external DNS recursive servers (System | Settings | General), and having DNSBL capabilities for blocking "stuff" using pre-defined DNSBL, similar to what is in Unbound currently (pre-defined block lists in WebUI).

Current Understanding
I am familiar with Dnsmasq /usr/local/etc/dnsmasq.conf.d/*.conf capabilities and have successfully manually download (via curl) the hagzei pro DNSBL into a "dnsbl-hagezi-pro.conf) file under the .../dnsmasq.conf.d/  directory and have that file successfully incorporated into a running Dnsmasq configuration.

Reason for my feature request question
Before I go down the path of creating a cron job to periodically download updated DNSBL, write a script to consolidate different DNSBL, I wanted to see if this is a possible planned capability or if this could be considered for a feature request (I'll submit request if agreed to)??

[thanks]

1. Reverse lookups: dig -p 53053 @192.168.31.1 -x 192.168.31.20
your reverse resolution forward entries in unbound are probably wrong: I guess you wanna change *.198.* to *.192.in-addr.arpa . Furthermore your are probably better off with a single 168.192.in-addr.arpa. as I doubt you want to individually configure this on host level in your setup.

@medivh: thanks for pointing out my mistake (case of tired eyes on my part), everything working as expected with that correction.

2. Short name resolutions - I also realized, after stepping away for a bit, that short name digs were not going to work no matter what.

3. With the patches applied and the Unbound query forwarding address correction, I have not received any intermittent resolution errors in the past hour.

@Patrick: Having Dnsmasq as an available option is good thing, at least for my needs - once it is stable here, my goal is to retire Unbound and rely only on Dnsmasq for DHCP and DNS, with DNS blackhole capabilities added in (coming from an Asuswrt-Merlin home setup, I have been using Dnsmasq blackhole functionality for many years successfully and comfortably).

Thank you to all who have responded and provided very useful information!!

@monviech and @meyergru thank your for your responses and will wait for next release

kind regards

[dig -p 53053 @192.168.31.1 kmbpro]

@meyergru post #13 - querying dnsmasq directly using "dig" from my laptop (MacBook) with the port (53053) and server (192.168.31.1 in my case) worked as expected, short and fully qualified names, including reverse lookups. I confirmed /var/etc/dnsmasq-hosts contain the expected static assignments as well.

√ ~ % dig -p 53053 @192.168.31.1 kmbpro

; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36073
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.                IN    A

;; ANSWER SECTION:
kmbpro.            1    IN    A    192.168.31.20

;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:40 EDT 2025
;; MSG SIZE  rcvd: 51

dig -p 53053 @192.168.31.1 kmbpro.mgmt.internal

; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 kmbpro.mgmt.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22263
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal.        IN    A

;; ANSWER SECTION:
kmbpro.mgmt.internal.    1    IN    A    192.168.31.20

;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:42:43 EDT 2025
;; MSG SIZE  rcvd: 65

dig -p 53053 @192.168.31.1 -x 192.168.31.20

; <<>> DiG 9.10.6 <<>> -p 53053 @192.168.31.1 -x 192.168.31.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
20.31.168.192.in-addr.arpa. 1    IN    PTR    kMBPro.mgmt.internal.

;; Query time: 9 msec
;; SERVER: 192.168.31.1#53053(192.168.31.1)
;; WHEN: Tue May 27 20:02:06 EDT 2025
;; MSG SIZE  rcvd: 89

doing the same query without pointing directly to dnsmasq always fails on short names and reverse lookups, whereas FQDN works occasionally, otherwise also fails with NXDOMAIN
dig kmbpro

; <<>> DiG 9.10.6 <<>> kmbpro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53396
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.                IN    A

;; AUTHORITY SECTION:
.            1562    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2025052702 1800 900 604800 86400

;; Query time: 17 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:45:49 EDT 2025
;; MSG SIZE  rcvd: 110

dig kmbpro.mgmt.internal

; <<>> DiG 9.10.6 <<>> kmbpro.mgmt.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;kmbpro.mgmt.internal.        IN    A

;; ANSWER SECTION:
kmbpro.mgmt.internal.    1    IN    A    192.168.31.20

;; Query time: 11 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:47:56 EDT 2025
;; MSG SIZE  rcvd: 65

√ ~ % dig -x 192.168.31.20   

; <<>> DiG 9.10.6 <<>> -x 192.168.31.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43607
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;20.31.168.192.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.    10800    IN    SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 16 msec
;; SERVER: 192.168.31.1#53(192.168.31.1)
;; WHEN: Tue May 27 20:48:10 EDT 2025
;; MSG SIZE  rcvd: 114

I believe I have things configured consistent with the online doc examples (see screenshots below)

Am I missing something in unbound configuration or is this a possible bug?

Yes, I have Dnsmasq DNS do not forward reverse + system dns servers (no dns servers are configured at system level) and Unbound custom forwards configured for each of my subnets.

What i have also observed is that the forward and reverse lookups work initially after service restarts or firewall reboot only for a short time, then I start receiving NXDOMAIN.

Pending your response, I'm thinking I may need to redo my configs from scratch to make sure I haven't misconfigured something since I have been trying to get this working over the past week (static and dynamic leases are working as expected, it's just the name resolution are not).

Should the two patches @Monviech mentioned also correct reverse lookups? In my case, following the configuration (Dnsmasq and Unbound) in the  doc, reverse lookups are failing still (forwards are now working tho).

@Monviech thanks for the response and will do on the feature requests