Messages

1

Hardware and Performance / Re: PCENGINES APU[1-5] Bios

« on: May 10, 2019, 08:41:53 pm »

The most recent mainline BIOS versions for the APU1 trough APU5 platforms are out.

v4.9.0.5

https://pcengines.github.io

2

19.1 Production Series / Re: Revert unbound to 18.7.7 - not possible?

« on: March 06, 2019, 10:22:05 pm »

How and for what reasons your OPNsense box is deployed, dictates your freedom of action of cause. In my case, I'm the only user.

I started with a fresh backup of the configuration file. With it you can always return to the previous known good state. However, it will take longer than 5 min. Don't let anyone rush you.

Useful tools:
Putty
WinSCP
Notepad++


Then you can ask your boss for a raise :-)


miroco

3

19.1 Production Series / Re: Revert unbound to 18.7.7 - not possible?

« on: March 04, 2019, 10:33:11 pm »

It's working for me. These following notes are an extract of the "directnupe" guide. They helped me get a better overview of the process. However I do strongly advise you to read up on his guide prior to making the installation/configuration.

miroco


GetDNS and Stubby

# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libidn-1.34_1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libuv-1.26.0.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/libev-4.24,1.txz
# pkg add https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/MINT/19.1.2/LibreSSL/All/getdns-1.5.1.txz

# su -m unbound -c /usr/local/sbin/unbound-anchor

# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

Make it executable - I run two commands - it works for me:
# chmod 744 /usr/local/etc/rc.d/stubby.sh
# chmod a+x /usr/local/etc/rc.d/stubby.sh

Yes must enable Stubby Daemon in the file -  open file by: nano /usr/local/etc/rc.d/stubby.sh
go to line 27  -

: ${stubby_enable="NO"}  change the setting to  : ${stubby_enable="YES"}

That is all you have to do to this file. It comes pre-configured. Save and exit.

Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml

resolution_type: GETDNS_RESOLUTION_STUB

dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128

edns_client_subnet_private : 1

round_robin_upstreams: 1

idle_timeout: 60000 # keep-alive for 1 min, for better performance

listen_addresses:
  - 127.0.0.1@8053   ## Stubby / Unbound ## Default Address/Port

https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example

upstream_recursive_servers:
# IPV4 Servers
# The getdnsapi.net Server
  - address_data: 185.49.141.37
    tls_port: 853
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
# The Fondation RESTENA Server
  - address_data: 158.64.1.29
    tls_auth_name: "kaitain.restena.lu"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
### Test servers ###
## Surfnet/Sinodun Servers
  - address_data: 145.100.185.17
    tls_port: 853
    tls_auth_name: "dnsovertls2.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
# The securedns.eu Server
  - address_data: 146.185.167.43
    tls_auth_name: "dot.securedns.eu"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
# The dns.cmrg.net Server
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
# DNSPRIVACY.at Primary DNS TLS Server
  - address_data: 94.130.110.185
    tls_port: 853
    tls_auth_name: "ns1.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
# DNSPRIVACY.at Secondary DNS TLS Server
  - address_data: 94.130.110.178
    tls_port: 853
    tls_auth_name: "ns2.dnsprivacy.at"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
# The dns.neutopia.org Server
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
### Anycast services ###
#Tenta ICANN DNS TLS Primary Server
  - address_data: 99.192.182.200
    tls_auth_name: "iana.tenta.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0=

## End of Sample File  /

Save and Exit


In order to have Opnsense use default start up script (  /usr/local/etc/rc.d/stubby.sh ) at boot time,
you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :
# nano /etc/rc.conf.d/stubby   -   in the new file enter the following two lines:

stubby_enable="YES" 
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit

Then make the file executable - once again - works for me:

# chmod 744 /etc/rc.conf.d/stubby
# chmod a+x /etc/rc.conf.d/stubby

----

Now you must configure your  Unbound DNS Server to use Stubby for DNS Over TLS.

UNBOUND GENERAL SETTINGS
Network Interfaces =   WAN LAN ( all of your LAN interfaces if you have more than one )
And You Must Select  Localhost - repeat -  You Must Select  Localhost!

Under Custom options enter the following :

server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr:127.0.0.1@8053

## END OF ENTRY

Outgoing Network Interfaces  =  Localhost

Make Sure to NOT CHECK - DO NOT CHECK -  the box for DNS Query Forwarding.

Save and Apply Settings

Next -Under System > Settings  > General Settings

Set the first DNS Server to 127.0.0.1   with no gateway selected  /   
Make sure that DNS server option:

A - Allow DNS server list to be overridden by DHCP/PPP on WAN -  Is Not I repeat - Is Not Checked !

and DNS server option

B -  Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not  - I repeat - Is Not Checked !

I now only run  127.0.0.1  ( Localhost ) configured as the only DNS SERVER on my WAN interface.
If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried.
I  only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision.

4

19.1 Production Series / Re: Revert unbound to 18.7.7 - not possible?

« on: March 04, 2019, 09:54:52 pm »

@chemlud

I've experienced your exact predicament and I took the "Stubby" rout after the 19.1 release following the "directnupe" guide. As far as I can tell it's working very well. I'm on 19.1.2 LibreSSL flavour.

https://forum.opnsense.org/index.php?topic=10062.0

miroco

5

Hardware and Performance / Re: PCENGINES APU[1-5] Bios

« on: February 13, 2019, 09:08:01 pm »

Hi till,

As far as I can tell, 3mdeb is a company specialized in embedded systems, particular firmwares. The lightly scenario is that PCengines contracted 3mdeb for the development of firmares for their APU series products.

http://www.pcengines.info/forums/?page=post&id=4C472C95-E846-42BF-BC41-43D1C54DFBEA&fid=6D8DBBA4-9D40-4C87-B471-80CB5D9BD945&pageindex=2

https://calendly.com/3mdeb


miroco

6

Hardware and Performance / Re: PCENGINES APU[1-5] Bios

« on: February 13, 2019, 01:03:19 pm »

It was perhaps a glich or an outage of some sort. However, all five BIOS-versions are/was accessable as of 13:00 CET.


miroco

7

Hardware and Performance / Re: PCENGINES APU[1-5] Bios

« on: February 12, 2019, 08:05:18 pm »

The most recent BIOS versions for the APU1 trough APU5 platforms are out.

v4.9.0.2 - Mainline
v4.0.24 - Legacy

https://pcengines.github.io


miroco

8

19.1 Production Series / Reverting to an earlier version of unbound over branches

« on: January 30, 2019, 01:56:38 pm »

Is it safe to assume that OPNsense 19.1 will be using Unbound ver. 1.8.3? If so, and I need to revert to an earlier version, like ver. 1.8.1 (I'm using DNS-over-TLS), can I when 19.1 goes live use Unbound from the 18.7 branch to do so?

opnsense-revert -r 18.7.8 unbound


Thanx

miroco

9

Hardware and Performance / Re: APU2 Bios

« on: January 22, 2019, 09:25:57 am »

Jan. 12th saw the most recent release of the APUx firmware range, including a new channel for announcing future releases.

v4.9.0.1 - Mainline
v4.0.23 - Legacy

http://www.pcengines.info/forums/?page=post&id=4C472C95-E846-42BF-BC41-43D1C54DFBEA&fid=6D8DBBA4-9D40-4C87-B471-80CB5D9BD945&pageindex=3


miroco

10

Hardware and Performance / Re: APU2 Bios

« on: December 15, 2018, 09:54:38 pm »

There seems to have been a substantial breakthrough in the development of the PC Engines firmware, the apu1 trough apu5 range. The latest test builds have a 05_ prefix and can be found here: https://cloud.3mdeb.com/index.php/s/ssRQPSjYG8Ek6mD

The upcoming official release is expected around January 10th. as v4.8.0.8

https://github.com/pcengines/apu2-documentation/issues/64

https://pcengines.github.io


miroco

11

18.7 Legacy Series / DNS TLS encryption using Quad9 and Cloudflare DNS servers (18.7)

« on: December 15, 2018, 12:00:27 pm »

Unbound surprisinly quit after an update to 18.7.9. I've been using DNS-over-TLS for a long time now without issues and was surprised over the fact. Reverting to the previous Unbound version 1.8.1 solved the problem.

Dec 13 21:43:04   kernel: -> pid: 86093 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Dec 13 21:43:04   kernel: [HBSD SEGVGUARD] [unbound (86093)] Suspension expired.
Dec 13 21:43:04   kernel: pid 86093 (unbound), uid 59: exited on signal 11
Dec 13 21:24:43   kernel: -> pid: 1801 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Dec 13 21:24:43   kernel: [HBSD SEGVGUARD] [unbound (1801)] Suspension expired.
Dec 13 21:24:43   kernel: pid 1801 (unbound), uid 59: exited on signal 10

miroco

12

19.1 Production Series / Re: 19.1 development milestones

« on: November 03, 2018, 03:18:22 pm »

How about ad-blocking, is it on the 19.1 roadmap?

13

Hardware and Performance / Re: APU2 Bios

« on: October 20, 2018, 12:22:46 am »

Looking at these test results, the mainline v4.8.0.5 seems more promising, even without the ECC capability, then the legacy v4.0.20, but YMMW.

https://docs.google.com/spreadsheets/d/1_uRhVo9eYeZONnelymonYp444zYHT_Q_qmJEJ8_XqJc/edit#gid=0

https://docs.google.com/spreadsheets/d/1_uRhVo9eYeZONnelymonYp444zYHT_Q_qmJEJ8_XqJc/edit#gid=1817105926

14

Hardware and Performance / Re: APU2 Bios

« on: October 18, 2018, 10:46:06 am »

ECC is fixed on the APU-platform effective 2018-10-04 BIOS v4.8.0.5 Mainline release.

https://pcengines.github.io

https://3mdeb.com/firmware/enabling-ecc-on-pc-engines-platforms/#.W8eUoKeHKuM

15

Hardware and Performance / Re: PC Engines APU2 1Gbit traffic not achievable

« on: October 18, 2018, 10:40:21 am »

An unintentional dubble post.