"
From the changelog of 24.1.2 there's a mentioning of the "recent DNS denial of service attack mitigation". Could this have anything to do with the fact that my configuration stopped working after applying it? 5 months on and I'm still scratching my head.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
General Discussion / Re: Support completing firewall rules and fix wireguard dns issues
July 29, 2024, 12:03:56 PM #2
General Discussion / Re: Support completing firewall rules and fix wireguard dns issues
July 27, 2024, 12:44:33 AM
Hi!
I have a very similar experience with a configuration that's also based on Schnerring's OPNSense Baseline Guide. I used it for a little more than a year without issues. I think it was the 24.1.2 upgrade that broke it. After that I couldn't access the Internet from any client computer (except through VLAN40), oddly enough it seems as if the firewall itself can resolve DNS requests. I've been able to upgrade OPNsense and other services like Let's Encrypt and ClamAV has been able to stay updated. Most of the Firewall > Log Files > Live View is in red. As per the guide there are 4 Vlan's, VLAN10 is used for management. VLAN20 is the main access over Wireguard (in my case Mullvad) which uses Unbound and resolves DNS requests by DNS root servers. VLAN30 is a backup access path and uses Dnsmasq. VLAN40 is a guest network and isolated from the 3 other Vlan's and uses a public DNS server configured in the DHCP server. Access through VLAN40 has been working uninterrupted. I include an image of the DNS-arcitecture from the site. I hope Schnerring doesn't mind.
Miroco
I have a very similar experience with a configuration that's also based on Schnerring's OPNSense Baseline Guide. I used it for a little more than a year without issues. I think it was the 24.1.2 upgrade that broke it. After that I couldn't access the Internet from any client computer (except through VLAN40), oddly enough it seems as if the firewall itself can resolve DNS requests. I've been able to upgrade OPNsense and other services like Let's Encrypt and ClamAV has been able to stay updated. Most of the Firewall > Log Files > Live View is in red. As per the guide there are 4 Vlan's, VLAN10 is used for management. VLAN20 is the main access over Wireguard (in my case Mullvad) which uses Unbound and resolves DNS requests by DNS root servers. VLAN30 is a backup access path and uses Dnsmasq. VLAN40 is a guest network and isolated from the 3 other Vlan's and uses a public DNS server configured in the DHCP server. Access through VLAN40 has been working uninterrupted. I include an image of the DNS-arcitecture from the site. I hope Schnerring doesn't mind.
Miroco
Code Select
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/
#3
Virtual private networks / Re: Proton VPN two gateways
March 11, 2024, 04:47:28 PM
What if you switch the port on one of the Instances to anything other than 51820, like 51821?
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#remote-peers
miroco
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#remote-peers
miroco
#4
22.7 Legacy Series / Re: Laptop & Managed Switch (TL-SG10) & VLANs
January 16, 2023, 12:50:38 PM
I found this video helpful.
Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk
Admittedly it covers a Netgear 8 port GS108Ev3 and not a TP-Link. Though I'm pretty convinced that TP-Link took more than a casual glance at the Netgear counterpart.
If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is specially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.
Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk
Admittedly it covers a Netgear 8 port GS108Ev3 and not a TP-Link. Though I'm pretty convinced that TP-Link took more than a casual glance at the Netgear counterpart.
If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is specially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.
#5
General Discussion / Re: Help choosing wireless access points
January 11, 2023, 01:52:34 PM
Has anyone tried a "Power Line Phase Coupler" to mitigate the problem caused by three phase wiring?
https://www.newegg.com/sedna-se-hp-phc-1-up-to-200mbps/p/1BV-0001-00002
"Transfer PCL signal across different phase in a 3 phase power system. Home Plugs connected in different phase can now communicate."
https://www.newegg.com/sedna-se-hp-phc-1-up-to-200mbps/p/1BV-0001-00002
"Transfer PCL signal across different phase in a 3 phase power system. Home Plugs connected in different phase can now communicate."
#6
22.7 Legacy Series / Re: Wireguard NAT rules required?
October 23, 2022, 11:41:16 AM
Here is a guide I found useful and it doesn't use a NAT rule.
[How To] Set up WireGuard VPN on OPNsense (& Client Config Examples)
https://www.youtube.com/watch?v=b58PpuIsQ3A
[How To] Set up WireGuard VPN on OPNsense (& Client Config Examples)
https://www.youtube.com/watch?v=b58PpuIsQ3A
#7
General Discussion / Re: How to ensure DoT is working correctly?
August 07, 2022, 01:08:53 PM
This is from memory. I think I came across this from the forum some time ago, but I can't find it again. Give it a shot.
Go to - Interfaces -> Diagnostics -> Packet capture
Interface -> WAN
Set port to 853 and press "Start". Take your box for a spin and then press "Stop" and "View Capture" below.
Go to - Interfaces -> Diagnostics -> Packet capture
Interface -> WAN
Set port to 853 and press "Start". Take your box for a spin and then press "Stop" and "View Capture" below.
#8
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
August 02, 2022, 10:23:14 PM
9 h later and Unbound is till behaving. :) Thank you Franco.
#9
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
August 02, 2022, 01:21:14 PM
I applied the patch and rebooted the machine to get a reference point.
I don't have any instance of [Restart of Unbound 1.16.1] after 10:05:26
Nor do I have any instance of [IPv4 renewal is starting on 'igb0'] after 10:14:35
However, the 30 min IP renewal seems to continue normally
Code Select
2022-08-02T10:12:12 Notice shutdown reboot by root:I don't have any instance of [Restart of Unbound 1.16.1] after 10:05:26
Nor do I have any instance of [IPv4 renewal is starting on 'igb0'] after 10:14:35
However, the 30 min IP renewal seems to continue normally
Code Select
2022-08-02T13:11:28 Notice dhclient Creating resolv.conf
2022-08-02T12:43:18 Notice dhclient Creating resolv.conf
2022-08-02T12:13:18 Notice dhclient Creating resolv.conf
2022-08-02T11:43:18 Notice dhclient Creating resolv.conf
2022-08-02T11:13:18 Notice dhclient Creating resolv.conf
2022-08-02T10:43:17 Notice dhclient Creating resolv.conf
2022-08-02T10:13:17 Notice dhclient Creating resolv.conf
2022-08-02T10:05:24 Notice dhclient Creating resolv.conf
#10
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
August 01, 2022, 04:45:31 PM
This is my contribution
Code Select
root@opnsense:~ # opnsense-log | grep plugins_configure.\*unbound
<13>1 2022-08-01T00:17:50+02:00 xyz.ddns.net opnsense 2016 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T00:47:50+02:00 xyz.ddns.net opnsense 54016 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T01:15:36+02:00 xyz.ddns.net opnsense 10061 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T01:45:36+02:00 xyz.ddns.net opnsense 64671 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T02:14:25+02:00 xyz.ddns.net opnsense 63640 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T02:44:04+02:00 xyz.ddns.net opnsense 22639 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T03:12:10+02:00 xyz.ddns.net opnsense 85320 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T03:40:11+02:00 xyz.ddns.net opnsense 22974 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T04:10:11+02:00 xyz.ddns.net opnsense 1829 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T04:38:55+02:00 xyz.ddns.net opnsense 90592 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T05:06:43+02:00 xyz.ddns.net opnsense 11486 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T05:36:44+02:00 xyz.ddns.net opnsense 22493 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T06:06:45+02:00 xyz.ddns.net opnsense 9184 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T06:36:44+02:00 xyz.ddns.net opnsense 33091 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T07:06:45+02:00 xyz.ddns.net opnsense 87989 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T07:36:03+02:00 xyz.ddns.net opnsense 76252 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T08:04:28+02:00 xyz.ddns.net opnsense 76523 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T08:33:24+02:00 xyz.ddns.net opnsense 58550 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T09:03:24+02:00 xyz.ddns.net opnsense 35992 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T09:33:18+02:00 xyz.ddns.net opnsense 96828 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T10:03:19+02:00 xyz.ddns.net opnsense 38573 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T10:32:38+02:00 xyz.ddns.net opnsense 83571 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T11:02:39+02:00 xyz.ddns.net opnsense 34587 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T11:32:38+02:00 xyz.ddns.net opnsense 4381 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T12:01:54+02:00 xyz.ddns.net opnsense 66697 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T12:31:55+02:00 xyz.ddns.net opnsense 6420 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T13:01:54+02:00 xyz.ddns.net opnsense 60180 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T13:31:55+02:00 xyz.ddns.net opnsense 24014 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T14:01:55+02:00 xyz.ddns.net opnsense 91467 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T14:30:05+02:00 xyz.ddns.net opnsense 26010 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T14:58:37+02:00 xyz.ddns.net opnsense 13911 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T15:28:11+02:00 xyz.ddns.net opnsense 36178 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T15:58:12+02:00 xyz.ddns.net opnsense 50632 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
<13>1 2022-08-01T16:27:48+02:00 xyz.ddns.net opnsense 36874 - [meta sequenceId="6"] plugins_configure hosts (execute task : unbound_hosts_generate())
#11
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
August 01, 2022, 04:18:03 PM #12
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
August 01, 2022, 02:26:25 PM
This is my sanitized contribution
Code Select
root@opnsense:~ # opnsense-log | grep "On (IP address:"
<11>1 2022-08-01T00:17:49+02:00 xyz.ddns.net opnsense 2016 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T00:47:50+02:00 xyz.ddns.net opnsense 54016 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T01:15:35+02:00 xyz.ddns.net opnsense 10061 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T01:45:36+02:00 xyz.ddns.net opnsense 64671 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T02:14:25+02:00 xyz.ddns.net opnsense 63640 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T02:44:04+02:00 xyz.ddns.net opnsense 22639 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T03:12:09+02:00 xyz.ddns.net opnsense 85320 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T03:40:11+02:00 xyz.ddns.net opnsense 22974 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T04:10:11+02:00 xyz.ddns.net opnsense 1829 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T04:38:55+02:00 xyz.ddns.net opnsense 90592 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T05:06:43+02:00 xyz.ddns.net opnsense 11486 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T05:36:44+02:00 xyz.ddns.net opnsense 22493 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T06:06:45+02:00 xyz.ddns.net opnsense 9184 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T06:36:44+02:00 xyz.ddns.net opnsense 33091 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T07:06:45+02:00 xyz.ddns.net opnsense 87989 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T07:36:03+02:00 xyz.ddns.net opnsense 76252 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T08:04:28+02:00 xyz.ddns.net opnsense 76523 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T08:33:24+02:00 xyz.ddns.net opnsense 58550 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T09:03:24+02:00 xyz.ddns.net opnsense 35992 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T09:33:18+02:00 xyz.ddns.net opnsense 96828 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T10:03:19+02:00 xyz.ddns.net opnsense 38573 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T10:32:38+02:00 xyz.ddns.net opnsense 83571 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T11:02:39+02:00 xyz.ddns.net opnsense 34587 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T11:32:38+02:00 xyz.ddns.net opnsense 4381 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T12:01:54+02:00 xyz.ddns.net opnsense 66697 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T12:31:55+02:00 xyz.ddns.net opnsense 6420 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T13:01:54+02:00 xyz.ddns.net opnsense 60180 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T13:31:55+02:00 xyz.ddns.net opnsense 24014 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
<11>1 2022-08-01T14:01:54+02:00 xyz.ddns.net opnsense 91467 - [meta sequenceId="3"] /usr/local/etc/rc.newwanip: On (IP address: 83.x.y.z) (interface: WAN[wan]) (real interface: igb0).
#13
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
July 31, 2022, 04:26:00 PM #14
22.7 Legacy Series / Re: Unbound Restarting every 2 hours after upgrade to 22.7
July 31, 2022, 11:11:35 AM
In my case Unbound restart with a 30 min intervall. Wan uses DHCP on IPv4.
#15
General Discussion / Re: Unbound fails to start on boot
February 25, 2022, 09:20:57 AM
Does the Unbound 1.15.0 change log offer any new insights on the matter?
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
miroco
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
miroco
