Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Topics - Curly060

Pages1
#1
22.7 Legacy Series / Wireguard autostart
September 06, 2022, 10:26:09 PM
Hi!

I am having trouble to get Wireguard auto started in the following scenarios:
- at boot
- WAN changes from offline => online (e.g. PPPoE finally connects)

So pretty much the same like in https://forum.opnsense.org/index.php?topic=18956.0

However, I did not like the proposed solutions of this thread (late rc hook/static unbound mapping) because they are just awkward workarounds and actually do not help in my case at all (endpoints have dynamic IP addresses).

The last post in this thread states that the Wireguard implementation of OPNsense does not use the newannip event listener. I wondered why and simply created a patch to support just that and applied it via
Code Select
opnsense-patch -a Curly060 -c plugins -r opnsense-plugins -V d97ec27df00 and voila:
Wireguard comes up after a reboot and whenever the WAN ip changes! Perfect!

Now the question is: Is it really that simple? If so, why isn't this implemented yet? ;)
Are there any drawbacks from this solution that I am not aware of?

For my purposes it looks like a robust and reliable solution to get Wireguard started.


Cheers, Curly060 =;->
#2
17.7 Legacy Series / dnsmasq: cannot resolve external hosts
August 11, 2017, 12:48:19 AM
Hi,

first of all thanks a lot for the new release. Everything works like a charm, except DNS resolving of external hosts. I am using dnsmasq DNS. My settings are as follows:

  • System: Settings: General: no manual DNS server entries
  • System: Settings: General:  [X] Allow DNS server list to be overridden by DHCP/PPP on WAN

Now I make a query to an external host:
Code Select
ingo@router:~ % drill google.de
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 36706
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.de. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Aug 11 00:35:47 2017
;; MSG SIZE  rcvd: 27


Why am I getting rcode: REFUSED?

For hosts in the LAN everything works as expected.

If I manually add DNS servers in "System: Settings: General" then it also works, however, I did not have to do this in the 17.1 version.

Any suggestions (apart from switching to Unbound which currently is not yet an option for me).

Cheers, Ingo =;->
#3
16.7 Legacy Series / Firewall Alias for adblocking
January 24, 2017, 04:43:25 PM
Hi,

I migrated from OpenWRT to OPNSense in the past couple of weeks and can't believe that all these years I wasn't aware of pfSense/OPNSense! I am very happy with pretty much everything, except for the adblocking situation (and perhaps the google rank situation  ;)).

What I would really like to see is DNS based adblocking. I have searched the forum, but the resolution always seems to be transparent proxy (really not an option for me) or some firewall rule with a set of IPs (alias). The latter I am trying to implement:
So I have created a very big list of IP addresses and Domains from various sources (PI-Hole, OpenWRT adblock plugin etc.). The list contains about 120000 entries. Then I created an alias like this:

  • Name: Adblock
  • Type: URL Table (IPs)
  • URL: URL to my list (not public)

Now I do have some questions about this:

  • Is it ok to have a mixture of IPs and domain names in my list? I would say yes, OPNSense seems to resolve domains in the background and creates a text file in /var/db/aliastables/Adblock.txt which contains only IPs.
  • Is there a limit as to how many IPs I can have for an alias?
  • What is a healthy amount of IPs inside an alias? Would it be
  • When I look in /var/db/aliastables/Adblock.txt file I notice a lot of duplicate IPs. Should this maybe optimized or does it not matter?
  • What is OPNSense's strategy when the file changes? Will it only look at differences or parse the file fully each time?
  • My Alias does not show up under Firewall: Diagnostics: pfTables. However, if I create the alias with a non capital first letter, then it will appear there. Bug?
  • Firewall: Diagnostics: pfTables tells me that there are no entries in my alias. However, when I make my list smaller, suddenly it will show the IP addresses. I have experimented a little: 5000 entries were fine, 10000 already not. So it looks there is indeed a limit somewhere.
  • Are there any plans to integrate DNS based adblocking? Sure I can set up a Pi next to my OPNSense with PI-Hole on it, but I'd prefer the all-in-one solution. Would the DNS based adblocking not be far, far more efficient? I mean, only when a resource is actually requested, the DNS resolver would have to check against the black list (might be costly, but can be cached). As firewall rule with, say 5000 entries, this needs to be checked for pretty much every packet, no? Transparent proxy adblock is IMHO far too complex (CA certificate on every client, maintaing no-ssl-bump list,...)

Sorry for the sheer volume of the questions, I hope someone takes time to answer them. I have been googling a lot (which is painful because google always returns results for pfSense. OPNSense must get more popular to drive pfSense off the first ranks ;)) and the forum has only like 2-3 posts about adblocking...


Cheers, Curly060 =;->
Pages1