Topics

1

20.1 Production Series / Unbound Plus Plugin and DoT hostname validation?

« on: May 08, 2020, 06:11:18 am »

I had a question for @mimugmail or anyone else that may know how the Unbound Plus plugin is doing hostname validation for DoT implementations?

Currently, I'm using regular Unbound with the following entries in the Advanced section:

Code: [Select]

# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 1.0.0.1@853#1dot1dot1dot1.cloudflare-dns.com
I would like to convert to using Unbound Plus plugin and input my DoT servers there. However, it does not appear to use the hostname for validation? Only the IP and Port?

2

19.7 Legacy Series / Python 3.7 using max memory and filling disk space

« on: December 14, 2019, 05:31:27 pm »

I noticed this morning that Python 3.7 seems to be maxing out my memory and is filling up the disk space on my SSD. I have not made any config changes to the firewall for the last week, the last config change that I made a week ago was to change the firewall optimization from "standard" to "aggressive". The firewall has been very stable for weeks without rebooting until today. It is currently passing traffic for now.

Is there a reason why Python 3.7 would fill the disk like this? This seems like a major problem in how it is functioning.

Firewall specs are as follows:
Intel J3455 (bare metal install)
16GB RAM
120GB SSD
Dual Broadcom NICs
OPNsense 19.7.7-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019

Below are the screenshots showing the problem.

3

19.7 Legacy Series / upgraded from 19.1.10 to 19.7r1, NetFlow data is not working

« on: July 11, 2019, 02:34:52 pm »

Upgraded from 19.1.10 to 19.7r1. NetFlow data is no longer working. I have tried resetting NetFlow and also repairing it.

The interface totals graph continues to work and I can see activity. However the lower graph for port usage and sources is blank and does not populate connection information.

Screenshot is attached to show the issue.

4

19.1 Legacy Series / OPNsense 19.1.x and DNSoverTLS with Hostname Verification

« on: June 15, 2019, 06:16:49 pm »

Greetings OPNsense users. I had previously opened a thread last spring when DNS over TLS was first available through CloudFlare and Quad9. This thread is available here and discussed some initial configurations that we could use to enable DNS over TLS with the version of OPNsense that was currently available back then. OldThread: https://forum.opnsense.org/index.php?topic=7811.0

Today I'd like to post this as more of a Howto for the current version (19.1.9) of OPNsense on x86-64. There are some additional features that we can use to ensure better security while using DNS over TLS.

This example shows Quad9 and also shows the hostname verification for those DNS servers. We also have to tell Unbound to use the TLS cert bundle to verify that the hostname matches the certificate.
The following text can be copy/pasted in to your Custom unbound options:

Code: [Select]

# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#quad9.net
forward-addr: 149.112.112.112@853#quad9.net   
Another item I have noticed is that if we are going to use Unbound in forwarding mode (using the code above puts Unbound in forwarding mode), you DO NOT need to enable DNSSEC with CloudFlare or Quad9. They already do DNSSEC verification on their results and if we configure Unbound to forward through those services, we do not need to do extra work to create more DNSSEC traffic on DNS entries that are already receiving DNSSEC from our forwarding location. We can verify that DNSSEC continues to work here: http://www.dnssec-or-not.org/

Below is also an example for CloudFlare, if you prefer to us them as well. I have tested both of these configurations and they work very well with OPNsense 19.1.9 x86-64. If using the CloudFlare code below, you can also test that it is working by visiting this link after applying the code: https://1.1.1.1/help

Code: [Select]

# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 1.0.0.1@853#1dot1dot1dot1.cloudflare-dns.com
Finally, I have attached some screenshots to show further optimizations that I have done within Unbound General and Unbound Advanced configuration pages. The Advanced settings further tune Unbound to enable better caching response (serve expired), and to also enable better privacy. If you like, you can also set your Unbound Advanced to the same settings as shown in these screenshots and you should see snappier performance as a result of Unbound doing better caching.

Also ensure that when using forwarding mode, the System DNS is blank. Navigate to System/Settings/General, if any DNS servers are specified there they should be removed. Then, ensure that "allow DHCP override on WAN" is also unchecked. This will make the router use the local Unbound service with our chosen settings to forward DNS over TLS.

As always, would love to see if other folks are also seeing positive results with these settings or if there are even better options that we can use, please post them here!

5

18.1 Legacy Series / "Routes" logfile getting filled with strange data

« on: May 10, 2018, 03:20:08 am »

Hello, I'm here to see if any other users are also seeing similar activity. I'm using OPNsense X64 OpenSSL 18.1.7_1 with an IPV6 prefix being assigned through my WAN (using Track Interface for LAN DHCP6). I have not previously checked logs on prior versions of OPNsense, and I have not made any configuration changes for months. So I don't suspect a change on my end.

If I check System/Routes/Log File, I see the following data:

Code: [Select]

May 9 20:08:52 rtsold[22044]: <rtsol_check_timer> there is no timer
May 9 20:08:52 rtsold[22044]: <rtsock_input> rtmsg type 1, len=240
May 9 20:08:49 rtsold[22044]: <rtsol_check_timer> there is no timer
May 9 20:08:49 rtsold[22044]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb3)
May 9 20:08:43 rtsold[22044]: <rtsol_check_timer> there is no timer
May 9 20:08:43 rtsold[22044]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb3)
May 9 20:08:43 rtsold[22044]: <rtsol_check_timer> there is no timer
May 9 20:08:43 rtsold[22044]: <make_rsid> rsid = [igb0:slaac]
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 4
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 3
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x6082a0
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 4
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 3
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x608280
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 4
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 3
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x608260
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 4
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 3
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x608240
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 1
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 5
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x608238
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_len = 1
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo->nd_opt_type = 1
May 9 20:08:43 rtsold[22044]: <rtsol_input> ndo = 0x608230
May 9 20:08:43 rtsold[22044]: <rtsol_input> Processing RA
May 9 20:08:43 rtsold[22044]: <rtsol_input> received RA from fe80::217:10ff:fe8b:9403 on igb0, state is 0
May 9 20:08:43 rtsold[22044]: <rtsol_check_timer> there is no timer
May 9 20:08:43 rtsold[22044]: <rtsock_input> rtmsg type 1, len=240
May 9 20:08:35 rtsold[22044]: <rtsol_check_timer> there is no timer
This data literally fills the log file, it's constantly updating. Is this a normal or intended function? Most of these messages seem related to Router Advertisements as a function of IPV6 but, I'm not sure if this is common or not? I'm hoping to get input from some other users here to see if they are seeing similar data in their logfile.

6

18.1 Legacy Series / ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 04, 2018, 12:54:02 am »

Call out for testing DNS over TLS with the new Quad9 and Cloudflare DNS servers that have been discussed recently. I wanted to see if we could get the default Unbound instance in OPNsense to use these new DNS encrypted and privacy oriented DNS providers.

I’m currently using these and this appears to be working because I can see all of the outbound queries in the pfTop view on OPNsense. I see outbound DNS queries on port 853 going to the addresses that I have specified in the custom options. Internal LAN queries come in over port 53 as per usual but outbound queries to the WAN now happen on Port 853 to the DNS TLS providers listed below.

Here are the settings I have configured to get Unbound to send DNS over TLS to Quad9 and Cloudflare.

OPNsense x86_64 18.1.5
UnboundDNS/General

Code: [Select]

Enable DNS resolver (checked)

Code: [Select]

Enable DNSSEC support (checked)

Code: [Select]

Enable Forwarding mode (UNCHECKED, had to do this to get these to work)
Paste these values in to the custom options field. Save/Apply settings.
Custom Options:

Code: [Select]

ssl-upstream: yes
forward-zone:
name: "."
forward-addr: 9.9.9.9@853 #Quad9 ip4
forward-addr: 149.112.112.112@853 #Quad9 ip4
forward-addr: 2620:fe::fe@853 #Quad9 ip6
forward-addr: 1.1.1.1@853 #Cloudflare ip4
forward-addr: 1.0.0.1@853 #Cloudflare ip4
forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6
You should now have DNS queries going to Port 853 using TLS to the addresses specified in the custom options field. Obviously, if you aren’t using ipv6, you can omit some of the addresses. If you only want to use Quad9 or Cloudflare, you can omit whichever provider you don’t want to use.
I’d love to have other folks try this out and report their findings.

As far as I can tell this seems to be working very well and it was quite easy to configure. However, I don't consider myself an "advanced" user and I would like to see feedback from others here just to ensure that this is a good setup to use going forward.

7

17.7 Legacy Series / issue with disk corruption after power loss/FlowD not starting

« on: January 17, 2018, 08:58:50 pm »

Greetings, unfortunately an extended power loss caused my UPS battery to fully drain and my OPNsense box lost power as a result. The OPNsense box boots up fine after the outage however, I noticed that the NetFlow/Insight graphing feature is no longer working.

I checked the logs and noticed this error:

Code: [Select]

Jan 17 11:34:07 flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run aggregate_flowd(do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 79, in aggregate_flowd stream_agg_object.add(flow_record_cpy) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 70, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 260, in add self._update_cur.execute(self._insert_stmt, flow) DatabaseError: database disk image is malformed
Jan 17 11:31:08 configd.py: [fe7f64c6-c9d4-4c36-b09b-e086ab0df1c1] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:31:06 configd.py: [1d50babb-6223-4bc8-a773-971ae9d3a83e] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:30:48 configd.py: [cbd6107d-581c-4bee-9635-ca0ac8756cb0] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:13:09 configd.py: [05bd1a67-c19b-44a7-bea4-85cb83f2064f] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:12:59 configd.py: [a58562cc-04a9-444a-b5cb-0aff086f3b3c] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:12:56 configd.py: [3ce79efa-f2be-4fa6-ba24-7d129adda701] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:12:53 configd.py: [196a3b94-54d7-403a-a91b-541b0b55a882] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:12:51 configd.py: [945799ac-c0d0-4ba3-9ea9-9915654bcc32] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:12:48 configd.py: [11080cc3-73aa-488b-aa4a-35370304ba3c] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:11:53 configd.py: [dd158559-3de8-419c-a2ab-7ab6348d8ad8] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 11:11:27 pkg: flowd reinstalled: 0.9.1_3 -> 0.9.1_3
I have tried re-installing the the FlowD package but this does not fix the issue.

If I click on NetFlow and then click on "Apply" in an attempt to reset NetFlow, I see the following log output:

Code: [Select]

Jan 17 13:56:42 flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run aggregate_flowd(do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 79, in aggregate_flowd stream_agg_object.add(flow_record_cpy) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 70, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 260, in add self._update_cur.execute(self._insert_stmt, flow) DatabaseError: database disk image is malformed
Jan 17 13:56:40 configd.py: [263dcf1e-5cc6-47f5-b017-eae4161ad501] request netflow data aggregator top usage for FlowInterfaceTotals
Jan 17 13:56:40 configd.py: [ab58cec3-e55c-41f0-b84c-9f0f30b28be7] request netflow data aggregator metadata
Jan 17 13:56:40 configd.py: [3691858b-b78f-4673-b964-7d9aba0a150f] request netflow data aggregator top usage for FlowDstPortTotals
Jan 17 13:56:40 configd.py: [a555a9e0-31ba-4378-8b2f-4ea3fddaf771] request netflow data aggregator top usage for FlowInterfaceTotals
Jan 17 13:56:40 configd.py: [5300170f-445a-45be-804e-66d765d297fa] request netflow data aggregator top usage for FlowSourceAddrTotals
Jan 17 13:56:40 configd.py: [1f3cc143-1c76-404f-9bf6-5021ef6a211c] request netflow data aggregator timeseries for FlowInterfaceTotals
Jan 17 13:56:36 configd.py: [9fd5aec5-5f19-477a-bcb6-b2df58b6034a] restart netflow data aggregator
Jan 17 13:56:36 configd.py: [42b348f2-e423-4bfc-9d23-7133f065c5ce] request status of netflow collector
Jan 17 13:56:34 configd.py: [c1c38d21-f5d0-4553-9d9e-fa82e5d6bd17] start netflow
Jan 17 13:56:34 configd.py: [cb188c53-dec4-4fa6-a181-235c1a7b52bf] stop netflow
What else can I check or reinstall to get NetFlow working again? This is on OPNsense 17.7.11.

8

17.7 Legacy Series / Possible bug with Reporting graphs

« on: October 15, 2017, 06:05:54 am »

Greetings, I have a strange issue with 17.7.5 AMD64 and the Reporting graphs. I have performed a fresh install of 17.7 and have not restored any configs or previous RRD graphs.

What I am noticing is that the long term graphing resolution does not appear to be working correctly. For instance, if I select the last 6 days of usage data, I can only see 1 hour granular details in both of the Low and Medium options. If I select the "high" option, no detailed data is displayed and the graph appears to revert to a very low resolution.

I've included screenshots to show examples of what I am seeing. Is anyone else able to duplicate this? I have tried using the option to reset "Reset RRD Data" in the Reporting Settings and I waited a few days for graph data to rebuild. Unfortunately this didn't resolve the issue.

9

17.1 Legacy Series / Disable HDD power management in OPNsense

« on: April 26, 2017, 07:23:31 pm »

Greetings, another thread was posted about a Seagate hard drive that was constantly making a clicking noise when using OPNsense. I also experienced a similar problem with my OPNsense installation, I am using a laptop HDD by Western Digital. I previously did not have an issue with this same hardware when running pfSense.

What I discovered was that the HDD was constantly loading/unloading the head. Watching the SMART statistics on the HDD, I could see the load cycle count increase several hundred times in just a few minutes! This caused a massive amount of load/unload cycles on this disk.

Code: [Select]

193 Load_Cycle_Count        0x0032   111   111   000    Old_age   Always       -       267890
I was able to stop this activity by issuing the following command to disable APM within OPNsense:

Code: [Select]

camcontrol cmd ada0 -a "EF 85 00 00 00 00 00 00 00 00 00 00" - disables APM
I have rebooted the router since issuing this command and APM is still showing disabled. Hopefully this will help other people that may have a similar issue with extreme load/unload cycles on some HDDs. I had to SSH in to the OPNsense firewall and run these commands at the console. Is it possible to have an option to configure this in the GUI?

10

17.1 Legacy Series / [SOLVED] unbound-control error in OPNsense 17.1.4

« on: April 22, 2017, 11:28:23 pm »

I am encountering what looks to be a "bug" of some sort after updating to OPNsense 17.1.4.

When I SSH to OPNsense and I run "unbound-control stats_noreset", I get the following error:

Code: [Select]

/var/unbound/unbound.conf:28: error: unknown keyword 'serve-expired'
/var/unbound/unbound.conf:28: error: stray ':'
/var/unbound/unbound.conf:28: error: unknown keyword 'no'
read /var/unbound/unbound.conf failed: 3 errors in configuration file
[1492895555] unbound-control[90280:0] fatal error: could not read config file
Line 28 corresponds to a new "serve expired" checkbox that became available for me after installing 17.1.4. I've taken a screenshot of the corresponding checkbox that is also causing the config file error.

Is anyone else able to re-produce this on OPNsense 17.1.4?

11

17.1 Legacy Series / guide to using fq_codel on 17.1

« on: February 28, 2017, 07:44:57 pm »

Hello and first post for me! Love the software and great work by this community on OPNsense! I was excited to see that fq_codel is available in 17.1 however, I can't figure out how to get this working.

Is there a guide available or a walkthrough on how to use fq_codel in OPNsense?