Topics - Heathy65

#1
I want to configure monit to alert (email) me when the unbound service restarts.

I have configured monit (via the GUI) and have this resultant configuration (shown from the CLI):

check file resolver.log with path "/var/log/resolver.log"
   if match "info: start of service (unbound" then alert


However I don't think I'm looking at the correct log file.

When I look via the GUI (via Services: Unbound DNS: Log File), these are examples of the entries in the unbound log file:

2021-07-18T14:30:15 unbound[34317] [34317:0] info: start of service (unbound 1.13.1).
2021-07-18T14:28:46 unbound[88879] [88879:0] info: service stopped (unbound 1.13.1).


When I look in resolver.log I don't see those entries.  I've looked around at other log files and can't find that information anywhere.  Any guidance appreciated.
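As an added illustration (not from the original post), the following Python check applies the rule's pattern to unbound log lines in the format quoted above and reports each "start of service" event with its timestamp and PID. The sample lines, including the filler "notice" line, are constructed; one thing it also shows is that the "(" in the pattern has to be escaped, because the pattern is a regular expression (monit's "if match" takes a regex too).

```python
import re

# Constructed sample log, modelled on the two entries quoted in the post above
# (the "notice" line is filler to show that non-matching lines are ignored).
SAMPLE_LOG = """\
2021-07-18T14:28:46 unbound[88879] [88879:0] info: service stopped (unbound 1.13.1).
2021-07-18T14:30:15 unbound[34317] [34317:0] info: start of service (unbound 1.13.1).
2021-07-18T14:30:15 unbound[34317] [34317:0] notice: init module 0: validator
2021-07-18T15:02:03 unbound[34317] [34317:0] info: service stopped (unbound 1.13.1).
2021-07-18T15:02:05 unbound[40111] [40111:0] info: start of service (unbound 1.13.1).
"""

# One unbound log line: timestamp, "unbound[pid] [pid:thread]", level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) unbound\[(?P<pid>\d+)\] \[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$"
)

# The condition from the monit rule. The "(" is escaped because this is a regex;
# an unescaped "(" opens a group and leaves the pattern unterminated.
START_PATTERN = r"info: start of service \(unbound (?P<version>[\d.]+)\)"


def pattern_compiles(pattern: str) -> bool:
    """True if the pattern is a valid regex (an unescaped '(' is not)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def service_starts(log_text: str) -> list:
    """Return one record per 'start of service' line, i.e. each time the rule would alert."""
    start_re = re.compile(START_PATTERN)
    events = []
    for line in log_text.splitlines():
        fields = LINE_RE.match(line)
        if not fields:
            continue  # not an unbound log line at all
        hit = start_re.search(line)  # match against the whole line, as monit does
        if hit:
            events.append({"ts": fields.group("ts"), "pid": int(fields.group("pid")),
                           "version": hit.group("version")})
    return events


if __name__ == "__main__":
    for ev in service_starts(SAMPLE_LOG):
        print(f"unbound started at {ev['ts']} (pid {ev['pid']}, version {ev['version']})")
```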



#2
21.1 Legacy Series / Dual WAN issues
July 18, 2021, 10:08:32 AM
I have OPNSense running on a Pico PC (Intel® E3845 4xLAN) and it's been rock-solid for months with one very big notable exception.  This is relating to my dual WAN setup.  I have 2 x VDSL circuits (both providing c.20Mbps downstream); both of these services are using the providers' original routers and these two units are connected upstream to 2 x Ethernet interfaces on my OPNsense.

When I have a single gateway in OPNsense enabled (either WAN1 or WAN2 doesn't matter), everything is rock solid.  However if I configure any load-balancing then things seem to get unpredictable and unreliable, i.e. loss of Internet connectivity.  I've even had some issues when I have OPNSense configured for just failover.

I even resorted to using each of the single broadband connections from their local subnet as a test (so no OPNsense) and both circuits are stable, no errors and long up times.

In OPNsense, I've double checked my configuration but I'm thinking I must have done something stupid...

My gut feel is it's something to do with the "Monitor IP" configuration on the gateways.  In that regard I have tried using different IPs for the monitoring (I originally used 8.8.8.8 & 8.8.4.4).  I even tried disabling this yesterday and that didn't seem to help.

I have even changed my downstream WAN2 router to be in bridge mode (thus eliminating the WAN2 router) so now I have OPNsense configured for PPPoE.  In this configuration the gateway is showing Down in OPNSense but it is actually up and working.

Any thoughts/guidance appreciated.
#3
I have OPNsense running as my main router in my SOHO with clients on a directly connected LAN.  Downstream from the OPNsense router there are two Ethernet WAN connections.  These are each connected to VDSL routers (via 2 separate private networks), so I have double NAT.

Currently I do not have any load balancing enabled so all outbound (Internet) traffic is using a single WAN connection.

All is good with a single exception.  I have a work PC which has a Cisco AnyConnect client which is used to establish a VPN towards an external destination.  This VPN client always prompts for the credentials but rarely establishes a connection.  I would say that 1 connection in 10 is successful, if that.

If I connect from one of the private networks 'behind' the OPNsense router then I have no such issue, so I assume it's something within the OPNsense configuration which is causing the issue.

Thoughts appreciated.
#4
I've been fault finding ntp (running as a service on OPNsense).  I thought I would use the Live View feature in the Firewall settings to diagnose.  However I am not seeing any ntp traffic in relation to the traffic I am generating towards OPNsense (using w32tm or Angry IP Scanner).  If I use the latter and scan for ports 80, 443 & 123 I do see the 80/443 in the Live View but nothing relating to the 123.

I assume I'm missing something obvious.  Any thoughts appreciated.
#5
20.7 Legacy Series / Crash on first boot
December 22, 2020, 09:10:02 PM
I have a brand new PICO PC (MNHO-073) with 2G RAM (soon to be upgraded to 4GB) and a 120GB SSD.  I have downloaded 20.7 and used Rufus to write it to a USB memory stick.  When I turn the solution on it boots fine, getting to the normal/initial dialogue.  However it crashes soon after, consistently (in the same place).  Once crashed it's completely dead (caps lock on/off not responding).  After a power cycle the same happens.

See attached for the output prior to the crash.  Any thoughts appreciated.

Thanks in advance.
#6
I have previously used OPNsense in a home setting on a PC Engines board and am looking for recommendations, hardware-wise, this time around.  FYI, I moved from OPNsense to Mikrotik then to a Unifi USG, the latter simply because it matched my LAN/APs, all of them being UniFi too.  Bottom line, the USG is all very pretty (fancy look in the controller GUI) but limited in actual functionality, IMO.

So my use case for OPNsense is a SOHO setting with 2 x VDSL WAN connections (Ethernet connectivity to upstream routers).  I expect to be using a wide range of features and functions of OPNsense including inbound client VPN, IPS, Captive Portal, Proxy, monit etc.

Are the APU2E4/APU4D4 devices still fit for purpose and a good fit (and good value)?  I want something which is small and fanless.  I've seen mention of alternative Intel based boards and am wondering if I should go down that route.  For example, this Jetway JNF692G6-420 or the many Celeron/Atom units on eBay (if you search for "pfsense Intel").

Thanks in advance.
#7
17.7 Legacy Series / Issue with System:Gateways:Group GUI
December 18, 2017, 12:05:56 PM
I have a strange issue with the System:Gateways:Group web GUI.

All was fine until I decided to reconfigure the groups (since I was changing a PPPoE WAN connection to Ethernet).

Now, whilst I can see the gateways in each group in one view, if I edit any of the groups I can see the members.

Newly created ones seem to be ok.

I'm running OPNsense 17.7.10 FreeBSD 11.0-RELEASE-p17 OpenSSL 1.0.2n 7 Dec 2017
#8
17.7 Legacy Series / DNS Forwarder / Resolver Query
November 06, 2017, 10:27:15 PM
I have a gap in my understanding in relation to DNS on OPNsense...

I'm using Dnsmasq with DNS Forwarder enabled.  As I understand it (because I have set the OPNsense DHCP DNS server to be my OPNsense IP address) this will mean that my clients using DHCP will use OPNsense to resolve and it in turn will use the addresses in System/Settings/General?

All the above is fine to me, but what I'd like to understand is: if I have a static (non-DHCP) client and I set it to use some other public DNS server, will that be honoured, or does OPNsense "catch" the UDP/53 request and rewrite it to use the forwarder?  Assuming this is not the case, how could I configure this?

Also, a separate question, when using DHCP if I set a different DNS server for a specific lease will that override the default configuration?

Thanks in advance.
#9
I have OpenVPN on OPNsense installed and working with the Redirect Gateway option enabled in the server so all traffic from my clients (iPhone & Mac) is routed via the VPN connection.  This is what I want when I'm connected to public Wi-Fi services etc.  However I have another use case when I just want specific traffic to route via the VPN and other "Internet" traffic not to do this.

Is there any way to set this from the client side (I'm using the OpenVPN client on my iPhone & Viscosity on my Mac)?  I'm sure I could achieve this "manually" on Mac by manipulating the routing table but not on the iPhone?

One messy/alternative solution I thought of is having two OpenVPN servers configured on OPNsense, one configured each way.
#10
I've used this guide (https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html) to set up OpenVPN road warrior on my OPNsense router which is connected to the internet via a vDSL modem.

Having followed the guide, I can't get it working (I've even deleted everything and started again a couple of times too).

This is the error I'm getting, well it's the thing I spotted in the VPN logs that looks like an error to me!

Oct 30 06:45:59   openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS handshake failed
Oct 30 06:45:59   openvpn[50808]: 82.132.230.13:44960 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

The WAN interface on my OPNsense is a public address and I'm using dynamic DNS.

Any thoughts appreciated.
#11
17.7 Legacy Series / SkyQ
October 29, 2017, 06:54:35 PM
I have SkyQ in the UK and have a strange issue ever since changing my router to OPNsense.  The SkyQ box is working fine at a basic level, i.e. I'm able to watch TV and also download some content so I know that the basic IP/Internet connectivity is fine.  Even the self-test on the SkyQ box works fine.

However when I try to look at services like Sky Store I get this helpful message:

"To enjoy this service we must have an active connection to your internet."

But I definitely do have an internet connection from the SkyQ box.

I'm wondering if it's something like a DNS issue (I have the OPNsense box handling DNS along with OpenDNS).

I'm going to put a Wireshark trace on the SkyQ box to see what it's trying to do and failing at, but just wondered if anyone else has had this.