Topics

1

23.1 Legacy Series / block incoming wan on dest IP and allow domain names

« on: June 11, 2023, 01:52:07 pm »

I have a fixed external IP, I own a domain name and I have setup several services I run from home, almost all of them behind an nginx reverse proxy with SNI setup based on sub domains.

My current port forwarding rules are set to destination WAN address, port 80/443 with a forward to nginx.

It gets hammered, obviously and nginx stops it, so no real issues. I could possibly setup fail2ban as well but I was wondering if I could setup opnsense to stop direct hits on IP address only? Same way nginx identifies fqdn's via SNI could opnsense possibly do the same and stop it if the destination domain is not allowed?

Thanks!

2

23.1 Legacy Series / unbound deleting custom-options.conf

« on: May 18, 2023, 09:56:21 am »

I need to add the following to unbound config:

Code: [Select]

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.2.3.4#bla.dns.nextdns.io
  forward-addr: 1234:1234::#bla.dns.nextdns.io
  forward-addr: 1.2.3.5#bla.dns.nextdns.io
  forward-addr: 1234:1235::#bla.dns.nextdns.io

I tried to create the file /var/unbound/etc/custom-config.conf and add the above, but the file gets deleted.
I tried to add it to /var/unbound/unbound.conf, and that config gets removed.

How do I add the above, which file do I edit or create?

I did find this:
https://forum.opnsense.org/index.php?topic=13978.0

But the custom box (as found in previous versions and in pfsense) is nowhere to be found.

Thanks

3

23.1 Legacy Series / Help with rollback

« on: May 12, 2023, 09:11:52 pm »

Ive seen and read https://docs.opnsense.org/manual/opnsense_tools.html

I understand which tool does what, but I need to revert all updates I received this morning and go back to last night state.

If this is possible, can someone please help me out?

4

23.1 Legacy Series / 23.1.7_3 dhcp seems to no longer hand out dns and search domains

« on: May 12, 2023, 01:39:50 pm »

OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Since the updates I installed this morning, clients that renew no longer receive settings other than an IP address, subnet mask and default gateway. No DNS servers or search domains seem to get passed on to clients.

I've noticed this behavior on mobile phones, macos clients, linux clients and windows.

I've seen some other issues recently mentioned on the forums, about dynamic dns, unbound restarting.

Perhaps we can add this to the pile of issues .

if theres a quick fix I'd love to hear it, for now Im setting DNS manually.

Thanks.

5

22.7 Legacy Series / igmpproxy stops due to interface link down

« on: November 29, 2022, 07:56:39 am »

I am running opnsense on dedicated hardware with 4 intel nics. 2 are for wan/lan and 1 is used for an iptv settop box. All AV hardware in the livingroom is powered off (standby killer), and with that, the stb which brings down the link on the firewall. When that link goes down, igmpproxy stops as well as that subnet is a configured downstream. Igmpproxy does not start when the link comes back up, so every time I need to manually start igmpproxy.

For now, I have taken the stb out of the group that powers off so it stays on standby.

I am looking for a solution that allows me to power off the stb and brings igmpproxy back up when the link comes back up.

- is it possible to configure actions on link activation? Like in an ifup script or something?
- is there a watchdog service to monitor crashed/stopped services and bring them back up?
- Is monit cabable of monitoring a network link, and start igmpproxy when a link comes alive? It looks like it but I couldnt figure it out?

Im not sure if one the above is possible, if there are other/better ways I'm all ears.

Thanks!

6

22.7 Legacy Series / unbound bind to localhost

« on: November 26, 2022, 12:55:30 pm »

Hi, I am moving my pfsense over to OPNsense.

I am using another primary DNS service, which listens on LAN on 53 and forwards internal domain queries to 127.0.0.1:5353.

I can configure unbound on 5353, but I can only select my LAN or WAN interfaces, I cannot select (as with pfsense) localhost. Screenshot should make clear what I mean. pfsense then does not listen on other interfaces.

In OPNsense, when I select LAN, it listens on both the LAN and localhost, but I would really prefer it does not listen on LAN as well.

Any chance I can set this the same in OPNsense?

Thanks!

7

General Discussion / troubleshooting dhcpv6

« on: February 20, 2022, 12:35:27 pm »

Hello everyone,

I read https://forum.opnsense.org/index.php?topic=7149.0 and the links it refers to. My situation is a little different. Ive setup dhcpv6 on pfsense before but then it pfsense was the router and firewall as well.

My router is a Unifi UDM pro. I don't like how it does dhcp/dns so I disabled that. Its WAN interface has a provider ipv6 address in a /56. Lets say its ipv6 address is 2001:abcd:1234:0:0443:7e37:7caa:4acb.

I have opnsense running in a vm with a single interface, firewall is disabled and I am only using LAN with DHCP, DHCPv6, Unbound and NTP server.

I configured the LAN interface with a fixed ipv6 in a /64 within the /56 of the WAN interface.
Let's say its 2001:abcd:1234:1:192:168:1:1

I configured DHCPv6, enabled it and it picks up the subnet /64 and shows the correct available range. I configured the range as:
2001:abcd:1234:1:192:168:1:ff - 2001:abcd:1234:1:192:168:1:ffff

Prefix delegation range is empty, delegation size is 64.
I entered a DNS server, NTP server with ipv6 addresses. The rest is default.

For router advertisement I chose:
RA: Assisted
Prio: High
Source address: auto
advertise: enabled
DNS servers: 1 address
The rest is default.

The problem is, my clients get an ipv6 address, but its outside the range of what I configured. Opnsense never shows a lease and the logs are empty. I suspect its getting an address from my ISP via the router WAN interface, but I don't have logging to confirm that.

On the UDM, there is no DHCP running, no ra daemon.

Im not sure whats happening, I can ping the router and opnsense on v6  but how do I get it to use opnsense dhcpv6?

Thanks for the help!