Topics - dwasifar

#1
Used to be, if you were setting up an alias for a Dnsmasq host entry, it was entered in a Hosts line of its own.  At some point recently, an update changed that behavior, and now you set up host override aliases in an edit field for the main entry being aliased.

So far so good, except when the transition to the new format happened, it doubled all the alias hostnames.  So for example, what was previously an alias cloudservices.roku.com wound up being cloudservices.roku.com.cloudservices.roku.com.  This broke all my aliases, and because they're now hidden in the edit popup and not visible in the main Hosts list anymore, it took me a while to track it down.

Is this a known issue?
#2
I have two networks defined in the UniFi controller, one for the main subnet and another for a VLAN subnet (to isolate IOT devices).

After the 24.7.1 upgrade, nothing on either wi-fi network can reach the internet.  Wired connections are fine.

I can't spare the network downtime to troubleshoot it right now, so I reverted to 24.7 and reloaded the same configuration, and everything works again.  If anyone has any thoughts, it'd be welcome for when I can look at it. 
#3
First I manually set up one Kea reservation to serve as an example. Then I saved my config, and in a text editor I copied all the old <static> blocks and used find and replace to update their xml tags to Kea values. I deleted <cid> tags, and server tags <dnsserver/>, <winserver/>, and <ntpserver/>.

Each Kea reservation has its own uuid, so for each reservation I incremented the example value by 1, figuring it didn't matter if they were consecutive as long as they were unique. I added the subnet tag to each with cut and paste, saved all the reservation blocks into the Kea section of the config, and loaded the config back into OPNsense.

Worked perfectly and saved me a lot of setup time.
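The conversion described in the post above, done as a script rather than by hand in a text editor. This is an added example, not the post author's procedure and not OPNsense project code. The ISC-side tag names (`<staticmap>`, `<mac>`, `<ipaddr>`, `<hostname>`, `<descr>`) and the Kea-side names (`<reservation uuid="...">`, `<subnet>`, `<hw_address>`, `<ip_address>`, `<hostname>`, `<description>`) are assumptions based on how those fields appear in a config backup; check them against your own export before loading the output. The sample input is constructed.

```python
"""Convert legacy ISC DHCP <staticmap> entries from an OPNsense config.xml
backup into Kea <reservation> blocks.

Added example, not OPNsense code. Tag names on both sides are assumptions;
compare with a reservation the GUI created before importing the result.
"""
import ipaddress
import uuid
import xml.etree.ElementTree as ET
from typing import Optional

# Legacy ISC field -> Kea reservation field (assumed names). Anything not
# listed here (cid, dnsserver, winsserver, ntpserver, ...) is dropped, which
# is what the post describes doing by hand.
FIELD_MAP = {
    "mac": "hw_address",
    "ipaddr": "ip_address",
    "hostname": "hostname",
    "descr": "description",
}

# Constructed sample of the legacy <dhcpd> section, including the tags that
# have no Kea equivalent.
SAMPLE_ISC = """<dhcpd><lan>
  <staticmap><mac>AA:BB:CC:DD:EE:01</mac><cid></cid><ipaddr>192.168.1.10</ipaddr>
    <hostname>printer</hostname><descr>Office printer</descr>
    <dnsserver/><winsserver/><ntpserver/></staticmap>
  <staticmap><mac>aa:bb:cc:dd:ee:02</mac><ipaddr>192.168.1.11</ipaddr>
    <hostname>nas</hostname><descr/></staticmap>
</lan></dhcpd>"""

# Hypothetical uuid of the Kea subnet the reservations belong to; copy the
# real one from the example reservation you created in the GUI.
SUBNET_UUID = "11111111-2222-3333-4444-555555555555"


def convert_staticmaps(isc_xml: str, subnet_uuid: str,
                       subnet_cidr: Optional[str] = None) -> ET.Element:
    """Return a <reservations> element with one <reservation> per <staticmap>.

    Each reservation gets a random uuid4 instead of an incremented counter:
    uniqueness is all that matters, and random uuids cannot collide with the
    ones the GUI already generated. If subnet_cidr is given, every address is
    checked to lie inside it, which catches entries copied from the wrong
    interface section.
    """
    root = ET.fromstring(isc_xml)
    net = ipaddress.ip_network(subnet_cidr) if subnet_cidr else None
    reservations = ET.Element("reservations")
    seen_macs = set()
    for sm in root.iter("staticmap"):
        mac = (sm.findtext("mac") or "").strip().lower()
        ip_text = (sm.findtext("ipaddr") or "").strip()
        if not mac or not ip_text:
            raise ValueError("staticmap without <mac>/<ipaddr> cannot become a reservation")
        ip = ipaddress.ip_address(ip_text)          # raises on junk
        if net is not None and ip not in net:
            raise ValueError(f"{ip} is outside {net}")
        if mac in seen_macs:
            raise ValueError(f"duplicate MAC {mac}: two reservations for one client")
        seen_macs.add(mac)
        res = ET.SubElement(reservations, "reservation", uuid=str(uuid.uuid4()))
        ET.SubElement(res, "subnet").text = subnet_uuid
        for isc_tag, kea_tag in FIELD_MAP.items():
            value = (sm.findtext(isc_tag) or "").strip()
            ET.SubElement(res, kea_tag).text = mac if isc_tag == "mac" else value
    return reservations


def convert_to_string(isc_xml: str, subnet_uuid: str,
                      subnet_cidr: Optional[str] = None) -> str:
    """Serialised form, ready to paste into the Kea section of the backup."""
    return ET.tostring(convert_staticmaps(isc_xml, subnet_uuid, subnet_cidr),
                       encoding="unicode")


if __name__ == "__main__":
    print(convert_to_string(SAMPLE_ISC, SUBNET_UUID, "192.168.1.0/24"))
```

Run it against the `<dhcpd>` section of a backup, paste the output inside the Kea reservations list, and re-import; the duplicate-MAC and out-of-subnet checks are there because Kea refuses to start on a conflicting reservation and the GUI will not tell you which one.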
#4
After upgrading to 24.7, half my network didn't work. So the last few days have been back and forth between my backup opnsense box and the production box, trying different things as time allowed.

I tried a clean install of 24.7 and applied backup config. No help. Then I remembered the upgrade notes mentioned some function had been removed from old DHCP for backward compatibility with Kea. So I switched to Kea on my 24.7 install. No help there. I migrated the same Kea setup back to 24.1.10. That worked.

Some more investigating and I determined all the problem devices were trying to connect through a VLAN interface I have set up to keep IOT devices isolated. I tried connecting to that network with my phone and it failed, telling me it couldn't get an IP. So I still thought it was a DHCP issue, but I decided to check the VLAN setup anyway, and in the Interfaces summary page, the parent interface was unpopulated. I opened the edit popup, and the parent WAS populated there. Saved it, and the summary page then showed that field populated, and everything started working normally.

So maybe this is an upgrade bug. The upgrade killed my VLAN but resaving its configuration fixed it.

#5
After upgrading to 24.1.10_2, OPNsense started rejecting all inbound traffic. Every incoming connection is blocked by Default deny / State violation rule. The version is 24.1.10_2-amd64.  ISP is Comcast Business USA.

I reverted to 24.1 with a fresh install (from a fresh download), loaded the same config from a backup, and everything worked again with the same config. Because I am apparently a glutton for punishment, I upgraded the new installation to 24.1.10_2 to see if it would break. Result: it broke. All inbound connections were again blocked with Default deny / State violation rule.  So I rebuilt again with 24.1, reloaded the same config (again), and that works (again).

Not sure where to look to figure out what's going on.  Right now I'm running 24.1 because the update process would take me right to 24.1.10_2 again.
#6
23.7 Legacy Series / Interface settings mystery
January 26, 2024, 05:58:59 PM
Recently I switched to an Awow AZ51 micro PC for OPNsense.  This device has two 2.5Gb ports, and most users report having to change settings to get full throughput.  When I set it up initially, I got limited throughput, and found I needed to set the Speed and Duplex setting for each interface to 1000BaseT, and got full speed.

Today, to troubleshoot a different issue, I had to revert to an older saved configuration, which did not have the Speed and Duplex setting.  After a reboot, imagine my surprise when I got full speed without changing the Speed and Duplex setting from "Default."

I'm happy about it, but I don't understand it.  Could the hardware interface have remembered the setting?
#7
If you use a Roku, and you have dnsmasq enabled on your OPNsense box, you can add the following hosts and aliases to the dnsmasq hosts section of your xml configuration to block the annoying Roku ads.

    <hosts>
      <host>zp.ads.roku.com</host>
      <domain>zp.ads.roku.com</domain>
      <ip>127.0.0.1</ip>
      <descr>Block Roku ads</descr>
      <aliases>
        <item>
          <description>Block Roku ads</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>bif.sr.roku.com</domain>
          <host>bif.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amarillo.sb.roku.com</domain>
          <host>amarillo.sb.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>ads.roku.com</domain>
          <host>ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amarillo.logs.roku.com</domain>
          <host>amarillo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amoeba-plus.web.roku.com</domain>
          <host>amoeba-plus.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>austin.logs.roku.com</domain>
          <host>austin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>bryan.logs.roku.com</domain>
          <host>bryan.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>camden.logs.roku.com</domain>
          <host>camden.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>customer-feedbacks.web.roku.com</domain>
          <host>customer-feedbacks.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>digdug-g2.logs.roku.com</domain>
          <host>digdug-g2.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>digdug.logs.roku.com</domain>
          <host>digdug.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>display.ravm.tv</domain>
          <host>display.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>esp.logs.roku.com</domain>
          <host>esp.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>giga.logs.roku.com</domain>
          <host>giga.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>gilbert.logs.roku.com</domain>
          <host>gilbert.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>griffin.logs.roku.com</domain>
          <host>griffin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>hereford.logs.roku.com</domain>
          <host>hereford.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>i.ads.roku.com</domain>
          <host>i.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>identity-dev.ads.roku.com</domain>
          <host>identity-dev.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>identity.ads.roku.com</domain>
          <host>identity.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>lagrange.logs.roku.com</domain>
          <host>lagrange.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>liberty.logs.roku.com</domain>
          <host>liberty.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>littlefield.logs.roku.com</domain>
          <host>littlefield.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>logs.roku.com</domain>
          <host>logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>longview.logs.roku.com</domain>
          <host>longview.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>midland.logs.roku.com</domain>
          <host>midland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>mobile.logs.roku.com</domain>
          <host>mobile.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>paolo.logs.roku.com</domain>
          <host>paolo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>raps-perf.ravm.tv</domain>
          <host>raps-perf.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>raps.ravm.tv</domain>
          <host>raps.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>ravm.tv</domain>
          <host>ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>richmond.logs.roku.com</domain>
          <host>richmond.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>rollingwood.logs.roku.com</domain>
          <host>rollingwood.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>rxr.ravm.tv</domain>
          <host>rxr.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>samples.voice.cti.roku.com</domain>
          <host>samples.voice.cti.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>sugarland.logs.roku.com</domain>
          <host>sugarland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>track.sr.roku.com</domain>
          <host>track.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>tyler.logs.roku.com</domain>
          <host>tyler.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>victoria.logs.roku.com</domain>
          <host>victoria.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>windsor.logs.roku.com</domain>
          <host>windsor.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>wwwimg.roku.com</domain>
          <host>wwwimg.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</domain>
          <host>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>dc7eeru7ckgwe.cloudfront.net</domain>
          <host>dc7eeru7ckgwe.cloudfront.net</host>
        </item>
      </aliases>
    </hosts>
    <hosts>
      <host>zz.cooper.logs.roku.com</host>
      <domain>zz.cooper.logs.roku.com</domain>
      <ip>0:0:0:0:0:0:0:1</ip>
      <descr>Block Roku IPV6</descr>
      <aliases>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amarillo.logs.roku.com</domain>
          <host>amarillo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amoeba-plus.web.roku.com</domain>
          <host>amoeba-plus.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>austin.logs.roku.com</domain>
          <host>austin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>bryan.logs.roku.com</domain>
          <host>bryan.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>camden.logs.roku.com</domain>
          <host>camden.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>customer-feedbacks.web.roku.com</domain>
          <host>customer-feedbacks.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>digdug-g2.logs.roku.com</domain>
          <host>digdug-g2.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>digdug.logs.roku.com</domain>
          <host>digdug.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>display.ravm.tv</domain>
          <host>display.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>esp.logs.roku.com</domain>
          <host>esp.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>giga.logs.roku.com</domain>
          <host>giga.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>gilbert.logs.roku.com</domain>
          <host>gilbert.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>griffin.logs.roku.com</domain>
          <host>griffin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>hereford.logs.roku.com</domain>
          <host>hereford.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>i.ads.roku.com</domain>
          <host>i.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>identity-dev.ads.roku.com</domain>
          <host>identity-dev.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>identity.ads.roku.com</domain>
          <host>identity.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>lagrange.logs.roku.com</domain>
          <host>lagrange.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>liberty.logs.roku.com</domain>
          <host>liberty.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>littlefield.logs.roku.com</domain>
          <host>littlefield.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>logs.roku.com</domain>
          <host>logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>longview.logs.roku.com</domain>
          <host>longview.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>midland.logs.roku.com</domain>
          <host>midland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>mobile.logs.roku.com</domain>
          <host>mobile.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>paolo.logs.roku.com</domain>
          <host>paolo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>raps-perf.ravm.tv</domain>
          <host>raps-perf.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>raps.ravm.tv</domain>
          <host>raps.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>ravm.tv</domain>
          <host>ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>richmond.logs.roku.com</domain>
          <host>richmond.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>rollingwood.logs.roku.com</domain>
          <host>rollingwood.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>rxr.ravm.tv</domain>
          <host>rxr.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>samples.voice.cti.roku.com</domain>
          <host>samples.voice.cti.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>sugarland.logs.roku.com</domain>
          <host>sugarland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>track.sr.roku.com</domain>
          <host>track.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>tyler.logs.roku.com</domain>
          <host>tyler.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>victoria.logs.roku.com</domain>
          <host>victoria.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>windsor.logs.roku.com</domain>
          <host>windsor.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>wwwimg.roku.com</domain>
          <host>wwwimg.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</domain>
          <host>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>dc7eeru7ckgwe.cloudfront.net</domain>
          <host>dc7eeru7ckgwe.cloudfront.net</host>
        </item>
      </aliases>
    </hosts>
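The hosts list above, and the alias-doubling symptom from the first post on this page, are both easier to check by script than by scrolling through the edit popup. The following is an added example, not part of the post and not OPNsense code: it parses the `<hosts>` structure exactly as posted (`<host>`, `<domain>`, `<ip>`, `<descr>`, `<aliases><item>`), flags entries whose `<host>` and `<domain>` both hold the full name (which render as `name.name` if the two fields are joined as host.domain; that joining is an assumption about how the record is built, but it matches the symptom described in post #1), flags aliases listed twice for the same address, rejects IPs that do not parse, and emits equivalent dnsmasq `address=` lines for review. The sample input is constructed, with one deliberate duplicate.

```python
"""Audit dnsmasq <hosts> entries from an OPNsense config.xml backup.

Added example, not from the post above and not OPNsense code. The way the
GUI joins <host> and <domain> is an assumption; everything else follows
from the XML as posted.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Record = Tuple[str, str]  # (fqdn, ip)

# Constructed fragment mirroring the posted structure: full names in both
# <host> and <domain>, one alias repeated, one IPv6 entry in long form.
SAMPLE = """
<hosts>
  <host>zp.ads.roku.com</host><domain>zp.ads.roku.com</domain>
  <ip>127.0.0.1</ip><descr>Block Roku ads</descr>
  <aliases>
    <item><host>cloudservices.roku.com</host><domain>cloudservices.roku.com</domain></item>
    <item><host>cloudservices.roku.com</host><domain>cloudservices.roku.com</domain></item>
    <item><host>logs</host><domain>roku.com</domain></item>
  </aliases>
</hosts>
<hosts>
  <host>zz.cooper.logs.roku.com</host><domain>zz.cooper.logs.roku.com</domain>
  <ip>0:0:0:0:0:0:0:1</ip><descr>Block Roku IPV6</descr>
  <aliases><item><host>cooper.logs.roku.com</host><domain>cooper.logs.roku.com</domain></item></aliases>
</hosts>
"""


def _name_parts(node: ET.Element) -> Tuple[str, str]:
    host = (node.findtext("host") or "").strip().rstrip(".").lower()
    domain = (node.findtext("domain") or "").strip().rstrip(".").lower()
    return host, domain


def intended_name(host: str, domain: str) -> Tuple[str, Optional[str]]:
    """Return the name the author meant, plus a warning if host.domain would double it."""
    if domain and host == domain:
        return host, f"{host}: host and domain both hold the full name (renders as {host}.{domain})"
    if domain and host.endswith("." + domain):
        return host, f"{host}: host already includes the domain (renders as {host}.{domain})"
    return (f"{host}.{domain}" if domain else host), None


def audit_hosts(xml_text: str) -> Tuple[List[Record], List[str]]:
    """Parse every dnsmasq <hosts> block (fragment or whole backup) into (records, warnings)."""
    if xml_text.lstrip().startswith("<?xml"):        # whole config.xml: drop the declaration
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring(f"<wrapper>{xml_text}</wrapper>")
    scope = root.find(".//dnsmasq")                   # avoid Unbound's own <hosts> entries
    if scope is None:
        scope = root
    records: List[Record] = []
    warnings: List[str] = []
    seen = set()
    for entry in scope.iter("hosts"):
        raw_ip = (entry.findtext("ip") or "").strip()
        try:
            ip = ipaddress.ip_address(raw_ip).compressed   # 0:0:0:0:0:0:0:1 -> ::1
        except ValueError:
            warnings.append(f"{entry.findtext('host')}: unparseable ip {raw_ip!r}")
            continue
        for node in [entry] + entry.findall("aliases/item"):
            host, domain = _name_parts(node)
            if not host:
                warnings.append(f"entry for {ip}: empty host skipped")
                continue
            name, warn = intended_name(host, domain)
            if warn:
                warnings.append(warn)
            if (name, ip) in seen:
                warnings.append(f"{name}: duplicate entry for {ip}")
                continue
            seen.add((name, ip))
            records.append((name, ip))
    return records, warnings


def to_dnsmasq_conf(records: List[Record]) -> str:
    """address=/name/ip also answers for subdomains of name, which suits a blocklist;
    use host-record=name,ip where only the exact name should be overridden."""
    return "".join(f"address=/{name}/{ip}\n" for name, ip in records)


if __name__ == "__main__":
    recs, warns = audit_hosts(SAMPLE)
    for w in warns:
        print("WARN", w)
    print(to_dnsmasq_conf(recs))
```

Two caveats a practitioner would want alongside the list itself: the override only bites if the device actually asks your dnsmasq, so pair it with a firewall rule that redirects or blocks outbound port 53 (and 853) from the IoT segment, otherwise a client with a hard-coded resolver walks straight past it; and `127.0.0.1` makes the device connect to itself, which is harmless but shows up as failed connections in its own logs rather than as NXDOMAIN.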
#8
I notice recently that some sites (linode.com and nerdwallet.com for example) are inaccessible from a desktop browser while intrusion detection is enabled.  Turn it off, they come right up.  From a mobile device on the same network, they come right up.  But from a desktop browser with detection enabled, no dice. There is nothing relevant to those connection attempts in the alert log.  I've tried to narrow down what ruleset might be responsible by turning off rulesets in groups, and it doesn't look like it matters what rules are active.

Anyone else have this problem?
#9
I know I'm not the only one using EOL Watchguard XTM hardware for my OPNsense firewall.  There are a lot of guides out there for how to do it.  The Watchguard OS is on a CF card mounted on the system board (!) but there are SATA ports on the board and unused SATA power connectors on the power supply harness, so most people install an SSD.

There are four mounting posts in an unused area of the case, but they don't line up with drive mounting holes.  It's like Watchguard intended to offer an SSD or HDD option at some point but never did it.  So there is no available bracket to mount the drive.  Most people just use foam tape to affix the drive to the case, but I prefer to fabricate a mounting plate, like so:

It's just a piece of thin sheet metal (galvanized flashing, in this case) with holes and cutouts in the necessary places.  Works like a charm and prevents having to peel off foam tape if you need to get the drive out later. 

Just thought I'd show it in case anyone can use the idea.
#10
21.7 Legacy Series / OPNsense unexplained lagging
August 09, 2021, 08:05:16 PM
The other day I noticed some internet access slowdowns and logged in to OPNsense to check things.  The GUI was extremely slow and blocky drawing up, and subsequently slow to navigate, as if something else was using all the resources.  But CPU usage was very low.  I suspect whatever was causing it was also behind the slowdowns I was investigating.

It was not totally frozen, so I was able to do an update to the final version of 21.1, which didn't help anything, and then to 21.7.1, which also didn't solve anything. That's a total of three reboots, so "have you tried turning it off and back on again" wasn't helping either.  I decided the hardware (Watchguard XTM 5) must be getting flaky and removed it from service for diagnosis.

As an experiment, I wiped the SSD's partition table, did a fresh 21.7.1 install, and applied my backup.  Because I believed it to be the hardware, I expected this would not help, but it completely fixed the issue.

What could have gone wrong here?  The SSD seems fine; it's relatively new, and passes SMART with no issues.  I no longer think the hardware was the issue, and clearly my configuration is not the cause.  What could have gone amiss with OPNsense itself that would not have been fixed by a version upgrade and multiple reboots?
#11
Recently Google Voice calls from the web interface started failing in the sense that the call would seemingly drop before it was connected, or just after connection.  Experimentally I turned off intrusion detection, and that solved it, so I turned on detection again and watched the alerts, identifying a couple of specific rules that were being tripped.  Turning them off solved the problem.

However, I foolishly did not note which rules they were, and now I would like to know.  Is there any way to identify what rules have been manually turned off most recently?
#12
General Discussion / One more question about DNS over TLS
February 12, 2021, 05:25:21 AM
Does every individual upstream DNS-over-TLS query do a new handshake and authentication?  Or is there some amount of persistence to the connection?
#13
To evade my ISP's transparent DNS proxying, I configured Unbound to use upstream DNS-over-TLS on port 853.  This mostly works fine, except my logs still show some traffic to 8.8.8.8 on port 53.  It appears to be originating from the firewall's own IP.  8.8.8.8 is not configured anywhere in the firewall anymore (I checked this by downloading the config and searching through it, and by logging in using SSH and grepping the /etc/ directory).  I do not understand where the firewall is getting 8.8.8.8 and why it wants to keep querying it on port 53.  There are no DNS servers specified in Settings > General; I removed them when I configured Unbound DNS-over-TLS. 

My next idea was to set up a firewall rule to block outbound port 53.  I figured I could do that and see what it breaks.  But that's not working because the traffic is being explicitly passed by the automatically generated floating rule "let out anything from firewall host itself (force gw)".  Because this is an automatically generated rule, I can't place my manual rule ahead of it, and because it's a floating rule, it gets evaluated before the LAN rules, so placing my manual rule there does no good either.

Any suggestions?
#14
I have Unbound configured with two Cloudflare and two Google upstream DNS-over-TLS servers: 1.1.1.1@853, 1.0.0.1@853, 8.8.8.8@853, and 8.8.4.4@853, in that order.

Watching the logs, it seems to use all four of them, although it favors Cloudflare.  How does it choose?  Does it select randomly, or is there a logic to it that I'm not seeing?
#15
When I configured Unbound for the first time the other day, there was a load of gibberish in the Custom Options box, like this:

(This is not the actual gibberish, just a reasonable approximation.)

What is that?  It looks like an SSL key or something.  I removed it before activating Unbound and it doesn't seem to have made any difference.
#16
General Discussion / DNS over nonstandard port?
January 26, 2021, 05:06:06 PM
Is it possible, using either Unbound or Dnsmasq, to proxy DNS to an upstream server using a port other than 53?

My ISP is transparently proxying DNS.  Any query on port 53 to any IP is being intercepted.  To get around this I'd like to use OpenDNS on their alternate port, 5353.  But both Unbound and Dnsmasq use the upstream servers set in System: Settings: General, and I don't see how to specify port 5353.  I've tried 208.67.222.222:5353, but it throws an error and won't save.

Could I accomplish this with port forwarding?  Set OpenDNS's servers as the only ones in System: Settings: General, and then forward everything that goes out on WAN for 53 to 5353 with a port forwarding rule?
#17
Currently everything on my network is on the same 192.168.1.x subnet.  I want to segregate traffic from IoT devices to their own subnet.  All the IoT devices are wi-fi, so here is what I'm hoping to do:

1) Set up another physical interface on my OPNsense box as OPT1 with a different subnet, maybe 176.16.0.x, and physically connect it to the wi-fi access point (a UniFi AP).
2) Set up VLAN on OPT1 with another subnet, say 10.0.0.x.
3) Set up DHCP for both.
4) Configure the UniFi controller with two new wi-fi networks: one regular network pointing to 176.16 subnet (let's call it SSID1), and one network tagged as a VLAN, with its VLAN ID matching what was set up in step 2 (let's call it SSID2).
5) Set up an alias containing those three subnets.
6) Set up default pass-all firewall rules for OPT1.
7) Set up default pass-all firewall rules for VLAN with an inverse match on the alias set up in step 5.

If I have thought this out right, this should allow the 192.168 and 176.16 subnets to see the internet and the other subnets, but the 10.0 subnet to only see the internet, so wi-fi clients connected to SSID2 are prevented from contacting the rest of the network.

Did I miss anything?
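A way to check the plan in steps 5 to 7 before touching the firewall: model the rule set with Python's `ipaddress` module and evaluate the flows that matter. This is an added example, not the post author's configuration and not an OPNsense tool; it uses the three subnets exactly as the post names them (note that 176.16.0.0/24 is not an RFC 1918 range, 172.16.0.0/12 is, so substitute a private one in practice), assumes 10.0.0.1 as the firewall's own address on the VLAN, and evaluates rules first-match like OPNsense's default quick rules with an implicit default deny. The flow worth seeing is VLAN client to the firewall's VLAN address: that address is inside the step-5 alias, so the inverse-match rule does not pass it, and DNS (or NTP) served by the firewall to the IoT segment needs its own pass rule placed before it.

```python
"""Model the IoT segmentation rule set from the post and evaluate flows.

Added example. Subnets are the post's values; 10.0.0.1 as the firewall's
VLAN address is an assumption. Rules are evaluated first-match with an
implicit default deny, the way OPNsense's default 'quick' rules behave.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

Net = ipaddress.IPv4Network

LAN = Net("192.168.1.0/24")
OPT1 = Net("176.16.0.0/24")   # as written in the post; not RFC 1918, use 172.16.x in practice
VLAN = Net("10.0.0.0/24")
ANY = Net("0.0.0.0/0")
LOCAL_NETS = [LAN, OPT1, VLAN]  # step 5: the alias holding all three subnets
VLAN_GATEWAY = "10.0.0.1"       # assumed firewall address on the VLAN interface


@dataclass
class Rule:
    iface: str          # interface the rule is attached to
    src: Net            # source network
    dst: List[Net]      # destination alias (list of networks)
    dst_invert: bool = False   # "not" / inverse match on destination
    action: str = "pass"
    note: str = ""


def evaluate(rules: List[Rule], iface: str, src_ip: str, dst_ip: str) -> str:
    """Return 'pass' or 'block' for a packet entering iface from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface or src not in r.src:
            continue
        hit = any(dst in n for n in r.dst)
        if r.dst_invert:
            hit = not hit
        if hit:
            return r.action
    return "block"   # default deny


# The plan as posted.
PLANNED = [
    Rule("lan", LAN, [ANY], note="existing LAN default allow"),
    Rule("opt1", OPT1, [ANY], note="step 6: pass all on OPT1"),
    Rule("vlan", VLAN, LOCAL_NETS, dst_invert=True, note="step 7: pass to anything NOT local"),
]

# Same plan with a narrow pass to the firewall's own VLAN address placed
# first, so the IoT segment can still reach DNS/NTP served by the firewall.
# In the GUI, restrict this rule to UDP/TCP 53 (and 123) rather than all ports.
HARDENED = [Rule("vlan", VLAN, [Net(VLAN_GATEWAY + "/32")],
                 note="IoT -> firewall services only")] + PLANNED


def flow_table(rules: List[Rule]) -> List[str]:
    """Evaluate a fixed set of representative flows; used by the demo below."""
    flows = [
        ("vlan", "10.0.0.50", "1.1.1.1"),        # IoT -> internet
        ("vlan", "10.0.0.50", "192.168.1.20"),   # IoT -> LAN host
        ("vlan", "10.0.0.50", "176.16.0.5"),     # IoT -> OPT1 host
        ("vlan", "10.0.0.50", VLAN_GATEWAY),     # IoT -> firewall's VLAN address (DNS)
        ("opt1", "176.16.0.9", "192.168.1.20"),  # trusted wifi -> LAN host
        ("vlan", "192.168.1.5", "1.1.1.1"),      # LAN source arriving on the VLAN (spoof)
    ]
    return [f"{i:5} {s:>12} -> {d:<14} {evaluate(rules, i, s, d)}" for i, s, d in flows]


if __name__ == "__main__":
    for title, rules in (("planned", PLANNED), ("hardened", HARDENED)):
        print(f"== {title} ==")
        print("\n".join(flow_table(rules)))
```

Traffic between two clients on the same subnet never crosses the firewall, so the model only speaks to inter-subnet flows; the spoofed-source case shows why keeping the source restricted to the interface's own network in step 7 matters rather than using "any".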
#18
General Discussion / Would you call this a bug?
January 02, 2021, 03:33:09 AM
Setting up a new firewall using a saved configuration from the old one, I ran into a problem with GeoIP.  In spite of having a working MaxMind license (verified by manual download using the link), it kept popping up "In order to use GeoIP, you need to configure a source in the GeoIP settings tab."  I searched the forum for that error and saw conflicting advice, which I tried to follow.  I deleted and recreated my aliases and nothing changed; I created new MaxMind licenses with every available option and still got nowhere.  Every time I visited the Aliases page or the GeoIP tab, anything I'd do would give me the popup again.

Finally I changed my search terms in the forum and found one other person with this problem and someone advising him to just wait a while and the issue would clear itself.  So I did, and that seems to be the answer.

I'd consider this error message to be a bug.  It's misleading and erroneous; you get it even though the source is configured in the settings tab, so the message doesn't give the user a proper idea of what the actual problem is.  If it's not an actual configuration problem then it shouldn't be putting up an error message at all.

Opinions?  Should I report this as a bug in the development forum?
#19
General Discussion / Sudden weird performance issue
December 28, 2020, 03:30:49 AM
Opnsense running on custom hardware, built on a used 8-core Xeon Supermicro server motherboard.  We'll call this device "Box" for short.

Everything has been fine, fine, fine for months and months, and then out of the blue I start seeing intermittent service dropouts.  When it's happening I can't resolve DNS, sites time out.  When I log in to Box, it is unexpectedly painfully slow to draw up; but once the dashboard is actually showing, the displayed throughput looks normal.  Navigation through Box's OPNsense interface is just generally horrible and slow.  SMART reports drive is fine.  CPU utilization has occasional unexpected spikes. 

If not for the CPU utilization, it would look like a network I/O problem.  I don't know if I/O dropouts can cause CPU spikes.  I removed Box from service and replaced it with the previous device (a converted WatchGuard) and so far everything has been stable.  I'm plugged into the same port on the LAN switch, so to my mind that eliminates the switch as the cause; this leaves the cable, or Box's network port, or some other internal Box failure (hardware or software).

My best guess is the network port on that Supermicro motherboard.  Does anyone have any other suggestions?
#20
Is there a way to suppress that widget from showing loopback traffic?  It looks like the interface choices are LAN, WAN, or all.  LAN and WAN are useful but I don't need to see the firewall talking to itself.