Topics - N0_Klu3

#1
Hi all,

So basically I'm trying to get WG set up with Mullvad VPN purely for a few devices.
As such I followed: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

But for whatever reason when this is set up, all internet on my LAN ceases to work. I'm not 100% sure if it's just DNS not working or actual packets not being let out.

Disclaimer: I do have WG set up to allow remote access to home from my phone/laptop.
This works perfectly, and I set up a NEW Interface and new Local/Endpoints for Mullvad.

I am not sure where I am going wrong with my setup that it kills my internet when Mullvad gets enabled.
I have double checked and triple checked I followed the guide.
I am using AdGuard DNS plugin, and have that setup.

So unless it's something in my DNS setup that I need to tweak?
But not sure why it's affecting my entire network instead of just the new Mullvad VPN I setup.

Gateway is alive and up, monitoring is enabled and it's able to reach out, and I can see the handshake is successful.
My server that is set up with Mullvad gets access and works fine and can see it's connected to Mullvad.
But everything else is just dead.
#2
Hey all,

So I'm trying to set up WG via my phone.
I think I have all the internal setup done correctly.

When I put in the IPv4 address of my WAN and connect, it auto changes to an IPv6 address.

Is there a workaround to point it to an IPv4 address?
I tried adding a wg.domain.com to my WAN IP via A record and it still changed it to IPv6.
#3
Virtual private networks / Multi WAN with dual VPN
April 14, 2022, 05:40:49 PM
Hi all,

I'm wondering if there is a guide out there somewhere that I can follow.
My current setup is I'm running dual WAN with 2x ISPs and added to a GW group.

I would like to get a VPN service and route the traffic through both WANs while maintaining my dual WAN setup, so that I still get the dual GW load balance.

Can someone advise on a guide on this?

Also which VPN service?
I was looking at NordVPN or ProtonVPN. Any others I should consider?
#4
Hi all,

So I tried to follow the Road Warrior guide.
Got it all created and all.
I do have dual WAN, first thing to note, but I just used the 1 WAN connection.
As such I used this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html
Note I had to set up DNS via DHCP for each interface.

I have my WG client setup on my iPhone, it has the IPv4 external IP of that WAN connection.
So Endpoint: 212.69.45.xx:51820

I click connect, I can see transfer: 1.16 KiB received, 736 B sent increasing.
But if I look back at my client (iPhone), instead of the IPv4 endpoint address you see above, it's now showing an IPv6 address.
And I do not get a handshake.
Once it connects it goes from IPv4 WAN to IPv6 WAN even though I do not have IPv6 set up on my OPNsense router.
And I cannot get it to handshake for the life of me.
#5
Tutorials and FAQs / Pihole correctly?
February 19, 2022, 10:42:37 PM
Hi all.
I'm looking to run Pihole, but looking online there are about 50 ways to configure it.

Does anyone have an up to date guide with the best/most correct way to set this up together?
#6
Hi all,

So I got a Helium HNT Bobcat miner.
It needs port 44158.

So I went into FIREWALL: NAT: PORT FORWARD

I did a clone of this for my other WAN address (I run dual wan)

In FIREWALL: SETTINGS: ADVANCED
Under Network Address Translation
I ENABLED:
Reflection for port forwards
Reflection for 1:1
Automatic outbound NAT for Reflection

Under FIREWALL: NAT: OUTBOUND
I switched to Hybrid

Cloned this rule for the other WAN address too.

When I check on my miner it keeps saying:
    "10.0.0.240:44158": "closed/timeout",

Also when I scan my external IP with that specific port it says "Timed-Out" or "closed, incoming traffic denied".

Can someone help me to get this working?
#7
I thought HAProxy config issues were fixed in 21.7.5?

I just cloned a different real server and changed its port.
Created all the backend pools and stuff for it, but it's still using the port from the copied setup.

I know there were issues in 21.7.4 and there was a patch for it, so I thought in .5 it was resolved?
Do I have to re-apply that same patch?

EDIT I was being dumb, I forgot to change the Server on the backend :(
#8
21.7 Legacy Series / DNS over TLS not working?!
November 24, 2021, 09:41:56 AM
So I am trying to get DNS over TLS to work, and I must be going wrong somewhere and am seeking a bit of guidance.
I really wish there was a proper guide somewhere, but there are so many little ways to do things.
Bit of background: I run dual WAN, so I have set up the rule for DNS as per the guide for that.

Ok first: SYSTEM: SETTINGS: GENERAL
I left DNS servers blank
Unticked Allow DNS server list to be overridden by DHCP/PPP on WAN
Unticked Do not use the local DNS service as a nameserver for this system
And I did tick Allow default gateway switching (due to dual wan)

Next DNS:
SERVICES: UNBOUND DNS: GENERAL


SERVICES: UNBOUND DNS: DNS OVER TLS
I used 9.9.9.9 for IP
853 for Port
dns.quad9.net for CN Hostname

FIREWALL: RULES: LAN
IPv4 TCP/UDP   *   *   10.0.0.1   53 (DNS)   *   *   Local Route DNS
As per the Dual WAN guidance.
I did try to clone this rule and use port 853 but to no avail.

If I use https://tenta.com/test/ or https://1.1.1.1/help
both say DNS over TLS: NO.

So I'm wondering where in my setup is it incorrect that DNS over TLS doesn't engage?
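Added example, not part of the post: a small stand-alone DoT probe in Python that talks to the resolver settings given above (9.9.9.9, port 853, CN dns.quad9.net). It builds a raw DNS query with the 2-byte length prefix that DNS over TLS requires, lets the standard TLS context verify the certificate against the hostname, and parses the A records out of the reply, so you can confirm from a LAN host that the upstream itself answers over TLS. The query name is a constructed example.

```python
import socket
import ssl
import struct

# Endpoint values from the post above; the query name below is a constructed example.
DOT_SERVER_IP, DOT_PORT, DOT_HOSTNAME = "9.9.9.9", 853, "dns.quad9.net"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A query for `name`, with the 2-byte length prefix RFC 7858 uses over TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_answers(msg: bytes, txid: int = 0x1234) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response message."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    def skip_name(p):  # walk labels until the root label or a compression pointer
        while msg[p] and msg[p] & 0xC0 != 0xC0:
            p += msg[p] + 1
        return p + (2 if msg[p] else 1)
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # question: name + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_over_tls(name: str, ip=DOT_SERVER_IP, port=DOT_PORT, hostname=DOT_HOSTNAME) -> list:
    """Send one query over TLS; the default context verifies the chain and `hostname`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(name))
            data = b""
            while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed before full response")
                data += chunk
    return parse_answers(data[2:])

if __name__ == "__main__":  # live check; needs network and a valid certificate for the CN
    print(query_over_tls("example.com"))
```

If the certificate does not match the CN hostname, `wrap_socket` raises an `ssl.SSLCertVerificationError`, which is the same failure Unbound would hit with a wrong CN.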
#9
So I have HA running on 10.0.0.9:8123.
I spun up a new VM and changed the IP address of the Real Server from 10.0.0.9 to 10.0.0.12.
All good, shows the correct IP in the Real Servers tab.

BUT it's still using the old IP.

I look in the maintenance tab and it still shows 10.0.0.9...
I have restarted OPNsense, I've disabled HAProxy and re-enabled.
I've tried disabling the service, changing the IP address to something random and back to 10.0.0.12, but yeah, it's still linking to the .9 IP.

HOW can I get the change to take effect?
#10
21.1 Legacy Series / Dual WAN woes
July 07, 2021, 10:46:44 AM
Hi all,

I have 2x PPPoE WAN connections.
For the most part they have been working perfectly fine for the last month, few niggles here and there.

Last week I got an alert during the night, one of the WANs was down. This wasn't true, or it was just high packet loss or something, and then like 2 mins later it was back and re-added to the gateway group.
But then when it was re-added, anything that was using this line was just dead.
No sites would load, nothing would function.
Messed around for ages, called the ISP, they said it's up but there is 1) no connection to us.
So I ended up putting in my ISP password again and boom, now I have a connection, and then 2) OK, we can see a connection but it's not serving any traffic through it.

Disabling and re-enabling gateways, eventually it worked.
Today the same thing. Just dead.
Right now I've just disabled the gateway that is causing me issues and am working on 1 connection.

But I'd really like to get to the bottom of why it's not serving traffic even though it says it's up.
fast.com was reporting I couldn't hit some servers, which is accurate as it was only transmitting traffic through 1 link.

I don't know the best way forward now either; how do I get this 2nd WAN connection to actually function?
Obviously I've reset everything...
I've changed it now from "Gateway down for Packet Loss or High Latency" to "Member Down", in the hope of it not resetting the gateways so much.

I really need both WAN connections functioning and functioning well... Can anyone help?
#11
Hi all,

I've just got 2x WAN connections.

I'm having issues getting my port forwarding to work correctly, i.e. I can't get it to work at all.

I just moved from pfSense, does anyone have any ideas?

How do I get port forwarding to work when using a multi WAN environment?

I tried using just WAN1 and WAN1 Address like I would previously, but nothing worked, inside or outside my network.
#12
21.1 Legacy Series / DNS TLS with Multi WAN
June 04, 2021, 03:25:21 PM
Hey guys,

I am looking to set different DNS TLS names for each gateway.
How can I add DNS-over-TLS "dns.nextdns.io" to each gateway?

So WAN1 45.90.28.124 and 123.dns.nextdns.io
and WAN2 45.90.30.43 and 567.dns.nextdns.io

In pfSense under System -> General Setup
I added 2x DNS like the above, as it has a TLS Hostname option and then a "select which gateway" option, and job's a good 'un.

If I look at the router setup guide for NextDNS it says:
Unbound
Use the following in unbound.conf:
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io


So I can add this for each DNS, but how do I add it in unbound on a per-gateway basis?

Or if I set each DNS server in General on OPNsense and choose the gateway there,
under unbound can I just add:

server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#123.dns1.nextdns.io
  forward-addr: 45.90.30.0#567.dns2.nextdns.io


Would that config work for each separate gateway?
#13
21.1 Legacy Series / Unbound Blacklist issues?
March 31, 2021, 09:59:31 PM
Hi guys,

I'm trying to add: https://block.energized.pro/basic/formats/hosts

Energized Basic block list to my Unbound Blocklist.

Every time I add it I get an error reloading unbound.

unbound-checkconf /var/unbound/unbound.conf
/var/unbound/etc/dnsbl.conf:561149: error: unknown keyword ','
/var/unbound/etc/dnsbl.conf:561149: error: unknown keyword 'A'
/var/unbound/etc/dnsbl.conf:561149: error: unknown keyword '0.0.0.0'
/var/unbound/etc/dnsbl.conf:561149: error: stray '"'
/var/unbound/etc/dnsbl.conf:2050091: error: unknown keyword 'A'
/var/unbound/etc/dnsbl.conf:2050091: error: unknown keyword '0.0.0.0'
/var/unbound/etc/dnsbl.conf:2050091: error: stray '"'
read /var/unbound/unbound.conf failed: 7 errors in configuration file
I get this when checking the conf for unbound.

If I remove this block list it works fine. I have tried all the options for Energized Basic (RAW, Domain, Hosts), same error every time I add it.

Can someone let me know where I'm going wrong or how to add a blocklist successfully?

I can see it pulling and dnsbl.conf growing before it errors out.
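Added example, not from the post or from OPNsense: a Python converter that turns a hosts-format blocklist into unbound local-zone/local-data lines and, instead of writing a malformed entry, reports the line number and raw text of anything that is not a valid hosts record (stray quotes, commas, bad labels). The sample list is constructed, and the redirect/A-record output syntax is an assumption rather than the exact format OPNsense's blocklist script writes.

```python
import re

# One DNS label: 1-63 chars of letters, digits or hyphens, not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid multi-label hostname."""
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def hosts_to_unbound(text: str):
    """Convert a hosts-format blocklist into unbound local-zone/local-data lines.

    Returns (config_lines, rejected): rejected holds (line_no, raw_line) for every
    entry that is not a valid hosts record, so a bad line is reported instead of
    being written into dnsbl.conf and breaking the whole reload.
    """
    sinks = {"0.0.0.0", "127.0.0.1", "::", "::1"}
    config, rejected = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()  # hosts format: "<sink address> <domain> [<domain> ...]"
        # localhost entries appear in most hosts files and are never something to block
        names = [f for f in fields[1:] if f not in ("localhost", "localhost.localdomain")]
        if fields[0] not in sinks or len(fields) < 2 or not all(valid_hostname(f) for f in names):
            rejected.append((n, raw))
            continue
        for name in names:
            # Assumed output syntax (redirect zone + A record), not necessarily what OPNsense writes.
            config.append(f'local-zone: "{name}" redirect')
            config.append(f'local-data: "{name} A 0.0.0.0"')
    return config, rejected

# Constructed sample: two good records, then two lines shaped like the tokens
# unbound-checkconf complained about above (a stray quote, a comma).
SAMPLE = """\
# hosts-style blocklist (constructed, not the real Energized list)
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org beacon.example.org
"bad.example.com", A 0.0.0.0
0.0.0.0 bad,host.example.com
"""

if __name__ == "__main__":
    lines, bad = hosts_to_unbound(SAMPLE)
    print("\n".join(lines))
    for n, raw in bad:
        print(f"rejected line {n}: {raw!r}")
```

Running it against the downloaded list (after `text = open(path).read()`) prints the offending line numbers, which can be compared with the line numbers in the unbound-checkconf output.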
#14
So I've been looking around and been unable to get a good AdGuard or PiHole setup.

I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.

--------------------
Setup for a physical AdGuard (Raspberry Pi or something)

I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Chose and configure to your desired setup.

On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as a nameserver for this system

Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable


Unbound -> Untick 'Enable Unbound'. (So it's turned off)
Or you can follow the steps below to use router_ip:5353 to loop back to OPNsense unbound as a backup.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly because, if you removed all DNS servers from System -> General Setup, I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12

If you have VLANs or other LANs you may need to add some firewall rules to allow traffic through to the DNS server IP on port 53 (DNS).

That is pretty much it.

--------------------
Setup for using AdGuard via the OPNsense community repo

Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.

Navigate to router_ip:3000 to setup AdGuard.
I set the Admin interface to my main LAN as the only listen interface and via port 81 (OPNsense uses ports 80 and 443, so select something other than these for the AdGuard listen port and if you configure AdGuard's SSL settings).

DNS Server listen interface select 'All' on Port 53.

Setup DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353

On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer; then remove the Bootstrap DNS setup as above)
Set port 5353 (instead of the default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'

Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable


If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly because, if you removed all DNS servers from System -> General Setup, I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip

And the same for any VLANs, just set the router IP for each VLAN.
e.g. 192.168.107.1 is my IoT VLAN

That should pretty much do it.

--------------------

Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.

*NOTE* I did find that running AdGuard via the OPNsense router lowered the processing time by more than half:
9ms via the router setup, compared to around 45ms via Raspberry Pi 3B+.
#15
So here is my setup:
Router with 4x 1gbe LAN ports split like:
1x WAN
1x LAN
1x IoT
1x Guest

Now my Shield TV and other bits are on IoT, and my server is on LAN.
Which works well, but I see a lot of traffic especially when playing 4k passing between IoT and LAN networks...

I have fully managed Unifi switches so can set up VLANs better.
I'm wondering if it would be better to keep them physically separate, i.e. each VLAN has its own physical NIC, or to use LAGG and do like 2x NICs to the switch.
My internet is atm only 45mb down, so I don't need LAGG from router to switch.
I do hope to get 1gb up/down in the next 6 months.

I'm just curious to all those proper network people if my setup is good or not.
Physically separate networks, or utilise VLANs better?
If it's better to make use of VLANs, is it worth setting up LAGG and say 2x NICs to the switch?
Or just stick with 1x WAN and 1x LAN/IoT/Guest?

EDIT: I also want to point out that I set it up like this as it was simple.
I didn't have much setup to do, it just kinda works.
On the Unifi switch I set 3 ports to their specific networks, so it matches the 3x LAN/IoT/Guest networks I have.
#16
Hey all,

So I've moved over from pfSense, and miss pfBlocker.

I don't want to use any addons or adguardhome or anything. I want to use the built-in unbound blacklists, which I set up (at least I think, via the Energized blocklist) and all seems well.

But I want to see how I can track blocked sites, or have some sort of live report, so that if a site isn't working I can see which domain to whitelist?

Is there any good way to do this?
#17
20.7 Legacy Series / New build with Zen IPv6 not starting
December 23, 2020, 03:30:21 PM
Hey all,
So I did a new OPNsense build yesterday, and it's all set up nicely.
I use Zen and have IPv6 enabled. I have it set up using DHCP right now as there is no need for anything else.
If I restart OPNsense then dpinger for WAN_DHCP6 is down, and so is dhcpd6.
I left it all night, it never starts.
If I check https://ipv6-test.com/, IPv6 fails and isn't working even though my devices get IPv6 local addresses.

As soon as I click start on those 2 services, boom, https://ipv6-test.com/ starts to report as working right away...

Is there any reason why those services are not auto starting?

Also as a side note, I don't think the IPv6 gateways work nicely/right.
So for instance on my LAN and WAN interfaces, if I disable or turn off IPv6 so it's set to none, there is still an IPv6 GW.
If I click delete on that gateway it says apply and never gets deleted.
Basically it's always there even if I don't want to use it anymore; it's kinda janky and buggy to remove.
I even tried once to remove the gateway from the config, but it came right on back.
#18
Hey guys,

So I recently set up OPNsense again, and am using the blocklist function.

But how do I check what is blocked? Let's say I'm trying to diagnose a blocked site or something and want to check it's the DNSBL block list that's the culprit.

How can I see a report or something?
#19
Hey guys,

So I'm trying to forward port 443 to 1443 and 10.0.0.10.

I have it set up and working, kinda.
If I toggle the NAT settings I can get it to work with the port forward, but then all other pages break.
So I cannot get it to port forward and keep internet working on any page.
I don't know what I have done wrong, and I've tried to toggle it every which way and it's either one or the other.
Either I get my pages to forward correctly but then cannot access any other webpage, or I get web pages and cannot get my port forward to work right.

For what it's worth, it's forwarding to a SWAG (LetsEncrypt) docker.
#20
20.7 Legacy Series / New build NUT not working
December 18, 2020, 10:07:13 PM
Hey all, I just this evening installed 20.7.7 as a clean/fresh install.
Installed the NUT plugin and then tried to start it, and it doesn't start. I see this in the logs:

/usr/local/etc/rc.d/nut: WARNING: failed precmd routine for nut

Anyone know how to resolve this? Or why it's not working?