OPNsense
Topics - RamSense

1
General Discussion / DoT for dns Local/LAN / adguard home and bind
« on: October 19, 2024, 05:05:47 pm »
Hi, I am wondering if this is possible:
I am running Opnsense with Adguard Home (plugin) and Bind (plugin), so that every DNS/port 53 request goes to Adguard Home. Adguard Home has 127.0.0.1:5354 as upstream (Bind), and Bind has no DNS forwarders. This way every lookup will go to the DNS root servers if it is not yet known/cached. As I have learned in the past from this forum, this gives more privacy, since no root DNS server "has it all", and is better than trusting the 1.1.1.1 server or your ISP's encrypted DNS server, which "has it all". This is working great.

However, every local/LAN DNS lookup is plain DNS / unencrypted. Is there a way to make LAN also DoT, e.g. Adguard Home DoT to Bind? Maybe plain DNS is a small risk on LAN, but if it can be secured, why not do so?

I am eager to learn your solution(s) for this.

2
24.7 Production Series / WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 26, 2024, 02:18:07 pm »
I have just updated to OPNsense 24.7.5-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15

Now WireGuard does not work / does not get an IPv4 address, only showing IPv6 when checking https://www.whatismyip.com/

Others having this issue also? Is there a quick fix?


3
24.7 Production Series / *SOLVED* Update opnsense to 24.7.4 broke my box! Help needed
« on: September 12, 2024, 06:55:55 pm »
I just updated my box to opnsense 24.7.4. The reboot hung, so I did a manual power off and on; now Opnsense won't start. I connected a monitor to it and I see: failed to load kernel.
What should I do to get it back ?

Thank you very much for the help!

4
General Discussion / Postfix relay on opnsense for sending email port 587 from local email server?
« on: September 07, 2024, 09:27:00 am »
Hi,
I have my own email server running and I use postfix on opnsense as a mail gateway as described here:
https://docs.opnsense.org/manual/how-tos/mailgateway.html
This works great for port 25 SMTP to enable communication between the sending and receiving servers to my local hosted email server.

Now I wonder if opnsense-postfix can (and should?) also be used for port 587 (SMTP-STARTTLS), so that all email clients (pc, iphone, laptop, etc.) can send email by first going to port 587/postfix and sending emails from our local email server.

Currently I have port 25 pointing to and using postfix, while for port 587 and IMAP I use a port forward to the local email server. Can this be postfix also, for the same reason as using it for port 25? And if so, how can I configure that using the postfix GUI?

Thanks in advance for explaining and helping

5
24.7 Production Series / [SOLVED] APCUPSD won't start after updating to OPNsense 24.7.2
« on: August 21, 2024, 06:26:57 pm »
Hi, I have just updated my appliance to OPNsense 24.7.2 and noticed the red square / not running status of APCUPSD. Pressing start, or starting it in the plugin menu using the Enabled checkbox, does not help.

In the log I see this error:

Quote
2024-08-21T18:22:47   Error   apcupsd   apcupsd error shutdown completed   
2024-08-21T18:22:47   Error   apcupsd   Lock file data error:   
            please stop it and run this program again.   
            If apcupsd or apctest is already running,   
            Unable to create UPS lock file.   
2024-08-21T18:22:47   Error   apcupsd   apcupsd FATAL ERROR in apcupsd.c at line 221   
2024-08-21T18:22:47   Error   apcupsd   Lock file data error: 

Others having this issue also?

6
23.7 Legacy Series / BIND error checkhints
« on: December 22, 2023, 03:20:39 pm »
Hi, I am using Bind plugin and noticed this error in the log:

Quote
2023-12-22T14:58:37.242000   general   Warning   checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/A (170.247.170.2) missing from hints

I updated the /usr/local/etc/namedb/named.root file with this latest one:
https://www.internic.net/domain/named.root

and got the error fixed. Have others using Bind experienced the same error? It seems that our default 2017 named.root file in opnsense needed an update?
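As an added example that is not part of the post, this Python snippet reproduces the comparison behind BIND's checkhints warnings: it parses two constructed named.root excerpts (the old and new B-root addresses quoted in the log above) and reports the extra and missing records, so a stale hints file can be spotted before BIND logs it.

```python
from collections import defaultdict

# Constructed excerpts of two named.root hints files in zone-file format: the stale
# 2017-era B-root entries and the B-root entries in the current file from internic.net.
OLD_HINTS = """\
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""
NEW_HINTS = """\
; constructed sample header comment, the real file starts with ';' comments too
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
"""

def parse_hints(text):
    """Return {(owner, rrtype): {rdata}} for the A/AAAA records in a hints file."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments, split on whitespace
        if len(fields) < 4:
            continue
        owner, _ttl, rrtype, rdata = fields[:4]
        if rrtype.upper() in ("A", "AAAA"):
            records[(owner.lower(), rrtype.upper())].add(rdata.lower())
    return records

def checkhints(local_text, current_text):
    """Produce checkhints-style warnings: addresses only in the local file are
    'extra record in hints', addresses only in the current file are 'missing from hints'."""
    local, current = parse_hints(local_text), parse_hints(current_text)
    warnings = []
    for owner, rrtype in sorted(set(local) | set(current)):
        name = f"{owner.rstrip('.')}/{rrtype}"
        have = local.get((owner, rrtype), set())
        want = current.get((owner, rrtype), set())
        for addr in sorted(have - want):
            warnings.append(f"checkhints: {name} ({addr}) extra record in hints")
        for addr in sorted(want - have):
            warnings.append(f"checkhints: {name} ({addr}) missing from hints")
    return warnings

if __name__ == "__main__":
    print("\n".join(checkhints(OLD_HINTS, NEW_HINTS)))
```

Run it with the hints file from /usr/local/etc/namedb/named.root as the local text and the freshly downloaded named.root as the current text to see the same four warnings the log shows.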

7
General Discussion / Solved - Bind DNSSEC localdomain
« on: December 16, 2023, 06:54:42 pm »
I have Bind running and Adguard Home. In Adguard I get a green lock when an external domain of mine is validated with DNSSEC.
Is there a how-to on how to do this with localdomain in Bind, e.g. for localdomain.com?
I would like this to avoid dns sniffing on local connections, has someone experience with this?

thanks for the help!

8
23.7 Legacy Series / cosmetic bug virtual ip's IPv4 not showing on interfaces overview (?)
« on: September 16, 2023, 02:00:25 pm »
I just noticed that on the interfaces overview page (WAN) the IPv4 virtual IPs are not shown under the main WAN IP (under IPv4 address), whereas the IPv6 virtual IPs are still all listed as they used to be (IPv6 address).
It looks like the IPv4 virtual IPs are gone from this overview. The virtual IPs are working perfectly, so it is a cosmetic bug. Do others have this issue also?

p.s. I used this https://forum.opnsense.org/index.php?topic=21207.0 as my interface setup PPPoE

9
General Discussion / solved - Postfix IPv6 TLS error with OPNsense 23.7.4
« on: September 15, 2023, 12:30:11 pm »
I have, for some weeks now, been running Postfix on opnsense. It was working perfectly with IPv4 and IPv6.
Now, after the update to OPNsense 23.7.4, Postfix IPv6 is not working. IPv4 is still good.
I checked with https://www.hardenize.com

And there I saw the error with TLS. See attached picture.
Do others using Postfix and IPv6 have the same errors? Or has something changed with the update to 23.7.4, or did something break my config that was working perfectly before 23.7.4?

When I do the port forward to my mailserver directly instead of postfix, the mail is working. So it has something to do with postfix or opnsense(?)

Solved it: somehow my trusted network ipv6 was missing.

10
23.7 Legacy Series / Bug? Interface error? - OPNsense 23.7.3 - Bind and IPV6 both restarting
« on: September 02, 2023, 04:43:50 pm »
Hi,

I have a weird DHCP and BIND problem running on:
OPNsense 23.7.3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023

I see on the main GUI screen of OPNsense, about every minute, that the DHCPv6 Server turns RED and then restarts and is back up to green. After that the BIND Daemon turns RED and then restarts.

In the DHCP log I see this every time:
Informational   dhcpd   Server starting service.   
Informational   dhcpd   Sending on Socket/8/igb1/2a10:xxxx:xxxx:1::/64   
Informational   dhcpd   Listening on Socket/8/igb1/2a10:xxxx:xxxx:1::/64   
Informational   dhcpd   Bound to *:547   
Informational   dhcpd   Wrote 0 NA, 0 TA, 0 PD leases to lease file.   
Informational   dhcpd   Wrote 0 new dynamic host decls to leases file.   
Informational   dhcpd   Wrote 0 deleted host decls to leases file.   
Informational   dhcpd   For info, please visit https://www.isc.org/software/dhcp/   
Informational   dhcpd   All rights reserved.   
Informational   dhcpd   Copyright 2004-2022 Internet Systems Consortium.
Informational   dhcpd   Internet Systems Consortium DHCP Server 4.4.3-P1   
Informational   dhcpd   PID file: /var/run/dhcpdv6.pid   
Informational   dhcpd   Database file: /var/db/dhcpd6.leases   
Informational   dhcpd   Config file: /etc/dhcpdv6.conf

In the BIND log I see this:

general   Notice   running
general   Notice   all zones loaded
zoneload   Informational   zone x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.ip6.arpa/IN: loaded serial 2308140935
zoneload   Informational   zone 0.ip6.arpa/IN: loaded serial 42
zoneload   Informational   zone localhost/IN: loaded serial 42
zoneload   Informational   zone mydomain.com/IN: loaded serial 2308182130
zoneload   Informational   zone 1.168.192.in-addr.arpa/IN: loaded serial 2308182144
zoneload   Informational   zone x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.ip6.arpa/IN: loaded serial 2308151502
zoneload   Informational   zone 127.in-addr.arpa/IN: loaded serial 42
zoneload   Informational   zone 10.x.xin-addr.arpa/IN: loaded serial 2308140934
zoneload   Informational   managed-keys-zone: loaded serial 6493
general   Notice   exiting
network   Error   automatic interface scanning terminated: end of file
general   Notice   stopping command channel on 127.0.0.1#9530
general   Informational   shutting down: flushing changes
network   Informational   no longer listening on 127.0.0.1#5354
network   Informational   no longer listening on 2a10:xxxx:xxxx:1::#5354
general   Informational   received control channel command 'stop'

Others having this issue also? Any clues on how to fix this?

11
General Discussion / Postfix - Backscatter prevent config GUI how to
« on: August 31, 2023, 06:58:41 pm »
This week I have been setting up and testing Postfix / Rspamd / Redis.
The system is running and I have the Rspamd GUI available for tweaking and monitoring (thanks to this thread: https://forum.opnsense.org/index.php?topic=17569.msg119574 )

Now I came across this site with info about spammers/backscatter : http://www.postfix.org/BACKSCATTER_README.html

How to configure this?

Quote
To block such backscatter I use header_checks and body_checks patterns like this:

    /etc/postfix/main.cf:
        header_checks = pcre:/etc/postfix/header_checks
        body_checks = pcre:/etc/postfix/body_checks

    /etc/postfix/header_checks:
        # Do not indent the patterns between "if" and "endif".
        if /^Received:/
        /^Received: +from +(porcupine\.org) +/
            reject forged client name in Received: header: $1
        /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
            reject forged client name in Received: header: $2
        /^Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^Message-ID:.* <!&!/ DUNNO
        /^Message-ID:.*@(porcupine\.org)/
            reject forged domain name in Message-ID: header: $1

    /etc/postfix/body_checks:
        # Do not indent the patterns between "if" and "endif".
        if /^[> ]*Received:/
        /^[> ]*Received: +from +(porcupine\.org) /
            reject forged client name in Received: header: $1
        /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
            reject forged client name in Received: header: $2
        /^[> ]*Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^[> ]*Message-ID:.* <!&!/ DUNNO
        /^[> ]*Message-ID:.*@(porcupine\.org)/
            reject forged domain name in Message-ID: header: $1


How to config this in Postfix GUI on opnsense?
Does it work as:

    Services: Postfix: Header Checks

adding e.g. Expression: .* <!&!/ DUNNO REJECT
for [while receiving mail]

or how should I do this?
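As an added example (not from this post, the Postfix documentation or the OPNsense plugin), the following Python script parses the header_checks table quoted above, applies it to a few constructed message headers, and shows which ones the patterns would reject and which the DUNNO rule exempts; the if/endif handling and the $1/$2 substitution follow the Postfix pcre table semantics, and porcupine.org stands in for your own domain.

```python
import re

# Constructed copy of the header_checks table quoted above (Postfix BACKSCATTER_README),
# each action on the same line as its pattern (also valid table syntax); porcupine.org
# is the README's example domain, substitute your own.
HEADER_CHECKS = r"""
if /^Received:/
/^Received: +from +(porcupine\.org) +/ reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/ reject forged client name in Received: header: $2
/^Received:.* +by +(porcupine\.org)\b/ reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/ reject forged domain name in Message-ID: header: $1
"""

def parse_table(text):
    """Return ("if"|"endif"|"rule", compiled regex, action) tuples for a pcre: table."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            rules.append(("endif", None, None))
            continue
        m = re.match(r"^(if )?/((?:\\.|[^/])*)/\s*(.*)$", line)
        if not m:
            raise ValueError("unparsable line: " + line)
        # pcre tables match case-insensitively unless a pattern says otherwise
        rules.append(("if" if m.group(1) else "rule", re.compile(m.group(2), re.I), m.group(3)))
    return rules

def check_header(rules, header):
    """Reject text for one header line, or None: first match wins, a non-matching
    'if' skips to its 'endif', and DUNNO stops the search with no action."""
    skip = 0
    for kind, regex, action in rules:
        if skip:  # inside a non-matching if-block: track nesting until its endif
            skip += (kind == "if") - (kind == "endif")
        elif kind == "if":
            skip = 0 if regex.search(header) else 1
        elif kind == "rule" and (m := regex.search(header)):
            if action.upper() == "DUNNO":
                return None
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
    return None

# Constructed sample headers: two forged Received: lines, a forged Message-ID, and an
# Outlook-style "<!&!" Message-ID that the DUNNO rule exempts from the domain check.
SAMPLE_HEADERS = [
    "Received: from porcupine.org (unknown [192.0.2.10]) by mx.example.net",
    "Received: from mail.example.com (HELO porcupine.org) by mx.example.net",
    "Message-ID: <1234@porcupine.org>",
    "Message-ID: <!&!AAAA@porcupine.org>",
]

def scan_headers(headers, table=HEADER_CHECKS):
    """Return {header: reject text} for every header the table rejects."""
    rules = parse_table(table)
    return {h: a for h in headers if (a := check_header(rules, h))}
```

Calling scan_headers(SAMPLE_HEADERS) returns the three forged headers with their reject texts and leaves out the DUNNO-exempted one, which is the behaviour the GUI expression should reproduce.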

12
23.7 Legacy Series / Checking integrity... done (23 conflicting)
« on: August 12, 2023, 05:17:57 pm »
Just did a [run an audit - Upgrade] and noticed the below conflicts. How to solve this?

Quote
Checking integrity... done (23 conflicting)
- php82-pear-Crypt_CHAP-1.5.0_1 [OPNsense] conflicts with php81-pear-Crypt_CHAP-1.5.0_1 [installed] on /usr/local/share/pear/Crypt/CHAP.php
- php82-zlib-8.2.8 [OPNsense] conflicts with php81-zlib-8.1.20 [installed] on /usr/local/etc/php/ext-20-zlib.ini
- php82-dom-8.2.8 [OPNsense] conflicts with php81-dom-8.1.20 [installed] on /usr/local/etc/php/ext-20-dom.ini
- php82-pdo-8.2.8 [OPNsense] conflicts with php81-pdo-8.1.20 [installed] on /usr/local/etc/php/ext-20-pdo.ini
- php82-mbstring-8.2.8 [OPNsense] conflicts with php81-mbstring-8.1.20 [installed] on /usr/local/etc/php/ext-20-mbstring.ini
- php82-ldap-8.2.8 [OPNsense] conflicts with php81-ldap-8.1.20 [installed] on /usr/local/etc/php/ext-20-ldap.ini
- php82-phpseclib-3.0.19 [OPNsense] conflicts with php81-phpseclib-3.0.19 [installed] on /usr/local/share/phpseclib/Common/Functions/Strings.php
- php82-gettext-8.2.8 [OPNsense] conflicts with php81-gettext-8.1.20 [installed] on /usr/local/etc/php/ext-20-gettext.ini
- php82-ctype-8.2.8 [OPNsense] conflicts with php81-ctype-8.1.20 [installed] on /usr/local/etc/php/ext-20-ctype.ini
- php82-pear-1.10.13 [OPNsense] conflicts with php81-pear-1.10.13 [installed] on /usr/local/bin/pear
- php82-session-8.2.8 [OPNsense] conflicts with php81-session-8.1.20 [installed] on /usr/local/etc/php/ext-18-session.ini
- php82-simplexml-8.2.8 [OPNsense] conflicts with php81-simplexml-8.1.20 [installed] on /usr/local/etc/php/ext-20-simplexml.ini
- php82-curl-8.2.8 [OPNsense] conflicts with php81-curl-8.1.20 [installed] on /usr/local/etc/php/ext-20-curl.ini
- php82-pecl-radius-1.4.0b1_2 [OPNsense] conflicts with php81-pecl-radius-1.4.0b1_2 [installed] on /usr/local/etc/php/ext-20-radius.ini
- php82-phalcon-5.2.3 [OPNsense] conflicts with php81-phalcon-5.2.2 [installed] on /usr/local/etc/php/ext-30-phalcon.ini
- php82-google-api-php-client-2.4.0 [OPNsense] conflicts with php81-google-api-php-client-2.4.0 [installed] on /usr/local/share/google-api-php-client/CODE_OF_CONDUCT.md
- php82-sockets-8.2.8 [OPNsense] conflicts with php81-sockets-8.1.20 [installed] on /usr/local/etc/php/ext-20-sockets.ini
- php82-8.2.8 [OPNsense] conflicts with php81-8.1.20 [installed] on /usr/local/bin/php
- php82-sqlite3-8.2.8 [OPNsense] conflicts with php81-sqlite3-8.1.20 [installed] on /usr/local/etc/php/ext-20-sqlite3.ini
- php82-xml-8.2.8 [OPNsense] conflicts with php81-xml-8.1.20 [installed] on /usr/local/etc/php/ext-20-xml.ini
- php82-pecl-mcrypt-1.0.6 [OPNsense] conflicts with php81-pecl-mcrypt-1.0.6 [installed] on /usr/local/etc/php/ext-20-mcrypt.ini
- php82-opcache-8.2.8 [OPNsense] conflicts with php81-opcache-8.1.20 [installed] on /usr/local/etc/php/ext-10-opcache.ini
- php82-filter-8.2.8 [OPNsense] conflicts with php81-filter-8.1.20 [installed] on /usr/local/etc/php/ext-20-filter.ini

13
Virtual private networks / Wireguard-go VS Wireguard-kernel plugin
« on: August 02, 2023, 07:00:13 am »
I have been running wireguard-go for quite some time with no problems at all. I use it as always-on on our mobile devices like the iPhones (iOS) (everywhere using DNS/Adguard Home).

Now I have been trying to use the wireguard-kernel version. At first it works flawlessly. But after some time (after the mobile device / iPhone has not been used for some time / 10 mins, and is used again) the VPN connection is still there, but there is no data, no internet data. Seems like the tunnel stalls...

I found out that when configuring Endpoints - Keepalive Interval set at 25, the wireguard-kernel keeps working (just like the go version).

Now I wonder, why is it that I have to add a keepalive in the kernel version? Is this a bug? The go version has, I think, the default setting of Keepalive Interval = 0, but I can not enter 0 in the endpoint config.

If the only solution is using a Keepalive Interval, what is the best interval setting to use? e.g. 25 or other number?

Others having this issue also? Thanks for the help!

14
23.1 Legacy Series / after update Nginx won't start error (OPNsense 23.1.10-amd64)
« on: June 22, 2023, 11:32:32 am »
After updating to OPNsense 23.1.10-amd64 and a forced reboot, nginx won't start.
First it was because of Naxsi rules (1500, 1000 etc.); after disabling them, it still won't start:

nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
nginx: [emerg] unknown directive "vhost_traffic_status_zone" in /usr/local/etc/nginx/opnsense_http_vhost_plugins/vts.conf:1

But I do not know what is meant by this. Before OPNsense 23.1.10-amd64 it was working, and no changes in config other than now disabling some Naxsi rules....

Others having issues with nginx after updating also?

15
General Discussion / Does a virtual-ip with firewall rule -this firewall- not work?
« on: June 21, 2023, 05:30:19 pm »
I have nginx installed on opnsense with: firewall - rules - wan - destination "this firewall" port 80 and one with port 443.
This works with the opnsense-router/ISP IP and with IPv6, but I have added a virtual IP (VIP) for IPv4 and IPv6 to opnsense, and this firewall rule does not work for the VIP IPv4?
Is that normal behavior? I would have expected it to work, since virtual IPs bind to the WAN?

I have made a workaround for this by adding a firewall-NAT-portforward rule- with destination "Virtual ip" and port 80 and one for port 443 both to Redirect target IP [Opnsense LAN ip / 192.168.1.1], that works...
But is that how it should be?

Anybody else with this behavior? Or knows how to fix this with VIP IPv4?
