Topics - jimcease

#1
Good morning,
I upgraded from opnsense 25.1 to 25.7.1 this morning and post upgrade I get stuck with this message masks 0x00ff0000, 0x0000ff00, 0x000000ff, 0xff000000.  I can get my system up but I have to boot previous kernel.  How can I tell what is causing my issue from booting the new version?  Thanks in advance for your assistance as it is much appreciated.  I am running a newer Intel CPU.  Could it be the cpu microcode?
#2
About a week ago I attempted an upgrade from 25.1 from the GUI; upon reboot I would receive a PHP error right after the firewall started loading. I then downloaded a new image to USB and did a fresh install and restore, and I was back up and running. Today I noticed that some of my plugins won't update until I update the OPNsense version. I again attempted this, but again I would receive an error when the firewall was loading. Luckily I had a snapshot and I reverted back to a working condition. How can I find out why this is occurring? How large should the config.xml be? Am I allowed to post my XML to have someone take a look? Should I do a factory reset, upgrade, and then restore? I am lost ...
#3
General Discussion / DNScrypt Not Starting
October 18, 2024, 02:38:29 PM
Good morning,
I am having issues getting DNSCrypt running. I am seeing different things. Why do folks not leverage the WebUI to configure DNSCrypt? It seems like people are using the manual way to run DNSCrypt; why is that? Are there issues with the WebUI correctly modifying the toml file? It also appears that this service collects servers on the fly and you try to pare down the server list? What is the difference between the server entries on the setup versus the servers on the Servers tab for DNSCrypt? Should one disable Unbound when leveraging DNSCrypt? My apologies as I am a newb. Any information would be greatly appreciated. Is there a definitive guide on setting up DNSCrypt?

Thanks,
Jim
#4
First, I am very new to this stuff. I am working on getting DNSCrypt working in OPNsense. I was having trouble getting it to work via the web interface. I went through removing the GUI package and adding the package from the command line (pkg install dnscrypt-proxy2). I was seeing that folks have potential issues with the toml file, especially after firmware upgrades, with the toml potentially being overwritten.

Would the following work?

1.  Make a backup of the working file.
    cp /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup

2.  Create a hash of this backup.
    # -q prints only the digest; this is the format the script below compares against and rewrites
    sha256 -q /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup > /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash

3.  Create a script called pre_dnscrypt_start.sh which essentially compares the hash of the backup to the current file and, if they are different, copies the backup file over the current file.
    #!/bin/sh

    # Paths to the working config, backup, and hash in the correct directory
    WORKING_FILE="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
    BACKUP_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup"
    HASH_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash"

    # Determine if sha256 (BSD) or sha256sum (GNU) is available
    if command -v sha256 >/dev/null 2>&1; then
        HASH_CMD="sha256 -q"
    elif command -v sha256sum >/dev/null 2>&1; then
        HASH_CMD="sha256sum"
    else
        echo "Error: Neither sha256 nor sha256sum found on this system."
        exit 1
    fi

    # Without a backup and its hash there is nothing to compare or restore;
    # exit 0 so the service still starts with whatever config is present
    if [ ! -f "$BACKUP_FILE" ] || [ ! -f "$HASH_FILE" ]; then
        echo "Warning: backup or hash file missing, skipping config check."
        exit 0
    fi

    # Generate the current hash of the working file (awk keeps only the digest for sha256sum output)
    CURRENT_HASH=$($HASH_CMD "$WORKING_FILE" | awk '{print $1}')

    # Retrieve the known-good hash; the hash file holds only the digest (written with sha256 -q)
    KNOWN_HASH=$(awk '{print $1}' "$HASH_FILE")

    echo "Current Hash: $CURRENT_HASH"
    echo "Known Hash: $KNOWN_HASH"

    # Compare the hashes
    if [ "$CURRENT_HASH" != "$KNOWN_HASH" ]; then
        echo "DNSCrypt config is corrupted or overwritten, restoring from backup..."
        cp "$BACKUP_FILE" "$WORKING_FILE"
        # Regenerate the hash after restoring
        $HASH_CMD "$BACKUP_FILE" | awk '{print $1}' > "$HASH_FILE"
    else
        echo "DNSCrypt config is valid, no need for restore."
    fi

4.  Add this script to the startup script for /usr/local/etc/rc.d/dnscrypt-proxy
    start_cmd="${name}_start"
    start_precmd="${name}_prestart"

    # Run the pre-startup check before starting dnscrypt-proxy. Hooking it in as
    # start_precmd (rather than calling the script at the top of the rc file) means
    # it runs only on "start", not on "stop" or "status".
    dnscrypt_proxy_prestart()
    {
        /usr/local/bin/pre_dnscrypt_start.sh
    }

    dnscrypt_proxy_start()
    {
        echo "Starting dnscrypt-proxy..."
        ${command} ${dnscrypt_proxy_flags}
    }
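As an added example, not from Jim's post and not OPNsense's or dnscrypt-proxy's own code: the same check written as functions that take their paths as parameters, tolerate whichever format the hash file was written in (bare digest, sha256sum's "digest  name", or BSD sha256's "SHA256 (name) = digest"), refuse to act when the backup is missing, and report the outcome through the exit status. The demo at the end runs on scratch files with a constructed config line.

```shell
# Print the bare SHA-256 of a file with whichever tool the host has
# (BSD `sha256 -q` prints only the digest; GNU `sha256sum` prints "digest  name").
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Pull the digest out of a stored hash file regardless of how it was written:
# a bare digest, "digest  name", or "SHA256 (name) = digest". Returns lowercase hex.
stored_digest() {
    tr -d '\r' < "$1" | grep -oE '[0-9a-fA-F]{64}' | head -n 1 | tr 'A-F' 'a-f'
}

# Compare the live config with the stored digest and restore the backup on drift.
# Exit status: 0 unchanged, 1 restored from backup, 2 backup or hash file missing.
restore_if_drifted() {
    live="$1"; backup="$2"; hashfile="$3"
    [ -f "$backup" ] && [ -f "$hashfile" ] || return 2
    current=$(file_digest "$live")
    known=$(stored_digest "$hashfile")
    if [ "$current" = "$known" ]; then
        return 0
    fi
    cp "$backup" "$live"
    file_digest "$backup" > "$hashfile"   # rewrite the hash file as a bare digest
    return 1
}

# Demo on scratch files (constructed sample config, not a real dnscrypt-proxy.toml).
demo() {
    d=$(mktemp -d)
    printf 'server_names = ["example-resolver"]\n' > "$d/live.toml"
    cp "$d/live.toml" "$d/backup.toml"
    # Hash file deliberately written in BSD `sha256` format to exercise the parser
    printf 'SHA256 (backup.toml) = %s\n' "$(file_digest "$d/backup.toml")" > "$d/config.hash"
    rc=0; restore_if_drifted "$d/live.toml" "$d/backup.toml" "$d/config.hash" || rc=$?
    echo "untouched config -> rc=$rc"
    printf 'server_names = []\n' > "$d/live.toml"   # simulate an upgrade overwriting it
    rc=0; restore_if_drifted "$d/live.toml" "$d/backup.toml" "$d/config.hash" || rc=$?
    echo "overwritten config -> rc=$rc"
    rm -rf "$d"
}
demo
```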
#5
Good afternoon,
I am using DoT and using a NAT rule to forward from all interfaces, any port, any source, to all interfaces.net port 53 to 127.0.0.1 port 53 [Redirect internal DNS to internal DNS Resolver]. I see a message in the firewall for 127.0.0.1 Redirect internal DNS to internal DNS Resolver, but from the address of the interface it is blank. Is this normal behavior? Thanks in advance for any advice or assistance. I am new to this; it has been a nice learning experience so far.

Jim
#6
General Discussion / OPNsense IPv4 only -
October 10, 2024, 01:55:20 PM
Good morning,
I have a question. Is there a way to turn off IPv6? Each interface is set to none for IPv6. I don't see an option in Advanced to turn off IPv6. Is there a file (or files) that can be modified to turn off IPv6? Thanks in advance for your input.

Jim
#7
Good morning,
I am looking for a good recommendation for an M.2 A+E card to add an Ethernet port to a new build. I am thinking that the Intel I225-V B3 should be OK, but the other option is the RTL8111E/F. Any recommendations on what will work right out of the box? Thank you in advance for your assistance.
#8
First let me say I am not an HTML coder by any means, but I have been working with ChatGPT for a bit on developing seasonal and holiday-based pages for a home guest network. I actually, with the help of ChatGPT, developed a calendar to display a theme- or holiday-based login page. Went back and forth making modifications, but it came down to making simple changes in the index and style files, and I always seem to get a 404 once you click login. I am unsure if it is some sort of redirection or coding being missed. Any insight?
#9
Background: just built an M720q Tiny, Intel 8500T, 16 mb ram, 256 GB SSD, and am bringing up a TP-Link TL-SG1016DE. I am a newb and am scheduling the cut-over before my family wakes up on Saturday morning. I need to make sure Plex, IP cam, printing, and consoles work as expected. Once the wired network is verified working I will convert the ASUS GT-AX11000 to AP mode. OPNsense will be connected to Xfinity Internet and get a public IP.

So far I have created VLANs with some rules:
LAN:   192.168.1.1/24   Where network equipment will reside; main PC will be moved to the User VLAN once all is working
Plex:  192.168.10.1/24  This is where my Plex server will reside; created an alias called Plex
User:  192.168.20.1/24  This is where all PC equipment will be located
IOT:   192.168.30.1/24  This is where all my phones, streaming devices, printer, and gaming consoles live; aliases for consoles and printer
Guest: 192.168.40.1/24  All guest devices will connect here
IPCam: 192.168.50.1/24  IP camera lives here; alias IPCam

https://photos.app.goo.gl/3syMwEqEujLw6Mbg8   LAN
https://photos.app.goo.gl/9FzFpDpLALsahjzX8   User VLAN
https://photos.app.goo.gl/peZFfcdAbdiy5sqX6   Plex VLAN
https://photos.app.goo.gl/edGse7WBfuAaL7fJ8   IOT VLAN
https://photos.app.goo.gl/3ESN8CXKLrhVjRqA6   Guest VLAN
https://photos.app.goo.gl/LujiihVcQqmH8cGM7   IPCam VLAN


https://photos.app.goo.gl/kK9z6zJyk1Y5nw7u5   NAT Type 2 Rule

The next question is DNS: should I start open and then try DoT?
DoT: https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/
Force local resolver: https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/

After I verify that all is working, should I attempt to implement:
Antivirus: https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html
IP block and GeoIP block: https://windgate.net/opnsense-ip-blocklists-and-geo-ip-block-to-enhance-security-against-malicious-attacks/

First, thanks for verifying my thinking as I am really new and trying to learn things quickly. Thanks for taking the time and sharing your knowledge with me. Lastly, my apologies as I could not figure out how to get the images to post, so I added links to them. Again, I greatly appreciate your help, and so will my family when things are working.

#10
First let me say that this is my first time creating my own router and network setup. I am going with a Lenovo M720q 8500T 16gm RAM, ASUS AX11000 (WAP mode), and TP-Link TL-SG1016DE setup. I am going to set up a few VLANs as such:
1 default, 10 Server, 20 User, 30 IOT, 40 Guest, 50 IPCam. My first question is the LAGG protocol. From my reading of this switch it will only support a static LAGG as it does not support LACP, so I would choose the loadbalance protocol. Can someone explain if I am interpreting this correctly and the benefits of doing so?
My next question is that I select tagged ports on the switch, being 1 uplink port, the two LAGG ports, the WAP port, and untagged port(s) for the specific VLAN.

I appreciate your response and thanks in advance for the insight.  Forgive my ignorance as I am a NEWB.