Messages - JasMan

#16
Check if Unbound resolves to the correct IP address: nslookup [OPNsense FQDN] [OPNsense MGMT Interface IP]
If yes, then the PiHole seems to have a (static) record which resolves to the wrong IP address.

I've enabled the "Do not register system A/AAAA records" under Services: Unbound DNS: General, and created a static record in Unbound for my OPNsense.

If "Do not register system A/AAAA records" is disabled, Unbound registers the configured name under "System: Settings: General" for all listening interfaces.

#17
Remove the "Quick" setting in the automation rule. Then the rule will match last.

Or create an Internet alias for all non-private addresses and add it as destination in the rule:

IPv4

!192.0.2.0/24
!198.51.100.0/24
!203.0.113.0/24
!169.254.0.0/16
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
!0.0.0.0/8
!100.64.0.0/10
!127.0.0.0/8
!192.0.0.0/24
!192.88.99.0/24
!198.18.0.0/15
!233.252.0.0/24
!224.0.0.0/4
!240.0.0.0/4
0.0.0.0/0

IPv6

!2001:db8::/32
!::/0
!::/128
!::1/128
!::ffff:0:0/96
!::ffff:0:0:0/96
!64:ff9b::/96
!64:ff9b:1::/48
!100::/64
!2001:0000::/32
!2001:20::/28
!2002::/16
!fc00::/7
!fe80::/64
2000::/3
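
The IPv4 part of the alias above, worked through as an added example (not from the thread): it assumes the alias semantics are "included networks minus every '!' network", expands that into the prefix list the firewall would load, and tells you whether a given destination counts as Internet.

```python
import ipaddress

# IPv4 body of the alias from the post above; "!" marks an excluded network.
INTERNET_V4_ALIAS = """
!192.0.2.0/24
!198.51.100.0/24
!203.0.113.0/24
!169.254.0.0/16
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
!0.0.0.0/8
!100.64.0.0/10
!127.0.0.0/8
!192.0.0.0/24
!192.88.99.0/24
!198.18.0.0/15
!233.252.0.0/24
!224.0.0.0/4
!240.0.0.0/4
0.0.0.0/0
"""

def parse_alias(text):
    """Split alias lines into (included, excluded) network lists."""
    included, excluded = [], []
    for line in text.split():
        target = excluded if line.startswith("!") else included
        target.append(ipaddress.ip_network(line.lstrip("!"), strict=False))
    return included, excluded

def expand_alias(included, excluded):
    """Carve excluded networks out of included ones (assumed include-minus-exclude semantics)."""
    result = list(included)
    for ex in excluded:
        kept = []
        for net in result:
            if net.subnet_of(ex):          # swallowed entirely by the exclusion
                continue
            if ex.subnet_of(net):          # exclusion sits inside: split around it
                kept.extend(net.address_exclude(ex))
            else:                          # disjoint: keep unchanged
                kept.append(net)
        result = kept
    return sorted(ipaddress.collapse_addresses(result))

def matches_alias(addr, alias_text=INTERNET_V4_ALIAS):
    """True when addr would hit the alias, i.e. it is a public Internet address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in expand_alias(*parse_alias(alias_text)))
```

The IPv6 list works the same way under these assumed semantics; note that a bare `!::/0` line would exclude the whole IPv6 space, so check the resulting prefix list rather than trusting the alias body by eye.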
#18
Same issue.

It seems that whitelisting of a wildcard domain from the OISD list doesn't work.

I added different domains from the OISD list (https://big.oisd.nl/domainswild) to the whitelist as example. When I try to resolve them I'm still getting 0.0.0.0 for A records, and an empty response for CNAMEs from the server.

The Unbound Report shows the A query as blocked, but the button at the end of the line says "Block Domain" instead of "Whitelist Domain".
Whitelisted CNAME queries are not shown in the report.

Bug? Expected behaviour?


#19
No one?  :-\
#20
YAY! It's working again!  :)

WG traffic is inspected and blocked as before the OPNsense update. Thanks a lot for your support!
#21
Quote from: wirefall on August 31, 2023, 04:07:38 PM
Any news regarding this issue? I also have the same here, no wireguard traffic in Zenarmor, engine stops with same alert "Cannot validate interface:..." so I always have to restart...

Opnsense 23.7.3
os-wireguard 2.0_2
os-sensei 1.14.5

Thanks a lot!

If you want to use Zenarmor with WG, you have to install Wireguard Go instead of Wireguard (remove os-wireguard, install os-wireguard-go (System: Firmware -> Packages))

Zenarmor is currently not able to detect the WG Kernel Module interfaces. I guess this will resolve your "Cannot validate interface" issue.

The issue that we have is, that Zenarmor is able to detect the WG interfaces, but it can't inspect the traffic due to the missing TUN  patch.
#22
Quote from: franco on August 26, 2023, 08:47:02 PM
Who should I talk to instead?  8)

I guessed it was a question for another dev. Because I understood your presumption, but I don't know how to check if the missing patch is the reason for the issue.

Anyway, thank you guys for taking care of it.
#23
Yep, with the emulated mode the downtime is near zero, and no errors appear in the log ( found no suitable IPv4 address )
#24
Uhm, is this a question to us users? I hope not  ;D

Can we test it or provide logs to check this?
#25
Hi mb.

IPv6 is enabled for all interfaces in tracking mode.


#26
Hi,

For some months I have noticed that my OPNsense needs a long time until all services are fully up after a complete reboot (up to 10 minutes).
The other day I noticed the same behaviour when I restarted the Zenarmor engine.

Today I found some time to dig into this.

When I restart the Zenarmor engine, several services like Unbound and NTP stop and start several times immediately after Zenarmor is up again.
The log shows a lot of the following errors for this range of time:

/usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on INTERFACE_NAME

When all calmed down, everything works fine.

I played around and found out that this issue is solved as soon as I choose the emulated netmap driver for Zenarmor.
The interfaces of my system are all Intel I211.

Is this an expected behaviour when the hardware/driver doesn't support the native netmap driver? Or did I configure something wrong?


Jas Man
#27
Same issue at my OPNsense.
I can see the traffic load on the dashboard, but no connection details in the live view.
The rules aren't applied to the Wireguard traffic.  :(
#28
Hi,

I'm curious if there's a syntax for the log filters in OPNsense, or if I can filter for a single character / word / phrase only?

Currently I want to filter for today's warning messages in the dashboard system log widget to save space. Is it possible? I can't find any documentation about the filter syntax.

Jas Man
#29
23.1 Legacy Series / Re: Blocking specific TLD
May 28, 2023, 04:12:48 PM
I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP which refuses (not blocks!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).
#30
Hi all,

I had an issue after my ISP changed the IPv6 prefix of my Internet line. None of my clients were able to establish an IPv6 connection.

I did a packet capture and noticed that my clients always received four DHCPv6 advertisements in response to their solicit. Three of them contained the previous IPv6 address with the old prefix. Only one contained the new address/prefix.

The clients requested the address of the first advertisement, which was always the old address. The request was (of course) denied by OPNsense because of the wrong prefix (status code 13, NotOnLink). Result: no IPv6 connection.

I was wondering why the clients always got four advertisements. Then I noticed that the process list showed four DHCPv6 instances. That's the same number of enabled IPv6 interfaces on my OPNsense (one static, three with DHCP enabled).
I decided to disable IPv6 on one of the interfaces, and after that the clients received "only" three advertisements.

I'm pretty sure that this is a bug, because I see only one DHCPv4 instance for my five IPv4 interfaces. I guess that only one DHCPv6 instance was notified about the new prefix, and the other ones used the old one. After I rebooted OPNsense, all advertisements contained the new prefix/address.

If I'm right and this is a bug, I'm wondering why nobody else has noticed this before, because many users would then have the same issue after a prefix change.

I would like to be sure that this isn't a configuration issue. Therefore, could somebody please check if her/his OPNsense also has more than one DHCPv6 instance running if more than one interface uses IPv6? Would be great :-)

Thank you.
Jas