OPNsense Forum
Show Posts

Messages - CJ

Pages: 1 ... 6 7 [8] 9 10 ... 56
106
24.1 Legacy Series / Re: Unbound keep crashing
« on: February 18, 2024, 10:13:27 pm »
While I don't run all of the blocklists, I do run several as well as my own custom lists.

What are you seeing in the logs?  What symptoms are you seeing?  What plugins are you using?

107
24.1 Legacy Series / Re: can not reach web UI from different subnet than LAN
« on: February 18, 2024, 10:11:32 pm »
Post a screenshot of your rules.

108
General Discussion / Unbound, DNSSEC, and Resolution Weirdness
« on: February 17, 2024, 03:58:11 pm »
Ran into an interesting situation yesterday.  Was researching switches and when I attempted to go to www.trendnet.com it didn't work.  Unbound was returning NXDOMAIN.  trendnet.com resolved, but since it redirects to www.trendnet.com I still couldn't get to the site.

After a bit of troubleshooting, here's what appears to have happened.  One of the IPv4 resolvers of Quad9 wasn't resolving the domain.  The other IPv4 resolver and both IPv6 resolvers worked correctly.  Looking through the Unbound logs, the only reference I can find is where the problem resolver shows "nodata proof failed" for the domain.

I have Quad9 set up via DoT and DNSSEC support turned on.  While digging through the Quad9 site, they mention that they don't recommend enabling DNSSEC as it can cause false BOGUS responses.  https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-dnssec-validation  Turning off DNSSEC did allow Unbound to start returning an IP for the domain.

Today the oddness continues.  Now the other IPv4 resolver isn't returning a result for the domain.  But only on 53.  DoT returns a valid IP.  Delv shows that the NXDOMAIN is a valid result.  I'm not sure how to get it to validate DoT.

Code:
; <<>> DiG 9.18.18-0ubuntu2.1-Ubuntu <<>> @9.9.9.9 www.trendnet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11260
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.trendnet.com. IN A

;; AUTHORITY SECTION:
trendnet.com. 2257 IN SOA NS65.WORLDNIC.com. namehost.WORLDNIC.com. 123110920 10800 3600 604800 3600

;; Query time: 15 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Feb 17 09:41:11 EST 2024
;; MSG SIZE  rcvd: 104

Code:
;; resolution failed: ncache nxdomain
; negative response, fully validated
; www.trendnet.com. 2426 IN \-ANY ;-$NXDOMAIN
; trendnet.com. SOA NS65.WORLDNIC.com. namehost.WORLDNIC.com. 123110920 10800 3600 604800 3600
; trendnet.com. RRSIG SOA ...
; trendnet.com. RRSIG NSEC ...
; trendnet.com. NSEC trendnet.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CAA

Code:
; <<>> DiG 9.18.18-0ubuntu2.1-Ubuntu <<>> @9.9.9.9 www.trendnet.com +tls
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64722
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.trendnet.com. IN A

;; ANSWER SECTION:
www.trendnet.com. 6704 IN A 38.122.20.251

;; Query time: 35 msec
;; SERVER: 9.9.9.9#853(9.9.9.9) (TLS)
;; WHEN: Sat Feb 17 09:42:22 EST 2024
;; MSG SIZE  rcvd: 61

I'm not sure what mechanism Unbound uses to choose from the results provided by upstream resolvers, especially when DNSSEC is enabled.  I have the validation logging set to 2 but the general log at the default 1 and there's not anything indicating what the issue is.  I've increased the logging to the maximum to see if I can determine the cause.

Has anyone else encountered something similar or do you have any additional troubleshooting suggestions?  Unfortunately, it's a bit of a moving target as I don't know why or when Quad9 is going to return a valid result or not.
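
As an added example (not part of CJ's post, and not code from OPNsense, Unbound or Quad9), the following stdlib-only Python script does what the dig and delv runs above do by hand: it sends the same question to one resolver over UDP/53 and over DoT/853 with the EDNS DO bit set, decodes the rcode, the AD flag, any A records and the RR types in the AUTHORITY section, and lists where the two transports disagree. The resolver address 9.9.9.9 and the TLS name dns.quad9.net used in the live run are assumed values; build_response() only fabricates sample replies so the parser and comparison can be exercised offline.

```python
import socket
import ssl
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
RRTYPES = {1: "A", 6: "SOA", 46: "RRSIG", 47: "NSEC", 50: "NSEC3"}
FLAG_AD = 0x0020  # "answer authenticated" (RFC 4035); only meaningful when DO was set

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=1, qid=0x1234):
    """RD set, one question, one EDNS0 OPT RR (udp size 1232) with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:  # compression pointer: remember where we left off, then jump
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode())
        off += l
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(msg):
    """Return rcode, AD flag, A records from ANSWER and RR types seen in AUTHORITY."""
    qid, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
           "ad": bool(flags & FLAG_AD), "a": [], "authority": []}
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for section, count in (("a", an), ("authority", ns)):
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if section == "a" and rtype == 1:
                out["a"].append(socket.inet_ntoa(rdata))
            elif section == "authority":
                out["authority"].append(RRTYPES.get(rtype, str(rtype)))
    return out

def compare(udp, dot):
    """List the ways two responses for the same question disagree."""
    diffs = ["%s: udp=%s dot=%s" % (k, udp[k], dot[k]) for k in ("rcode", "ad") if udp[k] != dot[k]]
    if sorted(udp["a"]) != sorted(dot["a"]):
        diffs.append("A records: udp=%s dot=%s" % (udp["a"], dot["a"]))
    return diffs

def query_udp(server, qname, port=53, timeout=3):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        return parse_response(s.recv(4096))

def query_dot(server, qname, sni, port=853, timeout=5):
    """RFC 7858: TLS on 853, every DNS message prefixed with a 2-byte length."""
    q = build_query(qname)
    ctx = ssl.create_default_context()  # verifies the resolver's certificate against sni
    with socket.create_connection((server, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("DoT connection closed before a full reply")
            buf += chunk
        return parse_response(buf[2:2 + struct.unpack("!H", buf[:2])[0]])

def build_response(qname, rcode, ad, a_records=(), authority_types=()):
    """Constructed sample replies for offline testing; not real captures from any resolver."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode  # QR RD RA (+AD), rcode in the low nibble
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), len(authority_types), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in a_records:  # \xc0\x0c = compression pointer to the QNAME at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 6704, 4) + socket.inet_aton(ip)
    for rtype in authority_types:  # empty RDATA is enough for the parser above
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 2257, 0)
    return msg

if __name__ == "__main__":  # live check; 9.9.9.9 and dns.quad9.net are assumed values
    u, d = query_udp("9.9.9.9", "www.trendnet.com"), query_dot("9.9.9.9", "www.trendnet.com", "dns.quad9.net")
    print("udp:", u, "\ndot:", d, "\ndiscrepancies:", compare(u, d) or "none")
```

Run it a few times in a row, since the post describes a result that changes between resolvers and over time. Treat the output as a diagnostic rather than a verdict: the AD bit in a plain UDP reply is only as trustworthy as the path to the resolver, which is exactly why a validating Unbound does its own DNSSEC validation instead of trusting the forwarder's AD, and why a local "nodata proof failed" can coincide with a clean-looking NXDOMAIN from the forwarder.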

109
Tutorials and FAQs / Re: Possible way to Automate gateway switching according to IP Bandwidth usage?
« on: February 16, 2024, 08:36:04 pm »
I'm wondering how well that would work.  With the prevalence of things like AWS it could be painful to try and determine what software needs what.

110
Tutorials and FAQs / Re: Possible way to Automate gateway switching according to IP Bandwidth usage?
« on: February 14, 2024, 03:47:39 pm »
https://lancache.net/

I've never really looked into it as I don't have a need for it.

111
General Discussion / Re: Single Network Interface Card (NIC) Correct VLAN Setup
« on: February 14, 2024, 03:45:27 pm »
Quote from: bangersandmash on February 14, 2024, 02:15:22 am
I am repurposing a mini PC for the task which has just one NIC. I did purchase a USB 3.0 NIC (UGREEN model FBA_20256) but it was totally unreliable and caused everything to hang.

This single NIC solution is working with test speeds comparable with what I had with my ISP's router so it seems viable provided it is secure.  Do you feel that my setup is not secure?

NICs are cheap enough that I just prefer the reduced complexity of not having to worry if I have the VLANs configured correctly, etc.  One less thing to think about.

112
Tutorials and FAQs / Re: Possible way to Automate gateway switching according to IP Bandwidth usage?
« on: February 13, 2024, 06:43:41 pm »
Quote from: Ahmedbasma1 on February 13, 2024, 06:29:09 pm
Hello CJ

We’ve been running a 3 Multiwan setup due to the very slow speed and instability of internet provided in Egypt.
We are a simple gaming cafe, however due to instability and a lot of limitations on internet usage and speed from our ISPs we thought of using multiwan setup

This helps us put some of our clients on whichever optimal connection
For example:
Some of our clients get into ranked/competitive games but the ping is unplayable on a certain connection. So we can transfer this client to another WAN which gives better results for ping.

Also due to restricted amount of gigabytes to use through the month (limited quota )
We figured that if we use this multiwan setup to merge or loadbalance all 3 wans that would give us better speed and less usage on each individual WAN.

That’s the whole idea. It’s not that we want to do crazy things but we’re just trying to make what we have better.

Ah, that makes total sense.  Thanks for providing the info. :)

On a side note, I assume you are using things like lancache in order to speed up your installs and reduce your quota usage, but if not, you should definitely look into that.

113
Hardware and Performance / Re: Upgrade path from quad port 1G Intel NIC
« on: February 13, 2024, 06:40:42 pm »
Quote from: netnut on February 13, 2024, 05:54:58 pm
I understand the 2.5Gb FoMo, but you will be disappointed...

That 1G AP ethernet port will be sufficient for many years to come in an average (power) home network. Not that much AX (6) or BE (7) WiFi client chipsets yet and most are max 2x2 MIMO. I'm using an (old) MacBook from 2015 which actually does 3x3 MIMO AC (5) and so connects with full 1300Mb on a AX (6) AP. Well, it's wireless so it maxes out at around 700Mb, more than enough for 1Gb.

Your 10Gb plan makes much more sense, even if you need some more time to deal with the costs. It will make you happier in the long run...  8)

Oh, I freely admit that moving from 1G to 2.5G on a home AP will likely have negligible impact on my experience. :D  I still think it's wrong for companies to put out APs that support these faster standards and only include a 1G port.  Same with TV and STB companies only putting 100M ports on things.

I'm already running 10G on my wired LAN, but it's all unmanaged.  Part of this whole situation is me completely redesigning the network from the ground up to take advantage of VLANs, etc.

My big concern with the AP is more making sure all of the various devices aren't fighting over the same 1G pipe.  Just because I might only see 700M max on one device doesn't mean I won't have bandwidth contention when connecting two of them to the same AP.

114
General Discussion / Traffic Shaper Troubleshooting
« on: February 13, 2024, 06:29:04 pm »
I have a server in a DMZ with 443 forwarded to it.  I have a Shaper rule configured to limit its bandwidth to the internet but allow full speed locally.  Previously the pipe limit was 10Mbps but after upgrading my connection speed I've increased it to 50Mbps.

However, I was initially only seeing 8-10Mbps transfers.  I'm looking at the Shaper status page but it's not exactly clear as to what it's doing and how well it's working.

115
Tutorials and FAQs / Re: Possible way to Automate gateway switching according to IP Bandwidth usage?
« on: February 13, 2024, 06:17:31 pm »
I don't have any advice to provide you as I've not worked with multi-WAN setups, but I'm really curious as to what caused you to end up with 3 different WANs.  Would you mind elaborating on that?

116
General Discussion / Re: How to connect to Wifi connected printer on other LAN network?
« on: February 13, 2024, 06:15:37 pm »
Double NAT is exactly what's happening here.

Unless there's a reason that I'm unaware of, you want the TPLink configured as an AP, not a router.  Move the cable from the WAN port on the TPLink to one of the LAN ports and disable the DHCP server on it.  There may be a few other tweaks needed but I don't recall offhand.  After that, the TPLink and printer should both have 192.168.10.x addresses.

Double check your firewall rules, as the first LAN created will automatically have rules allowing it access to anything.  You want to make sure that's your trusted network (LAN2 in your case, I believe).  Right now it's unclear as to who has access to what.  If you post your rules we can help make sure they're correct.

One thing to keep in mind is that some devices and services don't work well when not on a flat network.  They expect everything in one subnet.  There are usually ways to get them working, but it can add additional complexity that you might not be prepared for.

117
General Discussion / Re: Restricting plugin dashboard access from outside of the OPNsense UI
« on: February 13, 2024, 06:05:22 pm »
What are you attempting to do?  Why would you want to access maltrail from outside of your network?

Is there a reason you're not using a VPN?

118
General Discussion / Re: Single Network Interface Card (NIC) Correct VLAN Setup
« on: February 13, 2024, 06:03:26 pm »
Is there a reason that you're doing a router on a stick?  While it can be made to work, I prefer to avoid the complexity and like to know for sure that my WAN is physically separated from everything else.

119
Virtual private networks / Re: Wireguard to home lan DNS issues
« on: February 13, 2024, 04:54:10 pm »
Quote from: Squiggley on February 11, 2024, 07:36:10 pm
Hi all,

I am quite new to opnsense, having moved over from pfsense.
So I followed this great guide for my setup https://forum.opnsense.org/index.php?topic=23339.0

What are you doing with HAProxy?  Are the sites you're trying to access through that?

Quote from: Squiggley on February 11, 2024, 07:36:10 pm
Wireguard is working: I can connect to my home lan and access my services, however it's via ip address only. I do not have DNS resolution; that's what I am trying to fix.

I am using Unbound split DNS from the first tutorial listed to resolve internal addresses and it works great except for through wireguard

On the wireguard client on my phone I have 10.0.0.1 and 192.168.13.254 as my dns servers

I am not sure how to proceed or debug it really.

Thanks

What are 10.0.0.1 and 192.168.13.254?

Remove the Wireguard ACL from Unbound and just switch it to Allow as the default action.

120
24.1 Legacy Series / Re: i lost internet after a shutdown
« on: February 13, 2024, 04:47:37 pm »
I'm a little unclear as to your network setup and what problem you're seeing.  Are you saying that you're not getting a DHCP address on WAN until you configure it to static and then back to DHCP?  What address is the WAN showing on reboot?

If you can post a network diagram and the model of your swisscom, that would help.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved