Messages - mush2020

#16
I'm sorry, I got your point. There are no nameservers added in Opnsense System|Settings|General, as I wanted to use Unbound as resolver.

Also these are unchecked
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the local DNS service as a nameserver for this system

In Unbound this is unchecked
Enable Forwarding Mode
#17
Your query, is it for Opnsense or Unbound or AGH settings? I will have a look.
By the way, in Opnsense I have set up hostname and domain.
In Unbound, DNS Query Forwarding is unchecked.
#18
[quote]
Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be setup in AGH not Unbound.   If you are using Unbound then yes of course you need to set that up.
[/quote]

I want to use Unbound + AGH.
In AGH:
upstream DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (Wifi Interface)

parallel requests

bootstrap DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (Wifi Interface)

private reverse DNS servers
192.168.10.254:5353 (Wifi Interface)
192.168.50.254:5353 (Opnsense LAN)


The only issue I have now is DNS not working if AGH protection is enabled.

Any further troubleshooting lead?
#19
In Unbound DNS over TLS I tested by removing the 853 port and leaving it blank.
It accepts the blank field, but after applying, internet is not available.
So I'm back to my working settings (see attached).

If all DNS providers' DoT works only on TCP/853, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org.

As seen in Cleanbrowsing (see attached), for the IP a port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for AGH protection settings?
#20
As per some of the tutorials for redirecting DNS, I had these NAT port forward rules.
If I disable the NAT rule on a specific interface, then requests with any manual DNS IPs are passing through; otherwise, with the rule, I could see in the Firewall RDR log which host is using which DNS IP. Anyhow, manual DNS IP requests are timed out.

For the rest, for AGH I have done most of the configuration as you mentioned and from tutorials.

AGH still does not work with protection features enabled.

Is there any specific DNS configuration I might be missing in Opnsense or Unbound or AGH?
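An added example (mine, not code from this thread, from OPNsense or from AdGuard Home) of the check that the Firewall RDR log mentioned above makes possible: it parses firewall log lines and flags hosts that try to reach a DNS server other than the local resolver, separating plain port-53 traffic that a redirect rule rewrites from port-53 traffic that passed unredirected and from DoT on TCP/853, which a port-53 redirect rule does not touch. The log line format is a constructed, simplified one (not OPNsense's real filterlog format), the resolver addresses are the ones posted in this thread, and the client and upstream addresses, interface name and function names are assumptions.

```python
"""Flag LAN/WiFi hosts that use a DNS server other than the local resolver.

Added example for this thread. The log lines are constructed and simplified
(not the real OPNsense filterlog format); the resolver IPs are the ones
posted in the thread, everything else is an assumption.
"""
from collections import defaultdict

# Resolver addresses the clients are supposed to use (from the thread).
LOCAL_RESOLVERS = {"192.168.50.254", "192.168.10.254", "127.0.0.1"}

# Constructed sample log: "<action> <iface> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>"
# 'rdr' marks a packet rewritten by the DNS redirect rule, 'pass' one that was not.
SAMPLE_LOG = """\
rdr igb2 udp 192.168.10.23:51112 8.8.8.8:53
rdr igb2 udp 192.168.10.23:51113 192.168.10.254:53
pass igb2 tcp 192.168.10.41:44021 1.1.1.1:853
pass igb2 tcp 192.168.10.41:44022 142.250.74.78:443
pass igb2 udp 192.168.10.77:60000 192.168.10.254:53
rdr igb2 tcp 192.168.10.90:33333 9.9.9.9:53
pass igb2 udp 192.168.10.55:50000 8.8.4.4:53
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the constructed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    action, iface, proto, src, dst = parts
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"action": action, "iface": iface, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def classify(rec):
    """Label the kind of DNS bypass a record shows, or None if it is not one."""
    if rec["dst_ip"] in LOCAL_RESOLVERS:
        return None  # going to the intended resolver: nothing to flag
    if rec["dst_port"] == 53:
        # A port-53 redirect rule catches this; 'rdr' shows it was rewritten,
        # 'pass' means the rule is missing or disabled on that interface.
        return "plain-dns-redirected" if rec["action"] == "rdr" else "plain-dns-bypass"
    if rec["dst_port"] == 853 and rec["proto"] == "tcp":
        # DoT is not covered by a port-53 redirect; it needs its own block rule.
        return "dot-bypass"
    return None  # DoH on 443 cannot be told apart from ordinary HTTPS by port alone


def find_bypass(log_text):
    """Map each client IP to the set of (label, dns_server) pairs seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["src_ip"]].add((label, rec["dst_ip"]))
    return dict(hits)


if __name__ == "__main__":
    for host, labels in sorted(find_bypass(SAMPLE_LOG).items()):
        print(host, sorted(labels))
```

Hosts that only talk to the local resolver (192.168.10.77 in the sample) never appear in the result; a host labelled `plain-dns-bypass` shows what happens when the redirect rule is disabled on its interface, and a `dot-bypass` entry is the case a port-53 redirect alone cannot handle.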
#21
@RamSense, thanks.
I tried changing the NAT from 127.0.0.1 to the WiFi interface IP. But what should be selected for Filter Rule Association under the NAT rule? By default, if there is no description it shows "Rule"; if a description is added then it shows the description. Should it be default, Pass or None?

I tested AGH again after adding the WiFi interface IP and enabling
- browsing security web services
- parental control web services
No more Internet (connected host shows DNS request timed out).

For now I cannot use these 2 AGH protection options.

Additionally I checked: if the WiFi host DNS is modified to a DNS provider like 1.1.1.1, then the host can use this DNS instead of getting blocked, and DNS requests are successful.

I then changed back to 127.0.0.1 in the WiFi interface NAT rule as before; then the host with the DNS provider IP address cannot have internet. The NAT rule is working as needed.

Can anyone help here to trace and fix the issue?
#22
@Superduke, thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Are there any added benefits for DNS and Web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where the issue is; as soon as I enable the 2 web safe browsing options, Internet stops (DNS Timed Out).

I could not get any indication from Unbound logs or FW logs yet.

Not sure if anyone using Unbound+AGH has faced such an issue.
#23
@cookiemonster Thanks for your response.
I've gone through some of the tutorials and posts to understand the configuration for DNS+Unbound+Adguard.

So I have Unbound (5353) with a NAT Port Forward Rule (see attached).
In System-General: no DNS set (see attached).
DNS over TLS: using Cleanbrowsing (see attached).
Adguard: configuration not complete, as I want to understand how that works and get the right configuration.

One concern is about the NAT Port Forward Filter rule association (see attached): what should be the selection and why?

I need to understand the DNS request/response flow when ISP Router + Opnsense + Unbound + Adguard + Wireless AP are involved.

If my host either on LAN and/or Wifi requests google.com, how does the request flow and who responds?
If badsite.com is requested, how does the DNS request/response flow work?
What about the Opnsense WAN Interface? Does WAN also use DNS? I'm not sure how many Opnsense interfaces are involved in DNS traffic in/out.

#24
I'm getting lost in the forum by searching for how DNS should be configured for the first time Opnsense is up and running.
If the Unbound plugin is installed, then what should be the correct configuration in Opnsense and Unbound?
I have an ISP router with CGNAT.
Opnsense WAN port (igb1) is set to DHCP.
Opnsense LAN port (igb0) is only used for managing Opnsense (SSH, GUI, etc.).
Opnsense (igb2) Wifi port is connected to the Wifi-Router/AP. Here Opnsense leases IPv4 addresses to wifi clients.

With this setup:
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers; for example, some Android devices and Smart Home devices use Google DNS 8.8.8.8.
2. Want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxy and VPN, threat protection, etc.
3. Should enforce safe search.
4. Clients should be identified by hostname with a static entry (looks like some Android devices keep changing MAC addresses).

I'm not sure what the correct configuration is if I want to use only Opnsense with my ISP router as DNS.
What is the correct configuration if I want to use Opnsense + Unbound Plugin with DNS filtering?

I have read many posts and tutorials; it's all confusing with DNS configuration.
I'm trying AdGuard, which is not working as given in a few tutorials and forum members' working setups.

Anyone who could point to the right direction would be appreciated.

#25
I'm running AdGuardHome recently with Unbound.
It seems there is slowness in DNS requests.
Every day processing time is above 250ms (attached screen print).
I see some errors (attached); it started after enabling encryption, not sure what network error.
Although all settings under Encryption and certs are OK with no errors on the GUI.
How to reduce DNS query average processing time?
Where are the logs to see the error generated?

Also nslookup error for parental_block_host and safebrowsing_block_host.
DNS timeout occurs if I enable either of these:
- Security web service
- Parental control

>nslookup
Default Server:  UnKnown
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  UnKnown
Address:  192.168.10.254

*** UnKnown can't find family-block.dns.adguard.com: Non-existent domain
> family-block.dns.adguard.com
Server:  UnKnown
Address:  192.168.10.254

*** UnKnown can't find family-block.dns.adguard.com: Non-existent domain

Request for community assistance.
#26
I have installed AdGuard with Unbound enabled.

In AdGuard General Settings, with
- Use AdGuard browsing security web service
- Use AdGuard parental control web service
a single one or both enabled, clients get DNS timeout.

Under DNS settings, the Upstream DNS servers added are the IPs of the Opnsense LAN and Wifi Interfaces and loopback:5353.

Encryption settings not enabled so far.

How to remove or add listening interfaces that were added during initial setup?

Can anyone help to resolve this issue?
#27
I'm still having an issue with internet speed.
For testing I have a single 5G WAN.
As seen in the attached screenprint, the Opnsense speedtest report max down speed is 94.33Mbps.
If I connect the laptop directly to the 5G router, down speed is between 800-900Mbps.
During the test:
Unbound = disabled
IPS = disabled
System: Settings: General = NextDNS IPs

Can anyone assist to identify where the issue is and why down speed is low via opnsense?

Thanks
#28
Thanks Tong2x,
I rebooted both opnsense and router. Now both GW statuses are online.
Just to test, I disabled unbound and ran the speed test. The speed improved to 467Mbps.
In Unbound under Misc I was using Cleanbrowsing DNS IPs 185.228.168.168@853 and 185.228.168.168@853.

Is Unbound or Cleanbrowsing DNS reducing speed? I cannot find the root cause.

I'm thinking to use NextDNS and disable Unbound. But not sure about the Port Forwarding NAT rules to disable, as I was using them while Unbound was in use to prevent DNS bypassing.

Any help to troubleshoot this issue?
#29
I have a 5G router with 1Gbps Internet speed; with LAN directly connected to the 5G router, internet speed is between 800-950Mbps. If the test is performed through the LAN port of Opnsense, the max speed I could get is around 101Mbps (down) and 109Mbps (up).
5G router and Opnsense are connected via an L2 Managed Switch.
Additionally, I have a 2nd ISP fiber with 100Mbps speed.
Configured Load Balancing with MultiWan (no improvement in speed).
IPS = Not enabled
Unbound = Enabled

Currently, I could see in GW status that 5GWAN is offline. Not sure why it's offline. Attached status screen print.

Need help to fix the issue.

Thanks

Top output below:
root@fwsoho:~ # uname -rv
12.1-RELEASE-p19-HBSD FreeBSD 12.1-RELEASE-p19-HBSD #0  0c59842367b(stable/21.1)-dirty: Mon Jul  5 15:08:43 CEST 2021     root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP
root@fwsoho:~ # top
last pid: 72660;  load averages:  1.32,  1.27,  1.21    up 0+15:35:43  12:15:23
65 processes:  65 sleeping
CPU:  0.6% user,  0.6% nice,  0.6% system,  0.6% interrupt, 97.4% idle
Mem: 382M Active, 4165M Inact, 888M Wired, 442M Buf, 2662M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
36111 ntopng       64  20    0   472M   417M nanslp   1 249:30   3.42% ntopng
31535 root          1  20    0  1042M  8808K select   3   0:00   0.12% sshd
24200 netdata      21  52   19   138M    90M pause    2  12:26   0.08% netdata
75407 root          3  20    0  1057M    11M select   3   1:16   0.06% zerotier
81930 redis         4  20    0    21M  5580K kqread   0   1:57   0.05% redis-se
49567 root          1  20    0    30M    20M select   2 150:15   0.02% python3.
63461 netdata       4  39   19    62M    42M select   3  11:26   0.00% python3.
74409 root          1  20    0  1036M  3400K select   0   5:36   0.00% syslogd
25853 root          4  20    0    33M    11M kqread   2   3:20   0.00% syslog-n
47093 squid         1  20    0  1379M   222M kqread   1   1:48   0.00% squid
  529 root          1  52    0    57M    35M accept   2   1:08   0.00% python3.
37595 unbound       4  20    0   188M   159M kqread   1   0:47   0.00% unbound
78210 netdata       1  39   19    18M  7476K nanslp   3   0:29   0.00% apps.plu
31851 root          1  20    0    20M    11M select   2   0:11   0.00% python3.
49678 root          1  20    0    21M    11M select   3   0:10   0.00% python3.
23439 root          1  52    0    52M    32M accept   2   0:09   0.00% php-cgi
67667 root          1  52    0    50M    30M accept   0   0:08   0.00% php-cgi

#30
I'm testing Full Tunnel by allowing the default route in the ZT network to route all my external devices' internet traffic via the Opnsense zt interface. Internet works well by using Google DNS:
0.0.0.0/0 via 192.168.194.250

But as soon as I enable the Firewall rule and NAT Port forwarding
ZeroTier   TCP/UDP   *   *   ! ZeroTier address   53 (DNS)   127.0.0.1   53 (DNS)   Redirect DNS to Local

Internet either slows down or the web page is not reachable.
In fact I want to stop using all other DNS, except Unbound for ZT.

For internal network all works well.

Currently tested with an iOS device with latest ZT 1.6.1.

Can anyone assist to fine tune the configuration in Unbound or NAT or FW rules?