OPNsense
Messages - lar.hed

Pages: 1 ... 15 16 [17] 18 19 ... 22
241
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« on: November 28, 2020, 08:58:09 pm »
No, I do not - it is OUTgoing ONLY. I have no IN rules at all.

242
General Discussion / Is Multi-WAN + Whitelist firewall + DNS-over-TLS possible?
« on: November 28, 2020, 07:53:19 pm »
So I have been struggling a bit more than I expected...

Let's start with what was: I used to have a 6-ethernet OPNsense box, and used OPNsense 20.1 - most of what I listed in the subject worked, except failover in multi-WAN. I never got to solve that problem, which I think was a firewall problem, since my hardware simply died on me one day.

It took some time to replace that hardware, and now I'm using a Qotom-Q878GE. Way over-powered for my usage but I am a nerd after all, so that is ok 8)

Anyway, with 20.7 installed and trying to rebuild my old OPNsense from scratch, I feel I am struggling more than I like. It is simple things like multi-WAN failover that do not work (yes, I made the mistake of connecting two ethernet cables to the same switch to simulate failover a bit more easily - corrected that with my LTE modem installed), or DNS resolution that simply refuses, or I have to reboot OPNsense for every firewall rule change I make since just applying it makes no difference, and don't even start talking about trying to forward all DNS requests from clients on LAN to Unbound inside OPNsense - and never mind the DNS-over-TLS that I am trying to get working.

And to top it all, I like to keep a tight network, so I like to whitelist what goes out from the WAN interfaces. I just learned that is not possible since internal stuff doesn't pass the packet filter firewall. But dpinger seems to.

Anyway, what I need to know, so to speak, is: Has anyone else even tried what I am doing? Or am I alone?

PS! My old ASUS RX88 firewall router, which for the moment handles my network here at home, does all of the above - so I know that it is possible, just don't know if OPNsense can?

243
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 28, 2020, 07:06:28 pm »
Hmmm, I am not 100% sure, since well, I did a test (sorry  :'( ) and well, I added a few rules to both my WAN interfaces to control what goes out... It killed both.

I think it is about dpinger not being able to connect since both gateways go offline, and I have added rules for ICMP <any>, no difference...

However, if I disable all rules - and that is ALL rules - on one of my WAN interfaces, it starts to work again. So if Unbound is considered "local", why is dpinger not? And what is dpinger using, so I could open a rule for it?

244
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« on: November 28, 2020, 03:20:57 pm »
Okay - new challenge or question:

The Multi WAN guide says rule on DNS port to destination 192.168.1.1/32
The rule I seem to need for handling all DNS by OPNsense and Unbound on DNS port to destination 127.0.0.1/32

Not sure it is any difference in the real world so to speak?

245
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - can not recover from fail
« on: November 28, 2020, 09:06:43 am »
My plan is to close port 53 on OPNsense out, and only allow 853.
So forward all port 53 to 127.0.0.1 internal.
In Unbound custom option:
server:
    local-zone: "use-application-dns.net." always_nxdomain

This should, in theory, stop my firefox from DoT out, and only use OPNsense for DNS requests.
And any DNS requests should be handled by Unbound, which should use DoT, no matter what gateway is used.

Or am I doing some sort of error in my thinking?

246
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - can not recover from fail
« on: November 28, 2020, 07:51:24 am »
Quote from: mimugmail on November 27, 2020, 11:34:27 pm
Both Gateways have the same IP??? This can't work

Correct - it does not. My fault, I grabbed my LTE router (I have only one) from my current firewall (I lost my previous OPNsense firewall due to a hardware error = it just died one day, so I had to go back to my trusty old Asus AX88 router...) and connected it. Works directly! Perfect, one less problem.

That being said: The LTE router is ALSO on a 10.x.x.x network - so there is of course a risk that I could get the same 10.x.x.x IP from both at the same time...

I will now move on to DoT - however, I am not entirely sure how to validate DoT, since NAT will let anything out...
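The validation problem raised above (NAT lets any DNS out, so the GUI alone does not show whether the resolver really uses DoT) can be settled on the WAN interface itself: if no packet leaves the WAN towards port 53, all resolution is going over port 853. The following is an added example, not code from the post or from OPNsense: it parses the text output of `tcpdump` taken on the WAN interface and counts outbound plaintext DNS per destination. The interface name `igb0`, the WAN address `10.20.30.40` and the capture lines are constructed for this example.

```python
"""Check a WAN packet capture for plaintext DNS: if nothing leaves on port 53, DoT is doing the work."""
import re
from typing import Dict, Iterable, List, NamedTuple

# On OPNsense, capture on the WAN interface from a shell (interface name is an assumption):
#   tcpdump -n -i igb0 'port 53 or port 853'
# and feed the text output to parse_dns_flows(). The lines below are CONSTRUCTED in
# tcpdump's default text format to exercise the parser; they are not a real capture.
SAMPLE_CAPTURE = """\
20:01:11.000001 IP 10.20.30.40.49152 > 1.1.1.1.853: Flags [S], seq 123456789, win 65535, options [mss 1460], length 0
20:01:11.000002 IP 1.1.1.1.853 > 10.20.30.40.49152: Flags [S.], seq 987654321, ack 123456790, win 65535, length 0
20:01:12.000003 IP 10.20.30.40.49153 > 9.9.9.9.853: Flags [P.], seq 1:120, ack 1, win 1024, length 119
20:01:13.000004 IP 10.20.30.40.51000 > 8.8.8.8.53: 4711+ A? example.com. (29)
20:01:13.000005 IP 8.8.8.8.53 > 10.20.30.40.51000: 4711 1/0/0 A 93.184.216.34 (45)
20:01:14.000006 IP 10.20.30.40.51001 > 8.8.4.4.53: Flags [S], seq 1, win 65535, length 0
"""

# Matches the "<time> IP <src>.<sport> > <dst>.<dport>:" prefix tcpdump prints for IPv4 and IPv6.
_LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)


class DnsFlow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    plaintext: bool   # True when the packet went to port 53 (no TLS)


def parse_dns_flows(capture: str, wan_ips: Iterable[str]) -> List[DnsFlow]:
    """Return outbound DNS/DoT packets whose source is one of our WAN addresses.

    Replies coming back in (source = upstream resolver) and lines that are not
    tcpdump packet lines are skipped. With multi-WAN pass both WAN addresses.
    """
    ours = set(wan_ips)
    flows: List[DnsFlow] = []
    for line in capture.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group("src") not in ours:
            continue
        dport = int(m.group("dport"))
        if dport not in (53, 853):
            continue
        flows.append(DnsFlow(m.group("ts"), m.group("src"), m.group("dst"), dport, dport == 53))
    return flows


def plaintext_leaks(capture: str, wan_ips: Iterable[str]) -> Dict[str, int]:
    """Count outbound port-53 packets per destination. An empty dict means DoT-only."""
    counts: Dict[str, int] = {}
    for flow in parse_dns_flows(capture, wan_ips):
        if flow.plaintext:
            counts[flow.dst] = counts.get(flow.dst, 0) + 1
    return counts


if __name__ == "__main__":
    leaks = plaintext_leaks(SAMPLE_CAPTURE, {"10.20.30.40"})
    print("plaintext DNS destinations:", leaks or "none")
```

On the constructed sample the two Google resolvers show up as plaintext leaks while the Cloudflare and Quad9 connections on 853 do not. On a real box a non-empty result after the port-53 block is in place means some process on OPNsense itself (Unbound without DoT, or another service) is still resolving in the clear, which the "block 53 out" rule will then break rather than protect.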

247
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - can not recover from fail
« on: November 27, 2020, 09:23:33 pm »
And one final screenshot...

248
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - can not recover from fail
« on: November 27, 2020, 09:23:00 pm »
A few screenshots then :-)

249
20.7 Legacy Series / Re: Multi WAN in combination with DNS-over-TLS (Unbound)?
« on: November 27, 2020, 05:11:41 pm »
Okay - I think I got what is not working, for some reason:

WAN_FTTH (Primary) - Fiber To The Home
WAN_LTE (Secondary) - LTE mobile modem as backup
Default Gateway Switching IS active for this test.

Starting from reboot, WAN_FTTH marked as active (under System -> Gateway -> Settings) - everything works.
Pulling the ethernet cable for the interface for WAN_FTTH, failover to WAN_LTE is marked as active - everything works.
Attaching the ethernet cable I just pulled, WAN_FTTH is marked as active - DNS resolution does not work.
Pulling the ethernet cable for WAN_LTE - NOW everything works on WAN_FTTH.
I could also reboot the firewall to get it working - but that seems a bit wrong in my book.

So yes it fails over, but it can not recover - what am I doing wrong? And I am sure everything is as the how-to describes it. I can take screendumps if requested, just tell me what?

Oh and NO I have not gotten to DoT yet...

250
20.7 Legacy Series / Re: Multi WAN in combination with DNS-over-TLS (Unbound)?
« on: November 27, 2020, 04:46:48 pm »
Not sure I follow, or rather, if I do the "gateway switching active where system default gateway always points to primary" I will lose DNS. And I have not even tried DoT yet. Turning gateway switching on fails DNS requests - turning it off, DNS requests work. However, if I play around, back and forth and back again or something, DNS simply never works again. And every time I make a change Unbound takes 53 seconds to restart before anything can happen (if it will happen, that is).

I simply do not get this to work - and I am just trying to get this working with everything in default settings. Just followed the how-to multiwan (which also mentions Default Gateway Switching) - and I still fail....

251
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 27, 2020, 07:26:40 am »
So I read the web page documentation about Multi-WAN:
https://docs.opnsense.org/manual/how-tos/multiwan.html

And then I started to think about DNS settings and DoT (DNS over TLS within Unbound), and I just found that it is not possible, from my point of view, to enter the correct information either in the DNS settings under "System ‣ Settings ‣ General" (it does not allow @853 after the IP address, so no way to enter correct info about DoT servers) or in the web settings for Unbound under "Services: Unbound DNS: Miscellaneous", where there is no way to set the gateway as described in the Multi-WAN page above.

So how am I supposed to set up: Multi-WAN (failover from fiber to LTE in my case) and DoT - or is this combo not possible?
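Two of the posts on this page describe the same DoT plan for Unbound: the one above, which finds no place in the GUI to enter an upstream with `@853`, and the earlier one that wants port 53 closed on the WAN, all client DNS redirected to 127.0.0.1 and Firefox's canary domain answered with NXDOMAIN. As an added example, not code from the posts or from OPNsense, the script below writes that plan out as an Unbound configuration fragment of the kind that goes into the Unbound custom options, and then checks it for the two mistakes that a "block 53 out, allow 853 out" rule set turns into an outage: a `forward-addr` without `@853` (Unbound then uses port 53) and a forward-zone without `forward-tls-upstream: yes`. The upstream addresses, their certificate names and the CA bundle path are assumptions for the example; the `ip@port#hostname` form and `tls-cert-bundle` are standard Unbound syntax.

```python
"""Build and sanity-check an Unbound custom-options fragment for DNS-over-TLS upstreams."""
import re
from typing import Dict, List, Tuple

# Assumed upstreams for this example. The hostname after '#' is the name Unbound
# verifies in the upstream's TLS certificate; without it the TLS session is unauthenticated.
DOT_UPSTREAMS: Dict[str, str] = {
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "9.9.9.9": "dns.quad9.net",
}

# Firefox's DoH canary: an NXDOMAIN answer makes Firefox keep using the system resolver.
CANARY_ZONE = "use-application-dns.net."

# Assumed CA bundle location on OPNsense/FreeBSD; verify it exists on the box.
CA_BUNDLE = "/etc/ssl/cert.pem"


def build_unbound_custom_options(upstreams: Dict[str, str], canary: str = CANARY_ZONE,
                                 ca_bundle: str = CA_BUNDLE) -> str:
    """Return a config fragment: canary NXDOMAIN plus TLS-only forwarding of everything ('.')."""
    lines = [
        "server:",
        f'    tls-cert-bundle: "{ca_bundle}"',
        f'    local-zone: "{canary}" always_nxdomain',
        "forward-zone:",
        '    name: "."',
        "    forward-tls-upstream: yes",
    ]
    for ip, auth_name in upstreams.items():
        lines.append(f"    forward-addr: {ip}@853#{auth_name}")
    return "\n".join(lines) + "\n"


_CLAUSE_RE = re.compile(r"^[a-z-]+:$")                                   # e.g. "server:", "forward-zone:"
_ADDR_RE = re.compile(r"^forward-addr:\s*(\S+?)(?:@(\d+))?(?:#(\S+))?$")  # ip[@port][#authname]


def parse_forward_zones(config: str) -> List[dict]:
    """Collect each forward-zone's name, TLS flag and (ip, port, authname) tuples."""
    zones: List[dict] = []
    cur = None
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if _CLAUSE_RE.match(s):
            cur = {"name": "", "tls": False, "addrs": []} if s == "forward-zone:" else None
            if cur is not None:
                zones.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("name:"):
            cur["name"] = s.split(":", 1)[1].strip().strip('"')
        elif s == "forward-tls-upstream: yes":
            cur["tls"] = True
        else:
            m = _ADDR_RE.match(s)
            if m:
                cur["addrs"].append(m.groups())
    return zones


def check_dot_only(config: str) -> Tuple[bool, List[str]]:
    """Report forward-addr lines that would use plaintext port 53 or skip certificate checks."""
    problems: List[str] = []
    for zone in parse_forward_zones(config):
        for ip, port, auth_name in zone["addrs"]:
            if port != "853":
                problems.append(f"{ip}: port {port or '53'} is not 853, plaintext DNS would be used")
            if not auth_name:
                problems.append(f"{ip}: no '#hostname', the upstream certificate is not verified")
        if zone["addrs"] and not zone["tls"]:
            problems.append(f'zone "{zone["name"]}": forward-tls-upstream is not set to yes')
    return (not problems, problems)


if __name__ == "__main__":
    fragment = build_unbound_custom_options(DOT_UPSTREAMS)
    print(fragment)
    print(check_dot_only(fragment))
```

The generated fragment forwards the whole namespace, so it does not depend on which WAN gateway is active; Unbound simply uses whatever default route the system has at the moment, which is the multi-WAN failover case the other posts are about. Run `check_dot_only` on whatever ends up in the custom options before enabling a WAN rule that blocks port 53 outbound.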

252
General Discussion / "Remove DNS" and only use a few good URLs that I decide is OK?
« on: September 24, 2020, 03:42:41 pm »
So I am using Unbound in 20.7 - one of my (most likely wildest) ideas is to only allow a certain number of URLs. Like a private DNS setup - nothing else. Now I know this will be a pain to set up; a few will simply not cover it at all. I guess 1000 or more will not even be enough? However, from a technical point of view, what would I need? A "hostlist" I guess, with the sites I like (!), and then what do I do?
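One way to get the "private DNS" asked for above is Unbound's own local-zone mechanism: declare the root zone `.` as `always_nxdomain` and each allowed domain as a `transparent` local-zone. Unbound applies the most specific matching local-zone to a query, so the allowed names and everything under them resolve normally while every other name gets NXDOMAIN. The script below is an added example, not from the post or from OPNsense: it generates that fragment from a list and includes a small label-wise matcher that predicts which action Unbound will take for a given name, which makes the edge cases visible (a subdomain of an allowed domain is allowed, a name that merely ends in the same characters is not). The domain list is constructed.

```python
"""Unbound allowlist resolver: NXDOMAIN for everything except a chosen set of domains."""
from typing import Iterable, List

# Constructed example allowlist; 'docs.opnsense.org' is redundant because 'opnsense.org'
# already covers it, which the generated config makes explicit.
ALLOWED_DOMAINS = ["opnsense.org", "docs.opnsense.org", "freebsd.org"]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def allowlist_config(allowed: Iterable[str]) -> str:
    """Return an Unbound custom-options fragment implementing the allowlist.

    The root zone answers NXDOMAIN; each allowed domain is a 'transparent' child zone,
    which Unbound prefers over the root because it is the more specific match.
    """
    lines = ["server:", '    local-zone: "." always_nxdomain']
    for dom in sorted({".".join(_labels(d)) for d in allowed}):
        lines.append(f'    local-zone: "{dom}." transparent')
    return "\n".join(lines) + "\n"


def policy_for(qname: str, allowed: Iterable[str]) -> str:
    """Predict the local-zone action Unbound applies to qname under allowlist_config().

    Matching is per label, as in DNS: 'notopnsense.org' is NOT under 'opnsense.org'.
    """
    q = _labels(qname)
    for dom in allowed:
        d = _labels(dom)
        if len(d) <= len(q) and q[len(q) - len(d):] == d:
            return "transparent"
    return "always_nxdomain"


if __name__ == "__main__":
    print(allowlist_config(ALLOWED_DOMAINS))
    for name in ("forum.opnsense.org", "notopnsense.org", "example.com"):
        print(f"{name:24} -> {policy_for(name, ALLOWED_DOMAINS)}")
```

This only governs what Unbound answers. A client that is allowed to reach another resolver, or a browser using DoH, is unaffected, which is why the allowlist only becomes a control together with the redirect of port 53 to 127.0.0.1 and the canary-domain NXDOMAIN from the DoT posts on this page. Expect the list to need care: a site's page loads from CDN and analytics domains that are not the name in the address bar, so those must be allowed too or the site breaks in ways that look like a resolver fault.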

253
20.7 Legacy Series / Re: Firewall Live View: OR operator
« on: September 21, 2020, 08:55:44 am »
I would love this to happen - since I am still trying to figure out one or more things about my config that do not behave perfectly, to say the least.

254
Development and Code Review / Re: DNSBL and additional features Plugin for Unbound
« on: September 05, 2020, 04:33:45 pm »
Well, if I remove my 4 DoT servers (1.1.1.1@853, 1.0.0.1@853, 9.9.9.9@853 and 114.112.112.112@853) it will not fix my WAN failover issue, and more important, when I added them all back I lost some of the URL (DNS) lookups (read: some web sites were not resolved). Something a reboot solved.

I have been thinking a lot about this issue I seem to have, and I am convinced it is some sort of rule problem.

For example, I have a rule that only allows 853 to pass out of the WAN interfaces (FTTH and LTE); even with that active, after removing the four DoT servers from Unbound, I still get 100% name resolution working - I kind of did not expect that to happen....

So something has got to be screwed up in my firewall rules...

255
Development and Code Review / Re: DNSBL and additional features Plugin for Unbound
« on: September 05, 2020, 12:24:24 pm »
Well, that is just it: I know my current config does not work when it comes to failover (although it did once upon a time, and I have verified that with a separate config (which I have backed up, of course) that seems to work - however that config makes my printer not work... so I restored the config where the printer works and failover does not...) - everything else works.

So my idea was to check the config backup that works and compare it to my non-working failover - nothing turned up to help me. So now I am just trying to figure out if anyone else has WAN failover and DoT over Unbound?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved