Messages - Superduke

#16
You can pretty much accomplish everything you want with an Unbound redirect to the AdGuard plugin.  That's the setup I have (with a UniFi switch/AP downstream) and it works great.

Initially I used Unbound strictly with a selection of blocklists, but I found my use case changed as my kids got older and I wanted better control.  AdGuard does that for me and I've even set up a WireGuard tunnel back to home....which they haven't yet figured out...lol.

Either way, check around (I think Reddit has some good tutorials on Adguard/Unbound setup)....
#17
+1 to this issue...I myself just updated via GUI to 21.7.6...although I would normally do it via CLI, but it said there was nothing to do.

After the update, asking for another check causes a hang and times out.  Trying to install another plugin (in my case I wanted to install the unifi plugin) hangs as well.

Graphically the Update tab just continues to spin even after the update request has stopped.


Quote from: survive on November 25, 2021, 03:25:39 AM
Hi guys,

I'm running 21.7.5 in a vm on ESXi and I'm trying to understand why the update checks are taking so long when I check in both the gui & cli.

From what I can tell my GUI checks are slow because fetch is timing out connecting to pkg.opnsense.org, but I have confirmed I can ping/ping6 that host in an ssh session. The GUI eventually exits with this message:

pkg: Repository OPNsense cannot be opened. 'pkg update' required

There are some other topics here that come close to this problem, one suggested this command:

sh -x /usr/local/opnsense/scripts/firmware/changelog.sh fetch

Which results in fetch timing out.

Running an update from the console results in this error:

pkg-static: Repository OPNsense missing. 'pkg update' required
pkg-static: No package database installed.  Nothing to do!

Running "pkg update" from the CLI seems to start the same dialog as the GUI web update.

I saved my config & spun up a 21.7.1 vm, which I was able to update to 21.7.5 as expected. I can't say if I imported my config first or updated, but I was able to run the plug-in resolution tool & get my plug-ins all installed.

Any idea what's going on here?

-Will
#18
Thank you....this helps immensely.  Another question that then springs to mind is APs.  In my case, there is only one (tagged) VLAN I have set up that would require a physical connection directly to the managed switch (for my Xboxes).

My other (tagged) VLANs are all strictly WiFi that deals with IoT gear and the kids with their gear.  So for a given AP, there would certainly be multiple VLANs (and LAN) traffic on that one AP physically connected to the one switch port.....and because of my stupidity, I can't see a way around this....lol  Any more thoughts?  I am certainly missing something....

Quote from: pmhausen on October 13, 2021, 09:16:50 PM
Use one interface for untagged and a separate physical interface for tagged traffic.
A port connected to a switch carrying tagged traffic should carry only tagged traffic.

Of course the idea is not fundamentally wrong or technically impossible. The general advice I give here is mostly about edge cases and possible failure situations. For example you cannot put a VLAN on top of a bridge in FreeBSD. So if you want to have more than one interface in your untagged "LAN" to use the OPNsense device as a cheap switch - bad luck for the tagged VLANs. You can of course put a bridge on top of a VLAN, which is the way this is supposed to work.

Then the IDS/IPS components (Sensei/Suricata) frequently fail in non-intuitive ways in a setup like this.

There are reported cases in which dhcpd does not work on the tagged VLANs if it is also serving the untagged one.

So, it's complicated. I cannot claim to state "it is bad and will not work because ..." - it only has a high probability of "weird" failure modes depending on your setup and hardware.

So repeating my advice: simply don't. Access ports are access ports (untagged only), trunk ports are trunk ports (tagged only). Even Cisco's documentation explicitly states: you should not use VLAN 1 for anything. VLAN 1 is the default untagged VLAN on trunk (tagged) ports.

HTH,
Patrick
#19
I'm nowhere near competent to understand why.....but if this is indeed true, and I have no reason at all to doubt you.....are all of the Youtube videos that exist on how to setup VLANs on OPN and pFSense wrong in their approach?

If yes....then can you point to a proper approach to separate church from state?

Quote from: pmhausen on October 13, 2021, 07:55:45 PM
You should never mix tagged and untagged frames on the same interface. Never. Seriously.
#20
+1 to this....I was wondering the same.....I have a number of VLANs tagged to my LAN interface and it's been working fine....with firewall rules restricting cross-talk between them and LAN itself....or so I thought....

Is what is being said that general rules allow full access between VLANs on the LAN interface?

And if so, do you need to physically connect an alternate NIC port to create VLANs on them?  I have two spares just sitting dormant but never thought I needed them.....I use Ubiquiti switches and APs.....
#21
Create an alias named 'Kids' which contains all the IP addresses of the kids' devices (PCs, game consoles, ...)
Create a schedule named 'AccessDenied' with the denied timeframes
Create some rules on the firewall to block/reject any connection to/from 'Kids' during 'AccessDenied'


https://forum.netgate.com/topic/62073/internet-access-restricts-for-kids/5
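The alias/schedule/rule recipe above, worked through as an added example (this is not code from the post, from OPNsense or from the linked Netgate thread): it resolves a single packet against a 'Kids' alias and an 'AccessDenied' schedule the way the firewall would, and it handles the window that crosses midnight, which is where hand-written schedules usually go wrong. The alias members, the schedule times and the 2021 dates are assumptions chosen for the illustration.

```python
"""Added example, not from the forum post or OPNsense.

Shows how the 'Kids' alias + 'AccessDenied' schedule + block rule from the post
resolve for one packet, including the window that crosses midnight.
Alias members and schedule times are assumptions.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Alias 'Kids': only works if these hosts keep fixed addresses (static DHCP
# leases); a fresh lease would walk a device out of the alias.
KIDS = [ip_network("192.168.10.20/32"), ip_network("192.168.10.21/32"),
        ip_network("192.168.10.32/28")]   # assumed: a small block for the consoles

# Schedule 'AccessDenied': (weekdays, start, end); weekday 0 = Monday.
# An end earlier than its start means the window runs into the next day.
ACCESS_DENIED = [
    ({6, 0, 1, 2, 3}, time(21, 0), time(7, 0)),   # Sun-Thu nights
    ({4, 5}, time(23, 0), time(8, 0)),            # Fri and Sat nights
]


def in_window(ts, days, start, end):
    """True when ts falls inside one schedule entry, handling the midnight wrap."""
    t, day = ts.time(), ts.weekday()
    if start <= end:                               # same-day window
        return day in days and start <= t < end
    if day in days and t >= start:                 # late part, on the scheduled day
        return True
    return (day - 1) % 7 in days and t < end       # early part, the morning after


def is_kid(src):
    ip = ip_address(src)
    return any(ip in net for net in KIDS)


def decide(src, ts):
    """Rule order as in the post: the scheduled block rule sits above the LAN
    allow rule and matches first, so it wins while the schedule is active;
    outside the schedule the packet falls through to the allow rule."""
    if is_kid(src) and any(in_window(ts, *entry) for entry in ACCESS_DENIED):
        return "block"
    return "pass"


if __name__ == "__main__":
    for when in (datetime(2021, 11, 22, 22, 30), datetime(2021, 11, 23, 2, 0),
                 datetime(2021, 11, 27, 10, 0)):
        print(when.strftime("%a %H:%M"), decide("192.168.10.21", when))
```

One caveat the recipe does not mention: pf only consults the rules for the packet that creates a state, so a download or game session opened before 21:00 keeps flowing until its state is cleared; the block only bites immediately if existing states for the alias are flushed when the schedule becomes active.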
#22
You just need to add your router IP in the upstream and bootstrap fields in the AdGuard DNS Setup menu with the appropriate port if you're still using Unbound...I am.  So I set up Unbound to listen on port 53530 and then added the below in AdGuard:

eg. 192.168.1.1:53530

Adguard now processes and listens on all interfaces.

Works well....
#23
I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound?  It appears yes.

If it is, why use that when you can use Unbound by itself for DNS resolving?  I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare?

Thanks in advance!

Quote from: yeraycito on April 04, 2021, 08:16:42 PM
Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8     etc )

6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers  add router_ip:5353

- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

- No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

- In Opnsense - Unbound - Miscellaneous   set the desired dns servers 1.1.1.1@853     8.8.8.8@853

- Activate Unbound on port 5353

- In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
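The AdGuard-in-front-of-Unbound chain described in #22 and in the quoted "Option 1" above, as an added example (not code from either post, from OPNsense or from AdGuard Home): it writes the two halves of the chain as constructed config fragments, then lints the slips that usually break it, a port clash when Unbound is left on 53, AdGuard forwarding to a port Unbound is not listening on, and an Unbound forward-addr on 853 without the TLS switch. It also answers the question in #23 directly: with `1.1.1.1@853` style entries Unbound is a forwarder talking DNS over TLS to those servers, not a recursive resolver; with no forward-zone at all it recurses from the root itself. The router address 192.168.1.1, port 5353 and the CA bundle path are assumptions.

```python
"""Added example; not code from the posts, OPNsense or AdGuard Home.

Models the chain  client -> AdGuard Home :53 -> Unbound on the router -> DoT
upstream :853  as two constructed config fragments and lints them.
Addresses, the 5353 port and the CA bundle path are assumptions.
"""
import re

# Constructed unbound.conf: listening on 5353, forwarding everything over TLS.
# This is the forwarding leg that "1.1.1.1@853" produces; it is not recursion.
UNBOUND_FORWARDING = """\
server:
    interface: 0.0.0.0
    port: 5353
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
"""

# Same chain after a typical slip: Unbound left on 53, TLS switch forgotten.
UNBOUND_BROKEN = """\
server:
    interface: 0.0.0.0
    port: 53
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

# Constructed AdGuardHome.yaml 'dns' section pointing at the router's Unbound.
ADGUARD_DNS = """\
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  upstream_dns:
    - 192.168.1.1:5353
  bootstrap_dns:
    - 192.168.1.1:5353
"""

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_unbound(text):
    """Minimal reader for the few unbound.conf keys the check needs."""
    cfg, section = {"port": 53, "tls": False, "forwards": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and line.endswith(":"):   # server: / forward-zone:
            section = line[:-1]
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if section == "server" and key == "port":
            cfg["port"] = int(val)
        elif section == "forward-zone" and key == "forward-tls-upstream":
            cfg["tls"] = val.lower() == "yes"
        elif section == "forward-zone" and key == "forward-addr":
            cfg["forwards"].append(val)
    return cfg


def parse_adguard(text):
    """Minimal reader for the AdGuard 'dns' section (no PyYAML needed)."""
    cfg, key = {"port": 53, "upstream": [], "bootstrap": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            if key in ("upstream_dns", "bootstrap_dns"):
                cfg[key.split("_")[0]].append(line[2:].strip())
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "port" and val:
            cfg["port"] = int(val)
    return cfg


def check_chain(unbound, adguard, router_ip="192.168.1.1"):
    """Return the misconfigurations found; an empty list means the chain is consistent."""
    findings = []
    if unbound["port"] == adguard["port"]:
        findings.append(f"port clash: Unbound and AdGuard both bind :{adguard['port']}")
    for entry in adguard["upstream"]:
        m = IP_PORT.match(entry)          # tls:// or https:// upstreams are not Unbound
        if m and m.group(1) == router_ip and int(m.group(2)) != unbound["port"]:
            findings.append(f"AdGuard forwards to {entry} but Unbound listens on :{unbound['port']}")
    for addr in unbound["forwards"]:
        if "@853" in addr and not unbound["tls"]:
            findings.append(f"{addr}: TLS port without forward-tls-upstream: yes (plaintext to 853)")
        elif unbound["tls"] and "#" not in addr:
            findings.append(f"{addr}: TLS without #authname, certificate not checked against a name")
    return findings


def resolver_mode(unbound):
    """Does this Unbound resolve from the root itself, or hand queries to someone else?"""
    if not unbound["forwards"]:
        return "recursive"
    return "forwarding over TLS" if unbound["tls"] else "forwarding in plaintext"


if __name__ == "__main__":
    for name, conf in (("working", UNBOUND_FORWARDING), ("broken", UNBOUND_BROKEN)):
        u = parse_unbound(conf)
        print(name, resolver_mode(u), check_chain(u, parse_adguard(ADGUARD_DNS)) or "OK")
```

The bootstrap entry only matters when an upstream is given by hostname (tls:// or https:// forms); for an IP:port upstream like the router address it is inert, which is why the check ignores it. On OPNsense the Unbound side is generated from the GUI fields (listen port, and the DNS over TLS list in Miscellaneous), so the fragment stands in for what those fields produce rather than a file you edit by hand.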
#24
Thank you.....I did have a policy set up, but the alerts log still seemed to show that it wasn't blocked or dropped.

But I deleted that one and created a new one just in case.  FWIW, I ran a speedtest and my performance goes WAY down....since the 21.1 migration, suricata isn't playing nice....not sure why.
#25
Quote from: mimugmail on February 21, 2021, 06:39:12 AM
Quote from: HenrysCat on February 16, 2021, 12:54:06 PM
Under Services > Intrusion Detection > Administration is there an easy way to set all enabled to Drop? I have spent the best part of an hour searching to no avail; the list has 60814 entries and I can show max 1000 per page, and if I select Filters > status/enabled nothing changes.

I'm sure I'm missing something obvious but just can't find it.

Thanks all.

In Tab Downloads per category should be one

I was searching for the same functionality since the 21.1 migration.  I haven't found one yet and there is nothing shown in the Downloads tab of note.....has anyone solved this yet?  Seems pointless that an IDS/IPS can't prevent without hours of mindless clicking 'enable'.....
#26
Posted in the Suricata sub-board, but it certainly appears that Suricata performance has degraded with the 21.1 upgrade.

In my case, my Xbox access to Gamepass basically became Null with Suricata enabled and back to normal (~500MBit/s) disabled....no performance issues prior to the OPN upgrade, same rules (ALL) etc.

I tried disabling the new policy approach but it didn't seem to matter.

FWIW....
#27
+1 to this issue.

Updated to 21.1 without issue...however noticed the Xbox X had issues with DLing from Gamepass on attempt last night.  Thought it was a MS issue, but today the same.

Turned Suricata off and all is back to normal....turn it back on and DL hangs.....turn it back off and DL resumes.

Worked flawlessly prior to 21.1 upgrade so I would say that something broke in the back end.  FWIW
#28
General Discussion / Help w/ VLAN and End Client
November 17, 2020, 07:10:42 PM
Hi all,

Apologies for the simpleton question, however I'm the proud owner of a new XSX and am looking to set it up with Live.

I have a VLAN created but am having issues in breaking the lease from the stock LAN DHCP service and associating it with my XBOX service (so then I can create a static address for DMZing).

What am I missing....any thoughts or help would be appreciated!  Thanks in advance
#29
FWIW...I'm using 82575 based cards and no issues so far....that said, just built my box and just recently started using OPN so who knows at this point.....wanted better/newer cards, but couldn't force myself to spend the extra money on the newer ones.....maybe that'll come back to bite me   :P
#30
General Discussion / Re: OPNSense and ClamAV
October 07, 2020, 04:06:05 PM
Thanks all.....I think the topic deviated a bit to the email stream (I myself use Protonmail, through Thunderbird, the bridge works quite well!).

That said, I'm still a bit confused on the AV use on http(s) based stuff...since if Clam doesn't scan http(s) sites or files based on them, and most modern browsers force https then what value does Clam really provide....any thoughts?