Messages - Inxsible

91
Virtual private networks / Re: Understanding VPNs in OPNsense
« on: March 24, 2021, 11:26:25 pm »
Quote from: bartjsmit on March 24, 2021, 10:47:18 pm
Not sure clients behind CGNAT is a showstopper: https://itectec.com/superuser/site-to-site-vpn-with-cgnat/

I read that same thing over on StackExchange. I am just trying to see what options are available to me so that I can choose one which is the least hassle.

Would ZeroTier work for me in this case? Maybe even forgo VPN completely and just use ZeroTier networks to connect the 3 sites together? I see that a plugin for ZeroTier is available in OPNsense as well...

How is ZeroTier different from a VPN -- does all the traffic go via ZeroTier servers if I were to sign up for a free account? More importantly, is this traffic encrypted and does it follow Zero Trust?

I am learning so much new stuff about different types of networking terminologies and technologies that my head is swimming. Seems like I go into the rabbit hole of reading up on a million things but am still nowhere closer to the actual goal of "being able to access the LAN networks of the 3 sites seamlessly".

92
Virtual private networks / Re: Understanding VPNs in OPNsense
« on: March 24, 2021, 09:42:45 pm »
Right, the devices are with me and I will configure them before I deploy.

Just confirmed that my parents' ISP uses CGNAT for IPv4 -- so that's a roadblock for Site-to-Site VPN. Will have to see what can be done about it.

  • Change ISP -- but usually the choice is very limited
  • Ask ISP for a public IPv6 address (apparently free as per online forums) -- problem would then be translation from my IPv4 as I use IPv4 exclusively
  • VPS maybe and then have the 3 sites connect to the VPS as the VPN server possibly

Need to read up and understand a lot more, I guess.


93
21.1 Legacy Series / Re: Can not install 21.1 from USB Stick
« on: March 24, 2021, 06:08:31 pm »
Yes, you should even try creating the install USB when connected to USB2. IIRC, I had trouble with my USB only because I created it when connected to USB3.

94
21.1 Legacy Series / Re: Can not install 21.1 from USB Stick
« on: March 24, 2021, 04:12:04 pm »
Have you tried using a different USB stick? I remember I had some issues with a particular USB and it just would get stuck during installation at 38%.

Once I created a different install USB, it worked. You can also try creating the USB with a different program. I was using Linux, so I just dd'ed the img file onto the USB.

95
21.1 Legacy Series / Re: Moving config
« on: March 24, 2021, 04:05:38 pm »
In addition to the console, wouldn't your APU have different NICs and therefore drivers as compared to your PC?

You would usually need to also change the interfaces-- say from igb0 to em0 or re0 etc etc. -- in the XML file. What NICs do you have on the APU and the PC?

96
21.1 Legacy Series / Re: pfsense migrant with a few issues.
« on: March 24, 2021, 03:53:27 pm »
For the UPS, make sure that all the other drivers are not enabled. I use the SNMP driver, but for some reason, my usbhid driver was also enabled. It might not be the case with you, but still might be worthwhile double checking.

Alternatively, have you tried connecting to the appropriate port instead of using auto?
  port=/dev/ttyXX
For SNMP, I had to explicitly set
  port=<UPS network card IP>
even though my UPS continuously broadcasts its presence on that IP. Auto didn't work for me in SNMP.

97
Virtual private networks / Re: Understanding VPNs in OPNsense
« on: March 24, 2021, 03:37:49 pm »
Thanks Bart for the detailed response.

Quote from: bartjsmit on March 24, 2021, 10:01:57 am
Site-to-site is easier if you have a lot of clients (i.e. devices) that are fixed to the site. E.g. if your family mainly connect from fixed desktop PC's. If everybody uses phones, laptops, tablets, etc. to connect, then a road warrior VPN gives them freedom to roam.
That's great. One more aim is to set up a backup TrueNAS server at either or both houses with replication. I guess Site-to-Site would be better the more I read and understand it.

Quote from: bartjsmit on March 24, 2021, 10:01:57 am
You only need to set one location with dynamic DNS (yours most obviously) as the VPN hub. All other endpoints can be VPN clients. If you only have one public IP address, you need to set different port numbers for the OpenVPN servers.
Great. I will use different ports for each site to connect via.

Quote from: bartjsmit on March 24, 2021, 10:01:57 am
You don't need to redirect their default gateway to the VPN tunnel. You can push out a route to your subnet(s) to the VPN client and they will only send traffic for those subnets over the VPN.
Of course... I should have thought about that. Late night when I posted.. so brain wasn't fully functional.

Quote from: bartjsmit on March 24, 2021, 10:01:57 am
Quote from: Inxsible on March 24, 2021, 07:57:25 am
If so, would a Site-to-Site VPN be an "always-on" solution or can it be connected/disconnected by clicking a button(family is not into IT at all)?

Site-to-site is easier, provided you have access to the remote OPNsense interface. More video calls ;)
Not quite clear on this. If the VPN is not connected, I wouldn't have access to my family's opnsense interface. So they would have to initiate the VPN connection. Are you suggesting that I just do an "always-on" Site-to-Site such that they can access my services whenever they want without intervention? Does it even make sense to use the connect/disconnect model, given that they would be using their bandwidth for all other stuff except when they are using the services that I host?

Quote from: bartjsmit on March 24, 2021, 10:01:57 am
Quote from: Inxsible on March 24, 2021, 07:57:25 am
  • Finally, for the given use case, would it be better to use OpenVPN or IPSec for Site-to-Site VPN setup?
OpenVPN is much easier to set up, whereas IPSec benefits from being included in many OS as standard. YMMV

Take a good look at the LAN subnet ranges. This may prove impossible if everybody has 192.168.0.0/24 set on their routers  ???

Bart...
Inclusion in the OS is not a huge criterion because I want them to be able to access my network only when they are on their local network -- not when they are on the road (too technical for them to comprehend). So if the routes are pushed through such that their OPNsense instance can communicate with mine, then all the devices behind that instance should be able to connect too.

As for the LAN subnet ranges, I will be replacing their ISP provided routers with opnsense -- so I can control what IP ranges they will be on after deployment. I have already set up their opnsense with a different subnet.... the last piece of the puzzle is this VPN setup before deployment.


Thanks again.
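The three points quoted from bartjsmit above (push routes to your own subnets instead of redirecting the default gateway, a distinct port for each OpenVPN server when there is only one public IP, and LAN ranges that must not overlap) can be checked before anything is deployed. The following is an added Python planning check, not code from this thread or from OPNsense; the site names, subnets and ports are constructed assumptions.

```python
import ipaddress

# Constructed topology for three homes, each behind its own OPNsense box.
# "hub" is the site with the dynamic-DNS name and the public IPv4 address;
# the other two sites dial in as OpenVPN clients, each to its own server
# instance on the hub.  Subnets and ports are assumptions for this example.
SITES = {
    "hub":     {"lan": "192.168.10.0/24"},
    "parents": {"lan": "192.168.20.0/24", "server_port": 1195},
    "sister":  {"lan": "192.168.30.0/24", "server_port": 1196},
}

# A deliberately broken variant: the sister's LAN sits inside the parents' LAN.
BAD_OVERLAP = dict(SITES, sister={"lan": "192.168.20.128/25", "server_port": 1196})


def lan_networks(sites):
    """Parse every site's LAN and refuse any pair that overlaps.

    Overlapping LANs (everyone on 192.168.0.0/24) cannot be routed across a
    site-to-site tunnel: each kernel prefers its directly connected subnet,
    so packets meant for the far side never enter the tunnel.
    """
    nets = {name: ipaddress.ip_network(s["lan"], strict=True) for name, s in sites.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} LAN {nets[a]} overlaps {b} LAN {nets[b]}")
    return nets


def push_routes(sites, hub="hub"):
    """Per spoke: the port of its server instance on the hub and the
    `push "route ..."` lines that instance sends.

    Only the hub LAN is pushed, never a default route, so a spoke sends just
    hub-bound traffic through the tunnel and keeps ordinary browsing on its
    own uplink.  Ports must be unique because all instances share one public IP.
    """
    nets = lan_networks(sites)
    hub_net = nets[hub]
    plan, used_ports = {}, {}
    for spoke, s in sites.items():
        if spoke == hub:
            continue
        port = s["server_port"]
        if port in used_ports:
            raise ValueError(f"port {port} used by both {used_ports[port]} and {spoke}")
        used_ports[port] = spoke
        plan[spoke] = {
            "port": port,
            "push": [f'push "route {hub_net.network_address} {hub_net.netmask}"'],
        }
    return plan


def plan_is_valid(sites, hub="hub"):
    """True when a plan can be built from `sites`; handy as a pre-deployment gate."""
    try:
        push_routes(sites, hub)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spoke, entry in push_routes(SITES).items():
        print(f"{spoke}: server port {entry['port']}")
        for line in entry["push"]:
            print("   ", line)
    print("overlapping variant accepted?", plan_is_valid(BAD_OVERLAP))
```

The pushed routes cover the spoke-to-hub direction only; the hub reaching a spoke's LAN (or two spokes reaching each other for NAS replication) additionally needs per-client routes on the hub, which this check does not model.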

98
Virtual private networks / Understanding VPNs in OPNsense
« on: March 24, 2021, 07:57:25 am »
Having moved over to OPNsense, I am now providing OPNsense boxes to my family half way across the world. There would be a total of 3 sites --
  • Mine
  • my parents' house
  • my sister's house

I was thinking of setting up VPN access such that it would allow them to connect to a bunch of my servers like Nextcloud, Bitwarden etc. and use these services that I host on my local network. It would also allow me to remotely log in to their networks in case I need to "fix" something there.

  • I already have a Road-warrior VPN server set up for when I want to access my network from the road; I could create user names for my family members to be able to log into my VPN server. Similarly I could set up a VPN server on their OPNsense and do the same. Would that work, or would a Site-to-Site VPN be better than the Road-warrior style solution for this?
  • Secondly, because these are all home networks, there's no question of static IPs. How would this work with dynamic IPs? Would all 3 sites need separate DynDNS accounts so that a change in the WAN IP wouldn't require someone to manually go in and change the IP addresses in the VPN server and client settings?
  • Thirdly, I have a 100 down / 5 up cable connection. Once they connect to my VPN server -- whether Road-Warrior style or Site-To-Site -- would they be using my bandwidth for anything that they do on their end -- even internet browsing? If so, would a Site-to-Site VPN be an "always-on" solution or can it be connected/disconnected by clicking a button (family is not into IT at all)?
  • Finally, for the given use case, would it be better to use OpenVPN or IPSec for Site-to-Site VPN setup?

I know these questions are basic but I can't find definitive answers or maybe my google-fu is weak today.

Thanks for your time.

99
General Discussion / Re: Unbound --- fatal error: Could not set up local zones
« on: March 18, 2021, 03:48:57 pm »
I disabled all the built-in blocklists and started Unbound and that worked. I have 4 additional blocklists. Then I enabled the built-in lists one after the other, and reloaded Unbound. Each time, it started up just fine. I now have all the blocklists enabled just the way I had it before Unbound crashed.

I guess, due to my cron job, it updated the blocklists and either
  • one of them had some bad data which caused an issue. That must have been resolved by the list maintainer OR
  • my local DNS cache had some bad data which got flushed when I removed all the blocklists



100
General Discussion / Re: Unbound --- fatal error: Could not set up local zones
« on: March 18, 2021, 03:23:53 pm »
Quote from: hushcoden on March 18, 2021, 08:27:57 am
I've got a similar issue - https://forum.opnsense.org/index.php?topic=22092.0

Will try this weekend what @Fright suggested.
Thanks @hushcoden, it was a blocklist issue. I removed all blocklists and Unbound starts up. I will now try to set 1 at a time to see which blocklist is problematic.

Will update this thread....

101
General Discussion / Re: Unbound --- fatal error: Could not set up local zones
« on: March 18, 2021, 06:49:23 am »
I also tried updating from 21.1.2 --> 21.1.3_3. The update went fine, but after the reboot, I disabled DNSMasq and tried enabling Unbound, but it still does not want to start up

Please help....

102
General Discussion / Unbound --- fatal error: Could not set up local zones
« on: March 17, 2021, 04:43:15 pm »
I set up a cron job last night for auto updating the Unbound DNSBLs but did not set any parameters (should I have?)

Cut to 8AM -- time for a work meeting and I find out that I don't have internet access. I try to get to my firewall using the host name and I cannot. Then I just use the IP and I get in to find out that Unbound is not running. Clicked start a few times but no luck. Rebooted the firewall -- still the same.

I checked the logs and I see that it was running fine until 6AM -- the time set for the auto update of Unbound DNSBLs. Here's the log from a little before 6AM onwards.

2021-03-17T08:35:50 unbound[67148] [67148:0] fatal error: Could not set up local zones
2021-03-17T08:35:50 unbound[67148] [67148:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:35:50 unbound[67148] [67148:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:26:37 unbound[70411] blacklist download done in 219.86 seconds (3167171 records)
2021-03-17T08:26:30 unbound[70411] blacklist download https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt (lines: 368 exclude: 0 black: 357
2021-03-17T08:26:30 unbound[70411] blacklist download https://phishing.army/download/phishing_army_blocklist_extended.txt (lines: 24673 exclude: 0 black: 24661
2021-03-17T08:26:29 unbound[70411] blacklist download https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt (lines: 254 exclude: 0 black: 243
2021-03-17T08:26:26 unbound[70411] blacklist download https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt (lines: 2053 exclude: 0 black: 2053
2021-03-17T08:26:26 unbound[70411] blacklist download http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext (lines: 3575 exclude: 0 black: 3561
2021-03-17T08:26:25 unbound[70411] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt (lines: 254 exclude: 0 black: 248
2021-03-17T08:26:25 unbound[70411] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt (lines: 538 exclude: 0 black: 532
2021-03-17T08:26:24 unbound[70411] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt (lines: 382 exclude: 0 black: 376
2021-03-17T08:26:24 unbound[70411] blacklist download https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (lines: 73832 exclude: 5 black: 67412
2021-03-17T08:26:23 unbound[70411] blacklist download https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt (lines: 38 exclude: 0 black: 34
2021-03-17T08:26:23 unbound[70411] blacklist download https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt (lines: 2705 exclude: 0 black: 2701
2021-03-17T08:26:23 unbound[70411] blacklist download https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (lines: 11868 exclude: 0 black: 11868
2021-03-17T08:26:22 unbound[70411] blacklist download https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt (lines: 689 exclude: 0 black: 689
2021-03-17T08:26:22 unbound[70411] blacklist download https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt (lines: 11087 exclude: 0 black: 11087
2021-03-17T08:26:22 unbound[70411] blacklist download https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt (lines: 16657 exclude: 0 black: 16657
2021-03-17T08:26:22 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/youtube.txt (lines: 24295 exclude: 0 black: 24280
2021-03-17T08:26:22 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/youtube.txt (lines: 24295 exclude: 0 black: 24280
2021-03-17T08:26:21 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/tracking.txt (lines: 15083 exclude: 0 black: 15057
2021-03-17T08:26:21 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/torrent.txt (lines: 2204 exclude: 0 black: 2187
2021-03-17T08:26:21 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/tiktok.txt (lines: 38 exclude: 0 black: 23
2021-03-17T08:26:21 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/scam.txt (lines: 1191 exclude: 0 black: 1176
2021-03-17T08:26:11 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/redirect.txt (lines: 108661 exclude: 1 black: 108644
2021-03-17T08:25:59 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/ransomware.txt (lines: 1918 exclude: 0 black: 1903
2021-03-17T08:25:49 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/porn.txt (lines: 1906837 exclude: 0 black: 1906820
2021-03-17T08:25:18 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/piracy.txt (lines: 2143 exclude: 0 black: 2128
2021-03-17T08:25:07 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/phishing.txt (lines: 189988 exclude: 0 black: 189956
2021-03-17T08:24:55 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/malware.txt (lines: 456347 exclude: 1 black: 456265
2021-03-17T08:24:40 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/gambling.txt (lines: 2353 exclude: 0 black: 2338
2021-03-17T08:24:30 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/facebook.txt (lines: 22477 exclude: 0 black: 22461
2021-03-17T08:24:19 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/fraud.txt (lines: 196047 exclude: 0 black: 196026
2021-03-17T08:24:07 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/drugs.txt (lines: 26605 exclude: 0 black: 26590
2021-03-17T08:24:02 unbound[16212] [16212:0] fatal error: Could not set up local zones
2021-03-17T08:24:02 unbound[16212] [16212:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:24:02 unbound[16212] [16212:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:23:57 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/crypto.txt (lines: 23813 exclude: 0 black: 23779
2021-03-17T08:23:46 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/ads.txt (lines: 154715 exclude: 1 black: 154612
2021-03-17T08:23:34 unbound[70411] blacklist download https://blocklistproject.github.io/Lists/abuse.txt (lines: 455123 exclude: 1 black: 455045
2021-03-17T08:23:19 unbound[70411] blacklist download https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt (lines: 37377 exclude: 0 black: 37377
2021-03-17T08:23:08 unbound[70411] blacklist download https://adaway.org/hosts.txt (lines: 12854 exclude: 2 black: 8677
2021-03-17T08:22:57 unbound[70411] blacklist download : exclude domains matching nordvpn.com|.*localhost$|^(?![a-zA-Z\d]).*
2021-03-17T08:20:33 unbound[85818] [85818:0] fatal error: Could not set up local zones
2021-03-17T08:20:33 unbound[85818] [85818:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:20:33 unbound[85818] [85818:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:20:13 unbound[73962] [73962:0] fatal error: Could not set up local zones
2021-03-17T08:20:13 unbound[73962] [73962:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:20:13 unbound[73962] [73962:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:19:29 unbound[42707] [42707:0] fatal error: Could not set up local zones
2021-03-17T08:19:29 unbound[42707] [42707:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:19:29 unbound[42707] [42707:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:16:45 unbound[37842] [37842:0] fatal error: Could not set up local zones
2021-03-17T08:16:45 unbound[37842] [37842:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:16:45 unbound[37842] [37842:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:16:22 unbound[68453] [68453:0] fatal error: Could not set up local zones
2021-03-17T08:16:22 unbound[68453] [68453:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:16:22 unbound[68453] [68453:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:15:53 unbound[50217] [50217:0] fatal error: Could not set up local zones
2021-03-17T08:15:53 unbound[50217] [50217:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:15:53 unbound[50217] [50217:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:12:10 unbound[65526] [65526:0] fatal error: Could not set up local zones
2021-03-17T08:12:10 unbound[65526] [65526:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:12:10 unbound[65526] [65526:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:06:54 unbound[51151] [51151:0] fatal error: Could not set up local zones
2021-03-17T08:06:54 unbound[51151] [51151:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:06:54 unbound[51151] [51151:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:05:41 unbound[52358] [52358:0] fatal error: Could not set up local zones
2021-03-17T08:05:41 unbound[52358] [52358:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:05:41 unbound[52358] [52358:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:05:32 unbound[74165] [74165:0] fatal error: Could not set up local zones
2021-03-17T08:05:32 unbound[74165] [74165:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:05:32 unbound[74165] [74165:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:04:03 unbound[94369] [94369:0] fatal error: Could not set up local zones
2021-03-17T08:04:03 unbound[94369] [94369:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:04:03 unbound[94369] [94369:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:01:50 unbound[7195] [7195:0] fatal error: Could not set up local zones
2021-03-17T08:01:50 unbound[7195] [7195:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:01:50 unbound[7195] [7195:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T08:00:14 unbound[88755] [88755:0] fatal error: Could not set up local zones
2021-03-17T08:00:14 unbound[88755] [88755:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T08:00:14 unbound[88755] [88755:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T07:59:31 unbound[35216] [35216:0] fatal error: Could not set up local zones
2021-03-17T07:59:31 unbound[35216] [35216:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T07:59:31 unbound[35216] [35216:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T06:01:09 unbound[86390] [86390:0] fatal error: Could not set up local zones
2021-03-17T06:01:09 unbound[86390] [86390:0] error: Bad local-data RR clinicatra&ntilde;a.com A 0.0.0.0
2021-03-17T06:01:09 unbound[86390] [86390:0] error: error parsing local-data at 33 'clinicatra&ntilde;a.com A 0.0.0.0': Syntax error, could not parse the RR's TTL
2021-03-17T06:01:06 unbound[86390] [86390:0] notice: Restart of unbound 1.13.1.
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 32.000000 64.000000 5
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 4.000000 8.000000 1
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 2.000000 4.000000 6
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 1.000000 2.000000 11
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.524288 1.000000 53
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.262144 0.524288 200
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.131072 0.262144 782
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.065536 0.131072 1362
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.032768 0.065536 1322
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.016384 0.032768 1020
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.008192 0.016384 169
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.004096 0.008192 51
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.002048 0.004096 32
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.001024 0.002048 18
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000512 0.001024 5
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000256 0.000512 3
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000128 0.000256 2
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000064 0.000128 1
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000032 0.000064 1
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000000 0.000001 94
2021-03-17T06:01:06 unbound[86390] [86390:0] info: lower(secs) upper(secs) recursions
2021-03-17T06:01:06 unbound[86390] [86390:0] info: [25%]=0.030977 median[50%]=0.0618428 [75%]=0.120173
2021-03-17T06:01:06 unbound[86390] [86390:0] info: histogram of recursion processing times
2021-03-17T06:01:06 unbound[86390] [86390:0] info: average recursion processing time 0.142660 sec
2021-03-17T06:01:06 unbound[86390] [86390:0] info: server stats for thread 1: requestlist max 28 avg 0.751369 exceeded 0 jostled 0
2021-03-17T06:01:06 unbound[86390] [86390:0] info: server stats for thread 1: 21594 queries, 16456 answers from cache, 5138 recursions, 525 prefetch, 0 rejected by ip ratelimiting
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 8.000000 16.000000 1
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 4.000000 8.000000 1
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 2.000000 4.000000 10
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 1.000000 2.000000 11
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.524288 1.000000 45
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.262144 0.524288 203
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.131072 0.262144 1097
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.065536 0.131072 1732
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.032768 0.065536 1655
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.016384 0.032768 1374
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.008192 0.016384 626
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.004096 0.008192 29
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.002048 0.004096 18
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.001024 0.002048 14
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000512 0.001024 6
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000256 0.000512 3
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000128 0.000256 4
2021-03-17T06:01:06 unbound[86390] [86390:0] info: 0.000000 0.000001 92
2021-03-17T06:01:06 unbound[86390] [86390:0] info: lower(secs) upper(secs) recursions
2021-03-17T06:01:06 unbound[86390] [86390:0] info: [25%]=0.027572 median[50%]=0.0583983 [75%]=0.117365
2021-03-17T06:01:06 unbound[86390] [86390:0] info: histogram of recursion processing times
2021-03-17T06:01:06 unbound[86390] [86390:0] info: average recursion processing time 0.095083 sec
2021-03-17T06:01:06 unbound[86390] [86390:0] info: server stats for thread 0: requestlist max 23 avg 0.573792 exceeded 0 jostled 0
2021-03-17T06:01:06 unbound[86390] [86390:0] info: server stats for thread 0: 23701 queries, 16780 answers from cache, 6921 recursions, 573 prefetch, 0 rejected by ip ratelimiting
2021-03-17T06:01:03 unbound[86390] [86390:0] info: service stopped (unbound 1.13.1).
2021-03-17T06:00:56 unbound[93084] blacklist download done in 55.49 seconds (3167151 records)
2021-03-17T06:00:48 unbound[93084] blacklist download https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt (lines: 368 exclude: 0 black: 357
2021-03-17T06:00:48 unbound[93084] blacklist download https://phishing.army/download/phishing_army_blocklist_extended.txt (lines: 24673 exclude: 0 black: 24661
2021-03-17T06:00:48 unbound[93084] blacklist download https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt (lines: 254 exclude: 0 black: 243
2021-03-17T06:00:47 unbound[93084] blacklist download https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt (lines: 2053 exclude: 0 black: 2053
2021-03-17T06:00:47 unbound[93084] blacklist download http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext (lines: 3575 exclude: 0 black: 3561
2021-03-17T06:00:46 unbound[93084] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt (lines: 254 exclude: 0 black: 248
2021-03-17T06:00:46 unbound[93084] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt (lines: 538 exclude: 0 black: 532
2021-03-17T06:00:46 unbound[93084] blacklist download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt (lines: 382 exclude: 0 black: 376
2021-03-17T06:00:46 unbound[93084] blacklist download https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (lines: 73832 exclude: 5 black: 67412
2021-03-17T06:00:45 unbound[93084] blacklist download https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt (lines: 38 exclude: 0 black: 34
2021-03-17T06:00:44 unbound[93084] blacklist download https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt (lines: 2705 exclude: 0 black: 2701
2021-03-17T06:00:44 unbound[93084] blacklist download https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (lines: 11868 exclude: 0 black: 11868
2021-03-17T06:00:43 unbound[93084] blacklist download https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt (lines: 689 exclude: 0 black: 689
2021-03-17T06:00:43 unbound[93084] blacklist download https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt (lines: 11072 exclude: 0 black: 11072
2021-03-17T06:00:43 unbound[93084] blacklist download https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt (lines: 16651 exclude: 0 black: 16651
2021-03-17T06:00:43 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/youtube.txt (lines: 24295 exclude: 0 black: 24280
2021-03-17T06:00:42 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/tracking.txt (lines: 15083 exclude: 0 black: 15057
2021-03-17T06:00:42 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/torrent.txt (lines: 2204 exclude: 0 black: 2187
2021-03-17T06:00:42 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/tiktok.txt (lines: 38 exclude: 0 black: 23
2021-03-17T06:00:42 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/scam.txt (lines: 1191 exclude: 0 black: 1176
2021-03-17T06:00:42 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/redirect.txt (lines: 108661 exclude: 1 black: 108644
2021-03-17T06:00:40 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/ransomware.txt (lines: 1918 exclude: 0 black: 1903
2021-03-17T06:00:40 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/porn.txt (lines: 1906837 exclude: 0 black: 1906820
2021-03-17T06:00:20 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/piracy.txt (lines: 2143 exclude: 0 black: 2128
2021-03-17T06:00:20 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/phishing.txt (lines: 189988 exclude: 0 black: 189956
2021-03-17T06:00:17 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/malware.txt (lines: 456347 exclude: 1 black: 456265
2021-03-17T06:00:12 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/gambling.txt (lines: 2353 exclude: 0 black: 2338
2021-03-17T06:00:12 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/facebook.txt (lines: 22477 exclude: 0 black: 22461
2021-03-17T06:00:12 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/fraud.txt (lines: 196047 exclude: 0 black: 196026
2021-03-17T06:00:09 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/drugs.txt (lines: 26605 exclude: 0 black: 26590
2021-03-17T06:00:09 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/crypto.txt (lines: 23813 exclude: 0 black: 23779
2021-03-17T06:00:09 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/ads.txt (lines: 154715 exclude: 1 black: 154612
2021-03-17T06:00:07 unbound[93084] blacklist download https://blocklistproject.github.io/Lists/abuse.txt (lines: 455123 exclude: 1 black: 455045
2021-03-17T06:00:02 unbound[93084] blacklist download https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt (lines: 37362 exclude: 0 black: 37362
2021-03-17T06:00:01 unbound[93084] blacklist download https://adaway.org/hosts.txt (lines: 12854 exclude: 2 black: 8677
2021-03-17T06:00:00 unbound[93084] blacklist download : exclude domains matching ^(?![a-zA-Z\d]).*|.*localhost$|nordvpn.com
2021-03-16T22:03:29 unbound[86390] [86390:0] info: generate keytag query _ta-4f66. NULL IN
2021-03-16T11:14:44 unbound[86390] [86390:0] info: generate keytag query _ta-4f66. NULL IN

The re-download of the blacklists at 8:24 AM is because I disabled Unbound and enabled DNSMasq and then switched back to Unbound again. But even that didn't work.

As of right now, I have DNSMasq enabled, so I have internet access but I cannot access any of my internal services (nextcloud, etc.) using the host names -- even though the DNSMasq logs indicate that it is reading 26 addresses from /var/etc/dnsmasq-hosts.
Code:
2021-03-17T11:03:20 dnsmasq[4489] read /etc/hosts - 2 addresses
2021-03-17T11:03:20 dnsmasq[4489] read /var/etc/dnsmasq-hosts - 26 addresses
2021-03-17T11:03:20 dnsmasq[4489] read /etc/hosts - 2 addresses
2021-03-17T11:02:02 dnsmasq[4489] read /var/etc/dnsmasq-hosts - 26 addresses

  • How do I flush DNS cache and get Unbound to start up again?
  • Was the cron job responsible for killing Unbound? If so, how would I set up the cron job so that the blacklists would be updated but not kill Unbound at the same time?

I have already tried to start Unbound & rebooted the firewall without any luck. I have also ssh'ed into the firewall, but any command I try for unbound using
Code:
unbound-control reload/start/status/flush_bogus
etc. simply results in a timeout because the unbound service just doesn't start up.

Thank you for your time...
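To make sense of the "lines / exclude / black" counts in the unbound log above, here is an added example (not OPNsense's own blacklist code) that applies the same exclude pattern to a constructed blocklist sample; it assumes the pattern is tested with a start-anchored match against the parsed domain rather than against the raw line.

```python
import re

# Exclude pattern exactly as it appears in the unbound log above.
# Assumption: each alternative is tried with re.match, i.e. anchored at the
# start of the parsed domain name (not the raw hosts-file line).
EXCLUDE_PATTERN = r"^(?![a-zA-Z\d]).*|.*localhost$|nordvpn.com"
EXCLUDE_RE = re.compile(EXCLUDE_PATTERN)

# Constructed sample in the hosts-file format used by adaway.org/hosts.txt.
# Bare "domain" lines (blocklistproject style) are parsed the same way.
SAMPLE_LIST = """\
# AdAway default blocklist (constructed sample)
127.0.0.1  localhost
::1  localhost
127.0.0.1  ads.example.test
127.0.0.1  tracker.example.test
0.0.0.0  nordvpn.com
0.0.0.0  cdn.nordvpn.com
127.0.0.1  ads.example.test
"""


def parse_entry(line):
    """Return the domain named on one blocklist line, or None for blank or
    comment-only lines. Accepts "ip domain" hosts format and bare domains."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    return (fields[-1] if len(fields) > 1 else fields[0]).lower()


def apply_blocklist(text, exclude_re=EXCLUDE_RE):
    """Mimic the per-list summary: total lines read, entries dropped by the
    exclude pattern, and the number of unique domains left to blackhole."""
    lines = text.splitlines()
    blocked = set()
    excluded = 0
    for raw in lines:
        domain = parse_entry(raw)
        if domain is None:
            continue  # comments and blank lines are neither excluded nor blocked
        if exclude_re.match(domain):
            excluded += 1
            continue
        blocked.add(domain)  # duplicates collapse, so "black" can be < "lines"
    return {"lines": len(lines), "exclude": excluded,
            "black": len(blocked), "domains": sorted(blocked)}
```

Under that anchoring assumption the `nordvpn.com` alternative only spares entries that begin with that string, so a subdomain such as cdn.nordvpn.com is still blocked; a pattern like `(^|\.)nordvpn\.com$` would be needed to spare the whole zone.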

103
General Discussion / Re: firewall allowing WAN to connect to Google DNS servers
« on: March 05, 2021, 03:43:59 am »
Thanks again @Greenlan

104
General Discussion / Re: Migrating to opnsense
« on: March 05, 2021, 12:53:24 am »
In the same boat!! I am into day 4 of my migration from pfSense to Opnsense. What are you migrating from?

As for your question, you can definitely access your OPT1 via your LAN as long as you set up the correct rule. I do it in reverse. I keep my NVR on the LAN itself, and the cameras & ROKU on separate VLANs. I have my IOT devices connect to my media server on the LAN, and also my CCTV (cameras) connect to my NVR on the LAN.
Here's an example of my rules for the IOT VLAN to be able to connect to my media server.


So you should have 2 Allow rules on your OPT1 network:
Protocol: IPv4 TCP+UDP
Source: Single address -- 192.168.1.118
Port: any
Destination: Single address -- 192.168.2.3
Port: 22 (you can select the SSH option which will default to 22 -- but if you are using port obfuscation then put in the correct port where your SSH server listens on the NVR).

Create another for Dest Port 80 (http) or 443 (https) and you should be able to access the NVR from your PC on 192.168.1.118.

105
General Discussion / Re: firewall allowing WAN to connect to Google DNS servers
« on: March 05, 2021, 12:34:01 am »
Quote from: Greelan on March 05, 2021, 12:00:59 am
Bit hard to tell without seeing all the relevant bits of the setup, packet traces etc (and I don’t want to see them lol). Bear in mind that what unbound is doing depends on whether it is a recursive or forwarding resolver. If recursive, it won’t just be contacting the root servers, but a whole array of nameservers out there as it recursively resolves names. So you will see requests to Google, Cloudflare etc etc
That probably is what it is then. I have unbound set up as a resolver and not a forwarder.

Last question: I know that Automatic rules have higher priority, but are auto-generated Non-Quick Floating rules matched before the Quick rules on any interface?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved