Messages - abulafia

#151
I'll put it here in case someone finds it useful:

IDS (Suricata) in promiscuous mode and VLANs work under 21.7.1, if you (1) disable VLAN hardware filtering AND (2) reboot.

The latter (reboot) is often not explicitly stated and has caused me woes ...
#152
I also had more success with

content<space>=<space>alert

i.e. without using quotation marks ""
#153
21.7 Legacy Series / Re: Unbound behavior in General
August 08, 2021, 08:22:44 PM
Yeah, behaviour is the same -- Unbound is a resolver by nature, whether running on pfsense or opnsense (or any other OS). It won't "forward" unless you tell it to.

Quote from: mfpck on August 08, 2021, 05:39:05 PM
Further, I am pretty curious about the DNS behaviour if I start using Unbound DNS: DNS over TLS. Does this overrule all other DNS-related settings, and if so, in which way?
Yes. In my (limited but existing) experience, DNS over TLS mode turns Unbound into a forwarder (via DNS-over-TLS) and causes it to ignore the other settings.
#154
FYI, I have opened a bug on the issue tracker: https://github.com/opnsense/core/issues/5150
#155
Quote from: ollibraun on August 08, 2021, 02:17:26 PM
I would delete the following two directories (via SSH access):

/usr/local/etc/suricata/opnsense.rules
/usr/local/etc/suricata/rules

Then reboot and download again.
Thank you -- downloading works (same as before) but the IDS -> Administration -> Rules tab still shows
No results found!

and enabling Suricata shows GUI error "Error loading IDS rules" (or something like that, copy&pasting the error did not work)

Log does not help:
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb3': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb2': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb1': pkts: 22674, drop: 0 (0.00%), invalid chksum: 227
2021-08-08T13:46:08 suricata[49327] [100545] <Notice> -- Signal Received. Stopping engine.
#156
Problems here as well -- after the upgrade to 21.7, I wanted to try IDS again.

Rulesets are apparently downloaded, but the "rules" tab shows no rules, Suricata throws error messages about being unable to import rules, and the log shows

2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules
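The two failure modes raised in these posts (rules downloaded but none loaded, and an IDS interface that sees zero packets while VLAN hardware filtering is still on) are both visible in the Suricata log lines quoted above. The following added example, not from the forum or the OPNsense project, parses such lines into a small health report; the sample log is constructed from the excerpts in the posts, and the regexes are assumed to match the log format shown here.

```python
import re

# Constructed sample, shaped like the Suricata log excerpts quoted in the posts
# (not live data): two idle sensor interfaces, one active one with checksum
# errors, and the two rule-loading warnings.
SAMPLE_LOG = """\
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb3': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb2': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb1': pkts: 22674, drop: 0 (0.00%), invalid chksum: 227
2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules
"""

# Per-interface stats line printed at engine shutdown (format as quoted above).
STATS_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+) "
    r"\([^)]*\), invalid chksum: (?P<chksum>\d+)"
)
# Suricata error-code warnings, e.g. [ERRCODE: SC_ERR_NO_RULES(42)] - message
ERR_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")


def triage(log_text):
    """Summarise a Suricata log excerpt: rule-loading errors, interfaces that
    saw no packets (sensor not actually receiving traffic), and interfaces
    reporting invalid checksums (a hint that NIC offloading is still on)."""
    findings = {"rule_errors": [], "idle_ifaces": [], "chksum_ifaces": {}}
    for line in log_text.splitlines():
        m = STATS_RE.search(line)
        if m:
            if int(m["pkts"]) == 0:
                findings["idle_ifaces"].append(m["iface"])
            if int(m["chksum"]) > 0:
                findings["chksum_ifaces"][m["iface"]] = int(m["chksum"])
            continue
        m = ERR_RE.search(line)
        if m and m["code"].startswith("SC_ERR_NO_RULES"):
            findings["rule_errors"].append((m["code"], m["msg"]))
    return findings


def healthy(findings):
    """An IDS that loaded no rules, or that has an interface with no packets,
    is not protecting anything even though the service shows as running."""
    return not findings["rule_errors"] and not findings["idle_ifaces"]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("healthy:", healthy(report))
    print(report)
```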
#157
Same issue here - Unbound would not start automatically and the GUI button did not start it either. Working configuration imported from 21.1, and unbound-checkconf does not complain.

The GUI "start" button only generated the following unbound log entry:
2021-08-08T13:16:31 unbound[57542] daemonize unbound dhcpd watcher.

whereas running unbound -c /var/unbound/unbound.conf caused Unbound to start up fine.

Reboot did not solve the issue:

Initially, Unbound started up - GUI showed it as running and log entries seem to confirm startup, but then it died again:


2021-08-08T13:28:07 unbound[2474] daemonize unbound dhcpd watcher.
2021-08-08T13:28:05 unbound[2663] daemonize unbound dhcpd watcher.
2021-08-08T13:28:00 unbound[38473] daemonize unbound dhcpd watcher.
2021-08-08T13:27:52 unbound[60119] daemonize unbound dhcpd watcher.
2021-08-08T13:27:52 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:52 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:52 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:52 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:52 unbound[25826] [25826:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:51 unbound[25826] [25826:0] info: service stopped (unbound 1.13.1).
2021-08-08T13:27:51 unbound[25826] [25826:0] info: control cmd: dump_cache
2021-08-08T13:27:45 unbound[25826] [25826:0] info: start of service (unbound 1.13.1).
2021-08-08T13:27:45 unbound[25826] [25826:0] notice: init module 2: iterator
2021-08-08T13:27:45 unbound[25826] [25826:0] notice: init module 1: validator
2021-08-08T13:27:45 unbound[25826] [25826:0] notice: init module 0: dns64
2021-08-08T13:27:39 unbound[25826] [25826:0] notice: Restart of unbound 1.13.1.
2021-08-08T13:27:39 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:39 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:39 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:39 unbound[25826] [25826:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:39 unbound[25826] [25826:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:38 unbound[25826] [25826:0] info: service stopped (unbound 1.13.1).
2021-08-08T13:27:38 unbound[25826] [25826:0] info: start of service (unbound 1.13.1).
2021-08-08T13:27:38 unbound[25826] [25826:0] notice: init module 2: iterator
2021-08-08T13:27:38 unbound[25826] [25826:0] notice: init module 1: validator
2021-08-08T13:27:38 unbound[25826] [25826:0] notice: init module 0: dns64
2021-08-08T13:27:31 unbound[66648] daemonize unbound dhcpd watcher.
2021-08-08T13:27:31 unbound[2967] [2967:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:31 unbound[2967] [2967:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:31 unbound[2967] [2967:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:31 unbound[2967] [2967:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
2021-08-08T13:27:31 unbound[2967] [2967:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2021-08-08T13:27:31 unbound[2967] [2967:0] info: service stopped (unbound 1.13.1).
2021-08-08T13:27:31 unbound[2967] [2967:0] info: control cmd: dump_cache
2021-08-08T13:27:19 unbound[2967] [2967:0] info: control cmd: list_local_data
2021-08-08T13:27:19 unbound[2967] [2967:0] info: start of service (unbound 1.13.1).
2021-08-08T13:27:19 unbound[2967] [2967:0] notice: init module 2: iterator
2021-08-08T13:27:19 unbound[2967] [2967:0] notice: init module 1: validator
2021-08-08T13:27:19 unbound[2967] [2967:0] notice: init module 0: dns64
2021-08-08T13:27:12 unbound[87717] daemonize unbound dhcpd watcher.
[*** REBOOT ***]

This recurs several times in the log; thereafter there is only the "unbound[57542] daemonize unbound dhcpd watcher." entry.

Manually starting unbound works.

Could this be an issue with Unbound having issues with running on a different port than 53 (I have AdGuard Home running as the general DNS server), even though Unbound does not complain about ports?
#158
Roughly similar experience here, too:
1. update -> 100% CPU on one core, some Python 3.7 process.
2. reboot solved the issue instantly, normal CPU usage since.
#159
21.1 Legacy Series / Re: NAT on port 53
May 13, 2021, 04:18:47 PM
Have you disabled / port remapped your unbound / dnsmasq / bind DNS server usually running on Opnsense?
#160
Lots of ways to achieve your goal, but I certainly recommend a second look at AdGuard Home, as it has developed a lot over the last year.
#162
Quote from: pmhausen on May 03, 2021, 06:39:00 PM

Now I can use NAT port forwarding for individual hosts - forwarding

  • protocol: TCP/UDP
  • source: specific host
  • destination: interface address
  • destination port: 53
  • redirect target: 127.0.0.1:53530
bypassing AdGuard and blacklisting this way.
That seems overly complicated and unnecessary (edit: because you then have DNS settings all over the firewall rather than just in your DNS server):

If you already use AdGuard Home, just go there and use a "client" setting, disable DNSBL for that client and, if necessary, specify a specific upstream DNS server for that client.

On Unbound, check whether ACL could be used to specify a different (non-DNSBL) upstream/forward server?

Finally, just wondering what has been unstable about unbound DNSBL - too many lists?
#163
AdGuard Home in OPNsense:
+ you can use the path to the OPNsense/Let's Encrypt certificate directly in AdGuard
- exposing port 443 to allow DoH also exposes the OPNsense web GUI. May be an issue e.g. for IoT or guest VLANs. You can always move the GUI to another port of course, or block access from the insecure VLANs.
#164
Thanks allebone.

DHCP leases & logfile and ARP table show that a DHCP lease (specifically: the existing DHCP lease!) has been sent to, and accepted by, the Windows laptop. It then loses access to OPNsense.

I have set up a static entry and will check tomorrow whether that alleviates the issue.
#165
My automation for copying the Let's Encrypt certificate to my local ESXi server fails:

1. automation task set up and "test connection" claims everything is fine: Connection and upload test succeeded.

Naming "cert.pem" --> rui.crt
Naming "key.pem" --> rui.key
Naming "ca.pem" --> ca.pem
Naming "fullchain.pem" --> castore.pem

2. Manually SCP'ing the files to ESXi works. ESXi finds and uses the copied certificate:

  # scp ./cert.pem root@esxi.XXX.de:/etc/vmware/ssl/rui.crt
  # scp ...


(for the avoidance of doubt, no password needs to be entered when doing scp, i.e. key authentication has been set up and is working)

3. Running automation from the "certificate" submenu fails to copy the certificate and yields the following errors in the logfile:

opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"esxi.XXX.de","host-key":"","port":"22","identity-type":"rsa","user":"root","remote-path":"/etc/vmware/ssl","chgrp":"","chmod":"","chmod-key":"","cert-name":"rui.crt","key-name":"rui.key","ca-name":"ca.pem","fullchain-name":"castore.pem","certificates":"xxx","automation-id":"xxx"}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-3UmGMx","target":"ca.pem","mode":"0440","group":false,"delete_source":true}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file '/tmp/sftp-upload-3UmGMx' to 'ca.pem' ; Cause: {"file_not_found":true,"error":"Couldn't fsetstat: No such file or directory"}
opnsense[69190] AcmeClient: running automation: uploadESXI
opnsense[69190] AcmeClient: running automation: restartGUI
opnsense[69190] AcmeClient: running automations for certificate: *.xxx.de

Strangely, ca.pem is the only file that is actually copied over to ESXi when running this ...!

Is this an error in my setup, or is upload_sftp.php broken?