Messages - abulafia

#166
Adguard Home in Opnsense:
+ you can use the path to the Opnsense/letsencrypt certificate directly in adguard
- exposing port 443 to allow DoH also exposes the Opnsense web GUI. May be an issue e.g. for IoT or guest vlans. You can always move the GUI to another port of course, or block access from the insecure vlans.
#167
Thanks allebone.

DHCP leases & logfile and ARP table show that a DHCP lease (specifically: the existing DHCP lease!) has been sent to, and accepted by, the Windows laptop. It then loses access to OPNsense.

I have set up a static entry and will check tomorrow whether that alleviates the issue.
#168
My automation for copying the Let's Encrypt certificate to my local ESXI server fails:

1. automation task set up and "test connection" claims everything is fine: Connection and upload test succeeded.

Naming "cert.pem" --> rui.crt
Naming "key.pem" --> rui.key
Naming "ca.pem" --> ca.pem
Naming "fullchain.pem" --> castore.pem

2. Manually SCP'ing the files to ESXi works. ESXi finds and uses the copied certificate:

  # scp ./cert.pem root@esxi.XXX.de:/etc/vmware/ssl/rui.crt
  # scp ...


(for the avoidance of doubt, no password needs to be entered when doing scp, i.e. key authentication has been set up and is working)

3. Running automation from the "certificate" submenu fails to copy the certificate and yields the following errors in the logfile:

opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"esxi.XXX.de","host-key":"","port":"22","identity-type":"rsa","user":"root","remote-path":"/etc/vmware/ssl","chgrp":"","chmod":"","chmod-key":"","cert-name":"rui.crt","key-name":"rui.key","ca-name":"ca.pem","fullchain-name":"castore.pem","certificates":"xxx","automation-id":"xxx"}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-3UmGMx","target":"ca.pem","mode":"0440","group":false,"delete_source":true}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file '/tmp/sftp-upload-3UmGMx' to 'ca.pem' ; Cause: {"file_not_found":true,"error":"Couldn't fsetstat: No such file or directory"}
opnsense[69190] AcmeClient: running automation: uploadESXI
opnsense[69190] AcmeClient: running automation: restartGUI
opnsense[69190] AcmeClient: running automations for certificate: *.xxx.de


Strangely, ca.pem is the only file that is actually copied over to ESXi when running this ...!

Is this an error in my setup, or is upload_sftp.php broken?
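An added example (not from the post and not OPNsense's own code) that parses AcmeClient `upload_sftp.php` log lines like those quoted above and correlates the logged automation settings with the per-file failures, so an admin can see at a glance which configured files failed, why, and which ones still need checking on the target host. The sample lines are constructed from the excerpt, keeping the redacted values as the post shows them.

```python
import json
import re

# Constructed sample, modelled on the AcmeClient upload_sftp.php excerpt in the post
# (redacted values kept as the post shows them).
SAMPLE_LOG = """\
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"esxi.XXX.de","host-key":"","port":"22","identity-type":"rsa","user":"root","remote-path":"/etc/vmware/ssl","chgrp":"","chmod":"","chmod-key":"","cert-name":"rui.crt","key-name":"rui.key","ca-name":"ca.pem","fullchain-name":"castore.pem","certificates":"xxx","automation-id":"xxx"}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-3UmGMx","target":"ca.pem","mode":"0440","group":false,"delete_source":true}
opnsense[82577] /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file '/tmp/sftp-upload-3UmGMx' to 'ca.pem' ; Cause: {"file_not_found":true,"error":"Couldn't fsetstat: No such file or directory"}
opnsense[69190] AcmeClient: running automation: uploadESXI
"""

LAST_INPUT = re.compile(r"Last input was: (\{.*\})\s*$")
FAILED_UPLOAD = re.compile(r"Failed uploading file '([^']*)' to '([^']*)' ; Cause: (\{.*\})\s*$")


def analyse_upload_log(text):
    """Correlate the automation config ('Last input') with per-file upload failures."""
    config = None
    failures = []
    for line in text.splitlines():
        m = LAST_INPUT.search(line)
        if m:
            config = json.loads(m.group(1))  # the automation settings as logged
            continue
        m = FAILED_UPLOAD.search(line)
        if m:
            cause = json.loads(m.group(3))
            failures.append({
                "source": m.group(1),
                "target": m.group(2),
                # an SFTP target without a leading slash is resolved relative to the
                # session's working directory, not necessarily to the configured remote-path
                "relative_target": not m.group(2).startswith("/"),
                "file_not_found": bool(cause.get("file_not_found")),
                "error": cause.get("error", ""),
            })
    names = ("cert-name", "key-name", "ca-name", "fullchain-name")
    expected = sorted(config[k] for k in names) if config else []
    failed = {f["target"] for f in failures}
    return {
        "host": config.get("host") if config else None,
        "remote_path": config.get("remote-path") if config else None,
        "expected_files": expected,
        "failures": failures,
        # files with no failure logged: confirm their presence on the target host by hand
        "unreported": [n for n in expected if n not in failed],
    }
```

Running `analyse_upload_log` over the real log (e.g. the output of `clog /var/log/system.log` filtered for `upload_sftp.php`) gives the same structure for every automation run.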
#169
Quote from: geo on May 03, 2021, 02:10:22 PM
I'm using OPNsense 21.1.5 (amd64) to route DNS requests to AdGuard Home (v0.106.1) installed on a raspberry pi (address 10.x.x.240) with Quad 9 as the upstream DNS resolver.
Why don't you install AdGuard Home (v0.106.1) directly on the OPNsense and do away with the Pi?

(1) Install minugmail's repo (see https://www.routerperformance.net/opnsense-repo/), (2) install AdGuard Home plugin in OPNsense, (3) set your OPNsense unbound resolver to another port than 53, (4) go to adguard home webpage to configure, (5) define your OPNsense unbound resolver:customport as a PTR / upstream DNS server in adguard home (for resolution of local names).

(6) Firewall: create floating rules to allow DNS requests to DNS (53), DoQ (784) and DoT (853); consider carefully whether to open DoH (443). NAT rules should be created automatically (I think).

Once it works, re-create the redirection of DNS requests to your local DNS.

--

As to why your original setup isn't working for UDP, not sure, but have you tried setting the "Block all external DNS" rule to Destination: !LAN1_address or temporarily disabling it? Otherwise, that rule might be blocking all traffic to port 53 (including your pihole). Try to remove that.

Can your LAN1 ping your Pi?
Is traffic back from the Pi to your LAN1 network permitted?
#170
Hi, strange behaviour that I have come across on 21.1.5, and not sure where to begin to troubleshoot:

I have one(!) laptop that has been losing connection to the OPNsense gateway intermittently for a few days:

Setup:

WAN -> Cable Modem -> OPNsense -> Unifi switch - LAN clients / wifi clients

Issue:

My work laptop suddenly loses connection to the gateway: It can still ping all LAN devices, as well as the switch, but no longer access the OPNsense IP (nor WAN of course). A reboot of OPNsense fixes this - for a few minutes and then connection _for this client_ fails again.

All other devices (LAN and wifi) continue to be able to access OPNsense and WAN. So the problem seems to be either in OPNsense or the switch.

How could I narrow down the issue? Is it ...
- related to RSTP issues?
- related to routing (I have the FRR routing plugin installed)?
- related to firewall / shaping (why do the other 192.168.1.0/24 clients have access though)?
- ...?
#171
Quote from: ratoloko on February 18, 2021, 04:45:46 AM
Some people might suggest the AdGuard plugin within OPNsense to you. They both have the same purpose, but they work totally differently; AdGuard has some weird way to deal with things. Just compare both communities to see the posts. Anyways :)
That is bullshit.

Both piHole and adguard home(!) work as a DNS server with DNS blacklists.

Using an app based DNS blocking - such as "adguard" app - is different, but don't confuse it with adguard home.
#172
There are a lot more options, most of them free and built in:
1. Built-in: Services -> Unbound DNS -> Blacklist
2. Install Adguard Home _on your OPNsense_ - very similar to pihole. (a) install community repo https://www.routerperformance.net/opnsense-repo/, (b) install plugin adguard home, (c) configure via web-GUI on port 3000
3. Use free NextDNS service (nextdns.io)
4. Use Squid / SquidGuard plugin to filter ads. (may be slow)
5. ...
#173
Apologies for hijacking this thread, but I experience similar issues on 21.1:

The "live view" shows wrong labels, e.g. for my "plex forward rule" (port forward anything to :32400 to my internal Plex server) it shows my "Block_IP_INGRESS" IP block rule and vice versa.

I have made no changes to "firewall optimization".

I have changed my rules and deleted some; I will need to check whether this disappears after a reboot (but I think not, as it has kept bugging me for the past few weeks).