Messages - zz00mm

#31
https://www.routerperformance.net/opnsense-repo/

It has an additional repo that can be added and a custom Unbound option addition. You could try it. I prefer creating the additional .conf file; this way upgrades haven't caused me any issues so far.
#32
I put custom conf files into directory "/usr/local/etc/unbound.opnsense.d"

If you look at "/usr/local/etc/unbound.conf" you'll see that it has a wildcard *.conf include statement.

When the unbound service is started, it copies *.conf from the above directory into /var/unbound/etc

I believe this is covered in the unbound document section. I use custom conf files to perform some additional blocks myself.
UPDATE: Forgot the link
https://docs.opnsense.org/manual/unbound.html#advanced-configurations

I've been blocking using unbound/dnsbl, not using nxdomain, so I'll have to try it and see how it works.
#33
Another option that should work. I use ProtonVPN and several weeks ago the DNS stopped resolving for us-free-01 thru us-free-08 and nl-free-01 thru nl-free-11 for some strange reason. Once the DNS resolve issue was corrected, I pulled all the IP addresses via nslookup/dig and put them into a file "/usr/local/etc/unbound.opnsense.d/protonvpncom.conf" using a different hostname for each. As you can see in the attachment, us-free and nl-free were used so as not to interfere with external resolution.

I think this could be used in a similar fashion to create up to 64 hostnames with multiple IPs, plus this would survive any kind of software update. I've modified file(s) in the past and they were wiped out with updates/upgrades, so I keep the info somewhere that it doesn't get erased.

Just another idea to consider.
#34
This is marked as SOLVED, did you get it working? I have/had this working until the last day or so. I have a connection to US that has stopped working; the second connection to NL seems to be working at this time.
#35
I will add that this specifies what Unbound responds with. This configuration has 10 VLANs, and the goal was for a user on a VLAN pinging a device that's on multiple VLANs to get the subnet IP:
VLAN100 = ping NAS respond 10.0.133.2
VLAN101 = ping NAS respond 10.1.133.2
to
VLAN109 = ping NAS respond 10.9.133.2

Same with FWs and other devices that are multi-homed.
#36
I think it would be easier to manage if another DNS server was used. If you want to try the Unbound route, here's a snippet of an additional unbound.conf file that I use to configure split-DNS/split horizon. In your case, I would assume VLAN101 as your VLAN and replace the IPs with 0.0.0.0 like DNSBL does. It will be interesting to see which is easier to manage.

server:
    access-control-view: 10.0.0.0/16 "VLAN100"
    access-control-view: 10.1.0.0/16 "VLAN101"

view:
    name: "VLAN100"
    view-first: yes
    local-zone: "OPNsenseVM.xyz.zyx." transparent
    local-data-ptr: "10.0.255.254 FWmain.xyz.zyx."
    local-data: "FWmain.xyz.zyx. A 10.0.255.254"
    local-data: "FWmain. A 10.0.255.254"
    local-data-ptr: "10.0.91.255 OPNsenseVM.xyz.zyx."
    local-data: "OPNsenseVM.xyz.zyx. A 10.0.91.255"
    local-data: "OPNsenseVM. A 10.0.91.255"

view:
    name: "VLAN101"
    view-first: yes
    local-zone: "OPNsenseVM.xyz.zyx." transparent
    local-data-ptr: "10.1.255.254 FWmain.xyz.zyx."
    local-data: "FWmain.xyz.zyx. A 10.1.255.254"
    local-data: "FWmain. A 10.1.255.254"
    local-data-ptr: "10.1.91.255 OPNsenseVM.xyz.zyx."
    local-data: "OPNsenseVM.xyz.zyx. A 10.1.91.255"
    local-data: "OPNsenseVM. A 10.1.91.255"

#37
May I ask what command is being executed to show the unsupported? When I use sysctl -a I don't see anything reported as unsupported.
#38
Atom C3758 QAT support
OPNsense 2.1.2 shows the following:

kldstat -v | grep qat
20    1 0xffffffff82904000    16308 qat.ko (/boot/kernel/qat.ko)
                541 pci/qat
21    1 0xffffffff8291b000    a13f8 qat_c3xxxfw.ko (/boot/kernel/qat_c3xxxfw.ko)
                542 qat_c3xxxfw_fw

dmesg | grep qat
qat0: <Intel C3000 QuickAssist PF> mem 0xdf340000-0xdf37ffff,0xdf300000-0xdf33ffff at device 0.0 on pci1


So it sees it; it has been selected under System -> Settings -> Misc -> Hardware acceleration.

As Franco said earlier: does it work? No idea... I can tell my IPSEC tunnel is working...

The OpenVPN client connections to ProtonVPN are up and working.
#39
@KHE, great idea. I'll try this out on a test FW before I change the main FW. Thanks

Quote from: KHE on February 28, 2022, 07:15:59 PM
If you are using port forwarding rules, you should consider creating interface groups in Firewall: Groups.
One for the Adguard interface(s) and one for the unbound interface(s). For each group a net will be available to use in the Firewall rules, so you can create in Firewall: NAT: Port Forward a port forward rule with the destination from that group net to Adguard and one for the other group to unbound.
You can also apply firewall rules then in the groups, which will appear in Firewall: Rules: <GroupName>.

Keep in mind that these group rules are processed before the interface rules.

KH
#40
Sure, I've attached a screen capture; in case it's hard to read, here's the text of the options changed/set:

Interfaces:   <Select interfaces for rule>

Protocol:      TCP/UDP
(click Source Advanced to see additional options)
Source/invert:   checked
(In my case I did this to exclude my internal Domain/DNS Servers from being filtered)
Source:      <selected alias containing internal Domain/DNS Servers>

(If no internal DNS Servers need to be excluded from this, set Source=any and DON'T check Source/Invert)

Destination
  port range:   DNS to DNS

Redirect
  target IP:   Single host or network
            value = 127.0.0.1

Redirect
  target port:   DNS

Description: External attempts to DNS forwarded to localhost
#41
I did something of this sort with Unbound and AdGuardHome. I kept Unbound on 9 of my VLANs plus localhost (10.0 thru 10.8, and localhost). The 10th VLAN (which is streaming TV, i.e. Roku and Apple) has AdGuard listening on port 53 and forwarding to localhost:53 for upstream. I did this lazy approach so I could see what the streaming TVs are doing. I also did an outbound NAT of port 53 into localhost:53 to stop the Roku going to 8.8.8.8. Next step is looking at ZenArmor to stop DoT & DoH from getting out, as I see my iPhone when on Wifi goes to some dns-apple.com site, it looks like, for resolution. So far it's working well. The only gotcha: I had to modify my floating rule to reverse/ignore via an alias my domain/DNS to allow them outside access (no blocking of any kind) as backup/testing of name resolution.
#42
General Discussion / Re: CrowdSec
February 12, 2022, 04:33:39 PM
Firewall has been updated to build 005 which contains v1.3 of the crowdsec engine. The crowdsec portal has updated itself and shows the correct versions.
#43
My understanding is that enabling RSS will only show improvement when under heavy load. Speedtest doesn't really count as heavy load; you need multiple devices running to really stress the firewall. Also, all the software components running within the FW need to be multi-threaded (not single-threaded).
#44
You do not want to install the 21.7 kernel if you are on 22.1.

My Atom firewall, 8 cores, 16GB:

net.inet.rss.bits          2
net.inet.rss.enabled       1
net.isr.bindthreads        1
net.isr.dispatch           hybrid
net.isr.maxthreads         -1
net.isr.numthreads         2

Results via netstat -Q
Setting                        Current        Limit
Thread count                         8            8
Default queue limit                256        10240
Dispatch policy                 hybrid          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name         Proto   QLimit    Policy Dispatch Flags
ip               1     1000       cpu   hybrid   C--
igmp             2      256    source  default   ---
rtsock           3      256    source  default   ---
arp              4      256    source  default   ---
ether            5      256       cpu   direct   C--
ip6              6     1000       cpu   hybrid   C--
ip_direct        9      256       cpu   hybrid   C--
ip6_direct      10      256       cpu   hybrid   C--
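A checker for this tuning, added here as an example and not code from the post: it parses the sysctl values and the netstat -Q output quoted above and reports anything that differs from the working configuration shown there (RSS enabled, netisr threads bound, hybrid dispatch, and the ip/ip6 work streams on the cpu policy that RSS steering produces). Taking the post's values as the desired baseline is an assumption; the sample text below is a constructed copy of the post's output, and the parser also accepts the `name: value` form that `sysctl` itself prints.

```python
"""Check RSS / netisr tuning against sysctl and netstat -Q output.

Added example, not from the post: the expected values are the ones the
post's working firewall shows, taken here as the baseline (an assumption).
"""
from typing import Dict, List, Tuple

# Constructed samples copied from the post's output.
SYSCTL_SAMPLE = """\
net.inet.rss.bits              2
net.inet.rss.enabled           1
net.isr.bindthreads      1
net.isr.dispatch              hybrid
net.isr.maxthreads      -1
net.isr.numthreads      2
"""

NETSTAT_Q_SAMPLE = """\
Setting                        Current        Limit
Thread count                         8            8
Default queue limit                256        10240
Dispatch policy                 hybrid          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name         Proto   QLimit    Policy Dispatch Flags
ip                 1     1000        cpu   hybrid   C--
igmp               2      256     source  default   ---
rtsock             3      256     source  default   ---
arp                4      256     source  default   ---
ether              5      256        cpu   direct   C--
ip6                6     1000        cpu   hybrid   C--
ip_direct          9      256        cpu   hybrid   C--
ip6_direct        10      256        cpu   hybrid   C--
"""

# Baseline taken from the post's working box (assumption: this is what you want).
EXPECTED_SYSCTL = {
    "net.inet.rss.enabled": "1",
    "net.isr.bindthreads": "1",
    "net.isr.dispatch": "hybrid",
}


def parse_sysctl(text: str) -> Dict[str, str]:
    """Accept both 'name value' (the post) and 'name: value' (sysctl output)."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out[parts[0].rstrip(":")] = parts[1]
    return out


def parse_netstat_q(text: str) -> Tuple[Dict[str, str], Dict[str, dict]]:
    """Return (global settings, per-protocol rows) from `netstat -Q`."""
    settings: Dict[str, str] = {}
    protos: Dict[str, dict] = {}
    in_protocols = False
    for line in text.splitlines():
        if line.startswith("Protocols:"):
            in_protocols = True
            continue
        parts = line.split()
        if in_protocols:
            # Rows: Name Proto QLimit Policy Dispatch Flags; skip the header.
            if len(parts) == 6 and parts[1].isdigit():
                name, num, qlimit, policy, dispatch, flags = parts
                protos[name] = {"proto": int(num), "qlimit": int(qlimit),
                                "policy": policy, "dispatch": dispatch, "flags": flags}
        elif len(parts) >= 3 and parts[-2] != "Current":
            # Rows: <label words> Current Limit; keep the Current column.
            settings[" ".join(parts[:-2])] = parts[-2]
    return settings, protos


def rss_buckets(sysctl: Dict[str, str]) -> int:
    """net.inet.rss.bits is log2 of the RSS bucket count."""
    return 1 << int(sysctl.get("net.inet.rss.bits", "0"))


def check_rss(sysctl: Dict[str, str], settings: Dict[str, str],
              protos: Dict[str, dict]) -> List[str]:
    """Return a list of deviations from the baseline; empty means it matches."""
    findings = []
    for key, want in EXPECTED_SYSCTL.items():
        got = sysctl.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    if settings.get("Threads bound to CPUs") != "enabled":
        findings.append("netisr threads are not bound to CPUs")
    if settings.get("Dispatch policy") != "hybrid":
        findings.append(f"netisr dispatch policy is {settings.get('Dispatch policy')!r}")
    for name in ("ip", "ip6"):
        row = protos.get(name)
        if row is None:
            findings.append(f"{name} missing from the netstat -Q Protocols table")
        elif row["policy"] != "cpu":
            findings.append(f"{name} policy is {row['policy']!r}, expected 'cpu' with RSS")
    return findings


if __name__ == "__main__":
    s = parse_sysctl(SYSCTL_SAMPLE)
    st, pr = parse_netstat_q(NETSTAT_Q_SAMPLE)
    print(f"RSS buckets: {rss_buckets(s)}, netisr threads: {st.get('Thread count')}")
    print(check_rss(s, st, pr) or ["tuning matches the baseline"])
```

On a live box the same functions take the text of `sysctl net.inet.rss net.isr` and `netstat -Q`; a non-empty findings list after a kernel update is the quick way to see whether a tunable silently reverted.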
#45
Do you have powerD enabled? Is it possible that powerD is powering it down?