Topics - Vexz

#1
25.7, 25.10 Series / DNS over TLS stopped working
September 07, 2025, 08:01:15 PM
I don't know when it started, I just noticed that my DoT configuration no longer works and my ISP has been getting my unencrypted DNS requests for God knows how long. Great, exactly what I didn't want to happen. Maybe it stopped working since the upgrade to 25.7 (I use 25.7.2 atm), I don't know. What I do know is that it worked just fine before and I didn't touch anything that should have any influence on how my OPNsense sends DNS traffic of any kind to the internet.

Unbound on my OPNsense is my DNS resolver. This is my DoT configuration:


Afaik there's nothing more to it than that, right? In the past this made all outbound DNS requests use DoT. My OPNsense no longer sent unencrypted DNS traffic to the internet. Did something change about that?
#2
It's me again, testing dnsmasq DHCP again, now that 25.1.7 is out.

My dnsmasq DHCP configuration didn't change from when I was on 25.1.6, but now on 25.1.7 my clients don't get a new DHCPv4 lease anymore. DHCPv6 is working fine though. In the logs I see the following:
2025-05-19T17:20:30 Informational dnsmasq-dhcp DHCP, IP range 10.0.0.20 -- 10.0.0.254, lease time 1d

That indicates it should work, right? I tested it on an Android client and a Linux PC. A reboot of my OPNsense didn't fix the issue.

Here's my range configuration for DHCPv4:


Let me know if I can provide more information to help you fix this.
#3
Since OPNsense 25.1 supports the selection of multiple hosts for firewall rules, I thought it would be a good idea to get rid of my nested aliases, but it's currently not working correctly.

Setup to reproduce:
I have a firewall rule with a nested alias as source and activated the checkbox for source inversion. I use this rule to route all traffic of all hosts through a specific gateway with that firewall, except for the hosts in that nested alias for the source (hence the inversion). With the nested alias everything works as intended, but when I instead multi-select the hosts in the nested alias (instead of the nested alias, which should have the same effect, right?) it does not work. Then even the traffic of the selected hosts in the source of the firewall rule is routed through that gateway. To me it looks like it's a bug, but maybe I'm just misinterpreting the multi-selection?
#4
First some facts about my network(s) and my goal(s):
  • LAN net: 10.0.0.0/24, dynamic /56 Prefix from my ISP
  • Dual Stack setup
  • WireGuard net: 10.0.1.0/24
  • I want full LAN net access over WireGuard to my LAN net with IPv4 and IPv6
  • All traffic from WireGuard clients should go over WireGuard connection
  • To access the internet with active WG configuration, there's a specific gateway on my OPNsense the WG clients must use
  • OPNsense version 24.7.11_2

WireGuard instance on my OPNsense:


Example of a peer configuration on my OPNsense:


Example of a WireGuard configuration of one of my clients:



WAN firewall rule to allow inbound WireGuard connections from WAN:


WireGuard firewall rules:



I tried this configuration, but all I could achieve so far is getting a connection between my OPNsense and the WG client, so that the WG client could access the internet from my OPNsense over the default gateway (but that's not what I want) and that only with IPv4. The LAN net isn't accessible at all.

Looks like I'm too blind to see why it isn't working. Would appreciate some help from more experienced people to tell me what I did wrong.

Thanks in advance.
#5
General Discussion / Routing does not work as expected.
December 20, 2024, 08:50:15 AM
Now that OPNsense also supports Tailscale, I've been working on it.

My goal is to use my smartphone on the go as if I were in my home network. To do this, I set up OPNsense as an exit node on my smartphone.

So far, that works to some extent, but I have a special case that unfortunately doesn't work yet:
Devices in my home network that communicate with the internet do so via a VPN gateway. To make this happen, I created a firewall rule for my LAN network that routes traffic accordingly through this gateway.

These are the rules on my LAN interface:


My idea was to achieve the same result for my smartphone by rebuilding the firewall rule in the same way on the Tailscale interface. However, there is a rule above it that allows network traffic into the LAN network via the default gateway. This allows me to access every device in my home network via my smartphone, and the traffic to the internet should be routed through the VPN gateway.

Here are the rules on my Tailscale interface:


Unfortunately, this didn't work in my test. When I check on my smartphone which public IP I have, it has the IP of the WAN interface of my OPNsense, and I don't understand why.

Can someone please tell me where the problem is here?
#6
I need some help from someone who is experienced with firewall rules and has worked with the advanced features.

Context:
I have a NAS in my home LAN which hosts some docker containers like Vaultwarden and other stuff. Traffic from most of my devices (not my NAS) is routed through a WireGuard VPN tunnel, which is configured on my OPNsense. To achieve this I use firewall rules that use the VPN gateway for outgoing traffic. The reason why my NAS's outgoing traffic is not routed through the VPN tunnel is, of course, that connections from the WAN to my NAS wouldn't work anymore (I already tested that).

So I'm looking for a solution like this:

  • Connections initiated by my NAS go through the VPN tunnel to the WAN.
  • Answers to connection requests from the WAN to my NAS use the gateway the connection request came from.

I feel like the "reply-to" option in the advanced rule features could be something here, but I think all replies then will use the set gateway, even when the initiated connection from my NAS was routed through the VPN tunnel.

Is this even possible? If the answer is yes: Could you please explain to me how?
#7
Just wanted to point something out in case that needs a fix.

After a reboot of my OPNsense hostnames are only resolved by IPv4. Only if I restart Unbound it works again with IPv6.
So my wild guess is that after a reboot the queue in which the services are started is the problem here. Unbound gets started first, then ISC DHCPv6, which is why Unbound doesn't know about the hosts' IPv6 addresses yet and hence won't register them.

Do you need further information about my setup?
#8
I just found this article: IPS Bypass local traffic from inspection

It made me curious to try Suricata again. You see, I depend on a PPPoE connection from my ISP for WAN and I get a dynamic IPv6 prefix. The PPPoE connection means that I can't use my WAN port in Suricata. Now I'd like to let Suricata bypass any traffic from any local machine to any other local machine in my home LAN. The article linked above explains what to do to make it work for IPv4, which is good. The problem here is the IPv6 part. The article states to create a rule with my prefix. But because my prefix is dynamic, the rule won't work any longer after a reboot or reset of the PPPoE connection. So what options do I have here? Aliases don't work.
#9
So I've been thinking a lot about this option and think it's a nice feature. But I always come back to two questions: "Do I really need this?" and "Why isn't this enabled by default?"

You see, I've used this feature for about a year now to speed up DNS resolution. Afaik the (main) reason why this exists is to still resolve some domain names in case the upstream DNS server is offline. But since DNS servers are pretty much always available and I'm using NextDNS with anycast it's highly unlikely that I'd need the serve expired option for its (main) purpose.
DNS resolution is very fast anyway so it begs the question if I as a human even feel the difference between a freshly resolved domain name from an upstream DNS server or an expired serve from Unbound. On the other hand I never experienced a moment where I wanted to access a website and Unbound served an expired DNS entry where the IP for that domain changed so I couldn't load the website. So I don't see any disadvantages in enabling this option. But why isn't the serve expired option enabled by default if you never experience any negative impact?

Maybe I'm overthinking all this or underthinking it but I never come to a conclusion whether to enable or disable this feature. I'd love to hear your thoughts about this.
#10
This tutorial assumes you have installed AGH through mimugmail's community repo (tutorial link).

The gist of this tutorial is to install updates of AGH and restart its running instance with a cronjob automatically.

ATTENTION: You'll need AdGuard Home v0.107.22 or newer to make this work. In earlier versions the update parameter didn't exist yet or was buggy.

------------------------------------------------------------------

1. Connect to your OPNsense via SSH

2. To make life easier use # sudo -i

3. In the menu where you have to choose an option use "8" (Shell)

4. Edit the following config (I chose vi to do that):
# vi /usr/local/opnsense/service/conf/actions.d/actions_adguardhome.conf

5. In this config you need to add the [update] part. See below:
[start]
command:/usr/local/etc/rc.d/adguardhome start
parameters:
type:script
message:starting Adguardhome

[stop]
command:/usr/local/etc/rc.d/adguardhome stop
parameters:
type:script
message:stopping Adguardhome

[restart]
command:/usr/local/etc/rc.d/adguardhome restart
parameters:
type:script
message:restarting Adguardhome
description:Restart AdGuardHome service

[status]
command:/usr/local/etc/rc.d/adguardhome status;exit 0
parameters:
type:script_output
Message:request Adguardhome status

[update]
command:/usr/local/AdGuardHome/./AdGuardHome --update
parameters:
type:script
message:updating Adguardhome
description:Update AdGuard Home


6. Restart configd
# service configd restart
This will add a new selectable option in the drop down menu for "Command" in the web UI under System > Settings > Cron. Add a cronjob with this option for when you want AGH to update.


7. Install AGH as a service. You will need this to make AGH automatically restart after a new update was installed. The "--no-check-update" is optional and should hinder AGH from searching for new updates. Somehow this doesn't work in my case.
# /usr/local/AdGuardHome/./AdGuardHome -s install --no-check-update

8. Make the AGH service start at boot. For this we need to create a new file.
# touch /usr/local/etc/rc.syshook.d/start/50-adguardhome
# chmod 755 /usr/local/etc/rc.syshook.d/start/50-adguardhome
# vi /usr/local/etc/rc.syshook.d/start/50-adguardhome

Now paste the following in this file and save:
#!/bin/sh

/usr/local/AdGuardHome/./AdGuardHome -s start


9. In the web UI you need to disable AGH or you'll have two instances of AGH running after a reboot. For this navigate to Services > Adguardhome > General. Uncheck the checkmark for "Enable" and hit "Save".

10. Reboot your OPNsense to confirm the AGH service is starting on boot. After the reboot you should be able to access the web UI of AGH. Give AGH a few seconds to start. The CLI of your OPNsense should output "service: running" when you execute this command:
# /usr/local/AdGuardHome/./AdGuardHome -s status

11. Done!

------------------------------------------------------------------

I couldn't find out which file to edit to make the checkmark in the web UI start the AGH service, not an individual instance. Maybe someone more experienced than me can help me out and I'll add it to the tutorial.
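As an added example (not from the original post and not part of the AdGuard Home plugin), here is a POSIX shell script that checks the two files edited in the tutorial before the reboot in step 10: it confirms that the configd action file has a complete [update] section and that the rc.syshook start script exists, is executable and begins with a shebang line. The required keys (command, type, message) are assumed from the shape of the existing sections in actions_adguardhome.conf; the demo at the bottom builds constructed copies of both files in a temporary directory so the script runs on any machine, and the real paths from the tutorial are given in a comment.

```shell
#!/bin/sh
# Added example, not part of the original post or the AdGuard Home plugin.
# Sanity checks for the two files edited in the tutorial, meant to be run
# before the reboot in step 10. Required keys (command, type, message) are
# assumed from the shape of the existing sections in actions_adguardhome.conf.

# check_action_section FILE SECTION
# Prints "ok" when [SECTION] in FILE has command:, type: and message: keys,
# otherwise prints "missing: <keys>" and returns 1. Key names are matched
# case-insensitively because the existing [status] section uses "Message:".
check_action_section() {
  awk -v s="[$2]" '
    $0 == s { insec = 1; next }     # entered the wanted section
    /^\[/   { insec = 0 }           # any other header ends it
    insec && tolower($0) ~ /^command:/ { c = 1 }
    insec && tolower($0) ~ /^type:/    { t = 1 }
    insec && tolower($0) ~ /^message:/ { m = 1 }
    END {
      if (c && t && m) { print "ok"; exit 0 }
      printf "missing:"
      if (!c) printf " command"
      if (!t) printf " type"
      if (!m) printf " message"
      print ""
      exit 1
    }' "$1"
}

# check_syshook_script FILE
# Prints "ok" when FILE exists, is executable and starts with a shebang line
# (the tutorial's chmod 755 and #!/bin/sh line are what make it runnable at boot).
check_syshook_script() {
  [ -f "$1" ] || { echo "missing: $1"; return 1; }
  [ -x "$1" ] || { echo "not executable: $1"; return 1; }
  head -n 1 "$1" | grep -q '^#!' || { echo "no shebang: $1"; return 1; }
  echo "ok"
}

# Demo on constructed copies of the two files, so this runs on any machine.
# On the firewall itself, point the variables at the real paths instead:
#   ACTIONS=/usr/local/opnsense/service/conf/actions.d/actions_adguardhome.conf
#   HOOK=/usr/local/etc/rc.syshook.d/start/50-adguardhome
demo() {
  tmp=$(mktemp -d)
  ACTIONS="$tmp/actions_adguardhome.conf"
  HOOK="$tmp/50-adguardhome"

  # constructed sample: the [update] section from the tutorial plus a
  # deliberately incomplete [broken] section
  cat > "$ACTIONS" <<'EOF'
[update]
command:/usr/local/AdGuardHome/./AdGuardHome --update
parameters:
type:script
message:updating Adguardhome
description:Update AdGuard Home

[broken]
command:/usr/local/AdGuardHome/./AdGuardHome --update
EOF
  printf '#!/bin/sh\n\n/usr/local/AdGuardHome/./AdGuardHome -s start\n' > "$HOOK"
  chmod 755 "$HOOK"

  echo "update section: $(check_action_section "$ACTIONS" update)"
  echo "broken section: $(check_action_section "$ACTIONS" broken || true)"
  echo "syshook script: $(check_syshook_script "$HOOK")"
  rm -rf "$tmp"
}

demo
```

Run it as root on the OPNsense box with the two variables set to the real paths; a "missing:" line means configd will not offer the Update command in the Cron drop-down the way step 6 expects, and a "not executable" or "no shebang" line means the service will not come up after the reboot in step 10.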
#11
Upfront: Right after 22.7 was released was when I for the first time ever used OPNsense. This means I don't know yet how things will be when upgrading to a big new version.

In the latest patch notes it says the following:
Quote:
As always the upgrade path from the community version will be added as a hotfix shortly after the final release announcement is published.

Does this mean we must update to that hotfix first before we can finally upgrade to 23.1?
The reason I'm asking this question is because I'm currently waiting for a new mini PC that will become my new OPNsense hardware and I wanted to stick with the last version released for 22.7 for a while before upgrading to 23.1. But I'm not sure if I'll be forced to use 22.7.0 (when installing OPNsense with the 22.7 ISO) or 23.1.0 when 23.1.0 is released before the new hardware arrives.
#12
General Discussion / How to clear rDNS entries?
December 11, 2022, 11:48:14 AM
I'm using AdGuard Home on my OPNsense and use Unbound for reverse DNS. It works fine so far but thanks to DHCP some devices get a new IP address sooner or later. The problem here is that AGH does not release old rDNS entries.

Example:
Let's say I have a device "Device1" which is configured to use DHCP and got the IP 10.0.0.20. AGH got it right and through rDNS saves that the IP 10.0.0.20 belongs to Device1. Now the lease expires and Device1 gets the IP 10.0.0.21. AGH makes a reverse DNS lookup and sees that Device1 now has the IP 10.0.0.21.
But now I have two entries for Device1:
• 10.0.0.20 → Device1 (deprecated but still there)
• 10.0.0.21 → Device1

Is there a way to clear the rDNS entries so AGH starts over to look up clients' IP addresses? Sooner or later this will just be a big mess with many devices changing IP addresses.
#13
22.7 Legacy Series / OPNsense 22.7.8 high RAM usage
November 29, 2022, 01:06:58 PM
I just checked my OPNsense's dashboard and saw that the RAM usage is much higher than usual. Usually about 25% to 30% of my total memory is being used, now it's at 42%. I've never seen such a high RAM usage on my OPNsense before.
So I checked the console and used the top command to find out which process is the culprit. This is the result.


A reboot didn't help to fix the problem. Does anybody have a clue why these processes use so much of my RAM?

Edit:
I'm now back at 29% which is normal. I saw it go up to 58%. Makes me wonder what went wrong.
#14
I installed AdGuard Home on my OPNsense and now I want to force every device in my LAN to use it for DNS queries. One of my devices uses Google's DNS server (8.8.8.8) probably because it's hard coded somewhere. The DNS server in DHCP settings is set correctly.
I've been trying around to create a port forward NAT rule that forces every packet with destination port 53 to go to my AdGuard Home but it just won't work no matter what I try. When I (for example) set Cloudflare's DNS servers in my IP configuration on my Windows machine it always skips AdGuard Home.

So how do I have to configure this NAT rule to make it work for IPv4 and IPv6?
#15
So with ZFS file system and bectl we can easily create snapshots of our system and always go back to the point of time when we took the snapshot. I am familiar with snapshots with BTRFS but on OPNsense I'm very confused about them.

Here's the thing. In my experience all changes after the latest snapshot are saved and the latest snapshot + changes is the current status after a reboot. When I create a new snapshot with bectl, the active snapshot stays the currently running snapshot - not the latest snapshot.
What happens if I take a snapshot, do some changes on the system, then activate the new snapshot and reboot? Are my changes gone because I booted into the snapshot I made before rebooting the system? Or are the changes applied to the latest snapshot? Or are my changes maybe gone?

I just can't wrap my head around it. It gives me a headache the more I think about it and try to understand. Could you please explain to me how this works? In case I ever have to revert back to an old snapshot I wanna make sure to make it right.
#16
Greetings!

I've been using DoT for a while now... or let's say: I think I've been using DoT for a while now.

Under...
Services > Unbound DNS > DNS over TLS
... I set up some DoT compatible DNS servers as you can see in the following image.


To test my settings I first blocked outgoing traffic with destination port 53 --> name resolution still works
Then I did the same for port 853 --> name resolution does not work anymore

So far so good. But does just that prove that it's working correctly? There are websites like this one that check if DoT is working. For me it says that it does not work. Also there's Cloudflare's help site, which tells me it's working for all my upstream DNS servers except the Quad9 ones.
I can't tell how reliable those sites are. Is the use of destination port 853 for DNS queries enough to say that it's working correctly?