"Recent posts
#1
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by pseudonym3k - Today at 09:47:15 PMThanks. At a high level I understand the practical functions of each- as they apply to my practical use of the internet.
I do realize I grabbed OPNsense, an appliance meant for large enterprises, as my choice for a small no make that tiny home network. I did that because I'm disgusted with the direction consumer routers have gone and taking all control of what comes in and goes out. I ran DD-WRT for years (and Dnsmasq) and quite comfortable with how it functions for me, without knowing specific components or what does what. (Including a delete lease option which I'm aware can't be ported to OPNsense which prompted the entire suggestion for me to consider KEA.)
I had trouble with Unbound and disabled it, moved my DNS servers into System Settings, and voila it's all good. I thought that was enough no matter what I used for DHCP. Quite honestly, at almost 85 years old, I'm not likely to get much more knowledgable nor am I really interested. If it's no longer allowed to post here for help because of that, then I'll find something else.
I do realize I grabbed OPNsense, an appliance meant for large enterprises, as my choice for a small no make that tiny home network. I did that because I'm disgusted with the direction consumer routers have gone and taking all control of what comes in and goes out. I ran DD-WRT for years (and Dnsmasq) and quite comfortable with how it functions for me, without knowing specific components or what does what. (Including a delete lease option which I'm aware can't be ported to OPNsense which prompted the entire suggestion for me to consider KEA.)
I had trouble with Unbound and disabled it, moved my DNS servers into System Settings, and voila it's all good. I thought that was enough no matter what I used for DHCP. Quite honestly, at almost 85 years old, I'm not likely to get much more knowledgable nor am I really interested. If it's no longer allowed to post here for help because of that, then I'll find something else.
#2
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by Patrick M. Hausen - Today at 09:39:20 PMYou need a DHCP (well, most of the time) server and a DNS server for your network to work. Essentially these are two separate services that at first have nothing in common.
DHCP tells client systems about their network environment. How to number themselves, how to reach the Internet, what DNS servers to use.
DNS tells a client an IP address for a name. At least that's the primary use.
- DHCP can be run locally or not at all (configure everything manually).
- If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
- DNS can be run locally or not at all.
- If not at all you can point your clients to e.g. 8.8.8.8 or 1.1.1.1 via DHCP and "Internet" will work without any problems.
- If run locally you can use Unbound, DNSmasq or BIND (plugin) for that job.
- DNSmasq for both DHCP and DNS is tightly integrated but some (including me) don't like the architecture and still prefer Kea for DHCP.
- If you use Kea for DHCP you can go with no local DNS at all (8.8.8.8) or use Unbound or ... use DNSmasq for DNS only while using Kea for DHCP.
- Or use BIND. Or use ADGuard Home while forwarding to an upstream DoT service, which some (few) users here on the forum seem to do.
- Or ...
Admittedly us network professionals sometimes take that knowledge for granted but making sense out of that puzzle is still up to you. Bring a separate DNS filtering solution like PiHole (on a separate device) or AdGuard Home (on OPNsense) into the mix and complexity again increases.
So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.
Canonical well established alternatives are:
- Kea & Unbound
- DNSmasq for both
Start from one of those, then consider a filtering plugin, upstream encryption or not, etc. But only after you have the fundamentals well understood and working.
HTH,
Patrick
DHCP tells client systems about their network environment. How to number themselves, how to reach the Internet, what DNS servers to use.
DNS tells a client an IP address for a name. At least that's the primary use.
- DHCP can be run locally or not at all (configure everything manually).
- If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
- DNS can be run locally or not at all.
- If not at all you can point your clients to e.g. 8.8.8.8 or 1.1.1.1 via DHCP and "Internet" will work without any problems.
- If run locally you can use Unbound, DNSmasq or BIND (plugin) for that job.
- DNSmasq for both DHCP and DNS is tightly integrated but some (including me) don't like the architecture and still prefer Kea for DHCP.
- If you use Kea for DHCP you can go with no local DNS at all (8.8.8.8) or use Unbound or ... use DNSmasq for DNS only while using Kea for DHCP.
- Or use BIND. Or use ADGuard Home while forwarding to an upstream DoT service, which some (few) users here on the forum seem to do.
- Or ...
Admittedly us network professionals sometimes take that knowledge for granted but making sense out of that puzzle is still up to you. Bring a separate DNS filtering solution like PiHole (on a separate device) or AdGuard Home (on OPNsense) into the mix and complexity again increases.
So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.
Canonical well established alternatives are:
- Kea & Unbound
- DNSmasq for both
Start from one of those, then consider a filtering plugin, upstream encryption or not, etc. But only after you have the fundamentals well understood and working.
HTH,
Patrick
#3
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by pseudonym3k - Today at 09:24:40 PMQuote from: nero355 on Today at 07:54:23 PMIt's all a matter of readingYour comment is not nice and not necessary in a helpful context. Please be kind.
FWIW I do read the docs, and I absolutely don't understand everything there. There's a lot that doesn't apply to me, and it's possible I won't understand there's something there that does. I thought this forum exists to provide help when needed and so I asked and got my answer.
I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.
#4
26.1 Series / Re: Netflow - again high I/O
Last post by nero355 - Today at 08:26:23 PMQuote from: Patrick M. Hausen on Today at 08:23:06 PMNetflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.Good to know! Thnx! :)
The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.
They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
#5
26.1 Series / Re: Netflow - again high I/O
Last post by Patrick M. Hausen - Today at 08:23:06 PMNetflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.
It was designed from the start to just collect the data on the (at the time) seriously underpowered control plane of the (Cisco) device and get it off the box to some collector as fast as possible.
The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.
Repeating myself - you don't want that on OPNsense proper.
But it works as advertised. I get the same beautiful graphs from my OPNsense to my Ubuntu VM running the stack. And noticed as written in that other post some odd traffic on UDP/1194 immediately ;-)
They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
Kind regards,
Patrick
It was designed from the start to just collect the data on the (at the time) seriously underpowered control plane of the (Cisco) device and get it off the box to some collector as fast as possible.
The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.
Repeating myself - you don't want that on OPNsense proper.
But it works as advertised. I get the same beautiful graphs from my OPNsense to my Ubuntu VM running the stack. And noticed as written in that other post some odd traffic on UDP/1194 immediately ;-)
They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
Kind regards,
Patrick
#6
26.1 Series / Re: 26.1.6 migrated from 25.7 ...
Last post by nero355 - Today at 08:18:50 PMQuote from: stefan21 on Today at 11:42:00 AMDid an upgrade to the latest OPNsense version.That does not mean you had to do this too :
QuoteMigrated to NEW firewall rules.Because it does bring some changes along you might not like and the migration is not something you must do for now !!
QuoteMigrated from ISC to KEA.That's something you could have done in 25.7 too first and then upgrade afterwards once you were sure everything is still working as it should ;)
But for now my best guess is that some Firewall Rule does not do what you want it to do...
#7
26.1 Series / Re: Netflow - again high I/O
Last post by nero355 - Today at 08:14:15 PMQuote from: Patrick M. Hausen on Today at 01:36:32 PMDon't save netflow data on OPNsense. Export to a netflow collector like Elastiflow and save your SSD 🙂Looks seriously sweet as far as I can tell from your other recent post : https://forum.opnsense.org/index.php?msg=264974
Should I need something like that I will definitely consider it! :)
For now I have got almost all logging disabled in OPNsense since I barely need any of it.
#8
26.1 Series / Re: Multicast TV Init7 with OP...
Last post by nero355 - Today at 08:10:23 PMQuote from: JamesFrisch on Today at 01:32:58 PMSorry, I should have been clearer in my writing. This is not the setting I have, this is the setting my ISP recommends.I see now :)
Here ist the link: https://www.init7.net/en/support/faq/mit-welchen-uebertragungsarten-funktionieren-die-tv-streams/
On the buttom left, you have to activate nerdmode. That shows you the "Rules for multicast streaming" which are the rules I posted.
But it could very well be that these settings are just some old leftovers. I contacted support and asked them exactly this.
Maybe they are long gone to IGMPv3. I would also assume that the mentioned old servers are no longer running, but they are still described there.
Then I would just wait for their reply and double check everything with them first!
QuoteI even tried something similar like you linked. I created a whole seperate VLAN just for the AppleTV Box, but still no luck.AFAIK most modern IPTV setups require Quickleave anyway so I don't see that as being wrong to be honest.
My current setting is this:Code Select##------------------------------------------------------As you can see, this is not exactly what my ISP recommends, since it has quickleave enabled.
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint cxl1 upstream ratelimit 0 threshold 1
altnet 77.109.129.0/24
phyint vlan0.51 downstream ratelimit 0 threshold 1
phyint wg0 disabled
phyint cxl0 disabled
phyint vlan0.25 disabled
phyint vlan0.50 disabled
phyint vlan0.52 disabled
...
...
...
But this was something I forgot to ask :
Quote from: jonm on Today at 02:39:42 PMThere's a reasonably active init7 sub on Reddit, it may be worth also asking your question there?Aren't there any "German Tech Community Forums" that talk about this stuff very often ?
Should give you the right information if there are any IMHO :)
Did you also check the German sub-forum : https://forum.opnsense.org/index.php?board=6.0 ??
#9
26.1 Series / Re: DNS Confusion
Last post by nero355 - Today at 08:01:56 PMQuote from: disorganise on Today at 02:45:09 PMHowever, DNS is confusing me in several ways.
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
QuoteI even migrated to KEA DNS for a bit and moved back when it didn't solve anything.All a matter of reading : https://docs.opnsense.org/manual/dhcp.html
HINT : There is no such thing as KEA DNS and in OPNsense everything is basically built around Unbound DNS-wise !!
QuoteI have a wireguard set up to another OPNSense 900km away. They each have their own domain; ie, mg.home.arpa and dy.home.arpa.My guess is you told DNSmasqd about it instead of Unbound but again : Read the documentation and go through everything step-by-step ;)
I can't seem to resolve clients in the other domain. I've cheated for the time being by adding my Emby box as a static. On my new box I set a 'Query Forwarding' domain to the OPNSense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works ok.
#10
26.1 Series / Re: Tried moving from Dnsmasq ...
Last post by nero355 - Today at 07:54:23 PMQuote from: pseudonym3k on Today at 03:37:04 PMThat's a deal breaker for me then, for unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.)Just fix this bug :
QuoteUnbound, PiHole... and I'm not using any of those.By using this : https://docs.pi-hole.net/guides/dns/unbound/
;)
A life without Pi-Hole combined with Unbound on my network is not worth living at all !!! :P
QuoteThank you, had no idea.It's all a matter of reading https://docs.opnsense.org/manual/dhcp.html before making any huge changes to your OPNsense.
