Recent posts

#1
Hardware and Performance / Re: PPPoE performance with cur...
Last post by mattuz - Today at 07:57:53 PM
Quote from: pfry on Today at 02:22:07 AM
Edit: For the heck of it (quoting myself), you might try "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad. I'm not sure if these will provide useful data for a PPPoE device.

Thanks I will try these commands and update the thread with the results.

Quote from: meyergru on Today at 09:14:29 AM
Did you use the Realtek vendor or the FreeBSD native driver on OPNsense?

I'm using the os-realtek-re drivers. The card, plugged in without those, didn't even show the interfaces in the GUI; I had "pci3: <network, ethernet> at device 0.0 (no driver attached)".
#2
Sorry, it feels like we are hijacking this thread now. If this needs to be discussed further, best create a new thread.
#3
General Discussion / Re: How do predefined net alia...
Last post by Bob.Dig - Today at 07:21:39 PM
Thanks for pointing to that discussion. My English ain't that good, so I have the feeling that I still might miss something. Let's say I have two WANs, and for both I block RFC1918 outgoing, so I used one floating rule. But for one WAN, I have an allow rule for WAN_network before that. Now I am forced to do things differently.

Quote: in which you can move rules at any spot you want
That sounds like more freedom, but yet we will get less. :)
I kinda think that you could achieve that goal at the same time without that floating decision; I can't see that benefit yet. ;) And some people hate any friction.
#4

Configuration
- OPNsense with AdGuard Home as a plugin (`os-adguardhome-maxit`), Unbound as the upstream resolver at `127.0.0.1:5335`
- LAN `192.168.188.0/24`, IoT VLAN `192.168.20.0/24`
- WireGuard active on port 51820, 3 peers (iPhone, iPad, MacBook)

Problem
In the AdGuard Home query log, I see constantly repeated DNS queries (multiple per second, active for hours/days) to four seemingly random domains:

```
setrol.com
holodisks.com
randomchoice.org
eletricalsheet.com
```

All queries are logged with **client IP `60.168.131.252`**, a public IP address in China (WHOIS: CHINANET-AH, Anhui).

Raw data from `/usr/local/AdGuardHome/data/querylog.json`:
```json
{"T":"2026-06-29T12:07:57.804291543+02:00","QH":"eletricalsheet.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":99867}
```

What I've already ruled out
1. **Open DNS resolver on the WAN**: Found a WireGuard firewall rule that was too broad (UDP, source `*`, destination port `*` to WAN address) which accidentally allowed external requests on port 53 as well. I restricted this to destination port 51820 (the WireGuard port). Confirmed with `nslookup google.com <WAN-IP>` from an external network → now correctly times out.
   - **Result: Queries in the AdGuard query log continue unabated, even after this fix.** However, I now see "Blocked" instead of "Processed" since I manually added the 4 domains to the custom filter rules—so AdGuard is still actively receiving these queries.

2. **WireGuard as a relay**: checked via VPN → WireGuard → Status. None of the 3 peers have a recent handshake (oldest was 4–6 days ago), and all peers currently show 0 or very little traffic. This rules out an active WireGuard tunnel as the direct source.

3. **Local device sending the queries**: packet capture on the LAN interface (igc1), filter `udp port 53`, over 100 packets captured—none of the four suspicious domain names appeared in the capture, even though they did appear in the AdGuard query log during the same period.

4. **IPv6 as an alternative path**: checked via Interfaces → Overview on the WAN interface (OdidoWAN). Only an IPv4 address is present; no routable IPv6 address. This rules out an IPv6 leak alongside the IPv4 WireGuard rule as an explanation.

## The Question
How can AdGuard Home log queries with an external (Chinese) source IP when:
- WAN port 53 is no longer accessible from the outside (confirmed with an nslookup test),
- there is no active WireGuard session,
- a packet capture on the LAN interface does not show these queries?

Is there a mechanism in AdGuard Home (e.g., EDNS Client Subnet, or something related to how the plugin/Unbound integration works) that could cause an external IP address to appear in the query log without it actually being an incoming request? Or is there another vulnerability I haven't found yet (for example, another open port, IPv6 instead of IPv4, or a tunnel/proxy I haven't checked)?

Any suggestions on where to look next are welcome.
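As an added check (example code, not from the original post and not part of AdGuard Home or the plugin), a Python script that reads the one-JSON-object-per-line `querylog.json` format quoted above and summarises every client IP that falls outside the local ranges, so entries like the `60.168.131.252` ones stand out with their queried names and counts. The log lines embedded in it are constructed for the example (only the first mirrors the entry quoted in the post), and the list of local networks is an assumption built from the LAN and IoT VLAN named in the Configuration section plus the other private, loopback and link-local ranges.

```python
"""Report AdGuard Home query-log clients that are not on a local network.

Added example (not code from the original post or from AdGuard Home). It reads
the one-JSON-object-per-line querylog.json format and groups the queries of
every client IP outside the private/loopback/link-local ranges.
"""
import ipaddress
import json
import sys
from collections import Counter, defaultdict

# Ranges that should cover every legitimate client of this resolver: the LAN
# (192.168.188.0/24) and IoT VLAN (192.168.20.0/24) from the post, the other
# RFC1918 ranges (assumed to include the WireGuard tunnel network), loopback
# and link-local.  Assumption of this example.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

QUERYLOG_PATH = "/usr/local/AdGuardHome/data/querylog.json"  # path named in the post


def is_local(ip_text):
    """True if ip_text parses as an address inside one of LOCAL_NETWORKS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_querylog(lines):
    """Yield (client_ip, queried_name, is_filtered) per line; skip malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        ip, name = entry.get("IP"), entry.get("QH")
        if not ip or not name:
            continue
        result = entry.get("Result") or {}
        yield ip, name, bool(result.get("IsFiltered", False))


def external_clients(lines):
    """Summarise queries per non-local client IP.

    Returns {ip: {"total": n, "filtered": n, "names": Counter}}.  A client
    value that does not parse as an address is reported too: it cannot be local.
    """
    report = defaultdict(lambda: {"total": 0, "filtered": 0, "names": Counter()})
    for ip, name, filtered in parse_querylog(lines):
        try:
            if is_local(ip):
                continue
        except ValueError:
            pass  # not a valid address: treat as external and report it
        entry = report[ip]
        entry["total"] += 1
        entry["filtered"] += int(filtered)
        entry["names"][name] += 1
    return dict(report)


# Constructed sample log: the first line mirrors the entry quoted in the post,
# the rest are made up for this example (a LAN client, more external queries,
# and a corrupt line).
SAMPLE_LOG = """\
{"T":"2026-06-29T12:07:57.804291543+02:00","QH":"eletricalsheet.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":99867}
{"T":"2026-06-29T12:07:58.104291543+02:00","QH":"setrol.com","QT":"A","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Reason":0,"IsFiltered":false},"Elapsed":120001}
{"T":"2026-06-29T12:07:58.304291543+02:00","QH":"example.com","QT":"A","QC":"IN","CP":"","IP":"192.168.188.23","Result":{"Reason":0,"IsFiltered":false},"Elapsed":8011}
{"T":"2026-06-29T12:07:58.504291543+02:00","QH":"eletricalsheet.com","QT":"AAAA","QC":"IN","CP":"","IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":70112}
this line is not JSON
"""


def main(argv):
    """Read the query log (path from argv, default QUERYLOG_PATH) and print the report."""
    path = argv[1] if len(argv) > 1 else QUERYLOG_PATH
    with open(path, encoding="utf-8") as fh:
        report = external_clients(fh)
    for ip, entry in sorted(report.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{ip}: {entry['total']} queries, {entry['filtered']} blocked")
        for name, count in entry["names"].most_common():
            print(f"    {count:6d}  {name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the box as `python3 adguard_external.py` (or pass another log path). A client that shows up here with a public address and a high, steady count over hours is exactly the pattern described in the post; the report itself does not say how the query reached AdGuard, only that AdGuard recorded that client value, which is the fact to correlate against the packet captures and firewall state.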
#5
26.1, 26.4 Series / Re: Problem with shutdown/rebo...
Last post by mrzaz - Today at 06:53:08 PM
I have now changed from Divert (IPS) to Netmap (IDS), let it run for 24-36h, and then tried a normal reboot, and at least this time it rebooted normally.
It only took a few seconds for the suricata PID to stop and continue with the rest of the shutdown/reboot.

I will keep this under wraps and test it again in a few days.

If it now is the Divert setting that causes it, we need to try to find the culprit.

//Dan Lundqvist
#6
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by kbthomelab88 - Today at 06:52:41 PM
Quote from: kbthomelab88 on Today at 06:30:14 PM
This is my LAN network setup for Sonos

This is my Sonos network setup for Sonos

#7
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by fastboot - Today at 06:50:18 PM
Quote from: kbthomelab88 on Today at 06:41:10 PM
I have uploaded the picture

We're still waiting for the picture. At the moment I am troubleshooting a non-existent attachment rather than your network.
#8
Updated the script with an alternative method

```bash
#!/bin/bash
# Alternative
shopt -s extglob

# Test the wg0 connection state using the monit ZeroStatus test.
# RC=1 is the default connection state: wg0 is treated as connected -> exit 1,
# which monit reports as 'status = 1'.
RC=1

# If no wg0 packets are received, the tunnel needs to be restarted: RC=0 -> exit 0.
# Important: 'status = 0' must be reported to the OPNsense monit ZeroStatus test,
# which then restarts the wg0 connection.

# In-line variant (kept for reference):
#[[ $(netstat -i | grep -F -- "          0     - " | grep "100.80.224.94"  | wc -l) -eq "1" ]] \
#&& RC=0 && echo "!connected"   $(date +"%Y-%m-%d %H:%M:%S") && exit $RC \
#|| echo "connected"  $(date +"%Y-%m-%d %H:%M:%S") && exit $RC

# Count the netstat -i address lines for 100.80.224.94 whose Ipkts column is 0.
# The fixed-string pattern matches a zero Ipkts value followed by the '-'
# placeholder that netstat prints in the Ierrs column of an address line.
RC=$(netstat -i | grep -F -- "          0     - " | grep -c "100.80.224.94")
#echo "$RC"
# Exactly one such line means no packets received -> RC=0; otherwise RC=1.
[ "$RC" -eq 1 ] && RC="0" || RC="1"

case $RC in
0) printf 'wg0 !connected  %s\n' "$(date +"%Y-%m-%d %H:%M:%S")"; exit 0;;
1) printf 'wg0  connected  %s\n' "$(date +"%Y-%m-%d %H:%M:%S")"; exit 1;;
*) printf 'Issue with wg0_monit_start.sh\n'; exit 2;;
esac
```
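For the same check in a form that can be tested offline, an added Python version (example code, not the poster's script) that parses the `netstat -i` table by column instead of matching a fixed run of spaces, and returns the same exit codes the monit ZeroStatus test expects: 0 when the tunnel must be restarted, 1 when it is connected. The sample output is constructed in the FreeBSD column layout (Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll) and is an assumption of the example; the tunnel address `100.80.224.94` is the one from the script. It goes one step beyond the script in that a tunnel address missing from the table altogether also yields the restart status, where the grep pipeline would count zero lines and report it as connected.

```python
"""Decide from `netstat -i` whether a WireGuard address has received packets.

Added example, not the poster's script.  The column layout it assumes is the
FreeBSD one (Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll).
"""
import subprocess
import sys
from datetime import datetime

WG_ADDRESS = "100.80.224.94"  # tunnel address used in the script above


def parse_netstat_i(output):
    """Map Address column -> Ipkts (int) for every data row of `netstat -i` output.

    Rows whose Ipkts column is not numeric are skipped (the header row, or a
    damaged line), so a malformed table cannot be mistaken for a live tunnel.
    """
    packets = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            packets[fields[3]] = int(fields[4])
        except ValueError:
            continue
    return packets


def monit_status(output, address=WG_ADDRESS):
    """0 = restart needed (no packets received, or address absent), 1 = connected."""
    received = parse_netstat_i(output).get(address)
    return 1 if received else 0  # None (address missing) or 0 packets -> 0


# Constructed samples in the FreeBSD `netstat -i` layout (assumption of this
# example): in SAMPLE_IDLE em0 carries traffic while wg0 shows zero received
# packets on its tunnel address; in SAMPLE_ACTIVE wg0 has received packets.
SAMPLE_IDLE = """\
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:0c:29:12:34:56   123456     0     0   234567     0     0
em0       - 192.168.1.0/2 192.168.1.10        123456     -     -   234567     -     -
wg0    1420 <Link#6>      wg0                      0     0     0       12     0     0
wg0       - 100.80.224.0/ 100.80.224.94            0     -     -       12     -     -
"""
SAMPLE_ACTIVE = """\
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
wg0    1420 <Link#6>      wg0                    842     0     0      910     0     0
wg0       - 100.80.224.0/ 100.80.224.94          842     -     -      910     -     -
"""


def main():
    """Run netstat (-n keeps addresses numeric), print the state, exit with the monit code."""
    output = subprocess.run(["netstat", "-in"], capture_output=True,
                            text=True, check=True).stdout
    status = monit_status(output)
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print(f"wg0 {'connected' if status else '!connected'}  {stamp}")
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Because the decision is made on the parsed Ipkts value rather than on a whitespace pattern, a change in column widths (a larger counter, a longer network prefix) does not silently turn into a "connected" result.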
#9
What it solves is that it slowly paves the way to a unified ruleset without special hardcoded priorities, in which you can move rules at any spot you want.

At least that's my wish for the long run:
https://github.com/opnsense/core/issues/9652#issuecomment-4274523794

Demystifying floating plays well into that strategy.
#10
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by kbthomelab88 - Today at 06:41:10 PM
I have uploaded the picture