"Recent posts
#1
Hardware and Performance / Re: PPPoE performance with cur...
Last post by mattuz - Today at 07:57:53 PMQuote from: pfry on Today at 02:22:07 AMEdit: For the heck of it (quoting myself), you might try "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad. I'm not sure if these will provide useful data for a PPPoE device.
Thanks I will try these commands and update the thread with the results.
Quote from: meyergru on Today at 09:14:29 AMDid you use the Realtek vendor or the FreeBSD native driver on OpnSense?I'm using os-realtek-re drivers. The card plugged in without those didn't even show the interfaces on the GUI. I had "pci3: <network, ethernet> at device 0.0 (no driver attached"
#2
General Discussion / Re: How do predefined net alia...
Last post by Monviech (Cedrik) - Today at 07:45:15 PMSorry it feels like we are hijacking this thread now. If this needs to be discussed further best create a new thread.
#3
General Discussion / Re: How do predefined net alia...
Last post by Bob.Dig - Today at 07:21:39 PMThanks for pointing to that discussion. My English ain't that good, so I have the feeling, that I still might miss something. Let's say I have two WANs, for both I block RFC1918 outgoing, so I used one floating rule. But for one WAN, I have an allow rule for WAN_network before that. Now I am forced to do things differently.
I kinda think that you could achieve that goal in the same time without that floating-decision, I can't see that benefit, yet. ;) And some people hate any friction.
Quotein which you can move rules at any spot you wantThat sounds like more freedom but yet we will get less. :)
I kinda think that you could achieve that goal in the same time without that floating-decision, I can't see that benefit, yet. ;) And some people hate any friction.
#4
Intrusion Detection and Prevention / Suspicious repeated DNS traffi...
Last post by Dutchman - Today at 06:54:14 PMConfiguration
- OPNsense with AdGuard Home as a plugin (`os-adguardhome-maxit`), Unbound as the upstream resolver at `127.0.0.1:5335`
- LAN `192.168.188.0/24`, IoT VLAN `192.168.20.0/24`
- WireGuard active on port 51820, 3 peers (iPhone, iPad, MacBook)
Problem
In the AdGuard Home query log, I see constantly repeated DNS queries (multiple per second, active for hours/days) to four seemingly random domains:
```
setrol.com
holodisks.com
randomchoice.org
eletricalsheet.com
```
All queries are logged with **client IP `60.168.131.252`**, a public IP address in China (WHOIS: CHINANET-AH, Anhui).
Raw data from `/usr/local/AdGuardHome/data/querylog.json`:
```json
{"T":"2026-06-29T12:07:57.804291543+02:00","QH":"eletricalsheet.com","QT":"A","QC":"IN","CP":""," IP":"60.168.131.252","Result":{"Rules":[{"Text":"||eletricalsheet.com^$important"}],"Reason":3,"IsFiltered":true},"Elapsed":99867}
```
What I've already ruled out
1. **Open DNS resolver on the WAN**: Found a WireGuard firewall rule that was too broad (UDP, source `*`, destination port `*` to WAN address) which accidentally allowed external requests on port 53 as well. I restricted this to destination port 51820 (the WireGuard port). Confirmed with `nslookup google.com <WAN-IP>` from an external network → now correctly times out.
- **Result: Queries in the AdGuard query log continue unabated, even after this fix.** However, I now see "Blocked" instead of "Processed" since I manually added the 4 domains to the custom filter rules—so AdGuard is still actively receiving these queries.
2. **WireGuard as a relay**: checked via VPN → WireGuard → Status. None of the 3 peers have a recent handshake (oldest was 4–6 days ago), and all peers currently show 0 or very little traffic. This rules out an active WireGuard tunnel as the direct source.
3. **Local device sending the queries**: packet capture on the LAN interface (igc1), filter `udp port 53`, over 100 packets captured—none of the four suspicious domain names appeared in the capture, even though they did appear in the AdGuard query log during the same period.
4. **IPv6 as an alternative path**: checked via Interfaces → Overview on the WAN interface (OdidoWAN). Only an IPv4 address is present; no routable IPv6 address. This rules out an IPv6 leak alongside the IPv4 WireGuard rule as an explanation.
## The Question
How can AdGuard Home log queries with an external (Chinese) source IP when:
- WAN port 53 is no longer accessible from the outside (confirmed with an nslookup test),
- there is no active WireGuard session,
- a packet capture on the LAN interface does not show these queries?
Is there a mechanism in AdGuard Home (e.g., EDNS Client Subnet, or something related to how the plugin/Unbound integration works) that could cause an external IP address to appear in the query log without it actually being an incoming request? Or is there another vulnerability I haven't found yet (for example, another open port, IPv6 instead of IPv4, or a tunnel/proxy I haven't checked)?
Any suggestions on where to look next are welcome.
#5
26.1, 26,4 Series / Re: Problem with shutdown/rebo...
Last post by mrzaz - Today at 06:53:08 PMI have now changed from Divert (IPS) to Netmap (IDS) and let it run for 24-36h and now tried a normal reboot and at least this time it rebooted normally.
Only took a few seconds for suricata PID to stop and continue with rest of the shutdown/reboot.
I will keep this under wrap and test it again in a few days.
If it now is Divert setting that causes it, we need to try to find the culprit.
//Dan Lundqvist
Only took a few seconds for suricata PID to stop and continue with rest of the shutdown/reboot.
I will keep this under wrap and test it again in a few days.
If it now is Divert setting that causes it, we need to try to find the culprit.
//Dan Lundqvist
#6
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by kbthomelab88 - Today at 06:52:41 PMQuote from: kbthomelab88 on Today at 06:30:14 PMThis my lan network setup for sonos
This my sonos network setup for sonos
#7
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by fastboot - Today at 06:50:18 PMQuote from: kbthomelab88 on Today at 06:41:10 PMi have upload the picture
We're still waiting for the picture. At the moment I am troubleshooting an non existing attachment rather than your network.
#8
Virtual private networks / Re: Automatic WireGuard inital...
Last post by Monju0525 - Today at 06:49:26 PMUpdated the script with an alternatuve method
====
#!/bin/bash
#Alternative
shopt -s extglob
# Test the wg0 connection state using monit ZeroStatus test
# RC =1 is the connection state which defaults the wg0 as being connected -> exit 1
# reports as 'status =1'
RC=1
# If no wg0 packets are received, it needs to be restarted with RC =0 -> exit 0
# Important: need to report 'status =0' to the opnsense monit ZeroStatus test
# which will re-start the wg0 connection
# in-line command
#[[ $(netstat -i | grep -F -- " 0 - " | grep "100.80.224.94" | wc -l) -eq "1" ]] \
#&& RC=0 && echo "!connected" $(date +"%Y-%m-%d %H:%M:%S") && exit $RC \
#|| echo "connected" $(date +"%Y-%m-%d %H:%M:%S") && exit $RC
RC=`netstat -i | grep -F -- " 0 - " | grep "100.80.224.94" | wc -l`
#echo $RC
[$RC -eq 1 ] && RC="0" || RC="1"
case $RC in
0) printf "wg0 !connected $(date +"%Y-%m-%d %H:%M:%S") \n" && exit 0;;
1) printf "wg0 connected $(date +"%Y-%m-%d %H:%M:%S") \n" && exit 1;;
*) printf "Issue with wg0_monit_start.sh \n";;
esac
====
====
#!/bin/bash
#Alternative
shopt -s extglob
# Test the wg0 connection state using monit ZeroStatus test
# RC =1 is the connection state which defaults the wg0 as being connected -> exit 1
# reports as 'status =1'
RC=1
# If no wg0 packets are received, it needs to be restarted with RC =0 -> exit 0
# Important: need to report 'status =0' to the opnsense monit ZeroStatus test
# which will re-start the wg0 connection
# in-line command
#[[ $(netstat -i | grep -F -- " 0 - " | grep "100.80.224.94" | wc -l) -eq "1" ]] \
#&& RC=0 && echo "!connected" $(date +"%Y-%m-%d %H:%M:%S") && exit $RC \
#|| echo "connected" $(date +"%Y-%m-%d %H:%M:%S") && exit $RC
RC=`netstat -i | grep -F -- " 0 - " | grep "100.80.224.94" | wc -l`
#echo $RC
[$RC -eq 1 ] && RC="0" || RC="1"
case $RC in
0) printf "wg0 !connected $(date +"%Y-%m-%d %H:%M:%S") \n" && exit 0;;
1) printf "wg0 connected $(date +"%Y-%m-%d %H:%M:%S") \n" && exit 1;;
*) printf "Issue with wg0_monit_start.sh \n";;
esac
====
#9
General Discussion / Re: How do predefined net alia...
Last post by Monviech (Cedrik) - Today at 06:43:10 PMIt solves that it slowly paths the way to a unified ruleset without special hardcoded prorities in which you can move rules at any spot you want.
At least thats my wish for the long run:
https://github.com/opnsense/core/issues/9652#issuecomment-4274523794
Demystifying floating plays well into that strategy.
At least thats my wish for the long run:
https://github.com/opnsense/core/issues/9652#issuecomment-4274523794
Demystifying floating plays well into that strategy.
#10
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by kbthomelab88 - Today at 06:41:10 PMi have upload the picture
