Recent posts

#81
German - Deutsch / UnboundDNS and local host-/D...
Last post by knebb - November 27, 2025, 10:29:08 AM
Hi,

My OPNsense is part of the local domain, let's call it "beispiel.de". In the LAN there is an authoritative DNS server (Bind9 on Debian) for this domain (and a further one, "example.de") which holds ALL DNS settings for these domains.
Now I would also like OPNsense to take over part of the DNS queries and answer them in parallel with the actual DNS server. So all LAN clients have TWO DNS resolver entries:
192.168.42.1 <--- OPNsense / Unbound
192.168.42.15 <--- Debian Bind

That works fine; the clients can successfully resolve public domains via both resolvers.

Unbound on OPNsense is configured to forward the local zone (beispiel.de) to the local bind9. I.e. everything concerning this zone is supposed to be answered by the 42.15 Debian Bind9.
So far this works great:

root@opnsense:~ # host -v lanhost.beispiel.de
Trying "lanhost.beispiel.de"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 642
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lanhost.beispiel.de. IN A

;; ANSWER SECTION:
lanhost.beispiel.de. 3600 IN CNAME lanhost.example.de.
lanhost.example.de. 3600 IN A 192.168.42.114

Received 90 bytes from 127.0.0.1#53 in 1 ms
Trying "lanhost.beispiel.de"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36936
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lanhost.beispiel.de. IN AAAA

;; AUTHORITY SECTION:
example.de. 2972 IN SOA ns.beispiel.de. admin.beispiel.de. 1763729903 3600 1800 604800 86400

Received 119 bytes from 127.0.0.1#53 in 0 ms
Trying "lanhost.beispiel.de"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36801
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lanhost.beispiel.de. IN MX

;; AUTHORITY SECTION:
example.de. 2972 IN SOA ns.beispiel.de. admin.beispiel.de. 1763729903 3600 1800 604800 86400

Received 119 bytes from 127.0.0.1#53 in 0 ms
The only exception is the DNS data for the OPNsense's own name, which is resolved from the local interfaces:
root@opnsense:~ # host opnsense.beispiel.de
opnsense.beispiel.de has address 192.168.32.254
That is the IP of one of the OPNsense interfaces, but the DNS server only points to the "main interface".


So in short:

Query for any name in the local domain ---> Unbound forwards to the local DNS. CORRECT.
Query for the name of opnsense.local.domain --> Unbound answers it itself with an arbitrarily chosen interface IP (CRAP)

It must somehow be possible to tell Unbound that it should really NOT answer any name queries for this domain itself, but ALWAYS forward them, right?

How do I get that done?

Thanks & regards
/KNEBB
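
The post describes two resolvers on the same LAN giving different answers for the firewall's own name. As an added example (not from the post, not OPNsense or Unbound code), here is a stdlib-only Python check that queries one name against several resolvers and reports whether their A records agree. The resolver addresses are the two from the post; the queried hostname and the use of plain UDP on port 53 are assumptions.

```python
"""
Added example, not from the forum post or from OPNsense/Unbound: query one
name against several resolvers with a minimal stdlib-only DNS client and
report whether they agree. Resolver IPs are those from the post; the
hostname queried in __main__ is an assumption.
"""
from __future__ import annotations

import random
import socket
import struct

TYPE_A, TYPE_CNAME = 1, 5


def build_query(name: str, qtype: int = TYPE_A) -> tuple[int, bytes]:
    """Return (id, wire-format query) for name/qtype with RD set and one question."""
    qid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return qid, header + qname + struct.pack(">HH", qtype, 1)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2              # the name ends after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg: bytes, expect_id: int) -> dict:
    """Parse a response: rcode, AA flag, and answer RRs as (name, type, ttl, text)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expect_id:
        raise ValueError("response id does not match query id")
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            text = socket.inet_ntoa(rdata)
        elif rtype == TYPE_CNAME:
            text, _ = read_name(msg, off)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
        off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}


def query(resolver: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP A query to resolver:53 and parse the reply."""
    qid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(wire, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, qid)


def a_records(parsed: dict) -> list[str]:
    """Sorted A-record addresses in a parsed response (CNAME chains are followed by the resolver)."""
    return sorted(text for _n, rtype, _ttl, text in parsed["answers"] if rtype == TYPE_A)


def compare(name: str, resolvers: list[str]) -> tuple[bool, dict[str, list[str]]]:
    """Query every resolver; True when all of them return the same set of A records."""
    per_resolver = {r: a_records(query(r, name)) for r in resolvers}
    consistent = len({tuple(v) for v in per_resolver.values()}) <= 1
    return consistent, per_resolver


if __name__ == "__main__":
    # Resolver addresses are from the post; the hostname is an assumption.
    ok, seen = compare("opnsense.beispiel.de", ["192.168.42.1", "192.168.42.15"])
    for resolver, addrs in seen.items():
        print(f"{resolver}: {addrs or 'no A records'}")
    print("consistent" if ok else "resolvers DISAGREE")
```

Run it from a LAN client that lists both resolvers; a "DISAGREE" result for the firewall's own name reproduces the behaviour described above, while agreement for other names in the zone confirms that forwarding is in effect for them.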

#82
General Discussion / Re: TUI for viewing and analys...
Last post by patient0 - November 27, 2025, 10:24:48 AM
Thanks for posting the viewer, I gave it a go and do like it. I like the navigation in the TUI.

If I could have a wish :) or two:

  • my screen is quite small (1280x800) and not all columns fit on the screen. It would be helpful if I could scroll horizontally with e.g. either the left/right arrow keys and/or 'h'/'l' (like in vim).
  • right now filtering for 'proto ip6' doesn't show any results. But filtering for 'proto ip' shows only the ip6 traffic. I would prefer if 'proto ip' would show the ipv4 entries and 'proto ip6' the ipv6. Maybe even a shortcut like in 'pftop' 'ip' and 'ip6' showing the ipv4 and ipv6 entries.
#83
General Discussion / Re: new setup cannot reach lin...
Last post by meyergru - November 27, 2025, 10:14:31 AM
Did you also take a look at this, especially the section about 'Network "hardware"'?

IDK exactly how to do the "multiqueue" setting on your platform; in Proxmox, it results in "queues=4" in the tap interface settings. I think this should be used with RSS on OpnSense itself.
#84
General Discussion / Re: OPNsense does not generate...
Last post by meyergru - November 27, 2025, 10:01:25 AM
IDK how you got the <WAN_GATEWAY_IP> into that rule at all, since I do not see where you could select that from the UI. Out of curiosity: How did you do that?

Your rule will never fire this way, because you do not see the packets your rule would select.

The target of a ping would be the WAN IP, which you can select from the dropdown as "WAN address". You could also use "this firewall". Your rule should simply be:

[attachment not available]

If you want to be sure, create it in Floating Rules and move it to the top of the list.
#85
25.7, 25.10 Series / Re: 25.7.8 Reporting -> Unboun...
Last post by Patrick M. Hausen - November 27, 2025, 10:00:20 AM
Doesn't the FreeBSD port download the source from github and compile with golang locally? That should work in poudriere just as well?
#86
General Discussion / Re: use traffic shaper in fire...
Last post by saleh - November 27, 2025, 09:50:22 AM
Thank you so much for your quick reply, Seimus.

For Queue-any-any-UP or Queue-any-any-DOWN, do we need to configure the interface, source, destination, and direction as well, or is it enough to simply create them and attach them to their respective pipes?

Best regards,
Saleh
#87
25.7, 25.10 Series / Re: Code quality reminder for ...
Last post by franco - November 27, 2025, 09:25:42 AM
I'm sorry to say you are, but for an unexpected reason: you haven't given a single example of what you are talking about.

I'd like to comment, but this feels hollow.


Cheers,
Franco
#88
Web Proxy Filtering and Caching / Squid Proxy | Allow only speci...
Last post by bpill - November 27, 2025, 08:59:49 AM
Hello there!

I am trying to configure the squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)

I managed to configure the system
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "Ca to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT Rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything


The Problem:
If I open https://nuget.org I get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would ?redirect? to the IP instead of the hostname?
If I remove the ".*" from the blacklist it works.

What am i doing wrong? Is there another better way?

Thanks!
Benjamin
#89
General Discussion / Re: OPNsense does not generate...
Last post by patient0 - November 27, 2025, 08:48:39 AM
What's the order of firewall rules on WAN, any other rules on WAN (ignoring the automatically generated ones)? Does the rule get executed at all (press 'Inspect' on the firewall WAN page)?

Setting a gateway for that rule does not work in my case, not sure if that is expected.
#90
25.7, 25.10 Series / Re: 25.7.8 Reporting -> Unboun...
Last post by Monviech (Cedrik) - November 27, 2025, 08:29:58 AM
The main reason for that is to give users an alternative to AdGuard Home, since the binary of that cannot be built on the OPNsense build servers and its operation is located in Russia.

Also if people do not install custom code I assume there will be less support noise in general.

But this realisation will need some time to spread; the AdGuard Home suggestion is just too present.