Announce: new OPNsense community repository

Started by mimugmail, January 09, 2021, 10:39:06 AM

Hello Michael! I realized how it works!! Thank you very much!

I was struggling with poudriere to make it work!

Many thanks!
Cloudfence Open Source Team

This is very cool and hope to try out soon! Great work!

Howdy, OPNsense noob here. I am using Pop OS and I am getting this error:

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Command 'fetch' not found, did you mean:
  command 'efetch' from deb acedb-other (4.9.39+dfsg.02-4build1)
  command 'efetch' from deb ncbi-entrez-direct (13.7.20200713+dfsg-1)
  command 'sfetch' from deb biosquid (1.9g+cvs20050121-12)
  command 'afetch' from deb biosquid (1.9g+cvs20050121-12)
  command 'ifetch' from deb ifetch-tools (0.18.2-1)
Try: sudo apt install <deb name>


I am obviously missing something simple. Thanks for help!

@oompa `fetch` is a FreeBSD command line tool that is more or less the equivalent of Linux' `wget`.
You are supposed to enter this command on your OPNsense firewall.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 14, 2021, 11:42:53 PM #34 Last Edit: February 15, 2021, 12:02:09 AM by ooompa
Ha! I was pretty sure I successfully SSH'd into the router but upon checking, it never established connection (and I used SSH only once before), hence the error. All good now.

It seems like the install went through just fine, but I can't see Adguard Home in services. Is it supposed to show up there or somewhere else?

Thanks!

Edit: I checked a bit later and Adguard Home finally showed up in services. I enabled it.
Can you please provide easy to follow instructions on how to configure it?

I (a noob to remind everyone) tried accessing my router address with 3000 port, let's say 192.168.1.1:3000 and nothing happens.

OK, quick update. I am in the middle of setting a Wireguard client with Mullvad and for some reason I can now access the 3000 port on my router leading to AGH config page.

Is there a guide on how to set it up?

I am coming from Brume, which had an excellent AGH app, with easy to import blacklists. It was working great (with Wireguard, AGH and packet inspection) until it wasn't (lots of hangups probably due to the overheating because of high CPU load) so I returned it and now I am trying OPNsense on HP T730.

Thanks!

I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through Wireguard.

Before, with Unbound on port 53, it was working. I made no other change than installing AdGuard on port 53 and switching off Unbound.

Any idea where to search?

unbounddns > access list, I guess you didn't add your WireGuard network there...

Quote from: the-mk on February 20, 2021, 05:35:59 PM
unbounddns > access list, I guess you didn't add your WireGuard network there...

Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.

With my Unbound set-up before, Wireguard was working. After the change to AdGuard DNS, Wireguard was not working any more. On the AdGuard configuration page, the Wireguard network was listed as listening.

But it is solved now. It was some kind of UDP routing issue. The DNS setting on the Wireguard client was not pointing to the Wireguard interface IP. It was pointing to another network on OPNsense. With Unbound this worked. With AdGuard UDP access was not working. By using a test tool and TCP port it also worked. After I changed the DNS IP on the Wireguard client to the Wireguard interface IP it also worked with AdGuard.

Quote from: Tubs on February 21, 2021, 04:18:34 AM
Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.
Sorry I should have read your post twice before trying to answer... missed the fact that it does not work with AdGuard...

Is anyone using Adguardhome as a DHCP server? I cannot get it to respond to dhcp requests. The service does start up and it's listening on the port as I've disabled the dhcp server within OPNsense.

root@OPNsense:/usr/local/AdGuardHome # lsof -i :67
lsof: WARNING: compiled for FreeBSD release 12.2-RELEASE-p3; this is 12.1-RELEASE-p13-HBSD.
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
AdGuardHo 35588 root   11u  IPv4 0xfffff801181f8ac0      0t0  UDP *:bootps


But it's not responding to dhcp client requests:
root@OPNsense:/usr/local/AdGuardHome # tcpdump -i igb1 port bootps
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:56:50.074579 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:51.651994 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:51.987743 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:56:54.047915 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:56:58.008635 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:62:6e:53:ae:22 (oui Unknown), length 277


DNS on adguardhome runs fine as I've disabled unbound but cannot get DHCP services to work.

When you disable the local DHCP service you have to allow DHCP packets as these auto rules are removed

Quote from: mimugmail on March 01, 2021, 05:09:57 PM
When you disable the local DHCP service you have to allow DHCP packets as these auto rules are removed

Thanks for the quick reply mimugmail. I didn't realize about the auto rules and went ahead and created them manually for the Adguard dhcp server. This still didn't resolve the issue.

I see the requests coming through from the client but no replies:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:24:35.356678 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:24:39.550372 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:40.623400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:43.004900 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:47.879591 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300


There are no drops in the firewall logs for DHCP traffic.

I'm uploading my firewall rule lists for DHCP which I copied from the auto rules.
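
A way to summarize a capture like the one in the post above, added here as an example and not part of the thread: it counts DHCP requests per client MAC and any replies in non-verbose tcpdump output, and lists clients that keep retransmitting while no reply is seen. The function names are made up for illustration; the sample lines are the ones posted above.

```python
import re
from collections import defaultdict

# Capture lines copied from the post above (tcpdump on igb1, port bootps).
CAPTURE = """\
11:24:35.356678 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:83:c2:bf:18:b5 (oui Unknown), length 302
11:24:39.550372 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:40.623400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:43.004900 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
11:24:47.879591 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 4e:0d:31:ec:8c:4a (oui Unknown), length 300
"""

# Non-verbose tcpdump prints the client MAC on Request lines only.
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP \S+ > \S+: BOOTP/DHCP, "
    r"(Request|Reply)(?: from ([0-9a-f:]{17}))?"
)

def summarize(capture):
    """Return (request timestamps per MAC, number of Reply lines)."""
    requests = defaultdict(list)
    replies = 0
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines or unrelated traffic
        hh, mm, ss, op, mac = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if op == "Reply":
            replies += 1
        elif mac:
            requests[mac].append(ts)
    return dict(requests), replies

def unanswered_clients(capture):
    """MACs that retransmitted while the capture holds no Reply at all."""
    requests, replies = summarize(capture)
    if replies:
        return []
    return sorted(mac for mac, ts in requests.items() if len(ts) > 1)

def retry_gaps(capture, mac):
    """Seconds between successive requests from one client."""
    ts = summarize(capture)[0].get(mac, [])
    return [round(b - a, 1) for a, b in zip(ts, ts[1:])]

if __name__ == "__main__":
    print(unanswered_clients(CAPTURE), retry_gaps(CAPTURE, "4e:0d:31:ec:8c:4a"))
```

Gaps that roughly double from one request to the next are consistent with a client retransmitting because it never received an answer.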

Just a guess, but does the AdGuard server have the privilege and the code to put the LAN interface in promiscuous mode on FreeBSD?

@tusc, if you look with ifconfig, you should see a "promisc" for the network interface in question. If that is missing, you can configure that manually with e.g. ifconfig igb0 promisc.

HTH,
Patrick

Quote from: pmhausen on March 01, 2021, 07:14:33 PM
@tusc, if you look with ifconfig, you should see a "promisc" for the network interface in question. If that is missing, you can configure that manually with e.g. ifconfig igb0 promisc.
HTH,
Patrick

Thanks for the idea Patrick. I checked and the LAN interface settings remain the same after I disable the OPNsense dhcp server. It doesn't appear that promiscuous mode is disabled. I assume because I'm also running Sensei and NetFlow/Insight?

igb1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500