starting apt-get update
Ign:1 https://pkgs.tailscale.com/stable/debian bookworm InRelease
[More PvE sites get blocked here - cut out so this post isn't a mile long]
Err:2 http://security.debian.org/debian-security bookworm-security InRelease
  Temporary failure resolving 'security.debian.org'
Err:1 https://pkgs.tailscale.com/stable/debian bookworm InRelease
  Temporary failure resolving 'pkgs.tailscale.com'
Ign:4 http://download.proxmox.com/debian/ceph-quincy bookworm InRelease
Ign:3 http://ftp.debian.org/debian bookworm InRelease
Ign:6 http://ftp.debian.org/debian bookworm-updates InRelease
Ign:5 http://download.proxmox.com/debian/pve bookworm InRelease
Err:4 http://download.proxmox.com/debian/ceph-quincy bookworm InRelease
  Temporary failure resolving 'download.proxmox.com'
Err:3 http://ftp.debian.org/debian bookworm InRelease
  Temporary failure resolving 'ftp.debian.org'
Err:5 http://download.proxmox.com/debian/pve bookworm InRelease
  Temporary failure resolving 'download.proxmox.com'
Err:6 http://ftp.debian.org/debian bookworm-updates InRelease
  Temporary failure resolving 'ftp.debian.org'
Reading package lists...
W: Failed to fetch http://ftp.debian.org/debian/dists/bookworm/InRelease  Temporary failure resolving 'ftp.debian.org'
W: Failed to fetch http://ftp.debian.org/debian/dists/bookworm-updates/InRelease  Temporary failure resolving 'ftp.debian.org'
[More get blocked here - cut out so this post isn't a mile long]
W: Failed to fetch https://pkgs.tailscale.com/stable/debian/dists/bookworm/InRelease  Temporary failure resolving 'pkgs.tailscale.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
TASK OK
lan 2024-06-25T12:19:05 192.168.1.190:41641 172.29.80.1:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 192.168.56.1:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 192.168.77.75:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 172.29.144.1:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 172.21.112.1:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 172.23.48.1:41641 udp Default deny / state violation rule
lan 2024-06-26T11:51:09 192.168.1.169:50811 192.168.1.1:1900 udp Default deny / state violation rule
lan 2024-06-26T11:51:09 192.168.1.169:50811 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:09 192.168.1.169:50811 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:34320 192.168.1.1:1900 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:34320 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:34320 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:43553 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:43553 192.168.1.1:5351 udp Default deny / state violation rule
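Added example (my own script, not part of the original thread and not an OPNsense tool): a small parser that reads live-log lines of the shape in the firewall excerpt above and buckets the denied flows by source host, destination class and port. The LAN subnet (192.168.1.0/24) and gateway (192.168.1.1) are taken from the Pi-hole routing table posted later in the thread; the port-to-service names are my own mapping; the sample input is constructed from lines in the excerpt plus one extra line (to 1.1.1.1:53) that is not from the thread and only exercises the "internet" bucket.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the OPNsense live-log export quoted above:
# interface, timestamp, src:port, dst:port, proto, rule label.
# The last line is NOT from the thread; it only exercises the "internet" bucket.
SAMPLE_LOG = """\
lan 2024-06-25T12:19:05 192.168.1.190:41641 172.29.80.1:41641 udp Default deny / state violation rule
lan 2024-06-25T12:19:05 192.168.1.190:41641 192.168.56.1:41641 udp Default deny / state violation rule
lan 2024-06-26T11:51:09 192.168.1.169:50811 192.168.1.1:1900 udp Default deny / state violation rule
lan 2024-06-26T11:51:09 192.168.1.169:50811 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:34320 192.168.1.1:1900 udp Default deny / state violation rule
lan 2024-06-26T11:51:55 192.168.1.192:43553 192.168.1.1:5351 udp Default deny / state violation rule
lan 2024-06-26T11:52:00 192.168.1.192:40000 1.1.1.1:53 udp Default deny / state violation rule
"""

# Assumed from the Pi-hole routing table in the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")

# My own mapping of the ports that appear in the excerpt to their usual sender.
KNOWN_PORTS = {
    53: "DNS",
    1900: "SSDP/UPnP discovery",
    5351: "NAT-PMP",
    41641: "Tailscale (WireGuard) peer port",
}

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.+)$"
)


def parse_line(line):
    """Return a dict for one live-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify_destination(dst, lan_net=LAN_NET, gateway=GATEWAY):
    """Bucket a destination the way the LAN rule set sees it."""
    addr = ipaddress.ip_address(dst)
    if addr == gateway:
        return "gateway"
    if addr in lan_net:
        return "lan"
    if addr.is_private:
        # A pass rule with destination "! PrivateNetworks" does not match these,
        # so they fall through to the default deny.
        return "other-private"
    return "internet"


def summarize_denies(log_text):
    """Count denied flows keyed by (source, destination class, dport, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["label"].startswith("Default deny"):
            continue
        key = (
            entry["src"],
            classify_destination(entry["dst"]),
            entry["dport"],
            KNOWN_PORTS.get(entry["dport"], "unknown"),
        )
        counts[key] += 1
    return counts


def report(log_text):
    """One human-readable line per (source, class, port) bucket."""
    lines = []
    for (src, cls, dport, svc), n in sorted(summarize_denies(log_text).items()):
        lines.append(f"{src} -> {cls}:{dport} ({svc}) denied {n}x")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real export, the report separates three different things that all carry the same "Default deny / state violation rule" label: SSDP (1900) and NAT-PMP (5351) probes that LAN hosts send to the gateway, Tailscale's UDP 41641 attempts to reach peers at addresses on other private subnets (which a pass rule with destination "! PrivateNetworks" deliberately leaves to the default deny), and anything headed for the internet, which is the only bucket that matters for the DNS problem in this thread.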
IPv4 TCP/UDP LAN net * LAN address 53 (DNS) * * Allow access to DNS server on LAN interface
IPv4 * LAN net * ! PrivateNetworks * * * Allow access to the internet, but block access to private networks
IPv4 * Blocked_Devices * * * * * Blocks the Blocked_Network Alias List from OUT Traffic.
IPv4 * Special_Allowed * * * * * Rule that allows Special_Allowed group through WAN.
[✗] DNS resolution is currently unavailable
[i] Time until retry: 120
IPv4 * * * * * * *
IPv4 * Blocked_Devices * * * * * Blocks the Blocked_Network Alias List from OUT Traffic.
IPv4 * Special_Allowed * * * * * Rule that allows Special_Allowed group through WAN.
Jun 27 00:00:02 dnsmasq[9114]: query[A] myipv4.p1.opendns.com from 192.168.1.191
Jun 27 00:00:04 dnsmasq[9114]: query[A] pkg.opnsense.org from 192.168.1.1
Jun 27 00:00:04 dnsmasq[9114]: reply pkg.opnsense.org is 89.149.222.99
*** [ DIAGNOSING ]: Network routing table
    default via 192.168.1.1 dev eth0 onlink
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.192

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
    192.168.1.192/24
[✓] IPv6 address(es) bound to the eth0 interface:
    fe80::be24:11ff:febd:cc00/64
[i] Default IPv4 gateway(s):
     192.168.1.1
   * Pinging first gateway 192.168.1.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
[i] Default IPv6 gateway(s):

*** [ DIAGNOSING ]: Ports in use
    udp:0.0.0.0:55030 is in use by tailscaled
[✓] udp:0.0.0.0:53 is in use by pihole-FTL
    udp:0.0.0.0:67 is in use by pihole-FTL
    udp:100.113.249.128:123 is in use by ntpd
    udp:192.168.1.192:123 is in use by ntpd
    udp:127.0.0.1:123 is in use by ntpd
    udp:0.0.0.0:123 is in use by ntpd
    udp:0.0.0.0:41641 is in use by tailscaled
[✓] udp:[::]:53 is in use by pihole-FTL
    udp:[fe80::2387:b1cb:1db9:1f5b]%tailscale0:123 is in use by ntpd
    udp:[fd7a:115c:a1e0::c871:f980]:123 is in use by ntpd
    udp:[fe80::be24:11ff:febd:cc00]%eth0:123 is in use by ntpd
    udp:[::1]:123 is in use by ntpd
    udp:[::]:123 is in use by ntpd
    udp:[::]:547 is in use by pihole-FTL
    udp:[::]:41641 is in use by tailscaled
[✓] tcp:0.0.0.0:53 is in use by pihole-FTL
[✓] tcp:0.0.0.0:80 is in use by lighttpd
    tcp:127.0.0.1:25 is in use by master
    tcp:100.113.249.128:33441 is in use by tailscaled
[✓] tcp:127.0.0.1:4711 is in use by pihole-FTL
    tcp:*:22 is in use by sshd
[✓] tcp:[::]:53 is in use by pihole-FTL
[✓] tcp:[::]:80 is in use by lighttpd
    tcp:[::1]:25 is in use by master
[✓] tcp:[::1]:4711 is in use by pihole-FTL
    tcp:[fd7a:115c:a1e0::c871:f980]:33441 is in use by tailscaled

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] cdn.imhd.io is 0.0.0.0 on lo (127.0.0.1)
[✓] cdn.imhd.io is 0.0.0.0 on eth0 (192.168.1.192)
[✗] Failed to resolve cdn.imhd.io on tailscale0 (100.113.249.128)
[✓] doubleclick.com is 142.250.66.206 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] support-customer-security-10898276365.netlify.app is :: on lo (::1)
[✗] Failed to resolve support-customer-security-10898276365.netlify.app on eth0 (fe80::be24:11ff:febd:cc00)
[✗] Failed to resolve support-customer-security-10898276365.netlify.app on tailscale0 (fd7a:115c:a1e0::c871:f980)
[✗] Failed to resolve support-customer-security-10898276365.netlify.app on tailscale0 (fe80::2387:b1cb:1db9:1f5b)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)
IPv4 TCP/UDP LAN net * LAN address 53 (DNS) * * Allow access to DNS server on LAN interface
IPv4 * LAN net * ! PrivateNetworks * * * Allow access to the internet, but block access to private networks
This rule allows only traffic from the LAN subnet to the OPNsense LAN address on port 53. Why? You have Pi-hole as your DNS, so why do you need this rule?
nano /etc/resolv.conf
root@pihole:~# nslookup opnsense.org
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   opnsense.org
Address: 178.162.131.118
Name:   opnsense.org
Address: 2001:1af8:4700:a1fa:3::2
FIRST: that some devices are querying the OPNsense gateway (.1.1) and being blocked. See attachment 2.
SECOND: that some queries from my work office IP are being blocked coming into the public IP for this device, yet I'm currently accessing it via Tailscale without issue. See attachment 1.