Do Not Change Too Much
The lesson learned during the installation of my new OPNsense [1] router.
Change one thing at a time!
I switched to a more reliable router, or at least I thought it would be… This post is about that journey, the adjustments I made in parallel, and their consequences, such as:
- New DNS server: Unbound [2] (provided by my new OPNsense router)
- Unbound DNS blocklists
- DNS overrides for *.xyz.ch pointing to my reverse proxy, so my Minecraft server was only reachable from outside at abc.xyz.ch via an SRV record that points to the correct port and server…
- Network Printer Problems
New DNS Server: Unbound
Before, I was using external DNS servers in combination with a local Pi-hole [3]. Most of my servers are configured statically, and they all pointed to the Pi-hole so that it could get rid of the ads.
Fortunately I had anticipated this step, but I still forgot some of the servers; it was always the first thing I checked when something broke…
Unbound DNS Blocklists
I decided to replace the Pi-hole with Unbound's blocklists. I really liked the Pi-hole's nice dashboards, but I looked at them twice, when I set it up, and then forgot about them… I also painfully learned that:
keep it simple
is the better strategy than:
install all nice looking things
So I scrolled through these blocklists and activated a lot of them, not following the new strategy :-D Once again I learned it the hard way, wondering why, for example, web.whatsapp.com was not working anymore… A Facebook blocklist was responsible for that. I ran into two more problems just like this. That is why I finally activated only two lists, which is apparently plenty for getting rid of most ads.
DNS Overrides
While going through the settings, I discovered these override possibilities, which I thought were a great way to be less dependent on the outside world…
Guess what: I soon deactivated them again. I had enabled overrides for some subdomains that also map to a Minecraft server via an external SRV DNS record, so inside my network those names were answered locally instead of through the external SRV record. This took quite a while to figure out… I could probably also define an SRV record in Unbound, but for now I deactivated the override so that the external SRV record is used again.
Network Printer Problems
We are used to printing a lot from mobile devices, which suddenly stopped working. Because of the problems described above, I was sure it had to be something router related. It kind of was…
I quickly found out that, mysteriously, it worked when we were connected over cable. And the firewall allowed the traffic the way it should. After a lot of trying I realised that the printer's admin interface also returned HTTP status code 403 Forbidden. That told me it was not actually the router's fault: I was reaching the web server, and it was able to respond with this Forbidden.
So finally I figured out that a directive in the CUPS configuration of my self-made network printer (see Past projects / About, chapter Print-Service) was responsible.
Here is the snippet:
# Restrict access to the server...
<Location />
Order allow,deny
Allow @LOCAL
# new additional subnet (the Wi-Fi clients of the new router)
Allow from 192.168.123.0/24
</Location>
The Allow @LOCAL only allowed addresses from the same subnet as the printer, and the Wi-Fi of the new router was handing out IP addresses from a different subnet. So I added Allow from 192.168.123.0/24 and it worked again.
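To see why the Wi-Fi clients got a 403 before the extra Allow line and not after it, here is an added example (not code from the post or from CUPS) that evaluates a cupsd.conf Location block the way CUPS's Order/Allow/Deny rules work. It assumes the printer host sits in a constructed 192.168.1.0/24 subnet, which is what @LOCAL stands for here.

```python
import ipaddress

# Constructed stand-in for the subnets of the CUPS host's own interfaces:
# in cupsd.conf, @LOCAL matches clients on one of those networks.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed copy of the post's <Location /> block, before and after the fix.
CONF_BEFORE = "<Location />\nOrder allow,deny\nAllow @LOCAL\n</Location>\n"
CONF_AFTER = CONF_BEFORE.replace("Allow @LOCAL",
                                 "Allow @LOCAL\nAllow from 192.168.123.0/24")

def parse_location(conf, path="/"):
    # Collect Order/Allow/Deny directives found inside <Location path>.
    order, allows, denies, inside = "deny,allow", [], [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower() == f"<location {path}>":
            inside = True
        elif line.lower() == "</location>":
            inside = False
        elif inside:
            key, value = (line.split(None, 1) + [""])[:2]
            if value.lower().startswith("from "):  # "from" is optional in CUPS
                value = value[5:].strip()
            if key.lower() == "order":
                order = value.lower()
            elif key.lower() == "allow":
                allows.append(value)
            elif key.lower() == "deny":
                denies.append(value)
    return order, allows, denies

def matches(rule, client):
    # True if one Allow/Deny value covers the client address.
    rule = rule.lower()
    if rule == "all":
        return True
    if rule == "@local":
        return any(client in net for net in LOCAL_SUBNETS)
    return client in ipaddress.ip_network(rule, strict=False)

def is_allowed(conf, client_ip, path="/"):
    # CUPS Order semantics: allow,deny denies by default (Deny wins), deny,allow allows by default.
    client = ipaddress.ip_address(client_ip)
    order, allows, denies = parse_location(conf, path)
    allowed = any(matches(r, client) for r in allows)
    denied = any(matches(r, client) for r in denies)
    return (allowed and not denied) if order == "allow,deny" else (allowed or not denied)
```

A wired client in 192.168.1.0/24 passes both versions, while a Wi-Fi client in 192.168.123.0/24 is refused by CONF_BEFORE and accepted by CONF_AFTER.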
The End
In the end it all worked out. Additionally, I learned some new things about DNS tools, and above all to introduce new things one at a time! In the end I was happy with the new OPNsense router.
[1] see: https://opnsense.org/
[2] OPNsense docs for Unbound: OPNsense docs; Unbound GitHub repo: Unbound source
[3] see: https://pi-hole.net/