Do Not Change Too Much
The lesson learned during the installation of my new OPNsense1 router.
Change one thing after another!
I switched to a more reliable router, at least I thought it would be… About this journey and some parallel adjustments and their consequences. Such as:
- New DNS Server; Unbound2 (provided in my new opnsense router)
- Unbound DNS Blocklists
- DNS overrides for *.xyz.ch to my reverse proxy –> so my Minecraft Server was only accessible from outside at abc.xyz.ch with an SRV Entry, which points to the correct port and server…
- Network Printer Problems
New DNS Server; Unbound
Before I was using external DNS-Servers in combination with a local PiHole3. Because I configured most of my servers statically ,and they all pointed to the PiHole, so that it can get rid of the ads.
That step I fortunately anticipated, nevertheless I forgot some of them, but it was always the first step I verified when something broke down…
Unbound DNS Blocklists
I decided to replace the PiHole with the block-lists of unbound. I actually really liked the nice dashboards of the PiHole, but I was visiting it 2 times, when I set it up, and then forgot about it… I also painfully learned that:
keep it simple
is the better strategy than:
install all nice looking things
So I scrolled through these block-lists and activated a lot of them, not following the new strategy :-D Once again I learned it the hard way, wondering why for example web.whatsapp.com was not working anymore… There was also a facebook-block-list responsible for that. I encountered 2 more problems just like this. That is why I finally activated only two lists, which is apparently plenty enough for getting rid of most ads.
While going through the settings, I discovered these override possibilities, which I thought is a great thing to be less dependent from the outside world…
Guess what, I deactivated it soon. I activated it for some subdomains which also map to a minecraft server over an external SRV DNS entry. This took quite a while to figure out… Probably I could also write a SRV Entry in Unbound, but for now I deactivated it, so that it takes the external SRV entry again.
Network Printer Problems
We are used to printing a lot from mobile devices, which was suddenly not working anymore. Because of the already described problems above, I was sure it has to be something router related. It kind of was…
I quickly found out that it was mysteriously working if we were connected over cable. But the firewall allowed traffic the way it should. After a lot of trying I realised that also the admin interface throws a http status code: 403 Forbidden. This told me that it is actually not the routers fault, because I am getting to this webserver and it is able to respond with this Forbidden response.
So finally I figured out that a directive in the configuration of my self-made network printer with cups (see Past projects / About, Chapter: Print-Service) was responsible.
Here the snippet:
# Restrict access to the server... <Location /> Order allow,deny Allow @LOCAL Allow from 192.168.123.0/24 # <--- new additonal subnet! </Location>
Allow @LOCAL only allowed addresses from the same subnet where the printer was, and the Wi-Fi in the new
router was distributing other ip-addresses. So I added
Allow from 192.168.123.0/24 and it worked again.
In the end it all worked out. Additionally, I learned some new things about DNS-Tools and especially to introduce new things one at a time! Finally, I was happy with the new OPNsense-Router.
see: https://opnsense.org/ ↩
OPNsense docs for unbound: OPNsense docs, Unbound GitHub Repo: Unbound source ↩
see: https://pi-hole.net/ ↩