Author Topic: [SOLVED] DNS requests do not enter IPsec tunnel  (Read 3138 times)

Droppie391

[SOLVED] DNS requests do not enter IPsec tunnel
« on: May 30, 2017, 04:48:14 pm »
DNS requests made to the dns resolver (unbound) do not go through the ipsec tunnel for domain-overrides.
These DNS requests follow the routing table which states for the network on the other side of the ipsec tunnel to go via the wan interface. I don't understand how traffic from any workstation other than the OPNsense box and destined to the remote ipsec network can find its way through the tunnel but packets originating from the opnsense box itself are routed via the wan interface bypassing the ipsec tunnel.


« Last Edit: May 31, 2017, 03:34:04 pm by franco »

franco

Re: DNS requests do not enter IPsec tunnel
« Reply #1 on: May 30, 2017, 08:26:59 pm »
Binding unbound to the explicit interfaces that you need it to work with is required, especially including the one that is paired with IPsec. It's in the main settings page, interfaces and outbound interfaces selection.

FreeBSD does not support routes into IPsec by default, it is very strict about its security associations. To illustrate with ping from the OPNsense box:

Doesn't work:

# ping REMOTE.RIGHTSUBNET.IP

Works:

# ping -S LOCAL.LEFTSUBNET.IP REMOTE.RIGHTSUBNET.IP


Cheers,
Franco
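
The behaviour described in the reply above, as an added example that is not part of the original thread and not FreeBSD or OPNsense code: a simplified model of how a policy-based tunnel picks up a packet only when both source and destination match its selectors. All addresses, the `ROUTES` and `POLICIES` tables and the function names are constructed assumptions.

```python
import ipaddress as ip

# Constructed sample addressing (assumption, not taken from the thread).
WAN_IP = ip.ip_address("198.51.100.10")   # firewall's WAN address
LAN_IP = ip.ip_address("192.168.1.1")     # firewall's address in the left subnet
LEFT = ip.ip_network("192.168.1.0/24")    # local (left) subnet of the tunnel
RIGHT = ip.ip_network("10.20.0.0/24")     # remote (right) subnet of the tunnel

# Tunnel selectors: traffic is protected only if source AND destination match.
POLICIES = [(LEFT, RIGHT)]

# Routing table: there is no route into the tunnel, only connected LAN + default.
ROUTES = [(LEFT, "lan", LAN_IP),
          (ip.ip_network("0.0.0.0/0"), "wan", WAN_IP)]


def route_lookup(dst):
    """Longest-prefix match; returns (egress interface, its address)."""
    net, ifname, addr = max((r for r in ROUTES if dst in r[0]),
                            key=lambda r: r[0].prefixlen)
    return ifname, addr


def path(dst, src=None):
    """Return 'ipsec' if the packet matches a policy, else the routed interface.

    src=None models a locally originated packet without an explicit bind:
    the source becomes the address of the interface the route points at.
    """
    dst = ip.ip_address(dst)
    ifname, default_src = route_lookup(dst)
    src = ip.ip_address(src) if src else default_src
    if any(src in s and dst in d for s, d in POLICIES):
        return "ipsec"
    return ifname


if __name__ == "__main__":
    print(path("10.20.0.53"))                     # unbound, no outgoing bind
    print(path("10.20.0.53", src="192.168.1.1"))  # bound to LAN address / ping -S
    print(path("10.20.0.53", src="192.168.1.50")) # forwarded workstation traffic
```

A workstation's packet already carries a left-subnet source, so it matches the selectors; the firewall's own query only does so once unbound's outgoing interface is the one in the left subnet.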

Droppie391

Re: DNS requests do not enter IPsec tunnel
« Reply #2 on: May 31, 2017, 02:12:57 pm »
Thanks, that did the trick.

franco

Re: [SOLVED] DNS requests do not enter IPsec tunnel
« Reply #3 on: May 31, 2017, 03:34:19 pm »
Yay, cool, thanks for checking back! 8)