OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: colotroy on April 27, 2023, 12:11:54 am

Title: Where is WAN outbound 1.1.1.1:53 coming from?
Post by: colotroy on April 27, 2023, 12:11:54 am
Ok, I'm new to opnsense but this is driving me crazy, yup - short drive...

In the firewall logs I see some things I don't understand. I see 1.1.1.1:53 out of the WAN when I'm using UnboundDNS and am not using 1.1.1.1, I'm using 1.1.1.2:853.

   WAN      2023-04-26T15:53:15-06:00   192.168.1.97:46081   1.1.1.1:53   udp   let out anything from firewall host itself (force gw)

I don't have anything in the General DNS settings under System>Settings>General under DNS servers, all DNS Server entries are blank.

I'm using Pi-hole and it's 10.0.048 on a 10.0.0./24 pointed at opnsense router for DNS.

I don't seem to be able to set a rule to stop WAN outbound :53 traffic because I can't set a rule above the auto-generated rules and the auto-generated "let out anything from firewall host itself" rule lets everything out.

I've tried setting a rule on the LAN interface (to see if this is coming from LAN and being forwarded through the router; I'm only using WAN and LAN now) to PASS or BLOCK 1.1.1.1 but it doesn't seem to catch anything, so I think this must be coming from the router??

I'm also seeing 8.8.8.8 ICMP, and I don't understand where that's coming from. I checked System>Gateways and all have Disable Gateway Monitoring checked.
   WAN      2023-04-26T16:02:02-06:00   192.168.1.97   8.8.8.8   icmp   let out anything from firewall host itself (force gw)

I'll add that I have Zenarmor ( LAN), Intrusion Detection( WAN ), and CrowdSec enabled.

Where the heck is the WAN 1.1.1.1:53 and 8.8.8.8 ICMP traffic coming from? How do I figure that out?

Also, is there a way to move a rule before the Automatically generated rules that I'm too dim to figure out?

Thanks!
Title: Re: Where is WAN outbound 1.1.1.1:53 coming from?
Post by: koushun on April 27, 2023, 01:58:21 am
In OPNsense, up to the right; search - "packet capture" (Interfaces > Diagnostics > Packet Capture).

Download that file and open it in Wireshark. Maybe that can help.

Perhaps something on your LAN is 'hardcoded' to use that DNS server.

For DNS, I prefer to create a NAT port forward rule that redirects DNS which is not going to unbound / pi-hole:

Interface
  LAN

Proto
  TCP/UDP

Address
  LAN net

Ports
  *

Address (Destination)
  !LAN address (IP to pi-hole)

Ports
  53

IP
  127.0.0.1 (or IP to pi-hole -- I have 127.0.0.1 as I am running unbound on the firewall)

Ports
  53

Description
  "Redirect external DNS queries to Opnsense Unbound DNS"

My Unbound DNS is configured to use DoT upstream servers.

https://1.1.1.1/help
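As an added example (not from this thread or from OPNsense), here is one way to answer "where is it coming from" without reading a full Wireshark capture: outbound NAT on WAN rewrites a LAN host's source address to the firewall's WAN address before the filter rule logs the packet, so a WAN hit with source 192.168.1.97 matching "let out anything from firewall host itself" may well be a NATed LAN client. The script parses log lines in the column layout quoted above (constructed samples; the LAN host 10.0.0.20 and the LAN-side logging pass rule are assumptions) and pairs each WAN-side plaintext DNS or resolver-ICMP hit with a LAN-side hit on the same destination and protocol inside a short time window.

```python
# Added example, not OPNsense code: attribute WAN-side "firewall host itself" hits
# to the LAN host that really sent them. Assumption: outbound NAT rewrote the LAN
# source to the WAN address (192.168.1.97) before the filter rule logged the packet.
from datetime import datetime, timedelta

# Constructed sample lines in the column layout quoted in the thread:
# iface  timestamp  source  destination  proto  rule label
WAN_LOG = """\
WAN 2023-04-26T15:53:15-06:00 192.168.1.97:46081 1.1.1.1:53 udp let out anything from firewall host itself (force gw)
WAN 2023-04-26T16:02:02-06:00 192.168.1.97 8.8.8.8 icmp let out anything from firewall host itself (force gw)
WAN 2023-04-26T16:02:05-06:00 192.168.1.97:51022 1.1.1.2:853 tcp let out anything from firewall host itself (force gw)
"""
# Hits from a logging pass rule on LAN (constructed; host 10.0.0.20 is hypothetical)
LAN_LOG = """\
LAN 2023-04-26T15:53:15-06:00 10.0.0.20:46081 1.1.1.1:53 udp log LAN to public DNS
LAN 2023-04-26T16:02:01-06:00 10.0.0.20 8.8.8.8 icmp log LAN icmp
"""
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

def parse(text):
    """Yield one dict per log line; ports are None for ICMP entries."""
    for line in text.splitlines():
        iface, ts, src, dst, proto, label = line.split(maxsplit=5)
        src_ip, _, src_port = src.partition(":")
        dst_ip, _, dst_port = dst.partition(":")
        yield {"iface": iface, "time": datetime.fromisoformat(ts),
               "src": src_ip, "sport": src_port or None,
               "dst": dst_ip, "dport": dst_port or None,
               "proto": proto, "label": label}

def suspicious_wan_hits(entries):
    """Plaintext DNS (port 53) leaving WAN, or ICMP to a public resolver.
    DoT on 853 (the intended Unbound upstream) is deliberately not flagged."""
    return [e for e in entries if e["iface"] == "WAN" and (
        e["dport"] == "53" or (e["proto"] == "icmp" and e["dst"] in PUBLIC_RESOLVERS))]

def attribute(wan_hit, lan_entries, window=timedelta(seconds=3)):
    """Return the LAN source IP whose hit has the same destination and protocol
    within the time window, else None (the flow may really be the firewall's own)."""
    for e in lan_entries:
        if ((e["dst"], e["proto"]) == (wan_hit["dst"], wan_hit["proto"])
                and abs(e["time"] - wan_hit["time"]) <= window):
            return e["src"]
    return None

def report(wan_text=WAN_LOG, lan_text=LAN_LOG):
    """Map each suspicious WAN flow ('dst:port' or 'dst:icmp') to its LAN origin."""
    lan = list(parse(lan_text))
    return {f'{h["dst"]}:{h["dport"] or h["proto"]}': attribute(h, lan)
            for h in suspicious_wan_hits(parse(wan_text))}

if __name__ == "__main__":
    for flow, origin in report().items():
        print(flow, "<-", origin or "no LAN match (firewall itself?)")
```

A flow with no LAN-side match is the interesting case: it points at the firewall or one of its add-ons rather than a client, so that is where the packet capture suggested above is worth the effort.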

Title: Re: Where is WAN outbound 1.1.1.1:53 coming from?
Post by: colotroy on April 27, 2023, 02:35:52 am
Thanks for the input. I'm trying to port forward to my pihole too... I may have messed up something here...
Interface - LAN
TCPIP - IPv4
Protocol - UDP/TCP
Destination - GoogleDNS ( alias for 8.8.8.8, 8.8.4.4, 1.1.1.1 ) I added the cloudflare addr for a test.
Destination Port - DNS
Redirect target IP - PiHole ( alias for pihole 10.0.0.48 )
Redirect port - DNS
Description - Redirect GoogleDNS to Pihole
All the rest are defaults...

Also the interesting thing is I'm not seeing any 1.1.1.1 traffic on the LAN but I'm also over my head with wireshark....
Title: Re: Where is WAN outbound 1.1.1.1:53 coming from?
Post by: colotroy on April 27, 2023, 03:56:26 am
Ah-ha! The mystery 1.1.1.1 traffic is coming from a UniFi Dream Router I've been playing with. I don't like the darn thing, the software hides too much and doesn't let you customize it like I want. This is a good example of hiding things... It seems like it's using a ping to 1.1.1.1 to see if it has internet connectivity. If I make a rule to block LAN 1.1.1.1 ICMP then it thinks it's lost its internet connection. I had a pass rule that I thought would have showed me that but it didn't... I'm still getting used to the opnsense rules so I must have messed up the pass rule... anyway, mystery solved.

I've been chasing down the WAN DNS because I'm trying to push everything through my pihole and unboundDNS. I'm trying to block, unsuccessfully, ads with my Google TVs and chromecast. I read that chromecast hard codes DNS to the google DNS servers so I'm trying to route that to pihole, but the mystery WAN traffic to 8.8.8.8 and 1.1.1.1 was driving me crazy. By the way, this hasn't helped. If anyone knows how to get rid of youtube ads with FW rules or pihole regex rules let me know! Ads suck!
Title: Re: Where is WAN outbound 1.1.1.1:53 coming from?
Post by: cookiemonster on April 27, 2023, 10:29:25 am
Long story made short, it is not possible to block youtube ads with firewall rules. The ads use the same urls as the rest of the content so a rule would block both. If you search this topic on the forum you'll have a longer and more comprehensive explanation and some suggestions (which fall outside OPN).