Over the weekend I got OpnSense set up for the first time, and I'm loving it.
That said, I'm hitting an issue that has me completely perplexed. For some reason, I can't access anything that requires DNS translation for roughly the first 10-15 minutes after a reboot. I can ping external IPs and can directly access hosts on my LAN via IP. I'm hoping that someone else may have run into this before, and has some recommendations for things I can try to resolve it.
Here are a few notes that may be worth mentioning:
- I'm running AdGuard Home on an RPi Zero--it's set to 192.168.1.101, and I point to that that in both System -> Settings -> General -> DNS servers and in Services -> DHCPv4 -> DNS servers.
- Unbound is disabled. (Eventually I'm planning to migrate to the AdGuard Home plug-in and enable Unbound, but I thought it best to make incremental steps getting there.)
- A NAT rule is set up to pass all port 53 traffic to 192.168.1.101. I've tried toggling this on and off at various times, but it doesn't seem to cause or fix the issue.
- I have WireGuard set up, and it's running mostly fine for both browsing the Internet and accessing devices on my LAN. The only issue is that there's one host (my NAS) that I can't access when connected through WireGuard. That host is connected to a VPN (PIA), which I think is causing the issue. I plan to raise a separate question about this, but figured it worth mentioning, just in case it's a clue to something.
- I've attached some screenshots of my settings, since it's quite likely that something I haven't mentioned, but is glaringly obvious to others, is the culprit. :)
Thanks in advance for any help troubleshooting this!
I doubt is the setup. As it is, it works but with that long delay.
Assuming OPN is the upstream resolver for AdGuard then that leaves you with a timing issue to track.
The name resolution from ADG is down during OPN's reboot and this time can be a few minutes based on hardware. 15 minutes sounds long for a reboot.
That makes me think you could try letting OPN do name resolution bypassing ADG for a test.
If that reduces considerably, you can narrow things down.
Thanks a lot for the help, cookiemonster! I took your advice, and reconfigured things so that OpnSense could go directly out to the DNS server, bypassing AdGuard Home. Upon reboot, as suspected, it worked immediately.
Out of curiosity, I figured it as good of an excuse as any to just take a shot at activating the AdGuard plug-in and Unbound, to see if I could get it all going. I had a bit of trouble with the firewall rule recommended in this post (https://forum.opnsense.org/index.php?topic=22162.0), but once I disabled that, things are now working immediately after reboots.
I'm still left wondering what the issue could have been between OpnSense and the RPi instance of AGH, but I'm happy with it as is, so will let sleeping dogs lie. :D Not to mention, now I've got an extra Pi0 to have some new fun with.
Thanks again for your help!