I'm running OPNsense 21.7.8 and I installed Adguard through the mimugmail repository.
My primary goal is to have all my DNS traffic from my LAN to ultimately be handled by Adguard.
The problem: I've set up a pool on the DHCP server for devices that haven't been assigned an IP. Everything else on my network has a static DHCP mapping. Only those devices with a static IP mapping get valid DNS settings. When a new device connects, it cannot resolve any DNS names (local or Internet) until I go into OPNsense and assign it a static mapping under the DHCPv4 settings.
Settings:
I can't remember what tutorial I followed and I've changed so many things fighting this problem I'm not sure that's even relevant any longer.
System -> General -> Networking
Prefer IPv4 over IPv6: checked
DNS servers: I've configured several publicly available ones (e.g. 1.1.1.1) using the WAN gateway
All other networking settings are unchecked
DHCPv4
Enable: checked
Deny unknown clients: unchecked
Ignore Client UIDs: checked
Subnet, subnet mask, available range and range set to reasonable values
Static ARP: checked
All other settings are blank/unchecked/default values
Static DHCP Mapping:
I'll fill out the MAC Client identifier, IP, hostname, description and check ARP Table Static Entry. All other settings are left blank/defaults.
Unbound DNS
Enabled: checked
Listen Port: 5353
Network Interfaces: LAN, Tailscale
DNSSEC: checked
DNS64: unchecked
DHCP Registration: checked
DHCP Domain Override: blank
DHCP Static Mapping: checked
IPv6 Link-local: checked
TXT Comment Support: checked
DNS Cache: checked
DNS Query Forwarding: checked
Local Zone Type: transparent
Adguard DNS Settings:
Upstream DNS Servers: the Unbound server (i.e. localhost:5353)
Parallel requests
Bootstrap DNS Servers: added the Unbound server, I think I left the other entries that were already there
Private reverse DNS servers: the Unbound server
Use private reverse DNS resolvers: checked
Enable reverse resolving of clients' IP addresses: checked
(testing upstreams pass)
All other DNS settings are the defaults
No clients are stored in the configuration.
Adguard's DHCP is turned off
I've tried so many things over many months but usually either end up breaking everything or not changing this behavior.
Any recommendations or tips would be greatly appreciated.
Thanks!
Probably with firewall rules to redirect DNS queries directed to OPN to Adguard.
Before that, just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is blocking that traffic, or one missing to allow it, from LAN clients out to 1.1.1.1 in the example. You don't need to use forward DNS as it defeats the purpose of having a DNS filter like Adguard.
Your settings appear to be a mix of everything. Perhaps not everything is needed. At least for testing I would rely on adguard only. My settings are as follows:
System -> General -> Networking
DNS servers: I've configured the local adguard DNS server here 192.168.xxx
Do not use the local DNS service as a nameserver for this system : checked
DHCPv4
I assume that DNS servers can be left blank
Unbound DNS: disabled
Adguard DNS Settings:
Upstream DNS Servers: for example Cloudflare
tls://1.1.1.1:853
tls://1.0.0.1:853
Bootstrap DNS Servers: same as for upstream DNS servers
Private reverse DNS servers: blank
Use private reverse DNS resolvers: unchecked
Enable reverse resolving of clients' IP addresses: checked
DNSSEC: checked
Firewall: First I created an adguard alias since adguard can listen on multiple IP addresses at the same time. This simplifies things when creating rules in multiple interfaces.
Rule for Firewall:
Allow * destination Adguard-Alias Port 53
Deny * destination * Port 53 (=block direct attempt to DNS bypassing adguard)
Allow Adguard-Alias destination * Port 853
Deny * destination * Port 853
As a safeguard I have also set up a port forward as follows (firewall - NAT - port forward):
Forward port 53 for traffic source NOT adguard-alias and dest NOT adguard-alias to adguard-IP
Thanks for the replies and sorry for the delay in response.
[quote]Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.[/quote]
I've run it with and without that box checked. I get no change in behavior but I'll leave it unchecked because I agree it's not needed.
If it were a firewall rule issue, wouldn't it not work all the time? I wouldn't think that the fact that clients with a static DHCP mapping in the ARP table would work and clients that are dynamically assigned their IP would not given I've no rules that specifically address the IPs in the range of the dynamic pool. In either case DHCP is serving out the OPNsense/Adguard as the DNS.
I did review my firewall rules and I don't see anything unexpected but there might be something going on here so I'll have to study it more closely. I tried this test.
I connected to the WiFi with a client without a static mapping (it's as easy as turning on randomized MAC on my phone). As usual it would not resolve anything. But this time I tried to bring up Adguard's admin page using its IP and port and it timed out. So something does seem to be blocking access to Adguard itself.
The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.
[quote]Your settings appear to be a mix of everything.[/quote]
Not surprising since I've been fighting this for months. But in the interest of getting back to a clean slate I've mirrored your settings to the best of my ability, including adding the firewall rules and NAT. I still get the same results. My intent though was to use Unbound to resolve the host names for my local machines.
Though now none of my internal host names are resolving (as expected), which is a separate problem I can overcome in time.
After looking and applying my firewall rules are as follows (not posting the automatically generated rules):
[code]
Type   Protocol       Source    Port  Destination  Port      Gateway  Schedule
Allow  IPv4 TCP/UDP   *         *     AdGuard      53 (DNS)  *        *
Block  IPv4 TCP/UDP   *         *     *            53 (DNS)  *        *
Allow  IPv4 TCP/UDP   *         *     AdGuard      853       *        *
Block  IPv4 TCP/UDP   *         *     *            853       *        *
Allow  IPv4 *         LAN net   *     *            *         *        *
Allow  IPv6 *         LAN net   *     *            *         *        *
[/code]
I don't see anything unexpected (beyond I probably should define the source for the new rules I added above).
Quote from: paperrhino on April 11, 2022, 05:20:40 PM
The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.
If this is not a typo, then it is most likely the reason for most of your problems. It is the wrong way to set up a pool IP range. Unless I'm mistaken and OPN can actually merge the two network segments.
Just change it to 10.10.1.200-10.10.1.254 and things should start working.
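An added example (not from any poster in this thread) that models the rule table and NAT port-forward discussed above with the first-match order OPNsense applies by default, and counts how much of a DHCP pool such as 10.10.1.200-10.10.2.254 falls outside the LAN subnet. It assumes the LAN is 10.10.1.0/24 and the AdGuard alias contains only the gateway 10.10.1.1; the 853 rule follows the earlier reply (AdGuard as source).

```python
import ipaddress

# Added example; not code from any poster. Assumptions: LAN 10.10.1.0/24,
# AdGuard alias = {10.10.1.1}. Rules are checked first-match ("quick"),
# as OPNsense does by default. Only the IPv4 rule table is modelled,
# not ARP or routing, so it shows what the rules alone decide.
LAN_NET = ipaddress.ip_network("10.10.1.0/24")
ADGUARD = {ipaddress.ip_address("10.10.1.1")}  # the "AdGuard" alias

# (action, source, destination, destination port); "*" means any,
# a network or a set of addresses matches its members.
RULES = [
    ("allow", "*", ADGUARD, 53),    # DNS to AdGuard
    ("block", "*", "*", 53),        # any other DNS (bypass attempt)
    ("allow", ADGUARD, "*", 853),   # DoT only from AdGuard
    ("block", "*", "*", 853),
    ("allow", LAN_NET, "*", "*"),   # default allow LAN net to any
]

def _matches(pattern, value):
    return pattern == "*" or value in pattern

def evaluate(src, dst, dport, rules=RULES):
    """Action of the first matching rule; no match means the implicit default block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_pat, d_pat, p_pat in rules:
        if _matches(s_pat, src) and _matches(d_pat, dst) and p_pat in ("*", dport):
            return action
    return "block"

def nat_redirect(src, dst, dport):
    """Port-forward safeguard: port 53 traffic neither from nor to AdGuard goes to
    AdGuard. pf translates (rdr) before filtering, so evaluate() sees the new dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport == 53 and src not in ADGUARD and dst not in ADGUARD:
        return str(next(iter(ADGUARD)))
    return str(dst)

def dns_outcome(src, dst, dport=53):
    """Where a client's DNS query ends up after NAT and filtering: (final dst, action)."""
    final = nat_redirect(src, dst, dport)
    return final, evaluate(src, final, dport)

def pool_outside_lan(first, last, lan=LAN_NET):
    """Count pool addresses outside the LAN subnet, i.e. not covered by 'LAN net'."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return sum(1 for i in range(lo, hi + 1) if ipaddress.ip_address(i) not in lan)
```

A client on the out-of-subnet part of the pool matches none of the LAN net rules, which is the effect the reply above points at.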
Thanks for the reply.
I've played around a bit with that field, even going as far as setting both of those rules to allow any source for both IPv4 and IPv6 (though I'm pretty sure all my machines are running v4). This generated no change in behavior. Those machines that are served up an address from the DHCP pool still cannot connect while those with a static mapping can connect. I've left the rules with * for now.
Looking around some more I did notice a couple of other potential sources of problems. I had not realized that I've added some static mappings in the dynamic pool range. So my client was being assigned an IP address that was mapped to a different device that wasn't connected (one gets a lot of mappings when a mapping needs to be added for every guest's device). I fixed the pool so there is no overlap but that didn't fix anything. Thought it worth mentioning just in case it's relevant.
I looked at the DHCPD logs and there is an odd error that appears when the device tries to connect.
2022-04-19T11:58:33-06:00 Error dhcpd icmp_echorequest 10.10.1.220: Invalid argument
I wonder if that's the ping the phone makes when it first connects to see if the internet can be reached.