OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: dnll on July 17, 2022, 07:58:05 PM

Title: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: dnll on July 17, 2022, 07:58:05 PM
My OPNsense hostname is "router" (I know, very original). I have a bunch of interfaces/VLANs... my problem is that pinging "router" is very inconsistent, and here is why (example coming from the 10.1.1.0/24 subnet):

vm-admin:~ # dig router

; <<>> DiG 9.16.6 <<>> router
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20656
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;router.                                IN      A

;; ANSWER SECTION:
router.                 3600    IN      A       10.1.100.1
router.                 3600    IN      A       10.1.200.1
router.                 3600    IN      A       10.2.30.1
router.                 3600    IN      A       10.2.20.1
router.                 3600    IN      A       10.2.10.1
router.                 3600    IN      A       10.1.1.1
router.                 3600    IN      A       10.2.1.1

;; Query time: 0 msec
;; SERVER: 10.1.1.1#53(10.1.1.1)
;; WHEN: Sun Jul 17 13:53:39 EDT 2022
;; MSG SIZE  rcvd: 163


Of course, on every interface/VLAN, the ".1" is OPNsense itself, however I'd like the DNS to reply either with 10.1.1.1 or whatever ".1" from the interface the request comes from.
Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: Patrick M. Hausen on July 17, 2022, 08:47:58 PM
That's a feature of the Unbound integration in OPNsense. I use BIND and manage my zones manually for that reason among others.
Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: dnll on July 17, 2022, 09:01:49 PM
Quote from: pmhausen on July 17, 2022, 08:47:58 PM
That's a feature of the Unbound integration in OPNsense. I use BIND and manage my zones manually for that reason among others.
As I've self-taught myself through learning pfSense/OPNsense and network in general, could you walk me through the easiest way to have only 10.1.1.1 respond as router on all interfaces, or if it's easier whichever .1 from the subnet the DNS query is made from?

Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: Patrick M. Hausen on July 17, 2022, 09:08:55 PM
Deactivate Unbound.
Install and activate BIND plugin.
Change BIND port to 53.
Create ACL with all your local networks.
Permit recursion for that ACL.
Create zone(s) with your local domain(s).
Create reverse zone(s) with your network(s).
Fill all zones manually.

Not sure if that's what you want. Running BIND in my data centre for >25 years now it's easy for me, but manual work. I don't like Unbound.

Possibly there is a solution with a host override in Unbound - someone else will have to step in because as I said I don't run Unbound.

The at least partially helpful part of my first message was: it's a builtin feature and there is possibly no simple way around it. Try a host override, but again I don't know if that works.
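
The steps in the post above, written out as a stand-alone BIND configuration. This is an added example, not part of the original thread and not what the OPNsense BIND plugin generates; the domain "lan.example", the file names, the ACL name and the /24 prefix lengths are assumptions.

```conf
// Constructed example: names, file paths and prefix lengths are assumptions.
// Networks behind the seven ".1" addresses in the dig output (/24 assumed).
acl "local_nets" {
    127.0.0.0/8;
    10.1.1.0/24;  10.1.100.0/24;  10.1.200.0/24;
    10.2.1.0/24;  10.2.10.0/24;   10.2.20.0/24;   10.2.30.0/24;
};

options {
    listen-on port 53 { any; };          // BIND answers on port 53 once Unbound is off
    recursion yes;
    allow-recursion { "local_nets"; };   // recursion only for the ACL, never for everyone
    allow-query     { "local_nets"; };   // same restriction for ordinary queries
};

// Forward zone for the local domain ("lan.example" is a placeholder).
// File names are relative to BIND's working directory.
zone "lan.example" {
    type master;
    file "lan.example.zone";
};

// Reverse zone for 10.1.1.0/24; add one per network as needed.
zone "1.1.10.in-addr.arpa" {
    type master;
    file "10.1.1.rev";
};

/* lan.example.zone: "router" has exactly one A record, so every client
   is answered with 10.1.1.1 (clients need lan.example as search domain).

$TTL 3600
@       IN SOA  router.lan.example. hostmaster.lan.example. (
                2022071701 3600 900 604800 3600 )
        IN NS   router.lan.example.
router  IN A    10.1.1.1

   10.1.1.rev carries the same SOA and NS records plus:
1       IN PTR  router.lan.example.
*/
```

Because the zone is filled by hand, the name resolves only to the records listed in the zone file, and the ACL keeps the resolver from answering recursive queries for addresses outside the listed networks.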
Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: dnll on July 17, 2022, 09:14:49 PM
Already tried an override in Unbound without success. I guess I'm going to create a static lease with a different hostname maybe... something like that. I'd rather stick with Unbound right now as it's only a minor inconvenience, and this wasn't an issue on pfSense so I'm sure it can be configured somewhere.

Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: Patrick M. Hausen on July 17, 2022, 09:18:38 PM
You probably don't need a static lease, but you can use a host override. If it's a name that does not yet exist.
Title: Re: Small issue with DNS and localhost hostname (OPNsense itself)
Post by: dnll on July 17, 2022, 09:28:04 PM
Quote from: pmhausen on July 17, 2022, 09:18:38 PM
You probably don't need a static lease, but you can use a host override. If it's a name that does not yet exist.
I'm just gonna change its hostname to opnsense and create a host override for "router" then. That should do the trick.

I wish there was a cleaner way to do this.
