OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: JGN1956 on August 16, 2022, 10:59:30 pm
-
I have recently installed OPNsense and I have configured different VLANs and interfaces. I have also configured a DMZ for a server that has to be accessible from the Internet. The WAN interface has a static IP and DNS configured in the general settings, since I have to keep the broadband router in the middle so that my fiber optics connection and TV keep working. Everything is working fine except that I have had to explicitly assign DNS servers to every internal network in the DHCPv4 config instead of keeping the default, that is, the firewall. I am using Unbound, with DNSSEC enabled, and I have also enabled Forwarding and DNS over TLS without overrides. However, forwarding is not working because, if I take out the explicit DNS servers from the DHCPv4 assignments in order to use the firewall as DNS, I cannot access the Internet from my PCs. I have even checked a packet capture and I do not see anything coming out of the WAN interface.
I have checked and rechecked the documentation and Internet postings without success. I think that, if this was an OPNsense error, it would be all over, because Unbound with the firewall as DNS for internal networks is the standard configuration, and therefore I must be missing something in my settings.
Can anybody help me sort this out?
Thanks in advance.
-
I have had that issue since day one of moving to OPNsense. I am using a DEC670 on the latest business release.
For every VLAN created (2 so far), I have to assign static DNS servers under DNS for devices to be usable.
If I use the gateway address of the newly created VLAN, it does NOT solve this issue.
I have also verified under Services > Unbound > Access Lists: internal + allow + network IP gateway is listed.
-
For each new interface you also need to create firewall rules to permit traffic at all. This includes DNS queries. Only the rules for DHCP and or IPv6 RA are created automatically.
-
I have aliases for most of my devices on the newly created VLAN.
The rule is:
Protocol = IPv4 *
Source = Arlo camera (4 IPs)
Port = *
Destination = *
Port = *
Gateway = Wan_GW
Should that pass DNS?
-
If you explicitly set the gateway then - no.
The packet arrives at the OPNsense interface, is permitted, but instead of being handed over to the local Unbound on that same interface it is sent to the gateway.
HTH,
Patrick
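As an added illustration of the point Patrick makes above (and of the earlier note that every new interface needs its own pass rules, including for DNS): this is not a ruleset from the thread or the one OPNsense generates, but hand-written pf rules in the same spirit. A gateway on an OPNsense rule becomes a pf `route-to`, and a packet matching such a rule is pushed out through that gateway even when its destination is the firewall's own interface address, so Unbound never sees the query. The fix is a rule without a gateway for DNS to the firewall itself, ordered above the policy-routing rule. The interface names, networks and gateway address (vlan20, 10.20.0.0/24, igb0, 203.0.113.1) are assumptions for the example.

```pf
# Before: the policy-routing rule matches everything from the VLAN, so a DNS
# query to 10.20.0.1 (the firewall's own address on vlan20) is handed to the
# WAN gateway instead of going up the stack to Unbound.
pass in quick on vlan20 inet from 10.20.0.0/24 to any route-to (igb0 203.0.113.1) keep state

# After: DNS to the firewall itself matches first and carries no route-to;
# only what falls through is policy-routed to the WAN gateway.
pass in quick on vlan20 inet proto { tcp udp } from 10.20.0.0/24 to (vlan20) port 53 keep state
pass in quick on vlan20 inet from 10.20.0.0/24 to any route-to (igb0 203.0.113.1) keep state
```

In the GUI the first "after" rule is a pass rule on the VLAN interface with destination set to that interface's address (or "This Firewall"), TCP/UDP port 53, gateway left at default, placed above the rule that sets Wan_GW. Rules are matched top to bottom, so the order matters as much as the gateway setting.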
-
Since I am still in the hardening process, I have a rule to open everything going out:
Source: PCs network
Port: any
Destination: any
Ports: any
Gateway: Default
Should this work?
(Later on I will set the rules for specific protocols and ports but I have this rule for the moment so that I can access Internet)
-
I did 2 things since reading this thread. It is working now:
1. Changed the gateway rule to Default (the default IS wan_gw).
2. Added the address AGAIN to the ACL a 2nd time; they were already posted as default rules, following this: https://docs.opnsense.org/manual/unbound.html
And it works. I've removed all static DNS servers from all the devices and it continues to work. I've cleared states and rebooted all the devices.
Interesting is all I have to say.
-
I tried what you said:
- My rule gateway was already default
- I added the PCs network in CIDR format to the Unbound Access List explicitly
Now, something has changed according to the Unbound log. The request seems to be forwarded, which is something that did not happen before; however, the request is not fulfilled, at least not always, because some requests seem to be responded to, or at least I can access the site in Chrome, but most of them are not.
So, there seems to be some improvement but it is still not working properly.
I am really confused about this.
-
I have been home testing this now that I know I won't take my network offline while remote:
1. Changing the gateway did not fix it. It didn't change anything that I can tell, but I did leave it at "default" for the rules.
2. I deleted the 3 network addresses under Services: Unbound DNS: Access Lists, and my network immediately stopped working for all devices on those networks. Keep in mind they are listed on that page. To get them to work, I manually re-added them again down below,
not the IP address of the device, just the gateway of the VLAN. They immediately started working again.
Thoughts?
-
How are your Forwarding and DNS over TLS entries configured? Are you trying to resolve local domains as well?
-
Yes, it is checked to use the system DNS in both cases, and I do not have any custom DNS domains; everything is at default.
Regarding the use for local domains, I do not see any checkbox for that in any of the DNS configuration screens, either in Unbound or in the system configuration.
-
[quote]Now, something has changed according to the Unbound log. The request seems to be forwarded, which is something that did not happen before; however, the request is not fulfilled, at least not always, because some requests seem to be responded to, or at least I can access the site in Chrome, but most of them are not.
So, there seems to be some improvement but it is still not working properly.[/quote]
You could do a packet capture on a specific client request (maybe capture both the WAN and the LAN side) and filter on port 53 to see if there are responses at all on the WAN side to determine on which side the problem resides. As far as I know, Unbound will do round-robin requests if there are multiple system DNS servers configured, which hints towards the "not always" remark.
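The two-sided capture suggested above, as an added worked example that is not code from the thread or from OPNsense: a small script that pairs each query with its reply by transaction ID in a `tcpdump -nn port 53` capture from the client VLAN and one from the WAN, then says per name where the exchange breaks (answered, forwarded but no upstream reply, never left the firewall, or the client's own packet showing up on the WAN still addressed to the firewall, which is what a pass rule with an explicit gateway does). The capture lines, addresses (10.10.0.1 as the VLAN address, 203.0.113.10 as the WAN address, 9.9.9.9 as a plain-DNS forwarder) and the verdict wording are constructed for the example.

```python
"""Pair DNS queries with their replies in two `tcpdump -nn port 53` captures,
one from the client VLAN and one from the WAN, and report per name where the
exchange breaks. Hypothetical helper written for this thread, not OPNsense code."""
import re

# One tcpdump line. What follows the transaction ID is "<TYPE>? <name>" for a
# query, or the answer summary (possibly led by an rcode name) for a reply.
LINE = re.compile(
    r"^\S+ IP6? (?P<src>[\w.:]+)\.(?P<sport>\d+) > (?P<dst>[\w.:]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*)$"
)
QUERY = re.compile(r"^(?:\[[^\]]*\] )?[A-Z0-9]+\? (?P<qname>\S+)")
RCODE = re.compile(r"^(NXDomain|ServFail|Refused|NotImp|FormErr)\b")


def pair_capture(lines):
    """One capture -> {qname: (server, rcode)}. rcode is None when the query was
    captured but no reply with that transaction ID went back to the asker."""
    pending, result = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        q = QUERY.match(m["rest"])
        if q:  # query: remember who asked whom, keyed so the reply can find it
            pending[(m["txid"], m["src"], m["sport"], m["dst"])] = q["qname"]
            result.setdefault(q["qname"], (m["dst"], None))
            continue
        qname = pending.pop((m["txid"], m["dst"], m["dport"], m["src"]), None)
        if qname is not None:
            r = RCODE.match(m["rest"])
            result[qname] = (result[qname][0], r.group(1) if r else "NoError")
    return result


def diagnose(lan_lines, wan_lines, resolver_addrs):
    """resolver_addrs: the firewall's internal addresses that Unbound listens on."""
    lan, wan = pair_capture(lan_lines), pair_capture(wan_lines)
    verdicts = {}
    for qname, (_, lan_rcode) in lan.items():
        if lan_rcode == "NoError":
            verdicts[qname] = "ok"
        elif qname not in wan:
            verdicts[qname] = "never left the firewall (rule, Unbound ACL or listen interface)"
        elif wan[qname][0] in resolver_addrs:
            # The client's own packet appeared on the WAN, still addressed to the
            # firewall: a pass rule with an explicit gateway policy-routed it.
            verdicts[qname] = "policy-routed to the WAN gateway, never reached Unbound"
        elif wan[qname][1] is None:
            verdicts[qname] = "forwarded, no upstream reply"
        elif lan_rcode is None:
            verdicts[qname] = f"upstream answered {wan[qname][1]}, resolver replied nothing"
        else:
            verdicts[qname] = f"resolver answered {lan_rcode}, upstream {wan[qname][1]}"
    return verdicts


# Constructed captures for the example (not from the thread). Clients sit in
# 10.10.0.0/24 behind the firewall's VLAN address 10.10.0.1; the firewall's WAN
# address is 203.0.113.10 and its plain-DNS forwarder is 9.9.9.9.
RESOLVER_ADDRS = {"10.10.0.1"}
LAN_CAPTURE = """\
12:00:01.000100 IP 10.10.0.50.51234 > 10.10.0.1.53: 4711+ A? www.example.com. (33)
12:00:01.004200 IP 10.10.0.1.53 > 10.10.0.50.51234: 4711 1/0/0 A 93.184.216.34 (49)
12:00:02.000100 IP 10.10.0.50.51235 > 10.10.0.1.53: 4712+ A? www.marca.com. (31)
12:00:03.000100 IP 10.10.0.50.51236 > 10.10.0.1.53: 4713+ A? nas.lan. (25)
12:00:04.000100 IP 10.10.0.50.51237 > 10.10.0.1.53: 4714+ A? printer.lan. (29)
12:00:05.000100 IP 10.10.0.50.51238 > 10.10.0.1.53: 4715+ A? nxdomain.example. (34)
12:00:05.020000 IP 10.10.0.1.53 > 10.10.0.50.51238: 4715 NXDomain 0/1/0 (89)
""".splitlines()
WAN_CAPTURE = """\
12:00:01.001000 IP 203.0.113.10.34567 > 9.9.9.9.53: 21883+ A? www.example.com. (33)
12:00:01.003900 IP 9.9.9.9.53 > 203.0.113.10.34567: 21883 1/0/0 A 93.184.216.34 (49)
12:00:02.001000 IP 203.0.113.10.34568 > 9.9.9.9.53: 21884+ A? www.marca.com. (31)
12:00:03.000400 IP 203.0.113.10.51236 > 10.10.0.1.53: 4713+ A? nas.lan. (25)
12:00:05.001000 IP 203.0.113.10.34569 > 9.9.9.9.53: 21885+ A? nxdomain.example. (34)
12:00:05.019000 IP 9.9.9.9.53 > 203.0.113.10.34569: 21885 NXDomain 0/1/0 (89)
""".splitlines()

if __name__ == "__main__":
    for name, verdict in diagnose(LAN_CAPTURE, WAN_CAPTURE, RESOLVER_ADDRS).items():
        print(f"{name:20} {verdict}")
```

To use it on a real box, run `tcpdump -nni <vlan-interface> port 53` and `tcpdump -nni <wan-interface> port 53` at the same time, save both outputs and feed the lines in. One caveat for the setup in this thread: with DNS over TLS enabled the WAN side carries TCP 853 with the query names encrypted, so capture `port 853` there and you can only see whether a TLS session to the forwarder is set up and answered; the LAN-side pairing still works as shown.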
-
I have done the packet capture and the requests seem to be forwarded but, for some unexplained reason, sometimes they are returned to the origin and some other times not, and a "NOT FOUND" message is returned. As I explained in my initial posts, Unbound works for some requests and not for others, and it does so in a very consistent manner: some FQDNs are ALWAYS resolved correctly and some others NEVER are. The only thing I have seen in these last ones is that they use Akamai, but I do not know if all the FQDNs that use Akamai have the same problem (for example www.marca.com).
Maybe there is some explanation for this, but this kind of inconsistency is strange.
-
Just for closing the thread. As I have said in a different post about Dnsmasq, Unbound does not work in my case because the Internet provider is blocking access to the root DNS servers for home connections.
Thanks to all the people that tried to help.
-
This also did the trick for me. I was having issues with DNS on every interface except my default LAN subnet. This all started happening after I installed AdGuard on OPNsense. I was really struggling with WireGuard; I figured it was something I did wrong with my road warrior config, but when troubleshooting I always had handshakes and everything else looked good, except I could never browse to a website.
Thanks for posting your results!
[quote author=DEC670airp414user link=topic=29883.msg144400#msg144400 date=1660751564]
I did 2 things since reading this thread. it is is working now :
1. changed the gateway rule to Default. which the default IS wan_gw
2. Add the address AGAIN. to ACL a 2nd time, they were already posted as default rules, following this : https://docs.opnsense.org/manual/unbound.html
and it works. I've removed all Static DNS servers to all the devices and it continues to work. I've cleared states and rebooted all the devices
interesting is all I have to say
[/quote]