OPNsense Forum

English Forums => General Discussion => Topic started by: mightyi on August 24, 2023, 11:55:23 AM

Title: Using Opnsense as router, dhcp and dns
Post by: mightyi on August 24, 2023, 11:55:23 AM
I have always used Opnsense as the firewall with a Ubuntu box acting as the network router and dnsmasq for dhcp/dns, which has worked great.

At last firewall build I installed an Intel x550 lan card so decided to use the fw for routing/dhcp/unbound dns too to make use of the enhanced 2.5gbe bandwidth. Unfortunately since I've done this, I've had issues. When trying to browse websites on any device, it sometimes takes an age before the site comes up, sometimes it times out and a refresh works. Other times I'll be using a site then all of a sudden the connection will drop and I'll have to reload (normally when entering info into a page).

I've checked the config and everything seems fine - the only oddity I've setup is that only the firewall is allowed to contact wan dns, all other devices on the network use the fw for dns and are blocked from external services. I had this setup previously, with only the Ubuntu box being allowed external dns and it worked fine.

I know on hardware firewalls in the past we've been advised not to use it as the default router for the network (eg Sonicwall) as they had some unexpected behavior, I was wondering if anyone had similar experiences with Opnsense?
Title: Re: Using Opnsense as router, dhcp and dns
Post by: Saarbremer on August 24, 2023, 12:57:44 PM
Hi,

I use unbound on OPNsense and it works just fine. The behaviour may be caused by an incorrect IPv6 setup. Do you use IPv6 and did you allow IPv6 to pass the firewall through WAN?

Please provide the interface config for WAN and LAN, the unbound config and the rules for the firewall in order to understand your situation better.

Title: Re: Using Opnsense as router, dhcp and dns
Post by: CJ on August 24, 2023, 01:36:46 PM
Have you completely removed the Ubuntu box? I would recommend you start with a clean install and then slowly add in the rules and settings to replicate what you had previously.

In regards to blocking all DNS and making OPNSense the sole source, that's what I do and it works just fine.

Whenever you run into a slow site, open the dev tools and look to see what's hanging. Your problem may not be DNS. Additionally, if you have slow upstream DNS and had tuned dnsmasq then you may need to do some tuning with unbound.
Title: Re: Using Opnsense as router, dhcp and dns
Post by: mightyi on August 24, 2023, 02:04:03 PM
Both the Ubuntu server and the firewall were rebuilt at the same time as I used new hardware, so no rogue routes etc left to cause issues.

Will look into the dev tools - thanks for the suggestion. The only tuning on dnsmasq is to redirect Remote Desktop services (teamviewer etc) to null and to redirect legacy music streaming services to the Ubuntu box.

With regard to IPv6 - the firewall was set to handle IPv6 but DHCPv6 was disabled. It's disabled in the fw settings as well now; is there anywhere else to look?
Title: Re: Using Opnsense as router, dhcp and dns
Post by: Monviech (Cedrik) on August 24, 2023, 02:11:43 PM
Some time ago I had strange slow website behavior and pings being dropped/delayed when upgrading to 5Gbit, and in the end it was faulty cables which created a lot of these errors.
Title: Re: Using Opnsense as router, dhcp and dns
Post by: Saarbremer on August 24, 2023, 02:34:57 PM
Regarding ipv6:

Do your internal hosts have a public IPv6 (e.g. any that is not fe80:: or fd80::)? DHCPv6 is not required for IPv6 to work automatically. If yes: Is outgoing traffic allowed as well as for IPv4?

Title: Re: Using Opnsense as router, dhcp and dns
Post by: mightyi on August 24, 2023, 03:23:14 PM
I've seen a couple of Apple devices showing ipv6 addresses as well as ipv4, but any ipv6 is disabled - although saying that I think there's an ipv6 default allow rule that Opnsense has set up...
Title: Re: Using Opnsense as router, dhcp and dns
Post by: Saarbremer on August 24, 2023, 03:47:08 PM
Would it be possible that you inspect network traffic during website loading - e.g. using Dev-Tools in a browser?

Then we'd be able to identify what takes you so long. Is it DNS, generic networking or sth else.
Title: Re: Using Opnsense as router, dhcp and dns
Post by: CJ on August 25, 2023, 03:36:54 PM
Quote from: mightyi on August 24, 2023, 03:23:14 PM
I've seen a couple of Apple devices showing ipv6 addresses as well as ipv4, but any ipv6 is disabled - although saying that I think there's an ipv6 default allow rule that Opnsense has set up...

Under Firewall->Settings->Advanced there's an Allow IPv6 checkbox that will block all IPv6 traffic if you turn it off.

Additionally, under System->Settings->General is a check box to prefer IPv4 even when IPv6 is available.

Lastly, IPv6 addresses that start with fe80 are link local and equivalent to 169.254 in IPv4.
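The replies above ask two things of the original poster: whether any LAN host carries a global IPv6 address (so it would try the internet over v6, as Saarbremer asks) and whether the stall is DNS or the network path (as CJ and Saarbremer suggest checking with the browser dev tools). The script below is an added example written for this page, not code from the thread or from OPNsense; it answers both from a LAN client by timing the A and AAAA lookups separately from the TCP handshakes to each returned address. The hostnames, the 500 ms DNS and 3 s connect thresholds, and the values used in the test cases are assumptions chosen for illustration.

```python
"""dns_vs_connect.py: is the stall DNS or transport, and is IPv6 in play?

Added example, not code from the forum thread or from OPNsense.  Run it on a
LAN client that uses the firewall as its resolver:

    python3 dns_vs_connect.py example.com

Hostnames, the DNS_SLOW_MS and CONNECT_TIMEOUT thresholds, and the sample
values in the docstrings are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
import sys
import time

DNS_SLOW_MS = 500.0      # assumed: slower than this and DNS itself is the problem
CONNECT_TIMEOUT = 3.0    # assumed; browsers wait far longer before falling back
ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses (fd00::/8 in practice)


def classify(addr: str) -> str:
    """Label one address: only a 'global' IPv6 address makes a host try the
    internet over v6; fe80::/10 (link-local) and ULA never leave the site."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:            # fe80::/10, comparable to 169.254/16
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip.is_loopback or ip.is_unspecified:
        return "other"
    return "global"


def uses_ipv6_to_internet(addrs: list[str]) -> bool:
    """True if any configured address would carry off-site IPv6 traffic."""
    return any(classify(a) == "global" for a in addrs)


def resolve(host: str, family: int) -> tuple[list[str], float]:
    """Resolve one record type (AF_INET -> A, AF_INET6 -> AAAA) through the
    system resolver; returns (addresses, milliseconds).  No record -> []."""
    t0 = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except OSError:
        addrs = []
    return addrs, (time.monotonic() - t0) * 1000.0


def connect_ms(addr: str, port: int = 443) -> float | None:
    """Milliseconds to complete a TCP handshake, or None if it fails or times out."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((addr, port), timeout=CONNECT_TIMEOUT):
            return (time.monotonic() - t0) * 1000.0
    except OSError:
        return None


def measure(host: str) -> dict:
    """Collect the raw numbers for one host; DNS and connect are timed apart."""
    v4, a_ms = resolve(host, socket.AF_INET)
    v6, aaaa_ms = resolve(host, socket.AF_INET6)
    return {
        "a_ms": a_ms,
        "aaaa_ms": aaaa_ms,
        "v4_connect": [connect_ms(a) for a in v4],
        "v6_connect": [connect_ms(a) for a in v6],
    }


def diagnose(m: dict) -> str:
    """Turn one host's measurements into a verdict.  A None in a connect list
    is a failed or timed-out handshake to that address."""
    v4_ok = any(c is not None for c in m["v4_connect"])
    v6_ok = any(c is not None for c in m["v6_connect"])
    if max(m["a_ms"], m["aaaa_ms"]) > DNS_SLOW_MS:
        return "slow-dns"
    if m["v6_connect"] and not v6_ok and v4_ok:
        # AAAA was answered but no v6 handshake completes: the client tries v6
        # first, stalls, then falls back to v4.  Long waits, then a refresh works.
        return "broken-ipv6-path"
    if not v4_ok and not v6_ok:
        return "no-transport"
    return "ok"


if __name__ == "__main__":
    for host in sys.argv[1:] or ["example.com"]:
        m = measure(host)
        print(f"{host}: A {m['a_ms']:.0f} ms, AAAA {m['aaaa_ms']:.0f} ms, "
              f"v4 {m['v4_connect']}, v6 {m['v6_connect']} -> {diagnose(m)}")
```

Run it a few times against the sites that stall, from a device that shows an IPv6 address. A "slow-dns" verdict points at unbound or its forwarding (the first lookup after a cache miss is the one to watch); "broken-ipv6-path" means the AAAA record is answered but the v6 handshake never completes, which is where the Allow IPv6 and Prefer IPv4 settings CJ mentions come in, and where a WAN rule check is worthwhile; "ok" on every run means the browser dev tools are the next place to look, since the delay is then happening above the transport layer.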