OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: chemlud on October 03, 2023, 07:23:02 PM

Title: No Unbound replies on new interface
Post by: chemlud on October 03, 2023, 07:23:02 PM
Hi!

Installed a fresh 23.7, all up-to-date and imported my working config for DNS-over-TLS with unbound. All fine.

I configured a new interface, DHCP works, set up firewall rules (including block to HTTPS of opnsense and allowing ipv4 UDP to port 53 of opnsense) and added the new interface to unbound in the GUI and applied. Rebooted. According to resolv.conf on the only host attached to the new interface, the DNS is set to the interface address of the opnsense.

With packet capture on port 53 of the new opnsense interface I see the requests of the host, but there is no reply at all from unbound.

With "inspect" on the FW-rules page of the new interface I see no evaluation of the FW-rule allowing UDP to port 53 of the opnsense?!?! The only rule hit is the first on the page, no matter which rule this is...


Any ideas?
Title: Re: No Unbound replies on new interface
Post by: newsense on October 04, 2023, 12:25:09 AM
Check in Unbound settings if it's listening on the new interface
Title: Re: No Unbound replies on new interface
Post by: chemlud on October 04, 2023, 08:40:49 AM
Quote: "...and added the new interface to unbound in the GUI and applied. Rebooted. ..."

So: Yes...

But there is no reply.
Title: Resolved: No Unbound replies on new interface
Post by: chemlud on October 04, 2023, 09:27:52 AM
As I wrote above: Apparently only the first FW-rule gets evaluated, so I moved the "allow ipv4 UDP to SERVER address (Interface of opnsense for the new network) port 53" rule to the first position. And started "apt update" on the client attached to this interface. No resolution of repo names on the client. But according to "Inspect" on the FW tab the first rule (allow DNS to sense) gets evaluated some hundred times, but 0 (zero) States, Packets, Bytes going back and forth.

What is going on here? This should be absolutely basic stuff, I have never seen something like that in over 10 years of *sense....

PS: Although NTP is also allowed on this new interface (to specific server), it apparently doesn't work either. So: not a problem with unbound, but pf?

Disabled "Static ARP" (why?) and rebooted. Traffic started flowing...
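The pattern in this post (rule counter climbing, zero states and zero bytes back, traffic resuming once Static ARP is turned off) is what a firewall shows when Static ARP is on and the ARP table holds no permanent entry for the requesting host: the request arrives and matches the rule, but the firewall cannot learn the host's MAC, so the reply has nowhere to go. The following is an added example, not code from the thread or from OPNsense: a small Python audit that reads `arp -an` style output (FreeBSD format, as used by OPNsense) and compares it with the DHCP static mappings that back the Static ARP option. The ARP lines, the interface name vtnet2, the addresses and the mapping table are all constructed for the example. It reports entries the firewall could not resolve (the symptom above), hosts reachable only through a dynamic entry (they will lose connectivity once Static ARP is applied), and configured mappings that have not produced a permanent entry yet.

```python
"""Audit a FreeBSD/OPNsense ARP table against DHCP static mappings.

Added example for the forum thread; not from the post or the OPNsense code.
All sample data (ARP output, interface name, MACs, addresses) is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Shape of an `arp -an` line on FreeBSD (assumed from the documented format):
#   ? (192.0.2.10) at 52:54:00:aa:bb:cc on vtnet2 permanent [ethernet]
#   ? (192.0.2.21) at (incomplete) on vtnet2 expired [ethernet]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}|\(incomplete\)) "
    r"on (?P<ifname>\S+) (?P<state>permanent|expired|expires in \d+ seconds)"
)


@dataclass
class ArpEntry:
    ip: str
    mac: str        # "(incomplete)" when the firewall never learned the MAC
    ifname: str
    state: str      # "permanent" (static), "expires in N seconds", "expired"


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse `arp -an` output; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            entries.append(ArpEntry(**d))
    return entries


def audit_static_arp(arp_text: str, ifname: str,
                     static_mappings: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify what the firewall can and cannot talk to on `ifname`
    once Static ARP is enabled.

    static_mappings: MAC -> IP as configured under the interface's DHCP page.
    """
    report: Dict[str, List[str]] = {
        "incomplete": [],            # firewall could not resolve the host at all
        "dynamic_only": [],          # works now, breaks when Static ARP is applied
        "mapping_not_applied": [],   # configured, but no permanent entry present
    }
    permanent_macs = set()
    for e in parse_arp_table(arp_text):
        if e.ifname != ifname:
            continue
        if e.mac == "(incomplete)":
            report["incomplete"].append(e.ip)
        elif e.state == "permanent":
            permanent_macs.add(e.mac)
        else:
            report["dynamic_only"].append(f"{e.ip} ({e.mac})")
    for mac, ip in static_mappings.items():
        if mac.lower() not in permanent_macs:
            report["mapping_not_applied"].append(f"{ip} ({mac})")
    return report


# Constructed sample: the firewall's own address and one mapped host are
# permanent; one host was learned dynamically; one request came from a host
# the firewall could not resolve (the symptom described in the thread).
SAMPLE_ARP = """\
? (192.0.2.1) at 00:a0:98:11:22:33 on vtnet2 permanent [ethernet]
? (192.0.2.10) at 52:54:00:aa:bb:cc on vtnet2 permanent [ethernet]
? (192.0.2.20) at 52:54:00:dd:ee:ff on vtnet2 expires in 1189 seconds [ethernet]
? (192.0.2.21) at (incomplete) on vtnet2 expired [ethernet]
? (198.51.100.7) at 52:54:00:12:34:56 on vtnet0 expires in 600 seconds [ethernet]
"""

# Constructed DHCP static mappings for vtnet2: one applied, one not yet.
SAMPLE_MAPPINGS = {
    "52:54:00:aa:bb:cc": "192.0.2.10",
    "52:54:00:99:88:77": "192.0.2.30",
}

if __name__ == "__main__":
    for kind, hosts in audit_static_arp(SAMPLE_ARP, "vtnet2", SAMPLE_MAPPINGS).items():
        print(f"{kind:>20}: {', '.join(hosts) or '-'}")
```

On a live box the input would come from `arp -an` and the mapping table from the interface's DHCP settings; an entry in "incomplete" for a host that is actively sending queries is the case this thread describes, and either a static mapping for that host or disabling Static ARP on the interface resolves it.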
Title: Re: No Unbound replies on new interface
Post by: CJ on October 04, 2023, 02:57:33 PM
Are you asking why disabling Static ARP makes things work or why it was checked in the first place?
Title: Re: No Unbound replies on new interface
Post by: chemlud on October 05, 2023, 02:52:07 PM
Neither. I use static ARP on nearly all interfaces and usually it works. No idea why disabling and enabling it afterwards made it work this time for the new interface...

Solved anyway.