Intro: I took a lot of screenshots as proof, but I can only upload 4 with a max. of 256kb. I hadn't thought such restrictions might exist here ...
Hi all,
I am experiencing some weird behaviour in my newly set up opnsense and need some help.
Background:
I have a lot of experience in networking, coming from an IT Security background and many years of penetration testing.
I want to say of myself that I understand how networking and routes work on layers 2 and 3 and 4.
My home network consists of:
- Telekom fiber modem
- My own fritz box that connects through the fiber modem. As far as I understood Telekom's documentation, the modem simply converts ethernet into fiber. The fritz box does the dial in.
- I have an lte router as fall back Internet gateway.
- I use a tp link omada infrastructure at the moment. It contains a router, which is currently the main router in my network. I also have some WiFi APs and a switch from tp link, but that's unnecessary for my issue.
- I also use a pihole for dns, installed on an ordinary raspberry pi.
- My network is 192.168.0.0/21, because I wanted some more space in my lan for all different kinds of devices.
- I bought a mini computer and installed opnsense on it, and want to swap, at some point in the future, the omada infrastructure to opnsense (and a different WiFi vendor).
What I have done so far:
I installed opnsense, configured the two gateways, formed a group for fail over, imported DHCP from omada, enabled dhcp. Up to that point, everything works nicely.
The IP addresses look like this:
- Fritz box, WAN: 192.168.178.1
- Omada router, WAN port: 192.168.178.2
- Omada router, lan port: 192.168.0.1
- Pihole: 192.168.0.253
- Opnsense, WAN: 192.168.178.3
- Opnsense, LAN: 192.168.4.254
The ipconfig on my computer looks like this, nothing manually set, everything comes from DHCP.
(image missing)
Now I wanted to remove the raspberry pi from the equation and enable dns in the opnsense. Here, I got stuck and the oddities begin, or became obvious:
When I do tracert 192.168.4.254, I see three hops:
- 192.168.4.254
- 192.168.0.1
- Some entry point at my ISP
When I do tracert on any other address, I get 1 hop straight to the target.
It is the same in a linux machine, by the way.
See attachment "tracert.png"
Second weird thing: the DNS port appears as filtered/unavailable in nmap.
(image missing)
Other ports on the firewall are open, e.g. 80.
(image missing)
If port 80 wasn't available, I couldn't configure the opnsense, anyway.
(image missing)
Third strange thing: When I try to manually set the DNS server in Windows via nslookup (nslookup google.com 192.168.4.254), I see this result in the firewall logs of opnsense.
(image missing)
I have no clue why it would show the WAN network IP, 192.168.178.3, as outgoing, and the LAN network IP, 192.168.4.254, as incoming, because the request never should have left the LAN network at all.
Now, you might be wondering if I made a mistake in the firewall rules, but I in fact did not do anything there yet. When I got stuck, I added the rule to allow port 53/UDP from anywhere, but I just added this because it didn't work.
See attachment "firewall rules.png".
Unbound does listen on port 53, I did not change anything in the config there.
(image missing)
When I go to the diagnostics, I see that the opnsense can itself perform DNS requests "to the internet" and get information.
(image missing)
The service is also running, it's not stopped or anything.
(image missing)
I have asked two colleagues whom I appreciate as keen IT experts, but none found an immediate error here of what I'm doing wrong, so I'm really looking forward to your replies! :-(
Thanks a lot in advance <3
Edit: so, the problem is: dns is not accessible from the LAN network. Dns does work, as the diagnostics show that the opnsense can resolve external domains, but the service is not reachable from other devices.
I don't understand the actual problem yet. I think you say clients in the LAN aren't getting dns resolution from OPN. You should be able to see activity in the Unbound logs.
One thing I would suggest is to eliminate a problem with the gateways setup, to remove the falllback router and run a single gateway, see if things work that way first.
Quote from: Mombro on March 04, 2024, 07:29:59 AM
Hi,
I edited the topic post to reflect more clearly that the dns service is not reachable.
I will delete the gateway group and see if that helps or changes anything.
Bro, what the heck ... I deleted the group, disabled the LTE WAN, and it works instantly.
I guess I gotta inspect that grouping a bit more and learn about it more <3