I am struggling to complete my firewall setup and am looking for support. Will pay.
I have created several VLANs and need to complete the firewall rules. In addition, I've set up WireGuard (ProtonVPN) but am having problems with DNS: local devices on the VLAN that uses the VPN cannot be reached unless I use their IPs (e.g. .local addresses are not resolving). On VLANs not using WireGuard they work.
I've tried everything and am now just looking for someone who can go through the setup with me, get it to work and help with additional firewall rules.
My setup is mostly based on these:
- https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/
- https://schnerring.net/blog/router-on-a-stick-vlan-configuration-with-swos-on-the-mikrotik-crs328-24p-4s+rm-switch/
- https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8
Hi!
I have a very similar experience with a configuration that's also based on Schnerring's OPNsense Baseline Guide. I used it for a little more than a year without issues. I think it was the 24.1.2 upgrade that broke it. After that I couldn't access the Internet from any client computer (except through VLAN40); oddly enough, it seems as if the firewall itself can resolve DNS requests. I've been able to upgrade OPNsense, and other services like Let's Encrypt and ClamAV have been able to stay updated. Most of the Firewall > Log Files > Live View is in red. As per the guide there are four VLANs; VLAN10 is used for management. VLAN20 is the main access over WireGuard (in my case Mullvad), which uses Unbound and resolves DNS requests via the DNS root servers. VLAN30 is a backup access path and uses Dnsmasq. VLAN40 is a guest network, isolated from the three other VLANs, and uses a public DNS server configured in the DHCP server. Access through VLAN40 has been working uninterrupted. I include an image of the DNS architecture from the site. I hope Schnerring doesn't mind.
Miroco
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/
From the changelog of 24.1.2 there's a mention of the "recent DNS denial of service attack mitigation". Could this have anything to do with the fact that my configuration stopped working after applying it? Five months on and I'm still scratching my head.
I never got it to work correctly, so I'm not sure what change could have broken it.
My VLAN setup is slightly different from Schnerring's guidelines, but similarly I'm trying to use Unbound for the WireGuard VLAN (vlan10), while for the non-WireGuard VLAN (vlan20) I'm using Dnsmasq / Quad9.
They both "work" and can access the internet. The issue is that on vlan10 I cannot access any local devices unless I use the IP. I have several devices with .local addresses, and when using that VLAN it doesn't work.
For those interested, I finally resolved the issue I was having. I had to create a firewall rule to allow multicast mDNS traffic.
Firewall > Rules > Your VLAN Interface:
- Action: Pass
- Protocol: UDP
- Source: the VLAN network
- Destination: 224.0.0.251/24
- Destination port range: Custom port, 5353 for both the start and end of the port range.
This seems to have resolved my issue.
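As an added example (not from the thread and not OPNsense's own code), here is a client-side probe that sends an mDNS A query to 224.0.0.251:5353 for a .local name and parses any answers; run it from a host on the VLAN to confirm that the pass rule above is letting the multicast query through. It uses only the Python standard library and assumes `printer.local` as a placeholder hostname.

```python
# Added example, not from the thread: query a .local name over mDNS the way a VLAN
# client does, to check the UDP-to-224.0.0.251:5353 pass rule from the client side.
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # well-known IPv4 mDNS group and port


def build_query(name: str, txid: int = 0) -> bytes:
    """One-question DNS query for the A record of `name`, unicast-response (QU) bit set."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 0x8001)


def parse_a_records(msg: bytes) -> dict:
    """Return {name: ipv4} for the A answers in a reply; handles DNS name compression."""
    def read_name(off):
        labels = []
        while True:
            n = msg[off]
            if n == 0:
                return ".".join(labels), off + 1
            if n & 0xC0 == 0xC0:  # pointer to a name earlier in the message
                ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
                return ".".join(labels + [read_name(ptr)[0]]), off + 2
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip any echoed question entries
        off = read_name(off)[1] + 4
    out = {}
    for _ in range(an):
        name, off = read_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            out[name] = socket.inet_ntoa(msg[off + 10:off + 14])
        off += 10 + rdlen
    return out


def resolve_mdns(name: str, timeout: float = 2.0) -> dict:
    """Multicast the query with TTL 1 (link-local) and collect A answers until the timeout;
    an empty dict means nothing on the segment answered or the firewall dropped the traffic."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    s.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            found.update(parse_a_records(s.recvfrom(4096)[0]))
    except socket.timeout:
        pass
    return found
```

Call `resolve_mdns("printer.local")` from a client on the VLAN before and after adding the rule; the difference between an empty result and a populated one is the rule taking effect.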