Hi all,
I have just successfully set up a Fujitsu S920 as an OPNsense 24.7.11 firewall, so far running a flat LAN network. I am doing some final basic settings. Traditionally I have always used pi-hole as my DNS server; I run two instances, one on my NAS and another on a dedicated pi2. I have them set up as unbound DNS servers, and I have also set up some NAT rules as per this site https://labzilla.io/blog/force-dns-pihole to force all DNS traffic through the pihole. On the OPNsense firewall I have all DNS servers disabled and the general settings pointing to my two piholes.
The weird behaviour I am experiencing is that my laptop is happy with this arrangement and finds the internet if pihole(unbound) is the only DNS endpoint set up on the piholes at 127.0.0.1#5335. However my Android phone is not happy and won't talk to the internet with pi-hole(unbound) as the final endpoint. This took quite some time to discover but proves that the piholes are being used. However the Android phone is able to access gmail and Facebook with the pihole(unbound) as the sole endpoint, just no other services such as youtube.
If I switch from pihole(unbound)@127.0.0.1#5335 being the only allowed forwarder to Google at 8.8.8.8 then the Android phones start to be able to see the internet again.
I attempted to set the forwarder endpoint to the OPNsense instance of Unbound - but I get the same behaviour.
It seems that this question has been asked many times before, but the goalposts are moving so quickly with OPNsense development that none of the previous advice is very relevant to my current situation. I can live with having an internet DNS as my endpoint, but this is a regression in my functionality for my setup and I just want to understand why it's not working. I suspect it has something to do with the use of the loopback interface on the pi. Plain vanilla pihole is fine but adding unbound just messes things up.
Any advice as to what sort of firewall rules might allow this to work, or a pointer to how unbound interacts with the firewall, would be helpful. Bear in mind this is part of the steep learning curve I am on with regard to OPNsense firewall setup.
Stephen

Going to report this as resolved. I went back to basics and checked my piholes to see if the unbound services were actually running. Turned out that the one on my NAS wasn't and needed a restart. Once I did that the Android phones started to connect to the internet fine. Still a bit weird that the laptop was using the working pihole unbound but the Android phone wasn't.
Still, lesson learned: check the basics.
Stephen
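A small "check the basics" script of the kind the resolution above calls for, added here as an example and not code from the thread or from the Pi-hole or unbound projects. It is meant to be run on each Pi-hole host and assumes the layout from the first post (Pi-hole answering on port 53, its unbound upstream at 127.0.0.1#5335); the query name and timeout are arbitrary choices.

```python
"""Resolver health check for a Pi-hole + unbound host (added example, not from the thread)."""
import socket
import struct

TXID = 0x1234  # fixed transaction id; fine for a one-shot check
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str) -> bytes:
    """Build a recursion-desired A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp: bytes) -> dict:
    """Extract the header fields that decide whether a resolver is healthy."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch")
    return {"is_response": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}

def classify(info: dict) -> str:
    """Turn parsed header fields into a short verdict."""
    if not info["is_response"]:
        return "garbled"
    if info["rcode"] != 0:
        return RCODES.get(info["rcode"], f"RCODE{info['rcode']}")
    return "ok" if info["answers"] > 0 else "empty"

def check_resolver(host: str, port: int, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query and classify the outcome; a timeout means nothing is answering there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (host, port))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return "no answer (service down, not listening here, or blocked)"
    try:
        return classify(parse_response(data))
    except ValueError as exc:
        return f"bad reply ({exc})"

if __name__ == "__main__":
    # Run on the Pi-hole itself: pihole-FTL on :53 and its unbound upstream at 127.0.0.1#5335 (assumed layout).
    for label, host, port in (("pihole", "127.0.0.1", 53), ("unbound", "127.0.0.1", 5335)):
        print(f"{label:8s} {host}:{port} -> {check_resolver(host, port)}")
```

A "no answer" on 5335 with an "ok" on 53 is the stopped-unbound case found in the thread; a SERVFAIL from unbound usually points at its upstream or DNSSEC validation rather than at the firewall.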

I wonder what your PiHole setup is in terms of network diagram.

Piholes are both coming off the same MikroTik switch going to the OPNsense router. However the MikroTik is segregated into two switches which are internally bridged, one side is Gbit and the other is just fast ethernet; the two piholes are on different sides of the switch so could be introducing latency.