OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Profiteer on February 08, 2025, 08:02:00 PM

Title: [SOLVED] Can't connect from LAN to internet (another weird case)
Post by: Profiteer on February 08, 2025, 08:02:00 PM
Hey all. So, this one's got me stumped and I have no idea how to proceed with it. I've finally decided to make the jump from virtualized pfSense+ to OPNsense on bare metal, since they decided to take the Home/Lab license away. I finally have my entire configuration moved from one instance to the other, but... nothing on my LAN/DMZ will connect to the internet. Well, I shouldn't say that. Nothing can resolve via DNS. I can ping IP addresses just fine (e.g. 1.1.1.1 or 8.8.8.8). However, it won't resolve hostnames at all. I followed a lot of the guidance on the forums and made sure NAT was configured correctly (I went full manual, because I'm a control freak), DNSSEC was completely turned off on Unbound, and (just for testing purposes) created a rule that allowed any-any through the default gateway (in and out). Does anyone else have ideas on what I can check next? This firewall is supposed to completely replace the VM that powers my entire home network infrastructure, so it's super important to me that I get this figured out ASAP. Thanks!
Title: Re: Can't connect from LAN to internet (another weird case)
Post by: viragomann on February 08, 2025, 08:14:11 PM
Quote from: petrij98 on February 08, 2025, 08:02:00 PM
and (just for testing purposes) created a rule that allowed any-any through the default gateway (in and out).

What does "through the default gateway" mean here? Did you set up policy routing rules by any chance?
If you have a policy routing rule in the first position, your devices would not be able to access your Unbound DNS on OPNsense.
Title: Re: Can't connect from LAN to internet (another weird case)
Post by: Profiteer on February 08, 2025, 09:42:36 PM
So... the way I resolved this generates more questions than answers. I completely shut down Unbound and turned on Dnsmasq... and suddenly, everything started working. I combed through all of the options between Dnsmasq and Unbound, but there are absolutely no differences between their settings. I have absolutely no idea why Unbound wouldn't work, but Dnsmasq would.
Title: Re: Can't connect from LAN to internet (another weird case)
Post by: viragomann on February 08, 2025, 09:55:07 PM
Maybe it cannot resolve host names. Check the log to investigate.

Unbound uses the DNS root servers by default, while Dnsmasq just forwards the traffic to the system's DNS: the one you've stated in the general settings or, if none, the one pushed to you by your ISP.

I saw similar issues here, where it turned out that the ISP was blocking the DNS root servers for some reason. Maybe you're affected by this as well.
Did you use root servers on pfSense? Or did you run Unbound in forwarding mode?

For testing you can also configure the forwarding in OPNsense Unbound.
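A quick way to tell the two situations apart from a LAN host (an added example, not from the thread or from OPNsense): send an iterative query for the root NS set straight to a root server, the way Unbound's recursion does, and a recursive query to a forwarder, the way Dnsmasq does. The root server addresses are the public ones; 1.1.1.1 stands in for the ISP-pushed DNS, which the thread does not name.

```python
"""Probe root-server reachability vs. forwarder reachability over raw UDP/53."""
import socket
import struct

TXID = 0x1234
# Public root server addresses (a.root-servers.net, k.root-servers.net).
ROOT_SERVERS = ["198.41.0.4", "193.0.14.129"]
FORWARDER = "1.1.1.1"  # stand-in for the ISP's resolver; adjust to the real one

def build_query(qname: str, qtype: int, rd: bool) -> bytes:
    """Build a minimal DNS query; rd=False mimics a resolver talking to a root."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp: bytes) -> dict:
    """Extract txid, QR bit, rcode and section counts from a DNS response."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def probe(server_ip: str, qname: str, qtype: int, rd: bool, timeout: float = 3.0):
    """Send one query; return the parsed header, or None if nothing usable came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname, qtype, rd), (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    hdr = parse_header(data)
    return hdr if hdr["is_response"] and hdr["txid"] == TXID else None

def classify(root_ok: bool, forwarder_ok: bool) -> str:
    """Turn the two probe results into the operational conclusion."""
    if root_ok:
        return "root servers reachable: Unbound recursion should work"
    if forwarder_ok:
        return "root servers blocked, forwarder answers: enable forwarding in Unbound"
    return "no DNS path at all: check firewall/NAT rules rather than the resolver"

if __name__ == "__main__":
    # NS query for "." (qtype 2) with RD=0 to a root; A query (qtype 1) with RD=1 to the forwarder.
    root_ok = any(probe(ip, ".", 2, rd=False) is not None for ip in ROOT_SERVERS)
    fwd_ok = probe(FORWARDER, "opnsense.org", 1, rd=True) is not None
    print(classify(root_ok, fwd_ok))
```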
Title: Re: Can't connect from LAN to internet (another weird case)
Post by: Profiteer on February 09, 2025, 04:34:16 PM
I exclusively used Unbound on pfSense with no issues whatsoever. It was never used in forwarding mode. The logs aren't telling me a whole lot, unfortunately. However, at this point, I'm happy I have DNS working at all.