OPNsense Forum

English Forums => General Discussion => Topic started by: meddyuk76 on March 11, 2025, 10:34:08 PM

Title: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 11, 2025, 10:34:08 PM
I've put some of my VMs in their own DMZ VLAN 192.168.50.** /24
My DNS is obviously on the LAN on 192.168.1.1

I've put a rule in the DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any).

Whenever I type nslookup, my VMs cannot contact the server. I'm also not able to update any of my VMs.

I take it that DNS is being blocked by the Firewall but I can't figure out why.

It's a steep learning curve.
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: Patrick M. Hausen on March 11, 2025, 10:51:19 PM
Direction "in"?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 12, 2025, 09:34:29 AM
Quote from: Patrick M. Hausen on March 11, 2025, 10:51:19 PM
Direction "in"?
Yep, direction In. Just on the DMZ firewall rules
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: Patrick M. Hausen on March 12, 2025, 09:42:03 AM
Do a tcpdump. I suspect this happens:

- client on the DMZ sends a query to Unbound (you are running Unbound?) using the address on LAN
- Unbound answers using the address on the DMZ interface as the source

Answers like that will be dropped by any modern client.

Best set clients on the DMZ network to use the address of the DMZ interface on OPNsense as their DNS server, not the address on LAN.
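Patrick's point about mismatched source addresses, as an added demonstration that is not part of the forum thread or of OPNsense/Unbound: a stub resolver that connect()s its UDP socket lets the kernel discard any datagram whose source is not the address and port it queried, which is what happens when the query goes to the LAN address and the answer comes back from the DMZ address. The demo is constructed: two loopback ports stand in for the two interface addresses, the "server" is a thread that answers from the wrong socket, and the DNS query/response bytes are built by hand.

```python
import socket
import struct
import threading


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS A query (constructed for this demo; no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def misbehaving_server(listen_sock: socket.socket, reply_sock: socket.socket) -> None:
    """Take one query on listen_sock but answer from reply_sock, i.e. from a different
    source (here a different port; in the thread it is a different interface address)."""
    data, client = listen_sock.recvfrom(512)
    txid = struct.unpack("!H", data[:2])[0]
    # Same TXID, QR/RD/RA set, question echoed back; no answer records are needed for the demo.
    response = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + data[12:]
    reply_sock.sendto(response, client)


def resolve_once(connected: bool, timeout: float = 1.0) -> str:
    """Send one query and report what the client sees.

    connected=True models a modern stub resolver: it connect()s the UDP socket, so the
    kernel drops every datagram whose source is not the address:port that was queried.
    connected=False models an old-style client that accepts a reply from anywhere.
    """
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))          # "LAN address": where the query is sent
    reply = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    reply.bind(("127.0.0.1", 0))           # "DMZ address": where the answer comes from
    server = threading.Thread(target=misbehaving_server, args=(listen, reply), daemon=True)
    server.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    target = listen.getsockname()
    query = build_query(0x1234, "example.com")
    try:
        if connected:
            client.connect(target)
            client.send(query)
        else:
            client.sendto(query, target)
        data, source = client.recvfrom(512)
        if struct.unpack("!H", data[:2])[0] != 0x1234:
            return "rejected: transaction id mismatch"
        if source == target:
            return "accepted"
        return "accepted from unexpected source"
    except socket.timeout:
        return "dropped"
    finally:
        server.join(timeout)
        for s in (client, listen, reply):
            s.close()


if __name__ == "__main__":
    print("connected client :", resolve_once(connected=True))    # dropped
    print("unconnected client:", resolve_once(connected=False))  # accepted from unexpected source
```

On the firewall itself the equivalent check is the tcpdump Patrick suggests, for example `tcpdump -ni <DMZ interface> udp port 53` (interface name to be filled in), comparing the destination address of the query with the source address of the answer; if they differ, the fix is the one given above: hand the DMZ clients the DMZ-side address of OPNsense as their resolver.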
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 12, 2025, 09:46:28 AM
Quote from: meddyuk76 on March 11, 2025, 10:34:08 PM
I've put some of my VMs in their own DMZ VLAN 192.168.50.** /24
My DNS is obviously on the LAN on 192.168.1.1

I've put a rule in the DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any).
That firewall rule does look ok, a bit wide open to the LAN but it should work.

Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 12, 2025, 10:25:30 AM
Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
No. I've set it to 1.1.1.1 and 8.8.8.8.

I've got Unbound enabled and Dynamic DNS set up via Cloudflare.

It was all working fine when I had everything on VLAN 1 and all the VMs were running via vmbr0 (Proxmox host). Now I've changed IPs and VLANs on the VMs, I can ping everything internal and external, I just can't get DNS.
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 12, 2025, 10:50:05 AM
Quote from: meddyuk76 on March 12, 2025, 10:25:30 AM
Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
No. I've set it to 1.1.1.1 and 8.8.8.8.

I've got Unbound enabled and Dynamic DNS set up via Cloudflare.

It was all working fine when I had everything on VLAN 1 and all the VMs were running via vmbr0 (Proxmox host). Now I've changed IPs and VLANs on the VMs, I can ping everything internal and external, I just can't get DNS.

Ok, that would work too, of course. All DMZ services use 1.1.1.1 and 8.8.8.8 as their DNS server and don't use OPNsense for DNS at all.

What is the purpose of the rule you mentioned, "DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any)"? That allows the DMZ LAN to access port 53 on any LAN IP.

What other rules do you have in the DMZ firewall? Do you have an 'Allow All Out' rule?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 12, 2025, 01:59:18 PM
The rules are all 'IN' rules, no out rules.

Proto            Source    Port  Destination  Port      Gateway  Schedule  Description
IPv4+6 TCP/UDP   DMZ net   *     DMZ address  53 (DNS)  *        *         Allow access to DNS
IPv4+6 *         DMZ net   *     LAN net      *         *        *         Access to internet
IPv4 ICMP        *         *     *            *         *        *         Allow ICMP echo reply messages
IPv4 TCP/UDP     DMZ net   *     LAN net      53 (DNS)  *        *         DMZ to LAN DNS access
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 12, 2025, 02:28:49 PM
Quote from: meddyuk76 on March 12, 2025, 01:59:18 PM
The rules are all 'IN' rules, no out rules.

IPv4+6 TCP/UDP    DMZ net    *    DMZ address    53 (DNS)    *    *        Allow access to DNS     
IPv4+6 *    DMZ net    *    LAN net    *    *    *        Access to internet     
IPv4 ICMP    *    *    *    *    *    *        Allow ICMP echo reply messages     
IPv4 TCP/UDP    DMZ net    *    LAN net    53 (DNS)    *    *        DMZ to LAN DNS access
You're right, they are 'in' rules. Is all the traffic from the servers routed through the LAN?

Usually I would expect a rule like:

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

Your "Access to internet" rule allows DMZ net access to LAN net, not more and not less.

If all the rules are 'quick' rules (which they are by default), then ...

"IPv4 TCP/UDP   DMZ net   *   LAN net   53 (DNS)   *   *      DMZ to LAN DNS access"

... won't be reached at all since the 'Access to internet' rule does also cover DMZ net to LAN net 53/udp.

Confusingly, with these DMZ rules the clients in the DMZ zone can't access the internet, except if they all go through a router on LAN.

Maybe I'm overlooking something.
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 12, 2025, 05:36:31 PM
I thought I would try a NAT Port Forward from DMZ to DMZ Net (DNS) but that's not worked either. I'm trying to get the VM's to at least update, so that I can confidently deploy another VM and start the next project which is HomeAssistant.
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 12, 2025, 05:44:17 PM
If you can't connect (or ping) from the DMZ net then it's as I thought it to be.
You gotta change the

IPv4+6 *    DMZ net    *    LAN net    *    *    *        Access to internet     

to

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

for the reason I wrote before.

I haven't really understood your DNS part. You wrote that you use 1.1.1.1 and 8.8.8.8, but where do you set them? For OPNsense to use as DNS forwarder (in System > Settings > General), or do you enter these two in the DMZ net DHCP server in the 'DNS Server' field?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 12, 2025, 09:09:32 PM
I can ping external addresses from the VLAN, I just can't reach Linux repositories and can't resolve nslookups as the server 127.0.0.1:53 is unreachable.

The DNS part is where I am slightly confused, as there are numerous places you can put entries.

I have used 1.1.1.1 and 8.8.8.8 in the DMZ DHCP DNS server entries.

I have also used 1.1.1.1 and 8.8.8.8 in Unbound DNS TLS entry.

Thanks for your ongoing advice/help - it's appreciated!
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 12, 2025, 11:38:50 PM
Quote from: meddyuk76 on March 12, 2025, 09:09:32 PM
I can ping external addresses from the VLAN
I don't really understand how you can get to the internet with these rules. And since that's not clear to me, I'm of not much help with the DNS.

Can you do a traceroute -n 1.1.1.1 so it shows what way the packet takes?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 13, 2025, 10:29:52 AM
Quote
I don't really understand how you can get to the internet with these rules

You were right, I changed the rule from LAN Net to Any and it connects. I'm able to update my Ubuntu repos.
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 13, 2025, 01:11:08 PM
Quote from: meddyuk76 on March 13, 2025, 10:29:52 AM
You were right, I changed the rule from LAN Net to Any and it connects. I'm able to update my Ubuntu repos.
Uuff, ok. My world does make sense again :)

About DNS: OPNsense reacts to DNS queries from local clients, that is what Unbound does. And with the DNS Server field in the DHCP server you tell the DHCP server what IP the clients should receive as the DNS server to query. If you don't set anything in OPNsense, that is going to be Unbound on OPNsense, on the IP address of the interface.
If you set the DNS Server field in the DHCP server to something else, like 1.1.1.1, then the clients will use that DNS server. Nothing wrong with it, but that way you don't see what the clients look up, and if you enable blocklists on OPNsense they won't have any effect, nor will the caching of DNS query answers.

Setting 1.1.1.1 and/or 8.8.8.8 in System > Settings > General tells OPNsense/Unbound where to forward DNS queries from clients. If you don't enter any IPs Unbound will ask the DNS root servers.

For your DMZ it would be easiest if you let the DMZ servers use OPNsense/Unbound as the DNS server. For that you don't have to create any rules and it's the default in the DHCP server settings. And by default Unbound listens on all interfaces for DNS queries, also the DMZ.

DMZ firewall rules: right now the DMZ can access the LAN (or any other network you will create); most of the time you want the DMZ to be isolated from the rest of the network.
The nature of the 'in' direction rules (seen from the router, 'in' means incoming from LAN or DMZ) is that you restrict access from the source. If you want DMZ devices to only be able to access the internet, you would modify the

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

... rule to something like

IPv4+6 *    DMZ net    *    'not LAN net'    *    *    *        Access to internet

Which translates to: allow DMZ net access to everything except LAN net.

Best practice is to create an alias for the network, like an alias 'trusted_networks' to which you add the LAN net, and in the firewall rule you replace 'not LAN net' with 'not alias trusted_networks'.
That way, if you add another internal LAN2 to which the DMZ should not have access, you just add it to the alias trusted_networks and the DMZ will automagically not be able to access it.

The above rule would be the last rule in the list. And if you need a server in the DMZ to access a server in the LAN network, you add a rule above the before-mentioned rule, e.g.

IPv4+6 TCP    'Some DMZ server IP'    *    'A backend server in LAN'    80    *    *        Access Web Server in LAN
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: meddyuk76 on March 13, 2025, 03:59:16 PM
Brilliant - thanks for everything and thanks for clarifying! You are correct, I don't want my DMZ to access my LAN or my Private Devices VLAN - I want to do the same with the Guest WiFi VLAN and IoT Devices VLAN... I'll get there in the end.

Would you recommend applying a rule to 'reject' anything with a destination of 'Private RCC Networks', and placing it above all other rules?
Title: Re: VM in DMZ Vlan unable to resolve DNS queries.
Post by: patient0 on March 14, 2025, 07:56:28 AM
Quote from: meddyuk76 on March 13, 2025, 03:59:16 PM
Would you recommend applying a rule to 'reject' anything with a destination of 'Private RCC Networks', and placing it above all other rules?
I don't know what RCC Networks are, maybe you refer to RFC1918, private and not routable addresses?

But no, since the default is 'quick' rules. The first matched firewall rule is applied and no further rules are evaluated. You want that rule as the last rule in the list.

If you put it first, then no other rule you create after it, e.g. matching a private IP (for example allow access for one DMZ server to the LAN net), would be evaluated.
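The three rule-ordering points patient0 makes in this thread (the dedicated DNS rule is never reached because "Access to internet" matches first; a destination of "LAN net" gives no internet access at all while ICMP still gets through; and a "not trusted_networks" rule must come last, with specific exceptions above it, because a reject placed first would shadow them) are all consequences of first-match evaluation. Here is an added, constructed first-match evaluator that replays the thread's flows against the posted rules and the suggested ones. It is not OPNsense or pf code and simplifies heavily: IPv4 only, no state table, no port ranges, every rule treated as 'quick', and only the 'in' rules of one interface. LAN and DMZ networks are those from the thread; the OPNsense DMZ address, the second internal VLAN in the alias and the two host addresses are assumed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan. LAN and DMZ follow the thread (192.168.1.0/24 and 192.168.50.0/24);
# the OPNsense DMZ address, the second internal VLAN and the two host addresses are assumptions.
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "DMZ net": ["192.168.50.0/24"],
    "DMZ address": ["192.168.50.1/32"],
    "trusted_networks": ["192.168.1.0/24", "192.168.60.0/24"],
}


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp", "tcp/udp" or "icmp"
    src: str              # alias name, literal IP/CIDR, "*" or "not <spec>"
    dst: str
    dport: Optional[int]  # None matches any destination port
    desc: str


def _in_spec(ip: str, spec: str) -> bool:
    """Does `ip` fall inside `spec`? Handles "*", "not <spec>", aliases and literal networks."""
    if spec == "*":
        return True
    if spec.startswith("not "):
        return not _in_spec(ip, spec[4:])
    networks = ALIASES.get(spec, [spec])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in networks)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the 'in' rules of one interface top to bottom; the first match decides,
    as OPNsense 'quick' rules do. No match falls through to the implicit default deny."""
    for r in rules:
        if ((r.proto == "any" or proto in r.proto.split("/"))
                and _in_spec(src_ip, r.src)
                and _in_spec(dst_ip, r.dst)
                and r.dport in (None, dport)):
            return r.action, r.desc
    return "block", "default deny"


# The four 'in' rules meddyuk76 posted, in the order they were listed.
ORIGINAL = [
    Rule("pass", "tcp/udp", "DMZ net", "DMZ address", 53, "Allow access to DNS"),
    Rule("pass", "any", "DMZ net", "LAN net", None, "Access to internet"),
    Rule("pass", "icmp", "*", "*", None, "Allow ICMP echo reply messages"),
    Rule("pass", "tcp/udp", "DMZ net", "LAN net", 53, "DMZ to LAN DNS access"),
]

# patient0's suggested shape: specific exceptions above, 'not trusted_networks' as the last rule.
RECOMMENDED = [
    Rule("pass", "tcp/udp", "DMZ net", "DMZ address", 53, "Allow access to DNS"),
    Rule("pass", "icmp", "*", "*", None, "Allow ICMP echo reply messages"),
    Rule("pass", "tcp", "192.168.50.10", "192.168.1.20", 80, "Access Web Server in LAN"),
    Rule("pass", "any", "DMZ net", "not trusted_networks", None, "Access to internet"),
]

# The variant asked about in the last post: a reject rule for the private networks placed first.
REJECT_FIRST = [Rule("block", "any", "DMZ net", "trusted_networks", None, "Reject DMZ to trusted")] + RECOMMENDED


def walk_through() -> List[str]:
    """Trace the flows discussed in the thread through each ruleset (constructed DMZ host)."""
    dmz_host = "192.168.50.10"
    cases = [
        ("original", ORIGINAL, "192.168.1.1", "udp", 53),      # DNS to the LAN address
        ("original", ORIGINAL, "192.168.1.1", "tcp", 443),     # any LAN service is reachable
        ("original", ORIGINAL, "1.1.1.1", "udp", 53),          # DNS to the internet
        ("original", ORIGINAL, "1.1.1.1", "icmp", None),       # ping to the internet
        ("recommended", RECOMMENDED, "1.1.1.1", "tcp", 443),
        ("recommended", RECOMMENDED, "192.168.1.1", "tcp", 443),
        ("recommended", RECOMMENDED, "192.168.60.5", "tcp", 22),
        ("recommended", RECOMMENDED, "192.168.1.20", "tcp", 80),
        ("reject-first", REJECT_FIRST, "192.168.1.20", "tcp", 80),
    ]
    lines = []
    for name, rules, dst, proto, port in cases:
        action, desc = evaluate(rules, dmz_host, dst, proto, port)
        lines.append(f"{name:12} {dmz_host} -> {dst}:{port or '-'}/{proto:4} => {action} ({desc})")
    return lines


if __name__ == "__main__":
    print("\n".join(walk_through()))
```

Running it shows the original set passing DMZ-to-LAN DNS through "Access to internet" (so the fourth rule is dead), denying everything to 1.1.1.1 except ICMP (which matches why ping worked while apt and nslookup did not), and the recommended set allowing the internet and the one web server while both internal networks in the alias stay unreachable; the reject-first variant blocks that web server exception, which is patient0's reason for putting the rule last.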