📦 System context
Hardware: OPNsense DEC2687 (official appliance)
License: Business Subscription (active)
Version: OPNsense 24.10.7 (latest)
🌐 Network setup
Internet via Livebox Orange (192.168.2.1) – DHCP
Secondary WAN via Bouygues – fallback (Tier 2)
Multi-WAN configured using a gateway group WANGROUP
Default gateway is the WAN interface from Orange (WAN_DHCP)
⚙️ OPNsense configuration
Unbound DNS enabled with forwarding to public resolvers (8.8.8.8, 1.1.1.1)
Floating firewall rule to allow This Firewall on UDP port 53 via WANGROUP
Outbound NAT set to automatic
No firewall or NAT rule appears to block outbound DNS
❌ Symptoms
✅ ping to public IPs (e.g. 8.8.8.8) works
❌ No DNS resolution works:
drill, dig, or host to any resolver (8.8.8.8, 1.1.1.1) → fail
Even dig @192.168.2.1 (Livebox itself) → no response
Even with TCP (+tcp) instead of UDP → fails
Manually editing /etc/resolv.conf to force public DNS → no change
Disabling Unbound DNS → no effect
pkg update and firmware updates fail with "host does not resolve"
🧠 Most likely cause
The Livebox Orange blocks or intercepts all outbound DNS traffic, including TCP.
It likely acts as a DNS proxy and prevents the firewall from using any external resolver.
✅ What has already been tested
Proper floating rule with gateway assignment ✅
Unbound forwarding and custom servers ✅
NAT working ✅
Tried using only Livebox DNS (192.168.2.1) ❌
Tried using dig @8.8.8.8 google.com +tcp ❌
No DNS traffic succeeds in any form from OPNsense
🙏 What I'm asking
As an OPNsense Business customer using official hardware, I'd like to know:
Has anyone successfully deployed OPNsense behind a Livebox Orange?
Does the Livebox really block outbound DNS (UDP and TCP)?
Is DoH via cloudflared the only viable solution?
Is bridging the Livebox the only clean fix? If so, how do I proceed (e.g. external ONT or modem)?
Any help from the community or the Deciso support team is greatly appreciated.
You ought to be able to check that you can reach public DNS servers through the Livebox from any host connected to the Livebox directly.
The Livebox shouldn't be aware of the type of host that's on its LAN. Regular PC, OPN, ...
Once that's verified, you can come back to your OPN setup.
It does not seem you've gone very far.
I suggest you restart from scratch (especially if you've tinkered with internal config files) and verify proper operation with a single WAN.
Snapshot that config and redo multi-WAN. Retest.
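A small probe for the check suggested above, written for this thread rather than taken from OPNsense or from any post here: it sends one raw DNS query to each resolver named in the question (8.8.8.8, 1.1.1.1 and the Livebox at 192.168.2.1) over both UDP and TCP and reports timeout, refusal, the rcode, or a UDP reply that came back from an address other than the resolver asked (the signature of a transparent DNS proxy). The hostname google.com is an assumed test name; run it with python3 from a PC plugged directly into the Livebox first, then from the OPNsense shell, and compare.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Build a minimal recursive DNS query (A record by default)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, expected_txid):
    """Return (rcode, answer_count); raise if this is not a reply to our query."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    return flags & 0x000F, an

def probe(resolver, name="google.com", tcp=False, timeout=3.0):
    """One query over UDP or TCP: 'ok', 'timeout', an OS error, an rcode, or a
    UDP reply that arrived from an address other than the resolver we asked."""
    txid = random.randrange(0, 65536)
    query, src = build_query(name, txid=txid), resolver
    try:
        if tcp:  # RFC 1035: TCP DNS messages carry a 2-byte length prefix
            with socket.create_connection((resolver, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length, data = struct.unpack("!H", s.recv(2))[0], b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                data, (src, _port) = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError as e:  # connection refused, no route to host, ...
        return f"error: {e.strerror or e}"
    rcode, answers = parse_response(data, txid)
    if src != resolver:
        return f"intercepted (reply from {src})"
    return "ok" if rcode == 0 and answers else f"rcode={rcode} answers={answers}"

def run_matrix(resolvers=("8.8.8.8", "1.1.1.1", "192.168.2.1")):
    # Keys are (resolver, transport); assumed resolver list is the one from the question
    return {(r, t): probe(r, tcp=(t == "tcp")) for r in resolvers for t in ("udp", "tcp")}
```

Call `run_matrix()` and print the dictionary; a column of "timeout" on both transports from a plain PC means the Livebox itself is the problem, while "ok" there and failures only from OPNsense points back at the firewall or gateway-group configuration.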
Earlier today, I was in comm with another French member.
He indicated that his box (pretty sure it's Orange as well) was in bridge mode. Yet it still offered RFC1918 IPs (presented by him as some form of DMZ)...
And port forwards on OPN work, despite the fact that nothing is done on the box.
I'm a little skeptical but I think we're done for the day. It's late in France.
A quick search confirms that "bridge mode" on recent Liveboxes is not really bridging (but no firewall + DMZ. Maybe 1:1 NAT?):
https://communaute.orange.fr/t5/mes-services-Orange/Livebox-en-mode-bridge/td-p/1773410/page/3
This said, replacing the Livebox altogether appears to be supported. The setup might not be simple.