Text only | Text with Images

OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: 0zzy on May 29, 2025, 03:54:52 PM

Title: DMZ to DNS on DMZ interface not working
Post by: 0zzy on May 29, 2025, 03:54:52 PM
Hey together,

I configured a DMZ in my vlan.

everything works except the firewall rule for DNS which should be the Interface Address.

I Use Unbound for everything.

I set an ACL in Outbound for it.
My Firewall Rules are:

Protocol   Source   Port   Destination   Port   Gateway   Schedule      Description
IPv4 TCP/UDP   LANDMZ net   53 (DNS)   dmz_ns    53 (DNS)   *   *      Forward DNS       
        IPv4 ICMP   LANDMZ net   *   *   *   *   *      Allow ICMP to OPNsense       
        IPv4+6 *   LANDMZ net   *   RFC1918    *   *   *      Block LANDMZ to internal       
        IPv4+6 *   LANDMZ net   *   ! RFC1918    *   *   *      Allow access to Internet and block access to all local networks       
        IPv4 *   LANDMZ net   *   FLUX_IPs    *   *   *      Allow to admin PC only       
        IPv4 *   LANDMZ net   *   *   *   *   *      Block all other

Why can't the dmz reach the DNS?
I'm confused about that.

Title: Re: DMZ to DNS on DMZ interface not working
Post by: Patrick M. Hausen on May 29, 2025, 04:16:33 PM
The source port is not 53 but any.
Title: Re: DMZ to DNS on DMZ interface not working
Post by: 0zzy on May 29, 2025, 04:58:48 PM
@Patrick M. Hausen,
oh my god.... it works...
you are my hero of the day ;)
Thank you!
Title: Re: DMZ to DNS on DMZ interface not working
Post by: EricPerl on May 29, 2025, 07:13:58 PM
A few comments on the rules (reformatted), inline

Quote from: 0zzy on May 29, 2025, 03:54:52 PMMy Firewall Rules are:

Code Select
AB   Protocol     Source     Port Destination Port Description
A  IPv4 TCP/UDP LANDMZ net *    dmz_ns      53   Forward DNS               # Corrected by Patrick. Based on preamble, LANDMZ address could have been used for dest
A  IPv4 ICMP    LANDMZ net *    *           *    Allow ICMP to OPNsense   
B  IPv4+6 *     LANDMZ net *    RFC1918     *    Block LANDMZ to internal  # Typically not useful unless there's a more general allow later,
                                                                           # like the following rule if the destination was any.
A  IPv4+6 *     LANDMZ net *    !RFC1918    *    Allow access to Internet and block access to all local networks
                                                                           # The above rule doesn't block anything...   
A  IPv4 *       LANDMZ net *    FLUX_IPs    *    Allow to admin PC only    # Isn't the Block RFC1918 rule getting in the way?   
B  IPv4 *       LANDMZ net *    *           *    Block all other           # Without this, the 'default deny / state violation' would be used...
AB is Allow or Block.
Wrt the !RFC1918 rule, the meaning is Allow all traffic to 'any destination except private networks' (iow, only the Internet).
It's an allow rule. It can't block anything.
Importantly, because it does not apply to local/private traffic, such traffic can be allowed by other rules below.
Text only | Text with Images