OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Kets_One on October 14, 2025, 06:44:37 PM

Title: Virtual IP Addresses Unreachable from within LAN
Post by: Kets_One on October 14, 2025, 06:44:37 PM
Hi All,

I have a few virtual IP addresses on the WAN interface which are exposed to the internet via FQDNs and can be reached by external clients fine through the FQDNs as well as through their IP addresses.

However, these virtual IPs are not reachable (pingable) from within the LAN itself. Whenever a client within the LAN requests Unbound to resolve the FQDNs, the response is NXDOMAIN.
This appears to be related to virtual addresses only, because non-virtual addresses exposed to the internet via FQDNs can be reached by ping from within the LAN network fine.

I've tried various settings in the firewall, Unbound and Dnsmasq (DHCP), but I can't seem to get it to work. What am I missing?

Kets
Title: Re: Virtual IP Addresses Unreachable from within LAN
Post by: meyergru on October 14, 2025, 07:45:33 PM
If you cannot resolve those FQDNs locally, then either the Unbound setup is botched for everything or those names are masked somehow. That depends on how your DNS / DHCP is set up. In Unbound, this could happen if "Query Forwarding" is active for the affected domains, and also if you "Register DHCP Static Mappings" or uncheck "Do not register system A/AAAA records".
Title: Re: Virtual IP Addresses Unreachable from within LAN
Post by: Patrick M. Hausen on October 14, 2025, 07:47:36 PM
Are you using the same domain for your externally visible domains and for local resolution with Unbound? You could change that or set the local domain type to "transparent".
Title: Re: Virtual IP Addresses Unreachable from within LAN
Post by: Kets_One on October 14, 2025, 08:01:48 PM
Thanks, I realise I have not been specific enough.
A ping request from LAN via FQDN results in an RA, so address resolution appears to work fine.
Only pinging this routable address (which points to a virtual IPv6 address on LAN) does not work (Destination host unreachable).
This is strange, because ping requests from LAN to other RAs on the same LAN (non-virtual addresses) are successful.

It gets stranger, because ping requests which originate from WAN are not answered by any of the virtual or non-virtual RAs.
If I add a FW rule to allow echo requests to pass to these RAs, these pings from WAN are successful.

So, this still appears to be a local problem where FQDNs are successfully resolved, pings to non-virtual addresses are successful, but pings to virtual addresses result in "Destination host unreachable".
I have tried to activate "Reflection for port forwards", "Reflection for 1:1" and "Automatic outbound NAT for Reflection". No success.
Ideas?

@meyergru: could you please be a little more specific? I tried both options on and off and it didn't seem to make much difference. Should I restart maybe?
PS: @Patrick I did change the local domain name to something different.