OPNsense Forum

Hi everyone,

I'm looking for help with an OPNsense setup that mostly works, but breaks when I enforce DNS filtering on a VLAN that uses policy routing through WireGuard.

Environment

Firewall / Router: OPNsense 25.7.10

VPN: WireGuard client to Mullvad

DNS: AdGuard Home official OPNsense plugin

WireGuard: running directly on the OPNsense router

Clients: smartphones, PCs, IoT devices


Network layout

• LAN: 192.168.100.0/24

OPNsense: 192.168.100.1

• VPN / IoT VLAN: 192.168.41.0/24

        Interface: vlan_unifi_wifi_VPN

        Gateway: 192.168.41.1

• WireGuard tunnel address: 10.x.x.x/32 (Mullvad)

Gateway configuration

(System → Routing → Gateways)

WAN gateway

Interface: WAN (DHCP)

Default gateway: Yes

Used for normal LAN traffic



WireGuard (Mullvad) gateway

Interface: WireGuard

Name: Mullvad_WG_GW

Default gateway: No

Monitor IP: configured (public IP / 1.1.1.1)

Status: Online

Used only via policy routing in firewall rules



Goal (important)

I'm intentionally using this design because:

• the vlan_unifi_wifi_VPN network contains IoT devices

• all clients on this VLAN must use filtered DNS

I want:

• to force DNS traffic to AdGuard Home

• to filter selected DNS queries (ads / tracking / domains)

• after DNS filtering, to route all Internet traffic via WireGuard (Mullvad)

Using AdGuard is not optional in this VLAN.



What works

WireGuard itself works:

• ping from WireGuard tunnel → 8.8.8.8 ✅

• ping from 192.168.41.1 → 8.8.8.8 ✅
• Outbound NAT on WireGuard is in place and working
• Mullvad gateway is online
• AdGuard Home receives DNS queries from the VPN VLAN
• If I don't force DNS, Internet access works from the VPN VLAN
• Using WireGuard directly on a phone (WG app) works perfectly

Problem

• When I enable DNS firewall rules on the VPN VLAN:
• AdGuard receives the DNS queries
• DNS resolution works
• BUT clients have no Internet access
• clicking links → timeout
• many apps fail to load

👉 If I disable the DNS firewall rules on vlan_unifi_wifi_VPN, Internet works immediately




Firewall rules – vlan_unifi_wifi_VPN

(order top → bottom)

1) Allow DNS to AdGuard

Action: PASS

Source: 192.168.41.0/24

Destination: 192.168.100.1

Port: 53 TCP/UDP

Gateway: default

2) Internet via Mullvad (policy routing)

Action: PASS

Source: alias VPN_Machines

includes 192.168.41.100–200

Destination: !RFC1918

Gateway: Mullvad_WG_GW

3) Block external DNS

• Action: BLOCK

• Source: 192.168.41.0/24

Destination: any

• Port: 53 TCP/UDP

Firewall rules – LAN

Allow LAN net → any
(no restrictions during troubleshooting)


Additional checks

• Firewall states reset multiple times
• Outbound NAT in Hybrid mode
• Explicit NAT rule:
• Interface: WireGuard
• Source: 192.168.41.0/24
• Translation: Interface address
• WireGuard MTU set to 1420
• Tried MSS clamping via Firewall → Settings → Normalization
• No obvious blocks in firewall logs

Questions

• Is this the correct approach to force DNS through AdGuard on a policy-routed VLAN?
• Are there known issues between:
• AdGuard Home plugin
• policy routing with WireGuard
• blocking external DNS
• Am I forcing/blocking DNS in the wrong place?
• Would floating rules / reply-to / normalization be required here?

Screenshots available for:

gateways

VLAN firewall rules

LAN firewall rules

outbound NAT

WireGuard

AdGuard Home

Thanks in advance for any insight.

I could see now that many people have problems with DNS after upgrading to 25.7.10, but with the version before i had have the some issue also.

Other interfaces are sending queries to adguardHome and works fine. The only issue is when i connect under wireguard(Mullvad)